summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--common.yml2
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf3
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf35
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-master.conf14
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf16
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf109
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf3
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf25
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext2
-rw-r--r--roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext5
-rw-r--r--roles/IMAP/tasks/imap.yml17
-rw-r--r--roles/IMAP/tasks/main.yml2
-rw-r--r--roles/IMAP/templates/etc/postfix/main.cf.j27
-rw-r--r--roles/common/files/etc/logcheck/ignore.d.server/dovecot-local7
14 files changed, 139 insertions, 108 deletions
diff --git a/common.yml b/common.yml
index 1fe15d5..a4f49e5 100644
--- a/common.yml
+++ b/common.yml
@@ -41,7 +41,7 @@
- common-web
- name: Configure amavis
- hosts: MDA:out
+ hosts: out
gather_facts: False
tags: amavis
roles:
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf
index cf0189e..d4f323d 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf
@@ -6,7 +6,8 @@
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
-disable_plaintext_auth = yes
+# See also ssl=required setting.
+#disable_plaintext_auth = yes
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf
index dcc1d9c..c98d3f6 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf
@@ -107,7 +107,7 @@ namespace virtual {
#list = children
#}
# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
-#mail_shared_explicit_inbox = yes
+#mail_shared_explicit_inbox = no
# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
@@ -133,6 +133,10 @@ mail_gid = vmail
# or ~user/.
#mail_full_filesystem_access = no
+# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but
+# soon intended to be used by METADATA as well.
+#mail_attribute_dict =
+
##
## Mail processes
##
@@ -151,13 +155,6 @@ mail_gid = vmail
# never: Never use it (best performance, but crashes can lose data)
#mail_fsync = optimized
-# Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches
-# whenever needed. If you're using only a single mail server this isn't needed.
-#mail_nfs_storage = no
-# Mail index files also exist in NFS. Setting this to yes requires
-# mmap_disable=yes and fsync_disable=no.
-#mail_nfs_index = no
-
# Locking method for index files. Alternatives are fcntl, flock and dotlock.
# Dotlocking uses some tricks which may create more disk I/O than other locking
# methods. NFS users: flock doesn't work, remember to change mmap_disable.
@@ -170,14 +167,14 @@ mail_gid = vmail
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
-first_valid_uid = 1
+#first_valid_uid = 500
#last_valid_uid = 0
# Valid GID range for users, defaults to non-root/wheel. Users having
# non-valid GID as primary group ID aren't allowed to log in. If user
# belongs to supplementary groups with non-valid GIDs, those groups are
# not set.
-first_valid_gid = 1
+#first_valid_gid = 1
#last_valid_gid = 0
# Maximum allowed length for mail keyword name. It's only forced when trying
@@ -216,6 +213,10 @@ mail_plugins = virtual zlib
## Mailbox handling optimizations
##
+# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
+# also required for IMAP NOTIFY extension to be enabled.
+mailbox_list_index = yes
+
# The minimum number of mails in a mailbox before updates are done to cache
# file. This allows optimizing Dovecot's behavior to do less disk writes at
# the cost of more disk reads.
@@ -267,6 +268,10 @@ mail_plugins = virtual zlib
# broken size. The performance hit for enabling this is very small.
#maildir_broken_filename_sizes = no
+# Always move mails from new/ directory to cur/, even when the \Recent flags
+# aren't being reset.
+#maildir_empty_new = no
+
##
## mbox-specific settings
##
@@ -285,8 +290,14 @@ mail_plugins = virtual zlib
# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
# locking methods as well. Some operating systems don't allow using some of
# them simultaneously.
+#
+# The Debian value for mbox_write_locks differs from upstream Dovecot. It is
+# changed to be compliant with Debian Policy (section 11.6) for NFS safety.
+# Dovecot: mbox_write_locks = dotlock fcntl
+# Debian: mbox_write_locks = fcntl dotlock
+#
#mbox_read_locks = fcntl
-#mbox_write_locks = dotlock fcntl
+#mbox_write_locks = fcntl dotlock
# Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins
@@ -350,8 +361,6 @@ mail_plugins = virtual zlib
# also allows single instance storage for them. Other backends don't support
# this for now.
-# WARNING: This feature hasn't been tested much yet. Use at your own risk.
