Merge branch 'confd' of mauro/ansible-role-dovecot-docker into master

defaults/main.yml

@@ -15,7 +15,7 @@ dovecot_volume_mail: dovecot_mail
 dovecot_volume_ssl: dovecot_ssl
 
 # nombre red docker (definido por rol docker)
-docker_network_name: dockernet
+docker_network: dockernet
 
 # Auth
 
@@ -25,9 +25,6 @@ dovecot_auth_mechanisms: plain
 # como transformar el nombre de usuario antes de autenticar
 dovecot_auth_username_format: "%Lu"
 
-# habilitar userdb/passdb de usuarios del sistema?
-dovecot_auth_system_enable: no
-
 # habilitar usuarios master?
 dovecot_auth_master_enable: no
 
@@ -36,10 +33,16 @@ dovecot_auth_master_enable: no
 # habilitar userdb/passdb ldap?
 dovecot_ldap_enable: yes
 
+# servidores ldap
+dovecot_ldap_hosts: []
+
 # servidores ldap
 dovecot_ldap_uris:
   - "{{ ldap_uri | default('ldap://localhost') }}"
 
+# autenticar con clave provista por usuario
+dovecot_ldap_bind: yes
+
 # version del protocolo LDAP
 dovecot_ldap_version: 3
 
@@ -97,3 +100,16 @@ dovecot_quota_additional_limit:
 
 # gracia (en porcentaje o M)
 dovecot_quota_grace: 10%
+
+# submission
+dovecot_submission_enable: yes
+dovecot_submission_hostname: "{{ dovecot_container }}.{{ docker_network }}"
+dovecot_submission_relay_host: postfix
+dovecot_submission_relay_port: 25
+dovecot_submission_relay_trusted: yes
+# FIXME: add ssl/tls support
+dovecot_submission_relay_ssl: "no"
+dovecot_submission_relay_ssl_verify: no
+
+# antispam
+dovecot_antispam_enable: yes

files/10-mail.conf

@@ -2,12 +2,13 @@
 ## Mailbox locations and namespaces
 ##
 mail_location = mdbox:~/dbox
+mail_attribute_dict = file:~/dovecot-attributes
 
 namespace inbox {
   # Namespace type: private, shared or public
   #type = private
   separator = /
-  #prefix = 
+  #prefix =
   #location =
 
   # There can be only one INBOX, and this setting defines which namespace
@@ -51,7 +52,7 @@ mail_gid = vmail
 
 # A comment or note that is associated with the server. This value is
 # accessible for authenticated users through the IMAP METADATA server
-# entry "/shared/comment". 
+# entry "/shared/comment".
 #mail_server_comment = ""
 
 # Indicates a method for contacting the server administrator. According to
@@ -59,7 +60,7 @@ mail_gid = vmail
 # is currently not enforced. Use for example mailto:admin@example.com. This
 # value is accessible for authenticated users through the IMAP METADATA server
 # entry "/shared/admin".
-#mail_server_admin = 
+#mail_server_admin =
 
 ##
 ## Mail processes
@@ -112,7 +113,7 @@ mail_gid = vmail
 # WARNING: Never add directories here which local users can modify, that
 # may lead to root exploit. Usually this should be done only if you don't
 # allow shell access for users. <doc/wiki/Chrooting.txt>
-#valid_chroot_dirs = 
+#valid_chroot_dirs =
 
 # Default chroot directory for mail processes. This can be overridden for
 # specific users in user database by giving /./ in user's home directory
@@ -120,7 +121,7 @@ mail_gid = vmail
 # need to do chrooting, Dovecot doesn't allow users to access files outside
 # their mail directory anyway. If your home directories are prefixed with
 # the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
-#mail_chroot = 
+#mail_chroot =
 
 # UNIX socket path to master authentication server to find users.
 # This is used by imap (for shared users) and lda.
@@ -237,7 +238,7 @@ mailbox_list_index = yes
 # fallbacks to re-reading the whole mbox file whenever something in mbox isn't
 # how it's expected to be. The only real downside to this setting is that if
 # some other MUA changes message flags, Dovecot doesn't notice it immediately.
-# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK 
+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
 # commands.
 #mbox_dirty_syncs = yes
 

files/10-master.conf

@@ -88,8 +88,8 @@ service auth {
   # permissions (e.g. 0777 allows everyone full permissions).
   unix_listener auth-userdb {
     #mode = 0666
-    #user = 
-    #group = 
+    #user =
+    #group =
   }
 
   inet_listener {
@@ -112,7 +112,7 @@ service dict {
   # For example: mode=0660, group=vmail and global mail_access_groups=vmail
   unix_listener dict {
     #mode = 0600
-    #user = 
-    #group = 
+    #user =
+    #group =
   }
 }

files/10-ssl.conf

@@ -21,7 +21,7 @@ ssl_key = </ssl/key.pem
 # PEM encoded trusted certificate authority. Set this only if you intend to use
 # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
 # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
-#ssl_ca = 
+#ssl_ca =
 
