diff options
| -rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf | 85 | ||||
| -rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf | 45 | ||||
| -rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf | 33 | ||||
| -rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/15-lda.conf | 2 | ||||
| -rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf | 29 | ||||
| -rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf | 5 | ||||
| -rw-r--r-- | roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext | 2 | ||||
| -rw-r--r-- | roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext | 11 | ||||
| -rw-r--r-- | roles/IMAP/tasks/imap.yml | 1 | ||||
| -rw-r--r-- | roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 | 28 | ||||
| -rw-r--r-- | roles/IMAP/templates/etc/dovecot/conf.d/15-lda.conf | 0 | ||||
| -rw-r--r-- | roles/common/files/etc/fail2ban/filter.d/dovecot.conf | 39 |
12 files changed, 148 insertions, 132 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf deleted file mode 100644 index 848fe69..0000000 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf +++ /dev/null @@ -1,85 +0,0 @@ -## -## Log destination. -## - -# Log file to use for error messages. "syslog" logs to syslog, -# /dev/stderr logs to stderr. -#log_path = syslog - -# Log file to use for informational messages. Defaults to log_path. -#info_log_path = -# Log file to use for debug messages. Defaults to info_log_path. -#debug_log_path = - -# Syslog facility to use if you're logging to syslog. Usually if you don't -# want to use "mail", you'll use local0..local7. Also other standard -# facilities are supported. -#syslog_facility = mail - -## -## Logging verbosity and debugging. -## - -# Log unsuccessful authentication attempts and the reasons why they failed. -#auth_verbose = no - -# In case of password mismatches, log the attempted password. Valid values are -# no, plain and sha1. sha1 can be useful for detecting brute force password -# attempts vs. user simply trying the same password over and over again. -# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6). -#auth_verbose_passwords = no - -# Even more verbose logging for debugging purposes. Shows for example SQL -# queries. -#auth_debug = no - -# In case of password mismatches, log the passwords and used scheme so the -# problem can be debugged. Enabling this also enables auth_debug. -#auth_debug_passwords = no - -# Enable mail process debugging. This can help you figure out why Dovecot -# isn't finding your mails. -#mail_debug = no - -# Show protocol level SSL errors. -#verbose_ssl = no - -# mail_log plugin provides more event logging for mail processes. -plugin { - # Events to log. Also available: flag_change append - #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename - # Available fields: uid, box, msgid, from, subject, size, vsize, flags - # size and vsize are available only for expunge and copy events. - #mail_log_fields = uid box msgid size -} - -## -## Log formatting. -## - -# Prefix for each line written to log file. % codes are in strftime(3) -# format. -log_timestamp = "%Y-%m-%d %H:%M:%S " - -# Space-separated list of elements we want to log. The elements which have -# a non-empty variable value are joined together to form a comma-separated -# string. -#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c - -# Login log format. %s contains login_log_format_elements string, %$ contains -# the data we want to log. -#login_log_format = %$: %s - -# Log prefix for mail processes. See doc/wiki/Variables.txt for list of -# possible variables you can use. -#mail_log_prefix = "%s(%u): " - -# Format to use for logging mail deliveries. See doc/wiki/Variables.txt for -# list of all variables you can use. Some of the common ones include: -# %$ - Delivery status message (e.g. "saved to INBOX") -# %m - Message-ID -# %s - Subject -# %f - From address -# %p - Physical size -# %w - Virtual size -#deliver_log_format = msgid=%m: %$ diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf index a781402..d74b026 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf @@ -101,41 +101,41 @@ namespace virtual { #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u # Use the default namespace for saving subscriptions. #subscriptions = no # List the shared/ namespace only if there are visible shared mailboxes. #list = children #} # Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"? #mail_shared_explicit_inbox = no # System user and group used to access mails. If you use multiple, userdb # can override these by returning uid or gid fields. You can use either numbers # or names. <doc/wiki/UserIds.txt> mail_uid = vmail mail_gid = vmail # Group to enable temporarily for privileged operations. Currently this is # used only with INBOX when either its initial creation or dotlocking fails. # Typically this is set to "mail" to give access to /var/mail. -#mail_privileged_group = +mail_privileged_group = # Grant access to these supplementary groups for mail processes. Typically # these are used to set up access to shared mailboxes. Note that it may be # dangerous to set these if users can create symlinks (e.g. if "mail" group is # set here, ln -s /var/mail ~/mail/var could allow a user to delete others' # mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it). #mail_access_groups = # Allow full filesystem access to clients. There's no access checks other than # what the operating system does for the active UID/GID. It works with both # maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/ # or ~user/. #mail_full_filesystem_access = no # Dictionary for key=value mailbox attributes. This is used for example by # URLAUTH and METADATA extensions. #mail_attribute_dict = # A comment or note that is associated with the server. This value is # accessible for authenticated users through the IMAP METADATA server @@ -155,41 +155,44 @@ mail_server_admin = mailto:postmaster@fripost.org # Don't use mmap() at all. This is required if you store indexes to shared # filesystems (NFS or clustered filesystem). #mmap_disable = no # Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL # since version 3, so this should be safe to use nowadays by default. #dotlock_use_excl = yes # When to use fsync() or fdatasync() calls: # optimized (default): Whenever necessary to avoid losing important data # always: Useful with e.g. NFS when write()s are delayed # never: Never use it (best performance, but crashes can lose data) #mail_fsync = optimized # Locking method for index files. Alternatives are fcntl, flock and dotlock. # Dotlocking uses some tricks which may create more disk I/O than other locking # methods. NFS users: flock doesn't work, remember to change mmap_disable. #lock_method = fcntl -# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB. +# Directory where mails can be temporarily stored. Usually it's used only for +# mails larger than >= 128 kB. It's used by various parts of Dovecot, for +# example LDA/LMTP while delivering large mails or zlib plugin for keeping +# uncompressed mails. #mail_temp_dir = /tmp # Valid UID range for users, defaults to 500 and above. This is mostly # to make sure that users can't log in as daemons or other system users. # Note that denying root logins is hardcoded to dovecot binary and can't # be done even if first_valid_uid is set to 0. first_valid_uid = 1 #last_valid_uid = 0 # Valid GID range for users, defaults to non-root/wheel. Users having # non-valid GID as primary group ID aren't allowed to log in. If user # belongs to supplementary groups with non-valid GIDs, those groups are # not set. #first_valid_gid = 1 #last_valid_gid = 0 # Maximum allowed length for mail keyword name. It's only forced when trying # to create new keywords. #mail_max_keyword_length = 50 @@ -202,76 +205,98 @@ first_valid_uid = 1 # allow shell access for users. <doc/wiki/Chrooting.txt> #valid_chroot_dirs = # Default chroot directory for mail processes. This can be overridden for # specific users in user database by giving /./ in user's home directory # (eg. /home/./user chroots into /home). Note that usually there is no real # need to do chrooting, Dovecot doesn't allow users to access files outside # their mail directory anyway. If your home directories are prefixed with # the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt> #mail_chroot = # UNIX socket path to master authentication server to find users. # This is used by imap (for shared users) and lda. #auth_socket_path = /var/run/dovecot/auth-userdb # Directory where to look up mail plugins. #mail_plugin_dir = /usr/lib/dovecot/modules # Space separated list of plugins to load for all services. Plugins specific to # IMAP, LDA, etc. are added to this list in their own .conf files. -mail_plugins = quota stats virtual zlib +mail_plugins = quota virtual zlib ## ## Mailbox