-
# Directory root where to store mail attachments. Disabled, if empty.
#mail_attachment_dir =
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf
index 30e9fb6..189e96e 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf
@@ -8,25 +8,25 @@
# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
-default_login_user = dovenull
+#default_login_user = dovenull
# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
-default_internal_user = dovecot
+#default_internal_user = dovecot
service imap-login {
inet_listener imap {
port = 0
}
inet_listener imaps {
- port = 993
- ssl = yes
+ #port = 993
+ #ssl = yes
}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
- service_count = 1
+ #service_count = 1
# Max. number of IMAP processes (logins)
process_limit = 256
@@ -46,8 +46,6 @@ service pop3-login {
#port = 995
#ssl = yes
}
-
- service_count = 1
}
service lmtp {
@@ -112,7 +110,7 @@ service auth {
}
# Auth process is run as this user.
- user = $default_internal_user
+ #user = $default_internal_user
}
service auth-worker {
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index 526da9c..90843b2 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -26,6 +26,13 @@ ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes
+# Directory and/or file for trusted SSL CA certificates. These are used only
+# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
+# directory is usually /etc/ssl/certs in Debian-based systems and the file is
+# /etc/pki/tls/cert.pem in RedHat-based systems.
+#ssl_client_ca_dir =
+#ssl_client_ca_file =
+
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
@@ -35,10 +42,8 @@ ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
-# How often to regenerate the SSL parameters file. Generation is quite CPU
-# intensive operation. The value is in hours, 0 disables regeneration
-# entirely.
-#ssl_parameters_regenerate = 168
+# DH parameters length to use.
+#ssl_dh_parameters_length = 1024
# SSL protocols to use
ssl_protocols = !SSLv2
@@ -46,5 +51,8 @@ ssl_protocols = !SSLv2
# SSL ciphers to use
ssl_cipher_list = HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH
+# Prefer the server's order of ciphers over client's.
+#ssl_prefer_server_ciphers = no
+
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf
index 2557b78..1807e05 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf
@@ -2,67 +2,70 @@
## IMAP specific settings
##
-protocol imap {
- # Maximum IMAP command line length. Some clients generate very long command
- # lines with huge mailboxes, so you may need to raise this if you get
- # "Too long argument" or "IMAP command line too large" errors often.
- #imap_max_line_length = 64k
+# Maximum IMAP command line length. Some clients generate very long command
+# lines with huge mailboxes, so you may need to raise this if you get
+# "Too long argument" or "IMAP command line too large" errors often.
+#imap_max_line_length = 64k
- # Maximum number of IMAP connections allowed for a user from each IP address.
- # NOTE: The username is compared case-sensitively.
- mail_max_userip_connections = 16
+# IMAP logout format string:
+# %i - total number of bytes read from client
+# %o - total number of bytes sent to client
+#imap_logout_format = in=%i out=%o
- # Space separated list of plugins to load (default is global mail_plugins).
- #mail_plugins = $mail_plugins antispam
+# Override the IMAP CAPABILITY response. If the value begins with '+',
+# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
+#imap_capability =
- # IMAP logout format string:
- # %i - total number of bytes read from client
- # %o - total number of bytes sent to client
- #imap_logout_format = bytes=%i/%o
+# How long to wait between "OK Still here" notifications when client is
+# IDLEing.
+#imap_idle_notify_interval = 2 mins
- # Override the IMAP CAPABILITY response. If the value begins with '+',
- # add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
- #imap_capability =
+# ID field names and values to send to clients. Using * as the value makes
+# Dovecot use the default value. The following fields have default values
+# currently: name, version, os, os-version, support-url, support-email.
+#imap_id_send =
- # How long to wait between "OK Still here" notifications when client is
- # IDLEing.
- #imap_idle_notify_interval = 2 mins
+# ID fields sent by client to log. * means everything.
+#imap_id_log =
- # ID field names and values to send to clients. Using * as the value makes
- # Dovecot use the default value. The following fields have default values
- # currently: name, version, os, os-version, support-url, support-email.
- #imap_id_send =
+# Workarounds for various client bugs:
+# delay-newmail:
+# Send EXISTS/RECENT new mail notifications only when replying to NOOP
+# and CHECK commands. Some clients ignore them otherwise, for example OSX
+# Mail (<v2.1). Outlook Express breaks more badly though, without this it
+# may show user "Message no longer in server" errors. Note that OE6 still
+# breaks even with this workaround if synchronization is set to
+# "Headers Only".
