From f7c8011b39044a69daa091ef2c0f7a7aefacb663 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Thu, 14 May 2015 23:14:25 +0200
Subject: Upgrade Dovecot config to Jessie.

---
 roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf   |   3 +-
 roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf   |  35 ++++---
 roles/IMAP/files/etc/dovecot/conf.d/10-master.conf |  14 ++-
 roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf    |  16 ++-
 roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf   | 109 +++++++++++----------
 roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf   |   3 +
 roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf  |  25 ++---
 .../files/etc/dovecot/conf.d/auth-ldap.conf.ext    |   2 +-
 roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext |   5 +-
 roles/IMAP/tasks/imap.yml                          |  17 ++--
 roles/IMAP/tasks/main.yml                          |   2 +-
 roles/IMAP/templates/etc/postfix/main.cf.j2        |   7 +-
 .../etc/logcheck/ignore.d.server/dovecot-local     |   7 +-
 13 files changed, 138 insertions(+), 107 deletions(-)

(limited to 'roles')

diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf
index cf0189e..d4f323d 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-auth.conf
@@ -6,7 +6,8 @@
 # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
 # matches the local IP (ie. you're connecting from the same computer), the
 # connection is considered secure and plaintext authentication is allowed.
-disable_plaintext_auth = yes
+# See also ssl=required setting.
+#disable_plaintext_auth = yes
 
 # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
 # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf
index dcc1d9c..c98d3f6 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-mail.conf
@@ -107,7 +107,7 @@ namespace virtual {
   #list = children
 #}
 # Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
-#mail_shared_explicit_inbox = yes
+#mail_shared_explicit_inbox = no
 
 # System user and group used to access mails. If you use multiple, userdb
 # can override these by returning uid or gid fields. You can use either numbers
@@ -133,6 +133,10 @@ mail_gid = vmail
 # or ~user/.
 #mail_full_filesystem_access = no
 
+# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but
+# soon intended to be used by METADATA as well.
+#mail_attribute_dict =
+
 ##
 ## Mail processes
 ##
@@ -151,13 +155,6 @@ mail_gid = vmail
 #   never: Never use it (best performance, but crashes can lose data)
 #mail_fsync = optimized
 
-# Mail storage exists in NFS. Set this to yes to make Dovecot flush NFS caches
-# whenever needed. If you're using only a single mail server this isn't needed.
-#mail_nfs_storage = no
-# Mail index files also exist in NFS. Setting this to yes requires
-# mmap_disable=yes and fsync_disable=no.
-#mail_nfs_index = no
-
 # Locking method for index files. Alternatives are fcntl, flock and dotlock.
 # Dotlocking uses some tricks which may create more disk I/O than other locking
 # methods. NFS users: flock doesn't work, remember to change mmap_disable.
@@ -170,14 +167,14 @@ mail_gid = vmail
 # to make sure that users can't log in as daemons or other system users.
 # Note that denying root logins is hardcoded to dovecot binary and can't
 # be done even if first_valid_uid is set to 0.
-first_valid_uid = 1
+#first_valid_uid = 500
 #last_valid_uid = 0
 
 # Valid GID range for users, defaults to non-root/wheel. Users having
 # non-valid GID as primary group ID aren't allowed to log in. If user
 # belongs to supplementary groups with non-valid GIDs, those groups are
 # not set.
-first_valid_gid = 1
+#first_valid_gid = 1
 #last_valid_gid = 0
 
 # Maximum allowed length for mail keyword name. It's only forced when trying
@@ -216,6 +213,10 @@ mail_plugins = virtual zlib
 ## Mailbox handling optimizations
 ##
 
+# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
+# also required for IMAP NOTIFY extension to be enabled.
+mailbox_list_index = yes
+
 # The minimum number of mails in a mailbox before updates are done to cache
 # file. This allows optimizing Dovecot's behavior to do less disk writes at
 # the cost of more disk reads.
@@ -267,6 +268,10 @@ mail_plugins = virtual zlib
 # broken size. The performance hit for enabling this is very small.
 #maildir_broken_filename_sizes = no
 
