use confd for most settings

files/10-auth.conf.tmpl

@@ -0,0 +1,32 @@
+auth_realms = {{ getv "/mail/domains" }}
+auth_default_realm = {{ first 1 (split (getv "/mail/domains") " ") }}
+auth_username_format = {{ getv "/auth/username/format" }}
+auth_mechanisms = {{ getv "/auth/mechanisms" }}
+
+
+{{ if eq (getv "/auth/master/enable") "yes"}}
+passdb {
+  driver = passwd-file
+  master = yes
+  args = /etc/dovecot/master-users
+
+# Unless you're using PAM, you probably still want the destination user to
+  # be looked up from passdb that it really exists. pass=yes does that.
+  pass = yes
+}
+{{ end }}
+
+
+{{ if eq (getv "/auth/ldap/enable") "yes"}}
+passdb {
+  driver = ldap
+  args = /etc/dovecot/local.d/ldap.conf.ext
+}
+userdb {
+  driver = prefetch
+}
+userdb {
+  driver = ldap
+  args = /etc/dovecot/local.d/ldap2.conf.ext
+}
+{{ end }}

files/10-mail.conf

@@ -7,7 +7,7 @@ namespace inbox {
   # Namespace type: private, shared or public
   #type = private
   separator = /
-  #prefix = 
+  #prefix =
   #location =
 
   # There can be only one INBOX, and this setting defines which namespace
@@ -51,7 +51,7 @@ mail_gid = vmail
 
 # A comment or note that is associated with the server. This value is
 # accessible for authenticated users through the IMAP METADATA server
-# entry "/shared/comment". 
+# entry "/shared/comment".
 #mail_server_comment = ""
 
 # Indicates a method for contacting the server administrator. According to
@@ -59,7 +59,7 @@ mail_gid = vmail
 # is currently not enforced. Use for example mailto:admin@example.com. This
 # value is accessible for authenticated users through the IMAP METADATA server
 # entry "/shared/admin".
-#mail_server_admin = 
+#mail_server_admin =
 
 ##
 ## Mail processes
@@ -112,7 +112,7 @@ mail_gid = vmail
 # WARNING: Never add directories here which local users can modify, that
 # may lead to root exploit. Usually this should be done only if you don't
 # allow shell access for users. <doc/wiki/Chrooting.txt>
-#valid_chroot_dirs = 
+#valid_chroot_dirs =
 
 # Default chroot directory for mail processes. This can be overridden for
 # specific users in user database by giving /./ in user's home directory
@@ -120,7 +120,7 @@ mail_gid = vmail
 # need to do chrooting, Dovecot doesn't allow users to access files outside
 # their mail directory anyway. If your home directories are prefixed with
 # the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
-#mail_chroot = 
+#mail_chroot =
 
 # UNIX socket path to master authentication server to find users.
 # This is used by imap (for shared users) and lda.
@@ -237,7 +237,7 @@ mailbox_list_index = yes
 # fallbacks to re-reading the whole mbox file whenever something in mbox isn't
 # how it's expected to be. The only real downside to this setting is that if
 # some other MUA changes message flags, Dovecot doesn't notice it immediately.
-# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK 
+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
 # commands.
 #mbox_dirty_syncs = yes
 

files/10-master.conf

@@ -88,8 +88,8 @@ service auth {
   # permissions (e.g. 0777 allows everyone full permissions).
   unix_listener auth-userdb {
     #mode = 0666
-    #user = 
-    #group = 
+    #user =
+    #group =
   }
 
   inet_listener {
@@ -112,7 +112,7 @@ service dict {
   # For example: mode=0660, group=vmail and global mail_access_groups=vmail
   unix_listener dict {
     #mode = 0600
-    #user = 
-    #group = 
+    #user =
+    #group =
   }
 }

files/10-ssl.conf

@@ -21,7 +21,7 @@ ssl_key = </ssl/key.pem
 # PEM encoded trusted certificate authority. Set this only if you intend to use
 # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
 # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
-#ssl_ca = 
+#ssl_ca =
 
