20 files changed, 101 insertions, 418 deletions

diff --git a/README.md b/README.md
index 0318337..2335ab0 100644
--- a/README.md
+++ b/README.md
@@ -62,9 +62,7 @@ The records are in BIND9 format but the values can be extracted for use on any p
 ## FAQ
 
 ### Distros
-I have only tested this on Debian 12 and that is currently the only "supported" distro.  
-
-This will likely not work on Debian 11 due to some changes with the spamassassin package, but could easily be modified to work.  
+I have only tested this on Debian 12 and 13 and that is currently the only "supported" distro.  
 
 It will likely also work with current versions of Ubuntu but may require some modifications there also.
 
@@ -98,5 +96,5 @@ As a security precaution, the user's shell is set to /usr/sbin/nologin to preven
 management access to the server.
 
 ### Multiple Domains
-The playbook will configure the mail server for a single domain.  However, there is nothing in the configuration preventing a mult-domain setup.
+The playbook will configure the mail server for a single domain.  However, there is nothing in the configuration preventing a multi-domain setup.
 Setting up multiple domains will require some manual configuration of postfix main.cf.
diff --git a/roles/dovecot/files/conf.d/10-auth.conf b/roles/dovecot/files/conf.d/10-auth.conf
index 7ac1eee..d6a6417 100644
--- a/roles/dovecot/files/conf.d/10-auth.conf
+++ b/roles/dovecot/files/conf.d/10-auth.conf
@@ -1,10 +1,9 @@
 # Authentication
-disable_plaintext_auth = yes
-auth_username_format = %n
+auth_allow_cleartext = no
+auth_username_format = %{user | username}
 auth_mechanisms = plain
-userdb {
-        driver = passwd
+userdb passwd {
 }
-passdb {
-        driver = pam
+passdb pam {
+  failure_show_msg = yes
 }
diff --git a/roles/dovecot/files/conf.d/10-mail.conf b/roles/dovecot/files/conf.d/10-mail.conf
index 683c5e9..8a5b61c 100644
--- a/roles/dovecot/files/conf.d/10-mail.conf
+++ b/roles/dovecot/files/conf.d/10-mail.conf
@@ -1,10 +1,14 @@
 # Mail location
-mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
+mail_driver = maildir
+mail_path = ~/Mail
+mail_inbox_path = ~/Mail/Inbox
+mailbox_list_layout = fs
 namespace inbox {
-        type = private
-        prefix = 
-        separator = /
-        inbox = yes
-        subscriptions = yes
-        list = yes
+        type = private
+        prefix =
+        separator = /
+        inbox = yes
+        subscriptions = yes
+        list = yes
 }
+
diff --git a/roles/dovecot/files/conf.d/10-master.conf b/roles/dovecot/files/conf.d/10-master.conf
index c2c9493..013ebfd 100644
--- a/roles/dovecot/files/conf.d/10-master.conf
+++ b/roles/dovecot/files/conf.d/10-master.conf
@@ -1,7 +1,7 @@
 # Master Configuration
 service imap-login {
         # Run login processes in high-security mode (see: LoginProcess.txt in dovecot docs)
-        service_count = 1
+        service_restart_request_count = 1
         # Disable unencrypted IMAP by setting port for plain IMAP to 0
         inet_listener imap {
                 port = 0
diff --git a/roles/dovecot/files/conf.d/10-tcpwrapper.conf b/roles/dovecot/files/conf.d/10-tcpwrapper.conf
deleted file mode 100644
index b237d96..0000000
--- a/roles/dovecot/files/conf.d/10-tcpwrapper.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# 10-tcpwrapper.conf
-#
-# service name for hosts.{allow|deny} are those defined as
-# inet_listener in master.conf
-#
-#login_access_sockets = tcpwrap
-#
-#service tcpwrap {
-#  unix_listener login/tcpwrap {
-#    group = $default_login_user
-#    mode = 0600
-#    user = $default_login_user
-#  }
-#}
diff --git a/roles/dovecot/files/conf.d/15-lda.conf b/roles/dovecot/files/conf.d/15-lda.conf
deleted file mode 100644
index 8538f79..0000000
--- a/roles/dovecot/files/conf.d/15-lda.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-# Local Delivery Agent
-protocol lda {
-        mail_plugins = $mail_plugins sieve
-}
diff --git a/roles/dovecot/files/conf.d/90-acl.conf b/roles/dovecot/files/conf.d/90-acl.conf
deleted file mode 100644
index f0c0e7a..0000000
--- a/roles/dovecot/files/conf.d/90-acl.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-##
-## Mailbox access control lists.
