mauro/ansible-role-dovecot-docker
1
0
Fork 0
forked from mauro/ansible-role-dovecot
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: mauro:master
Branches Tags
mauro:master
mauro/ansible-role-dovecot:master
..
compare: mauro/ansible-role-dovecot:master
Branches Tags
mauro/ansible-role-dovecot:master
mauro:master

No commits in common. "master" and "master" have entirely different histories.
master ... master

17 changed files with 1696 additions and 156 deletions
Show Stats Expand all files Collapse all files

194
defaults/main.yml
View File

@ -1,21 +1,38 @@
--- ---
# nombre del container
dovecot_container: dovecot
# nombre de la imagen # Mail
dovecot_image: eumau/dovecot
# nombre volumen config # carpeta por defecto para el mail
dovecot_volume_config: dovecot_config dovecot_mail_home: "{{ vmail_home | default('/srv/mail') }}"
# nombre volumen mail # usuario por defecto para el mail
dovecot_volume_mail: dovecot_mail dovecot_mail_user: "{{ vmail_user | default('vmail') }}"
# nombre volumen ssl # uid por defecto para vmail
dovecot_volume_ssl: dovecot_ssl dovecot_mail_uid: "{{ vmail_uid | default(5000) }}"
# nombre red docker (definido por rol docker) # grupo por defecto para vmail
docker_network: dockernet dovecot_mail_group: "{{ vmail_group | default('vmail') }}"
# gid por defecto para vmail
dovecot_mail_gid: "{{ vmail_gid | default(5000) }}"
# carpeta de mail de cada usuario
dovecot_user_home: "{{ dovecot_mail_home }}/mail/%d/%n"
# formato del mailbox: dbox, mdbox, sdbox, maildir
dovecot_mailbox_format: dbox
# ubicacion de mails de dovecot (~ = dovecot_user_home)
dovecot_mail_location:
"{%- if 'dbox' in dovecot_mailbox_format -%}\
{{dovecot_mailbox_format}}:~/dbox\
{%- else -%}\
{{dovecot_mailbox_format}}:~/Maildir\
{%- endif %}"
# nombre de la carpeta de spam
dovecot_mailbox_junk: Junk
# Auth # Auth
@ -25,23 +42,54 @@ dovecot_auth_mechanisms: plain
# como transformar el nombre de usuario antes de autenticar # como transformar el nombre de usuario antes de autenticar
dovecot_auth_username_format: "%Lu" dovecot_auth_username_format: "%Lu"
# habilitar userdb/passdb de usuarios del sistema?
dovecot_auth_system_enable: no
# habilitar usuarios master? # habilitar usuarios master?
dovecot_auth_master_enable: no dovecot_auth_master_enable: no
# Protocolos
# activar IMAP?
dovecot_proto_imap_enable: yes
# activar IMAPS?
dovecot_proto_imaps_enable: no
# activar POP3?
dovecot_proto_pop3_enable: no
# activar POP3S?
dovecot_proto_pop3s_enable: no
# activar managesieve?
dovecot_proto_managesieve_enable: yes
# TLS
# habilitar ssl
dovecot_ssl_enable: yes
# requerir ssl
dovecot_ssl_require: no
# path absoluto al certificado SSL
dovecot_ssl_cert:
"{{ tls_certificate | default('/etc/ssl/certs/ssl-cert-snakeoil.pem') }}"
# path absoluto a la clave privada SSL
dovecot_ssl_key:
"{{ tls_certificate_key | \
default('/etc/ssl/private/ssl-cert-snakeoil.key') }}"
# LDAP # LDAP
# habilitar userdb/passdb ldap? # habilitar userdb/passdb ldap?
dovecot_ldap_enable: yes dovecot_ldap_enable: yes
# servidores ldap # servidores ldap
dovecot_ldap_hosts: [] dovecot_ldap_servers:
- localhost
# servidores ldap
dovecot_ldap_uris:
- "{{ ldap_uri | default('ldap://localhost') }}"
# autenticar con clave provista por usuario
dovecot_ldap_bind: yes
# version del protocolo LDAP # version del protocolo LDAP
dovecot_ldap_version: 3 dovecot_ldap_version: 3
@ -61,13 +109,14 @@ dovecot_ldap_pass_filter: "(&(objectClass=inetOrgPerson)(uid=%n))"
# atributos del usuario leidos de LDAP # atributos del usuario leidos de LDAP
# por defecto, usar valores pre-calculados # por defecto, usar valores pre-calculados
dovecot_ldap_user_attrs: dovecot_ldap_user_attrs:
"=home=/vmail/mail/%d/%n, =uid=5000, =gid=5000" "=home={{ dovecot_user_home }}, =uid={{ dovecot_mail_user }}, \
=gid={{ dovecot_mail_group }}"
# clave + atributos del usuario leidos de LDAP # clave + atributos del usuario leidos de LDAP
# por defecto, usar valores pre-calculados # por defecto, usar valores pre-calculados
dovecot_ldap_pass_attrs: dovecot_ldap_pass_attrs:
"userPassword=password, =userdb_home=/vmail/mail/%d/%n, \ "userPassword=password, =userdb_home={{ dovecot_user_home }}, \
=userdb_uid=5000, =userdb_gid=5000" =userdb_uid={{ dovecot_mail_user }}, =userdb_gid={{ dovecot_mail_group }}"
# iteracion con doveadm # iteracion con doveadm
# CAVEAT: al usar %Dd en ldap_base, no se puede utilizar doveadm -A, # CAVEAT: al usar %Dd en ldap_base, no se puede utilizar doveadm -A,
@ -83,6 +132,50 @@ dovecot_ldap_iterate_filter: "(objectClass=inetOrgPerson)"
# Esquema con que se guarda la clave (no deberia usarse) # Esquema con que se guarda la clave (no deberia usarse)
dovecot_ldap_default_pass_scheme: "CRYPT" dovecot_ldap_default_pass_scheme: "CRYPT"
# Antispam
# Activar el plugin antispam?
dovecot_antispam_enable: yes
# Backend del plugin antispam. Valores posibles:
# crm114, dspam, pipe, spool2dir
dovecot_antispam_backend: pipe
# Header que indica que el mail ha sido escaneado para spam
dovecot_antispam_signature: X-Bogosity
# Pipe: programa que entrena leyendo el mail en STDIN
dovecot_antispam_pipe_program: /usr/bin/bogofilter
# antispam_pipe_program_args = --for;%u
dovecot_antispam_pipe_program_args: "-l"
# Pipe: argumento que indica que el mail NO ES spam
dovecot_antispam_pipe_program_notspam_arg: "-n"
# Pipe: argumento que indica que el mail ES spam
dovecot_antispam_pipe_program_spam_arg: "-s"
# Pipe: directorio temporal (creo que el mail se copia ahi primero)
dovecot_antispam_pipe_tmpdir: /tmp
# accion cuando se mueve un mail que no tiene signature de/hacia spam
# valores posibles:
# error: fallar en la operacion
# move: mover el mensaje de todos modos
dovecot_antispam_signature_missing: error
# nombres de las carpetas de spam
dovecot_antispam_spam: "Junk;junk;Junk Mail;Spam;spam;SPAM"
# nombres de las carpetas de papelera
dovecot_antispam_trash: "Trash;trash;mail/trash;Deleted Messages"
# debug del plugin antispam
dovecot_antispam_debug_enable: no
dovecot_antispam_debug_target: syslog
dovecot_antispam_debug_verbosity: 0
# Quota # Quota
# activar plugin quota? # activar plugin quota?
@ -101,21 +194,44 @@ dovecot_quota_additional_limit:
# gracia (en porcentaje o M) # gracia (en porcentaje o M)
dovecot_quota_grace: 10% dovecot_quota_grace: 10%
# submission # Sieve
dovecot_submission_enable: no
dovecot_submission_hostname: "{{ dovecot_container }}.{{ docker_network }}"
dovecot_submission_relay_host: postfix
dovecot_submission_relay_port: 587
dovecot_submission_relay_trusted: yes
dovecot_submission_relay_ssl: starttls # ssmtp, starttls, no
dovecot_submission_relay_ssl_verify: no
dovecot_submission_relay_user: "%u"
dovecot_submission_relay_password: "%w"
dovecot_submission_relay_master_user: ""
dovecot_submission_relay_rawlog_dir: ""
# ca certs # activar plugin sieve?
ssl_client_ca_dir: /etc/ssl/certs dovecot_sieve_enable: yes
# antispam # dir con scripts ejecutados antes que los del usuario
dovecot_antispam_enable: yes dovecot_sieve_before: /etc/dovecot/sieve/before
# dir con scripts ejecutados luego de los del usuario
dovecot_sieve_after: /etc/dovecot/sieve/after
# activar filtro spam por defecto
dovecot_sieve_global_junk_filter_enable: yes
# Single-instance storage
# activar single-instance storage?
dovecot_sis_enable: yes
# lugar donde se guardan los adjuntos
dovecot_sis_directory: "{{ dovecot_mail_home }}/attachments"
# tamaño minimo de adjuntos a guardar aparte
dovecot_sis_min_size: 128k
# hash a usar para desduplicar
dovecot_sis_hash: "%{sha1}"
# habilitar desduplicacion postergada?
dovecot_sis_queue_enable: no
# carpeta de "encolados para desduplicar
dovecot_sis_queue_directory: "{{ dovecot_mail_home }}/attachments-queue"
# Alt storage
# carpeta alternativa de correo
dovecot_altstorage_enable: no
# carpeta alternativa de correo
dovecot_altstorage_directory: "{{ dovecot_mail_home }}/alt-storage"

