Updated for Debian 13 and dovecot 2.4

18 files changed, 23 insertions, 409 deletions

diff --git a/roles/dovecot/files/conf.d/10-auth.conf b/roles/dovecot/files/conf.d/10-auth.conf
index 7ac1eee..d6a6417 100644
--- a/roles/dovecot/files/conf.d/10-auth.conf
+++ b/roles/dovecot/files/conf.d/10-auth.conf
@@ -1,10 +1,9 @@
 # Authentication
-disable_plaintext_auth = yes
-auth_username_format = %n
+auth_allow_cleartext = no
+auth_username_format = %{user | username}
 auth_mechanisms = plain
-userdb {
-        driver = passwd
+userdb passwd {
 }
-passdb {
-        driver = pam
+passdb pam {
+  failure_show_msg = yes
 }
diff --git a/roles/dovecot/files/conf.d/10-mail.conf b/roles/dovecot/files/conf.d/10-mail.conf
index 683c5e9..8a5b61c 100644
--- a/roles/dovecot/files/conf.d/10-mail.conf
+++ b/roles/dovecot/files/conf.d/10-mail.conf
@@ -1,10 +1,14 @@
 # Mail location
-mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
+mail_driver = maildir
+mail_path = ~/Mail
+mail_inbox_path = ~/Mail/Inbox
+mailbox_list_layout = fs
 namespace inbox {
-        type = private
-        prefix = 
-        separator = /
-        inbox = yes
-        subscriptions = yes
-        list = yes
+        type = private
+        prefix =
+        separator = /
+        inbox = yes
+        subscriptions = yes
+        list = yes
 }
+
diff --git a/roles/dovecot/files/conf.d/10-master.conf b/roles/dovecot/files/conf.d/10-master.conf
index c2c9493..013ebfd 100644
--- a/roles/dovecot/files/conf.d/10-master.conf
+++ b/roles/dovecot/files/conf.d/10-master.conf
@@ -1,7 +1,7 @@
 # Master Configuration
 service imap-login {
         # Run login processes in high-security mode (see: LoginProcess.txt in dovecot docs)
-        service_count = 1
+        service_restart_request_count = 1
         # Disable unencrypted IMAP by setting port for plain IMAP to 0
         inet_listener imap {
                 port = 0
diff --git a/roles/dovecot/files/conf.d/10-tcpwrapper.conf b/roles/dovecot/files/conf.d/10-tcpwrapper.conf
deleted file mode 100644
index b237d96..0000000
--- a/roles/dovecot/files/conf.d/10-tcpwrapper.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# 10-tcpwrapper.conf
-#
-# service name for hosts.{allow|deny} are those defined as
-# inet_listener in master.conf
-#
-#login_access_sockets = tcpwrap
-#
-#service tcpwrap {
-#  unix_listener login/tcpwrap {
-#    group = $default_login_user
-#    mode = 0600
-#    user = $default_login_user
-#  }
-#}
diff --git a/roles/dovecot/files/conf.d/15-lda.conf b/roles/dovecot/files/conf.d/15-lda.conf
deleted file mode 100644
index 8538f79..0000000
--- a/roles/dovecot/files/conf.d/15-lda.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-# Local Delivery Agent
-protocol lda {
-        mail_plugins = $mail_plugins sieve
-}
diff --git a/roles/dovecot/files/conf.d/90-acl.conf b/roles/dovecot/files/conf.d/90-acl.conf
deleted file mode 100644
index f0c0e7a..0000000
--- a/roles/dovecot/files/conf.d/90-acl.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-##
-## Mailbox access control lists.
-##
-
-# vfile backend reads ACLs from "dovecot-acl" file from mail directory.
-# You can also optionally give a global ACL directory path where ACLs are
-# applied to all users' mailboxes. The global ACL directory contains
-# one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter
-# specifies how many seconds to wait between stat()ing dovecot-acl file
-# to see if it changed.
