debops.dovecot default variables

General Dovecot configuration

dovecot_protocols

List of protocols which should be installed and enabled. Supported are:

  • imap
  • pop3
  • managesieve
  • lmtp
dovecot_protocols: [ 'imap' ]
dovecot_auth_mechanisms

List of authentication mechanisms enabled. So far supported are: plain, login

dovecot_auth_mechanisms: [ 'plain', 'login' ]
dovecot_dependencies

Should the Dovecot role manage it's own dependencies?

dovecot_dependencies: True
dovecot__version

Variable which specifies what Dovecot version is installed on the host. It is defined via Ansible local facts and can be used in conditions to modify the configuration as needed.

dovecot__version: '{{ ansible_local.dovecot.version
                      if (ansible_local|d() and ansible_local.dovecot|d() and
                          ansible_local.dovecot.version|d())
                      else "0.0.0" }}'

User database/mailbox configuration

dovecot_user_accounts

User account lookup. So far supported are:

  • deny: Deny access for users
  • system: Mail users are Linux system users
  • sql: Mail users are stored in a SQL database
  • ldap: Mail users are stored in an LDAP directory
  • passwdfile: Users password are stored in a file
dovecot_user_accounts: '{{ [ "deny", "ldap" ]
                           if dovecot__ldap_enabled|bool
                           else [ "deny", "system" ] }}'
dovecot_deny_users

List of users for which mail acess is disabled.

dovecot_deny_users: [ 'root' ]
dovecot_vmail_home

The vmail home directory is a per-user directory where Dovecot can save user-specific files. Dovecot's home directories have nothing to do with system users' home directories. It's irrelevant if it's under /home/ or /var/mail/ or wherever. For more information see: Home Directories for Virtual Users.

dovecot_vmail_home: '/var/vmail/%d/%n'
dovecot_mail_location

Mailbox location. For mbox set something like mbox:~/mail:INBOX=/var/mail/%u. For more information about the supported format, check Dovecot Mail Location

dovecot_mail_location: 'maildir:~/Maildir'
dovecot__auth_default_realm

The default domain (realm) to add to the usernames that don't specify one. Required to correctly point the clients to their mailbox directories.

dovecot__auth_default_realm: '{{ ansible_domain }}'
dovecot_mail_dotlock

Mailbox Locking. The only standard way to lock an mbox is using a method called dotlock. This means that a file named <mailbox-name>.lock is created in the same directory as the mailbox being locked. Documentation Location

dovecot_mail_dotlock: True
dovecot_sql_driver

The SQL driver defines which SQL is used. This can be either mysql or pgsql.

The database should have a structure like this:

CREATE TABLE `users` (
  `userid` varchar(128) NOT NULL,
  `domain` varchar(128) NOT NULL,
  `password` varchar(128) NOT NULL,
  `home` varchar(255) NOT NULL,
  `uid` int(11) NOT NULL,
  `gid` int(11) NOT NULL,
  `active` char(1) NOT NULL DEFAULT 'Y',
  `maildir` varchar(255) NOT NULL
dovecot_sql_driver: 'mysql'
dovecot_sql_host

The hostname of the SQL server.

dovecot_sql_host: ''
dovecot_sql_dbname

The SQL database name.

dovecot_sql_dbname: ''
dovecot_sql_user

The username to access the SQL server.

dovecot_sql_user: ''
dovecot_sql_password

The password to login into the SQL server.

dovecot_sql_password: ''
dovecot_sql_default_pass_scheme

Default passwort scheme for passwords, stored in a SQL database. For more information about the supported schemes, check Authentication / PasswordSchemes

dovecot_sql_default_pass_scheme: 'SSHA512'
dovecot_sql_password_query

SQL query string to get the password. This function should return the values username, domain and password.

dovecot_sql_password_query: "SELECT userid AS username, domain, password FROM users WHERE userid = '%n' AND domain = '%d'"
dovecot_sql_user_query

SQL query string to get the userdb. This function should return the values home, uid and gid.

