summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
Diffstat (limited to 'roles')
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf6
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf9
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf28
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf8
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/15-lda.conf4
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/15-mailboxes.conf53
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf20
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf7
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf10
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf165
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext3
-rw-r--r--roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext3
-rwxr-xr-xroles/IMAP/files/usr/local/bin/dovecot-auth-proxy.pl14
-rw-r--r--roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j217
-rw-r--r--roles/IMAP/templates/etc/postfix/main.cf.j28
-rw-r--r--roles/MSA/templates/etc/postfix/main.cf.j29
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j22
-rw-r--r--roles/common/files/etc/fail2ban/filter.d/dovecot.conf34
-rw-r--r--roles/common/files/etc/logcheck/ignore.d.server/dovecot-local33
-rw-r--r--roles/common/files/etc/logcheck/ignore.d.server/postfix-local7
-rw-r--r--roles/common/tasks/fail2ban.yml1
-rw-r--r--roles/common/templates/etc/fail2ban/jail.local.j22
-rw-r--r--roles/common/templates/etc/iptables/services.j21
-rw-r--r--roles/lacme/templates/etc/lacme/lacme-certs.conf.j22
24 files changed, 332 insertions, 114 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf
index d4f323d..7213fbb 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf
@@ -73,7 +73,7 @@ auth_username_format = %Lu
# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
-#auth_krb5_keytab =
+#auth_krb5_keytab =
# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
@@ -88,9 +88,9 @@ auth_username_format = %Lu
# Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no
-# Take the username from client's SSL certificate, using
+# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
-# CommonName.
+# CommonName.
#auth_ssl_username_from_cert = no
# Space separated list of wanted authentication mechanisms:
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf
index c611bfc..848fe69 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-logging.conf
@@ -7,9 +7,9 @@
#log_path = syslog
# Log file to use for informational messages. Defaults to log_path.
-#info_log_path =
+#info_log_path =
# Log file to use for debug messages. Defaults to info_log_path.
-#debug_log_path =
+#debug_log_path =
# Syslog facility to use if you're logging to syslog. Usually if you don't
# want to use "mail", you'll use local0..local7. Also other standard
@@ -69,12 +69,13 @@ log_timestamp = "%Y-%m-%d %H:%M:%S "
# Login log format. %s contains login_log_format_elements string, %$ contains
# the data we want to log.
#login_log_format = %$: %s
-
+
# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
# possible variables you can use.
#mail_log_prefix = "%s(%u): "
-# Format to use for logging mail deliveries. You can use variables:
+# Format to use for logging mail deliveries. See doc/wiki/Variables.txt for
+# list of all variables you can use. Some of the common ones include:
# %$ - Delivery status message (e.g. "saved to INBOX")
# %m - Message-ID
# %s - Subject
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf
index 2e68df4..a781402 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf
@@ -50,7 +50,7 @@ namespace inbox {
# Prefix required to access this namespace. This needs to be different for
# all namespaces. For example "Public/".
- #prefix =
+ #prefix =
# Physical location of the mailbox. This is in same format as
# mail_location, which is also the default for it.
@@ -133,10 +133,22 @@ mail_gid = vmail
# or ~user/.
#mail_full_filesystem_access = no
-# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but
-# soon intended to be used by METADATA as well.
+# Dictionary for key=value mailbox attributes. This is used for example by
+# URLAUTH and METADATA extensions.
#mail_attribute_dict =
+# A comment or note that is associated with the server. This value is
+# accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/comment".
+mail_server_comment = "fripost - demokratisk e-post"
+
+# Indicates a method for contacting the server administrator. According to
+# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
+# is currently not enforced. Use for example mailto:admin@example.com. This
+# value is accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/admin".
+mail_server_admin = mailto:postmaster@fripost.org
+
##
## Mail processes
##
@@ -188,7 +200,7 @@ first_valid_uid = 1
# WARNING: Never add directories here which local users can modify, that
# may lead to root exploit. Usually this should be done only if you don't
# allow shell access for users. <doc/wiki/Chrooting.txt>
-#valid_chroot_dirs =
+#valid_chroot_dirs =
# Default chroot directory for mail processes. This can be overridden for
# specific users in user database by giving /./ in user's home directory
@@ -196,7 +208,7 @@ first_valid_uid = 1
# need to do chrooting, Dovecot doesn't allow users to access files outside
# their mail directory anyway. If your home directories are prefixed with
# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
-#mail_chroot =
+#mail_chroot =
# UNIX socket path to master authentication server to find users.
# This is used by imap (for shared users) and lda.
@@ -207,7 +219,7 @@ first_valid_uid = 1
# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
-mail_plugins = stats virtual zlib
+mail_plugins = quota stats virtual zlib
##
## Mailbox handling optimizations
@@ -224,7 +236,7 @@ mailbox_list_index = yes
# When IDLE command is running, mailbox is checked once in a while to see if
# there are any new mails or other changes. This setting defines the minimum
-# time to wait between those checks. Dovecot can also use dnotify, inotify and
+# time to wait between those checks. Dovecot can also use inotify and
# kqueue to find out immediately when changes occur.
#mailbox_idle_check_interval = 30 secs
@@ -313,7 +325,7 @@ mailbox_list_index = yes
# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
# how it's expected to be. The only real downside to this setting is that if
# some other MUA changes message flags, Dovecot doesn't notice it immediately.
-# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
# commands.
#mbox_dirty_syncs = yes
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index dc0b5bf..250eec5 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -21,7 +21,7 @@ ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
-#ssl_ca =
+#ssl_ca =
# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes
@@ -46,7 +46,7 @@ ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
ssl_dh_parameters_length = 2048
# SSL protocols to use
-ssl_protocols = !SSLv2 !SSLv3
+#ssl_protocols = !SSLv3
# SSL ciphers to use
ssl_cipher_list = HIGH:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH
@@ -56,3 +56,7 @@ ssl_cipher_list = HIGH:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
+
+# SSL extra options. Currently supported options are:
+# no_compression - Disable compression.
