diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2018-12-09 18:41:06 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2018-12-09 20:25:40 +0100 |
commit | e2ddcfc51f66c2a52a401064eab005e793f148ee (patch) | |
tree | 7c14243b2d53f81e54c9ee77dc526c71559e572a /roles | |
parent | 7d9380c2c9dd87876ce4d9f9b30c934505fcba51 (diff) |
Update 'IMAP', 'MSA' and 'LDAP-provider' roles to Debian Stretch.
Diffstat (limited to 'roles')
24 files changed, 332 insertions, 114 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf index d4f323d..7213fbb 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf @@ -73,7 +73,7 @@ auth_username_format = %Lu # Kerberos keytab to use for the GSSAPI mechanism. Will use the system # default (usually /etc/krb5.keytab) if not specified. You may need to change # the auth service to run as root to be able to read this file. -#auth_krb5_keytab = +#auth_krb5_keytab = # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt> @@ -88,9 +88,9 @@ auth_username_format = %Lu # Require a valid SSL client certificate or the authentication fails. #auth_ssl_require_client_cert = no -# Take the username from client's SSL certificate, using +# Take the username from client's SSL certificate, using # X509_NAME_get_text_by_NID() which returns the subject's DN's -# CommonName. +# CommonName. #auth_ssl_username_from_cert = no # Space separated list of wanted authentication mechanisms: diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf index c611bfc..848fe69 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf @@ -7,9 +7,9 @@ #log_path = syslog # Log file to use for informational messages. Defaults to log_path. -#info_log_path = +#info_log_path = # Log file to use for debug messages. Defaults to info_log_path. -#debug_log_path = +#debug_log_path = # Syslog facility to use if you're logging to syslog. Usually if you don't # want to use "mail", you'll use local0..local7. Also other standard @@ -69,12 +69,13 @@ log_timestamp = "%Y-%m-%d %H:%M:%S " # Login log format. %s contains login_log_format_elements string, %$ contains # the data we want to log. #login_log_format = %$: %s - + # Log prefix for mail processes. See doc/wiki/Variables.txt for list of # possible variables you can use. #mail_log_prefix = "%s(%u): " -# Format to use for logging mail deliveries. You can use variables: +# Format to use for logging mail deliveries. See doc/wiki/Variables.txt for +# list of all variables you can use. Some of the common ones include: # %$ - Delivery status message (e.g. "saved to INBOX") # %m - Message-ID # %s - Subject diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf index 2e68df4..a781402 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf @@ -50,7 +50,7 @@ namespace inbox { # Prefix required to access this namespace. This needs to be different for # all namespaces. For example "Public/". - #prefix = + #prefix = # Physical location of the mailbox. This is in same format as # mail_location, which is also the default for it. @@ -133,10 +133,22 @@ mail_gid = vmail # or ~user/. #mail_full_filesystem_access = no -# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but -# soon intended to be used by METADATA as well. +# Dictionary for key=value mailbox attributes. This is used for example by +# URLAUTH and METADATA extensions. #mail_attribute_dict = +# A comment or note that is associated with the server. This value is +# accessible for authenticated users through the IMAP METADATA server +# entry "/shared/comment". +mail_server_comment = "fripost - demokratisk e-post" + +# Indicates a method for contacting the server administrator. According to +# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that +# is currently not enforced. Use for example mailto:admin@example.com. This +# value is accessible for authenticated users through the IMAP METADATA server +# entry "/shared/admin". +mail_server_admin = mailto:postmaster@fripost.org + ## ## Mail processes ## @@ -188,7 +200,7 @@ first_valid_uid = 1 # WARNING: Never add directories here which local users can modify, that # may lead to root exploit. Usually this should be done only if you don't # allow shell access for users. <doc/wiki/Chrooting.txt> -#valid_chroot_dirs = +#valid_chroot_dirs = # Default chroot directory for mail processes. This can be overridden for # specific users in user database by giving /./ in user's home directory @@ -196,7 +208,7 @@ first_valid_uid = 1 # need to do chrooting, Dovecot doesn't allow users to access files outside # their mail directory anyway. If your home directories are prefixed with # the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt> -#mail_chroot = +#mail_chroot = # UNIX socket path to master authentication server to find users. # This is used by imap (for shared users) and lda. @@ -207,7 +219,7 @@ first_valid_uid = 1 # Space separated list of plugins to load for all services. Plugins specific to # IMAP, LDA, etc. are added to this list in their own .conf files. -mail_plugins = stats virtual zlib +mail_plugins = quota stats virtual zlib ## ## Mailbox handling optimizations @@ -224,7 +236,7 @@ mailbox_list_index = yes # When IDLE command is running, mailbox is checked once in a while to see if # there are any new mails or other changes. This setting defines the minimum -# time to wait between those checks. Dovecot can also use dnotify, inotify and +# time to wait between those checks. Dovecot can also use inotify and # kqueue to find out immediately when changes occur. #mailbox_idle_check_interval = 30 secs @@ -313,7 +325,7 @@ mailbox_list_index = yes # fallbacks to re-reading the whole mbox file whenever something in mbox isn't # how it's expected to be. The only real downside to this setting is that if # some other MUA changes message flags, Dovecot doesn't notice it immediately. -# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK +# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK # commands. #mbox_dirty_syncs = yes diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf index dc0b5bf..250eec5 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf @@ -21,7 +21,7 @@ ssl_key = </etc/dovecot/ssl/imap.fripost.org.key # PEM encoded trusted certificate authority. Set this only if you intend to use # ssl_verify_client_cert=yes. The file should contain the CA certificate(s) # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) -#ssl_ca = +#ssl_ca = # Require that CRL check succeeds for client certificates. #ssl_require_crl = yes @@ -46,7 +46,7 @@ ssl_key = </etc/dovecot/ssl/imap.fripost.org.key ssl_dh_parameters_length = 2048 # SSL protocols to use -ssl_protocols = !SSLv2 !SSLv3 +#ssl_protocols = !SSLv3 # SSL ciphers to use ssl_cipher_list = HIGH:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH @@ -56,3 +56,7 @@ ssl_cipher_list = HIGH:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH # SSL crypto device to use, for valid values run "openssl engine" #ssl_crypto_device = + +# SSL extra options. Currently supported options are: +# no_compression - Disable compression. +ssl_options = no_compression diff --git a/roles/IMAP/files/etc/dovecot/conf.d/15-lda.conf b/roles/IMAP/files/etc/dovecot/conf.d/15-lda.conf index bdf045d..2a7bd27 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/15-lda.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/15-lda.conf @@ -8,7 +8,7 @@ # Hostname to use in various parts of sent mails (e.g. in Message-Id) and # in LMTP replies. Default is the system's real hostname@domain. -#hostname = +#hostname = # If user is over quota, return with temporary failure instead of # bouncing the mail. @@ -32,7 +32,7 @@ sendmail_path = /usr/sbin/postmulti -i msa -x /usr/sbin/sendmail #recipient_delimiter = + # Header where the original recipient address (SMTP's RCPT TO: address) is taken -# from if not available elsewhere. With dovecot-lda -a parameter overrides this. +# from if not available elsewhere. With dovecot-lda -a parameter overrides this. # A commonly used header for this is X-Original-To. #lda_original_recipient_header = diff --git a/roles/IMAP/files/etc/dovecot/conf.d/15-mailboxes.conf b/roles/IMAP/files/etc/dovecot/conf.d/15-mailboxes.conf index 6aa5c22..9c330be 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/15-mailboxes.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/15-mailboxes.conf @@ -2,19 +2,48 @@ ## Mailbox definitions ## +# Each mailbox is specified in a separate mailbox section. The section name +# specifies the mailbox name. If it has spaces, you can put the name +# "in quotes". These sections can contain the following mailbox settings: +# +# auto: +# Indicates whether the mailbox with this name is automatically created +# implicitly when it is first accessed. The user can also be automatically +# subscribed to the mailbox after creation. The following values are +# defined for this setting: +# +# no - Never created automatically. +# create - Automatically created, but no automatic subscription. +# subscribe - Automatically created and subscribed. +# +# special_use: +# A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the +# mailbox. There are no validity checks, so you could specify anything +# you want in here, but it's not a good idea to use flags other than the +# standard ones specified in the RFC: +# +# \All - This (virtual) mailbox presents all messages in the +# user's message store. +# \Archive - This mailbox is used to archive messages. +# \Drafts - This mailbox is used to hold draft messages. +# \Flagged - This (virtual) mailbox presents all messages in the +# user's message store marked with the IMAP \Flagged flag. +# \Junk - This mailbox is where messages deemed to be junk mail +# are held. +# \Sent - This mailbox is used to hold copies of messages that +# have been sent. +# \Trash - This mailbox is used to hold messages that have been +# deleted. +# +# comment: +# Defines a default comment or note associated with the mailbox. This +# value is accessible through the IMAP METADATA mailbox entries +# "/shared/comment" and "/private/comment". Users with sufficient +# privileges can override the default value for entries with a custom +# value. + # NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf. namespace inbox { - - #mailbox name { - # auto=create will automatically create this mailbox. - # auto=subscribe will both create and subscribe to the mailbox. - #auto = no - - # Space separated list of IMAP SPECIAL-USE attributes as specified by - # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash - #special_use = - #} - # These mailboxes are widely used and could perhaps be created automatically: mailbox Trash { auto = create @@ -36,10 +65,12 @@ namespace inbox { # If you have a virtual "All messages" mailbox: mailbox virtual/All { special_use = \All + comment = All messages } # If you have a virtual "Flagged" mailbox: mailbox virtual/Flagged { special_use = \Flagged + comment = All flagged messages } } diff --git a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf index b62f6ef..3ddedce 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf @@ -2,6 +2,12 @@ ## IMAP specific settings ## +# If nothing happens for this long while client is IDLEing, move the connection +# to imap-hibernate process and close the old imap process. This saves memory, +# because connections use very little memory in imap-hibernate process. The +# downside is that recreating the imap process back uses some resources. +imap_hibernate_timeout = 15s + # Maximum IMAP command line length. Some clients generate very long command # lines with huge mailboxes, so you may need to raise this if you get # "Too long argument" or "IMAP command line too large" errors often. @@ -10,11 +16,19 @@ # IMAP logout format string: # %i - total number of bytes