 # Require that CRL check succeeds for client certificates.
 #ssl_require_crl = yes

files/11-quota.conf

@@ -1,2 +0,0 @@
-# Enable quota plugin
-mail_plugins = $mail_plugins quota

files/15-mailboxes.conf

@@ -11,11 +11,11 @@
 #   implicitly when it is first accessed. The user can also be automatically
 #   subscribed to the mailbox after creation. The following values are
 #   defined for this setting:
-# 
+#
 #     no        - Never created automatically.
 #     create    - Automatically created, but no automatic subscription.
 #     subscribe - Automatically created and subscribed.
-#  
+#
 # special_use:
 #   A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
 #   mailbox. There are no validity checks, so you could specify anything
@@ -23,7 +23,7 @@
 #   standard ones specified in the RFC:
 #
 #     \All      - This (virtual) mailbox presents all messages in the
-#                 user's message store. 
+#                 user's message store.
 #     \Archive  - This mailbox is used to archive messages.
 #     \Drafts   - This mailbox is used to hold draft messages.
 #     \Flagged  - This (virtual) mailbox presents all messages in the

files/20-imap.conf

@@ -37,7 +37,7 @@ imap_capability = +SPECIAL_USE
 # ID field names and values to send to clients. Using * as the value makes
 # Dovecot use the default value. The following fields have default values
 # currently: name, version, os, os-version, support-url, support-email.
-#imap_id_send = 
+#imap_id_send =
 
 # ID fields sent by client to log. * means everything.
 #imap_id_log =
@@ -60,7 +60,7 @@ imap_capability = +SPECIAL_USE
 #     greyed out, instead of only later giving "not selectable" popup error.
 #
 # The list is space-separated.
-#imap_client_workarounds = 
+#imap_client_workarounds =
 
 # Host allowed in URLAUTH URLs sent by client. "*" allows all.
 #imap_urlauth_host =

files/90-sieve.conf

@@ -16,7 +16,7 @@
 #
 # location = [<type>:]path[;<option>[=<value>][;...]]
 #
-# If the type prefix is omitted, the script location type is 'file' and the 
+# If the type prefix is omitted, the script location type is 'file' and the
 # location is interpreted as a local filesystem path pointing to a Sieve script
 # file or directory. Refer to Pigeonhole wiki or INSTALL file for more
 # information.
@@ -27,7 +27,7 @@ plugin {
   # delivery. The "include" extension uses this location for retrieving
   # :personal" scripts. This is also where the  ManageSieve service will store
   # the user's scripts, if supported.
-  # 
+  #
   # Currently only the 'file:' location type supports ManageSieve operation.
   # Other location types like 'dict:' and 'ldap:' can currently only
   # be used as a read-only script source ().
@@ -46,9 +46,9 @@ plugin {
   #     script.
   #sieve_default = /var/lib/dovecot/sieve/default.sieve
 
-  # The name by which the default Sieve script (as configured by the 
-  # sieve_default setting) is visible to the user through ManageSieve. 
-  #sieve_default_name = 
+  # The name by which the default Sieve script (as configured by the
+  # sieve_default setting) is visible to the user through ManageSieve.
+  #sieve_default_name =
 
   # Location for ":global" include scripts as used by the "include" extension.
   #sieve_global =
@@ -63,7 +63,7 @@ plugin {
   #sieve_discard =
 
   # Location Sieve of scripts that need to be executed before the user's
-  # personal script. If a 'file' location path points to a directory, all the 
+  # personal script. If a 'file' location path points to a directory, all the
   # Sieve scripts contained therein (with the proper `.sieve' extension) are
   # executed. The order of execution within that directory is determined by the
   # file names, using a normal 8bit per-character comparison.
@@ -181,18 +181,18 @@ plugin {
   ## TRACE DEBUGGING
   # Trace debugging provides detailed insight in the operations performed by
   # the Sieve script. These settings apply to both the LDA Sieve plugin and the
-  # IMAPSIEVE plugin. 
+  # IMAPSIEVE plugin.
   #
   # WARNING: On a busy server, this functionality can quickly fill up the trace
   # directory with a lot of trace files. Enable this only temporarily and as
   # selective as possible.
-  
+
   # The directory where trace files are written. Trace debugging is disabled if
-  # this setting is not configured or if the directory does not exist. If the 
+  # this setting is not configured or if the directory does not exist. If the
   # path is relative or it starts with "~/" it is interpreted relative to the
   # current user's home directory.
   #sieve_trace_dir =
-  
+
   # The verbosity level of the trace messages. Trace debugging is disabled if
   # this setting is not configured. Possible values are:
   #
@@ -203,12 +203,12 @@ plugin {
   #   "matching"       - Print all executed commands, performed tests and the
   #                      values matched in those tests.
   #sieve_trace_level =
-  
+
   # Enables highly verbose debugging messages that are usually only useful for
   # developers.
   #sieve_trace_debug = no
-  
+
   # Enables showing byte code addresses in the trace output, rather than only
   # the source line numbers.
-  #sieve_trace_addresses = no 
+  #sieve_trace_addresses = no
 }

