2019-09-11 02:17:10 +00:00 · 2019-09-11 02:20:08 +00:00
29 changed files with 312 additions and 460 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -15,7 +15,7 @@ dovecot_volume_mail: dovecot_mail
 dovecot_volume_ssl: dovecot_ssl
 # nombre red docker (definido por rol docker)
-docker_network_name: dockernet
+docker_network: dockernet
 # Auth
@ -25,9 +25,6 @@ dovecot_auth_mechanisms: plain
 # como transformar el nombre de usuario antes de autenticar
 dovecot_auth_username_format: "%Lu"
 # habilitar userdb/passdb de usuarios del sistema?
 dovecot_auth_system_enable: no
 # habilitar usuarios master?
 dovecot_auth_master_enable: no
@ -36,10 +33,16 @@ dovecot_auth_master_enable: no
 # habilitar userdb/passdb ldap?
 dovecot_ldap_enable: yes
 # servidores ldap
 dovecot_ldap_hosts: []
 # servidores ldap
 dovecot_ldap_uris:
  - "{{ ldap_uri | default('ldap://localhost') }}"
 # autenticar con clave provista por usuario
 dovecot_ldap_bind: yes
 # version del protocolo LDAP
 dovecot_ldap_version: 3
@ -97,3 +100,16 @@ dovecot_quota_additional_limit:
 # gracia (en porcentaje o M)
 dovecot_quota_grace: 10%
 # submission
 dovecot_submission_enable: yes
 dovecot_submission_hostname: "{{ dovecot_container }}.{{ docker_network }}"
 dovecot_submission_relay_host: postfix
 dovecot_submission_relay_port: 25
 dovecot_submission_relay_trusted: yes
 # FIXME: add ssl/tls support
 dovecot_submission_relay_ssl: "no"
 dovecot_submission_relay_ssl_verify: no
 # antispam
 dovecot_antispam_enable: yes
--- a/files/10-mail.conf
+++ b/files/10-mail.conf
@ -2,12 +2,13 @@
 ## Mailbox locations and namespaces
 ##
 mail_location = mdbox:~/dbox
 mail_attribute_dict = file:~/dovecot-attributes
 namespace inbox {
  # Namespace type: private, shared or public
  #type = private
  separator = /
-  #prefix = 
+  #prefix =
  #location =
  # There can be only one INBOX, and this setting defines which namespace
@ -51,7 +52,7 @@ mail_gid = vmail
 # A comment or note that is associated with the server. This value is
 # accessible for authenticated users through the IMAP METADATA server
-# entry "/shared/comment". 
+# entry "/shared/comment".
 #mail_server_comment = ""
 # Indicates a method for contacting the server administrator. According to
@ -59,7 +60,7 @@ mail_gid = vmail
 # is currently not enforced. Use for example mailto:admin@example.com. This
 # value is accessible for authenticated users through the IMAP METADATA server
 # entry "/shared/admin".
-#mail_server_admin = 
+#mail_server_admin =
 ##
 ## Mail processes
@ -112,7 +113,7 @@ mail_gid = vmail
 # WARNING: Never add directories here which local users can modify, that
 # may lead to root exploit. Usually this should be done only if you don't
 # allow shell access for users. <doc/wiki/Chrooting.txt>
-#valid_chroot_dirs = 
+#valid_chroot_dirs =
 # Default chroot directory for mail processes. This can be overridden for
 # specific users in user database by giving /./ in user's home directory
@ -120,7 +121,7 @@ mail_gid = vmail
 # need to do chrooting, Dovecot doesn't allow users to access files outside
 # their mail directory anyway. If your home directories are prefixed with
 # the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
-#mail_chroot = 
+#mail_chroot =
 # UNIX socket path to master authentication server to find users.
 # This is used by imap (for shared users) and lda.
@ -237,7 +238,7 @@ mailbox_list_index = yes
 # fallbacks to re-reading the whole mbox file whenever something in mbox isn't
 # how it's expected to be. The only real downside to this setting is that if
 # some other MUA changes message flags, Dovecot doesn't notice it immediately.
-# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK 
+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
 # commands.
 #mbox_dirty_syncs = yes
--- a/files/10-master.conf
+++ b/files/10-master.conf
@ -88,8 +88,8 @@ service auth {
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    #mode = 0666
-    #user = 
+    #user =
-    #group = 
+    #group =
  }
  inet_listener {
@ -112,7 +112,7 @@ service dict {
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
-    #user = 
+    #user =
-    #group = 
+    #group =
  }
 }
--- a/files/10-ssl.conf
+++ b/files/10-ssl.conf
@ -21,7 +21,7 @@ ssl_key = </ssl/key.pem
 # PEM encoded trusted certificate authority. Set this only if you intend to use
 # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
 # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
-#ssl_ca = 
+#ssl_ca =
 # Require that CRL check succeeds for client certificates.
 #ssl_require_crl = yes
--- a/files/11-quota.conf
+++ b/files/11-quota.conf
@ -1,2 +0,0 @@
 # Enable quota plugin
 mail_plugins = $mail_plugins quota
--- a/files/15-mailboxes.conf
+++ b/files/15-mailboxes.conf
@ -11,11 +11,11 @@
 #   implicitly when it is first accessed. The user can also be automatically
 #   subscribed to the mailbox after creation. The following values are
 #   defined for this setting:
-# 
+#
 #     no        - Never created automatically.
 #     create    - Automatically created, but no automatic subscription.
 #     subscribe - Automatically created and subscribed.
-#  
+#
 # special_use:
 #   A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
 #   mailbox. There are no validity checks, so you could specify anything
@ -23,7 +23,7 @@
 #   standard ones specified in the RFC:
 #
 #     \All      - This (virtual) mailbox presents all messages in the
-#                 user's message store. 