Optional the mail_location can be defined with the option mail. For more information about the mail_location, check MailLocation

dovecot_sql_user_query: "SELECT home, uid, gid FROM users WHERE userid = '%n' AND domain = '%d'"
dovecot_sql_iterate_query

SQL query string to get a list of users. This function should return all values user or both username and domain.

For more information about the iterate query , check AuthDatabase/SQL <https://wiki2.dovecot.org/AuthDatabase/SQL#User_iteration> _

dovecot_sql_iterate_query: "SELECT userid AS username, domain FROM users"
dovecot_passwdfile_scheme

Scheme method use by dovecot with password authentication

dovecot_passwdfile_scheme: 'sha512-crypt'
dovecot_passwdfile_path

Path to the dovecot password file

dovecot_passwdfile_path: '/etc/dovecot/private/'
dovecot_passwdfile_name

Name to the dovecot password file

dovecot_passwdfile_name: 'passwd'
dovecot_passwdfile_uid

uid use by Dovecot when it store mail in mailbox

dovecot_passwdfile_uid: 'dovecot-vmail'
dovecot_passwdfile_gid

gid use by Dovecot when it store mail in mailbox

dovecot_passwdfile_gid: 'dovecot-vmail'
dovecot_passwdfile_home

Path to the mailbox

dovecot_passwdfile_home: '{{ (ansible_local.root.home
                             if (ansible_local|d() and ansible_local.root|d() and
                                  ansible_local.root.home|d())
                             else "/var/local") + "/" + dovecot_passwdfile_uid }}'
dovecot_passwdfile_mailbox_path

Path inside the mailbox home directory

dovecot_passwdfile_mailbox_path: '%u'

PKI / TLS configuration

dovecot_pki

Enable or disable support for TLS in Dovecot (using debops.pki)

dovecot_pki: '{{ (True
                  if (ansible_local|d() and ansible_local.pki|d() and
                    ansible_local.pki.enabled|d() | bool)
                  else False) | bool }}'
dovecot_pki_path

Base PKI directory

dovecot_pki_path: '{{ ansible_local.pki.path
                      if (ansible_local|d() and ansible_local.pki|d() and
                        ansible_local.pki.path|d())
                      else "/etc/pki/realms" }}'
dovecot_pki_realm

Default PKI realm used by Dovecot

dovecot_pki_realm: '{{ ansible_local.pki.realm
                      if (ansible_local|d() and ansible_local.pki|d() and
                        ansible_local.pki.realm|d())
                      else "domain" }}'
dovecot__pki_ca

Name of the Root Certificate Authority certificate file used by Postfix, relative to the PKI realm directory.

dovecot__pki_ca: '{{ ansible_local.pki.ca
                    if (ansible_local|d() and ansible_local.pki|d() and
                      ansible_local.pki.ca|d())
                    else "CA.crt" }}'
dovecot_pki_crt

Default certificate, relative to dovecot_pki_realm variable

dovecot_pki_crt: '{{ ansible_local.pki.crt
                    if (ansible_local|d() and ansible_local.pki|d() and
                      ansible_local.pki.crt|d())
                    else "default.crt" }}'
dovecot_pki_key

Default private key, relative to dovecot_pki_realm variable

dovecot_pki_key: '{{ ansible_local.pki.key
                    if (ansible_local|d() and ansible_local.pki|d() and
                      ansible_local.pki.key|d())
                    else "default.key" }}'
dovecot__tls_ca_cert_dir

Directory containing X509 Certification Authority certificates in PEM format which are to be recognized by the client in SSL/TLS connections. The files each contain one CA certificate.

dovecot__tls_ca_cert_dir: '/etc/ssl/certs/'
dovecot_ssl_required

Requires SSL/TLS also for non-plaintext authentication. For more information check ssl_required in Dovecot SSL Configuration

dovecot_ssl_required: True
dovecot_ssl_min_protocol

SSL ciphers to use. On new distros you only specify the minimum ssl protocol version Dovecot accepts, defaulting to TLSv1. On old distros disable SSLv2,3 and allow TLSv1.0 or better.