files/Dockerfile

@@ -1,43 +1,75 @@
-FROM debian:buster-slim
+FROM eumau/debian:buster-slim
 LABEL maintainer "Mauro Torrez <mauro@mau.ro>"
 ARG DEBIAN_FRONTEND=noninteractive
 ENV LC_ALL C
-RUN apt-get update && apt-get install -y --no-install-recommends \
+ENV \
+    MAIL_DOMAINS= \
+    AUTH_MECHANISMS=plain \
+    AUTH_USERNAME_FORMAT="%Lu" \
+    AUTH_MASTER_ENABLE= \
+    SUBMISSION_HOSTNAME=dovecot.dockernet \
+    SUBMISSION_RELAY_HOST= \
+    SUBMISSION_RELAY_PORT=25 \
+    SUBMISSION_RELAY_TRUSTED=yes \
+    SUBMISSION_RELAY_USER= \
+    SUBMISSION_RELAY_MASTER_USER= \
+    SUBMISSION_RELAY_PASSWORD= \
+    SUBMISSION_RELAY_SSL=starttls \
+    SUBMISSION_RELAY_SSL_VERIFY=no \
+    SUBMISSION_RELAY_RAWLOG_DIR= \
+    LDAP_ENABLE= \
+    LDAP_HOSTS="ldap:389" \
+    LDAP_URIS= \
+    LDAP_BIND=yes \
+    LDAP_VERSION=3 \
+    LDAP_BASE="dc=example,dc=org" \
+    LDAP_SCOPE=sub \
+    LDAP_USER_ATTRS="=home=/vmail/mail/%d/%n, =uid=5000, =gid=5000" \
+    LDAP_USER_FILTER="(&(objectClass=inetOrgPerson)(uid=%n))" \
+    LDAP_PASS_ATTRS="userPassword=password, =userdb_home=/vmail/mail/%d/%n, =userdb_uid=5000, =userdb_gid=5000" \
+    LDAP_PASS_FILTER="(&(objectClass=inetOrgPerson)(uid=%n))" \
+    LDAP_ITERATE_ATTRS="=user=%{ldap:uid}@%d" \
+    LDAP_ITERATE_FILTER="(objectClass=inetOrgPerson)" \
+    LDAP_DEFAULT_PASS_SCHEME=CRYPT \
+    ANTISPAM_ENABLE=yes \
+    IMAP_URLAUTH_HOST="*"
+
+RUN groupadd -g 5000 vmail && useradd -g vmail -u 5000 vmail -d /vmail \
+  && mkdir -p /vmail && chown vmail:vmail /vmail \
+  && apt-get update && apt-get install -y --no-install-recommends \
      dovecot-lmtpd \
      dovecot-imapd \
      dovecot-ldap \
      dovecot-sieve \
+     dovecot-submissiond \
      dovecot-managesieved \
      dovecot-antispam \
      bogofilter \
      ssl-cert \
   && rm -rf /var/lib/apt/lists/* \
-  && groupadd -g 5000 vmail && useradd -g vmail -u 5000 vmail -d /vmail \
-  && mkdir -p /vmail && chown vmail:vmail /vmail \
   && mkdir -p /ssl && chmod 700 /ssl \
   && cp /etc/ssl/certs/ssl-cert-snakeoil.pem /ssl/cert.pem \
   && cp /etc/ssl/private/ssl-cert-snakeoil.key /ssl/key.pem \
-  && mkdir -p /etc/dovecot/sieve/before /etc/dovecot/sieve/after
+  && mkdir -p /etc/dovecot/local.d /etc/dovecot/sieve/before /etc/dovecot/sieve/after \
+  && printf '!include_try local.d/*.conf\nlog_path = /dev/stdout\n' > /etc/dovecot/local.conf
 
 ADD 10-mail.conf \
   10-master.conf \
   10-ssl.conf \
   11-quota.conf \
   15-mailboxes.conf \
-  20-imap.conf \
   90-antispam.conf \
   90-sieve.conf \
-  auth-ldap.conf.ext \
-  auth-master.conf.ext \
   /etc/dovecot/conf.d/
 
-ADD local.conf /etc/dovecot/
-
 ADD junk-filter.sieve /etc/dovecot/sieve/before/
-RUN sievec /etc/dovecot/sieve/before && sievec /etc/dovecot/sieve/after
+
+ADD confd /etc/confd/
+
+RUN sievec /etc/dovecot/sieve/before
 
 VOLUME /etc/dovecot /ssl /vmail
 
-EXPOSE 143/tcp 993/tcp 110/tcp 995/tcp 2000/tcp
+EXPOSE 110/tcp 143/tcp 587/tcp 993/tcp 995/tcp 2000/tcp
 
-CMD dovecot -F
+CMD ["dovecot","-F"]

files/auth-ldap.conf.ext

@@ -1,37 +0,0 @@
-# Authentication for LDAP users. Included from 10-auth.conf.
-#
-# <doc/wiki/AuthDatabase.LDAP.txt>
-
-# Usar LDAP para validar claves
-passdb {
-  driver = ldap
-
-  # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
-  args = /etc/dovecot/dovecot-ldap.conf.ext
-}
-
-# "prefetch" user database means that the passdb already provided the
-# needed information and there's no need to do a separate userdb lookup.
-# <doc/wiki/UserDatabase.Prefetch.txt>
-userdb {
-  driver = prefetch
-}
-
-# Usar LDAP para obtener info de usuario
-# Notar que se usa un enlace al archivo dovecot-ldap.conf.ext,
-# esto es para poder hacer conexiones asíncronas y optimizar performance
-userdb {
-  driver = ldap
-  args = /etc/dovecot/dovecot-ldap2.conf.ext
-
-  # Default fields can be used to specify defaults that LDAP may override
-  #default_fields = home=/home/virtual/%u
-}
-
-# If you don't have any user-specific settings, you can avoid the userdb LDAP
-# lookup by using userdb static instead of userdb ldap, for example:
-# <doc/wiki/UserDatabase.Static.txt>
-#userdb {
-#  driver = static
-#  args = uid=vmail gid=vmail home=/srv/vmail/%d/%n
-#}