+#                 user's message store.
 #     \Archive  - This mailbox is used to archive messages.
 #     \Drafts   - This mailbox is used to hold draft messages.
 #     \Flagged  - This (virtual) mailbox presents all messages in the
--- a/files/20-imap.conf
+++ b/files/20-imap.conf
@ -37,7 +37,7 @@ imap_capability = +SPECIAL_USE
 # ID field names and values to send to clients. Using * as the value makes
 # Dovecot use the default value. The following fields have default values
 # currently: name, version, os, os-version, support-url, support-email.
-#imap_id_send = 
+#imap_id_send =
 # ID fields sent by client to log. * means everything.
 #imap_id_log =
@ -60,7 +60,7 @@ imap_capability = +SPECIAL_USE
 #     greyed out, instead of only later giving "not selectable" popup error.
 #
 # The list is space-separated.
-#imap_client_workarounds = 
+#imap_client_workarounds =
 # Host allowed in URLAUTH URLs sent by client. "*" allows all.
 #imap_urlauth_host =
--- a/files/90-sieve.conf
+++ b/files/90-sieve.conf
@ -16,7 +16,7 @@
 #
 # location = [<type>:]path[;<option>[=<value>][;...]]
 #
-# If the type prefix is omitted, the script location type is 'file' and the 
+# If the type prefix is omitted, the script location type is 'file' and the
 # location is interpreted as a local filesystem path pointing to a Sieve script
 # file or directory. Refer to Pigeonhole wiki or INSTALL file for more
 # information.
@ -27,7 +27,7 @@ plugin {
  # delivery. The "include" extension uses this location for retrieving
  # :personal" scripts. This is also where the  ManageSieve service will store
  # the user's scripts, if supported.
-  # 
+  #
  # Currently only the 'file:' location type supports ManageSieve operation.
  # Other location types like 'dict:' and 'ldap:' can currently only
  # be used as a read-only script source ().
@ -46,9 +46,9 @@ plugin {
  #     script.
  #sieve_default = /var/lib/dovecot/sieve/default.sieve
-  # The name by which the default Sieve script (as configured by the 
+  # The name by which the default Sieve script (as configured by the
-  # sieve_default setting) is visible to the user through ManageSieve. 
+  # sieve_default setting) is visible to the user through ManageSieve.
-  #sieve_default_name = 
+  #sieve_default_name =
  # Location for ":global" include scripts as used by the "include" extension.
  #sieve_global =
@ -63,7 +63,7 @@ plugin {
  #sieve_discard =
  # Location Sieve of scripts that need to be executed before the user's
-  # personal script. If a 'file' location path points to a directory, all the 
+  # personal script. If a 'file' location path points to a directory, all the
  # Sieve scripts contained therein (with the proper `.sieve' extension) are
  # executed. The order of execution within that directory is determined by the
  # file names, using a normal 8bit per-character comparison.
@ -181,18 +181,18 @@ plugin {
  ## TRACE DEBUGGING
  # Trace debugging provides detailed insight in the operations performed by
  # the Sieve script. These settings apply to both the LDA Sieve plugin and the
-  # IMAPSIEVE plugin. 
+  # IMAPSIEVE plugin.
