debops.dovecot default variables

General Dovecot configuration

dovecot__features

List of features which should be installed and enabled. See dovecot__features for details.

dovecot__features: [ 'imap', 'imaps', 'lmtp', 'sieve', 'quota' ]
dovecot__auth_mechanisms

List of enabled authentication mechanisms. Currently plain and login are supported.

dovecot__auth_mechanisms: [ 'plain', 'login' ]
dovecot__version

Variable which specifies what Dovecot version is installed on the host. It is defined via Ansible local facts and can be used in conditions to modify the configuration as needed.

dovecot__version: '{{ ansible_local.dovecot.version | d("0.0.0") }}'

User database/mailbox configuration

dovecot__user_accounts

User account lookup mechanisms, see dovecot__user_accounts for details.

dovecot__user_accounts: '{{ ["deny", "ldap"]
                            if dovecot__ldap_enabled | bool
                            else ["deny", "system"] }}'
dovecot__deny_users

List of users for which mail access is disabled.

dovecot__deny_users: [ 'root' ]
dovecot__mail_location

Mailbox location. For mbox set something like mbox:~/mail:INBOX=/var/mail/%u. For more information about the supported format, see the Dovecot Mail Location documentation.

dovecot__mail_location: 'maildir:~/Maildir'
dovecot__auth_default_realm

The default domain (realm) to add to the usernames that don't include one. Required to correctly point the clients to their mailbox directories.

dovecot__auth_default_realm: '{{ ansible_domain }}'

Virtual Mail

These settings makes it possible to host multiple (virtual) domains and to manage mail for users which do not need to have a local system account.

dovecot__vmail_enabled

Whether the virtual mail support should be enabled.

dovecot__vmail_enabled: '{{ True if (dovecot__user_accounts |
                                     intersect(["mysql", "pgsql", "sqlite",
                                                "ldap", "passwdfile"]))
                            else False }}'
dovecot__vmail_posix_user

A separate user vmail (Virtual Mail), which owns the mailbox directories and is used by the various mail daemons to store and access the stored email, can be used. On the one hand this prevents mail daemons components from accessing sensitive system directories, on the other hand it protects the mailboxes from external access. Only the vmail user (and root) are allowed to access the mailboxes.

dovecot__vmail_posix_user: '{{ ansible_local.postldap.vmail_posix_user
                               | d("vmail") }}'
dovecot__vmail_posix_group

Virtual Mail POSIX group.

dovecot__vmail_posix_group: '{{ ansible_local.postldap.vmail_posix_group
                                | d("vmail") }}'
dovecot__vmail_base

The base directory where user mail directories are located, which also serves as the home directory for the dovecot__vmail_posix_user. This directory is used as the base for the virtual mail home directory paths and is used e.g. as a prefix for the mailHomeDirectory LDAP attribute if it's found in the LDAP lookups.

dovecot__vmail_base: '/var/vmail'
dovecot__vmail_home

The vmail home directory is a per-user directory where Dovecot can save user-specific files. Dovecot's home directories have nothing to do with system users' home directories. For more information, see Home Directories for Virtual Users.

dovecot__vmail_home: '{{ dovecot__vmail_base ~ "/%d/%n" }}'

DSync Settings

Dovecot supports master/master replication using dsync. For more information, see DSync Replication.

dovecot__dsync_port

Port to use for dsync, defaults to 12345.

dovecot__dsync_port: '12345'
dovecot__dsync_host

Remote host to sync with, required.

dovecot__dsync_host: ''
dovecot__dsync_replica

Remote host to sync with, specified in the form tcp[s]:host[:port].

dovecot__dsync_replica: '{{ ("tcps" if dovecot__pki | d(True) else "tcp") ~ ":" ~
                            dovecot__dsync_host ~ ":" ~
                            dovecot__dsync_port }}'
dovecot__dsync_password_path

Directory on the Ansible Host where the dsync password will be stored. By default it's stored relative to the secret/ directory in the DebOps project directory. See the debops.secret role for more details.

dovecot__dsync_password_path: '{{ "dovecot/credentials/dsync.password" }}'
dovecot__dsync_password

Password to use for the dsync protocol. Must be the same on both hosts of a replica pair.

dovecot__dsync_password: '{{ lookup("password", secret + "/"
                                    + dovecot__dsync_password_path
                                    + " length=32") }}'

SQL Authentication Settings

dovecot__sql_connect

Database-driver specific database connection string. See SQL User Databases for more details.

dovecot__sql_connect: ''
dovecot__sql_default_pass_scheme

Default password scheme for passwords, stored in a SQL database. For more information about the supported schemes, check Authentication / PasswordSchemes.

dovecot__sql_default_pass_scheme: 'SSHA512'
dovecot__sql_password_query

SQL query string to get the password. This function should return the values username, domain and password.

dovecot__sql_password_query: "SELECT userid AS username, domain, password FROM users WHERE userid = '%n' AND domain = '%d'"
dovecot__sql_user_query

SQL query string to get the userdb. This function should return the values home, uid and gid.