files/auth-master.conf.ext

@@ -1,16 +0,0 @@
-# Authentication for master users. Included from 10-auth.conf.
-
-# By adding master=yes setting inside a passdb you make the passdb a list
-# of "master users", who can log in as anyone else.
-# <doc/wiki/Authentication.MasterUsers.txt>
-
-# Example master user passdb using passwd-file. You can use any passdb though.
-passdb {
-  driver = passwd-file
-  master = yes
-  args = /etc/dovecot/master-users
-
-  # Unless you're using PAM, you probably still want the destination user to
-  # be looked up from passdb that it really exists. pass=yes does that.
-  pass = yes
-}

files/confd/conf.d/auth.toml

@@ -0,0 +1,10 @@
+[template]
+src = "10-auth.conf.tmpl"
+dest = "/etc/dovecot/local.d/10-auth.conf"
+keys = [
+    "/mail/domains",
+    "/auth/username/format",
+    "/auth/mechanisms",
+    "/auth/master/enable",
+    "/ldap/enable"
+]

files/confd/conf.d/imap.toml

@@ -0,0 +1,7 @@
+[template]
+src = "20-imap.conf.tmpl"
+dest = "/etc/dovecot/local.d/20-imap.conf"
+keys = [
+    "/antispam/enable",
+    "/imap/urlauth/host"
+]

files/confd/conf.d/ldap.toml

@@ -0,0 +1,18 @@
+[template]
+src = "ldap.conf.ext.tmpl"
+dest = "/etc/dovecot/local.d/ldap.conf.ext"
+keys = [
+    "/ldap/hosts",
+    "/ldap/uris",
+    "/ldap/bind",
+    "/ldap/version",
+    "/ldap/base",
+    "/ldap/scope",
+    "/ldap/user/attrs",
+    "/ldap/user/filter",
+    "/ldap/pass/attrs",
+    "/ldap/pass/filter",
+    "/ldap/iterate/attrs",
+    "/ldap/iterate/filter",
+    "/ldap/default/pass/scheme",
+]

files/confd/conf.d/ldap2.toml

@@ -0,0 +1,18 @@
+[template]
+src = "ldap.conf.ext.tmpl"
+dest = "/etc/dovecot/local.d/ldap2.conf.ext"
+keys = [
+    "/ldap/hosts",
+    "/ldap/uris",
+    "/ldap/bind",
+    "/ldap/version",
+    "/ldap/base",
+    "/ldap/scope",
+    "/ldap/user/attrs",
+    "/ldap/user/filter",
+    "/ldap/pass/attrs",
+    "/ldap/pass/filter",
+    "/ldap/iterate/attrs",
+    "/ldap/iterate/filter",
+    "/ldap/default/pass/scheme",
+]

files/confd/conf.d/lmtp.toml

@@ -0,0 +1,6 @@
+[template]
+src = "20-lmtp.conf.tmpl"
+dest = "/etc/dovecot/local.d/20-lmtp.conf"
+keys = [
+    "/mail/domains"
+]

files/confd/conf.d/submission.toml

@@ -0,0 +1,15 @@
+[template]
+src = "submission.conf.tmpl"
+dest = "/etc/dovecot/local.d/submission.conf"
+keys = [
+    "/submission/hostname",
+    "/submission/relay/host",
+    "/submission/relay/port",
+    "/submission/relay/trusted",
+    "/submission/relay/user",
+    "/submission/relay/master/user",
+    "/submission/relay/password",
+    "/submission/relay/ssl",
+    "/submission/relay/ssl/verify",
+    "/submission/relay/rawlog/dir"
+]

files/confd/templates/10-auth.conf.tmpl

@@ -0,0 +1,32 @@
+auth_realms = {{ getv "/mail/domains" }}
+auth_default_realm = {{ index (split (getv "/mail/domains") " ") 0 }}
+auth_username_format = {{ getv "/auth/username/format" }}
+auth_mechanisms = {{ getv "/auth/mechanisms" }}
+
+
+{{ if eq (getv "/auth/master/enable") "yes"}}
+passdb {
+  driver = passwd-file
+  master = yes
+  args = /etc/dovecot/master-users
+
+# Unless you're using PAM, you probably still want the destination user to
+  # be looked up from passdb that it really exists. pass=yes does that.
+  pass = yes
+}
+{{ end }}
+
+
+{{ if eq (getv "/ldap/enable") "yes"}}
+passdb {
+  driver = ldap
+  args = /etc/dovecot/local.d/ldap.conf.ext
+}
+userdb {
+  driver = prefetch
+}
+userdb {
+  driver = ldap
+  args = /etc/dovecot/local.d/ldap2.conf.ext
+}
+{{ end }}

files/confd/templates/20-imap.conf.tmpl

@@ -0,0 +1,6 @@
+imap_capability = +SPECIAL_USE
+imap_urlauth_host = {{ getv "/imap/urlauth/host" }}
+protocol imap {
+  mail_plugins = $mail_plugins {{ if eq (getv "/antispam/enable") "yes" }}antispam{{ end }}
+  imap_metadata = yes
+}

