From 1988a3dea8297735e8a333548815f28bff509107 Mon Sep 17 00:00:00 2001 From: Aaron LI Date: Wed, 7 Mar 2018 18:15:08 +0800 Subject: mail/dovecot: use both passdb and userdb files to support user aliases --- roles/mail/tasks/main.yml | 9 ++-- roles/mail/templates/dovecot/dovecot.conf.j2 | 63 +++++++--------------------- roles/mail/templates/dovecot/passdb.j2 | 46 ++++++++++++++++++++ roles/mail/templates/dovecot/passwd.j2 | 31 -------------- roles/mail/templates/dovecot/userdb.j2 | 42 +++++++++++++++++++ 5 files changed, 109 insertions(+), 82 deletions(-) create mode 100644 roles/mail/templates/dovecot/passdb.j2 delete mode 100644 roles/mail/templates/dovecot/passwd.j2 create mode 100644 roles/mail/templates/dovecot/userdb.j2 (limited to 'roles/mail') diff --git a/roles/mail/tasks/main.yml b/roles/mail/tasks/main.yml index d33ef1f..968dd2b 100644 --- a/roles/mail/tasks/main.yml +++ b/roles/mail/tasks/main.yml @@ -96,12 +96,15 @@ include_vars: "{{ playbook_dir }}/private/dovecot/passdb.yml" tags: dovecot -- name: dovecot - generate passwd +- name: dovecot - generate passdb and userdb template: - src: dovecot/passwd.j2 - dest: /usr/local/etc/dovecot/passwd + src: dovecot/{{ item }}.j2 + dest: /usr/local/etc/dovecot/{{ item }} group: dovecot mode: 0440 + with_items: + - passdb + - userdb tags: dovecot - name: dovecot - generate config file diff --git a/roles/mail/templates/dovecot/dovecot.conf.j2 b/roles/mail/templates/dovecot/dovecot.conf.j2 index 3f4d627..134a9fd 100644 --- a/roles/mail/templates/dovecot/dovecot.conf.j2 +++ b/roles/mail/templates/dovecot/dovecot.conf.j2 @@ -39,11 +39,6 @@ listen = *, :: # SSL/TLS is used (LOGINDISABLED capability). disable_plaintext_auth = yes -# Space separated list of realms for SASL authentication mechanisms -# that need them. You can leave it empty if you don't want to support -# multiple realms. -#auth_realms = - # Require a valid SSL client certificate or the authentication fails. #auth_ssl_require_client_cert = no @@ -59,40 +54,21 @@ disable_plaintext_auth = yes auth_mechanisms = plain login # The password database used by Dovecot to authenticate users. -# See: https://wiki2.dovecot.org/PasswordDatabase +# See: https://wiki.dovecot.org/PasswordDatabase passdb { driver = passwd-file - args = scheme=SHA512-CRYPT username_format=%u /usr/local/etc/dovecot/passwd - - # This is not a database for denied users. - deny = no - # This is not a database for master users, which can log in as - # other users. - master = no - pass = no - skip = never - result_failure = continue - result_internalfail = continue - result_success = return-ok + args = scheme=SHA512-CRYPT \ + username_format=%u \ + /usr/local/etc/dovecot/passdb } # User database, which will be looked up to obtain user's information # after the user has been successfully authenticated. The userdb lookup # is also done by LDA to find out how to deliver mails for the user. -# -# Dovecot doesn't need to verify the username or the password. -# -# See: https://wiki2.dovecot.org/UserDatabase -# +# See: https://wiki.dovecot.org/UserDatabase userdb { - driver = static - # - # Set 'allow_all_users=yes' will make Dovecot ignore the user lookup - # from the userdb and entirely rely on the passdb lookup. Therefore, - # the username may be repeated to have multiple passwords, which can - # be utilized to achieve device-specific passwords. - # - args = allow_all_users=yes + driver = passwd-file + args = username_format=%n /usr/local/etc/dovecot/userdb } @@ -121,7 +97,8 @@ auth_verbose_passwords = sha1 # the client sent before any changes by auth process, to keep track of # the actual usages. # -login_log_format_elements = user=<%{orig_user}> method=%m rip=%r lip=%l mpid=%e %c +login_log_format_elements = user=<%{orig_user}> method=%m \ + rip=%r lip=%l mpid=%e %c ## @@ -129,24 +106,14 @@ login_log_format_elements = user=<%{orig_user}> method=%m rip=%r lip=%l mpid=%e ## Mailbox settings and mail handling. ## -# There are a few special variables you can use, eg.: -# -# %u - username -# %n - user part in user@domain, same as %u if there's no domain -# %d - domain part in user@domain, empty if there's no domain -# %h - home directory -# -# See doc/wiki/Variables.txt for full list. - -# Home directories for virtual users, where Dovecot can save user-specific -# files. Home directory shouldn't be the same as mail directory with mbox -# or Maildir formats (but with dbox/obox it's fine). +# Home for virtual users, where Dovecot can save user-specific files, +# e.g., custom Sieve filters. +# NOTE: home specified in the userdb will override this. mail_home = {{ mail.vuser.home }}/%n -# Location for users' mailboxes. The default is empty, which means that -# Dovecot tries to find the mailboxes automatically. This won't work if -# the user doesn't