From 5ad1ea21a7d46f687a3289de836cf6c76415c87f Mon Sep 17 00:00:00 2001 
From: Sam Chudnick Date: Thu, 30 Apr 2026 07:44:56 -0400 Subject: Updated for Debian 13 and dovecot 2.4 --- roles/dovecot/files/conf.d/10-auth.conf | 11 ++- roles/dovecot/files/conf.d/10-mail.conf | 18 +++-- roles/dovecot/files/conf.d/10-master.conf | 2 +- roles/dovecot/files/conf.d/10-tcpwrapper.conf | 14 ---- roles/dovecot/files/conf.d/15-lda.conf | 4 -- roles/dovecot/files/conf.d/90-acl.conf | 19 ----- roles/dovecot/files/conf.d/90-plugin.conf | 11 --- roles/dovecot/files/conf.d/90-quota.conf | 83 ---------------------- .../dovecot/files/conf.d/90-sieve-extprograms.conf | 44 ------------ roles/dovecot/files/conf.d/90-sieve.conf | 10 +-- .../files/conf.d/auth-checkpassword.conf.ext | 21 ------ roles/dovecot/files/conf.d/auth-deny.conf.ext | 15 ---- roles/dovecot/files/conf.d/auth-dict.conf.ext | 16 ----- roles/dovecot/files/conf.d/auth-master.conf.ext | 16 ----- .../dovecot/files/conf.d/auth-passwdfile.conf.ext | 20 ------ roles/dovecot/files/conf.d/auth-sql.conf.ext | 30 -------- roles/dovecot/files/conf.d/auth-static.conf.ext | 24 ------- roles/dovecot/files/conf.d/auth-system.conf.ext | 74 ------------------- 18 files changed, 23 insertions(+), 409 deletions(-) delete mode 100644 roles/dovecot/files/conf.d/10-tcpwrapper.conf delete mode 100644 roles/dovecot/files/conf.d/15-lda.conf delete mode 100644 roles/dovecot/files/conf.d/90-acl.conf delete mode 100644 roles/dovecot/files/conf.d/90-plugin.conf delete mode 100644 roles/dovecot/files/conf.d/90-quota.conf delete mode 100644 roles/dovecot/files/conf.d/90-sieve-extprograms.conf delete mode 100644 roles/dovecot/files/conf.d/auth-checkpassword.conf.ext delete mode 100644 roles/dovecot/files/conf.d/auth-deny.conf.ext delete mode 100644 roles/dovecot/files/conf.d/auth-dict.conf.ext delete mode 100644 roles/dovecot/files/conf.d/auth-master.conf.ext delete mode 100644 roles/dovecot/files/conf.d/auth-passwdfile.conf.ext delete mode 100644 roles/dovecot/files/conf.d/auth-sql.conf.ext delete mode 100644 
roles/dovecot/files/conf.d/auth-static.conf.ext delete mode 100644 roles/dovecot/files/conf.d/auth-system.conf.ext (limited to 'roles/dovecot/files/conf.d')
diff --git a/roles/dovecot/files/conf.d/10-auth.conf b/roles/dovecot/files/conf.d/10-auth.conf
index 7ac1eee..d6a6417 100644
--- a/roles/dovecot/files/conf.d/10-auth.conf
+++ b/roles/dovecot/files/conf.d/10-auth.conf
@@ -1,10 +1,9 @@
 # Authentication
-disable_plaintext_auth = yes
-auth_username_format = %n
+auth_allow_cleartext = no
+auth_username_format = %{user | username}
 auth_mechanisms = plain
-userdb {
- driver = passwd
+userdb passwd {
 }
-passdb {
- driver = pam
+passdb pam {
+ failure_show_msg = yes
 }
diff --git a/roles/dovecot/files/conf.d/10-mail.conf b/roles/dovecot/files/conf.d/10-mail.conf
index 683c5e9..8a5b61c 100644
--- a/roles/dovecot/files/conf.d/10-mail.conf
+++ b/roles/dovecot/files/conf.d/10-mail.conf
@@ -1,10 +1,14 @@
 # Mail location
-mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
+mail_driver = maildir
+mail_path = ~/Mail
+mail_inbox_path = ~/Mail/Inbox
+mailbox_list_layout = fs
 namespace inbox {
- type = private
- prefix =
- separator = /
- inbox = yes
- subscriptions = yes
- list = yes
+ type = private
+ prefix =
+ separator = /
+ inbox = yes
+ subscriptions = yes
+ list = yes
 }
+
diff --git a/roles/dovecot/files/conf.d/10-master.conf b/roles/dovecot/files/conf.d/10-master.conf
index c2c9493..013ebfd 100644
--- a/roles/dovecot/files/conf.d/10-master.conf
+++ b/roles/dovecot/files/conf.d/10-master.conf
@@ -1,7 +1,7 @@
 # Master Configuration
 service imap-login {
 # Run login processes in high-security mode (see: LoginProcess.txt in dovecot docs)
- service_count = 1
+ service_restart_request_count = 1
 # Disable unencrypted IMAP by setting port for plain IMAP to 0
 inet_listener imap {
 port = 0
diff --git a/roles/dovecot/files/conf.d/10-tcpwrapper.conf b/roles/dovecot/files/conf.d/10-tcpwrapper.conf
deleted file mode 100644
index b237d96..0000000
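Review bot: `failure_show_msg = yes` in the new `passdb pam` block of 10-auth.conf is a behaviour change, not part of the 2.4 syntax migration: the removed block set only `driver = pam`. With this option Dovecot returns PAM's own failure text to the client in place of the generic authentication-failed reply, so a client that has not authenticated may learn whether an account is expired, locked or rejected by a particular PAM module. Unless a module here has to show users a message, leave the block empty (`passdb pam {` / `}`), or keep the line with a comment stating why, e.g. `# PAM failure text is shown to clients because <reason>`.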
--- a/roles/dovecot/files/conf.d/10-tcpwrapper.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# 10-tcpwrapper.conf
-#
-# service name for hosts.{allow|deny} are those defined as
-# inet_listener in master.conf
-#
-#login_access_sockets = tcpwrap
-#
-#service tcpwrap {
-# unix_listener login/tcpwrap {
-# group = $default_login_user
-# mode = 0600
-# user = $default_login_user
-# }
-#}
diff --git a/roles/dovecot/files/conf.d/15-lda.conf b/roles/dovecot/files/conf.d/15-lda.conf
deleted file mode 100644
index 8538f79..0000000
--- a/roles/dovecot/files/conf.d/15-lda.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-# Local Delivery Agent
-protocol lda {
- mail_plugins = $mail_plugins sieve
-}
diff --git a/roles/dovecot/files/conf.d/90-acl.conf b/roles/dovecot/files/conf.d/90-acl.conf
deleted file mode 100644
index f0c0e7a..0000000
--- a/roles/dovecot/files/conf.d/90-acl.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-##
-## Mailbox access control lists.
-##
-
-# vfile backend reads ACLs from "dovecot-acl" file from mail directory.
-# You can also optionally give a global ACL directory path where ACLs are
-# applied to all users' mailboxes. The global ACL directory contains
-# one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter
-# specifies how many seconds to wait between stat()ing dovecot-acl file
-# to see if it changed.
-plugin {
- #acl = vfile:/etc/dovecot/global-acls:cache_secs=300
-}
-
-# To let users LIST mailboxes shared by other users, Dovecot needs a
-# shared mailbox dictionary. For example:
-plugin {
- #acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
-}
diff --git a/roles/dovecot/files/conf.d/90-plugin.conf b/roles/dovecot/files/conf.d/90-plugin.conf
deleted file mode 100644
index 8c8fccf..0000000
--- a/roles/dovecot/files/conf.d/90-plugin.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-##
-## Plugin settings
-##
-
-# All wanted plugins must be listed in mail_plugins setting before any of the
-# settings take effect. See for list of plugins and
-# their configuration. Note that %variable expansion is done for all values.
-
-plugin {
- #setting_name = value
-}
diff --git a/roles/dovecot/files/conf.d/90-quota.conf b/roles/dovecot/files/conf.d/90-quota.conf
deleted file mode 100644
index 3308c05..0000000
--- a/roles/dovecot/files/conf.d/90-quota.conf
+++ /dev/null
@@ -1,83 +0,0 @@
-##
-## Quota configuration.
-##
-
-# Note that you also have to enable quota plugin in mail_plugins setting.
-#
-
-##
-## Quota limits
-##
-
-# Quota limits are set using "quota_rule" parameters. To get per-user quota
-# limits, you can set/override them by returning "quota_rule" extra field
-# from userdb. It's also possible to give mailbox-specific limits, for example
-# to give additional 100 MB when saving to Trash:
-
-plugin {
- #quota_rule = *:storage=1G
- #quota_rule2 = Trash:storage=+100M
-
- # LDA/LMTP allows saving the last mail to bring user from under quota to
- # over quota, if the quota doesn't grow too high. Default is to allow as
- # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
- #quota_grace = 10%%
-
- # Quota plugin can also limit the maximum accepted mail size.
- #quota_max_mail_size = 100M
-}
-
-##
-## Quota warnings
-##
-
-# You can execute a given command when user exceeds a specified quota limit.
-# Each quota root has separate limits. Only the command for the first
-# exceeded limit is executed, so put the highest limit first.
-# The commands are executed via script service by connecting to the named
-# UNIX socket (quota-warning below).
-# Note that % needs to be escaped as %%, otherwise "% " expands to empty.
-
-plugin {
- #quota_warning = storage=95%% quota-warning 95 %u
- #quota_warning2 = storage=80%% quota-warning 80 %u
-}
-
-# Example quota-warning service. The unix listener's permissions should be
-# set in a way that mail processes can connect to it. Below example assumes
-# that mail processes run as vmail user. If you use mode=0666, all system users
-# can generate quota warnings to anyone.
-#service quota-warning {
-# executable = script /usr/local/bin/quota-warning.sh
-# user = dovecot
-# unix_listener quota-warning {
-# user = vmail
-# }
-#}
-
-##
-## Quota backends
-##
-
-# Multiple backends are supported:
-# dirsize: Find and sum all the files found from mail directory.
-# Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
-# dict: Keep quota stored in dictionary (eg. SQL)
-# maildir: Maildir++ quota
-# fs: Read-only support for filesystem quota
-
-plugin {
- #quota = dirsize:User quota
- #quota = maildir:User quota
- #quota = dict:User quota::proxy::quota
- #quota = fs:User quota
-}
-
-# Multiple quota roots are also possible, for example this gives each user
-# their own 100MB quota and one shared 1GB quota within the domain:
-plugin {
- #quota = dict:user::proxy::quota
- #quota2 = dict:domain:%d:proxy::quota_domain
- #quota_rule = *:storage=102400
- #quota2_rule = *:storage=1048576
-}
diff --git a/roles/dovecot/files/conf.d/90-sieve-extprograms.conf b/roles/dovecot/files/conf.d/90-sieve-extprograms.conf
deleted file mode 100644
index 17dcb77..0000000
--- a/roles/dovecot/files/conf.d/90-sieve-extprograms.conf
+++ /dev/null
@@ -1,44 +0,0 @@
-# Sieve Extprograms plugin configuration
-
-# Don't forget to add the sieve_extprograms plugin to the sieve_plugins setting.
-# Also enable the extensions you need (one or more of vnd.dovecot.pipe,
-# vnd.dovecot.filter and vnd.dovecot.execute) by adding these to the
-# sieve_extensions or sieve_global_extensions settings. Restricting these
-# extensions to a global context using sieve_global_extensions is recommended.
-
-plugin {
-
- # The directory where the program sockets are located for the
- # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
- # respectively. The name of each unix socket contained in that directory
- # directly maps to a program-name referenced from the Sieve script.
- #sieve_pipe_socket_dir = sieve-pipe
- #sieve_filter_socket_dir = sieve-filter
- #sieve_execute_socket_dir = sieve-execute
-
- # The directory where the scripts are located for direct execution by the
- # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
- # respectively. The name of each script contained in that directory
- # directly maps to a program-name referenced from the Sieve script.
- #sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
- #sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
- #sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute
-}
-
-# An example program service called 'do-something' to pipe messages to
-#service do-something {
- # Define the executed script as parameter to the sieve service
- #executable = script /usr/lib/dovecot/sieve-pipe/do-something.sh
-
- # Use some unprivileged user for executing the program
- #user = dovenull
-
- # The unix socket located in the sieve_pipe_socket_dir (as defined in the
- # plugin {} section above)
- #unix_listener sieve-pipe/do-something {
- # LDA/LMTP must have access
- # user = vmail
- # mode = 0600
- #}
-#}
-
diff --git a/roles/dovecot/files/conf.d/90-sieve.conf b/roles/dovecot/files/conf.d/90-sieve.conf
index c7ef6c4..a4f70d3 100644
--- a/roles/dovecot/files/conf.d/90-sieve.conf
+++ b/roles/dovecot/files/conf.d/90-sieve.conf
@@ -1,6 +1,8 @@
 # Sieve Configuration
-plugin {
- sieve = ~/.dovecot.sieve
- sieve_default = /var/lib/dovecot/sieve/default.sieve
- sieve_global = /var/lib/dovecot/sieve/
+sieve_script default {
+ type = default
+ name = default
+ driver = file
+ path = /var/lib/dovecot/sieve/default.sieve
+ active_path = ~/.dovecot.sieve
 }
diff --git a/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext b/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext
deleted file mode 100644
index b2fb13a..0000000
--- a/roles/dovecot/files/conf.d/auth-checkpassword.conf.ext
+++ /dev/null
@@ -1,21 +0,0 @@
-# Authentication for checkpassword users. Included from 10-auth.conf.
-#
-#
-
-passdb {
- driver = checkpassword
- args = /usr/bin/checkpassword
-}
-
-# passdb lookup should return also userdb info
-userdb {
- driver = prefetch
-}
-
-# Standard checkpassword doesn't support direct userdb lookups.
-# If you need checkpassword userdb, the checkpassword must support
-# Dovecot-specific extensions.
-#userdb {
-# driver = checkpassword
-# args = /usr/bin/checkpassword
-#}
diff --git a/roles/dovecot/files/conf.d/auth-deny.conf.ext b/roles/dovecot/files/conf.d/auth-deny.conf.ext
deleted file mode 100644
index ce3f1cf..0000000
--- a/roles/dovecot/files/conf.d/auth-deny.conf.ext
+++ /dev/null
@@ -1,15 +0,0 @@
-# Deny access for users. Included from 10-auth.conf.
-
-# Users can be (temporarily) disabled by adding a passdb with deny=yes.
-# If the user is found from that database, authentication will fail.
-# The deny passdb should always be specified before others, so it gets
-# checked first.
-
-# Example deny passdb using passwd-file. You can use any passdb though.
-passdb {
- driver = passwd-file
- deny = yes
-
- # File contains a list of usernames, one per line
- args = /etc/dovecot/deny-users
-}
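Review bot: The new `sieve_script default` block in 90-sieve.conf folds the old per-user script (`sieve = ~/.dovecot.sieve`) into the default-script storage as `active_path`, and the old `sieve_global` directory has no replacement. As far as I know, Pigeonhole 2.4 expects the personal script and the default script in separate `sieve_script` blocks with different `type` values, so with `type = default` alone a user's `~/.dovecot.sieve` may no longer be loaded; confirm with `doveconf -n` and a test delivery. The same commit deletes 15-lda.conf, the only file in this view that enabled the sieve plugin for `protocol lda`, so check that delivery still runs Sieve at all. A split along these lines keeps both roles explicit (the personal `path` is taken from the old `sieve` setting and should be verified):

```conf
sieve_script personal {
  type = personal
  driver = file
  path = ~/.dovecot.sieve
}
sieve_script default {
  # … unchanged: type, name, driver, path …
  # active_path removed from the default storage
}
```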
diff --git a/roles/dovecot/files/conf.d/auth-dict.conf.ext b/roles/dovecot/files/conf.d/auth-dict.conf.ext
deleted file mode 100644
index 0be4847..0000000
--- a/roles/dovecot/files/conf.d/auth-dict.conf.ext
+++ /dev/null
@@ -1,16 +0,0 @@
-# Authentication via dict backend. Included from 10-auth.conf.
-#
-#
-
-passdb {
- driver = dict
-
- # Path for dict configuration file, see
- # example-config/dovecot-dict-auth.conf.ext
- args = /etc/dovecot/dovecot-dict-auth.conf.ext
-}
-
-userdb {
- driver = dict
- args = /etc/dovecot/dovecot-dict-auth.conf.ext
-}
diff --git a/roles/dovecot/files/conf.d/auth-master.conf.ext b/roles/dovecot/files/conf.d/auth-master.conf.ext
deleted file mode 100644
index 2cf128f..0000000
--- a/roles/dovecot/files/conf.d/auth-master.conf.ext
+++ /dev/null
@@ -1,16 +0,0 @@
-# Authentication for master users. Included from 10-auth.conf.
-
-# By adding master=yes setting inside a passdb you make the passdb a list
-# of "master users", who can log in as anyone else.
-#
-
-# Example master user passdb using passwd-file. You can use any passdb though.
-passdb {
- driver = passwd-file
- master = yes
- args = /etc/dovecot/master-users
-
- # Unless you're using PAM, you probably still want the destination user to
- # be looked up from passdb that it really exists. pass=yes does that.
- pass = yes
-}
diff --git a/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext b/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext
deleted file mode 100644
index c89d28c..0000000
--- a/roles/dovecot/files/conf.d/auth-passwdfile.conf.ext
+++ /dev/null
@@ -1,20 +0,0 @@
-# Authentication for passwd-file users. Included from 10-auth.conf.
-#
-# passwd-like file with specified location.
-#
-
-passdb {
- driver = passwd-file
- args = scheme=CRYPT username_format=%u /etc/dovecot/users
-}
-
-userdb {
- driver = passwd-file
- args = username_format=%u /etc/dovecot/users
-
- # Default fields that can be overridden by passwd-file
- #default_fields = quota_rule=*:storage=1G
-
- # Override fields from passwd-file
- #override_fields = home=/home/virtual/%u
-}
diff --git a/roles/dovecot/files/conf.d/auth-sql.conf.ext b/roles/dovecot/files/conf.d/auth-sql.conf.ext
deleted file mode 100644
index ccbea86..0000000
--- a/roles/dovecot/files/conf.d/auth-sql.conf.ext
+++ /dev/null
@@ -1,30 +0,0 @@
-# Authentication for SQL users. Included from 10-auth.conf.
-#
-#
-
-passdb {
- driver = sql
-
- # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
- args = /etc/dovecot/dovecot-sql.conf.ext
-}
-
-# "prefetch" user database means that the passdb already provided the
-# needed information and there's no need to do a separate userdb lookup.
-#
-#userdb {
-# driver = prefetch
-#}
-
-userdb {
- driver = sql
- args = /etc/dovecot/dovecot-sql.conf.ext
-}
-
-# If you don't have any user-specific settings, you can avoid the user_query
-# by using userdb static instead of userdb sql, for example:
-#
-#userdb {
- #driver = static
- #args = uid=vmail gid=vmail home=/var/vmail/%u
-#}
diff --git a/roles/dovecot/files/conf.d/auth-static.conf.ext b/roles/dovecot/files/conf.d/auth-static.conf.ext
deleted file mode 100644
index 90890c5..0000000
--- a/roles/dovecot/files/conf.d/auth-static.conf.ext
+++ /dev/null
@@ -1,24 +0,0 @@
-# Static passdb. Included from 10-auth.conf.
-
-# This can be used for situations where Dovecot doesn't need to verify the
-# username or the password, or if there is a single password for all users:
-#
-# - proxy frontend, where the backend verifies the password
-# - proxy backend, where the frontend already verified the password
-# - authentication with SSL certificates
-# - simple testing
-
-#passdb {
-# driver = static
-# args = proxy=y host=%1Mu.example.com nopassword=y
-#}
-
-#passdb {
-# driver = static
-# args = password=test
-#}
-
-#userdb {
-# driver = static
-# args = uid=vmail gid=vmail home=/home/%u
-#}
diff --git a/roles/dovecot/files/conf.d/auth-system.conf.ext b/roles/dovecot/files/conf.d/auth-system.conf.ext
deleted file mode 100644
index dadb9f7..0000000
--- a/roles/dovecot/files/conf.d/auth-system.conf.ext
+++ /dev/null
@@ -1,74 +0,0 @@
-# Authentication for system users. Included from 10-auth.conf.
-#
-#
-#
-
-# PAM authentication. Preferred nowadays by most systems.
-# PAM is typically used with either userdb passwd or userdb static.
-# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
-# authentication to actually work.
-passdb {
- driver = pam
- # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=]
- # [cache_key=] []
- #args = dovecot
-}
-
-# System users (NSS, /etc/passwd, or similar).
-# In many systems nowadays this uses Name Service Switch, which is
-# configured in /etc/nsswitch.conf.
-#passdb {
- #driver = passwd
- # [blocking=no]
- #args =
-#}
-
-# Shadow passwords for system users (NSS, /etc/shadow or similar).
-# Deprecated by PAM nowadays.
-#
-#passdb {
- #driver = shadow
- # [blocking=no]
- #args =
-#}
-
-# PAM-like authentication for OpenBSD.
-#
-#passdb {
- #driver = bsdauth
- # [blocking=no] [cache_key=]
- #args =
-#}
-
-##
-## User databases
-##
-
-# System users (NSS, /etc/passwd, or similar). In many systems nowadays this
-# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
-userdb {
- #
- driver = passwd
- # [blocking=no]
- #args =
-
- # Override fields from passwd
- #override_fields = home=/home/virtual/%u
-}
-
-# Static settings generated from template
-#userdb {
- #driver = static
- # Can return anything a userdb could normally return. For example:
- #
- # args = uid=500 gid=500 home=/var/mail/%u
- #
- # LDA and LMTP needs to look up users only from the userdb. This of course
- # doesn't work with static userdb because there is no list of users.
- # Normally static userdb handles this by doing a passdb lookup. This works
- # with most passdbs, with PAM being the most notable exception. If you do
- # the user verification another way, you can add allow_all_users=yes to
- # the args in which case the passdb lookup is skipped.
- #
- #args =
-#}
-- cgit v1.2.3