Updated for Debian 13 and dovecot 2.4

19 files changed, 99 insertions, 414 deletions

diff --git a/roles/dovecot/files/conf.d/10-auth.conf b/roles/dovecot/files/conf.d/10-auth.conf
index 7ac1eee..d6a6417 100644
--- a/roles/dovecot/files/conf.d/10-auth.conf
+++ b/roles/dovecot/files/conf.d/10-auth.conf
@@ -1,10 +1,9 @@
 # Authentication
-disable_plaintext_auth = yes
-auth_username_format = %n
+auth_allow_cleartext = no
+auth_username_format = %{user | username}
 auth_mechanisms = plain
-userdb {
-        driver = passwd
+userdb passwd {
 }
-passdb {
-        driver = pam
+passdb pam {
+  failure_show_msg = yes
 }
diff --git a/roles/dovecot/files/conf.d/10-mail.conf b/roles/dovecot/files/conf.d/10-mail.conf
index 683c5e9..8a5b61c 100644
--- a/roles/dovecot/files/conf.d/10-mail.conf
+++ b/roles/dovecot/files/conf.d/10-mail.conf
@@ -1,10 +1,14 @@
 # Mail location
-mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
+mail_driver = maildir
+mail_path = ~/Mail
+mail_inbox_path = ~/Mail/Inbox
+mailbox_list_layout = fs
 namespace inbox {
-        type = private
-        prefix = 
-        separator = /
-        inbox = yes
-        subscriptions = yes
-        list = yes
+        type = private
+        prefix =
+        separator = /
+        inbox = yes
+        subscriptions = yes
+        list = yes
 }
+
diff --git a/roles/dovecot/files/conf.d/10-master.conf b/roles/dovecot/files/conf.d/10-master.conf
index c2c9493..013ebfd 100644
--- a/roles/dovecot/files/conf.d/10-master.conf
+++ b/roles/dovecot/files/conf.d/10-master.conf
@@ -1,7 +1,7 @@
 # Master Configuration
 service imap-login {
         # Run login processes in high-security mode (see: LoginProcess.txt in dovecot docs)
-        service_count = 1
+        service_restart_request_count = 1
         # Disable unencrypted IMAP by setting port for plain IMAP to 0
         inet_listener imap {
                 port = 0
diff --git a/roles/dovecot/files/conf.d/10-tcpwrapper.conf b/roles/dovecot/files/conf.d/10-tcpwrapper.conf
deleted file mode 100644
index b237d96..0000000
--- a/roles/dovecot/files/conf.d/10-tcpwrapper.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# 10-tcpwrapper.conf
-#
-# service name for hosts.{allow|deny} are those defined as
-# inet_listener in master.conf
-#
-#login_access_sockets = tcpwrap
-#
-#service tcpwrap {
-#  unix_listener login/tcpwrap {
-#    group = $default_login_user
-#    mode = 0600
-#    user = $default_login_user
-#  }
-#}
diff --git a/roles/dovecot/files/conf.d/15-lda.conf b/roles/dovecot/files/conf.d/15-lda.conf
deleted file mode 100644
index 8538f79..0000000
--- a/roles/dovecot/files/conf.d/15-lda.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-# Local Delivery Agent
-protocol lda {
-        mail_plugins = $mail_plugins sieve
-}
diff --git a/roles/dovecot/files/conf.d/90-acl.conf b/roles/dovecot/files/conf.d/90-acl.conf
deleted file mode 100644
index f0c0e7a..0000000
--- a/roles/dovecot/files/conf.d/90-acl.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-##
-## Mailbox access control lists.
-##
-
-# vfile backend reads ACLs from "dovecot-acl" file from mail directory.
-# You can also optionally give a global ACL directory path where ACLs are
-# applied to all users' mailboxes. The global ACL directory contains
-# one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter
-# specifies how many seconds to wait between stat()ing dovecot-acl file
-# to see if it changed.