13
handlers/main.yml
View File

@ -1,12 +1,11 @@
--- ---
- name: restart dovecot - name: restart dovecot
docker_container: service:
name: "{{ dovecot_container}}" name: dovecot
state: started state: restarted
restart: yes
- name: recompile sieve scripts - name: recompile sieve scripts
shell: docker exec {{ dovecot_container }} sievec {{ item }} shell: sievec {{ item }}
loop: loop:
- /etc/postfix/sieve/before - "{{ dovecot_sieve_before }}"
- /etc/postfix/sieve/after - "{{ dovecot_sieve_after }}"

186
tasks/main.yml
View File

@ -1,119 +1,85 @@
--- ---
- name: Activar container dovecot - name: Instalar paquetes
docker_container: apt:
name: "{{ dovecot_container }}" state: present
state: started name: >-
restart_policy: unless-stopped [ "dovecot-lmtpd",
image: "{{ dovecot_image }}" "ssl-cert",
volumes: {% if dovecot_proto_imap_enable or dovecot_proto_imaps_enable -%}
- "{{ dovecot_volume_config }}:/etc/dovecot/" "dovecot-imapd",
- "{{ dovecot_volume_mail }}:/vmail/" {% endif %}
- "{{ dovecot_volume_ssl }}:/ssl/" {% if dovecot_proto_pop3_enable or dovecot_proto_pop3s_enable -%}
networks: "dovecot-pop3d",
- name: "{{ docker_network }}" {% endif %}
ports: >- {% if dovecot_ldap_enable -%}
[ "143:143", "dovecot-ldap",
{{ '"587:587",' if dovecot_submission_enable else '' }} {% endif %}
"2000:2000" {% if dovecot_sieve_enable -%}
"dovecot-sieve",
{% endif %}
{% if dovecot_proto_managesieve_enable -%}
"dovecot-managesieved",
{% endif %}
{% if dovecot_antispam_enable -%}
"dovecot-antispam",
{% endif %}
] ]
env: - name: Crear grupo para el mail
MAIL_DOMAINS: "{{ mail_domains.keys() | list | join(' ') }}" group:
AUTH_MECHANISMS: "{{ dovecot_auth_mechanisms }}" name: "{{ dovecot_mail_group }}"
AUTH_USERNAME_FORMAT: "{{ dovecot_auth_username_format }}" gid: "{{ dovecot_mail_gid }}"
AUTH_MASTER_ENABLE: "{{ 'yes' if dovecot_auth_master_enable else '' }}"
SUBMISSION_HOSTNAME: "{{ dovecot_submission_hostname }}"
SUBMISSION_RELAY_HOST: "{{ dovecot_submission_relay_host }}"
SUBMISSION_RELAY_PORT: "{{ dovecot_submission_relay_port | string }}"
SUBMISSION_RELAY_TRUSTED: "{{ 'yes' if dovecot_submission_relay_trusted else 'no' }}"
SUBMISSION_RELAY_SSL_VERIFY: "{{ 'yes' if dovecot_submission_relay_ssl_verify else 'no' }}"
SUBMISSION_RELAY_SSL: "{{ dovecot_submission_relay_ssl }}"
SUBMISSION_RELAY_USER: "{{ dovecot_submission_relay_user }}"
SUBMISSION_RELAY_PASSWORD: "{{ dovecot_submission_relay_password }}"
SUBMISSION_RELAY_MASTER_USER: "{{ dovecot_submission_relay_master_user }}"
SUBMISSION_RELAY_RAWLOG_DIR: "{{ dovecot_submission_relay_rawlog_dir }}"
LDAP_ENABLE: "{{ 'yes' if dovecot_ldap_enable else '' }}"
LDAP_HOSTS: "{{ dovecot_ldap_hosts | join(' ') }}"
LDAP_URIS: "{{ dovecot_ldap_uris | join(' ') }}"
LDAP_BIND: "{{ 'yes' if dovecot_ldap_bind else 'no' }}"
LDAP_VERSION: "{{ dovecot_ldap_version | string }}"
LDAP_BASE: "{{ dovecot_ldap_base }}"
LDAP_SCOPE: "{{ dovecot_ldap_scope }}"
LDAP_USER_ATTRS: "{{ dovecot_ldap_user_attrs }}"
LDAP_USER_FILTER: "{{ dovecot_ldap_user_filter }}"
LDAP_PASS_ATTRS: "{{ dovecot_ldap_pass_attrs }}"
LDAP_PASS_FILTER: "{{ dovecot_ldap_pass_filter }}"
LDAP_ITERATE_ATTRS: "{{ dovecot_ldap_iterate_attrs }}"
LDAP_ITERATE_FILTER: "{{ dovecot_ldap_iterate_filter }}"
LDAP_DEFAULT_PASS_SCHEME: "{{ dovecot_ldap_default_pass_scheme }}"
ANTISPAM_ENABLE: "{{ 'yes' if dovecot_antispam_enable else '' }}"
SSL_CLIENT_CA_DIR: "{{ ssl_client_ca_dir }}"
register: container
- name: Exportar informacion de container - name: Crear usuario para el mail
set_fact: user:
dovecot_container: "{{ lookup('vars','dovecot_container') }}" name: "{{ dovecot_mail_user }}"
uid: "{{ dovecot_mail_uid }}"
group: "{{ dovecot_mail_group }}"
home: "{{ dovecot_mail_home }}"
shell: /bin/false
- when: dovecot_volume_config[0] != '/' - name: Directorios de configuración de Dovecot
block: file:
- name: Leer info de volumen {{ dovecot_volume_config }} path: "{{ item }}"
docker_volume_info: state: directory
name: "{{ dovecot_volume_config }}" loop:
register: res_cfg - /etc/dovecot/conf.d
- name: Exportar informacion de volumen - "{{ dovecot_sieve_before }}"
set_fact: - "{{ dovecot_sieve_after }}"
dovecot_volume_config: "{{ lookup('vars','dovecot_volume_config') }}"
dovecot_mountpoint_config: "{{ res_cfg.volume.Mountpoint }}"
- when: dovecot_volume_config[0] == '/' - name: Configuración de Dovecot (1)
block: template:
- name: Exportar informacion de volumen dest: "/etc/dovecot/conf.d/{{ item }}"
set_fact: src: "{{item}}.j2"
dovecot_volume_config: "{{ lookup('vars','dovecot_volume_config') }}" loop:
dovecot_mountpoint_config: "{{ lookup('vars','dovecot_volume_config') }}" - 10-mail.conf
- 10-auth.conf
- 10-ssl.conf
- 20-lmtp.conf
- 20-imap.conf
- 10-master.conf
- auth-ldap.conf.ext
- 15-mailboxes.conf
- 90-sieve.conf
- 90-quota.conf
- 90-antispam.conf
notify: restart dovecot
- when: dovecot_volume_mail[0] != '/' - name: Configuración de Dovecot (2-LDAP)
block: template:
- name: Leer info de volumen {{ dovecot_volume_mail }} dest: "/etc/dovecot/dovecot-ldap.conf.ext"
docker_volume_info: src: "dovecot-ldap.conf.ext.j2"
name: "{{ dovecot_volume_mail }}" notify: restart dovecot
register: res_mail
- name: Exportar informacion de volumen
set_fact:
dovecot_volume_mail: "{{ lookup('vars','dovecot_volume_mail') }}"
dovecot_mountpoint_mail: "{{ res_mail.volume.Mountpoint }}"
- when: dovecot_volume_mail[0] == '/' - name: Configuración de Dovecot (3-LDAP)
block: file:
- name: Exportar informacion de volumen src: dovecot-ldap.conf.ext
set_fact: dest: /etc/dovecot/dovecot-ldap2.conf.ext
dovecot_volume_mail: "{{ lookup('vars','dovecot_volume_mail') }}" state: link
dovecot_mountpoint_mail: "{{ lookup('vars','dovecot_volume_mail') }}" notify: restart dovecot
- when: dovecot_volume_ssl[0] != '/' - name: Filtro de spam global
block: template:
- name: Leer info de volumen {{ dovecot_volume_ssl }} src: junk-filter.sieve.j2
docker_volume_info: dest: "{{ dovecot_sieve_before }}/junk-filter.sieve"
name: "{{ dovecot_volume_ssl }}" notify: recompile sieve scripts
register: res_ssl
- name: Exportar informacion de volumen
set_fact:
dovecot_volume_ssl: "{{ lookup('vars','dovecot_volume_ssl') }}"
dovecot_mountpoint_ssl: "{{ res_ssl.volume.Mountpoint }}"
- when: dovecot_volume_ssl[0] == '/'
block:
- name: Exportar informacion de volumen
set_fact:
dovecot_volume_ssl: "{{ lookup('vars','dovecot_volume_ssl') }}"
dovecot_mountpoint_ssl: "{{ lookup('vars','dovecot_volume_ssl') }}"
# FIXME: configurar quota mediante confd
#
# - name: Configuración de Dovecot (1)
# template:
# dest: "{{ dovecot_mountpoint_config }}/conf.d/{{ item }}"
# src: "{{item}}.j2"
# loop:
# - 90-quota.conf
# notify: restart dovecot

