mail-server: Portfile and launch daemon improvements and bugfixes

* Ensure that launch daemons run at load (necessary) * Apply review comments from PR #4978
macports · Nov 13, 2019 · 0cee5a4 · 0cee5a4
1 parent 2aea590
commit 0cee5a4
Show file tree

Hide file tree

Showing 10 changed files with 135 additions and 98 deletions.
diff --git a/mail/dovecot2/Portfile b/mail/dovecot2/Portfile
@@ -150,10 +150,10 @@ variant apns \
 plugin. APNS use requires these steps:
 
      1. Acquire APNS Mail certificates from a (virtual) macOS\
-        High Sierra 10.13 and Server.app version 5.7. Export\
+        High Sierra 10.13 and Server.app version 5.6. Export\
         the certificates from the Keychain into the file\
         com.apple.servermgrd.apns.mail.p12 . *Note*: APNS Mail\
-        certificate creation is deprecated on Server.app version 5.8+.
+        certificate creation is deprecated on Server.app version 5.7+.
 
      2. Convert the APNS Mail certificates to PEM files:
 

diff --git a/mail/mail-server/Portfile b/mail/mail-server/Portfile
@@ -5,7 +5,7 @@ PortGroup               active_variants 1.1
 
 name                    mail-server
 version                 1.0
-revision                2
+revision                3
 categories              mail net
 platforms               darwin
 supported_archs         noarch
@@ -15,11 +15,11 @@ distfiles
 
 description             Mail server configuration
 long_description ${description} \
-    Mail server working configuration that provides a basic, working, \
-    easily modifiable mail server. The configuration is built using \
-    postfix for the MTA, dovecot for the MDA, solr for fast search, \
-    rspamd for a milter, and clamav for email virus scans. The \
-    configuration includes a surrogate TLS certificate, DKIM, and \
+    Mail server working configuration that provides a basic, working,\
+    easily modifiable mail server. The configuration is built using\
+    postfix for the MTA, dovecot for the MDA, solr for fast search,\
+    rspamd for a milter, and clamav for email virus scans. The\
+    configuration includes a surrogate TLS certificate, DKIM, and\
     Apple Push Notification Service (APNS) capability for iOS devices.
 
 homepage                https://www.postfix.org/
@@ -47,9 +47,19 @@ depends_lib-append      port:apache-solr8 \
 
 depends_run-append      port:clamav-server
 
-variant initialize \
-    description {Initialize all configuration files. Existing
-        configurations files are not overwritten by default.} {}
+variant initialize_always \
+    description {Always initialize all configuration files. Intended\
+        for development and troubleshooting only. Working deployments\
+        must disable this variant to prevent configuration files\
+        being overwritten at the next upgrade. Existing configuration\
+        files are not overwritten by default.} {
+    ui_warn \
+        "
+\tAll configuration files will be initialized because
+\tthe variant +initialize_always is set. Please disable
+\tthis variant for working deployments.
+"
+}
 
 use_configure           no
 
@@ -64,7 +74,7 @@ pre-build {
 
     if { [catch {set result [registry_active postfix]}]
         || [lindex [lindex ${result} 0] 3] \
-            != "+[join ${postfix_required_variants} +]" } {
+            ne "+[join ${postfix_required_variants} +]" } {
         append required_variants_message "\
 Postfix not installed with required variants. Please install:
 
@@ -75,7 +85,7 @@ Postfix not installed with required variants. Please install:
     }
     if { [catch {set result [registry_active dovecot2]}]
         || [lindex [lindex ${result} 0] 3] \
-            != "+[join ${dovecot2_required_variants} +]" } {
+            ne "+[join ${dovecot2_required_variants} +]" } {
         append required_variants_message "\
 Dovecot not installed with required variants. Please install:
 
