dovecot: refactor role

20a1bc5f · Lars Beckers · 6208b487 · 20a1bc5f · 20a1bc5f · 20a1bc5f
Commit 20a1bc5f authored Jul 15, 2018 by Lars Beckers
--- a/dovecot/defaults/main.yml
+++ b/dovecot/defaults/main.yml
+---
+
+dovecot_admin_mail: "postmaster@{{ domain }}"
+dovecot_protocols: imap lmtp sieve
+dovecot_mail_location: "maildir:~/mail:LAYOUT=fs"
+dovecot_maildir_separator: /
+dovecot_deny_users: []
+dovecot_users_group: users
+dovecot_auth_virtual: no
+dovecot_auth_system: yes
+dovecot_min_uid: 500
+dovecot_max_uid: 0
+
+dovecot_tls_cert: /etc/ssl/private/fullchain.pem
+dovecot_tls_key: /etc/ssl/private/privkey.pem
+dovecot_tls_ca_dir: /etc/ssl/certs
+dovecot_tls_ciphers: "{{ tls_ciphers }}"
+dovecot_tls_dh_length: 4096
+dovecot_tls_protocols: TLSv1.1 TLSv1.2 !SSLv3
+
+dovecot_dsync: yes
+dovecot_dsync_tls: no
+dovecot_dsync_group: dovecot
+dovecot_dsync_address: '0.0.0.0'
+dovecot_dsync_password: "{{ lookup('passwordstore', dovecot_dsync_passwordstore ~ ' create=true length=20') }}"
+dovecot_dsync_passwordstore: selfhosted/dsync
+dovecot_dsync_host_attribute: ansible_host
+
+dovecot_content_filter: yes
+dovecot_spam_folder: Spam
+
--- a/dovecot/files/sa-learn-ham.sh
+++ b/dovecot/files/sa-learn-ham.sh
+#!/bin/sh
+# you can also use tcp/ip here, consult spamc(1)
+exec /usr/bin/spamc -u ${1} -L ham -C report
--- a/dovecot/files/sa-learn-spam.sh
+++ b/dovecot/files/sa-learn-spam.sh
+#!/bin/sh
+# you can also use tcp/ip here, consult spamc(1)
+exec /usr/bin/spamc -u ${1} -L spam -C report
--- a/dovecot/tasks/main.yml
+++ b/dovecot/tasks/main.yml
 ---

 - name: ensure all required dovecot packages are installed
-  apt: name={{ item }} state=present 
+  apt:
+    name: "{{ item }}"
+    state: present
  with_items:
    - dovecot-core
    - dovecot-imapd
@@ -13,18 +15,22 @@
    - mail

 - name: ensure all configs are present
-  template: src={{item.src}} dest={{item.dest}}
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/dovecot/{{ item }}"
  with_items:
-    - { src: 'templates/dovecot.conf.j2', dest: '/etc/dovecot/dovecot.conf' }
-    - { src: 'templates/conf.d/10-auth.conf.j2', dest: '/etc/dovecot/conf.d/10-auth.conf' }
-    - { src: 'templates/conf.d/10-mail.conf.j2', dest: '/etc/dovecot/conf.d/10-mail.conf' }
-    - { src: 'templates/conf.d/10-master.conf.j2', dest: '/etc/dovecot/conf.d/10-master.conf' }
-    - { src: 'templates/conf.d/10-ssl.conf.j2', dest: '/etc/dovecot/conf.d/10-ssl.conf' }
-    - { src: 'templates/conf.d/20-managesieve.conf.j2', dest: '/etc/dovecot/conf.d/20-managesieve.conf' }
-    - { src: 'templates/conf.d/20-imap.conf.j2', dest: '/etc/dovecot/conf.d/20-imap.conf' }
-    - { src: 'templates/conf.d/20-lmtp.conf.j2', dest: '/etc/dovecot/conf.d/20-lmtp.conf' }
-    - { src: 'templates/conf.d/90-sieve.conf.j2', dest: '/etc/dovecot/conf.d/90-sieve.conf' }
-    - { src: 'templates/conf.d/auth-passwdfile.conf.ext.j2', dest: '/etc/dovecot/conf.d/auth-passwdfile.conf.ext' }
+    - dovecot.conf
+    - deny-users
+    - conf.d/10-auth.conf
+    - conf.d/10-mail.conf
+    - conf.d/10-master.conf
+    - conf.d/10-ssl.conf
+    - conf.d/15-lda.conf
+    - conf.d/20-managesieve.conf
+    - conf.d/20-imap.conf
+    - conf.d/20-lmtp.conf
+    - conf.d/90-sieve.conf
+    - conf.d/auth-passwdfile.conf.ext
  notify:
    - restart dovecot
  tags:
@@ -32,31 +38,68 @@
    - mail

