Upgrade Dovecot config to Jessie.

13 files changed, 138 insertions, 107 deletions

diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf
index cf0189e..d4f323d 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf
@@ -1,29 +1,30 @@
 ##
 ## Authentication processes
 ##
 
 # Disable LOGIN command and all other plaintext authentications unless
 # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
 # matches the local IP (ie. you're connecting from the same computer), the
 # connection is considered secure and plaintext authentication is allowed.
-disable_plaintext_auth = yes
+# See also ssl=required setting.
+#disable_plaintext_auth = yes
 
 # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
 # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
 #auth_cache_size = 0
 # Time to live for cached data. After TTL expires the cached record is no
 # longer used, *except* if the main database lookup returns internal failure.
 # We also try to handle password changes automatically: If user's previous
 # authentication was successful, but this one wasn't, the cache isn't used.
 # For now this works only with plaintext authentication.
 #auth_cache_ttl = 1 hour
 # TTL for negative hits (user not found, password mismatch).
 # 0 disables caching them completely.
 #auth_cache_negative_ttl = 1 hour
 
 # Space separated list of realms for SASL authentication mechanisms that need
 # them. You can leave it empty if you don't want to support multiple realms.
 # Many clients simply use the first one listed here, so keep the default realm
 # first.
 #auth_realms =
 
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf
index dcc1d9c..c98d3f6 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf
@@ -90,149 +90,150 @@ namespace virtual {
 #namespace {
   #type = shared
   #separator = /
 
   # Mailboxes are visible under "shared/user@domain/"
   # %%n, %%d and %%u are expanded to the destination user.
   #prefix = shared/%%u/
 
   # Mail location for other users' mailboxes. Note that %variables and ~/
   # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
   # destination user's data.
   #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
 
   # Use the default namespace for saving subscriptions.
   #subscriptions = no
 
   # List the shared/ namespace only if there are visible shared mailboxes.
   #list = children
 #}
 # Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
-#mail_shared_explicit_inbox = yes
+#mail_shared_explicit_inbox = no
 
 # System user and group used to access mails. If you use multiple, userdb
 # can override these by returning uid or gid fields. You can use either numbers
 # or names. <doc/wiki/UserIds.txt>
 mail_uid = vmail
 mail_gid = vmail
 
 # Group to enable temporarily for privileged operations. Currently this is
 # used only with INBOX when either its initial creation or dotlocking fails.
 # Typically this is set to "mail" to give access to /var/mail.
 #mail_privileged_group =
 
 # Grant access to these supplementary groups for mail processes. Typically
 # these are used to set up access to shared mailboxes. Note that it may be
 # dangerous to set these if users can create symlinks (e.g. if "mail" group is
 # set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
 # mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
 #mail_access_groups =
 
 # Allow full filesystem access to clients. There's no access checks other than
 # what the operating system does for the active UID/GID. It works with both
 # maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
 # or ~user/.
 #mail_full_filesystem_access = no
 
+# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but
+# soon intended to be used by METADATA as well.
+#mail_attribute_dict =
+
 ##
 ## Mail processes
 ##
 
 # Don't use mmap() at all. This is required if you store indexes to shared
 # filesystems (NFS or clustered filesystem).
 #mmap_disable = no
 
 # Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
 # since version 3, so this should be safe to use nowadays by default.
 #dotlock_use_excl = yes
 
 # When to use fsync() or fdatasync() calls:
 #   optimized (default): Whenever necessary to avoid losing important data
 #   always: Useful with e.g. NFS when write()s are delayed
 #   never: Never use it (best performance, but crashes can lose data)
 #mail_fsync = optimized
 
-# Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches
-# whenever needed. If you're using only a single mail server this isn't needed.
-#mail_nfs_storage = no
-# Mail index files also exist in NFS. Setting this to yes requires
-# mmap_disable=yes and fsync_disable=no.
-#mail_nfs_index = no
-
 # Locking method for index files. Alternatives are fcntl, flock and dotlock.
 # Dotlocking uses some tricks which may create more disk I/O than other locking
 # methods. NFS users: flock doesn't work, remember to change mmap_disable.
 #lock_method = fcntl
 
 # Directory in which LDA/LMTP temporarily stores incoming mails >128 kB.
 #mail_temp_dir = /tmp
 
 # Valid UID range for users, defaults to 500 and above. This is mostly
 # to make sure that users can't log in as daemons or other system users.
 # Note that denying root logins is hardcoded to dovecot binary and can't
 # be done even if first_valid_uid is set to 0.
-first_valid_uid = 1
+#first_valid_uid = 500
 #last_valid_uid = 0
 
 # Valid GID range for users, defaults to non-root/wheel. Users having
 # non-valid GID as primary group ID aren't allowed to log in. If user
 # belongs to supplementary groups with non-valid GIDs, those groups are
 # not set.
-first_valid_gid = 1
+#first_valid_gid = 1
 #last_valid_gid = 0
 
 # Maximum allowed length for mail keyword name. It's only forced when trying
 # to create new keywords.
 #mail_max_keyword_length = 50
 