  #
  # WARNING: On a busy server, this functionality can quickly fill up the trace
  # directory with a lot of trace files. Enable this only temporarily and as
  # selective as possible.
-  
+
  # The directory where trace files are written. Trace debugging is disabled if
-  # this setting is not configured or if the directory does not exist. If the 
+  # this setting is not configured or if the directory does not exist. If the
  # path is relative or it starts with "~/" it is interpreted relative to the
  # current user's home directory.
  #sieve_trace_dir =
-  
+
  # The verbosity level of the trace messages. Trace debugging is disabled if
  # this setting is not configured. Possible values are:
  #
@ -203,12 +203,12 @@ plugin {
  #   "matching"       - Print all executed commands, performed tests and the
  #                      values matched in those tests.
  #sieve_trace_level =
-  
+
  # Enables highly verbose debugging messages that are usually only useful for
  # developers.
  #sieve_trace_debug = no
-  
+
  # Enables showing byte code addresses in the trace output, rather than only
  # the source line numbers.
-  #sieve_trace_addresses = no 
+  #sieve_trace_addresses = no
 }
--- a/files/Dockerfile
+++ b/files/Dockerfile
@ -1,43 +1,75 @@
-FROM debian:buster-slim
+FROM eumau/debian:buster-slim
 LABEL maintainer "Mauro Torrez <mauro@mau.ro>"
 ARG DEBIAN_FRONTEND=noninteractive
 ENV LC_ALL C
-RUN apt-get update && apt-get install -y --no-install-recommends \
+ENV \
    MAIL_DOMAINS= \
    AUTH_MECHANISMS=plain \
    AUTH_USERNAME_FORMAT="%Lu" \
    AUTH_MASTER_ENABLE= \
    SUBMISSION_HOSTNAME=dovecot.dockernet \
    SUBMISSION_RELAY_HOST= \
    SUBMISSION_RELAY_PORT=25 \
    SUBMISSION_RELAY_TRUSTED=yes \
    SUBMISSION_RELAY_USER= \
    SUBMISSION_RELAY_MASTER_USER= \
    SUBMISSION_RELAY_PASSWORD= \
    SUBMISSION_RELAY_SSL=starttls \
    SUBMISSION_RELAY_SSL_VERIFY=no \
    SUBMISSION_RELAY_RAWLOG_DIR= \
    LDAP_ENABLE= \
    LDAP_HOSTS="ldap:389" \
    LDAP_URIS= \
    LDAP_BIND=yes \
    LDAP_VERSION=3 \
    LDAP_BASE="dc=example,dc=org" \
    LDAP_SCOPE=sub \
    LDAP_USER_ATTRS="=home=/vmail/mail/%d/%n, =uid=5000, =gid=5000" \
    LDAP_USER_FILTER="(&(objectClass=inetOrgPerson)(uid=%n))" \
    LDAP_PASS_ATTRS="userPassword=password, =userdb_home=/vmail/mail/%d/%n, =userdb_uid=5000, =userdb_gid=5000" \
    LDAP_PASS_FILTER="(&(objectClass=inetOrgPerson)(uid=%n))" \
    LDAP_ITERATE_ATTRS="=user=%{ldap:uid}@%d" \
    LDAP_ITERATE_FILTER="(objectClass=inetOrgPerson)" \
    LDAP_DEFAULT_PASS_SCHEME=CRYPT \
    ANTISPAM_ENABLE=yes \
    IMAP_URLAUTH_HOST="*"
 RUN groupadd -g 5000 vmail && useradd -g vmail -u 5000 vmail -d /vmail \
  && mkdir -p /vmail && chown vmail:vmail /vmail \
  && apt-get update && apt-get install -y --no-install-recommends \
     dovecot-lmtpd \
     dovecot-imapd \
     dovecot-ldap \
     dovecot-sieve \
     dovecot-submissiond \
     dovecot-managesieved \
     dovecot-antispam \
     bogofilter \
     ssl-cert \
  && rm -rf /var/lib/apt/lists/* \
  && groupadd -g 5000 vmail && useradd -g vmail -u 5000 vmail -d /vmail \
  && mkdir -p /vmail && chown vmail:vmail /vmail \
  && mkdir -p /ssl && chmod 700 /ssl \
  && cp /etc/ssl/certs/ssl-cert-snakeoil.pem /ssl/cert.pem \
  && cp /etc/ssl/private/ssl-cert-snakeoil.key /ssl/key.pem \
-  && mkdir -p /etc/dovecot/sieve/before /etc/dovecot/sieve/after
+  && mkdir -p /etc/dovecot/local.d /etc/dovecot/sieve/before /etc/dovecot/sieve/after \
  && printf '!include_try local.d/*.conf\nlog_path = /dev/stdout\n' > /etc/dovecot/local.conf
 ADD 10-mail.conf \
  10-master.conf \
  10-ssl.conf \
  11-quota.conf \
  15-mailboxes.conf \
  20-imap.conf \
  90-antispam.conf \
  90-sieve.conf \
  auth-ldap.conf.ext \
  auth-master.conf.ext \
  /etc/dovecot/conf.d/
 ADD local.conf /etc/dovecot/
 ADD junk-filter.sieve /etc/dovecot/sieve/before/
-RUN sievec /etc/dovecot/sieve/before && sievec /etc/dovecot/sieve/after
+
 ADD confd /etc/confd/
 RUN sievec /etc/dovecot/sieve/before
 VOLUME /etc/dovecot /ssl /vmail
-EXPOSE 143/tcp 993/tcp 110/tcp 995/tcp 2000/tcp
+EXPOSE 110/tcp 143/tcp 587/tcp 993/tcp 995/tcp 2000/tcp
-CMD dovecot -F
+CMD ["dovecot","-F"]