+ssl_options = no_compression
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/15-lda.conf b/roles/IMAP/files/etc/dovecot/conf.d/15-lda.conf
index bdf045d..2a7bd27 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/15-lda.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/15-lda.conf
@@ -8,7 +8,7 @@
# Hostname to use in various parts of sent mails (e.g. in Message-Id) and
# in LMTP replies. Default is the system's real hostname@domain.
-#hostname =
+#hostname =
# If user is over quota, return with temporary failure instead of
# bouncing the mail.
@@ -32,7 +32,7 @@ sendmail_path = /usr/sbin/postmulti -i msa -x /usr/sbin/sendmail
#recipient_delimiter = +
# Header where the original recipient address (SMTP's RCPT TO: address) is taken
-# from if not available elsewhere. With dovecot-lda -a parameter overrides this.
+# from if not available elsewhere. With dovecot-lda -a parameter overrides this.
# A commonly used header for this is X-Original-To.
#lda_original_recipient_header =
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/15-mailboxes.conf b/roles/IMAP/files/etc/dovecot/conf.d/15-mailboxes.conf
index 6aa5c22..9c330be 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/15-mailboxes.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/15-mailboxes.conf
@@ -2,19 +2,48 @@
## Mailbox definitions
##
+# Each mailbox is specified in a separate mailbox section. The section name
+# specifies the mailbox name. If it has spaces, you can put the name
+# "in quotes". These sections can contain the following mailbox settings:
+#
+# auto:
+# Indicates whether the mailbox with this name is automatically created
+# implicitly when it is first accessed. The user can also be automatically
+# subscribed to the mailbox after creation. The following values are
+# defined for this setting:
+#
+# no - Never created automatically.
+# create - Automatically created, but no automatic subscription.
+# subscribe - Automatically created and subscribed.
+#
+# special_use:
+# A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
+# mailbox. There are no validity checks, so you could specify anything
+# you want in here, but it's not a good idea to use flags other than the
+# standard ones specified in the RFC:
+#
+# \All - This (virtual) mailbox presents all messages in the
+# user's message store.
+# \Archive - This mailbox is used to archive messages.
+# \Drafts - This mailbox is used to hold draft messages.
+# \Flagged - This (virtual) mailbox presents all messages in the
+# user's message store marked with the IMAP \Flagged flag.
+# \Junk - This mailbox is where messages deemed to be junk mail
+# are held.
+# \Sent - This mailbox is used to hold copies of messages that
+# have been sent.
+# \Trash - This mailbox is used to hold messages that have been
+# deleted.
+#
+# comment:
+# Defines a default comment or note associated with the mailbox. This
+# value is accessible through the IMAP METADATA mailbox entries
+# "/shared/comment" and "/private/comment". Users with sufficient
+# privileges can override the default value for entries with a custom
+# value.
+
# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
namespace inbox {
-
- #mailbox name {
- # auto=create will automatically create this mailbox.
- # auto=subscribe will both create and subscribe to the mailbox.
- #auto = no
-
- # Space separated list of IMAP SPECIAL-USE attributes as specified by
- # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash
- #special_use =
- #}
-
# These mailboxes are widely used and could perhaps be created automatically:
mailbox Trash {
auto = create
@@ -36,10 +65,12 @@ namespace inbox {
# If you have a virtual "All messages" mailbox:
mailbox virtual/All {
special_use = \All
+ comment = All messages
}
# If you have a virtual "Flagged" mailbox:
mailbox virtual/Flagged {
special_use = \Flagged
+ comment = All flagged messages
}
}
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf
index b62f6ef..3ddedce 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf
@@ -2,6 +2,12 @@
## IMAP specific settings
##
+# If nothing happens for this long while client is IDLEing, move the connection
+# to imap-hibernate process and close the old imap process. This saves memory,
+# because connections use very little memory in imap-hibernate process. The
+# downside is that recreating the imap process back uses some resources.
+imap_hibernate_timeout = 15s
+
# Maximum IMAP command line length. Some clients generate very long command
# lines with huge mailboxes, so you may need to raise this if you get
# "Too long argument" or "IMAP command line too large" errors often.
@@ -10,11 +16,19 @@
# IMAP logout format string:
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
+# %{fetch_hdr_count} - Number of mails with mail header data sent to client
+# %{fetch_hdr_bytes} - Number of bytes with mail header data sent to client
+# %{fetch_body_count} - Number of mails with mail body data sent to client
+# %{fetch_body_bytes} - Number of bytes with mail body data sent to client
+# %{deleted} - Number of mails where client added \Deleted flag
+# %{expunged} - Number of mails that client expunged
+# %{trashed} - Number of mails that client copied/moved to the
+# special_use=\Trash mailbox.