 - name: ensure there is a folder for global sieve scripts
-  file: dest=/var/lib/dovecot/sieve.d state=directory owner=dovecot group=vmail mode=0770
+  file:
+    dest: /var/lib/dovecot/sieve.d
+    state: directory
+    owner: dovecot
+    group: "{{ dovecot_users_group }}"
+    mode: 0770
  tags:
    - dovecot
    - mail
-  when: content_filter is defined

 - name: ensure the global spam filter and learning sieve script is present
-  copy: src="files/{{ item }}" dest="/var/lib/dovecot/sieve.d/{{ item }}" mode=0550 owner=dovecot group=vmail
-  with_items: 
-    - filter_junk.sieve
+  template:
+    src: "sieve/{{ item }}.j2"
+    dest: "/var/lib/dovecot/sieve.d/{{ item }}"
+    mode: 0550
+    owner: dovecot
+    group: "{{ dovecot_users_group }}"
+  with_items:
+    - filter-spam.sieve
    - report-spam.sieve
    - report-ham.sieve
+  when: dovecot_content_filter
  notify:
    - compile sieve scripts
  tags:
    - dovecot
+    - spamassassin
+    - mail
+
+- name: ensure scripts for learning spam are present
+  copy:
+    src: "{{ item }}"
+    dest: "/var/lib/dovecot/sieve.d/{{ item }}"
+    mode: 0750
+    owner: dovecot
+    group: "{{ dovecot_users_group }}"
+  with_items:
+    - sa-learn-ham.sh
+    - sa-learn-spam.sh
+  when: dovecot_content_filter
+  tags:
+    - dovecot
+    - spamassassin
    - mail
-  when: content_filter is defined

 - name: ensure dsync config is present
-  template: src=templates/conf.d/99-dsync.conf.j2 dest=/etc/dovecot/conf.d/99-dsync.conf
-  when: dsync == True
+  template:
+    src: conf.d/99-dsync.conf.j2
+    dest: /etc/dovecot/conf.d/99-dsync.conf
+  when: dovecot_dsync
  notify:
    - restart dovecot
  tags:
    - dovecot
    - mail

+- name: ensure dovecot is enabled and running
+  service:
+    name: dovecot
+    state: started
+    enabled: yes
+  tags:
+    - dovecot
+    - mail
+
--- a/dovecot/templates/conf.d/10-auth.conf.j2
+++ b/dovecot/templates/conf.d/10-auth.conf.j2
@@ -7,7 +7,7 @@
 # matches the local IP (ie. you're connecting from the same computer), the
 # connection is considered secure and plaintext authentication is allowed.
 # See also ssl=required setting.
-disable_plaintext_auth = no
+disable_plaintext_auth = yes

 # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
 # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
@@ -116,13 +116,13 @@ auth_mechanisms = plain
 #
 # <doc/wiki/UserDatabase.txt>

-#!include auth-deny.conf.ext
-#!include auth-master.conf.ext
+!include auth-deny.conf.ext
+{{ '' if dovecot_auth_system else '#' }}!include auth-system.conf.ext
+{{ '' if dovecot_auth_virtual else '#' }}!include auth-passwdfile.conf.ext

