From 35fba2ec5aa5a4f61ed4e8d805fab294549daa13 Mon Sep 17 00:00:00 2001 From: Aaron LI Date: Tue, 6 Mar 2018 15:59:39 +0800 Subject: mail/dovecot: generate passwd from template --- roles/mail/tasks/main.yml | 14 +- roles/mail/templates/dovecot.conf.j2 | 471 --------------------------- roles/mail/templates/dovecot/dovecot.conf.j2 | 465 ++++++++++++++++++++++++++ roles/mail/templates/dovecot/passwd.j2 | 31 ++ 4 files changed, 505 insertions(+), 476 deletions(-) delete mode 100644 roles/mail/templates/dovecot.conf.j2 create mode 100644 roles/mail/templates/dovecot/dovecot.conf.j2 create mode 100644 roles/mail/templates/dovecot/passwd.j2 (limited to 'roles/mail') diff --git a/roles/mail/tasks/main.yml b/roles/mail/tasks/main.yml index c0f3d4f..9718db9 100644 --- a/roles/mail/tasks/main.yml +++ b/roles/mail/tasks/main.yml @@ -92,17 +92,21 @@ -exec sievec '{}' ';' tags: dovecot -- name: dovecot - copy passwd - copy: - src: "{{ playbook_dir }}/private/dovecot/passwd" +- name: dovecot - include passdb vars file + include_vars: "{{ playbook_dir }}/private/dovecot/passdb.yml" + tags: dovecot + +- name: dovecot - generate passwd + template: + src: dovecot/passwd.j2 dest: /usr/local/etc/dovecot/passwd group: dovecot mode: 0440 tags: dovecot -- name: opendkim - generate config file +- name: dovecot - generate config file template: - src: dovecot.conf.j2 + src: dovecot/dovecot.conf.j2 dest: /usr/local/etc/dovecot/dovecot.conf notify: reload-dovecot tags: dovecot diff --git a/roles/mail/templates/dovecot.conf.j2 b/roles/mail/templates/dovecot.conf.j2 deleted file mode 100644 index ee13a19..0000000 --- a/roles/mail/templates/dovecot.conf.j2 +++ /dev/null @@ -1,471 +0,0 @@ -# -# /usr/local/etc/dovecot/dovecot.conf -# Dovecot configuration file -# -# References -# ---------- -# * Dovecot - Quick Configuration -# http://wiki2.dovecot.org/QuickConfiguration -# * Dovecot - SSL Configuration -# https://wiki.dovecot.org/SSL/DovecotConfiguration -# * Multiple domains and virtual users (Postfix/Dovecot/SASL) -# http://void.ideabite.org/2013/07/28/multiple-domains-and-virtual-users/ -# -# Aaron LI -# - -{% set mydomain = mail.domains[0] %} - -# NOTE -# ---- -# "doveconf -n" command gives a clean output of the changed settings. -# Use it instead of copy/pasting files when posting to the mailing list. - -# Protocols want to be serving. -protocols = imap - -# A comma separated list of IPs or hosts where to listen. -# - "*" listens in all IPv4 interfaces -# - "::" listens in all IPv6 interfaces -listen = *, :: - - -## -## 10-auth.conf -## Authentication process, password and user database -## - -# Disable LOGIN command and all other plaintext authentications unless -# SSL/TLS is used (LOGINDISABLED capability). -disable_plaintext_auth = yes - -# Space separated list of realms for SASL authentication mechanisms -# that need them. You can leave it empty if you don't want to support -# multiple realms. -#auth_realms = - -# Require a valid SSL client certificate or the authentication fails. -#auth_ssl_require_client_cert = no - -# Take the username from client's SSL certificate, using -# X509_NAME_get_text_by_NID() which returns the subject's DN's -# CommonName. -#auth_ssl_username_from_cert = no - -# Space separated list of wanted authentication mechanisms: -# plain login digest-md5 cram-md5 ntlm rpa apop anonymous -# gssapi otp skey gss-spnego -# NOTE: See also disable_plaintext_auth setting. -auth_mechanisms = plain login - -# The password database used by Dovecot to authenticate users. -# -# See: https://wiki2.dovecot.org/PasswordDatabase -# -# Generate the password with: -# $ doveadm pw -s SSHA512 -# -passdb { - driver = passwd-file - args = scheme=SSHA512 username_format=%u /usr/local/etc/dovecot/passwd - - # This is not a database for denied users. - deny = no - # This is not a database for master users, which can log in as - # other users. - master = no - pass = no - skip = never - result_failure = continue - result_internalfail = continue - result_success = return-ok -} - -# User database, which will be looked up to obtain user's information -# after the user has been successfully authenticated. The userdb lookup -# is also done by LDA to find out how to deliver mails for the user. -# -# Dovecot doesn't need to verify the username or the password. -# -# See: https://wiki2.dovecot.org/UserDatabase -# -userdb { - driver = static - # - # Set 'allow_all_users=yes' will make Dovecot ignore the user lookup - # from the userdb and entirely rely on the passdb lookup. Therefore, - # the username may be repeated to have multiple passwords, which can - # be utilized