initial commit

25 files changed, 681 insertions, 0 deletions

diff --git a/roles/dovecot/files/conf.d/10-auth.conf b/roles/dovecot/files/conf.d/10-auth.conf
new file mode 100644
index 0000000..7ac1eee
--- /dev/null
+++ b/roles/dovecot/files/conf.d/10-auth.conf
@@ -0,0 +1,10 @@
+# Authentication
+disable_plaintext_auth = yes
+auth_username_format = %n
+auth_mechanisms = plain
+userdb {
+        driver = passwd
+}
+passdb {
+        driver = pam
+}
diff --git a/roles/dovecot/files/conf.d/10-director.conf b/roles/dovecot/files/conf.d/10-director.conf
new file mode 100644
index 0000000..073d8a8
--- /dev/null
+++ b/roles/dovecot/files/conf.d/10-director.conf
@@ -0,0 +1,60 @@
+##
+## Director-specific settings.
+##
+
+# Director can be used by Dovecot proxy to keep a temporary user -> mail server
+# mapping. As long as user has simultaneous connections, the user is always
+# redirected to the same server. Each proxy server is running its own director
+# process, and the directors are communicating the state to each others.
+# Directors are mainly useful with NFS-like setups.
+
+# List of IPs or hostnames to all director servers, including ourself.
+# Ports can be specified as ip:port. The default port is the same as
+# what director service's inet_listener is using.
+#director_servers = 
+
+# List of IPs or hostnames to all backend mail servers. Ranges are allowed
+# too, like 10.0.0.10-10.0.0.30.
+#director_mail_servers = 
+
+# How long to redirect users to a specific server after it no longer has
+# any connections.
+#director_user_expire = 15 min
+
+# How the username is translated before being hashed. Useful values include
+# %Ln if user can log in with or without @domain, %Ld if mailboxes are shared
+# within domain.
+#director_username_hash = %Lu
+
+# To enable director service, uncomment the modes and assign a port.
+service director {
+  unix_listener login/director {
+    #mode = 0666
+  }
+  fifo_listener login/proxy-notify {
+    #mode = 0666
+  }
+  unix_listener director-userdb {
+    #mode = 0600
+  }
+  inet_listener {
+    #port = 
+  }
+}
+
+# Enable director for the wanted login services by telling them to
+# connect to director socket instead of the default login socket:
+service imap-login {
+  #executable = imap-login director
+}
+service pop3-login {
+  #executable = pop3-login director
+}
+service submission-login {
+  #executable = submission-login director
+}
+
+# Enable director for LMTP proxying:
+protocol lmtp {
+  #auth_socket_path = director-userdb
+}
diff --git a/roles/dovecot/files/conf.d/10-logging.conf b/roles/dovecot/files/conf.d/10-logging.conf
new file mode 100644
index 0000000..bcd6dea
--- /dev/null
+++ b/roles/dovecot/files/conf.d/10-logging.conf
@@ -0,0 +1,109 @@
+##
+## Log destination.
+##
+
+# Log file to use for error messages. "syslog" logs to syslog,
+# /dev/stderr logs to stderr.
+#log_path = syslog
+
+# Log file to use for informational messages. Defaults to log_path.
+#info_log_path = 
+# Log file to use for debug messages. Defaults to info_log_path.
+#debug_log_path = 
+
+# Syslog facility to use if you're logging to syslog. Usually if you don't
+# want to use "mail", you'll use local0..local7. Also other standard
+# facilities are supported.
+#syslog_facility = mail
+
+##
+## Logging verbosity and debugging.
+##
+
+# Log filter is a space-separated list conditions. If any of the conditions
+# match, the log filter matches (i.e. they're ORed together). Parenthesis
+# are supported if multiple conditions need to be matched together.
+# Supported conditions are:
+#  event:<name wildcard> - Match event name. '*' and '?' wildcards supported.
+#  source:<filename>[:<line number>] - Match source code filename [and line]
+#  field:<key>=<value wildcard> - Match field key to a value. Can be specified
+#    multiple times to match multiple keys.
+#  cat[egory]:<value> - Match a category. Can be specified multiple times to
+#    match multiple categories.