-##
-
-# vfile backend reads ACLs from "dovecot-acl" file from mail directory.
-# You can also optionally give a global ACL directory path where ACLs are
-# applied to all users' mailboxes. The global ACL directory contains
-# one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter
-# specifies how many seconds to wait between stat()ing dovecot-acl file
-# to see if it changed.
-plugin {
-  #acl = vfile:/etc/dovecot/global-acls:cache_secs=300
-}
-
-# To let users LIST mailboxes shared by other users, Dovecot needs a
-# shared mailbox dictionary. For example:
-plugin {
-  #acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
-}
diff --git a/roles/dovecot/files/conf.d/90-plugin.conf b/roles/dovecot/files/conf.d/90-plugin.conf
deleted file mode 100644
index 8c8fccf..0000000
--- a/roles/dovecot/files/conf.d/90-plugin.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-##
-## Plugin settings
-##
-
-# All wanted plugins must be listed in mail_plugins setting before any of the
-# settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and
-# their configuration. Note that %variable expansion is done for all values.
-
-plugin {
-  #setting_name = value
-}
diff --git a/roles/dovecot/files/conf.d/90-quota.conf b/roles/dovecot/files/conf.d/90-quota.conf
deleted file mode 100644
index 3308c05..0000000
--- a/roles/dovecot/files/conf.d/90-quota.conf
+++ /dev/null
@@ -1,83 +0,0 @@
-##
-## Quota configuration.
-##
-
-# Note that you also have to enable quota plugin in mail_plugins setting.
-# <doc/wiki/Quota.txt>
-
-##
-## Quota limits
-##
-
-# Quota limits are set using "quota_rule" parameters. To get per-user quota
-# limits, you can set/override them by returning "quota_rule" extra field
-# from userdb. It's also possible to give mailbox-specific limits, for example
-# to give additional 100 MB when saving to Trash:
-
-plugin {
-  #quota_rule = *:storage=1G
-  #quota_rule2 = Trash:storage=+100M
-
-  # LDA/LMTP allows saving the last mail to bring user from under quota to
-  # over quota, if the quota doesn't grow too high. Default is to allow as
-  # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
-  #quota_grace = 10%%
-
-  # Quota plugin can also limit the maximum accepted mail size.
-  #quota_max_mail_size = 100M
-}
-
-##
-## Quota warnings
-##
-
-# You can execute a given command when user exceeds a specified quota limit.
-# Each quota root has separate limits. Only the command for the first
-# exceeded limit is executed, so put the highest limit first.
-# The commands are executed via script service by connecting to the named
-# UNIX socket (quota-warning below).
-# Note that % needs to be escaped as %%, otherwise "% " expands to empty.
-
-plugin {
-  #quota_warning = storage=95%% quota-warning 95 %u
-  #quota_warning2 = storage=80%% quota-warning 80 %u
-}
-
-# Example quota-warning service. The unix listener's permissions should be
-# set in a way that mail processes can connect to it. Below example assumes
-# that mail processes run as vmail user. If you use mode=0666, all system users
-# can generate quota warnings to anyone.
-#service quota-warning {
-#  executable = script /usr/local/bin/quota-warning.sh
-#  user = dovecot
-#  unix_listener quota-warning {
-#    user = vmail
-#  }
-#}
-
-##
-## Quota backends
-##
-
-# Multiple backends are supported:
-#   dirsize: Find and sum all the files found from mail directory.
