From f57bcbe5c40f0ce0bae678d741de185d664778cd Mon Sep 17 00:00:00 2001
From: Lars Beckers <lars.beckers@rwth-aachen.de>
Date: Mon, 26 Apr 2021 00:21:46 +0200
Subject: [PATCH] dovecot: allow configuration of authentication mechanisms

---
 dovecot/defaults/main.yml                | 8 ++++++++
 dovecot/templates/conf.d/10-auth.conf.j2 | 8 ++++----
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml
index 9d03d8a..dcf1bde 100644
--- a/dovecot/defaults/main.yml
+++ b/dovecot/defaults/main.yml
@@ -32,4 +32,12 @@ dovecot_content_filter: false
 dovecot_spam_folder: Spam
 dovecot_spam_user: "${1}"  # debian-spamd
 dovecot_sieve: 'file:~/sieve;active=~/.dovecot.sieve'
+
+# These variables were introduced for compatibility to a certain setup.
+# They may disappear without prior notice and/or may not work as expected.
+dovecot_auth_realms: []
+dovecot_auth_default_realm: ''
+dovecot_auth_krb5_keytab: ''
+dovecot_auth_mechanisms:
+  - plain
 dovecot_special_mailbox_auto_subscribe: false
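Review bot: The new block sits directly above `dovecot_special_mailbox_auto_subscribe: false` with no blank line after `- plain`, so the "may disappear without prior notice" caveat reads as if it also covers that existing variable. Add a blank line after the list, or move the block to the end of the file. The comment also does not say what each variable controls. Above the list I would add `# dovecot_auth_mechanisms: SASL mechanisms rendered into auth_mechanisms; every entry widens what the server accepts, so list only what the deployment needs.`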
diff --git a/dovecot/templates/conf.d/10-auth.conf.j2 b/dovecot/templates/conf.d/10-auth.conf.j2
index 5daa65e..7c8a79a 100644
--- a/dovecot/templates/conf.d/10-auth.conf.j2
+++ b/dovecot/templates/conf.d/10-auth.conf.j2
@@ -26,11 +26,11 @@ disable_plaintext_auth = yes
 # them. You can leave it empty if you don't want to support multiple realms.
 # Many clients simply use the first one listed here, so keep the default realm
 # first.
-#auth_realms =
+auth_realms = {{ dovecot_auth_realms|join(" ") }}
 
 # Default realm/domain to use if none was specified. This is used for both
 # SASL realms and appending @domain to username in plaintext logins.
-#auth_default_realm = 
+auth_default_realm = {{ dovecot_auth_default_realm }}
 
 # List of allowed characters in username. If the user-given username contains
 # a character not listed in here, the login automatically fails. This is just
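Review bot: `auth_realms` and `auth_default_realm` are now rendered unconditionally, so with the shipped defaults the file contains both settings with empty values instead of the commented-out stock lines. The same applies to `auth_krb5_keytab` in the next hunk. Whether Dovecot treats an explicitly empty value exactly like an unset one is not visible from this patch, and for the keytab the surrounding comment only promises the system default "if not specified". Guarding each line keeps the rendered config unchanged for hosts that do not set these variables, e.g. `{% if dovecot_auth_default_realm %}auth_default_realm = {{ dovecot_auth_default_realm }}{% else %}#auth_default_realm ={% endif %}`.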
@@ -77,7 +77,7 @@ auth_username_format = %Ln
 # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
 # default (usually /etc/krb5.keytab) if not specified. You may need to change
 # the auth service to run as root to be able to read this file.
-#auth_krb5_keytab = 
+auth_krb5_keytab = {{ dovecot_auth_krb5_keytab }}
 
 # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
 # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
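Review bot: `dovecot_auth_krb5_keytab` is not described anywhere in this patch beyond the upstream comment, which hints that the auth service may have to run as root to read the file. A keytab holds long-term service keys, so the variable deserves a description in defaults/main.yml stating who may read it, for example `# dovecot_auth_krb5_keytab: path to an existing keytab, readable only by the account the dovecot auth service runs as`. Nothing visible here creates the file or sets its ownership and mode, so presumably that is left to the operator.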
@@ -101,7 +101,7 @@ auth_username_format = %Ln
 #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
 #   gss-spnego
 # NOTE: See also disable_plaintext_auth setting.
-auth_mechanisms = plain
+auth_mechanisms = {{ dovecot_auth_mechanisms|join(" ") }}
 
 ##
 ## Password and user databases
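Review bot: `dovecot_auth_mechanisms|join(" ")` assumes a list. If an inventory sets the variable to a string such as `plain login`, Jinja's `join` iterates its characters and renders `p l a i n ...`, and an empty list renders a bare `auth_mechanisms =`. The `dovecot_auth_realms|join(" ")` line in the first template hunk has the same string problem. This setting decides which login mechanisms the server offers, and the comment above lists `anonymous` among the accepted values, so the role should fail early on malformed input rather than write it out. An `assert` task with `that: dovecot_auth_mechanisms is not string and dovecot_auth_mechanisms | length > 0`, run before the template is rendered, would cover it.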
-- 
GitLab