8 files changed, 100 insertions, 112 deletions

diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf
deleted file mode 100644
index 848fe69..0000000
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf
+++ /dev/null
@@ -1,85 +0,0 @@
-##
-## Log destination.
-##
-
-# Log file to use for error messages. "syslog" logs to syslog,
-# /dev/stderr logs to stderr.
-#log_path = syslog
-
-# Log file to use for informational messages. Defaults to log_path.
-#info_log_path =
-# Log file to use for debug messages. Defaults to info_log_path.
-#debug_log_path =
-
-# Syslog facility to use if you're logging to syslog. Usually if you don't
-# want to use "mail", you'll use local0..local7. Also other standard
-# facilities are supported.
-#syslog_facility = mail
-
-##
-## Logging verbosity and debugging.
-##
-
-# Log unsuccessful authentication attempts and the reasons why they failed.
-#auth_verbose = no
-
-# In case of password mismatches, log the attempted password. Valid values are
-# no, plain and sha1. sha1 can be useful for detecting brute force password
-# attempts vs. user simply trying the same password over and over again.
-# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).
-#auth_verbose_passwords = no
-
-# Even more verbose logging for debugging purposes. Shows for example SQL
-# queries.
-#auth_debug = no
-
-# In case of password mismatches, log the passwords and used scheme so the
-# problem can be debugged. Enabling this also enables auth_debug.
-#auth_debug_passwords = no
-
-# Enable mail process debugging. This can help you figure out why Dovecot
-# isn't finding your mails.
-#mail_debug = no
-
-# Show protocol level SSL errors.
-#verbose_ssl = no
-
-# mail_log plugin provides more event logging for mail processes.
-plugin {
-  # Events to log. Also available: flag_change append
-  #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
-  # Available fields: uid, box, msgid, from, subject, size, vsize, flags
-  # size and vsize are available only for expunge and copy events.
-  #mail_log_fields = uid box msgid size
-}
-
-##
-## Log formatting.
-##
-
-# Prefix for each line written to log file. % codes are in strftime(3)
-# format.
-log_timestamp = "%Y-%m-%d %H:%M:%S "
-
-# Space-separated list of elements we want to log. The elements which have
-# a non-empty variable value are joined together to form a comma-separated
-# string.
-#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
-
-# Login log format. %s contains login_log_format_elements string, %$ contains
-# the data we want to log.
-#login_log_format = %$: %s
-
-# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
-# possible variables you can use.
-#mail_log_prefix = "%s(%u): "
-
-# Format to use for logging mail deliveries. See doc/wiki/Variables.txt for
-# list of all variables you can use. Some of the common ones include:
-#  %$ - Delivery status message (e.g. "saved to INBOX")
-#  %m - Message-ID
-#  %s - Subject
-#  %f - From address
-#  %p - Physical size
-#  %w - Virtual size
-#deliver_log_format = msgid=%m: %$
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf
index a781402..d74b026 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf
@@ -101,41 +101,41 @@ namespace virtual {
   #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
 
   # Use the default namespace for saving subscriptions.
   #subscriptions = no
 
   # List the shared/ namespace only if there are visible shared mailboxes.
   #list = children
 #}
 # Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
 #mail_shared_explicit_inbox = no
 
 # System user and group used to access mails. If you use multiple, userdb
 # can override these by returning uid or gid fields. You can use either numbers
 # or names. <doc/wiki/UserIds.txt>
 mail_uid = vmail
 mail_gid = vmail
 
 # Group to enable temporarily for privileged operations. Currently this is
 # used only with INBOX when either its initial creation or dotlocking fails.
 # Typically this is set to "mail" to give access to /var/mail.
-#mail_privileged_group =
+mail_privileged_group =
 
 # Grant access to these supplementary groups for mail processes. Typically
 # these are used to set up access to shared mailboxes. Note that it may be
 # dangerous to set these if users can create symlinks (e.g. if "mail" group is
 # set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
 # mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
 #mail_access_groups =
 
 # Allow full filesystem access to clients. There's no access checks other than
 # what the operating system does for the active UID/GID. It works with both
 # maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
 # or ~user/.
 #mail_full_filesystem_access = no
 