 # ':' separated list of directories under which chrooting is allowed for mail
 # processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
 # This setting doesn't affect login_chroot, mail_chroot or auth chroot
 # settings. If this setting is empty, "/./" in home dirs are ignored.
 # WARNING: Never add directories here which local users can modify, that
 # may lead to root exploit. Usually this should be done only if you don't
 # allow shell access for users. <doc/wiki/Chrooting.txt>
 #valid_chroot_dirs = 
 
 # Default chroot directory for mail processes. This can be overridden for
 # specific users in user database by giving /./ in user's home directory
 # (eg. /home/./user chroots into /home). Note that usually there is no real
 # need to do chrooting, Dovecot doesn't allow users to access files outside
 # their mail directory anyway. If your home directories are prefixed with
 # the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
 #mail_chroot = 
 
 # UNIX socket path to master authentication server to find users.
 # This is used by imap (for shared users) and lda.
 #auth_socket_path = /var/run/dovecot/auth-userdb
 
 # Directory where to look up mail plugins.
 #mail_plugin_dir = /usr/lib/dovecot/modules
 
 # Space separated list of plugins to load for all services. Plugins specific to
 # IMAP, LDA, etc. are added to this list in their own .conf files.
 mail_plugins = virtual zlib
 
 ##
 ## Mailbox handling optimizations
 ##
 
+# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
+# also required for IMAP NOTIFY extension to be enabled.
+mailbox_list_index = yes
+
 # The minimum number of mails in a mailbox before updates are done to cache
 # file. This allows optimizing Dovecot's behavior to do less disk writes at
 # the cost of more disk reads.
 #mail_cache_min_mail_count = 0
 
 # When IDLE command is running, mailbox is checked once in a while to see if
 # there are any new mails or other changes. This setting defines the minimum
 # time to wait between those checks. Dovecot can also use dnotify, inotify and
 # kqueue to find out immediately when changes occur.
 #mailbox_idle_check_interval = 30 secs
 
 # Save mails with CR+LF instead of plain LF. This makes sending those mails
 # take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
 # But it also creates a bit more disk I/O which may just make it slower.
 # Also note that if other software reads the mboxes/maildirs, they may handle
 # the extra CRs wrong and cause problems.
 #mail_save_crlf = no
 
 # Max number of mails to keep open and prefetch to memory. This only works with
 # some mailbox formats and/or operating systems.
@@ -250,60 +251,70 @@ mail_plugins = virtual zlib
 # Enabling this option makes Dovecot return only entries which are directories.
 # This is done by stat()ing each entry, so it causes more disk I/O.
 # (For systems setting struct dirent->d_type, this check is free and it's
 # done always regardless of this setting)
 #maildir_stat_dirs = no
 
 # When copying a message, do it with hard links whenever possible. This makes
 # the performance much better, and it's unlikely to have any side effects.
 #maildir_copy_with_hardlinks = yes
 
 # Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
 # when its mtime changes unexpectedly or when we can't find the mail otherwise.
 #maildir_very_dirty_syncs = no
 
 # If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
 # getting the mail's physical size, except when recalculating Maildir++ quota.
 # This can be useful in systems where a lot of the Maildir filenames have a
 # broken size. The performance hit for enabling this is very small.
 #maildir_broken_filename_sizes = no
 
+# Always move mails from new/ directory to cur/, even when the \Recent flags
+# aren't being reset.
+#maildir_empty_new = no
+
 ##
 ## mbox-specific settings
 ##
 
 # Which locking methods to use for locking mbox. There are four available:
 #  dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
 #           solution. If you want to use /var/mail/ like directory, the users
 #           will need write access to that directory.
 #  dotlock_try: Same as dotlock, but if it fails because of permissions or
 #               because there isn't enough disk space, just skip it.
 #  fcntl  : Use this if possible. Works with NFS too if lockd is used.
 #  flock  : May not exist in all systems. Doesn't work with NFS.
 #  lockf  : May not exist in all systems. Doesn't work with NFS.
 #
 # You can use multiple locking methods; if you do the order they're declared
 # in is important to avoid deadlocks if other MTAs/MUAs are using multiple
 # locking methods as well. Some operating systems don't allow using some of
 # them simultaneously.
+#
+# The Debian value for mbox_write_locks differs from upstream Dovecot. It is
+# changed to be compliant with Debian Policy (section 11.6) for NFS safety.
+#       Dovecot: mbox_write_locks = dotlock fcntl
+#       Debian:  mbox_write_locks = fcntl dotlock
+#
 #mbox_read_locks = fcntl
-#mbox_write_locks = dotlock fcntl
+#mbox_write_locks = fcntl dotlock
 
 # Maximum time to wait for lock (all of them) before aborting.
 #mbox_lock_timeout = 5 mins
 
 # If dotlock exists but the mailbox isn't modified in any way, override the
 # lock file after this much time.
 #mbox_dotlock_change_timeout = 2 mins
 
