summaryrefslogtreecommitdiffstats
path: root/roles/IMAP/files/etc
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2017-06-02 14:25:21 +0200
committerGuilhem Moulin <guilhem@fripost.org>2017-06-05 16:44:46 +0200
commitb7a7ceb88ed5b44959920cde170bc6aaa83026bb (patch)
tree57b529319a012b73d1f2b460c2484220e5203b7c /roles/IMAP/files/etc
parent1395cc86969823d9972517833c614becba8660a0 (diff)
dovecot: enable user iteration and add a cronjob for `doveadm purge -A`
Diffstat (limited to 'roles/IMAP/files/etc')
-rw-r--r--roles/IMAP/files/etc/cron.d/doveadm1
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext8
-rw-r--r--roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext12
-rw-r--r--roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service23
-rw-r--r--roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.socket8
5 files changed, 52 insertions, 0 deletions
diff --git a/roles/IMAP/files/etc/cron.d/doveadm b/roles/IMAP/files/etc/cron.d/doveadm
index 1cb0ed8..b0551e4 100644
--- a/roles/IMAP/files/etc/cron.d/doveadm
+++ b/roles/IMAP/files/etc/cron.d/doveadm
@@ -1,3 +1,4 @@
MAILTO=root
59 * * * * vmail test -x /usr/bin/doveadm && nice -n 19 /usr/bin/doveadm sis deduplicate /home/mail/attachments /home/mail/attachments/queue
+37 5 * * * vmail test -x /usr/bin/doveadm && nice -n 19 /usr/bin/doveadm purge -A
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
index 360727e..9917753 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
+++ b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
@@ -37,3 +37,11 @@ userdb {
# so we can skip the passdb lookup here.
args = home=/home/mail/virtual/%d/%n allow_all_users=yes
}
+
+# Used only for iteration as the static userdb above always succeeds
+userdb {
+ driver = dict
+ skip = found
+ result_internalfail = return-fail
+ args = /etc/dovecot/dovecot-dict-auth.conf.ext
+}
diff --git a/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext
new file mode 100644
index 0000000..ecd7134
--- /dev/null
+++ b/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext
@@ -0,0 +1,12 @@
+# This file is commonly accessed via passdb {} or userdb {} section in
+# conf.d/auth-dict.conf.ext
+
+# Dictionary URI
+uri = proxy:/var/run/dovecot/auth-proxy:
+
+# Username iteration prefix. Keys under this are assumed to contain usernames.
+iterate_prefix = userdb/
+
+# Should iteration be disabled for this userdb? If this userdb acts only as a
+# cache there's no reason to try to iterate the (partial & duplicate) users.
+iterate_disable = no
diff --git a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service
new file mode 100644
index 0000000..ea5895c
--- /dev/null
+++ b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=Dovecot authentication proxy
+After=dovecot.target
+Requires=dovecot-auth-proxy.socket
+
+[Service]
+User=vmail
+Group=vmail
+StandardInput=null
+SyslogFacility=mail
+ExecStart=/usr/local/bin/dovecot-auth-proxy.pl
+
+# Hardening
+NoNewPrivileges=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=read-only
+ReadOnlyDirectories=/
+RestrictAddressFamilies=
+
+[Install]
+WantedBy=multi-user.target
+Also=postfix-sender-login.socket
diff --git a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.socket b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.socket
new file mode 100644
index 0000000..6dee91a
--- /dev/null
+++ b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.socket
@@ -0,0 +1,8 @@
+[Socket]
+SocketUser=dovecot
+SocketGroup=dovecot
+SocketMode=0600
+ListenStream=/run/dovecot/auth-proxy
+
+[Install]
+WantedBy=sockets.target