135
templates/10-auth.conf.j2 Normal file
View File

@ -0,0 +1,135 @@
##
## Authentication processes
##
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
#disable_plaintext_auth = yes
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour
# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
auth_realms = {{ mail_domains | join(" ") }}
# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
auth_default_realm = {{ mail_domains | first }}
# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =
# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
auth_username_format = {{ dovecot_auth_username_format }}
# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# support for it), you can specify the separator character here. The format
# is then <username><separator><master username>. UW-IMAP uses "*" as the
# separator, so that could be a good choice.
#auth_master_user_separator =
# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous
# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30
# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
#auth_gssapi_hostname =
# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
#auth_krb5_keytab =
# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
#auth_use_winbind = no
# Path for Samba's ntlm_auth helper binary.
#auth_winbind_helper_path = /usr/bin/ntlm_auth
# Time to delay before replying to failed authentications.
#auth_failure_delay = 2 secs
# Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no
# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName.
#auth_ssl_username_from_cert = no
# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
# el mecanismo "login" es para compatibilidad para Outlooks viejos
auth_mechanisms = {{ dovecot_auth_mechanisms }}
##
## Password and user databases
##
#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>
#!include auth-deny.conf.ext
{% if dovecot_auth_master_enable %}
!include auth-master.conf.ext
{% endif %}
#!include auth-passwdfile.conf.ext
{% if dovecot_auth_system_enable %}
!include auth-system.conf.ext
{% endif %}
#!include auth-sql.conf.ext
{% if dovecot_ldap_enable %}
!include auth-ldap.conf.ext
{% endif %}
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