 # When mbox changes unexpectedly we have to fully read it to find out what
 # changed. If the mbox is large this can take a long time. Since the change
 # is usually just a newly appended mail, it'd be faster to simply read the
 # new mails. If this setting is enabled, Dovecot does this but still safely
 # fallbacks to re-reading the whole mbox file whenever something in mbox isn't
 # how it's expected to be. The only real downside to this setting is that if
 # some other MUA changes message flags, Dovecot doesn't notice it immediately.
 # Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK 
 # commands.
 #mbox_dirty_syncs = yes
 
 # Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
@@ -333,39 +344,37 @@ mail_plugins = virtual zlib
 # Maximum dbox file size until it's rotated.
 #mdbox_rotate_size = 2M
 
 # Maximum dbox file age until it's rotated. Typically in days. Day begins
 # from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
 #mdbox_rotate_interval = 0
 
 # When creating new mdbox files, immediately preallocate their size to
 # mdbox_rotate_size. This setting currently works only in Linux with some
 # filesystems (ext4, xfs).
 #mdbox_preallocate_space = no
 
 ##
 ## Mail attachments
 ##
 
 # sdbox and mdbox support saving mail attachments to external files, which
 # also allows single instance storage for them. Other backends don't support
 # this for now.
 
-# WARNING: This feature hasn't been tested much yet. Use at your own risk.
-
 # Directory root where to store mail attachments. Disabled, if empty.
 #mail_attachment_dir =
 
 # Attachments smaller than this aren't saved externally. It's also possible to
 # write a plugin to disable saving specific attachments externally.
 #mail_attachment_min_size = 128k
 
 # Filesystem backend to use for saving attachments:
 #  posix : No SiS done by Dovecot (but this might help FS's own deduplication)
 #  sis posix : SiS with immediate byte-by-byte comparison during saving
 #  sis-queue posix : SiS with delayed comparison and deduplication
 #mail_attachment_fs = sis posix
 
 # Hash format to use in attachment filenames. You can add any text and
 # variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
 # Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
 #mail_attachment_hash = %{sha1}
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf
index 30e9fb6..189e96e 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf
@@ -1,70 +1,68 @@
 #default_process_limit = 100
 #default_client_limit = 1000
 
 # Default VSZ (virtual memory size) limit for service processes. This is mainly
 # intended to catch and kill processes that leak memory before they eat up
 # everything.
 #default_vsz_limit = 256M
 
 # Login user is internally used by login processes. This is the most untrusted
 # user in Dovecot system. It shouldn't have access to anything at all.
-default_login_user = dovenull
+#default_login_user = dovenull
 
 # Internal user is used by unprivileged processes. It should be separate from
 # login user, so that login processes can't disturb other processes.
-default_internal_user = dovecot
+#default_internal_user = dovecot
 
 service imap-login {
   inet_listener imap {
     port = 0
   }
   inet_listener imaps {
-    port = 993
-    ssl = yes
+    #port = 993
+    #ssl = yes
   }
 
   # Number of connections to handle before starting a new process. Typically
   # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
   # is faster. <doc/wiki/LoginProcess.txt>
-  service_count = 1
+  #service_count = 1
 
   # Max. number of IMAP processes (logins)
   process_limit = 256
 
   # Number of processes to always keep waiting for more connections.
   process_min_avail = 4
 
   # If you set service_count=0, you probably need to grow this.
   #vsz_limit = $default_vsz_limit
 }
 
 service pop3-login {
   inet_listener pop3 {
     #port = 110
   }
   inet_listener pop3s {
     #port = 995
     #ssl = yes
   }
-
-  service_count = 1
 }
 
 service lmtp {
   user = vmail
 
   unix_listener /var/spool/postfix-mda/private/dovecot-lmtpd {
     group = postfix
     user = postfix
     mode = 0600
   }
 
   # Create inet listener only if you can't use the above UNIX socket
   #inet_listener lmtp {
     # Avoid making LMTP visible for the entire internet
     #address =
     #port = 
   #}
 
   # Number of processes to always keep waiting for more connections.
   process_min_avail = 4
@@ -95,39 +93,39 @@ service auth {
   # matches the caller process's UID. Also if caller's uid or gid matches the
   # socket's uid or gid the lookup succeeds. Anything else causes a failure.
   #
   # To give the caller full permissions to lookup all users, set the mode to
   # something else than 0666 and Dovecot lets the kernel enforce the
   # permissions (e.g. 0777 allows everyone full permissions).
   unix_listener auth-userdb {
     mode = 0600
     user = vmail
     group = root
   }
 
   # Postfix smtp-auth
   unix_listener /var/spool/postfix-msa/private/dovecot-auth {
     group = postfix
     user = postfix
     mode = 0600
   }
 
   # Auth process is run as this user.
-  user = $default_internal_user
+  #user = $default_internal_user
 }
 
 service auth-worker {
   # Auth worker process is run as root by default, so that it can access
   # /etc/shadow. If this isn't necessary, the user should be changed to
   # $default_internal_user.
   user = $default_internal_user
 }
 
 service dict {
   # If dict proxy is used, mail processes should have access to its socket.
   # For example: mode=0660, group=vmail and global mail_access_groups=vmail
   unix_listener dict {
     #mode = 0600
     #user = 
     #group = 
   }
 }
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index 526da9c..90843b2 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -9,42 +9,50 @@ ssl = required
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
 ssl_cert = </etc/dovecot/ssl/imap.fripost.org.pem
 ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
 