--- a/files/auth-ldap.conf.ext
+++ b/files/auth-ldap.conf.ext
@ -1,37 +0,0 @@
 # Authentication for LDAP users. Included from 10-auth.conf.
 #
 # <doc/wiki/AuthDatabase.LDAP.txt>
 # Usar LDAP para validar claves
 passdb {
  driver = ldap
  # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
  args = /etc/dovecot/dovecot-ldap.conf.ext
 }
 # "prefetch" user database means that the passdb already provided the
 # needed information and there's no need to do a separate userdb lookup.
 # <doc/wiki/UserDatabase.Prefetch.txt>
 userdb {
  driver = prefetch
 }
 # Usar LDAP para obtener info de usuario
 # Notar que se usa un enlace al archivo dovecot-ldap.conf.ext,
 # esto es para poder hacer conexiones asíncronas y optimizar performance
 userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap2.conf.ext
  # Default fields can be used to specify defaults that LDAP may override
  #default_fields = home=/home/virtual/%u
 }
 # If you don't have any user-specific settings, you can avoid the userdb LDAP
 # lookup by using userdb static instead of userdb ldap, for example:
 # <doc/wiki/UserDatabase.Static.txt>
 #userdb {
 #  driver = static
 #  args = uid=vmail gid=vmail home=/srv/vmail/%d/%n
 #}
--- a/files/auth-master.conf.ext
+++ b/files/auth-master.conf.ext
@ -1,16 +0,0 @@
 # Authentication for master users. Included from 10-auth.conf.
 # By adding master=yes setting inside a passdb you make the passdb a list
 # of "master users", who can log in as anyone else.
 # <doc/wiki/Authentication.MasterUsers.txt>
 # Example master user passdb using passwd-file. You can use any passdb though.
 passdb {
  driver = passwd-file
  master = yes
  args = /etc/dovecot/master-users
  # Unless you're using PAM, you probably still want the destination user to
  # be looked up from passdb that it really exists. pass=yes does that.
  pass = yes
 }
--- a/files/confd/conf.d/auth.toml
+++ b/files/confd/conf.d/auth.toml
@ -0,0 +1,10 @@
 [template]
 src = "10-auth.conf.tmpl"
 dest = "/etc/dovecot/local.d/10-auth.conf"
 keys = [
    "/mail/domains",
    "/auth/username/format",
    "/auth/mechanisms",
    "/auth/master/enable",
    "/ldap/enable"
 ]
--- a/files/confd/conf.d/imap.toml
+++ b/files/confd/conf.d/imap.toml
@ -0,0 +1,7 @@
 [template]
 src = "20-imap.conf.tmpl"
 dest = "/etc/dovecot/local.d/20-imap.conf"
 keys = [
    "/antispam/enable",
    "/imap/urlauth/host"
 ]
--- a/files/confd/conf.d/ldap.toml
+++ b/files/confd/conf.d/ldap.toml
@ -0,0 +1,18 @@
 [template]
 src = "ldap.conf.ext.tmpl"
 dest = "/etc/dovecot/local.d/ldap.conf.ext"
 keys = [
    "/ldap/hosts",
    "/ldap/uris",
    "/ldap/bind",
    "/ldap/version",
    "/ldap/base",
    "/ldap/scope",
    "/ldap/user/attrs",
    "/ldap/user/filter",
    "/ldap/pass/attrs",
    "/ldap/pass/filter",
    "/ldap/iterate/attrs",
    "/ldap/iterate/filter",
    "/ldap/default/pass/scheme",
 ]
--- a/files/confd/conf.d/ldap2.toml
+++ b/files/confd/conf.d/ldap2.toml
@ -0,0 +1,18 @@
 [template]
 src = "ldap.conf.ext.tmpl"
 dest = "/etc/dovecot/local.d/ldap2.conf.ext"
 keys = [
    "/ldap/hosts",
    "/ldap/uris",
    "/ldap/bind",
    "/ldap/version",
    "/ldap/base",
    "/ldap/scope",
    "/ldap/user/attrs",
    "/ldap/user/filter",
    "/ldap/pass/attrs",
    "/ldap/pass/filter",
    "/ldap/iterate/attrs",
    "/ldap/iterate/filter",
    "/ldap/default/pass/scheme",
 ]
--- a/files/confd/conf.d/lmtp.toml
+++ b/files/confd/conf.d/lmtp.toml
@ -0,0 +1,6 @@
 [template]
 src = "20-lmtp.conf.tmpl"
 dest = "/etc/dovecot/local.d/20-lmtp.conf"
 keys = [
    "/mail/domains"
 ]
--- a/files/confd/conf.d/submission.toml
+++ b/files/confd/conf.d/submission.toml
@ -0,0 +1,15 @@
 [template]
 src = "submission.conf.tmpl"
 dest = "/etc/dovecot/local.d/submission.conf"
 keys = [
    "/submission/hostname",
    "/submission/relay/host",
    "/submission/relay/port",
    "/submission/relay/trusted",
    "/submission/relay/user",
    "/submission/relay/master/user",
    "/submission/relay/password",
    "/submission/relay/ssl",
    "/submission/relay/ssl/verify",
    "/submission/relay/rawlog/dir"
 ]