 # Dictionary for key=value mailbox attributes. This is used for example by
 # URLAUTH and METADATA extensions.
 #mail_attribute_dict =
 
 # A comment or note that is associated with the server. This value is
 # accessible for authenticated users through the IMAP METADATA server
@@ -155,41 +155,44 @@ mail_server_admin = mailto:postmaster@fripost.org
 
 # Don't use mmap() at all. This is required if you store indexes to shared
 # filesystems (NFS or clustered filesystem).
 #mmap_disable = no
 
 # Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
 # since version 3, so this should be safe to use nowadays by default.
 #dotlock_use_excl = yes
 
 # When to use fsync() or fdatasync() calls:
 #   optimized (default): Whenever necessary to avoid losing important data
 #   always: Useful with e.g. NFS when write()s are delayed
 #   never: Never use it (best performance, but crashes can lose data)
 #mail_fsync = optimized
 
 # Locking method for index files. Alternatives are fcntl, flock and dotlock.
 # Dotlocking uses some tricks which may create more disk I/O than other locking
 # methods. NFS users: flock doesn't work, remember to change mmap_disable.
 #lock_method = fcntl
 
-# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB.
+# Directory where mails can be temporarily stored. Usually it's used only for
+# mails larger than >= 128 kB. It's used by various parts of Dovecot, for
+# example LDA/LMTP while delivering large mails or zlib plugin for keeping
+# uncompressed mails.
 #mail_temp_dir = /tmp
 
 # Valid UID range for users, defaults to 500 and above. This is mostly
 # to make sure that users can't log in as daemons or other system users.
 # Note that denying root logins is hardcoded to dovecot binary and can't
 # be done even if first_valid_uid is set to 0.
 first_valid_uid = 1
 #last_valid_uid = 0
 
 # Valid GID range for users, defaults to non-root/wheel. Users having
 # non-valid GID as primary group ID aren't allowed to log in. If user
 # belongs to supplementary groups with non-valid GIDs, those groups are
 # not set.
 #first_valid_gid = 1
 #last_valid_gid = 0
 
 # Maximum allowed length for mail keyword name. It's only forced when trying
 # to create new keywords.
 #mail_max_keyword_length = 50
 
@@ -202,76 +205,98 @@ first_valid_uid = 1
 # allow shell access for users. <doc/wiki/Chrooting.txt>
 #valid_chroot_dirs =
 
 # Default chroot directory for mail processes. This can be overridden for
 # specific users in user database by giving /./ in user's home directory
 # (eg. /home/./user chroots into /home). Note that usually there is no real
 # need to do chrooting, Dovecot doesn't allow users to access files outside
 # their mail directory anyway. If your home directories are prefixed with
 # the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
 #mail_chroot =
 
 # UNIX socket path to master authentication server to find users.
 # This is used by imap (for shared users) and lda.
 #auth_socket_path = /var/run/dovecot/auth-userdb
 
 # Directory where to look up mail plugins.
 #mail_plugin_dir = /usr/lib/dovecot/modules
 
 # Space separated list of plugins to load for all services. Plugins specific to
 # IMAP, LDA, etc. are added to this list in their own .conf files.
-mail_plugins = quota stats virtual zlib
+mail_plugins = quota virtual zlib
 
 ##
 ## Mailbox handling optimizations
 ##
 
 # Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
 # also required for IMAP NOTIFY extension to be enabled.
-mailbox_list_index = yes
+#mailbox_list_index = yes
+
+# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost
+# of potentially returning out-of-date results after e.g. server crashes.
+# The results will be automatically fixed once the folders are opened.
+#mailbox_list_index_very_dirty_syncs = yes
+
+# Should INBOX be kept up-to-date in the mailbox list index? By default it's
+# not, because most of the mailbox accesses will open INBOX anyway.
+#mailbox_list_index_include_inbox = no
 
 # The minimum number of mails in a mailbox before updates are done to cache
 # file. This allows optimizing Dovecot's behavior to do less disk writes at
 # the cost of more disk reads.
 #mail_cache_min_mail_count = 0
 
 # When IDLE command is running, mailbox is checked once in a while to see if
 # there are any new mails or other changes. This setting defines the minimum
 # time to wait between those checks. Dovecot can also use inotify and
 # kqueue to find out immediately when changes occur.
 #mailbox_idle_check_interval = 30 secs
 