-#!include auth-system.conf.ext
+#!include auth-master.conf.ext
 #!include auth-sql.conf.ext
 #!include auth-ldap.conf.ext
-!include auth-passwdfile.conf.ext
 #!include auth-checkpassword.conf.ext
 #!include auth-vpopmail.conf.ext
 #!include auth-static.conf.ext
--- a/dovecot/templates/conf.d/10-mail.conf.j2
+++ b/dovecot/templates/conf.d/10-mail.conf.j2
@@ -27,7 +27,7 @@
 #
 # <doc/wiki/MailLocation.txt>
 #
-mail_location = {{ mail_location }} 
+mail_location = {{ dovecot_mail_location }} 

 # If you need to set multiple mailbox locations or want to change default
 # namespace settings, you can do it by defining namespace sections.
@@ -46,7 +46,7 @@ namespace inbox {
  # Hierarchy separator to use. You should use the same separator for all
  # namespaces or some clients get confused. '/' is usually a good one.
  # The default however depends on the underlying mail storage format.
-  separator = {{ seperator }}
+  separator = {{ dovecot_maildir_separator }}
 
  # Prefix required to access this namespace. This needs to be different for
  # all namespaces. For example "Public/".
@@ -140,7 +140,7 @@ namespace inbox {
 # is currently not enforced. Use for example mailto:admin@example.com. This
 # value is accessible for authenticated users through the IMAP METADATA server
 # entry "/shared/admin".
-#mail_server_admin = 
+mail_server_admin = {{ dovecot_admin_mail }}

 ##
 ## Mail processes
@@ -172,8 +172,8 @@ namespace inbox {
 # to make sure that users can't log in as daemons or other system users.
 # Note that denying root logins is hardcoded to dovecot binary and can't
 # be done even if first_valid_uid is set to 0.
-#first_valid_uid = 500
-#last_valid_uid = 0
+first_valid_uid = {{ dovecot_min_uid }}
+last_valid_uid = {{ dovecot_max_uid }}

 # Valid GID range for users, defaults to non-root/wheel. Users having
 # non-valid GID as primary group ID aren't allowed to log in. If user
@@ -212,12 +212,7 @@ namespace inbox {

 # Space separated list of plugins to load for all services. Plugins specific to
 # IMAP, LDA, etc. are added to this list in their own .conf files.
-{% if dsync is defined  %}
-mail_plugins = $mail_plugins notify replication
-{% else %}
-mail_plugins = $mail_plugins notify
-{% endif %}
-#mail_plugins = 
+mail_plugins = $mail_plugins notify {{ "replication" if dovecot_dsync else "" }}

 ##
 ## Mailbox handling optimizations

--- a/dovecot/templates/conf.d/10-ssl.conf.j2
+++ b/dovecot/templates/conf.d/10-ssl.conf.j2
@@ -9,8 +9,8 @@ ssl = required
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = <{{ ssl_cert }}
-ssl_key = <{{ ssl_key }}
+ssl_cert = <{{ dovecot_tls_cert }}
+ssl_key = <{{ dovecot_tls_key }}

 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
@@ -30,7 +30,7 @@ ssl_key = <{{ ssl_key }}
 # when Dovecot needs to act as an SSL client (e.g. imapc backend). The
 # directory is usually /etc/ssl/certs in Debian-based systems and the file is
 # /etc/pki/tls/cert.pem in RedHat-based systems.
-#ssl_client_ca_dir =
+ssl_client_ca_dir = {{ dovecot_tls_ca_dir }}
 #ssl_client_ca_file =

 # Request client to send a certificate. If you also want to require it, set
@@ -43,15 +43,15 @@ ssl_key = <{{ ssl_key }}
 #ssl_cert_username_field = commonName