dovecot_ssl_min_protocol: '{{ "!SSLv2 !SSLv3"
                              if (ansible_distribution_release in
                                [ "wheezy", "jessie", "precise", "trusty" ])
                              else "TLSv1" }}'
dovecot_ssl_dh_parameters_length

Diffie-Hellman parameters length Only needed for Dovecot v2.2.x in old-distros.

dovecot_ssl_dh_parameters_length: 4096
dovecot_ssl_cipher_list

SSL ciphers to use

dovecot_ssl_cipher_list: '{{ dovecot_ssl_cipher_list_default }}'
dovecot_ssl_cipher_list_default

Default SSL ciphers

dovecot_ssl_cipher_list_default: 'ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:[email protected]'
dovecot_ssl_cipher_list_better_cypto

https://bettercrypto.org/

dovecot_ssl_cipher_list_better_cypto: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
dovecot_ssl_cipher_list_ncsc_nl

https://www.ncsc.nl/english/current-topics/factsheets/it-security-guidelines-for-transport-layer-security-tls.html

dovecot_ssl_cipher_list_ncsc_nl: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256'
dovecot_pki_hook_name

Name of the hook script which will be stored in hook directory.

dovecot_pki_hook_name: 'dovecot'
dovecot_pki_hook_path

Directory with PKI hooks.

dovecot_pki_hook_path: '{{ ansible_local.pki.hooks
                         if (ansible_local|d() and ansible_local.pki|d() and
                             ansible_local.pki.hooks|d())
                         else "/etc/pki/hooks" }}'
dovecot_pki_hook_action

Specify how changes in PKI should affect dovecot, either 'reload' or 'restart'.

dovecot_pki_hook_action: 'reload'

Diffie-Hellman parameters

dovecot__dhparam

Enable or disable support for custom Diffie-Hellman parameters managed by the debops.dhparam Ansible role.

dovecot__dhparam: '{{ ansible_local.dhparam.enabled
                      if (ansible_local|d() and ansible_local.dhparam|d() and
                          ansible_local.dhparam.enabled is defined)
                      else False }}'
dovecot__dhparam_set

Name of the Diffie-Hellman parameter set to use in Dovecot configuration. See debops.dhparam Ansible role for more details.

dovecot__dhparam_set: 'default'
dovecot__ssl_dh_file

Absolute path to Diffie-Hellman parameters file which should be used by Dovecot.

dovecot__ssl_dh_file: '{{ ansible_local.dhparam[dovecot__dhparam_set]
                          if (ansible_local|d() and ansible_local.dhparam|d() and
                            ansible_local.dhparam[dovecot__dhparam_set]|d())
                          else "" }}'

Dovecot custom configuration

dovecot_imap_listeners

List of IMAP inet_listeners which will be enabled. See dovecot_imap_listeners for more details.

dovecot_imap_listeners: '{{ [ "imap", "imaps" ]
                            if ( dovecot_pki|d(True) )
                            else [ "imap" ] }}'
dovecot_imap_default_config_map

Default IMAP configuration properties. See dovecot_imap_config_map for more details.

dovecot_imap_default_config_map:
  login-service:
    inet_listener:
      imap:
        # Use only localhost when PKI is false, otherwise listen on all IPs
        address: '{{ "0.0.0.0, [::]"
                      if (dovecot_pki|d(True))
                      else
                        "127.0.0.1, [::0]" }}'
        port: 143
      imaps:
        address: '0.0.0.0, [::]'
        # Disable IMAPS if PKI is false
        port: '{{ 993 if (dovecot_pki|d(True)) else 0 }}'
        ssl: 'yes'
dovecot_mail_plugins

Mail plugins enabled in dovecot.

dovecot_mail_plugins: '$mail_plugins {{ "sieve"
                                        if ("managesieve" in dovecot_protocols|d([]) and
                                        dovecot_sieve_enabled|bool) else "" }}'
dovecot_imap_config_map

Custom IMAP configuration properties. See dovecot_imap_config_map for more details.

dovecot_imap_config_map: {}
dovecot_imap_combined_config_map

Combined IMAP configuration properties.

