Merge branch 'bullseye' into 'master'

Bullseye Compatibility

See merge request !15

dovecot/templates/conf.d/10-auth.conf.j2

@@ -10,7 +10,7 @@
 disable_plaintext_auth = yes
 
 # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
-# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
+# bsdauth and PAM require cache_key to be set for caching to be used.
 #auth_cache_size = 0
 # Time to live for cached data. After TTL expires the cached record is no
 # longer used, *except* if the main database lookup returns internal failure.
@@ -98,7 +98,7 @@ auth_username_format = %Ln
 #auth_ssl_username_from_cert = no
 
 # Space separated list of wanted authentication mechanisms:
-#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
+#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
 #   gss-spnego
 # NOTE: See also disable_plaintext_auth setting.
 auth_mechanisms = plain
@@ -128,5 +128,4 @@ auth_mechanisms = plain
 #!include auth-sql.conf.ext
 #!include auth-ldap.conf.ext
 #!include auth-checkpassword.conf.ext
-#!include auth-vpopmail.conf.ext
 #!include auth-static.conf.ext

dovecot/templates/conf.d/10-mail.conf.j2

@@ -165,7 +165,10 @@ mail_server_admin = {{ dovecot_admin_mail }}
 # methods. NFS users: flock doesn't work, remember to change mmap_disable.
 #lock_method = fcntl
 
-# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB.
+# Directory where mails can be temporarily stored. Usually it's used only for
+# mails larger than >= 128 kB. It's used by various parts of Dovecot, for
+# example LDA/LMTP while delivering large mails or zlib plugin for keeping
+# uncompressed mails.
 #mail_temp_dir = /tmp
 
 # Valid UID range for users, defaults to 500 and above. This is mostly
@@ -220,7 +223,16 @@ mail_plugins = $mail_plugins notify {{ "replication" if dovecot_dsync else "" }}
 
 # Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
 # also required for IMAP NOTIFY extension to be enabled.
-#mailbox_list_index = no
+#mailbox_list_index = yes
+
+# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost
+# of potentially returning out-of-date results after e.g. server crashes.
+# The results will be automatically fixed once the folders are opened.
+#mailbox_list_index_very_dirty_syncs = yes
+
+# Should INBOX be kept up-to-date in the mailbox list index? By default it's
+# not, because most of the mailbox accesses will open INBOX anyway.
+#mailbox_list_index_include_inbox = no
 
 # The minimum number of mails in a mailbox before updates are done to cache
 # file. This allows optimizing Dovecot's behavior to do less disk writes at
@@ -248,6 +260,21 @@ mail_plugins = $mail_plugins notify {{ "replication" if dovecot_dsync else "" }}
 # These should exist only after Dovecot dies in the middle of saving mails.
 #mail_temp_scan_interval = 1w
 
+# How many slow mail accesses sorting can perform before it returns failure.
+# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long.
+# The untagged SORT reply is still returned, but it's likely not correct.
+#mail_sort_max_read_count = 0
+
+{% if ansible_distribution_major_version|int(default=99) > 10 %}
+protocol !indexer-worker {
+  # If folder vsize calculation requires opening more than this many mails from
+  # disk (i.e. mail sizes aren't in cache already), return failure and finish
+  # the calculation via indexer process. Disabled by default. This setting must
+  # be 0 for indexer-worker processes.
+  #mail_vsize_bg_after_count = 0
+}
+{% endif %}
+
 ##
 ## Maildir-specific settings
 ##
@@ -347,7 +374,7 @@ mail_plugins = $mail_plugins notify {{ "replication" if dovecot_dsync else "" }}
 ##
 
 # Maximum dbox file size until it's rotated.
-#mdbox_rotate_size = 2M
+#mdbox_rotate_size = 10M
 
 # Maximum dbox file age until it's rotated. Typically in days. Day begins
 # from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
@@ -383,3 +410,14 @@ mail_plugins = $mail_plugins notify {{ "replication" if dovecot_dsync else "" }}
 # variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
 # Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
 #mail_attachment_hash = %{sha1}
+
+# Settings to control adding $HasAttachment or $HasNoAttachment keywords.
+# By default, all MIME parts with Content-Disposition=attachment, or inlines
+# with filename parameter are consired attachments.
+#   add-flags - Add the keywords when saving new mails or when fetching can
+#      do it efficiently.
+#   content-type=type or !type - Include/exclude content type. Excluding will
+#     never consider the matched MIME part as attachment. Including will only
+#     negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar).
+#   exclude-inlined - Exclude any Content-Disposition=inline MIME part.
+#mail_attachment_detection_options =

dovecot/templates/conf.d/10-master.conf.j2

@@ -35,6 +35,12 @@ service imap-login {
   #vsz_limit = $default_vsz_limit
 }
 
+#service submission-login {
+#  inet_listener submission {
+#    #port = 587
+#  }
+#}
+
 service lmtp {
    unix_listener /var/spool/postfix/private/dovecot-lmtp {
 	group = postfix
@@ -59,6 +65,11 @@ service imap {
   #process_limit = 1024
 }
 