handling optimizations ## # Mailbox list indexes can be used to optimize IMAP STATUS commands. They are # also required for IMAP NOTIFY extension to be enabled. -mailbox_list_index = yes +#mailbox_list_index = yes + +# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost +# of potentially returning out-of-date results after e.g. server crashes. +# The results will be automatically fixed once the folders are opened. +#mailbox_list_index_very_dirty_syncs = yes + +# Should INBOX be kept up-to-date in the mailbox list index? By default it's +# not, because most of the mailbox accesses will open INBOX anyway. +#mailbox_list_index_include_inbox = no # The minimum number of mails in a mailbox before updates are done to cache # file. This allows optimizing Dovecot's behavior to do less disk writes at # the cost of more disk reads. #mail_cache_min_mail_count = 0 # When IDLE command is running, mailbox is checked once in a while to see if # there are any new mails or other changes. This setting defines the minimum # time to wait between those checks. Dovecot can also use inotify and # kqueue to find out immediately when changes occur. #mailbox_idle_check_interval = 30 secs # Save mails with CR+LF instead of plain LF. This makes sending those mails # take less CPU, especially with sendfile() syscall with Linux and FreeBSD. # But it also creates a bit more disk I/O which may just make it slower. # Also note that if other software reads the mboxes/maildirs, they may handle # the extra CRs wrong and cause problems. #mail_save_crlf = no # Max number of mails to keep open and prefetch to memory. This only works with # some mailbox formats and/or operating systems. #mail_prefetch_count = 0 # How often to scan for stale temporary files and delete them (0 = never). # These should exist only after Dovecot dies in the middle of saving mails. #mail_temp_scan_interval = 1w +# How many slow mail accesses sorting can perform before it returns failure. +# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long. +# The untagged SORT reply is still returned, but it's likely not correct. +#mail_sort_max_read_count = 0 + +protocol !indexer-worker { + # If folder vsize calculation requires opening more than this many mails from + # disk (i.e. mail sizes aren't in cache already), return failure and finish + # the calculation via indexer process. Disabled by default. This setting must + # be 0 for indexer-worker processes. + #mail_vsize_bg_after_count = 0 +} + ## ## Maildir-specific settings ## # By default LIST command returns all entries in maildir beginning with a dot. # Enabling this option makes Dovecot return only entries which are directories. # This is done by stat()ing each entry, so it causes more disk I/O. # (For systems setting struct dirent->d_type, this check is free and it's # done always regardless of this setting) #maildir_stat_dirs = no # When copying a message, do it with hard links whenever possible. This makes # the performance much better, and it's unlikely to have any side effects. #maildir_copy_with_hardlinks = yes # Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only # when its mtime changes unexpectedly or when we can't find the mail otherwise. #maildir_very_dirty_syncs = no # If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for @@ -337,56 +362,66 @@ mailbox_list_index = yes # commands and when closing the mailbox). This is especially useful for POP3 # where clients often delete all mails. The downside is that our changes # aren't immediately visible to other MUAs. #mbox_lazy_writes = yes # If mbox size is smaller than this (e.g. 100k), don't write index files. # If an index file already exists it's still read, just not updated. #mbox_min_index_size = 0 # Mail header selection algorithm to use for MD5 POP3 UIDLs when # pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired # algorithm, but it fails if the first Received: header isn't unique in all # mails. An alternative algorithm is "all" that selects all headers. #mbox_md5 = apop3d ## ## mdbox-specific settings ## # Maximum dbox file size until it's rotated. -#mdbox_rotate_size = 2M +#mdbox_rotate_size = 10M # Maximum dbox file age until it's rotated. Typically in days. Day begins # from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled. #mdbox_rotate_interval = 0 # When creating new mdbox files, immediately preallocate their size to # mdbox_rotate_size. This