Diffstat (limited to 'roles/dovecot')
29 files changed, 768 insertions, 0 deletions
diff --git a/roles/dovecot/defaults/main.yml b/roles/dovecot/defaults/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/dovecot/defaults/main.yml | |||
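diff --git a/roles/dovecot/files/conf.d/10-auth.conf b/roles/dovecot/files/conf.d/10-auth.conf
new file mode 100644
index 0000000..7ac1eee
--- /dev/null
+++ b/roles/dovecot/files/conf.d/10-auth.conf
@@ -0,0 +1,10 @@
+# Authentication
+disable_plaintext_auth = yes
+auth_username_format = %n
+auth_mechanisms = plain
+userdb {
+driver = passwd
+}
+passdb {
+driver = pam
+}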
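Review bot: The `auth-*.conf.ext` files added by this commit (auth-sql.conf.ext, auth-system.conf.ext and the others) are never referenced: this 10-auth.conf contains no `!include auth-system.conf.ext` line and dovecot.conf only includes `conf.d/*.conf`, so the fileglob task ships them to /etc/dovecot/conf.d/ as inert vendor examples. Either drop them from the role or record the intent here, e.g. `# auth-*.conf.ext example files are intentionally not included; passdb/userdb are defined below.` A short comment that `%n` discards any @domain part, so a login as user@example is checked by PAM as the system user `user`, would also help the next reader.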
diff --git a/roles/dovecot/files/conf.d/10-director.conf b/roles/dovecot/files/conf.d/10-director.conf new file mode 100644 index 0000000..073d8a8 --- /dev/null +++ b/roles/dovecot/files/conf.d/10-director.conf | |||
@@ -0,0 +1,60 @@ | |||
1 | ## | ||
2 | ## Director-specific settings. | ||
3 | ## | ||
4 | |||
5 | # Director can be used by Dovecot proxy to keep a temporary user -> mail server | ||
6 | # mapping. As long as user has simultaneous connections, the user is always | ||
7 | # redirected to the same server. Each proxy server is running its own director | ||
8 | # process, and the directors are communicating the state to each others. | ||
9 | # Directors are mainly useful with NFS-like setups. | ||
10 | |||
11 | # List of IPs or hostnames to all director servers, including ourself. | ||
12 | # Ports can be specified as ip:port. The default port is the same as | ||
13 | # what director service's inet_listener is using. | ||
14 | #director_servers = | ||
15 | |||
16 | # List of IPs or hostnames to all backend mail servers. Ranges are allowed | ||
17 | # too, like 10.0.0.10-10.0.0.30. | ||
18 | #director_mail_servers = | ||
19 | |||
20 | # How long to redirect users to a specific server after it no longer has | ||
21 | # any connections. | ||
22 | #director_user_expire = 15 min | ||
23 | |||
24 | # How the username is translated before being hashed. Useful values include | ||
25 | # %Ln if user can log in with or without @domain, %Ld if mailboxes are shared | ||
26 | # within domain. | ||
27 | #director_username_hash = %Lu | ||
28 | |||
29 | # To enable director service, uncomment the modes and assign a port. | ||
30 | service director { | ||
31 | unix_listener login/director { | ||
32 | #mode = 0666 | ||
33 | } | ||
34 | fifo_listener login/proxy-notify { | ||
35 | #mode = 0666 | ||
36 | } | ||
37 | unix_listener director-userdb { | ||
38 | #mode = 0600 | ||
39 | } | ||
40 | inet_listener { | ||
41 | #port = | ||
42 | } | ||
43 | } | ||
44 | |||
45 | # Enable director for the wanted login services by telling them to | ||
46 | # connect to director socket instead of the default login socket: | ||
47 | service imap-login { | ||
48 | #executable = imap-login director | ||
49 | } | ||
50 | service pop3-login { | ||
51 | #executable = pop3-login director | ||
52 | } | ||
53 | service submission-login { | ||
54 | #executable = submission-login director | ||
55 | } | ||
56 | |||
57 | # Enable director for LMTP proxying: | ||
58 | protocol lmtp { | ||
59 | #auth_socket_path = director-userdb | ||
60 | } | ||
diff --git a/roles/dovecot/files/conf.d/10-logging.conf b/roles/dovecot/files/conf.d/10-logging.conf new file mode 100644 index 0000000..bcd6dea --- /dev/null +++ b/roles/dovecot/files/conf.d/10-logging.conf | |||
@@ -0,0 +1,109 @@ | |||
1 | ## | ||
2 | ## Log destination. | ||
3 | ## | ||
4 | |||
5 | # Log file to use for error messages. "syslog" logs to syslog, | ||
6 | # /dev/stderr logs to stderr. | ||
7 | #log_path = syslog | ||
8 | |||
9 | # Log file to use for informational messages. Defaults to log_path. | ||
10 | #info_log_path = | ||
11 | # Log file to use for debug messages. Defaults to info_log_path. | ||
12 | #debug_log_path = | ||
13 | |||
14 | # Syslog facility to use if you're logging to syslog. Usually if you don't | ||
15 | # want to use "mail", you'll use local0..local7. Also other standard | ||
16 | # facilities are supported. | ||
17 | #syslog_facility = mail | ||
18 | |||
19 | ## | ||
20 | ## Logging verbosity and debugging. | ||
21 | ## | ||
22 | |||
23 | # Log filter is a space-separated list conditions. If any of the conditions | ||
24 | # match, the log filter matches (i.e. they're ORed together). Parenthesis | ||
25 | # are supported if multiple conditions need to be matched together. | ||
26 | # Supported conditions are: | ||
27 | # event:<name wildcard> - Match event name. '*' and '?' wildcards supported. | ||
28 | # source:<filename>[:<line number>] - Match source code filename [and line] | ||
29 | # field:<key>=<value wildcard> - Match field key to a value. Can be specified | ||
30 | # multiple times to match multiple keys. | ||
31 | # cat[egory]:<value> - Match a category. Can be specified multiple times to | ||
32 | # match multiple categories. | ||
33 | # For example: event:http_request_* (cat:error cat:storage) | ||
34 | |||
35 | # Filter to specify what debug logging to enable. This will eventually replace | ||
36 | # mail_debug and auth_debug settings. | ||
37 | #log_debug = | ||
38 | |||
39 | # Crash after logging a matching event. For example category:error will crash | ||
40 | # any time an error is logged, which can be useful for debugging. | ||
41 | #log_core_filter = | ||
42 | |||
43 | # Log unsuccessful authentication attempts and the reasons why they failed. | ||
44 | #auth_verbose = no | ||
45 | |||
46 | # In case of password mismatches, log the attempted password. Valid values are | ||
47 | # no, plain and sha1. sha1 can be useful for detecting brute force password | ||
48 | # attempts vs. user simply trying the same password over and over again. | ||
49 | # You can also truncate the value to n chars by appending ":n" (e.g. sha1:6). | ||
50 | #auth_verbose_passwords = no | ||
51 | |||
52 | # Even more verbose logging for debugging purposes. Shows for example SQL | ||
53 | # queries. | ||
54 | #auth_debug = no | ||
55 | |||
56 | # In case of password mismatches, log the passwords and used scheme so the | ||
57 | # problem can be debugged. Enabling this also enables auth_debug. | ||
58 | #auth_debug_passwords = no | ||
59 | |||
60 | # Enable mail process debugging. This can help you figure out why Dovecot | ||
61 | # isn't finding your mails. | ||
62 | #mail_debug = no | ||
63 | |||
64 | # Show protocol level SSL errors. | ||
65 | #verbose_ssl = no | ||
66 | |||
67 | # mail_log plugin provides more event logging for mail processes. | ||
68 | plugin { | ||
69 | # Events to log. Also available: flag_change append | ||
70 | #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename | ||
71 | # Available fields: uid, box, msgid, from, subject, size, vsize, flags | ||
72 | # size and vsize are available only for expunge and copy events. | ||
73 | #mail_log_fields = uid box msgid size | ||
74 | } | ||
75 | |||
76 | ## | ||
77 | ## Log formatting. | ||
78 | ## | ||
79 | |||
80 | # Prefix for each line written to log file. % codes are in strftime(3) | ||
81 | # format. | ||
82 | #log_timestamp = "%b %d %H:%M:%S " | ||
83 | |||
84 | # Space-separated list of elements we want to log. The elements which have | ||
85 | # a non-empty variable value are joined together to form a comma-separated | ||
86 | # string. | ||
87 | #login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c | ||
88 | |||
89 | # Login log format. %s contains login_log_format_elements string, %$ contains | ||
90 | # the data we want to log. | ||
91 | #login_log_format = %$: %s | ||
92 | |||
93 | # Log prefix for mail processes. See doc/wiki/Variables.txt for list of | ||
94 | # possible variables you can use. | ||
95 | #mail_log_prefix = "%s(%u)<%{pid}><%{session}>: " | ||
96 | |||
97 | # Format to use for logging mail deliveries: | ||
98 | # %$ - Delivery status message (e.g. "saved to INBOX") | ||
99 | # %m / %{msgid} - Message-ID | ||
100 | # %s / %{subject} - Subject | ||
101 | # %f / %{from} - From address | ||
102 | # %p / %{size} - Physical size | ||
103 | # %w / %{vsize} - Virtual size | ||
104 | # %e / %{from_envelope} - MAIL FROM envelope | ||
105 | # %{to_envelope} - RCPT TO envelope | ||
106 | # %{delivery_time} - How many milliseconds it took to deliver the mail | ||
107 | # %{session_time} - How long LMTP session took, not including delivery_time | ||
108 | # %{storage_id} - Backend-specific ID for mail, e.g. Maildir filename | ||
109 | #deliver_log_format = msgid=%m: %$ | ||
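Review bot: Every setting in this file is left commented out, so it is the stock example and `auth_verbose` stays at its default of `no`; failed logins are then not logged with the reason they failed, which is exactly what fail2ban-style detection and later incident review rely on. Consider activating `auth_verbose = yes` here. If the file is meant to stay at defaults, a one-line header such as `# Shipped unchanged from the Dovecot example config; nothing is overridden here.` would stop it from being re-reviewed on every change.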
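diff --git a/roles/dovecot/files/conf.d/10-mail.conf b/roles/dovecot/files/conf.d/10-mail.conf
new file mode 100644
index 0000000..683c5e9
--- /dev/null
+++ b/roles/dovecot/files/conf.d/10-mail.conf
@@ -0,0 +1,10 @@
+# Mail location
+mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
+namespace inbox {
+type = private
+prefix =
+separator = /
+inbox = yes
+subscriptions = yes
+list = yes
+}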
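diff --git a/roles/dovecot/files/conf.d/10-master.conf b/roles/dovecot/files/conf.d/10-master.conf
new file mode 100644
index 0000000..c2c9493
--- /dev/null
+++ b/roles/dovecot/files/conf.d/10-master.conf
@@ -0,0 +1,22 @@
+# Master Configuration
+service imap-login {
+# Run login processes in high-security mode (see: LoginProcess.txt in dovecot docs)
+service_count = 1
+# Disable unencrypted IMAP by setting port for plain IMAP to 0
+inet_listener imap {
+port = 0
+}
+inet_listener imaps {
+port = 993
+ssl = yes
+}
+}
+
+# Allow postfix to user dovecot SASL
+service auth {
+unix_listener /var/spool/postfix/private/auth {
+mode = 0660
+user = postfix
+group = postfix
+}
+}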
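Review bot: The comment on the `service auth` block reads `# Allow postfix to user dovecot SASL`; it should be `# Allow postfix to use dovecot SASL`. The listener itself is sensibly restricted (`mode = 0660` with `user`/`group = postfix`) and the plaintext `imap` listener is disabled with `port = 0`. A second comment noting that the socket path must agree with Postfix's `smtpd_sasl_path = private/auth` would help whoever maintains the postfix side, since a mismatch fails only at SMTP AUTH time.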
diff --git a/roles/dovecot/files/conf.d/10-tcpwrapper.conf b/roles/dovecot/files/conf.d/10-tcpwrapper.conf new file mode 100644 index 0000000..b237d96 --- /dev/null +++ b/roles/dovecot/files/conf.d/10-tcpwrapper.conf | |||
@@ -0,0 +1,14 @@ | |||
1 | # 10-tcpwrapper.conf | ||
2 | # | ||
3 | # service name for hosts.{allow|deny} are those defined as | ||
4 | # inet_listener in master.conf | ||
5 | # | ||
6 | #login_access_sockets = tcpwrap | ||
7 | # | ||
8 | #service tcpwrap { | ||
9 | # unix_listener login/tcpwrap { | ||
10 | # group = $default_login_user | ||
11 | # mode = 0600 | ||
12 | # user = $default_login_user | ||
13 | # } | ||
14 | #} | ||
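diff --git a/roles/dovecot/files/conf.d/15-lda.conf b/roles/dovecot/files/conf.d/15-lda.conf
new file mode 100644
index 0000000..8538f79
--- /dev/null
+++ b/roles/dovecot/files/conf.d/15-lda.conf
@@ -0,0 +1,4 @@
+# Local Delivery Agent
+protocol lda {
+mail_plugins = $mail_plugins sieve
+}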
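Review bot: Sieve is enabled only for `protocol lda`; if Postfix hands mail to Dovecot over LMTP rather than through `dovecot-lda`, this block is never consulted and the default.sieve spam filtering silently does not run. If LMTP delivery is intended, add a matching `protocol lmtp { mail_plugins = $mail_plugins sieve }` and the dovecot-lmtpd package in tasks/main.yml, which currently installs only dovecot-imapd and dovecot-sieve. A one-line comment stating which delivery path Postfix uses would make the choice explicit either way.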
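diff --git a/roles/dovecot/files/conf.d/15-mailboxes.conf b/roles/dovecot/files/conf.d/15-mailboxes.conf
new file mode 100644
index 0000000..4de88b0
--- /dev/null
+++ b/roles/dovecot/files/conf.d/15-mailboxes.conf
@@ -0,0 +1,25 @@
+# Mailboxes
+namespace inbox {
+mailbox Sent {
+special_use = \Sent
+auto = subscribe
+}
+mailbox Trash {
+special_use = \Trash
+auto = create
+autoexpunge = 30d
+}
+mailbox Drafts {
+special_use = \Drafts
+auto = subscribe
+}
+mailbox Spam {
+special_use = \Junk
+auto = create
+autoexpunge = 30d
+}
+mailbox Archive {
+special_use = \Archive
+auto = create
+}
+}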
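diff --git a/roles/dovecot/files/conf.d/20-imap.conf b/roles/dovecot/files/conf.d/20-imap.conf
new file mode 100644
index 0000000..0e7d4ae
--- /dev/null
+++ b/roles/dovecot/files/conf.d/20-imap.conf
@@ -0,0 +1,2 @@
+# IMAP
+imap_capability = +SPECIAL-USE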
diff --git a/roles/dovecot/files/conf.d/90-acl.conf b/roles/dovecot/files/conf.d/90-acl.conf new file mode 100644 index 0000000..f0c0e7a --- /dev/null +++ b/roles/dovecot/files/conf.d/90-acl.conf | |||
@@ -0,0 +1,19 @@ | |||
1 | ## | ||
2 | ## Mailbox access control lists. | ||
3 | ## | ||
4 | |||
5 | # vfile backend reads ACLs from "dovecot-acl" file from mail directory. | ||
6 | # You can also optionally give a global ACL directory path where ACLs are | ||
7 | # applied to all users' mailboxes. The global ACL directory contains | ||
8 | # one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter | ||
9 | # specifies how many seconds to wait between stat()ing dovecot-acl file | ||
10 | # to see if it changed. | ||
11 | plugin { | ||
12 | #acl = vfile:/etc/dovecot/global-acls:cache_secs=300 | ||
13 | } | ||
14 | |||
15 | # To let users LIST mailboxes shared by other users, Dovecot needs a | ||
16 | # shared mailbox dictionary. For example: | ||
17 | plugin { | ||
18 | #acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes | ||
19 | } | ||
diff --git a/roles/dovecot/files/conf.d/90-plugin.conf b/roles/dovecot/files/conf.d/90-plugin.conf new file mode 100644 index 0000000..8c8fccf --- /dev/null +++ b/roles/dovecot/files/conf.d/90-plugin.conf | |||
@@ -0,0 +1,11 @@ | |||
1 | ## | ||
2 | ## Plugin settings | ||
3 | ## | ||
4 | |||
5 | # All wanted plugins must be listed in mail_plugins setting before any of the | ||
6 | # settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and | ||
7 | # their configuration. Note that %variable expansion is done for all values. | ||
8 | |||
9 | plugin { | ||
10 | #setting_name = value | ||
11 | } | ||
diff --git a/roles/dovecot/files/conf.d/90-quota.conf b/roles/dovecot/files/conf.d/90-quota.conf new file mode 100644 index 0000000..3308c05 --- /dev/null +++ b/roles/dovecot/files/conf.d/90-quota.conf | |||
@@ -0,0 +1,83 @@ | |||
1 | ## | ||
2 | ## Quota configuration. | ||
3 | ## | ||
4 | |||
5 | # Note that you also have to enable quota plugin in mail_plugins setting. | ||
6 | # <doc/wiki/Quota.txt> | ||
7 | |||
8 | ## | ||
9 | ## Quota limits | ||
10 | ## | ||
11 | |||
12 | # Quota limits are set using "quota_rule" parameters. To get per-user quota | ||
13 | # limits, you can set/override them by returning "quota_rule" extra field | ||
14 | # from userdb. It's also possible to give mailbox-specific limits, for example | ||
15 | # to give additional 100 MB when saving to Trash: | ||
16 | |||
17 | plugin { | ||
18 | #quota_rule = *:storage=1G | ||
19 | #quota_rule2 = Trash:storage=+100M | ||
20 | |||
21 | # LDA/LMTP allows saving the last mail to bring user from under quota to | ||
22 | # over quota, if the quota doesn't grow too high. Default is to allow as | ||
23 | # long as quota will stay under 10% above the limit. Also allowed e.g. 10M. | ||
24 | #quota_grace = 10%% | ||
25 | |||
26 | # Quota plugin can also limit the maximum accepted mail size. | ||
27 | #quota_max_mail_size = 100M | ||
28 | } | ||
29 | |||
30 | ## | ||
31 | ## Quota warnings | ||
32 | ## | ||
33 | |||
34 | # You can execute a given command when user exceeds a specified quota limit. | ||
35 | # Each quota root has separate limits. Only the command for the first | ||
36 | # exceeded limit is executed, so put the highest limit first. | ||
37 | # The commands are executed via script service by connecting to the named | ||
38 | # UNIX socket (quota-warning below). | ||
39 | # Note that % needs to be escaped as %%, otherwise "% " expands to empty. | ||
40 | |||
41 | plugin { | ||
42 | #quota_warning = storage=95%% quota-warning 95 %u | ||
43 | #quota_warning2 = storage=80%% quota-warning 80 %u | ||
44 | } | ||
45 | |||
46 | # Example quota-warning service. The unix listener's permissions should be | ||
47 | # set in a way that mail processes can connect to it. Below example assumes | ||
48 | # that mail processes run as vmail user. If you use mode=0666, all system users | ||
49 | # can generate quota warnings to anyone. | ||
50 | #service quota-warning { | ||
51 | # executable = script /usr/local/bin/quota-warning.sh | ||
52 | # user = dovecot | ||
53 | # unix_listener quota-warning { | ||
54 | # user = vmail | ||
55 | # } | ||
56 | #} | ||
57 | |||
58 | ## | ||
59 | ## Quota backends | ||
60 | ## | ||
61 | |||
62 | # Multiple backends are supported: | ||
63 | # dirsize: Find and sum all the files found from mail directory. | ||
64 | # Extremely SLOW with Maildir. It'll eat your CPU and disk I/O. | ||
65 | # dict: Keep quota stored in dictionary (eg. SQL) | ||
66 | # maildir: Maildir++ quota | ||
67 | # fs: Read-only support for filesystem quota | ||
68 | |||
69 | plugin { | ||
70 | #quota = dirsize:User quota | ||
71 | #quota = maildir:User quota | ||
72 | #quota = dict:User quota::proxy::quota | ||
73 | #quota = fs:User quota | ||
74 | } | ||
75 | |||
76 | # Multiple quota roots are also possible, for example this gives each user | ||
77 | # their own 100MB quota and one shared 1GB quota within the domain: | ||
78 | plugin { | ||
79 | #quota = dict:user::proxy::quota | ||
80 | #quota2 = dict:domain:%d:proxy::quota_domain | ||
81 | #quota_rule = *:storage=102400 | ||
82 | #quota2_rule = *:storage=1048576 | ||
83 | } | ||
diff --git a/roles/dovecot/files/conf.d/90-sieve-extprograms.conf b/roles/dovecot/files/conf.d/90-sieve-extprograms.conf new file mode 100644 index 0000000..17dcb77 --- /dev/null +++ b/roles/dovecot/files/conf.d/90-sieve-extprograms.conf | |||
@@ -0,0 +1,44 @@ | |||
1 | # Sieve Extprograms plugin configuration | ||
2 | |||
3 | # Don't forget to add the sieve_extprograms plugin to the sieve_plugins setting. | ||
4 | # Also enable the extensions you need (one or more of vnd.dovecot.pipe, | ||
5 | # vnd.dovecot.filter and vnd.dovecot.execute) by adding these to the | ||
6 | # sieve_extensions or sieve_global_extensions settings. Restricting these | ||
7 | # extensions to a global context using sieve_global_extensions is recommended. | ||
8 | |||
9 | plugin { | ||
10 | |||
11 | # The directory where the program sockets are located for the | ||
12 | # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension | ||
13 | # respectively. The name of each unix socket contained in that directory | ||
14 | # directly maps to a program-name referenced from the Sieve script. | ||
15 | #sieve_pipe_socket_dir = sieve-pipe | ||
16 | #sieve_filter_socket_dir = sieve-filter | ||
17 | #sieve_execute_socket_dir = sieve-execute | ||
18 | |||
19 | # The directory where the scripts are located for direct execution by the | ||
20 | # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension | ||
21 | # respectively. The name of each script contained in that directory | ||
22 | # directly maps to a program-name referenced from the Sieve script. | ||
23 | #sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe | ||
24 | #sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter | ||
25 | #sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute | ||
26 | } | ||
27 | |||
28 | # An example program service called 'do-something' to pipe messages to | ||
29 | #service do-something { | ||
30 | # Define the executed script as parameter to the sieve service | ||
31 | #executable = script /usr/lib/dovecot/sieve-pipe/do-something.sh | ||
32 | |||
33 | # Use some unprivileged user for executing the program | ||
34 | #user = dovenull | ||
35 | |||
36 | # The unix socket located in the sieve_pipe_socket_dir (as defined in the | ||
37 | # plugin {} section above) | ||
38 | #unix_listener sieve-pipe/do-something { | ||
39 | # LDA/LMTP must have access | ||
40 | # user = vmail | ||
41 | # mode = 0600 | ||
42 | #} | ||
43 | #} | ||
44 | |||
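diff --git a/roles/dovecot/files/conf.d/90-sieve.conf b/roles/dovecot/files/conf.d/90-sieve.conf
new file mode 100644
index 0000000..c7ef6c4
--- /dev/null
+++ b/roles/dovecot/files/conf.d/90-sieve.conf
@@ -0,0 +1,6 @@
+# Sieve Configuration
+plugin {
+sieve = ~/.dovecot.sieve
+sieve_default = /var/lib/dovecot/sieve/default.sieve
+sieve_global = /var/lib/dovecot/sieve/
+}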
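Review bot: `sieve_default` is compiled by tasks/main.yml via `sievec` as root, and the `create sieve dir` task in the same commit sets no `owner` or `mode`, so whether the mail processes of each system user can read the directory and the compiled `default.svbin` depends on root's umask at play time rather than on anything the role controls. Set explicit `owner`/`group`/`mode` on that directory task and verify the compiled output is world-readable. A comment here that a personal `~/.dovecot.sieve` replaces `sieve_default` entirely (it is a fallback, not a prefix) and that `sieve_global` is the root for `:global` includes would make the precedence clear to whoever edits default.sieve.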
diff --git a/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext b/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext new file mode 100644 index 0000000..b2fb13a --- /dev/null +++ b/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext | |||
@@ -0,0 +1,21 @@ | |||
1 | # Authentication for checkpassword users. Included from 10-auth.conf. | ||
2 | # | ||
3 | # <doc/wiki/AuthDatabase.CheckPassword.txt> | ||
4 | |||
5 | passdb { | ||
6 | driver = checkpassword | ||
7 | args = /usr/bin/checkpassword | ||
8 | } | ||
9 | |||
10 | # passdb lookup should return also userdb info | ||
11 | userdb { | ||
12 | driver = prefetch | ||
13 | } | ||
14 | |||
15 | # Standard checkpassword doesn't support direct userdb lookups. | ||
16 | # If you need checkpassword userdb, the checkpassword must support | ||
17 | # Dovecot-specific extensions. | ||
18 | #userdb { | ||
19 | # driver = checkpassword | ||
20 | # args = /usr/bin/checkpassword | ||
21 | #} | ||
diff --git a/roles/dovecot/files/conf.d/auth-deny.conf.ext b/roles/dovecot/files/conf.d/auth-deny.conf.ext new file mode 100644 index 0000000..ce3f1cf --- /dev/null +++ b/roles/dovecot/files/conf.d/auth-deny.conf.ext | |||
@@ -0,0 +1,15 @@ | |||
1 | # Deny access for users. Included from 10-auth.conf. | ||
2 | |||
3 | # Users can be (temporarily) disabled by adding a passdb with deny=yes. | ||
4 | # If the user is found from that database, authentication will fail. | ||
5 | # The deny passdb should always be specified before others, so it gets | ||
6 | # checked first. | ||
7 | |||
8 | # Example deny passdb using passwd-file. You can use any passdb though. | ||
9 | passdb { | ||
10 | driver = passwd-file | ||
11 | deny = yes | ||
12 | |||
13 | # File contains a list of usernames, one per line | ||
14 | args = /etc/dovecot/deny-users | ||
15 | } | ||
diff --git a/roles/dovecot/files/conf.d/auth-dict.conf.ext b/roles/dovecot/files/conf.d/auth-dict.conf.ext new file mode 100644 index 0000000..0be4847 --- /dev/null +++ b/roles/dovecot/files/conf.d/auth-dict.conf.ext | |||
@@ -0,0 +1,16 @@ | |||
1 | # Authentication via dict backend. Included from 10-auth.conf. | ||
2 | # | ||
3 | # <doc/wiki/AuthDatabase.Dict.txt> | ||
4 | |||
5 | passdb { | ||
6 | driver = dict | ||
7 | |||
8 | # Path for dict configuration file, see | ||
9 | # example-config/dovecot-dict-auth.conf.ext | ||
10 | args = /etc/dovecot/dovecot-dict-auth.conf.ext | ||
11 | } | ||
12 | |||
13 | userdb { | ||
14 | driver = dict | ||
15 | args = /etc/dovecot/dovecot-dict-auth.conf.ext | ||
16 | } | ||
diff --git a/roles/dovecot/files/conf.d/auth-master.conf.ext b/roles/dovecot/files/conf.d/auth-master.conf.ext new file mode 100644 index 0000000..2cf128f --- /dev/null +++ b/roles/dovecot/files/conf.d/auth-master.conf.ext | |||
@@ -0,0 +1,16 @@ | |||
1 | # Authentication for master users. Included from 10-auth.conf. | ||
2 | |||
3 | # By adding master=yes setting inside a passdb you make the passdb a list | ||
4 | # of "master users", who can log in as anyone else. | ||
5 | # <doc/wiki/Authentication.MasterUsers.txt> | ||
6 | |||
7 | # Example master user passdb using passwd-file. You can use any passdb though. | ||
8 | passdb { | ||
9 | driver = passwd-file | ||
10 | master = yes | ||
11 | args = /etc/dovecot/master-users | ||
12 | |||
13 | # Unless you're using PAM, you probably still want the destination user to | ||
14 | # be looked up from passdb that it really exists. pass=yes does that. | ||
15 | pass = yes | ||
16 | } | ||
diff --git a/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext b/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext new file mode 100644 index 0000000..c89d28c --- /dev/null +++ b/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext | |||
@@ -0,0 +1,20 @@ | |||
1 | # Authentication for passwd-file users. Included from 10-auth.conf. | ||
2 | # | ||
3 | # passwd-like file with specified location. | ||
4 | # <doc/wiki/AuthDatabase.PasswdFile.txt> | ||
5 | |||
6 | passdb { | ||
7 | driver = passwd-file | ||
8 | args = scheme=CRYPT username_format=%u /etc/dovecot/users | ||
9 | } | ||
10 | |||
11 | userdb { | ||
12 | driver = passwd-file | ||
13 | args = username_format=%u /etc/dovecot/users | ||
14 | |||
15 | # Default fields that can be overridden by passwd-file | ||
16 | #default_fields = quota_rule=*:storage=1G | ||
17 | |||
18 | # Override fields from passwd-file | ||
19 | #override_fields = home=/home/virtual/%u | ||
20 | } | ||
diff --git a/roles/dovecot/files/conf.d/auth-sql.conf.ext b/roles/dovecot/files/conf.d/auth-sql.conf.ext new file mode 100644 index 0000000..ccbea86 --- /dev/null +++ b/roles/dovecot/files/conf.d/auth-sql.conf.ext | |||
@@ -0,0 +1,30 @@ | |||
1 | # Authentication for SQL users. Included from 10-auth.conf. | ||
2 | # | ||
3 | # <doc/wiki/AuthDatabase.SQL.txt> | ||
4 | |||
5 | passdb { | ||
6 | driver = sql | ||
7 | |||
8 | # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext | ||
9 | args = /etc/dovecot/dovecot-sql.conf.ext | ||
10 | } | ||
11 | |||
12 | # "prefetch" user database means that the passdb already provided the | ||
13 | # needed information and there's no need to do a separate userdb lookup. | ||
14 | # <doc/wiki/UserDatabase.Prefetch.txt> | ||
15 | #userdb { | ||
16 | # driver = prefetch | ||
17 | #} | ||
18 | |||
19 | userdb { | ||
20 | driver = sql | ||
21 | args = /etc/dovecot/dovecot-sql.conf.ext | ||
22 | } | ||
23 | |||
24 | # If you don't have any user-specific settings, you can avoid the user_query | ||
25 | # by using userdb static instead of userdb sql, for example: | ||
26 | # <doc/wiki/UserDatabase.Static.txt> | ||
27 | #userdb { | ||
28 | #driver = static | ||
29 | #args = uid=vmail gid=vmail home=/var/vmail/%u | ||
30 | #} | ||
diff --git a/roles/dovecot/files/conf.d/auth-static.conf.ext b/roles/dovecot/files/conf.d/auth-static.conf.ext new file mode 100644 index 0000000..90890c5 --- /dev/null +++ b/roles/dovecot/files/conf.d/auth-static.conf.ext | |||
@@ -0,0 +1,24 @@ | |||
1 | # Static passdb. Included from 10-auth.conf. | ||
2 | |||
3 | # This can be used for situations where Dovecot doesn't need to verify the | ||
4 | # username or the password, or if there is a single password for all users: | ||
5 | # | ||
6 | # - proxy frontend, where the backend verifies the password | ||
7 | # - proxy backend, where the frontend already verified the password | ||
8 | # - authentication with SSL certificates | ||
9 | # - simple testing | ||
10 | |||
11 | #passdb { | ||
12 | # driver = static | ||
13 | # args = proxy=y host=%1Mu.example.com nopassword=y | ||
14 | #} | ||
15 | |||
16 | #passdb { | ||
17 | # driver = static | ||
18 | # args = password=test | ||
19 | #} | ||
20 | |||
21 | #userdb { | ||
22 | # driver = static | ||
23 | # args = uid=vmail gid=vmail home=/home/%u | ||
24 | #} | ||
diff --git a/roles/dovecot/files/conf.d/auth-system.conf.ext b/roles/dovecot/files/conf.d/auth-system.conf.ext new file mode 100644 index 0000000..dadb9f7 --- /dev/null +++ b/roles/dovecot/files/conf.d/auth-system.conf.ext | |||
@@ -0,0 +1,74 @@ | |||
1 | # Authentication for system users. Included from 10-auth.conf. | ||
2 | # | ||
3 | # <doc/wiki/PasswordDatabase.txt> | ||
4 | # <doc/wiki/UserDatabase.txt> | ||
5 | |||
6 | # PAM authentication. Preferred nowadays by most systems. | ||
7 | # PAM is typically used with either userdb passwd or userdb static. | ||
8 | # REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM | ||
9 | # authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt> | ||
10 | passdb { | ||
11 | driver = pam | ||
12 | # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>] | ||
13 | # [cache_key=<key>] [<service name>] | ||
14 | #args = dovecot | ||
15 | } | ||
16 | |||
17 | # System users (NSS, /etc/passwd, or similar). | ||
18 | # In many systems nowadays this uses Name Service Switch, which is | ||
19 | # configured in /etc/nsswitch.conf. <doc/wiki/AuthDatabase.Passwd.txt> | ||
20 | #passdb { | ||
21 | #driver = passwd | ||
22 | # [blocking=no] | ||
23 | #args = | ||
24 | #} | ||
25 | |||
26 | # Shadow passwords for system users (NSS, /etc/shadow or similar). | ||
27 | # Deprecated by PAM nowadays. | ||
28 | # <doc/wiki/PasswordDatabase.Shadow.txt> | ||
29 | #passdb { | ||
30 | #driver = shadow | ||
31 | # [blocking=no] | ||
32 | #args = | ||
33 | #} | ||
34 | |||
35 | # PAM-like authentication for OpenBSD. | ||
36 | # <doc/wiki/PasswordDatabase.BSDAuth.txt> | ||
37 | #passdb { | ||
38 | #driver = bsdauth | ||
39 | # [blocking=no] [cache_key=<key>] | ||
40 | #args = | ||
41 | #} | ||
42 | |||
43 | ## | ||
44 | ## User databases | ||
45 | ## | ||
46 | |||
47 | # System users (NSS, /etc/passwd, or similar). In many systems nowadays this | ||
48 | # uses Name Service Switch, which is configured in /etc/nsswitch.conf. | ||
49 | userdb { | ||
50 | # <doc/wiki/AuthDatabase.Passwd.txt> | ||
51 | driver = passwd | ||
52 | # [blocking=no] | ||
53 | #args = | ||
54 | |||
55 | # Override fields from passwd | ||
56 | #override_fields = home=/home/virtual/%u | ||
57 | } | ||
58 | |||
59 | # Static settings generated from template <doc/wiki/UserDatabase.Static.txt> | ||
60 | #userdb { | ||
61 | #driver = static | ||
62 | # Can return anything a userdb could normally return. For example: | ||
63 | # | ||
64 | # args = uid=500 gid=500 home=/var/mail/%u | ||
65 | # | ||
66 | # LDA and LMTP needs to look up users only from the userdb. This of course | ||
67 | # doesn't work with static userdb because there is no list of users. | ||
68 | # Normally static userdb handles this by doing a passdb lookup. This works | ||
69 | # with most passdbs, with PAM being the most notable exception. If you do | ||
70 | # the user verification another way, you can add allow_all_users=yes to | ||
71 | # the args in which case the passdb lookup is skipped. | ||
72 | # | ||
73 | #args = | ||
74 | #} | ||
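diff --git a/roles/dovecot/files/default.sieve b/roles/dovecot/files/default.sieve
new file mode 100644
index 0000000..6709988
--- /dev/null
+++ b/roles/dovecot/files/default.sieve
@@ -0,0 +1,22 @@
+require ["fileinto", "mailbox"];
+/*
+* Discard mail that has a spam score greater than or equal to 5
+*/
+if header :contains "X-Spam-Level" "*****" {
+discard;
+stop;
+}
+/*
+* Discard messages marked as infected by virus scanner
+*/
+if header :contains "X-Virus-Scan" "infected" {
+discard;
+stop;
+}
+/*
+* If message is marked as spam (and falls below discard threshold) put into spam mailbox
+*/
+if header :contains "X-Spam-Flag" "YES" {
+fileinto "Spam";
+}
+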
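Review bot: `require ["fileinto", "mailbox"]` declares the `mailbox` extension but nothing in the script uses it (the `fileinto` has no `:create`), so it can be trimmed to `require ["fileinto"];`. The two `discard` branches drop mail irreversibly on the strength of `X-Spam-Level` and `X-Virus-Scan` headers; since 15-mailboxes.conf already auto-creates a `Spam` folder with `autoexpunge = 30d`, filing the high-score case there with `fileinto "Spam";` gives the same cleanup plus a 30-day window to recover false positives. The script should also state in its header comment where these headers are trusted to come from (the local scanner) and that the MTA strips sender-supplied copies, because otherwise the decision rests on untrusted input.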
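diff --git a/roles/dovecot/files/dovecot.conf b/roles/dovecot/files/dovecot.conf
new file mode 100644
index 0000000..14a4cf0
--- /dev/null
+++ b/roles/dovecot/files/dovecot.conf
@@ -0,0 +1,16 @@
+# Enable installed protocols
+!include_try /usr/share/dovecot/protocols.d/*.protocol
+
+dict {
+#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
+#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
+}
+
+# Most of the actual configuration gets included below. The filenames are
+# first sorted by their ASCII value and parsed in that order. The 00-prefixes
+# in filenames are intended to make it easier to understand the ordering.
+!include conf.d/*.conf
+
+# A config file can also tried to be included without giving an error if
+# it's not found:
+!include_try local.conf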
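diff --git a/roles/dovecot/files/dovecot_pam b/roles/dovecot/files/dovecot_pam
new file mode 100644
index 0000000..af0e0dd
--- /dev/null
+++ b/roles/dovecot/files/dovecot_pam
@@ -0,0 +1,8 @@
+#%PAM-1.0
+
+@include common-auth
+@include common-account
+@include common-session
+
+auth required pam_unix.so
+account required pam_unix.so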
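Review bot: The explicit `auth required pam_unix.so` and `account required pam_unix.so` lines duplicate what Debian's `common-auth` and `common-account` stacks already contain, so every IMAP login runs pam_unix twice; without `use_first_pass` the second instance will most likely prompt for the password again, which Dovecot's PAM conversation answers, so it works but is wasteful and misleading. Either drop the two trailing lines or drop the `@include`s and keep the explicit stack. Because passdb pam plus userdb passwd accepts any system account with a valid password, this file is also the natural place to limit IMAP logins to a mail group (e.g. a `pam_listfile.so` or group check) rather than every service and admin account on the host.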
diff --git a/roles/dovecot/handlers/main.yml b/roles/dovecot/handlers/main.yml new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/roles/dovecot/handlers/main.yml | |||
diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml new file mode 100644 index 0000000..ce5eb2c --- /dev/null +++ b/roles/dovecot/tasks/main.yml | |||
@@ -0,0 +1,67 @@ | |||
1 | - name: install packages | ||
2 | package: | ||
3 | name: | ||
4 | - dovecot-imapd | ||
5 | - dovecot-sieve | ||
6 | state: latest | ||
7 | |||
8 | - name: deploy dovecot.conf | ||
9 | copy: | ||
10 | src: dovecot.conf | ||
11 | dest: /etc/dovecot/dovecot.conf | ||
12 | owner: root | ||
13 | group: root | ||
14 | mode: '0644' | ||
15 | |||
16 | - name: deploy dovecot configuration files | ||
17 | copy: | ||
18 | src: "{{ item }}" | ||
19 | dest: /etc/dovecot/conf.d/ | ||
20 | owner: root | ||
21 | group: root | ||
22 | mode: '0644' | ||
23 | with_fileglob: "files/conf.d/*" | ||
24 | |||
25 | - name: deploy dovecot tls configuration file | ||
26 | template: | ||
27 | src: templates/10-ssl.conf.j2 | ||
28 | dest: /etc/dovecot/conf.d/10-ssl.conf | ||
29 | owner: root | ||
30 | group: root | ||
31 | mode: '0644' | ||
32 | |||
33 | - name: create sieve dir | ||
34 | file: | ||
35 | path: /var/lib/dovecot/sieve | ||
36 | state: directory | ||
37 | |||
38 | - name: deploy default sieve script | ||
39 | copy: | ||
40 | src: default.sieve | ||
41 | dest: /var/lib/dovecot/sieve/default.sieve | ||
42 | owner: root | ||
43 | group: root | ||
44 | mode: '0644' | ||
45 | |||
46 | - name: compile default sieve script | ||
47 | command: | ||
48 | cmd: sievec /var/lib/dovecot/sieve/default.sieve | ||
49 | |||
50 | - name: deploy dovecot PAM configuration | ||
51 | copy: | ||
52 | src: dovecot_pam | ||
53 | dest: /etc/pam.d/dovecot | ||
54 | owner: root | ||
55 | group: root | ||
56 | mode: '0644' | ||
57 | |||
58 | - name: enable dovecot | ||
59 | systemd: | ||
60 | enabled: yes | ||
61 | masked: no | ||
62 | name: dovecot | ||
63 | |||
64 | - name: restart dovecot | ||
65 | service: | ||
66 | name: dovecot | ||
67 | state: restarted | ||
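Review bot: The final `restart dovecot` task restarts the service on every play and `compile default sieve script` re-runs `sievec` unconditionally, so the role is never idempotent and each run drops IMAP sessions even when nothing changed; handlers/main.yml is added empty in the same commit. Move the restart into handlers/main.yml, add `notify: restart dovecot` to the config, template, sieve and PAM deploy tasks, and drive the `sievec` run from the `deploy default sieve script` task the same way (or at minimum give it `creates: /var/lib/dovecot/sieve/default.svbin`, accepting that it then will not recompile an edited script). Two smaller points: `state: latest` turns every run into an unplanned package upgrade where `state: present` is the safer default, and `create sieve dir` sets no `owner`/`mode`. The `with_fileglob: "files/conf.d/*"` task also ships the unused `auth-*.conf.ext` example files to the host.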
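diff --git a/roles/dovecot/templates/10-ssl.conf.j2 b/roles/dovecot/templates/10-ssl.conf.j2
new file mode 100644
index 0000000..8efa1d2
--- /dev/null
+++ b/roles/dovecot/templates/10-ssl.conf.j2
@@ -0,0 +1,20 @@
+# SSL/TLS Configuration
+ssl = required
+ssl_key = "</etc/letsencrypt/live/{{ mail_domain }}/privkey.pem"
+ssl_cert = "</etc/letsencrypt/live/{{ mail_domain }}/fullchain.pem"
+ssl_client_ca_dir = /etc/ssl/certs
+ssl_dh = </usr/share/dovecot/dh.pem
+
+# Mozilla modern compatibility (https://wiki.mozilla.org/Security/Server_Side_TLS)
+# This is here for future use - Dovecot does not support using only TLSv1.3 right now.
+#ssl_min_protocol = TLSv1.3
+# Ciphers listed here are just for reference, DO NOT uncomment, this is not a valid
+# openssl cipherlist
+#ssl_cipher_list = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+
+# Mozilla intermediate compatibility (https://wiki.mozilla.org/Security/Server_Side_TLS)
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ECDHE+ECDSA+AESGCM:ECDHE+aRSA+AESGCM:ECDHE+ECDSA+CHACHA20:ECDHE+aRSA+CHACHA20:DHE+aRSA+AESGCM:!aNULL:!eNULL
+
+ssl_prefer_server_ciphers = yes
+ssl_client_require_valid_cert = yes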
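Review bot: `ssl_client_ca_dir` and `ssl_client_require_valid_cert` govern Dovecot acting as a TLS client (proxying, imapc, outbound connections), not verification of the mail clients that connect to it; inbound client-certificate checks stay off because `ssl_verify_client_cert` is not set in this template, yet the last line reads as if they were enabled. Add `# Outbound (Dovecot-as-client) TLS verification only; connecting clients are not asked for certificates.` above those two settings, or drop them since the value shown is the default. `ssl_dh = </usr/share/dovecot/dh.pem` depends on the Debian package shipping that parameter file; a comment naming that dependency explains the startup error anyone porting the role to another distribution will hit.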