author | Guilhem Moulin <guilhem@fripost.org> | 2013-12-11 00:56:02 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:51:20 +0200 |
commit | 025db13070cabde62aed0b9c694baaaa4538b205 (patch) | |
tree | dba9185af69d65282fc061c54dc2306e732cdb17 /roles/IMAP/files/etc/dovecot | |
parent | 50df1556816e118b4bc449aaa7dfbab7a2ead626 (diff) |
Configure dovecot's antispam filter.
Mails to be retrained are stored in the spool directory /home/mail/spamspool;
later a daemon picks them up and feeds them to sa-learn(1p). (On busy
systems, batch-processing the learning should be much more efficient.)
The folder transition matrix, along with the corresponding actions, can
be found here:
http://hg.dovecot.org/dovecot-antispam-plugin/raw-file/5ebc6aae4d7c/doc/dovecot-antispam.7.txt
See also dovecot-antispam(7).
Diffstat (limited to 'roles/IMAP/files/etc/dovecot')
4 files changed, 174 insertions, 1 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf
new file mode 100644
index 0000000..6771cc7
--- /dev/null
+++ b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf
@@ -0,0 +1,68 @@
+##
+## IMAP specific settings
+##
+
+protocol imap {
+ # Maximum IMAP command line length. Some clients generate very long command
+ # lines with huge mailboxes, so you may need to raise this if you get
+ # "Too long argument" or "IMAP command line too large" errors often.
+ #imap_max_line_length = 64k
+
+ # Maximum number of IMAP connections allowed for a user from each IP address.
+ # NOTE: The username is compared case-sensitively.
+ #mail_max_userip_connections = 10
+
+ # Space separated list of plugins to load (default is global mail_plugins).
+ #mail_plugins = $mail_plugins antispam
+
+ # IMAP logout format string:
+ # %i - total number of bytes read from client
+ # %o - total number of bytes sent to client
+ #imap_logout_format = bytes=%i/%o
+
+ # Override the IMAP CAPABILITY response. If the value begins with '+',
+ # add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
+ #imap_capability =
+
+ # How long to wait between "OK Still here" notifications when client is
+ # IDLEing.
+ #imap_idle_notify_interval = 2 mins
+
+ # ID field names and values to send to clients. Using * as the value makes
+ # Dovecot use the default value. The following fields have default values
+ # currently: name, version, os, os-version, support-url, support-email.
+ #imap_id_send =
+
+ # ID fields sent by client to log. * means everything.
+ #imap_id_log =
+
+ # Workarounds for various client bugs:
+ # delay-newmail:
+ # Send EXISTS/RECENT new mail notifications only when replying to NOOP
+ # and CHECK commands. Some clients ignore them otherwise, for example OSX
+ # Mail (<v2.1). Outlook Express breaks more badly though, without this it
+ # may show user "Message no longer in server" errors. Note that OE6 still
+ # breaks even with this workaround if synchronization is set to
+ # "Headers Only".
+ # tb-extra-mailbox-sep:
+ # Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
+ # adds extra '/' suffixes to mailbox names. This option causes Dovecot to
+ # ignore the extra '/' instead of treating it as invalid mailbox name.
+ # tb-lsub-flags:
+ # Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
+ # This makes Thunderbird realize they aren't selectable and show them
+ # greyed out, instead of only later giving "not selectable" popup error.
+ #
+ # The list is space-separated.
+ #imap_client_workarounds =
+
+ # Load the 'antispam' plugin for people using the content filter.
+ # (Otherwise fallback to the static userdb.)
+ userdb {
+ driver = ldap
+ args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
+
+ # Default fields can be used to specify defaults that LDAP may override
+ default_fields = home=/home/mail/%d/%n
+ }
+}
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf b/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf
new file mode 100644
index 0000000..6e60f0f
--- /dev/null
+++ b/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf
@@ -0,0 +1,21 @@
+##
+## Plugin settings
+##
+
+# All wanted plugins must be listed in mail_plugins setting before any of the
+# settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and
+# their configuration. Note that %variable expansion is done for all values.
+
+plugin {
+ antispam_backend = spool2dir
+
+ antispam_trash = TRASH
+ antispam_unsure_pattern_ignorecase = MailTrain;MailTrain/*
+ antispam_spam = SPAM
+
+ # The first %%lu is replaced by the current time.
+ # The second %%lu is replaced by a counter to generate unique names.
+ # These two tokens MUST be present in the template!
+ antispam_spool2dir_spam = /home/mail/spamspool/%u-%%10lu-%%06lu.spam
+ antispam_spool2dir_notspam = /home/mail/spamspool/%u-%%10lu-%%06lu.ham
+}
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
index 8e88b27..15eb306 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
+++ b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
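Review bot: The commented-out `#mail_plugins = $mail_plugins antispam` line inside `protocol imap` reads like the switch for the plugin, while the plugin is in fact selected per user by the nested `userdb { driver = ldap ... }` block at the end of the section. Someone uncommenting it would load antispam for every IMAP user, including those the block's own comment says should fall back to the static userdb. I would keep the example value as plain `$mail_plugins` or add a line such as `# NOTE: antispam is enabled per user through the LDAP userdb below; leave this commented out.` The static userdb the comment relies on is defined outside this hunk, so its ordering relative to this block cannot be checked here.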
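Review bot: `antispam_spool2dir_spam` and `antispam_spool2dir_notspam` in the `plugin` block write copies of messages from every account into the single directory /home/mail/spamspool, and nothing in these files states who owns that directory or which mode it needs. The copies stay there until the learning daemon consumes them, so the directory should be writable only by the account the IMAP processes run as and readable only by that daemon; its creation is presumably handled elsewhere in the role, outside this diffstat. I would add above the templates `# /home/mail/spamspool holds full message copies: keep it owned by the mail account, not world-readable, and readable only by the sa-learn daemon.` The `%u` prefix also puts the login name into the file name, which stays a plain file name only as long as the permitted username characters exclude `/`.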
@@ -23,7 +23,7 @@ passdb { # args = /etc/dovecot/dovecot-ldap-userdb.conf.ext # # # Default fields can be used to specify defaults that LDAP may override -# #default_fields = home=/home/virtual/%u +# default_fields = home=/home/mail/%d/%n #} # If you don't have any user-specific settings, you can avoid the userdb LDAP
diff --git a/roles/IMAP/files/etc/dovecot/dovecot-ldap-userdb.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-ldap-userdb.conf.ext
new file mode 100644
index 0000000..6c39bf6
--- /dev/null
+++ b/roles/IMAP/files/etc/dovecot/dovecot-ldap-userdb.conf.ext
@@ -0,0 +1,84 @@
+# This file is opened as root, so it should be owned by root and mode 0600.
+#
+# http://wiki2.dovecot.org/AuthDatabase/LDAP/Userdb
+
+# Space separated list of LDAP hosts to use. host:port is allowed too.
+#hosts =
+
+# LDAP URIs to use. You can use this instead of hosts list. Note that this
+# setting isn't supported by all LDAP libraries.
+uris = ldapi://
+
+# Distinguished Name - the username used to login to the LDAP server.
+# Leave it commented out to bind anonymously.
+#dn =
+
+# Password for LDAP server, if dn is specified.
+#dnpass =
+
+# Use SASL binding instead of the simple binding. Note that this changes
+# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
+# and auth_bind=yes don't work together.
+sasl_bind = yes
+# SASL mechanism name to use.
+sasl_mech = EXTERNAL
+# SASL realm to use.
+#sasl_realm =
+# SASL authorization ID, ie. the dnpass is for this "master user", but the
+# dn is still the logged in user. Normally you want to keep this empty.
+#sasl_authz_id =
+
+# Use TLS to connect to the LDAP server.
+#tls = no
+# TLS options, currently supported only with OpenLDAP:
+#tls_ca_cert_file =
+#tls_ca_cert_dir =
+#tls_cipher_suite =
+# TLS cert/key is used only if LDAP server requires a client certificate.
+#tls_cert_file =
+#tls_key_file =
+# Valid values: never, hard, demand, allow, try
+#tls_require_cert =
+
+# Use the given ldaprc path.
+#ldaprc_path =
+
+# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
+# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
+# to get enough output.
+#debug_level = 0
+
+# LDAP protocol version to use. Likely 2 or 3.
+ldap_version = 3
+
+# LDAP base. %variables can be used here.
+# For example: dc=mail, dc=example, dc=org
+base = fvl=%n,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+
+# Dereference: never, searching, finding, always
+deref = never
+
+# Search scope: base, onelevel, subtree
+scope = base
+
+# User attributes are given in LDAP-name=dovecot-internal-name list. The
+# internal names are:
+# uid - System UID
+# gid - System GID
+# home - Home directory
+# mail - Mail location
+#
+# There are also other special fields which can be returned, see
+# http://wiki2.dovecot.org/UserDatabase/ExtraFields
+user_attrs = =mail_plugins=antispam
+
+# Filter for user lookup. Some variables can be used (see
+# http://wiki2.dovecot.org/Variables for full list):
+# %u - username
+# %n - user part in user@domain, same as %u if there's no domain
+# %d - domain part in user@domain, empty if user there's no domain
+user_filter = (&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount))
+
+# Attributes and filter to get a list of all users
+#iterate_attrs = uid=user
+#iterate_filter = (objectClass=posixAccount) |
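Review bot: `user_attrs = =mail_plugins=antispam` returns a static `mail_plugins` value, and as far as I know a userdb field of that name replaces the setting rather than extending it, so for every matching user the IMAP plugin list becomes exactly `antispam`. Any plugin enabled globally (quota or ACL, for example; the global `mail_plugins` is not visible in this diff) would then silently stop applying to those users. If other plugins are in use, list them in the value as well, e.g. `user_attrs = =mail_plugins=<global plugins> antispam`, and add a comment above it such as `# Overrides mail_plugins for matching users; keep in sync with the global list.`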