diff options
Diffstat (limited to 'roles/IMAP/files')
-rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf | 3 | ||||
-rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf | 35 | ||||
-rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/10-master.conf | 14 | ||||
-rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf | 16 | ||||
-rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf | 109 | ||||
-rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf | 3 | ||||
-rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf | 25 | ||||
-rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext | 2 | ||||
-rw-r--r-- | roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext | 5 |
9 files changed, 119 insertions, 93 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf index cf0189e..d4f323d 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf @@ -6,7 +6,8 @@ # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP # matches the local IP (ie. you're connecting from the same computer), the # connection is considered secure and plaintext authentication is allowed. -disable_plaintext_auth = yes +# See also ssl=required setting. +#disable_plaintext_auth = yes # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used. diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf index dcc1d9c..c98d3f6 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf @@ -107,7 +107,7 @@ namespace virtual { #list = children #} # Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"? -#mail_shared_explicit_inbox = yes +#mail_shared_explicit_inbox = no # System user and group used to access mails. If you use multiple, userdb # can override these by returning uid or gid fields. You can use either numbers @@ -133,6 +133,10 @@ mail_gid = vmail # or ~user/. #mail_full_filesystem_access = no +# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but +# soon intended to be used by METADATA as well. +#mail_attribute_dict = + ## ## Mail processes ## @@ -151,13 +155,6 @@ mail_gid = vmail # never: Never use it (best performance, but crashes can lose data) #mail_fsync = optimized -# Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches -# whenever needed. If you're using only a single mail server this isn't needed. -#mail_nfs_storage = no -# Mail index files also exist in NFS. Setting this to yes requires -# mmap_disable=yes and fsync_disable=no. -#mail_nfs_index = no - # Locking method for index files. Alternatives are fcntl, flock and dotlock. # Dotlocking uses some tricks which may create more disk I/O than other locking # methods. NFS users: flock doesn't work, remember to change mmap_disable. @@ -170,14 +167,14 @@ mail_gid = vmail # to make sure that users can't log in as daemons or other system users. # Note that denying root logins is hardcoded to dovecot binary and can't # be done even if first_valid_uid is set to 0. -first_valid_uid = 1 +#first_valid_uid = 500 #last_valid_uid = 0 # Valid GID range for users, defaults to non-root/wheel. Users having # non-valid GID as primary group ID aren't allowed to log in. If user # belongs to supplementary groups with non-valid GIDs, those groups are # not set. -first_valid_gid = 1 +#first_valid_gid = 1 #last_valid_gid = 0 # Maximum allowed length for mail keyword name. It's only forced when trying @@ -216,6 +213,10 @@ mail_plugins = virtual zlib ## Mailbox handling optimizations ## +# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are +# also required for IMAP NOTIFY extension to be enabled. +mailbox_list_index = yes + # The minimum number of mails in a mailbox before updates are done to cache # file. This allows optimizing Dovecot's behavior to do less disk writes at # the cost of more disk reads. @@ -267,6 +268,10 @@ mail_plugins = virtual zlib # broken size. The performance hit for enabling this is very small. #maildir_broken_filename_sizes = no +# Always move mails from new/ directory to cur/, even when the \Recent flags +# aren't being reset. +#maildir_empty_new = no + ## ## mbox-specific settings ## @@ -285,8 +290,14 @@ mail_plugins = virtual zlib # in is important to avoid deadlocks if other MTAs/MUAs are using multiple # locking methods as well. Some operating systems don't allow using some of # them simultaneously. +# +# The Debian value for mbox_write_locks differs from upstream Dovecot. It is +# changed to be compliant with Debian Policy (section 11.6) for NFS safety. +# Dovecot: mbox_write_locks = dotlock fcntl +# Debian: mbox_write_locks = fcntl dotlock +# #mbox_read_locks = fcntl -#mbox_write_locks = dotlock fcntl +#mbox_write_locks = fcntl dotlock # Maximum time to wait for lock (all of them) before aborting. #mbox_lock_timeout = 5 mins @@ -350,8 +361,6 @@ mail_plugins = virtual zlib # also allows single instance storage for them. Other backends don't support # this for now. -# WARNING: This feature hasn't been tested much yet. Use at your own risk. - # Directory root where to store mail attachments. Disabled, if empty. #mail_attachment_dir = diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf index 30e9fb6..189e96e 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf @@ -8,25 +8,25 @@ # Login user is internally used by login processes. This is the most untrusted # user in Dovecot system. It shouldn't have access to anything at all. -default_login_user = dovenull +#default_login_user = dovenull # Internal user is used by unprivileged processes. It should be separate from # login user, so that login processes can't disturb other processes. -default_internal_user = dovecot +#default_internal_user = dovecot service imap-login { inet_listener imap { port = 0 } inet_listener imaps { - port = 993 - ssl = yes + #port = 993 + #ssl = yes } # Number of connections to handle before starting a new process. Typically # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 # is faster. <doc/wiki/LoginProcess.txt> - service_count = 1 + #service_count = 1 # Max. number of IMAP processes (logins) process_limit = 256 @@ -46,8 +46,6 @@ service pop3-login { #port = 995 #ssl = yes } - - service_count = 1 } service lmtp { @@ -112,7 +110,7 @@ service auth { } # Auth process is run as this user. - user = $default_internal_user + #user = $default_internal_user } service auth-worker { diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf index 526da9c..90843b2 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf @@ -26,6 +26,13 @@ ssl_key = </etc/dovecot/ssl/imap.fripost.org.key # Require that CRL check succeeds for client certificates. #ssl_require_crl = yes +# Directory and/or file for trusted SSL CA certificates. These are used only +# when Dovecot needs to act as an SSL client (e.g. imapc backend). The +# directory is usually /etc/ssl/certs in Debian-based systems and the file is +# /etc/pki/tls/cert.pem in RedHat-based systems. +#ssl_client_ca_dir = +#ssl_client_ca_file = + # Request client to send a certificate. If you also want to require it, set # auth_ssl_require_client_cert=yes in auth section. #ssl_verify_client_cert = no @@ -35,10 +42,8 @@ ssl_key = </etc/dovecot/ssl/imap.fripost.org.key # auth_ssl_username_from_cert=yes. #ssl_cert_username_field = commonName -# How often to regenerate the SSL parameters file. Generation is quite CPU -# intensive operation. The value is in hours, 0 disables regeneration -# entirely. -#ssl_parameters_regenerate = 168 +# DH parameters length to use. +#ssl_dh_parameters_length = 1024 # SSL protocols to use ssl_protocols = !SSLv2 @@ -46,5 +51,8 @@ ssl_protocols = !SSLv2 # SSL ciphers to use ssl_cipher_list = HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH +# Prefer the server's order of ciphers over client's. +#ssl_prefer_server_ciphers = no + # SSL crypto device to use, for valid values run "openssl engine" #ssl_crypto_device = diff --git a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf index 2557b78..1807e05 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf @@ -2,67 +2,70 @@ ## IMAP specific settings ## -protocol imap { - # Maximum IMAP command line length. Some clients generate very long command - # lines with huge mailboxes, so you may need to raise this if you get - # "Too long argument" or "IMAP command line too large" errors often. - #imap_max_line_length = 64k +# Maximum IMAP command line length. Some clients generate very long command +# lines with huge mailboxes, so you may need to raise this if you get +# "Too long argument" or "IMAP command line too large" errors often. +#imap_max_line_length = 64k - # Maximum number of IMAP connections allowed for a user from each IP address. - # NOTE: The username is compared case-sensitively. - mail_max_userip_connections = 16 +# IMAP logout format string: +# %i - total number of bytes read from client +# %o - total number of bytes sent to client +#imap_logout_format = in=%i out=%o - # Space separated list of plugins to load (default is global mail_plugins). - #mail_plugins = $mail_plugins antispam +# Override the IMAP CAPABILITY response. If the value begins with '+', +# add the given capabilities on top of the defaults (e.g. +XFOO XBAR). +#imap_capability = - # IMAP logout format string: - # %i - total number of bytes read from client - # %o - total number of bytes sent to client - #imap_logout_format = bytes=%i/%o +# How long to wait between "OK Still here" notifications when client