diff options
Diffstat (limited to 'roles')
-rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf | 68 | ||||
-rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf | 21 | ||||
-rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext | 2 | ||||
-rw-r--r-- | roles/IMAP/files/etc/dovecot/dovecot-ldap-userdb.conf.ext | 84 | ||||
-rw-r--r-- | roles/IMAP/tasks/imap.yml | 12 | ||||
-rw-r--r-- | roles/common-LDAP/templates/etc/ldap/database.ldif.j2 | 7 |
6 files changed, 193 insertions, 1 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf new file mode 100644 index 0000000..6771cc7 --- /dev/null +++ b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf @@ -0,0 +1,68 @@ +## +## IMAP specific settings +## + +protocol imap { + # Maximum IMAP command line length. Some clients generate very long command + # lines with huge mailboxes, so you may need to raise this if you get + # "Too long argument" or "IMAP command line too large" errors often. + #imap_max_line_length = 64k + + # Maximum number of IMAP connections allowed for a user from each IP address. + # NOTE: The username is compared case-sensitively. + #mail_max_userip_connections = 10 + + # Space separated list of plugins to load (default is global mail_plugins). + #mail_plugins = $mail_plugins antispam + + # IMAP logout format string: + # %i - total number of bytes read from client + # %o - total number of bytes sent to client + #imap_logout_format = bytes=%i/%o + + # Override the IMAP CAPABILITY response. If the value begins with '+', + # add the given capabilities on top of the defaults (e.g. +XFOO XBAR). + #imap_capability = + + # How long to wait between "OK Still here" notifications when client is + # IDLEing. + #imap_idle_notify_interval = 2 mins + + # ID field names and values to send to clients. Using * as the value makes + # Dovecot use the default value. The following fields have default values + # currently: name, version, os, os-version, support-url, support-email. + #imap_id_send = + + # ID fields sent by client to log. * means everything. + #imap_id_log = + + # Workarounds for various client bugs: + # delay-newmail: + # Send EXISTS/RECENT new mail notifications only when replying to NOOP + # and CHECK commands. Some clients ignore them otherwise, for example OSX + # Mail (<v2.1). Outlook Express breaks more badly though, without this it + # may show user "Message no longer in server" errors. Note that OE6 still + # breaks even with this workaround if synchronization is set to + # "Headers Only". + # tb-extra-mailbox-sep: + # Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and + # adds extra '/' suffixes to mailbox names. This option causes Dovecot to + # ignore the extra '/' instead of treating it as invalid mailbox name. + # tb-lsub-flags: + # Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox). + # This makes Thunderbird realize they aren't selectable and show them + # greyed out, instead of only later giving "not selectable" popup error. + # + # The list is space-separated. + #imap_client_workarounds = + + # Load the 'antispam' plugin for people using the content filter. + # (Otherwise fallback to the static userdb.) + userdb { + driver = ldap + args = /etc/dovecot/dovecot-ldap-userdb.conf.ext + + # Default fields can be used to specify defaults that LDAP may override + default_fields = home=/home/mail/%d/%n + } +} diff --git a/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf b/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf new file mode 100644 index 0000000..6e60f0f --- /dev/null +++ b/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf @@ -0,0 +1,21 @@ +## +## Plugin settings +## + +# All wanted plugins must be listed in mail_plugins setting before any of the +# settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and +# their configuration. Note that %variable expansion is done for all values. + +plugin { + antispam_backend = spool2dir + + antispam_trash = TRASH + antispam_unsure_pattern_ignorecase = MailTrain;MailTrain/* + antispam_spam = SPAM + + # The first %%lu is replaced by the current time. + # The second %%lu is replaced by a counter to generate unique names. + # These two tokens MUST be present in the template! + antispam_spool2dir_spam = /home/mail/spamspool/%u-%%10lu-%%06lu.spam + antispam_spool2dir_notspam = /home/mail/spamspool/%u-%%10lu-%%06lu.ham +} diff --git a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext index 8e88b27..15eb306 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext +++ b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext @@ -23,7 +23,7 @@ passdb { # args = /etc/dovecot/dovecot-ldap-userdb.conf.ext # # # Default fields can be used to specify defaults that LDAP may override -# #default_fields = home=/home/virtual/%u +# default_fields = home=/home/mail/%d/%n #} # If you don't have any user-specific settings, you can avoid the userdb LDAP diff --git a/roles/IMAP/files/etc/dovecot/dovecot-ldap-userdb.