setting currently works only in Linux with some # filesystems (ext4, xfs). mdbox_preallocate_space = yes ## ## Mail attachments ## # sdbox and mdbox support saving mail attachments to external files, which # also allows single instance storage for them. Other backends don't support # this for now. # Directory root where to store mail attachments. Disabled, if empty. mail_attachment_dir = /home/mail/attachments # Attachments smaller than this aren't saved externally. It's also possible to # write a plugin to disable saving specific attachments externally. #mail_attachment_min_size = 128k # Filesystem backend to use for saving attachments: # posix : No SiS done by Dovecot (but this might help FS's own deduplication) # sis posix : SiS with immediate byte-by-byte comparison during saving # sis-queue posix : SiS with delayed comparison and deduplication mail_attachment_fs = sis-queue /home/mail/attachments/queue:posix # Hash format to use in attachment filenames. You can add any text and # variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}. # Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits mail_attachment_hash = %{sha256} + +# Settings to control adding $HasAttachment or $HasNoAttachment keywords. +# By default, all MIME parts with Content-Disposition=attachment, or inlines +# with filename parameter are consired attachments. +# add-flags-on-save - Add the keywords when saving new mails. +# content-type=type or !type - Include/exclude content type. Excluding will +# never consider the matched MIME part as attachment. Including will only +# negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar). +# exclude-inlined - Exclude any Content-Disposition=inline MIME part. +#mail_attachment_detection_options = diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf index 209347f..adeb879 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf @@ -10,53 +10,64 @@ ssl = required # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf ssl_cert = </etc/dovecot/ssl/imap.fripost.org.pem ssl_key = </etc/dovecot/ssl/imap.fripost.org.key # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often # world-readable, you may want to place this setting instead to a different # root owned 0600 file by using ssl_key_password = <path. #ssl_key_password = # PEM encoded trusted certificate authority. Set this only if you intend to use # ssl_verify_client_cert=yes. The file should contain the CA certificate(s) # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) #ssl_ca = # Require that CRL check succeeds for client certificates. #ssl_require_crl = yes # Directory and/or file for trusted SSL CA certificates. These are used only -# when Dovecot needs to act as an SSL client (e.g. imapc backend). The -# directory is usually /etc/ssl/certs in Debian-based systems and the file is -# /etc/pki/tls/cert.pem in RedHat-based systems. -#ssl_client_ca_dir = +# when Dovecot needs to act as an SSL client (e.g. imapc backend or +# submission service). The directory is usually /etc/ssl/certs in +# Debian-based systems and the file is /etc/pki/tls/cert.pem in +# RedHat-based systems. +ssl_client_ca_dir = /etc/ssl/certs #ssl_client_ca_file = # Request client to send a certificate. If you also want to require it, set # auth_ssl_require_client_cert=yes in auth section. #ssl_verify_client_cert = no # Which field from certificate to use for username. commonName and # x500UniqueIdentifier are the usual choices. You'll also need to set # auth_ssl_username_from_cert=yes. #ssl_cert_username_field = commonName -# DH parameters length to use. -ssl_dh_parameters_length = 2048 +# SSL DH parameters +# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096` +# Or migrate from old ssl-parameters.dat file with the command dovecot +# gives on startup when ssl_dh is unset. +ssl_dh = </etc/ssl/dhparams.pem -# SSL protocols to use -#ssl_protocols = !SSLv3 +# Minimum SSL protocol version to use. Potentially recognized values are SSLv3, +# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used. +ssl_min_protocol = TLSv1.2 # SSL ciphers to use -ssl_cipher_list = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL +ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + +# Colon separated list of elliptic curves to use. Empty value (the default) +# means use the defaults from the SSL library. P-521:P-384:P-256 would be an +# example of a valid value. +#ssl_curve_list = # Prefer the server's order of ciphers over client's. #ssl_prefer_server_ciphers = no # SSL crypto device to use, for valid values run "openssl engine" #ssl_crypto_device = # SSL extra options. Currently supported options are: -# no_compression - Disable compression. -ssl_options = no_compression +# compression - Enable compression. +# no_ticket - Disable SSL session tickets. +#ssl_options = diff --git a/roles/IMAP/files/etc/dovecot/conf.d/15-lda.conf b/roles/IMAP/files/etc/dovecot/conf.d/15-lda.conf index 2a7bd27..4bfd8a5 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/15-lda.