#imap_logout_format = in=%i out=%o
# Override the IMAP CAPABILITY response. If the value begins with '+',
# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
-#imap_capability =
+#imap_capability =
# How long to wait between "OK Still here" notifications when client is
# IDLEing.
@@ -23,7 +37,7 @@
# ID field names and values to send to clients. Using * as the value makes
# Dovecot use the default value. The following fields have default values
# currently: name, version, os, os-version, support-url, support-email.
-#imap_id_send =
+#imap_id_send =
# ID fields sent by client to log. * means everything.
#imap_id_log =
@@ -46,7 +60,7 @@
# greyed out, instead of only later giving "not selectable" popup error.
#
# The list is space-separated.
-#imap_client_workarounds =
+#imap_client_workarounds =
# Host allowed in URLAUTH URLs sent by client. "*" allows all.
#imap_urlauth_host =
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf b/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf
index cd48ab8..8fc5fa0 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf
@@ -13,6 +13,13 @@
# Verify quota before replying to RCPT TO. This adds a small overhead.
#lmtp_rcpt_check_quota = no
+# Which recipient address to use for Delivered-To: header and Received:
+# header. The default is "final", which is the same as the one given to
+# RCPT TO command. "original" uses the address given in RCPT TO's ORCPT
+# parameter, "none" uses nothing. Note that "none" is currently always used
+# when a mail has multiple recipients.
+#lmtp_hdr_delivery_address = final
+
protocol lmtp {
postmaster_address = postmaster@fripost.org
# Space separated list of plugins to load (default is global mail_plugins).
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf b/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf
index b6fcd3b..9583b6d 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/90-plugin.conf
@@ -19,13 +19,15 @@ plugin {
antispam_spool2dir_spam = /home/mail/spamspool/%u-%%10lu-%%06lu.spam
antispam_spool2dir_notspam = /home/mail/spamspool/%u-%%10lu-%%06lu.ham
-
- zlib_save = gz
- zlib_save_level = 6
-
+ quota_rule = *:storage=0
+ quota = count:User quota
+ quota_vsizes = yes
# how often to session statistics
stats_refresh = 30 secs
# track per-IMAP command statistics
stats_track_cmds = yes
+
+ zlib_save = gz
+ zlib_save_level = 6
}
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf b/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf
index afee135..c1ff93e 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf
@@ -5,39 +5,81 @@
# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
# by adding it to the respective mail_plugins= settings.
+# The Sieve interpreter can retrieve Sieve scripts from several types of
+# locations. The default `file' location type is a local filesystem path
+# pointing to a Sieve script file or a directory containing multiple Sieve
+# script files. More complex setups can use other location types such as
+# `ldap' or `dict' to fetch Sieve scripts from remote databases.
+#
+# All settings that specify the location of one ore more Sieve scripts accept
+# the following syntax:
+#
+# location = [<type>:]path[;<option>[=<value>][;...]]
+#
+# If the type prefix is omitted, the script location type is 'file' and the
+# location is interpreted as a local filesystem path pointing to a Sieve script
+# file or directory. Refer to Pigeonhole wiki or INSTALL file for more
+# information.
+
plugin {
- # The path to the user's main active script. If ManageSieve is used, this the
- # location of the symbolic link controlled by ManageSieve.
- sieve = ~/dovecot.sieve
-
- # The default Sieve script when the user has none. This is a path to a global
- # sieve script file, which gets executed ONLY if user's private Sieve script
- # doesn't exist. Be sure to pre-compile this script manually using the sievec
- # command line tool.
- # --> See sieve_before fore executing scripts before the user's personal
+ # The location of the user's main Sieve script or script storage. The LDA
+ # Sieve plugin uses this to find the active script for Sieve filtering at
+ # delivery. The "include" extension uses this location for retrieving
+ # :personal" scripts. This is also where the ManageSieve service will store
+ # the user's scripts, if supported.
+ #
+ # Currently only the 'file:' location type supports ManageSieve operation.
+ # Other location types like 'dict:' and 'ldap:' can currently only
+ # be used as a read-only script source ().
+ #
+ # For the 'file:' type: use the ';active=' parameter to specify where the
+ # active script symlink is located.
+ # For other types: use the ';name=' parameter to specify the name of the
+ # default/active script.
+ sieve = file:~/sieve;active=~/dovecot.sieve
+
+ # The default Sieve script when the user has none. This is the location of a
+ # global sieve script file, which gets executed ONLY if user's personal Sieve
+ # script doesn't exist. Be sure to pre-compile this script manually using the
+ # sievec command line tool if the binary is not stored in a global location.
+ # --> See sieve_before for executing scripts before the user's personal
# script.
#sieve_default = /var/lib/dovecot/sieve/default.sieve
- # Directory for :personal include scripts for the include extension. This
- # is also where the ManageSieve service stores the user's scripts.
- sieve_dir = ~/sieve
-
- # Directory for :global include scripts for the include extension.
- #sieve_global_dir =
-
- # Path to a script file or a directory containing script files that need to be
- # executed before the user's script. If the path points to a directory, all
- # the Sieve scripts contained therein (with the proper .sieve extension) are
- # executed. The order of execution within a directory is determined by the
- # file names, using a normal 8bit per-character comparison. Multiple script
- # file or directory paths can be specified by appending an increasing number.
