diff options
-rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf | 4 | ||||
-rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf | 104 | ||||
-rw-r--r-- | roles/IMAP/tasks/imap.yml | 3 | ||||
-rw-r--r-- | roles/common/templates/etc/iptables/services.j2 | 1 | ||||
-rw-r--r-- | roles/webmail/tasks/roundcube.yml | 5 | ||||
-rw-r--r-- | roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 | 67 |
6 files changed, 182 insertions, 2 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf index 4eabe53..c727f4b 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf @@ -11,6 +11,10 @@ local 172.16.0.1 { disable_plaintext_auth = no ssl = no } + protocol sieve { + disable_plaintext_auth = no + ssl = no + } } # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before diff --git a/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf b/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf new file mode 100644 index 0000000..4d0420a --- /dev/null +++ b/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf @@ -0,0 +1,104 @@ +## +## Settings for the Sieve interpreter +## + +# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf +# by adding it to the respective mail_plugins= settings. + +plugin { + # The path to the user's main active script. If ManageSieve is used, this the + # location of the symbolic link controlled by ManageSieve. + sieve = ~/dovecot.sieve + + # The default Sieve script when the user has none. This is a path to a global + # sieve script file, which gets executed ONLY if user's private Sieve script + # doesn't exist. Be sure to pre-compile this script manually using the sievec + # command line tool. + # --> See sieve_before fore executing scripts before the user's personal + # script. + #sieve_default = /var/lib/dovecot/sieve/default.sieve + + # Directory for :personal include scripts for the include extension. This + # is also where the ManageSieve service stores the user's scripts. + sieve_dir = ~/sieve + + # Directory for :global include scripts for the include extension. + #sieve_global_dir = + + # Path to a script file or a directory containing script files that need to be + # executed before the user's script. If the path points to a directory, all + # the Sieve scripts contained therein (with the proper .sieve extension) are + # executed. The order of execution within a directory is determined by the + # file names, using a normal 8bit per-character comparison. Multiple script + # file or directory paths can be specified by appending an increasing number. + #sieve_before = + #sieve_before2 = + #sieve_before3 = (etc...) + + # Identical to sieve_before, only the specified scripts are executed after the + # user's script (only when keep is still in effect!). Multiple script file or + # directory paths can be specified by appending an increasing number. + #sieve_after = + #sieve_after2 = + #sieve_after2 = (etc...) + + # Which Sieve language extensions are available to users. By default, all + # supported extensions are available, except for deprecated extensions or + # those that are still under development. Some system administrators may want + # to disable certain Sieve extensions or enable those that are not available + # by default. This setting can use '+' and '-' to specify differences relative + # to the default. For example `sieve_extensions = +imapflags' will enable the + # deprecated imapflags extension in addition to all extensions were already + # enabled by default. + #sieve_extensions = +notify +imapflags + + # Which Sieve language extensions are ONLY available in global scripts. This + # can be used to restrict the use of certain Sieve extensions to administrator + # control, for instance when these extensions can cause security concerns. + # This setting has higher precedence than the `sieve_extensions' setting + # (above), meaning that the extensions enabled with this setting are never + # available to the user's personal script no matter what is specified for the + # `sieve_extensions' setting. The syntax of this setting is similar to the + # `sieve_extensions' setting, with the difference that extensions are + # enabled or disabled for exclusive use in global scripts. Currently, no + # extensions are marked as such by default. + #sieve_global_extensions = + + # The Pigeonhole Sieve interpreter can have plugins of its own. Using this + # setting, the used plugins can be specified. Check the Dovecot wiki + # (wiki2.dovecot.org) or the pigeonhole website + # (http://pigeonhole.dovecot.org) for available plugins. + #sieve_plugins = + + # The separator that is expected between the :user and :detail + # address parts introduced by the subaddress extension. This may + # also be a sequence of characters (e.g. '--'). The current + # implementation looks for the separator from the left of the + # localpart and uses the first one encountered. The :user part is + # left of the separator and the :detail part is right. This setting + # is also used by Dovecot's LMTP service. + recipient_delimiter = + + + # The maximum size of a Sieve script. The compiler will refuse to compile any + # script larger than this limit. If set to 0, no limit on the script size is + # enforced. + #sieve_max_script_size = 1M + + # The maximum number of actions that can be performed during a single script + # execution. If set to 0, no limit on the total number of actions is enforced. + #sieve_max_actions = 32 + + # The maximum number of redirect actions that can