diff options
Diffstat (limited to 'roles/IMAP/files/etc')
22 files changed, 79 insertions, 1066 deletions
diff --git a/roles/IMAP/files/etc/cron.d/doveadm b/roles/IMAP/files/etc/cron.d/doveadm new file mode 100644 index 0000000..b0551e4 --- /dev/null +++ b/roles/IMAP/files/etc/cron.d/doveadm @@ -0,0 +1,4 @@ +MAILTO=root + +59 * * * * vmail test -x /usr/bin/doveadm && nice -n 19 /usr/bin/doveadm sis deduplicate /home/mail/attachments /home/mail/attachments/queue +37 5 * * * vmail test -x /usr/bin/doveadm && nice -n 19 /usr/bin/doveadm purge -A diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf index d4f323d..f34bdeb 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf @@ -1,71 +1,71 @@ ## ## Authentication processes ## # Disable LOGIN command and all other plaintext authentications unless # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP # matches the local IP (ie. you're connecting from the same computer), the # connection is considered secure and plaintext authentication is allowed. # See also ssl=required setting. #disable_plaintext_auth = yes # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that -# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used. +# bsdauth and PAM require cache_key to be set for caching to be used. #auth_cache_size = 0 # Time to live for cached data. After TTL expires the cached record is no # longer used, *except* if the main database lookup returns internal failure. # We also try to handle password changes automatically: If user's previous # authentication was successful, but this one wasn't, the cache isn't used. # For now this works only with plaintext authentication. #auth_cache_ttl = 1 hour # TTL for negative hits (user not found, password mismatch). # 0 disables caching them completely. #auth_cache_negative_ttl = 1 hour # Space separated list of realms for SASL authentication mechanisms that need # them. You can leave it empty if you don't want to support multiple realms. # Many clients simply use the first one listed here, so keep the default realm # first. #auth_realms = # Default realm/domain to use if none was specified. This is used for both # SASL realms and appending @domain to username in plaintext logins. -auth_default_realm = fripost.org +#auth_default_realm = # List of allowed characters in username. If the user-given username contains # a character not listed in here, the login automatically fails. This is just # an extra check to make sure user can't exploit any potential quote escaping # vulnerabilities with SQL/LDAP databases. If you want to allow all characters, # set this value to empty. #auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ # Username character translations before it's looked up from databases. The # value contains series of from -> to characters. For example "#@/@" means # that '#' and '/' characters are translated to '@'. #auth_username_translation = # Username formatting before it's looked up from databases. You can use # the standard variables here, eg. %Lu would lowercase the username, %n would # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into # "-AT-". This translation is done after auth_username_translation changes. -auth_username_format = %Lu +#auth_username_format = %Lu # If you want to allow master users to log in by specifying the master # username within the normal username string (ie. not using SASL mechanism's # support for it), you can specify the separator character here. The format # is then <username><separator><master username>. UW-IMAP uses "*" as the # separator, so that could be a good choice. #auth_master_user_separator = # Username to use for users logging in with ANONYMOUS SASL mechanism #auth_anonymous_username = anonymous # Maximum number of dovecot-auth worker processes. They're used to execute # blocking passdb and userdb queries (eg. MySQL and PAM). They're # automatically created and destroyed as needed. #auth_worker_max_count = 30 # Host name to use in GSSAPI principal names. The default is to use the # name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab # entries. #auth_gssapi_hostname = @@ -77,52 +77,51 @@ auth_username_format = %Lu # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt> #auth_use_winbind = no # Path for Samba's ntlm_auth helper binary. #auth_winbind_helper_path = /usr/bin/ntlm_auth # Time to delay before replying to failed authentications. #auth_failure_delay = 2 secs # Require a valid SSL client certificate or the authentication fails. #auth_ssl_require_client_cert = no # Take the username from client's SSL certificate, using # X509_NAME_get_text_by_NID() which returns the subject's DN's # CommonName. #auth_ssl_username_from_cert = no # Space separated list of wanted authentication mechanisms: -# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey +# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp # gss-spnego # NOTE: See also disable_plaintext_auth setting. -auth_mechanisms = plain login +auth_mechanisms = plain ## ## Password and user databases ## # # Password database is used to verify user's password (and nothing more). # You can have multiple passdbs and userdbs. This is useful if you want to # allow both system users (/etc/passwd) and virtual users to login without # duplicating the system users into virtual database. # # <doc/wiki/PasswordDatabase.txt> # # User database specifies where mails are located and what user/group IDs # own them. For single-UID configuration use "static" userdb. # # <doc/wiki/UserDatabase.txt> #!include auth-deny.conf.ext #!include auth-master.conf.ext #!include auth-system.conf.ext #!include auth-sql.conf.ext !include auth-ldap.conf.ext #!include auth-passwdfile.conf.ext #!include auth-checkpassword.conf.ext -#!include auth-vpopmail.conf.ext #!include auth-static.conf.ext diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf deleted file mode 100644 index c611bfc..0000000 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf +++ /dev/null @@ -1,84 +0,0 @@ -## -## Log destination. -## - -# Log file to use for error messages. "syslog" logs to syslog, -# /dev/stderr logs to stderr. -#log_path = syslog - -# Log file to use for informational messages. Defaults to log_path. -#info_log_path = -# Log file to use for debug messages. Defaults to info_log_path. -#debug_log_path = - -# Syslog facility to use if you're logging to syslog. Usually if you don't -# want to use "mail", you'll use local0..local7. Also other standard -# facilities are supported. -#syslog_facility = mail - -## -## Logging verbosity and debugging. -## - -# Log unsuccessful authentication attempts and the reasons why they failed. -#auth_verbose = no - -# In case of password mismatches, log the attempted password. Valid values are -# no, plain and sha1. sha1 can be useful for detecting brute force password -# attempts vs. user simply trying the same password over and over again. -# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6). -#auth_verbose_passwords = no - -# Even more verbose logging for debugging purposes. Shows for example SQL -# queries. -#auth_debug = no - -# In case of password mismatches, log the passwords and used scheme so the -# problem can be debugged. Enabling this also enables auth_debug. -#auth_debug_passwords = no - -# Enable mail process debugging. This can help you figure out why Dovecot -# isn't finding your mails. -#mail_debug = no - -# Show protocol level SSL errors. -#verbose_ssl = no - -# mail_log plugin provides more event logging for mail processes. -plugin { - # Events to log. Also available: flag_change append - #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename - # Available fields: uid, box, msgid, from, subject, size, vsize, flags - # size and vsize are available only for expunge and copy events. - #mail_log_fields = uid box msgid size -} - -## -## Log formatting. -## - -# Prefix for each line written to log file. % codes are in strftime(3) -# format. -log_timestamp = "%Y-%m-%d %H:%M:%S " - -# Space-separated list of elements we want to log. The elements which have -# a non-empty variable value are joined together to form a comma-separated -# string. -#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c - -# Login log format. %s contains login_log_format_elements string, %$ contains -# the data we want to log. -#login_log_format = %$: %s - -# Log prefix for mail processes. See doc/wiki/Variables.txt for list of -# possible variables you can use. -#mail_log_prefix = "%s(%u): " - -# Format to use for logging mail deliveries. You can use variables: -# %$ - Delivery status message (e.g. "saved to INBOX") -# %m - Message-ID -# %s - Subject -# %f - From address -# %p - Physical size -# %w - Virtual size -#deliver_log_format = msgid=%m: %$ diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf deleted file mode 100644 index 902f58b..0000000 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf +++ /dev/null @@ -1,380 +0,0 @@ -## -## Mailbox locations and namespaces -## - -# Location for users' mailboxes. The default is empty, which means that Dovecot -# tries to find the mailboxes automatically. This won't work if the user -# doesn't yet have any mail, so you should explicitly tell Dovecot the full -# location. -# -# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u) -# isn't enough. You'll also need to tell Dovecot where the other mailboxes are -# kept. This is called the "root mail directory", and it must be the first -# path given in the mail_location setting. -# -# There are a few special variables you can use, eg.: -# -# %u - username -# %n - user part in user@domain, same as %u if there's no domain -# %d - domain part in user@domain, empty if there's no domain -# %h - home directory -# -# See doc/wiki/Variables.txt for full list. Some examples: -# -# mail_location = maildir:~/Maildir -# mail_location = mbox:~/mail:INBOX=/var/mail/%u -# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n -# -# <doc/wiki/MailLocation.txt> -# -mail_location = mdbox:~/mail - -# If you need to set multiple mailbox locations or want to change default -# namespace settings, you can do it by defining namespace sections. -# -# You can have private, shared and public namespaces. Private namespaces -# are for user's personal mails. Shared namespaces are for accessing other -# users' mailboxes that have been shared. Public namespaces are for shared -# mailboxes that are managed by sysadmin. If you create any shared or public -# namespaces you'll typically want to enable ACL plugin also, otherwise all -# users can access all the shared mailboxes, assuming they have permissions -# on filesystem level to do so. -namespace inbox { - # Namespace type: private, shared or public - #type = private - - # Hierarchy separator to use. You should use the same separator for all - # namespaces or some clients get confused. '/' is usually a good one. - # The default however depends on the underlying mail storage format. - separator = / - - # Prefix required to access this namespace. This needs to be different for - # all namespaces. For example "Public/". - #prefix = - - # Physical location of the mailbox. This is in same format as - # mail_location, which is also the default for it. - #location = - - # There can be only one INBOX, and this setting defines which namespace - # has it. - inbox = yes - - # If namespace is hidden, it's not advertised to clients via NAMESPACE - # extension. You'll most likely also want to set list=no. This is mostly - # useful when converting from another server with different namespaces which - # you want to deprecate but still keep working. For example you can create - # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/". - #hidden = no - - # Show the mailboxes under this namespace with LIST command. This makes the - # namespace visible for clients that don't support NAMESPACE extension. - # "children" value lists child mailboxes, but hides the namespace prefix. - #list = yes - - # Namespace handles its own subscriptions. If set to "no", the parent - # namespace handles them (empty prefix should always have this as "yes") - #subscriptions = yes -} - -namespace virtual { - prefix = virtual/ - separator = / - location = virtual:/etc/dovecot/virtual:INDEX=~/virtual - list = yes - hidden = no - subscriptions = no -} - -# Example shared namespace configuration -#namespace { - #type = shared - #separator = / - - # Mailboxes are visible under "shared/user@domain/" - # %%n, %%d and %%u are expanded to the destination user. - #prefix = shared/%%u/ - - # Mail location for other users' mailboxes. Note that %variables and ~/ - # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the - # destination user's data. - #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u - - # Use the default namespace for saving subscriptions. - #subscriptions = no - - # List the shared/ namespace only if there are visible shared mailboxes. - #list = children -#} -# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"? -#mail_shared_explicit_inbox = no - -# System user and group used to access mails. If you use multiple, userdb -# can override these by returning uid or gid fields. You can use either numbers -# or names. <doc/wiki/UserIds.txt> -mail_uid = vmail -mail_gid = vmail - -# Group to enable temporarily for privileged operations. Currently this is -# used only with INBOX when either its initial creation or dotlocking fails. -# Typically this is set to "mail" to give access to /var/mail. -#mail_privileged_group = - -# Grant access to these supplementary groups for mail processes. Typically -# these are used to set up access to shared