debops.dovecot default variables
Sections
General Dovecot configuration
- dovecot__features
List of features which should be installed and enabled. See dovecot__features for details.
dovecot__features: [ 'imap', 'imaps', 'lmtp', 'sieve', 'quota' ]
- dovecot__auth_mechanisms
List of enabled authentication mechanisms. Currently plain and login
are supported.
dovecot__auth_mechanisms: [ 'plain', 'login' ]
- dovecot__version
Variable which specifies what Dovecot version is installed on the host. It is defined via Ansible local facts and can be used in conditions to modify the configuration as needed.
dovecot__version: '{{ ansible_local.dovecot.version|d("0.0.0") }}'
User database/mailbox configuration
- dovecot__user_accounts
User account lookup mechanisms, see dovecot__user_accounts for details.
dovecot__user_accounts: '{{ [ "deny", "ldap" ]
if dovecot__ldap_enabled|bool
else [ "deny", "system" ] }}'
- dovecot__deny_users
List of users for which mail access is disabled.
dovecot__deny_users: [ 'root' ]
- dovecot__mail_location
Mailbox location. For mbox set something like
mbox:~/mail:INBOX=/var/mail/%u. For more information about the supported
format, see the Dovecot Mail Location documentation.
dovecot__mail_location: 'maildir:~/Maildir'
- dovecot__auth_default_realm
The default domain (realm) to add to the usernames that don't include one. Required to correctly point the clients to their mailbox directories.
dovecot__auth_default_realm: '{{ ansible_domain }}'
Virtual Mail
These settings makes it possible to host multiple (virtual) domains and to manage mail for users which do not need to have a local system account.
- dovecot__vmail_enabled
Whether the virtual mail support should be enabled.
dovecot__vmail_enabled: '{{ True if (dovecot__user_accounts |
intersect(["mysql", "pgsql", "sqlite",
"ldap", "passwdfile" ]))
else False }}'
- dovecot__vmail_posix_user
A separate user vmail (Virtual Mail), which owns the mailbox
directories and is used by the various mail daemons to store and access the
stored email, can be used. On the one hand this prevents mail daemons
components from accessing sensitive system directories, on the other hand it
protects the mailboxes from external access. Only the vmail user (and
root) are allowed to access the mailboxes.
dovecot__vmail_posix_user: '{{ ansible_local.postldap.vmail_posix_user
| d("vmail") }}'
- dovecot__vmail_posix_group
Virtual Mail POSIX group.
dovecot__vmail_posix_group: '{{ ansible_local.postldap.vmail_posix_group
| d("vmail") }}'
- dovecot__vmail_base
The base directory where user mail directories are located, which also
serves as the home directory for the dovecot__vmail_posix_user.
This directory is used as the base for the virtual mail home directory paths
and is used e.g. as a prefix for the mailHomeDirectory LDAP attribute if
it's found in the LDAP lookups.
dovecot__vmail_base: '/var/vmail'
- dovecot__vmail_home
The vmail home directory is a per-user directory where Dovecot can save user-specific files. Dovecot's home directories have nothing to do with system users' home directories. For more information, see Home Directories for Virtual Users.
dovecot__vmail_home: '{{ dovecot__vmail_base ~ "/%d/%n" }}'
DSync Settings
Dovecot supports master/master replication using dsync. For more
information, see DSync Replication.
- dovecot__dsync_port
Port to use for dsync, defaults to 12345.
dovecot__dsync_port: '12345'
- dovecot__dsync_host
Remote host to sync with, required.
dovecot__dsync_host: ''
- dovecot__dsync_replica
Remote host to sync with, specified in the form tcp[s]:host[:port].
dovecot__dsync_replica: '{{ ("tcps" if dovecot__pki|d(True) else "tcp") ~ ":" ~
dovecot__dsync_host ~ ":" ~
dovecot__dsync_port }}'
- dovecot__dsync_password_path
Directory on the Ansible Host where the dsync password will be stored.
By default it's stored relative to the secret/ directory in the
DebOps project directory. See the debops.secret role for more details.
dovecot__dsync_password_path: '{{ "dovecot/credentials/dsync.password" }}'
- dovecot__dsync_password
Password to use for the dsync protocol. Must be the same on both
hosts of a replica pair.
dovecot__dsync_password: '{{ lookup("password", secret + "/"
+ dovecot__dsync_password_path
+ " length=32") }}'
SQL Authentication Settings
- dovecot__sql_connect
Database-driver specific database connection string. See SQL User Databases for more details.
dovecot__sql_connect: ''
- dovecot__sql_default_pass_scheme
Default password scheme for passwords, stored in a SQL database. For more information about the supported schemes, check Authentication / PasswordSchemes.
dovecot__sql_default_pass_scheme: 'SSHA512'
- dovecot__sql_password_query
SQL query string to get the password. This function should return the values
username, domain and password.
dovecot__sql_password_query: "SELECT userid AS username, domain, password FROM users WHERE userid = '%n' AND domain = '%d'"
- dovecot__sql_user_query
SQL query string to get the userdb. This function should return the values
home, uid and gid.