+#service submission {
+#  # Max. number of SMTP Submission processes (connections)
+#  #process_limit = 1024
+#}
+
 service auth {
   # auth_socket_path points to this userdb socket by default. It's typically
   # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have

dovecot/templates/conf.d/10-ssl.conf.j2

@@ -27,12 +27,18 @@ ssl_key = <{{ dovecot_tls_key }}
 #ssl_require_crl = yes
 
 # Directory and/or file for trusted SSL CA certificates. These are used only
-# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
-# directory is usually /etc/ssl/certs in Debian-based systems and the file is
-# /etc/pki/tls/cert.pem in RedHat-based systems.
+# when Dovecot needs to act as an SSL client (e.g. imapc backend or
+# submission service). The directory is usually /etc/ssl/certs in
+# Debian-based systems and the file is /etc/pki/tls/cert.pem in
+# RedHat-based systems. Note that ssl_client_ca_file isn't recommended with
+# large CA bundles, because it leads to excessive memory usage.
+#ssl_client_ca_dir =
 ssl_client_ca_dir = {{ dovecot_tls_ca_dir }}
 #ssl_client_ca_file =
 
+# Require valid cert when connecting to a remote server
+#ssl_client_require_valid_cert = yes
+
 # Request client to send a certificate. If you also want to require it, set
 # auth_ssl_require_client_cert=yes in auth section.
 #ssl_verify_client_cert = no
@@ -42,7 +48,7 @@ ssl_client_ca_dir = {{ dovecot_tls_ca_dir }}
 # auth_ssl_username_from_cert=yes.
 #ssl_cert_username_field = commonName
 
-{% if ansible_distribution_major_version|int < 10 %}
+{% if ansible_distribution_major_version|int(default=99) < 10 %}
 # DH parameters length to use.
 {% if dovecot_tls_dh_length %}
 ssl_dh_parameters_length = {{ dovecot_tls_dh_length }}
@@ -50,7 +56,10 @@ ssl_dh_parameters_length = {{ dovecot_tls_dh_length }}
 #ssl_dh_parameters_length =
 {% endif %}
 {% else %}
-# DH parameters to use.
+# SSL DH parameters
+# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
+# Or migrate from old ssl-parameters.dat file with the command dovecot
+# gives on startup when ssl_dh is unset.
 {% if dovecot_tls_dh_file %}
 ssl_dh = </etc/dovecot/dh.pem
 {% else %}
@@ -58,21 +67,30 @@ ssl_dh = </etc/dovecot/dh.pem
 {% endif %}
 {% endif %}
 
-{% if ansible_distribution_major_version|int < 10 %}
+{% if ansible_distribution_major_version|int(default=99) < 10 %}
 # SSL protocols to use
 ssl_protocols = {{ dovecot_tls_protocols }}
 {% else %}
-# Minimum TLS version to use
+# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
+# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
 ssl_min_protocol = {{ dovecot_tls_min_protocol }}
 {% endif %}
 
-# SSL ciphers to use
+# SSL ciphers to use, the default is:
+#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+# To disable non-EC DH, use:
+#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
 {% if dovecot_tls_ciphers %}
 ssl_cipher_list = {{ dovecot_tls_ciphers }}
 {% else %}
 #ssl_cipher_list =
 {% endif %}
 
+# Colon separated list of elliptic curves to use. Empty value (the default)
+# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
+# example of a valid value.
+#ssl_curve_list =
+
 # Prefer the server's order of ciphers over client's.
 ssl_prefer_server_ciphers = {{ 'yes' if dovecot_tls_prefer_server_ciphers else 'no' }}
 
@@ -80,5 +98,11 @@ ssl_prefer_server_ciphers = {{ 'yes' if dovecot_tls_prefer_server_ciphers else '
 #ssl_crypto_device =
 
 # SSL extra options. Currently supported options are:
+{% if ansible_distribution_major_version|int(default=99) < 11 %}
 #   no_compression - Disable compression.
 ssl_options = no_compression
+{% else %}
+#   compression - Enable compression.
+#   no_ticket - Disable SSL session tickets.
+ssl_options = no_ticket
+{% endif %}

dovecot/templates/conf.d/15-lda.conf.j2

@@ -3,7 +3,7 @@
 ##
 
 # Address to use when sending rejection mails.
-# Default is postmaster@<your domain>. %d expands to recipient domain.
+# Default is postmaster@%d. %d expands to recipient domain.
 #postmaster_address =
 