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/15-lda.conf @@ -1,26 +1,26 @@ ## ## LDA specific settings (also used by LMTP) ## # Address to use when sending rejection mails. -# Default is postmaster@<your domain>. %d expands to recipient domain. +# Default is postmaster@%d. %d expands to recipient domain. #postmaster_address = # Hostname to use in various parts of sent mails (e.g. in Message-Id) and # in LMTP replies. Default is the system's real hostname@domain. #hostname = # If user is over quota, return with temporary failure instead of # bouncing the mail. #quota_full_tempfail = no # Binary to use for sending mails. sendmail_path = /usr/sbin/postmulti -i msa -x /usr/sbin/sendmail # If non-empty, send mails via this SMTP host[:port] instead of sendmail. #submission_host = # Subject: header to use for rejection mails. You can use the same variables # as for rejection_reason below. #rejection_subject = Rejected: %s diff --git a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf index 3ddedce..de1fbbb 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf @@ -4,82 +4,105 @@ # If nothing happens for this long while client is IDLEing, move the connection # to imap-hibernate process and close the old imap process. This saves memory, # because connections use very little memory in imap-hibernate process. The # downside is that recreating the imap process back uses some resources. imap_hibernate_timeout = 15s # Maximum IMAP command line length. Some clients generate very long command # lines with huge mailboxes, so you may need to raise this if you get # "Too long argument" or "IMAP command line too large" errors often. #imap_max_line_length = 64k # IMAP logout format string: # %i - total number of bytes read from client # %o - total number of bytes sent to client # %{fetch_hdr_count} - Number of mails with mail header data sent to client # %{fetch_hdr_bytes} - Number of bytes with mail header data sent to client # %{fetch_body_count} - Number of mails with mail body data sent to client # %{fetch_body_bytes} - Number of bytes with mail body data sent to client # %{deleted} - Number of mails where client added \Deleted flag -# %{expunged} - Number of mails that client expunged +# %{expunged} - Number of mails that client expunged, which does not +# include automatically expunged mails +# %{autoexpunged} - Number of mails that were automatically expunged after +# client disconnected # %{trashed} - Number of mails that client copied/moved to the # special_use=\Trash mailbox. -#imap_logout_format = in=%i out=%o +# %{appended} - Number of mails saved during the session +#imap_logout_format = in=%i out=%o deleted=%{deleted} expunged=%{expunged} \ +# trashed=%{trashed} hdr_count=%{fetch_hdr_count} \ +# hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} \ +# body_bytes=%{fetch_body_bytes} # Override the IMAP CAPABILITY response. If the value begins with '+', # add the given capabilities on top of the defaults (e.g. +XFOO XBAR). #imap_capability = # How long to wait between "OK Still here" notifications when client is # IDLEing. #imap_idle_notify_interval = 2 mins # ID field names and values to send to clients. Using * as the value makes # Dovecot use the default value. The following fields have default values # currently: name, version, os, os-version, support-url, support-email. #imap_id_send = # ID fields sent by client to log. * means everything. #imap_id_log = # Workarounds for various client bugs: # delay-newmail: # Send EXISTS/RECENT new mail notifications only when replying to NOOP # and CHECK commands. Some clients ignore them otherwise, for example OSX # Mail (<v2.1). Outlook Express breaks more badly though, without this it # may show user "Message no longer in server" errors. Note that OE6 still # breaks even with this workaround if