--- a/files/confd/templates/10-auth.conf.tmpl
+++ b/files/confd/templates/10-auth.conf.tmpl
@ -0,0 +1,32 @@
 auth_realms = {{ getv "/mail/domains" }}
 auth_default_realm = {{ index (split (getv "/mail/domains") " ") 0 }}
 auth_username_format = {{ getv "/auth/username/format" }}
 auth_mechanisms = {{ getv "/auth/mechanisms" }}
 {{ if eq (getv "/auth/master/enable") "yes"}}
 passdb {
  driver = passwd-file
  master = yes
  args = /etc/dovecot/master-users
 # Unless you're using PAM, you probably still want the destination user to
  # be looked up from passdb that it really exists. pass=yes does that.
  pass = yes
 }
 {{ end }}
 {{ if eq (getv "/ldap/enable") "yes"}}
 passdb {
  driver = ldap
  args = /etc/dovecot/local.d/ldap.conf.ext
 }
 userdb {
  driver = prefetch
 }
 userdb {
  driver = ldap
  args = /etc/dovecot/local.d/ldap2.conf.ext
 }
 {{ end }}
--- a/files/confd/templates/20-imap.conf.tmpl
+++ b/files/confd/templates/20-imap.conf.tmpl
@ -0,0 +1,6 @@
 imap_capability = +SPECIAL_USE
 imap_urlauth_host = {{ getv "/imap/urlauth/host" }}
 protocol imap {
  mail_plugins = $mail_plugins {{ if eq (getv "/antispam/enable") "yes" }}antispam{{ end }}
  imap_metadata = yes
 }
--- a/files/confd/templates/20-lmtp.conf.tmpl
+++ b/files/confd/templates/20-lmtp.conf.tmpl
@ -0,0 +1,5 @@
 protocol lmtp {
  # postmaster_address aparentemente es obligatorio
  postmaster_address = postmaster@{{ index (split (getv "/mail/domains") " ") 0 }}
  mail_plugins = $mail_plugins sieve
 }
--- a/files/confd/templates/90-quota.conf.tmpl
+++ b/files/confd/templates/90-quota.conf.tmpl
@ -0,0 +1,27 @@
 plugin {
  #quota_rule = *:storage=1G
  #quota_rule2 = Trash:storage=+100M
  quota_rule = *:storage={{ dovecot_quota_limit }}
  {% for key, value in dovecot_quota_additional_limit.items() %}
  quota_rule{{ loop.index + 1 }} = {{ key }}:storage=+{{ value }}
  {% endfor %}
  # LDA/LMTP allows saving the last mail to bring user from under quota to
  # over quota, if the quota doesn't grow too high. Default is to allow as
  # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
  #quota_grace = 10%%
  quota_grace = {{ dovecot_quota_grace | regex_replace("%.*$","%%") }}
  {% if dovecot_quota_driver == "count" %}
  quota_vsizes = yes
  {% endif %}
 }
 plugin {
  quota = {{ dovecot_quota_driver }}:User quota
  #quota = dirsize:User quota
  #quota = maildir:User quota
  #quota = dict:User quota::proxy::quota
  #quota = fs:User quota
 }
--- a/files/confd/templates/ldap.conf.ext.tmpl
+++ b/files/confd/templates/ldap.conf.ext.tmpl
@ -0,0 +1,16 @@
 {{ if (getv "/ldap/hosts") }}
 hosts = {{ getv "/ldap/hosts" }}
 {{ else }}
 uris = {{ getv "/ldap/uris" }}
 {{ end }}
 auth_bind = {{ getv "/ldap/bind" }}
 ldap_version = {{ getv "/ldap/version" }}
 base = {{ getv "/ldap/base" }}
 scope = {{ getv "/ldap/scope" }}
 user_attrs = {{ getv "/ldap/user/attrs" }}
 user_filter = {{ getv "/ldap/user/filter" }}
 pass_attrs = {{ getv "/ldap/pass/attrs" }}
 pass_filter = {{ getv "/ldap/pass/filter" }}
 iterate_attrs = {{ getv "/ldap/iterate/attrs" }}
 iterate_filter = {{ getv "/ldap/iterate/filter" }}
 default_pass_scheme = {{ getv "/ldap/default/pass/scheme" }}
--- a/files/confd/templates/submission.conf.tmpl
+++ b/files/confd/templates/submission.conf.tmpl
@ -0,0 +1,10 @@
 hostname = {{getv "/submission/hostname"}}
 submission_relay_host = {{getv "/submission/relay/host"}}
 submission_relay_port = {{getv "/submission/relay/port"}}
 submission_relay_trusted = {{getv "/submission/relay/trusted"}}
 submission_relay_user = {{getv "/submission/relay/user"}}
 submission_relay_master_user = {{getv "/submission/relay/master/user"}}
 submission_relay_password = {{getv "/submission/relay/password"}}
 submission_relay_ssl = {{getv "/submission/relay/ssl"}}
 submission_relay_ssl_verify = {{getv "/submission/relay/ssl/verify"}}