+# tb-extra-mailbox-sep:
+# Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
+# adds extra '/' suffixes to mailbox names. This option causes Dovecot to
+# ignore the extra '/' instead of treating it as invalid mailbox name.
+# tb-lsub-flags:
+# Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
+# This makes Thunderbird realize they aren't selectable and show them
+# greyed out, instead of only later giving "not selectable" popup error.
+#
+# The list is space-separated.
+#imap_client_workarounds =
- # ID fields sent by client to log. * means everything.
- #imap_id_log =
+# Host allowed in URLAUTH URLs sent by client. "*" allows all.
+#imap_urlauth_host =
- # Workarounds for various client bugs:
- # delay-newmail:
- # Send EXISTS/RECENT new mail notifications only when replying to NOOP
- # and CHECK commands. Some clients ignore them otherwise, for example OSX
- # Mail (<v2.1). Outlook Express breaks more badly though, without this it
- # may show user "Message no longer in server" errors. Note that OE6 still
- # breaks even with this workaround if synchronization is set to
- # "Headers Only".
- # tb-extra-mailbox-sep:
- # Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
- # adds extra '/' suffixes to mailbox names. This option causes Dovecot to
- # ignore the extra '/' instead of treating it as invalid mailbox name.
- # tb-lsub-flags:
- # Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
- # This makes Thunderbird realize they aren't selectable and show them
- # greyed out, instead of only later giving "not selectable" popup error.
- #
- # The list is space-separated.
- #imap_client_workarounds =
+protocol imap {
+ # Space separated list of plugins to load (default is global mail_plugins).
+ #mail_plugins = $mail_plugins
- # Load the 'antispam' plugin for people using the content filter.
- # (Otherwise fallback to the static userdb.)
- userdb {
- driver = ldap
- args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
+ # Maximum number of IMAP connections allowed for a user from each IP address.
+ # NOTE: The username is compared case-sensitively.
+ mail_max_userip_connections = 16
- # Default fields can be used to specify defaults that LDAP may override
- default_fields = home=/home/mail/virtual/%d/%n
- }
+# # TODO Load the 'antispam' plugin for people using the content filter.
+# # (Otherwise fallback to the static userdb.)
+# userdb {
+# driver = ldap
+# args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
+#
+# # Default fields can be used to specify defaults that LDAP may override
+# default_fields = home=/home/mail/virtual/%d/%n
+# }
}
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf b/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf
index b0be573..cd48ab8 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf
@@ -10,6 +10,9 @@
# lda_mailbox_autocreate settings.
#lmtp_save_to_detail_mailbox = no
+# Verify quota before replying to RCPT TO. This adds a small overhead.
+#lmtp_rcpt_check_quota = no
+
protocol lmtp {
postmaster_address = postmaster@fripost.org
# Space separated list of plugins to load (default is global mail_plugins).
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf b/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf
index 4d0420a..8308adc 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf
@@ -1,6 +1,6 @@
##
## Settings for the Sieve interpreter
-##
+##
# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
# by adding it to the respective mail_plugins= settings.
@@ -22,7 +22,7 @@ plugin {
# is also where the ManageSieve service stores the user's scripts.
sieve_dir = ~/sieve
- # Directory for :global include scripts for the include extension.
+ # Directory for :global include scripts for the include extension.
#sieve_global_dir =
# Path to a script file or a directory containing script files that need to be
@@ -39,17 +39,17 @@ plugin {
# user's script (only when keep is still in effect!). Multiple script file or
# directory paths can be specified by appending an increasing number.
#sieve_after =
- #sieve_after2 =
+ #sieve_after2 =
#sieve_after2 = (etc...)
- # Which Sieve language extensions are available to users. By default, all
+ # Which Sieve language extensions are available to users. By default, all
# supported extensions are available, except for deprecated extensions or
# those that are still under development. Some system administrators may want
# to disable certain Sieve extensions or enable those that are not available
# by default. This setting can use '+' and '-' to specify differences relative
# to the default. For example `sieve_extensions = +imapflags' will enable the
# deprecated imapflags extension in addition to all extensions were already
- # enabled by default.
+ # enabled by default.
