Bug 517682 - >=net-mail/courier-imap-4.15-r1 should run /usr/sbin/mkdhparams on install and/or at startup
Summary: >=net-mail/courier-imap-4.15-r1 should run /usr/sbin/mkdhparams on install an...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal enhancement
Assignee: Tupone Alfredo
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-21 14:39 UTC by Philippe Chaintreuil
Modified: 2019-07-05 07:14 UTC

See Also:
Package list:
Runtime testing required: ---
Description Philippe Chaintreuil 2014-07-21 14:39:18 UTC
Totally just got burnt by this: it appears that 4.15-r1 (and 4.15?) and beyond have a TLS_DHPARAMS parameter that points to /usr/share/dhparams.pem by default.  This file seems to be required for STARTTLS (but not for vanilla SSL/TLS); without it STARTTLS connections will fail.  Courier includes /usr/sbin/mkdhparams to create the file; I have to assume the file contains random data that's supposed to be rebuilt periodically for security reasons.

From the MKDHPARAMS(8) man page:

===============================================================================
DESCRIPTION
       This script creates new DH parameters and saves them in
       /usr/share/dhparams.pem. If this file already exists and it's less than
       25 days old, the script returns immediately. If this file is over 25
       days old, new DH parameters get generated and the file gets replaced.

       This script is intended to be executed when the system boots, or from a
       monthly cron job.
===============================================================================

I'd have written a new ebuild to attach, but I'd like opinions as to the following:

1.)  The file is generated into /usr/share/ which seems disorganized.  Is that acceptable or should we modify the source for mkdhparams to write it elsewhere (/etc/courier-imap/ or /var/lib/courier-imap/?) or wrap the script and just move the file?  (Moving wrapper is easier to maintain, but it'll need to duplicate the 25-day check to keep that feature functional.)

2.)  Should we run the program on install?  On Run?  Install a cron script in /etc/cron.monthly/?  Install and one of the others?

In the meantime, someone might want to add a notice to the courier install that the program needs to be run for STARTTLS support for either IMAP or POP3 courier servers.

Reproducible: Always
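The wrapper weighed in point 1 above (duplicate mkdhparams' 25-day check, but keep the file somewhere more sensible than /usr/share), as an added shell example; it is neither Gentoo's courier-imap.cron nor courier's own mkdhparams, and the /etc/courier-imap path, the 2048-bit size and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Gentoo's courier-imap.cron and not courier's mkdhparams:
# a cron wrapper that reproduces the 25-day freshness check so the parameters
# can live under /etc/courier-imap instead of /usr/share.
# DHPARAMS, DH_BITS and the function names are assumptions for this example.
set -eu

DHPARAMS=${DHPARAMS:-/etc/courier-imap/dhparams.pem}   # placeholder path
MAX_AGE_DAYS=25                                         # same as mkdhparams
DH_BITS=${DH_BITS:-2048}                                # assumed size

# True (exit 0) when FILE is missing, empty, or older than MAX_AGE days.
# find -mtime +N matches files whose age in whole days exceeds N, so the
# file counts as stale once it is at least N+1 full days old.
dhparams_needs_refresh() {
    file=$1
    max_age=$2
    [ -s "$file" ] || return 0
    [ -n "$(find "$file" -mtime +"$max_age")" ]
}

# Write fresh parameters to a temp file and rename it into place, so a daemon
# starting mid-generation never reads a truncated file. DH parameters are
# public values; rotating them is hygiene, not key secrecy.
regenerate_dhparams() {
    file=$1
    bits=$2
    tmp=$(mktemp "$(dirname "$file")/dhparams.XXXXXX")
    openssl dhparam -out "$tmp" "$bits"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$file"
}

# Exit 0 when new parameters were written, 1 when the existing file was kept.
refresh_if_stale() {
    if dhparams_needs_refresh "$1" "$2"; then
        regenerate_dhparams "$1" "$3"
        return 0
    fi
    return 1
}

# Cron entry point; invoke as "dhparams-cron --run" from /etc/cron.monthly.
main() {
    if refresh_if_stale "$DHPARAMS" "$MAX_AGE_DAYS" "$DH_BITS"; then
        echo "regenerated $DHPARAMS"
    fi
}

case "${1:-}" in --run) main ;; esac
```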
Comment 1 Pacho Ramos gentoo-dev 2016-08-09 09:03:56 UTC
I would put it into cron.weekly
Comment 2 Larry the Git Cow gentoo-dev 2019-07-05 07:14:43 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8b5e3f3a2b90e9cabacd6aa453261b88567bf9f

commit e8b5e3f3a2b90e9cabacd6aa453261b88567bf9f
Author:     Tupone Alfredo <tupone@gentoo.org>
AuthorDate: 2019-07-05 07:14:20 +0000
Commit:     Tupone Alfredo <tupone@gentoo.org>
CommitDate: 2019-07-05 07:14:20 +0000

    net-mail/courier-imap: Install a monthly cron job for dhparams
    
    Closes: https://bugs.gentoo.org/517682
    Signed-off-by: Alfredo Tupone <tupone@gentoo.org>
    Package-Manager: Portage-2.3.66, Repoman-2.3.11

 net-mail/courier-imap/courier-imap-5.0.7.ebuild | 2 ++
 net-mail/courier-imap/files/courier-imap.cron   | 3 +++
 2 files changed, 5 insertions(+)