317
templates/10-mail.conf.j2 Normal file
View File

@ -0,0 +1,317 @@
##
## Mailbox locations and namespaces
##
mail_location = {{ dovecot_mail_location }}
{%- if "dbox" in dovecot_mailbox_format and dovecot_altstorage_enable -%}
:ALT={{ dovecot_altstorage_directory }}/%d/%n/dbox
{% endif %}
namespace inbox {
# Namespace type: private, shared or public
#type = private
separator = /
#prefix =
#location =
# There can be only one INBOX, and this setting defines which namespace
# has it.
inbox = yes
#hidden = no
#list = yes
#subscriptions = yes
# See 15-mailboxes.conf for definitions of special mailboxes.
}
# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. <doc/wiki/UserIds.txt>
mail_uid = {{ dovecot_mail_user }}
mail_gid = {{ dovecot_mail_group }}
# Group to enable temporarily for privileged operations. Currently this is
# used only with INBOX when either its initial creation or dotlocking fails.
# Typically this is set to "mail" to give access to /var/mail.
#mail_privileged_group =
# Grant access to these supplementary groups for mail processes. Typically
# these are used to set up access to shared mailboxes. Note that it may be
# dangerous to set these if users can create symlinks (e.g. if "mail" group is
# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
#mail_access_groups =
# Allow full filesystem access to clients. There's no access checks other than
# what the operating system does for the active UID/GID. It works with both
# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
# or ~user/.
#mail_full_filesystem_access = no
# Dictionary for key=value mailbox attributes. This is used for example by
# URLAUTH and METADATA extensions.
#mail_attribute_dict =
# A comment or note that is associated with the server. This value is
# accessible for authenticated users through the IMAP METADATA server
# entry "/shared/comment".
#mail_server_comment = ""
# Indicates a method for contacting the server administrator. According to
# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
# is currently not enforced. Use for example mailto:admin@example.com. This
# value is accessible for authenticated users through the IMAP METADATA server
# entry "/shared/admin".
#mail_server_admin =
##
## Mail processes
##
# Don't use mmap() at all. This is required if you store indexes to shared
# filesystems (NFS or clustered filesystem).
#mmap_disable = no
# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
# since version 3, so this should be safe to use nowadays by default.
#dotlock_use_excl = yes
# When to use fsync() or fdatasync() calls:
# optimized (default): Whenever necessary to avoid losing important data
# always: Useful with e.g. NFS when write()s are delayed
# never: Never use it (best performance, but crashes can lose data)
#mail_fsync = optimized
# Locking method for index files. Alternatives are fcntl, flock and dotlock.
# Dotlocking uses some tricks which may create more disk I/O than other locking
# methods. NFS users: flock doesn't work, remember to change mmap_disable.
#lock_method = fcntl
# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB.
#mail_temp_dir = /tmp
# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
#first_valid_uid = 500
#last_valid_uid = 0
# Valid GID range for users, defaults to non-root/wheel. Users having
# non-valid GID as primary group ID aren't allowed to log in. If user
# belongs to supplementary groups with non-valid GIDs, those groups are
# not set.
#first_valid_gid = 1
#last_valid_gid = 0
# Maximum allowed length for mail keyword name. It's only forced when trying
# to create new keywords.
#mail_max_keyword_length = 50
# ':' separated list of directories under which chrooting is allowed for mail
# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
# This setting doesn't affect login_chroot, mail_chroot or auth chroot
# settings. If this setting is empty, "/./" in home dirs are ignored.
# WARNING: Never add directories here which local users can modify, that
# may lead to root exploit. Usually this should be done only if you don't
# allow shell access for users. <doc/wiki/Chrooting.txt>
#valid_chroot_dirs =
# Default chroot directory for mail processes. This can be overridden for
# specific users in user database by giving /./ in user's home directory
# (eg. /home/./user chroots into /home). Note that usually there is no real
# need to do chrooting, Dovecot doesn't allow users to access files outside
# their mail directory anyway. If your home directories are prefixed with
# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
#mail_chroot =
# UNIX socket path to master authentication server to find users.
# This is used by imap (for shared users) and lda.
#auth_socket_path = /var/run/dovecot/auth-userdb
# Directory where to look up mail plugins.
#mail_plugin_dir = /usr/lib/dovecot/modules
# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
mail_plugins = $mail_plugins {% if dovecot_quota_enable -%}
quota
{% endif %}
##
## Mailbox handling optimizations
##
# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
# also required for IMAP NOTIFY extension to be enabled.
{% if dovecot_quota_enable and dovecot_quota_driver == "count" -%}
mailbox_list_index = yes
{% endif %}
# The minimum number of mails in a mailbox before updates are done to cache
# file. This allows optimizing Dovecot's behavior to do less disk writes at
# the cost of more disk reads.
#mail_cache_min_mail_count = 0
# When IDLE command is running, mailbox is checked once in a while to see if
# there are any new mails or other changes. This setting defines the minimum
# time to wait between those checks. Dovecot can also use inotify and
# kqueue to find out immediately when changes occur.
#mailbox_idle_check_interval = 30 secs
# Save mails with CR+LF instead of plain LF. This makes sending those mails
# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
# But it also creates a bit more disk I/O which may just make it slower.
# Also note that if other software reads the mboxes/maildirs, they may handle
# the extra CRs wrong and cause problems.
#mail_save_crlf = no
# Max number of mails to keep open and prefetch to memory. This only works with
# some mailbox formats and/or operating systems.
#mail_prefetch_count = 0
# How often to scan for stale temporary files and delete them (0 = never).
# These should exist only after Dovecot dies in the middle of saving mails.
#mail_temp_scan_interval = 1w
##
## Maildir-specific settings
##
# By default LIST command returns all entries in maildir beginning with a dot.
# Enabling this option makes Dovecot return only entries which are directories.
# This is done by stat()ing each entry, so it causes more disk I/O.
# (For systems setting struct dirent->d_type, this check is free and it's
# done always regardless of this setting)
#maildir_stat_dirs = no
# When copying a message, do it with hard links whenever possible. This makes
# the performance much better, and it's unlikely to have any side effects.
#maildir_copy_with_hardlinks = yes
# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
# when its mtime changes unexpectedly or when we can't find the mail otherwise.
#maildir_very_dirty_syncs = no
# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
# getting the mail's physical size, except when recalculating Maildir++ quota.
# This can be useful in systems where a lot of the Maildir filenames have a
# broken size. The performance hit for enabling this is very small.
#maildir_broken_filename_sizes = no
# Always move mails from new/ directory to cur/, even when the \Recent flags
# aren't being reset.
#maildir_empty_new = no
##
## mbox-specific settings
##
# Which locking methods to use for locking mbox. There are four available:
# dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
# solution. If you want to use /var/mail/ like directory, the users
# will need write access to that directory.
# dotlock_try: Same as dotlock, but if it fails because of permissions or
# because there isn't enough disk space, just skip it.
# fcntl : Use this if possible. Works with NFS too if lockd is used.
# flock : May not exist in all systems. Doesn't work with NFS.
# lockf : May not exist in all systems. Doesn't work with NFS.
#
# You can use multiple locking methods; if you do the order they're declared
# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
# locking methods as well. Some operating systems don't allow using some of
# them simultaneously.
#
# The Debian value for mbox_write_locks differs from upstream Dovecot. It is
# changed to be compliant with Debian Policy (section 11.6) for NFS safety.
# Dovecot: mbox_write_locks = dotlock fcntl
# Debian: mbox_write_locks = fcntl dotlock
#
#mbox_read_locks = fcntl
#mbox_write_locks = fcntl dotlock
# Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins
# If dotlock exists but the mailbox isn't modified in any way, override the
# lock file after this much time.
#mbox_dotlock_change_timeout = 2 mins
# When mbox changes unexpectedly we have to fully read it to find out what
# changed. If the mbox is large this can take a long time. Since the change
# is usually just a newly appended mail, it'd be faster to simply read the
# new mails. If this setting is enabled, Dovecot does this but still safely
# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
# how it's expected to be. The only real downside to this setting is that if
# some other MUA changes message flags, Dovecot doesn't notice it immediately.
# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
# commands.
#mbox_dirty_syncs = yes
# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
#mbox_very_dirty_syncs = no
# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
# commands and when closing the mailbox). This is especially useful for POP3
# where clients often delete all mails. The downside is that our changes
# aren't immediately visible to other MUAs.
#mbox_lazy_writes = yes
# If mbox size is smaller than this (e.g. 100k), don't write index files.
# If an index file already exists it's still read, just not updated.
#mbox_min_index_size = 0
# Mail header selection algorithm to use for MD5 POP3 UIDLs when
# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
# algorithm, but it fails if the first Received: header isn't unique in all
# mails. An alternative algorithm is "all" that selects all headers.
#mbox_md5 = apop3d
##
## mdbox-specific settings
##
# Maximum dbox file size until it's rotated.
#mdbox_rotate_size = 2M
# Maximum dbox file age until it's rotated. Typically in days. Day begins
# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
#mdbox_rotate_interval = 0
# When creating new mdbox files, immediately preallocate their size to
# mdbox_rotate_size. This setting currently works only in Linux with some
# filesystems (ext4, xfs).
#mdbox_preallocate_space = no
##
## Mail attachments
##
# sdbox and mdbox support saving mail attachments to external files, which
# also allows single instance storage for them. Other backends don't support
# this for now.
# Directory root where to store mail attachments. Disabled, if empty.
mail_attachment_dir = {% if dovecot_sis_enable -%}
{{ dovecot_sis_directory }}
{% endif %}
# Attachments smaller than this aren't saved externally. It's also possible to
# write a plugin to disable saving specific attachments externally.
mail_attachment_min_size = {{ dovecot_sis_min_size }}
# Filesystem backend to use for saving attachments:
# posix : No SiS done by Dovecot (but this might help FS's own deduplication)
# sis posix : SiS with immediate byte-by-byte comparison during saving
# sis-queue posix : SiS with delayed comparison and deduplication
mail_attachment_fs = {% if dovecot_sis_queue_enable -%}
sis-queue {{ dovecot_sis_queue_directory }}:posix
{%- else -%}
sis posix
{% endif %}
# Hash format to use in attachment filenames. You can add any text and
# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
mail_attachment_hash = {{ dovecot_sis_hash }}