+# For example: event:http_request_* (cat:error cat:storage)
+
+# Filter to specify what debug logging to enable. This will eventually replace
+# mail_debug and auth_debug settings.
+#log_debug = 
+
+# Crash after logging a matching event. For example category:error will crash
+# any time an error is logged, which can be useful for debugging.
+#log_core_filter = 
+
+# Log unsuccessful authentication attempts and the reasons why they failed.
+#auth_verbose = no
+
+# In case of password mismatches, log the attempted password. Valid values are
+# no, plain and sha1. sha1 can be useful for detecting brute force password
+# attempts vs. user simply trying the same password over and over again.
+# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).
+#auth_verbose_passwords = no
+
+# Even more verbose logging for debugging purposes. Shows for example SQL
+# queries.
+#auth_debug = no
+
+# In case of password mismatches, log the passwords and used scheme so the
+# problem can be debugged. Enabling this also enables auth_debug.
+#auth_debug_passwords = no
+
+# Enable mail process debugging. This can help you figure out why Dovecot
+# isn't finding your mails.
+#mail_debug = no
+
+# Show protocol level SSL errors.
+#verbose_ssl = no
+
+# mail_log plugin provides more event logging for mail processes.
+plugin {
+  # Events to log. Also available: flag_change append
+  #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
+  # Available fields: uid, box, msgid, from, subject, size, vsize, flags
+  # size and vsize are available only for expunge and copy events.
+  #mail_log_fields = uid box msgid size
+}
+
+##
+## Log formatting.
+##
+
+# Prefix for each line written to log file. % codes are in strftime(3)
+# format.
+#log_timestamp = "%b %d %H:%M:%S "
+
+# Space-separated list of elements we want to log. The elements which have
+# a non-empty variable value are joined together to form a comma-separated
+# string.
+#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
+
+# Login log format. %s contains login_log_format_elements string, %$ contains
+# the data we want to log.
+#login_log_format = %$: %s
+ 
+# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
+# possible variables you can use.
+#mail_log_prefix = "%s(%u)<%{pid}><%{session}>: "
+
+# Format to use for logging mail deliveries:
+#  %$ - Delivery status message (e.g. "saved to INBOX")
+#  %m / %{msgid} - Message-ID
+#  %s / %{subject} - Subject
+#  %f / %{from} - From address
+#  %p / %{size} - Physical size
+#  %w / %{vsize} - Virtual size
+#  %e / %{from_envelope} - MAIL FROM envelope
+#  %{to_envelope} - RCPT TO envelope
+#  %{delivery_time} - How many milliseconds it took to deliver the mail
+#  %{session_time} - How long LMTP session took, not including delivery_time
+#  %{storage_id} - Backend-specific ID for mail, e.g. Maildir filename
+#deliver_log_format = msgid=%m: %$
diff --git a/roles/dovecot/files/conf.d/10-mail.conf b/roles/dovecot/files/conf.d/10-mail.conf
new file mode 100644
index 0000000..683c5e9
--- /dev/null
+++ b/roles/dovecot/files/conf.d/10-mail.conf
@@ -0,0 +1,10 @@
+# Mail location
+mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
+namespace inbox {
+        type = private
+        prefix = 
+        separator = /
+        inbox = yes
+        subscriptions = yes
+        list = yes
+}
diff --git a/roles/dovecot/files/conf.d/10-master.conf b/roles/dovecot/files/conf.d/10-master.conf
new file mode 100644
index 0000000..c2c9493
--- /dev/null
+++ b/roles/dovecot/files/conf.d/10-master.conf
@@ -0,0 +1,22 @@
+# Master Configuration
+service imap-login {
+        # Run login processes in high-security mode (see: LoginProcess.txt in dovecot docs)
+        service_count = 1
+        # Disable unencrypted IMAP by setting port for plain IMAP to 0
+        inet_listener imap {
+                port = 0
+        }
+        inet_listener imaps {
