diff options
| -rw-r--r-- | roles/IMAP-proxy/files/etc/dovecot/conf.d/10-auth.conf | 2 | ||||
| -rw-r--r--[l---------] | roles/IMAP-proxy/files/etc/dovecot/conf.d/10-logging.conf | 86 | ||||
| -rw-r--r-- | roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf | 22 | ||||
| -rw-r--r-- | roles/IMAP-proxy/files/etc/dovecot/conf.d/10-master.conf | 4 | ||||
| -rw-r--r--[l---------] | roles/IMAP-proxy/files/etc/dovecot/conf.d/15-mailboxes.conf | 77 | ||||
| -rw-r--r-- | roles/IMAP-proxy/tasks/main.yml | 7 | ||||
| -rw-r--r-- | roles/IMAP-proxy/templates/etc/dovecot/conf.d/20-imapc.conf.j2 | 3 |
7 files changed, 188 insertions, 13 deletions
diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-auth.conf b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-auth.conf index 1abea0c..ec8704f 100644 --- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-auth.conf +++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-auth.conf @@ -1,30 +1,30 @@ ## ## Authentication processes ## # Disable LOGIN command and all other plaintext authentications unless # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP # matches the local IP (ie. you're connecting from the same computer), the # connection is considered secure and plaintext authentication is allowed. # See also ssl=required setting. -disable_plaintext_auth = yes +#disable_plaintext_auth = yes # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used. #auth_cache_size = 0 # Time to live for cached data. After TTL expires the cached record is no # longer used, *except* if the main database lookup returns internal failure. # We also try to handle password changes automatically: If user's previous # authentication was successful, but this one wasn't, the cache isn't used. # For now this works only with plaintext authentication. #auth_cache_ttl = 1 hour # TTL for negative hits (user not found, password mismatch). # 0 disables caching them completely. #auth_cache_negative_ttl = 1 hour # Space separated list of realms for SASL authentication mechanisms that need # them. You can leave it empty if you don't want to support multiple realms. # Many clients simply use the first one listed here, so keep the default realm # first. #auth_realms = diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-logging.conf b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-logging.conf index fc1f820..848fe69 120000..100644 --- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-logging.conf +++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-logging.conf @@ -1 +1,85 @@ -../../../../../IMAP/files/etc/dovecot/conf.d/10-logging.conf
\ No newline at end of file +## +## Log destination. +## + +# Log file to use for error messages. "syslog" logs to syslog, +# /dev/stderr logs to stderr. +#log_path = syslog + +# Log file to use for informational messages. Defaults to log_path. +#info_log_path = +# Log file to use for debug messages. Defaults to info_log_path. +#debug_log_path = + +# Syslog facility to use if you're logging to syslog. Usually if you don't +# want to use "mail", you'll use local0..local7. Also other standard +# facilities are supported. +#syslog_facility = mail + +## +## Logging verbosity and debugging. +## + +# Log unsuccessful authentication attempts and the reasons why they failed. +#auth_verbose = no + +# In case of password mismatches, log the attempted password. Valid values are +# no, plain and sha1. sha1 can be useful for detecting brute force password +# attempts vs. user simply trying the same password over and over again. +# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6). +#auth_verbose_passwords = no + +# Even more verbose logging for debugging purposes. Shows for example SQL +# queries. +#auth_debug = no + +# In case of password mismatches, log the passwords and used scheme so the +# problem can be debugged. Enabling this also enables auth_debug. +#auth_debug_passwords = no + +# Enable mail process debugging. This can help you figure out why Dovecot +# isn't finding your mails. +#mail_debug = no + +# Show protocol level SSL errors. +#verbose_ssl = no + +# mail_log plugin provides more event logging for mail processes. +plugin { + # Events to log. Also available: flag_change append + #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename + # Available fields: uid, box, msgid, from, subject, size, vsize, flags + # size and vsize are available only for expunge and copy events. + #mail_log_fields = uid box msgid size +} + +## +## Log formatting. +## + +# Prefix for each line written to log file. % codes are in strftime(3) +# format. +log_timestamp = "%Y-%m-%d %H:%M:%S " + +# Space-separated list of elements we want to log. The elements which have +# a non-empty variable value are joined together to form a comma-separated +# string. +#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c + +# Login log format. %s contains login_log_format_elements string, %$ contains +# the data we want to log. +#login_log_format = %$: %s + +# Log prefix for mail processes. See