Optionally the mail_location can be defined with the option mail, see MailLocation.

dovecot__sql_user_query: "SELECT home, uid, gid FROM users WHERE userid = '%n' AND domain = '%d'"
dovecot__sql_iterate_query

SQL query string to get a list of users. This function should return all valid users (user or username and domain).

For more information about the iterate query , see the Dovecot SQL documentation.

dovecot__sql_iterate_query: "SELECT userid AS username, domain FROM users"
dovecot__passwdfile_scheme

Encryption scheme to use with password authentication.

dovecot__passwdfile_scheme: 'sha512-crypt'
dovecot__passwdfile_path

Path to the dovecot password file.

dovecot__passwdfile_path: '/etc/dovecot/private/'
dovecot__passwdfile_name

Name of the dovecot password file.

dovecot__passwdfile_name: 'passwd'
dovecot__checkpassword_passdb_command

Command to fetch the password database in checkpassword auth mode.

dovecot__checkpassword_passdb_command: '/usr/bin/checkpassword'
dovecot__checkpassword_userdb_command

Command to fetch the user database in checkpassword auth mode.

dovecot__checkpassword_userdb_command: '/usr/bin/checkpassword'

PKI / TLS configuration

dovecot__pki

Enable or disable support for TLS/SSL using debops.pki.

dovecot__pki: '{{ ansible_local.pki.enabled | d() | bool }}'
dovecot__pki_path

Base PKI directory.

dovecot__pki_path: '{{ ansible_local.pki.path | d("/etc/pki/realms") }}'
dovecot__pki_realm

Default PKI realm.

dovecot__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
dovecot__pki_ca

Name of the Root Certificate Authority certificate file, relative to the PKI realm directory.

dovecot__pki_ca: '{{ ansible_local.pki.ca | d("CA.crt") }}'
dovecot__pki_crt

Default certificate, relative to the dovecot__pki_realm variable.

dovecot__pki_crt: '{{ ansible_local.pki.crt | d("default.crt") }}'
dovecot__pki_key

Default private key, relative to the dovecot__pki_realm variable.

dovecot__pki_key: '{{ ansible_local.pki.key | d("default.key") }}'
dovecot__tls_ca_cert_dir

Directory containing X509 Certification Authority certificates.

dovecot__tls_ca_cert_dir: '/etc/ssl/certs/'
dovecot__ssl_required

Requires SSL/TLS also for non-plaintext authentication. For more information check ssl_required in the Dovecot SSL Configuration.

dovecot__ssl_required: True
dovecot__ssl_min_protocol

SSL ciphers to use.

dovecot__ssl_min_protocol: '{{ "TLSv1.2" }}'
dovecot__ssl_dh_parameters_length

Diffie-Hellman parameters length.

dovecot__ssl_dh_parameters_length: 4096
dovecot__ssl_cipher_list

SSL ciphers to use.

dovecot__ssl_cipher_list: '{{ dovecot__ssl_cipher_list_default }}'
dovecot__ssl_cipher_list_default

Default SSL ciphers.

dovecot__ssl_cipher_list_default: 'ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH'
dovecot__ssl_cipher_list_better_crypto

See the bettercrypto.org guide.

dovecot__ssl_cipher_list_better_crypto: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
dovecot__ssl_cipher_list_ncsc_nl

The 'good' cipher suite from the NCSC-NL TLS Guidelines v2.1.

dovecot__ssl_cipher_list_ncsc_nl: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256'
dovecot__pki_hook_name

Name of the debops.pki hook script.

dovecot__pki_hook_name: 'dovecot'
dovecot__pki_hook_path

Directory for the debops.pki hooks.

dovecot__pki_hook_path: '{{ ansible_local.pki.hooks | d("/etc/pki/hooks") }}'
dovecot__pki_hook_action

Specify how changes in PKI should affect dovecot, either 'reload' or 'restart'.

dovecot__pki_hook_action: 'reload'

Diffie-Hellman parameters

dovecot__dhparam

Enable or disable support for custom Diffie-Hellman parameters managed by the debops.dhparam Ansible role.

dovecot__dhparam: '{{ ansible_local.dhparam.enabled
                      if (ansible_local | d() and ansible_local.dhparam | d() and
                          ansible_local.dhparam.enabled is defined)
                      else False }}'
dovecot__dhparam_set

Name of the Diffie-Hellman parameter set to use. See the debops.dhparam Ansible role for more details.

dovecot__dhparam_set: 'default'
dovecot__ssl_dh_file

Absolute path to the Diffie-Hellman parameters file which should be used.

dovecot__ssl_dh_file: '{{ ansible_local.dhparam[dovecot__dhparam_set]
                          if (ansible_local | d() and ansible_local.dhparam | d() and
                            ansible_local.dhparam[dovecot__dhparam_set] | d())
                          else "" }}'

Dovecot custom configuration

These variables define the contents of the /etc/dovecot/dovecot.conf configuration file.

