summaryrefslogtreecommitdiffstats
path: root/roles/IMAP/templates/etc/dovecot/conf.d
diff options
context:
space:
mode:
Diffstat (limited to 'roles/IMAP/templates/etc/dovecot/conf.d')
-rw-r--r--roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2166
-rw-r--r--roles/IMAP/templates/etc/dovecot/conf.d/99-local.conf.j2204
2 files changed, 370 insertions, 0 deletions
diff --git a/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 b/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2
new file mode 100644
index 0000000..d61c11b
--- /dev/null
+++ b/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2
@@ -0,0 +1,166 @@
+#default_process_limit = 100
+#default_client_limit = 1000
+
+# Default VSZ (virtual memory size) limit for service processes. This is mainly
+# intended to catch and kill processes that leak memory before they eat up
+# everything.
+default_vsz_limit = 1024M
+
+# Login user is internally used by login processes. This is the most untrusted
+# user in Dovecot system. It shouldn't have access to anything at all.
+#default_login_user = dovenull
+
+# Internal user is used by unprivileged processes. It should be separate from
+# login user, so that login processes can't disturb other processes.
+#default_internal_user = dovecot
+
+service imap-login {
+ inet_listener imap {
+{% if groups.all | length > 1 %}
+ address = {{ ipsec[inventory_hostname_short] }}
+ port = 143
+{% else %}
+ port = 0
+{% endif %}
+ }
+ inet_listener imaps {
+ #port = 993
+ #ssl = yes
+ }
+
+ # Number of connections to handle before starting a new process. Typically
+ # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
+ # is faster. <doc/wiki/LoginProcess.txt>
+ #service_count = 1
+
+ # Max. number of IMAP processes (logins)
+ process_limit = 256
+
+ # Number of processes to always keep waiting for more connections.
+ process_min_avail = 4
+
+ # If you set service_count=0, you probably need to grow this.
+ #vsz_limit = $default_vsz_limit
+}
+
+service pop3-login {
+ inet_listener pop3 {
+ #port = 110
+ }
+ inet_listener pop3s {
+ #port = 995
+ #ssl = yes
+ }
+}
+
+service stats {
+ unix_listener stats-writer {
+ user = vmail
+ mode = 0600
+ }
+}
+
+service submission-login {
+ inet_listener submission {
+ port = 0
+ }
+}
+
+service lmtp {
+ user = vmail
+
+ unix_listener /var/spool/postfix-{{ postfix_instance.IMAP.name }}/private/dovecot-lmtpd {
+ user = postfix
+ mode = 0600
+ }
+
+ # Create inet listener only if you can't use the above UNIX socket
+ #inet_listener lmtp {
+ # Avoid making LMTP visible for the entire internet
+ #address =
+ #port =
+ #}
+
+ # Number of processes to always keep waiting for more connections.
+ process_min_avail = 4
+}
+
+service imap {
+ # Most of the memory goes to mmap()ing files. You may need to increase this
+ # limit if you have huge mailboxes.
+ #vsz_limit = $default_vsz_limit
+
+ # Max. number of IMAP processes (connections)
+ #process_limit = 1024
+
+ unix_listener imap-master {
+ user = $default_internal_user
+ mode = 0600
+ }
+}
+
+service imap-hibernate {
+ unix_listener imap-hibernate {
+ # Match user running imap processes, cf.
+ # https://dovecot.org/pipermail/dovecot/2015-August/101783.html
+ user = vmail
+ mode = 0600
+ }
+}
+
+service pop3 {
+ # Max. number of POP3 processes (connections)
+ #process_limit = 1024
+}
+
+service submission {
+ # Max. number of SMTP Submission processes (connections)
+ #process_limit = 1024
+}
+
+service auth {
+ # auth_socket_path points to this userdb socket by default. It's typically
+ # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
+ # full permissions to this socket are able to get a list of all usernames and
+ # get the results of everyone's userdb lookups.
+ #
+ # The default 0666 mode allows anyone to connect to the socket, but the
+ # userdb lookups will succeed only if the userdb returns an "uid" field that
+ # matches the caller process's UID. Also if caller's uid or gid matches the
+ # socket's uid or gid the lookup succeeds. Anything else causes a failure.
+ #
+ # To give the caller full permissions to lookup all users, set the mode to
+ # something else than 0666 and Dovecot lets the kernel enforce the
+ # permissions (e.g. 0777 allows everyone full permissions).
+ unix_listener auth-userdb {
+ user = vmail
+ mode = 0600
+ }
+
+ # Postfix smtp-auth
+ unix_listener /var/spool/postfix-{{ postfix_instance.MSA.name }}/private/dovecot-auth {
+ user = postfix
+ group = postfix
+ mode = 0600
+ }
+
+ # Auth process is run as this user.
+ #user = $default_internal_user
+}
+
+service auth-worker {
+ # Auth worker process is run as root by default, so that it can access
+ # /etc/shadow. If this isn't necessary, the user should be changed to
+ # $default_internal_user.
+ user = $default_internal_user
+}
+
+service dict {
+ # If dict proxy is used, mail processes should have access to its socket.