dovecot_imap_combined_config_map: '{{ dovecot_imap_default_config_map
                                      |combine(
                                        dovecot_imap_config_map,
                                        recursive=True) }}'
dovecot_pop3_listeners

List of POP3 inet_listeners which will be enabled. See dovecot_pop3_listeners for more details.

dovecot_pop3_listeners: '{{ [ "pop3", "pop3s" ]
                              if ( dovecot_pki|d(True) )
                              else
                                [ "pop3" ] }}'
dovecot_pop3_config_map

Custom POP3 configuration properties. See dovecot_pop3_config_map for more details.

dovecot_pop3_config_map: {}
dovecot_sieve_enabled

Enable/disable the sieve mail plugin

dovecot_sieve_enabled: true
dovecot_sieve_port

Managesieve port

dovecot_sieve_port: 4190
dovecot_sieve_active_script

Location of link to active sieve script

dovecot_sieve_active_script: '~/.dovecot.sieve'
dovecot_sieve_dir

Storage directory for sieve scripts uploaded by ManageSieve

dovecot_sieve_dir: 'file:~/sieve'
dovecot_managesieve_listeners

List of ManageSieve inet_listeners which will be enabled. See dovecot_managesieve_listeners for more details.

dovecot_managesieve_listeners: [ 'sieve' ]
dovecot_managesieve_config_map

Custom ManageSieve configuration properties. See dovecot_managesieve_config_map for more details.

dovecot_managesieve_config_map:

  login-service:
    inet_listener:
      sieve:
        port: '{{ dovecot_sieve_port|int }}'

  plugin:
    sieve: '{{ dovecot_sieve_dir }}'
    active: '{{ dovecot_sieve_active_script }}'
dovecot_lda_config_map

Custom LDA configuration properties. See dovecot_lda_config_map for more details.

dovecot_lda_config_map:
  protocol:
    mail_plugins: '{{ dovecot_mail_plugins }}'
dovecot_lmtp_listeners

List of LMTP inet_listeners or unix_listeners which will be enabled. See dovecot_lmtp_listeners for more details.

dovecot_lmtp_listeners: [ '/var/spool/postfix/private/dovecot-lmtp' ]
dovecot_lmtp_config_map

Custom LMTP configuration properties. See dovecot_lmtp_config_map for more details.

dovecot_lmtp_config_map:
  service:
    unix_listener:
      /var/spool/postfix/private/dovecot-lmtp:
        user: 'postfix'
        group: 'postfix'
        mode: '0600'

  protocol:
    mail_plugins: '{{ dovecot_mail_plugins }}'
dovecot_postfix_transport

Postfix mail transport target if LMTP is enabled. For more details see dovecot_postfix_transport.

dovecot_postfix_transport: 'lmtp:unix:private/dovecot-lmtp'
dovecot_auth_listeners

List of AUTH unix_listeners which will be enabled. See dovecot_auth_listeners for more details.

dovecot_auth_listeners: [ '/var/spool/postfix/private/auth' ]
dovecot_auth_config_map

Custom AUTH service configuration properties. See dovecot_auth_config_map for more details.

dovecot_auth_config_map:
  service:
    # Postfix smtp-auth socket.
    unix_listener:
      /var/spool/postfix/private/auth:
        user: 'postfix'
        group: 'postfix'
        mode: '0600'
dovecot_custom_localconf

Dovecot custom configuration added at the end of /etc/dovecot/local.conf in a text block format

dovecot_custom_localconf: False

Firewall configuration

dovecot__accept_any

Specofy the default firewall policy for dovecot IMAP services.

If True, any host can connect to the dovecot daemon unless allow restrictions are defined using the variables below.