 submission_relay_rawlog_dir = {{getv "/submission/relay/rawlog/dir"}}
--- a/files/local.conf
+++ b/files/local.conf
@ -1 +1,2 @@
 !include_try local.d/*.conf
 log_path = /dev/stdout
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -14,15 +14,11 @@
    - 10-mail.conf
    - 10-master.conf
    - 10-ssl.conf
    - 11-quota.conf
    - 15-mailboxes.conf
    - 20-imap.conf
    - 90-antispam.conf
    - 90-sieve.conf
    - auth-ldap.conf.ext
    - auth-master.conf.ext
    - junk-filter.sieve
-    - local.conf
+    - confd
  tags: skip_me
 - name: Crear imagen {{ dovecot_image }}
@ -43,11 +39,43 @@
      - "{{ dovecot_volume_mail }}:/vmail/"
      - "{{ dovecot_volume_ssl }}:/ssl/"
    networks:
-      - name: "{{ docker_network_name }}"
+      - name: "{{ docker_network }}"
-    ports:
+    ports: >-
-      - 143:143
+      [ "143:143",
-      - 2000:2000
+        {{ '"587:587",' if dovecot_submission_enable else '' }}
        "2000:2000"
      ]
    env:
      MAIL_DOMAINS: "{{ mail_domains.keys() | list | join(' ') }}"
      AUTH_MECHANISMS: "{{ dovecot_auth_mechanisms }}"
      AUTH_USERNAME_FORMAT: "{{ dovecot_auth_username_format }}"
      AUTH_MASTER_ENABLE: "{{ 'yes' if dovecot_auth_master_enable else '' }}"
      SUBMISSION_HOSTNAME: "{{ dovecot_submission_hostname }}"
      SUBMISSION_RELAY_HOST: "{{ dovecot_submission_relay_host }}"
      SUBMISSION_RELAY_PORT: "{{ dovecot_submission_relay_port | string }}"
      SUBMISSION_RELAY_TRUSTED: "{{ 'yes' if dovecot_submission_relay_trusted else 'no' }}"
      SUBMISSION_RELAY_SSL_VERIFY: "{{ 'yes' if dovecot_submission_relay_ssl_verify else 'no' }}"
      SUBMISSION_RELAY_SSL: "{{ dovecot_submission_relay_ssl }}"
      # SUBMISSION_RELAY_USER:
      # SUBMISSION_RELAY_MASTER_USER:
      # SUBMISSION_RELAY_PASSWORD:
      # SUBMISSION_RELAY_RAWLOG_DIR:
      LDAP_ENABLE: "{{ 'yes' if dovecot_ldap_enable else '' }}"
      LDAP_HOSTS: "{{ dovecot_ldap_hosts | join(' ') }}"
      LDAP_URIS: "{{ dovecot_ldap_uris | join(' ') }}"
      LDAP_BIND: "{{ 'yes' if dovecot_ldap_bind else 'no' }}"
      LDAP_VERSION: "{{ dovecot_ldap_version | string }}"
      LDAP_BASE: "{{ dovecot_ldap_base }}"
      LDAP_SCOPE: "{{ dovecot_ldap_scope }}"
      LDAP_USER_ATTRS: "{{ dovecot_ldap_user_attrs }}"
      LDAP_USER_FILTER: "{{ dovecot_ldap_user_filter }}"
      LDAP_PASS_ATTRS: "{{ dovecot_ldap_pass_attrs }}"
      LDAP_PASS_FILTER: "{{ dovecot_ldap_pass_filter }}"
      LDAP_ITERATE_ATTRS: "{{ dovecot_ldap_iterate_attrs }}"
      LDAP_ITERATE_FILTER: "{{ dovecot_ldap_iterate_filter }}"
      LDAP_DEFAULT_PASS_SCHEME: "{{ dovecot_ldap_default_pass_scheme }}"
      ANTISPAM_ENABLE: "{{ 'yes' if dovecot_antispam_enable else '' }}"
  register: container
 - name: Leer info de volumen {{ dovecot_volume_config }}
@ -75,24 +103,12 @@
    dovecot_volume_ssl: "{{ lookup('vars','dovecot_volume_ssl') }}"
    dovecot_mountpoint_ssl: "{{ res_ssl.volume.Mountpoint }}"
- name: Configuración de Dovecot (1)
+# FIXME: configurar quota mediante confd
-  template:
+#
-    dest: "{{ dovecot_mountpoint_config }}/conf.d/{{ item }}"
+# - name: Configuración de Dovecot (1)
-    src: "{{item}}.j2"
+#   template:
-  loop:
+#     dest: "{{ dovecot_mountpoint_config }}/conf.d/{{ item }}"
-    - 10-auth.conf
+#     src: "{{item}}.j2"
-    - 20-lmtp.conf
+#   loop:
-    - 90-quota.conf
+#     - 90-quota.conf
-  notify: restart dovecot
+#   notify: restart dovecot
 - name: Configuración de Dovecot (2-LDAP)
  template:
    dest: "{{ dovecot_mountpoint_config }}/dovecot-ldap.conf.ext"
    src: "dovecot-ldap.conf.ext.j2"
  notify: restart dovecot
 - name: Configuración de Dovecot (3-LDAP)
  template:
    dest: "{{ dovecot_mountpoint_config }}/dovecot-ldap2.conf.ext"
    src: "dovecot-ldap.conf.ext.j2"
