



@@ -2597,6 +2597,8 @@ chown -R vmail:vmail /usr/local/dovecot-${_version}/etc/dovecot/sieve
if $systemd_support; then if $systemd_support; then
_folder_created=false
## - # - At time, we don't use private tmp directory for divecot. ## - # - At time, we don't use private tmp directory for divecot.
## - # - ## - # -
## - echononl "\tAdjust Systemd service file, set PrivateTmp=false.." ## - echononl "\tAdjust Systemd service file, set PrivateTmp=false.."
@@ -2621,8 +2623,15 @@ if $systemd_support; then
## - here: ## - here:
## - LimitNOFILE=32768 ## - LimitNOFILE=32768
## - ## -
if [[ -f "/lib/systemd/system/dovecot.service" ]] \ ## - zwei Bemerkungen:
&& $(grep -q -E "^LimitNOFILE=" /lib/systemd/system/dovecot.service) ; then ## - - keine runden Klammern notwendig, da die bash '&&' vor '||' auswertet
## - - hier auch keine backslah '\' am ende der zeile notwendig, da statement
## - offensichtlich noch nichzt abgeschlossen ist (die bash erkennt das)
## -
if [[ -f /lib/systemd/system/dovecot.service ]] &&
grep -qE '^[[:space:]]*LimitNOFILE=' /lib/systemd/system/dovecot.service ||
[[ -f /etc/systemd/system/dovecot.service ]] &&
grep -qE '^[[:space:]]*LimitNOFILE=' /etc/systemd/system/dovecot.service ; then
_LimitNOFILE="$(grep -E "^LimitNOFILE=[[:digit:]]+" /lib/systemd/system/dovecot.service | cut -d'=' -f2)" _LimitNOFILE="$(grep -E "^LimitNOFILE=[[:digit:]]+" /lib/systemd/system/dovecot.service | cut -d'=' -f2)"
@@ -2638,6 +2647,7 @@ if $systemd_support; then
mkdir "/etc/systemd/system/dovecot.service.d" > /dev/null 2>&1 mkdir "/etc/systemd/system/dovecot.service.d" > /dev/null 2>&1
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
echo -e "$rc_done" echo -e "$rc_done"
_folder_created=true
else else
echo -e "$rc_failed" echo -e "$rc_failed"
adjust_limit_nofile=false adjust_limit_nofile=false
@@ -2656,8 +2666,54 @@ LimitNOFILE=$service_limit_nofile
EOF EOF
echo -e "$rc_done" echo -e "$rc_done"
fi fi
fi fi
## - Adjust systemd hardening:
## -
## - Options such as ProtectSystem=full/strict make the service's mount namespace,
## - including /usr (and thus /usr/local/dovecote/..), read-only, even though it is w
## - ritable outside the service.
## -
## - However, we would like to allow dovecot to write to the directory
## - /usr/local/dovecot/etc/dovecot/sieve/.
## -
## - ProtectSystem=off
## -
## - zwei Bemerkungen:
## - - keine runden Klammern notwendig, da die bash '&&' vor '||' auswertet
## - - hier auch keine backslah '\' am ende der zeile notwendig, da statement
## - offensichtlich noch nichzt abgeschlossen ist (die bash erkennt das)
## -
if [[ -f /lib/systemd/system/dovecot.service ]] &&
grep -qE '^[[:space:]]*ProtectSystem=' /lib/systemd/system/dovecot.service ||
[[ -f /etc/systemd/system/dovecot.service ]] &&
grep -qE '^[[:space:]]*ProtectSystem=' /etc/systemd/system/dovecot.service ; then
if ! ${_folder_created} ; then
echononl "\tCreate Directory '/etc/systemd/system/dovecot.service.d'.."
if [[ -d "/etc/systemd/system/dovecot.service.d" ]] ; then
echo -e "$rc_skipped"
else
mkdir "/etc/systemd/system/dovecot.service.d" > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
echo -e "$rc_done"
else
echo -e "$rc_failed"
fi
fi
fi
echononl "\tSet 'ProtectSystem=off' for 'dovecot.service'.."
cat <<EOF > /etc/systemd/system/dovecot.service.d/systemd-hardening.conf
[Service]
ProtectSystem=off
EOF
echo -e "$rc_done"
fi
echononl "\tReload systemd .." echononl "\tReload systemd .."
systemctl daemon-reload > /dev/null 2>&1 systemctl daemon-reload > /dev/null 2>&1