 # DH parameters length to use.
-ssl_dh_parameters_length = 4096
+ssl_dh_parameters_length = {{ dovecot_tls_dh_length }}

 # SSL protocols to use
-ssl_protocols = TLSv1.1 TLSv1.2 !SSLv3
+ssl_protocols = {{ dovecot_tls_protocols }}

 # SSL ciphers to use
 #ssl_cipher_list = HIGH:!LOW:!SSLv2:!EXP:!aNULL:!MD5:!RC4:!SHA1
 #Supported Ciphers downto Android 2.3
-ssl_cipher_list = {{ tls_ciphers }}
+ssl_cipher_list = {{ dovecot_tls_ciphers }}

 # Prefer the server's order of ciphers over client's.
 ssl_prefer_server_ciphers = yes

--- a/dovecot/templates/conf.d/15-lda.conf.j2
+++ b/dovecot/templates/conf.d/15-lda.conf.j2
+##
+## LDA specific settings (also used by LMTP)
+##
+
+# Address to use when sending rejection mails.
+# Default is postmaster@<your domain>. %d expands to recipient domain.
+#postmaster_address =
+
+# Hostname to use in various parts of sent mails (e.g. in Message-Id) and
+# in LMTP replies. Default is the system's real hostname@domain.
+#hostname = 
+
+# If user is over quota, return with temporary failure instead of
+# bouncing the mail.
+#quota_full_tempfail = no
+
+# Binary to use for sending mails.
+#sendmail_path = /usr/sbin/sendmail
+
+# If non-empty, send mails via this SMTP host[:port] instead of sendmail.
+#submission_host =
+
+# Subject: header to use for rejection mails. You can use the same variables
+# as for rejection_reason below.
+#rejection_subject = Rejected: %s
+
+# Human readable error message for rejection mails. You can use variables:
+#  %n = CRLF, %r = reason, %s = original subject, %t = recipient
+#rejection_reason = Your message to <%t> was automatically rejected:%n%r
+
+# Delimiter character between local-part and detail in email address.
+#recipient_delimiter = +
+
+# Header where the original recipient address (SMTP's RCPT TO: address) is taken
+# from if not available elsewhere. With dovecot-lda -a parameter overrides this. 
+# A commonly used header for this is X-Original-To.
+#lda_original_recipient_header =
+
+# Should saving a mail to a nonexistent mailbox automatically create it?
+#lda_mailbox_autocreate = no
+
+# Should automatically created mailboxes be also automatically subscribed?
+#lda_mailbox_autosubscribe = no
+
+protocol lda {
+  # Space separated list of plugins to load (default is global mail_plugins).
+  mail_plugins = $mail_plugins sieve
+}
--- a/dovecot/templates/conf.d/20-imap.conf.j2
+++ b/dovecot/templates/conf.d/20-imap.conf.j2
@@ -76,24 +76,22 @@ protocol imap {
  mail_max_userip_connections = 40
 }

-{% if content_filter is defined %}
-
+{% if dovecot_content_filter %}
 plugin {
  sieve_plugins = sieve_imapsieve sieve_extprograms

  # From elsewhere to Spam folder
-  imapsieve_mailbox1_name = Junk
+  imapsieve_mailbox1_name = {{ dovecot_spam_folder }}
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_before = file:/var/lib/dovecot/sieve.d/report-spam.sieve

  # From Spam folder to elsewhere
  imapsieve_mailbox2_name = *
-  imapsieve_mailbox2_from = Junk
+  imapsieve_mailbox2_from = {{ dovecot_spam_folder }}
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_before = file:/var/lib/dovecot/sieve.d/report-ham.sieve

  sieve_pipe_bin_dir = /var/lib/dovecot/sieve.d
-
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
 }
 {% endif %}
--- a/dovecot/templates/conf.d/20-managesieve.conf.j2
+++ b/dovecot/templates/conf.d/20-managesieve.conf.j2
@@ -12,10 +12,6 @@ service managesieve-login {
    port = 4190
  }