  notify: restart dovecot
--- a/templates/10-auth.conf.j2
+++ b/templates/10-auth.conf.j2
@ -1,135 +0,0 @@
 ##
 ## Authentication processes
 ##
 # Disable LOGIN command and all other plaintext authentications unless
 # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
 # matches the local IP (ie. you're connecting from the same computer), the
 # connection is considered secure and plaintext authentication is allowed.
 # See also ssl=required setting.
 #disable_plaintext_auth = yes
 # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
 # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
 #auth_cache_size = 0
 # Time to live for cached data. After TTL expires the cached record is no
 # longer used, *except* if the main database lookup returns internal failure.
 # We also try to handle password changes automatically: If user's previous
 # authentication was successful, but this one wasn't, the cache isn't used.
 # For now this works only with plaintext authentication.
 #auth_cache_ttl = 1 hour
 # TTL for negative hits (user not found, password mismatch).
 # 0 disables caching them completely.
 #auth_cache_negative_ttl = 1 hour
 # Space separated list of realms for SASL authentication mechanisms that need
 # them. You can leave it empty if you don't want to support multiple realms.
 # Many clients simply use the first one listed here, so keep the default realm
 # first.
 auth_realms = {{ mail_domains | join(" ") }}
 # Default realm/domain to use if none was specified. This is used for both
 # SASL realms and appending @domain to username in plaintext logins.
 auth_default_realm = {{ mail_domains | first }}
 # List of allowed characters in username. If the user-given username contains
 # a character not listed in here, the login automatically fails. This is just
 # an extra check to make sure user can't exploit any potential quote escaping
 # vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
 # set this value to empty.
 #auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
 # Username character translations before it's looked up from databases. The
 # value contains series of from -> to characters. For example "#@/@" means
 # that '#' and '/' characters are translated to '@'.
 #auth_username_translation =
 # Username formatting before it's looked up from databases. You can use
 # the standard variables here, eg. %Lu would lowercase the username, %n would
 # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
 # "-AT-". This translation is done after auth_username_translation changes.
 auth_username_format = {{ dovecot_auth_username_format }}
 # If you want to allow master users to log in by specifying the master
 # username within the normal username string (ie. not using SASL mechanism's
 # support for it), you can specify the separator character here. The format
 # is then <username><separator><master username>. UW-IMAP uses "*" as the
 # separator, so that could be a good choice.
 #auth_master_user_separator =
 # Username to use for users logging in with ANONYMOUS SASL mechanism
 #auth_anonymous_username = anonymous
 # Maximum number of dovecot-auth worker processes. They're used to execute
 # blocking passdb and userdb queries (eg. MySQL and PAM). They're
 # automatically created and destroyed as needed.
 #auth_worker_max_count = 30
 # Host name to use in GSSAPI principal names. The default is to use the
 # name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
 # entries.
 #auth_gssapi_hostname =
 # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
 # default (usually /etc/krb5.keytab) if not specified. You may need to change
 # the auth service to run as root to be able to read this file.
 #auth_krb5_keytab = 
 # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
 # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
 #auth_use_winbind = no
 # Path for Samba's ntlm_auth helper binary.
 #auth_winbind_helper_path = /usr/bin/ntlm_auth
 # Time to delay before replying to failed authentications.
 #auth_failure_delay = 2 secs
 # Require a valid SSL client certificate or the authentication fails.
 #auth_ssl_require_client_cert = no
 # Take the username from client's SSL certificate, using 
 # X509_NAME_get_text_by_NID() which returns the subject's DN's
 # CommonName. 
 #auth_ssl_username_from_cert = no
 # Space separated list of wanted authentication mechanisms:
 #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
 #   gss-spnego
 # NOTE: See also disable_plaintext_auth setting.
 # el mecanismo "login" es para compatibilidad para Outlooks viejos
 auth_mechanisms = {{ dovecot_auth_mechanisms }}
 ##
 ## Password and user databases
 ##
 #
 # Password database is used to verify user's password (and nothing more).
 # You can have multiple passdbs and userdbs. This is useful if you want to
 # allow both system users (/etc/passwd) and virtual users to login without
 # duplicating the system users into virtual database.
 #
 # <doc/wiki/PasswordDatabase.txt>
 #
 # User database specifies where mails are located and what user/group IDs
 # own them. For single-UID configuration use "static" userdb.
 #
 # <doc/wiki/UserDatabase.txt>
 #!include auth-deny.conf.ext
 {% if dovecot_auth_master_enable %}
 !include auth-master.conf.ext
 {% endif %}
 #!include auth-passwdfile.conf.ext
 {% if dovecot_auth_system_enable %}
 !include auth-system.conf.ext
 {% endif %}
 #!include auth-sql.conf.ext
 {% if dovecot_ldap_enable %}
 !include auth-ldap.conf.ext
 {% endif %}
 #!include auth-passwdfile.conf.ext
 #!include auth-checkpassword.conf.ext
 #!include auth-vpopmail.conf.ext
 #!include auth-static.conf.ext
--- a/templates/20-lmtp.conf.j2
+++ b/templates/20-lmtp.conf.j2
@ -1,28 +0,0 @@
 ##
 ## LMTP specific settings
 ##
 # Support proxying to other LMTP/SMTP servers by performing passdb lookups.
 #lmtp_proxy = no
 # When recipient address includes the detail (e.g. user+detail), try to save
 # the mail to the detail mailbox. See also recipient_delimiter and
 # lda_mailbox_autocreate settings.
 #lmtp_save_to_detail_mailbox = no
 # Verify quota before replying to RCPT TO. This adds a small overhead.
 #lmtp_rcpt_check_quota = no
 # Which recipient address to use for Delivered-To: header and Received:
 # header. The default is "final", which is the same as the one given to
 # RCPT TO command. "original" uses the address given in RCPT TO's ORCPT
 # parameter, "none" uses nothing. Note that "none" is currently always used
 # when a mail has multiple recipients.
 #lmtp_hdr_delivery_address = final
 protocol lmtp {