- #sieve_before =
- #sieve_before2 =
+ # The name by which the default Sieve script (as configured by the
+ # sieve_default setting) is visible to the user through ManageSieve.
+ #sieve_default_name =
+
+ # Location for ":global" include scripts as used by the "include" extension.
+ #sieve_global =
+
+ # The location of a Sieve script that is run for any message that is about to
+ # be discarded; i.e., it is not delivered anywhere by the normal Sieve
+ # execution. This only happens when the "implicit keep" is canceled, by e.g.
+ # the "discard" action, and no actions that deliver the message are executed.
+ # This "discard script" can prevent discarding the message, by executing
+ # alternative actions. If the discard script does nothing, the message is
+ # still discarded as it would be when no discard script is configured.
+ #sieve_discard =
+
+ # Location Sieve of scripts that need to be executed before the user's
+ # personal script. If a 'file' location path points to a directory, all the
+ # Sieve scripts contained therein (with the proper `.sieve' extension) are
+ # executed. The order of execution within that directory is determined by the
+ # file names, using a normal 8bit per-character comparison.
+ #
+ # Multiple script locations can be specified by appending an increasing number
+ # to the setting name. The Sieve scripts found from these locations are added
+ # to the script execution sequence in the specified order. Reading the
+ # numbered sieve_before settings stops at the first missing setting, so no
+ # numbers may be skipped.
+ #sieve_before = /var/lib/dovecot/sieve.d/
+ #sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
#sieve_before3 = (etc...)
# Identical to sieve_before, only the specified scripts are executed after the
- # user's script (only when keep is still in effect!). Multiple script file or
- # directory paths can be specified by appending an increasing number.
+ # user's script (only when keep is still in effect!). Multiple script
+ # locations can be specified by appending an increasing number.
#sieve_after =
#sieve_after2 =
#sieve_after2 = (etc...)
@@ -48,7 +90,7 @@ plugin {
# to disable certain Sieve extensions or enable those that are not available
# by default. This setting can use '+' and '-' to specify differences relative
# to the default. For example `sieve_extensions = +imapflags' will enable the
- # deprecated imapflags extension in addition to all extensions were already
+ # deprecated imapflags extension in addition to all extensions were already
# enabled by default.
sieve_extensions = +editheader
@@ -68,7 +110,7 @@ plugin {
# setting, the used plugins can be specified. Check the Dovecot wiki
# (wiki2.dovecot.org) or the pigeonhole website
# (http://pigeonhole.dovecot.org) for available plugins.
- # The sieve_extprograms plugin is included in this release.
+ # The sieve_extprograms plugin is included in this release.
#sieve_plugins =
# The separator that is expected between the :user and :detail
@@ -102,4 +144,71 @@ plugin {
# set to 0, no limit on the used amount of disk storage is enforced.
# (Currently only relevant for ManageSieve)
#sieve_quota_max_storage = 0
+
+ # The primary e-mail address for the user. This is used as a default when no
+ # other appropriate address is available for sending messages. If this setting
+ # is not configured, either the postmaster or null "<>" address is used as a
+ # sender, depending on the action involved. This setting is important when
+ # there is no message envelope to extract addresses from, such as when the
+ # script is executed in IMAP.
+ #sieve_user_email =
+
+ # The path to the file where the user log is written. If not configured, a
+ # default location is used. If the main user's personal Sieve (as configured
+ # with sieve=) is a file, the logfile is set to <filename>.log by default. If
+ # it is not a file, the default user log file is ~/.dovecot.sieve.log.
+ #sieve_user_log =
+
+ # Specifies what envelope sender address is used for redirected messages.
+ # The following values are supported for this setting:
+ #
+ # "sender" - The sender address is used (default).
+ # "recipient" - The final recipient address is used.
+ # "orig_recipient" - The original recipient is used.
+ # "user_email" - The user's primary address is used. This is
+ # configured with the "sieve_user_email" setting. If
+ # that setting is unconfigured, "user_mail" is equal to
+ # "recipient".
+ # "postmaster" - The postmaster_address configured for the LDA.
+ # "<user@domain>" - Redirected messages are always sent from user@domain.
+ # The angle brackets are mandatory. The null "<>" address
+ # is also supported.
+ #
+ # This setting is ignored when the envelope sender is "<>". In that case the
+ # sender of the redirected message is also always "<>".
+ #sieve_redirect_envelope_from = sender
+
+ ## TRACE DEBUGGING
+ # Trace debugging provides detailed insight in the operations performed by
+ # the Sieve script. These settings apply to both the LDA Sieve plugin and the
+ # IMAPSIEVE plugin.
+ #
+ # WARNING: On a busy server, this functionality can quickly fill up the trace
+ # directory with a lot of trace files. Enable this only temporarily and as
+ # selective as possible.
+
+ # The directory where trace files are written. Trace debugging is disabled if
+ # this setting is not configured or if the directory does not exist. If the
+ # path is relative or it starts with "~/" it is interpreted relative to the
+ # current user's home directory.
+ #sieve_trace_dir =
+
+ # The verbosity level of the trace messages. Trace debugging is disabled if
+ # this setting is not configured. Possible values are:
+ #
+ # "actions" - Only print executed action commands, like keep,
+ # fileinto, reject and redirect.
+ # "commands" - Print any executed command, excluding test commands.
