dovecot: add options to finetune security concerns

9b9fddb8 · Lars Beckers · 6b97c423 · 9b9fddb8 · 9b9fddb8
Commit 9b9fddb8 authored 4 years ago by Lars Beckers
--- a/dovecot/defaults/main.yml
+++ b/dovecot/defaults/main.yml
@@ -37,6 +37,8 @@ dovecot_sieve: 'file:~/sieve;active=~/.dovecot.sieve'
 # They may disappear without prior notice and/or may not work as expected.
 dovecot_process_limit: 100
 dovecot_client_limit: 1000
+dovecot_disable_imap_starttls: false
+dovecot_postfix_public_private_partnership: true
 dovecot_imap_idle_interval: '29 mins'
 dovecot_imap_max_userip_connections: 40
 dovecot_lda_mailbox_autocreate: false

--- a/dovecot/templates/conf.d/10-master.conf.j2
+++ b/dovecot/templates/conf.d/10-master.conf.j2
@@ -15,9 +15,11 @@ default_client_limit = {{ dovecot_client_limit }}
 #default_internal_user = dovecot

 service imap-login {
+{% if not dovecot_disable_imap_starttls %}
  inet_listener imap {
    port = 143
  }
+{% endif %}
  inet_listener imaps {
    port = 993
    ssl = yes
@@ -43,9 +45,9 @@ service imap-login {

 service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
-	group = postfix
    mode = 0600
    user = postfix
+    group = postfix
  }

  # Create inet listener only if you can't use the above UNIX socket
@@ -92,13 +94,17 @@ service auth {

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
+{% if dovecot_postfix_public_private_partnership %}
    mode = 0666
+{% else %}
+    mode = 0660
+{% endif %}
+    user = postfix
+    group = postfix
  }

  # Auth process is run as this user.
  #user = $default_internal_user
-   user = dovecot
-   group = dovecot
 {% if dovecot_client_limit != 1000 %}
  client_limit = {{ dovecot_client_limit * 2 }}
 {% endif %}