dovecot__default_configuration

The default dovecot configuration options defined by the role. See Syntax for details.

dovecot__default_configuration:

  - section: 'main'
    title: 'Main Configuration'
    options:

      - name: 'protocols'
        comment: 'Currently active protocols'
        value: |  # noqa jinja[spacing]
          {{ dovecot__features |
             intersect(['imap', 'imaps', 'pop3',
                        'pop3s', 'sieve', 'lmtp']) |
             map("regex_replace", "^(imap|pop3)s$", "\1") |
             list | unique | join(' ') }}

  - section: 'authentication'
    title: 'Client Configuration'
    options:

      - name: 'auth_mechanisms'
        value: '{{ dovecot__auth_mechanisms | join(" ") }}'

      - name: 'disable_plaintext_auth'
        value: 'yes'

      - name: 'auth_default_realm'
        value: '{{ dovecot__auth_default_realm }}'

      - name: 'mail_uid'
        value: '{{ dovecot__vmail_posix_user }}'
        state: '{{ "present" if dovecot__vmail_enabled | d(False) else "absent" }}'

      - name: 'mail_gid'
        value: '{{ dovecot__vmail_posix_group }}'
        state: '{{ "present" if dovecot__vmail_enabled | d(False) else "absent" }}'

      - name: 'mail_privileged_group'
        value: '{{ dovecot__vmail_posix_user }}'
        state: '{{ "present" if dovecot__vmail_enabled | d(False) else "absent" }}'

      - name: 'passdb_deny'
        option: 'passdb'
        state: '{{ "present" if "deny" in dovecot__user_accounts else "absent" }}'
        options:

          - name: 'driver'
            value: 'passwd-file'

          - name: 'deny'
            value: 'yes'

          - name: 'args'
            value: '/etc/dovecot/dovecot.deny'

      - name: 'passdb_system'
        option: 'passdb'
        state: '{{ "present" if "system" in dovecot__user_accounts else "absent" }}'
        options:

          - name: 'driver'
            value: 'pam'

          - name: 'args'
            value: 'session=yes dovecot'

      - name: 'userdb_system'
        option: 'userdb'
        state: '{{ "present" if "system" in dovecot__user_accounts else "absent" }}'
        options:

          - name: 'driver'
            value: 'passwd'

          - name: 'args'
            value: 'blocking=no'

      - name: 'passdb_sql'
        option: 'passdb'
        state: '{{ "present" if (dovecot__user_accounts | d([]) |
                     intersect(["mysql", "pgsql", "sqlite"])) else "absent" }}'
        options:

          - name: 'driver'
            value: 'sql'

          - name: 'args'
            value: '/etc/dovecot/dovecot-sql.conf.ext'

      - name: 'userdb_sql'
        option: 'userdb'
        state: '{{ "present" if (dovecot__user_accounts | d([]) |
                     intersect(["mysql", "pgsql", "sqlite"])) else "absent" }}'
        options:

          - name: 'driver'
            value: 'sql'

          - name: 'args'
            value: '/etc/dovecot/dovecot-sql.conf.ext'

      - name: 'passdb_ldap'
        option: 'passdb'
        state: '{{ "present" if "ldap" in dovecot__user_accounts else "absent" }}'
        options:

          - name: 'driver'
            value: 'ldap'

          - name: 'args'
            value: '/etc/dovecot/dovecot-ldap-passdb.conf'

      - name: 'userdb_ldap'
        option: 'userdb'
        state: '{{ "present" if "ldap" in dovecot__user_accounts else "absent" }}'
        options:

          - name: 'driver'
            value: 'ldap'

          - name: 'args'
            value: '/etc/dovecot/dovecot-ldap-userdb.conf'

      - name: 'passdb_passwd'
        option: 'passdb'
        state: '{{ "present" if "passwdfile" in dovecot__user_accounts else "absent" }}'
        options:

          - name: 'driver'
            value: 'passwd-file'

          - name: 'args'
            value: 'scheme={{ dovecot__passwdfile_scheme }} {{ dovecot__passwdfile_path }}/{{ dovecot__passwdfile_name }}'

      - name: 'userdb_passwd'
        option: 'userdb'
        state: '{{ "present" if "passwdfile" in dovecot__user_accounts else "absent" }}'
        options:

          - name: 'driver'
            value: 'static'

          - name: 'args'
            value: 'uid={{ dovecot__vmail_posix_user }} gid={{ dovecot__vmail_posix_group }} home={{ dovecot__vmail_home }}'

          - name: 'default_fields'
            value: 'quota_rule=*:storage=1G'
            comment: 'Default fields that can be overridden by passwd-file'
            state: 'comment'

          - name: 'override_fields'
            value: 'home=/home/virtual/%u'
            comment: 'Override fields from passwd-file'
            state: 'comment'

      - name: 'passdb_checkpassword'
        option: 'passdb'
        state: '{{ "present" if ("checkpassword" in dovecot__user_accounts and
                     dovecot__checkpassword_passdb_command | d()) else "absent" }}'
        options:

          - name: 'driver'
            value: 'checkpassword'

          - name: 'args'
            value: '{{ dovecot__checkpassword_passdb_command }}'

      - name: 'userdb_checkpassword_pre'
        option: 'userdb'
        state: '{{ "present" if ("checkpassword" in dovecot__user_accounts and
                     dovecot__checkpassword_userdb_command | d()) else "absent" }}'
        options:

          - name: 'driver'
            value: 'prefetch'

      - name: 'userdb_checkpassword_main'
        option: 'userdb'
        state: '{{ "present" if ("checkpassword" in dovecot__user_accounts and
                     dovecot__checkpassword_userdb_command | d()) else "absent" }}'
        options:

          - name: 'driver'
            value: 'checkpassword'

          - name: 'args'
            value: '{{ dovecot__checkpassword_userdb_command }}'

  - section: 'tls'
    title: 'TLS Configuration'
    state: '{{ "present" if dovecot__pki is defined and dovecot__pki else "absent" }}'
    options:

      - name: 'ssl'
        value: '{{ "required" if dovecot__ssl_required else "yes" }}'

      - name: 'ssl_prefer_server_ciphers'
        value: 'yes'
        comment: 'Prefer the server''s order of ciphers over the client''s. (dovecot >= 2.2.6)'

      - name: 'ssl_cert'
        value: '<{{ dovecot__pki_path ~ "/" ~ dovecot__pki_realm ~ "/" ~ dovecot__pki_crt }}'

      - name: 'ssl_key'
        value: '<{{ dovecot__pki_path ~ "/" ~ dovecot__pki_realm ~ "/" ~ dovecot__pki_key }}'

      - name: 'ssl_protocols'
        value: '{{ dovecot__ssl_min_protocol }}'
        state: '{{ "present" if dovecot__version is version("2.3.0", "<") else "absent" }}'

      - name: 'ssl_dh_parameters_length'
        value: '{{ dovecot__ssl_dh_parameters_length }}'
        state: '{{ "present" if dovecot__version is version("2.3.0", "<") else "absent" }}'
        comment: 'Diffie-Hellman parameters length (default 1024, dovecot >= 2.2.7, optional in dovecot >= 2.3.3)'

      - name: 'ssl_min_protocol'
        value: '{{ dovecot__ssl_min_protocol }}'
        state: '{{ "present" if dovecot__version is version("2.3.0", ">=") else "absent" }}'

      - name: 'ssl_dh'
        value: '{{ "" if (dovecot__ssl_dh_file == "") else ("<" + dovecot__ssl_dh_file) }}'
        state: '{{ "present" if dovecot__version is version("2.3.0", ">=") else "absent" }}'

      - name: 'ssl_cipher_list'
        value: '{{ dovecot__ssl_cipher_list }}'

      - name: 'ssl_client_ca_dir'
        value: '/etc/ssl/certs'
        state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'

  - section: 'no_tls'
    title: 'TLS Non-Configuration'
    state: '{{ "absent" if dovecot__pki is defined and dovecot__pki else "present" }}'
    options:

      - name: 'ssl'
        value: 'no'

  - section: 'services'
    title: 'Dovecot services'
    options:

      - name: 'service imap-login'
        state: '{{ "present" if ("imap" in dovecot__features or "imaps" in dovecot__features) else "absent" }}'
        options:

          - name: 'inet_listener imap'
            options:

              - name: 'address'
                value: '127.0.0.1, [::1]'
                comment: 'Only localhost if no PKI is configured'
                state: '{{ "present" if not dovecot__pki | d(True) else "comment" }}'

              - name: 'port'
                value: '{{ 143 if "imap" in dovecot__features else 0 }}'

          - name: 'inet_listener imaps'
            options:

              - name: 'port'
                value: '{{ 993 if ("imaps" in dovecot__features and dovecot__pki | d(True)) else 0 }}'
                comment: 'Disabled if no PKI is configured'

      - name: 'service pop3-login'
        state: '{{ "present" if ("pop3" in dovecot__features or "pop3s" in dovecot__features) else "absent" }}'
        options:

          - name: 'inet_listener pop3'
            options:

              - name: 'address'
                value: '127.0.0.1, [::1]'
                comment: 'Only localhost if no PKI is configured'
                state: '{{ "present" if not dovecot__pki | d(True) else "comment" }}'

              - name: 'port'
                value: '{{ 110 if "pop3" in dovecot__features else 0 }}'

          - name: 'inet_listener pop3s'
            options:

              - name: 'port'
                value: '{{ 995 if ("pop3s" in dovecot__features and dovecot__pki | d(True)) else 0 }}'
                comment: 'Disabled if no PKI is configured'

      - name: 'service lmtp'
        state: '{{ "present" if "lmtp" in dovecot__features else "absent" }}'
        options:

          - name: 'user'
            value: '{{ dovecot__vmail_posix_user }}'
            state: '{{ "present" if dovecot__vmail_enabled | d(False) else "absent" }}'