+# Always move mails from new/ directory to cur/, even when the \Recent flags
+# aren't being reset.
+#maildir_empty_new = no
+
 ##
 ## mbox-specific settings
 ##
@@ -285,8 +290,14 @@ mail_plugins = virtual zlib
 # in is important to avoid deadlocks if other MTAs/MUAs are using multiple
 # locking methods as well. Some operating systems don't allow using some of
 # them simultaneously.
+#
+# The Debian value for mbox_write_locks differs from upstream Dovecot. It is
+# changed to be compliant with Debian Policy (section 11.6) for NFS safety.
+#       Dovecot: mbox_write_locks = dotlock fcntl
+#       Debian:  mbox_write_locks = fcntl dotlock
+#
 #mbox_read_locks = fcntl
-#mbox_write_locks = dotlock fcntl
+#mbox_write_locks = fcntl dotlock
 
 # Maximum time to wait for lock (all of them) before aborting.
 #mbox_lock_timeout = 5 mins
@@ -350,8 +361,6 @@ mail_plugins = virtual zlib
 # also allows single instance storage for them. Other backends don't support
 # this for now.
 
-# WARNING: This feature hasn't been tested much yet. Use at your own risk.
-
 # Directory root where to store mail attachments. Disabled, if empty.
 #mail_attachment_dir =
 
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf
index 30e9fb6..189e96e 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-master.conf
@@ -8,25 +8,25 @@
 
 # Login user is internally used by login processes. This is the most untrusted
 # user in Dovecot system. It shouldn't have access to anything at all.
-default_login_user = dovenull
+#default_login_user = dovenull
 
 # Internal user is used by unprivileged processes. It should be separate from
 # login user, so that login processes can't disturb other processes.
-default_internal_user = dovecot
+#default_internal_user = dovecot
 
 service imap-login {
   inet_listener imap {
     port = 0
   }
   inet_listener imaps {
-    port = 993
-    ssl = yes
+    #port = 993
+    #ssl = yes
   }
 
   # Number of connections to handle before starting a new process. Typically
   # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
   # is faster. <doc/wiki/LoginProcess.txt>
-  service_count = 1
+  #service_count = 1
 
   # Max. number of IMAP processes (logins)
   process_limit = 256
@@ -46,8 +46,6 @@ service pop3-login {
     #port = 995
     #ssl = yes
   }
-
-  service_count = 1
 }
 
 service lmtp {
@@ -112,7 +110,7 @@ service auth {
   }
 
   # Auth process is run as this user.
-  user = $default_internal_user
+  #user = $default_internal_user
 }
 
 service auth-worker {
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index 526da9c..90843b2 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -26,6 +26,13 @@ ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
 # Require that CRL check succeeds for client certificates.
 #ssl_require_crl = yes
 
+# Directory and/or file for trusted SSL CA certificates. These are used only
+# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
+# directory is usually /etc/ssl/certs in Debian-based systems and the file is
+# /etc/pki/tls/cert.pem in RedHat-based systems.
+#ssl_client_ca_dir =
+#ssl_client_ca_file =
+
 # Request client to send a certificate. If you also want to require it, set
 # auth_ssl_require_client_cert=yes in auth section.
 #ssl_verify_client_cert = no
@@ -35,10 +42,8 @@ ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
 # auth_ssl_username_from_cert=yes.
 #ssl_cert_username_field = commonName
 
-# How often to regenerate the SSL parameters file. Generation is quite CPU
-# intensive operation. The value is in hours, 0 disables regeneration
-# entirely.
-#ssl_parameters_regenerate = 168
+# DH parameters length to use.
+#ssl_dh_parameters_length = 1024
 
 # SSL protocols to use
 ssl_protocols = !SSLv2
@@ -46,5 +51,8 @@ ssl_protocols = !SSLv2
 # SSL ciphers to use
 ssl_cipher_list = HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH
 
+# Prefer the server's order of ciphers over client's.
+#ssl_prefer_server_ciphers = no
+
 # SSL crypto device to use, for valid values run "openssl engine"
 #ssl_crypto_device =
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf
index 2557b78..1807e05 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/20-imap.conf
@@ -2,67 +2,70 @@
 ## IMAP specific settings
 ##
 