Optionally the mail_location can be defined with the option mail,
see MailLocation.
dovecot__sql_user_query: "SELECT home, uid, gid FROM users WHERE userid = '%n' AND domain = '%d'"
- dovecot__sql_iterate_query
SQL query string to get a list of users. This function should return all
valid users (user or username and domain).
For more information about the iterate query , see the Dovecot SQL documentation.
dovecot__sql_iterate_query: "SELECT userid AS username, domain FROM users"
- dovecot__passwdfile_scheme
Encryption scheme to use with password authentication.
dovecot__passwdfile_scheme: 'sha512-crypt'
- dovecot__passwdfile_path
Path to the dovecot password file.
dovecot__passwdfile_path: '/etc/dovecot/private/'
- dovecot__passwdfile_name
Name of the dovecot password file.
dovecot__passwdfile_name: 'passwd'
- dovecot__checkpassword_passdb_command
Command to fetch the password database in checkpassword auth mode.
dovecot__checkpassword_passdb_command: '/usr/bin/checkpassword'
- dovecot__checkpassword_userdb_command
Command to fetch the user database in checkpassword auth mode.
dovecot__checkpassword_userdb_command: '/usr/bin/checkpassword'
PKI / TLS configuration
- dovecot__pki
Enable or disable support for TLS/SSL using debops.pki.
dovecot__pki: '{{ ansible_local.pki.enabled|d() | bool }}'
- dovecot__pki_path
Base PKI directory.
dovecot__pki_path: '{{ ansible_local.pki.path|d("/etc/pki/realms") }}'
- dovecot__pki_realm
Default PKI realm.
dovecot__pki_realm: '{{ ansible_local.pki.realm|d("domain") }}'
- dovecot__pki_ca
Name of the Root Certificate Authority certificate file, relative to the PKI realm directory.
dovecot__pki_ca: '{{ ansible_local.pki.ca|d("CA.crt") }}'
- dovecot__pki_crt
Default certificate, relative to the dovecot__pki_realm variable.
dovecot__pki_crt: '{{ ansible_local.pki.crt|d("default.crt") }}'
- dovecot__pki_key
Default private key, relative to the dovecot__pki_realm variable.
dovecot__pki_key: '{{ ansible_local.pki.key|d("default.key") }}'
- dovecot__tls_ca_cert_dir
Directory containing X509 Certification Authority certificates.
dovecot__tls_ca_cert_dir: '/etc/ssl/certs/'
- dovecot__ssl_required
Requires SSL/TLS also for non-plaintext authentication. For more
information check ssl_required in the Dovecot SSL Configuration.
dovecot__ssl_required: True
- dovecot__ssl_min_protocol
SSL ciphers to use.
dovecot__ssl_min_protocol: '{{ "!SSLv2 !SSLv3"
if (ansible_distribution_release in
[ "jessie", "precise", "trusty" ])
else "TLSv1.2" }}'
- dovecot__ssl_dh_parameters_length
Diffie-Hellman parameters length.
dovecot__ssl_dh_parameters_length: 4096
- dovecot__ssl_cipher_list
SSL ciphers to use.
dovecot__ssl_cipher_list: '{{ dovecot__ssl_cipher_list_default }}'
- dovecot__ssl_cipher_list_default
Default SSL ciphers.
dovecot__ssl_cipher_list_default: 'ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH'
- dovecot__ssl_cipher_list_better_crypto
See the bettercrypto.org guide.
dovecot__ssl_cipher_list_better_crypto: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
- dovecot__ssl_cipher_list_ncsc_nl
The 'good' cipher suite from the NCSC-NL TLS Guidelines v2.1.
dovecot__ssl_cipher_list_ncsc_nl: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256'
- dovecot__pki_hook_name
Name of the debops.pki hook script.
dovecot__pki_hook_name: 'dovecot'
- dovecot__pki_hook_path
Directory for the debops.pki hooks.
dovecot__pki_hook_path: '{{ ansible_local.pki.hooks|d("/etc/pki/hooks") }}'
- dovecot__pki_hook_action
Specify how changes in PKI should affect dovecot, either 'reload' or 'restart'.
dovecot__pki_hook_action: 'reload'
Diffie-Hellman parameters
- dovecot__dhparam
Enable or disable support for custom Diffie-Hellman parameters managed by the debops.dhparam Ansible role.
