add ssl client config

Dockerfile

@@ -32,7 +32,8 @@ ENV \
     LDAP_ITERATE_FILTER="(objectClass=inetOrgPerson)" \
     LDAP_DEFAULT_PASS_SCHEME=CRYPT \
     ANTISPAM_ENABLE=yes \
-    IMAP_URLAUTH_HOST="*"
+    IMAP_URLAUTH_HOST="*" \
+    SSL_CLIENT_CA_DIR="/etc/ssl/certs"
 
 RUN groupadd -g 5000 vmail && useradd -g vmail -u 5000 vmail -d /vmail \
   && mkdir -p /vmail && chown vmail:vmail /vmail \
@@ -46,6 +47,7 @@ RUN groupadd -g 5000 vmail && useradd -g vmail -u 5000 vmail -d /vmail \
      dovecot-antispam \
      bogofilter \
      ssl-cert \
+     ca-certificates \
   && rm -rf /var/lib/apt/lists/* \
   && mkdir -p /ssl && chmod 700 /ssl \
   && cp /etc/ssl/certs/ssl-cert-snakeoil.pem /ssl/cert.pem \
@@ -55,7 +57,6 @@ RUN groupadd -g 5000 vmail && useradd -g vmail -u 5000 vmail -d /vmail \
 
 ADD 10-mail.conf \
   10-master.conf \
-  10-ssl.conf \
   15-mailboxes.conf \
   90-antispam.conf \
   90-sieve.conf \

confd/conf.d/ssl.toml

@@ -0,0 +1,6 @@
+[template]
+src = "10-ssl.conf.tmpl"
+dest = "/etc/dovecot/local.d/10-ssl.conf"
+keys = [
+    "/ssl/client/ca/dir",
+]

confd/templates/10-ssl.conf.tmpl

@@ -30,7 +30,7 @@ ssl_key = </ssl/key.pem
 # when Dovecot needs to act as an SSL client (e.g. imapc backend). The
 # directory is usually /etc/ssl/certs in Debian-based systems and the file is
 # /etc/pki/tls/cert.pem in RedHat-based systems.
-#ssl_client_ca_dir =
+{{ with getv "/ssl/client/ca/dir" }}ssl_client_ca_dir = {{.}}{{ end }}
 #ssl_client_ca_file =
 
 # Request client to send a certificate. If you also want to require it, set