mailboxes. Note that it may be -# dangerous to set these if users can create symlinks (e.g. if "mail" group is -# set here, ln -s /var/mail ~/mail/var could allow a user to delete others' -# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it). -#mail_access_groups = - -# Allow full filesystem access to clients. There's no access checks other than -# what the operating system does for the active UID/GID. It works with both -# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/ -# or ~user/. -#mail_full_filesystem_access = no - -# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but -# soon intended to be used by METADATA as well. -#mail_attribute_dict = - -## -## Mail processes -## - -# Don't use mmap() at all. This is required if you store indexes to shared -# filesystems (NFS or clustered filesystem). -#mmap_disable = no - -# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL -# since version 3, so this should be safe to use nowadays by default. -#dotlock_use_excl = yes - -# When to use fsync() or fdatasync() calls: -# optimized (default): Whenever necessary to avoid losing important data -# always: Useful with e.g. NFS when write()s are delayed -# never: Never use it (best performance, but crashes can lose data) -#mail_fsync = optimized - -# Locking method for index files. Alternatives are fcntl, flock and dotlock. -# Dotlocking uses some tricks which may create more disk I/O than other locking -# methods. NFS users: flock doesn't work, remember to change mmap_disable. -#lock_method = fcntl - -# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB. -#mail_temp_dir = /tmp - -# Valid UID range for users, defaults to 500 and above. This is mostly -# to make sure that users can't log in as daemons or other system users. -# Note that denying root logins is hardcoded to dovecot binary and can't -# be done even if first_valid_uid is set to 0. -first_valid_uid = 1 -#last_valid_uid = 0 - -# Valid GID range for users, defaults to non-root/wheel. Users having -# non-valid GID as primary group ID aren't allowed to log in. If user -# belongs to supplementary groups with non-valid GIDs, those groups are -# not set. -#first_valid_gid = 1 -#last_valid_gid = 0 - -# Maximum allowed length for mail keyword name. It's only forced when trying -# to create new keywords. -#mail_max_keyword_length = 50 - -# ':' separated list of directories under which chrooting is allowed for mail -# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too). -# This setting doesn't affect login_chroot, mail_chroot or auth chroot -# settings. If this setting is empty, "/./" in home dirs are ignored. -# WARNING: Never add directories here which local users can modify, that -# may lead to root exploit. Usually this should be done only if you don't -# allow shell access for users. <doc/wiki/Chrooting.txt> -#valid_chroot_dirs = - -# Default chroot directory for mail processes. This can be overridden for -# specific users in user database by giving /./ in user's home directory -# (eg. /home/./user chroots into /home). Note that usually there is no real -# need to do chrooting, Dovecot doesn't allow users to access files outside -# their mail directory anyway. If your home directories are prefixed with -# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt> -#mail_chroot = - -# UNIX socket path to master authentication server to find users. -# This is used by imap (for shared users) and lda. -#auth_socket_path = /var/run/dovecot/auth-userdb - -# Directory where to look up mail plugins. -#mail_plugin_dir = /usr/lib/dovecot/modules - -# Space separated list of plugins to load for all services. Plugins specific to -# IMAP, LDA, etc. are added to this list in their own .conf files. -mail_plugins = stats virtual zlib - -## -## Mailbox handling optimizations -## - -# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are -# also required for IMAP NOTIFY extension to be enabled. -mailbox_list_index = yes - -# The minimum number of mails in a mailbox before updates are done to cache -# file. This allows optimizing Dovecot's behavior to do less disk writes at -# the cost of more disk reads. -#mail_cache_min_mail_count = 0 - -# When IDLE command is running, mailbox is checked once in a while to see if -# there are any new mails or other changes. This setting defines the minimum -# time to wait between those checks. Dovecot can also use dnotify, inotify and -# kqueue to find out immediately when changes occur. -#mailbox_idle_check_interval = 30 secs - -# Save mails with CR+LF instead of plain LF. This makes sending those mails -# take less CPU, especially with sendfile() syscall with Linux and FreeBSD. -# But it also creates a bit more disk I/O which may just make it slower. -# Also note that if other software reads the mboxes/maildirs, they may handle -# the extra CRs wrong and cause problems. -#mail_save_crlf = no - -# Max number of mails to keep open and prefetch to memory. This only works with -# some mailbox formats and/or operating systems. -#mail_prefetch_count = 0 - -# How often to scan for stale temporary files and delete them (0 = never). -# These should exist only after Dovecot dies in the middle of saving mails. -#mail_temp_scan_interval = 1w - -## -## Maildir-specific settings -## - -# By default LIST command returns all entries in maildir beginning with a dot. -# Enabling this option makes Dovecot return only entries which are directories. -# This is done by stat()ing each entry, so it causes more disk I/O. -# (For systems setting struct dirent->d_type, this check is free and it's -# done always regardless of this setting) -#maildir_stat_dirs = no - -# When copying a message, do it with hard links whenever possible. This makes -# the performance much better, and it's unlikely to have any side effects. -#maildir_copy_with_hardlinks = yes - -# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only -# when its mtime changes unexpectedly or when we can't find the mail otherwise. -#maildir_very_dirty_syncs = no - -# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for -# getting the mail's physical size, except when recalculating Maildir++ quota. -# This can be useful in systems where a lot of the Maildir filenames have a -# broken size. The performance hit for enabling this is very small. -#maildir_broken_filename_sizes = no - -# Always move mails from new/ directory to cur/, even when the \Recent flags -# aren't being reset. -#maildir_empty_new = no - -## -## mbox-specific settings -## - -# Which locking methods to use for locking mbox. There are four available: -# dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe -# solution. If you want to use /var/mail/ like directory, the users -# will need write access to that directory. -# dotlock_try: Same as dotlock, but if it fails because of permissions