Unverified Commit 17b5150f authored by Martin Weinelt's avatar Martin Weinelt Committed by GitHub

Revert "nixos/dovecot: improve and harden systemd unit" (#422817)

Users reported issues with this changeset in https://github.com/NixOS/nixpkgs/pull/418722.
parents a697a033 a794031c
+4 −48
@@ -692,67 +692,23 @@ in

    environment.etc."dovecot/dovecot.conf".source = cfg.configFile;

    systemd.services.dovecot = {
      aliases = [ "dovecot2.service" ];
    systemd.services.dovecot2 = {
      description = "Dovecot IMAP/POP3 server";
      documentation = [
        "man:dovecot(1)"
        "https://doc.dovecot.org"
      ];

      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      restartTriggers = [ cfg.configFile ];
      restartTriggers = [
        cfg.configFile
      ];

      startLimitIntervalSec = 60; # 1 min
      serviceConfig = {
        Type = "notify";
        ExecStart = "${dovecotPkg}/sbin/dovecot -F";
        ExecReload = "${dovecotPkg}/sbin/doveadm reload";

        CapabilityBoundingSet = [
          "CAP_CHOWN"
          "CAP_DAC_OVERRIDE"
          "CAP_FOWNER"
          "CAP_NET_BIND_SERVICE"
          "CAP_SETGID"
          "CAP_SETUID"
          "CAP_SYS_CHROOT"
          "CAP_SYS_RESOURCE"
        ];
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        OOMPolicy = "continue";
        PrivateTmp = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = lib.mkDefault false;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "full";
        PrivateDevices = true;
        Restart = "on-failure";
        RestartSec = "1s";
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = false; # sets sgid on maildirs
        RuntimeDirectory = [ "dovecot2" ];
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service @resources"
          "~@privileged"
          "@chown @setuid capset chroot"
        ];
      };

      # When copying sieve scripts preserve the original time stamp
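Review bot: After the revert the `serviceConfig` of `systemd.services.dovecot2` keeps only `Type`, `ExecStart` and `ExecReload`, so every sandboxing directive from `CapabilityBoundingSet` through `SystemCallFilter` is gone, yet nothing in the module records why; the commit description points at the PR thread but not at the directive(s) users hit. A one-line comment above `serviceConfig` would keep that history with the code, e.g. `# Systemd sandboxing was added in #418722 and reverted in #422817 after user reports; review that thread before re-adding hardening directives.` The removed `RestrictSUIDSGID = false; # sets sgid on maildirs` line shows at least one directive was already known to interact with maildir permissions, which suggests a future attempt may need individual directives relaxed rather than the whole set dropped — worth confirming against the reports. The `systemd.services.dovecot2` attribute set continues past the end of this hunk.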
+1 −3
@@ -84,13 +84,11 @@

  testScript = ''
    machine.wait_for_unit("postfix.service")
    machine.wait_for_unit("dovecot.service")
    machine.wait_for_unit("dovecot2.service")
    machine.succeed("send-testmail")
    machine.succeed("send-lda")
    machine.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
    machine.succeed("test-imap")
    machine.succeed("test-pop")

    machine.log(machine.succeed("systemd-analyze security dovecot.service | grep -v ✓"))
  '';
}