#sieve_extensions = +notify +imapflags
# Which Sieve language extensions are ONLY available in global scripts. This
@@ -57,7 +57,7 @@ plugin {
# control, for instance when these extensions can cause security concerns.
# This setting has higher precedence than the `sieve_extensions' setting
# (above), meaning that the extensions enabled with this setting are never
- # available to the user's personal script no matter what is specified for the
+ # available to the user's personal script no matter what is specified for the
# `sieve_extensions' setting. The syntax of this setting is similar to the
# `sieve_extensions' setting, with the difference that extensions are
# enabled or disabled for exclusive use in global scripts. Currently, no
@@ -68,13 +68,14 @@ plugin {
# setting, the used plugins can be specified. Check the Dovecot wiki
# (wiki2.dovecot.org) or the pigeonhole website
# (http://pigeonhole.dovecot.org) for available plugins.
+ # The sieve_extprograms plugin is included in this release.
#sieve_plugins =
- # The separator that is expected between the :user and :detail
- # address parts introduced by the subaddress extension. This may
- # also be a sequence of characters (e.g. '--'). The current
- # implementation looks for the separator from the left of the
- # localpart and uses the first one encountered. The :user part is
+ # The separator that is expected between the :user and :detail
+ # address parts introduced by the subaddress extension. This may
+ # also be a sequence of characters (e.g. '--'). The current
+ # implementation looks for the separator from the left of the
+ # localpart and uses the first one encountered. The :user part is
# left of the separator and the :detail part is right. This setting
# is also used by Dovecot's LMTP service.
recipient_delimiter = +
@@ -99,6 +100,6 @@ plugin {
# The maximum amount of disk storage a single user's scripts may occupy. If
# set to 0, no limit on the used amount of disk storage is enforced.
- # (Currently only relevant for ManageSieve)
+ # (Currently only relevant for ManageSieve)
#sieve_quota_max_storage = 0
}
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
index 5237fc2..360727e 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
+++ b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
@@ -1,4 +1,4 @@
-# Authentication for LDAP users. Included from auth.conf.
+# Authentication for LDAP users. Included from 10-auth.conf.
#
# <doc/wiki/AuthDatabase.LDAP.txt>
diff --git a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
index 1ffa73d..72f4604 100644
--- a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
+++ b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
@@ -1,3 +1,6 @@
+# This file is commonly accessed via passdb {} or userdb {} section in
+# conf.d/auth-ldap.conf.ext
+
# This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki2.dovecot.org/AuthDatabase/LDAP
@@ -90,7 +93,7 @@ ldap_version = 3
base = fvl=%n,fvd=%d,ou=virtual,dc=fripost,dc=org
# Dereference: never, searching, finding, always
-deref = never
+#deref = never
# Search scope: base, onelevel, subtree
scope = base
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index b142ba6..9365640 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -17,13 +17,16 @@
password=!
state=present
-# Required for dbox, see
-# http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox
-- name: Create a nightly cron job to purge expunged messages
- cron: name="Purge expunged messages"
- minute=7 hour=5
- user=vmail cron_file=doveadm-purge
- job="/usr/bin/doveadm purge -A"
+## TODO: make a LDAP query listing all users using iterate_attrs and
+## iterate_filter. (Alternatively, use a dict, see
+## https://www.opensource.apple.com/source/dovecot/dovecot-293/dovecot.Config/dovecot-dict-auth.conf.ext)
+## Required for dbox, see
+## http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox
+#- name: Create a nightly cron job to purge expunged messages
+# cron: name="Purge expunged messages"
+# minute=7 hour=5
+# user=vmail cron_file=doveadm-purge
+# job="/usr/bin/doveadm purge -A"