files/confd/templates/20-lmtp.conf.tmpl

@@ -0,0 +1,5 @@
+protocol lmtp {
+  # postmaster_address aparentemente es obligatorio
+  postmaster_address = postmaster@{{ index (split (getv "/mail/domains") " ") 0 }}
+  mail_plugins = $mail_plugins sieve
+}

files/confd/templates/90-quota.conf.tmpl

@@ -0,0 +1,27 @@
+plugin {
+  #quota_rule = *:storage=1G
+  #quota_rule2 = Trash:storage=+100M
+  quota_rule = *:storage={{ dovecot_quota_limit }}
+  {% for key, value in dovecot_quota_additional_limit.items() %}
+  quota_rule{{ loop.index + 1 }} = {{ key }}:storage=+{{ value }}
+  {% endfor %}
+
+  # LDA/LMTP allows saving the last mail to bring user from under quota to
+  # over quota, if the quota doesn't grow too high. Default is to allow as
+  # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
+  #quota_grace = 10%%
+  quota_grace = {{ dovecot_quota_grace | regex_replace("%.*$","%%") }}
+
+  {% if dovecot_quota_driver == "count" %}
+  quota_vsizes = yes
+  {% endif %}
+}
+
+
+plugin {
+  quota = {{ dovecot_quota_driver }}:User quota
+  #quota = dirsize:User quota
+  #quota = maildir:User quota
+  #quota = dict:User quota::proxy::quota
+  #quota = fs:User quota
+}

files/confd/templates/ldap.conf.ext.tmpl

@@ -0,0 +1,16 @@
+{{ if (getv "/ldap/hosts") }}
+hosts = {{ getv "/ldap/hosts" }}
+{{ else }}
+uris = {{ getv "/ldap/uris" }}
+{{ end }}
+auth_bind = {{ getv "/ldap/bind" }}
+ldap_version = {{ getv "/ldap/version" }}
+base = {{ getv "/ldap/base" }}
+scope = {{ getv "/ldap/scope" }}
+user_attrs = {{ getv "/ldap/user/attrs" }}
+user_filter = {{ getv "/ldap/user/filter" }}
+pass_attrs = {{ getv "/ldap/pass/attrs" }}
+pass_filter = {{ getv "/ldap/pass/filter" }}
+iterate_attrs = {{ getv "/ldap/iterate/attrs" }}
+iterate_filter = {{ getv "/ldap/iterate/filter" }}
+default_pass_scheme = {{ getv "/ldap/default/pass/scheme" }}

files/confd/templates/submission.conf.tmpl

@@ -0,0 +1,10 @@
+hostname = {{getv "/submission/hostname"}}
+submission_relay_host = {{getv "/submission/relay/host"}}
+submission_relay_port = {{getv "/submission/relay/port"}}
+submission_relay_trusted = {{getv "/submission/relay/trusted"}}
+submission_relay_user = {{getv "/submission/relay/user"}}
+submission_relay_master_user = {{getv "/submission/relay/master/user"}}
+submission_relay_password = {{getv "/submission/relay/password"}}
+submission_relay_ssl = {{getv "/submission/relay/ssl"}}
+submission_relay_ssl_verify = {{getv "/submission/relay/ssl/verify"}}
+submission_relay_rawlog_dir = {{getv "/submission/relay/rawlog/dir"}}

files/local.conf

@@ -1 +1,2 @@
+!include_try local.d/*.conf
 log_path = /dev/stdout

tasks/main.yml

@@ -14,15 +14,11 @@
     - 10-mail.conf
     - 10-master.conf
     - 10-ssl.conf
-    - 11-quota.conf
     - 15-mailboxes.conf
-    - 20-imap.conf
     - 90-antispam.conf
     - 90-sieve.conf
-    - auth-ldap.conf.ext
-    - auth-master.conf.ext
     - junk-filter.sieve
-    - local.conf
+    - confd
   tags: skip_me
 