doc/wiki/Variables.txt for list of +# possible variables you can use. +#mail_log_prefix = "%s(%u): " + +# Format to use for logging mail deliveries. See doc/wiki/Variables.txt for +# list of all variables you can use. Some of the common ones include: +# %$ - Delivery status message (e.g. "saved to INBOX") +# %m - Message-ID +# %s - Subject +# %f - From address +# %p - Physical size +# %w - Virtual size +#deliver_log_format = msgid=%m: %$ diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf index 53e45b5..2264719 100644 --- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf +++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-mail.conf @@ -58,40 +58,42 @@ namespace inbox { # There can be only one INBOX, and this setting defines which namespace # has it. inbox = yes # If namespace is hidden, it's not advertised to clients via NAMESPACE # extension. You'll most likely also want to set list=no. This is mostly # useful when converting from another server with different namespaces which # you want to deprecate but still keep working. For example you can create # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/". #hidden = no # Show the mailboxes under this namespace with LIST command. This makes the # namespace visible for clients that don't support NAMESPACE extension. # "children" value lists child mailboxes, but hides the namespace prefix. #list = yes # Namespace handles its own subscriptions. If set to "no", the parent # namespace handles them (empty prefix should always have this as "yes") #subscriptions = yes + + # See 15-mailboxes.conf for definitions of special mailboxes. } # Example shared namespace configuration #namespace { #type = shared #separator = / # Mailboxes are visible under "shared/user@domain/" # %%n, %%d and %%u are expanded to the destination user. #prefix = shared/%%u/ # Mail location for other users' mailboxes. Note that %variables and ~/ # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the # destination user's data. #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u # Use the default namespace for saving subscriptions. #subscriptions = no # List the shared/ namespace only if there are visible shared mailboxes. @@ -107,44 +109,56 @@ mail_uid = imapproxy mail_gid = imapproxy # Group to enable temporarily for privileged operations. Currently this is # used only with INBOX when either its initial creation or dotlocking fails. # Typically this is set to "mail" to give access to /var/mail. #mail_privileged_group = # Grant access to these supplementary groups for mail processes. Typically # these are used to set up access to shared mailboxes. Note that it may be # dangerous to set these if users can create symlinks (e.g. if "mail" group is # set here, ln -s /var/mail ~/mail/var could allow a user to delete others' # mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it). #mail_access_groups = # Allow full filesystem access to clients. There's no access checks other than # what the operating system does for the active UID/GID. It works with both # maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/ # or ~user/. #mail_full_filesystem_access = no -# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but -# soon intended to be used by METADATA as well. +# Dictionary for key=value mailbox attributes. This is used for example by +# URLAUTH and METADATA extensions. #mail_attribute_dict = +# A comment or note that is associated with the server. This value is +# accessible for authenticated users through the IMAP METADATA server +# entry "/shared/comment". +#mail_server_comment = "" + +# Indicates a method for contacting the server administrator. According to +# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that +# is currently not enforced. Use for example mailto:admin@example.com. This +# value is accessible for authenticated users through the IMAP METADATA server +# entry "/shared/admin". +#mail_server_admin = + ## ## Mail processes ## # Don't use mmap() at all. This is required if you store indexes to shared # filesystems (NFS or clustered filesystem). #mmap_disable = no # Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL # since version 3, so this should be safe to use nowadays by default. #dotlock_use_excl = yes # When to use fsync() or fdatasync() calls: # optimized (default): Whenever necessary to avoid losing important data # always: Useful with e.g. NFS when write()s are delayed # never: Never use it (best performance, but crashes can lose data) #mail_fsync = optimized # Locking method for index files. Alternatives are fcntl, flock and dotlock. # Dotlocking uses some tricks which may create more disk I/O than other locking @@ -181,58 +195,58 @@ first_valid_uid = 1 # allow shell access for users. <doc/wiki/Chrooting.txt> #valid_chroot_dirs = # Default chroot directory for mail processes. This can be overridden for # specific users in user database by giving /./ in user's home directory # (eg. /home/./user chroots into /home). Note that usually there is no real # need to do chrooting, Dovecot doesn't allow users to access files outside # their mail directory anyway. If your home directories are prefixed with # the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt> #mail_chroot = # UNIX socket path to master authentication server to find users. # This is used by imap (for shared users) and lda. #auth_socket_path = /var/run/dovecot/auth-userdb # Directory where to look up mail plugins. #mail_plugin_dir = /usr/lib/dovecot/modules # Space separated list of plugins to load for all services. Plugins specific to # IMAP, LDA, etc. are added to this list in their own .conf files. -mail_plugins = virtual zlib +#mail_plugins = ## ## Mailbox handling optimizations ## # Mailbox list indexes can be used to optimize IMAP STATUS commands. They are # also required for IMAP NOTIFY extension to be enabled. mailbox_list_index = yes # The minimum number of mails in a mailbox before updates are done to cache # file. This allows optimizing Dovecot's behavior to do less disk writes at # the cost of more disk reads. #mail_cache_min_mail_count = 0 # When IDLE command is running, mailbox is checked once in a while to see if # there are any new mails or other changes. This setting defines the minimum -# time to wait between those checks. Dovecot can also use dnotify, inotify and +# time to wait between those checks. Dovecot can also use inotify and # kqueue to find out immediately when changes occur. #mailbox_idle_check_interval = 30 secs # Save mails with CR+LF instead of plain LF. This makes sending those mails # take less CPU, especially with sendfile() syscall with Linux and FreeBSD. # But it also creates a bit more disk I/O which may just make it slower. # Also note that if other software reads the mboxes/maildirs, they may handle # the extra CRs wrong and cause problems. #mail_save_crlf = no # Max number of mails to keep open and prefetch to memory. This only works with # some mailbox formats and/or operating systems. #mail_prefetch_count = 0 # How often to scan for stale temporary files and delete them (0 = never). # These should exist only after Dovecot dies in the middle of saving mails. #mail_temp_scan_interval = 1w ## ## Maildir-specific settings diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-master.conf b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-master.conf index 6ac62ec..76c7ed0 100644 --- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-master.conf +++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/10-master.conf @@ -1,39 +1,39 @@ #default_process_limit = 100 #default_client_limit = 1000 # Default VSZ (virtual memory size) limit for service processes. This is mainly # intended to catch and kill processes that leak memory before they eat up # everything. #default_vsz_limit = 256M # Login user is internally used by login processes. This is the most untrusted # user in Dovecot system. It shouldn't have access to anything at all. default_login_user = dovenull # Internal user is used by unprivileged processes. It should be separate from # login user, so that login processes can't disturb other processes. default_internal_user = dovecot service imap-login { inet_listener imap { - address = 127.0.0.1 ::1 + address = 127.0.0.1 port = 143 ssl = no } inet_listener imaps { port = 0 } # Number of connections to handle before starting a new process. Typically # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 # is faster. <doc/wiki/LoginProcess.txt> service_count = 1 # Max. number of IMAP processes (logins) process_limit = 256 # Number of processes to always keep waiting for more connections. process_min_avail = 4 # If you set service_count=0, you probably need to grow this. #vsz_limit = $default_vsz_limit @@ -47,34 +47,34 @@ service imap { # Max. number of IMAP processes (connections) #process_limit = 1024 } service auth { # auth_socket_path points to this userdb socket by default. It's typically # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have # full permissions to this socket are able to get a list of all usernames and # get the results of everyone's userdb lookups. # # The default 0666 mode allows anyone to connect to the socket, but the # userdb lookups will succeed only if the userdb returns an "uid" field that # matches the caller process's UID. Also if caller's uid or gid matches the # socket's uid or gid the lookup succeeds. Anything else causes a failure. # # To give the caller full permissions to lookup all users, set the mode to # something else than 0666 and Dovecot lets the kernel enforce the # permissions (e.g. 0777 allows everyone full permissions). unix_listener auth-userdb { #mode = 0666 - #user = $default_internal_user + #user = #group = } # Auth process is run as this user. user = $default_internal_user } service auth-worker { # Auth worker process is run as root by default, so that it can access # /etc/shadow. If this isn't necessary, the user should be changed to # $default_internal_user. user = $default_internal_user } diff --git a/roles/IMAP-proxy/files/etc/dovecot/conf.d/15-mailboxes.conf b/roles/IMAP-proxy/files/etc/dovecot/conf.d/15-mailboxes.conf index 1883eda..8366e95 120000..100644 --- a/roles/IMAP-proxy/files/etc/dovecot/conf.d/15-mailboxes.conf +++ b/roles/IMAP-proxy/files/etc/dovecot/conf.d/15-mailboxes.conf @@ -1 +1,76 @@ -../../../../../IMAP/files/etc/dovecot/conf.d/15-mailboxes.conf