dovecot__dhparam: '{{ ansible_local.dhparam.enabled
if (ansible_local|d() and ansible_local.dhparam|d() and
ansible_local.dhparam.enabled is defined)
else False }}'
- dovecot__dhparam_set
Name of the Diffie-Hellman parameter set to use. See the debops.dhparam Ansible role for more details.
dovecot__dhparam_set: 'default'
- dovecot__ssl_dh_file
Absolute path to the Diffie-Hellman parameters file which should be used.
dovecot__ssl_dh_file: '{{ ansible_local.dhparam[dovecot__dhparam_set]
if (ansible_local|d() and ansible_local.dhparam|d() and
ansible_local.dhparam[dovecot__dhparam_set]|d())
else "" }}'
Dovecot custom configuration
These variables define the contents of the /etc/dovecot/dovecot.conf
configuration file.
- dovecot__default_configuration
The default dovecot configuration options defined by the role. See Syntax for details.
dovecot__default_configuration:
- section: 'main'
title: 'Main Configuration'
options:
- name: 'protocols'
comment: 'Currently active protocols'
value: "{{ dovecot__features |
intersect(['imap', 'imaps', 'pop3',
'pop3s', 'sieve', 'lmtp']) |
map('regex_replace', '^(imap|pop3)s$', '\\1') |
list | unique | join(' ') }}"
- section: 'authentication'
title: 'Client Configuration'
options:
- name: 'auth_mechanisms'
value: '{{ dovecot__auth_mechanisms | join(" ") }}'
- name: 'disable_plaintext_auth'
value: 'yes'
- name: 'auth_default_realm'
value: '{{ dovecot__auth_default_realm }}'
- name: 'mail_uid'
value: '{{ dovecot__vmail_posix_user }}'
state: '{{ "present" if dovecot__vmail_enabled|d(False) else "absent" }}'
- name: 'mail_gid'
value: '{{ dovecot__vmail_posix_group }}'
state: '{{ "present" if dovecot__vmail_enabled|d(False) else "absent" }}'
- name: 'mail_privileged_group'
value: '{{ dovecot__vmail_posix_user }}'
state: '{{ "present" if dovecot__vmail_enabled|d(False) else "absent" }}'
- name: 'passdb_deny'
option: 'passdb'
state: '{{ "present" if "deny" in dovecot__user_accounts else "absent" }}'
options:
- name: 'driver'
value: 'passwd-file'
- name: 'deny'
value: 'yes'
- name: 'args'
value: '/etc/dovecot/dovecot.deny'
- name: 'passdb_system'
option: 'passdb'
state: '{{ "present" if "system" in dovecot__user_accounts else "absent" }}'
options:
- name: 'driver'
value: 'pam'
- name: 'args'
value: 'session=yes dovecot'
- name: 'userdb_system'
option: 'userdb'
state: '{{ "present" if "system" in dovecot__user_accounts else "absent" }}'
options:
- name: 'driver'
value: 'passwd'
- name: 'args'
value: 'blocking=no'
- name: 'passdb_sql'
option: 'passdb'
state: '{{ "present" if (dovecot__user_accounts | d([]) |
intersect(["mysql", "pgsql", "sqlite"])) else "absent" }}'
options:
- name: 'driver'
value: 'sql'
- name: 'args'
value: '/etc/dovecot/dovecot-sql.conf.ext'
- name: 'userdb_sql'
option: 'userdb'
state: '{{ "present" if (dovecot__user_accounts | d([]) |
intersect(["mysql", "pgsql", "sqlite"])) else "absent" }}'
options:
- name: 'driver'
value: 'sql'
- name: 'args'
value: '/etc/dovecot/dovecot-sql.conf.ext'
- name: 'passdb_ldap'
option: 'passdb'
state: '{{ "present" if "ldap" in dovecot__user_accounts else "absent" }}'
options:
- name: 'driver'
value: 'ldap'
- name: 'args'
value: '/etc/dovecot/dovecot-ldap-passdb.conf'
- name: 'userdb_ldap'
option: 'userdb'
state: '{{ "present" if "ldap" in dovecot__user_accounts else "absent" }}'
options:
- name: 'driver'
value: 'ldap'
- name: 'args'
value: '/etc/dovecot/dovecot-ldap-userdb.conf'
- name: 'passdb_passwd'
option: 'passdb'
state: '{{ "present" if "passwdfile" in dovecot__user_accounts else "absent" }}'
options:
- name: 'driver'
value: 'passwd-file'
- name: 'args'
value: 'scheme={{ dovecot__passwdfile_scheme }} {{ dovecot__passwdfile_path }}/{{ dovecot__passwdfile_name }}'
- name: 'userdb_passwd'
option: 'userdb'
state: '{{ "present" if "passwdfile" in dovecot__user_accounts else "absent" }}'
options:
- name: 'driver'
value: 'static'
- name: 'args'
value: 'uid={{ dovecot__vmail_posix_user }} gid={{ dovecot__vmail_posix_group }} home={{ dovecot__vmail_home }}'