126
templates/10-master.conf.j2 Normal file
View File

@ -0,0 +1,126 @@
#default_process_limit = 100
#default_client_limit = 1000
# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M
# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull
# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot
service imap-login {
inet_listener imap {
{% if not dovecot_proto_imap_enable -%}
port = 0
{% endif -%}
#port = 143
}
inet_listener imaps {
{% if not dovecot_proto_imaps_enable -%}
port = 0
{% endif -%}
#port = 993
#ssl = yes
}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
service_count = 0
# Number of processes to always keep waiting for more connections.
process_min_avail = 1
# If you set service_count=0, you probably need to grow this.
#vsz_limit = $default_vsz_limit
}
service pop3-login {
inet_listener pop3 {
{% if not dovecot_proto_pop3_enable -%}
port = 0
{% endif -%}
#port = 110
}
inet_listener pop3s {
{% if not dovecot_proto_pop3s_enable -%}
port = 0
{% endif -%}
#port = 995
#ssl = yes
}
}
service lmtp {
unix_listener lmtp {
#mode = 0666
}
# Create inet listener only if you can't use the above UNIX socket
#inet_listener lmtp {
# Avoid making LMTP visible for the entire internet
#address =
#port =
#}
}
service imap {
# Most of the memory goes to mmap()ing files. You may need to increase this
# limit if you have huge mailboxes.
#vsz_limit = $default_vsz_limit
# Max. number of IMAP processes (connections)
#process_limit = 1024
}
service pop3 {
# Max. number of POP3 processes (connections)
#process_limit = 1024
}
service auth {
# auth_socket_path points to this userdb socket by default. It's typically
# used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
# full permissions to this socket are able to get a list of all usernames and
# get the results of everyone's userdb lookups.
#
# The default 0666 mode allows anyone to connect to the socket, but the
# userdb lookups will succeed only if the userdb returns an "uid" field that
# matches the caller process's UID. Also if caller's uid or gid matches the
# socket's uid or gid the lookup succeeds. Anything else causes a failure.
#
# To give the caller full permissions to lookup all users, set the mode to
# something else than 0666 and Dovecot lets the kernel enforce the
# permissions (e.g. 0777 allows everyone full permissions).
unix_listener auth-userdb {
#mode = 0666
#user =
#group =
}
# Auth process is run as this user.
#user = $default_internal_user
}
service auth-worker {
# Auth worker process is run as root by default, so that it can access
# /etc/shadow. If this isn't necessary, the user should be changed to
# $default_internal_user.
#user = root
}
service dict {
# If dict proxy is used, mail processes should have access to its socket.
# For example: mode=0660, group=vmail and global mail_access_groups=vmail
unix_listener dict {
#mode = 0600
#user =
#group =
}
}

70
templates/10-ssl.conf.j2 Normal file
View File

@ -0,0 +1,70 @@
##
## SSL settings
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = {% if dovecot_ssl_enable -%}
{% if dovecot_ssl_require -%}
required
{%- else -%}
yes
{% endif %}
{%- else -%}
no
{% endif %}
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = <{{ dovecot_ssl_cert }}
ssl_key = <{{ dovecot_ssl_key }}
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =
# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca =
# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes
# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
# directory is usually /etc/ssl/certs in Debian-based systems and the file is
# /etc/pki/tls/cert.pem in RedHat-based systems.
#ssl_client_ca_dir =
#ssl_client_ca_file =
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
# DH parameters length to use.
#ssl_dh_parameters_length = 1024
# SSL protocols to use
#ssl_protocols = !SSLv3
# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
# SSL extra options. Currently supported options are:
# no_compression - Disable compression.
#ssl_options =

81
templates/15-mailboxes.conf.j2 Normal file
View File

@ -0,0 +1,81 @@
##
## Mailbox definitions
##
# Each mailbox is specified in a separate mailbox section. The section name
# specifies the mailbox name. If it has spaces, you can put the name
# "in quotes". These sections can contain the following mailbox settings:
#
# auto:
# Indicates whether the mailbox with this name is automatically created
# implicitly when it is first accessed. The user can also be automatically
# subscribed to the mailbox after creation. The following values are
# defined for this setting:
#
# no - Never created automatically.
# create - Automatically created, but no automatic subscription.
# subscribe - Automatically created and subscribed.
#
# special_use:
# A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
# mailbox. There are no validity checks, so you could specify anything
# you want in here, but it's not a good idea to use flags other than the
# standard ones specified in the RFC:
#
# \All - This (virtual) mailbox presents all messages in the
# user's message store.
# \Archive - This mailbox is used to archive messages.
# \Drafts - This mailbox is used to hold draft messages.
# \Flagged - This (virtual) mailbox presents all messages in the
# user's message store marked with the IMAP \Flagged flag.
# \Junk - This mailbox is where messages deemed to be junk mail
# are held.
# \Sent - This mailbox is used to hold copies of messages that
# have been sent.
# \Trash - This mailbox is used to hold messages that have been
# deleted.
#
# comment:
# Defines a default comment or note associated with the mailbox. This
# value is accessible through the IMAP METADATA mailbox entries
# "/shared/comment" and "/private/comment". Users with sufficient
# privileges can override the default value for entries with a custom
# value.
# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
namespace inbox {
# These mailboxes are widely used and could perhaps be created automatically:
mailbox Drafts {
special_use = \Drafts
auto = subscribe
}
mailbox {{ dovecot_mailbox_junk }} {
special_use = \Junk
auto = subscribe
}
mailbox Trash {
special_use = \Trash
auto = subscribe
}
# For \Sent mailboxes there are two widely used names. We'll mark both of
# them as \Sent. User typically deletes one of them if duplicates are created.
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
# If you have a virtual "All messages" mailbox:
mailbox virtual/All {
special_use = \All
comment = Todos los mensajes
}
# If you have a virtual "Flagged" mailbox:
mailbox virtual/Flagged {
special_use = \Flagged
comment = Mensajes marcados
}
}

75
templates/20-imap.conf.j2 Normal file
View File

@ -0,0 +1,75 @@
##
## IMAP specific settings
##
# If nothing happens for this long while client is IDLEing, move the connection
# to imap-hibernate process and close the old imap process. This saves memory,
# because connections use very little memory in imap-hibernate process. The
# downside is that recreating the imap process back uses some resources.
#imap_hibernate_timeout = 0
# Maximum IMAP command line length. Some clients generate very long command
# lines with huge mailboxes, so you may need to raise this if you get
# "Too long argument" or "IMAP command line too large" errors often.
#imap_max_line_length = 64k
# IMAP logout format string:
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
# %{fetch_hdr_count} - Number of mails with mail header data sent to client
# %{fetch_hdr_bytes} - Number of bytes with mail header data sent to client
# %{fetch_body_count} - Number of mails with mail body data sent to client
# %{fetch_body_bytes} - Number of bytes with mail body data sent to client
# %{deleted} - Number of mails where client added \Deleted flag
# %{expunged} - Number of mails that client expunged
# %{trashed} - Number of mails that client copied/moved to the
# special_use=\Trash mailbox.
#imap_logout_format = in=%i out=%o
# Override the IMAP CAPABILITY response. If the value begins with '+',
# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
#imap_capability =
# How long to wait between "OK Still here" notifications when client is
# IDLEing.
#imap_idle_notify_interval = 2 mins
# ID field names and values to send to clients. Using * as the value makes
# Dovecot use the default value. The following fields have default values
# currently: name, version, os, os-version, support-url, support-email.
#imap_id_send =
# ID fields sent by client to log. * means everything.
#imap_id_log =
# Workarounds for various client bugs:
# delay-newmail:
# Send EXISTS/RECENT new mail notifications only when replying to NOOP
# and CHECK commands. Some clients ignore them otherwise, for example OSX
# Mail (<v2.1). Outlook Express breaks more badly though, without this it
# may show user "Message no longer in server" errors. Note that OE6 still
# breaks even with this workaround if synchronization is set to
# "Headers Only".
# tb-extra-mailbox-sep:
# Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
# adds extra '/' suffixes to mailbox names. This option causes Dovecot to
# ignore the extra '/' instead of treating it as invalid mailbox name.
# tb-lsub-flags:
# Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
# This makes Thunderbird realize they aren't selectable and show them
# greyed out, instead of only later giving "not selectable" popup error.
#
# The list is space-separated.
#imap_client_workarounds =
# Host allowed in URLAUTH URLs sent by client. "*" allows all.
#imap_urlauth_host =
protocol imap {
# Space separated list of plugins to load (default is global mail_plugins).
mail_plugins = $mail_plugins {{ 'antispam' if dovecot_antispam_enable else '' }}
# Maximum number of IMAP connections allowed for a user from each IP address.
# NOTE: The username is compared case-sensitively.
#mail_max_userip_connections = 10
}