to achieve device-specific passwords. - # - args = allow_all_users=yes -} - - -## -## 10-logging.conf -## Log destination, verbosity, and debugging. -## - -# Log unsuccessful authentication attempts and the reasons why they -# failed. -auth_verbose = yes - -# In case of password mismatches, log the attempted password. -# Valid values are no, plain and sha1. -# sha1 can be useful for detecting brute force password attempts vs. -# user simply trying the same password over and over again. -auth_verbose_passwords = sha1 - -# Space-separated list of elements we want to log. The elements which -# have a non-empty variable value are joined together to form a -# comma-separated string. -# -# Since we set up device-specific passwords, therefore the full -# username (%u) is the authenticated user after replacing by the auth -# process. Use %{orig_user}, which expands to the original username -# the client sent before any changes by auth process, to keep track of -# the actual usages. -# -login_log_format_elements = user=<%{orig_user}> method=%m rip=%r lip=%l mpid=%e %c - - -## -## 10-mail.conf -## Mailbox settings and mail handling. -## - -# There are a few special variables you can use, eg.: -# -# %u - username -# %n - user part in user@domain, same as %u if there's no domain -# %d - domain part in user@domain, empty if there's no domain -# %h - home directory -# -# See doc/wiki/Variables.txt for full list. - -# Home directories for virtual users, where Dovecot can save user-specific -# files. Home directory shouldn't be the same as mail directory with mbox -# or Maildir formats (but with dbox/obox it's fine). -mail_home = {{ mail.vuser.home }}/%d/%n - -# Location for users' mailboxes. The default is empty, which means that -# Dovecot tries to find the mailboxes automatically. This won't work if -# the user doesn't yet have any mail, so you should explicitly tell -# Dovecot the full location. -mail_location = maildir:~/mail:LAYOUT=fs - -# System user and group used to access mails. If you use multiple, -# userdb can override these by returning uid or gid fields. You can -# use either numbers or names. -mail_uid = {{ mail.vuser.name }} -mail_gid = {{ mail.vuser.name }} - -# Use the dedicated virtual mail user to restrict the temporary -# privileged operations. -mail_privileged_group = {{ mail.vuser.name }} - -# Only allow Dovecot use the dedicated virtual mail user. -first_valid_uid = {{ mail.vuser.id }} -last_valid_uid = {{ mail.vuser.id }} -first_valid_gid = {{ mail.vuser.id }} -last_valid_gid = {{ mail.vuser.id }} - -# Mailbox list indexes can be used to optimize IMAP STATUS commands. -# They are also required for IMAP NOTIFY extension to be enabled. -mailbox_list_index = yes - -# Assume Dovecot is the only MUA accessing Maildir: -# Scan cur/ directory only when its mtime changes unexpectedly or when -# we can't find the mail otherwise. -maildir_very_dirty_syncs = no - -# If enabled, Dovecot doesn't use the S= in the Maildir filenames -# for getting the mail's physical size, except when recalculating -# Maildir++ quota. This can be useful in systems where a lot of the -# Maildir filenames have a broken size. The performance hit for -# enabling this is very small. -#maildir_broken_filename_sizes = no - -# If you need to set multiple mailbox locations or want to change default -# namespace settings, you can do it by defining namespace sections. -# -namespace inbox { - # There can be only one INBOX, and this setting defines which namespace - # has it. - inbox = yes - - # 15-mailboxes.conf - # Mailbox definitions - # - # Each mailbox is specified in a separate mailbox section. The - # section name specifies the mailbox name. If it has spaces, you can - # put the name "in quotes". These sections can contain the following - # mailbox settings: - # - # auto: - # Indicates whether the mailbox with this name is automatically - # created implicitly when it is first accessed. The user can also - # be automatically subscribed to the mailbox after creation. The - # following values are defined for this setting: - # - # no - Never created automatically. - # create - Automatically created, but no automatic subscription. - # subscribe - Automatically created and subscribed. - # - # special_use: - # A space-separated list of SPECIAL-USE flags (RFC 6154) to use for - # the mailbox. There are no validity checks, so you could specify - # anything you want in here, but it's not a good idea to use flags - # other than the standard ones specified in the RFC: - # - # \All - This (virtual) mailbox presents all messages in the - # user's message