2 files changed, 370 insertions, 0 deletions
diff --git a/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 b/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2
new file mode 100644
index 0000000..d61c11b
--- /dev/null
+++ b/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2
@@ -0,0 +1,166 @@
+#default_process_limit = 100
+#default_client_limit = 1000
+
+# Default VSZ (virtual memory size) limit for service processes. This is mainly
+# intended to catch and kill processes that leak memory before they eat up
+# everything.
+default_vsz_limit = 1024M
+
+# Login user is internally used by login processes. This is the most untrusted
+# user in Dovecot system. It shouldn't have access to anything at all.
+#default_login_user = dovenull
+
+# Internal user is used by unprivileged processes. It should be separate from
+# login user, so that login processes can't disturb other processes.
+#default_internal_user = dovecot
+
+service imap-login {
+  inet_listener imap {
+{% if groups.all | length > 1 %}
+    address = {{ ipsec[inventory_hostname_short] }}
+    port = 143
+{% else %}
+    port = 0
+{% endif %}
+  }
+  inet_listener imaps {
+    #port = 993
+    #ssl = yes
+  }
+
+  # Number of connections to handle before starting a new process. Typically
+  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
+  # is faster. <doc/wiki/LoginProcess.txt>
+  #service_count = 1
+
+  # Max. number of IMAP processes (logins)
+  process_limit = 256
+
+  # Number of processes to always keep waiting for more connections.
+  process_min_avail = 4
+
+  # If you set service_count=0, you probably need to grow this.
+  #vsz_limit = $default_vsz_limit
+}
+
+service pop3-login {
+  inet_listener pop3 {
+    #port = 110
+  }
+  inet_listener pop3s {
+    #port = 995
+    #ssl = yes
+  }
+}
+
+service stats {
+  unix_listener stats-writer {
+    user = vmail
+    mode = 0600
+  }
+}
+
+service submission-login {
+  inet_listener submission {
+    port = 0
+  }
+}
+
+service lmtp {
+  user = vmail
+
+  unix_listener /var/spool/postfix-{{ postfix_instance.IMAP.name }}/private/dovecot-lmtpd {
+    user = postfix
+    mode = 0600
+  }
+
+  # Create inet listener only if you can't use the above UNIX socket
+  #inet_listener lmtp {
+    # Avoid making LMTP visible for the entire internet
+    #address =
+    #port = 
+  #}
+
+  # Number of processes to always keep waiting for more connections.
+  process_min_avail = 4
+}
+
+service imap {
+  # Most of the memory goes to mmap()ing files. You may need to increase this
+  # limit if you have huge mailboxes.
+  #vsz_limit = $default_vsz_limit
+
+  # Max. number of IMAP processes (connections)
+  #process_limit = 1024
+
+  unix_listener imap-master {
+    user = $default_internal_user
+    mode = 0600
+  }
+}
+
+service imap-hibernate {
+  unix_listener imap-hibernate {
+    # Match user running imap processes, cf.
+    # https://dovecot.org/pipermail/dovecot/2015-August/101783.html
+    user = vmail
+    mode = 0600
+  }
+}
+
+service pop3 {
+  # Max. number of POP3 processes (connections)
+  #process_limit = 1024
+}
+
+service submission {
+  # Max. number of SMTP Submission processes (connections)
+  #process_limit = 1024
+}
+
+service auth {
+  # auth_socket_path points to this userdb socket by default. It's typically
+  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
+  # full permissions to this socket are able to get a list of all usernames and
+  # get the results of everyone's userdb lookups.
+  #
+  # The default 0666 mode allows anyone to connect to the socket, but the
+  # userdb lookups will succeed only if the userdb returns an "uid" field that
+  # matches the caller process's UID. Also if caller's uid or gid matches the
+  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
+  #
+  # To give the caller full permissions to lookup all users, set the mode to
+  # something else than 0666 and Dovecot lets the kernel enforce the
+  # permissions (e.g. 0777 allows everyone full permissions).
+  unix_listener auth-userdb {
+    user = vmail
+    mode = 0600
+  }
+
+  # Postfix smtp-auth
+  unix_listener /var/spool/postfix-{{ postfix_instance.MSA.name }}/private/dovecot-auth {
+    user = postfix
+    group = postfix
+    mode = 0600
+  }
+
+  # Auth process is run as this user.
+  #user = $default_internal_user
+}
+
+service auth-worker {
+  # Auth worker process is run as root by default, so that it can access
+  # /etc/shadow. If this isn't necessary, the user should be changed to
+  # $default_internal_user.
+  user = $default_internal_user
+}
+
+service dict {
+  # If dict proxy is used, mail processes should have access to its socket.