  # postmaster_address aparentemente es obligatorio
  postmaster_address = postmaster@{{ mail_domains | first }}
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins sieve
 }
--- a/templates/90-quota.conf.j2
+++ b/templates/90-quota.conf.j2
@ -1,91 +0,0 @@
 #jinja2: lstrip_blocks: True
 ##
 ## Quota configuration.
 ##
 # Note that you also have to enable quota plugin in mail_plugins setting.
 # <doc/wiki/Quota.txt>
 ##
 ## Quota limits
 ##
 # Quota limits are set using "quota_rule" parameters. To get per-user quota
 # limits, you can set/override them by returning "quota_rule" extra field
 # from userdb. It's also possible to give mailbox-specific limits, for example
 # to give additional 100 MB when saving to Trash:
 plugin {
  #quota_rule = *:storage=1G
  #quota_rule2 = Trash:storage=+100M
  quota_rule = *:storage={{ dovecot_quota_limit }}
  {% for key, value in dovecot_quota_additional_limit.items() %}
  quota_rule{{ loop.index + 1 }} = {{ key }}:storage=+{{ value }}
  {% endfor %}
  # LDA/LMTP allows saving the last mail to bring user from under quota to
  # over quota, if the quota doesn't grow too high. Default is to allow as
  # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
  #quota_grace = 10%%
  quota_grace = {{ dovecot_quota_grace | regex_replace("%.*$","%%") }}
  {% if dovecot_quota_driver == "count" %}
  quota_vsizes = yes
  {% endif %}
 }
 ##
 ## Quota warnings
 ##
 # You can execute a given command when user exceeds a specified quota limit.
 # Each quota root has separate limits. Only the command for the first
 # exceeded limit is excecuted, so put the highest limit first.
 # The commands are executed via script service by connecting to the named
 # UNIX socket (quota-warning below).
 # Note that % needs to be escaped as %%, otherwise "% " expands to empty.
 plugin {
  #quota_warning = storage=95%% quota-warning 95 %u
  #quota_warning2 = storage=80%% quota-warning 80 %u
 }
 # Example quota-warning service. The unix listener's permissions should be
 # set in a way that mail processes can connect to it. Below example assumes
 # that mail processes run as vmail user. If you use mode=0666, all system users
 # can generate quota warnings to anyone.
 #service quota-warning {
 #  executable = script /usr/local/bin/quota-warning.sh
 #  user = dovecot
 #  unix_listener quota-warning {
 #    user = vmail
 #  }
 #}
 ##
 ## Quota backends
 ##
 # Multiple backends are supported:
 #   dirsize: Find and sum all the files found from mail directory.
 #            Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
 #   dict: Keep quota stored in dictionary (eg. SQL)
 #   maildir: Maildir++ quota
 #   fs: Read-only support for filesystem quota
 plugin {
  quota = {{ dovecot_quota_driver }}:User quota
  #quota = dirsize:User quota
  #quota = maildir:User quota
  #quota = dict:User quota::proxy::quota
  #quota = fs:User quota
 }
 # Multiple quota roots are also possible, for example this gives each user
 # their own 100MB quota and one shared 1GB quota within the domain:
 plugin {
  #quota = dict:user::proxy::quota
  #quota2 = dict:domain:%d:proxy::quota_domain
  #quota_rule = *:storage=102400
  #quota2_rule = *:storage=1048576
 }
--- a/templates/dovecot-ldap.conf.ext.j2
+++ b/templates/dovecot-ldap.conf.ext.j2
@ -1,75 +0,0 @@
 # This file is commonly accessed via passdb {} or userdb {} section in
 # conf.d/auth-ldap.conf.ext
 # This file is opened as root, so it should be owned by root and mode 0600.
 # http://wiki2.dovecot.org/AuthDatabase/LDAP
 # Space separated list of LDAP hosts to use. host:port is allowed too.
 uris = {{ dovecot_ldap_uris | join(" ") }}
 # Use authentication binding for verifying password's validity. This works by
 # logging into LDAP server using the username and password given by client.
 # The pass_filter is used to find the DN for the user. Note that the pass_attrs
 # is still used, only the password field is ignored in it. Before doing any
 # search, the binding is switched back to the default DN.
 auth_bind = yes
 # If authentication binding is used, you can save one LDAP request per login
 # if users' DN can be specified with a common template. The template can use
 # the standard %variables (see user_filter). Note that you can't
 # use any pass_attrs if you use this setting.
 # auth_bind_userdn =
 # LDAP protocol version to use. Likely 2 or 3.
 ldap_version = {{ dovecot_ldap_version }}
 # LDAP base. %variables can be used here.
 # For example: dc=mail, dc=example, dc=org
 base = {{ dovecot_ldap_base }}
 # Search scope: base, onelevel, subtree
 scope = {{ dovecot_ldap_scope }}
 # User attributes are given in LDAP-name=dovecot-internal-name list. The
 # internal names are:
 #   uid - System UID
 #   gid - System GID
 #   home - Home directory
 #   mail - Mail location
 #
 # There are also other special fields which can be returned, see
 # http://wiki2.dovecot.org/UserDatabase/ExtraFields
 #user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
 user_attrs = {{ dovecot_ldap_user_attrs }}
 # Filter for user lookup. Some variables can be used (see
 # http://wiki2.dovecot.org/Variables for full list):
 #   %u - username
 #   %n - user part in user@domain, same as %u if there's no domain
 #   %d - domain part in user@domain, empty if user there's no domain
 user_filter = {{ dovecot_ldap_user_filter }}
 # Password checking attributes:
 #  user: Virtual user name (user@domain), if you wish to change the
 #        user-given username to something else
 #  password: Password, may optionally start with {type}, eg. {crypt}
 # There are also other special fields which can be returned, see
 # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
 # pass_attrs = uid=user,userPassword=password
 # If you wish to avoid two LDAP lookups (passdb + userdb), you can use
 # userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
 # also have to include user_attrs in pass_attrs field prefixed with "userdb_"
 # string. For example:
 pass_attrs = {{ dovecot_ldap_pass_attrs }}
 # Filter for password lookups
 pass_filter = {{ dovecot_ldap_pass_filter }}
 # Attributes and filter to get a list of all users
 iterate_attrs = {{ dovecot_ldap_iterate_attrs }}
 iterate_filter = {{ dovecot_ldap_iterate_filter }}
 # Default password scheme. "{scheme}" before password overrides this.
 # List of supported schemes is in: http://wiki2.dovecot.org/Authentication
 default_pass_scheme = {{ dovecot_ldap_default_pass_scheme }}
		`@ -1,2 +0,0 @@`
			`# Enable quota plugin`
			`mail_plugins = $mail_plugins quota`
`@ -1 +1,2 @@`
		`!include_try local.d/*.conf`
	`log_path = /dev/stdout`	`log_path = /dev/stdout`