store. - # \Archive - This mailbox is used to archive messages. - # \Drafts - This mailbox is used to hold draft messages. - # \Flagged - This (virtual) mailbox presents all messages in the - # user's message store marked with the IMAP \Flagged - # flag. - # \Junk - This mailbox is where messages deemed to be junk - # mail are held. - # \Sent - This mailbox is used to hold copies of messages that - # have been sent. - # \Trash - This mailbox is used to hold messages that have been - # deleted. - # - # comment: - # Defines a default comment or note associated with the mailbox. - # This value is accessible through the IMAP METADATA mailbox entries - # "/shared/comment" and "/private/comment". Users with sufficient - # privileges can override the default value for entries with a custom - # value. - # - mailbox Drafts { - special_use = \Drafts - # Automatically created and subscribed. - auto = subscribe - } - mailbox Junk { - special_use = \Junk - auto = subscribe - } - mailbox Trash { - special_use = \Trash - auto = subscribe - } - mailbox Sent { - special_use = \Sent - auto = subscribe - } - - mailbox Archive { - special_use = \Archive - auto = subscribe - } - - # If you have a virtual "All messages" mailbox: - #mailbox virtual/All { - # special_use = \All - # comment = All my messages - #} - - # If you have a virtual "Flagged" mailbox: - #mailbox virtual/Flagged { - # special_use = \Flagged - # comment = All my flagged messages - #} -} - - -## -## 10-master.conf -## - -service imap-login { - inet_listener imap { - # Disable non-SSL IMAP! - port = 0 - } - - inet_listener imaps { - #port = 993 - #ssl = yes - } -} - -service auth { - # This userdb socket is typically used by dovecot-lda, doveadm, - # possibly imap process, etc. Users that have full permissions to - # this socket are able to get a list of all usernames and get the - # results of everyone's userdb lookups. - # - # The default 0666 mode allows anyone to connect to the socket, but - # the userdb lookups will succeed only if the userdb returns an "uid" - # field that matches the caller process's UID. Also if caller's uid - # or gid matches the socket's uid or gid the lookup succeeds. - # Anything else causes a failure. - unix_listener auth-userdb { - mode = 0600 - user = {{ mail.vuser.name }} - group = {{ mail.vuser.name }} - } - - # Postfix smtp-auth - unix_listener /var/spool/postfix/private/auth { - mode = 0660 - user = postfix - group = postfix - } -} - - -## -## 10-ssl.conf -## - -# SSL/TLS support: yes, no, required. -# NOTE: If only plaintext auth mechanisms enabled (e.g., "plain", -# "login"), "ssl=yes" and "ssl=required" is equivalent. -ssl = required - -# PEM encoded X.509 SSL/TLS certificate and private key. -# They're opened before dropping root privileges, so preferred -# permissions is: root:root, 0400. -ssl_cert = method=%m rip=%r lip=%l mpid=%e %c + + +## +## 10-mail.conf +## Mailbox settings and mail handling. +## + +# There are a few special variables you can use, eg.: +# +# %u - username +# %n - user part in user@domain, same as %u if there's no domain +# %d - domain part in user@domain, empty if there's no domain +# %h - home directory +# +# See doc/wiki/Variables.txt for full list. + +# Home directories for virtual users, where Dovecot can save user-specific +# files. Home directory shouldn't be the same as mail directory with mbox +# or Maildir formats (but with dbox/obox it's fine). +mail_home = {{ mail.vuser.home }}/%n + +# Location for users' mailboxes. The default is empty, which means that +# Dovecot tries to find the mailboxes automatically. This won't work if +# the user doesn't yet have any mail, so you should explicitly tell +# Dovecot the full location. +mail_location = maildir:~/mail:LAYOUT=fs + +# System user and group used to access mails. If you use multiple, +# userdb can override these by returning uid or gid fields. You can +# use either numbers or names. +mail_uid = {{ mail.vuser.name }} +mail_gid = {{ mail.vuser.name }} + +# Use the dedicated virtual mail user to restrict the temporary +# privileged operations. +mail_privileged_group = {{ mail.vuser.name }} + +# Only allow Dovecot use the dedicated virtual mail user. +first_valid_uid = {{ mail.vuser.id }} +last_valid_uid = {{ mail.vuser.id }} +first_valid_gid = {{ mail.vuser.id }} +last_valid_gid = {{ mail.vuser.id }} + +# Mailbox list indexes can be used to optimize IMAP STATUS commands. +# They are also required for IMAP NOTIFY extension to be enabled. +mailbox_list_index = yes + +# Assume Dovecot is the only MUA accessing Maildir: +# Scan cur/ directory only when its mtime changes