-plugin {
-  #acl = vfile:/etc/dovecot/global-acls:cache_secs=300
-}
-
-# To let users LIST mailboxes shared by other users, Dovecot needs a
-# shared mailbox dictionary. For example:
-plugin {
-  #acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
-}
diff --git a/roles/dovecot/files/conf.d/90-plugin.conf b/roles/dovecot/files/conf.d/90-plugin.conf
deleted file mode 100644
index 8c8fccf..0000000
--- a/roles/dovecot/files/conf.d/90-plugin.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-##
-## Plugin settings
-##
-
-# All wanted plugins must be listed in mail_plugins setting before any of the
-# settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and
-# their configuration. Note that %variable expansion is done for all values.
-
-plugin {
-  #setting_name = value
-}
diff --git a/roles/dovecot/files/conf.d/90-quota.conf b/roles/dovecot/files/conf.d/90-quota.conf
deleted file mode 100644
index 3308c05..0000000
--- a/roles/dovecot/files/conf.d/90-quota.conf
+++ /dev/null
@@ -1,83 +0,0 @@
-##
-## Quota configuration.
-##
-
-# Note that you also have to enable quota plugin in mail_plugins setting.
-# <doc/wiki/Quota.txt>
-
-##
-## Quota limits
-##
-
-# Quota limits are set using "quota_rule" parameters. To get per-user quota
-# limits, you can set/override them by returning "quota_rule" extra field
-# from userdb. It's also possible to give mailbox-specific limits, for example
-# to give additional 100 MB when saving to Trash:
-
-plugin {
-  #quota_rule = *:storage=1G
-  #quota_rule2 = Trash:storage=+100M
-
-  # LDA/LMTP allows saving the last mail to bring user from under quota to
-  # over quota, if the quota doesn't grow too high. Default is to allow as
-  # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
-  #quota_grace = 10%%
-
-  # Quota plugin can also limit the maximum accepted mail size.
-  #quota_max_mail_size = 100M
-}
-
-##
-## Quota warnings
-##
-
-# You can execute a given command when user exceeds a specified quota limit.
-# Each quota root has separate limits. Only the command for the first
-# exceeded limit is executed, so put the highest limit first.
-# The commands are executed via script service by connecting to the named
-# UNIX socket (quota-warning below).
-# Note that % needs to be escaped as %%, otherwise "% " expands to empty.
-
-plugin {
-  #quota_warning = storage=95%% quota-warning 95 %u
-  #quota_warning2 = storage=80%% quota-warning 80 %u
-}
-
-# Example quota-warning service. The unix listener's permissions should be
-# set in a way that mail processes can connect to it. Below example assumes
-# that mail processes run as vmail user. If you use mode=0666, all system users
-# can generate quota warnings to anyone.
-#service quota-warning {
-#  executable = script /usr/local/bin/quota-warning.sh
-#  user = dovecot
-#  unix_listener quota-warning {
-#    user = vmail
-#  }
-#}
-
-##
-## Quota backends
-##
-
-# Multiple backends are supported:
-#   dirsize: Find and sum all the files found from mail directory.
-#            Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
-#   dict: Keep quota stored in dictionary (eg. SQL)
-#   maildir: Maildir++ quota
-#   fs: Read-only support for filesystem quota
-
-plugin {
-  #quota = dirsize:User quota
-  #quota = maildir:User quota
-  #quota = dict:User quota::proxy::quota
-  #quota = fs:User quota
-}
-
-# Multiple quota roots are also possible, for example this gives each user
-# their own 100MB quota and one shared 1GB quota within the domain:
-plugin {
-  #quota = dict:user::proxy::quota
-  #quota2 = dict:domain:%d:proxy::quota_domain
-  #quota_rule = *:storage=102400
-  #quota2_rule = *:storage=1048576
-}
diff --git a/roles/dovecot/files/conf.d/90-sieve-extprograms.conf b/roles/dovecot/files/conf.d/90-sieve-extprograms.conf
deleted file mode 100644
index 17dcb77..0000000
--- a/roles/dovecot/files/conf.d/90-sieve-extprograms.conf
+++ /dev/null
@@ -1,44 +0,0 @@
-# Sieve Extprograms plugin configuration
-
-# Don't forget to add the sieve_extprograms plugin to the sieve_plugins setting.