+ # For example: mode=0660, group=vmail and global mail_access_groups=vmail
+ unix_listener dict {
+ #mode = 0600
+ #user =
+ #group =
+ }
+}
diff --git a/roles/IMAP/templates/etc/dovecot/conf.d/99-local.conf.j2 b/roles/IMAP/templates/etc/dovecot/conf.d/99-local.conf.j2
new file mode 100644
index 0000000..3560193
--- /dev/null
+++ b/roles/IMAP/templates/etc/dovecot/conf.d/99-local.conf.j2
@@ -0,0 +1,204 @@
+auth_default_realm = fripost.org
+auth_username_format = %Lu
+auth_mechanisms = plain login
+
+mail_uid = vmail
+mail_gid = vmail
+mail_privileged_group =
+
+first_valid_uid = 1
+last_valid_uid = 0
+
+default_vsz_limit = 1024M
+
+service imap-login {
+ inet_listener imap {
+{% if groups.all | length > 1 %}
+ address = {{ ipsec[inventory_hostname_short] }}
+ port = 143
+{% else %}
+ port = 0
+{% endif %}
+ }
+ process_limit = 256
+ process_min_avail = 4
+}
+
+service stats {
+ unix_listener stats-writer {
+ user = vmail
+ mode = 0600
+ }
+}
+
+service submission-login {
+ inet_listener submission {
+ port = 0
+ }
+}
+
+service lmtp {
+ user = vmail
+ unix_listener lmtp {
+ mode = 0
+ }
+ unix_listener /var/spool/postfix-mda/private/dovecot-lmtpd {
+ user = postfix
+ mode = 0600
+ }
+ process_min_avail = 4
+}
+
+service imap {
+ unix_listener imap-master {
+ user = $default_internal_user
+ mode = 0600
+ }
+}
+service imap-hibernate {
+ unix_listener imap-hibernate {
+ # Match user running imap processes, cf.
+ # https://dovecot.org/pipermail/dovecot/2015-August/101783.html
+ user = vmail
+ mode = 0600
+ }
+}
+
+service auth {
+ unix_listener auth-userdb {
+ user = vmail
+ mode = 0600
+ }
+
+ # Postfix smtp-auth
+ unix_listener /var/spool/postfix-msa/private/dovecot-auth {
+ user = postfix
+ group = postfix
+ mode = 0600
+ }
+}
+
+service auth-worker {
+ user = $default_internal_user
+}
+
+
+mail_server_comment = "fripost - demokratisk e-post"
+mail_server_admin = mailto:postmaster@fripost.org
+
+mail_plugins = quota virtual zlib
+
+mail_location = mdbox:~/mail
+mdbox_preallocate_space = yes
+
+mail_attachment_dir = /home/mail/attachments
+mail_attachment_fs = sis-queue /home/mail/attachments/queue:posix
+mail_attachment_hash = %{sha256}
+
+sendmail_path = /usr/sbin/postmulti -i msa -x /usr/sbin/sendmail
+
+ssl = required
+# XXX `doveadm exec imap` fails with "ssl_key: Can't open file
+# /etc/dovecot/ssl/imap.fripost.org.key"
+# https://dovecot.org/pipermail/dovecot/2020-August/119642.html
+# TODO bookworm inline the include_try
+!include_try ../ssl/config
+ssl_dh = </etc/ssl/dhparams.pem
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+
+namespace inbox {
+ inbox = yes
+ separator = /
+
+ mailbox Drafts {
+ auto = create
+ special_use = \Drafts
+ }
+ mailbox Junk {
+ auto = create
+ special_use = \Junk
+ }
+ mailbox "Sent Messages" {
+ auto = no
+ special_use = \Sent
+ }
+ mailbox Sent {
+ auto = subscribe
+ special_use = \Sent
+ }
+ mailbox Trash {
+ auto = create
+ special_use = \Trash
+ }
+ mailbox virtual/All {
+ comment = All messages
+ special_use = \All
+ }
+ mailbox virtual/Flagged {
+ comment = All flagged messages
+ special_use = \Flagged
+ }
+}
+
+namespace virtual {
+ prefix = virtual/
+ separator = /
+ location = virtual:/etc/dovecot/virtual:INDEX=MEMORY
+ list = no
+ hidden = no
+ subscriptions = no
+}
+
+imap_hibernate_timeout = 15s
+protocol imap {
+ mail_plugins = $mail_plugins imap_zlib
+ mail_max_userip_connections = 16
+
+ ## TODO Load the 'antispam' plugin for people using the content filter.
+ ## (Otherwise fallback to the static userdb.)
+ #userdb {
+ # driver = ldap
+ # args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
+ #
+ # # Default fields can be used to specify defaults that LDAP may override
+ # default_fields = home=/home/mail/virtual/%d/%n
+ #}
+}
+
+protocol lmtp {
+ postmaster_address = postmaster@fripost.org
+ # Space separated list of plugins to load (default is global mail_plugins).
+ mail_plugins = $mail_plugins sieve
+}
+
+plugin {
+ antispam_backend = spool2dir
+
+ antispam_trash = Trash
+ antispam_unsure_pattern_ignorecase = MailTrain;MailTrain/*
+ antispam_spam = Junk
+
+ # The first %%lu is replaced by the current time.
+ # The second %%lu is replaced by a counter to generate unique names.
+ # These two tokens MUST be present in the template!
+ antispam_spool2dir_spam = /home/mail/spamspool/%u-%%10lu-%%06lu.spam
+ antispam_spool2dir_notspam = /home/mail/spamspool/%u-%%10lu-%%06lu.ham
+}
+
+plugin {
+ quota_rule = *:storage=0
+ quota = count:User quota
+ quota_vsizes = yes
+}
+
+plugin {
+ sieve = file:~/sieve;active=~/dovecot.sieve
+ sieve_extensions = +editheader
+ recipient_delimiter = +
+}
+
+plugin {
+ zlib_save = gz
+ zlib_save_level = 6
+}
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-29 16:00:37 +0000