 # Require that CRL check succeeds for client certificates.
 #ssl_require_crl = yes

files/11-quota.conf

@@ -1,2 +0,0 @@
-# Enable quota plugin
-mail_plugins = $mail_plugins quota

files/15-mailboxes.conf

@@ -11,11 +11,11 @@
 #   implicitly when it is first accessed. The user can also be automatically
 #   subscribed to the mailbox after creation. The following values are
 #   defined for this setting:
-# 
+#
 #     no        - Never created automatically.
 #     create    - Automatically created, but no automatic subscription.
 #     subscribe - Automatically created and subscribed.
-#  
+#
 # special_use:
 #   A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
 #   mailbox. There are no validity checks, so you could specify anything
@@ -23,7 +23,7 @@
 #   standard ones specified in the RFC:
 #
 #     \All      - This (virtual) mailbox presents all messages in the
-#                 user's message store. 
+#                 user's message store.
 #     \Archive  - This mailbox is used to archive messages.
 #     \Drafts   - This mailbox is used to hold draft messages.
 #     \Flagged  - This (virtual) mailbox presents all messages in the

files/20-imap.conf

@@ -37,7 +37,7 @@ imap_capability = +SPECIAL_USE
 # ID field names and values to send to clients. Using * as the value makes
 # Dovecot use the default value. The following fields have default values
 # currently: name, version, os, os-version, support-url, support-email.
-#imap_id_send = 
+#imap_id_send =
 
 # ID fields sent by client to log. * means everything.
 #imap_id_log =
@@ -60,7 +60,7 @@ imap_capability = +SPECIAL_USE
 #     greyed out, instead of only later giving "not selectable" popup error.
 #
 # The list is space-separated.
-#imap_client_workarounds = 
+#imap_client_workarounds =
 
 # Host allowed in URLAUTH URLs sent by client. "*" allows all.
 #imap_urlauth_host =

files/20-lmtp.conf.tmpl

@@ -0,0 +1,5 @@
+protocol lmtp {
+  # postmaster_address aparentemente es obligatorio
+  postmaster_address = postmaster@{{ first 1 (split (getv "/mail/domains") " ") }}
+  mail_plugins = $mail_plugins sieve
+}

files/90-quota.conf.tmpl

@@ -0,0 +1,27 @@
+plugin {
+  #quota_rule = *:storage=1G
+  #quota_rule2 = Trash:storage=+100M
+  quota_rule = *:storage={{ dovecot_quota_limit }}
+  {% for key, value in dovecot_quota_additional_limit.items() %}
+  quota_rule{{ loop.index + 1 }} = {{ key }}:storage=+{{ value }}
+  {% endfor %}
+
+  # LDA/LMTP allows saving the last mail to bring user from under quota to
+  # over quota, if the quota doesn't grow too high. Default is to allow as
+  # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
+  #quota_grace = 10%%
+  quota_grace = {{ dovecot_quota_grace | regex_replace("%.*$","%%") }}
+
+  {% if dovecot_quota_driver == "count" %}
+  quota_vsizes = yes
+  {% endif %}
+}
+
+
+plugin {
+  quota = {{ dovecot_quota_driver }}:User quota
+  #quota = dirsize:User quota
+  #quota = maildir:User quota
+  #quota = dict:User quota::proxy::quota
+  #quota = fs:User quota
+}

files/90-sieve.conf

@@ -16,7 +16,7 @@
 #
 # location = [<type>:]path[;<option>[=<value>][;...]]
 #
-# If the type prefix is omitted, the script location type is 'file' and the 
+# If the type prefix is omitted, the script location type is 'file' and the
 # location is interpreted as a local filesystem path pointing to a Sieve script
 # file or directory. Refer to Pigeonhole wiki or INSTALL file for more
 # information.
@@ -27,7 +27,7 @@ plugin {
   # delivery. The "include" extension uses this location for retrieving
   # :personal" scripts. This is also where the  ManageSieve service will store
   # the user's scripts, if supported.
-  # 
+  #
   # Currently only the 'file:' location type supports ManageSieve operation.
   # Other location types like 'dict:' and 'ldap:' can currently only
   # be used as a read-only script source ().
@@ -46,9 +46,9 @@ plugin {
   #     script.
   #sieve_default = /var/lib/dovecot/sieve/default.sieve
 
-  # The name by which the default Sieve script (as configured by the 
-  # sieve_default setting) is visible to the user through ManageSieve. 
-  #sieve_default_name = 
+  # The name by which the default Sieve script (as configured by the
+  # sieve_default setting) is visible to the user through ManageSieve.
+  #sieve_default_name =
 