or -# because there isn't enough disk space, just skip it. -# fcntl : Use this if possible. Works with NFS too if lockd is used. -# flock : May not exist in all systems. Doesn't work with NFS. -# lockf : May not exist in all systems. Doesn't work with NFS. -# -# You can use multiple locking methods; if you do the order they're declared -# in is important to avoid deadlocks if other MTAs/MUAs are using multiple -# locking methods as well. Some operating systems don't allow using some of -# them simultaneously. -# -# The Debian value for mbox_write_locks differs from upstream Dovecot. It is -# changed to be compliant with Debian Policy (section 11.6) for NFS safety. -# Dovecot: mbox_write_locks = dotlock fcntl -# Debian: mbox_write_locks = fcntl dotlock -# -#mbox_read_locks = fcntl -#mbox_write_locks = fcntl dotlock - -# Maximum time to wait for lock (all of them) before aborting. -#mbox_lock_timeout = 5 mins - -# If dotlock exists but the mailbox isn't modified in any way, override the -# lock file after this much time. -#mbox_dotlock_change_timeout = 2 mins - -# When mbox changes unexpectedly we have to fully read it to find out what -# changed. If the mbox is large this can take a long time. Since the change -# is usually just a newly appended mail, it'd be faster to simply read the -# new mails. If this setting is enabled, Dovecot does this but still safely -# fallbacks to re-reading the whole mbox file whenever something in mbox isn't -# how it's expected to be. The only real downside to this setting is that if -# some other MUA changes message flags, Dovecot doesn't notice it immediately. -# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK -# commands. -#mbox_dirty_syncs = yes - -# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE, -# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored. -#mbox_very_dirty_syncs = no - -# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK -# commands and when closing the mailbox). This is especially useful for POP3 -# where clients often delete all mails. The downside is that our changes -# aren't immediately visible to other MUAs. -#mbox_lazy_writes = yes - -# If mbox size is smaller than this (e.g. 100k), don't write index files. -# If an index file already exists it's still read, just not updated. -#mbox_min_index_size = 0 - -# Mail header selection algorithm to use for MD5 POP3 UIDLs when -# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired -# algorithm, but it fails if the first Received: header isn't unique in all -# mails. An alternative algorithm is "all" that selects all headers. -#mbox_md5 = apop3d - -## -## mdbox-specific settings -## - -# Maximum dbox file size until it's rotated. -#mdbox_rotate_size = 2M - -# Maximum dbox file age until it's rotated. Typically in days. Day begins -# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled. -#mdbox_rotate_interval = 0 - -# When creating new mdbox files, immediately preallocate their size to -# mdbox_rotate_size. This setting currently works only in Linux with some -# filesystems (ext4, xfs). -#mdbox_preallocate_space = no - -## -## Mail attachments -## - -# sdbox and mdbox support saving mail attachments to external files, which -# also allows single instance storage for them. Other backends don't support -# this for now. - -# Directory root where to store mail attachments. Disabled, if empty. -#mail_attachment_dir = - -# Attachments smaller than this aren't saved externally. It's also possible to -# write a plugin to disable saving specific attachments externally. -#mail_attachment_min_size = 128k - -# Filesystem backend to use for saving attachments: -# posix : No SiS done by Dovecot (but this might help FS's own deduplication) -# sis posix : SiS with immediate byte-by-byte comparison during saving -# sis-queue posix : SiS with delayed comparison and deduplication -#mail_attachment_fs = sis posix - -# Hash format to use in attachment filenames. You can add any text and -# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}. -# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits -#mail_attachment_hash = %{sha1} diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf deleted file mode 100644 index 9fcc549..0000000 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf +++ /dev/null @@ -1,138 +0,0 @@ -#default_process_limit = 100 -#default_client_limit = 1000 - -# Default VSZ (virtual memory size) limit for service processes. This is mainly -# intended to catch and kill processes that leak memory before they eat up -# everything. -#default_vsz_limit = 256M - -# Login user is internally used by login processes. This is the most untrusted -# user in Dovecot system. It shouldn't have access to anything at all. -#default_login_user = dovenull - -# Internal user is used by unprivileged processes. It should be separate from -# login user, so that login processes can't disturb other processes. -#default_internal_user = dovecot - -service imap-login { - inet_listener imap { - port = 0 - } - inet_listener imaps { - #port = 993 - #ssl = yes - } - - # Number of connections to handle before starting a new process. Typically - # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 - # is faster. <doc/wiki/LoginProcess.txt> - #service_count = 1 - - # Max. number of IMAP processes (logins) - process_limit = 256 - - # Number of processes to always keep waiting for more connections. - process_min_avail = 4 - - # If you set service_count=0, you probably need to grow this. - #vsz_limit = $default_vsz_limit -} - -service pop3-login { - inet_listener pop3 { - #port = 110 - } - inet_listener pop3s { - #port = 995 - #ssl = yes - } -} - -service lmtp { - user = vmail - - unix_listener /var/spool/postfix-mda/private/dovecot-lmtpd { - group = postfix - user = postfix - mode = 0600 - } - - # Create inet listener only if you can't use the above UNIX socket - #inet_listener lmtp { - # Avoid making LMTP visible for the entire internet - #address = - #port = - #} - - # Number of processes to always keep waiting for more connections. - process_min_avail = 4 -} - -service imap { - # Most of the memory goes to mmap()ing files. You may need to increase this - # limit if you have huge mailboxes. - #vsz_limit = $default_vsz_limit - - # Max. number of IMAP processes (connections) - #process_limit = 1024 -} - -service pop3 { - # Max. number of POP3 processes (connections) - #process_limit = 1024 -} - -service auth { - # auth_socket_path points to this userdb socket by default. It's typically - # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have - # full permissions to this socket are able to get a list of all usernames and - # get the results of everyone's userdb lookups. - # - # The default 0666 mode allows anyone to connect to the socket, but the - # userdb lookups will