-protocol imap {
-  # Maximum IMAP command line length. Some clients generate very long command
-  # lines with huge mailboxes, so you may need to raise this if you get
-  # "Too long argument" or "IMAP command line too large" errors often.
-  #imap_max_line_length = 64k
+# Maximum IMAP command line length. Some clients generate very long command
+# lines with huge mailboxes, so you may need to raise this if you get
+# "Too long argument" or "IMAP command line too large" errors often.
+#imap_max_line_length = 64k
 
-  # Maximum number of IMAP connections allowed for a user from each IP address.
-  # NOTE: The username is compared case-sensitively.
-  mail_max_userip_connections = 16
+# IMAP logout format string:
+#  %i - total number of bytes read from client
+#  %o - total number of bytes sent to client
+#imap_logout_format = in=%i out=%o
 
-  # Space separated list of plugins to load (default is global mail_plugins).
-  #mail_plugins = $mail_plugins antispam
+# Override the IMAP CAPABILITY response. If the value begins with '+',
+# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
+#imap_capability = 
 
-  # IMAP logout format string:
-  #  %i - total number of bytes read from client
-  #  %o - total number of bytes sent to client
-  #imap_logout_format = bytes=%i/%o
+# How long to wait between "OK Still here" notifications when client is
+# IDLEing.
+#imap_idle_notify_interval = 2 mins
 
-  # Override the IMAP CAPABILITY response. If the value begins with '+',
-  # add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
-  #imap_capability = 
+# ID field names and values to send to clients. Using * as the value makes
+# Dovecot use the default value. The following fields have default values
+# currently: name, version, os, os-version, support-url, support-email.
+#imap_id_send = 
 
-  # How long to wait between "OK Still here" notifications when client is
-  # IDLEing.
-  #imap_idle_notify_interval = 2 mins
+# ID fields sent by client to log. * means everything.
+#imap_id_log =
 
-  # ID field names and values to send to clients. Using * as the value makes
-  # Dovecot use the default value. The following fields have default values
-  # currently: name, version, os, os-version, support-url, support-email.
-  #imap_id_send = 
+# Workarounds for various client bugs:
+#   delay-newmail:
+#     Send EXISTS/RECENT new mail notifications only when replying to NOOP
+#     and CHECK commands. Some clients ignore them otherwise, for example OSX
+#     Mail (<v2.1). Outlook Express breaks more badly though, without this it
+#     may show user "Message no longer in server" errors. Note that OE6 still
+#     breaks even with this workaround if synchronization is set to
+#     "Headers Only".
+#   tb-extra-mailbox-sep:
+#     Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
+#     adds extra '/' suffixes to mailbox names. This option causes Dovecot to
+#     ignore the extra '/' instead of treating it as invalid mailbox name.
+#   tb-lsub-flags:
+#     Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
+#     This makes Thunderbird realize they aren't selectable and show them
+#     greyed out, instead of only later giving "not selectable" popup error.
+#
+# The list is space-separated.
+#imap_client_workarounds = 
 
-  # ID fields sent by client to log. * means everything.
-  #imap_id_log =
+# Host allowed in URLAUTH URLs sent by client. "*" allows all.
+#imap_urlauth_host =
 
-  # Workarounds for various client bugs:
-  #   delay-newmail:
-  #     Send EXISTS/RECENT new mail notifications only when replying to NOOP
-  #     and CHECK commands. Some clients ignore them otherwise, for example OSX
-  #     Mail (<v2.1). Outlook Express breaks more badly though, without this it
-  #     may show user "Message no longer in server" errors. Note that OE6 still
-  #     breaks even with this workaround if synchronization is set to
-  #     "Headers Only".
-  #   tb-extra-mailbox-sep:
-  #     Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
-  #     adds extra '/' suffixes to mailbox names. This option causes Dovecot to
-  #     ignore the extra '/' instead of treating it as invalid mailbox name.
-  #   tb-lsub-flags:
-  #     Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
-  #     This makes Thunderbird realize they aren't selectable and show them
-  #     greyed out, instead of only later giving "not selectable" popup error.
-  #
-  # The list is space-separated.
-  #imap_client_workarounds = 
+protocol imap {
+  # Space separated list of plugins to load (default is global mail_plugins).
+  #mail_plugins = $mail_plugins
 