 # Save mails with CR+LF instead of plain LF. This makes sending those mails
 # take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
 # But it also creates a bit more disk I/O which may just make it slower.
 # Also note that if other software reads the mboxes/maildirs, they may handle
 # the extra CRs wrong and cause problems.
 #mail_save_crlf = no
 
 # Max number of mails to keep open and prefetch to memory. This only works with
 # some mailbox formats and/or operating systems.
 #mail_prefetch_count = 0
 
 # How often to scan for stale temporary files and delete them (0 = never).
 # These should exist only after Dovecot dies in the middle of saving mails.
 #mail_temp_scan_interval = 1w
 
+# How many slow mail accesses sorting can perform before it returns failure.
+# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long.
+# The untagged SORT reply is still returned, but it's likely not correct.
+#mail_sort_max_read_count = 0
+
+protocol !indexer-worker {
+  # If folder vsize calculation requires opening more than this many mails from
+  # disk (i.e. mail sizes aren't in cache already), return failure and finish
+  # the calculation via indexer process. Disabled by default. This setting must
+  # be 0 for indexer-worker processes.
+  #mail_vsize_bg_after_count = 0
+}
+
 ##
 ## Maildir-specific settings
 ##
 
 # By default LIST command returns all entries in maildir beginning with a dot.
 # Enabling this option makes Dovecot return only entries which are directories.
 # This is done by stat()ing each entry, so it causes more disk I/O.
 # (For systems setting struct dirent->d_type, this check is free and it's
 # done always regardless of this setting)
 #maildir_stat_dirs = no
 
 # When copying a message, do it with hard links whenever possible. This makes
 # the performance much better, and it's unlikely to have any side effects.
 #maildir_copy_with_hardlinks = yes
 
 # Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
 # when its mtime changes unexpectedly or when we can't find the mail otherwise.
 #maildir_very_dirty_syncs = no
 
 # If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
@@ -337,56 +362,66 @@ mailbox_list_index = yes
 # commands and when closing the mailbox). This is especially useful for POP3
 # where clients often delete all mails. The downside is that our changes
 # aren't immediately visible to other MUAs.
 #mbox_lazy_writes = yes
 
 # If mbox size is smaller than this (e.g. 100k), don't write index files.
 # If an index file already exists it's still read, just not updated.
 #mbox_min_index_size = 0
 
 # Mail header selection algorithm to use for MD5 POP3 UIDLs when
 # pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
 # algorithm, but it fails if the first Received: header isn't unique in all
 # mails. An alternative algorithm is "all" that selects all headers.
 #mbox_md5 = apop3d
 
 ##
 ## mdbox-specific settings
 ##
 
 # Maximum dbox file size until it's rotated.
-#mdbox_rotate_size = 2M
+#mdbox_rotate_size = 10M
 
 # Maximum dbox file age until it's rotated. Typically in days. Day begins
 # from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
 #mdbox_rotate_interval = 0
 
 # When creating new mdbox files, immediately preallocate their size to
 # mdbox_rotate_size. This setting currently works only in Linux with some
 # filesystems (ext4, xfs).
 mdbox_preallocate_space = yes
 
 ##
 ## Mail attachments
 ##
 
 # sdbox and mdbox support saving mail attachments to external files, which
 # also allows single instance storage for them. Other backends don't support
 # this for now.
 
 # Directory root where to store mail attachments. Disabled, if empty.
 mail_attachment_dir = /home/mail/attachments
 
 # Attachments smaller than this aren't saved externally. It's also possible to
 # write a plugin to disable saving specific attachments externally.
 #mail_attachment_min_size = 128k
 
 # Filesystem backend to use for saving attachments:
 #  posix : No SiS done by Dovecot (but this might help FS's own deduplication)
 #  sis posix : SiS with immediate byte-by-byte comparison during saving
 #  sis-queue posix : SiS with delayed comparison and deduplication
 mail_attachment_fs = sis-queue /home/mail/attachments/queue:posix
 