synchronization is set to # "Headers Only". # tb-extra-mailbox-sep: # Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and # adds extra '/' suffixes to mailbox names. This option causes Dovecot to # ignore the extra '/' instead of treating it as invalid mailbox name. # tb-lsub-flags: # Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox). # This makes Thunderbird realize they aren't selectable and show them # greyed out, instead of only later giving "not selectable" popup error. # # The list is space-separated. #imap_client_workarounds = # Host allowed in URLAUTH URLs sent by client. "*" allows all. #imap_urlauth_host = +# Enable IMAP LITERAL- extension (replaces LITERAL+) +#imap_literal_minus = no + +# What happens when FETCH fails due to some internal error: +# disconnect-immediately: +# The FETCH is aborted immediately and the IMAP client is disconnected. +# disconnect-after: +# The FETCH runs for all the requested mails returning as much data as +# possible. The client is finally disconnected without a tagged reply. +# no-after: +# Same as disconnect-after, but tagged NO reply is sent instead of +# disconnecting the client. If the client attempts to FETCH the same failed +# mail more than once, the client is disconnected. This is to avoid clients +# from going into infinite loops trying to FETCH a broken mail. +#imap_fetch_failure = disconnect-immediately + protocol imap { # Space separated list of plugins to load (default is global mail_plugins). - mail_plugins = $mail_plugins imap_stats imap_zlib + mail_plugins = $mail_plugins imap_zlib # Maximum number of IMAP connections allowed for a user from each IP address. # NOTE: The username is compared case-sensitively. mail_max_userip_connections = 16 # # TODO Load the 'antispam' plugin for people using the content filter. # # (Otherwise fallback to the static userdb.) # userdb { # driver = ldap # args = /etc/dovecot/dovecot-ldap-userdb.conf.ext # # # Default fields can be used to specify defaults that LDAP may override # default_fields = home=/home/mail/virtual/%d/%n # } } diff --git a/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf b/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf index 9583b6d..52a81ca 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf @@ -6,28 +6,23 @@ # settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and # their configuration. Note that %variable expansion is done for all values. plugin { antispam_backend = spool2dir antispam_trash = Trash antispam_unsure_pattern_ignorecase = MailTrain;MailTrain/* antispam_spam = Junk # The first %%lu is replaced by the current time. # The second %%lu is replaced by a counter to generate unique names. # These two tokens MUST be present in the template! antispam_spool2dir_spam = /home/mail/spamspool/%u-%%10lu-%%06lu.spam antispam_spool2dir_notspam = /home/mail/spamspool/%u-%%10lu-%%06lu.ham quota_rule = *:storage=0 quota = count:User quota quota_vsizes = yes - # how often to session statistics - stats_refresh = 30 secs - # track per-IMAP command statistics - stats_track_cmds = yes - zlib_save = gz zlib_save_level = 6 } diff --git a/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext index ecd7134..a054ffe 100644 --- a/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext +++ b/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext @@ -1,12 +1,12 @@ # This file is commonly accessed via passdb {} or userdb {} section in # conf.d/auth-dict.conf.ext # Dictionary URI -uri = proxy:/var/run/dovecot/auth-proxy: +uri = proxy:/run/dovecot/auth-proxy: # Username iteration prefix. Keys under this are assumed to contain usernames. iterate_prefix = userdb/ # Should iteration be disabled for this userdb? If this userdb acts only as a # cache there's no reason to try to iterate the (partial & duplicate) users. iterate_disable = no diff --git a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext index 1b97a0e..a455616 100644 --- a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext +++ b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext @@ -113,30 +113,39 @@ user_attrs = # %u - username # %n - user part in user@domain, same as %u if there's no domain # %d - domain part in user@domain, empty if user there's no domain user_filter = # Password checking attributes: # user: Virtual user name (user@domain), if you wish to change the # user-given username to something else # password: Password, may