-  # Load the 'antispam' plugin for people using the content filter.
-  # (Otherwise fallback to the static userdb.)
-  userdb {
-    driver = ldap
-    args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
+  # Maximum number of IMAP connections allowed for a user from each IP address.
+  # NOTE: The username is compared case-sensitively.
+  mail_max_userip_connections = 16
 
-    # Default fields can be used to specify defaults that LDAP may override
-    default_fields = home=/home/mail/virtual/%d/%n
-  }
+#  # TODO Load the 'antispam' plugin for people using the content filter.
+#  # (Otherwise fallback to the static userdb.)
+#  userdb {
+#    driver = ldap
+#    args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
+#
+#    # Default fields can be used to specify defaults that LDAP may override
+#    default_fields = home=/home/mail/virtual/%d/%n
+#  }
 }
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf b/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf
index b0be573..cd48ab8 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/20-lmtp.conf
@@ -10,6 +10,9 @@
 # lda_mailbox_autocreate settings.
 #lmtp_save_to_detail_mailbox = no
 
+# Verify quota before replying to RCPT TO. This adds a small overhead.
+#lmtp_rcpt_check_quota = no
+
 protocol lmtp {
   postmaster_address = postmaster@fripost.org
   # Space separated list of plugins to load (default is global mail_plugins).
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf b/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf
index 4d0420a..8308adc 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/90-sieve.conf
@@ -1,6 +1,6 @@
 ##
 ## Settings for the Sieve interpreter
-## 
+##
 
 # Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
 # by adding it to the respective mail_plugins= settings.
@@ -22,7 +22,7 @@ plugin {
   # is also where the ManageSieve service stores the user's scripts.
   sieve_dir = ~/sieve
 
-  # Directory for :global include scripts for the include extension. 
+  # Directory for :global include scripts for the include extension.
   #sieve_global_dir =
 
   # Path to a script file or a directory containing script files that need to be
@@ -39,17 +39,17 @@ plugin {
   # user's script (only when keep is still in effect!). Multiple script file or
   # directory paths can be specified by appending an increasing number.
   #sieve_after =
-  #sieve_after2 = 
+  #sieve_after2 =
   #sieve_after2 = (etc...)
 
-  # Which Sieve language extensions are available to users. By default, all 
+  # Which Sieve language extensions are available to users. By default, all
   # supported extensions are available, except for deprecated extensions or
   # those that are still under development. Some system administrators may want
   # to disable certain Sieve extensions or enable those that are not available
   # by default. This setting can use '+' and '-' to specify differences relative
   # to the default. For example `sieve_extensions = +imapflags' will enable the
 	# deprecated imapflags extension in addition to all extensions were already
-  # enabled by default. 
+  # enabled by default.
   #sieve_extensions = +notify +imapflags
 
   # Which Sieve language extensions are ONLY available in global scripts. This
@@ -57,7 +57,7 @@ plugin {
   # control, for instance when these extensions can cause security concerns.
   # This setting has higher precedence than the `sieve_extensions' setting
   # (above), meaning that the extensions enabled with this setting are never
-  # available to the user's personal script no matter what is specified for the 
+  # available to the user's personal script no matter what is specified for the
   # `sieve_extensions' setting. The syntax of this setting is similar to the
   # `sieve_extensions' setting, with the difference that extensions are
   # enabled or disabled for exclusive use in global scripts. Currently, no
@@ -68,13 +68,14 @@ plugin {
   # setting, the used plugins can be specified. Check the Dovecot wiki
   # (wiki2.dovecot.org) or the pigeonhole website
   # (http://pigeonhole.dovecot.org) for available plugins.
+	# The sieve_extprograms plugin is included in this release.
   #sieve_plugins =
 