-#            Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
-#   dict: Keep quota stored in dictionary (eg. SQL)
-#   maildir: Maildir++ quota
-#   fs: Read-only support for filesystem quota
-
-plugin {
-  #quota = dirsize:User quota
-  #quota = maildir:User quota
-  #quota = dict:User quota::proxy::quota
-  #quota = fs:User quota
-}
-
-# Multiple quota roots are also possible, for example this gives each user
-# their own 100MB quota and one shared 1GB quota within the domain:
-plugin {
-  #quota = dict:user::proxy::quota
-  #quota2 = dict:domain:%d:proxy::quota_domain
-  #quota_rule = *:storage=102400
-  #quota2_rule = *:storage=1048576
-}
diff --git a/roles/dovecot/files/conf.d/90-sieve-extprograms.conf b/roles/dovecot/files/conf.d/90-sieve-extprograms.conf
deleted file mode 100644
index 17dcb77..0000000
--- a/roles/dovecot/files/conf.d/90-sieve-extprograms.conf
+++ /dev/null
@@ -1,44 +0,0 @@
-# Sieve Extprograms plugin configuration
-
-# Don't forget to add the sieve_extprograms plugin to the sieve_plugins setting.
-# Also enable the extensions you need (one or more of vnd.dovecot.pipe,
-# vnd.dovecot.filter and vnd.dovecot.execute) by adding these   to the
-# sieve_extensions or sieve_global_extensions settings. Restricting these
-# extensions to a global context using sieve_global_extensions is recommended.
-
-plugin {
-
-  # The directory where the program sockets are located for the
-  # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
-  # respectively. The name of each unix socket contained in that directory
-  # directly maps to a program-name referenced from the Sieve script.
-  #sieve_pipe_socket_dir = sieve-pipe
-  #sieve_filter_socket_dir = sieve-filter
-  #sieve_execute_socket_dir = sieve-execute
-
-  # The directory where the scripts are located for direct execution by the
-  # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
-  # respectively. The name of each script contained in that directory
-  # directly maps to a program-name referenced from the Sieve script.
-  #sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
-  #sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
-  #sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute
-}
-
-# An example program service called 'do-something' to pipe messages to
-#service do-something {
-  # Define the executed script as parameter to the sieve service
-  #executable = script /usr/lib/dovecot/sieve-pipe/do-something.sh
-
-  # Use some unprivileged user for executing the program
-  #user = dovenull
-
-  # The unix socket located in the sieve_pipe_socket_dir (as defined in the 
-  # plugin {} section above)
-  #unix_listener sieve-pipe/do-something {
-    # LDA/LMTP must have access
-  #  user = vmail  
-  #  mode = 0600
-  #}
-#}
-
diff --git a/roles/dovecot/files/conf.d/90-sieve.conf b/roles/dovecot/files/conf.d/90-sieve.conf
index c7ef6c4..a4f70d3 100644
--- a/roles/dovecot/files/conf.d/90-sieve.conf
+++ b/roles/dovecot/files/conf.d/90-sieve.conf
@@ -1,6 +1,8 @@
 # Sieve Configuration
-plugin {
-        sieve = ~/.dovecot.sieve
-        sieve_default = /var/lib/dovecot/sieve/default.sieve
-        sieve_global = /var/lib/dovecot/sieve/
+sieve_script default {
+  type = default
+  name = default
+  driver = file
+  path = /var/lib/dovecot/sieve/default.sieve
+  active_path = ~/.dovecot.sieve
 }
diff --git a/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext b/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext
deleted file mode 100644
index b2fb13a..0000000
--- a/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext
+++ /dev/null
@@ -1,21 +0,0 @@
-# Authentication for checkpassword users. Included from 10-auth.conf.
-#
-# <doc/wiki/AuthDatabase.CheckPassword.txt>
-
-passdb {
-  driver = checkpassword
-  args = /usr/bin/checkpassword
-}
-
-# passdb lookup should return also userdb info
-userdb {
-  driver = prefetch
-}
-
-# Standard checkpassword doesn't support direct userdb lookups.
-# If you need checkpassword userdb, the checkpassword must support
-# Dovecot-specific extensions.