is +# IDLEing. +#imap_idle_notify_interval = 2 mins - # Override the IMAP CAPABILITY response. If the value begins with '+', - # add the given capabilities on top of the defaults (e.g. +XFOO XBAR). - #imap_capability = +# ID field names and values to send to clients. Using * as the value makes +# Dovecot use the default value. The following fields have default values +# currently: name, version, os, os-version, support-url, support-email. +#imap_id_send = - # How long to wait between "OK Still here" notifications when client is - # IDLEing. - #imap_idle_notify_interval = 2 mins +# ID fields sent by client to log. * means everything. +#imap_id_log = - # ID field names and values to send to clients. Using * as the value makes - # Dovecot use the default value. The following fields have default values - # currently: name, version, os, os-version, support-url, support-email. - #imap_id_send = +# Workarounds for various client bugs: +# delay-newmail: +# Send EXISTS/RECENT new mail notifications only when replying to NOOP +# and CHECK commands. Some clients ignore them otherwise, for example OSX +# Mail (<v2.1). Outlook Express breaks more badly though, without this it +# may show user "Message no longer in server" errors. Note that OE6 still +# breaks even with this workaround if synchronization is set to +# "Headers Only". +# tb-extra-mailbox-sep: +# Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and +# adds extra '/' suffixes to mailbox names. This option causes Dovecot to +# ignore the extra '/' instead of treating it as invalid mailbox name. +# tb-lsub-flags: +# Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox). +# This makes Thunderbird realize they aren't selectable and show them +# greyed out, instead of only later giving "not selectable" popup error. +# +# The list is space-separated. +#imap_client_workarounds = - # ID fields sent by client to log. * means everything. - #imap_id_log = +# Host allowed in URLAUTH URLs sent by client. "*" allows all. +#imap_urlauth_host = - # Workarounds for various client bugs: - # delay-newmail: - # Send EXISTS/RECENT new mail notifications only when replying to NOOP - # and CHECK commands. Some clients ignore them otherwise, for example OSX - # Mail (<v2.1). Outlook Express breaks more badly though, without this it - # may show user "Message no longer in server" errors. Note that OE6 still - # breaks even with this workaround if synchronization is set to - # "Headers Only". - # tb-extra-mailbox-sep: - # Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and - # adds extra '/' suffixes to mailbox names. This option causes Dovecot to - # ignore the extra '/' instead of treating it as invalid mailbox name. - # tb-lsub-flags: - # Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox). - # This makes Thunderbird realize they aren't selectable and show them - # greyed out, instead of only later giving "not selectable" popup error. - # - # The list is space-separated. - #imap_client_workarounds = +protocol imap { + # Space separated list of plugins to load (default is global mail_plugins). + #mail_plugins = $mail_plugins - # Load the 'antispam' plugin for people using the content filter. - # (Otherwise fallback to the static userdb.) - userdb { - driver = ldap - args = /etc/dovecot/dovecot-ldap-userdb.conf.ext + # Maximum number of IMAP connections allowed for a user from each IP address. + # NOTE: The username is compared case-sensitively. + mail_max_userip_connections = 16 - # Default fields can be used to specify defaults that LDAP may override - default_fields = home=/home/mail/virtual/%d/%n - } +# # TODO Load the 'antispam' plugin for people using the content filter. +# # (Otherwise fallback to the static userdb.) +# userdb { +# driver = ldap +# args = /etc/dovecot/dovecot-ldap-userdb.conf.ext +# +# # Default fields can be used to specify defaults that LDAP may override +# default_fields = home=/home/mail/virtual/%d/%n +# } } diff --git a/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf b/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf index b0be573..cd48ab8 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf @@ -10,6 +10,9 @@ # lda_mailbox_autocreate settings. #lmtp_save_to_detail_mailbox = no +# Verify quota before replying to RCPT TO. This adds a small overhead. +#lmtp_rcpt_check_quota = no + protocol lmtp { postmaster_address = postmaster@fripost.org # Space separated list of plugins to load (default is global mail_plugins). diff --git a/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf b/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf index 4d0420a..8308adc 