- name: 'default_fields'
value: 'quota_rule=*:storage=1G'
comment: 'Default fields that can be overridden by passwd-file'
state: 'comment'
- name: 'override_fields'
value: 'home=/home/virtual/%u'
comment: 'Override fields from passwd-file'
state: 'comment'
- name: 'passdb_checkpassword'
option: 'passdb'
state: '{{ "present" if ("checkpassword" in dovecot__user_accounts and
dovecot__checkpassword_passdb_command|d()) else "absent" }}'
options:
- name: 'driver'
value: 'checkpassword'
- name: 'args'
value: '{{ dovecot__checkpassword_passdb_command }}'
- name: 'userdb_checkpassword_pre'
option: 'userdb'
state: '{{ "present" if ("checkpassword" in dovecot__user_accounts and
dovecot__checkpassword_userdb_command|d()) else "absent" }}'
options:
- name: 'driver'
value: 'prefetch'
- name: 'userdb_checkpassword_main'
option: 'userdb'
state: '{{ "present" if ("checkpassword" in dovecot__user_accounts and
dovecot__checkpassword_userdb_command|d()) else "absent" }}'
options:
- name: 'driver'
value: 'checkpassword'
- name: 'args'
value: '{{ dovecot__checkpassword_userdb_command }}'
- section: 'tls'
title: 'TLS Configuration'
state: '{{ "present" if dovecot__pki is defined and dovecot__pki else "absent" }}'
options:
- name: 'ssl'
value: '{{ "required" if dovecot__ssl_required else "yes" }}'
- name: 'ssl_prefer_server_ciphers'
value: 'yes'
comment: 'Prefer the server''s order of ciphers over the client''s. (dovecot >= 2.2.6)'
- name: 'ssl_cert'
value: '<{{ dovecot__pki_path ~ "/" ~ dovecot__pki_realm ~ "/" ~ dovecot__pki_crt }}'
- name: 'ssl_key'
value: '<{{ dovecot__pki_path ~ "/" ~ dovecot__pki_realm ~ "/" ~ dovecot__pki_key }}'
- name: 'ssl_protocols'
value: '{{ dovecot__ssl_min_protocol }}'
state: '{{ "present" if dovecot__version is version("2.3.0", "<") else "absent" }}'
- name: 'ssl_dh_parameters_length'
value: '{{ dovecot__ssl_dh_parameters_length }}'
state: '{{ "present" if dovecot__version is version("2.3.0", "<") else "absent" }}'
comment: 'Diffie-Hellman parameters length (default 1024, dovecot >= 2.2.7, optional in dovecot >= 2.3.3)'
- name: 'ssl_min_protocol'
value: '{{ dovecot__ssl_min_protocol }}'
state: '{{ "present" if dovecot__version is version("2.3.0", ">=") else "absent" }}'
- name: 'ssl_dh'
value: '{{ "" if (dovecot__ssl_dh_file == "") else ("<" + dovecot__ssl_dh_file) }}'
state: '{{ "present" if dovecot__version is version("2.3.0", ">=") else "absent" }}'
- name: 'ssl_cipher_list'
value: '{{ dovecot__ssl_cipher_list }}'
- name: 'ssl_client_ca_dir'
value: '/etc/ssl/certs'
state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
- section: 'no_tls'
title: 'TLS Non-Configuration'
state: '{{ "absent" if dovecot__pki is defined and dovecot__pki else "present" }}'
options:
- name: 'ssl'
value: 'no'
- section: 'services'
title: 'Dovecot services'
options:
- name: 'service imap-login'
state: '{{ "present" if ("imap" in dovecot__features or "imaps" in dovecot__features) else "absent" }}'
options:
- name: 'inet_listener imap'
options:
- name: 'address'
value: '127.0.0.1, [::1]'
comment: 'Only localhost if no PKI is configured'
state: '{{ "present" if not dovecot__pki|d(True) else "comment" }}'
- name: 'port'
value: '{{ 143 if "imap" in dovecot__features else 0 }}'
- name: 'inet_listener imaps'
options:
- name: 'port'
value: '{{ 993 if ("imaps" in dovecot__features and dovecot__pki|d(True)) else 0 }}'
comment: 'Disabled if no PKI is configured'
- name: 'service pop3-login'
state: '{{ "present" if ("pop3" in dovecot__features or "pop3s" in dovecot__features) else "absent" }}'
options:
- name: 'inet_listener pop3'
options:
- name: 'address'
value: '127.0.0.1, [::1]'
comment: 'Only localhost if no PKI is configured'
state: '{{ "present" if not dovecot__pki|d(True) else "comment" }}'
- name: 'port'
value: '{{ 110 if "pop3" in dovecot__features else 0 }}'
- name: 'inet_listener pop3s'
options:
- name: 'port'
value: '{{ 995 if ("pop3s" in dovecot__features and dovecot__pki|d(True)) else 0 }}'
comment: 'Disabled if no PKI is configured'