 - name: Crear imagen {{ dovecot_image }}
@@ -43,11 +39,43 @@
       - "{{ dovecot_volume_mail }}:/vmail/"
       - "{{ dovecot_volume_ssl }}:/ssl/"
     networks:
-      - name: "{{ docker_network_name }}"
-    ports:
-      - 143:143
-      - 2000:2000
+      - name: "{{ docker_network }}"
+    ports: >-
+      [ "143:143",
+        {{ '"587:587",' if dovecot_submission_enable else '' }}
+        "2000:2000"
+      ]
+
     env:
+      MAIL_DOMAINS: "{{ mail_domains.keys() | list | join(' ') }}"
+      AUTH_MECHANISMS: "{{ dovecot_auth_mechanisms }}"
+      AUTH_USERNAME_FORMAT: "{{ dovecot_auth_username_format }}"
+      AUTH_MASTER_ENABLE: "{{ 'yes' if dovecot_auth_master_enable else '' }}"
+      SUBMISSION_HOSTNAME: "{{ dovecot_submission_hostname }}"
+      SUBMISSION_RELAY_HOST: "{{ dovecot_submission_relay_host }}"
+      SUBMISSION_RELAY_PORT: "{{ dovecot_submission_relay_port | string }}"
+      SUBMISSION_RELAY_TRUSTED: "{{ 'yes' if dovecot_submission_relay_trusted else 'no' }}"
+      SUBMISSION_RELAY_SSL_VERIFY: "{{ 'yes' if dovecot_submission_relay_ssl_verify else 'no' }}"
+      SUBMISSION_RELAY_SSL: "{{ dovecot_submission_relay_ssl }}"
+      # SUBMISSION_RELAY_USER:
+      # SUBMISSION_RELAY_MASTER_USER:
+      # SUBMISSION_RELAY_PASSWORD:
+      # SUBMISSION_RELAY_RAWLOG_DIR:
+      LDAP_ENABLE: "{{ 'yes' if dovecot_ldap_enable else '' }}"
+      LDAP_HOSTS: "{{ dovecot_ldap_hosts | join(' ') }}"
+      LDAP_URIS: "{{ dovecot_ldap_uris | join(' ') }}"
+      LDAP_BIND: "{{ 'yes' if dovecot_ldap_bind else 'no' }}"
+      LDAP_VERSION: "{{ dovecot_ldap_version | string }}"
+      LDAP_BASE: "{{ dovecot_ldap_base }}"
+      LDAP_SCOPE: "{{ dovecot_ldap_scope }}"
+      LDAP_USER_ATTRS: "{{ dovecot_ldap_user_attrs }}"
+      LDAP_USER_FILTER: "{{ dovecot_ldap_user_filter }}"
+      LDAP_PASS_ATTRS: "{{ dovecot_ldap_pass_attrs }}"
+      LDAP_PASS_FILTER: "{{ dovecot_ldap_pass_filter }}"
+      LDAP_ITERATE_ATTRS: "{{ dovecot_ldap_iterate_attrs }}"
+      LDAP_ITERATE_FILTER: "{{ dovecot_ldap_iterate_filter }}"
+      LDAP_DEFAULT_PASS_SCHEME: "{{ dovecot_ldap_default_pass_scheme }}"
+      ANTISPAM_ENABLE: "{{ 'yes' if dovecot_antispam_enable else '' }}"
   register: container
 
 - name: Leer info de volumen {{ dovecot_volume_config }}
@@ -75,24 +103,12 @@
     dovecot_volume_ssl: "{{ lookup('vars','dovecot_volume_ssl') }}"
     dovecot_mountpoint_ssl: "{{ res_ssl.volume.Mountpoint }}"
 
-- name: Configuración de Dovecot (1)
-  template:
-    dest: "{{ dovecot_mountpoint_config }}/conf.d/{{ item }}"
-    src: "{{item}}.j2"
-  loop:
-    - 10-auth.conf
-    - 20-lmtp.conf
-    - 90-quota.conf
-  notify: restart dovecot
-
-- name: Configuración de Dovecot (2-LDAP)
-  template:
-    dest: "{{ dovecot_mountpoint_config }}/dovecot-ldap.conf.ext"
-    src: "dovecot-ldap.conf.ext.j2"
-  notify: restart dovecot
-
-- name: Configuración de Dovecot (3-LDAP)
-  template:
-    dest: "{{ dovecot_mountpoint_config }}/dovecot-ldap2.conf.ext"
-    src: "dovecot-ldap.conf.ext.j2"
-  notify: restart dovecot
+# FIXME: configurar quota mediante confd
+#
+# - name: Configuración de Dovecot (1)
+#   template:
+#     dest: "{{ dovecot_mountpoint_config }}/conf.d/{{ item }}"
+#     src: "{{item}}.j2"
+#   loop:
+#     - 90-quota.conf
+#   notify: restart dovecot