optionally start with {type}, eg. {crypt} # There are also other special fields which can be returned, see # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields pass_attrs = # If you wish to avoid two LDAP lookups (passdb + userdb), you can use # userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll # also have to include user_attrs in pass_attrs field prefixed with "userdb_" # string. For example: #pass_attrs = uid=user,userPassword=password,\ # homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid -# Filter for password lookups (ignored for auth binds) +# Filter for password lookups pass_filter = (&(objectClass=FripostVirtualUser)(fvl=%n)(fripostIsStatusActive=TRUE)) # Attributes and filter to get a list of all users #iterate_attrs = uid=user #iterate_filter = (objectClass=posixAccount) # Default password scheme. "{scheme}" before password overrides this. # List of supported schemes is in: http://wiki2.dovecot.org/Authentication #default_pass_scheme = CRYPT + +# By default all LDAP lookups are performed by the auth master process. +# If blocking=yes, auth worker processes are used to perform the lookups. +# Each auth worker process creates its own LDAP connection so this can +# increase parallelism. With blocking=no the auth master process can +# keep 8 requests pipelined for the LDAP connection, while with blocking=yes +# each connection has a maximum of 1 request running. For small systems the +# blocking=no is sufficient and uses less resources. +#blocking = no diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml index 231c759..429854e 100644 --- a/roles/IMAP/tasks/imap.yml +++ b/roles/IMAP/tasks/imap.yml @@ -106,41 +106,40 @@ mode=0755 - name: Fetch Dovecot's X.509 certificate # Ensure we don't fetch private data become: False fetch_cmd: cmd="openssl x509 -noout -pubkey" stdin=/etc/dovecot/ssl/imap.fripost.org.pem dest=certs/public/imap.fripost.org.pub tags: - genkey - name: Configure Dovecot copy: src=etc/dovecot/{{ item }} dest=/etc/dovecot/{{ item }} owner=root group=root mode=0644 register: r1 with_items: - conf.d/10-auth.conf - - conf.d/10-logging.conf - conf.d/10-mail.conf - conf.d/10-ssl.conf - conf.d/15-mailboxes.conf # LDA is also used by LMTP - conf.d/15-lda.conf - conf.d/20-imap.conf - conf.d/20-lmtp.conf - conf.d/90-plugin.conf - conf.d/90-sieve.conf - conf.d/auth-ldap.conf.ext - dovecot-ldap.conf.ext - dovecot-ldap-userdb.conf.ext notify: - Restart Dovecot - name: Configure Dovecot (2) template: src=etc/dovecot/{{ item }}.j2 dest=/etc/dovecot/{{ item }} owner=root group=root mode=0644 diff --git a/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 b/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 index 8eef8a1..daeecf4 100644 --- a/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 +++ b/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 @@ -36,117 +36,131 @@ service imap-login { # Max. number of IMAP processes (logins) process_limit = 256 # Number of processes to always keep waiting for more connections. process_min_avail = 4 # If you set service_count=0, you probably need to grow this. #vsz_limit = $default_vsz_limit } service pop3-login { inet_listener pop3 { #port = 110 } inet_listener pop3s { #port = 995 #ssl = yes } } +service stats { + unix_listener stats-writer { + user = vmail + mode = 0600 + } +} + +service submission-login { + inet_listener submission { + port = 0 + } +} + service lmtp { user = vmail unix_listener /var/spool/postfix-{{ postfix_instance.IMAP.name }}/private/dovecot-lmtpd { user = postfix mode = 0600 } # Create inet listener only if you can't use the above UNIX socket #inet_listener lmtp { # Avoid making LMTP visible for the entire internet #address = #port = #} # Number of processes to always keep waiting for more connections. process_min_avail = 4 } service imap { # Most of the memory goes to mmap()ing files. You may need to increase this # limit if you have huge mailboxes. #vsz_limit = $default_vsz_limit # Max. number of IMAP processes (connections) #process_limit = 1024 unix_listener imap-master { user = $default_internal_user mode = 0600 } } service imap-hibernate { unix_listener imap-hibernate { + # Match user running imap processes, cf. + # https://dovecot.org/pipermail/dovecot/2015-August/101783.html user = vmail mode = 0600 } } service pop3 { # Max. number of POP3 processes (connections) #process_limit = 1024 } +service submission { + # Max. number