From 4b09a3da9ca4b119443e340632e3eab0e2419810 Mon Sep 17 00:00:00 2001
From: Adar Nimrod
Date: Thu, 26 Nov 2020 10:28:38 +0200
Subject: [PATCH] Optional Diffie-hellman paramaters generation.

- Use an environment variable for setting the location of the dhparams file.
- Don't generate the file if it already exists.
- Use the dhparams file in the host in production.
---
 docker-compose.yml | 1 +
 dovecot/Dockerfile | 1 +
 dovecot/entrypoint | 3 ++-
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index c851b0c..4de1dd7 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,6 +10,7 @@ services:
 ${LDAP_BASE_DN:-ou=People,dc=shore,dc=co,dc=il}
 LDAP_URIS: &ldap_uris '${LDAP_URIS:-ldapi:///}'
 TLS_CERT_FILE: &tls_cert_file /var/ssl/mail.crt
+ TLS_DHPARAMS_FILE: /var/ssl/dhparams
 TLS_KEY_FILE: &tls_key_file /var/ssl/mail.key
 hostname: &imap_hostname imap.shore.co.il
 networks:
diff --git a/dovecot/Dockerfile b/dovecot/Dockerfile
index f38a3d3..7a9fb02 100644
--- a/dovecot/Dockerfile
+++ b/dovecot/Dockerfile
@@ -31,6 +31,7 @@ RUN find /var/lib/dovecot/sieve.d/ -type f -name '*.sieve' -print0 | xargs -0n1
 VOLUME /var/mail
 VOLUME /run/dovecot
 EXPOSE 993 25
+ENV TLS_DHPARAMS_FILE /usr/share/dovecot/dh.pem
 ENTRYPOINT [ "/entrypoint" ]
 CMD [ "dovecot", "-F" ]
 HEALTHCHECK --start-period=5m CMD doveadm service status || exit 1
diff --git a/dovecot/entrypoint b/dovecot/entrypoint
index 63fd14f..f2375b5 100755
--- a/dovecot/entrypoint
+++ b/dovecot/entrypoint
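Review bot: The new `TLS_DHPARAMS_FILE: /var/ssl/dhparams` points at what the commit message calls a host-provided file, but the entrypoint's fallback still runs `openssl dhparam -out "$TLS_DHPARAMS_FILE" 2048` when that file is absent, so with a read-only or root-owned mount the first production start aborts under the script's `set -eux` instead of falling back to the image default. Whether /var/ssl is a bind mount, and with what permissions, is not visible in this hunk. A comment beside the key would spare the next operator the surprise, e.g. `# must be pre-provisioned on the host; the entrypoint only generates it when missing and the mount is writable`. The sibling keys carry anchors (`&tls_cert_file`, `&tls_key_file`); if another service is expected to read the same DH path, an anchor here would keep them in step.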
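Review bot: `ENV TLS_DHPARAMS_FILE /usr/share/dovecot/dh.pem` uses the legacy whitespace-separated form; `ENV TLS_DHPARAMS_FILE=/usr/share/dovecot/dh.pem` is the form the Dockerfile reference recommends and stays unambiguous if the value ever contains spaces. More substantively, the default path is the same string the entrypoint's sed rewrites in 10-ssl.conf, i.e. the path the packaged config already refers to; if the base image's dovecot package already ships a file there, the entrypoint's new existence test means the container never generates its own parameters and serves the distribution's instead. That is acceptable for DH (the parameters are public), but it is a behaviour change from the unconditional generation this commit removes, so a comment stating which outcome is intended would help, e.g. `# default: packaged/generated DH params inside the image; override to mount a host file`.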
@@ -4,7 +4,7 @@ set -eux
 install -d -m 755 -o dovecot -g root /var/run/dovecot
 install -d -m 775 -o root -g dovecot /var/mail
 install -d -m 775 -o root -g dovecot /run/dovecot
-time openssl dhparam -out /usr/share/dovecot/dh.pem 2048
+[ -f "$TLS_DHPARAMS_FILE" ] || time openssl dhparam -out "$TLS_DHPARAMS_FILE" 2048
 DEBIAN_FRONTEND=noninteractive time make-ssl-cert generate-default-snakeoil --force-overwrite
 # I don't know why environment variables aren't expanded and I'm too interested
@@ -14,5 +14,6 @@ sed -i "s@%{env:LDAP_URIS}@$LDAP_URIS@g" /etc/dovecot/dovecot-ldap.conf.ext
 sed -i "s@%{env:LDAP_BASEDN}@$LDAP_BASEDN@g" /etc/dovecot/dovecot-ldap.conf.ext
 sed -i "s@/etc/ssl/private/ssl-cert-snakeoil.key@$TLS_KEY_FILE@g" /etc/dovecot/conf.d/10-ssl.conf
 sed -i "s@/etc/ssl/certs/ssl-cert-snakeoil.pem@$TLS_CERT_FILE@g" /etc/dovecot/conf.d/10-ssl.conf
+sed -i "s@/usr/share/dovecot/dh.pem@$TLS_DHPARAMS_FILE@g" /etc/dovecot/conf.d/10-ssl.conf
 eval exec "$@"
-- 
GitLab
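Review bot: The new `[ -f "$TLS_DHPARAMS_FILE" ] || …` guard accepts whatever file it finds without any validation, so a truncated, malformed or undersized parameter file at that path — in production a host path — is handed to Dovecot as-is and either fails only at handshake time or is served silently. A cheap check that fails the start loudly under `set -e` is `[ -f "$TLS_DHPARAMS_FILE" ] && openssl dhparam -check -noout -in "$TLS_DHPARAMS_FILE" || time openssl dhparam -out "$TLS_DHPARAMS_FILE" 2048`, or the check as its own line after the guard. An unset variable is caught by `set -u`, but an empty value passes the `-f` test and then fails on `-out ""` with a less obvious error; `: "${TLS_DHPARAMS_FILE:?}"` before the guard makes both cases explicit. The script continues outside this hunk.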
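Review bot: `sed -i "s@/usr/share/dovecot/dh.pem@$TLS_DHPARAMS_FILE@g"` interpolates the path unescaped into the replacement, so a value containing `@`, `&` or a backslash would corrupt 10-ssl.conf without any error; this mirrors the existing `$TLS_KEY_FILE` and `$TLS_CERT_FILE` lines, so it is an inherited pattern rather than something this commit introduces, but it is worth a comment on the new line, e.g. `# path is substituted verbatim: must not contain @, & or backslash`. Separately, the substitution only rewrites the literal default path; if the packaged 10-ssl.conf carries that reference commented out (`#ssl_dh = <…`), the sed edits the comment and `ssl_dh` stays unset — not visible here, worth confirming once against the image's config.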