@@ -84,7 +94,7 @@ Dovecot not installed with required variants. Please install:
 "
         set required_variants_flag false
     }
-    if {${required_variants_flag} != true} {
+    if {${required_variants_flag} ne true} {
         ui_error ${required_variants_message}
         # one of these will exit with error if the ports are not installed at all
         registry_active postfix
@@ -298,7 +308,7 @@ destroot {
     xinstall -m 0644 \
         ${filespath}/prefix/etc/certificates/ca/intermediate/openssl_intermediate.cnf \
         ${destroot}${tls_ca_dir}/intermediate
-    if { [variant_isset "initialize"]
+    if { [variant_isset "initialize_always"]
          && [file exists ${tls_ca_dir}]
         } {
         delete ${tls_ca_dir}.previous
@@ -328,7 +338,7 @@ post-activate {
     # use network settings for installed example configuration
     set fullhost [exec /bin/hostname -f]
     set host [lindex [split ${fullhost} .] 0]
-    set domaintld [join [lrange [split ${fullhost} .] end-1 end] .]
+    set domaintld [join [lrange [split ${fullhost} .] 1 end] .]
     set domain [lindex [split ${domaintld} .] 0]
     set tld [lindex [split ${domaintld} .] end]
     set HOST            [string toupper ${host}]
@@ -349,15 +359,15 @@ post-activate {
 "
 
     proc install_initial_configuration {f_or_d} {
-        if { [variant_isset "initialize"]
+        if { [variant_isset "initialize_always"]
              && [file exists ${f_or_d}]
             } {
             delete ${f_or_d}.previous
             move \
                 ${f_or_d} \
                 ${f_or_d}.previous
         }
-        if { [variant_isset "initialize"]
+        if { [variant_isset "initialize_always"]
              || ![file exists ${f_or_d}]
             } {
             if { [file isfile ${f_or_d}.macports] } {
@@ -400,7 +410,7 @@ post-activate {
     xinstall -m 0777 -g mail -d /private/var/mail/${tld}.${domain}.mail/attachments/
 
     # solr configuration
-    if { [variant_isset "initialize"] } {
+    if { [variant_isset "initialize_always"] } {
         system "sudo -u solr -g solr sh <<SOLR_DELETE_DOVECOT
             solr8 stop -p 8983 2>/dev/null || true
             solr8 start -p 8983 2>/dev/null || true
@@ -738,18 +748,18 @@ in ${prefix}/etc/dovecot/sieve*/*.sieve are compiled with sievec.
     }
 
     # PAM authentication
-    if ![file exists /etc/pam.d/smtp] {
+    if { ![file exists /etc/pam.d/smtp] } {
         xinstall -m 0644 ${prefix}/etc/postfix/etc/pam.d/smtp /etc/pam.d/
     }
-    if ![file exists /etc/pam.d/imap] {
+    if { ![file exists /etc/pam.d/imap] } {
         xinstall -m 0644 ${prefix}/etc/dovecot/etc/pam.d/imap /etc/pam.d/
     }
 
     # TLS PFS
-    if ![file exists ${prefix}/var/lib/postfix/dh2048.pem] {
+    if { ![file exists ${prefix}/var/lib/postfix/dh2048.pem] } {
         system -W ${prefix}/var/lib/postfix "sudo -u _postfix openssl dhparam -out dh2048.pem 2048"
     }
-    if ![file exists ${prefix}/etc/dovecot/dh2048.pem] {
+    if { ![file exists ${prefix}/etc/dovecot/dh2048.pem] } {
         # create a shorter, faster DH parameter file for the default installation
         system -W ${prefix}/etc/dovecot "openssl dhparam -out dh2048.pem 2048"
     }
@@ -793,18 +803,35 @@ startupitem.restart      "port reload apache-solr8
 \tport load dovecot2
 \tport reload rspamd"
 
-notes "A mail server is a complex, interdependent set of tools that must
+proc plutil_startup {plcmds label} {
+    global prefix startupitem.location
+    foreach cmd ${plcmds} {
+        system -W ${prefix}/etc/${startupitem.location}/${label} \
+            "/usr/bin/plutil ${cmd} ${label}.plist"
+    }
+}
+
+post-activate {
+    # modify the launch daemons
+    plutil_startup [list \
+        "-remove KeepAlive" \
+        "-insert RunAtLoad -bool YES" \
+        ] \
+        org.macports.${startupitem.name}
+}
+
+notes "A mail server is a complex, interdependent set of tools that must\
 all be configured correctly to provide secure, reliable email.
 