+                port = 993
+                ssl = yes
+        }
+}
+
+# Allow postfix to user dovecot SASL
+service auth {
+        unix_listener /var/spool/postfix/private/auth {
+                mode = 0660
+                user = postfix
+                group = postfix
+        }
+}
diff --git a/roles/dovecot/files/conf.d/10-tcpwrapper.conf b/roles/dovecot/files/conf.d/10-tcpwrapper.conf
new file mode 100644
index 0000000..b237d96
--- /dev/null
+++ b/roles/dovecot/files/conf.d/10-tcpwrapper.conf
@@ -0,0 +1,14 @@
+# 10-tcpwrapper.conf
+#
+# service name for hosts.{allow|deny} are those defined as
+# inet_listener in master.conf
+#
+#login_access_sockets = tcpwrap
+#
+#service tcpwrap {
+#  unix_listener login/tcpwrap {
+#    group = $default_login_user
+#    mode = 0600
+#    user = $default_login_user
+#  }
+#}
diff --git a/roles/dovecot/files/conf.d/15-lda.conf b/roles/dovecot/files/conf.d/15-lda.conf
new file mode 100644
index 0000000..8538f79
--- /dev/null
+++ b/roles/dovecot/files/conf.d/15-lda.conf
@@ -0,0 +1,4 @@
+# Local Delivery Agent
+protocol lda {
+        mail_plugins = $mail_plugins sieve
+}
diff --git a/roles/dovecot/files/conf.d/15-mailboxes.conf b/roles/dovecot/files/conf.d/15-mailboxes.conf
new file mode 100644
index 0000000..4de88b0
--- /dev/null
+++ b/roles/dovecot/files/conf.d/15-mailboxes.conf
@@ -0,0 +1,25 @@
+# Mailboxes
+namespace inbox {
+        mailbox Sent {
+                special_use = \Sent
+                auto = subscribe
+        }
+        mailbox Trash {
+                special_use = \Trash
+                auto = create
+                autoexpunge = 30d
+        }
+        mailbox Drafts {
+                special_use = \Drafts
+                auto = subscribe
+        }
+        mailbox Spam {
+                special_use = \Junk
+                auto = create
+                autoexpunge = 30d
+        }
+        mailbox Archive {
+                special_use = \Archive
+                auto = create
+        }
+}
diff --git a/roles/dovecot/files/conf.d/20-imap.conf b/roles/dovecot/files/conf.d/20-imap.conf
new file mode 100644
index 0000000..0e7d4ae
--- /dev/null
+++ b/roles/dovecot/files/conf.d/20-imap.conf
@@ -0,0 +1,2 @@
+# IMAP
+imap_capability = +SPECIAL-USE
diff --git a/roles/dovecot/files/conf.d/90-acl.conf b/roles/dovecot/files/conf.d/90-acl.conf
new file mode 100644
index 0000000..f0c0e7a
--- /dev/null
+++ b/roles/dovecot/files/conf.d/90-acl.conf
@@ -0,0 +1,19 @@
+##
+## Mailbox access control lists.
+##
+
+# vfile backend reads ACLs from "dovecot-acl" file from mail directory.
+# You can also optionally give a global ACL directory path where ACLs are
+# applied to all users' mailboxes. The global ACL directory contains
+# one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter
+# specifies how many seconds to wait between stat()ing dovecot-acl file
+# to see if it changed.
+plugin {
+  #acl = vfile:/etc/dovecot/global-acls:cache_secs=300
+}
+
+# To let users LIST mailboxes shared by other users, Dovecot needs a
+# shared mailbox dictionary. For example:
+plugin {
+  #acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
+}
diff --git a/roles/dovecot/files/conf.d/90-plugin.conf b/roles/dovecot/files/conf.d/90-plugin.conf
new file mode 100644
index 0000000..8c8fccf
--- /dev/null
+++ b/roles/dovecot/files/conf.d/90-plugin.conf
@@ -0,0 +1,11 @@
+##
+## Plugin settings
+##
+
+# All wanted plugins must be listed in mail_plugins setting before any of the
+# settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and
+# their configuration. Note that %variable expansion is done for all values.
+
+plugin {
+  #setting_name = value
+}
diff --git a/roles/dovecot/files/conf.d/90-quota.conf b/roles/dovecot/files/conf.d/90-quota.conf
new file mode 100644
index 0000000..3308c05
--- /dev/null
+++ b/roles/dovecot/files/conf.d/90-quota.conf
@@ -0,0 +1,83 @@
+##
+## Quota configuration.