read from client # %o - total number of bytes sent to client +# %{fetch_hdr_count} - Number of mails with mail header data sent to client +# %{fetch_hdr_bytes} - Number of bytes with mail header data sent to client +# %{fetch_body_count} - Number of mails with mail body data sent to client +# %{fetch_body_bytes} - Number of bytes with mail body data sent to client +# %{deleted} - Number of mails where client added \Deleted flag +# %{expunged} - Number of mails that client expunged +# %{trashed} - Number of mails that client copied/moved to the +# special_use=\Trash mailbox. #imap_logout_format = in=%i out=%o # Override the IMAP CAPABILITY response. If the value begins with '+', # add the given capabilities on top of the defaults (e.g. +XFOO XBAR). -#imap_capability = +#imap_capability = # How long to wait between "OK Still here" notifications when client is # IDLEing. @@ -23,7 +37,7 @@ # ID field names and values to send to clients. Using * as the value makes # Dovecot use the default value. The following fields have default values # currently: name, version, os, os-version, support-url, support-email. -#imap_id_send = +#imap_id_send = # ID fields sent by client to log. * means everything. #imap_id_log = @@ -46,7 +60,7 @@ # greyed out, instead of only later giving "not selectable" popup error. # # The list is space-separated. -#imap_client_workarounds = +#imap_client_workarounds = # Host allowed in URLAUTH URLs sent by client. "*" allows all. #imap_urlauth_host = diff --git a/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf b/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf index cd48ab8..8fc5fa0 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf @@ -13,6 +13,13 @@ # Verify quota before replying to RCPT TO. This adds a small overhead. #lmtp_rcpt_check_quota = no +# Which recipient address to use for Delivered-To: header and Received: +# header. The default is "final", which is the same as the one given to +# RCPT TO command. "original" uses the address given in RCPT TO's ORCPT +# parameter, "none" uses nothing. Note that "none" is currently always used +# when a mail has multiple recipients. +#lmtp_hdr_delivery_address = final + protocol lmtp { postmaster_address = postmaster@fripost.org # Space separated list of plugins to load (default is global mail_plugins). diff --git a/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf b/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf index b6fcd3b..9583b6d 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf @@ -19,13 +19,15 @@ plugin { antispam_spool2dir_spam = /home/mail/spamspool/%u-%%10lu-%%06lu.spam antispam_spool2dir_notspam = /home/mail/spamspool/%u-%%10lu-%%06lu.ham - - zlib_save = gz - zlib_save_level = 6 - + quota_rule = *:storage=0 + quota = count:User quota + quota_vsizes = yes # how often to session statistics stats_refresh = 30 secs # track per-IMAP command statistics stats_track_cmds = yes + + zlib_save = gz + zlib_save_level = 6 } diff --git a/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf b/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf index afee135..c1ff93e 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf @@ -5,39 +5,81 @@ # Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf # by adding it to the respective mail_plugins= settings. +# The Sieve interpreter can retrieve Sieve scripts from several types of +# locations. The default `file' location type is a local filesystem path +# pointing to a Sieve script file or a directory containing multiple Sieve +# script files. More complex setups can use other location types such as +# `ldap' or `dict' to fetch Sieve scripts from remote databases. +# +# All settings that specify the location of one ore more Sieve scripts accept +# the following syntax: +# +# location = [<type>:]path[;<option>[=<value>][;...]] +# +# If the type prefix is omitted, the script location type is 'file' and the +# location is interpreted as a local filesystem path pointing to a Sieve script +# file or directory. Refer to Pigeonhole wiki or INSTALL file for more +# information. + plugin { - # The path to the user's main active script. If ManageSieve is used, this the - # location of the symbolic link controlled by ManageSieve. - sieve = ~/dovecot.sieve - - # The default Sieve script when the user has none. This is a path to a global - # sieve script file, which gets executed ONLY if user's private Sieve script - # doesn't exist. Be sure to pre-compile this script manually using the sievec - # command line tool. - # --> See sieve_before fore executing scripts before the user's personal + # The location of the user's main Sieve script or script storage. The LDA + # Sieve plugin uses this to find the active script for Sieve filtering at + # delivery. The "include" extension uses this location for retrieving + # :personal" scripts. This is also where the ManageSieve service will store + # the user's scripts, if supported. + # + # Currently only the 'file:' location type supports ManageSieve operation. + # Other location types like 'dict:' and 'ldap:' can currently only + # be used as a read-only script source (). + # + # For the 'file:' type: use the ';active=' parameter to specify where the + # active script symlink is located. + # For other types: use the ';name=' parameter to specify the name of the + # default/active script. + sieve = file:~/sieve;active=~/dovecot.sieve + + # The default Sieve script when the user has none. This is the location of a + # global sieve script file, which gets executed ONLY if user's personal Sieve + # script doesn't exist. Be sure to pre-compile this script manually using the + # sievec command line tool if the binary is not stored in a global location. + # --> See sieve_before for executing scripts before the user's personal # script. #sieve_default = /var/lib/dovecot/sieve/default.sieve - # Directory