 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
 # world-readable, you may want to place this setting instead to a different
 # root owned 0600 file by using ssl_key_password = <path.
 #ssl_key_password =
 
 # PEM encoded trusted certificate authority. Set this only if you intend to use
 # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
 # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
 #ssl_ca = 
 
 # Require that CRL check succeeds for client certificates.
 #ssl_require_crl = yes
 
+# Directory and/or file for trusted SSL CA certificates. These are used only
+# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
+# directory is usually /etc/ssl/certs in Debian-based systems and the file is
+# /etc/pki/tls/cert.pem in RedHat-based systems.
+#ssl_client_ca_dir =
+#ssl_client_ca_file =
+
 # Request client to send a certificate. If you also want to require it, set
 # auth_ssl_require_client_cert=yes in auth section.
 #ssl_verify_client_cert = no
 
 # Which field from certificate to use for username. commonName and
 # x500UniqueIdentifier are the usual choices. You'll also need to set
 # auth_ssl_username_from_cert=yes.
 #ssl_cert_username_field = commonName
 
-# How often to regenerate the SSL parameters file. Generation is quite CPU
-# intensive operation. The value is in hours, 0 disables regeneration
-# entirely.
-#ssl_parameters_regenerate = 168
+# DH parameters length to use.
+#ssl_dh_parameters_length = 1024
 
 # SSL protocols to use
 ssl_protocols = !SSLv2
 
 # SSL ciphers to use
 ssl_cipher_list = HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH
 
+# Prefer the server's order of ciphers over client's.
+#ssl_prefer_server_ciphers = no
+
 # SSL crypto device to use, for valid values run "openssl engine"
 #ssl_crypto_device =
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf
index 2557b78..1807e05 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf
@@ -1,68 +1,71 @@
 ##
 ## IMAP specific settings
 ##
 
-protocol imap {
-  # Maximum IMAP command line length. Some clients generate very long command
-  # lines with huge mailboxes, so you may need to raise this if you get
-  # "Too long argument" or "IMAP command line too large" errors often.
-  #imap_max_line_length = 64k
+# Maximum IMAP command line length. Some clients generate very long command
+# lines with huge mailboxes, so you may need to raise this if you get
+# "Too long argument" or "IMAP command line too large" errors often.
+#imap_max_line_length = 64k
 
-  # Maximum number of IMAP connections allowed for a user from each IP address.
-  # NOTE: The username is compared case-sensitively.
-  mail_max_userip_connections = 16
+# IMAP logout format string:
+#  %i - total number of bytes read from client
+#  %o - total number of bytes sent to client
+#imap_logout_format = in=%i out=%o
 
-  # Space separated list of plugins to load (default is global mail_plugins).
-  #mail_plugins = $mail_plugins antispam
+# Override the IMAP CAPABILITY response. If the value begins with '+',
+# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
+#imap_capability = 
 
-  # IMAP logout format string:
-  #  %i - total number of bytes read from client
-  #  %o - total number of bytes sent to client
-  #imap_logout_format = bytes=%i/%o
+# How long to wait between "OK Still here" notifications when client is
+# IDLEing.
+#imap_idle_notify_interval = 2 mins
 
-  # Override the IMAP CAPABILITY response. If the value begins with '+',
-  # add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
-  #imap_capability = 
+# ID field names and values to send to clients. Using * as the value makes
+# Dovecot use the default value. The following fields have default values
+# currently: name, version, os, os-version, support-url, support-email.
+#imap_id_send = 
 
-  # How long to wait between "OK Still here" notifications when client is
-  # IDLEing.
-  #imap_idle_notify_interval = 2 mins
+# ID fields sent by client to log. * means everything.
+#imap_id_log =
 
-  # ID field names and values to send to clients. Using * as the value makes
-  # Dovecot use the default value. The following fields have default values
-  # currently: name, version, os, os-version, support-url, support-email.
-  #imap_id_send = 
+# Workarounds for various client bugs:
+#   delay-newmail:
+#     Send EXISTS/RECENT new mail notifications only when replying to NOOP
+#     and CHECK commands. Some clients ignore them otherwise, for example OSX
+#     Mail (<v2.1). Outlook Express breaks more badly though, without this it
+#     may show user "Message no longer in server" errors. Note that OE6 still
+#     breaks even with this workaround if synchronization is set to
+#     "Headers Only".
+#   tb-extra-mailbox-sep:
+#     Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
+#     adds extra '/' suffixes to mailbox names. This option causes Dovecot to
+#     ignore the extra '/' instead of treating it as invalid mailbox name.
+#   tb-lsub-flags:
+#     Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
+#     This makes Thunderbird realize they aren't selectable and show them
+#     greyed out, instead of only later giving "not selectable" popup error.
+#
+# The list is space-separated.
+#imap_client_workarounds = 
 