28
templates/20-lmtp.conf.j2 Normal file
View File

@ -0,0 +1,28 @@
##
## LMTP specific settings
##
# Support proxying to other LMTP/SMTP servers by performing passdb lookups.
#lmtp_proxy = no
# When recipient address includes the detail (e.g. user+detail), try to save
# the mail to the detail mailbox. See also recipient_delimiter and
# lda_mailbox_autocreate settings.
#lmtp_save_to_detail_mailbox = no
# Verify quota before replying to RCPT TO. This adds a small overhead.
#lmtp_rcpt_check_quota = no
# Which recipient address to use for Delivered-To: header and Received:
# header. The default is "final", which is the same as the one given to
# RCPT TO command. "original" uses the address given in RCPT TO's ORCPT
# parameter, "none" uses nothing. Note that "none" is currently always used
# when a mail has multiple recipients.
#lmtp_hdr_delivery_address = final
protocol lmtp {
# postmaster_address aparentemente es obligatorio
postmaster_address = postmaster@{{ mail_domains | first }}
# Space separated list of plugins to load (default is global mail_plugins).
mail_plugins = $mail_plugins {{ 'sieve' if dovecot_sieve_enable else '' }}
}

185
templates/90-antispam.conf.j2 Normal file
View File

@ -0,0 +1,185 @@
plugin {
##################
# GENERIC OPTIONS
# Debugging options
# Uncomment to get the desired debugging behaviour.
# Note that in some cases stderr debugging will not be as
# verbose as syslog debugging due to internal limitations.
#
# antispam_debug_target = syslog
# antispam_debug_target = stderr
# antispam_verbose_debug = 1
{%- if dovecot_antispam_debug_enable %}
antispam_debug_target = {{ dovecot_antispam_debug_target }}
antispam_verbose_debug = {{ dovecot_antispam_debug_verbosity }}
{%- endif %}
# backend selection, MUST be configured first,
# there's no default so you need to set one of
# these options:
# antispam_backend = crm114
# antispam_backend = dspam
# antispam_backend = pipe
# antispam_backend = spool2dir
antispam_backend = {{ dovecot_antispam_backend }}
# mail signature (used with any backend requiring a signature)
antispam_signature = {{ dovecot_antispam_signature }}
# action to take on mails without signature
# (used with any backend requiring a signature)
# (we recommend only setting this to 'move' after verifying that the
# whole setup is working)
# antispam_signature_missing = move # move silently without training
antispam_signature_missing = {{ dovecot_antispam_signature_missing }}
# The list of folders for trash, spam and unsure can be given
# with three options, e.g. "trash" matches the given folders
# exactly as written, "trash_pattern" accept the * wildcard at
# the end of the foldername, "trash_pattern_ignorecase"
# accepts the * wildcard at the end of the foldername _and_
# matches the name case insensitivly.
# the *-wildcard with the following meaning:
# * at the end: any folder that _start_ with the string
# e.g.:
# antispam_trash_pattern = deleted *;Gel&APY-schte *
# match any folders that start with "deleted " or "Gelöschte "
# match is _case_senstive_!
#
# antispam_trash_pattern_ignorecase = deleted *;Gel&APY-schte *
# match any folders that start with "deleted " or "gelöschte "
# match is _case_insenstive_, except the non-USASCII letters,
# "ö" in this example.
# To match the upper-case Ö, too, you need to add yet another
# pattern "gel&ANY-schte *", note the different UTF7 encoding:
# &ANY- instead of &APY-.
# semicolon-separated list of Trash folders (default unset i.e. none)
# antispam_trash =
# antispam_trash = trash;Trash;Deleted Items; Deleted Messages
# antispam_trash_pattern = trash;Trash;Deleted *
# antispam_trash_pattern_ignorecase =trash;deleted *
antispam_trash = {{ dovecot_antispam_trash }}
# semicolon-separated list of spam folders
# antispam_spam = SPAM
# antispam_spam_pattern = SPAM
# antispam_spam_pattern_ignorecase = junk*;spam*
antispam_spam = {{ dovecot_antispam_spam }}
# semicolon-separated list of unsure folders (default unset i.e. none)
# antispam_unsure =
# antispam_unsure_pattern =
# antispam_unsure_pattern_ignorecase =
# Whether to allow APPENDing to SPAM folders or not. Must be set to
# "yes" (case insensitive) to be activated. Before activating, please
# read the discussion below.
# antispam_allow_append_to_spam = no
###########################
# BACKEND SPECIFIC OPTIONS
#
#===================
# dspam plugin
# dspam binary
# antispam_dspam_binary = /usr/bin/dspam
# semicolon-separated list of extra arguments to dspam
# (default unset i.e. none)
# antispam_dspam_args =
# antispam_dspam_args = --deliver=;--user;%u # % expansion done by dovecot
# antispam_dspam_args = --mode=teft
# Ignore mails where the DSPAM result header contains any of the
# strings listed in the blacklist
# (default unset i.e. none)
# antispam_dspam_result_header = X-DSPAM-Result
# semicolon-separated list of blacklisted results, case insensitive
# antispam_dspam_result_blacklist = Virus
# semicolon-separated list of environment variables to set
# (default unset i.e. none)
# antispam_dspam_env =
# antispam_dspam_env = HOME=%h;USER=%u
#=====================
# pipe plugin
#
# This plug can be used to train via an arbitrary program that
# receives the message on standard input. Since sendmail can be
# such a program, it can be used to send the message to another
# email address for training there.
#
# For example:
# antispam_pipe_program = /path/to/mailtrain
# (defaults to /usr/sbin/sendmail)
# antispam_pipe_program_args = --for;%u
# antispam_pipe_program_spam_arg = --spam
# antispam_pipe_program_notspam_arg = --ham
# antispam_pipe_tmpdir = /tmp
# will call it, for example, like this:
# /path/to/mailtrain --for jberg --spam
#
# The old configuration options from when this plugin was called
# "mailtrain" are still valid, these are, in the same order as
# above: antispam_mail_sendmail, antispam_mail_sendmail_args,
# antispam_mail_spam, antispam_mail_notspam and antispam_mail_tmpdir.
#
# Alternatively, if you need to give multiple options, you can use
# the spam_args/notspam_args parameters (which are used in preference
# of the singular form):
# antispam_pipe_program_spam_args = --spam;--my-other-param1
# antispam_pipe_program_notspam_args = --ham;--my-other-param2
# which will then call
# /path/to/mailtrain --for jberg --spam --my-other-param1
# temporary directory
antispam_pipe_tmpdir = {{ dovecot_antispam_pipe_tmpdir }}
# spam/not-spam argument (default unset which will is not what you want)
antispam_pipe_program_spam_arg = {{ dovecot_antispam_pipe_program_spam_arg }}
antispam_pipe_program_notspam_arg = {{ dovecot_antispam_pipe_program_notspam_arg }}
# binary to pipe mail to
antispam_pipe_program = {{ dovecot_antispam_pipe_program }}
#antispam_pipe_program_args = -f;%u@example.com # % expansion done by dovecot
antispam_pipe_program_args = {{ dovecot_antispam_pipe_program_args }}
#===================
# crm114 plugin
# mailreaver binary
# antispam_crm_binary = /bin/false
# antispam_crm_binary = /usr/share/crm114/mailreaver.crm
# semicolon-separated list of extra arguments to crm114
# (default unset i.e. none)
# antispam_crm_args =
# antispam_crm_args = --config=/path/to/config
# semicolon-separated list of environment variables to set
# (default unset i.e. none)
# antispam_crm_env =
# antispam_crm_env = HOME=%h;USER=%u
# NOTE: you need to set the signature for this backend
# antispam_signature = X-CRM114-CacheID
#===================
# spool2dir plugin
# spam/not-spam spool2dir drop (default unset which will give errors)
# The first %%lu is replaced by the current time.
# The second %%lu is replaced by a counter to generate unique names.
# These two tokens MUST be present in the template! However
# you can insert any C-style modifier as shown.
# antispam_spool2dir_spam = /tmp/spamspool/%%020lu-%u-%%05lus
# antispam_spool2dir_notspam = /tmp/spamspool/%%020lu-%u-%%05luh
}

