author | Guilhem Moulin <guilhem@fripost.org> | 2013-12-16 06:06:33 +0100 |
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:51:30 +0200 |
commit | b51df24e3b1b64c17a3aac652b142e2082c77a26 (patch) | |
tree | d2a4c1b42a0b4b43f535e934f06a2c87a0b2ade7 /roles | |
parent | 522ba399d24e8166681b328f550904fcd4d8fad9 (diff) |
Configure Sieve and ManageSieve.
Also, add the 'managesieve' RoundCube plugin to communicate with our
server.
Diffstat (limited to 'roles')
-rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf | 4 | ||||
-rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf | 104 | ||||
-rw-r--r-- | roles/IMAP/tasks/imap.yml | 3 | ||||
-rw-r--r-- | roles/common/templates/etc/iptables/services.j2 | 1 | ||||
-rw-r--r-- | roles/webmail/tasks/roundcube.yml | 5 | ||||
-rw-r--r-- | roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 | 67 |
6 files changed, 182 insertions, 2 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index 4eabe53..c727f4b 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -1,33 +1,37 @@
 ## ## SSL settings ## # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> ssl = required # No need for SSL if the packets are protected by IPSec. local 172.16.0.1 { protocol imap { disable_plaintext_auth = no ssl = no } + protocol sieve { + disable_plaintext_auth = no + ssl = no + } } # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf ssl_cert = </etc/dovecot/dovecot.pem ssl_key = </etc/dovecot/private/dovecot.pem # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often # world-readable, you may want to place this setting instead to a different # root owned 0600 file by using ssl_key_password = <path. #ssl_key_password = # PEM encoded trusted certificate authority. Set this only if you intend to use # ssl_verify_client_cert=yes. The file should contain the CA certificate(s) # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) #ssl_ca =
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf b/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf
new file mode 100644
index 0000000..4d0420a
--- /dev/null
+++ b/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf
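Review bot: The new `protocol sieve { … }` block inside `local 172.16.0.1 { … }` extends the no-TLS, plaintext-auth exception to ManageSieve on the strength of the existing comment "No need for SSL if the packets are protected by IPSec", but nothing in the roles/ diff shown here ties that exception to an IPsec policy that also covers TCP/4190, so if the policy selector only lists the IMAP port the PLAIN credentials sent by the Roundcube managesieve plugin would cross that link unprotected. I would record the dependency next to the block, e.g. `# 172.16.0.1 is reachable only over the IPsec tunnel from the webmail host; keep the IPsec policy in step with every protocol listed in this block (imap, sieve).` The same assumption is made by `managesieve_usetls = FALSE` in the new roundcube managesieve config.inc.php.j2 in this commit; one comment at this end is enough provided the selector is checked to include port 4190.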
@@ -0,0 +1,104 @@ +## +## Settings for the Sieve interpreter +## + +# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf +# by adding it to the respective mail_plugins= settings. + +plugin { + # The path to the user's main active script. If ManageSieve is used, this the + # location of the symbolic link controlled by ManageSieve. + sieve = ~/dovecot.sieve + + # The default Sieve script when the user has none. This is a path to a global + # sieve script file, which gets executed ONLY if user's private Sieve script + # doesn't exist. Be sure to pre-compile this script manually using the sievec + # command line tool. + # --> See sieve_before fore executing scripts before the user's personal + # script. + #sieve_default = /var/lib/dovecot/sieve/default.sieve + + # Directory for :personal include scripts for the include extension. This + # is also where the ManageSieve service stores the user's scripts. + sieve_dir = ~/sieve + + # Directory for :global include scripts for the include extension. + #sieve_global_dir = + + # Path to a script file or a directory containing script files that need to be + # executed before the user's script. If the path points to a directory, all + # the Sieve scripts contained therein (with the proper .sieve extension) are + # executed. The order of execution within a directory is determined by the + # file names, using a normal 8bit per-character comparison. Multiple script + # file or directory paths can be specified by appending an increasing number. + #sieve_before = + #sieve_before2 = + #sieve_before3 = (etc...) + + # Identical to sieve_before, only the specified scripts are executed after the + # user's script (only when keep is still in effect!). Multiple script file or + # directory paths can be specified by appending an increasing number. + #sieve_after = + #sieve_after2 = + #sieve_after2 = (etc...) + + # Which Sieve language extensions are available to users. 
By default, all + # supported extensions are available, except for deprecated extensions or + # those that are still under development. Some system administrators may want + # to disable certain Sieve extensions or enable those that are not available + # by default. This setting can use '+' and '-' to specify differences relative + # to the default. For example `sieve_extensions = +imapflags' will enable the + # deprecated imapflags extension in addition to all extensions were already + # enabled by default. + #sieve_extensions = +notify +imapflags + + # Which Sieve language extensions are ONLY available in global scripts. This + # can be used to restrict the use of certain Sieve extensions to administrator + # control, for instance when these extensions can cause security concerns. + # This setting has higher precedence than the `sieve_extensions' setting + # (above), meaning that the extensions enabled with this setting are never + # available to the user's personal script no matter what is specified for the + # `sieve_extensions' setting. The syntax of this setting is similar to the + # `sieve_extensions' setting, with the difference that extensions are + # enabled or disabled for exclusive use in global scripts. Currently, no + # extensions are marked as such by default. + #sieve_global_extensions = + + # The Pigeonhole Sieve interpreter can have plugins of its own. Using this + # setting, the used plugins can be specified. Check the Dovecot wiki + # (wiki2.dovecot.org) or the pigeonhole website + # (http://pigeonhole.dovecot.org) for available plugins. + #sieve_plugins = + + # The separator that is expected between the :user and :detail + # address parts introduced by the subaddress extension. This may + # also be a sequence of characters (e.g. '--'). The current + # implementation looks for the separator from the left of the + # localpart and uses the first one encountered. The :user part is + # left of the separator and the :detail part is right. 
This setting + # is also used by Dovecot's LMTP service. + recipient_delimiter = + + + # The maximum size of a Sieve script. The compiler will refuse to compile any + # script larger than this limit. If set to 0, no limit on the script size is + # enforced. + #sieve_max_script_size = 1M + + # The maximum number of actions that can be performed during a single script + # execution. If set to 0, no limit on the total number of actions is enforced. + #sieve_max_actions = 32 + + # The maximum number of redirect actions that can be performed during a single + # script execution. If set to 0, no redirect actions are allowed. + #sieve_max_redirects = 4 + + # The maximum number of personal Sieve scripts a single user can have. If set + # to 0, no limit on the number of scripts is enforced. + # (Currently only relevant for ManageSieve) + #sieve_quota_max_scripts = 0 + + # The maximum amount of disk storage a single user's scripts may occupy. If + # set to 0, no limit on the used amount of disk storage is enforced. + # (Currently only relevant for ManageSieve) + #sieve_quota_max_storage = 0 +}
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index e39e4bf..163e10d 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -1,28 +1,30 @@
 - name: Install Dovecot apt: pkg={{ item }} with_items: - dovecot-core - dovecot-ldap - dovecot-imapd - dovecot-lmtpd - dovecot-antispam + - dovecot-managesieved + - dovecot-sieve - name: Create a user 'vmail' user: name=vmail system=yes home=/home/mail shell=/bin/false password=! state=present - name: Create a home directory for user 'vmail' file: path=/home/mail state=directory owner=vmail group=vmail mode=0700 - name: Create virtual mailbox directories file: path=/etc/dovecot/virtual{{ item }} state=directory owner=root group=root mode=0755 with_items:
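Review bot: `recipient_delimiter =` is the one setting in the `plugin { }` block that is uncommented, and it is set to an empty value; the surrounding comment says LMTP uses it too, so this silently turns off `:user`/`:detail` subaddress splitting for delivery as well as for Sieve (the Pigeonhole example, if I recall it correctly, ships this line commented with `+`), and the commit message does not mention it. A one-line comment would stop the next reader from "restoring" it, e.g. `# Deliberately empty: no subaddressing is used here, so neither the Sieve subaddress extension nor LMTP splits the localpart.` Since ManageSieve now lets every mail user upload scripts, I would also consider uncommenting `sieve_quota_max_scripts` and `sieve_quota_max_storage` with non-zero values, because the commented defaults of 0 mean unlimited per-user storage under `sieve_dir`. Two upstream typos are carried over in the copied comments: `fore executing` and the second `#sieve_after2 =`, which should read `#sieve_after3 =`.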
@@ -50,31 +52,32 @@
 state=directory owner=vmail group=vmail mode=0700 - name: Configure Dovecot copy: src=etc/dovecot/{{ item }} dest=/etc/dovecot/{{ item }} owner=root group=root mode=0644 register: r with_items: - conf.d/10-auth.conf - conf.d/10-logging.conf - conf.d/10-mail.conf - conf.d/10-master.conf - conf.d/10-ssl.conf - conf.d/15-mailboxes.conf - conf.d/20-imap.conf - conf.d/20-lmtp.conf - conf.d/90-plugin.conf + - conf.d/90-sieve.conf - conf.d/auth-ldap.conf.ext - dovecot-ldap.conf.ext - dovecot-ldap-userdb.conf.ext notify: - Restart Dovecot - name: Start Dovecot service: name=dovecot state=started when: not r.changed - meta: flush_handlers
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 3ddb87e..4e21dfc 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -4,27 +4,28 @@
 # direction protocol destination port source port # (in|out|inout)[46]? (tcp|udp|..) (port|port:port|port,port) (port|port:port|port,port) inout udp 500 500 # ISAKMP #inout udp 4500 4500 # IPSec NAT Traversal out tcp 80,443 # HTTP/HTTPS out udp 53 # DNS out udp 67 # DHCP {% if 'NTP-master' in group_names %} out udp 123 123 # NTP {% endif %} in tcp {{ ansible_ssh_port|default('22') }} # SSH {% if 'MX' in group_names %} in tcp 25 # SMTP {% endif %} {% if 'IMAP' in group_names %} in tcp 993 # IMAPS +in tcp 4190 # ManageSieve {% endif %} {% if 'MSA' in group_names %} in tcp 587 # SMTP-AUTH {% endif %} {% if 'webmail' in group_names %} in tcp 80,443 # HTTP/HTTPS {% endif %}
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index 21d4dff..2d8a8b9 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
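Review bot: The `with_items` list now deploys `conf.d/90-sieve.conf`, whose own header says the Sieve plugin must also be added to `mail_plugins` in `15-lda.conf` and `20-lmtp.conf`, yet `conf.d/20-lmtp.conf` is copied unchanged and the diffstat shows no edit to it; unless that file already lists `sieve`, scripts users upload through ManageSieve will be stored but never executed at delivery. Worth checking the current 20-lmtp.conf, or adding `mail_plugins = $mail_plugins sieve` to its lmtp protocol block in the same commit so the two files land together. The hunk opens mid-task: the `state=directory …` continuation line at its top belongs to a task whose start is outside the hunk.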
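Review bot: `in tcp 4190 # ManageSieve` opens the port to any source on IMAP hosts, while the only client this commit configures is the webmail's managesieve plugin, which targets `{{ IMAP }}` over the 172.16.0.1 path that 10-ssl.conf exempts from TLS. If no external Sieve clients are expected, the rule could be restricted to that source; if users' own clients are meant to reach it, the global `ssl = required` in 10-ssl.conf covers them and the open rule is fine, but the intent should be visible in the comment, e.g. `in tcp 4190 # ManageSieve (users' Sieve clients, TLS required)`.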
@@ -20,65 +20,66 @@ owner=root group=www-data mode=0640 with_items: # Logging/Debugging - { var: smtp_log, value: "FALSE" } # IMAP - { var: default_host, value: "'localhost'" } - { var: imap_auth_type, value: "'plain'" } - { var: imap_cache, value: "null" } - { var: message_cache, value: "null" } # SMTP - { var: smtp_server, value: "localhost" } - { var: smtp_port, value: "2580" } # System - { var: force_https, value: "TRUE" } - { var: login_autocomplete, value: "2" } - { var: skin_logo, value: "'skins/default/images/logo_webmail.png'" } - { var: username_domain, value: "'fripost.org'" } - { var: product_name, value: "'Fripost'" } # Plugins - - { var: plugins, value: "array('password','additional_message_headers')" } + - { var: plugins, value: "array('additional_message_headers','managesieve','password')" } # User Interface - { var: language, value: "'sv_SE'" } - { var: create_default_folders, value: "TRUE" } # User Preferences - { var: htmleditor, value: "TRUE" } - { var: skip_deleted, value: "TRUE" } - { var: check_all_folders, value: "FALSE" } - name: Make the logo a hyperlink to the website lineinfile: dest=/usr/share/roundcube/skins/default/templates/login.html regexp='^(<roundcube:object name="logo" src="/images/roundcube_logo.png" id="logo" border="0" style="margin:0 11px" />)$' line='<a href="https://fripost.org">\1</a>' backrefs=yes owner=root group=root mode=0644 - name: Configure Roundcube plugins template: src=usr/share/roundcube/plugins/{{ item }}/config.inc.php.j2 dest=/usr/share/roundcube/plugins/{{ item }}/config.inc.php owner=root group=root mode=0644 with_items: - - password - additional_message_headers + - managesieve + - password - name: Start php5-fpm service: name=php5-fpm state=started - name: Copy /etc/nginx/sites-available/roundcube copy: src=etc/nginx/sites-available/roundcube dest=/etc/nginx/sites-available/roundcube owner=root group=root mode=0644 notify: - Restart Nginx - name: Create /etc/nginx/sites-enabled/roundcube file: 
src=../sites-available/roundcube dest=/etc/nginx/sites-enabled/roundcube owner=root group=root state=link notify: - Restart Nginx
diff --git a/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 b/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2
new file mode 100644
index 0000000..27b5b44
--- /dev/null
+++ b/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2
@@ -0,0 +1,67 @@ +<?php + +// managesieve server port +$rcmail_config['managesieve_port'] = 4190; + +// managesieve server address, default is localhost. +// Replacement variables supported in host name: +// %h - user's IMAP hostname +// %n - http hostname ($_SERVER['SERVER_NAME']) +// %d - domain (http hostname without the first part) +// For example %n = mail.domain.tld, %d = domain.tld +$rcmail_config['managesieve_host'] = '{{ IMAP }}'; + +// authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL +// or none. Optional, defaults to best method supported by server. +$rcmail_config['managesieve_auth_type'] = 'PLAIN'; + +// Optional managesieve authentication identifier to be used as authorization proxy. +// Authenticate as a different user but act on behalf of the logged in user. +// Works with PLAIN and DIGEST-MD5 auth. +$rcmail_config['managesieve_auth_cid'] = null; + +// Optional managesieve authentication password to be used for imap_auth_cid +$rcmail_config['managesieve_auth_pw'] = null; + +// use or not TLS for managesieve server connection +// it's because I've problems with TLS and dovecot's managesieve plugin +// and it's not needed on localhost +$rcmail_config['managesieve_usetls'] = FALSE; + +// default contents of filters script (eg. default spam filter) +$rcmail_config['managesieve_default'] = '/etc/dovecot/sieve/global'; + +// The name of the script which will be used when there's no user script +$rcmail_config['managesieve_script_name'] = 'managesieve'; + +// Sieve RFC says that we should use UTF-8 endcoding for mailbox names, +// but some implementations does not covert UTF-8 to modified UTF-7. 
+// Defaults to UTF7-IMAP +$rcmail_config['managesieve_mbox_encoding'] = 'UTF-8'; + +// I need this because my dovecot (with listescape plugin) uses +// ':' delimiter, but creates folders with dot delimiter +$rcmail_config['managesieve_replace_delimiter'] = ''; + +// disabled sieve extensions (body, copy, date, editheader, encoded-character, +// envelope, environment, ereject, fileinto, ihave, imap4flags, index, +// mailbox, mboxmetadata, regex, reject, relational, servermetadata, +// spamtest, spamtestplus, subaddress, vacation, variables, virustest, etc. +// Note: not all extensions are implemented +$rcmail_config['managesieve_disabled_extensions'] = array(); + +// Enables debugging of conversation with sieve server. Logs it into <log_dir>/sieve +$rcmail_config['managesieve_debug'] = false; + +// Enables features described in http://wiki.kolab.org/KEP:14 +$rcmail_config['managesieve_kolab_master'] = false; + +// Script name extension used for scripts including. Dovecot uses '.sieve', +// Cyrus uses '.siv'. Doesn't matter if you have managesieve_kolab_master disabled. +$rcmail_config['managesieve_filename_extension'] = '.sieve'; + +// List of reserved script names (without extension). +// Scripts listed here will be not presented to the user. +$rcmail_config['managesieve_filename_exceptions'] = array(); + +?> |
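Review bot: The comment kept above `$rcmail_config['managesieve_usetls'] = FALSE;` ("it's because I've problems with TLS … and it's not needed on localhost") is the upstream author's and no longer describes this deployment, because `managesieve_host` is `'{{ IMAP }}'` rather than localhost, and the IMAP side of this webmail appears to use localhost (default_host in roundcube.yml), so this looks like the one plugin connection that leaves the host. The reason that actually applies is the IPsec-protected link that 10-ssl.conf's `local 172.16.0.1` block relies on; I would replace the three comment lines with `// No TLS on purpose: the IMAP host is reached only over the IPsec link, which Dovecot's 10-ssl.conf exempts from ssl=required; any other address should refuse this PLAIN login.` Separately, `$rcmail_config['managesieve_default'] = '/etc/dovecot/sieve/global';` names a file on the webmail host that nothing in this commit creates, so either deploy it here or note which role provides it.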