+ # "tests" - Print all executed commands and performed tests.
+ # "matching" - Print all executed commands, performed tests and the
+ # values matched in those tests.
+ #sieve_trace_level =
+
+ # Enables highly verbose debugging messages that are usually only useful for
+ # developers.
+ #sieve_trace_debug = no
+
+ # Enables showing byte code addresses in the trace output, rather than only
+ # the source line numbers.
+ #sieve_trace_addresses = no
}
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
index 9917753..8c33c6d 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
+++ b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
@@ -18,9 +18,6 @@ passdb {
#userdb {
# driver = ldap
-# # This should be a different file from the passdb's, in order to perform
-# # asynchronous requests.
-#
# args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
#
# # Default fields can be used to specify defaults that LDAP may override
diff --git a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
index 72f4604..1b97a0e 100644
--- a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
+++ b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
@@ -31,8 +31,7 @@ uris = ldapi://
#dnpass =
# Use SASL binding instead of the simple binding. Note that this changes
-# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
-# and auth_bind=yes don't work together.
+# ldap_version automatically to be 3 if it's lower.
#sasl_bind = no
# SASL mechanism name to use.
#sasl_mech =
diff --git a/roles/IMAP/files/usr/local/bin/dovecot-auth-proxy.pl b/roles/IMAP/files/usr/local/bin/dovecot-auth-proxy.pl
index 399e65f..5b2c74e 100755
--- a/roles/IMAP/files/usr/local/bin/dovecot-auth-proxy.pl
+++ b/roles/IMAP/files/usr/local/bin/dovecot-auth-proxy.pl
@@ -74,15 +74,15 @@ sub server() {
next;
}
# <major-version> <minor-version> <value type>
- unless ($1 == 2 and $2 == 0 and $3 == 0) {
+ unless ($1 == 2 and $2 == 1 and $3 == 0) {
warn "Unsupported protocol version $1.$2 (or value type $3)\n";
close $conn or warn "Can't close: $!";
next;
}
my $cmd = $conn->getline() // '';
- if ($cmd =~ /\AI(\d+)\t(.*)\n\z/) {
- iterate($conn, $1, $2);
+ if ($cmd =~ /\AI(\d+)\t(\d+)\t(.*)\n\z/) {
+ iterate($conn, $1, $2, $3);
}
else {
fail($conn => "Unknown command line: $cmd");
@@ -98,8 +98,8 @@ sub fail($;$) {
}
# list all users, even the inactive ones
-sub iterate($$$) {
- my ($fh, $flags, $prefix) = @_;
+sub iterate($$$$) {
+ my ($fh, $flags, $max_rows, $prefix) = @_;
unless ($flags == 0) {
fail($fh => "Unsupported iterate flags $flags");
return;
@@ -109,17 +109,19 @@ sub iterate($$$) {
fail($fh => "opendir: $!");
return;
};
+ my $count = 0;
while (defined (my $d = readdir $dh)) {
next if $d eq '.' or $d eq '..';
opendir my $dh, $d or do {
fail($fh => "opendir: $!");
return;
};
- while (defined (my $l = readdir $dh)) {
+ while (defined (my $l = readdir $dh) and ($max_rows <= 0 or $count < $max_rows)) {
next if $l eq '.' or $l eq '..';
my $user = $l.'@'.$d;
next unless $user =~ /\A[a-zA-Z0-9\.\-_@]+\z/; # skip invalid user names
$fh->printf("O%s%s\t\n", $prefix, $user);
+ $count++;
}
closedir $dh or warn "closedir: $!";
}
diff --git a/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2 b/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2
index b7aead3..1bf13b0 100644
--- a/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2
+++ b/roles/IMAP/templates/etc/dovecot/conf.d/10-master.conf.j2
@@ -57,7 +57,6 @@ service lmtp {
user = vmail
unix_listener /var/spool/postfix-{{ postfix_instance.IMAP.name }}/private/dovecot-lmtpd {
- group = postfix
user = postfix
mode = 0600
}
@@ -80,6 +79,18 @@ service imap {
# Max. number of IMAP processes (connections)
#process_limit = 1024
+
+ unix_listener imap-master {
+ user = $default_internal_user
+ mode = 0600
+ }
+}
+
+service imap-hibernate {
+ unix_listener imap-hibernate {
+ user = vmail
+ mode = 0600
+ }
}
service pop3 {
@@ -102,14 +113,12 @@ service auth {
# something else than 0666 and Dovecot lets the kernel enforce the
# permissions (e.g. 0777 allows everyone full permissions).
unix_listener auth-userdb {
- mode = 0600
user = vmail
- group = root
+ mode = 0600
}
# Postfix smtp-auth
unix_listener /var/spool/postfix-{{ postfix_instance.MSA.name }}/private/dovecot-auth {
- group = postfix
user = postfix
mode = 0600
}
diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index f819b19..2105d29 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -4,9 +4,11 @@
# {{ ansible_managed }}
# Do NOT edit this file directly!
-smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
-biff = no
-readme_directory = no
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+readme_directory = no
+compatibility_level = 2
+smtputf8_enable = no
delay_warning_time = 4h
maximal_queue_lifetime = 5d
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index b54f84c..50ea6b0 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -4,9 +4,11 @@
