Commit 63701a03 authored by Hinrikus Wolf's avatar Hinrikus Wolf

Merge branch 'bullseye' into 'master'

Bullseye Compatibility

See merge request !15
parents 6d33f02a c29818ef
......@@ -10,7 +10,7 @@
disable_plaintext_auth = yes
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
# bsdauth and PAM require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
......@@ -98,7 +98,7 @@ auth_username_format = %Ln
#auth_ssl_username_from_cert = no
# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain
......@@ -128,5 +128,4 @@ auth_mechanisms = plain
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
......@@ -165,7 +165,10 @@ mail_server_admin = {{ dovecot_admin_mail }}
# methods. NFS users: flock doesn't work, remember to change mmap_disable.
#lock_method = fcntl
# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB.
# Directory where mails can be temporarily stored. Usually it's used only for
# mails larger than >= 128 kB. It's used by various parts of Dovecot, for
# example LDA/LMTP while delivering large mails or zlib plugin for keeping
# uncompressed mails.
#mail_temp_dir = /tmp
# Valid UID range for users, defaults to 500 and above. This is mostly
......@@ -220,7 +223,16 @@ mail_plugins = $mail_plugins notify {{ "replication" if dovecot_dsync else "" }}
# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
# also required for IMAP NOTIFY extension to be enabled.
#mailbox_list_index = no
#mailbox_list_index = yes
# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost
# of potentially returning out-of-date results after e.g. server crashes.
# The results will be automatically fixed once the folders are opened.
#mailbox_list_index_very_dirty_syncs = yes
# Should INBOX be kept up-to-date in the mailbox list index? By default it's
# not, because most of the mailbox accesses will open INBOX anyway.
#mailbox_list_index_include_inbox = no
# The minimum number of mails in a mailbox before updates are done to cache
# file. This allows optimizing Dovecot's behavior to do less disk writes at
......@@ -248,6 +260,21 @@ mail_plugins = $mail_plugins notify {{ "replication" if dovecot_dsync else "" }}
# These should exist only after Dovecot dies in the middle of saving mails.
#mail_temp_scan_interval = 1w
# How many slow mail accesses sorting can perform before it returns failure.
# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long.
# The untagged SORT reply is still returned, but it's likely not correct.
#mail_sort_max_read_count = 0
{% if ansible_distribution_major_version|int(default=99) > 10 %}
protocol !indexer-worker {
# If folder vsize calculation requires opening more than this many mails from
# disk (i.e. mail sizes aren't in cache already), return failure and finish
# the calculation via indexer process. Disabled by default. This setting must
# be 0 for indexer-worker processes.
#mail_vsize_bg_after_count = 0
}
{% endif %}
##
## Maildir-specific settings
##
......@@ -347,7 +374,7 @@ mail_plugins = $mail_plugins notify {{ "replication" if dovecot_dsync else "" }}
##
# Maximum dbox file size until it's rotated.
#mdbox_rotate_size = 2M
#mdbox_rotate_size = 10M
# Maximum dbox file age until it's rotated. Typically in days. Day begins
# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
......@@ -383,3 +410,14 @@ mail_plugins = $mail_plugins notify {{ "replication" if dovecot_dsync else "" }}
# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
#mail_attachment_hash = %{sha1}
# Settings to control adding $HasAttachment or $HasNoAttachment keywords.
# By default, all MIME parts with Content-Disposition=attachment, or inlines
# with filename parameter are consired attachments.
# add-flags - Add the keywords when saving new mails or when fetching can
# do it efficiently.
# content-type=type or !type - Include/exclude content type. Excluding will
# never consider the matched MIME part as attachment. Including will only
# negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar).
# exclude-inlined - Exclude any Content-Disposition=inline MIME part.
#mail_attachment_detection_options =
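Review bot: The gate added at `{% if ansible_distribution_major_version|int(default=99) > 10 %}` carries no comment saying that a missing or non-numeric version fact is deliberately treated as the newest release, and the same expression recurs in the other templates of this commit with different thresholds (`< 10`, `>= 10`, `< 11`, `> 10`). A template comment such as `{# non-numeric major version falls through to the newest-release branch #}` would document the choice, and comparing against a single variable set in one place would keep the thresholds from drifting apart. The gate also looks only at the major version number, so a non-Debian host with a higher number would presumably take the newest branch as well; confirm the role is applied to Debian only.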
......@@ -35,6 +35,12 @@ service imap-login {
#vsz_limit = $default_vsz_limit
}
#service submission-login {
# inet_listener submission {
# #port = 587
# }
#}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
......@@ -59,6 +65,11 @@ service imap {
#process_limit = 1024
}
#service submission {
# # Max. number of SMTP Submission processes (connections)
# #process_limit = 1024
#}
service auth {
# auth_socket_path points to this userdb socket by default. It's typically
# used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
......
......@@ -27,12 +27,18 @@ ssl_key = <{{ dovecot_tls_key }}
#ssl_require_crl = yes
# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
# directory is usually /etc/ssl/certs in Debian-based systems and the file is
# /etc/pki/tls/cert.pem in RedHat-based systems.
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
# submission service). The directory is usually /etc/ssl/certs in
# Debian-based systems and the file is /etc/pki/tls/cert.pem in
# RedHat-based systems. Note that ssl_client_ca_file isn't recommended with
# large CA bundles, because it leads to excessive memory usage.
#ssl_client_ca_dir =
ssl_client_ca_dir = {{ dovecot_tls_ca_dir }}
#ssl_client_ca_file =
# Require valid cert when connecting to a remote server
#ssl_client_require_valid_cert = yes
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
......@@ -42,7 +48,7 @@ ssl_client_ca_dir = {{ dovecot_tls_ca_dir }}
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
{% if ansible_distribution_major_version|int < 10 %}
{% if ansible_distribution_major_version|int(default=99) < 10 %}
# DH parameters length to use.
{% if dovecot_tls_dh_length %}
ssl_dh_parameters_length = {{ dovecot_tls_dh_length }}
......@@ -50,7 +56,10 @@ ssl_dh_parameters_length = {{ dovecot_tls_dh_length }}
#ssl_dh_parameters_length =
{% endif %}
{% else %}
# DH parameters to use.
# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
{% if dovecot_tls_dh_file %}
ssl_dh = </etc/dovecot/dh.pem
{% else %}
......@@ -58,21 +67,30 @@ ssl_dh = </etc/dovecot/dh.pem
{% endif %}
{% endif %}
{% if ansible_distribution_major_version|int < 10 %}
{% if ansible_distribution_major_version|int(default=99) < 10 %}
# SSL protocols to use
ssl_protocols = {{ dovecot_tls_protocols }}
{% else %}
# Minimum TLS version to use
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
ssl_min_protocol = {{ dovecot_tls_min_protocol }}
{% endif %}
# SSL ciphers to use
# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
{% if dovecot_tls_ciphers %}
ssl_cipher_list = {{ dovecot_tls_ciphers }}
{% else %}
#ssl_cipher_list =
{% endif %}
# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
# example of a valid value.
#ssl_curve_list =
# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = {{ 'yes' if dovecot_tls_prefer_server_ciphers else 'no' }}
......@@ -80,5 +98,11 @@ ssl_prefer_server_ciphers = {{ 'yes' if dovecot_tls_prefer_server_ciphers else '
#ssl_crypto_device =
# SSL extra options. Currently supported options are:
{% if ansible_distribution_major_version|int(default=99) < 11 %}
# no_compression - Disable compression.
ssl_options = no_compression
{% else %}
# compression - Enable compression.
# no_ticket - Disable SSL session tickets.
ssl_options = no_ticket
{% endif %}
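Review bot: The new `else` branch hard-codes `ssl_options = no_ticket`, so on the newer release TLS session tickets are switched off with no variable to control it, while the other TLS settings in this file (`dovecot_tls_min_protocol`, `dovecot_tls_ciphers`, `dovecot_tls_prefer_server_ciphers`) are driven by role variables. The older branch keeps `no_compression` only, so the two releases end up with different session-resumption behaviour, which the commit description does not mention. Consider a variable that defaults to the current value, e.g. `ssl_options = {{ dovecot_tls_options | default('no_ticket') }}` (the variable name is only a suggestion). A one-line comment that compression appears to be off on this branch unless `compression` is listed, judging from the `compression - Enable compression.` line, would also help the next reader.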
......@@ -3,7 +3,7 @@
##
# Address to use when sending rejection mails.
# Default is postmaster@<your domain>. %d expands to recipient domain.
# Default is postmaster@%d. %d expands to recipient domain.
#postmaster_address =
# Hostname to use in various parts of sent mails (e.g. in Message-Id) and
......
......@@ -21,10 +21,17 @@
# %{fetch_body_count} - Number of mails with mail body data sent to client
# %{fetch_body_bytes} - Number of bytes with mail body data sent to client
# %{deleted} - Number of mails where client added \Deleted flag
# %{expunged} - Number of mails that client expunged
# %{expunged} - Number of mails that client expunged, which does not
# include automatically expunged mails
# %{autoexpunged} - Number of mails that were automatically expunged after
# client disconnected
# %{trashed} - Number of mails that client copied/moved to the
# special_use=\Trash mailbox.
#imap_logout_format = in=%i out=%o
# %{appended} - Number of mails saved during the session
#imap_logout_format = in=%i out=%o deleted=%{deleted} expunged=%{expunged} \
# trashed=%{trashed} hdr_count=%{fetch_hdr_count} \
# hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} \
# body_bytes=%{fetch_body_bytes}
# Override the IMAP CAPABILITY response. If the value begins with '+',
# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
......@@ -37,7 +44,8 @@ imap_idle_notify_interval = 29 mins
# ID field names and values to send to clients. Using * as the value makes
# Dovecot use the default value. The following fields have default values
# currently: name, version, os, os-version, support-url, support-email.
# currently: name, version, os, os-version, support-url, support-email,
# revision.
#imap_id_send =
# ID fields sent by client to log. * means everything.
......@@ -66,6 +74,22 @@ imap_idle_notify_interval = 29 mins
# Host allowed in URLAUTH URLs sent by client. "*" allows all.
#imap_urlauth_host =
# Enable IMAP LITERAL- extension (replaces LITERAL+)
#imap_literal_minus = no
# What happens when FETCH fails due to some internal error:
# disconnect-immediately:
# The FETCH is aborted immediately and the IMAP client is disconnected.
# disconnect-after:
# The FETCH runs for all the requested mails returning as much data as
# possible. The client is finally disconnected without a tagged reply.
# no-after:
# Same as disconnect-after, but tagged NO reply is sent instead of
# disconnecting the client. If the client attempts to FETCH the same failed
# mail more than once, the client is disconnected. This is to avoid clients
# from going into infinite loops trying to FETCH a broken mail.
#imap_fetch_failure = disconnect-immediately
protocol imap {
# Space separated list of plugins to load (default is global mail_plugins).
#mail_plugins = $mail_plugins
......
......@@ -13,6 +13,9 @@
# Verify quota before replying to RCPT TO. This adds a small overhead.
#lmtp_rcpt_check_quota = no
# Add "Received:" header to mails delivered.
#lmtp_add_received_header = yes
# Which recipient address to use for Delivered-To: header and Received:
# header. The default is "final", which is the same as the one given to
# RCPT TO command. "original" uses the address given in RCPT TO's ORCPT
......@@ -20,6 +23,17 @@
# when a mail has multiple recipients.
#lmtp_hdr_delivery_address = final
# Workarounds for various client bugs:
# whitespace-before-path:
# Allow one or more spaces or tabs between `MAIL FROM:' and path and between
# `RCPT TO:' and path.
# mailbox-for-path:
# Allow using bare Mailbox syntax (i.e., without <...>) instead of full path
# syntax.
#
# The list is space-separated.
#lmtp_client_workarounds =
protocol lmtp {
# Space separated list of plugins to load (default is global mail_plugins).
mail_plugins = $mail_plugins sieve
......
......@@ -49,12 +49,20 @@ protocol sieve {
# MANAGESIEVE logout format string:
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
# %{put_bytes} - Number of bytes saved using PUTSCRIPT command
# %{put_count} - Number of scripts saved using PUTSCRIPT command
# %{get_bytes} - Number of bytes read using GETCRIPT command
# %{get_count} - Number of scripts read using GETSCRIPT command
# %{get_bytes} - Number of bytes processed using CHECKSCRIPT command
# %{get_count} - Number of scripts checked using CHECKSCRIPT command
# %{deleted_count} - Number of scripts deleted using DELETESCRIPT command
# %{renamed_count} - Number of scripts renamed using RENAMESCRIPT command
#managesieve_logout_format = bytes=%i/%o
# To fool ManageSieve clients that are focused on CMU's timesieved you can
# specify the IMPLEMENTATION capability that Dovecot reports to clients.
# For example: 'Cyrus timsieved v2.2.13'
managesieve_implementation_string = Dovecot Pigeonhole
#managesieve_implementation_string = Dovecot Pigeonhole
# Explicitly specify the SIEVE and NOTIFY capability reported by the server
# before login. If left unassigned these will be reported dynamically
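Review bot: The added format-variable list names `%{get_bytes}` and `%{get_count}` twice, the second pair described as CHECKSCRIPT counters, and it spells one command `GETCRIPT`. The second pair presumably should carry its own names (probably `%{check_bytes}` and `%{check_count}`; verify against the installed Pigeonhole documentation), otherwise an operator who builds a `managesieve_logout_format` from this comment logs GETSCRIPT numbers where CHECKSCRIPT numbers were expected. If the text is copied verbatim from the distribution's default file, a short note saying so would explain why it is kept as is.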
......
......@@ -116,6 +116,7 @@ plugin {
# The sieve_extprograms plugin is included in this release.
#sieve_plugins =
{% if ansible_distribution_major_version|int(default=99) < 11 %}
# The separator that is expected between the :user and :detail
# address parts introduced by the subaddress extension. This may
# also be a sequence of characters (e.g. '--'). The current
......@@ -124,6 +125,7 @@ plugin {
# left of the separator and the :detail part is right. This setting
# is also used by Dovecot's LMTP service.
recipient_delimiter = +
{% endif %}
# The maximum size of a Sieve script. The compiler will refuse to compile any
# script larger than this limit. If set to 0, no limit on the script size is
......
......@@ -79,7 +79,7 @@ virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
{% if ansible_distribution_major_version|int >= 10 %}
{% if ansible_distribution_major_version|int(default=99) >= 10 %}
postlog unix-dgram n - n - 1 postlogd
{% endif %}
......
......@@ -22,8 +22,8 @@
- spamassassin
- name: ensure spamassassin is enabled -- the nasty debian way
copy:
src: defaults
template:
src: defaults.j2
dest: /etc/default/spamassassin
owner: root
group: root
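Review bot: The task keeps the name `ensure spamassassin is enabled`, but once it renders `defaults.j2` the branch for the newer release contains only comments and no `ENABLED=1`, so this task no longer enables anything there. Unless a task outside this hunk enables the unit, spamd would not start at boot on that release; the template's own comment points to `update-rc.d spamassassin enable`. A follow-up task such as `service: name=spamassassin enabled=yes state=started` would make the intent explicit, and the task name could be changed to say what it now does (install `/etc/default/spamassassin`). The task body continues past the end of the hunk.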
......
......@@ -4,11 +4,18 @@
# WARNING: please read README.spamd before using.
# There may be security risks.
{% if ansible_distribution_major_version|int(default=99) < 11 %}
# If you're using systemd (default for jessie), the ENABLED setting is
# not used. Instead, enable spamd by issuing:
# systemctl enable spamassassin.service
# Change to "1" to enable spamd on systems using sysvinit:
ENABLED=1
{% else %}
# Prior to version 3.4.2-1, spamd could be enabled by setting
# ENABLED=1 in this file. This is no longer supported. Instead, please
# use the update-rc.d command, invoked for example as "update-rc.d
# spamassassin enable", to enable the spamd service.
{% endif %}
# Options
# See man spamd for possible options. The -d option is automatically added.
......
......@@ -9,7 +9,7 @@
# Add *****SPAM***** to the Subject header of spam e-mails
#
{{ '' if spamassassin_rewrite_subject else '#' }}rewrite_header Subject *****SPAM*****
{{ '' if spamassassin_rewrite_subject else '# ' }}rewrite_header Subject *****SPAM*****
# Save spam messages as a message/rfc822 MIME attachment instead of
......@@ -57,6 +57,22 @@ required_score {{ spamassassin_required_score }}
#
# normalize_charset 1
# Textual body scan limit (default: 50000)
#
# Amount of data per email text/* mimepart, that will be run through body
# rules. This enables safer and faster scanning of large messages,
# perhaps having very large textual attachments. There should be no need
# to change this well tested default.
#
# body_part_scan_size 50000
# Textual rawbody data scan limit (default: 500000)
#
# Amount of data per email text/* mimepart, that will be run through
# rawbody rules.
#
# rawbody_part_scan_size 500000
# Some shortcircuiting, if the plugin is enabled
#
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
......@@ -65,6 +81,10 @@ ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
# shortcircuiting plugin is active, causing early exit to save CPU load.
# Uncomment to turn this on
#
# SpamAssassin tries hard not to launch DNS queries before priority -100.
# If you want to shortcircuit without launching unneeded queries, make
# sure such rule priority is below -100. These examples are already:
#
# shortcircuit USER_IN_WHITELIST on
# shortcircuit USER_IN_DEF_WHITELIST on
# shortcircuit USER_IN_ALL_SPAM_TO on
......