          - name: 'unix_listener /var/spool/postfix/private/dovecot-lmtp'
            options:

              - name: 'mode'
                value: '0660'

              - name: 'group'
                value: 'postfix'

              - name: 'user'
                value: 'postfix'

      - name: 'service managesieve-login'
        state: '{{ "present" if "sieve" in dovecot__features else "absent" }}'
        options:

          - name: 'inet_listener sieve'
            options:

              - name: 'port'
                value: '4190'

      - name: 'service replicator'
        state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
        options:

          - name: 'process_min_avail'
            value: '1'

          - name: 'unix_listener replicator-doveadm'
            options:

              - name: 'mode'
                value: '0600'

              - name: 'user'
                value: 'vmail'

      - name: 'service aggregator'
        state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
        options:

          - name: 'fifo_listener replication-notify-fifo'
            options:

              - name: 'user'
                value: 'vmail'

          - name: 'unix_listener replication-notify'
            options:

              - name: 'user'
                value: 'vmail'

      - name: 'service doveadm'
        state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
        options:

          - name: 'inet_listener doveadm'
            options:

              - name: 'port'
                value: '{{ dovecot__dsync_port }}'

              - name: 'ssl'
                value: 'yes'
                state: '{{ "present" if (dovecot__pki | d(True)) else "absent" }}'

      - name: 'replication_max_conns'
        value: '10'
        state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'

      - name: 'doveadm_port'
        value: '{{ dovecot__dsync_port }}'
        state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'

      - name: 'doveadm_password'
        value: '{{ dovecot__dsync_password }}'
        state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'

      - name: 'service auth'
        options:

          - name: 'unix_listener /var/spool/postfix/private/auth'
            options:

              - name: 'mode'
                value: '0660'

              - name: 'group'
                value: 'postfix'

              - name: 'user'
                value: 'postfix'

          - name: 'unix_listener auth-userdb'
            state: '{{ "present" if (dovecot__vmail_enabled | d(False) and
                         "lmtp" in dovecot__features) else "absent" }}'
            options:

              - name: 'mode'
                value: '0660'

              - name: 'group'
                value: '{{ dovecot__vmail_posix_group }}'

              - name: 'user'
                value: '{{ dovecot__vmail_posix_user }}'

  - section: 'protocols'
    title: 'Protocol settings'
    options:

      - name: 'protocol imap'
        state: '{{ "present" if ("imap" in dovecot__features or "imaps" in dovecot__features) else "absent" }}'
        options:

          - name: 'mail_plugins'
            value: '{{ dovecot__mail_plugins_imap | flatten | join(" ") }}'

          - name: 'mail_max_userip_connections'
            value: '20'
            state: 'comment'

          - name: 'imap_idle_notify_interval'
            value: '29 mins'
            state: 'comment'

      - name: 'protocol pop3'
        state: '{{ "present" if ("pop3" in dovecot__features or "pop3s" in dovecot__features) else "absent" }}'
        options:

          - name: 'mail_plugins'
            value: '{{ dovecot__mail_plugins_pop3 | flatten | join(" ") }}'

          - name: 'mail_max_userip_connections'
            value: '10'
            state: 'comment'

      - name: 'protocol lda'
        state: '{{ "present" if "lmtp" not in dovecot__features else "absent" }}'
        options:

          - name: 'mail_plugins'
            value: '{{ dovecot__mail_plugins_lda | flatten | join(" ") }}'

          - name: 'postmaster_address'
            value: 'postmaster@{{ ansible_domain }}'

      - name: 'protocol lmtp'
        state: '{{ "present" if "lmtp" in dovecot__features else "absent" }}'
        options:

          - name: 'mail_plugins'
            value: '{{ dovecot__mail_plugins_lmtp | flatten | join(" ") }}'

          - name: 'postmaster_address'
            value: 'postmaster@{{ ansible_domain }}'

  - section: 'mailbox_locations'
    title: 'Mailbox Locations'
    options:

      - name: 'mail_home'
        value: '{{ dovecot__vmail_home }}'
        state: '{{ "present" if dovecot__vmail_enabled else "absent" }}'

      - name: 'mail_location'
        value: '{{ dovecot__mail_location }}'
        state: '{{ "present" if dovecot__mail_location | d() else "comment" }}'

  - section: 'mailbox_namespaces'
    title: 'Mailbox Namespaces'
    options:

      - name: 'namespace inbox'
        options:

          - name: 'inbox'
            value: 'yes'
            comment: 'There can be only one INBOX, and this setting defines which namespace has it.'