-Users must reconfigure this installation for their own system, network,
-and security model specifics by editing all necessary files and checking
+Users must reconfigure this installation for their own system, network,\
+and security model specifics by editing all necessary files and checking\
 file permissions. A subset of these settings are visible in the files:
 
         port contents mail-server
         port file mail-server
 
-Full deployment also requires a working DNS configuration on both the LAN
-and the internet, including SPF and DKIM records, trusted TLS certificates,
+Full deployment also requires a working DNS configuration on both the LAN\
+and the internet, including SPF and DKIM records, trusted TLS certificates,\
 port forwarding, possibly a mail replay, and more.
 
 Postfix and dovecot must be installed with these variants:
@@ -841,7 +868,7 @@ These are the locations and network settings for the default configuration:
     Spam/Ham training (default behavior):
         Move/Copy email to the folders Spam_train or Notspam_train.
 
-The configuration also includes a surrogate TLS certificate and DKIM settings
+The configuration also includes a surrogate TLS certificate and DKIM settings\
 that must be changed before deployment.
 
     TLS:
@@ -850,15 +877,15 @@ that must be changed before deployment.
     DKIM:
         ${prefix}/var/lib/rspamd/dkim
 
-The ports dns-server and logrotate provide necessary DNS service on the LAN
+The ports dns-server and logrotate provide necessary DNS service on the LAN\
 and log rotation capabilities:
 
         sudo port install dns-server logrotate
 
-This port assume indepedent installation and management of DNS and
+This port assume indepedent installation and management of DNS and\
 log rotation; mail-server includes example logrotate configuration files.
 
-The port's launch daemon controls launching for each of the dependendent
+The port's launch daemon controls launching for each of the dependendent\
 services. These may be controlled independently, e.g.
 
         sudo port load clamav-server
@@ -882,11 +909,21 @@ and if installed independently,
         * _The Book of Postfix_, by Patrick Koetter and Ralf Hildebrandt
 
     Known issues:
-        * The Postfix service does not reliably start after reboot,
-          presumably due to an issue with launchd. A workaround
+        * The Postfix service does not reliably start after reboot,\
+          presumably due to an issue with launchd. A workaround\
           after rebooting is to issue the commands:
 
-          sudo port unload postfix ; sleep 5 ; sudo port load postfix
-"
+          sudo port unload postfix ; sleep 5 ; sudo port load postfix"
+
+if { [variant_isset "initialize_always"] } {
+    if {[exists notes]} {
+        # leave a blank line after the existing notes
+        notes-append ""
+    }
+    notes-append \
+        "The variant +initialize_always is set, which initializes\
+        all configuration files. Please disable this variant for\
+        working deployments."
+}
 
 livecheck.type         none
diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-auth.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-auth.conf
@@ -114,7 +114,7 @@ auth_gssapi_hostname = "$ALL"
 #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
 #   gss-spnego
 # NOTE: See also disable_plaintext_auth setting.
-# macOS Server v.5.7 configuration:
+# macOS Server v.5.6 configuration:
 # auth_mechanisms = cram-md5 plain login apop digest-md5 gssapi
 # plain username/password auth - OK since everything is over TLS
 auth_mechanisms = plain gssapi

diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-mail.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-mail.conf
@@ -49,7 +49,7 @@
 # default home directory location for all users
 mail_home = /private/var/mail/@tld@.@[email protected]
 
-# macOS Server v.5.7 configuration:
+# macOS Server v.5.6 configuration:
 #mail_location = 
 # Note: This key is managed by Server Admin. See above before making changes
 # mail_location = maildir:/Library/Server/Mail/Data/mail/%u
@@ -111,7 +111,7 @@ inbox = yes
 #subscriptions = yes
 }
 
-# macOS v.5.7 configuration:
+# macOS v.5.6 configuration:
 # # shared namespace configuration
 # namespace acl-mailboxes {
 #   type = shared
@@ -272,7 +272,7 @@ auth_socket_path = @PREFIX@/var/run/dovecot/auth-userdb
 # Space separated list of plugins to load for all services. Plugins specific to
 # IMAP, LDA, etc. are added to this list in their own .conf files.
 # (APPLE) added fts_sk
-# macOS Server v.5.7 configuration:
+# macOS Server v.5.6 configuration:
 # mail_plugins = quota zlib acl fts fts_sk
 mail_plugins = quota zlib acl
 

diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-master.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-master.conf
@@ -58,7 +58,7 @@ service imap-login {
 