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf @@ -1,6 +1,6 @@ ## ## Settings for the Sieve interpreter -## +## # Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf # by adding it to the respective mail_plugins= settings. @@ -22,7 +22,7 @@ plugin { # is also where the ManageSieve service stores the user's scripts. sieve_dir = ~/sieve - # Directory for :global include scripts for the include extension. + # Directory for :global include scripts for the include extension. #sieve_global_dir = # Path to a script file or a directory containing script files that need to be @@ -39,17 +39,17 @@ plugin { # user's script (only when keep is still in effect!). Multiple script file or # directory paths can be specified by appending an increasing number. #sieve_after = - #sieve_after2 = + #sieve_after2 = #sieve_after2 = (etc...) - # Which Sieve language extensions are available to users. By default, all + # Which Sieve language extensions are available to users. By default, all # supported extensions are available, except for deprecated extensions or # those that are still under development. Some system administrators may want # to disable certain Sieve extensions or enable those that are not available # by default. This setting can use '+' and '-' to specify differences relative # to the default. For example `sieve_extensions = +imapflags' will enable the # deprecated imapflags extension in addition to all extensions were already - # enabled by default. + # enabled by default. #sieve_extensions = +notify +imapflags # Which Sieve language extensions are ONLY available in global scripts. This @@ -57,7 +57,7 @@ plugin { # control, for instance when these extensions can cause security concerns. # This setting has higher precedence than the `sieve_extensions' setting # (above), meaning that the extensions enabled with this setting are never - # available to the user's personal script no matter what is specified for the + # available to the user's personal script no matter what is specified for the # `sieve_extensions' setting. The syntax of this setting is similar to the # `sieve_extensions' setting, with the difference that extensions are # enabled or disabled for exclusive use in global scripts. Currently, no @@ -68,13 +68,14 @@ plugin { # setting, the used plugins can be specified. Check the Dovecot wiki # (wiki2.dovecot.org) or the pigeonhole website # (http://pigeonhole.dovecot.org) for available plugins. + # The sieve_extprograms plugin is included in this release. #sieve_plugins = - # The separator that is expected between the :user and :detail - # address parts introduced by the subaddress extension. This may - # also be a sequence of characters (e.g. '--'). The current - # implementation looks for the separator from the left of the - # localpart and uses the first one encountered. The :user part is + # The separator that is expected between the :user and :detail + # address parts introduced by the subaddress extension. This may + # also be a sequence of characters (e.g. '--'). The current + # implementation looks for the separator from the left of the + # localpart and uses the first one encountered. The :user part is # left of the separator and the :detail part is right. This setting # is also used by Dovecot's LMTP service. recipient_delimiter = + @@ -99,6 +100,6 @@ plugin { # The maximum amount of disk storage a single user's scripts may occupy. If # set to 0, no limit on the used amount of disk storage is enforced. - # (Currently only relevant for ManageSieve) + # (Currently only relevant for ManageSieve) #sieve_quota_max_storage = 0 } diff --git a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext index 5237fc2..360727e 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext +++ b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext @@ -1,4 +1,4 @@ -# Authentication for LDAP users. Included from auth.conf. +# Authentication for LDAP users. Included from 10-auth.conf. # # <doc/wiki/AuthDatabase.LDAP.txt> diff --git a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext index 1ffa73d..72f4604 100644 --- a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext +++ b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext @@ -1,3 +1,6 @@ +# This file is commonly accessed via passdb {} or userdb {} section in +# conf.d/auth-ldap.conf.ext + # This file is opened as root, so it should be owned by root and mode 0600. # # http://wiki2.dovecot.org/AuthDatabase/LDAP @@ -90,7 +93,7 @@ ldap_version = 3 base = fvl=%n,fvd=%d,ou=virtual,dc=fripost,dc=org # Dereference: never, searching, finding, always -deref = never +#deref = never # Search scope: base, onelevel, subtree scope = base |