of SMTP Submission processes (connections) + #process_limit = 1024 +} + service auth { # auth_socket_path points to this userdb socket by default. It's typically # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have # full permissions to this socket are able to get a list of all usernames and # get the results of everyone's userdb lookups. # # The default 0666 mode allows anyone to connect to the socket, but the # userdb lookups will succeed only if the userdb returns an "uid" field that # matches the caller process's UID. Also if caller's uid or gid matches the # socket's uid or gid the lookup succeeds. Anything else causes a failure. # # To give the caller full permissions to lookup all users, set the mode to # something else than 0666 and Dovecot lets the kernel enforce the # permissions (e.g. 0777 allows everyone full permissions). unix_listener auth-userdb { user = vmail mode = 0600 } # Postfix smtp-auth unix_listener /var/spool/postfix-{{ postfix_instance.MSA.name }}/private/dovecot-auth { user = postfix + group = postfix mode = 0600 } # Auth process is run as this user. #user = $default_internal_user } service auth-worker { # Auth worker process is run as root by default, so that it can access # /etc/shadow. If this isn't necessary, the user should be changed to # $default_internal_user. user = $default_internal_user } service dict { # If dict proxy is used, mail processes should have access to its socket. # For example: mode=0660, group=vmail and global mail_access_groups=vmail unix_listener dict { #mode = 0600 #user = #group = } } - -service stats { - fifo_listener stats-mail { - user = vmail - mode = 0600 - } -} diff --git a/roles/IMAP/templates/etc/dovecot/conf.d/15-lda.conf b/roles/IMAP/templates/etc/dovecot/conf.d/15-lda.conf deleted file mode 100644 index e69de29..0000000 --- a/roles/IMAP/templates/etc/dovecot/conf.d/15-lda.conf +++ /dev/null diff --git a/roles/common/files/etc/fail2ban/filter.d/dovecot.conf b/roles/common/files/etc/fail2ban/filter.d/dovecot.conf index 4d4ea16..c8f5345 100644 --- a/roles/common/files/etc/fail2ban/filter.d/dovecot.conf +++ b/roles/common/files/etc/fail2ban/filter.d/dovecot.conf @@ -1,34 +1,49 @@ -# Fail2Ban filter Dovecot authentication and pop3/imap server +# Fail2Ban filter Dovecot authentication and pop3/imap/managesieve server +# guilhem 2020-05-19: This is the filter from Buster (fail2ban +# 0.10.2-2.1) with managesieve to the list of protected services # [INCLUDES] before = common.conf [Definition] -_daemon = (auth|dovecot(-auth)?|auth-worker) +_auth_worker = (?:dovecot: )?auth(?:-worker)? +_daemon = (?:dovecot(?:-auth)?|auth) -# Take the filter from Stretch and add managesieve to the list of protected services -failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$ - ^%(__prefix_line)s(?:pop3|imap|managesieve)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$ - ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ - ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$ - ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$ +prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$ -ignoreregex = +failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$ + ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$ + ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$ + ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials)\s*$ + <mdre-<mode>> -[Init] +mdre-aggressive = ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$ + +mdre-normal = + +# Parameter `mode` - `normal` or `aggressive`. +# Aggressive mode can be used to match log-entries like: +# 'no auth attempts', 'disconnected before auth was ready', 'client didn't finish SASL auth'. +# Note it may produce lots of false positives on misconfigured MTAs. +# Ex.: +# filter = dovecot[mode=aggressive] +mode = normal + +ignoreregex = journalmatch = _SYSTEMD_UNIT=dovecot.service +datepattern = {^LN-BEG}TAI64N + {^LN-BEG} + # DEV Notes: # * the first regex is essentially a copy of pam-generic.conf # * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016) -# * Removed the 'no auth attempts' log lines from the matches because produces -# lots of false positives on misconfigured MTAs making regexp unusable # # Author: Martin Waschbuesch # Daniel Black (rewrote with begin and end anchors) # Martin O'Neal (added LDAP authentication failure regex) # Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility) |