# {{ ansible_managed }}
# Do NOT edit this file directly!
-smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
-biff = no
-readme_directory = no
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+readme_directory = no
+compatibility_level = 2
+smtputf8_enable = no
delay_warning_time = 4h
maximal_queue_lifetime = 5d
@@ -89,6 +91,7 @@ address_verify_sender_ttl = 8069m
address_verify_negative_refresh_time = 5m
unverified_recipient_defer_code = 250
unverified_recipient_reject_code = 550
+address_verify_map = lmdb:$data_directory/verify_cache
smtpd_client_restrictions =
permit_sasl_authenticated
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 7372304..b9f282f 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -36,7 +36,7 @@ olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key
olcTLSVerifyClient: try
olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem
olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$"
- "$1,dc=fripost,dc=org"
+ "dn.exact:$1,dc=fripost,dc=org"
olcSaslSecProps: minssf=128,noanonymous,noplain,nodict
olcTLSCipherSuite: PFS:%LATEST_RECORD_VERSION:!CIPHER-ALL:+AES-128-GCM:+AES-256-GCM:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1
{% endif %}
diff --git a/roles/common/files/etc/fail2ban/filter.d/dovecot.conf b/roles/common/files/etc/fail2ban/filter.d/dovecot.conf
new file mode 100644
index 0000000..4d4ea16
--- /dev/null
+++ b/roles/common/files/etc/fail2ban/filter.d/dovecot.conf
@@ -0,0 +1,34 @@
+# Fail2Ban filter Dovecot authentication and pop3/imap server
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (auth|dovecot(-auth)?|auth-worker)
+
+# Take the filter from Stretch and add managesieve to the list of protected services
+failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
+ ^%(__prefix_line)s(?:pop3|imap|managesieve)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
+ ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
+ ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
+ ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
+
+ignoreregex =
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=dovecot.service
+
+# DEV Notes:
+# * the first regex is essentially a copy of pam-generic.conf
+# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
+# * Removed the 'no auth attempts' log lines from the matches because produces
+# lots of false positives on misconfigured MTAs making regexp unusable
+#
+# Author: Martin Waschbuesch
+# Daniel Black (rewrote with begin and end anchors)
+# Martin O'Neal (added LDAP authentication failure regex)
+# Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local b/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local
index aca4794..66c8101 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local
@@ -1,28 +1,17 @@
# Ansible Managed
# Do NOT edit this file directly!
#
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Disconnected(: Logged out| for inactivity( in reading our output)?|: Disconnected( in [[:upper:]]+)?| in [[:upper:]]+( \([[:digit:]]+ msgs, [[:digit:]]+ secs, [[:digit:]]+/[[:digit:]]+ bytes\))?|: Too many invalid IMAP commands\.|: IMAP session state is inconsistent, please relogin\.)? in=[[:digit:]]+ out=[[:digit:]]+$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: managesieve\([-_.@[:alnum:]]+\): (Connection closed|Disconnected for inactivity) bytes=[[:digit:]]+/[[:digit:]]+$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed(: Connection reset by peer|: Invalid argument)?( in=[[:digit:]]+ out=[[:digit:]]+)?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Login: user=<[^>]*>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, mpid=[0-9]+(, (TLS|secured)(: Disconnected)?, session=<[^>]+>)?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Aborted login( \(auth failed, [[:digit:]]+ attempts in [[:digit:]]+ secs\))?: (user=<[^>]*>, method=[[:alnum:]-]+, )?rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, TLS, session=<[^>]+>$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? (\(no auth attempts in [[:digit:]]+ secs\):( user=<>,)?|\(auth failed, [[:digit:]]+ attempts in [[:digit:]]+ secs\): user=<[^>]*>, method=PLAIN,|\(aborted authentication\): method=PLAIN,) rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|SSL)( handshaking)?(: SSL_(accept|read)\(\) (syscall failed: Connection reset by peer|failed: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure: SSL alert number 10|failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42|failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46|failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48|failed: error:[[:xdigit:]]+:SSL routines:SSL2?3_GET_CLIENT_HELLO:(unknown protocol|unsupported protocol|http request|no shared cipher|wrong version number)|failed: error:[[:xdigit:]]+:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback)|: Disconnected)?|, secured)?, session=<[^>]+>$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: Warning: auth client [[:digit:]]+ disconnected with [[:digit:]]+ pending requests: EOF$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Warning: Auth connection closed with [[:digit:]]+ pending requests \(max [[:digit:]]+ secs, pid=[[:digit:]]+, EOF\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected \((auth process communication failure|client didn't finish SASL auth, waited [[:digit:]]+ secs)\): user=<>, method=PLAIN, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured)(: SSL_read\(\) syscall failed: Connection reset by peer|: Disconnected)?, session=<[^>]+>)?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Error: SSL: Stacked error: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message: SSL alert number 10$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: (Disconnected: Inactivity during authentication|Aborted login) \(client didn't finish SASL auth, waited [[:digit:]]+ secs\): user=<[^>]*>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured)(: Disconnected)?, session=<[^>]+>)?