   # Location for ":global" include scripts as used by the "include" extension.
   #sieve_global =
@@ -63,7 +63,7 @@ plugin {
   #sieve_discard =
 
   # Location Sieve of scripts that need to be executed before the user's
-  # personal script. If a 'file' location path points to a directory, all the 
+  # personal script. If a 'file' location path points to a directory, all the
   # Sieve scripts contained therein (with the proper `.sieve' extension) are
   # executed. The order of execution within that directory is determined by the
   # file names, using a normal 8bit per-character comparison.
@@ -181,18 +181,18 @@ plugin {
   ## TRACE DEBUGGING
   # Trace debugging provides detailed insight in the operations performed by
   # the Sieve script. These settings apply to both the LDA Sieve plugin and the
-  # IMAPSIEVE plugin. 
+  # IMAPSIEVE plugin.
   #
   # WARNING: On a busy server, this functionality can quickly fill up the trace
   # directory with a lot of trace files. Enable this only temporarily and as
   # selective as possible.
-  
+
   # The directory where trace files are written. Trace debugging is disabled if
-  # this setting is not configured or if the directory does not exist. If the 
+  # this setting is not configured or if the directory does not exist. If the
   # path is relative or it starts with "~/" it is interpreted relative to the
   # current user's home directory.
   #sieve_trace_dir =
-  
+
   # The verbosity level of the trace messages. Trace debugging is disabled if
   # this setting is not configured. Possible values are:
   #
@@ -203,12 +203,12 @@ plugin {
   #   "matching"       - Print all executed commands, performed tests and the
   #                      values matched in those tests.
   #sieve_trace_level =
-  
+
   # Enables highly verbose debugging messages that are usually only useful for
   # developers.
   #sieve_trace_debug = no
-  
+
   # Enables showing byte code addresses in the trace output, rather than only
   # the source line numbers.
-  #sieve_trace_addresses = no 
+  #sieve_trace_addresses = no
 }

files/Dockerfile

@@ -38,18 +38,20 @@ ADD 10-mail.conf \
   20-imap.conf \
   90-antispam.conf \
   90-sieve.conf \
-  auth-ldap.conf.ext \
-  auth-master.conf.ext \
   /etc/dovecot/conf.d/
 
 ADD local.conf /etc/dovecot/
+ADD junk-filter.sieve /etc/dovecot/sieve/before/
 
-ADD submission.conf.tmpl \
+ADD \
+  10-auth.conf.tmpl \
+  20-lmtp.conf.tmpl \
+  ldap.conf.ext.tmpl \
+  submission.conf.tmpl \
   /etc/confd/templates/
 ADD confd.toml /etc/confd/conf.d/
 
-ADD junk-filter.sieve /etc/dovecot/sieve/before/
-# RUN sievec /etc/dovecot/sieve/before && sievec /etc/dovecot/sieve/after
+RUN sievec /etc/dovecot/sieve/before/junk-filter.sieve
 
 VOLUME /etc/dovecot /ssl /vmail
 

files/auth-ldap.conf.ext

@@ -1,37 +0,0 @@
-# Authentication for LDAP users. Included from 10-auth.conf.
-#
-# <doc/wiki/AuthDatabase.LDAP.txt>
-
-# Usar LDAP para validar claves
-passdb {
-  driver = ldap
-
-  # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
-  args = /etc/dovecot/dovecot-ldap.conf.ext
-}
-
-# "prefetch" user database means that the passdb already provided the
-# needed information and there's no need to do a separate userdb lookup.
-# <doc/wiki/UserDatabase.Prefetch.txt>
-userdb {
-  driver = prefetch
-}
-
-# Usar LDAP para obtener info de usuario
-# Notar que se usa un enlace al archivo dovecot-ldap.conf.ext,
-# esto es para poder hacer conexiones asíncronas y optimizar performance
-userdb {
-  driver = ldap
-  args = /etc/dovecot/dovecot-ldap2.conf.ext
-
-  # Default fields can be used to specify defaults that LDAP may override
-  #default_fields = home=/home/virtual/%u
-}
-
-# If you don't have any user-specific settings, you can avoid the userdb LDAP
-# lookup by using userdb static instead of userdb ldap, for example:
-# <doc/wiki/UserDatabase.Static.txt>
-#userdb {
-#  driver = static
-#  args = uid=vmail gid=vmail home=/srv/vmail/%d/%n
-#}

