Totally just got burnt by this, it appears that 4.15-r1 (and 4.15?) and beyond have a TLS_DHPARAMS parameter that points to /usr/share/dhparams.pem by default. This file seems to be required for STARTTLS (but not for vanilla SSL/TLS); without it STARTTLS connections will fail. Courier includes /usr/sbin/mkdhparams to create the file; I have to assume the file contains random data that's supposed to be rebuilt periodically for security reasons.

From the man MKDHPARAMS(8) page:

===============================================================================
DESCRIPTION
    This script creates new DH parameters and saves them in /usr/share/dhparams.pem. If this file already exists and it's less than 25 days old, the script returns immediately. If this file is over 25 days old, new DH parameters get generated and the file gets replaced.

    This script is intended to be executed when the system boots, or from a monthly cron job.
===============================================================================

I'd have written a new ebuild to attach, but I'd like opinions as to the following:

1.) The file is generated into /usr/share/ which seems disorganized. Is that acceptable or should we modify the source for mkdhparams to write it elsewhere (/etc/courier-imap/ or /var/lib/courier-imap/?) or wrap the script and just move the file? (Moving wrapper is easier to maintain, but it'll need to duplicate the 25-day check to keep that feature functional.)

2.) Should we run the program on install? On run? Install a cron script in /etc/cron.monthly/? Install and one of the others?

In the meantime, someone might want to add a notice to the courier install that the program needs to be run for STARTTLS support for either IMAP or POP3 courier servers.

Reproducible: Always
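As an added illustration of the wrapper idea raised in point 1.) (this is example code written for this discussion, not Courier's mkdhparams script and not the Gentoo cron file), the script below reproduces the 25-day age check so that the regeneration behaviour survives moving the file. The default path /usr/share/dhparams.pem and the 25-day threshold come from the man page excerpt above; the 2048-bit size, the DHPARAMS_FILE/MAX_AGE_DAYS/DH_BITS variable names and the function names are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical replacement for mkdhparams(8): regenerate the DH parameter
# file when it is missing, empty, or older than MAX_AGE_DAYS, writing it
# atomically to DHPARAMS_FILE. Constructed example, not Courier's own script.

DHPARAMS_FILE="${DHPARAMS_FILE:-/usr/share/dhparams.pem}"  # Courier's TLS_DHPARAMS default
MAX_AGE_DAYS="${MAX_AGE_DAYS:-25}"                          # threshold from mkdhparams(8)
DH_BITS="${DH_BITS:-2048}"                                  # assumed size, not from the page

# dhparams_stale FILE DAYS
# Returns 0 (true) when FILE is absent, empty, or more than DAYS whole days old.
dhparams_stale() {
    file="$1"
    days="$2"
    # Missing or zero-length file: STARTTLS would fail, so it must be generated.
    [ -s "$file" ] || return 0
    # find(1) prints the path only when mtime is more than DAYS*24h in the past.
    [ -n "$(find "$file" -mtime +"$days" 2>/dev/null)" ]
}

# dhparams_regenerate FILE BITS
# Generates fresh parameters into a temp file next to FILE and renames it into
# place, so a reader never observes a half-written parameter file.
dhparams_regenerate() {
    file="$1"
    bits="$2"
    tmp="$file.tmp.$$"
    umask 022
    if ! openssl dhparam -out "$tmp" "$bits" 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$file"
}

# Entry point: only regenerate when the age check says so, mirroring the
# "returns immediately if less than 25 days old" behaviour of mkdhparams(8).
main() {
    if dhparams_stale "$DHPARAMS_FILE" "$MAX_AGE_DAYS"; then
        dhparams_regenerate "$DHPARAMS_FILE" "$DH_BITS"
    else
        echo "$DHPARAMS_FILE is newer than $MAX_AGE_DAYS days; nothing to do"
    fi
}

# Run only when invoked with "run", so the file can also be sourced for its functions.
case "${1:-}" in
    run) main ;;
esac
```

Invoked as `sh wrapper.sh run` from a cron job (monthly, as the commit that closed this bug does, or weekly as suggested below), it keeps the file fresh without regenerating on every run; setting DHPARAMS_FILE lets it write to /etc/courier-imap/ or /var/lib/courier-imap/ instead of /usr/share/, provided TLS_DHPARAMS in the Courier config points at the same path.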
I would put it into cron.weekly
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8b5e3f3a2b90e9cabacd6aa453261b88567bf9f

commit e8b5e3f3a2b90e9cabacd6aa453261b88567bf9f
Author:     Tupone Alfredo <tupone@gentoo.org>
AuthorDate: 2019-07-05 07:14:20 +0000
Commit:     Tupone Alfredo <tupone@gentoo.org>
CommitDate: 2019-07-05 07:14:20 +0000

    net-mail/courier-imap: Install a monthly cron job for dhparams

    Closes: https://bugs.gentoo.org/517682
    Signed-off-by: Alfredo Tupone <tupone@gentoo.org>
    Package-Manager: Portage-2.3.66, Repoman-2.3.11

 net-mail/courier-imap/courier-imap-5.0.7.ebuild | 2 ++
 net-mail/courier-imap/files/courier-imap.cron   | 3 +++
 2 files changed, 5 insertions(+)