- name: 'service lmtp'
state: '{{ "present" if "lmtp" in dovecot__features else "absent" }}'
options:
- name: 'user'
value: '{{ dovecot__vmail_posix_user }}'
state: '{{ "present" if dovecot__vmail_enabled|d(False) else "absent" }}'
- name: 'unix_listener /var/spool/postfix/private/dovecot-lmtp'
options:
- name: 'mode'
value: '0660'
- name: 'group'
value: 'postfix'
- name: 'user'
value: 'postfix'
- name: 'service managesieve-login'
state: '{{ "present" if "sieve" in dovecot__features else "absent" }}'
options:
- name: 'inet_listener sieve'
options:
- name: 'port'
value: '4190'
- name: 'service replicator'
state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
options:
- name: 'process_min_avail'
value: '1'
- name: 'unix_listener replicator-doveadm'
options:
- name: 'mode'
value: '0600'
- name: 'user'
value: 'vmail'
- name: 'service aggregator'
state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
options:
- name: 'fifo_listener replication-notify-fifo'
options:
- name: 'user'
value: 'vmail'
- name: 'unix_listener replication-notify'
options:
- name: 'user'
value: 'vmail'
- name: 'service doveadm'
state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
options:
- name: 'inet_listener doveadm'
options:
- name: 'port'
value: '{{ dovecot__dsync_port }}'
- name: 'ssl'
value: 'yes'
state: '{{ "present" if (dovecot__pki|d(True)) else "absent" }}'
- name: 'replication_max_conns'
value: '10'
state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
- name: 'doveadm_port'
value: '{{ dovecot__dsync_port }}'
state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
- name: 'doveadm_password'
value: '{{ dovecot__dsync_password }}'
state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
- name: 'service auth'
options:
- name: 'unix_listener /var/spool/postfix/private/auth'
options:
- name: 'mode'
value: '0660'
- name: 'group'
value: 'postfix'
- name: 'user'
value: 'postfix'
- name: 'unix_listener auth-userdb'
state: '{{ "present" if (dovecot__vmail_enabled|d(False) and
"lmtp" in dovecot__features) else "absent" }}'
options:
- name: 'mode'
value: '0660'
- name: 'group'
value: '{{ dovecot__vmail_posix_group }}'
- name: 'user'
value: '{{ dovecot__vmail_posix_user }}'
- section: 'protocols'
title: 'Protocol settings'
options:
- name: 'protocol imap'
state: '{{ "present" if ("imap" in dovecot__features or "imaps" in dovecot__features) else "absent" }}'
options:
- name: 'mail_plugins'
value: '{{ dovecot__mail_plugins_imap | flatten | join(" ") }}'
- name: 'mail_max_userip_connections'
value: '20'
state: 'comment'
- name: 'imap_idle_notify_interval'
value: '29 mins'
state: 'comment'
- name: 'protocol pop3'
state: '{{ "present" if ("pop3" in dovecot__features or "pop3s" in dovecot__features) else "absent" }}'
options:
- name: 'mail_plugins'
value: '{{ dovecot__mail_plugins_pop3 | flatten | join(" ") }}'
- name: 'mail_max_userip_connections'
value: '10'
state: 'comment'
- name: 'protocol lda'
state: '{{ "present" if "lmtp" not in dovecot__features else "absent" }}'
options:
- name: 'mail_plugins'
value: '{{ dovecot__mail_plugins_lda | flatten | join(" ") }}'
- name: 'postmaster_address'
value: 'postmaster@{{ ansible_domain }}'
- name: 'protocol lmtp'
state: '{{ "present" if "lmtp" in dovecot__features else "absent" }}'
options:
- name: 'mail_plugins'
value: '{{ dovecot__mail_plugins_lmtp | flatten | join(" ") }}'
- name: 'postmaster_address'
value: 'postmaster@{{ ansible_domain }}'
- section: 'mailbox_locations'
title: 'Mailbox Locations'
options:
- name: 'mail_home'
value: '{{ dovecot__vmail_home }}'
state: '{{ "present" if dovecot__vmail_enabled else "absent" }}'
- name: 'mail_location'
value: '{{ dovecot__mail_location }}'
state: '{{ "present" if dovecot__mail_location|d() else "comment" }}'
- section: 'mailbox_namespaces'
title: 'Mailbox Namespaces'
options:
- name: 'namespace inbox'
options:
- name: 'inbox'
value: 'yes'
comment: 'There can be only one INBOX, and this setting defines which namespace has it.'
