debops.dovecot default variables
General Dovecot configuration
dovecot__features
List of features which should be installed and enabled. See dovecot__features for details.
dovecot__features: [ 'imap', 'imaps', 'lmtp', 'sieve', 'quota' ]
dovecot__auth_mechanisms
List of enabled authentication mechanisms. Currently plain and login are supported.
dovecot__auth_mechanisms: [ 'plain', 'login' ]
dovecot__version
Variable which specifies what Dovecot version is installed on the host. It is defined via Ansible local facts and can be used in conditions to modify the configuration as needed.
dovecot__version: '{{ ansible_local.dovecot.version|d("0.0.0") }}'
User database/mailbox configuration
dovecot__user_accounts
User account lookup mechanisms, see dovecot__user_accounts for details.
dovecot__user_accounts: '{{ [ "deny", "ldap" ]
if dovecot__ldap_enabled|bool
else [ "deny", "system" ] }}'
dovecot__deny_users
List of users for which mail access is disabled.
dovecot__deny_users: [ 'root' ]
dovecot__mail_location
Mailbox location. For mbox set something like mbox:~/mail:INBOX=/var/mail/%u. For more information about the supported format, see the Dovecot Mail Location documentation.
dovecot__mail_location: 'maildir:~/Maildir'
dovecot__auth_default_realm
The default domain (realm) to add to the usernames that don't include one. Required to correctly point the clients to their mailbox directories.
dovecot__auth_default_realm: '{{ ansible_domain }}'
Virtual Mail
These settings make it possible to host multiple (virtual) domains and to manage mail for users which do not need a local system account.
dovecot__vmail_enabled
Whether the virtual mail support should be enabled.
dovecot__vmail_enabled: '{{ True if (dovecot__user_accounts |
intersect(["mysql", "pgsql", "sqlite",
"ldap", "passwdfile" ]))
else False }}'
dovecot__vmail_posix_user
A separate user, vmail (Virtual Mail), can be used to own the mailbox directories; the various mail daemons then store and access the stored email as that user. On the one hand this prevents the mail daemon components from accessing sensitive system directories, on the other hand it protects the mailboxes from external access. Only the vmail user (and root) are allowed to access the mailboxes.
dovecot__vmail_posix_user: '{{ ansible_local.postldap.vmail_posix_user
| d("vmail") }}'
dovecot__vmail_posix_group
Virtual Mail POSIX group.
dovecot__vmail_posix_group: '{{ ansible_local.postldap.vmail_posix_group
| d("vmail") }}'
dovecot__vmail_base
The base directory where user mail directories are located, which also serves as the home directory for the dovecot__vmail_posix_user. This directory is used as the base for the virtual mail home directory paths and is used e.g. as a prefix for the mailHomeDirectory LDAP attribute if it's found in the LDAP lookups.
dovecot__vmail_base: '/var/vmail'
dovecot__vmail_home
The vmail home directory is a per-user directory where Dovecot can save user-specific files. Dovecot's home directories have nothing to do with system users' home directories. For more information, see Home Directories for Virtual Users.
dovecot__vmail_home: '{{ dovecot__vmail_base ~ "/%d/%n" }}'
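The vmail model above rests on two invariants: everything under dovecot__vmail_base is owned by the vmail user and group, and nothing in it is accessible to other local users. The audit script below is an added example written for this page, not part of the debops.dovecot role. The base path and the expected uid/gid are parameters; make_sample_tree() builds a small constructed tree (one %d/%n home with an index file) so the check can be exercised without a real mail server.

```python
"""Audit a virtual mail tree for the invariants the vmail model relies
on: every entry below the base is owned by the vmail user and group,
carries no permission bits for 'other', and is a plain file or directory.

Added example, not part of the debops.dovecot role. The base path and
the expected uid/gid are parameters; make_sample_tree() builds a small
constructed tree (one %d/%n home with an index file) for demonstration.
"""
import os
import stat
import tempfile
from typing import List, Tuple

Finding = Tuple[str, str]  # (path, reason)


def check_entry(path: str, vmail_uid: int, vmail_gid: int) -> List[Finding]:
    """Report every way a single directory entry violates the model."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # Dovecot does not create symlinks inside a Maildir; one here is
        # stray at best and at worst points the daemon outside the tree.
        return [(path, "symlink inside mail tree")]
    findings: List[Finding] = []
    if st.st_uid != vmail_uid:
        findings.append((path, f"owner uid {st.st_uid}, expected {vmail_uid}"))
    if st.st_gid != vmail_gid:
        findings.append((path, f"group gid {st.st_gid}, expected {vmail_gid}"))
    if st.st_mode & stat.S_IRWXO:
        findings.append((path, f"world-accessible mode {stat.S_IMODE(st.st_mode):04o}"))
    if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append((path, "setuid/setgid bit set on a file"))
    return findings


def audit_mail_tree(base: str, vmail_uid: int, vmail_gid: int) -> List[Finding]:
    """Walk `base` (dovecot__vmail_base) and collect every violation."""
    findings = check_entry(base, vmail_uid, vmail_gid)
    for dirpath, dirnames, filenames in os.walk(base):
        for name in sorted(dirnames + filenames):
            findings += check_entry(os.path.join(dirpath, name), vmail_uid, vmail_gid)
    return findings


def make_sample_tree(leaky: bool = False) -> Tuple[str, int, int, str]:
    """Build a constructed /var/vmail-style tree in a temporary directory
    and return (base, uid, gid, index_path). With leaky=True the index
    file is left world-readable, the defect the audit should report."""
    base = tempfile.mkdtemp(prefix="vmail-audit-")
    os.chmod(base, 0o700)
    home = os.path.join(base, "example.com", "alice")   # %d/%n layout
    os.mkdir(os.path.dirname(home), 0o700)
    os.mkdir(home, 0o700)
    index = os.path.join(home, "dovecot.index")
    os.close(os.open(index, os.O_WRONLY | os.O_CREAT, 0o600))
    if leaky:
        os.chmod(index, 0o644)
    st = os.stat(base)
    return base, st.st_uid, st.st_gid, index


if __name__ == "__main__":
    import grp
    import pwd
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "/var/vmail"
    uid = pwd.getpwnam("vmail").pw_uid
    gid = grp.getgrnam("vmail").gr_gid
    for path, reason in audit_mail_tree(target, uid, gid):
        print(f"{path}: {reason}")
```

Run it as root against the real base (the default argument matches dovecot__vmail_base) after a migration or a restore from backup, which are the usual moments when ownership and modes drift.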
DSync Settings
Dovecot supports master/master replication using dsync. For more information, see DSync Replication.
dovecot__dsync_port
Port to use for dsync, defaults to 12345.
dovecot__dsync_port: '12345'
dovecot__dsync_host
Remote host to sync with, required.
dovecot__dsync_host: ''
dovecot__dsync_replica
Remote replica to sync with, specified in the form tcp[s]:host[:port].
dovecot__dsync_replica: '{{ ("tcps" if dovecot__pki|d(True) else "tcp") ~ ":" ~
dovecot__dsync_host ~ ":" ~
dovecot__dsync_port }}'
dovecot__dsync_password_path
Path of the file on the Ansible Controller where the dsync password is stored, relative to the secret/ directory in the DebOps project directory. See the debops.secret role for more details.
dovecot__dsync_password_path: '{{ "dovecot/credentials/dsync.password" }}'
dovecot__dsync_password
Password to use for the dsync protocol. Must be the same on both hosts of a replica pair.
dovecot__dsync_password: '{{ lookup("password", secret + "/"
+ dovecot__dsync_password_path
+ " length=32") }}'
SQL Authentication Settings
dovecot__sql_connect
Database-driver specific database connection string. See SQL User Databases for more details.
dovecot__sql_connect: ''
dovecot__sql_default_pass_scheme
Default password scheme for passwords stored in an SQL database. For more information about the supported schemes, check Authentication / PasswordSchemes.
dovecot__sql_default_pass_scheme: 'SSHA512'
dovecot__sql_password_query
SQL query string to get the password. The query should return the columns username, domain and password.
dovecot__sql_password_query: "SELECT userid AS username, domain, password FROM users WHERE userid = '%n' AND domain = '%d'"
dovecot__sql_user_query
SQL query string to get the userdb entry. The query should return the columns home, uid and gid. Optionally the mail_location can be defined with the mail column, see MailLocation.
dovecot__sql_user_query: "SELECT home, uid, gid FROM users WHERE userid = '%n' AND domain = '%d'"
dovecot__sql_iterate_query
SQL query string to get a list of users. The query should return all valid users (user, or username and domain). For more information about the iterate query, see the Dovecot SQL documentation.
dovecot__sql_iterate_query: "SELECT userid AS username, domain FROM users"
dovecot__passwdfile_scheme
Default password hashing scheme for entries in the password file. An entry can override it by prefixing the hash with an explicit {SCHEME} tag.
dovecot__passwdfile_scheme: 'sha512-crypt'
dovecot__passwdfile_path
Directory which contains the Dovecot password file.
dovecot__passwdfile_path: '/etc/dovecot/private/'
dovecot__passwdfile_name
Name of the dovecot password file.
dovecot__passwdfile_name: 'passwd'
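Both dovecot__sql_default_pass_scheme (SSHA512) and dovecot__passwdfile_scheme name the hash format Dovecot expects to find in the password store. The script below is an added example, not code from the role or from Dovecot: it produces and verifies hashes in Dovecot's SSHA512 encoding, base64(SHA-512(password || salt) || salt) behind a {SSHA512} prefix, and emits a line for the passwd-file passdb. The 16-byte salt length and the sample user names are choices of the example.

```python
"""Create and verify password hashes in Dovecot's SSHA512 scheme and emit
passwd-file entries for the passwd-file passdb configured above.

Added example, not code from the debops.dovecot role or from Dovecot.
Dovecot's SSHA512 encoding is base64(SHA-512(password || salt) || salt)
behind a {SSHA512} prefix; the verifier takes everything after the
64-byte digest as the salt. The 16-byte salt and the sample user names
are choices of this example.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

SCHEME = "{SSHA512}"
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes


def ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Hash `password` with a fresh random salt unless one is supplied."""
    if salt is None:
        salt = secrets.token_bytes(16)
    if not salt:
        raise ValueError("salt must not be empty")
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha512(stored: str, password: str) -> bool:
    """Constant-time comparison of `password` against a {SSHA512} hash.
    Anything that is not a well-formed SSHA512 value is rejected."""
    if not stored.startswith(SCHEME):
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    if len(raw) <= DIGEST_LEN:
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def passwd_file_line(user: str, password: str) -> str:
    """One passwd-file line, 'user:password-hash'. The explicit {SSHA512}
    prefix overrides the scheme= given in the passdb args, so the entry
    is self-describing regardless of dovecot__passwdfile_scheme."""
    if any(c in user for c in ":\r\n"):
        raise ValueError("user name must not contain ':' or line breaks")
    return f"{user}:{ssha512(password)}"


if __name__ == "__main__":
    line = passwd_file_line("alice@example.com", "correct horse battery staple")
    print(line)
    stored = line.split(":", 1)[1]
    print(verify_ssha512(stored, "correct horse battery staple"))  # True
    print(verify_ssha512(stored, "wrong"))                          # False
```

Lines produced this way can be cross-checked with Dovecot's own tool: doveadm pw -s SSHA512 -p PASSWORD generates the same encoding, and doveadm pw -t HASH -p PASSWORD verifies one.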
dovecot__checkpassword_passdb_command
Command to fetch the password database in checkpassword auth mode.
dovecot__checkpassword_passdb_command: '/usr/bin/checkpassword'
dovecot__checkpassword_userdb_command
Command to fetch the user database in checkpassword auth mode.
dovecot__checkpassword_userdb_command: '/usr/bin/checkpassword'
PKI / TLS configuration
dovecot__pki
Enable or disable support for TLS/SSL using debops.pki.
dovecot__pki: '{{ ansible_local.pki.enabled|d() | bool }}'
dovecot__pki_path
Base PKI directory.
dovecot__pki_path: '{{ ansible_local.pki.path|d("/etc/pki/realms") }}'
dovecot__pki_realm
Default PKI realm.
dovecot__pki_realm: '{{ ansible_local.pki.realm|d("domain") }}'
dovecot__pki_ca
Name of the Root Certificate Authority certificate file, relative to the PKI realm directory.
dovecot__pki_ca: '{{ ansible_local.pki.ca|d("CA.crt") }}'
dovecot__pki_crt
Default certificate, relative to the dovecot__pki_realm variable.
dovecot__pki_crt: '{{ ansible_local.pki.crt|d("default.crt") }}'
dovecot__pki_key
Default private key, relative to the dovecot__pki_realm variable.
dovecot__pki_key: '{{ ansible_local.pki.key|d("default.key") }}'
dovecot__tls_ca_cert_dir
Directory containing X.509 Certificate Authority certificates.
dovecot__tls_ca_cert_dir: '/etc/ssl/certs/'
dovecot__ssl_required
Require SSL/TLS for all connections, also for non-plaintext authentication mechanisms (ssl = required instead of ssl = yes). For more information check the ssl setting in the Dovecot SSL Configuration documentation.
dovecot__ssl_required: True
dovecot__ssl_min_protocol
Minimum TLS protocol version. On Dovecot releases older than 2.3 the value is written to ssl_protocols, which takes a list of protocols to enable or, with a ! prefix, disable; on 2.3 and later it is written to ssl_min_protocol, which takes a single minimum version.
dovecot__ssl_min_protocol: '{{ "!SSLv2 !SSLv3"
if (ansible_distribution_release in
[ "jessie", "precise", "trusty" ])
else "TLSv1.2" }}'
dovecot__ssl_dh_parameters_length
Diffie-Hellman parameters length.
dovecot__ssl_dh_parameters_length: 4096
dovecot__ssl_cipher_list
SSL ciphers to use.
dovecot__ssl_cipher_list: '{{ dovecot__ssl_cipher_list_default }}'
dovecot__ssl_cipher_list_default
Default SSL ciphers.
dovecot__ssl_cipher_list_default: 'ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH'
dovecot__ssl_cipher_list_better_crypto
See the bettercrypto.org guide.
dovecot__ssl_cipher_list_better_crypto: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
dovecot__ssl_cipher_list_ncsc_nl
The 'good' cipher suite from the NCSC-NL TLS Guidelines v2.1.
dovecot__ssl_cipher_list_ncsc_nl: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256'
dovecot__pki_hook_name
Name of the debops.pki hook script.
dovecot__pki_hook_name: 'dovecot'
dovecot__pki_hook_path
Directory for the debops.pki hooks.
dovecot__pki_hook_path: '{{ ansible_local.pki.hooks|d("/etc/pki/hooks") }}'
dovecot__pki_hook_action
Specify how changes in PKI should affect dovecot, either 'reload' or 'restart'.
dovecot__pki_hook_action: 'reload'
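The settings in this section translate into a policy a client can observe from the outside: with ssl = required and disable_plaintext_auth = yes, the IMAP greeting before STARTTLS must advertise STARTTLS and LOGINDISABLED and no AUTH= mechanism, and after STARTTLS the negotiated version must be at least dovecot__ssl_min_protocol. The probe below is an added example, not part of the role; the host name is an assumption and the greeting strings used to test the parser are constructed.

```python
"""Probe an IMAP listener for the policy encoded by the TLS settings above:
no plaintext authentication before STARTTLS and a negotiated protocol at or
above the configured minimum.

Added example, not code from the debops.dovecot role. The host name and
port are assumptions; the parsing functions work on any IMAP greeting.
"""
import re
import socket
import ssl
from typing import Dict, List, Tuple

CAPABILITY_RE = re.compile(r"\[CAPABILITY ([^\]]*)\]")
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def capabilities(greeting: str) -> List[str]:
    """Capability tokens from a greeting such as
    '* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Dovecot ready.'"""
    match = CAPABILITY_RE.search(greeting)
    return match.group(1).split() if match else []


def pre_tls_policy_ok(greeting: str) -> Tuple[bool, List[str]]:
    """Check what a client sees before STARTTLS: STARTTLS must be offered,
    LOGIN must be disabled and no SASL mechanism advertised, which is the
    visible effect of disable_plaintext_auth = yes with ssl = required."""
    caps = capabilities(greeting)
    problems: List[str] = []
    if "STARTTLS" not in caps:
        problems.append("STARTTLS not offered")
    if "LOGINDISABLED" not in caps:
        problems.append("LOGIN allowed before TLS")
    problems += [f"{c} advertised before TLS" for c in caps if c.startswith("AUTH=")]
    return (not problems, problems)


def tls_version_ok(negotiated: str, minimum: str) -> bool:
    """True when the negotiated protocol is at least `minimum`, the value
    of dovecot__ssl_min_protocol (e.g. 'TLSv1.2')."""
    return PROTOCOL_ORDER.index(negotiated) >= PROTOCOL_ORDER.index(minimum)


def probe(host: str, port: int = 143, minimum: str = "TLSv1.2") -> Dict[str, object]:
    """Connect, read the greeting, upgrade with STARTTLS and report."""
    context = ssl.create_default_context()  # verifies the server certificate
    report: Dict[str, object] = {"host": host, "port": port}
    with socket.create_connection((host, port), timeout=10) as sock:
        reader = sock.makefile("rb")
        greeting = reader.readline().decode("utf-8", "replace")
        ok, problems = pre_tls_policy_ok(greeting)
        report.update(greeting=greeting.strip(), policy_ok=ok, problems=problems)
        sock.sendall(b"a001 STARTTLS\r\n")
        response = reader.readline().decode("utf-8", "replace")
        if not response.startswith("a001 OK"):
            report["problems"] = problems + ["STARTTLS refused: " + response.strip()]
            report["policy_ok"] = False
            return report
        with context.wrap_socket(sock, server_hostname=host) as tls:
            version = tls.version() or "unknown"
    report["tls_version"] = version
    report["version_ok"] = version in PROTOCOL_ORDER and tls_version_ok(version, minimum)
    return report


if __name__ == "__main__":
    import json
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "imap.example.com"  # assumed host
    print(json.dumps(probe(target), indent=2))
```

The handshake uses the default context, so a certificate that does not match the host name makes the probe fail loudly rather than report a version; that is the behaviour a mail client will show as well. The port 993 listener can be checked the same way by wrapping the socket before reading the greeting.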
Diffie-Hellman parameters
dovecot__dhparam
Enable or disable support for custom Diffie-Hellman parameters managed by the debops.dhparam Ansible role.
dovecot__dhparam: '{{ ansible_local.dhparam.enabled
if (ansible_local|d() and ansible_local.dhparam|d() and
ansible_local.dhparam.enabled is defined)
else False }}'
dovecot__dhparam_set
Name of the Diffie-Hellman parameter set to use. See the debops.dhparam Ansible role for more details.
dovecot__dhparam_set: 'default'
dovecot__ssl_dh_file
Absolute path to the Diffie-Hellman parameters file which should be used.
dovecot__ssl_dh_file: '{{ ansible_local.dhparam[dovecot__dhparam_set]
if (ansible_local|d() and ansible_local.dhparam|d() and
ansible_local.dhparam[dovecot__dhparam_set]|d())
else "" }}'
Dovecot custom configuration
These variables define the contents of the /etc/dovecot/dovecot.conf configuration file.
dovecot__default_configuration
The default dovecot configuration options defined by the role. See Syntax for details.
dovecot__default_configuration:
- section: 'main'
title: 'Main Configuration'
options:
- name: 'protocols'
comment: 'Currently active protocols'
value: "{{ dovecot__features |
intersect(['imap', 'imaps', 'pop3',
'pop3s', 'sieve', 'lmtp']) |
map('regex_replace', '^(imap|pop3)s$', '\\1') |
list | unique | join(' ') }}"
- section: 'authentication'
title: 'Client Configuration'
options:
- name: 'auth_mechanisms'
value: '{{ dovecot__auth_mechanisms | join(" ") }}'
- name: 'disable_plaintext_auth'
value: 'yes'
- name: 'auth_default_realm'
value: '{{ dovecot__auth_default_realm }}'
- name: 'mail_uid'
value: '{{ dovecot__vmail_posix_user }}'
state: '{{ "present" if dovecot__vmail_enabled|d(False) else "absent" }}'
- name: 'mail_gid'
value: '{{ dovecot__vmail_posix_group }}'
state: '{{ "present" if dovecot__vmail_enabled|d(False) else "absent" }}'
- name: 'mail_privileged_group'
value: '{{ dovecot__vmail_posix_user }}'
state: '{{ "present" if dovecot__vmail_enabled|d(False) else "absent" }}'
- name: 'passdb_deny'
option: 'passdb'
state: '{{ "present" if "deny" in dovecot__user_accounts else "absent" }}'
options:
- name: 'driver'
value: 'passwd-file'
- name: 'deny'
value: 'yes'
- name: 'args'
value: '/etc/dovecot/dovecot.deny'
- name: 'passdb_system'
option: 'passdb'
state: '{{ "present" if "system" in dovecot__user_accounts else "absent" }}'
options:
- name: 'driver'
value: 'pam'
- name: 'args'
value: 'session=yes dovecot'
- name: 'userdb_system'
option: 'userdb'
state: '{{ "present" if "system" in dovecot__user_accounts else "absent" }}'
options:
- name: 'driver'
value: 'passwd'
- name: 'args'
value: 'blocking=no'
- name: 'passdb_sql'
option: 'passdb'
state: '{{ "present" if (dovecot__user_accounts | d([]) |
intersect(["mysql", "pgsql", "sqlite"])) else "absent" }}'
options:
- name: 'driver'
value: 'sql'
- name: 'args'
value: '/etc/dovecot/dovecot-sql.conf.ext'
- name: 'userdb_sql'
option: 'userdb'
state: '{{ "present" if (dovecot__user_accounts | d([]) |
intersect(["mysql", "pgsql", "sqlite"])) else "absent" }}'
options:
- name: 'driver'
value: 'sql'
- name: 'args'
value: '/etc/dovecot/dovecot-sql.conf.ext'
- name: 'passdb_ldap'
option: 'passdb'
state: '{{ "present" if "ldap" in dovecot__user_accounts else "absent" }}'
options:
- name: 'driver'
value: 'ldap'
- name: 'args'
value: '/etc/dovecot/dovecot-ldap-passdb.conf'
- name: 'userdb_ldap'
option: 'userdb'
state: '{{ "present" if "ldap" in dovecot__user_accounts else "absent" }}'
options:
- name: 'driver'
value: 'ldap'
- name: 'args'
value: '/etc/dovecot/dovecot-ldap-userdb.conf'
- name: 'passdb_passwd'
option: 'passdb'
state: '{{ "present" if "passwdfile" in dovecot__user_accounts else "absent" }}'
options:
- name: 'driver'
value: 'passwd-file'
- name: 'args'
value: 'scheme={{ dovecot__passwdfile_scheme }} {{ dovecot__passwdfile_path }}/{{ dovecot__passwdfile_name }}'
- name: 'userdb_passwd'
option: 'userdb'
state: '{{ "present" if "passwdfile" in dovecot__user_accounts else "absent" }}'
options:
- name: 'driver'
value: 'static'
- name: 'args'
value: 'uid={{ dovecot__vmail_posix_user }} gid={{ dovecot__vmail_posix_group }} home={{ dovecot__vmail_home }}'
- name: 'default_fields'
value: 'quota_rule=*:storage=1G'
comment: 'Default fields that can be overridden by passwd-file'
state: 'comment'
- name: 'override_fields'
value: 'home=/home/virtual/%u'
comment: 'Override fields from passwd-file'
state: 'comment'
- name: 'passdb_checkpassword'
option: 'passdb'
state: '{{ "present" if ("checkpassword" in dovecot__user_accounts and
dovecot__checkpassword_passdb_command|d()) else "absent" }}'
options:
- name: 'driver'
value: 'checkpassword'
- name: 'args'
value: '{{ dovecot__checkpassword_passdb_command }}'
- name: 'userdb_checkpassword_pre'
option: 'userdb'
state: '{{ "present" if ("checkpassword" in dovecot__user_accounts and
dovecot__checkpassword_userdb_command|d()) else "absent" }}'
options:
- name: 'driver'
value: 'prefetch'
- name: 'userdb_checkpassword_main'
option: 'userdb'
state: '{{ "present" if ("checkpassword" in dovecot__user_accounts and
dovecot__checkpassword_userdb_command|d()) else "absent" }}'
options:
- name: 'driver'
value: 'checkpassword'
- name: 'args'
value: '{{ dovecot__checkpassword_userdb_command }}'
- section: 'tls'
title: 'TLS Configuration'
state: '{{ "present" if dovecot__pki is defined and dovecot__pki else "absent" }}'
options:
- name: 'ssl'
value: '{{ "required" if dovecot__ssl_required else "yes" }}'
- name: 'ssl_prefer_server_ciphers'
value: 'yes'
comment: 'Prefer the server''s order of ciphers over the client''s. (dovecot >= 2.2.6)'
- name: 'ssl_cert'
value: '<{{ dovecot__pki_path ~ "/" ~ dovecot__pki_realm ~ "/" ~ dovecot__pki_crt }}'
- name: 'ssl_key'
value: '<{{ dovecot__pki_path ~ "/" ~ dovecot__pki_realm ~ "/" ~ dovecot__pki_key }}'
- name: 'ssl_protocols'
value: '{{ dovecot__ssl_min_protocol }}'
state: '{{ "present" if dovecot__version is version("2.3.0", "<") else "absent" }}'
- name: 'ssl_dh_parameters_length'
value: '{{ dovecot__ssl_dh_parameters_length }}'
state: '{{ "present" if dovecot__version is version("2.3.0", "<") else "absent" }}'
comment: 'Diffie-Hellman parameters length (default 1024, dovecot >= 2.2.7, optional in dovecot >= 2.3.3)'
- name: 'ssl_min_protocol'
value: '{{ dovecot__ssl_min_protocol }}'
state: '{{ "present" if dovecot__version is version("2.3.0", ">=") else "absent" }}'
- name: 'ssl_dh'
value: '{{ "" if (dovecot__ssl_dh_file == "") else ("<" + dovecot__ssl_dh_file) }}'
state: '{{ "present" if dovecot__version is version("2.3.0", ">=") else "absent" }}'
- name: 'ssl_cipher_list'
value: '{{ dovecot__ssl_cipher_list }}'
- name: 'ssl_client_ca_dir'
value: '/etc/ssl/certs'
state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
- section: 'no_tls'
title: 'TLS Non-Configuration'
state: '{{ "absent" if dovecot__pki is defined and dovecot__pki else "present" }}'
options:
- name: 'ssl'
value: 'no'
- section: 'services'
title: 'Dovecot services'
options:
- name: 'service imap-login'
state: '{{ "present" if ("imap" in dovecot__features or "imaps" in dovecot__features) else "absent" }}'
options:
- name: 'inet_listener imap'
options:
- name: 'address'
value: '127.0.0.1, [::1]'
comment: 'Only localhost if no PKI is configured'
state: '{{ "present" if not dovecot__pki|d(True) else "comment" }}'
- name: 'port'
value: '{{ 143 if "imap" in dovecot__features else 0 }}'
- name: 'inet_listener imaps'
options:
- name: 'port'
value: '{{ 993 if ("imaps" in dovecot__features and dovecot__pki|d(True)) else 0 }}'
comment: 'Disabled if no PKI is configured'
- name: 'service pop3-login'
state: '{{ "present" if ("pop3" in dovecot__features or "pop3s" in dovecot__features) else "absent" }}'
options:
- name: 'inet_listener pop3'
options:
- name: 'address'
value: '127.0.0.1, [::1]'
comment: 'Only localhost if no PKI is configured'
state: '{{ "present" if not dovecot__pki|d(True) else "comment" }}'
- name: 'port'
value: '{{ 110 if "pop3" in dovecot__features else 0 }}'
- name: 'inet_listener pop3s'
options:
- name: 'port'
value: '{{ 995 if ("pop3s" in dovecot__features and dovecot__pki|d(True)) else 0 }}'
comment: 'Disabled if no PKI is configured'
- name: 'service lmtp'
state: '{{ "present" if "lmtp" in dovecot__features else "absent" }}'
options:
- name: 'user'
value: '{{ dovecot__vmail_posix_user }}'
state: '{{ "present" if dovecot__vmail_enabled|d(False) else "absent" }}'
- name: 'unix_listener /var/spool/postfix/private/dovecot-lmtp'
options:
- name: 'mode'
value: '0660'
- name: 'group'
value: 'postfix'
- name: 'user'
value: 'postfix'
- name: 'service managesieve-login'
state: '{{ "present" if "sieve" in dovecot__features else "absent" }}'
options:
- name: 'inet_listener sieve'
options:
- name: 'port'
value: '4190'
- name: 'service replicator'
state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
options:
- name: 'process_min_avail'
value: '1'
- name: 'unix_listener replicator-doveadm'
options:
- name: 'mode'
value: '0600'
- name: 'user'
value: 'vmail'
- name: 'service aggregator'
state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
options:
- name: 'fifo_listener replication-notify-fifo'
options:
- name: 'user'
value: 'vmail'
- name: 'unix_listener replication-notify'
options:
- name: 'user'
value: 'vmail'
- name: 'service doveadm'
state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
options:
- name: 'inet_listener doveadm'
options:
- name: 'port'
value: '{{ dovecot__dsync_port }}'
- name: 'ssl'
value: 'yes'
state: '{{ "present" if (dovecot__pki|d(True)) else "absent" }}'
- name: 'replication_max_conns'
value: '10'
state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
- name: 'doveadm_port'
value: '{{ dovecot__dsync_port }}'
state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
- name: 'doveadm_password'
value: '{{ dovecot__dsync_password }}'
state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
- name: 'service auth'
options:
- name: 'unix_listener /var/spool/postfix/private/auth'
options:
- name: 'mode'
value: '0660'
- name: 'group'
value: 'postfix'
- name: 'user'
value: 'postfix'
- name: 'unix_listener auth-userdb'
state: '{{ "present" if (dovecot__vmail_enabled|d(False) and
"lmtp" in dovecot__features) else "absent" }}'
options:
- name: 'mode'
value: '0660'
- name: 'group'
value: '{{ dovecot__vmail_posix_group }}'
- name: 'user'
value: '{{ dovecot__vmail_posix_user }}'
- section: 'protocols'
title: 'Protocol settings'
options:
- name: 'protocol imap'
state: '{{ "present" if ("imap" in dovecot__features or "imaps" in dovecot__features) else "absent" }}'
options:
- name: 'mail_plugins'
value: '{{ dovecot__mail_plugins_imap | flatten | join(" ") }}'
- name: 'mail_max_userip_connections'
value: '20'
state: 'comment'
- name: 'imap_idle_notify_interval'
value: '29 mins'
state: 'comment'
- name: 'protocol pop3'
state: '{{ "present" if ("pop3" in dovecot__features or "pop3s" in dovecot__features) else "absent" }}'
options:
- name: 'mail_plugins'
value: '{{ dovecot__mail_plugins_pop3 | flatten | join(" ") }}'
- name: 'mail_max_userip_connections'
value: '10'
state: 'comment'
- name: 'protocol lda'
state: '{{ "present" if "lmtp" not in dovecot__features else "absent" }}'
options:
- name: 'mail_plugins'
value: '{{ dovecot__mail_plugins_lda | flatten | join(" ") }}'
- name: 'postmaster_address'
value: 'postmaster@{{ ansible_domain }}'
- name: 'protocol lmtp'
state: '{{ "present" if "lmtp" in dovecot__features else "absent" }}'
options:
- name: 'mail_plugins'
value: '{{ dovecot__mail_plugins_lmtp | flatten | join(" ") }}'
- name: 'postmaster_address'
value: 'postmaster@{{ ansible_domain }}'
- section: 'mailbox_locations'
title: 'Mailbox Locations'
options:
- name: 'mail_home'
value: '{{ dovecot__vmail_home }}'
state: '{{ "present" if dovecot__vmail_enabled else "absent" }}'
- name: 'mail_location'
value: '{{ dovecot__mail_location }}'
state: '{{ "present" if dovecot__mail_location|d() else "comment" }}'
- section: 'mailbox_namespaces'
title: 'Mailbox Namespaces'
options:
- name: 'namespace inbox'
options:
- name: 'inbox'
value: 'yes'
comment: 'There can be only one INBOX, and this setting defines which namespace has it.'
- name: 'mailbox Drafts'
options:
- name: 'special_use'
value: '\Drafts'
- name: 'mailbox Junk'
options:
- name: 'special_use'
value: '\Junk'
- name: 'mailbox Trash'
comment: |
If you change the name of this mailbox and use LDAP,
dovecot__ldap_trash_field also needs to be updated.
options:
- name: 'special_use'
value: '\Trash'
- name: 'mailbox Sent'
comment: |
For \Sent mailboxes there are two widely used names. We'll mark both of
them as \Sent. User typically deletes one of them if duplicates are created.
options:
- name: 'special_use'
value: '\Sent'
- name: 'mailbox "Sent Messages"'
options:
- name: 'special_use'
value: '\Sent'
- name: 'mailbox virtual/All'
comment: 'If you have a virtual "All Messages" mailbox:'
state: 'comment'
options:
- name: 'special_use'
value: '\All'
- name: 'comment'
value: 'All my messages'
- name: 'mailbox virtual/Flagged'
comment: 'If you have a virtual "Flagged" mailbox:'
state: 'comment'
options:
- name: 'special_use'
value: '\Flagged'
- name: 'comment'
value: 'All my flagged messages'
- name: 'mailbox virtual/Important'
comment: 'If you have a virtual "Important" mailbox:'
state: 'comment'
options:
- name: 'special_use'
value: '\Important'
- name: 'comment'
value: 'All my important messages'
- section: 'plugins'
title: 'Mail Plugins'
options:
- name: 'plugin'
options:
- name: 'sieve'
value: '{{ dovecot__sieve_dir }}'
state: '{{ "present" if "sieve" in dovecot__features else "absent" }}'
- name: 'quota'
value: 'maildir:User quota'
state: '{{ "present" if "quota" in dovecot__features else "absent" }}'
- name: 'mail_replica'
value: '{{ dovecot__dsync_replica }}'
state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
dovecot__configuration
The dovecot configuration options defined for all hosts in the Ansible inventory.
dovecot__configuration: []
dovecot__group_configuration
The dovecot configuration options defined for hosts in a specific Ansible inventory group.
dovecot__group_configuration: []
dovecot__host_configuration
The dovecot configuration options defined for a specific host in the Ansible inventory.
dovecot__host_configuration: []
dovecot__combined_configuration
The variable that combines the other dovecot configuration variables for use in the /etc/dovecot/dovecot.conf template.
dovecot__combined_configuration: '{{ dovecot__default_configuration
+ dovecot__configuration
+ dovecot__group_configuration
+ dovecot__host_configuration }}'
dovecot__mail_plugins
Default mail plugins for all protocols.
dovecot__mail_plugins:
- '$mail_plugins'
- '{{ "notify" if "dsync" in dovecot__features else [] }}'
- '{{ "replication" if "dsync" in dovecot__features else [] }}'
- '{{ "quota" if "quota" in dovecot__features else [] }}'
dovecot__mail_plugins_imap
Enabled mail plugins for the IMAP protocol.
dovecot__mail_plugins_imap:
- '{{ dovecot__mail_plugins }}'
- '{{ "imap_sieve" if "sieve" in dovecot__features else [] }}'
- '{{ "imap_quota" if "quota" in dovecot__features else [] }}'
dovecot__mail_plugins_pop3
Enabled mail plugins for the POP3 protocol.
dovecot__mail_plugins_pop3:
- '{{ dovecot__mail_plugins }}'
dovecot__mail_plugins_lda
Enabled mail plugins for the LDA protocol.
dovecot__mail_plugins_lda:
- '{{ dovecot__mail_plugins }}'
- '{{ "sieve" if "sieve" in dovecot__features else [] }}'
dovecot__mail_plugins_lmtp
Enabled mail plugins for the LMTP protocol.
dovecot__mail_plugins_lmtp:
- '{{ dovecot__mail_plugins }}'
- '{{ "sieve" if "sieve" in dovecot__features else [] }}'
dovecot__sieve_dir
Storage directory for sieve scripts.
dovecot__sieve_dir: 'file:~/sieve;active=~/.dovecot.sieve'
Firewall configuration
dovecot__accept_any
The default firewall policy for Dovecot services. If True, any host can connect to the Dovecot daemon unless allow restrictions are defined using the variables below. If False, no host can connect to the Dovecot daemon by default; you need to specify the IP addresses or subnets that can access the services using the variables below.
dovecot__accept_any: True
dovecot__allow_imap
List of hosts/networks that can access the imap port (143).
dovecot__allow_imap: []
dovecot__allow_imaps
List of hosts/networks that can access the imaps port (993).
dovecot__allow_imaps: []
dovecot__allow_pop3
List of hosts/networks that can access the pop3 port (110).
dovecot__allow_pop3: []
dovecot__allow_pop3s
List of hosts/networks that can access the pop3s port (995).
dovecot__allow_pop3s: []
dovecot__allow_doveadm
List of hosts/networks that can access the doveadm port (12345, used for dsync).
dovecot__allow_doveadm:
- '{{ dovecot__dsync_host }}'
dovecot__allow_sieve
List of hosts/networks that can access the ManageSieve protocol port (4190).
dovecot__allow_sieve: []
LDAP
dovecot__ldap_enabled
When enabled, dovecot will authenticate users against LDAP and authorize access to the user's mailbox.
dovecot__ldap_enabled: '{{ True
if (ansible_local|d() and ansible_local.ldap|d() and
(ansible_local.ldap.enabled|d())|bool)
else False }}'
dovecot__ldap_base_dn
The base Distinguished Name which should be used to create Distinguished Names of the LDAP directory objects.
dovecot__ldap_base_dn: '{{ ansible_local.ldap.base_dn|d([]) }}'
dovecot__ldap_device_dn
The Distinguished Name of the current host LDAP object. It will be used as a base for the Virtual Mail service account LDAP object. If empty, the role will not create the account LDAP object automatically.
dovecot__ldap_device_dn: '{{ ansible_local.ldap.device_dn|d([]) }}'
dovecot__ldap_self_rdn
The Relative Distinguished Name of the account LDAP object used by the dovecot service to access the LDAP directory.
dovecot__ldap_self_rdn: 'uid=dovecot'
dovecot__ldap_self_object_classes
List of the LDAP object classes which will be used to create the LDAP object used by the dovecot service to access the LDAP directory.
dovecot__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
dovecot__ldap_self_attributes
YAML dictionary that defines the attributes of the LDAP object used by the dovecot service to access the LDAP directory.
dovecot__ldap_self_attributes:
uid: '{{ dovecot__ldap_self_rdn.split("=")[1] }}'
userPassword: '{{ dovecot__ldap_bindpw }}'
host: '{{ [ ansible_fqdn, ansible_hostname ] | unique }}'
description: 'Account used by the "Dovecot" service to access the LDAP directory'
dovecot__ldap_binddn
The Distinguished Name used to bind to the LDAP directory.
dovecot__ldap_binddn: '{{ ([ dovecot__ldap_self_rdn ]
+ dovecot__ldap_device_dn) | join(",") }}'
dovecot__ldap_bindpw
The password used to bind to the LDAP directory.
dovecot__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
+ dovecot__ldap_binddn | to_uuid + ".password length=32 "
+ "chars=ascii_letters,digits,!@_$%^&*"))
if dovecot__ldap_enabled|bool
else "" }}'
dovecot__ldap_people_rdn
The Relative Distinguished Name of the LDAP object which contains the user accounts in LDAP.
dovecot__ldap_people_rdn: '{{ ansible_local.ldap.people_rdn|d("ou=People") }}'
dovecot__ldap_people_dn
The Distinguished Name of the LDAP object which contains the user accounts.
dovecot__ldap_people_dn: '{{ [ dovecot__ldap_people_rdn ]
+ dovecot__ldap_base_dn }}'
dovecot__ldap_uri
List of LDAP URIs that point to the directory servers which should be used.
dovecot__ldap_uri: '{{ ansible_local.ldap.uri|d([""]) }}'
dovecot__ldap_start_tls
If True, STARTTLS will be used to connect to the LDAP server.
dovecot__ldap_start_tls: '{{ ansible_local.ldap.start_tls|d(True)|bool }}'
dovecot__ldap_user_filter
The LDAP filter used to look up user accounts in the directory. See LDAP tasks and administrative operations for more information.
dovecot__ldap_user_filter: '(&
(objectClass=mailRecipient)
(|
(uid=%n)
(mail=%u)
)
(|
(authorizedService=all)
(authorizedService=mail:access)
)
)'
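The %n, %d and %u variables in dovecot__ldap_user_filter, and in the dovecot__sql_password_query, dovecot__sql_user_query and dovecot__sql_iterate_query templates earlier on this page, are filled from the login name after dovecot__auth_default_realm has been appended to names without a domain, and Dovecot escapes each value for the backend before substituting it. The following added example, which is not Dovecot's code and not part of the role, shows that expansion with RFC 4515 escaping for the LDAP filter and MySQL-style literal escaping for the SQL query; the realm and the login names are constructed, and the MySQL-style escaping stands in for whatever escape function the configured database driver provides.

```python
"""Expand Dovecot's %u / %n / %d variables into the SQL and LDAP lookup
templates from this page, escaping each value for its backend.

Added example; not code from the debops.dovecot role or from Dovecot,
which does equivalent escaping internally. The realm, the MySQL-style
escaping and the login names used in the test are assumptions of this
example.
"""
import re
from typing import Callable, Dict

DEFAULT_REALM = "example.com"  # stands in for dovecot__auth_default_realm

# Templates copied from dovecot__sql_password_query and
# dovecot__ldap_user_filter above.
PASSWORD_QUERY = ("SELECT userid AS username, domain, password "
                  "FROM users WHERE userid = '%n' AND domain = '%d'")
LDAP_USER_FILTER = ("(&(objectClass=mailRecipient)(|(uid=%n)(mail=%u))"
                    "(|(authorizedService=all)(authorizedService=mail:access)))")

VARIABLE_RE = re.compile(r"%([und%])")


def split_user(login: str, default_realm: str = DEFAULT_REALM) -> Dict[str, str]:
    """The values Dovecot derives from a login name: %u is the full
    user@domain, %n the local part, %d the domain. A name without a
    domain gets auth_default_realm appended first."""
    if "@" in login:
        user, _, domain = login.partition("@")
    else:
        user, domain = login, default_realm
    return {"u": f"{user}@{domain}", "n": user, "d": domain}


def sql_escape_mysql(value: str) -> str:
    """Backslash-escape what could break out of a single-quoted MySQL
    literal (Dovecot uses the database driver's own escape function)."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r"}
    return "".join(table.get(c, c) for c in value)


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter."""
    table = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\0": r"\00"}
    return "".join(table.get(c, c) for c in value)


def expand(template: str, login: str, escape: Callable[[str], str],
           default_realm: str = DEFAULT_REALM) -> str:
    """Substitute %u, %n and %d (and %% for a literal percent sign),
    passing every substituted value through `escape`."""
    values = split_user(login, default_realm)

    def replace(match: re.Match) -> str:
        key = match.group(1)
        return "%" if key == "%" else escape(values[key])

    return VARIABLE_RE.sub(replace, template)


if __name__ == "__main__":
    # Two ordinary logins and two constructed hostile ones.
    for login in ("alice", "alice@mail.test", "*)(uid=*", "bob' OR '1'='1"):
        print(expand(PASSWORD_QUERY, login, sql_escape_mysql))
        print(expand(LDAP_USER_FILTER, login, ldap_filter_escape))
```

The hostile inputs show why escaping must happen per backend: the LDAP filter needs the parentheses and asterisk neutralised, the SQL literal needs the quotes, and a value that is harmless in one is not harmless in the other.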
dovecot__ldap_quota_attribute
The LDAP attribute storing the user quota.
dovecot__ldap_quota_attribute: 'mailQuota'
dovecot__ldap_quota_default
Default LDAP quota.
dovecot__ldap_quota_default: '10 GB'
dovecot__ldap_trash_field
The Dovecot internal field name which corresponds to the Trash mailbox, used to control automatic expunging of mail via the mailExpungeTrash LDAP attribute.
dovecot__ldap_trash_field: 'namespace/inbox/mailbox/Trash/autoexpunge'
Configuration for other Ansible roles
dovecot__postfix_lmtp_transport
Postfix mail transport target if LMTP is enabled.
dovecot__postfix_lmtp_transport: 'lmtp:unix:private/dovecot-lmtp'
dovecot__ldap__dependent_tasks
Configuration for the debops.ldap role.
dovecot__ldap__dependent_tasks:
- name: 'Create Dovecot account for {{ dovecot__ldap_device_dn | join(",") }}'
dn: '{{ dovecot__ldap_binddn }}'
objectClass: '{{ dovecot__ldap_self_object_classes }}'
attributes: '{{ dovecot__ldap_self_attributes }}'
no_log: '{{ debops__no_log | d(True) }}'
state: '{{ "present"
if (dovecot__ldap_enabled|bool and
dovecot__ldap_device_dn|d())
else "ignore" }}'
dovecot__postfix__dependent_maincf
The main.cf configuration for the debops.postfix role.
dovecot__postfix__dependent_maincf:
# The default TLS security level set by the 'postfix' role is "may", however
# when the mail is delivered over local UNIX socket, this results in
# a warning in the mail logs: "warning: smtp_connect_local: opportunistic TLS
# encryption is not appropriate for unix-domain destinations". Therefore if
# we know that Dovecot is installed locally and we deliver over an UNIX
# socket, we can disable the opportunistic TLS encryption for the LMTP
# protocol.
- name: 'lmtp_tls_security_level'
comment: |
Security level overridden via local Dovecot installation
value: '{{ "none"
if dovecot__postfix_lmtp_transport.startswith("lmtp:unix:")
else "may" }}'
state: '{{ "present" if "lmtp" in dovecot__features else "ignore" }}'
# We don't care about the STARTTLS offer when we talk to Dovecot over an UNIX
# socket.
- name: 'lmtp_tls_note_starttls_offer'
value: '{{ False
if dovecot__postfix_lmtp_transport.startswith("lmtp:unix:")
else True }}'
state: '{{ "present" if "lmtp" in dovecot__features else "ignore" }}'
- name: 'virtual_transport'
value: '{{ dovecot__postfix_lmtp_transport }}'
state: '{{ "present"
if ("lmtp" in dovecot__features and
dovecot__ldap_enabled|bool)
else "ignore" }}'
- name: 'mailbox_transport'
value: '{{ dovecot__postfix_lmtp_transport }}'
state: '{{ "present"
if ("lmtp" in dovecot__features and
not dovecot__ldap_enabled|bool)
else "ignore" }}'
dovecot__postfix__dependent_mastercf
The master.cf configuration for the debops.postfix role.
dovecot__postfix__dependent_mastercf: []
dovecot__etc_services__dependent_list
Configuration for the debops.etc_services role.
dovecot__etc_services__dependent_list:
- name: 'doveadm'
port: '{{ dovecot__dsync_port }}'
protocols: [ 'tcp' ]
comment: 'Added by debops.dovecot Ansible role.'
dovecot__ferm__dependent_rules
Configuration for the debops.ferm role.
dovecot__ferm__dependent_rules:
- name: 'dovecot_imap'
type: 'accept'
by_role: 'debops.dovecot'
dport: [ 'imap2' ]
saddr: '{{ dovecot__allow_imap }}'
accept_any: '{{ dovecot__accept_any }}'
rule_state: '{{ "present"
if ("imap" in dovecot__features|d([]))
else "absent" }}'
- name: 'dovecot_imaps'
type: 'accept'
by_role: 'debops.dovecot'
dport: [ 'imaps' ]
saddr: '{{ dovecot__allow_imaps }}'
accept_any: '{{ dovecot__accept_any }}'
rule_state: '{{ "present"
if ("imaps" in dovecot__features|d([])
and dovecot__pki|d(True))
else "absent" }}'
- name: 'dovecot_pop3'
type: 'accept'
by_role: 'debops.dovecot'
dport: [ 'pop3' ]
saddr: '{{ dovecot__allow_pop3 }}'
accept_any: '{{ dovecot__accept_any }}'
rule_state: '{{ "present"
if ("pop3" in dovecot__features|d([]))
else "absent" }}'
- name: 'dovecot_pop3s'
type: 'accept'
by_role: 'debops.dovecot'
dport: [ 'pop3s' ]
saddr: '{{ dovecot__allow_pop3s }}'
accept_any: '{{ dovecot__accept_any }}'
rule_state: '{{ "present"
if ("pop3s" in dovecot__features|d([])
and dovecot__pki|d(True))
else "absent" }}'
- name: 'dovecot_doveadm'
type: 'accept'
by_role: 'debops.dovecot'
dport: [ 'doveadm' ]
saddr: '{{ dovecot__allow_doveadm }}'
accept_any: '{{ dovecot__accept_any }}'
rule_state: '{{ "present"
if ("dsync" in dovecot__features|d([]))
else "absent" }}'
- name: 'dovecot_sieve'
type: 'accept'
by_role: 'debops.dovecot'
dport: [ 'sieve' ]
saddr: '{{ dovecot__allow_sieve }}'
accept_any: '{{ dovecot__accept_any }}'
rule_state: '{{ "present"
if ("sieve" in dovecot__features|d([])
and dovecot__pki|d(True))
else "absent" }}'