 # Hostname to use in various parts of sent mails (e.g. in Message-Id) and

dovecot/templates/conf.d/20-imap.conf.j2

@@ -21,10 +21,17 @@
 #  %{fetch_body_count} - Number of mails with mail body data sent to client
 #  %{fetch_body_bytes} - Number of bytes with mail body data sent to client
 #  %{deleted} - Number of mails where client added \Deleted flag
-#  %{expunged} - Number of mails that client expunged
+#  %{expunged} - Number of mails that client expunged, which does not
+#                include automatically expunged mails
+#  %{autoexpunged} - Number of mails that were automatically expunged after
+#                    client disconnected
 #  %{trashed} - Number of mails that client copied/moved to the
 #               special_use=\Trash mailbox.
-#imap_logout_format = in=%i out=%o
+#  %{appended} - Number of mails saved during the session
+#imap_logout_format = in=%i out=%o deleted=%{deleted} expunged=%{expunged} \
+#  trashed=%{trashed} hdr_count=%{fetch_hdr_count} \
+#  hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} \
+#  body_bytes=%{fetch_body_bytes}
 
 # Override the IMAP CAPABILITY response. If the value begins with '+',
 # add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
@@ -37,7 +44,8 @@ imap_idle_notify_interval = 29 mins
 
 # ID field names and values to send to clients. Using * as the value makes
 # Dovecot use the default value. The following fields have default values
-# currently: name, version, os, os-version, support-url, support-email.
+# currently: name, version, os, os-version, support-url, support-email,
+# revision.
 #imap_id_send = 
 
 # ID fields sent by client to log. * means everything.
@@ -66,6 +74,22 @@ imap_idle_notify_interval = 29 mins
 # Host allowed in URLAUTH URLs sent by client. "*" allows all.
 #imap_urlauth_host =
 
+# Enable IMAP LITERAL- extension (replaces LITERAL+)
+#imap_literal_minus = no
+
+# What happens when FETCH fails due to some internal error:
+#   disconnect-immediately:
+#     The FETCH is aborted immediately and the IMAP client is disconnected.
+#   disconnect-after:
+#     The FETCH runs for all the requested mails returning as much data as
+#     possible. The client is finally disconnected without a tagged reply.
+#   no-after:
+#     Same as disconnect-after, but tagged NO reply is sent instead of
+#     disconnecting the client. If the client attempts to FETCH the same failed
+#     mail more than once, the client is disconnected. This is to avoid clients
+#     from going into infinite loops trying to FETCH a broken mail.
+#imap_fetch_failure = disconnect-immediately
+
 protocol imap {
   # Space separated list of plugins to load (default is global mail_plugins).
   #mail_plugins = $mail_plugins

dovecot/templates/conf.d/20-lmtp.conf.j2

@@ -13,6 +13,9 @@
 # Verify quota before replying to RCPT TO. This adds a small overhead.
 #lmtp_rcpt_check_quota = no
 
+# Add "Received:" header to mails delivered.
+#lmtp_add_received_header = yes
+
 # Which recipient address to use for Delivered-To: header and Received:
 # header. The default is "final", which is the same as the one given to
 # RCPT TO command. "original" uses the address given in RCPT TO's ORCPT
@@ -20,6 +23,17 @@
 # when a mail has multiple recipients.
 #lmtp_hdr_delivery_address = final
 
+# Workarounds for various client bugs:
+#   whitespace-before-path:
+#     Allow one or more spaces or tabs between `MAIL FROM:' and path and between
+#     `RCPT TO:' and path.
+#   mailbox-for-path:
+#     Allow using bare Mailbox syntax (i.e., without <...>) instead of full path
+#     syntax.
+#
+# The list is space-separated.
+#lmtp_client_workarounds =
+
 protocol lmtp {
   # Space separated list of plugins to load (default is global mail_plugins).
   mail_plugins = $mail_plugins sieve

dovecot/templates/conf.d/20-managesieve.conf.j2

@@ -49,12 +49,20 @@ protocol sieve {
   # MANAGESIEVE logout format string:
   #  %i - total number of bytes read from client
   #  %o - total number of bytes sent to client
+  #  %{put_bytes} - Number of bytes saved using PUTSCRIPT command
+  #  %{put_count} - Number of scripts saved using PUTSCRIPT command
+  #  %{get_bytes} - Number of bytes read using GETCRIPT command
+  #  %{get_count} - Number of scripts read using GETSCRIPT command
+  #  %{get_bytes} - Number of bytes processed using CHECKSCRIPT command
+  #  %{get_count} - Number of scripts checked using CHECKSCRIPT command
+  #  %{deleted_count} - Number of scripts deleted using DELETESCRIPT command
+  #  %{renamed_count} - Number of scripts renamed using RENAMESCRIPT command
   #managesieve_logout_format = bytes=%i/%o
 