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-ldap-userdb.conf.ext new file mode 100644 index 0000000..6c39bf6 --- /dev/null +++ b/roles/IMAP/files/etc/dovecot/dovecot-ldap-userdb.conf.ext @@ -0,0 +1,84 @@ +# This file is opened as root, so it should be owned by root and mode 0600. +# +# http://wiki2.dovecot.org/AuthDatabase/LDAP/Userdb + +# Space separated list of LDAP hosts to use. host:port is allowed too. +#hosts = + +# LDAP URIs to use. You can use this instead of hosts list. Note that this +# setting isn't supported by all LDAP libraries. +uris = ldapi:// + +# Distinguished Name - the username used to login to the LDAP server. +# Leave it commented out to bind anonymously. +#dn = + +# Password for LDAP server, if dn is specified. +#dnpass = + +# Use SASL binding instead of the simple binding. Note that this changes +# ldap_version automatically to be 3 if it's lower. Also note that SASL binds +# and auth_bind=yes don't work together. +sasl_bind = yes +# SASL mechanism name to use. +sasl_mech = EXTERNAL +# SASL realm to use. +#sasl_realm = +# SASL authorization ID, ie. the dnpass is for this "master user", but the +# dn is still the logged in user. Normally you want to keep this empty. +#sasl_authz_id = + +# Use TLS to connect to the LDAP server. +#tls = no +# TLS options, currently supported only with OpenLDAP: +#tls_ca_cert_file = +#tls_ca_cert_dir = +#tls_cipher_suite = +# TLS cert/key is used only if LDAP server requires a client certificate. +#tls_cert_file = +#tls_key_file = +# Valid values: never, hard, demand, allow, try +#tls_require_cert = + +# Use the given ldaprc path. +#ldaprc_path = + +# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h. +# -1 = everything. You may need to recompile OpenLDAP with debugging enabled +# to get enough output. +#debug_level = 0 + +# LDAP protocol version to use. Likely 2 or 3. +ldap_version = 3 + +# LDAP base. %variables can be used here. +# For example: dc=mail, dc=example, dc=org +base = fvl=%n,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org + +# Dereference: never, searching, finding, always +deref = never + +# Search scope: base, onelevel, subtree +scope = base + +# User attributes are given in LDAP-name=dovecot-internal-name list. The +# internal names are: +# uid - System UID +# gid - System GID +# home - Home directory +# mail - Mail location +# +# There are also other special fields which can be returned, see +# http://wiki2.dovecot.org/UserDatabase/ExtraFields +user_attrs = =mail_plugins=antispam + +# Filter for user lookup. Some variables can be used (see +# http://wiki2.dovecot.org/Variables for full list): +# %u - username +# %n - user part in user@domain, same as %u if there's no domain +# %d - domain part in user@domain, empty if user there's no domain +user_filter = (&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)) + +# Attributes and filter to get a list of all users +#iterate_attrs = uid=user +#iterate_filter = (objectClass=posixAccount) diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml index d8bb352..e39e4bf 100644 --- a/roles/IMAP/tasks/imap.yml +++ b/roles/IMAP/tasks/imap.yml @@ -5,6 +5,7 @@ - dovecot-ldap - dovecot-imapd - dovecot-lmtpd + - dovecot-antispam - name: Create a user 'vmail' user: name=vmail system=yes @@ -42,6 +43,14 @@ - recent - unseen +- name: Create directory /home/mail/spamspool + # There is no possibility for a name clash, since 'spamspool' isn't a + # valid domain + file: path=/home/mail/spamspool + state=directory + owner=vmail group=vmail + mode=0700 + - name: Configure Dovecot copy: src=etc/dovecot/{{ item }} dest=/etc/dovecot/{{ item }} @@ -55,9 +64,12 @@ - conf.d/10-master.conf - conf.d/10-ssl.conf - conf.d/15-mailboxes.conf + - conf.d/20-imap.conf - conf.d/20-lmtp.conf + - conf.d/90-plugin.conf - conf.d/auth-ldap.conf.ext - dovecot-ldap.conf.ext + - dovecot-ldap-userdb.conf.ext notify: - Restart Dovecot diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 index c7a4379..56cd110 100644 --- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 +++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 @@ -147,6 +147,13 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)) by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" =rsd by users =0 break +# +# The following is required for the userdb +olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" + attrs=entry,objectClass + filter=(objectClass=FripostVirtualUser) + by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" =rsd + by users =0 break {% endif %} # # Anonymous can authenticate into the services. (But not read or write the password.) |