- name: 'mailbox Drafts'
options:
- name: 'special_use'
value: '\Drafts'
- name: 'mailbox Junk'
options:
- name: 'special_use'
value: '\Junk'
- name: 'mailbox Trash'
comment: |
If you change the name of this mailbox and use LDAP,
dovecot__ldap_trash_field also needs to be updated.
options:
- name: 'special_use'
value: '\Trash'
- name: 'mailbox Sent'
comment: |
For \Sent mailboxes there are two widely used names. We'll mark both of
them as \Sent. User typically deletes one of them if duplicates are created.
options:
- name: 'special_use'
value: '\Sent'
- name: 'mailbox "Sent Messages"'
options:
- name: 'special_use'
value: '\Sent'
- name: 'mailbox virtual/All'
comment: 'If you have a virtual "All Messages" mailbox:'
state: 'comment'
options:
- name: 'special_use'
value: '\All'
- name: 'comment'
value: 'All my messages'
- name: 'mailbox virtual/Flagged'
comment: 'If you have a virtual "Flagged" mailbox:'
state: 'comment'
options:
- name: 'special_use'
value: '\Flagged'
- name: 'comment'
value: 'All my flagged messages'
- name: 'mailbox virtual/Important'
comment: 'If you have a virtual "Important" mailbox:'
state: 'comment'
options:
- name: 'special_use'
value: '\Important'
- name: 'comment'
value: 'All my important messages'
- section: 'plugins'
title: 'Mail Plugins'
options:
- name: 'plugin'
options:
- name: 'sieve'
value: '{{ dovecot__sieve_dir }}'
state: '{{ "present" if "sieve" in dovecot__features else "absent" }}'
- name: 'quota'
value: 'maildir:User quota'
state: '{{ "present" if "quota" in dovecot__features else "absent" }}'
- name: 'mail_replica'
value: '{{ dovecot__dsync_replica }}'
state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
- dovecot__configuration
The dovecot configuration options defined for all hosts in the Ansible inventory.
dovecot__configuration: []
- dovecot__group_configuration
The dovecot configuration options defined for hosts in a specific Ansible inventory group.
dovecot__group_configuration: []
- dovecot__host_configuration
The dovecot configuration options defined for a specific host in the Ansible inventory.
dovecot__host_configuration: []
- dovecot__combined_configuration
The variable that combines other dovecot configuration options for
use in the /etc/dovecot/dovecot.conf template.
dovecot__combined_configuration: '{{ dovecot__default_configuration
+ dovecot__configuration
+ dovecot__group_configuration
+ dovecot__host_configuration }}'
- dovecot__mail_plugins
Default mail plugins for all protocols.
dovecot__mail_plugins:
- '$mail_plugins'
- '{{ "notify" if "dsync" in dovecot__features else [] }}'
- '{{ "replication" if "dsync" in dovecot__features else [] }}'
- '{{ "quota" if "quota" in dovecot__features else [] }}'
- dovecot__mail_plugins_imap
Enabled mail plugins for the IMAP protocol.
dovecot__mail_plugins_imap:
- '{{ dovecot__mail_plugins }}'
- '{{ "imap_sieve" if "sieve" in dovecot__features else [] }}'
- '{{ "imap_quota" if "quota" in dovecot__features else [] }}'
- dovecot__mail_plugins_pop3
Enabled mail plugins for the POP3 protocol.
dovecot__mail_plugins_pop3:
- '{{ dovecot__mail_plugins }}'
- dovecot__mail_plugins_lda
Enabled mail plugins for the LDA protocol.
dovecot__mail_plugins_lda:
- '{{ dovecot__mail_plugins }}'
- '{{ "sieve" if "sieve" in dovecot__features else [] }}'
- dovecot__mail_plugins_ltmp
Enabled mail plugins for the LMTP protocol.
dovecot__mail_plugins_lmtp:
- '{{ dovecot__mail_plugins }}'
- '{{ "sieve" if "sieve" in dovecot__features else [] }}'
- dovecot__sieve_dir
Storage directory for sieve scripts.
dovecot__sieve_dir: 'file:~/sieve;active=~/.dovecot.sieve'
Firewall configuration
- dovecot__accept_any
The default firewall policy for dovecot services.
If True, any host can connect to the dovecot daemon unless allow
restrictions are defined using the variables below.