If False, no hosts can connect to the dovecot daemon by default. You need to specify IP addresses or subnets that can access the services using the variables below.

dovecot__accept_any: True
dovecot__allow_imap

List of hosts/networks that can access the imap port (143).

dovecot__allow_imap: []
dovecot__allow_imaps

List of hosts/networks that can access the imaps port (993).

dovecot__allow_imaps: []
dovecot__allow_pop3

List of hosts/networks that can access the pop3 port (110).

dovecot__allow_pop3: []
dovecot__allow_pop3s

List of hosts/networks that can access the pop3s port (995).

dovecot__allow_pop3s: []
dovecot__allow_sieve

List of hosts/networks that can access the ManageSieve Protocol port (4190).

dovecot__allow_sieve: []

Virtual Mail

This settings help to configure to enable postfix to host multiple (virtual) domains, and thus provide email to several domains with just one mail server. Currently the Virtual Mail support works only with LDAP enabled, in the future mariaDB could be enabled.

dovecot__vmail_posix_user

Virtual Mail POSIX username For the accesses to the mailbox directories a separate user vmail (Virtual Mail) is created, under which the accesses of Postfix, Dovecot and other components of the mail server should take place. On the one hand this prevents mail server components from accessing sensitive system directories, on the other hand it protects the mailboxes from external access. Only vmail (and root) are allowed to access the mailboxes.

dovecot__vmail_posix_user: '{{ ansible_local.postldap.vmail_posix_user
                              if (ansible_local|d() and ansible_local.postldap|d() and
                                ansible_local.postldap.vmail_posix_user|d())
                              else "vmail" }}'
dovecot__vmail_posix_group

Virtual Mail POSIX group

dovecot__vmail_posix_group: '{{ ansible_local.postldap.vmail_posix_group
                                if (ansible_local|d() and ansible_local.postldap|d() and
                                  ansible_local.postldap.vmail_posix_group|d())
                                else "vmail" }}'

LDAP

LDAP authentication

dovecot__ldap_enabled

In order to enable Virtual Mail support LDAP authentication needs to be enabled. When enabled, dovecot will authenticate users against LDAP and authorize access to the user's mailbox.

dovecot__ldap_enabled: '{{ True
                           if (ansible_local|d() and ansible_local.ldap|d() and
                              (ansible_local.ldap.enabled|d())|bool)
                           else False }}'
dovecot__ldap_base_dn

The base Distinguished Name which should be used to create Distinguished Names of the LDAP directory objects, defined as a YAML list.

dovecot__ldap_base_dn: '{{ ansible_local.ldap.base_dn
                           if (ansible_local|d() and ansible_local.ldap|d() and
                             ansible_local.ldap.base_dn|d())
                           else [] }}'
dovecot__ldap_device_dn

The Distinguished Name of the current host LDAP object, defined as a YAML list. It will be used as a base for the Postfix/Dovecot Virtual Mail service account LDAP object. If the list is empty, the role will not create the account LDAP object automatically.

dovecot__ldap_device_dn: '{{ ansible_local.ldap.device_dn
                             if (ansible_local|d() and ansible_local.ldap|d() and
                                ansible_local.ldap.device_dn|d())
                             else [] }}'
dovecot__ldap_self_rdn

The Relative Distinguished Name of the account LDAP object used by the dovecot service to access the LDAP directory.

dovecot__ldap_self_rdn: 'uid=dovecot'
dovecot__ldap_self_object_classes

List of the LDAP object classes which will be used to create the LDAP object used by the dovecot service to access the LDAP directory.

dovecot__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
dovecot__ldap_self_attributes

YAML dictionary that defines the attributes of the LDAP object used by the dovecot service to access the LDAP directory.

dovecot__ldap_self_attributes:
  uid: '{{ dovecot__ldap_self_rdn.split("=")[1] }}'
  userPassword: '{{ dovecot__ldap_bindpw }}'
  host: '{{ [ ansible_fqdn, ansible_hostname ] | unique }}'
  description: 'Account used by the "Dovecot" service to access the LDAP directory'

  # ]]]
dovecot__ldap_binddn

The Distinguished Name of the account LDAP object used by the Dovecot service to bind to the LDAP directory.

dovecot__ldap_binddn: '{{ ([ dovecot__ldap_self_rdn ]
                             + dovecot__ldap_device_dn) | join(",") }}'
dovecot__ldap_bindpw

The password stored in the account LDAP object used by the dovecot service to bind to the LDAP directory.