-# Also enable the extensions you need (one or more of vnd.dovecot.pipe,
-# vnd.dovecot.filter and vnd.dovecot.execute) by adding these   to the
-# sieve_extensions or sieve_global_extensions settings. Restricting these
-# extensions to a global context using sieve_global_extensions is recommended.
-
-plugin {
-
-  # The directory where the program sockets are located for the
-  # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
-  # respectively. The name of each unix socket contained in that directory
-  # directly maps to a program-name referenced from the Sieve script.
-  #sieve_pipe_socket_dir = sieve-pipe
-  #sieve_filter_socket_dir = sieve-filter
-  #sieve_execute_socket_dir = sieve-execute
-
-  # The directory where the scripts are located for direct execution by the
-  # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
-  # respectively. The name of each script contained in that directory
-  # directly maps to a program-name referenced from the Sieve script.
-  #sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
-  #sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
-  #sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute
-}
-
-# An example program service called 'do-something' to pipe messages to
-#service do-something {
-  # Define the executed script as parameter to the sieve service
-  #executable = script /usr/lib/dovecot/sieve-pipe/do-something.sh
-
-  # Use some unprivileged user for executing the program
-  #user = dovenull
-
-  # The unix socket located in the sieve_pipe_socket_dir (as defined in the 
-  # plugin {} section above)
-  #unix_listener sieve-pipe/do-something {
-    # LDA/LMTP must have access
-  #  user = vmail  
-  #  mode = 0600
-  #}
-#}
-
diff --git a/roles/dovecot/files/conf.d/90-sieve.conf b/roles/dovecot/files/conf.d/90-sieve.conf
index c7ef6c4..a4f70d3 100644
--- a/roles/dovecot/files/conf.d/90-sieve.conf
+++ b/roles/dovecot/files/conf.d/90-sieve.conf
@@ -1,6 +1,8 @@
 # Sieve Configuration
-plugin {
-        sieve = ~/.dovecot.sieve
-        sieve_default = /var/lib/dovecot/sieve/default.sieve
-        sieve_global = /var/lib/dovecot/sieve/
+sieve_script default {
+  type = default
+  name = default
+  driver = file
+  path = /var/lib/dovecot/sieve/default.sieve
+  active_path = ~/.dovecot.sieve
 }
diff --git a/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext b/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext
deleted file mode 100644
index b2fb13a..0000000
--- a/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext
+++ /dev/null
@@ -1,21 +0,0 @@
-# Authentication for checkpassword users. Included from 10-auth.conf.
-#
-# <doc/wiki/AuthDatabase.CheckPassword.txt>
-
-passdb {
-  driver = checkpassword
-  args = /usr/bin/checkpassword
-}
-
-# passdb lookup should return also userdb info
-userdb {
-  driver = prefetch
-}
-
-# Standard checkpassword doesn't support direct userdb lookups.
-# If you need checkpassword userdb, the checkpassword must support
-# Dovecot-specific extensions.
-#userdb {
-#  driver = checkpassword
-#  args = /usr/bin/checkpassword
-#}
diff --git a/roles/dovecot/files/conf.d/auth-deny.conf.ext b/roles/dovecot/files/conf.d/auth-deny.conf.ext
deleted file mode 100644
index ce3f1cf..0000000
--- a/roles/dovecot/files/conf.d/auth-deny.conf.ext
+++ /dev/null
@@ -1,15 +0,0 @@
-# Deny access for users. Included from 10-auth.conf.