If False, no hosts can connect to the dovecot daemon by default. You
need to specify IP addresses or subnets that can access the services using
the variables below.
dovecot__accept_any: True
- dovecot__allow_imap
List of hosts/networks that can access the imap port (143).
dovecot__allow_imap: []
- dovecot__allow_imaps
List of hosts/networks that can access the imaps port (993).
dovecot__allow_imaps: []
- dovecot__allow_pop3
List of hosts/networks that can access the pop3 port (110).
dovecot__allow_pop3: []
- dovecot__allow_pop3s
List of hosts/networks that can access the pop3s port (995).
dovecot__allow_pop3s: []
- dovecot__allow_doveadm
List of hosts/networks that can access the doveadm port (12345, used for
dsync).
dovecot__allow_doveadm:
- '{{ dovecot__dsync_host }}'
- dovecot__allow_sieve
List of hosts/networks that can access the ManageSieve Protocol port
(4190).
dovecot__allow_sieve: []
LDAP
- dovecot__ldap_enabled
When enabled, dovecot will authenticate users against LDAP and authorize access to the user's mailbox.
dovecot__ldap_enabled: '{{ True
if (ansible_local|d() and ansible_local.ldap|d() and
(ansible_local.ldap.enabled|d())|bool)
else False }}'
- dovecot__ldap_base_dn
The base Distinguished Name which should be used to create Distinguished Names of the LDAP directory objects.
dovecot__ldap_base_dn: '{{ ansible_local.ldap.base_dn|d([]) }}'
- dovecot__ldap_device_dn
The Distinguished Name of the current host LDAP object. It will be used as a base for the Virtual Mail service account LDAP object. If empty, the role will not create the account LDAP object automatically.
dovecot__ldap_device_dn: '{{ ansible_local.ldap.device_dn|d([]) }}'
- dovecot__ldap_self_rdn
The Relative Distinguished Name of the account LDAP object used by the dovecot service to access the LDAP directory.
dovecot__ldap_self_rdn: 'uid=dovecot'
- dovecot__ldap_self_object_classes
List of the LDAP object classes which will be used to create the LDAP object used by the dovecot service to access the LDAP directory.
dovecot__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
- dovecot__ldap_self_attributes
YAML dictionary that defines the attributes of the LDAP object used by the dovecot service to access the LDAP directory.
dovecot__ldap_self_attributes:
uid: '{{ dovecot__ldap_self_rdn.split("=")[1] }}'
userPassword: '{{ dovecot__ldap_bindpw }}'
host: '{{ [ ansible_fqdn, ansible_hostname ] | unique }}'
description: 'Account used by the "Dovecot" service to access the LDAP directory'
- dovecot__ldap_binddn
The Distinguished Name used to bind to the LDAP directory.
dovecot__ldap_binddn: '{{ ([ dovecot__ldap_self_rdn ]
+ dovecot__ldap_device_dn) | join(",") }}'
- dovecot__ldap_bindpw
The password used to bind to the LDAP directory.
dovecot__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
+ dovecot__ldap_binddn | to_uuid + ".password length=32 "
+ "chars=ascii_letters,digits,!@_$%^&*"))
if dovecot__ldap_enabled|bool
else "" }}'
- dovecot__ldap_people_rdn
The Relative Distinguished Name of the LDAP object which contains the user accounts in LDAP.
dovecot__ldap_people_rdn: '{{ ansible_local.ldap.people_rdn|d("ou=People") }}'
- dovecot__ldap_people_dn
The Distinguished Name of the LDAP object which contains the user accounts.
dovecot__ldap_people_dn: '{{ [ dovecot__ldap_people_rdn ]
+ dovecot__ldap_base_dn }}'
- dovecot__ldap_uri
List of LDAP URIs that point to the directory servers which should be used.
dovecot__ldap_uri: '{{ ansible_local.ldap.uri|d([""]) }}'
- dovecot__ldap_start_tls
If True, STARTTLS will be used to connect to the LDAP server.
dovecot__ldap_start_tls: '{{ ansible_local.ldap.start_tls|d(True)|bool }}'
- dovecot__ldap_user_filter
The LDAP filter used to look up user accounts in the directory. See LDAP tasks and administrative operations for more information.
dovecot__ldap_user_filter: '(&
(objectClass=mailRecipient)
(|
(uid=%n)
(mail=%u)
)
(|
(authorizedService=all)
(authorizedService=mail:access)
)
)'
- dovecot__ldap_quota_attribute
The LDAP attribute storing the user quota.
dovecot__ldap_quota_attribute: 'mailQuota'
- dovecot__ldap_quota_default
Default LDAP quota.