-plugin {
-  #acl = vfile:/etc/dovecot/global-acls:cache_secs=300
-}
-
-# To let users LIST mailboxes shared by other users, Dovecot needs a
-# shared mailbox dictionary. For example:
-plugin {
-  #acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
-}
diff --git a/roles/dovecot/files/conf.d/90-plugin.conf b/roles/dovecot/files/conf.d/90-plugin.conf
deleted file mode 100644
index 8c8fccf..0000000
--- a/roles/dovecot/files/conf.d/90-plugin.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-##
-## Plugin settings
-##
-
-# All wanted plugins must be listed in mail_plugins setting before any of the
-# settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and
-# their configuration. Note that %variable expansion is done for all values.
-
-plugin {
-  #setting_name = value
-}
diff --git a/roles/dovecot/files/conf.d/90-quota.conf b/roles/dovecot/files/conf.d/90-quota.conf
deleted file mode 100644
index 3308c05..0000000
--- a/roles/dovecot/files/conf.d/90-quota.conf
+++ /dev/null
@@ -1,83 +0,0 @@
-##
-## Quota configuration.
-##
-
-# Note that you also have to enable quota plugin in mail_plugins setting.
-# <doc/wiki/Quota.txt>
-
-##
-## Quota limits
-##
-
-# Quota limits are set using "quota_rule" parameters. To get per-user quota
-# limits, you can set/override them by returning "quota_rule" extra field
-# from userdb. It's also possible to give mailbox-specific limits, for example
-# to give additional 100 MB when saving to Trash:
-
-plugin {
-  #quota_rule = *:storage=1G
-  #quota_rule2 = Trash:storage=+100M
-
-  # LDA/LMTP allows saving the last mail to bring user from under quota to
-  # over quota, if the quota doesn't grow too high. Default is to allow as
-  # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
-  #quota_grace = 10%%
-
-  # Quota plugin can also limit the maximum accepted mail size.
-  #quota_max_mail_size = 100M
-}
-
-##
-## Quota warnings
-##
-
-# You can execute a given command when user exceeds a specified quota limit.
-# Each quota root has separate limits. Only the command for the first
-# exceeded limit is executed, so put the highest limit first.
-# The commands are executed via script service by connecting to the named
-# UNIX socket (quota-warning below).
-# Note that % needs to be escaped as %%, otherwise "% " expands to empty.
-
-plugin {
-  #quota_warning = storage=95%% quota-warning 95 %u
-  #quota_warning2 = storage=80%% quota-warning 80 %u
-}
-
-# Example quota-warning service. The unix listener's permissions should be
-# set in a way that mail processes can connect to it. Below example assumes
-# that mail processes run as vmail user. If you use mode=0666, all system users
-# can generate quota warnings to anyone.
-#service quota-warning {
-#  executable = script /usr/local/bin/quota-warning.sh
-#  user = dovecot
-#  unix_listener quota-warning {
-#    user = vmail
-#  }
-#}
-
-##
-## Quota backends
-##
-
-# Multiple backends are supported:
-#   dirsize: Find and sum all the files found from mail directory.
-#            Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
-#   dict: Keep quota stored in dictionary (eg. SQL)
-#   maildir: Maildir++ quota
-#   fs: Read-only support for filesystem quota
-
-plugin {
-  #quota = dirsize:User quota
-  #quota = maildir:User quota
-  #quota = dict:User quota::proxy::quota
-  #quota = fs:User quota
-}
-
-# Multiple quota roots are also possible, for example this gives each user
-# their own 100MB quota and one shared 1GB quota within the domain:
-plugin {
-  #quota = dict:user::proxy::quota
-  #quota2 = dict:domain:%d:proxy::quota_domain
-  #quota_rule = *:storage=102400
-  #quota2_rule = *:storage=1048576
-}
diff --git a/roles/dovecot/files/conf.d/90-sieve-extprograms.conf b/roles/dovecot/files/conf.d/90-sieve-extprograms.conf
deleted file mode 100644
index 17dcb77..0000000
--- a/roles/dovecot/files/conf.d/90-sieve-extprograms.conf
+++ /dev/null
@@ -1,44 +0,0 @@
-# Sieve Extprograms plugin configuration
-
-# Don't forget to add the sieve_extprograms plugin to the sieve_plugins setting.