-  # ID fields sent by client to log. * means everything.
-  #imap_id_log =
+# Host allowed in URLAUTH URLs sent by client. "*" allows all.
+#imap_urlauth_host =
 
-  # Workarounds for various client bugs:
-  #   delay-newmail:
-  #     Send EXISTS/RECENT new mail notifications only when replying to NOOP
-  #     and CHECK commands. Some clients ignore them otherwise, for example OSX
-  #     Mail (<v2.1). Outlook Express breaks more badly though, without this it
-  #     may show user "Message no longer in server" errors. Note that OE6 still
-  #     breaks even with this workaround if synchronization is set to
-  #     "Headers Only".
-  #   tb-extra-mailbox-sep:
-  #     Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
-  #     adds extra '/' suffixes to mailbox names. This option causes Dovecot to
-  #     ignore the extra '/' instead of treating it as invalid mailbox name.
-  #   tb-lsub-flags:
-  #     Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
-  #     This makes Thunderbird realize they aren't selectable and show them
-  #     greyed out, instead of only later giving "not selectable" popup error.
-  #
-  # The list is space-separated.
-  #imap_client_workarounds = 
+protocol imap {
+  # Space separated list of plugins to load (default is global mail_plugins).
+  #mail_plugins = $mail_plugins
 
-  # Load the 'antispam' plugin for people using the content filter.
-  # (Otherwise fallback to the static userdb.)
-  userdb {
-    driver = ldap
-    args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
+  # Maximum number of IMAP connections allowed for a user from each IP address.
+  # NOTE: The username is compared case-sensitively.
+  mail_max_userip_connections = 16
 
-    # Default fields can be used to specify defaults that LDAP may override
-    default_fields = home=/home/mail/virtual/%d/%n
-  }
+#  # TODO Load the 'antispam' plugin for people using the content filter.
+#  # (Otherwise fallback to the static userdb.)
+#  userdb {
+#    driver = ldap
+#    args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
+#
+#    # Default fields can be used to specify defaults that LDAP may override
+#    default_fields = home=/home/mail/virtual/%d/%n
+#  }
 }
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf b/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf
index b0be573..cd48ab8 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf
@@ -1,17 +1,20 @@
 ##
 ## LMTP specific settings
 ##
 
 # Support proxying to other LMTP/SMTP servers by performing passdb lookups.
 #lmtp_proxy = no
 
 # When recipient address includes the detail (e.g. user+detail), try to save
 # the mail to the detail mailbox. See also recipient_delimiter and
 # lda_mailbox_autocreate settings.
 #lmtp_save_to_detail_mailbox = no
 
+# Verify quota before replying to RCPT TO. This adds a small overhead.
+#lmtp_rcpt_check_quota = no
+
 protocol lmtp {
   postmaster_address = postmaster@fripost.org
   # Space separated list of plugins to load (default is global mail_plugins).
   mail_plugins = $mail_plugins sieve
 }
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf b/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf
index 4d0420a..8308adc 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf
@@ -1,104 +1,105 @@
 ##
 ## Settings for the Sieve interpreter
-## 
+##
 
 # Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
 # by adding it to the respective mail_plugins= settings.
 
 plugin {
   # The path to the user's main active script. If ManageSieve is used, this the
   # location of the symbolic link controlled by ManageSieve.
   sieve = ~/dovecot.sieve
 
   # The default Sieve script when the user has none. This is a path to a global
   # sieve script file, which gets executed ONLY if user's private Sieve script
   # doesn't exist. Be sure to pre-compile this script manually using the sievec
   # command line tool.
   # --> See sieve_before fore executing scripts before the user's personal
   #     script.
   #sieve_default = /var/lib/dovecot/sieve/default.sieve
 
   # Directory for :personal include scripts for the include extension. This
   # is also where the ManageSieve service stores the user's scripts.
   sieve_dir = ~/sieve
 
-  # Directory for :global include scripts for the include extension. 
+  # Directory for :global include scripts for the include extension.
   #sieve_global_dir =
 
   # Path to a script file or a directory containing script files that need to be
   # executed before the user's script. If the path points to a directory, all
   # the Sieve scripts contained therein (with the proper .sieve extension) are
   # executed. The order of execution within a directory is determined by the
   # file names, using a normal 8bit per-character comparison. Multiple script
   # file or directory paths can be specified by appending an increasing number.
   #sieve_before =
   #sieve_before2 =
   #sieve_before3 = (etc...)
 
   # Identical to sieve_before, only the specified scripts are executed after the
   # user's script (only when keep is still in effect!). Multiple script file or
   # directory paths can be specified by appending an increasing number.
   #sieve_after =
-  #sieve_after2 = 
+  #sieve_after2 =
   #sieve_after2 = (etc...)
 