-#userdb {
-#  driver = checkpassword
-#  args = /usr/bin/checkpassword
-#}
diff --git a/roles/dovecot/files/conf.d/auth-deny.conf.ext b/roles/dovecot/files/conf.d/auth-deny.conf.ext
deleted file mode 100644
index ce3f1cf..0000000
--- a/roles/dovecot/files/conf.d/auth-deny.conf.ext
+++ /dev/null
@@ -1,15 +0,0 @@
-# Deny access for users. Included from 10-auth.conf.
-
-# Users can be (temporarily) disabled by adding a passdb with deny=yes.
-# If the user is found from that database, authentication will fail.
-# The deny passdb should always be specified before others, so it gets
-# checked first.
-
-# Example deny passdb using passwd-file. You can use any passdb though.
-passdb {
-  driver = passwd-file
-  deny = yes
-
-  # File contains a list of usernames, one per line
-  args = /etc/dovecot/deny-users
-}
diff --git a/roles/dovecot/files/conf.d/auth-dict.conf.ext b/roles/dovecot/files/conf.d/auth-dict.conf.ext
deleted file mode 100644
index 0be4847..0000000
--- a/roles/dovecot/files/conf.d/auth-dict.conf.ext
+++ /dev/null
@@ -1,16 +0,0 @@
-# Authentication via dict backend. Included from 10-auth.conf.
-#
-# <doc/wiki/AuthDatabase.Dict.txt>
-
-passdb {
-  driver = dict
-
-  # Path for dict configuration file, see
-  # example-config/dovecot-dict-auth.conf.ext
-  args = /etc/dovecot/dovecot-dict-auth.conf.ext
-}
-
-userdb {
-  driver = dict
-  args = /etc/dovecot/dovecot-dict-auth.conf.ext
-}
diff --git a/roles/dovecot/files/conf.d/auth-master.conf.ext b/roles/dovecot/files/conf.d/auth-master.conf.ext
deleted file mode 100644
index 2cf128f..0000000
--- a/roles/dovecot/files/conf.d/auth-master.conf.ext
+++ /dev/null
@@ -1,16 +0,0 @@
-# Authentication for master users. Included from 10-auth.conf.
-
-# By adding master=yes setting inside a passdb you make the passdb a list
-# of "master users", who can log in as anyone else.
-# <doc/wiki/Authentication.MasterUsers.txt>
-
-# Example master user passdb using passwd-file. You can use any passdb though.
-passdb {
-  driver = passwd-file
-  master = yes
-  args = /etc/dovecot/master-users
-
-  # Unless you're using PAM, you probably still want the destination user to
-  # be looked up from passdb that it really exists. pass=yes does that.
-  pass = yes
-}
diff --git a/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext b/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext
deleted file mode 100644
index c89d28c..0000000
--- a/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext
+++ /dev/null
@@ -1,20 +0,0 @@
-# Authentication for passwd-file users. Included from 10-auth.conf.
-#
-# passwd-like file with specified location.
-# <doc/wiki/AuthDatabase.PasswdFile.txt>
-
-passdb {
-  driver = passwd-file
-  args = scheme=CRYPT username_format=%u /etc/dovecot/users
-}
-
-userdb {
-  driver = passwd-file
-  args = username_format=%u /etc/dovecot/users
-
-  # Default fields that can be overridden by passwd-file
-  #default_fields = quota_rule=*:storage=1G
-
-  # Override fields from passwd-file
-  #override_fields = home=/home/virtual/%u
-}
diff --git a/roles/dovecot/files/conf.d/auth-sql.conf.ext b/roles/dovecot/files/conf.d/auth-sql.conf.ext
deleted file mode 100644
index ccbea86..0000000
--- a/roles/dovecot/files/conf.d/auth-sql.conf.ext
+++ /dev/null
@@ -1,30 +0,0 @@
-# Authentication for SQL users. Included from 10-auth.conf.
-#
-# <doc/wiki/AuthDatabase.SQL.txt>
-
-passdb {
-  driver = sql
-
-  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
-  args = /etc/dovecot/dovecot-sql.conf.ext
-}
-
-# "prefetch" user database means that the passdb already provided the
-# needed information and there's no need to do a separate userdb lookup.