dovecot__ldap_bindpw: '{{ lookup("password", secret + "/ldap/credentials/"
                          + dovecot__ldap_binddn | to_uuid + ".password length=32 "
                          + "chars=alpha,digits,[email protected]_$%^&*") }}'
dovecot__ldap_people_rdn

The Relative Distinguished Name of the LDAP object which contains the user accounts stored in LDAP.

dovecot__ldap_people_rdn: '{{ ansible_local.ldap.people_rdn
                              if (ansible_local|d() and ansible_local.ldap|d() and
                                 ansible_local.ldap.people_rdn|d())
                              else "ou=People" }}'
dovecot__ldap_people_dn

The Distinguished Name of the LDAP object which contains the user accounts used by Postfix and Dovecot.

dovecot__ldap_people_dn: '{{ [ dovecot__ldap_people_rdn ]
                               + dovecot__ldap_base_dn }}'

LDAP connection options

dovecot__ldap_uri

List of LDAP URIs that point to the directory servers which should be used by dovecot service.

dovecot__ldap_uri: '{{ ansible_local.ldap.uri
                       if (ansible_local|d() and ansible_local.ldap|d() and
                         ansible_local.ldap.uri|d())
                       else [""] }}'
dovecot__ldap_server_port

The TCP port which should be used for connections to the LDAP server.

dovecot__ldap_server_port: '{{ ansible_local.ldap.port
                               if (ansible_local|d() and ansible_local.ldap|d() and
                                  ansible_local.ldap.port|d())
                               else ("389" if dovecot__ldap_start_tls|bool else "636") }}'
dovecot__ldap_start_tls

If True, Postfix will use STARTTLS extension to make encrypted connections to the LDAP server.

dovecot__ldap_start_tls: '{{ ansible_local.ldap.start_tls
                             if (ansible_local|d() and ansible_local.ldap|d() and
                                (ansible_local.ldap.start_tls|d())|bool)
                             else True }}'

LDAP settings

dovecot__ldap_user_filter

The LDAP filter used to look up user accounts in the directory. See LDAP tasks and administrative operations for more information.

dovecot__ldap_user_filter: '(&
                              (objectClass=inetOrgPerson)
                              (|
                                (uid=%u)
                                (mail=%u)
                              )
                              (|
                                (authorizedService=all)
                                (authorizedService=mail:access)
                              )
                            )'
dovecot__ldap_quota_attribute

Set the LDAP attribute value to be read by Postfix in order to get the user quota.

dovecot__ldap_quota_attribute: 'mailQuota'
dovecot__ldap_quota_default

User default LDAP quota. Use human-readable values, e.g. "2 GB".

dovecot__ldap_quota_default: '10 GB'
dovecot__ldap_default_config

The LDAP configuration options defined by default.

dovecot__ldap_default_config: []
dovecot__ldap_config

List of custom LDAP configuration options defined for all hosts in the Ansible inventory.

dovecot__ldap_config: []
dovecot__group_ldap_config

List of custom LDAP configuration options defined on hosts in a specific Ansible inventory group.

dovecot__group_ldap_config: []
dovecot__host_ldap_config

List of custom LDAP configuration options defined on specific hosts in the Ansible inventory.

dovecot__host_ldap_config: []
dovecot__ldap_combined_config

The variable that combines default and user LDAP configuration and is used in the role tasks and templates.

dovecot__ldap_combined_config: '{{ dovecot__ldap_default_config
                                   + dovecot__ldap_config
                                   + dovecot__group_ldap_config
                                   + dovecot__host_ldap_config }}'

Configuration for other Ansible roles

dovecot__ldap__dependent_tasks

Configuration for the debops.ldap Ansible role.

dovecot__ldap__dependent_tasks:
  - name: 'Create Postfix account for {{ dovecot__ldap_device_dn | join(",") }}'
    dn: '{{ dovecot__ldap_binddn }}'
    objectClass: '{{ dovecot__ldap_self_object_classes }}'
    attributes: '{{ dovecot__ldap_self_attributes }}'
    no_log: '{{ dovecot__no_log|d(True) }}'
    state: '{{ "present"
                if (dovecot__ldap_enabled|bool and
                    dovecot__ldap_device_dn|d())
                else "ignore" }}'
dovecot__postfix__dependent_maincf