for :personal include scripts for the include extension. This - # is also where the ManageSieve service stores the user's scripts. - sieve_dir = ~/sieve - - # Directory for :global include scripts for the include extension. - #sieve_global_dir = - - # Path to a script file or a directory containing script files that need to be - # executed before the user's script. If the path points to a directory, all - # the Sieve scripts contained therein (with the proper .sieve extension) are - # executed. The order of execution within a directory is determined by the - # file names, using a normal 8bit per-character comparison. Multiple script - # file or directory paths can be specified by appending an increasing number. - #sieve_before = - #sieve_before2 = + # The name by which the default Sieve script (as configured by the + # sieve_default setting) is visible to the user through ManageSieve. + #sieve_default_name = + + # Location for ":global" include scripts as used by the "include" extension. + #sieve_global = + + # The location of a Sieve script that is run for any message that is about to + # be discarded; i.e., it is not delivered anywhere by the normal Sieve + # execution. This only happens when the "implicit keep" is canceled, by e.g. + # the "discard" action, and no actions that deliver the message are executed. + # This "discard script" can prevent discarding the message, by executing + # alternative actions. If the discard script does nothing, the message is + # still discarded as it would be when no discard script is configured. + #sieve_discard = + + # Location Sieve of scripts that need to be executed before the user's + # personal script. If a 'file' location path points to a directory, all the + # Sieve scripts contained therein (with the proper `.sieve' extension) are + # executed. The order of execution within that directory is determined by the + # file names, using a normal 8bit per-character comparison. + # + # Multiple script locations can be specified by appending an increasing number + # to the setting name. The Sieve scripts found from these locations are added + # to the script execution sequence in the specified order. Reading the + # numbered sieve_before settings stops at the first missing setting, so no + # numbers may be skipped. + #sieve_before = /var/lib/dovecot/sieve.d/ + #sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain #sieve_before3 = (etc...) # Identical to sieve_before, only the specified scripts are executed after the - # user's script (only when keep is still in effect!). Multiple script file or - # directory paths can be specified by appending an increasing number. + # user's script (only when keep is still in effect!). Multiple script + # locations can be specified by appending an increasing number. #sieve_after = #sieve_after2 = #sieve_after2 = (etc...) @@ -48,7 +90,7 @@ plugin { # to disable certain Sieve extensions or enable those that are not available # by default. This setting can use '+' and '-' to specify differences relative # to the default. For example `sieve_extensions = +imapflags' will enable the - # deprecated imapflags extension in addition to all extensions were already + # deprecated imapflags extension in addition to all extensions were already # enabled by default. sieve_extensions = +editheader @@ -68,7 +110,7 @@ plugin { # setting, the used plugins can be specified. Check the Dovecot wiki # (wiki2.dovecot.org) or the pigeonhole website # (http://pigeonhole.dovecot.org) for available plugins. - # The sieve_extprograms plugin is included in this release. + # The sieve_extprograms plugin is included in this release. #sieve_plugins = # The separator that is expected between the :user and :detail @@ -102,4 +144,71 @@ plugin { # set to 0, no limit on the used amount of disk storage is enforced. # (Currently only relevant for ManageSieve) #sieve_quota_max_storage = 0 + + # The primary e-mail address for the user. This is used as a default when no + # other appropriate address is available for sending messages. If this setting + # is not configured, either the postmaster or null "<>" address is used as a + # sender, depending on the action involved. This setting is important when + # there is no message envelope to extract addresses from, such as when the + # script is executed in IMAP. + #sieve_user_email = + + # The path to the file where the user log is written. If not configured, a + # default location is used. If the main user's personal Sieve (as configured + # with sieve=) is a file, the logfile is set to <filename>.log by default. If + # it is not a file, the default user log file is ~/.dovecot.sieve.log. + #sieve_user_log = + + # Specifies what envelope sender address is used for redirected messages. + # The following values are supported for this setting: + # + # "sender" - The sender address is used (default). + # "recipient" - The final recipient address is used. + # "orig_recipient" - The original recipient is used. + # "user_email" - The user's primary address is used. This is + # configured with the "sieve_user_email" setting. If + # that setting is unconfigured, "user_mail" is equal to + # "recipient". + # "postmaster" - The postmaster_address configured for the LDA. + # "<user@domain>" - Redirected messages are always sent from user@domain. + # The angle brackets are mandatory. The null "<>" address + # is also supported. + # + # This setting is ignored when the envelope sender is "<>". In that case the + # sender of the redirected message is also always "<>". + #sieve_redirect_envelope_from = sender + + ## TRACE DEBUGGING + # Trace debugging provides detailed insight in the operations performed by + # the Sieve script. These settings apply to both the LDA Sieve plugin and the + # IMAPSIEVE plugin. + # + # WARNING: On a busy server, this functionality can quickly fill up the trace + # directory with a lot of trace files. Enable this only temporarily and as + # selective as possible. + + # The directory where trace files are written. Trace debugging is disabled if + # this setting is not configured or if the directory does not exist. If the + # path is relative or it starts with "~/" it is interpreted relative to the + # current user's home directory. + #sieve_trace_dir = + + # The verbosity level of the trace messages. Trace debugging is disabled if + # this setting is not configured. Possible values are: + # + # "actions" - Only print executed action commands, like keep, + # fileinto, reject and redirect. + # "commands" - Print any executed command, excluding test commands. + # "tests" - Print all executed commands and performed tests. + # "matching" - Print all executed commands, performed tests and the + # values matched in those tests. + #sieve_trace_level = + + # Enables highly verbose debugging messages that are usually only useful for + # developers. + #sieve_trace_debug = no + + # Enables showing byte code addresses in the trace output, rather than only + # the source line numbers. + #sieve_trace_addresses = no } diff --git a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext index 9917753..8c33c6d 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext +++ b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext @@ -18,9 +18,6 @@ passdb { #userdb { # driver = ldap -# # This should be a different file from the passdb's, in order to perform -# # asynchronous requests. -# # args = /etc/dovecot/dovecot-ldap-userdb.conf.ext # # # Default fields can be used to specify defaults that LDAP may override diff --git a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext index 72f4604..1b97a0e 100644 --- a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext +++ b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext @@ -31,8 +31,7 @@ uris = ldapi:// #dnpass = # Use SASL binding instead of the simple binding. Note that this changes -# ldap_version automatically to be 3 if it's lower. Also note that SASL binds -# and auth_bind=yes don't work together. +# ldap_version automatically to be 3 if it's lower. #sasl_bind = no # SASL mechanism name to use. #sasl_mech = diff --git a/roles/IMAP/files/usr/local/bin/dovecot-auth-proxy.pl b/roles/IMAP/files/usr/local/bin/dovecot-auth-proxy.pl index 399e65f..5b2c74e 100755 --- a/roles/IMAP/files/usr/local/bin/dovecot-auth-proxy.pl +++ b/roles/IMAP/files/usr/local/bin/dovecot-auth-proxy.pl @@ -74,15 +74,15 @@ sub server() { next; } # <major-version> <minor-version> <value type> - unless ($1 == 2 and $2 == 0 and $3 == 0) { + unless ($1 == 2 and $2 == 1 and $3 == 0) { warn "Unsupported protocol version $1.$2 (or value type $3)\n"; close $conn or warn "Can't close: $!"; next; } my $cmd = $conn->getline() // ''; - if ($cmd =~ /\AI(\d+)\t(.*)\n\z/) { - iterate($conn, $1, $2); + if ($cmd =~ /\AI(\d+)\t(\d+)\t(.*)\n\z/) { + iterate($conn, $1, $2, $3); } else { fail($conn => "Unknown command line: $cmd"); @@ -98,8 +98,8 @@ sub fail($;$) { } # list all users, even the inactive ones -sub iterate($$$) { - my ($fh, $flags, $prefix) = @_; +sub iterate($$$$) { + my ($fh, $flags, $max_rows, $prefix) = @_; unless ($flags == 0) { fail($fh => "Unsupported iterate flags $flags"); return; @@ -109,17 +109,19 @@ sub iterate($$$) { fail($fh => "opendir: $!"); return; }; + my $count = 0; while (defined (my $d = readdir $dh)) { next if $d eq '.' or $d eq '..'; opendir my $dh, $d or do { fail($fh => "opendir: $!"); return; }; - while (defined (my $l = readdir $dh)) { + while (defined (my $l = readdir $dh) and ($max_rows <= 0 or $count < $max_rows)) { next if $l eq '.' or $l eq '..'; my $user = $l.'@'.$d; next unless $user =~ /\A[a-zA-Z0-9\.\-_@]+\z/; # skip invalid user names $fh->printf("O%s%s\t\n", $prefix, $user); + $count++; } closedir $dh or warn "closedir: $!"; } diff --git a/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 b/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 index b7aead3..1bf13b0 100644 --- a/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 +++ b/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 @@ -57,7 +57,6 @@ service lmtp { user = vmail unix_listener /var/spool/postfix-{{ postfix_instance.IMAP.name }}/private/dovecot-lmtpd { - group = postfix user = postfix mode = 0600 } @@ -80,6 +79,18 @@ service imap { # Max. number of IMAP processes (connections) #process_limit = 1024 + + unix_listener imap-master { + user = $default_internal_user + mode = 0600 + } +} + +service imap-hibernate { + unix_listener imap-hibernate { + user = vmail + mode = 0600 + } } service pop3 { @@ -102,14 +113,12 @@ service auth { # something else than 0666 and Dovecot lets the kernel enforce the # permissions (e.g. 0777 allows everyone full permissions). unix_listener auth-userdb { - mode = 0600 user = vmail - group = root + mode = 0600 } # Postfix smtp-auth unix_listener /var/spool/postfix-{{ postfix_instance.MSA.name }}/private/dovecot-auth { - group = postfix user = postfix mode = 0600 } diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2 index f819b19..2105d29 100644 --- a/roles/IMAP/templates/etc/postfix/main.cf.j2 +++ b/roles/IMAP/templates/etc/postfix/main.cf.j2 @@ -4,9 +4,11 @@ # {{ ansible_managed }} # Do NOT edit this file directly! -smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) -biff = no -readme_directory = no +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no +readme_directory = no +compatibility_level = 2 +smtputf8_enable = no delay_warning_time = 4h maximal_queue_lifetime = 5d diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2 index b54f84c..50ea6b0 100644 --- a/roles/MSA/templates/etc/postfix/main.cf.j2 +++ b/roles/MSA/templates/etc/postfix/main.cf.j2 @@ -4,9 +4,11 @@ # {{ ansible_managed }} # Do NOT edit this file directly! -smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) -biff = no -readme_directory = no +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no +readme_directory = no +compatibility_level = 2 +smtputf8_enable = no delay_warning_time = 4h maximal_queue_lifetime = 5d @@ -89,6 +91,7 @@ address_verify_sender_ttl = 8069m address_verify_negative_refresh_time = 5m unverified_recipient_defer_code = 250 unverified_recipient_reject_code = 550 +address_verify_map = lmdb:$data_directory/verify_cache smtpd_client_restrictions = permit_sasl_authenticated diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 index 7372304..b9f282f 100644 --- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 +++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 @@ -36,7 +36,7 @@ olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key olcTLSVerifyClient: try olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$" - "$1,dc=fripost,dc=org" + "dn.exact:$1,dc=fripost,dc=org" olcSaslSecProps: minssf=128,noanonymous,noplain,nodict olcTLSCipherSuite: PFS:%LATEST_RECORD_VERSION:!CIPHER-ALL:+AES-128-GCM:+AES-256-GCM:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1 {% endif %} diff --git a/roles/common/files/etc/fail2ban/filter.d/dovecot.conf b/roles/common/files/etc/fail2ban/filter.d/dovecot.conf new file mode 100644 index 0000000..4d4ea16 --- /dev/null +++ b/roles/common/files/etc/fail2ban/filter.d/dovecot.conf @@ -0,0 +1,34 @@ +# Fail2Ban filter Dovecot authentication and pop3/imap server +# + +[INCLUDES] + +before = common.conf + +[Definition] + +_daemon = (auth|dovecot(-auth)?|auth-worker) + +# Take the filter from Stretch and add managesieve to the list of protected services +failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$ + ^%(__prefix_line)s(?:pop3|imap|managesieve)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$ + ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ + ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$ + ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$ + +ignoreregex = + +[Init] + +journalmatch = _SYSTEMD_UNIT=dovecot.service + +# DEV Notes: +# * the first regex is essentially a copy of pam-generic.conf +# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016) +# * Removed the 'no auth attempts' log lines from the matches because produces +# lots of false positives on misconfigured MTAs making regexp unusable +# +# Author: Martin Waschbuesch +# Daniel Black (rewrote with begin and end anchors) +# Martin O'Neal (added LDAP authentication failure regex) +# Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility) diff --git a/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local b/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local index aca4794..66c8101 100644 --- a/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local +++ b/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local @@ -1,28 +1,17 @@ # Ansible Managed # Do NOT edit this file directly! # -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Disconnected(: Logged out| for inactivity( in reading our output)?|: Disconnected( in [[:upper:]]+)?| in [[:upper:]]+( \([[:digit:]]+ msgs, [[:digit:]]+ secs, [[:digit:]]+/[[:digit:]]+ bytes\))?|: Too many invalid IMAP commands\.|: IMAP session state is inconsistent, please relogin\.)? in=[[:digit:]]+ out=[[:digit:]]+$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: managesieve\([-_.@[:alnum:]]+\): (Connection closed|Disconnected for inactivity) bytes=[[:digit:]]+/[[:digit:]]+$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed(: Connection reset by peer|: Invalid argument)?( in=[[:digit:]]+ out=[[:digit:]]+)?$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Login: user=<[^>]*>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, mpid=[0-9]+(, (TLS|secured)(: Disconnected)?, session=<[^>]+>)?$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Aborted login( \(auth failed, [[:digit:]]+ attempts in [[:digit:]]+ secs\))?: (user=<[^>]*>, method=[[:alnum:]-]+, )?rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, TLS, session=<[^>]+>$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? (\(no auth attempts in [[:digit:]]+ secs\):( user=<>,)?|\(auth failed, [[:digit:]]+ attempts in [[:digit:]]+ secs\): user=<[^>]*>, method=PLAIN,|\(aborted authentication\): method=PLAIN,) rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|SSL)( handshaking)?(: SSL_(accept|read)\(\) (syscall failed: Connection reset by peer|failed: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure: SSL alert number 10|failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42|failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46|failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48|failed: error:[[:xdigit:]]+:SSL routines:SSL2?3_GET_CLIENT_HELLO:(unknown protocol|unsupported protocol|http request|no shared cipher|wrong version number)|failed: error:[[:xdigit:]]+:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback)|: Disconnected)?|, secured)?, session=<[^>]+>$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: Warning: auth client [[:digit:]]+ disconnected with [[:digit:]]+ pending requests: EOF$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Warning: Auth connection closed with [[:digit:]]+ pending requests \(max [[:digit:]]+ secs, pid=[[:digit:]]+, EOF\)$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected \((auth process communication failure|client didn't finish SASL auth, waited [[:digit:]]+ secs)\): user=<>, method=PLAIN, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured)(: SSL_read\(\) syscall failed: Connection reset by peer|: Disconnected)?, session=<[^>]+>)?$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Error: SSL: Stacked error: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message: SSL alert number 10$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: (Disconnected: Inactivity during authentication|Aborted login) \(client didn't finish SASL auth, waited [[:digit:]]+ secs\): user=<[^>]*>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured)(: Disconnected)?, session=<[^>]+>)?