-# <doc/wiki/UserDatabase.Prefetch.txt>
-#userdb {
-#  driver = prefetch
-#}
-
-userdb {
-  driver = sql
-  args = /etc/dovecot/dovecot-sql.conf.ext
-}
-
-# If you don't have any user-specific settings, you can avoid the user_query
-# by using userdb static instead of userdb sql, for example:
-# <doc/wiki/UserDatabase.Static.txt>
-#userdb {
-  #driver = static
-  #args = uid=vmail gid=vmail home=/var/vmail/%u
-#}
diff --git a/roles/dovecot/files/conf.d/auth-static.conf.ext b/roles/dovecot/files/conf.d/auth-static.conf.ext
deleted file mode 100644
index 90890c5..0000000
--- a/roles/dovecot/files/conf.d/auth-static.conf.ext
+++ /dev/null
@@ -1,24 +0,0 @@
-# Static passdb. Included from 10-auth.conf.
-
-# This can be used for situations where Dovecot doesn't need to verify the
-# username or the password, or if there is a single password for all users:
-#
-#  - proxy frontend, where the backend verifies the password
-#  - proxy backend, where the frontend already verified the password
-#  - authentication with SSL certificates
-#  - simple testing
-
-#passdb {
-#  driver = static
-#  args = proxy=y host=%1Mu.example.com nopassword=y
-#}
-
-#passdb {
-#  driver = static
-#  args = password=test
-#}
-
-#userdb {
-#  driver = static
-#  args = uid=vmail gid=vmail home=/home/%u
-#}
diff --git a/roles/dovecot/files/conf.d/auth-system.conf.ext b/roles/dovecot/files/conf.d/auth-system.conf.ext
deleted file mode 100644
index dadb9f7..0000000
--- a/roles/dovecot/files/conf.d/auth-system.conf.ext
+++ /dev/null
@@ -1,74 +0,0 @@
-# Authentication for system users. Included from 10-auth.conf.
-#
-# <doc/wiki/PasswordDatabase.txt>
-# <doc/wiki/UserDatabase.txt>
-
-# PAM authentication. Preferred nowadays by most systems.
-# PAM is typically used with either userdb passwd or userdb static.
-# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
-# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
-passdb {
-  driver = pam
-  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
-  # [cache_key=<key>] [<service name>]
-  #args = dovecot
-}
-
-# System users (NSS, /etc/passwd, or similar).
-# In many systems nowadays this uses Name Service Switch, which is
-# configured in /etc/nsswitch.conf. <doc/wiki/AuthDatabase.Passwd.txt>
-#passdb {
-  #driver = passwd
-  # [blocking=no]
-  #args = 
-#}
-
-# Shadow passwords for system users (NSS, /etc/shadow or similar).
-# Deprecated by PAM nowadays.
-# <doc/wiki/PasswordDatabase.Shadow.txt>
-#passdb {
-  #driver = shadow
-  # [blocking=no]
-  #args = 
-#}
-
-# PAM-like authentication for OpenBSD.
-# <doc/wiki/PasswordDatabase.BSDAuth.txt>
-#passdb {
-  #driver = bsdauth
-  # [blocking=no] [cache_key=<key>]
-  #args =
-#}
-
-##
-## User databases
-##
-
-# System users (NSS, /etc/passwd, or similar). In many systems nowadays this
-# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
-userdb {
-  # <doc/wiki/AuthDatabase.Passwd.txt>
-  driver = passwd
-  # [blocking=no]
-  #args = 
-
-  # Override fields from passwd
-  #override_fields = home=/home/virtual/%u
-}
-
-# Static settings generated from template <doc/wiki/UserDatabase.Static.txt>
-#userdb {
-  #driver = static
-  # Can return anything a userdb could normally return. For example:
-  #
-  #  args = uid=500 gid=500 home=/var/mail/%u
-  #
-  # LDA and LMTP needs to look up users only from the userdb. This of course
-  # doesn't work with static userdb because there is no list of users.