+  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
+  unix_listener dict {
+    #mode = 0600
+    #user = 
+    #group = 
+  }
+}
diff --git a/roles/IMAP/templates/etc/dovecot/conf.d/99-local.conf.j2 b/roles/IMAP/templates/etc/dovecot/conf.d/99-local.conf.j2
new file mode 100644
index 0000000..3560193
--- /dev/null
+++ b/roles/IMAP/templates/etc/dovecot/conf.d/99-local.conf.j2
@@ -0,0 +1,204 @@
+auth_default_realm = fripost.org
+auth_username_format = %Lu
+auth_mechanisms = plain login
+
+mail_uid = vmail
+mail_gid = vmail
+mail_privileged_group =
+
+first_valid_uid = 1
+last_valid_uid = 0
+
+default_vsz_limit = 1024M
+
+service imap-login {
+  inet_listener imap {
+{% if groups.all | length > 1 %}
+    address = {{ ipsec[inventory_hostname_short] }}
+    port = 143
+{% else %}
+    port = 0
+{% endif %}
+  }
+  process_limit = 256
+  process_min_avail = 4
+}
+
+service stats {
+  unix_listener stats-writer {
+    user = vmail
+    mode = 0600
+  }
+}
+
+service submission-login {
+  inet_listener submission {
+    port = 0
+  }
+}
+
+service lmtp {
+  user = vmail
+  unix_listener lmtp {
+    mode = 0
+  }
+  unix_listener /var/spool/postfix-mda/private/dovecot-lmtpd {
+    user = postfix
+    mode = 0600
+  }
+  process_min_avail = 4
+}
+
+service imap {
+  unix_listener imap-master {
+    user = $default_internal_user
+    mode = 0600
+  }
+}
+service imap-hibernate {
+  unix_listener imap-hibernate {
+    # Match user running imap processes, cf.
+    # https://dovecot.org/pipermail/dovecot/2015-August/101783.html
+    user = vmail
+    mode = 0600
+  }
+}
+
+service auth {
+  unix_listener auth-userdb {
+    user = vmail
+    mode = 0600
+  }
+
+  # Postfix smtp-auth
+  unix_listener /var/spool/postfix-msa/private/dovecot-auth {
+    user = postfix
+    group = postfix
+    mode = 0600
+  }
+}
+
+service auth-worker {
+  user = $default_internal_user
+}
+
+
+mail_server_comment = "fripost - demokratisk e-post"
+mail_server_admin = mailto:postmaster@fripost.org
+
+mail_plugins = quota virtual zlib
+
+mail_location = mdbox:~/mail
+mdbox_preallocate_space = yes
+
+mail_attachment_dir = /home/mail/attachments
+mail_attachment_fs = sis-queue /home/mail/attachments/queue:posix
+mail_attachment_hash = %{sha256}
+
+sendmail_path = /usr/sbin/postmulti -i msa -x /usr/sbin/sendmail
+
+ssl = required
+# XXX `doveadm exec imap` fails with "ssl_key: Can't open file
+# /etc/dovecot/ssl/imap.fripost.org.key"
+# https://dovecot.org/pipermail/dovecot/2020-August/119642.html
+# TODO bookworm inline the include_try
+!include_try ../ssl/config
+ssl_dh = </etc/ssl/dhparams.pem
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+
+namespace inbox {
+  inbox = yes
+  separator = /
+
+  mailbox Drafts {
+    auto = create
+    special_use = \Drafts
+  }
+  mailbox Junk {
+    auto = create
+    special_use = \Junk
+  }
+  mailbox "Sent Messages" {
+    auto = no
+    special_use = \Sent
+  }
+  mailbox Sent {
+    auto = subscribe
+    special_use = \Sent
+  }
+  mailbox Trash {
+    auto = create
+    special_use = \Trash
+  }
+  mailbox virtual/All {
+    comment = All messages
+    special_use = \All
+  }
+  mailbox virtual/Flagged {
+    comment = All flagged messages
+    special_use = \Flagged
+  }
+}
+
+namespace virtual {
+  prefix = virtual/
+  separator = /
+  location = virtual:/etc/dovecot/virtual:INDEX=MEMORY
+  list = no
+  hidden = no
+  subscriptions = no
+}
+
+imap_hibernate_timeout = 15s
+protocol imap {
+  mail_plugins = $mail_plugins imap_zlib
+  mail_max_userip_connections = 16
+
+  ## TODO Load the 'antispam' plugin for people using the content filter.
+  ## (Otherwise fallback to the static userdb.)
+  #userdb {
+  #  driver = ldap
+  #  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
+  #
+  #  # Default fields can be used to specify defaults that LDAP may override
+  #  default_fields = home=/home/mail/virtual/%d/%n
+  #}
+}
+
+protocol lmtp {
+  postmaster_address = postmaster@fripost.org
+  # Space separated list of plugins to load (default is global mail_plugins).
+  mail_plugins = $mail_plugins sieve
+}
+
+plugin {
+  antispam_backend = spool2dir
+
+  antispam_trash = Trash
+  antispam_unsure_pattern_ignorecase = MailTrain;MailTrain/*
+  antispam_spam = Junk
+
+  # The first %%lu is replaced by the current time.
+  # The second %%lu is replaced by a counter to generate unique names.
+  # These two tokens MUST be present in the template!
+  antispam_spool2dir_spam    = /home/mail/spamspool/%u-%%10lu-%%06lu.spam
+  antispam_spool2dir_notspam = /home/mail/spamspool/%u-%%10lu-%%06lu.ham
+}
+
+plugin {
+  quota_rule = *:storage=0
+  quota = count:User quota
+  quota_vsizes = yes
+}
+
+plugin {
+  sieve = file:~/sieve;active=~/dovecot.sieve
+  sieve_extensions = +editheader
+  recipient_delimiter = +
+}
+
+plugin {
+  zlib_save = gz
+  zlib_save_level = 6
+}