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected \(tried to use unsupported auth mechanism\): user=<>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured), session=<[^>]+>)?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([0-9]+, [-_.@[:alnum:]]+\): [^:]{22}: msgid=<?.*>?( \((added by [^[:space:]]+|sfid-[_[:xdigit:]]+)\)?)?[[:space:]]*: (saved mail to [-_.[:alnum:]]+|(forwarded|discarded duplicate forward) to <[^[:space:]]+>)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Maximum number of connections from user\+IP exceeded \(mail_max_userip_connections=[[:digit:]]+\): user=<[^>]*>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured), session=<[^>]+>)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): (Logged out|Disconnected for inactivity) in=[[:digit:]]+ out=[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed( \(IDLE running for .*\))? in=[[:digit:]]+ out=[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-hibernate\([-_.@[:alnum:]]+\): Connection closed in=[[:digit:]]+ out=[[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Login: user=<[^>]*>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, mpid=[0-9]+, (TLS|secured), session=<[^>]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: (Aborted login|Disconnected) \(auth failed, [[:digit:]]+ attempts in [[:digit:]]+ secs\): user=<[^>]*>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS(: Disconnected)?|secured), session=<[^>]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: (Aborted login|Disconnected(: Inactivity)?) \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, TLS( handshaking|: Disconnected)?(: SSL_(accept|read)\(\) syscall failed: (Connection reset by peer|Success))?, session=<[^>]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected(: Inactivity during authentication)? \(client didn't finish SASL auth, waited [[:digit:]]+ secs\): user=<>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, TLS(: SSL_read\(\) syscall failed: Connection reset by peer)?, session=<[^>]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+\): [+/[:alnum:]]{22}: msgid=((\? )?<[^>]*>|unspecified): saved mail to\s
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+\): [+/[:alnum:]]{22}(:[0-9]+)?: sieve: msgid=((\? )?<[^>]*>|unspecified): (stored mail into mailbox '|(forwarded|discarded duplicate forward) to <[^[:space:]]+>$|marked message to be discarded if not explicitly delivered \(discard action\)$)
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([^@]+@[^@]+\): [+/[:alnum:]]{22}:[0-9]+: sieve: Execution of script \S+ failed, but implicit keep was successful \(user logfile \S+ may reveal additional details\)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Maximum number of connections from user\+IP exceeded \(mail_max_userip_connections=[[:digit:]]+\): user=<[^>]*>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, TLS, session=<[^>]+>)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+\): Connect from local$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+\): Disconnect from local: (Client quit|Connection closed) \(in reset\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+, [^@]+@[^@]+\): [+/[:alnum:]]{22}: sieve: msgid=(\S+ )?|<[^>]*>( \(added by \S+\))?: (stored mail into mailbox '|marked message to be discarded if not explicitly delivered \(discard action\)$|forwarded to )
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+, [^@]+@[^@]+\): [+/[:alnum:]]{22}: sieve: execution of script \S+ script failed, but implicit keep was successful \(user logfile \S+ may reveal additional details\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([0-9]+\): Disconnect from local: Successful quit$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: managesieve\([-_.@[:alnum:]]+\): Disconnected: Logged out bytes=[[:digit:]]+/[[:digit:]]+?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: ssl-params: (Generating SSL parameters|SSL parameters regeneration completed)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: stats: Warning: UPDATE-CMD: Already expired$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: stats: Warning: Couldn't find session GUID: [[:xdigit:]]{32}$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: stats: Error: Mail server input error: UPDATE-SESSION [-_.@[:alnum:]]+ imap: stats shrank: (mcache|mlpath|mrbytes|mrcount) [[:digit:]]+ < [[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing|ed) Dovecot authentication proxy\.(\.\.)?$
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local
index 7df68c4..6a11392 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/postfix-local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/postfix-local
@@ -19,15 +19,15 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/n?qmgr\[[[:digit:]]+\]: [[:xdigit:]]+: message-id=(<[^>]*>|[[:alnum:]_/+.$@-]+)( \(added by [^[:space:]]+\))?
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/n?qmgr\[[[:digit:]]+\]: [[:xdigit:]]+: removed$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/n?qmgr\[[[:digit:]]+\]: [[:xdigit:]]+: skipped, still being delivered$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/verify\[[[:digit:]]+\]: cache \S+A partial cleanup: retained=[[:digit:]]+ dropped=[[:digit:]]+ entries$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/verify\[[[:digit:]]+\]: cache [a-z]+:\S+ (partial|full) cleanup: retained=[[:digit:]]+ dropped=[[:digit:]]+ entries$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(-\w+)?/smtpd\[[[:digit:]]+\]: disconnect from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]( (ehlo|helo|xforward|starttls|auth|mail|rcpt|data|noop|rset|quit|commands|unknown)=[0-9]+(/[0-9]+)?)+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/pickup\[[[:digit:]]+\]: [[:xdigit:]]+: uid=[[:digit:]]+ from=<[^>]*>$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/cleanup\[[[:digit:]]+\]: [[:xdigit:]]+: replace: header\s