The main.cf configuration for debops.postfix Ansible role.

dovecot__postfix__dependent_maincf:

  # The default TLS security level set by the 'postfix' role is "may", however
  # when the mail is delivered over local UNIX socket, this results in
  # a warning in the mail logs: "warning: smtp_connect_local: opportunistic TLS
  # encryption is not appropriate for unix-domain destinations". Therefore if
  # we know that Dovecot is installed locally and we deliver over an UNIX
  # socket, we can disable the opportunistic TLS encryption for the LMTP
  # protocol.
  - name: 'lmtp_tls_security_level'
    comment: |
      Security level overridden via local Dovecot installation
    value: '{{ "none"
               if dovecot_postfix_transport.startswith("lmtp:unix:")
               else "may" }}'
    state: '{{ "present" if "lmtp" in dovecot_protocols else "ignore" }}'

  # We don't care about the STARTTLS offer when we talk to Dovecot over an UNIX
  # socket.
  - name: 'lmtp_tls_note_starttls_offer'
    value: '{{ False
               if dovecot_postfix_transport.startswith("lmtp:unix:")
               else True }}'
    state: '{{ "present" if "lmtp" in dovecot_protocols else "ignore" }}'

  - name: 'virtual_transport'
    value: '{{ dovecot_postfix_transport }}'
    state: '{{ "present"
               if ("lmtp" in dovecot_protocols and
                   dovecot__ldap_enabled|bool)
               else "ignore" }}'

  - name: 'mailbox_transport'
    value: '{{ dovecot_postfix_transport }}'
    state: '{{ "present"
               if ("lmtp" in dovecot_protocols and
                   not dovecot__ldap_enabled|bool)
               else "ignore" }}'
dovecot__postfix__dependent_mastercf

The master.cf configuration for debops.postfix Ansible role.

dovecot__postfix__dependent_mastercf: []
dovecot__ferm__dependent_rules

Configuration for debops.ferm Ansible role.

dovecot__ferm__dependent_rules:

  - name: 'dovecot_imap'
    type: 'accept'
    by_role: 'debops.dovecot'
    dport: [ 'imap2' ]
    saddr: '{{ dovecot__allow_imap }}'
    accept_any: '{{ dovecot__accept_any }}'
    rule_state: '{{ "present"
                    if ("imap" in dovecot_protocols|d([]))
                    else "absent" }}'

  - name: 'dovecot_imaps'
    type: 'accept'
    by_role: 'debops.dovecot'
    dport: [ 'imaps' ]
    saddr: '{{ dovecot__allow_imaps }}'
    accept_any: '{{ dovecot__accept_any }}'
    rule_state: '{{ "present"
                    if ("imap" in dovecot_protocols|d([])
                         and dovecot_pki|d(True))
                    else "absent" }}'

  - name: 'dovecot_pop3'
    type: 'accept'
    by_role: 'debops.dovecot'
    dport: [ 'pop3' ]
    saddr: '{{ dovecot__allow_pop3 }}'
    accept_any: '{{ dovecot__accept_any }}'
    rule_state: '{{ "present"
                    if ("pop3" in dovecot_protocols|d([]))
                    else "absent" }}'

  - name: 'dovecot_pop3s'
    type: 'accept'
    by_role: 'debops.dovecot'
    dport: [ 'pop3s' ]
    saddr: '{{ dovecot__allow_pop3s }}'
    accept_any: '{{ dovecot__accept_any }}'
    rule_state: '{{ "present"
                    if ("pop3" in dovecot_protocols|d([])
                         and dovecot_pki|d(True))
                    else "absent" }}'

  - name: 'dovecot_sieve'
    type: 'accept'
    by_role: 'debops.dovecot'
    dport: [ 'sieve' ]
    saddr: '{{ dovecot__allow_sieve }}'
    accept_any: '{{ dovecot__accept_any }}'
    rule_state: '{{ "present"
                    if ("managesieve" in dovecot_protocols|d([])
                         and dovecot_pki|d(True))
                    else "absent" }}'