\ No newline at end of file +## +## Mailbox definitions +## + +# Each mailbox is specified in a separate mailbox section. The section name +# specifies the mailbox name. If it has spaces, you can put the name +# "in quotes". These sections can contain the following mailbox settings: +# +# auto: +# Indicates whether the mailbox with this name is automatically created +# implicitly when it is first accessed. The user can also be automatically +# subscribed to the mailbox after creation. The following values are +# defined for this setting: +# +# no - Never created automatically. +# create - Automatically created, but no automatic subscription. +# subscribe - Automatically created and subscribed. +# +# special_use: +# A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the +# mailbox. There are no validity checks, so you could specify anything +# you want in here, but it's not a good idea to use flags other than the +# standard ones specified in the RFC: +# +# \All - This (virtual) mailbox presents all messages in the +# user's message store. +# \Archive - This mailbox is used to archive messages. +# \Drafts - This mailbox is used to hold draft messages. +# \Flagged - This (virtual) mailbox presents all messages in the +# user's message store marked with the IMAP \Flagged flag. +# \Junk - This mailbox is where messages deemed to be junk mail +# are held. +# \Sent - This mailbox is used to hold copies of messages that +# have been sent. +# \Trash - This mailbox is used to hold messages that have been +# deleted. +# +# comment: +# Defines a default comment or note associated with the mailbox. This +# value is accessible through the IMAP METADATA mailbox entries +# "/shared/comment" and "/private/comment". Users with sufficient +# privileges can override the default value for entries with a custom +# value. + +# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf. +namespace inbox { + # These mailboxes are widely used and could perhaps be created automatically: + mailbox Drafts { + auto = create + special_use = \Drafts + } + mailbox Junk { + auto = create + special_use = \Junk + } + mailbox Trash { + auto = create + special_use = \Trash + } + mailbox Sent { + auto = subscribe + special_use = \Sent + } + + # If you have a virtual "All messages" mailbox: + mailbox virtual/All { + special_use = \All + comment = All my messages + } + + # If you have a virtual "Flagged" mailbox: + mailbox virtual/Flagged { + special_use = \Flagged + comment = All my flagged messages + } +} diff --git a/roles/IMAP-proxy/tasks/main.yml b/roles/IMAP-proxy/tasks/main.yml index 93a5181..50cfc2d 100644 --- a/roles/IMAP-proxy/tasks/main.yml +++ b/roles/IMAP-proxy/tasks/main.yml @@ -1,23 +1,26 @@ - name: Install Dovecot - #apt: pkg={{ item }} default_release={{ ansible_lsb.codename }}-backports - apt: pkg={{ item }} + # WARNING: "The destination servers don't need to be running Dovecot, + # but you should make sure that the Dovecot proxy doesn't advertise + # more capabilities than the destination server can handle." + # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy + apt: pkg={{ item }} default_release={{ ansible_lsb.codename }}-backports with_items: - dovecot-core - dovecot-imapd - name: Create a user 'imapproxy' user: name=imapproxy system=yes createhome=no home=/var/lib/imapproxy shell=/usr/sbin/nologin password=! state=present - name: Create a home directory for user 'imapproxy' file: path=/var/lib/imapproxy state=directory owner=imapproxy group=imapproxy mode=0700 - name: Configure Dovecot copy: src=etc/dovecot/conf.d/{{ item }} diff --git a/roles/IMAP-proxy/templates/etc/dovecot/conf.d/20-imapc.conf.j2 b/roles/IMAP-proxy/templates/etc/dovecot/conf.d/20-imapc.conf.j2 index 39dbbd6..6284f67 100644 --- a/roles/IMAP-proxy/templates/etc/dovecot/conf.d/20-imapc.conf.j2 +++ b/roles/IMAP-proxy/templates/etc/dovecot/conf.d/20-imapc.conf.j2 @@ -1,18 +1,17 @@ # Smart IMAP proxying with imapc storage # # http://dovecot.org/pipermail/dovecot/2011-January/056975.html # http://wiki2.dovecot.org/HowTo/ImapcProxy # http://wiki2.dovecot.org/MailboxFormat/imapc # http://wiki2.dovecot.org/Migration/Dsync imapc_host = {{ ipsec[imapsvr.inventory_hostname_short] }} imapc_port = 143 # Read multiple mails in parallel, improves performance mail_prefetch_count = 25 # The list of valid features can be found at # https://github.com/dovecot/core/blob/master/src/lib-storage/index/imapc/imapc-settings.c # (in the struct 'imapc_feature_list imapc_feature_list') -imapc_features = rfc822.size fetch-headers -#imapc_features = rfc822.size fetch-headers search +imapc_features = rfc822.size fetch-headers search |