diff options
| -rw-r--r-- | roles/mail/tasks/main.yml | 14 | ||||
| -rw-r--r-- | roles/mail/templates/dovecot/dovecot.conf.j2 (renamed from roles/mail/templates/dovecot.conf.j2) | 62 | ||||
| -rw-r--r-- | roles/mail/templates/dovecot/passwd.j2 | 31 |
3 files changed, 68 insertions, 39 deletions
diff --git a/roles/mail/tasks/main.yml b/roles/mail/tasks/main.yml index c0f3d4f..9718db9 100644 --- a/roles/mail/tasks/main.yml +++ b/roles/mail/tasks/main.yml @@ -92,17 +92,21 @@ -exec sievec '{}' ';' tags: dovecot -- name: dovecot - copy passwd - copy: - src: "{{ playbook_dir }}/private/dovecot/passwd" +- name: dovecot - include passdb vars file + include_vars: "{{ playbook_dir }}/private/dovecot/passdb.yml" + tags: dovecot + +- name: dovecot - generate passwd + template: + src: dovecot/passwd.j2 dest: /usr/local/etc/dovecot/passwd group: dovecot mode: 0440 tags: dovecot -- name: opendkim - generate config file +- name: dovecot - generate config file template: - src: dovecot.conf.j2 + src: dovecot/dovecot.conf.j2 dest: /usr/local/etc/dovecot/dovecot.conf notify: reload-dovecot tags: dovecot diff --git a/roles/mail/templates/dovecot.conf.j2 b/roles/mail/templates/dovecot/dovecot.conf.j2 index ee13a19..7fcb821 100644 --- a/roles/mail/templates/dovecot.conf.j2 +++ b/roles/mail/templates/dovecot/dovecot.conf.j2 @@ -47,9 +47,9 @@ disable_plaintext_auth = yes # Require a valid SSL client certificate or the authentication fails. #auth_ssl_require_client_cert = no -# Take the username from client's SSL certificate, using +# Take the username from client's SSL certificate, using # X509_NAME_get_text_by_NID() which returns the subject's DN's -# CommonName. +# CommonName. #auth_ssl_username_from_cert = no # Space separated list of wanted authentication mechanisms: @@ -59,15 +59,10 @@ disable_plaintext_auth = yes auth_mechanisms = plain login # The password database used by Dovecot to authenticate users. -# # See: https://wiki2.dovecot.org/PasswordDatabase -# -# Generate the password with: -# $ doveadm pw -s SSHA512 -# passdb { driver = passwd-file - args = scheme=SSHA512 username_format=%u /usr/local/etc/dovecot/passwd + args = scheme=SHA512-CRYPT username_format=%u /usr/local/etc/dovecot/passwd # This is not a database for denied users. deny = no @@ -146,7 +141,7 @@ login_log_format_elements = user=<%{orig_user}> method=%m rip=%r lip=%l mpid=%e # Home directories for virtual users, where Dovecot can save user-specific # files. Home directory shouldn't be the same as mail directory with mbox # or Maildir formats (but with dbox/obox it's fine). -mail_home = {{ mail.vuser.home }}/%d/%n +mail_home = {{ mail.vuser.home }}/%n # Location for users' mailboxes. The default is empty, which means that # Dovecot tries to find the mailboxes automatically. This won't work if @@ -207,11 +202,11 @@ namespace inbox { # created implicitly when it is first accessed. The user can also # be automatically subscribed to the mailbox after creation. The # following values are defined for this setting: - # + # # no - Never created automatically. # create - Automatically created, but no automatic subscription. # subscribe - Automatically created and subscribed. - # + # # special_use: # A space-separated list of SPECIAL-USE flags (RFC 6154) to use for # the mailbox. There are no validity checks, so you could specify @@ -219,7 +214,7 @@ namespace inbox { # other than the standard ones specified in the RFC: # # \All - This (virtual) mailbox presents all messages in the - # user's message store. + # user's message store. # \Archive - This mailbox is used to archive messages. # \Drafts - This mailbox is used to hold draft messages. # \Flagged - This (virtual) mailbox presents all messages in the @@ -263,16 +258,16 @@ namespace inbox { } # If you have a virtual "All messages" mailbox: - #mailbox virtual/All { - # special_use = \All - # comment = All my messages - #} + # mailbox virtual/All { + # special_use = \All + # comment = All my messages + # } # If you have a virtual "Flagged" mailbox: - #mailbox virtual/Flagged { - # special_use = \Flagged - # comment = All my flagged messages - #} + # mailbox virtual/Flagged { + # special_use = \Flagged + # comment = All my flagged messages + # } } @@ -348,7 +343,7 @@ ssl_dh_parameters_length = 2048 # Set this only if you intend to use "ssl_verify_client_cert=yes". # The file should contain the CA certificate(s) followed by the # matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) -#ssl_ca = +#ssl_ca = # Request client to send a certificate. If you also want to require # it, set "auth_ssl_require_client_cert=yes" in auth section. @@ -392,29 +387,28 @@ imap_idle_notify_interval = 4 mins # Workarounds for various client bugs: # delay-newmail: -# Send EXISTS/RECENT new mail notifications only when replying to NOOP -# and CHECK commands. Some clients ignore them otherwise, for example OSX -# Mail (<v2.1). Outlook Express breaks more badly though, without this it -# may show user "Message no longer in server" errors. Note that OE6 still -# breaks even with this workaround if synchronization is set to -# "Headers Only". +# Send EXISTS/RECENT new mail notifications only when replying to +# NOOP and CHECK commands. # tb-extra-mailbox-sep: -# Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and -# adds extra '/' suffixes to mailbox names. This option causes Dovecot to -# ignore the extra '/' instead of treating it as invalid mailbox name. +# Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) +# and adds extra '/' suffixes to mailbox names. This option causes +# Dovecot to ignore the extra '/' instead of treating it as invalid +# mailbox name. # tb-lsub-flags: # Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox). -# This makes Thunderbird realize they aren't selectable and show them -# greyed out, instead of only later giving "not selectable" popup error. +# This makes Thunderbird realize they aren't selectable and show +# them greyed out, instead of only later giving "not selectable" +# popup error. # # The list is space-separated. imap_client_workarounds = delay-newmail tb-extra-mailbox-sep protocol imap { - # Space separated list of plugins to load (default is global mail_plugins). + # Space separated list of plugins to load #mail_plugins = $mail_plugins - # Maximum number of IMAP connections allowed for a user from each IP address. + # Maximum number of IMAP connections allowed for a user from each IP + # address. # NOTE: The username is compared case-sensitively. #mail_max_userip_connections = 10 } diff --git a/roles/mail/templates/dovecot/passwd.j2 b/roles/mail/templates/dovecot/passwd.j2 new file mode 100644 index 0000000..b62ba2e --- /dev/null +++ b/roles/mail/templates/dovecot/passwd.j2 @@ -0,0 +1,31 @@ +# +# /usr/local/etc/dovecot/passwd +# Dovecot authentication database in passwd-file format. +# +# Format: +# user:password:uid:gid:(gecos):home:(shell):extra_fields +# +# Aaron LI +# + +{% set mydomain = mail.domains[0] %} +{% for domain in mail.domains %} +# [domain: {{ domain }}] +{% for user in mail.userdb %} +{% set name = user.name %} +# (user: {{ name }}) +{{ name }}@{{ domain }}:{{ passdb[name].pass }}::::::user={{ name }}@{{ mydomain }} +{% for dev in user.devices|default([]) %} +{{ name }}@{{ domain }}@{{ dev }}:{{ passdb[name].devices[dev] }}::::::user={{ name }}@{{ mydomain }} +{% endfor %}{# devices #} +{% if user.name != "root" and "aliases" in user %} +# aliases +{% for alias in user.aliases|default([]) %} +{{ alias }}@{{ domain }}:{{ passdb[name].pass }}::::::user={{ name }}@{{ mydomain }} +{% for dev in user.devices|default([]) %} +{{ alias }}@{{ domain }}@{{ dev }}:{{ passdb[name].devices[dev] }}::::::user={{ name }}@{{ mydomain }} +{% endfor %}{# devices #} +{% endfor %}{# alias #} +{% endif %}{# alias #} +{% endfor %}{# user #} +{% endfor %}{# domain #} |