debops.dovecot default variables

General Dovecot configuration

dovecot_protocols

List of protocols which should be installed and enabled. Supported are: imap, pop3, managesieve, lmtp

dovecot_protocols: [ 'imap' ]
dovecot_auth_mechanisms

List of authentication mechanisms enabled. So far supported are: plain, login. Both mechanisms send the password itself over the connection, so they are only safe when the session is protected by TLS (see dovecot_ssl_required).

dovecot_auth_mechanisms: [ 'plain', 'login' ]
dovecot_dependencies

Should the Dovecot role manage its own dependencies?

dovecot_dependencies: True

User database/mailbox configuration

dovecot_user_accounts

User account lookup. So far supported are:

  • deny: Deny access for users
  • system: Mail users are Linux system users
  • sql: Mail users are stored in a SQL database
  • passwdfile: User passwords are stored in a file
dovecot_user_accounts: [ 'deny', 'system' ]
dovecot_deny_users

List of users for which mail access is disabled.

dovecot_deny_users: [ 'root' ]
dovecot_mail_location

Mailbox location. For maildir set something like maildir:~/Maildir. For more information about the supported formats, check the Dovecot Mail Location documentation.

dovecot_mail_location: 'mbox:~/mail:INBOX=/var/mail/%u'
dovecot_mail_dotlock

Mailbox locking. The only standard way to lock an mbox is a method called dotlock: a file named <mailbox-name>.lock is created in the same directory as the mailbox being locked. See the Dovecot mbox locking documentation for details.

dovecot_mail_dotlock: True
dovecot_sql_driver

The SQL driver defines which SQL database backend is used. This can be either mysql or pgsql.

The database should have a structure like this (MySQL syntax). Note that the default queries below never consult the active column, so an account disabled by setting active to 'N' can still log in unless dovecot_sql_password_query is extended with AND active = 'Y':

CREATE TABLE `users` (
  `userid` varchar(128) NOT NULL,
  `domain` varchar(128) NOT NULL,
  `password` varchar(128) NOT NULL,
  `home` varchar(255) NOT NULL,
  `uid` int(11) NOT NULL,
  `gid` int(11) NOT NULL,
  `active` char(1) NOT NULL DEFAULT 'Y',
  `maildir` varchar(255) NOT NULL
);
dovecot_sql_driver: 'mysql'
dovecot_sql_host

The hostname of the SQL server.

dovecot_sql_host: ''
dovecot_sql_dbname

The SQL database name.

dovecot_sql_dbname: ''
dovecot_sql_user

The username to access the SQL server.

dovecot_sql_user: ''
dovecot_sql_password

The password to login into the SQL server.

dovecot_sql_password: ''
dovecot_sql_default_pass_scheme

Default password scheme for passwords stored in the SQL database. For more information about the supported schemes, check Authentication / PasswordSchemes

dovecot_sql_default_pass_scheme: 'SSHA512'
dovecot_sql_password_query

SQL query string for the passdb lookup. This query should return the values username, domain and password.

dovecot_sql_password_query: "SELECT userid AS username, domain, password FROM users WHERE userid = '%n' AND domain = '%d'"
dovecot_sql_user_query

SQL query string for the userdb lookup. This query should return the values home, uid and gid.

Optionally, the mail location can be returned as an extra column named mail, which overrides mail_location for that user. For more information about mail_location, check MailLocation

dovecot_sql_user_query: "SELECT home, uid, gid FROM users WHERE userid = '%n' AND domain = '%d'"
dovecot_sql_iterate_query

SQL query string to get a list of users. This query should return either a single value named user, or both username and domain.

For more information about the iterate query, check AuthDatabase/SQL: https://wiki2.dovecot.org/AuthDatabase/SQL#User_iteration

dovecot_sql_iterate_query: "SELECT userid AS username, domain FROM users"
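As an added worked example (not code from the debops.dovecot role or from Dovecot), the following Python script loads the users schema above into an in-memory SQLite database, stores a password in the SSHA512 scheme that dovecot_sql_default_pass_scheme selects, and replays the three default queries the way Dovecot's passdb and userdb lookups use them. SQLite stands in for MySQL/PostgreSQL, so the schema uses generic SQL types; the composite primary key, the two sample accounts with their passwords and paths, and the active-aware variant of the password query are this example's own assumptions.

```python
"""Replay the debops.dovecot SQL user-database defaults against the documented schema.

Added example, not code from the debops.dovecot role or from Dovecot. SQLite stands in
for MySQL/PostgreSQL (generic SQL types); the composite primary key, the sample accounts,
passwords, paths and the active-aware password query are this example's assumptions.
"""
import base64
import hashlib
import hmac
import os
import re
import sqlite3
from typing import Optional

# Same columns as the page's CREATE TABLE; the composite key is an assumption.
SCHEMA = """
CREATE TABLE users (
  userid   VARCHAR(128) NOT NULL,
  domain   VARCHAR(128) NOT NULL,
  password VARCHAR(128) NOT NULL,
  home     VARCHAR(255) NOT NULL,
  uid      INTEGER      NOT NULL,
  gid      INTEGER      NOT NULL,
  active   CHAR(1)      NOT NULL DEFAULT 'Y',
  maildir  VARCHAR(255) NOT NULL,
  PRIMARY KEY (userid, domain)
)
"""

# The role defaults, verbatim.
PASSWORD_QUERY = ("SELECT userid AS username, domain, password FROM users "
                  "WHERE userid = '%n' AND domain = '%d'")
USER_QUERY = "SELECT home, uid, gid FROM users WHERE userid = '%n' AND domain = '%d'"
ITERATE_QUERY = "SELECT userid AS username, domain FROM users"
# Assumed hardening: the default never looks at `active`, so a disabled account
# still authenticates unless the query filters on it.
PASSWORD_QUERY_ACTIVE = PASSWORD_QUERY + " AND active = 'Y'"


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Dovecot SSHA512 scheme: {SSHA512} + base64(SHA512(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()


def ssha512_verify(password: str, stored: str) -> bool:
    """Split the decoded blob into the 64-byte digest and trailing salt, recompute, compare."""
    if not stored.startswith("{SSHA512}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA512}"):])
    digest, salt = raw[:64], raw[64:]
    return hmac.compare_digest(hashlib.sha512(password.encode() + salt).digest(), digest)


def bind_dovecot_vars(query: str, login: str):
    """Replace Dovecot's quoted '%n' (user), '%d' (domain) and '%u' (login) with bound
    parameters. Dovecot SQL-escapes these itself; binding makes the same guarantee
    explicit, so a crafted login cannot change the statement."""
    user, _, domain = login.partition("@")
    values = {"n": user, "d": domain, "u": login}
    params = []

    def placeholder(match):
        params.append(values[match.group(1)])
        return "?"

    return re.sub(r"'%([ndu])'", placeholder, query), params


def build_db() -> sqlite3.Connection:
    """In-memory database with two constructed accounts, the second one disabled."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(SCHEMA)
    base = "/var/vmail/example.com/"
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        [
            ("alice", "example.com", ssha512_hash("correct horse"),
             base + "alice", 5000, 5000, "Y", base + "alice/Maildir"),
            ("bob", "example.com", ssha512_hash("battery staple"),
             base + "bob", 5000, 5000, "N", base + "bob/Maildir"),
        ],
    )
    return conn


def authenticate(conn, login, password, password_query=PASSWORD_QUERY_ACTIVE):
    """passdb lookup (password_query) followed by the userdb lookup (user_query).
    Returns the home/uid/gid Dovecot would use, or None when authentication fails."""
    sql, params = bind_dovecot_vars(password_query, login)
    row = conn.execute(sql, params).fetchone()
    if row is None or not ssha512_verify(password, row["password"]):
        return None
    sql, params = bind_dovecot_vars(USER_QUERY, login)
    user = conn.execute(sql, params).fetchone()
    return dict(user) if user is not None else None


def iterate_users(conn):
    """The (username, domain) pairs the iterate_query exposes, e.g. to doveadm."""
    return sorted((r["username"], r["domain"]) for r in conn.execute(ITERATE_QUERY))


if __name__ == "__main__":
    db = build_db()
    print(authenticate(db, "alice@example.com", "correct horse"))
    print(authenticate(db, "bob@example.com", "battery staple"))  # None: disabled account
    print(authenticate(db, "bob@example.com", "battery staple", PASSWORD_QUERY))  # the default query lets bob in
    print(iterate_users(db))
```

Dovecot itself SQL-escapes %n and %d before substituting them, which is why the role defaults can embed them as quoted literals; the example binds them as parameters so the same guarantee holds without relying on escaping. If you would rather have Dovecot generate the hashes, `doveadm pw -s SSHA512 -p 'secret'` prints them in the same {SSHA512} format.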
dovecot_passwdfile_scheme

Password scheme used by Dovecot for the passwords stored in the password file

dovecot_passwdfile_scheme: 'sha512-crypt'
dovecot_passwdfile_path

Directory in which the Dovecot password file is stored

dovecot_passwdfile_path: '/etc/dovecot/private/'
dovecot_passwdfile_name

Name of the Dovecot password file

dovecot_passwdfile_name: 'passwd'
dovecot_passwdfile_uid

UID used by Dovecot when it stores mail in the mailbox

dovecot_passwdfile_uid: 'dovecot-vmail'
dovecot_passwdfile_gid

GID used by Dovecot when it stores mail in the mailbox

dovecot_passwdfile_gid: 'dovecot-vmail'
dovecot_passwdfile_home

Path to the mailbox home directory

dovecot_passwdfile_home: '{{ (ansible_local.root.home
                             if (ansible_local|d() and ansible_local.root|d() and
                                  ansible_local.root.home|d())
                             else "/var/local") + "/" + dovecot_passwdfile_uid }}'
dovecot_passwdfile_mailbox_path

Path inside the mailbox home directory

dovecot_passwdfile_mailbox_path: '%u'

PKI / TLS configuration

dovecot_pki

Enable or disable support for TLS in Dovecot (using debops.pki)

dovecot_pki: True
dovecot_pki_path

Base PKI directory

dovecot_pki_path: '{% if (ansible_local is defined and ansible_local.pki is defined) %}{{ ansible_local.pki.base_path }}{% else %}/etc/pki{% endif %}'
dovecot_pki_realm

Default PKI realm used by Dovecot

dovecot_pki_realm: '{% if (ansible_local is defined and ansible_local.pki is defined) %}{{ ansible_local.pki.realm }}{% else %}system{% endif %}'
dovecot_pki_crt

Default certificate, relative to dovecot_pki_realm variable

dovecot_pki_crt: 'default.crt'
dovecot_pki_key

Default private key, relative to dovecot_pki_realm variable

dovecot_pki_key: 'default.key'
dovecot_ssl_required

Require SSL/TLS for all client connections, even when a non-plaintext authentication mechanism is used. For more information check ssl_required in Dovecot SSL Configuration

dovecot_ssl_required: True
dovecot_ssl_protocols

SSL/TLS protocol versions to allow. On newer distributions this sets only the minimum protocol version Dovecot accepts (Dovecot's ssl_min_protocol setting), defaulting to TLSv1; on older distributions it is a protocol list (ssl_protocols) that disables SSLv2 and SSLv3 and allows TLSv1.0 or better. A minimum of TLSv1 still admits TLS 1.0 and 1.1, which are deprecated; set it to TLSv1.2 wherever your clients allow it.

dovecot_ssl_protocols: '{{ "!SSLv2 !SSLv3"
                           if (ansible_distribution_release in
                               [ "wheezy", "jessie", "precise", "trusty" ])
                           else "TLSv1" }}'
dovecot_ssl_dh_parameters_length

Diffie-Hellman parameters length

dovecot_ssl_dh_parameters_length: 2048
dovecot_ssl_cipher_list

SSL ciphers to use

dovecot_ssl_cipher_list: '{{ dovecot_ssl_cipher_list_default }}'
dovecot_ssl_cipher_list_default

Default SSL ciphers

dovecot_ssl_cipher_list_default: 'ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH'
dovecot_ssl_cipher_list_better_cypto

Cipher list following the BetterCrypto recommendations: https://bettercrypto.org/. Note that it ends with CAMELLIA128-SHA and AES128-SHA, which use static RSA key exchange and therefore provide no forward secrecy.

dovecot_ssl_cipher_list_better_cypto: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
dovecot_ssl_cipher_list_ncsc_nl

Cipher list following the NCSC-NL IT security guidelines for TLS; only ECDHE key exchange with AEAD ciphers (AES-GCM, ChaCha20-Poly1305): https://www.ncsc.nl/english/current-topics/factsheets/it-security-guidelines-for-transport-layer-security-tls.html

dovecot_ssl_cipher_list_ncsc_nl: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256'
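Before putting one of the cipher lists above into production it is worth checking what the local OpenSSL actually makes of the string. The following Python script, an added example that is not part of the debops.dovecot role, feeds each of the three lists to the OpenSSL linked into Python and reports which enabled suites lack forward secrecy or use non-AEAD constructions. The strings are copied from the defaults above; the classification of static-RSA key exchange as "not forward secret" and the helper names are this example's own, and the exact suites reported depend on the OpenSSL build and security level on the host.

```python
"""Check what the debops.dovecot TLS cipher strings actually enable.

Added example; it is not part of the debops.dovecot role. The three strings are
copied from the role defaults; everything else, including the choice to flag
static-RSA key exchange as "not forward secret", is this example's own.
Results depend on the OpenSSL build and security level linked into Python.
"""
import ssl

DEFAULT = ("ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:"
           "!PSK:!RC4:!ADH:!LOW@STRENGTH")
BETTER_CRYPTO = ("EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:"
                 "+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:"
                 "!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA")
NCSC_NL = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:"
           "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
           "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256")


def enabled_ciphers(cipher_string):
    """Cipher suites (TLS 1.0-1.2) OpenSSL enables for the string, in preference order.

    set_ciphers() raises ssl.SSLError when the string selects nothing, which is the
    same failure Dovecot would hit at startup. TLS 1.3 suites are governed by a
    separate OpenSSL setting and are always listed, so they are filtered out here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_valid(cipher_string):
    """True if OpenSSL accepts the string and it selects at least one suite."""
    try:
        return bool(enabled_ciphers(cipher_string))
    except ssl.SSLError:
        return False


def non_forward_secret(cipher_string):
    """Enabled suites whose key exchange is static RSA: a leaked server key
    decrypts every recorded session."""
    return [c["name"] for c in enabled_ciphers(cipher_string) if c["kea"] == "kx-rsa"]


def non_aead(cipher_string):
    """Enabled suites that use a MAC-then-encrypt CBC construction instead of AEAD."""
    return [c["name"] for c in enabled_ciphers(cipher_string) if not c["aead"]]


def summarize(cipher_string):
    """The counts a reviewer looks at before accepting a cipher string."""
    return {
        "suites": len(enabled_ciphers(cipher_string)),
        "non_forward_secret": len(non_forward_secret(cipher_string)),
        "non_aead": len(non_aead(cipher_string)),
    }


if __name__ == "__main__":
    for label, s in (("default", DEFAULT), ("better_cypto", BETTER_CRYPTO), ("ncsc_nl", NCSC_NL)):
        print(label, summarize(s))
        if non_forward_secret(s):
            print("  no forward secrecy:", ", ".join(non_forward_secret(s)))
```

The same check can be done on the mail server itself with `openssl ciphers -v '<string>'`; the script is only a convenience for running it on a workstation and asserting on the result.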

Dovecot custom configuration

dovecot_imap_listeners

List of IMAP inet_listeners which will be enabled. See dovecot_imap_listeners for more details.

dovecot_imap_listeners: [ 'imap', 'imaps' ]
dovecot_imap_config_map

Custom IMAP configuration properties. See dovecot_imap_config_map for more details.

dovecot_imap_config_map: {}
dovecot_pop3_listeners

List of POP3 inet_listeners which will be enabled. See dovecot_pop3_listeners for more details.

dovecot_pop3_listeners: [ 'pop3', 'pop3s' ]
dovecot_pop3_config_map

Custom POP3 configuration properties. See dovecot_pop3_config_map for more details.

dovecot_pop3_config_map: {}
dovecot_sieve

Location of the symlink pointing to the active sieve script

dovecot_sieve: '~/.dovecot.sieve'
dovecot_sieve_dir

Storage directory for sieve scripts uploaded by ManageSieve

dovecot_sieve_dir: '~/sieve'
dovecot_managesieve_listeners

List of ManageSieve inet_listeners which will be enabled. See dovecot_managesieve_listeners for more details.

dovecot_managesieve_listeners: [ 'sieve' ]
dovecot_managesieve_config_map

Custom ManageSieve configuration properties. See dovecot_managesieve_config_map for more details.

dovecot_managesieve_config_map: {}
dovecot_lda_config_map

Custom LDA configuration properties. See dovecot_lda_config_map for more details.

dovecot_lda_config_map: {}
dovecot_lmtp_listeners

List of LMTP inet_listeners or unix_listeners which will be enabled. See dovecot_lmtp_listeners for more details.

dovecot_lmtp_listeners: [ '/var/spool/postfix/private/dovecot-lmtp' ]
dovecot_lmtp_config_map

Custom LMTP configuration properties. See dovecot_lmtp_config_map for more details.

dovecot_lmtp_config_map:
  service:
    unix_listener:
      /var/spool/postfix/private/dovecot-lmtp:
        user: 'postfix'
        group: 'postfix'
        mode: 0600
dovecot_postfix_transport

Postfix mail transport target if LMTP is enabled. For more details see dovecot_postfix_transport.

dovecot_postfix_transport: 'lmtp:unix:private/dovecot-lmtp'
dovecot_custom_localconf

Dovecot custom configuration added at the end of /etc/dovecot/local.conf in a text block format

dovecot_custom_localconf: False
dovecot_firewall

Whether to manage firewall rules for the Dovecot listeners with debops.ferm (which drives iptables).

dovecot_firewall: True

Configuration for other Ansible roles

dovecot__postfix__dependent_maincf

The main.cf configuration for debops.postfix Ansible role.

dovecot__postfix__dependent_maincf:

  - name: 'mailbox_transport'
    value: '{{ dovecot_postfix_transport }}'
    state: '{{ "present" if "lmtp" in dovecot_protocols else "ignore" }}'
dovecot__postfix__dependent_mastercf

The master.cf configuration for debops.postfix Ansible role.

dovecot__postfix__dependent_mastercf: []