+##
+
+# Note that you also have to enable quota plugin in mail_plugins setting.
+# <doc/wiki/Quota.txt>
+
+##
+## Quota limits
+##
+
+# Quota limits are set using "quota_rule" parameters. To get per-user quota
+# limits, you can set/override them by returning "quota_rule" extra field
+# from userdb. It's also possible to give mailbox-specific limits, for example
+# to give additional 100 MB when saving to Trash:
+
+plugin {
+  #quota_rule = *:storage=1G
+  #quota_rule2 = Trash:storage=+100M
+
+  # LDA/LMTP allows saving the last mail to bring user from under quota to
+  # over quota, if the quota doesn't grow too high. Default is to allow as
+  # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
+  #quota_grace = 10%%
+
+  # Quota plugin can also limit the maximum accepted mail size.
+  #quota_max_mail_size = 100M
+}
+
+##
+## Quota warnings
+##
+
+# You can execute a given command when user exceeds a specified quota limit.
+# Each quota root has separate limits. Only the command for the first
+# exceeded limit is executed, so put the highest limit first.
+# The commands are executed via script service by connecting to the named
+# UNIX socket (quota-warning below).
+# Note that % needs to be escaped as %%, otherwise "% " expands to empty.
+
+plugin {
+  #quota_warning = storage=95%% quota-warning 95 %u
+  #quota_warning2 = storage=80%% quota-warning 80 %u
+}
+
+# Example quota-warning service. The unix listener's permissions should be
+# set in a way that mail processes can connect to it. Below example assumes
+# that mail processes run as vmail user. If you use mode=0666, all system users
+# can generate quota warnings to anyone.
+#service quota-warning {
+#  executable = script /usr/local/bin/quota-warning.sh
+#  user = dovecot
+#  unix_listener quota-warning {
+#    user = vmail
+#  }
+#}
+
+##
+## Quota backends
+##
+
+# Multiple backends are supported:
+#   dirsize: Find and sum all the files found from mail directory.
+#            Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
+#   dict: Keep quota stored in dictionary (eg. SQL)
+#   maildir: Maildir++ quota
+#   fs: Read-only support for filesystem quota
+
+plugin {
+  #quota = dirsize:User quota
+  #quota = maildir:User quota
+  #quota = dict:User quota::proxy::quota
+  #quota = fs:User quota
+}
+
+# Multiple quota roots are also possible, for example this gives each user
+# their own 100MB quota and one shared 1GB quota within the domain:
+plugin {
+  #quota = dict:user::proxy::quota
+  #quota2 = dict:domain:%d:proxy::quota_domain
+  #quota_rule = *:storage=102400
+  #quota2_rule = *:storage=1048576
+}
diff --git a/roles/dovecot/files/conf.d/90-sieve-extprograms.conf b/roles/dovecot/files/conf.d/90-sieve-extprograms.conf
new file mode 100644
index 0000000..17dcb77
--- /dev/null
+++ b/roles/dovecot/files/conf.d/90-sieve-extprograms.conf
@@ -0,0 +1,44 @@
+# Sieve Extprograms plugin configuration
+
+# Don't forget to add the sieve_extprograms plugin to the sieve_plugins setting.
+# Also enable the extensions you need (one or more of vnd.dovecot.pipe,
+# vnd.dovecot.filter and vnd.dovecot.execute) by adding these   to the
+# sieve_extensions or sieve_global_extensions settings. Restricting these
+# extensions to a global context using sieve_global_extensions is recommended.
+
+plugin {
+
+  # The directory where the program sockets are located for the
+  # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
+  # respectively. The name of each unix socket contained in that directory
+  # directly maps to a program-name referenced from the Sieve script.
+  #sieve_pipe_socket_dir = sieve-pipe
+  #sieve_filter_socket_dir = sieve-filter
+  #sieve_execute_socket_dir = sieve-execute
+
+  # The directory where the scripts are located for direct execution by the
+  # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
+  # respectively. The name of each script contained in that directory
+  # directly maps to a program-name referenced from the Sieve script.