-  # Which Sieve language extensions are available to users. By default, all 
+  # Which Sieve language extensions are available to users. By default, all
   # supported extensions are available, except for deprecated extensions or
   # those that are still under development. Some system administrators may want
   # to disable certain Sieve extensions or enable those that are not available
   # by default. This setting can use '+' and '-' to specify differences relative
   # to the default. For example `sieve_extensions = +imapflags' will enable the
 	# deprecated imapflags extension in addition to all extensions were already
-  # enabled by default. 
+  # enabled by default.
   #sieve_extensions = +notify +imapflags
 
   # Which Sieve language extensions are ONLY available in global scripts. This
   # can be used to restrict the use of certain Sieve extensions to administrator
   # control, for instance when these extensions can cause security concerns.
   # This setting has higher precedence than the `sieve_extensions' setting
   # (above), meaning that the extensions enabled with this setting are never
-  # available to the user's personal script no matter what is specified for the 
+  # available to the user's personal script no matter what is specified for the
   # `sieve_extensions' setting. The syntax of this setting is similar to the
   # `sieve_extensions' setting, with the difference that extensions are
   # enabled or disabled for exclusive use in global scripts. Currently, no
   # extensions are marked as such by default.
   #sieve_global_extensions =
 
   # The Pigeonhole Sieve interpreter can have plugins of its own. Using this
   # setting, the used plugins can be specified. Check the Dovecot wiki
   # (wiki2.dovecot.org) or the pigeonhole website
   # (http://pigeonhole.dovecot.org) for available plugins.
+	# The sieve_extprograms plugin is included in this release.
   #sieve_plugins =
 
-  # The separator that is expected between the :user and :detail 
-  # address parts introduced by the subaddress extension. This may 
-  # also be a sequence of characters (e.g. '--'). The current 
-  # implementation looks for the separator from the left of the 
-  # localpart and uses the first one encountered. The :user part is 
+  # The separator that is expected between the :user and :detail
+  # address parts introduced by the subaddress extension. This may
+  # also be a sequence of characters (e.g. '--'). The current
+  # implementation looks for the separator from the left of the
+  # localpart and uses the first one encountered. The :user part is
   # left of the separator and the :detail part is right. This setting
   # is also used by Dovecot's LMTP service.
   recipient_delimiter = +
 
   # The maximum size of a Sieve script. The compiler will refuse to compile any
   # script larger than this limit. If set to 0, no limit on the script size is
   # enforced.
   #sieve_max_script_size = 1M
 
   # The maximum number of actions that can be performed during a single script
   # execution. If set to 0, no limit on the total number of actions is enforced.
   #sieve_max_actions = 32
 
   # The maximum number of redirect actions that can be performed during a single
   # script execution. If set to 0, no redirect actions are allowed.
   #sieve_max_redirects = 4
 
   # The maximum number of personal Sieve scripts a single user can have. If set
   # to 0, no limit on the number of scripts is enforced.
   # (Currently only relevant for ManageSieve)
   #sieve_quota_max_scripts = 0
 
   # The maximum amount of disk storage a single user's scripts may occupy. If
   # set to 0, no limit on the used amount of disk storage is enforced.
-  # (Currently only relevant for ManageSieve) 
+  # (Currently only relevant for ManageSieve)
   #sieve_quota_max_storage = 0
 }
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
index 5237fc2..360727e 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
+++ b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
@@ -1,21 +1,21 @@
-# Authentication for LDAP users. Included from auth.conf.
+# Authentication for LDAP users. Included from 10-auth.conf.
 #
 # <doc/wiki/AuthDatabase.LDAP.txt>
 
 passdb {
   driver = ldap
 
   # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
   args = /etc/dovecot/dovecot-ldap.conf.ext
 }
 
 # "prefetch" user database means that the passdb already provided the
 # needed information and there's no need to do a separate userdb lookup.
 # <doc/wiki/UserDatabase.Prefetch.txt>
 #userdb {
 #  driver = prefetch
 #}
 
 #userdb {
 #  driver = ldap
 #  # This should be a different file from the passdb's, in order to perform
diff --git a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
index 1ffa73d..72f4604 100644
--- a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
+++ b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
@@ -1,20 +1,23 @@
+# This file is commonly accessed via passdb {} or userdb {} section in
+# conf.d/auth-ldap.conf.ext
+
 # This file is opened as root, so it should be owned by root and mode 0600.
 #
 # http://wiki2.dovecot.org/AuthDatabase/LDAP
 #
 # NOTE: If you're not using authentication binds, you'll need to give
 # dovecot-auth read access to userPassword field in the LDAP server.
 # With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
 # already be something like this:
 
 # access to attribute=userPassword
 #        by dn="<dovecot's dn>" read # add this
 #        by anonymous auth
 #        by self write
 #        by * none
 
 # Space separated list of LDAP hosts to use. host:port is allowed too.
 #hosts =
 
 # LDAP URIs to use. You can use this instead of hosts list. Note that this
 # setting isn't supported by all LDAP libraries.
@@ -73,41 +76,41 @@ auth_bind = yes
 #
 # If you use this setting, it's a good idea to use a different
 # dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
 # the filename is different in userdb's args). That way one connection is used
 # only for LDAP binds and another connection is used for user lookups.
 # Otherwise the binding is changed to the default DN before each user lookup.
 #
 # For example:
 #   auth_bind_userdn = cn=%u,ou=people,o=org
 #
 auth_bind_userdn = fvl=%n,fvd=%d,ou=virtual,dc=fripost,dc=org
 