 # Hash format to use in attachment filenames. You can add any text and
 # variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
 # Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
 mail_attachment_hash = %{sha256}
+
+# Settings to control adding $HasAttachment or $HasNoAttachment keywords.
+# By default, all MIME parts with Content-Disposition=attachment, or inlines
+# with filename parameter are consired attachments.
+#   add-flags-on-save - Add the keywords when saving new mails.
+#   content-type=type or !type - Include/exclude content type. Excluding will
+#     never consider the matched MIME part as attachment. Including will only
+#     negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar).
+#   exclude-inlined - Exclude any Content-Disposition=inline MIME part.
+#mail_attachment_detection_options =
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index 209347f..adeb879 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -10,53 +10,64 @@ ssl = required
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
 ssl_cert = </etc/dovecot/ssl/imap.fripost.org.pem
 ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
 
 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
 # world-readable, you may want to place this setting instead to a different
 # root owned 0600 file by using ssl_key_password = <path.
 #ssl_key_password =
 
 # PEM encoded trusted certificate authority. Set this only if you intend to use
 # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
 # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
 #ssl_ca =
 
 # Require that CRL check succeeds for client certificates.
 #ssl_require_crl = yes
 
 # Directory and/or file for trusted SSL CA certificates. These are used only
-# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
-# directory is usually /etc/ssl/certs in Debian-based systems and the file is
-# /etc/pki/tls/cert.pem in RedHat-based systems.
-#ssl_client_ca_dir =
+# when Dovecot needs to act as an SSL client (e.g. imapc backend or
+# submission service). The directory is usually /etc/ssl/certs in
+# Debian-based systems and the file is /etc/pki/tls/cert.pem in
+# RedHat-based systems.
+ssl_client_ca_dir = /etc/ssl/certs
 #ssl_client_ca_file =
 
 # Request client to send a certificate. If you also want to require it, set
 # auth_ssl_require_client_cert=yes in auth section.
 #ssl_verify_client_cert = no
 
 # Which field from certificate to use for username. commonName and
 # x500UniqueIdentifier are the usual choices. You'll also need to set
 # auth_ssl_username_from_cert=yes.
 #ssl_cert_username_field = commonName
 
-# DH parameters length to use.
-ssl_dh_parameters_length = 2048
+# SSL DH parameters
+# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
+# Or migrate from old ssl-parameters.dat file with the command dovecot
+# gives on startup when ssl_dh is unset.
+ssl_dh = </etc/ssl/dhparams.pem
 
-# SSL protocols to use
-#ssl_protocols = !SSLv3
+# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
+# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
+ssl_min_protocol = TLSv1.2
 
 # SSL ciphers to use
-ssl_cipher_list = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+
+# Colon separated list of elliptic curves to use. Empty value (the default)
+# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
+# example of a valid value.
+#ssl_curve_list =
 
 # Prefer the server's order of ciphers over client's.
 #ssl_prefer_server_ciphers = no
 
 # SSL crypto device to use, for valid values run "openssl engine"
 #ssl_crypto_device =
 
 # SSL extra options. Currently supported options are:
-#   no_compression - Disable compression.
-ssl_options = no_compression
+#   compression - Enable compression.
+#   no_ticket - Disable SSL session tickets.
+#ssl_options =
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/15-lda.conf b/roles/IMAP/files/etc/dovecot/conf.d/15-lda.conf
index 2a7bd27..4bfd8a5 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/15-lda.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/15-lda.conf
@@ -1,26 +1,26 @@
 ##
 ## LDA specific settings (also used by LMTP)
 ##
 
 # Address to use when sending rejection mails.
-# Default is postmaster@<your domain>. %d expands to recipient domain.
+# Default is postmaster@%d. %d expands to recipient domain.
 #postmaster_address =
 
 # Hostname to use in various parts of sent mails (e.g. in Message-Id) and
 # in LMTP replies. Default is the system's real hostname@domain.
 #hostname =
 
 # If user is over quota, return with temporary failure instead of
 # bouncing the mail.
 #quota_full_tempfail = no
 
 # Binary to use for sending mails.
 sendmail_path = /usr/sbin/postmulti -i msa -x /usr/sbin/sendmail
 
 # If non-empty, send mails via this SMTP host[:port] instead of sendmail.
 #submission_host =
 
 # Subject: header to use for rejection mails. You can use the same variables
 # as for rejection_reason below.
 #rejection_subject = Rejected: %s
 