          - name: 'mailbox Drafts'
            options:
              - name: 'special_use'
                value: '\Drafts'

          - name: 'mailbox Junk'
            options:
              - name: 'special_use'
                value: '\Junk'

          - name: 'mailbox Trash'
            comment: |
              If you change the name of this mailbox and use LDAP,
              dovecot__ldap_trash_field also needs to be updated.
            options:

              - name: 'special_use'
                value: '\Trash'

          - name: 'mailbox Sent'
            comment: |
              For \Sent mailboxes there are two widely used names. We'll mark both of
              them as \Sent. User typically deletes one of them if duplicates are created.
            options:

              - name: 'special_use'
                value: '\Sent'

          - name: 'mailbox "Sent Messages"'
            options:

              - name: 'special_use'
                value: '\Sent'

          - name: 'mailbox virtual/All'
            comment: 'If you have a virtual "All Messages" mailbox:'
            state: 'comment'
            options:

              - name: 'special_use'
                value: '\All'

              - name: 'comment'
                value: 'All my messages'

          - name: 'mailbox virtual/Flagged'
            comment: 'If you have a virtual "Flagged" mailbox:'
            state: 'comment'
            options:

              - name: 'special_use'
                value: '\Flagged'

              - name: 'comment'
                value: 'All my flagged messages'

          - name: 'mailbox virtual/Important'
            comment: 'If you have a virtual "Important" mailbox:'
            state: 'comment'
            options:

              - name: 'special_use'
                value: '\Important'

              - name: 'comment'
                value: 'All my important messages'

  - section: 'plugins'
    title: 'Mail Plugins'
    options:

      - name: 'plugin'
        options:

          - name: 'sieve'
            value: '{{ dovecot__sieve_dir }}'
            state: '{{ "present" if "sieve" in dovecot__features else "absent" }}'

          - name: 'quota'
            value: 'maildir:User quota'
            state: '{{ "present" if "quota" in dovecot__features else "absent" }}'

          - name: 'mail_replica'
            value: '{{ dovecot__dsync_replica }}'
            state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
dovecot__configuration

The dovecot configuration options defined for all hosts in the Ansible inventory.

dovecot__configuration: []
dovecot__group_configuration

The dovecot configuration options defined for hosts in a specific Ansible inventory group.

dovecot__group_configuration: []
dovecot__host_configuration

The dovecot configuration options defined for a specific host in the Ansible inventory.

dovecot__host_configuration: []
dovecot__combined_configuration

The variable that combines other dovecot configuration options for use in the /etc/dovecot/dovecot.conf template.

dovecot__combined_configuration: '{{ dovecot__default_configuration
                                      + dovecot__configuration
                                      + dovecot__group_configuration
                                      + dovecot__host_configuration }}'
dovecot__mail_plugins

Default mail plugins for all protocols.

dovecot__mail_plugins:
  - '$mail_plugins'
  - '{{ "notify" if "dsync" in dovecot__features else [] }}'
  - '{{ "replication" if "dsync" in dovecot__features else [] }}'
  - '{{ "quota" if "quota" in dovecot__features else [] }}'
dovecot__mail_plugins_imap

Enabled mail plugins for the IMAP protocol.

dovecot__mail_plugins_imap:
  - '{{ dovecot__mail_plugins }}'
  - '{{ "imap_sieve" if "sieve" in dovecot__features else [] }}'
  - '{{ "imap_quota" if "quota" in dovecot__features else [] }}'
dovecot__mail_plugins_pop3

Enabled mail plugins for the POP3 protocol.

dovecot__mail_plugins_pop3:
  - '{{ dovecot__mail_plugins }}'
dovecot__mail_plugins_lda

Enabled mail plugins for the LDA protocol.

dovecot__mail_plugins_lda:
  - '{{ dovecot__mail_plugins }}'
  - '{{ "sieve" if "sieve" in dovecot__features else [] }}'
dovecot__mail_plugins_ltmp

Enabled mail plugins for the LMTP protocol.

dovecot__mail_plugins_lmtp:
  - '{{ dovecot__mail_plugins }}'
  - '{{ "sieve" if "sieve" in dovecot__features else [] }}'
dovecot__sieve_dir

Storage directory for sieve scripts.

dovecot__sieve_dir: 'file:~/sieve;active=~/.dovecot.sieve'

Firewall configuration

dovecot__accept_any

The default firewall policy for dovecot services.

If True, any host can connect to the dovecot daemon unless allow restrictions are defined using the variables below.

If False, no hosts can connect to the dovecot daemon by default. You need to specify IP addresses or subnets that can access the services using the variables below.

dovecot__accept_any: True
dovecot__allow_imap

List of hosts/networks that can access the imap port (143).

dovecot__allow_imap: []
dovecot__allow_imaps

List of hosts/networks that can access the imaps port (993).

dovecot__allow_imaps: []
dovecot__allow_pop3

List of hosts/networks that can access the pop3 port (110).

dovecot__allow_pop3: []
dovecot__allow_pop3s

List of hosts/networks that can access the pop3s port (995).

dovecot__allow_pop3s: []
dovecot__allow_doveadm

List of hosts/networks that can access the doveadm port (12345, used for dsync).

dovecot__allow_doveadm:
  - '{{ dovecot__dsync_host }}'
dovecot__allow_sieve

List of hosts/networks that can access the ManageSieve Protocol port (4190).

dovecot__allow_sieve: []