-  # The separator that is expected between the :user and :detail 
-  # address parts introduced by the subaddress extension. This may 
-  # also be a sequence of characters (e.g. '--'). The current 
-  # implementation looks for the separator from the left of the 
-  # localpart and uses the first one encountered. The :user part is 
+  # The separator that is expected between the :user and :detail
+  # address parts introduced by the subaddress extension. This may
+  # also be a sequence of characters (e.g. '--'). The current
+  # implementation looks for the separator from the left of the
+  # localpart and uses the first one encountered. The :user part is
   # left of the separator and the :detail part is right. This setting
   # is also used by Dovecot's LMTP service.
   recipient_delimiter = +
@@ -99,6 +100,6 @@ plugin {
 
   # The maximum amount of disk storage a single user's scripts may occupy. If
   # set to 0, no limit on the used amount of disk storage is enforced.
-  # (Currently only relevant for ManageSieve) 
+  # (Currently only relevant for ManageSieve)
   #sieve_quota_max_storage = 0
 }
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
index 5237fc2..360727e 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
+++ b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
@@ -1,4 +1,4 @@
-# Authentication for LDAP users. Included from auth.conf.
+# Authentication for LDAP users. Included from 10-auth.conf.
 #
 # <doc/wiki/AuthDatabase.LDAP.txt>
 
diff --git a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
index 1ffa73d..72f4604 100644
--- a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
+++ b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
@@ -1,3 +1,6 @@
+# This file is commonly accessed via passdb {} or userdb {} section in
+# conf.d/auth-ldap.conf.ext
+
 # This file is opened as root, so it should be owned by root and mode 0600.
 #
 # http://wiki2.dovecot.org/AuthDatabase/LDAP
@@ -90,7 +93,7 @@ ldap_version = 3
 base = fvl=%n,fvd=%d,ou=virtual,dc=fripost,dc=org
 
 # Dereference: never, searching, finding, always
-deref = never
+#deref = never
 
 # Search scope: base, onelevel, subtree
 scope = base
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index b142ba6..9365640 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -17,13 +17,16 @@
         password=!
         state=present
 
-# Required for dbox, see
-# http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox
-- name: Create a nightly cron job to purge expunged messages
-  cron: name="Purge expunged messages"
-        minute=7 hour=5
-        user=vmail cron_file=doveadm-purge
-        job="/usr/bin/doveadm purge -A"
+## TODO: make a LDAP query listing all users using iterate_attrs and
+## iterate_filter.  (Alternatively, use a dict, see
+## https://www.opensource.apple.com/source/dovecot/dovecot-293/dovecot.Config/dovecot-dict-auth.conf.ext)
+## Required for dbox, see
+## http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox
+#- name: Create a nightly cron job to purge expunged messages
+#  cron: name="Purge expunged messages"
+#        minute=7 hour=5
+#        user=vmail cron_file=doveadm-purge
+#        job="/usr/bin/doveadm purge -A"
 
 # The ownership and permissions ensure that dovecot won't try to
 # deliver mails under an umounted mountpoint.
diff --git a/roles/IMAP/tasks/main.yml b/roles/IMAP/tasks/main.yml
index c6fbbd9..9ed2ea6 100644
--- a/roles/IMAP/tasks/main.yml
+++ b/roles/IMAP/tasks/main.yml
@@ -1,4 +1,4 @@
 ---
 - include: imap.yml   tags=imap,dovecot
 - include: mda.yml    tags=mda,mail,postfix
-- include: spam.yml   tags=spam,spamassassin
+#- include: spam.yml   tags=spam,spamassassin # TODO spam filter
diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index c775a73..ef2f0d6 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -91,13 +91,14 @@ smtpd_helo_restrictions =
 smtpd_sender_restrictions =
     reject_non_fqdn_sender
 
-smtpd_recipient_restrictions =
-    # RFC requirements
-    reject_non_fqdn_recipient
+smtpd_relay_restrictions =
     permit_mynetworks
     permit_tls_clientcerts
     reject
 
+smtpd_recipient_restrictions =
+    reject_non_fqdn_recipient
+
 smtpd_data_restrictions =
     reject_unauth_pipelining
 