yet have any mail, so you should explicitly tell -# Dovecot the full location. +# Format and location for users' mailboxes. +# * '~' will be expanded to $mail_home (i.e., user's home) +# * LAYOUT=fs : use filesystem directories for mailbox folders mail_location = maildir:~/mail:LAYOUT=fs # System user and group used to access mails. If you use multiple, diff --git a/roles/mail/templates/dovecot/passdb.j2 b/roles/mail/templates/dovecot/passdb.j2 new file mode 100644 index 0000000..a8c4ab7 --- /dev/null +++ b/roles/mail/templates/dovecot/passdb.j2 @@ -0,0 +1,46 @@ +# +# /usr/local/etc/dovecot/passdb +# Dovecot authentication database in passwd-file format. +# +# References: +# * Dovecot - PasswordDatabase +# https://wiki.dovecot.org/PasswordDatabase +# * Dovecot - AuthDatabase / PasswdFile +# https://wiki.dovecot.org/AuthDatabase/PasswdFile +# +# +# Aaron LI +# + +# Fields +# ------ +# user:password:(uid):(gid):(gecos):(home):(shell):extra_fields +# The ()-enclosed fields are ignored by Dovecot passdb lookup. +# ---------------------------------------------------------------------- +{% set mydomain = mail.domains[0] %} +{% for domain in mail.domains %} +# [domain: {{ domain }}] +{% for user in mail.userdb %} +{% set name = user.name %} +{% set email = name + "@" + domain %} +{% set pass = passdb[name].pass %} +# (user: {{ name }}) +{{ email }}:{{ pass }}::::::user={{ email }} +{% for dev in user.devices|default([]) %} +{% set pass = passdb[name].devices[dev] %} +{{ email }}@{{ dev }}:{{ pass }}::::::user={{ email }} +{% endfor %}{# devices #} +{% if name != "root" and user.aliases is defined %} +# aliases +{% for alias in user.aliases|default([]) %} +{% set email = alias + "@" + domain %} +{{ email }}:{{ pass }}::::::user={{ email }} +{% for dev in user.devices|default([]) %} +{% set pass = passdb[name].devices[dev] %} +{{ email }}@{{ dev }}:{{ pass }}::::::user={{ email }} +{% endfor %}{# devices #} +{% endfor %}{# alias #} +{% endif %}{# aliases #} +{% endfor %}{# user #} +{% endfor %}{# domain #} +# EOF diff --git a/roles/mail/templates/dovecot/passwd.j2 b/roles/mail/templates/dovecot/passwd.j2 deleted file mode 100644 index e2552f2..0000000 --- a/roles/mail/templates/dovecot/passwd.j2 +++ /dev/null @@ -1,31 +0,0 @@ -# -# /usr/local/etc/dovecot/passwd -# Dovecot authentication database in passwd-file format. -# -# Format: -# user:password:uid:gid:(gecos):home:(shell):extra_fields -# -# Aaron LI -# - -{% set mydomain = mail.domains[0] %} -{% for domain in mail.domains %} -# [domain: {{ domain }}] -{% for user in mail.userdb %} -{% set name = user.name %} -# (user: {{ name }}) -{{ name }}@{{ domain }}:{{ passdb[name].pass }}::::::user={{ name }}@{{ mydomain }} -{% for dev in user.devices|default([]) %} -{{ name }}@{{ domain }}@{{ dev }}:{{ passdb[name].devices[dev] }}::::::user={{ name }}@{{ mydomain }} -{% endfor %}{# devices #} -{% if user.name != "root" and user.aliases is defined %} -# aliases -{% for alias in user.aliases|default([]) %} -{{ alias }}@{{ domain }}:{{ passdb[name].pass }}::::::user={{ name }}@{{ mydomain }} -{% for dev in user.devices|default([]) %} -{{ alias }}@{{ domain }}@{{ dev }}:{{ passdb[name].devices[dev] }}::::::user={{ name }}@{{ mydomain }} -{% endfor %}{# devices #} -{% endfor %}{# alias #} -{% endif %}{# aliases #} -{% endfor %}{# user #} -{% endfor %}{# domain #} diff --git a/roles/mail/templates/dovecot/userdb.j2 b/roles/mail/templates/dovecot/userdb.j2 new file mode 100644 index 0000000..c15df05 --- /dev/null +++ b/roles/mail/templates/dovecot/userdb.j2 @@ -0,0 +1,42 @@ +# +# /usr/local/etc/dovecot/userdb +# Dovecot user database in passwd-file format. +# +# References: +# * Dovecot - UserDatabase +# https://wiki.dovecot.org/UserDatabase +# * Dovecot - VirtualUsers +# https://wiki.dovecot.org/VirtualUsers +# * Dovecot - AuthDatabase / PasswdFile +# https://wiki.dovecot.org/AuthDatabase/PasswdFile +# +# +# Aaron LI +# + +# NOTE +# ---- +# We explicitly specify the *home* here, allowing that a user has the +# same mailboxes with all its alias(es). +# +# Fields +# ------ +# user:(password):uid:gid:(gecos):home:(shell):extra_fields +# * uid - override the global $mail_uid +# * gid - override the global $mail_gid +# * home - override the global $mail_home +# The ()-enclosed fields are ignored by Dovecot userdb lookup. +# ---------------------------------------------------------------------- +{% for user in mail.userdb %} +{% set name = user.name %} +{% set home = mail.vuser.home + "/" + name %} +# (user: {{ name }}) +{{ name }}:::::{{ home }}:: +{% if name != "root" and user.aliases is defined %} +# aliases +{% for alias in user.aliases|default([]) %} +{{ alias }}:::::{{ home }}:: +{% endfor %}{# alias #} +{% endif %}{# aliases #} +{% endfor %}{# user #} +# EOF -- cgit v1.2.2