91
templates/90-quota.conf.j2 Normal file
View File

@ -0,0 +1,91 @@
#jinja2: lstrip_blocks: True
##
## Quota configuration.
##
# Note that you also have to enable quota plugin in mail_plugins setting.
# <doc/wiki/Quota.txt>
##
## Quota limits
##
# Quota limits are set using "quota_rule" parameters. To get per-user quota
# limits, you can set/override them by returning "quota_rule" extra field
# from userdb. It's also possible to give mailbox-specific limits, for example
# to give additional 100 MB when saving to Trash:
plugin {
#quota_rule = *:storage=1G
#quota_rule2 = Trash:storage=+100M
quota_rule = *:storage={{ dovecot_quota_limit }}
{% for key, value in dovecot_quota_additional_limit.items() %}
quota_rule{{ loop.index + 1 }} = {{ key }}:storage=+{{ value }}
{% endfor %}
# LDA/LMTP allows saving the last mail to bring user from under quota to
# over quota, if the quota doesn't grow too high. Default is to allow as
# long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
#quota_grace = 10%%
quota_grace = {{ dovecot_quota_grace | regex_replace("%.*$","%%") }}
{% if dovecot_quota_driver == "count" %}
quota_vsizes = yes
{% endif %}
}
##
## Quota warnings
##
# You can execute a given command when user exceeds a specified quota limit.
# Each quota root has separate limits. Only the command for the first
# exceeded limit is excecuted, so put the highest limit first.
# The commands are executed via script service by connecting to the named
# UNIX socket (quota-warning below).
# Note that % needs to be escaped as %%, otherwise "% " expands to empty.
plugin {
#quota_warning = storage=95%% quota-warning 95 %u
#quota_warning2 = storage=80%% quota-warning 80 %u
}
# Example quota-warning service. The unix listener's permissions should be
# set in a way that mail processes can connect to it. Below example assumes
# that mail processes run as vmail user. If you use mode=0666, all system users
# can generate quota warnings to anyone.
#service quota-warning {
# executable = script /usr/local/bin/quota-warning.sh
# user = dovecot
# unix_listener quota-warning {
# user = vmail
# }
#}
##
## Quota backends
##
# Multiple backends are supported:
# dirsize: Find and sum all the files found from mail directory.
# Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
# dict: Keep quota stored in dictionary (eg. SQL)
# maildir: Maildir++ quota
# fs: Read-only support for filesystem quota
plugin {
quota = {{ dovecot_quota_driver }}:User quota
#quota = dirsize:User quota
#quota = maildir:User quota
#quota = dict:User quota::proxy::quota
#quota = fs:User quota
}
# Multiple quota roots are also possible, for example this gives each user
# their own 100MB quota and one shared 1GB quota within the domain:
plugin {
#quota = dict:user::proxy::quota
#quota2 = dict:domain:%d:proxy::quota_domain
#quota_rule = *:storage=102400
#quota2_rule = *:storage=1048576
}

214
templates/90-sieve.conf.j2 Normal file
View File

@ -0,0 +1,214 @@
##
## Settings for the Sieve interpreter
##
# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
# by adding it to the respective mail_plugins= settings.
# The Sieve interpreter can retrieve Sieve scripts from several types of
# locations. The default `file' location type is a local filesystem path
# pointing to a Sieve script file or a directory containing multiple Sieve
# script files. More complex setups can use other location types such as
# `ldap' or `dict' to fetch Sieve scripts from remote databases.
#
# All settings that specify the location of one ore more Sieve scripts accept
# the following syntax:
#
# location = [<type>:]path[;<option>[=<value>][;...]]
#
# If the type prefix is omitted, the script location type is 'file' and the
# location is interpreted as a local filesystem path pointing to a Sieve script
# file or directory. Refer to Pigeonhole wiki or INSTALL file for more
# information.
plugin {
# The location of the user's main Sieve script or script storage. The LDA
# Sieve plugin uses this to find the active script for Sieve filtering at
# delivery. The "include" extension uses this location for retrieving
# :personal" scripts. This is also where the ManageSieve service will store
# the user's scripts, if supported.
#
# Currently only the 'file:' location type supports ManageSieve operation.
# Other location types like 'dict:' and 'ldap:' can currently only
# be used as a read-only script source ().
#
# For the 'file:' type: use the ';active=' parameter to specify where the
# active script symlink is located.
# For other types: use the ';name=' parameter to specify the name of the
# default/active script.
sieve = file:~/sieve;active=~/.dovecot.sieve
# The default Sieve script when the user has none. This is the location of a
# global sieve script file, which gets executed ONLY if user's personal Sieve
# script doesn't exist. Be sure to pre-compile this script manually using the
# sievec command line tool if the binary is not stored in a global location.
# --> See sieve_before for executing scripts before the user's personal
# script.
#sieve_default = /var/lib/dovecot/sieve/default.sieve
# The name by which the default Sieve script (as configured by the
# sieve_default setting) is visible to the user through ManageSieve.
#sieve_default_name =
# Location for ":global" include scripts as used by the "include" extension.
#sieve_global =
# The location of a Sieve script that is run for any message that is about to
# be discarded; i.e., it is not delivered anywhere by the normal Sieve
# execution. This only happens when the "implicit keep" is canceled, by e.g.
# the "discard" action, and no actions that deliver the message are executed.
# This "discard script" can prevent discarding the message, by executing
# alternative actions. If the discard script does nothing, the message is
# still discarded as it would be when no discard script is configured.
#sieve_discard =
# Location Sieve of scripts that need to be executed before the user's
# personal script. If a 'file' location path points to a directory, all the
# Sieve scripts contained therein (with the proper `.sieve' extension) are
# executed. The order of execution within that directory is determined by the
# file names, using a normal 8bit per-character comparison.
#
# Multiple script locations can be specified by appending an increasing number
# to the setting name. The Sieve scripts found from these locations are added
# to the script execution sequence in the specified order. Reading the
# numbered sieve_before settings stops at the first missing setting, so no
# numbers may be skipped.
sieve_before = {{ dovecot_sieve_before }}
#sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
#sieve_before3 = (etc...)
# Identical to sieve_before, only the specified scripts are executed after the
# user's script (only when keep is still in effect!). Multiple script
# locations can be specified by appending an increasing number.
sieve_after = {{ dovecot_sieve_after }}
#sieve_after2 =
#sieve_after2 = (etc...)
# Which Sieve language extensions are available to users. By default, all
# supported extensions are available, except for deprecated extensions or
# those that are still under development. Some system administrators may want
# to disable certain Sieve extensions or enable those that are not available
# by default. This setting can use '+' and '-' to specify differences relative
# to the default. For example `sieve_extensions = +imapflags' will enable the
# deprecated imapflags extension in addition to all extensions were already
# enabled by default.
#sieve_extensions = +notify +imapflags
# Which Sieve language extensions are ONLY available in global scripts. This
# can be used to restrict the use of certain Sieve extensions to administrator
# control, for instance when these extensions can cause security concerns.
# This setting has higher precedence than the `sieve_extensions' setting
# (above), meaning that the extensions enabled with this setting are never
# available to the user's personal script no matter what is specified for the
# `sieve_extensions' setting. The syntax of this setting is similar to the
# `sieve_extensions' setting, with the difference that extensions are
# enabled or disabled for exclusive use in global scripts. Currently, no
# extensions are marked as such by default.
#sieve_global_extensions =
# The Pigeonhole Sieve interpreter can have plugins of its own. Using this
# setting, the used plugins can be specified. Check the Dovecot wiki
# (wiki2.dovecot.org) or the pigeonhole website
# (http://pigeonhole.dovecot.org) for available plugins.
# The sieve_extprograms plugin is included in this release.
#sieve_plugins =
# The separator that is expected between the :user and :detail
# address parts introduced by the subaddress extension. This may
# also be a sequence of characters (e.g. '--'). The current
# implementation looks for the separator from the left of the
# localpart and uses the first one encountered. The :user part is
# left of the separator and the :detail part is right. This setting
# is also used by Dovecot's LMTP service.
#recipient_delimiter = +
# The maximum size of a Sieve script. The compiler will refuse to compile any
# script larger than this limit. If set to 0, no limit on the script size is
# enforced.
#sieve_max_script_size = 1M
# The maximum number of actions that can be performed during a single script
# execution. If set to 0, no limit on the total number of actions is enforced.
#sieve_max_actions = 32
# The maximum number of redirect actions that can be performed during a single
# script execution. If set to 0, no redirect actions are allowed.
#sieve_max_redirects = 4
# The maximum number of personal Sieve scripts a single user can have. If set
# to 0, no limit on the number of scripts is enforced.
# (Currently only relevant for ManageSieve)
#sieve_quota_max_scripts = 0
# The maximum amount of disk storage a single user's scripts may occupy. If
# set to 0, no limit on the used amount of disk storage is enforced.
# (Currently only relevant for ManageSieve)
#sieve_quota_max_storage = 0
# The primary e-mail address for the user. This is used as a default when no
# other appropriate address is available for sending messages. If this setting
# is not configured, either the postmaster or null "<>" address is used as a
# sender, depending on the action involved. This setting is important when
# there is no message envelope to extract addresses from, such as when the
# script is executed in IMAP.
#sieve_user_email =
# The path to the file where the user log is written. If not configured, a
# default location is used. If the main user's personal Sieve (as configured
# with sieve=) is a file, the logfile is set to <filename>.log by default. If
# it is not a file, the default user log file is ~/.dovecot.sieve.log.
#sieve_user_log =
# Specifies what envelope sender address is used for redirected messages.
# The following values are supported for this setting:
#
# "sender" - The sender address is used (default).
# "recipient" - The final recipient address is used.
# "orig_recipient" - The original recipient is used.
# "user_email" - The user's primary address is used. This is
# configured with the "sieve_user_email" setting. If
# that setting is unconfigured, "user_mail" is equal to
# "recipient".
# "postmaster" - The postmaster_address configured for the LDA.
# "<user@domain>" - Redirected messages are always sent from user@domain.
# The angle brackets are mandatory. The null "<>" address
# is also supported.
#
# This setting is ignored when the envelope sender is "<>". In that case the
# sender of the redirected message is also always "<>".
#sieve_redirect_envelope_from = sender
## TRACE DEBUGGING
# Trace debugging provides detailed insight in the operations performed by
# the Sieve script. These settings apply to both the LDA Sieve plugin and the
# IMAPSIEVE plugin.
#
# WARNING: On a busy server, this functionality can quickly fill up the trace
# directory with a lot of trace files. Enable this only temporarily and as
# selective as possible.
# The directory where trace files are written. Trace debugging is disabled if
# this setting is not configured or if the directory does not exist. If the
# path is relative or it starts with "~/" it is interpreted relative to the
# current user's home directory.
#sieve_trace_dir =
# The verbosity level of the trace messages. Trace debugging is disabled if
# this setting is not configured. Possible values are:
#
# "actions" - Only print executed action commands, like keep,
# fileinto, reject and redirect.
# "commands" - Print any executed command, excluding test commands.
# "tests" - Print all executed commands and performed tests.
# "matching" - Print all executed commands, performed tests and the
# values matched in those tests.
#sieve_trace_level =
# Enables highly verbose debugging messages that are usually only useful for
# developers.
#sieve_trace_debug = no
# Enables showing byte code addresses in the trace output, rather than only
# the source line numbers.
#sieve_trace_addresses = no
}