   # To fool ManageSieve clients that are focused on CMU's timesieved you can
   # specify the IMPLEMENTATION capability that Dovecot reports to clients.
   # For example: 'Cyrus timsieved v2.2.13'
-  managesieve_implementation_string = Dovecot Pigeonhole
+  #managesieve_implementation_string = Dovecot Pigeonhole
 
   # Explicitly specify the SIEVE and NOTIFY capability reported by the server
   # before login. If left unassigned these will be reported dynamically

dovecot/templates/conf.d/90-sieve.conf.j2

@@ -116,6 +116,7 @@ plugin {
   # The sieve_extprograms plugin is included in this release.
   #sieve_plugins =
 
+{% if ansible_distribution_major_version|int(default=99) < 11 %}
   # The separator that is expected between the :user and :detail
   # address parts introduced by the subaddress extension. This may
   # also be a sequence of characters (e.g. '--'). The current
@@ -124,6 +125,7 @@ plugin {
   # left of the separator and the :detail part is right. This setting
   # is also used by Dovecot's LMTP service.
   recipient_delimiter = +
+{% endif %}
 
   # The maximum size of a Sieve script. The compiler will refuse to compile any
   # script larger than this limit. If set to 0, no limit on the script size is

postfix/templates/master.cf.j2

@@ -79,7 +79,7 @@ virtual   unix  -       n       n       -       -       virtual
 lmtp      unix  -       -       y       -       -       lmtp
 anvil     unix  -       -       y       -       1       anvil
 scache    unix  -       -       y       -       1       scache
-{% if ansible_distribution_major_version|int >= 10 %}
+{% if ansible_distribution_major_version|int(default=99) >= 10 %}
 postlog   unix-dgram n  -       n       -       1       postlogd
 {% endif %}
 

spamassassin/tasks/main.yml

@@ -22,8 +22,8 @@
     - spamassassin
 
 - name: ensure spamassassin is enabled -- the nasty debian way
-  copy:
-    src: defaults
+  template:
+    src: defaults.j2
     dest: /etc/default/spamassassin
     owner: root
     group: root

spamassassin/files/defaults → spamassassin/templates/defaults.j2

@@ -4,11 +4,18 @@
 # WARNING: please read README.spamd before using.
 # There may be security risks.
 
+{% if ansible_distribution_major_version|int(default=99) < 11 %}
 # If you're using systemd (default for jessie), the ENABLED setting is
 # not used. Instead, enable spamd by issuing:
 # systemctl enable spamassassin.service
 # Change to "1" to enable spamd on systems using sysvinit:
 ENABLED=1
+{% else %}
+# Prior to version 3.4.2-1, spamd could be enabled by setting
+# ENABLED=1 in this file. This is no longer supported. Instead, please
+# use the update-rc.d command, invoked for example as "update-rc.d
+# spamassassin enable", to enable the spamd service.
+{% endif %}
 
 # Options
 # See man spamd for possible options. The -d option is automatically added.

spamassassin/templates/local.cf.j2

@@ -57,6 +57,22 @@ required_score {{ spamassassin_required_score }}
 #
 # normalize_charset 1
 
+#   Textual body scan limit    (default: 50000)
+#
+#   Amount of data per email text/* mimepart, that will be run through body
+#   rules.  This enables safer and faster scanning of large messages,
+#   perhaps having very large textual attachments.  There should be no need
+#   to change this well tested default.
+#
+# body_part_scan_size 50000
+
+#   Textual rawbody data scan limit    (default: 500000)
+#
+#   Amount of data per email text/* mimepart, that will be run through
+#   rawbody rules.
+#
+# rawbody_part_scan_size 500000
+
 #   Some shortcircuiting, if the plugin is enabled
 #
 ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
@@ -65,6 +81,10 @@ ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
 #   shortcircuiting plugin is active, causing early exit to save CPU load.
 #   Uncomment to turn this on
 #
+#   SpamAssassin tries hard not to launch DNS queries before priority -100.
+#   If you want to shortcircuit without launching unneeded queries, make
+#   sure such rule priority is below -100. These examples are already:
+#
 # shortcircuit USER_IN_WHITELIST       on
 # shortcircuit USER_IN_DEF_WHITELIST   on
 # shortcircuit USER_IN_ALL_SPAM_TO     on