unexpectedly or when +# we can't find the mail otherwise. +maildir_very_dirty_syncs = no + +# If enabled, Dovecot doesn't use the S= in the Maildir filenames +# for getting the mail's physical size, except when recalculating +# Maildir++ quota. This can be useful in systems where a lot of the +# Maildir filenames have a broken size. The performance hit for +# enabling this is very small. +#maildir_broken_filename_sizes = no + +# If you need to set multiple mailbox locations or want to change default +# namespace settings, you can do it by defining namespace sections. +# +namespace inbox { + # There can be only one INBOX, and this setting defines which namespace + # has it. + inbox = yes + + # 15-mailboxes.conf + # Mailbox definitions + # + # Each mailbox is specified in a separate mailbox section. The + # section name specifies the mailbox name. If it has spaces, you can + # put the name "in quotes". These sections can contain the following + # mailbox settings: + # + # auto: + # Indicates whether the mailbox with this name is automatically + # created implicitly when it is first accessed. The user can also + # be automatically subscribed to the mailbox after creation. The + # following values are defined for this setting: + # + # no - Never created automatically. + # create - Automatically created, but no automatic subscription. + # subscribe - Automatically created and subscribed. + # + # special_use: + # A space-separated list of SPECIAL-USE flags (RFC 6154) to use for + # the mailbox. There are no validity checks, so you could specify + # anything you want in here, but it's not a good idea to use flags + # other than the standard ones specified in the RFC: + # + # \All - This (virtual) mailbox presents all messages in the + # user's message store. + # \Archive - This mailbox is used to archive messages. + # \Drafts - This mailbox is used to hold draft messages. + # \Flagged - This (virtual) mailbox presents all messages in the + # user's message store marked with the IMAP \Flagged + # flag. + # \Junk - This mailbox is where messages deemed to be junk + # mail are held. + # \Sent - This mailbox is used to hold copies of messages that + # have been sent. + # \Trash - This mailbox is used to hold messages that have been + # deleted. + # + # comment: + # Defines a default comment or note associated with the mailbox. + # This value is accessible through the IMAP METADATA mailbox entries + # "/shared/comment" and "/private/comment". Users with sufficient + # privileges can override the default value for entries with a custom + # value. + # + mailbox Drafts { + special_use = \Drafts + # Automatically created and subscribed. + auto = subscribe + } + mailbox Junk { + special_use = \Junk + auto = subscribe + } + mailbox Trash { + special_use = \Trash + auto = subscribe + } + mailbox Sent { + special_use = \Sent + auto = subscribe + } + + mailbox Archive { + special_use = \Archive + auto = subscribe + } + + # If you have a virtual "All messages" mailbox: + # mailbox virtual/All { + # special_use = \All + # comment = All my messages + # } + + # If you have a virtual "Flagged" mailbox: + # mailbox virtual/Flagged { + # special_use = \Flagged + # comment = All my flagged messages + # } +} + + +## +## 10-master.conf +## + +service imap-login { + inet_listener imap { + # Disable non-SSL IMAP! + port = 0 + } + + inet_listener imaps { + #port = 993 + #ssl = yes + } +} + +service auth { + # This userdb socket is typically used by dovecot-lda, doveadm, + # possibly imap process, etc. Users that have full permissions to + # this socket are able to get a list of all usernames and get the + # results of everyone's userdb lookups. + # + # The default 0666 mode allows anyone to connect to the socket, but + # the userdb lookups will succeed only if the userdb returns an "uid" + # field that matches the caller process's UID. Also if caller's uid + # or gid matches the socket's uid or gid the lookup succeeds. + # Anything else causes a failure. + unix_listener auth-userdb { + mode = 0600 + user = {{ mail.vuser.name }} + group = {{ mail.vuser.name }} + } + + # Postfix smtp-auth + unix_listener /var/spool/postfix/private/auth { + mode = 0660 + user = postfix + group = postfix + } +} + + +## +## 10-ssl.conf +## + +# SSL/TLS support: yes, no, required. +# NOTE: If only plaintext auth mechanisms enabled (e.g., "plain", +# "login"), "ssl=yes" and "ssl=required" is equivalent. +ssl = required + +# PEM encoded X.509 SSL/TLS certificate and private key. +# They're opened before dropping root privileges, so preferred +# permissions is: root:root, 0400. +ssl_cert =