LDAP

dovecot__ldap_enabled

When enabled, dovecot will authenticate users against LDAP and authorize access to the user's mailbox.

dovecot__ldap_enabled: '{{ True
                           if (ansible_local | d() and ansible_local.ldap | d() and
                              (ansible_local.ldap.enabled | d()) | bool)
                           else False }}'
dovecot__ldap_base_dn

The base Distinguished Name which should be used to create Distinguished Names of the LDAP directory objects.

dovecot__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
dovecot__ldap_device_dn

The Distinguished Name of the current host LDAP object. It will be used as a base for the Virtual Mail service account LDAP object. If empty, the role will not create the account LDAP object automatically.

dovecot__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
dovecot__ldap_self_rdn

The Relative Distinguished Name of the account LDAP object used by the dovecot service to access the LDAP directory.

dovecot__ldap_self_rdn: 'uid=dovecot'
dovecot__ldap_self_object_classes

List of the LDAP object classes which will be used to create the LDAP object used by the dovecot service to access the LDAP directory.

dovecot__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
dovecot__ldap_self_attributes

YAML dictionary that defines the attributes of the LDAP object used by the dovecot service to access the LDAP directory.

dovecot__ldap_self_attributes:
  uid: '{{ dovecot__ldap_self_rdn.split("=")[1] }}'
  userPassword: '{{ dovecot__ldap_bindpw }}'
  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
  description: 'Account used by the "Dovecot" service to access the LDAP directory'
dovecot__ldap_binddn

The Distinguished Name used to bind to the LDAP directory.

dovecot__ldap_binddn: '{{ ([dovecot__ldap_self_rdn]
                           + dovecot__ldap_device_dn) | join(",") }}'
dovecot__ldap_bindpw

The password used to bind to the LDAP directory.

dovecot__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
                           + dovecot__ldap_binddn | to_uuid + ".password length=32 "
                           + "chars=ascii_letters,digits,!@_$%^&*"))
                          if dovecot__ldap_enabled | bool
                          else "" }}'
dovecot__ldap_people_rdn

The Relative Distinguished Name of the LDAP object which contains the user accounts in LDAP.

dovecot__ldap_people_rdn: '{{ ansible_local.ldap.people_rdn | d("ou=People") }}'
dovecot__ldap_people_dn

The Distinguished Name of the LDAP object which contains the user accounts.

dovecot__ldap_people_dn: '{{ [dovecot__ldap_people_rdn]
                             + dovecot__ldap_base_dn }}'
dovecot__ldap_uri

List of LDAP URIs that point to the directory servers which should be used.

dovecot__ldap_uri: '{{ ansible_local.ldap.uri | d([""]) }}'
dovecot__ldap_start_tls

If True, STARTTLS will be used to connect to the LDAP server.

dovecot__ldap_start_tls: '{{ ansible_local.ldap.start_tls | d(True) | bool }}'
dovecot__ldap_user_filter

The LDAP filter used to look up user accounts in the directory. See LDAP tasks and administrative operations for more information.

dovecot__ldap_user_filter: '(&
                              (objectClass=mailRecipient)
                              (|
                                (uid=%n)
                                (mail=%u)
                              )
                              (|
                                (authorizedService=all)
                                (authorizedService=mail:access)
                              )
                            )'
dovecot__ldap_user_list_filter

The LDAP filter used to look list user accounts in the directory. This allows commands like doveadm users '*' or doveadm purge -A to work. See LDAP tasks and administrative operations for more information.

dovecot__ldap_user_list_filter: '(&
                                   (objectClass=mailRecipient)
                                   (|
                                     (authorizedService=all)
                                     (authorizedService=mail:access)
                                   )
                                 )'
dovecot__ldap_user_list_filter_attribute

The attribute used by the dovecot__ldap_user_list_filter filter as the identifier of the user. See LDAP tasks and administrative operations for more information.

dovecot__ldap_user_list_filter_attribute: 'mail'
dovecot__ldap_quota_attribute

The LDAP attribute storing the user quota.

dovecot__ldap_quota_attribute: 'mailQuota'
dovecot__ldap_quota_default

Default LDAP quota.

dovecot__ldap_quota_default: '10 GB'
dovecot__ldap_trash_field

The dovecot internal field name which corresponds to the trash mailbox, used to control the automatic expunction of mails via the mailExpungeTrash LDAP attribute.

dovecot__ldap_trash_field: 'namespace/inbox/mailbox/Trash/autoexpunge'

Configuration for other Ansible roles

dovecot__postfix_lmtp_transport

Postfix mail transport target if LMTP is enabled.

dovecot__postfix_lmtp_transport: 'lmtp:unix:private/dovecot-lmtp'
dovecot__ldap__dependent_tasks

Configuration for the debops.ldap role.