succeed only if the userdb returns an "uid" field that - # matches the caller process's UID. Also if caller's uid or gid matches the - # socket's uid or gid the lookup succeeds. Anything else causes a failure. - # - # To give the caller full permissions to lookup all users, set the mode to - # something else than 0666 and Dovecot lets the kernel enforce the - # permissions (e.g. 0777 allows everyone full permissions). - unix_listener auth-userdb { - mode = 0600 - user = vmail - group = root - } - - # Postfix smtp-auth - unix_listener /var/spool/postfix-msa/private/dovecot-auth { - group = postfix - user = postfix - mode = 0600 - } - - # Auth process is run as this user. - #user = $default_internal_user -} - -service auth-worker { - # Auth worker process is run as root by default, so that it can access - # /etc/shadow. If this isn't necessary, the user should be changed to - # $default_internal_user. - user = $default_internal_user -} - -service dict { - # If dict proxy is used, mail processes should have access to its socket. - # For example: mode=0660, group=vmail and global mail_access_groups=vmail - unix_listener dict { - #mode = 0600 - #user = - #group = - } -} - -service stats { - fifo_listener stats-mail { - user = vmail - mode = 0600 - } -} diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf deleted file mode 100644 index b401c93..0000000 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf +++ /dev/null @@ -1,58 +0,0 @@ -## -## SSL settings -## - -# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> -ssl = required - -# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before -# dropping root privileges, so keep the key file unreadable by anyone but -# root. Included doc/mkcert.sh can be used to easily generate self-signed -# certificate, just make sure to update the domains in dovecot-openssl.cnf -ssl_cert = </etc/dovecot/ssl/imap.fripost.org.pem -ssl_key = </etc/dovecot/ssl/imap.fripost.org.key - -# If key file is password protected, give the password here. Alternatively -# give it when starting dovecot with -p parameter. Since this file is often -# world-readable, you may want to place this setting instead to a different -# root owned 0600 file by using ssl_key_password = <path. -#ssl_key_password = - -# PEM encoded trusted certificate authority. Set this only if you intend to use -# ssl_verify_client_cert=yes. The file should contain the CA certificate(s) -# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) -#ssl_ca = - -# Require that CRL check succeeds for client certificates. -#ssl_require_crl = yes - -# Directory and/or file for trusted SSL CA certificates. These are used only -# when Dovecot needs to act as an SSL client (e.g. imapc backend). The -# directory is usually /etc/ssl/certs in Debian-based systems and the file is -# /etc/pki/tls/cert.pem in RedHat-based systems. -#ssl_client_ca_dir = -#ssl_client_ca_file = - -# Request client to send a certificate. If you also want to require it, set -# auth_ssl_require_client_cert=yes in auth section. -#ssl_verify_client_cert = no - -# Which field from certificate to use for username. commonName and -# x500UniqueIdentifier are the usual choices. You'll also need to set -# auth_ssl_username_from_cert=yes. -#ssl_cert_username_field = commonName - -# DH parameters length to use. -ssl_dh_parameters_length = 2048 - -# SSL protocols to use -ssl_protocols = !SSLv2 !SSLv3 - -# SSL ciphers to use -ssl_cipher_list = HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH - -# Prefer the server's order of ciphers over client's. -#ssl_prefer_server_ciphers = no - -# SSL crypto device to use, for valid values run "openssl engine" -#ssl_crypto_device = diff --git a/roles/IMAP/files/etc/dovecot/conf.d/15-mailboxes.conf b/roles/IMAP/files/etc/dovecot/conf.d/15-mailboxes.conf deleted file mode 100644 index 6aa5c22..0000000 --- a/roles/IMAP/files/etc/dovecot/conf.d/15-mailboxes.conf +++ /dev/null @@ -1,45 +0,0 @@ -## -## Mailbox definitions -## - -# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf. -namespace inbox { - - #mailbox name { - # auto=create will automatically create this mailbox. - # auto=subscribe will both create and subscribe to the mailbox. - #auto = no - - # Space separated list of IMAP SPECIAL-USE attributes as specified by - # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash - #special_use = - #} - - # These mailboxes are widely used and could perhaps be created automatically: - mailbox Trash { - auto = create - special_use = \Trash - } - mailbox Drafts { - auto = create - special_use = \Drafts - } - mailbox Sent { - auto = subscribe - special_use = \Sent - } - mailbox Junk { - auto = create - special_use = \Junk - } - - # If you have a virtual "All messages" mailbox: - mailbox virtual/All { - special_use = \All - } - - # If you have a virtual "Flagged" mailbox: - mailbox virtual/Flagged { - special_use = \Flagged - } -} diff --git a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf deleted file mode 100644 index b62f6ef..0000000 --- a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf +++ /dev/null @@ -1,71 +0,0 @@ -## -## IMAP specific settings -## - -# Maximum IMAP command line length. Some clients generate very long command -# lines with huge mailboxes, so you may need to raise this if you get -# "Too long argument" or "IMAP command line too large" errors often. -#imap_max_line_length = 64k - -# IMAP logout format string: -# %i - total number of bytes read from client -# %o - total number of bytes sent to client -#imap_logout_format = in=%i out=%o - -# Override the IMAP CAPABILITY response. If the value begins with '+', -# add the given capabilities on top of the defaults (e.g. +XFOO XBAR). -#imap_capability = - -# How long to wait between "OK Still here" notifications when client is -# IDLEing. -#imap_idle_notify_interval = 2 mins - -# ID field names and values to send to clients. Using * as the value makes -# Dovecot use the default value. The following fields have default values -# currently: name, version, os, os-version, support-url, support-email. -#imap_id_send = - -# ID fields sent by client to log. * means everything. -#imap_id_log = - -# Workarounds for various client bugs: -# delay-newmail: -# Send EXISTS/RECENT new mail notifications only when replying to NOOP -# and CHECK commands. Some clients ignore them otherwise, for example OSX -# Mail (<v2.1). Outlook Express breaks more badly though, without this it -# may show user "Message no longer in server" errors. Note that OE6 still -# breaks even with this workaround if synchronization is set to -# "Headers Only". -# tb-extra-mailbox-sep: -# Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and -# adds extra '/' suffixes to mailbox names. This option causes Dovecot to -# ignore the extra '/' instead of