-
-# Users can be (temporarily) disabled by adding a passdb with deny=yes.
-# If the user is found from that database, authentication will fail.
-# The deny passdb should always be specified before others, so it gets
-# checked first.
-
-# Example deny passdb using passwd-file. You can use any passdb though.
-passdb {
-  driver = passwd-file
-  deny = yes
-
-  # File contains a list of usernames, one per line
-  args = /etc/dovecot/deny-users
-}
diff --git a/roles/dovecot/files/conf.d/auth-dict.conf.ext b/roles/dovecot/files/conf.d/auth-dict.conf.ext
deleted file mode 100644
index 0be4847..0000000
--- a/roles/dovecot/files/conf.d/auth-dict.conf.ext
+++ /dev/null
@@ -1,16 +0,0 @@
-# Authentication via dict backend. Included from 10-auth.conf.
-#
-# <doc/wiki/AuthDatabase.Dict.txt>
-
-passdb {
-  driver = dict
-
-  # Path for dict configuration file, see
-  # example-config/dovecot-dict-auth.conf.ext
-  args = /etc/dovecot/dovecot-dict-auth.conf.ext
-}
-
-userdb {
-  driver = dict
-  args = /etc/dovecot/dovecot-dict-auth.conf.ext
-}
diff --git a/roles/dovecot/files/conf.d/auth-master.conf.ext b/roles/dovecot/files/conf.d/auth-master.conf.ext
deleted file mode 100644
index 2cf128f..0000000
--- a/roles/dovecot/files/conf.d/auth-master.conf.ext
+++ /dev/null
@@ -1,16 +0,0 @@
-# Authentication for master users. Included from 10-auth.conf.
-
-# By adding master=yes setting inside a passdb you make the passdb a list
-# of "master users", who can log in as anyone else.
-# <doc/wiki/Authentication.MasterUsers.txt>
-
-# Example master user passdb using passwd-file. You can use any passdb though.
-passdb {
-  driver = passwd-file
-  master = yes
-  args = /etc/dovecot/master-users
-
-  # Unless you're using PAM, you probably still want the destination user to
-  # be looked up from passdb that it really exists. pass=yes does that.
-  pass = yes
-}
diff --git a/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext b/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext
deleted file mode 100644
index c89d28c..0000000
--- a/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext
+++ /dev/null
@@ -1,20 +0,0 @@
-# Authentication for passwd-file users. Included from 10-auth.conf.
-#
-# passwd-like file with specified location.
-# <doc/wiki/AuthDatabase.PasswdFile.txt>
-
-passdb {
-  driver = passwd-file
-  args = scheme=CRYPT username_format=%u /etc/dovecot/users
-}
-
-userdb {
-  driver = passwd-file
-  args = username_format=%u /etc/dovecot/users
-
-  # Default fields that can be overridden by passwd-file
-  #default_fields = quota_rule=*:storage=1G
-
-  # Override fields from passwd-file
-  #override_fields = home=/home/virtual/%u
-}
diff --git a/roles/dovecot/files/conf.d/auth-sql.conf.ext b/roles/dovecot/files/conf.d/auth-sql.conf.ext
deleted file mode 100644
index ccbea86..0000000
--- a/roles/dovecot/files/conf.d/auth-sql.conf.ext
+++ /dev/null
@@ -1,30 +0,0 @@
-# Authentication for SQL users. Included from 10-auth.conf.
-#
-# <doc/wiki/AuthDatabase.SQL.txt>
-
-passdb {
-  driver = sql
-
-  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
-  args = /etc/dovecot/dovecot-sql.conf.ext
-}
-
-# "prefetch" user database means that the passdb already provided the
-# needed information and there's no need to do a separate userdb lookup.