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf
index 3ddedce..de1fbbb 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf
@@ -4,82 +4,105 @@
 
 # If nothing happens for this long while client is IDLEing, move the connection
 # to imap-hibernate process and close the old imap process. This saves memory,
 # because connections use very little memory in imap-hibernate process. The
 # downside is that recreating the imap process back uses some resources.
 imap_hibernate_timeout = 15s
 
 # Maximum IMAP command line length. Some clients generate very long command
 # lines with huge mailboxes, so you may need to raise this if you get
 # "Too long argument" or "IMAP command line too large" errors often.
 #imap_max_line_length = 64k
 
 # IMAP logout format string:
 #  %i - total number of bytes read from client
 #  %o - total number of bytes sent to client
 #  %{fetch_hdr_count} - Number of mails with mail header data sent to client
 #  %{fetch_hdr_bytes} - Number of bytes with mail header data sent to client
 #  %{fetch_body_count} - Number of mails with mail body data sent to client
 #  %{fetch_body_bytes} - Number of bytes with mail body data sent to client
 #  %{deleted} - Number of mails where client added \Deleted flag
-#  %{expunged} - Number of mails that client expunged
+#  %{expunged} - Number of mails that client expunged, which does not
+#                include automatically expunged mails
+#  %{autoexpunged} - Number of mails that were automatically expunged after
+#                    client disconnected
 #  %{trashed} - Number of mails that client copied/moved to the
 #               special_use=\Trash mailbox.
-#imap_logout_format = in=%i out=%o
+#  %{appended} - Number of mails saved during the session
+#imap_logout_format = in=%i out=%o deleted=%{deleted} expunged=%{expunged} \
+#  trashed=%{trashed} hdr_count=%{fetch_hdr_count} \
+#  hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} \
+#  body_bytes=%{fetch_body_bytes}
 
 # Override the IMAP CAPABILITY response. If the value begins with '+',
 # add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
 #imap_capability =
 
 # How long to wait between "OK Still here" notifications when client is
 # IDLEing.
 #imap_idle_notify_interval = 2 mins
 
 # ID field names and values to send to clients. Using * as the value makes
 # Dovecot use the default value. The following fields have default values
 # currently: name, version, os, os-version, support-url, support-email.
 #imap_id_send =
 
 # ID fields sent by client to log. * means everything.
 #imap_id_log =
 
 # Workarounds for various client bugs:
 #   delay-newmail:
 #     Send EXISTS/RECENT new mail notifications only when replying to NOOP
 #     and CHECK commands. Some clients ignore them otherwise, for example OSX
 #     Mail (<v2.1). Outlook Express breaks more badly though, without this it
 #     may show user "Message no longer in server" errors. Note that OE6 still
 #     breaks even with this workaround if synchronization is set to
 #     "Headers Only".
 #   tb-extra-mailbox-sep:
 #     Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
 #     adds extra '/' suffixes to mailbox names. This option causes Dovecot to
 #     ignore the extra '/' instead of treating it as invalid mailbox name.
 #   tb-lsub-flags:
 #     Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
 #     This makes Thunderbird realize they aren't selectable and show them
 #     greyed out, instead of only later giving "not selectable" popup error.
 #
 # The list is space-separated.
 #imap_client_workarounds =
 
 # Host allowed in URLAUTH URLs sent by client. "*" allows all.
 #imap_urlauth_host =
 
+# Enable IMAP LITERAL- extension (replaces LITERAL+)
+#imap_literal_minus = no
+
+# What happens when FETCH fails due to some internal error:
+#   disconnect-immediately:
+#     The FETCH is aborted immediately and the IMAP client is disconnected.
+#   disconnect-after:
+#     The FETCH runs for all the requested mails returning as much data as
+#     possible. The client is finally disconnected without a tagged reply.
+#   no-after:
+#     Same as disconnect-after, but tagged NO reply is sent instead of
+#     disconnecting the client. If the client attempts to FETCH the same failed
+#     mail more than once, the client is disconnected. This is to avoid clients
+#     from going into infinite loops trying to FETCH a broken mail.
+#imap_fetch_failure = disconnect-immediately
+
 protocol imap {
   # Space separated list of plugins to load (default is global mail_plugins).
-  mail_plugins = $mail_plugins imap_stats imap_zlib
+  mail_plugins = $mail_plugins imap_zlib
 