$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected \(tried to use unsupported auth mechanism\): user=<>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured), session=<[^>]+>)?$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([0-9]+, [-_.@[:alnum:]]+\): [^:]{22}: msgid=<?.*>?( \((added by [^[:space:]]+|sfid-[_[:xdigit:]]+)\)?)?[[:space:]]*: (saved mail to [-_.[:alnum:]]+|(forwarded|discarded duplicate forward) to <[^[:space:]]+>)$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Maximum number of connections from user\+IP exceeded \(mail_max_userip_connections=[[:digit:]]+\): user=<[^>]*>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured), session=<[^>]+>)?$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): (Logged out|Disconnected for inactivity) in=[[:digit:]]+ out=[[:digit:]]+$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed( \(IDLE running for .*\))? in=[[:digit:]]+ out=[[:digit:]]+$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-hibernate\([-_.@[:alnum:]]+\): Connection closed in=[[:digit:]]+ out=[[:digit:]]+$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Login: user=<[^>]*>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, mpid=[0-9]+, (TLS|secured), session=<[^>]+>$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: (Aborted login|Disconnected) \(auth failed, [[:digit:]]+ attempts in [[:digit:]]+ secs\): user=<[^>]*>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS(: Disconnected)?|secured), session=<[^>]+>$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: (Aborted login|Disconnected(: Inactivity)?) \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, TLS( handshaking|: Disconnected)?(: SSL_(accept|read)\(\) syscall failed: (Connection reset by peer|Success))?, session=<[^>]+>$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected(: Inactivity during authentication)? \(client didn't finish SASL auth, waited [[:digit:]]+ secs\): user=<>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, TLS(: SSL_read\(\) syscall failed: Connection reset by peer)?, session=<[^>]+>$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+\): [+/[:alnum:]]{22}: msgid=((\? )?<[^>]*>|unspecified): saved mail to\s +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+\): [+/[:alnum:]]{22}(:[0-9]+)?: sieve: msgid=((\? )?<[^>]*>|unspecified): (stored mail into mailbox '|(forwarded|discarded duplicate forward) to <[^[:space:]]+>$|marked message to be discarded if not explicitly delivered \(discard action\)$) +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([^@]+@[^@]+\): [+/[:alnum:]]{22}:[0-9]+: sieve: Execution of script \S+ failed, but implicit keep was successful \(user logfile \S+ may reveal additional details\)$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Maximum number of connections from user\+IP exceeded \(mail_max_userip_connections=[[:digit:]]+\): user=<[^>]*>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, TLS, session=<[^>]+>)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+\): Connect from local$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+\): Disconnect from local: (Client quit|Connection closed) \(in reset\)$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+, [^@]+@[^@]+\): [+/[:alnum:]]{22}: sieve: msgid=(\S+ )?|<[^>]*>( \(added by \S+\))?: (stored mail into mailbox '|marked message to be discarded if not explicitly delivered \(discard action\)$|forwarded to ) -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+, [^@]+@[^@]+\): [+/[:alnum:]]{22}: sieve: execution of script \S+ script failed, but implicit keep was successful \(user logfile \S+ may reveal additional details\)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([0-9]+\): Disconnect from local: Successful quit$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: managesieve\([-_.@[:alnum:]]+\): Disconnected: Logged out bytes=[[:digit:]]+/[[:digit:]]+?$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: ssl-params: (Generating SSL parameters|SSL parameters regeneration completed)$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: stats: Warning: UPDATE-CMD: Already expired$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: stats: Warning: Couldn't find session GUID: [[:xdigit:]]{32}$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: stats: Error: Mail server input error: UPDATE-SESSION [-_.@[:alnum:]]+ imap: stats shrank: (mcache|mlpath|mrbytes|mrcount) [[:digit:]]+ < [[:digit:]]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing|ed) Dovecot authentication proxy\.(\.\.)?$ diff --git a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local index 7df68c4..6a11392 100644 --- a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local +++ b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local @@ -19,15 +19,15 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/n?qmgr\[[[:digit:]]+\]: [[:xdigit:]]+: message-id=(<[^>]*>|[[:alnum:]_/+.$@-]+)( \(added by [^[:space:]]+\))? ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/n?qmgr\[[[:digit:]]+\]: [[:xdigit:]]+: removed$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/n?qmgr\[[[:digit:]]+\]: [[:xdigit:]]+: skipped, still being delivered$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/verify\[[[:digit:]]+\]: cache \S+A partial cleanup: retained=[[:digit:]]+ dropped=[[:digit:]]+ entries$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/verify\[[[:digit:]]+\]: cache [a-z]+:\S+ (partial|full) cleanup: retained=[[:digit:]]+ dropped=[[:digit:]]+ entries$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/smtpd\[[[:digit:]]+\]: disconnect from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]( (ehlo|helo|xforward|starttls|auth|mail|rcpt|data|noop|rset|quit|commands|unknown)=[0-9]+(/[0-9]+)?)