-# Also enable the extensions you need (one or more of vnd.dovecot.pipe,
-# vnd.dovecot.filter and vnd.dovecot.execute) by adding these   to the
-# sieve_extensions or sieve_global_extensions settings. Restricting these
-# extensions to a global context using sieve_global_extensions is recommended.
-
-plugin {
-
-  # The directory where the program sockets are located for the
-  # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
-  # respectively. The name of each unix socket contained in that directory
-  # directly maps to a program-name referenced from the Sieve script.
-  #sieve_pipe_socket_dir = sieve-pipe
-  #sieve_filter_socket_dir = sieve-filter
-  #sieve_execute_socket_dir = sieve-execute
-
-  # The directory where the scripts are located for direct execution by the
-  # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
-  # respectively. The name of each script contained in that directory
-  # directly maps to a program-name referenced from the Sieve script.
-  #sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
-  #sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
-  #sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute
-}
-
-# An example program service called 'do-something' to pipe messages to
-#service do-something {
-  # Define the executed script as parameter to the sieve service
-  #executable = script /usr/lib/dovecot/sieve-pipe/do-something.sh
-
-  # Use some unprivileged user for executing the program
-  #user = dovenull
-
-  # The unix socket located in the sieve_pipe_socket_dir (as defined in the 
-  # plugin {} section above)
-  #unix_listener sieve-pipe/do-something {
-    # LDA/LMTP must have access
-  #  user = vmail  
-  #  mode = 0600
-  #}
-#}
-
diff --git a/roles/dovecot/files/conf.d/90-sieve.conf b/roles/dovecot/files/conf.d/90-sieve.conf
index c7ef6c4..a4f70d3 100644
--- a/roles/dovecot/files/conf.d/90-sieve.conf
+++ b/roles/dovecot/files/conf.d/90-sieve.conf
@@ -1,6 +1,8 @@
 # Sieve Configuration
-plugin {
-        sieve = ~/.dovecot.sieve
-        sieve_default = /var/lib/dovecot/sieve/default.sieve
-        sieve_global = /var/lib/dovecot/sieve/
+sieve_script default {
+  type = default
+  name = default
+  driver = file
+  path = /var/lib/dovecot/sieve/default.sieve
+  active_path = ~/.dovecot.sieve
 }
diff --git a/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext b/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext
deleted file mode 100644
index b2fb13a..0000000
--- a/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext
+++ /dev/null
@@ -1,21 +0,0 @@
-# Authentication for checkpassword users. Included from 10-auth.conf.
-#
-# <doc/wiki/AuthDatabase.CheckPassword.txt>
-
-passdb {
-  driver = checkpassword
-  args = /usr/bin/checkpassword
-}
-
-# passdb lookup should return also userdb info
-userdb {
-  driver = prefetch
-}
-
-# Standard checkpassword doesn't support direct userdb lookups.
-# If you need checkpassword userdb, the checkpassword must support
-# Dovecot-specific extensions.
-#userdb {
-#  driver = checkpassword
-#  args = /usr/bin/checkpassword
-#}
diff --git a/roles/dovecot/files/conf.d/auth-deny.conf.ext b/roles/dovecot/files/conf.d/auth-deny.conf.ext
deleted file mode 100644
index ce3f1cf..0000000
--- a/roles/dovecot/files/conf.d/auth-deny.conf.ext
+++ /dev/null
@@ -1,15 +0,0 @@
-# Deny access for users. Included from 10-auth.conf.
-
-# Users can be (temporarily) disabled by adding a passdb with deny=yes.
-# If the user is found from that database, authentication will fail.