templates/10-auth.conf.j2

@@ -1,135 +0,0 @@
-##
-## Authentication processes
-##
-
-# Disable LOGIN command and all other plaintext authentications unless
-# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
-# matches the local IP (ie. you're connecting from the same computer), the
-# connection is considered secure and plaintext authentication is allowed.
-# See also ssl=required setting.
-#disable_plaintext_auth = yes
-
-# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
-# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
-#auth_cache_size = 0
-# Time to live for cached data. After TTL expires the cached record is no
-# longer used, *except* if the main database lookup returns internal failure.
-# We also try to handle password changes automatically: If user's previous
-# authentication was successful, but this one wasn't, the cache isn't used.
-# For now this works only with plaintext authentication.
-#auth_cache_ttl = 1 hour
-# TTL for negative hits (user not found, password mismatch).
-# 0 disables caching them completely.
-#auth_cache_negative_ttl = 1 hour
-
-# Space separated list of realms for SASL authentication mechanisms that need
-# them. You can leave it empty if you don't want to support multiple realms.
-# Many clients simply use the first one listed here, so keep the default realm
-# first.
-auth_realms = {{ mail_domains | join(" ") }}
-
-# Default realm/domain to use if none was specified. This is used for both
-# SASL realms and appending @domain to username in plaintext logins.
-auth_default_realm = {{ mail_domains | first }}
-
-# List of allowed characters in username. If the user-given username contains
-# a character not listed in here, the login automatically fails. This is just
-# an extra check to make sure user can't exploit any potential quote escaping
-# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
-# set this value to empty.
-#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
-
-# Username character translations before it's looked up from databases. The
-# value contains series of from -> to characters. For example "#@/@" means
-# that '#' and '/' characters are translated to '@'.
-#auth_username_translation =
-
-# Username formatting before it's looked up from databases. You can use
-# the standard variables here, eg. %Lu would lowercase the username, %n would
-# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
-# "-AT-". This translation is done after auth_username_translation changes.
-auth_username_format = {{ dovecot_auth_username_format }}
-
-# If you want to allow master users to log in by specifying the master
-# username within the normal username string (ie. not using SASL mechanism's
-# support for it), you can specify the separator character here. The format
-# is then <username><separator><master username>. UW-IMAP uses "*" as the
-# separator, so that could be a good choice.
-#auth_master_user_separator =
-
-# Username to use for users logging in with ANONYMOUS SASL mechanism
-#auth_anonymous_username = anonymous
-
-# Maximum number of dovecot-auth worker processes. They're used to execute
-# blocking passdb and userdb queries (eg. MySQL and PAM). They're
-# automatically created and destroyed as needed.
-#auth_worker_max_count = 30
-
-# Host name to use in GSSAPI principal names. The default is to use the
-# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
-# entries.
-#auth_gssapi_hostname =
-
-# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
-# default (usually /etc/krb5.keytab) if not specified. You may need to change
-# the auth service to run as root to be able to read this file.
-#auth_krb5_keytab = 
-
-# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
-# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
-#auth_use_winbind = no
-
-# Path for Samba's ntlm_auth helper binary.
-#auth_winbind_helper_path = /usr/bin/ntlm_auth
-
-# Time to delay before replying to failed authentications.
-#auth_failure_delay = 2 secs
-
-# Require a valid SSL client certificate or the authentication fails.
-#auth_ssl_require_client_cert = no
-
-# Take the username from client's SSL certificate, using 
-# X509_NAME_get_text_by_NID() which returns the subject's DN's
-# CommonName. 
-#auth_ssl_username_from_cert = no
-
-# Space separated list of wanted authentication mechanisms:
-#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
-#   gss-spnego
-# NOTE: See also disable_plaintext_auth setting.
-# el mecanismo "login" es para compatibilidad para Outlooks viejos
-auth_mechanisms = {{ dovecot_auth_mechanisms }}
-
-##
-## Password and user databases
-##
-
-#
-# Password database is used to verify user's password (and nothing more).
-# You can have multiple passdbs and userdbs. This is useful if you want to
-# allow both system users (/etc/passwd) and virtual users to login without
-# duplicating the system users into virtual database.
-#
-# <doc/wiki/PasswordDatabase.txt>
-#
-# User database specifies where mails are located and what user/group IDs
-# own them. For single-UID configuration use "static" userdb.
-#
-# <doc/wiki/UserDatabase.txt>
-
-#!include auth-deny.conf.ext
-{% if dovecot_auth_master_enable %}
-!include auth-master.conf.ext
-{% endif %}
-#!include auth-passwdfile.conf.ext
-{% if dovecot_auth_system_enable %}
-!include auth-system.conf.ext
-{% endif %}
-#!include auth-sql.conf.ext
-{% if dovecot_ldap_enable %}
-!include auth-ldap.conf.ext
-{% endif %}
-#!include auth-passwdfile.conf.ext
-#!include auth-checkpassword.conf.ext
-#!include auth-vpopmail.conf.ext
-#!include auth-static.conf.ext

templates/20-lmtp.conf.j2

@@ -1,28 +0,0 @@
-##
-## LMTP specific settings
-##
-
-# Support proxying to other LMTP/SMTP servers by performing passdb lookups.
-#lmtp_proxy = no
-
-# When recipient address includes the detail (e.g. user+detail), try to save
-# the mail to the detail mailbox. See also recipient_delimiter and
-# lda_mailbox_autocreate settings.
-#lmtp_save_to_detail_mailbox = no
-
-# Verify quota before replying to RCPT TO. This adds a small overhead.
-#lmtp_rcpt_check_quota = no
-
-# Which recipient address to use for Delivered-To: header and Received:
-# header. The default is "final", which is the same as the one given to
-# RCPT TO command. "original" uses the address given in RCPT TO's ORCPT
-# parameter, "none" uses nothing. Note that "none" is currently always used
-# when a mail has multiple recipients.
-#lmtp_hdr_delivery_address = final
-
-protocol lmtp {
-  # postmaster_address aparentemente es obligatorio
-  postmaster_address = postmaster@{{ mail_domains | first }}
-  # Space separated list of plugins to load (default is global mail_plugins).
-  mail_plugins = $mail_plugins sieve
-}

