diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2016-05-22 18:02:37 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-05-22 18:02:37 +0200 |
commit | 73b2a602ee85706b2a1797632142058c6253ea5d (patch) | |
tree | d764d4483f1d7f2be1ff7df431d632afc8788648 /roles/IMAP/templates | |
parent | b536632f32d81dceb11f2b7ebf2ec1a284498901 (diff) |
dovecot: also listen on the virtual IP dedicated to IPSec.
(On port 143.) Moreover, add the whole IPSec virtual subnet to
‘login_trusted_networks’ since our IPSec tunnels provide end-to-end
encryption and we therefore don't need the extra SSL/TLS protection.
Diffstat (limited to 'roles/IMAP/templates')
-rw-r--r-- | roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 | 139 |
1 files changed, 139 insertions, 0 deletions
diff --git a/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 b/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 new file mode 100644 index 0000000..4969550 --- /dev/null +++ b/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 @@ -0,0 +1,139 @@ +#default_process_limit = 100 +#default_client_limit = 1000 + +# Default VSZ (virtual memory size) limit for service processes. This is mainly +# intended to catch and kill processes that leak memory before they eat up +# everything. +#default_vsz_limit = 256M + +# Login user is internally used by login processes. This is the most untrusted +# user in Dovecot system. It shouldn't have access to anything at all. +#default_login_user = dovenull + +# Internal user is used by unprivileged processes. It should be separate from +# login user, so that login processes can't disturb other processes. +#default_internal_user = dovecot + +service imap-login { + inet_listener imap { + address = {{ ipsec[inventory_hostname_short] }} + port = 143 + } + inet_listener imaps { + #port = 993 + #ssl = yes + } + + # Number of connections to handle before starting a new process. Typically + # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 + # is faster. <doc/wiki/LoginProcess.txt> + #service_count = 1 + + # Max. number of IMAP processes (logins) + process_limit = 256 + + # Number of processes to always keep waiting for more connections. + process_min_avail = 4 + + # If you set service_count=0, you probably need to grow this. + #vsz_limit = $default_vsz_limit +} + +service pop3-login { + inet_listener pop3 { + #port = 110 + } + inet_listener pop3s { + #port = 995 + #ssl = yes + } +} + +service lmtp { + user = vmail + + unix_listener /var/spool/postfix-mda/private/dovecot-lmtpd { + group = postfix + user = postfix + mode = 0600 + } + + # Create inet listener only if you can't use the above UNIX socket + #inet_listener lmtp { + # Avoid making LMTP visible for the entire internet + #address = + #port = + #} + + # Number of processes to always keep waiting for more connections. + process_min_avail = 4 +} + +service imap { + # Most of the memory goes to mmap()ing files. You may need to increase this + # limit if you have huge mailboxes. + #vsz_limit = $default_vsz_limit + + # Max. number of IMAP processes (connections) + #process_limit = 1024 +} + +service pop3 { + # Max. number of POP3 processes (connections) + #process_limit = 1024 +} + +service auth { + # auth_socket_path points to this userdb socket by default. It's typically + # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have + # full permissions to this socket are able to get a list of all usernames and + # get the results of everyone's userdb lookups. + # + # The default 0666 mode allows anyone to connect to the socket, but the + # userdb lookups will succeed only if the userdb returns an "uid" field that + # matches the caller process's UID. Also if caller's uid or gid matches the + # socket's uid or gid the lookup succeeds. Anything else causes a failure. + # + # To give the caller full permissions to lookup all users, set the mode to + # something else than 0666 and Dovecot lets the kernel enforce the + # permissions (e.g. 0777 allows everyone full permissions). + unix_listener auth-userdb { + mode = 0600 + user = vmail + group = root + } + + # Postfix smtp-auth + unix_listener /var/spool/postfix-msa/private/dovecot-auth { + group = postfix + user = postfix + mode = 0600 + } + + # Auth process is run as this user. + #user = $default_internal_user +} + +service auth-worker { + # Auth worker process is run as root by default, so that it can access + # /etc/shadow. If this isn't necessary, the user should be changed to + # $default_internal_user. + user = $default_internal_user +} + +service dict { + # If dict proxy is used, mail processes should have access to its socket. + # For example: mode=0660, group=vmail and global mail_access_groups=vmail + unix_listener dict { + #mode = 0600 + #user = + #group = + } +} + +service stats { + fifo_listener stats-mail { + user = vmail + mode = 0600 + } +} |