From 9b9fddb8c5f14304689fc74a190ab4d9792855d6 Mon Sep 17 00:00:00 2001
From: Lars Beckers <lars.beckers@rwth-aachen.de>
Date: Mon, 26 Apr 2021 00:26:46 +0200
Subject: [PATCH] dovecot: add options to finetune security concerns

---
 dovecot/defaults/main.yml                  |  2 ++
 dovecot/templates/conf.d/10-master.conf.j2 | 20 +++++++++++++-------
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml
index 24ac6b0..144b53f 100644
--- a/dovecot/defaults/main.yml
+++ b/dovecot/defaults/main.yml
@@ -37,6 +37,8 @@ dovecot_sieve: 'file:~/sieve;active=~/.dovecot.sieve'
 # They may disappear without prior notice and/or may not work as expected.
 dovecot_process_limit: 100
 dovecot_client_limit: 1000
+dovecot_disable_imap_starttls: false
+dovecot_postfix_public_private_partnership: true
 dovecot_imap_idle_interval: '29 mins'
 dovecot_imap_max_userip_connections: 40
 dovecot_lda_mailbox_autocreate: false
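Review bot: The two new defaults are added without any comment saying what they control, and their names do not make it obvious: `dovecot_disable_imap_starttls` drops the whole port-143 `inet_listener imap` block from the rendered 10-master.conf (not merely STARTTLS), and `dovecot_postfix_public_private_partnership` switches the Postfix auth socket between mode 0666 and 0660. Since the block header above already warns these options are unstable, a one-line comment above each would save the next reader a trip into the template, e.g. `# true: do not render the plaintext/STARTTLS IMAP listener on port 143; only imaps on 993 remains` and `# true: Postfix auth socket is mode 0666 (any local user may connect); false: 0660, limited to the postfix user/group`. The default of `true` for the latter keeps the socket world-accessible, which is worth stating explicitly next to the value.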
diff --git a/dovecot/templates/conf.d/10-master.conf.j2 b/dovecot/templates/conf.d/10-master.conf.j2
index 957da6b..14440ad 100644
--- a/dovecot/templates/conf.d/10-master.conf.j2
+++ b/dovecot/templates/conf.d/10-master.conf.j2
@@ -15,9 +15,11 @@ default_client_limit = {{ dovecot_client_limit }}
 #default_internal_user = dovecot
 
 service imap-login {
+{% if not dovecot_disable_imap_starttls %}
   inet_listener imap {
     port = 143
   }
+{% endif %}
   inet_listener imaps {
     port = 993
     ssl = yes
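Review bot: The new guard removes the entire `inet_listener imap` block, so when `dovecot_disable_imap_starttls` is true Dovecot has no listener on port 143 at all, which is more than the variable name suggests. When the flag is false, whether plaintext logins are accepted on 143 is still decided by Dovecot's `disable_plaintext_auth` and the `ssl` settings in other conf.d files this patch does not touch, so the option should not be read as the only control over cleartext IMAP. A comment on the `{% if %}` line would make this clear, e.g. `{# true: no port-143 listener at all; cleartext auth on 143 is otherwise governed by disable_plaintext_auth #}`. The `service imap-login` block continues past this hunk.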
@@ -42,10 +44,10 @@ service imap-login {
 #}
 
 service lmtp {
-   unix_listener /var/spool/postfix/private/dovecot-lmtp {
-	group = postfix
-	mode = 0600
-	user = postfix
+  unix_listener /var/spool/postfix/private/dovecot-lmtp {
+    mode = 0600
+    user = postfix
+    group = postfix
   }
 
   # Create inet listener only if you can't use the above UNIX socket
@@ -92,13 +94,17 @@ service auth {
 
   # Postfix smtp-auth
   unix_listener /var/spool/postfix/private/auth {
+{% if dovecot_postfix_public_private_partnership %}
     mode = 0666
+{% else %}
+    mode = 0660
+{% endif %}
+    user = postfix
+    group = postfix
   }
 
   # Auth process is run as this user.
-#  user = $default_internal_user
-   user = dovecot
-   group = dovecot
+  #user = $default_internal_user
 {% if dovecot_client_limit != 1000 %}
   client_limit = {{ dovecot_client_limit * 2 }}
 {% endif %}
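Review bot: The explicit `user = dovecot` / `group = dovecot` for the auth process are removed and replaced only by the commented-out `#user = $default_internal_user`, so the auth service now runs as Dovecot's built-in default rather than a value pinned in this template. That is presumably still `dovecot` (the `default_internal_user` line at the top of the file is also commented out), but it is an unrelated change the commit message does not mention and it silently follows whatever the packaged default is; keeping `user = dovecot` and `group = dovecot` under the "Auth process is run as this user." comment would preserve the previous explicit behaviour. Separately, the `mode = 0666` branch deserves a comment stating its effect, e.g. `{# 0666: any local process can reach the auth socket; 0660: postfix user/group only #}`, since the variable name `dovecot_postfix_public_private_partnership` does not convey that. The `service auth` block starts outside this hunk.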
-- 
GitLab