templates/90-quota.conf.j2

@@ -1,91 +0,0 @@
-#jinja2: lstrip_blocks: True
-##
-## Quota configuration.
-##
-
-# Note that you also have to enable quota plugin in mail_plugins setting.
-# <doc/wiki/Quota.txt>
-
-##
-## Quota limits
-##
-
-# Quota limits are set using "quota_rule" parameters. To get per-user quota
-# limits, you can set/override them by returning "quota_rule" extra field
-# from userdb. It's also possible to give mailbox-specific limits, for example
-# to give additional 100 MB when saving to Trash:
-
-plugin {
-  #quota_rule = *:storage=1G
-  #quota_rule2 = Trash:storage=+100M
-  quota_rule = *:storage={{ dovecot_quota_limit }}
-  {% for key, value in dovecot_quota_additional_limit.items() %}
-  quota_rule{{ loop.index + 1 }} = {{ key }}:storage=+{{ value }}
-  {% endfor %}
-
-  # LDA/LMTP allows saving the last mail to bring user from under quota to
-  # over quota, if the quota doesn't grow too high. Default is to allow as
-  # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
-  #quota_grace = 10%%
-  quota_grace = {{ dovecot_quota_grace | regex_replace("%.*$","%%") }}
-
-  {% if dovecot_quota_driver == "count" %}
-  quota_vsizes = yes
-  {% endif %}
-}
-
-##
-## Quota warnings
-##
-
-# You can execute a given command when user exceeds a specified quota limit.
-# Each quota root has separate limits. Only the command for the first
-# exceeded limit is excecuted, so put the highest limit first.
-# The commands are executed via script service by connecting to the named
-# UNIX socket (quota-warning below).
-# Note that % needs to be escaped as %%, otherwise "% " expands to empty.
-
-plugin {
-  #quota_warning = storage=95%% quota-warning 95 %u
-  #quota_warning2 = storage=80%% quota-warning 80 %u
-}
-
-# Example quota-warning service. The unix listener's permissions should be
-# set in a way that mail processes can connect to it. Below example assumes
-# that mail processes run as vmail user. If you use mode=0666, all system users
-# can generate quota warnings to anyone.
-#service quota-warning {
-#  executable = script /usr/local/bin/quota-warning.sh
-#  user = dovecot
-#  unix_listener quota-warning {
-#    user = vmail
-#  }
-#}
-
-##
-## Quota backends
-##
-
-# Multiple backends are supported:
-#   dirsize: Find and sum all the files found from mail directory.
-#            Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
-#   dict: Keep quota stored in dictionary (eg. SQL)
-#   maildir: Maildir++ quota
-#   fs: Read-only support for filesystem quota
-
-plugin {
-  quota = {{ dovecot_quota_driver }}:User quota
-  #quota = dirsize:User quota
-  #quota = maildir:User quota
-  #quota = dict:User quota::proxy::quota
-  #quota = fs:User quota
-}
-
-# Multiple quota roots are also possible, for example this gives each user
-# their own 100MB quota and one shared 1GB quota within the domain:
-plugin {
-  #quota = dict:user::proxy::quota
-  #quota2 = dict:domain:%d:proxy::quota_domain
-  #quota_rule = *:storage=102400
-  #quota2_rule = *:storage=1048576
-}

templates/dovecot-ldap.conf.ext.j2

@@ -1,75 +0,0 @@
-# This file is commonly accessed via passdb {} or userdb {} section in
-# conf.d/auth-ldap.conf.ext
-
-# This file is opened as root, so it should be owned by root and mode 0600.
-# http://wiki2.dovecot.org/AuthDatabase/LDAP
-
-# Space separated list of LDAP hosts to use. host:port is allowed too.
-uris = {{ dovecot_ldap_uris | join(" ") }}
-
-# Use authentication binding for verifying password's validity. This works by
-# logging into LDAP server using the username and password given by client.
-# The pass_filter is used to find the DN for the user. Note that the pass_attrs
-# is still used, only the password field is ignored in it. Before doing any
-# search, the binding is switched back to the default DN.
-auth_bind = yes
-
-# If authentication binding is used, you can save one LDAP request per login
-# if users' DN can be specified with a common template. The template can use
-# the standard %variables (see user_filter). Note that you can't
-# use any pass_attrs if you use this setting.
-# auth_bind_userdn =
-
-# LDAP protocol version to use. Likely 2 or 3.
-ldap_version = {{ dovecot_ldap_version }}
-
-# LDAP base. %variables can be used here.
-# For example: dc=mail, dc=example, dc=org
-base = {{ dovecot_ldap_base }}
-
-# Search scope: base, onelevel, subtree
-scope = {{ dovecot_ldap_scope }}
-
-# User attributes are given in LDAP-name=dovecot-internal-name list. The
-# internal names are:
-#   uid - System UID
-#   gid - System GID
-#   home - Home directory
-#   mail - Mail location
-#
-# There are also other special fields which can be returned, see
-# http://wiki2.dovecot.org/UserDatabase/ExtraFields
-#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
-user_attrs = {{ dovecot_ldap_user_attrs }}
-
-# Filter for user lookup. Some variables can be used (see
-# http://wiki2.dovecot.org/Variables for full list):
-#   %u - username
-#   %n - user part in user@domain, same as %u if there's no domain
-#   %d - domain part in user@domain, empty if user there's no domain
-user_filter = {{ dovecot_ldap_user_filter }}
-
-# Password checking attributes:
-#  user: Virtual user name (user@domain), if you wish to change the
-#        user-given username to something else
-#  password: Password, may optionally start with {type}, eg. {crypt}
-# There are also other special fields which can be returned, see
-# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
-# pass_attrs = uid=user,userPassword=password
-
-# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
-# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
-# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
-# string. For example:
-pass_attrs = {{ dovecot_ldap_pass_attrs }}
-
-# Filter for password lookups
-pass_filter = {{ dovecot_ldap_pass_filter }}
-
-# Attributes and filter to get a list of all users
-iterate_attrs = {{ dovecot_ldap_iterate_attrs }}
-iterate_filter = {{ dovecot_ldap_iterate_filter }}
-
-# Default password scheme. "{scheme}" before password overrides this.
-# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
-default_pass_scheme = {{ dovecot_ldap_default_pass_scheme }}