-# <doc/wiki/UserDatabase.Prefetch.txt>
-#userdb {
-#  driver = prefetch
-#}
-
-userdb {
-  driver = sql
-  args = /etc/dovecot/dovecot-sql.conf.ext
-}
-
-# If you don't have any user-specific settings, you can avoid the user_query
-# by using userdb static instead of userdb sql, for example:
-# <doc/wiki/UserDatabase.Static.txt>
-#userdb {
-  #driver = static
-  #args = uid=vmail gid=vmail home=/var/vmail/%u
-#}
diff --git a/roles/dovecot/files/conf.d/auth-static.conf.ext b/roles/dovecot/files/conf.d/auth-static.conf.ext
deleted file mode 100644
index 90890c5..0000000
--- a/roles/dovecot/files/conf.d/auth-static.conf.ext
+++ /dev/null
@@ -1,24 +0,0 @@
-# Static passdb. Included from 10-auth.conf.
-
-# This can be used for situations where Dovecot doesn't need to verify the
-# username or the password, or if there is a single password for all users:
-#
-#  - proxy frontend, where the backend verifies the password
-#  - proxy backend, where the frontend already verified the password
-#  - authentication with SSL certificates
-#  - simple testing
-
-#passdb {
-#  driver = static
-#  args = proxy=y host=%1Mu.example.com nopassword=y
-#}
-
-#passdb {
-#  driver = static
-#  args = password=test
-#}
-
-#userdb {
-#  driver = static
-#  args = uid=vmail gid=vmail home=/home/%u
-#}
diff --git a/roles/dovecot/files/conf.d/auth-system.conf.ext b/roles/dovecot/files/conf.d/auth-system.conf.ext
deleted file mode 100644
index dadb9f7..0000000
--- a/roles/dovecot/files/conf.d/auth-system.conf.ext
+++ /dev/null
@@ -1,74 +0,0 @@
-# Authentication for system users. Included from 10-auth.conf.
-#
-# <doc/wiki/PasswordDatabase.txt>
-# <doc/wiki/UserDatabase.txt>
-
-# PAM authentication. Preferred nowadays by most systems.
-# PAM is typically used with either userdb passwd or userdb static.
-# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
-# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
-passdb {
-  driver = pam
-  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
-  # [cache_key=<key>] [<service name>]
-  #args = dovecot
-}
-
-# System users (NSS, /etc/passwd, or similar).
-# In many systems nowadays this uses Name Service Switch, which is
-# configured in /etc/nsswitch.conf. <doc/wiki/AuthDatabase.Passwd.txt>
-#passdb {
-  #driver = passwd
-  # [blocking=no]
-  #args = 
-#}
-
-# Shadow passwords for system users (NSS, /etc/shadow or similar).
-# Deprecated by PAM nowadays.
-# <doc/wiki/PasswordDatabase.Shadow.txt>
-#passdb {
-  #driver = shadow
-  # [blocking=no]
-  #args = 
-#}
-
-# PAM-like authentication for OpenBSD.
-# <doc/wiki/PasswordDatabase.BSDAuth.txt>
-#passdb {
-  #driver = bsdauth
-  # [blocking=no] [cache_key=<key>]
-  #args =
-#}
-
-##
-## User databases
-##
-
-# System users (NSS, /etc/passwd, or similar). In many systems nowadays this
-# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
-userdb {
-  # <doc/wiki/AuthDatabase.Passwd.txt>
-  driver = passwd
-  # [blocking=no]
-  #args = 
-
-  # Override fields from passwd
-  #override_fields = home=/home/virtual/%u
-}
-
-# Static settings generated from template <doc/wiki/UserDatabase.Static.txt>
-#userdb {
-  #driver = static
-  # Can return anything a userdb could normally return. For example:
-  #
-  #  args = uid=500 gid=500 home=/var/mail/%u
-  #
-  # LDA and LMTP needs to look up users only from the userdb. This of course
-  # doesn't work with static userdb because there is no list of users.