+  #sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
+  #sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
+  #sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute
+}
+
+# An example program service called 'do-something' to pipe messages to
+#service do-something {
+  # Define the executed script as parameter to the sieve service
+  #executable = script /usr/lib/dovecot/sieve-pipe/do-something.sh
+
+  # Use some unprivileged user for executing the program
+  #user = dovenull
+
+  # The unix socket located in the sieve_pipe_socket_dir (as defined in the 
+  # plugin {} section above)
+  #unix_listener sieve-pipe/do-something {
+    # LDA/LMTP must have access
+  #  user = vmail  
+  #  mode = 0600
+  #}
+#}
+
diff --git a/roles/dovecot/files/conf.d/90-sieve.conf b/roles/dovecot/files/conf.d/90-sieve.conf
new file mode 100644
index 0000000..c7ef6c4
--- /dev/null
+++ b/roles/dovecot/files/conf.d/90-sieve.conf
@@ -0,0 +1,6 @@
+# Sieve Configuration
+plugin {
+        sieve = ~/.dovecot.sieve
+        sieve_default = /var/lib/dovecot/sieve/default.sieve
+        sieve_global = /var/lib/dovecot/sieve/
+}
diff --git a/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext b/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext
new file mode 100644
index 0000000..b2fb13a
--- /dev/null
+++ b/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext
@@ -0,0 +1,21 @@
+# Authentication for checkpassword users. Included from 10-auth.conf.
+#
+# <doc/wiki/AuthDatabase.CheckPassword.txt>
+
+passdb {
+  driver = checkpassword
+  args = /usr/bin/checkpassword
+}
+
+# passdb lookup should return also userdb info
+userdb {
+  driver = prefetch
+}
+
+# Standard checkpassword doesn't support direct userdb lookups.
+# If you need checkpassword userdb, the checkpassword must support
+# Dovecot-specific extensions.
+#userdb {
+#  driver = checkpassword
+#  args = /usr/bin/checkpassword
+#}
diff --git a/roles/dovecot/files/conf.d/auth-deny.conf.ext b/roles/dovecot/files/conf.d/auth-deny.conf.ext
new file mode 100644
index 0000000..ce3f1cf
--- /dev/null
+++ b/roles/dovecot/files/conf.d/auth-deny.conf.ext
@@ -0,0 +1,15 @@
+# Deny access for users. Included from 10-auth.conf.
+
+# Users can be (temporarily) disabled by adding a passdb with deny=yes.
+# If the user is found from that database, authentication will fail.
+# The deny passdb should always be specified before others, so it gets
+# checked first.
+
+# Example deny passdb using passwd-file. You can use any passdb though.
+passdb {
+  driver = passwd-file
+  deny = yes
+
+  # File contains a list of usernames, one per line
+  args = /etc/dovecot/deny-users
+}
diff --git a/roles/dovecot/files/conf.d/auth-dict.conf.ext b/roles/dovecot/files/conf.d/auth-dict.conf.ext
new file mode 100644
index 0000000..0be4847
--- /dev/null
+++ b/roles/dovecot/files/conf.d/auth-dict.conf.ext
@@ -0,0 +1,16 @@
+# Authentication via dict backend. Included from 10-auth.conf.
+#
+# <doc/wiki/AuthDatabase.Dict.txt>
+
+passdb {
+  driver = dict
+
+  # Path for dict configuration file, see
+  # example-config/dovecot-dict-auth.conf.ext
+  args = /etc/dovecot/dovecot-dict-auth.conf.ext
+}
+
+userdb {
+  driver = dict
+  args = /etc/dovecot/dovecot-dict-auth.conf.ext
+}
diff --git a/roles/dovecot/files/conf.d/auth-master.conf.ext b/roles/dovecot/files/conf.d/auth-master.conf.ext
new file mode 100644
index 0000000..2cf128f
--- /dev/null
+++ b/roles/dovecot/files/conf.d/auth-master.conf.ext
@@ -0,0 +1,16 @@
+# Authentication for master users. Included from 10-auth.conf.
