dovecot: add options to finetune security concerns

dovecot/defaults/main.yml

@@ -37,6 +37,8 @@ dovecot_sieve: 'file:~/sieve;active=~/.dovecot.sieve'
 # They may disappear without prior notice and/or may not work as expected.
 dovecot_process_limit: 100
 dovecot_client_limit: 1000
+dovecot_disable_imap_starttls: false
+dovecot_postfix_public_private_partnership: true
 dovecot_imap_idle_interval: '29 mins'
 dovecot_imap_max_userip_connections: 40
 dovecot_lda_mailbox_autocreate: false

dovecot/templates/conf.d/10-master.conf.j2

@@ -15,9 +15,11 @@ default_client_limit = {{ dovecot_client_limit }}
 #default_internal_user = dovecot
 
 service imap-login {
+{% if not dovecot_disable_imap_starttls %}
   inet_listener imap {
     port = 143
   }
+{% endif %}
   inet_listener imaps {
     port = 993
     ssl = yes
@@ -42,10 +44,10 @@ service imap-login {
 #}
 
 service lmtp {
-   unix_listener /var/spool/postfix/private/dovecot-lmtp {
-	group = postfix
-	mode = 0600
-	user = postfix
+  unix_listener /var/spool/postfix/private/dovecot-lmtp {
+    mode = 0600
+    user = postfix
+    group = postfix
   }
 
   # Create inet listener only if you can't use the above UNIX socket
@@ -92,13 +94,17 @@ service auth {
 
   # Postfix smtp-auth
   unix_listener /var/spool/postfix/private/auth {
+{% if dovecot_postfix_public_private_partnership %}
     mode = 0666
+{% else %}
+    mode = 0660
+{% endif %}
+    user = postfix
+    group = postfix
   }
 
   # Auth process is run as this user.
-#  user = $default_internal_user
-   user = dovecot
-   group = dovecot
+  #user = $default_internal_user
 {% if dovecot_client_limit != 1000 %}
   client_limit = {{ dovecot_client_limit * 2 }}
 {% endif %}