dovecot__ldap__dependent_tasks:
  - name: 'Create Postfix account for {{ dovecot__ldap_device_dn | join(",") }}'
    dn: '{{ dovecot__ldap_binddn }}'
    objectClass: '{{ dovecot__ldap_self_object_classes }}'
    attributes: '{{ dovecot__ldap_self_attributes }}'
    no_log: '{{ debops__no_log | d(True) }}'
    state: '{{ "present"
                if (dovecot__ldap_enabled | bool and
                    dovecot__ldap_device_dn | d())
                else "ignore" }}'
dovecot__postfix__dependent_maincf

The main.cf configuration for the debops.postfix role.

dovecot__postfix__dependent_maincf:

  # The default TLS security level set by the 'postfix' role is "may", however
  # when the mail is delivered over local UNIX socket, this results in
  # a warning in the mail logs: "warning: smtp_connect_local: opportunistic TLS
  # encryption is not appropriate for unix-domain destinations". Therefore if
  # we know that Dovecot is installed locally and we deliver over an UNIX
  # socket, we can disable the opportunistic TLS encryption for the LMTP
  # protocol.
  - name: 'lmtp_tls_security_level'
    comment: |
      Security level overridden via local Dovecot installation
    value: '{{ "none"
               if dovecot__postfix_lmtp_transport.startswith("lmtp:unix:")
               else "may" }}'
    state: '{{ "present" if "lmtp" in dovecot__features else "ignore" }}'

  # We don't care about the STARTTLS offer when we talk to Dovecot over an UNIX
  # socket.
  - name: 'lmtp_tls_note_starttls_offer'
    value: '{{ False
               if dovecot__postfix_lmtp_transport.startswith("lmtp:unix:")
               else True }}'
    state: '{{ "present" if "lmtp" in dovecot__features else "ignore" }}'

  - name: 'virtual_transport'
    value: '{{ dovecot__postfix_lmtp_transport }}'
    state: '{{ "present"
               if ("lmtp" in dovecot__features and
                   dovecot__ldap_enabled | bool)
               else "ignore" }}'

  - name: 'mailbox_transport'
    value: '{{ dovecot__postfix_lmtp_transport }}'
    state: '{{ "present"
               if ("lmtp" in dovecot__features and
                   not dovecot__ldap_enabled | bool)
               else "ignore" }}'
dovecot__postfix__dependent_mastercf

The master.cf configuration for the debops.postfix role.

dovecot__postfix__dependent_mastercf: []
dovecot__etc_services__dependent_list

Configuration for the debops.etc_services role.

dovecot__etc_services__dependent_list:

  - name: 'doveadm'
    port: '{{ dovecot__dsync_port }}'
    protocols: [ 'tcp' ]
    comment: 'Added by debops.dovecot Ansible role.'
dovecot__ferm__dependent_rules

Configuration for the debops.ferm role.

dovecot__ferm__dependent_rules:

  - name: 'dovecot_imap'
    type: 'accept'
    by_role: 'debops.dovecot'
    dport: [ 'imap2' ]
    saddr: '{{ dovecot__allow_imap }}'
    accept_any: '{{ dovecot__accept_any }}'
    rule_state: '{{ "present"
                    if ("imap" in dovecot__features | d([]))
                    else "absent" }}'

  - name: 'dovecot_imaps'
    type: 'accept'
    by_role: 'debops.dovecot'
    dport: [ 'imaps' ]
    saddr: '{{ dovecot__allow_imaps }}'
    accept_any: '{{ dovecot__accept_any }}'
    rule_state: '{{ "present"
                    if ("imaps" in dovecot__features | d([])
                         and dovecot__pki | d(True))
                    else "absent" }}'

  - name: 'dovecot_pop3'
    type: 'accept'
    by_role: 'debops.dovecot'
    dport: [ 'pop3' ]
    saddr: '{{ dovecot__allow_pop3 }}'
    accept_any: '{{ dovecot__accept_any }}'
    rule_state: '{{ "present"
                    if ("pop3" in dovecot__features | d([]))
                    else "absent" }}'

  - name: 'dovecot_pop3s'
    type: 'accept'
    by_role: 'debops.dovecot'
    dport: [ 'pop3s' ]
    saddr: '{{ dovecot__allow_pop3s }}'
    accept_any: '{{ dovecot__accept_any }}'
    rule_state: '{{ "present"
                    if ("pop3s" in dovecot__features | d([])
                         and dovecot__pki | d(True))
                    else "absent" }}'

  - name: 'dovecot_doveadm'
    type: 'accept'
    by_role: 'debops.dovecot'
    dport: [ 'doveadm' ]
    saddr: '{{ dovecot__allow_doveadm }}'
    accept_any: '{{ dovecot__accept_any }}'
    rule_state: '{{ "present"
                    if ("dsync" in dovecot__features | d([]))
                    else "absent" }}'

  - name: 'dovecot_sieve'
    type: 'accept'
    by_role: 'debops.dovecot'
    dport: [ 'sieve' ]
    saddr: '{{ dovecot__allow_sieve }}'
    accept_any: '{{ dovecot__accept_any }}'
    rule_state: '{{ "present"
                    if ("sieve" in dovecot__features | d([])
                         and dovecot__pki | d(True))
                    else "absent" }}'