-  # Normally static userdb handles this by doing a passdb lookup. This works
-  # with most passdbs, with PAM being the most notable exception. If you do
-  # the user verification another way, you can add allow_all_users=yes to
-  # the args in which case the passdb lookup is skipped.
-  #
-  #args =
-#}
diff --git a/roles/dovecot/files/dovecot.conf b/roles/dovecot/files/dovecot.conf
index 14a4cf0..ee7eb33 100644
--- a/roles/dovecot/files/dovecot.conf
+++ b/roles/dovecot/files/dovecot.conf
@@ -1,10 +1,81 @@
-# Enable installed protocols
+## Dovecot configuration file
+
+# If you're in a hurry, see https://doc.dovecot.org/latest/core/config/guides/quick.html
+
+# "doveconf -n" command gives a clean output of the changed settings. Use it
+# instead of copy&pasting files when posting to the Dovecot mailing list.
+
+# '#' character and everything after it is treated as comments. Extra spaces
+# and tabs are ignored. If you want to use either of these explicitly, put the
+# value inside quotes, eg.: key = "# char and trailing whitespace  "
+
+# Default values are shown for each setting, it's not required to uncomment
+# those. These are exceptions to this though: No sections (e.g. namespace {})
+# or plugin settings are added by default, they're listed only as examples.
+# Paths are also just examples with the real defaults being based on configure
+# options. The paths listed here are for configure --prefix=/usr/local
+# --sysconfdir=/usr/local/etc --localstatedir=/var
+
+dovecot_config_version = 2.4.0
+dovecot_storage_version = 2.4.0
+
+# Protocols we want to be serving.
+#protocols = imap pop3 lmtp
 !include_try /usr/share/dovecot/protocols.d/*.protocol
 
-dict {
-  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
-  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
-}
+# A comma separated list of IPs or hosts where to listen in for connections. 
+# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
+# If you want to specify non-default ports or anything more complex,
+# edit conf.d/master.conf.
+#listen = *, ::
+
+# Base directory where to store runtime data.
+#base_dir = /var/run/dovecot/
+
+# Name of this instance. In multi-instance setup doveadm and other commands
+# can use -i <instance_name> to select which instance is used (an alternative
+# to -c <config_path>). The instance name is also added to Dovecot processes
+# in ps output.
+#instance_name = dovecot
+
+# Greeting message for clients.
+#login_greeting = Dovecot ready.
+
+# Space separated list of trusted network ranges. Connections from these
+# IPs are allowed to override their IP addresses and ports (for logging and
+# for authentication checks). disable_plaintext_auth is also ignored for
+# these networks, unless ssl=required.
+# Typically you'd specify your IMAP proxy servers here.
+#login_trusted_networks =
+
+# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
+# proxying. This isn't necessary normally, but may be useful if the destination
+# IP is e.g. a load balancer's IP.
+#auth_proxy_self =
+
+# Show more verbose process titles (in ps). Currently shows user name and
+# IP address. Useful for seeing who are actually using the IMAP processes
+# (eg. shared mailboxes or if same uid is used for multiple accounts).
+#verbose_proctitle = yes
+
+# Should all processes be killed when Dovecot master process shuts down.
+# Setting this to "no" means that Dovecot can be upgraded without
+# forcing existing client connections to close (although that could also be
+# a problem if the upgrade is e.g. because of a security fix).
+#shutdown_clients = yes
+
+# If non-zero, run mail commands via this many connections to doveadm server,
+# instead of running them directly in the same process.
+#doveadm_worker_count = 0
+# UNIX socket or host:port used for connecting to doveadm server
+#doveadm_socket_path = doveadm-server
+
+# Space separated list of environment variables that are preserved on Dovecot
+# startup and passed down to all of its child processes. You can also give
+# key=value pairs to always set specific settings.
+#import_environment {
+#  TZ=%{env:TZ}
+#}
 
 # Most of the actual configuration gets included below. The filenames are
 # first sorted by their ASCII value and parsed in that order. The 00-prefixes