 # LDAP protocol version to use. Likely 2 or 3.
 ldap_version = 3
 
 # LDAP base. %variables can be used here.
 # For example: dc=mail, dc=example, dc=org
 base = fvl=%n,fvd=%d,ou=virtual,dc=fripost,dc=org
 
 # Dereference: never, searching, finding, always
-deref = never
+#deref = never
 
 # Search scope: base, onelevel, subtree
 scope = base
 
 # User attributes are given in LDAP-name=dovecot-internal-name list. The
 # internal names are:
 #   uid - System UID
 #   gid - System GID
 #   home - Home directory
 #   mail - Mail location
 #
 # There are also other special fields which can be returned, see
 # http://wiki2.dovecot.org/UserDatabase/ExtraFields
 user_attrs =
 
 # Filter for user lookup. Some variables can be used (see
 # http://wiki2.dovecot.org/Variables for full list):
 #   %u - username
 #   %n - user part in user@domain, same as %u if there's no domain
 #   %d - domain part in user@domain, empty if user there's no domain
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index b142ba6..9365640 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -1,46 +1,49 @@
 - name: Install Dovecot
   apt: pkg={{ item }}
   with_items:
     - dovecot-core
     - dovecot-ldap
     - dovecot-imapd
     - dovecot-lmtpd
     - dovecot-antispam
     - dovecot-managesieved
     - dovecot-sieve
 
 - name: Create a user 'vmail'
   user: name=vmail system=yes
         createhome=no
         home=/home/mail
         shell=/bin/false
         password=!
         state=present
 
-# Required for dbox, see
-# http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox
-- name: Create a nightly cron job to purge expunged messages
-  cron: name="Purge expunged messages"
-        minute=7 hour=5
-        user=vmail cron_file=doveadm-purge
-        job="/usr/bin/doveadm purge -A"
+## TODO: make a LDAP query listing all users using iterate_attrs and
+## iterate_filter.  (Alternatively, use a dict, see
+## https://www.opensource.apple.com/source/dovecot/dovecot-293/dovecot.Config/dovecot-dict-auth.conf.ext)
+## Required for dbox, see
+## http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox
+#- name: Create a nightly cron job to purge expunged messages
+#  cron: name="Purge expunged messages"
+#        minute=7 hour=5
+#        user=vmail cron_file=doveadm-purge
+#        job="/usr/bin/doveadm purge -A"
 
 # The ownership and permissions ensure that dovecot won't try to
 # deliver mails under an umounted mountpoint.
 - name: Create a home directory for user 'vmail'
   file: path=/home/mail
         state=directory
         owner=root group=root
         mode=0755
 
 - name: Create /home/mail/virtual
   file: path=/home/mail/virtual
         state=directory
         owner=vmail group=vmail
         mode=0700
 
 - name: Create virtual mailbox directories
   file: path=/etc/dovecot/virtual/{{ item }}
         state=directory
         owner=root group=root
         mode=0755
diff --git a/roles/IMAP/tasks/main.yml b/roles/IMAP/tasks/main.yml
index c6fbbd9..9ed2ea6 100644
--- a/roles/IMAP/tasks/main.yml
+++ b/roles/IMAP/tasks/main.yml
@@ -1,4 +1,4 @@
 ---
 - include: imap.yml   tags=imap,dovecot
 - include: mda.yml    tags=mda,mail,postfix
-- include: spam.yml   tags=spam,spamassassin
+#- include: spam.yml   tags=spam,spamassassin # TODO spam filter
diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index c775a73..ef2f0d6 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -74,31 +74,32 @@ smtpd_tls_fingerprint_digest    = sha256
 
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 
 smtpd_client_restrictions =
     permit_mynetworks
     permit_tls_clientcerts
     # We are the only ones using this proxy, but if things go wrong we
     # want to know why
     defer
 
 smtpd_helo_required     = yes
 smtpd_helo_restrictions =
     reject_invalid_helo_hostname
 
 smtpd_sender_restrictions =
     reject_non_fqdn_sender
 
-smtpd_recipient_restrictions =
-    # RFC requirements
-    reject_non_fqdn_recipient
+smtpd_relay_restrictions =
     permit_mynetworks
     permit_tls_clientcerts
     reject
 
+smtpd_recipient_restrictions =
+    reject_non_fqdn_recipient
+
 smtpd_data_restrictions =
     reject_unauth_pipelining
 