   # Maximum number of IMAP connections allowed for a user from each IP address.
   # NOTE: The username is compared case-sensitively.
   mail_max_userip_connections = 16
 
 #  # TODO Load the 'antispam' plugin for people using the content filter.
 #  # (Otherwise fallback to the static userdb.)
 #  userdb {
 #    driver = ldap
 #    args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
 #
 #    # Default fields can be used to specify defaults that LDAP may override
 #    default_fields = home=/home/mail/virtual/%d/%n
 #  }
 }
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf b/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf
index 9583b6d..52a81ca 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf
@@ -6,28 +6,23 @@
 # settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and
 # their configuration. Note that %variable expansion is done for all values.
 
 plugin {
   antispam_backend = spool2dir
 
   antispam_trash = Trash
   antispam_unsure_pattern_ignorecase = MailTrain;MailTrain/*
   antispam_spam = Junk
 
   # The first %%lu is replaced by the current time.
   # The second %%lu is replaced by a counter to generate unique names.
   # These two tokens MUST be present in the template!
   antispam_spool2dir_spam    = /home/mail/spamspool/%u-%%10lu-%%06lu.spam
   antispam_spool2dir_notspam = /home/mail/spamspool/%u-%%10lu-%%06lu.ham
 
   quota_rule = *:storage=0
   quota = count:User quota
   quota_vsizes = yes
 
-  # how often to session statistics
-  stats_refresh = 30 secs
-  # track per-IMAP command statistics
-  stats_track_cmds = yes
-
   zlib_save = gz
   zlib_save_level = 6
 }
diff --git a/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext
index ecd7134..a054ffe 100644
--- a/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext
+++ b/roles/IMAP/files/etc/dovecot/dovecot-dict-auth.conf.ext
@@ -1,12 +1,12 @@
 # This file is commonly accessed via passdb {} or userdb {} section in
 # conf.d/auth-dict.conf.ext
 
 # Dictionary URI
-uri = proxy:/var/run/dovecot/auth-proxy:
+uri = proxy:/run/dovecot/auth-proxy:
 
 # Username iteration prefix. Keys under this are assumed to contain usernames.
 iterate_prefix = userdb/
 
 # Should iteration be disabled for this userdb? If this userdb acts only as a
 # cache there's no reason to try to iterate the (partial & duplicate) users.
 iterate_disable = no
diff --git a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
index 1b97a0e..a455616 100644
--- a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
+++ b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
@@ -113,30 +113,39 @@ user_attrs =
 #   %u - username
 #   %n - user part in user@domain, same as %u if there's no domain
 #   %d - domain part in user@domain, empty if user there's no domain
 user_filter =
 
 # Password checking attributes:
 #  user: Virtual user name (user@domain), if you wish to change the
 #        user-given username to something else
 #  password: Password, may optionally start with {type}, eg. {crypt}
 # There are also other special fields which can be returned, see
 # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
 pass_attrs =
 
 # If you wish to avoid two LDAP lookups (passdb + userdb), you can use
 # userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
 # also have to include user_attrs in pass_attrs field prefixed with "userdb_"
 # string. For example:
 #pass_attrs = uid=user,userPassword=password,\
 #  homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
 
-# Filter for password lookups (ignored for auth binds)
+# Filter for password lookups
 pass_filter = (&(objectClass=FripostVirtualUser)(fvl=%n)(fripostIsStatusActive=TRUE))
 
 # Attributes and filter to get a list of all users
 #iterate_attrs = uid=user
 #iterate_filter = (objectClass=posixAccount)
 
 # Default password scheme. "{scheme}" before password overrides this.
 # List of supported schemes is in: http://wiki2.dovecot.org/Authentication
 #default_pass_scheme = CRYPT
+
+# By default all LDAP lookups are performed by the auth master process.
+# If blocking=yes, auth worker processes are used to perform the lookups.
+# Each auth worker process creates its own LDAP connection so this can
+# increase parallelism. With blocking=no the auth master process can
+# keep 8 requests pipelined for the LDAP connection, while with blocking=yes
+# each connection has a maximum of 1 request running. For small systems the
+# blocking=no is sufficient and uses less resources.
+#blocking = no