-  #inet_listener sieve_deprecated {
-  #  port = 2000
-  #}
-
  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>

--- a/dovecot/templates/conf.d/90-sieve.conf.j2
+++ b/dovecot/templates/conf.d/90-sieve.conf.j2
@@ -76,8 +76,8 @@ plugin {
  #sieve_before = /var/lib/dovecot/sieve.d/
  #sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
  #sieve_before3 = (etc...)
-{% if content_filter is defined %}
-  sieve_before = /var/lib/dovecot/sieve.d/filter_junk.sieve
+{% if dovecot_content_filter %}
+  sieve_before = /var/lib/dovecot/sieve.d/filter-spam.sieve
 {% endif %}

  # Identical to sieve_before, only the specified scripts are executed after the

--- a/dovecot/templates/conf.d/99-dsync.conf.j2
+++ b/dovecot/templates/conf.d/99-dsync.conf.j2
@@ -4,26 +4,22 @@ service replicator {
    mode = 0666
    user = dovecot
  }
-  group = vmail
+  group = {{ dovecot_dsync_group }}
 }

 replication_max_conns = 10

-
-# there was a problem with the oom-killer 
-#plugin {
-#  # When saving a new mail via IMAP or delivering a mail via LDA/LMTP,
-#  # wait for the mail to be synced to the remote site. If it doesn't finish
-#  # in 2 seconds, return success anyway.
-#  replication_sync_timeout = 2 
-#}
-
 service doveadm {
  inet_listener {
-    address = {{ tinc_vpnip  }}
+{% if dovecot_dsync_address != '0.0.0.0' %}
+    address = {{ dovecot_dsync_address }}
+{% endif %}
    port = 37962
+{% if dovecot_dsync_tls %}
+    ssl = yes
+{% endif %}
  }
-  group = vmail
+  group = {{ dovecot_dsync_group }}
 }

 service aggregator {
@@ -38,14 +34,13 @@ service aggregator {
 }

 doveadm_port = 37962
-
-doveadm_password = {{ lookup('passwordstore', 'wolfscloud/dsync_secret create=true length=20') }}
+doveadm_password = {{ dovecot_dsync_password }}

 plugin {

 {% for partner in groups['mail'] %}
  {% if partner != ansible_hostname %}
-mail_replica = tcp:{{hostvars[partner]["tinc_vpnip"]}}:37962
+mail_replica = tcp{{ 's' if dovecot_dsync_tls else '' }}:{{ hostvars[partner][dovecot_dsync_host_attribute] }}:37962
  {% endif %}
 {% endfor %}


--- a/dovecot/templates/deny-users.j2
+++ b/dovecot/templates/deny-users.j2
+{{ dovecot_deny_users|join('\n') }}
--- a/dovecot/templates/dovecot.conf.j2
+++ b/dovecot/templates/dovecot.conf.j2
@@ -96,7 +96,7 @@ dict {
 # first sorted by their ASCII value and parsed in that order. The 00-prefixes
 # in filenames are intended to make it easier to understand the ordering.
 !include conf.d/*.conf
-protocols = {{ protocols }}
+protocols = {{ dovecot_protocols }}

 # A config file can also tried to be included without giving an error if
 # it's not found:

--- a/dovecot/files/filter_junk.sieve
+++ b/dovecot/files/filter_junk.sieve
 require ["fileinto", "mailbox"];

 if header :contains "X-Spam-Flag" "YES" {
- fileinto :create "Junk";
+	fileinto :create "{{ dovecot_spam_folder }}";
 }
-
-if header :contains "Subject" "*SPAM*" {
-  fileinto :create "Junk";
-}
-
--- a/dovecot/files/report-ham.sieve
+++ b/dovecot/files/report-ham.sieve
--- a/dovecot/files/report-spam.sieve
+++ b/dovecot/files/report-spam.sieve