Merge remote-tracking branch 'ispc3/stable-3.1' into rspamd

Author: Marius Burkard

install/dist/lib/debian60.lib.php

@@ -115,6 +115,32 @@ public function configure_dovecot()
 				file_put_contents($config_dir.'/'.$configfile,$content);
 				unset($content);
 			}
+			if(version_compare($dovecot_version,2.3) >= 0) {
+				// Remove deprecated setting(s)
+				removeLine($config_dir.'/'.$configfile, 'ssl_protocols =');
+				
+				// Check if we have a dhparams file and if not, create it
+				if(!file_exists('/etc/dovecot/dh.pem')) {
+					swriteln('Creating new DHParams file, this takes several minutes. Do not interrupt the script.');
+					if(file_exists('/var/lib/dovecot/ssl-parameters.dat')) {
+						// convert existing ssl parameters file
+						$command = 'dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem';
+						caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+					} else {
+						/*
+						   Create a new dhparams file. We use 2048 bit only as it simply takes too long
+						   on smaller systems to generate a 4096 bit dh file (> 30 minutes). If you need
+						   a 4096 bit file, create it manually before you install ISPConfig
+						*/
+						$command = 'openssl dhparam -out /etc/dovecot/dh.pem 2048';
+						caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
+					}
+				}
+			} else {
+				// remove settings which are not supported in Dovecot < 2.3
+				removeLine($config_dir.'/'.$configfile, 'ssl_min_protocol =');
+				removeLine($config_dir.'/'.$configfile, 'ssl_dh =');
+			}
 		} else {
 			if(is_file($conf['ispconfig_install_dir'].'/server/conf-custom/install/debian6_dovecot.conf.master')) {
 				copy($conf['ispconfig_install_dir'].'/server/conf-custom/install/debian6_dovecot.conf.master', $config_dir.'/'.$configfile);

install/tpl/apache_ispconfig.vhost.master

@@ -89,11 +89,11 @@ NameVirtualHost *:<tmpl_var name="vhost_port">
 
   <IfModule mod_headers.c>
     # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
-    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
+    <tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
     Header set X-Content-Type-Options: nosniff
     Header set X-Frame-Options: SAMEORIGIN
     Header set X-XSS-Protection: "1; mode=block"
-    Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
+    <tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
     <IfVersion >= 2.4.7>
         Header setifempty Strict-Transport-Security "max-age=15768000"
     </IfVersion>

install/tpl/debian6_dovecot2.conf.master

@@ -6,7 +6,9 @@ log_timestamp = "%Y-%m-%d %H:%M:%S "
 mail_privileged_group = vmail
 ssl_cert = </etc/postfix/smtpd.cert
 ssl_key = </etc/postfix/smtpd.key
+ssl_dh = </etc/dovecot/dh.pem
 ssl_protocols = !SSLv2 !SSLv3
+ssl_min_protocol = TLSv1
 mail_max_userip_connections = 100
 passdb {
   args = /etc/dovecot/dovecot-sql.conf