37
templates/auth-ldap.conf.ext.j2 Normal file
View File

@ -0,0 +1,37 @@
# Authentication for LDAP users. Included from 10-auth.conf.
#
# <doc/wiki/AuthDatabase.LDAP.txt>
# Usar LDAP para validar claves
passdb {
driver = ldap
# Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
args = /etc/dovecot/dovecot-ldap.conf.ext
}
# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
# <doc/wiki/UserDatabase.Prefetch.txt>
userdb {
driver = prefetch
}
# Usar LDAP para obtener info de usuario
# Notar que se usa un enlace al archivo dovecot-ldap.conf.ext,
# esto es para poder hacer conexiones asíncronas y optimizar performance
userdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap2.conf.ext
# Default fields can be used to specify defaults that LDAP may override
#default_fields = home=/home/virtual/%u
}
# If you don't have any user-specific settings, you can avoid the userdb LDAP
# lookup by using userdb static instead of userdb ldap, for example:
# <doc/wiki/UserDatabase.Static.txt>
#userdb {
# driver = static
# args = uid=vmail gid=vmail home=/srv/vmail/%d/%n
#}

16
templates/auth-master.conf.ext.j2 Normal file
View File

@ -0,0 +1,16 @@
# Authentication for master users. Included from 10-auth.conf.
# By adding master=yes setting inside a passdb you make the passdb a list
# of "master users", who can log in as anyone else.
# <doc/wiki/Authentication.MasterUsers.txt>
# Example master user passdb using passwd-file. You can use any passdb though.
passdb {
driver = passwd-file
master = yes
args = /etc/dovecot/master-users
# Unless you're using PAM, you probably still want the destination user to
# be looked up from passdb that it really exists. pass=yes does that.
pass = yes
}

75
templates/dovecot-ldap.conf.ext.j2 Normal file
View File

@ -0,0 +1,75 @@
# This file is commonly accessed via passdb {} or userdb {} section in
# conf.d/auth-ldap.conf.ext
# This file is opened as root, so it should be owned by root and mode 0600.
# http://wiki2.dovecot.org/AuthDatabase/LDAP
# Space separated list of LDAP hosts to use. host:port is allowed too.
hosts = {{ dovecot_ldap_servers | join(" ") }}
# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
auth_bind = yes
# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). Note that you can't
# use any pass_attrs if you use this setting.
# auth_bind_userdn =
# LDAP protocol version to use. Likely 2 or 3.
ldap_version = {{ dovecot_ldap_version }}
# LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org
base = {{ dovecot_ldap_base }}
# Search scope: base, onelevel, subtree
scope = {{ dovecot_ldap_scope }}
# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
# uid - System UID
# gid - System GID
# home - Home directory
# mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_attrs = {{ dovecot_ldap_user_attrs }}
# Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list):
# %u - username
# %n - user part in user@domain, same as %u if there's no domain
# %d - domain part in user@domain, empty if user there's no domain
user_filter = {{ dovecot_ldap_user_filter }}
# Password checking attributes:
# user: Virtual user name (user@domain), if you wish to change the
# user-given username to something else
# password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
# pass_attrs = uid=user,userPassword=password
# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
# string. For example:
pass_attrs = {{ dovecot_ldap_pass_attrs }}
# Filter for password lookups
pass_filter = {{ dovecot_ldap_pass_filter }}
# Attributes and filter to get a list of all users
iterate_attrs = {{ dovecot_ldap_iterate_attrs }}
iterate_filter = {{ dovecot_ldap_iterate_filter }}
# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
default_pass_scheme = {{ dovecot_ldap_default_pass_scheme }}

9
templates/junk-filter.sieve.j2 Normal file
View File

@ -0,0 +1,9 @@
require ["regex","fileinto", "mailbox"];
# rule:[SPAM]
if anyof(
header :contains "X-Spam-Flag" "YES",
header :contains "X-Bogosity" "Spam" )
{
fileinto :create "{{ dovecot_mailbox_junk }}";
stop;
}