be performed during a single + # script execution. If set to 0, no redirect actions are allowed. + #sieve_max_redirects = 4 + + # The maximum number of personal Sieve scripts a single user can have. If set + # to 0, no limit on the number of scripts is enforced. + # (Currently only relevant for ManageSieve) + #sieve_quota_max_scripts = 0 + + # The maximum amount of disk storage a single user's scripts may occupy. If + # set to 0, no limit on the used amount of disk storage is enforced. + # (Currently only relevant for ManageSieve) + #sieve_quota_max_storage = 0 +} diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml index e39e4bf..163e10d 100644 --- a/roles/IMAP/tasks/imap.yml +++ b/roles/IMAP/tasks/imap.yml @@ -6,6 +6,8 @@ - dovecot-imapd - dovecot-lmtpd - dovecot-antispam + - dovecot-managesieved + - dovecot-sieve - name: Create a user 'vmail' user: name=vmail system=yes @@ -67,6 +69,7 @@ - conf.d/20-imap.conf - conf.d/20-lmtp.conf - conf.d/90-plugin.conf + - conf.d/90-sieve.conf - conf.d/auth-ldap.conf.ext - dovecot-ldap.conf.ext - dovecot-ldap-userdb.conf.ext diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2 index 3ddb87e..4e21dfc 100644 --- a/roles/common/templates/etc/iptables/services.j2 +++ b/roles/common/templates/etc/iptables/services.j2 @@ -21,6 +21,7 @@ in tcp 25 # SMTP {% endif %} {% if 'IMAP' in group_names %} in tcp 993 # IMAPS +in tcp 4190 # ManageSieve {% endif %} {% if 'MSA' in group_names %} in tcp 587 # SMTP-AUTH diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml index 21d4dff..2d8a8b9 100644 --- a/roles/webmail/tasks/roundcube.yml +++ b/roles/webmail/tasks/roundcube.yml @@ -37,7 +37,7 @@ - { var: username_domain, value: "'fripost.org'" } - { var: product_name, value: "'Fripost'" } # Plugins - - { var: plugins, value: "array('password','additional_message_headers')" } + - { var: plugins, value: "array('additional_message_headers','managesieve','password')" } # User Interface - { var: language, value: "'sv_SE'" } - { var: create_default_folders, value: "TRUE" } @@ -60,8 +60,9 @@ owner=root group=root mode=0644 with_items: - - password - additional_message_headers + - managesieve + - password - name: Start php5-fpm service: name=php5-fpm state=started diff --git a/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 b/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 new file mode 100644 index 0000000..27b5b44 --- /dev/null +++ b/roles/webmail/templates/usr/share/roundcube/plugins/managesieve/config.inc.php.j2 @@ -0,0 +1,67 @@ +<?php + +// managesieve server port +$rcmail_config['managesieve_port'] = 4190; + +// managesieve server address, default is localhost. +// Replacement variables supported in host name: +// %h - user's IMAP hostname +// %n - http hostname ($_SERVER['SERVER_NAME']) +// %d - domain (http hostname without the first part) +// For example %n = mail.domain.tld, %d = domain.tld +$rcmail_config['managesieve_host'] = '{{ IMAP }}'; + +// authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL +// or none. Optional, defaults to best method supported by server. +$rcmail_config['managesieve_auth_type'] = 'PLAIN'; + +// Optional managesieve authentication identifier to be used as authorization proxy. +// Authenticate as a different user but act on behalf of the logged in user. +// Works with PLAIN and DIGEST-MD5 auth. +$rcmail_config['managesieve_auth_cid'] = null; + +// Optional managesieve authentication password to be used for imap_auth_cid +$rcmail_config['managesieve_auth_pw'] = null; + +// use or not TLS for managesieve server connection +// it's because I've problems with TLS and dovecot's managesieve plugin +// and it's not needed on localhost +$rcmail_config['managesieve_usetls'] = FALSE; + +// default contents of filters script (eg. default spam filter) +$rcmail_config['managesieve_default'] = '/etc/dovecot/sieve/global'; + +// The name of the script which will be used when there's no user script +$rcmail_config['managesieve_script_name'] = 'managesieve'; + +// Sieve RFC says that we should use UTF-8 endcoding for mailbox names, +// but some implementations does not covert UTF-8 to modified UTF-7. +// Defaults to UTF7-IMAP +$rcmail_config['managesieve_mbox_encoding'] = 'UTF-8'; + +// I need this because my dovecot (with listescape plugin) uses +// ':' delimiter, but creates folders with dot delimiter +$rcmail_config['managesieve_replace_delimiter'] = ''; + +// disabled sieve extensions (body, copy, date, editheader, encoded-character, +// envelope, environment, ereject, fileinto, ihave, imap4flags, index, +// mailbox, mboxmetadata, regex, reject, relational, servermetadata, +// spamtest, spamtestplus, subaddress, vacation, variables, virustest, etc. +// Note: not all extensions are implemented +$rcmail_config['managesieve_disabled_extensions'] = array(); + +// Enables debugging of conversation with sieve server. Logs it into <log_dir>/sieve +$rcmail_config['managesieve_debug'] = false; + +// Enables features described in http://wiki.kolab.org/KEP:14 +$rcmail_config['managesieve_kolab_master'] = false; + +// Script name extension used for scripts including. Dovecot uses '.sieve', +// Cyrus uses '.siv'. Doesn't matter if you have managesieve_kolab_master disabled. +$rcmail_config['managesieve_filename_extension'] = '.sieve'; + +// List of reserved script names (without extension). +// Scripts listed here will be not presented to the user. +$rcmail_config['managesieve_filename_exceptions'] = array(); + +?> |