+
+# By adding master=yes setting inside a passdb you make the passdb a list
+# of "master users", who can log in as anyone else.
+# <doc/wiki/Authentication.MasterUsers.txt>
+
+# Example master user passdb using passwd-file. You can use any passdb though.
+passdb {
+  driver = passwd-file
+  master = yes
+  args = /etc/dovecot/master-users
+
+  # Unless you're using PAM, you probably still want the destination user to
+  # be looked up from passdb that it really exists. pass=yes does that.
+  pass = yes
+}
diff --git a/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext b/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext
new file mode 100644
index 0000000..c89d28c
--- /dev/null
+++ b/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext
@@ -0,0 +1,20 @@
+# Authentication for passwd-file users. Included from 10-auth.conf.
+#
+# passwd-like file with specified location.
+# <doc/wiki/AuthDatabase.PasswdFile.txt>
+
+passdb {
+  driver = passwd-file
+  args = scheme=CRYPT username_format=%u /etc/dovecot/users
+}
+
+userdb {
+  driver = passwd-file
+  args = username_format=%u /etc/dovecot/users
+
+  # Default fields that can be overridden by passwd-file
+  #default_fields = quota_rule=*:storage=1G
+
+  # Override fields from passwd-file
+  #override_fields = home=/home/virtual/%u
+}
diff --git a/roles/dovecot/files/conf.d/auth-sql.conf.ext b/roles/dovecot/files/conf.d/auth-sql.conf.ext
new file mode 100644
index 0000000..ccbea86
--- /dev/null
+++ b/roles/dovecot/files/conf.d/auth-sql.conf.ext
@@ -0,0 +1,30 @@
+# Authentication for SQL users. Included from 10-auth.conf.
+#
+# <doc/wiki/AuthDatabase.SQL.txt>
+
+passdb {
+  driver = sql
+
+  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
+  args = /etc/dovecot/dovecot-sql.conf.ext
+}
+
+# "prefetch" user database means that the passdb already provided the
+# needed information and there's no need to do a separate userdb lookup.
+# <doc/wiki/UserDatabase.Prefetch.txt>
+#userdb {
+#  driver = prefetch
+#}
+
+userdb {
+  driver = sql
+  args = /etc/dovecot/dovecot-sql.conf.ext
+}
+
+# If you don't have any user-specific settings, you can avoid the user_query
+# by using userdb static instead of userdb sql, for example:
+# <doc/wiki/UserDatabase.Static.txt>
+#userdb {
+  #driver = static
+  #args = uid=vmail gid=vmail home=/var/vmail/%u
+#}
diff --git a/roles/dovecot/files/conf.d/auth-static.conf.ext b/roles/dovecot/files/conf.d/auth-static.conf.ext
new file mode 100644
index 0000000..90890c5
--- /dev/null
+++ b/roles/dovecot/files/conf.d/auth-static.conf.ext
@@ -0,0 +1,24 @@
+# Static passdb. Included from 10-auth.conf.
+
+# This can be used for situations where Dovecot doesn't need to verify the
+# username or the password, or if there is a single password for all users:
+#
+#  - proxy frontend, where the backend verifies the password
+#  - proxy backend, where the frontend already verified the password
+#  - authentication with SSL certificates
+#  - simple testing
+
+#passdb {
+#  driver = static
+#  args = proxy=y host=%1Mu.example.com nopassword=y
+#}
+
+#passdb {
+#  driver = static
+#  args = password=test
+#}
+
+#userdb {
+#  driver = static
+#  args = uid=vmail gid=vmail home=/home/%u
+#}
diff --git a/roles/dovecot/files/conf.d/auth-system.conf.ext b/roles/dovecot/files/conf.d/auth-system.conf.ext
new file mode 100644
index 0000000..dadb9f7
--- /dev/null
+++ b/roles/dovecot/files/conf.d/auth-system.conf.ext
@@ -0,0 +1,74 @@
+# Authentication for system users. Included from 10-auth.conf.
+#
+# <doc/wiki/PasswordDatabase.txt>
+# <doc/wiki/UserDatabase.txt>
+
+# PAM authentication. Preferred nowadays by most systems.