# The ownership and permissions ensure that dovecot won't try to
# deliver mails under an umounted mountpoint.
diff --git a/roles/IMAP/tasks/main.yml b/roles/IMAP/tasks/main.yml
index c6fbbd9..9ed2ea6 100644
--- a/roles/IMAP/tasks/main.yml
+++ b/roles/IMAP/tasks/main.yml
@@ -1,4 +1,4 @@
---
- include: imap.yml tags=imap,dovecot
- include: mda.yml tags=mda,mail,postfix
-- include: spam.yml tags=spam,spamassassin
+#- include: spam.yml tags=spam,spamassassin # TODO spam filter
diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index c775a73..ef2f0d6 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -91,13 +91,14 @@ smtpd_helo_restrictions =
smtpd_sender_restrictions =
reject_non_fqdn_sender
-smtpd_recipient_restrictions =
- # RFC requirements
- reject_non_fqdn_recipient
+smtpd_relay_restrictions =
permit_mynetworks
permit_tls_clientcerts
reject
+smtpd_recipient_restrictions =
+ reject_non_fqdn_recipient
+
smtpd_data_restrictions =
reject_unauth_pipelining
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local b/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local
index d6826a1..b27e736 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local
@@ -6,9 +6,10 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed(: Connection reset by peer)?( in=[[:digit:]]+ out=[[:digit:]]+)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, mpid=[0-9]+(, (TLS|secured), session=<[^>]+>)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Aborted login( \(auth failed, [[:digit:]]+ attempts in [[:digit:]]+ secs\))?: (user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, )?rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, TLS, session=<[^>]+>$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? (\(no auth attempts in [[:digit:]]+ secs\):( user=<>,)?|\(auth failed, [[:digit:]]+ attempts in [[:digit:]]+ secs\): user=<[-_.@[:alnum:]]+>, method=PLAIN,|\(aborted authentication\): method=PLAIN,) rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|SSL)( handshaking)?(: SSL_(accept|read)\(\) (syscall failed: Connection reset by peer|failed: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure: SSL alert number 10|failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46|failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48|failed: error:[[:xdigit:]]+:SSL routines:SSL2?3_GET_CLIENT_HELLO:(unknown protocol|http request|no shared cipher))|: Disconnected)?|, secured)?, session=<[^>]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? (\(no auth attempts in [[:digit:]]+ secs\):( user=<>,)?|\(auth failed, [[:digit:]]+ attempts in [[:digit:]]+ secs\): user=<[-_.@[:alnum:]]+>, method=PLAIN,|\(aborted authentication\): method=PLAIN,) rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|SSL)( handshaking)?(: SSL_(accept|read)\(\) (syscall failed: Connection reset by peer|failed: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure: SSL alert number 10|failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42|failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46|failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48|failed: error:[[:xdigit:]]+:SSL routines:SSL2?3_GET_CLIENT_HELLO:(unknown protocol|http request|no shared cipher))|: Disconnected)?|, secured)?, session=<[^>]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: Warning: auth client [[:digit:]]+ disconnected with [[:digit:]]+ pending requests: EOF$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Warning: Auth connection closed with [[:digit:]]+ pending requests \(max [[:digit:]]+ secs, pid=[[:digit:]]+, EOF\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected \((auth process communication failure|client didn't finish SASL auth, waited [[:digit:]]+ secs)\): user=<>, method=PLAIN, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured)(: SSL_read\(\) syscall failed: Connection reset by peer)?, session=<[^>]+>)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected \((auth process communication failure|client didn't finish SASL auth, waited [[:digit:]]+ secs)\): user=<>, method=PLAIN, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured)(: SSL_read\(\) syscall failed: Connection reset by peer|: Disconnected)?, session=<[^>]+>)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Error: SSL: Stacked error: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message: SSL alert number 10$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: (Disconnected: Inactivity during authentication|Aborted login) \(client didn't finish SASL auth, waited [[:digit:]]+ secs\): user=<[-_.@[:alnum:]]*>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured)(: Disconnected)?, session=<[^>]+>)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected \(tried to use unsupported auth mechanism\): user=<>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured), session=<[^>]+>)?$
@@ -16,7 +17,7 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Maximum number of connections from user\+IP exceeded \(mail_max_userip_connections=[[:digit:]]+\): user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured), session=<[^>]+>)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+\): Connect from local$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+\): Disconnect from local: (Client quit|Connection closed) \(in reset\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+, [^@]+@[^@]+\): [+/[:alnum:]]{22}: sieve: msgid=(<[^>]+>|unspecified): (stored mail into mailbox '|marked message to be discarded if not explicitly delivered \(discard action\)$)
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+, [^@]+@[^@]+\): [+/[:alnum:]]{22}: sieve: msgid=(\S+ )?|<[^>]*>( \(added by \S+\))?: (stored mail into mailbox '|marked message to be discarded if not explicitly delivered \(discard action\)$|forwarded to )
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+, [^@]+@[^@]+\): Error: [+/[:alnum:]]{22}: sieve: execution of script \S+ failed, but implicit keep was successful \(user logfile \S+ may reveal additional details\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([0-9]+\): Disconnect from local: Successful quit$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Login: user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, mpid=[0-9]+(, TLS, session=<[^>]+>)?$