Commit 63701a03 authored by Hinrikus Wolf's avatar Hinrikus Wolf

Merge branch 'bullseye' into 'master'

Bullseye Compatibility

See merge request !15
parents 6d33f02a c29818ef
1 merge request!15Bullseye Compatibility
Pipeline #2909 passed
Showing with 170 additions and 23 deletions
......@@ -10,7 +10,7 @@
disable_plaintext_auth = yes
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
# bsdauth and PAM require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
......@@ -98,7 +98,7 @@ auth_username_format = %Ln
#auth_ssl_username_from_cert = no
# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain
......@@ -128,5 +128,4 @@ auth_mechanisms = plain
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
......@@ -165,7 +165,10 @@ mail_server_admin = {{ dovecot_admin_mail }}
# methods. NFS users: flock doesn't work, remember to change mmap_disable.
#lock_method = fcntl
# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB.
# Directory where mails can be temporarily stored. Usually it's used only for
# mails larger than >= 128 kB. It's used by various parts of Dovecot, for
# example LDA/LMTP while delivering large mails or zlib plugin for keeping
# uncompressed mails.
#mail_temp_dir = /tmp
# Valid UID range for users, defaults to 500 and above. This is mostly
......@@ -220,7 +223,16 @@ mail_plugins = $mail_plugins notify {{ "replication" if dovecot_dsync else "" }}
# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
# also required for IMAP NOTIFY extension to be enabled.
#mailbox_list_index = no
#mailbox_list_index = yes
# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost
# of potentially returning out-of-date results after e.g. server crashes.
# The results will be automatically fixed once the folders are opened.
#mailbox_list_index_very_dirty_syncs = yes
# Should INBOX be kept up-to-date in the mailbox list index? By default it's
# not, because most of the mailbox accesses will open INBOX anyway.
#mailbox_list_index_include_inbox = no
# The minimum number of mails in a mailbox before updates are done to cache
# file. This allows optimizing Dovecot's behavior to do less disk writes at
......@@ -248,6 +260,21 @@ mail_plugins = $mail_plugins notify {{ "replication" if dovecot_dsync else "" }}
# These should exist only after Dovecot dies in the middle of saving mails.
#mail_temp_scan_interval = 1w
# How many slow mail accesses sorting can perform before it returns failure.
# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long.
# The untagged SORT reply is still returned, but it's likely not correct.
#mail_sort_max_read_count = 0
{% if ansible_distribution_major_version|int(default=99) > 10 %}
protocol !indexer-worker {
# If folder vsize calculation requires opening more than this many mails from
# disk (i.e. mail sizes aren't in cache already), return failure and finish
# the calculation via indexer process. Disabled by default. This setting must
# be 0 for indexer-worker processes.
#mail_vsize_bg_after_count = 0
}
{% endif %}
##
## Maildir-specific settings
##
......@@ -347,7 +374,7 @@ mail_plugins = $mail_plugins notify {{ "replication" if dovecot_dsync else "" }}
##
# Maximum dbox file size until it's rotated.
#mdbox_rotate_size = 2M
#mdbox_rotate_size = 10M
# Maximum dbox file age until it's rotated. Typically in days. Day begins
# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
......@@ -383,3 +410,14 @@ mail_plugins = $mail_plugins notify {{ "replication" if dovecot_dsync else "" }}
# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
#mail_attachment_hash = %{sha1}
# Settings to control adding $HasAttachment or $HasNoAttachment keywords.
# By default, all MIME parts with Content-Disposition=attachment, or inlines
# with filename parameter are consired attachments.
# add-flags - Add the keywords when saving new mails or when fetching can
# do it efficiently.
# content-type=type or !type - Include/exclude content type. Excluding will
# never consider the matched MIME part as attachment. Including will only
# negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar).
# exclude-inlined - Exclude any Content-Disposition=inline MIME part.
#mail_attachment_detection_options =
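Review bot: The `int(default=99)` fallback in the new `{% if ansible_distribution_major_version|int(default=99) > 10 %}` guard is undocumented, and the same expression recurs in the TLS, sieve, Postfix master and spamassassin templates later in this commit. With it, a release string that does not parse as an integer is treated as newer than every threshold, whereas the plain `int` it replaces elsewhere yields 0 and selects the oldest branch. I would record that once next to the guard, e.g. `{# default=99: a non-numeric release is treated as newer than any supported version #}`. Computing the value once in a role variable would also keep the thresholds from drifting apart between templates.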
......@@ -35,6 +35,12 @@ service imap-login {
#vsz_limit = $default_vsz_limit
}
#service submission-login {
# inet_listener submission {
# #port = 587
# }
#}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
......@@ -59,6 +65,11 @@ service imap {
#process_limit = 1024
}
#service submission {
# # Max. number of SMTP Submission processes (connections)
# #process_limit = 1024
#}
service auth {
# auth_socket_path points to this userdb socket by default. It's typically
# used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
......
......@@ -27,12 +27,18 @@ ssl_key = <{{ dovecot_tls_key }}
#ssl_require_crl = yes
# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
# directory is usually /etc/ssl/certs in Debian-based systems and the file is
# /etc/pki/tls/cert.pem in RedHat-based systems.
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
# submission service). The directory is usually /etc/ssl/certs in
# Debian-based systems and the file is /etc/pki/tls/cert.pem in
# RedHat-based systems. Note that ssl_client_ca_file isn't recommended with
# large CA bundles, because it leads to excessive memory usage.
#ssl_client_ca_dir =
ssl_client_ca_dir = {{ dovecot_tls_ca_dir }}
#ssl_client_ca_file =
# Require valid cert when connecting to a remote server
#ssl_client_require_valid_cert = yes
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
......@@ -42,7 +48,7 @@ ssl_client_ca_dir = {{ dovecot_tls_ca_dir }}
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
{% if ansible_distribution_major_version|int < 10 %}
{% if ansible_distribution_major_version|int(default=99) < 10 %}
# DH parameters length to use.
{% if dovecot_tls_dh_length %}
ssl_dh_parameters_length = {{ dovecot_tls_dh_length }}
......@@ -50,7 +56,10 @@ ssl_dh_parameters_length = {{ dovecot_tls_dh_length }}
#ssl_dh_parameters_length =
{% endif %}
{% else %}
# DH parameters to use.
# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
{% if dovecot_tls_dh_file %}
ssl_dh = </etc/dovecot/dh.pem
{% else %}
......@@ -58,21 +67,30 @@ ssl_dh = </etc/dovecot/dh.pem
{% endif %}
{% endif %}
{% if ansible_distribution_major_version|int < 10 %}
{% if ansible_distribution_major_version|int(default=99) < 10 %}
# SSL protocols to use
ssl_protocols = {{ dovecot_tls_protocols }}
{% else %}
# Minimum TLS version to use
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
ssl_min_protocol = {{ dovecot_tls_min_protocol }}
{% endif %}
# SSL ciphers to use
# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
{% if dovecot_tls_ciphers %}
ssl_cipher_list = {{ dovecot_tls_ciphers }}
{% else %}
#ssl_cipher_list =
{% endif %}
# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
# example of a valid value.
#ssl_curve_list =
# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = {{ 'yes' if dovecot_tls_prefer_server_ciphers else 'no' }}
......@@ -80,5 +98,11 @@ ssl_prefer_server_ciphers = {{ 'yes' if dovecot_tls_prefer_server_ciphers else '
#ssl_crypto_device =
# SSL extra options. Currently supported options are:
{% if ansible_distribution_major_version|int(default=99) < 11 %}
# no_compression - Disable compression.
ssl_options = no_compression
{% else %}
# compression - Enable compression.
# no_ticket - Disable SSL session tickets.
ssl_options = no_ticket
{% endif %}
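Review bot: The two `ssl_options` branches at the end of this section harden different things: hosts below release 11 get only `no_compression`, and hosts at 11 or above get only `no_ticket`. The newer comment lists `compression` as an opt-in, so compression is presumably off there unless requested, but session tickets stay enabled on the older branch. If the older Dovecot accepts `no_ticket`, which the visible comment does not confirm, the first branch could read `ssl_options = no_compression no_ticket`. Otherwise a one-line comment saying that tickets are deliberately left on for those hosts would make the difference explicit.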
......@@ -3,7 +3,7 @@
##
# Address to use when sending rejection mails.
# Default is postmaster@<your domain>. %d expands to recipient domain.
# Default is postmaster@%d. %d expands to recipient domain.
#postmaster_address =
# Hostname to use in various parts of sent mails (e.g. in Message-Id) and
......
......@@ -21,10 +21,17 @@
# %{fetch_body_count} - Number of mails with mail body data sent to client
# %{fetch_body_bytes} - Number of bytes with mail body data sent to client
# %{deleted} - Number of mails where client added \Deleted flag
# %{expunged} - Number of mails that client expunged
# %{expunged} - Number of mails that client expunged, which does not
# include automatically expunged mails
# %{autoexpunged} - Number of mails that were automatically expunged after
# client disconnected
# %{trashed} - Number of mails that client copied/moved to the
# special_use=\Trash mailbox.
#imap_logout_format = in=%i out=%o
# %{appended} - Number of mails saved during the session
#imap_logout_format = in=%i out=%o deleted=%{deleted} expunged=%{expunged} \
# trashed=%{trashed} hdr_count=%{fetch_hdr_count} \
# hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} \
# body_bytes=%{fetch_body_bytes}
# Override the IMAP CAPABILITY response. If the value begins with '+',
# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
......@@ -37,7 +44,8 @@ imap_idle_notify_interval = 29 mins
# ID field names and values to send to clients. Using * as the value makes
# Dovecot use the default value. The following fields have default values
# currently: name, version, os, os-version, support-url, support-email.
# currently: name, version, os, os-version, support-url, support-email,
# revision.
#imap_id_send =
# ID fields sent by client to log. * means everything.
......@@ -66,6 +74,22 @@ imap_idle_notify_interval = 29 mins
# Host allowed in URLAUTH URLs sent by client. "*" allows all.
#imap_urlauth_host =
# Enable IMAP LITERAL- extension (replaces LITERAL+)
#imap_literal_minus = no
# What happens when FETCH fails due to some internal error:
# disconnect-immediately:
# The FETCH is aborted immediately and the IMAP client is disconnected.
# disconnect-after:
# The FETCH runs for all the requested mails returning as much data as
# possible. The client is finally disconnected without a tagged reply.
# no-after:
# Same as disconnect-after, but tagged NO reply is sent instead of
# disconnecting the client. If the client attempts to FETCH the same failed
# mail more than once, the client is disconnected. This is to avoid clients
# from going into infinite loops trying to FETCH a broken mail.
#imap_fetch_failure = disconnect-immediately
protocol imap {
# Space separated list of plugins to load (default is global mail_plugins).
#mail_plugins = $mail_plugins
......
......@@ -13,6 +13,9 @@
# Verify quota before replying to RCPT TO. This adds a small overhead.
#lmtp_rcpt_check_quota = no
# Add "Received:" header to mails delivered.
#lmtp_add_received_header = yes
# Which recipient address to use for Delivered-To: header and Received:
# header. The default is "final", which is the same as the one given to
# RCPT TO command. "original" uses the address given in RCPT TO's ORCPT
......@@ -20,6 +23,17 @@
# when a mail has multiple recipients.
#lmtp_hdr_delivery_address = final
# Workarounds for various client bugs:
# whitespace-before-path:
# Allow one or more spaces or tabs between `MAIL FROM:' and path and between
# `RCPT TO:' and path.
# mailbox-for-path:
# Allow using bare Mailbox syntax (i.e., without <...>) instead of full path
# syntax.
#
# The list is space-separated.
#lmtp_client_workarounds =
protocol lmtp {
# Space separated list of plugins to load (default is global mail_plugins).
mail_plugins = $mail_plugins sieve
......
......@@ -49,12 +49,20 @@ protocol sieve {
# MANAGESIEVE logout format string:
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
# %{put_bytes} - Number of bytes saved using PUTSCRIPT command
# %{put_count} - Number of scripts saved using PUTSCRIPT command
# %{get_bytes} - Number of bytes read using GETCRIPT command
# %{get_count} - Number of scripts read using GETSCRIPT command
# %{get_bytes} - Number of bytes processed using CHECKSCRIPT command
# %{get_count} - Number of scripts checked using CHECKSCRIPT command
# %{deleted_count} - Number of scripts deleted using DELETESCRIPT command
# %{renamed_count} - Number of scripts renamed using RENAMESCRIPT command
#managesieve_logout_format = bytes=%i/%o
# To fool ManageSieve clients that are focused on CMU's timesieved you can
# specify the IMPLEMENTATION capability that Dovecot reports to clients.
# For example: 'Cyrus timsieved v2.2.13'
managesieve_implementation_string = Dovecot Pigeonhole
#managesieve_implementation_string = Dovecot Pigeonhole
# Explicitly specify the SIEVE and NOTIFY capability reported by the server
# before login. If left unassigned these will be reported dynamically
......
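Review bot: The added variable list documents `%{get_bytes}` and `%{get_count}` twice, once for GETSCRIPT and again for CHECKSCRIPT, so the CHECKSCRIPT names are almost certainly wrong. They are presumably `%{check_bytes}` and `%{check_count}`, to be confirmed against the Pigeonhole documentation. `GETCRIPT` in the first pair is also a typo for `GETSCRIPT`. This only affects someone who uncomments `managesieve_logout_format`, but a name copied from here would log a different counter than intended.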
......@@ -116,6 +116,7 @@ plugin {
# The sieve_extprograms plugin is included in this release.
#sieve_plugins =
{% if ansible_distribution_major_version|int(default=99) < 11 %}
# The separator that is expected between the :user and :detail
# address parts introduced by the subaddress extension. This may
# also be a sequence of characters (e.g. '--'). The current
......@@ -124,6 +125,7 @@ plugin {
# left of the separator and the :detail part is right. This setting
# is also used by Dovecot's LMTP service.
recipient_delimiter = +
{% endif %}
# The maximum size of a Sieve script. The compiler will refuse to compile any
# script larger than this limit. If set to 0, no limit on the script size is
......
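Review bot: On release 11 and above the template now renders no `recipient_delimiter` at all, because the new `{% if ... < 11 %}` guard has no else branch. The retained comment says the setting is also used by Dovecot's LMTP service, so subaddress delivery on those hosts depends on a delimiter configured elsewhere or on a default, neither of which is visible here. If it is meant to come from the global setting, an `{% else %}` branch with a comment such as `# release 11+: delimiter comes from the global recipient_delimiter setting` would record that; it should match the delimiter Postfix uses. The enclosing `plugin` block starts and ends outside the hunks.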
......@@ -79,7 +79,7 @@ virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
{% if ansible_distribution_major_version|int >= 10 %}
{% if ansible_distribution_major_version|int(default=99) >= 10 %}
postlog unix-dgram n - n - 1 postlogd
{% endif %}
......
......@@ -22,8 +22,8 @@
- spamassassin
- name: ensure spamassassin is enabled -- the nasty debian way
copy:
src: defaults
template:
src: defaults.j2
dest: /etc/default/spamassassin
owner: root
group: root
......
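Review bot: Switching this task to `template:` with `defaults.j2` means it no longer enables spamd on release 11 and above. The new template emits `ENABLED=1` only in its `< 11` branch, and its else branch is just a comment pointing to `update-rc.d spamassassin enable`. The task name still says "ensure spamassassin is enabled", so unless a task not shown here enables the unit, spamd may stay disabled on a fresh bullseye host. I would add a `service:` task with `name: spamassassin` and `enabled: yes`, and rename this one to describe what it now does. The task continues past the end of the hunk, so `mode:` and any `notify:` are not visible.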
......@@ -4,11 +4,18 @@
# WARNING: please read README.spamd before using.
# There may be security risks.
{% if ansible_distribution_major_version|int(default=99) < 11 %}
# If you're using systemd (default for jessie), the ENABLED setting is
# not used. Instead, enable spamd by issuing:
# systemctl enable spamassassin.service
# Change to "1" to enable spamd on systems using sysvinit:
ENABLED=1
{% else %}
# Prior to version 3.4.2-1, spamd could be enabled by setting
# ENABLED=1 in this file. This is no longer supported. Instead, please
# use the update-rc.d command, invoked for example as "update-rc.d
# spamassassin enable", to enable the spamd service.
{% endif %}
# Options
# See man spamd for possible options. The -d option is automatically added.
......
......@@ -57,6 +57,22 @@ required_score {{ spamassassin_required_score }}
#
# normalize_charset 1
# Textual body scan limit (default: 50000)
#
# Amount of data per email text/* mimepart, that will be run through body
# rules. This enables safer and faster scanning of large messages,
# perhaps having very large textual attachments. There should be no need
# to change this well tested default.
#
# body_part_scan_size 50000
# Textual rawbody data scan limit (default: 500000)
#
# Amount of data per email text/* mimepart, that will be run through
# rawbody rules.
#
# rawbody_part_scan_size 500000
# Some shortcircuiting, if the plugin is enabled
#
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
......@@ -65,6 +81,10 @@ ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
# shortcircuiting plugin is active, causing early exit to save CPU load.
# Uncomment to turn this on
#
# SpamAssassin tries hard not to launch DNS queries before priority -100.
# If you want to shortcircuit without launching unneeded queries, make
# sure such rule priority is below -100. These examples are already:
#
# shortcircuit USER_IN_WHITELIST on
# shortcircuit USER_IN_DEF_WHITELIST on
# shortcircuit USER_IN_ALL_SPAM_TO on
......