+# PAM is typically used with either userdb passwd or userdb static.
+# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
+# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
+passdb {
+  driver = pam
+  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
+  # [cache_key=<key>] [<service name>]
+  #args = dovecot
+}
+
+# System users (NSS, /etc/passwd, or similar).
+# In many systems nowadays this uses Name Service Switch, which is
+# configured in /etc/nsswitch.conf. <doc/wiki/AuthDatabase.Passwd.txt>
+#passdb {
+  #driver = passwd
+  # [blocking=no]
+  #args = 
+#}
+
+# Shadow passwords for system users (NSS, /etc/shadow or similar).
+# Deprecated by PAM nowadays.
+# <doc/wiki/PasswordDatabase.Shadow.txt>
+#passdb {
+  #driver = shadow
+  # [blocking=no]
+  #args = 
+#}
+
+# PAM-like authentication for OpenBSD.
+# <doc/wiki/PasswordDatabase.BSDAuth.txt>
+#passdb {
+  #driver = bsdauth
+  # [blocking=no] [cache_key=<key>]
+  #args =
+#}
+
+##
+## User databases
+##
+
+# System users (NSS, /etc/passwd, or similar). In many systems nowadays this
+# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
+userdb {
+  # <doc/wiki/AuthDatabase.Passwd.txt>
+  driver = passwd
+  # [blocking=no]
+  #args = 
+
+  # Override fields from passwd
+  #override_fields = home=/home/virtual/%u
+}
+
+# Static settings generated from template <doc/wiki/UserDatabase.Static.txt>
+#userdb {
+  #driver = static
+  # Can return anything a userdb could normally return. For example:
+  #
+  #  args = uid=500 gid=500 home=/var/mail/%u
+  #
+  # LDA and LMTP needs to look up users only from the userdb. This of course
+  # doesn't work with static userdb because there is no list of users.
+  # Normally static userdb handles this by doing a passdb lookup. This works
+  # with most passdbs, with PAM being the most notable exception. If you do
+  # the user verification another way, you can add allow_all_users=yes to
+  # the args in which case the passdb lookup is skipped.
+  #
+  #args =
+#}
diff --git a/roles/dovecot/files/default.sieve b/roles/dovecot/files/default.sieve
new file mode 100644
index 0000000..6709988
--- /dev/null
+++ b/roles/dovecot/files/default.sieve
@@ -0,0 +1,22 @@
+require ["fileinto", "mailbox"];
+/*
+* Discard mail that has a spam score greater than or equal to 5
+*/
+if header :contains "X-Spam-Level" "*****" {
+                discard;
+                stop;
+}
+/*
+* Discard messages marked as infected by virus scanner
+*/
+if header :contains "X-Virus-Scan" "infected" {
+                discard;
+                stop;
+}
+/*
+* If message is marked as spam (and falls below discard threshold) put into spam mailbox
+*/
+if header :contains "X-Spam-Flag" "YES" {
+                fileinto "Spam";
+}
+
diff --git a/roles/dovecot/files/dovecot.conf b/roles/dovecot/files/dovecot.conf
new file mode 100644
index 0000000..14a4cf0
--- /dev/null
+++ b/roles/dovecot/files/dovecot.conf
@@ -0,0 +1,16 @@
+# Enable installed protocols
+!include_try /usr/share/dovecot/protocols.d/*.protocol
+
+dict {
+  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
+  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
+}
+
+# Most of the actual configuration gets included below. The filenames are
+# first sorted by their ASCII value and parsed in that order. The 00-prefixes
+# in filenames are intended to make it easier to understand the ordering.
+!include conf.d/*.conf
+
+# A config file can also tried to be included without giving an error if
+# it's not found:
+!include_try local.conf
diff --git a/roles/dovecot/files/dovecot_pam b/roles/dovecot/files/dovecot_pam
new file mode 100644
index 0000000..af0e0dd
--- /dev/null
+++ b/roles/dovecot/files/dovecot_pam
@@ -0,0 +1,8 @@
+#%PAM-1.0
+
+@include common-auth
+@include common-account
+@include common-session
+
+auth    required        pam_unix.so
+account required        pam_unix.so