Diffstat (limited to 'ansible/roles/dovecot/files/dovecot/conf.d')
10 files changed, 269 insertions, 0 deletions
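--- /dev/null
+++ b/ansible/roles/dovecot/files/dovecot/conf.d/10-acl.conf
@@ -0,0 +1,15 @@
+mail_plugins = $mail_plugins acl
+
+protocol imap {
+mail_plugins = $mail_plugins imap_acl
+}
+
+plugin {
+acl_defaults_from_inbox = yes
+}
+
+# Should saving a mail to a nonexistent mailbox automatically create it?
+lda_mailbox_autocreate = yes
+
+# Should automatically created mailboxes be also automatically subscribed?
+lda_mailbox_autosubscribe = yes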
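--- /dev/null
+++ b/ansible/roles/dovecot/files/dovecot/conf.d/10-auth.conf
@@ -0,0 +1,46 @@
+# cache all authentication results for one hour
+#auth_cache_size = 10M
+#auth_cache_ttl = 1 hour
+#auth_cache_negative_ttl = 1 hour
+
+# Don't cache password details, otherwise password changes require a server HUP
+# before the server will re-query the password data source.
+auth_cache_size = 0
+
+# only use plain username/password auth - OK since everything is over TLS
+auth_mechanisms = plain
+
+# passdb specifies how users are authenticated - sql here, and
+# our sql config specifies the sqlite filename with queries to use
+passdb {
+driver = sql
+args = /etc/dovecot/dovecot-sql.conf.ext
+}
+
+# userdb specifies the location of users' "home" directories - where their
+# mail is stored. e.g. /var/mail/vhosts/exmaple.com/user
+# %d = domain, %n = user
+# We can't use "prefetch" because postfix can't read users from "prefetch" db,
+# and we can't use 'static' because the doveadm tool needs to iterate users
+# for purging zero refcount deleted mails, so we give a userdb of sql here
+# and specify a "get all users" SQL query in the configuration file.
+userdb {
+driver = sql
+args = /etc/dovecot/dovecot-sql.conf.ext
+}
+
+# UNIX socket path to master authentication server to find users.
+# This is used by imap (for shared users) and lda.
+auth_socket_path = /var/run/dovecot/auth-userdb
+
+# Respect /etc/hosts.deny (populated by fail2ban)
+# You can use /etc/hosts.allow to countermand fail2ban decisions.
+login_access_sockets = tcpwrap
+
+service tcpwrap {
+unix_listener login/tcpwrap {
+group = $default_login_user
+mode = 0600
+user = $default_login_user
+}
+}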
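Review bot: The comment on `auth_mechanisms = plain` justifies sending cleartext credentials with "everything is over TLS", but nothing in this file enforces that; the guarantee rests on Dovecot's `disable_plaintext_auth` default and on listener/SSL settings kept in other files. Make the assumption local and explicit by adding `disable_plaintext_auth = yes` directly under that comment, so a later change to the listeners cannot silently weaken it. `login_access_sockets = tcpwrap` together with the `service tcpwrap` block depends on libwrap support that, as far as I recall, newer Dovecot 2.3 releases no longer ship, so the role should state which Dovecot version it targets or fail loudly if the setting is unknown. The userdb comment's `exmaple.com` is a typo for `example.com`.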
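--- /dev/null
+++ b/ansible/roles/dovecot/files/dovecot/conf.d/10-mail.conf
@@ -0,0 +1,28 @@
+# default home directory location for all users
+mail_home = /var/mail/vhosts/%d/%n
+
+# directory to store mail. The tilda makes it relative to the *dovecot*
+# virtual home directory.
+#
+# I use mdbox - this is Dovecot's own high-performance mail store format.
+# There are other slower, more "traditional" formats you can choose from.
+# Read about them here: https://wiki2.dovecot.org/MailboxFormat
+mail_location = mdbox:~/mdbox
+
+# nothing fancy - just a standard default namespace with '/' as the
+# hierarchy separator
+namespace inbox {
+separator = /
+inbox = yes
+}
+
+# set this to the group that owns your vmail directory.
+mail_privileged_group = vmail
+
+# these lines enable attachment deduplication. Attachments must be somewhat
+# large (64k) to store them separately from the mail store.
+mail_attachment_dir = /var/mail/attachments
+mail_attachment_min_size = 64k
+
+# we'll uncomment this after we set up Solr in the following section:
+# mail_plugins = $mail_plugins fts fts_solr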
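Review bot: `mail_home = /var/mail/vhosts/%d/%n` builds a filesystem path from the authenticated login name, so the safety of the layout depends on Dovecot's username validation (`auth_username_chars`, whose default excludes `/`) and on the userdb not overriding `user` with something unexpected; neither is visible from this file. A comment on that line should record the dependency, e.g. `# %d/%n are taken from the login name; relies on the default auth_username_chars keeping path characters out`. `mail_attachment_dir = /var/mail/attachments` is shared by every user, and the comment should say which uid/gid must own it and with what mode, since that cannot be derived here (presumably the same vmail identity as `mail_privileged_group`, but that is an inference).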
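--- /dev/null
+++ b/ansible/roles/dovecot/files/dovecot/conf.d/10-master.conf
@@ -0,0 +1,82 @@
+# to improve performance, disable fsync globally - we will enable it for
+# some specific services later on
+mail_fsync = never
+
+service imap-login {
+# plain-text IMAP should only be accessible from localhost
+inet_listener imap {
+address = 127.0.0.1, ::1
+}
+
+# enable high-performance mode, described here:
+# https://wiki.dovecot.org/LoginProcess
+service_count = 0
+
+# set to the number of CPU cores on your server
+process_min_avail = 3
+vsz_limit = 1G
+}
+
+# disable POP3 altogether
+service pop3-login {
+inet_listener pop3 {
+port = 0
+}
+
+inet_listener pop3s {
+port = 0
+}
+}
+
+# enable semi-long-lived IMAP processes to improve performance
+service imap {
+service_count = 256
+# set to the number of CPU cores on your server
+process_min_avail = 3
+}
+
+# expose an LMTP socket for postfix to deliver mail
+service lmtp {
+unix_listener /var/spool/postfix/private/dovecot-lmtp {
+group = postfix
+mode = 0600
+user = postfix
+}
+}
+
+service auth {
+# auth_socket_path points to this userdb socket by default. It's typically
+# used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
+# full permissions to this socket are able to get a list of all usernames and
+# get the results of everyone's userdb lookups.
+#
+# The default 0666 mode allows anyone to connect to the socket, but the
+# userdb lookups will succeed only if the userdb returns an "uid" field that
+# matches the caller process's UID. Also if caller's uid or gid matches the
+# socket's uid or gid the lookup succeeds. Anything else causes a failure.
+#
+# To give the caller full permissions to lookup all users, set the mode to
+# something else than 0666 and Dovecot lets the kernel enforce the
+# permissions (e.g. 0777 allows everyone full permissions).
+
+# auth for postfix
+unix_listener /var/spool/postfix/private/auth {
+mode = 0666
+user = postfix
+group = postfix
+}
+
+# auth for doveadm tools
+unix_listener auth-userdb {
+mode = 0666
+user = vmail
+group = vmail
+}
+
+client_limit = 840
+
+# no need to run this as root
+service auth-worker {
+user = vmail
+}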
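Review bot: `service_count = 0` on imap-login is described only as "high-performance mode", but the linked LoginProcess page (as I recall it) also states the trade-off — one login process serves many connections, so a flaw in it exposes every session it holds rather than just one — and the comment should name that so the choice is visibly deliberate, e.g. `# one login process handles many connections: faster, but a bug in it affects all of them`. Likewise `unix_listener auth-userdb` is 0666 and owned by vmail, which by this file's own explanatory comment means any process running as the vmail uid/gid gets full userdb enumeration; with `service auth-worker { user = vmail }` and the mail processes themselves under that identity, the label `# auth for doveadm tools` understates who can use it. Consider either a narrower mode with a dedicated group, or a comment acknowledging that all vmail-uid processes have this access.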
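--- /dev/null
+++ b/ansible/roles/dovecot/files/dovecot/conf.d/15-lda.conf
@@ -0,0 +1,7 @@
+# configuration for mail delivered by the `dovecot-lda` command. Shouldn't
+# be needed since we are using LMTP, but kept for backwards compatibility.
+protocol lda {
+# use fsync for write-safety - this deals with delivering actual mail
+mail_fsync = optimized
+mail_plugins = $mail_plugins sieve
+}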
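--- /dev/null
+++ b/ansible/roles/dovecot/files/dovecot/conf.d/15-mailboxes.conf
@@ -0,0 +1,24 @@
+# define any special IMAP folders here. You can force them to be created or
+# created+subscribed automatically used the `auto` option.
+namespace inbox {
+mailbox Drafts {
+auto = subscribe
+special_use = \Drafts
+}
+mailbox Junk {
+auto = create
+special_use = \Junk
+}
+mailbox Trash {
+auto = create
+special_use = \Trash
+}
+mailbox Archive {
+auto = subscribe
+special_use = \Archive
+}
+mailbox Sent {
+auto = subscribe
+special_use = \Sent
+}
+}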
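--- /dev/null
+++ b/ansible/roles/dovecot/files/dovecot/conf.d/20-imap.conf
@@ -0,0 +1,10 @@
+# Use a longer IDLE interval to reduce network chatter and save battery
+# life. Max is 30 minutes.
+imap_idle_notify_interval = 29 mins
+
+protocol imap {
+# max IMAP connections per IP address
+mail_max_userip_connections = 50
+# imap_sieve will be used for spam training by rspamd
+mail_plugins = $mail_plugins imap_sieve
+}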
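--- /dev/null
+++ b/ansible/roles/dovecot/files/dovecot/conf.d/20-lmtp.conf
@@ -0,0 +1,5 @@
+protocol lmtp {
+# use fsync for write-safety - this deals with delivering actual mail
+mail_fsync = optimized
+mail_plugins = $mail_plugins sieve
+}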
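--- /dev/null
+++ b/ansible/roles/dovecot/files/dovecot/conf.d/90-imapsieve.conf
@@ -0,0 +1,18 @@
+plugin {
+sieve_plugins = sieve_imapsieve sieve_extprograms
+
+# From elsewhere to Junk folder
+imapsieve_mailbox1_name = Junk
+imapsieve_mailbox1_causes = COPY
+imapsieve_mailbox1_before = file:/etc/dovecot/sieve/report-spam.sieve
+
+# From Junk folder to elsewhere
+imapsieve_mailbox2_name = *
+imapsieve_mailbox2_from = Junk
+imapsieve_mailbox2_causes = COPY
+imapsieve_mailbox2_before = file:/etc/dovecot/sieve/report-ham.sieve
+
+sieve_pipe_bin_dir = /etc/dovecot/sieve
+
+sieve_global_extensions = +vnd.dovecot.pipe
+}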
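Review bot: `sieve_pipe_bin_dir = /etc/dovecot/sieve` is the same directory that holds `report-spam.sieve` and `report-ham.sieve`, and with `sieve_global_extensions = +vnd.dovecot.pipe` those global scripts may execute any program found there under the mail user's identity, yet the file says nothing about who may write to that directory. Add the requirement next to the setting, e.g. `# everything in sieve_pipe_bin_dir is runnable by global scripts: keep it root-owned, 0755, never writable by vmail`. Enabling `pipe` only via `sieve_global_extensions` (not `sieve_extensions`, which governs user scripts) is the right split and deserves a one-line comment so a later edit does not merge the two lists.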
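--- /dev/null
+++ b/ansible/roles/dovecot/files/dovecot/conf.d/90-sieve.conf
@@ -0,0 +1,34 @@
+plugin {
+# 'active' is a symlink to one sieve source script inside directory at 'file'
+sieve = file:~/sieve;active=~/.dovecot.sieve
+
+# directory of global sieve scripts to run before and after processing ALL
+# incoming mail
+sieve_before = /etc/dovecot/sieve-before.d
+sieve_after = /etc/dovecot/sieve-after.d
+
+# make sieve aware of [email protected] aliases
+recipient_delimiter = +
+
+
+# no limits on script size or actions
+sieve_quota_max_storage = 0
+sieve_max_script_size = 0
+sieve_max_actions = 0
+
+sieve_extensions = +spamtest +spamtestplus
+
+sieve_spamtest_status_header = X-Spam-Score
+sieve_spamtest_status_type = strlen
+
+# X-Spamd-Bar: +++++++++
+sieve_spamtest_max_value = 9
+
+
+# X-Spamd-Result: default: False [9.19 / 15.00];
+# (regex not fixed to capture the above)
+#sieve_spamtest_status_type = score
+#sieve_spamtest_status_header = \
+# X-Spamd-Result: [[:alnum:]]+, score=(-?[[:digit:]]+\.[[:digit:]])
+#sieve_spamtest_max_value = 5.0
+}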
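Review bot: `sieve_spamtest_status_header = X-Spam-Score` paired with `sieve_spamtest_status_type = strlen` is inconsistent with the comment `# X-Spamd-Bar: +++++++++` and `sieve_spamtest_max_value = 9` directly below it: `strlen` scores by the length of the header value, which fits the bar header but not a numeric score whose text length barely varies. If the bar is intended, change the line to `sieve_spamtest_status_header = X-Spamd-Bar`; if the numeric score is intended, the commented `score` block at the bottom is the right shape and should be finished instead. Either way, spamtest trusts whatever header the message arrives with, so a comment should record that this is only meaningful if the MTA/rspamd strips or overwrites inbound `X-Spam-*`/`X-Spamd-*` headers before delivery. Setting `sieve_quota_max_storage`, `sieve_max_script_size` and `sieve_max_actions` all to 0 removes every cap on user-supplied scripts; the `# no limits` comment should say why that is acceptable here rather than leaving it as an unexplained relaxation.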