-# The deny passdb should always be specified before others, so it gets
-# checked first.
-
-# Example deny passdb using passwd-file. You can use any passdb though.
-passdb {
-  driver = passwd-file
-  deny = yes
-
-  # File contains a list of usernames, one per line
-  args = /etc/dovecot/deny-users
-}
diff --git a/roles/dovecot/files/conf.d/auth-dict.conf.ext b/roles/dovecot/files/conf.d/auth-dict.conf.ext
deleted file mode 100644
index 0be4847..0000000
--- a/roles/dovecot/files/conf.d/auth-dict.conf.ext
+++ /dev/null
@@ -1,16 +0,0 @@
-# Authentication via dict backend. Included from 10-auth.conf.
-#
-# <doc/wiki/AuthDatabase.Dict.txt>
-
-passdb {
-  driver = dict
-
-  # Path for dict configuration file, see
-  # example-config/dovecot-dict-auth.conf.ext
-  args = /etc/dovecot/dovecot-dict-auth.conf.ext
-}
-
-userdb {
-  driver = dict
-  args = /etc/dovecot/dovecot-dict-auth.conf.ext
-}
diff --git a/roles/dovecot/files/conf.d/auth-master.conf.ext b/roles/dovecot/files/conf.d/auth-master.conf.ext
deleted file mode 100644
index 2cf128f..0000000
--- a/roles/dovecot/files/conf.d/auth-master.conf.ext
+++ /dev/null
@@ -1,16 +0,0 @@
-# Authentication for master users. Included from 10-auth.conf.
-
-# By adding master=yes setting inside a passdb you make the passdb a list
-# of "master users", who can log in as anyone else.
-# <doc/wiki/Authentication.MasterUsers.txt>
-
-# Example master user passdb using passwd-file. You can use any passdb though.
-passdb {
-  driver = passwd-file
-  master = yes
-  args = /etc/dovecot/master-users
-
-  # Unless you're using PAM, you probably still want the destination user to
-  # be looked up from passdb that it really exists. pass=yes does that.
-  pass = yes
-}
diff --git a/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext b/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext
deleted file mode 100644
index c89d28c..0000000
--- a/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext
+++ /dev/null
@@ -1,20 +0,0 @@
-# Authentication for passwd-file users. Included from 10-auth.conf.
-#
-# passwd-like file with specified location.
-# <doc/wiki/AuthDatabase.PasswdFile.txt>
-
-passdb {
-  driver = passwd-file
-  args = scheme=CRYPT username_format=%u /etc/dovecot/users
-}
-
-userdb {
-  driver = passwd-file
-  args = username_format=%u /etc/dovecot/users
-
-  # Default fields that can be overridden by passwd-file
-  #default_fields = quota_rule=*:storage=1G
-
-  # Override fields from passwd-file
-  #override_fields = home=/home/virtual/%u
-}
diff --git a/roles/dovecot/files/conf.d/auth-sql.conf.ext b/roles/dovecot/files/conf.d/auth-sql.conf.ext
deleted file mode 100644
index ccbea86..0000000
--- a/roles/dovecot/files/conf.d/auth-sql.conf.ext
+++ /dev/null
@@ -1,30 +0,0 @@
-# Authentication for SQL users. Included from 10-auth.conf.
-#
-# <doc/wiki/AuthDatabase.SQL.txt>
-
-passdb {
-  driver = sql
-
-  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
-  args = /etc/dovecot/dovecot-sql.conf.ext
-}
-
-# "prefetch" user database means that the passdb already provided the
-# needed information and there's no need to do a separate userdb lookup.