files/auth-master.conf.ext

@@ -1,16 +0,0 @@
-# Authentication for master users. Included from 10-auth.conf.
-
-# By adding master=yes setting inside a passdb you make the passdb a list
-# of "master users", who can log in as anyone else.
-# <doc/wiki/Authentication.MasterUsers.txt>
-
-# Example master user passdb using passwd-file. You can use any passdb though.
-passdb {
-  driver = passwd-file
-  master = yes
-  args = /etc/dovecot/master-users
-
-  # Unless you're using PAM, you probably still want the destination user to
-  # be looked up from passdb that it really exists. pass=yes does that.
-  pass = yes
-}

files/confd.toml

@@ -2,14 +2,70 @@
 src = "submission.conf.tmpl"
 dest = "/etc/dovecot/local.d/submission.conf"
 keys = [
-    "submission/enable",
-    "submission/relay/host",
-    "submission/relay/port",
-    "submission/relay/trusted",
-    "submission/relay/user", 
-    "submission/relay/master/user", 
-    "submission/relay/password", 
-    "submission/relay/ssl", 
-    "submission/relay/ssl/verify", 
-    "submission/relay/rawlog/dir"
+    "/submission/enable",
+    "/submission/relay/host",
+    "/submission/relay/port",
+    "/submission/relay/trusted",
+    "/submission/relay/user",
+    "/submission/relay/master/user",
+    "/submission/relay/password",
+    "/submission/relay/ssl",
+    "/submission/relay/ssl/verify",
+    "/submission/relay/rawlog/dir"
+]
+
+[template]
+src = "10-auth.conf.tmpl"
+dest = "/etc/dovecot/local.d/10-auth.conf"
+keys = [
+    "/mail/domains",
+    "/auth/username/format",
+    "/auth/mechanisms",
+    "/auth/master/enable",
+    "/auth/ldap/enable"
+]
+
+[template]
+src = "20-lmtp.conf.tmpl"
+dest = "/etc/dovecot/local.d/20-lmtp.conf"
+keys = [
+    "/mail/domains"
+]
+
+[template]
+src = "ldap.conf.ext.tmpl"
+dest = "/etc/dovecot/local.d/ldap.conf.ext"
+keys = [
+    "/ldap/hosts",
+    "/ldap/uris",
+    "/ldap/bind",
+    "/ldap/version",
+    "/ldap/base",
+    "/ldap/scope",
+    "/ldap/user/attrs",
+    "/ldap/user/filter",
+    "/ldap/pass/attrs",
+    "/ldap/pass/filter",
+    "/ldap/iterate/attrs",
+    "/ldap/iterate/filter",
+    "/ldap/default/pass/scheme",
+]
+
+[template]
+src = "ldap.conf.ext.tmpl"
+dest = "/etc/dovecot/local.d/ldap2.conf.ext"
+keys = [
+    "/ldap/hosts",
+    "/ldap/uris",
+    "/ldap/bind",
+    "/ldap/version",
+    "/ldap/base",
+    "/ldap/scope",
+    "/ldap/user/attrs",
+    "/ldap/user/filter",
+    "/ldap/pass/attrs",
+    "/ldap/pass/filter",
+    "/ldap/iterate/attrs",
+    "/ldap/iterate/filter",
+    "/ldap/default/pass/scheme",
 ]

files/ldap.conf.ext.tmpl

@@ -0,0 +1,16 @@
+{{ if (getv "/ldap/hosts") }}
+hosts = {{ getv "/ldap/hosts" }}
+{{ else }}
+uris = {{ getv "/ldap/uris" }}
+{{ end }}
+auth_bind = {{ getv "/ldap/bind" }}
+ldap_version = {{ getv "/ldap/version" }}
+base = {{ getv "/ldap/base" }}
+scope = {{ getv "/ldap/scope" }}
+user_attrs = {{ getv "/ldap/user/attrs" }}
+user_filter = {{ getv "/ldap/user/filter" }}
+pass_attrs = {{ getv "/ldap/pass/attrs" }}
+pass_filter = {{ getv "/ldap/pass/filter" }}
+iterate_attrs = {{ getv "/ldap/iterate/attrs" }}
+iterate_filter = {{ getv "/ldap/iterate/filter" }}
+default_pass_scheme = {{ getv "/ldap/default/pass/scheme" }}