* Use ssl key paths set up by Debian as default
  - adapt mail-stack-delivery default config
  - move old mail-stack-delivery symlinks to the new dovecot-core
    pem/key links

Merge Notes:
- Debian adapted snakeoil later than Ubuntu
- It was done with slightly different paths
- We adapt our config to match on any new install
- Old modified installations will keep their conf
- Eventually these are "just" symlinks not considered conffiles
- So no mv_conffile or such to not mess with existing setups
- If they would, they would have changed path and owning package

Details:
Debian places links:
  K /etc/dovecot/private/dovecot.key -> /etc/ssl/private/ssl-cert-snakeoil.key
  C /etc/dovecot/private/dovecot.pem -> /etc/ssl/certs/ssl-cert-snakeoil.pem
old Ubuntu "dovecot": had None
old Ubuntu package: "mail-stack-delivery"
  K /etc/dovecot/private/dovecot.pem -> /etc/ssl/private/ssl-cert-snakeoil.key
  C /etc/dovecot/dovecot.pem -> /etc/ssl/certs/ssl-cert-snakeoil.pem
One might ask why did Ubuntu use the .pem name for the key, but that is
the (unchangeable) past.

What will happen:
- INSTALL: We will be like Debian does it, default works (good)
- UPGRADE: On a system which never had package mail-stack-delivery the
  ssl setup by Debian works as intended (good)
- UPGRADE: On a system that had mail-stack-delivery the dovecot postinst
  will try to create the new links to pem/key
  - the link for the cert will fail as that was the old Ubuntu
    link for the key (/etc/dovecot/private/dovecot.pem)
  - That will leave the default setup as intended by Debian broken
  - Therefore we move the keys mail-stack-delivery had set up in the
    place dovecot-core does (on upgrade)
    - On new install there is no need, so skip
    - Only on the matching upgrade (like conffile actions) so with
      version check
  - There are certain cases to this then:
    - if the user had a custom key setup on the default links this will
      retain this
    - if the user had no custom key setup the links point to the same
      default snakeoil keys as set up by dovecot-core - so the mv
      happens but is a no-op
    - if the user had removed the symlinks the dovecot-core set up keys are
      untouched (check on exist)
    - if a user had installed dovecot-core and mail-stack-delivery but
      upgrades dovecot-core before mail-stack-delivery this could overwrite
      the key it set up, but that is avoided by not moving if already
      pointing to the cert. (That is required as the new cert and the old
      key path collide)

Signed-off-by: Christian Ehrhardt <email address hidden>
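
The upgrade cases listed in the commit message, worked through as an added shell example; this is not the package's postinst code. The function name `migrate_msd_links`, its `root` prefix argument (so it can run against a scratch directory) and the detection of "already pointing to the cert" by comparing the link target with the snakeoil cert path are assumptions, and the version check is omitted because the message does not state the version.

```shell
#!/bin/sh
# Added example, not the package's postinst. migrate_msd_links and its root
# prefix argument are hypothetical; the version gate is left out.
migrate_msd_links() {
    root="${1:-}"
    old_key="$root/etc/dovecot/private/dovecot.pem"    # old Ubuntu key link
    old_cert="$root/etc/dovecot/dovecot.pem"           # old Ubuntu cert link
    new_key="$root/etc/dovecot/private/dovecot.key"    # Debian key link
    new_cert="$root/etc/dovecot/private/dovecot.pem"   # Debian cert link
    snake_cert="/etc/ssl/certs/ssl-cert-snakeoil.pem"

    # Key first, because old_key and new_cert are the same path.
    # Assumption: "already pointing to the cert" is detected by link target.
    if [ -e "$old_key" ] || [ -L "$old_key" ]; then
        if [ "$(readlink "$old_key")" != "$snake_cert" ]; then
            mv -f "$old_key" "$new_key"
        fi
    fi
    # Cert second. A removed link is skipped, so dovecot-core's link stays.
    if [ -e "$old_cert" ] || [ -L "$old_cert" ]; then
        mv -f "$old_cert" "$new_cert"
    fi
}

# Constructed demo: the old mail-stack-delivery layout in a scratch directory.
demo=$(mktemp -d)
mkdir -p "$demo/etc/dovecot/private"
ln -s /etc/ssl/private/ssl-cert-snakeoil.key "$demo/etc/dovecot/private/dovecot.pem"
ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem "$demo/etc/dovecot/dovecot.pem"
migrate_msd_links "$demo"
ls -l "$demo/etc/dovecot/private"
rm -rf "$demo"
```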