treating it as invalid mailbox name. -# tb-lsub-flags: -# Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox). -# This makes Thunderbird realize they aren't selectable and show them -# greyed out, instead of only later giving "not selectable" popup error. -# -# The list is space-separated. -#imap_client_workarounds = - -# Host allowed in URLAUTH URLs sent by client. "*" allows all. -#imap_urlauth_host = - -protocol imap { - # Space separated list of plugins to load (default is global mail_plugins). - mail_plugins = $mail_plugins imap_stats imap_zlib - - # Maximum number of IMAP connections allowed for a user from each IP address. - # NOTE: The username is compared case-sensitively. - mail_max_userip_connections = 16 - -# # TODO Load the 'antispam' plugin for people using the content filter. -# # (Otherwise fallback to the static userdb.) -# userdb { -# driver = ldap -# args = /etc/dovecot/dovecot-ldap-userdb.conf.ext -# -# # Default fields can be used to specify defaults that LDAP may override -# default_fields = home=/home/mail/virtual/%d/%n -# } -} diff --git a/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf b/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf deleted file mode 100644 index cd48ab8..0000000 --- a/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf +++ /dev/null @@ -1,20 +0,0 @@ -## -## LMTP specific settings -## - -# Support proxying to other LMTP/SMTP servers by performing passdb lookups. -#lmtp_proxy = no - -# When recipient address includes the detail (e.g. user+detail), try to save -# the mail to the detail mailbox. See also recipient_delimiter and -# lda_mailbox_autocreate settings. -#lmtp_save_to_detail_mailbox = no - -# Verify quota before replying to RCPT TO. This adds a small overhead. -#lmtp_rcpt_check_quota = no - -protocol lmtp { - postmaster_address = postmaster@fripost.org - # Space separated list of plugins to load (default is global mail_plugins). - mail_plugins = $mail_plugins sieve -} diff --git a/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf b/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf deleted file mode 100644 index b6fcd3b..0000000 --- a/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf +++ /dev/null @@ -1,31 +0,0 @@ -## -## Plugin settings -## - -# All wanted plugins must be listed in mail_plugins setting before any of the -# settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and -# their configuration. Note that %variable expansion is done for all values. - -plugin { - antispam_backend = spool2dir - - antispam_trash = Trash - antispam_unsure_pattern_ignorecase = MailTrain;MailTrain/* - antispam_spam = Junk - - # The first %%lu is replaced by the current time. - # The second %%lu is replaced by a counter to generate unique names. - # These two tokens MUST be present in the template! - antispam_spool2dir_spam = /home/mail/spamspool/%u-%%10lu-%%06lu.spam - antispam_spool2dir_notspam = /home/mail/spamspool/%u-%%10lu-%%06lu.ham - - - zlib_save = gz - zlib_save_level = 6 - - - # how often to session statistics - stats_refresh = 30 secs - # track per-IMAP command statistics - stats_track_cmds = yes -} diff --git a/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf b/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf deleted file mode 100644 index 8308adc..0000000 --- a/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf +++ /dev/null @@ -1,105 +0,0 @@ -## -## Settings for the Sieve interpreter -## - -# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf -# by adding it to the respective mail_plugins= settings. - -plugin { - # The path to the user's main active script. If ManageSieve is used, this the - # location of the symbolic link controlled by ManageSieve. - sieve = ~/dovecot.sieve - - # The default Sieve script when the user has none. This is a path to a global - # sieve script file, which gets executed ONLY if user's private Sieve script - # doesn't exist. Be sure to pre-compile this script manually using the sievec - # command line tool. - # --> See sieve_before fore executing scripts before the user's personal - # script. - #sieve_default = /var/lib/dovecot/sieve/default.sieve - - # Directory for :personal include scripts for the include extension. This - # is also where the ManageSieve service stores the user's scripts. - sieve_dir = ~/sieve - - # Directory for :global include scripts for the include extension. - #sieve_global_dir = - - # Path to a script file or a directory containing script files that need to be - # executed before the user's script. If the path points to a directory, all - # the Sieve scripts contained therein (with the proper .sieve extension) are - # executed. The order of execution within a directory is determined by the - # file names, using a normal 8bit per-character comparison. Multiple script - # file or directory paths can be specified by appending an increasing number. - #sieve_before = - #sieve_before2 = - #sieve_before3 = (etc...) - - # Identical to sieve_before, only the specified scripts are executed after the - # user's script (only when keep is still in effect!). Multiple script file or - # directory paths can be specified by appending an increasing number. - #sieve_after = - #sieve_after2 = - #sieve_after2 = (etc...) - - # Which Sieve language extensions are available to users. By default, all - # supported extensions are available, except for deprecated extensions or - # those that are still under development. Some system administrators may want - # to disable certain Sieve extensions or enable those that are not available - # by default. This setting can use '+' and '-' to specify differences relative - # to the default. For example `sieve_extensions = +imapflags' will enable the - # deprecated imapflags extension in addition to all extensions were already - # enabled by default. - #sieve_extensions = +notify +imapflags - - # Which Sieve language extensions are ONLY available in global scripts. This - # can be used to restrict the use of certain Sieve extensions to administrator - # control, for instance when these extensions can cause security concerns. - # This setting has higher precedence than the `sieve_extensions' setting - # (above), meaning that the extensions enabled with this setting are never - # available to the user's personal script no matter what is specified for the - # `sieve_extensions' setting. The syntax of this setting is similar to the - # `sieve_extensions' setting, with the difference that extensions are - # enabled or disabled for exclusive use in global scripts. Currently, no - # extensions are marked as such by default. - #sieve_global_extensions = - - # The Pigeonhole Sieve interpreter can have plugins of its own. Using this - # setting, the used plugins can be specified. Check the Dovecot wiki - # (wiki2.dovecot.org) or the pigeonhole website - # (http://pigeonhole.dovecot.org) for available plugins. - # The sieve_extprograms plugin is included in this release. - #sieve_plugins = - - # The separator that is expected between the :user and :detail - # address parts introduced by the subaddress extension. This may - # also be a sequence of characters (e.g. '--'). The current - # implementation looks for the separator from the left of the - # localpart and uses the first one encountered. The :user part is - # left of the separator and the :detail part is right. This setting - # is also used by Dovecot's LMTP service. - recipient_delimiter = + - - # The maximum size of a Sieve script. The compiler will refuse to compile any - # script larger than this limit. If set to 0, no limit on the script size is - # enforced. - #sieve_max_script_size = 1M - - # The maximum number of actions that can be performed during a single script - # execution. If set to 0, no limit on the total number of actions is enforced. - #sieve_max_actions = 32 - - # The maximum number of redirect actions that can be performed during a single - # script execution. If set to 0, no redirect actions are allowed. - #sieve_max_redirects = 4 - - # The maximum number of personal Sieve scripts a single user can have. If set - # to 0, no limit on the number of scripts is enforced. - # (Currently only relevant for ManageSieve) - #sieve_quota_max_scripts = 0 - - # The maximum amount of disk storage a single user's scripts may occupy. If - # set to 0, no limit on the used amount of disk storage is enforced. - # (Currently only relevant for ManageSieve) - #sieve_quota_max_storage = 0 -} diff --git a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext index 360727e..8c33c6d 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext +++ b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext @@ -1,39 +1,44 @@ # Authentication for LDAP users. Included from 10-auth.conf. # # <doc/wiki/AuthDatabase.LDAP.txt> passdb { driver = ldap # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext args = /etc/dovecot/dovecot-ldap.conf.ext } # "prefetch" user database means that the passdb already provided the # needed information and there's no need to do a separate userdb lookup. # <doc/wiki/UserDatabase.Prefetch.txt> #userdb { # driver = prefetch #} #userdb { # driver = ldap -# # This should be a different file from the passdb's, in order to perform -# # asynchronous requests. -# # args = /etc/dovecot/dovecot-ldap-userdb.conf.ext # # # Default fields can be used to specify defaults that LDAP may override # default_fields = home=/home/mail/virtual/%d/%n #} # If you don't have any user-specific settings, you can avoid the userdb LDAP # lookup by using userdb static instead of userdb ldap, for example: # <doc/wiki/UserDatabase.Static.txt> userdb { driver = static # The MTA has already verified the existence of users when doing alias resolution, # so we can skip the passdb lookup here. args = home=/home/mail/virtual/%d/%n allow_all_users=yes } + +# Used only for iteration as the static userdb above always succeeds +userdb { + driver = dict + skip = found + result_internalfail = return-fail + args = /etc/dovecot/dovecot-dict-auth.conf.ext +} diff --git a/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext new file mode 100644 index 0000000..a054ffe --- /dev/null +++ b/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext @@ -0,0 +1,12 @@ +# This file is commonly accessed via passdb {} or userdb {} section in +# conf.d/auth-dict.conf.ext + +# Dictionary URI +uri = proxy:/run/dovecot/auth-proxy: + +# Username iteration prefix. Keys under this are assumed to contain usernames. +iterate_prefix = userdb/ + +# Should iteration be disabled for this userdb? If this userdb acts only as a +# cache there's no reason to try to iterate the (partial & duplicate) users. +iterate_disable = no diff --git a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext index 72f4604..a455616 100644 --- a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext +++ b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext @@ -14,42 +14,41 @@ # by dn="<dovecot's dn>" read # add this # by anonymous auth # by self write # by * none # Space separated list of LDAP hosts to use. host:port is allowed too. #hosts = # LDAP URIs to use. You can use this instead of hosts list. Note that this # setting isn't supported by all LDAP libraries. uris = ldapi:// # Distinguished Name - the username used to login to the LDAP server. # Leave it commented out to bind anonymously (useful with auth_bind=yes). #dn = # Password for LDAP server, if dn is specified. #dnpass = # Use SASL binding instead of the simple binding. Note that this changes -# ldap_version automatically to be 3 if it's lower. Also note that SASL binds -# and auth_bind=yes don't work together. +# ldap_version automatically to be 3 if it's lower. #sasl_bind = no # SASL mechanism name to use. #sasl_mech = # SASL realm to use. #sasl_realm = # SASL authorization ID, ie. the dnpass is for this "master user", but the # dn is still the logged in user. Normally you want to keep this empty. #sasl_authz_id = # Use TLS to connect to the LDAP server. #tls = no # TLS options, currently supported only with OpenLDAP: #tls_ca_cert_file = #tls_ca_cert_dir = #tls_cipher_suite = # TLS cert/key is used only if LDAP server requires a client certificate. #tls_cert_file = #tls_key_file = # Valid values: never, hard, demand, allow, try #tls_require_cert = @@ -114,30 +113,39 @@ user_attrs = # %u - username # %n - user part in user@domain, same as %u if there's no domain # %d - domain part in user@domain, empty if user there's no domain user_filter = # Password checking attributes: # user: Virtual user name (user@domain), if you wish to change the # user-given username to something else # password: Password, may optionally start with {type}, eg. {crypt} # There are also other special fields which can be returned, see # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields pass_attrs = # If you wish to avoid two LDAP lookups (passdb + userdb), you can use # userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll # also have to include user_attrs in pass_attrs field prefixed with "userdb_" # string. For example: #pass_attrs = uid=user,userPassword=password,\ # homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid -# Filter for password lookups (ignored for auth binds) +# Filter for password lookups pass_filter = (&(objectClass=FripostVirtualUser)(fvl=%n)(fripostIsStatusActive=TRUE)) # Attributes and filter to get a list of all users #iterate_attrs = uid=user #iterate_filter = (objectClass=posixAccount) # Default password scheme. "{scheme}" before password overrides this. # List of supported schemes is in: http://wiki2.dovecot.org/Authentication #default_pass_scheme = CRYPT + +# By default all LDAP lookups are performed by the auth master process. +# If blocking=yes, auth worker processes are used to perform the lookups. +# Each auth worker process creates its own LDAP connection so this can +# increase parallelism. With blocking=no the auth master process can +# keep 8 requests pipelined for the LDAP connection, while with blocking=yes +# each connection has a maximum of 1 request running. For small systems the +# blocking=no is sufficient and uses less resources. +#blocking = no diff --git a/roles/IMAP/files/etc/dovecot/ssl/config b/roles/IMAP/files/etc/dovecot/ssl/config new file mode 100644 index 0000000..e5359de --- /dev/null +++ b/roles/IMAP/files/etc/dovecot/ssl/config @@ -0,0 +1,2 @@ +ssl_cert = </etc/dovecot/ssl/imap.fripost.org.pem +ssl_key = </etc/dovecot/ssl/imap.fripost.org.key diff --git a/roles/IMAP/files/etc/dovecot/virtual/all/dovecot-virtual b/roles/IMAP/files/etc/dovecot/virtual/all/dovecot-virtual index 31d3e06..a106be4 100644 --- a/roles/IMAP/files/etc/dovecot/virtual/all/dovecot-virtual +++ b/roles/IMAP/files/etc/dovecot/virtual/all/dovecot-virtual @@ -1,6 +1,6 @@ !INBOX -Junk -Junk/* -Trash -* ++* ALL diff --git a/roles/IMAP/files/etc/dovecot/virtual/flagged/dovecot-virtual b/roles/IMAP/files/etc/dovecot/virtual/flagged/dovecot-virtual index 18845c6..cf24b79 100644 --- a/roles/IMAP/files/etc/dovecot/virtual/flagged/dovecot-virtual +++ b/roles/IMAP/files/etc/dovecot/virtual/flagged/dovecot-virtual @@ -1,2 +1,2 @@ -* ++* FLAGGED diff --git a/roles/IMAP/files/etc/dovecot/virtual/recent/dovecot-virtual b/roles/IMAP/files/etc/dovecot/virtual/recent/dovecot-virtual index 601ce28..4df62b0 100644 --- a/roles/IMAP/files/etc/dovecot/virtual/recent/dovecot-virtual +++ b/roles/IMAP/files/etc/dovecot/virtual/recent/dovecot-virtual @@ -1,5 +1,5 @@ -Junk -Junk/* -Trash -* ++* YOUNGER 2592000 diff --git a/roles/IMAP/files/etc/dovecot/virtual/unseen/dovecot-virtual b/roles/IMAP/files/etc/dovecot/virtual/unseen/dovecot-virtual index 3dc4a3b..09b818d 100644 --- a/roles/IMAP/files/etc/dovecot/virtual/unseen/dovecot-virtual +++ b/roles/IMAP/files/etc/dovecot/virtual/unseen/dovecot-virtual @@ -1,6 +1,6 @@ -Drafts -Junk -Junk/* -Trash -* ++* UNSEEN diff --git a/roles/IMAP/files/etc/spamassassin/local.cf b/roles/IMAP/files/etc/spamassassin/local.cf deleted file mode 100644 index 8ae4a4b..0000000 --- a/roles/IMAP/files/etc/spamassassin/local.cf +++ /dev/null @@ -1,118 +0,0 @@ -# This is the right place to customize your installation of SpamAssassin. -# -# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be -# tweaked. -# -# Only a small subset of options are listed below -# -########################################################################### - -# Add *****SPAM***** to the Subject header of spam e-mails -# -rewrite_header Subject [*****SPAM*****] - - -# Save spam messages as a message/rfc822 MIME attachment instead of -# modifying the original message (0: off, 2: use text/plain instead) -# -report_safe 0 - - -# Set which networks or hosts are considered 'trusted' by your mail -# server (i.e. not spammers) -# -# TODO: Unclear how to do with IPSec and dynamic IPs. -clear_trusted_networks -trusted_networks 192.168.122.2 192.168.122.3 - -clear_internal_networks -internal_networks 192.168.122.2 192.168.122.3 - - -# Set file-locking method (flock is not safe over NFS, but is faster) -# -lock_method flock - - -# Set the threshold at which a message is considered spam (default: 5.0) -# -required_score 5.0 - - -# Use Bayesian classifier (default: 1) -# -use_bayes 1 - - -# Bayesian classifier auto-learning (default: 1) -# -bayes_auto_learn 1 -bayes_auto_expire 0 - - -# Enable or disable network checks -# -# http://en.linuxreviews.org/Spam_blacklists -# The best bets are zen.spamhaus.org and bl.spamcop.net . -skip_rbl_checks 0 -use_razor2 1 -use_pyzor 0 -use_auto_whitelist 1 - -# http://www.spamtips.org/2011/01/disable-dnsfromahblrhsbl.html -score DNS_FROM_AHBL_RHSBL 0 -# http://www.spamtips.org/2011/01/disable-rfc-ignorantorg-rules.html -score __RFC_IGNORANT_ENVFROM 0 -score DNS_FROM_RFC_DSN 0 -score DNS_FROM_RFC_BOGUSMX 0 -score __DNS_FROM_RFC_POST 0 -score __DNS_FROM_RFC_ABUSE 0 -score __DNS_FROM_RFC_WHOIS 0 - -# Set headers which may provide inappropriate cues to the Bayesian -# classifier -# -# bayes_ignore_header X-Bogosity -# bayes_ignore_header X-Spam-Flag -# bayes_ignore_header X-Spam-Status - - -# Some shortcircuiting, if the plugin is enabled -# -ifplugin Mail::SpamAssassin::Plugin::Shortcircuit -# -# default: strongly-whitelisted mails are *really* whitelisted now, if the -# shortcircuiting plugin is active, causing early exit to save CPU load. -# Uncomment to turn this on -# -# shortcircuit USER_IN_WHITELIST on -# shortcircuit USER_IN_DEF_WHITELIST on -# shortcircuit USER_IN_ALL_SPAM_TO on -# shortcircuit SUBJECT_IN_WHITELIST on - -# the opposite; blacklisted mails can also save CPU -# -# shortcircuit USER_IN_BLACKLIST on -# shortcircuit USER_IN_BLACKLIST_TO on -# shortcircuit SUBJECT_IN_BLACKLIST on - -# if you have taken the time to correctly specify your "trusted_networks", -# this is another good way to save CPU -# -# shortcircuit ALL_TRUSTED on - -# and a well-trained bayes DB can save running rules, too -# -# shortcircuit BAYES_99 spam -# shortcircuit BAYES_00 ham - -endif # Mail::SpamAssassin::Plugin::Shortcircuit - - -bayes_store_module Mail::SpamAssassin::BayesStore::MySQL -bayes_sql_dsn DBI:mysql:spamassassin -bayes_sql_username amavis - -auto_whitelist_factory Mail::SpamAssassin::SQLBasedAddrList -user_awl_dsn DBI:mysql:spamassassin -user_awl_sql_username amavis diff --git a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service new file mode 100644 index 0000000..3ac0b31 --- /dev/null +++ b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service @@ -0,0 +1,25 @@ +[Unit] +Description=Dovecot authentication proxy +After=dovecot.target +Requires=dovecot-auth-proxy.socket + +[Service] +User=_dovecot-auth-proxy +StandardInput=null +SyslogFacility=mail +ExecStart=/usr/local/bin/dovecot-auth-proxy.pl + +# Hardening +NoNewPrivileges=yes +PrivateDevices=yes +PrivateNetwork=yes +ProtectHome=yes +ProtectSystem=strict +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_UNIX + +[Install] +WantedBy=multi-user.target +Also=postfix-sender-login.socket diff --git a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.socket b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.socket new file mode 100644 index 0000000..6dee91a --- /dev/null +++ b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.socket @@ -0,0 +1,8 @@ +[Socket] +SocketUser=dovecot +SocketGroup=dovecot +SocketMode=0600 +ListenStream=/run/dovecot/auth-proxy + +[Install] +WantedBy=sockets.target |