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local b/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local
index d6826a1..b27e736 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/dovecot-local
@@ -6,9 +6,10 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed(: Connection reset by peer)?( in=[[:digit:]]+ out=[[:digit:]]+)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, mpid=[0-9]+(, (TLS|secured), session=<[^>]+>)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Aborted login( \(auth failed, [[:digit:]]+ attempts in [[:digit:]]+ secs\))?: (user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, )?rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, TLS, session=<[^>]+>$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? (\(no auth attempts in [[:digit:]]+ secs\):( user=<>,)?|\(auth failed, [[:digit:]]+ attempts in [[:digit:]]+ secs\): user=<[-_.@[:alnum:]]+>, method=PLAIN,|\(aborted authentication\): method=PLAIN,) rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|SSL)( handshaking)?(: SSL_(accept|read)\(\) (syscall failed: Connection reset by peer|failed: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure: SSL alert number 10|failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46|failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48|failed: error:[[:xdigit:]]+:SSL routines:SSL2?3_GET_CLIENT_HELLO:(unknown protocol|http request|no shared cipher))|: Disconnected)?|, secured)?, session=<[^>]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? (\(no auth attempts in [[:digit:]]+ secs\):( user=<>,)?|\(auth failed, [[:digit:]]+ attempts in [[:digit:]]+ secs\): user=<[-_.@[:alnum:]]+>, method=PLAIN,|\(aborted authentication\): method=PLAIN,) rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|SSL)( handshaking)?(: SSL_(accept|read)\(\) (syscall failed: Connection reset by peer|failed: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure: SSL alert number 10|failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42|failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46|failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48|failed: error:[[:xdigit:]]+:SSL routines:SSL2?3_GET_CLIENT_HELLO:(unknown protocol|http request|no shared cipher))|: Disconnected)?|, secured)?, session=<[^>]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth: Warning: auth client [[:digit:]]+ disconnected with [[:digit:]]+ pending requests: EOF$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Warning: Auth connection closed with [[:digit:]]+ pending requests \(max [[:digit:]]+ secs, pid=[[:digit:]]+, EOF\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected \((auth process communication failure|client didn't finish SASL auth, waited [[:digit:]]+ secs)\): user=<>, method=PLAIN, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured)(: SSL_read\(\) syscall failed: Connection reset by peer)?, session=<[^>]+>)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected \((auth process communication failure|client didn't finish SASL auth, waited [[:digit:]]+ secs)\): user=<>, method=PLAIN, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured)(: SSL_read\(\) syscall failed: Connection reset by peer|: Disconnected)?, session=<[^>]+>)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Error: SSL: Stacked error: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message: SSL alert number 10$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: (Disconnected: Inactivity during authentication|Aborted login) \(client didn't finish SASL auth, waited [[:digit:]]+ secs\): user=<[-_.@[:alnum:]]*>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured)(: Disconnected)?, session=<[^>]+>)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Disconnected \(tried to use unsupported auth mechanism\): user=<>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured), session=<[^>]+>)?$
@@ -16,7 +17,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Maximum number of connections from user\+IP exceeded \(mail_max_userip_connections=[[:digit:]]+\): user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, (TLS|secured), session=<[^>]+>)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+\): Connect from local$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+\): Disconnect from local: (Client quit|Connection closed) \(in reset\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+, [^@]+@[^@]+\): [+/[:alnum:]]{22}: sieve: msgid=(<[^>]+>|unspecified): (stored mail into mailbox '|marked message to be discarded if not explicitly delivered \(discard action\)$)
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+, [^@]+@[^@]+\): [+/[:alnum:]]{22}: sieve: msgid=(\S+ )?|<[^>]*>( \(added by \S+\))?: (stored mail into mailbox '|marked message to be discarded if not explicitly delivered \(discard action\)$|forwarded to )
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([-_.@[:alnum:]]+, [^@]+@[^@]+\): Error: [+/[:alnum:]]{22}: sieve: execution of script \S+ failed, but implicit keep was successful \(user logfile \S+ may reveal additional details\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([0-9]+\): Disconnect from local: Successful quit$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: Login: user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, mpid=[0-9]+(, TLS, session=<[^>]+>)?$
-- 
cgit v1.2.3