-# <doc/wiki/UserDatabase.Prefetch.txt>
-#userdb {
-#  driver = prefetch
-#}
-
-userdb {
-  driver = sql
-  args = /etc/dovecot/dovecot-sql.conf.ext
-}
-
-# If you don't have any user-specific settings, you can avoid the user_query
-# by using userdb static instead of userdb sql, for example:
-# <doc/wiki/UserDatabase.Static.txt>
-#userdb {
-  #driver = static
-  #args = uid=vmail gid=vmail home=/var/vmail/%u
-#}
diff --git a/roles/dovecot/files/conf.d/auth-static.conf.ext b/roles/dovecot/files/conf.d/auth-static.conf.ext
deleted file mode 100644
index 90890c5..0000000
--- a/roles/dovecot/files/conf.d/auth-static.conf.ext
+++ /dev/null
@@ -1,24 +0,0 @@
-# Static passdb. Included from 10-auth.conf.
-
-# This can be used for situations where Dovecot doesn't need to verify the
-# username or the password, or if there is a single password for all users:
-#
-#  - proxy frontend, where the backend verifies the password
-#  - proxy backend, where the frontend already verified the password
-#  - authentication with SSL certificates
-#  - simple testing
-
-#passdb {
-#  driver = static
-#  args = proxy=y host=%1Mu.example.com nopassword=y
-#}
-
-#passdb {
-#  driver = static
-#  args = password=test
-#}
-
-#userdb {
-#  driver = static
-#  args = uid=vmail gid=vmail home=/home/%u
-#}
diff --git a/roles/dovecot/files/conf.d/auth-system.conf.ext b/roles/dovecot/files/conf.d/auth-system.conf.ext
deleted file mode 100644
index dadb9f7..0000000
--- a/roles/dovecot/files/conf.d/auth-system.conf.ext
+++ /dev/null
@@ -1,74 +0,0 @@
-# Authentication for system users. Included from 10-auth.conf.
-#
-# <doc/wiki/PasswordDatabase.txt>
-# <doc/wiki/UserDatabase.txt>
-
-# PAM authentication. Preferred nowadays by most systems.
-# PAM is typically used with either userdb passwd or userdb static.
-# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
-# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
-passdb {
-  driver = pam
-  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
-  # [cache_key=<key>] [<service name>]
-  #args = dovecot
-}
-
-# System users (NSS, /etc/passwd, or similar).
-# In many systems nowadays this uses Name Service Switch, which is
-# configured in /etc/nsswitch.conf. <doc/wiki/AuthDatabase.Passwd.txt>
-#passdb {
-  #driver = passwd
-  # [blocking=no]
-  #args = 
-#}
-
-# Shadow passwords for system users (NSS, /etc/shadow or similar).
-# Deprecated by PAM nowadays.
-# <doc/wiki/PasswordDatabase.Shadow.txt>
-#passdb {
-  #driver = shadow
-  # [blocking=no]
-  #args = 
-#}
-
-# PAM-like authentication for OpenBSD.
-# <doc/wiki/PasswordDatabase.BSDAuth.txt>
-#passdb {
-  #driver = bsdauth
-  # [blocking=no] [cache_key=<key>]
-  #args =
-#}
-
-##
-## User databases
-##
-
-# System users (NSS, /etc/passwd, or similar). In many systems nowadays this
-# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
-userdb {
-  # <doc/wiki/AuthDatabase.Passwd.txt>
-  driver = passwd
-  # [blocking=no]
-  #args = 
-
-  # Override fields from passwd
-  #override_fields = home=/home/virtual/%u
-}
-
-# Static settings generated from template <doc/wiki/UserDatabase.Static.txt>
-#userdb {
-  #driver = static
-  # Can return anything a userdb could normally return. For example:
-  #
-  #  args = uid=500 gid=500 home=/var/mail/%u
-  #
-  # LDA and LMTP needs to look up users only from the userdb. This of course
-  # doesn't work with static userdb because there is no list of users.
-  # Normally static userdb handles this by doing a passdb lookup. This works
-  # with most passdbs, with PAM being the most notable exception. If you do
-  # the user verification another way, you can add allow_all_users=yes to
-  # the args in which case the passdb lookup is skipped.
-  #
-  #args =
-#}