-  # Normally static userdb handles this by doing a passdb lookup. This works
-  # with most passdbs, with PAM being the most notable exception. If you do
-  # the user verification another way, you can add allow_all_users=yes to
-  # the args in which case the passdb lookup is skipped.
-  #
-  #args =
-#}
diff --git a/roles/dovecot/files/dovecot.conf b/roles/dovecot/files/dovecot.conf
index 14a4cf0..ee7eb33 100644
--- a/roles/dovecot/files/dovecot.conf
+++ b/roles/dovecot/files/dovecot.conf
@@ -1,10 +1,81 @@
-# Enable installed protocols
+## Dovecot configuration file
+
+# If you're in a hurry, see https://doc.dovecot.org/latest/core/config/guides/quick.html
+
+# "doveconf -n" command gives a clean output of the changed settings. Use it
+# instead of copy&pasting files when posting to the Dovecot mailing list.
+
+# '#' character and everything after it is treated as comments. Extra spaces
+# and tabs are ignored. If you want to use either of these explicitly, put the
+# value inside quotes, eg.: key = "# char and trailing whitespace  "
+
+# Default values are shown for each setting, it's not required to uncomment
+# those. These are exceptions to this though: No sections (e.g. namespace {})
+# or plugin settings are added by default, they're listed only as examples.
+# Paths are also just examples with the real defaults being based on configure
+# options. The paths listed here are for configure --prefix=/usr/local
+# --sysconfdir=/usr/local/etc --localstatedir=/var
+
+dovecot_config_version = 2.4.0
+dovecot_storage_version = 2.4.0
+
+# Protocols we want to be serving.
+#protocols = imap pop3 lmtp
 !include_try /usr/share/dovecot/protocols.d/*.protocol
 
-dict {
-  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
-  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
-}
+# A comma separated list of IPs or hosts where to listen in for connections. 
+# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
+# If you want to specify non-default ports or anything more complex,
+# edit conf.d/master.conf.
+#listen = *, ::
+
+# Base directory where to store runtime data.
+#base_dir = /var/run/dovecot/
+
+# Name of this instance. In multi-instance setup doveadm and other commands
+# can use -i <instance_name> to select which instance is used (an alternative
+# to -c <config_path>). The instance name is also added to Dovecot processes
+# in ps output.
+#instance_name = dovecot
+
+# Greeting message for clients.
+#login_greeting = Dovecot ready.
+
+# Space separated list of trusted network ranges. Connections from these
+# IPs are allowed to override their IP addresses and ports (for logging and
+# for authentication checks). disable_plaintext_auth is also ignored for
+# these networks, unless ssl=required.
+# Typically you'd specify your IMAP proxy servers here.
+#login_trusted_networks =
+
+# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
+# proxying. This isn't necessary normally, but may be useful if the destination
+# IP is e.g. a load balancer's IP.
+#auth_proxy_self =
+
+# Show more verbose process titles (in ps). Currently shows user name and
+# IP address. Useful for seeing who are actually using the IMAP processes
+# (eg. shared mailboxes or if same uid is used for multiple accounts).
+#verbose_proctitle = yes
+
+# Should all processes be killed when Dovecot master process shuts down.
+# Setting this to "no" means that Dovecot can be upgraded without
+# forcing existing client connections to close (although that could also be
+# a problem if the upgrade is e.g. because of a security fix).
+#shutdown_clients = yes
+
+# If non-zero, run mail commands via this many connections to doveadm server,
+# instead of running them directly in the same process.
+#doveadm_worker_count = 0
+# UNIX socket or host:port used for connecting to doveadm server
+#doveadm_socket_path = doveadm-server
+
+# Space separated list of environment variables that are preserved on Dovecot
+# startup and passed down to all of its child processes. You can also give
+# key=value pairs to always set specific settings.
+#import_environment {
+#  TZ=%{env:TZ}
+#}
 
 # Most of the actual configuration gets included below. The filenames are
 # first sorted by their ASCII value and parsed in that order. The 00-prefixes