 }
 
-# macOS Server v.5.7 configuration:
+# macOS Server v.5.6 configuration:
 # service pop3-login {
 #   inet_listener pop3 {
 #     port = 110
@@ -100,7 +100,7 @@ service imap {
 # Results in imap userdb Fatal setuid errors
 # See: https://dovecot.org/pipermail/dovecot/2019-May/116014.html
 
-# macOS Server v.5.7 configuration:
+# macOS Server v.5.6 configuration:
 # service pop3 {
 #   # Max. number of POP3 processes (connections)
 #   process_limit = 200
@@ -111,7 +111,7 @@ service imap {
 
 # expose an auth socket for postfix to authenticate users
 service auth {
-  # macOS Server v.5.7 configuration:
+  # macOS Server v.5.6 configuration:
   # auth_socket_path points to this userdb socket by default. It's typically
   # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
   # full permissions to this socket are able to get a list of all usernames and
@@ -159,15 +159,15 @@ service auth-worker {
   group = mail
 }
 
-# macOS Server v.5.7 configuration:
+# macOS Server v.5.6 configuration:
 # service auth-worker {
 #   # Auth worker process is run as root by default, so that it can access
 #   # /etc/shadow. If this isn't necessary, the user should be changed to
 #   # $default_internal_user.
 #   #user = root
 # }
 
-# macOS Server v.5.7 configuration:
+# macOS Server v.5.6 configuration:
 # service dict {
 #   # If dict proxy is used, mail processes should have access to its socket.
 #   # For example: mode=0660, group=vmail and global mail_access_groups=vmail
@@ -178,14 +178,14 @@ service auth-worker {
 #   }
 # }
 
-# macOS Server v.5.7 configuration:
+# macOS Server v.5.6 configuration:
 service dns_client {
   unix_listener dns-client {
     mode = 0600
   }
 }
 
-# macOS Server v.5.7 configuration:
+# macOS Server v.5.6 configuration:
 # # for stats plugin, if enabled
 # service stats {
 #   fifo_listener stats-mail {

diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-ssl.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-ssl.conf
@@ -89,11 +89,11 @@ ssl_ca = <@PREFIX@/etc/certificates/@host@.@domain@.@tld@.@[email protected]
 ssl_dh = <@PREFIX@/etc/dovecot/dh2048.pem
 
 # SSL protocols to use
-# macOS Server v.5.7 configuration:
+# macOS Server v.5.6 configuration:
 # ssl_protocols = !SSLv2 !SSLv3
 
 # SSL ciphers to use
-# macOS Server v.5.7 configuration:
+# macOS Server v.5.6 configuration:
 # ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
 
 # SSL crypto device to use, for valid values run "openssl engine"

diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/15-mailboxes.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/15-mailboxes.conf
@@ -49,7 +49,7 @@ namespace inbox {
     auto = subscribe
     special_use = \Sent
   }
-  # macOS Server v.5.7 configuration; used by iOS:
+  # macOS Server v.5.6 configuration; used by iOS:
   mailbox "Sent Messages" {
     special_use = \Sent
   }

diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/auth-od.conf.ext b/mail/mail-server/files/prefix/etc/dovecot/conf.d/auth-od.conf.ext
@@ -183,7 +183,7 @@ userdb passwd {
 ##   driver = passwd
 ## }
 
-# macOS Server v.5.7 configuration:
+# macOS Server v.5.6 configuration:
 # passdb {
 #  # OD cache refresh intervals.  The positive cache TTL applies to
 #  # enabled accounts.  The negative cache TTL applies to disabled
@@ -193,7 +193,7 @@ userdb passwd {
 #  # driver = od
 # }
 
-# macOS Server v.5.7 configuration:
+# macOS Server v.5.6 configuration:
 # userdb {
 #   # OD cache refresh intervals.  The positive cache TTL applies to
 #   # enabled accounts.  The negative cache TTL applies to disabled
@@ -205,7 +205,7 @@ userdb passwd {
 #   # additional args: pos_cache_ttl=3600 neg_cache_ttl=60
 #   #                  luser_relay=<userid> enforce_quotas=no
 #   #                  use_getpwnam_ext=yes blocking=no
-#   # macOS Server v.5.7 configuration
+#   # macOS Server v.5.6 configuration
 #   # driver = od
 #   driver = ldap
 #   args = partition=@PREFIX@/etc/dovecot/partition_map.conf global_quota=8192 enforce_quotas=yes