+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/pickup\[[[:digit:]]+\]: [[:xdigit:]]+: uid=[[:digit:]]+ from=<[^>]*>$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/cleanup\[[[:digit:]]+\]: [[:xdigit:]]+: replace: header\s ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/smtpd\[[[:digit:]]+\]: [[:xdigit:]]+: client=[^[:space:]]+, sasl_method=[-[:alnum:]]+, sasl_username=[-_.@[:alnum:]]+(, sasl_sender=[-_.@[:alnum:]]+)?$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/smtpd\[[[:digit:]]+\]: warning: [-._[:alnum:]]+\[[.[:digit:]]+\]: SASL (PLAIN|LOGIN) authentication (failed|aborted)(:[ [:alnum:]]*)?$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/smtpd\[[[:digit:]]+\]: warning: [-._[:alnum:]]+\[[[:xdigit:].:]{3,39}\]: SASL (PLAIN|LOGIN) authentication (failed|aborted)(:[ [:alnum:]]*)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|mx)/smtpd\[[[:digit:]]+\]: improper command pipelining after (EHLO|HELO|MAIL|QUIT) from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|mx)/smtpd\[[[:digit:]]+\]: warning: hostname [._[:alnum:]-]+ does not resolve to address [[:xdigit:].:]{3,39}(: Name or service not known)?$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: warning: Connection concurrency limit exceeded: [0-9]+ from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\] for service smtpd$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|mx)/smtpd\[[[:digit:]]+\]: warning: Connection concurrency limit exceeded: [0-9]+ from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\] for service (submission|smtpd)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: 5[[:digit:]]{2} 5(\.[[:digit:]]){2} <[^>]+>: Helo command rejected: need fully-qualified hostname;( from=<[^>]*> to=<[^>]+>)? proto=E?SMTP( helo=<[^>]+>)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: 4[[:digit:]]{2} 4(\.[[:digit:]]){2} <[^>]+>: Sender address rejected: Domain not found;( from=<[^>]*> to=<[^>]+>)? proto=E?SMTP( helo=<[^>]+>)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: 5[[:digit:]]{2} 5(\.[[:digit:]]){2} Service unavailable; (Unverified Client host|Sender address) \[\S+\] blocked using [._[:alnum:]-]+; https?://[^[:blank:];]+; from=<[^>]*> to=<[^>]+> proto=E?SMTP( helo=<[^>]+>)?$ @@ -72,6 +72,7 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: warning: ([-._[:alnum:]]+): RBL lookup error: Host or domain name not found\. Name service error for name=\1 type=A(AAA)?: Host not found, try again$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(mx|msa)/(smtpd|tlsproxy)\[[[:digit:]]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:SSL2?3_(GET_RECORD:(decryption failed or bad record mac|wrong version number):s3_pkt\.c:[0-9]+:|READ_BYTES:(reason\([[:digit:]]+\)|sslv3 alert (unexpected message|bad certificate)):s3_pkt\.c:[[:digit:]]+:SSL alert number (0|10|42):|GET_CLIENT_HELLO:(unsupported protocol|no shared cipher|unknown protocol|wrong version number):s2?3_srvr\.c:[0-9]+:)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/tlsproxy\[[[:digit:]]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:tls_post_process_client_hello:no shared cipher:\.\./ssl/statem/statem_srvr\.c:[0-9]+:$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/smtpd\[[[:digit:]]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:tls_process_client_hello:(no shared cipher|unknown protocol|version too low):\.\./ssl/statem/statem_srvr\.c:[0-9]+:$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: (NOQUEUE|[[:xdigit:]]+): reject: [[:upper:]]+ from [^[:space:]]+: 554( 5\.1\.[01])? <[^[:space:]]*>: Recipient address rejected: User unknown in virtual alias table;( from=<[^>]*> to=<[^>]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: [[:xdigit:]]+: reject: RCPT from [^[:space:]]+: [45][[:digit:]][[:digit:]]( [45](\.[[:digit:]]){2})? <[^[:space:]]*>: Helo command rejected: .+; from=<[^>]*> to=<[^>]+> proto=E?SMTP helo=<[^[:space:]]+>$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: too many errors after ([[:upper:]]{4}|END-OF-MESSAGE|UNKNOWN|DATA \(0 bytes\)) from [._[:alnum:]-]+\[[.[:digit:]]+\]$ diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml index be26c79..da4db51 100644 --- a/roles/common/tasks/fail2ban.yml +++ b/roles/common/tasks/fail2ban.yml @@ -8,6 +8,7 @@ mode=0644 register: r1 with_items: + - dovecot.conf - roundcube.conf notify: - Restart fail2ban diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2 index eb6a7fb..c493958 100644 --- a/roles/common/templates/etc/fail2ban/jail.local.j2 +++ b/roles/common/templates/etc/fail2ban/jail.local.j2 @@ -65,7 +65,7 @@ maxretry = 10 [dovecot] enabled = true -port = imap2,imap3,imaps,pop3,pop3s +port = imap2,imaps,pop3,pop3s,sieve filter = dovecot logpath = /var/log/mail.log {% endif %} diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2 index 87e54d6..93342cb 100644 --- a/roles/common/templates/etc/iptables/services.j2 +++ b/roles/common/templates/etc/iptables/services.j2 @@ -33,6 +33,7 @@ out tcp 25 # SMTP {% if 'IMAP' in group_names %} in tcp 993 # IMAPS in tcp 4190 # MANAGESIEVE +out tcp 2703 # Razor2 {% endif %} {% if 'MSA' in group_names %} in tcp 587 # SMTP-AUTH diff --git a/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2 b/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2 index 8550d0f..6694a0c 100644 --- a/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2 +++ b/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2 @@ -7,7 +7,7 @@ certificate-key = /etc/dovecot/ssl/imap.fripost.org.key certificate-chain = /etc/dovecot/ssl/imap.fripost.org.pem subject = /O=Fripost/CN=imap.fripost.org subjectAltName = DNS:imap.fripost.org,DNS:sieve.fripost.org -notify = /usr/bin/doveadm reload +notify = /bin/systemctl reload dovecot {% endif %} {% if 'MSA' in group_names %} |