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/smtpd\[[[:digit:]]+\]: [[:xdigit:]]+: client=[^[:space:]]+, sasl_method=[-[:alnum:]]+, sasl_username=[-_.@[:alnum:]]+(, sasl_sender=[-_.@[:alnum:]]+)?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/smtpd\[[[:digit:]]+\]: warning: [-._[:alnum:]]+\[[.[:digit:]]+\]: SASL (PLAIN|LOGIN) authentication (failed|aborted)(:[ [:alnum:]]*)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/smtpd\[[[:digit:]]+\]: warning: [-._[:alnum:]]+\[[[:xdigit:].:]{3,39}\]: SASL (PLAIN|LOGIN) authentication (failed|aborted)(:[ [:alnum:]]*)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|mx)/smtpd\[[[:digit:]]+\]: improper command pipelining after (EHLO|HELO|MAIL|QUIT) from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|mx)/smtpd\[[[:digit:]]+\]: warning: hostname [._[:alnum:]-]+ does not resolve to address [[:xdigit:].:]{3,39}(: Name or service not known)?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: warning: Connection concurrency limit exceeded: [0-9]+ from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\] for service smtpd$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(msa|mx)/smtpd\[[[:digit:]]+\]: warning: Connection concurrency limit exceeded: [0-9]+ from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\] for service (submission|smtpd)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: 5[[:digit:]]{2} 5(\.[[:digit:]]){2} <[^>]+>: Helo command rejected: need fully-qualified hostname;( from=<[^>]*> to=<[^>]+>)? proto=E?SMTP( helo=<[^>]+>)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: 4[[:digit:]]{2} 4(\.[[:digit:]]){2} <[^>]+>: Sender address rejected: Domain not found;( from=<[^>]*> to=<[^>]+>)? proto=E?SMTP( helo=<[^>]+>)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from [._[:alnum:]-]+\[[[:xdigit:].:]{3,39}\]: 5[[:digit:]]{2} 5(\.[[:digit:]]){2} Service unavailable; (Unverified Client host|Sender address) \[\S+\] blocked using [._[:alnum:]-]+; https?://[^[:blank:];]+; from=<[^>]*> to=<[^>]+> proto=E?SMTP( helo=<[^>]+>)?$
@@ -72,6 +72,7 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: warning: ([-._[:alnum:]]+): RBL lookup error: Host or domain name not found\. Name service error for name=\1 type=A(AAA)?: Host not found, try again$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-(mx|msa)/(smtpd|tlsproxy)\[[[:digit:]]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:SSL2?3_(GET_RECORD:(decryption failed or bad record mac|wrong version number):s3_pkt\.c:[0-9]+:|READ_BYTES:(reason\([[:digit:]]+\)|sslv3 alert (unexpected message|bad certificate)):s3_pkt\.c:[[:digit:]]+:SSL alert number (0|10|42):|GET_CLIENT_HELLO:(unsupported protocol|no shared cipher|unknown protocol|wrong version number):s2?3_srvr\.c:[0-9]+:)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/tlsproxy\[[[:digit:]]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:tls_post_process_client_hello:no shared cipher:\.\./ssl/statem/statem_srvr\.c:[0-9]+:$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-msa/smtpd\[[[:digit:]]+\]: warning: TLS library problem: error:[[:xdigit:]]+:SSL routines:tls_process_client_hello:(no shared cipher|unknown protocol|version too low):\.\./ssl/statem/statem_srvr\.c:[0-9]+:$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: (NOQUEUE|[[:xdigit:]]+): reject: [[:upper:]]+ from [^[:space:]]+: 554( 5\.1\.[01])? <[^[:space:]]*>: Recipient address rejected: User unknown in virtual alias table;( from=<[^>]*> to=<[^>]+>)? proto=E?SMTP( helo=<[^[:space:]]+>)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: [[:xdigit:]]+: reject: RCPT from [^[:space:]]+: [45][[:digit:]][[:digit:]]( [45](\.[[:digit:]]){2})? <[^[:space:]]*>: Helo command rejected: .+; from=<[^>]*> to=<[^>]+> proto=E?SMTP helo=<[^[:space:]]+>$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix-mx/smtpd\[[[:digit:]]+\]: too many errors after ([[:upper:]]{4}|END-OF-MESSAGE|UNKNOWN|DATA \(0 bytes\)) from [._[:alnum:]-]+\[[.[:digit:]]+\]$
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index be26c79..da4db51 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -8,6 +8,7 @@
mode=0644
register: r1
with_items:
+ - dovecot.conf
- roundcube.conf
notify:
- Restart fail2ban
diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2
index eb6a7fb..c493958 100644
--- a/roles/common/templates/etc/fail2ban/jail.local.j2
+++ b/roles/common/templates/etc/fail2ban/jail.local.j2
@@ -65,7 +65,7 @@ maxretry = 10
[dovecot]
enabled = true
-port = imap2,imap3,imaps,pop3,pop3s
+port = imap2,imaps,pop3,pop3s,sieve
filter = dovecot
logpath = /var/log/mail.log
{% endif %}
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 87e54d6..93342cb 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -33,6 +33,7 @@ out tcp 25 # SMTP
{% if 'IMAP' in group_names %}
in tcp 993 # IMAPS
in tcp 4190 # MANAGESIEVE
+out tcp 2703 # Razor2
{% endif %}
{% if 'MSA' in group_names %}
in tcp 587 # SMTP-AUTH
diff --git a/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2 b/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2
index 8550d0f..6694a0c 100644
--- a/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2
+++ b/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2
@@ -7,7 +7,7 @@ certificate-key = /etc/dovecot/ssl/imap.fripost.org.key
certificate-chain = /etc/dovecot/ssl/imap.fripost.org.pem
subject = /O=Fripost/CN=imap.fripost.org
subjectAltName = DNS:imap.fripost.org,DNS:sieve.fripost.org
-notify = /usr/bin/doveadm reload
+notify = /bin/systemctl reload dovecot
{% endif %}
{% if 'MSA' in group_names %}