 # vim: set filetype=pfmain :
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local b/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local
index d6826a1..b27e736 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local
@@ -1,24 +1,25 @@
 # Ansible Managed
 # Do NOT edit this file directly!
 #
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Disconnected(: Logged out| for inactivity( in reading our output)?|: Disconnected( in [[:upper:]]+)?| in [[:upper:]]+( \([[:digit:]]+ msgs, [[:digit:]]+ secs, [[:digit:]]+/[[:digit:]]+ bytes\))?|: Too many invalid IMAP commands\.|: IMAP session state is inconsistent, please relogin\.)? in=[[:digit:]]+ out=[[:digit:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: managesieve\([-_.@[:alnum:]]+\): Disconnected for inactivity bytes=[[:digit:]]+/[[:digit:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed(: Connection reset by peer)?( in=[[:digit:]]+ out=[[:digit:]]+)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, mpid=[0-9]+(, (TLS|secured), session=<[^>]+>)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Aborted login( \(auth failed, [[:digit:]]+ attempts in [[:digit:]]+ secs\))?: (user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, )?rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, TLS, session=<[^>]+>$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? (\(no auth attempts in [[:digit:]]+ secs\):( user=<>,)?|\(auth failed, [[:digit:]]+ attempts in [[:digit:]]+ secs\): user=<[-_.@[:alnum:]]+>, method=PLAIN,|\(aborted authentication\): method=PLAIN,) rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|SSL)( handshaking)?(: SSL_(accept|read)\(\) (syscall failed: Connection reset by peer|failed: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure: SSL alert number 10|failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46|failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48|failed: error:[[:xdigit:]]+:SSL routines:SSL2?3_GET_CLIENT_HELLO:(unknown protocol|http request|no shared cipher))|: Disconnected)?|, secured)?, session=<[^>]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? (\(no auth attempts in [[:digit:]]+ secs\):( user=<>,)?|\(auth failed, [[:digit:]]+ attempts in [[:digit:]]+ secs\): user=<[-_.@[:alnum:]]+>, method=PLAIN,|\(aborted authentication\): method=PLAIN,) rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|SSL)( handshaking)?(: SSL_(accept|read)\(\) (syscall failed: Connection reset by peer|failed: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure: SSL alert number 10|failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42|failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46|failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48|failed: error:[[:xdigit:]]+:SSL routines:SSL2?3_GET_CLIENT_HELLO:(unknown protocol|http request|no shared cipher))|: Disconnected)?|, secured)?, session=<[^>]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: Warning: auth client [[:digit:]]+ disconnected with [[:digit:]]+ pending requests: EOF$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Warning: Auth connection closed with [[:digit:]]+ pending requests \(max [[:digit:]]+ secs, pid=[[:digit:]]+, EOF\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected \((auth process communication failure|client didn't finish SASL auth, waited [[:digit:]]+ secs)\): user=<>, method=PLAIN, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured)(: SSL_read\(\) syscall failed: Connection reset by peer)?, session=<[^>]+>)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected \((auth process communication failure|client didn't finish SASL auth, waited [[:digit:]]+ secs)\): user=<>, method=PLAIN, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured)(: SSL_read\(\) syscall failed: Connection reset by peer|: Disconnected)?, session=<[^>]+>)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Error: SSL: Stacked error: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message: SSL alert number 10$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: (Disconnected: Inactivity during authentication|Aborted login) \(client didn't finish SASL auth, waited [[:digit:]]+ secs\): user=<[-_.@[:alnum:]]*>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured)(: Disconnected)?, session=<[^>]+>)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected \(tried to use unsupported auth mechanism\): user=<>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured), session=<[^>]+>)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([0-9]+, [-_.@[:alnum:]]+\): [^:]{22}: msgid=<?.*>?( \((added by [^[:space:]]+|sfid-[_[:xdigit:]]+)\)?)?[[:space:]]*: (saved mail to [-_.[:alnum:]]+|(forwarded|discarded duplicate forward) to <[^[:space:]]+>)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Maximum number of connections from user\+IP exceeded \(mail_max_userip_connections=[[:digit:]]+\): user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured), session=<[^>]+>)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+\): Connect from local$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+\): Disconnect from local: (Client quit|Connection closed) \(in reset\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+, [^@]+@[^@]+\): [+/[:alnum:]]{22}: sieve: msgid=(<[^>]+>|unspecified): (stored mail into mailbox '|marked message to be discarded if not explicitly delivered \(discard action\)$)
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+, [^@]+@[^@]+\): [+/[:alnum:]]{22}: sieve: msgid=(\S+ )?|<[^>]*>( \(added by \S+\))?: (stored mail into mailbox '|marked message to be discarded if not explicitly delivered \(discard action\)$|forwarded to )
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+, [^@]+@[^@]+\): Error: [+/[:alnum:]]{22}: sieve: execution of script \S+ failed, but implicit keep was successful \(user logfile \S+ may reveal additional details\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([0-9]+\): Disconnect from local: Successful quit$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Login: user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, mpid=[0-9]+(, TLS, session=<[^>]+>)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: managesieve\([-_.@[:alnum:]]+\): Disconnected: Logged out bytes=[[:digit:]]+/[[:digit:]]+?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: ssl-params: (Generating SSL parameters|SSL parameters regeneration completed)$