dovecot__ldap_quota_default: '10 GB'
- dovecot__ldap_trash_field
The dovecot internal field name which corresponds to the trash
mailbox, used to control the automatic expunction of mails via the
mailExpungeTrash LDAP attribute.
dovecot__ldap_trash_field: 'namespace/inbox/mailbox/Trash/autoexpunge'
Configuration for other Ansible roles
- dovecot__postfix_lmtp_transport
Postfix mail transport target if LMTP is enabled.
dovecot__postfix_lmtp_transport: 'lmtp:unix:private/dovecot-lmtp'
- dovecot__ldap__dependent_tasks
Configuration for the debops.ldap role.
dovecot__ldap__dependent_tasks:
- name: 'Create Postfix account for {{ dovecot__ldap_device_dn | join(",") }}'
dn: '{{ dovecot__ldap_binddn }}'
objectClass: '{{ dovecot__ldap_self_object_classes }}'
attributes: '{{ dovecot__ldap_self_attributes }}'
no_log: '{{ debops__no_log | d(True) }}'
state: '{{ "present"
if (dovecot__ldap_enabled|bool and
dovecot__ldap_device_dn|d())
else "ignore" }}'
- dovecot__postfix__dependent_maincf
The main.cf configuration for the debops.postfix role.
dovecot__postfix__dependent_maincf:
# The default TLS security level set by the 'postfix' role is "may", however
# when the mail is delivered over local UNIX socket, this results in
# a warning in the mail logs: "warning: smtp_connect_local: opportunistic TLS
# encryption is not appropriate for unix-domain destinations". Therefore if
# we know that Dovecot is installed locally and we deliver over an UNIX
# socket, we can disable the opportunistic TLS encryption for the LMTP
# protocol.
- name: 'lmtp_tls_security_level'
comment: |
Security level overridden via local Dovecot installation
value: '{{ "none"
if dovecot__postfix_lmtp_transport.startswith("lmtp:unix:")
else "may" }}'
state: '{{ "present" if "lmtp" in dovecot__features else "ignore" }}'
# We don't care about the STARTTLS offer when we talk to Dovecot over an UNIX
# socket.
- name: 'lmtp_tls_note_starttls_offer'
value: '{{ False
if dovecot__postfix_lmtp_transport.startswith("lmtp:unix:")
else True }}'
state: '{{ "present" if "lmtp" in dovecot__features else "ignore" }}'
- name: 'virtual_transport'
value: '{{ dovecot__postfix_lmtp_transport }}'
state: '{{ "present"
if ("lmtp" in dovecot__features and
dovecot__ldap_enabled|bool)
else "ignore" }}'
- name: 'mailbox_transport'
value: '{{ dovecot__postfix_lmtp_transport }}'
state: '{{ "present"
if ("lmtp" in dovecot__features and
not dovecot__ldap_enabled|bool)
else "ignore" }}'
- dovecot__postfix__dependent_mastercf
The master.cf configuration for the debops.postfix role.
dovecot__postfix__dependent_mastercf: []
- dovecot__etc_services__dependent_list
Configuration for the debops.etc_services role.
dovecot__etc_services__dependent_list:
- name: 'doveadm'
port: '{{ dovecot__dsync_port }}'
protocols: [ 'tcp' ]
comment: 'Added by debops.dovecot Ansible role.'
- dovecot__ferm__dependent_rules
Configuration for the debops.ferm role.
dovecot__ferm__dependent_rules:
- name: 'dovecot_imap'
type: 'accept'
by_role: 'debops.dovecot'
dport: [ 'imap2' ]
saddr: '{{ dovecot__allow_imap }}'
accept_any: '{{ dovecot__accept_any }}'
rule_state: '{{ "present"
if ("imap" in dovecot__features|d([]))
else "absent" }}'
- name: 'dovecot_imaps'
type: 'accept'
by_role: 'debops.dovecot'
dport: [ 'imaps' ]
saddr: '{{ dovecot__allow_imaps }}'
accept_any: '{{ dovecot__accept_any }}'
rule_state: '{{ "present"
if ("imaps" in dovecot__features|d([])
and dovecot__pki|d(True))
else "absent" }}'
- name: 'dovecot_pop3'
type: 'accept'
by_role: 'debops.dovecot'
dport: [ 'pop3' ]
saddr: '{{ dovecot__allow_pop3 }}'
accept_any: '{{ dovecot__accept_any }}'
rule_state: '{{ "present"
if ("pop3" in dovecot__features|d([]))
else "absent" }}'
- name: 'dovecot_pop3s'
type: 'accept'
by_role: 'debops.dovecot'
dport: [ 'pop3s' ]
saddr: '{{ dovecot__allow_pop3s }}'
accept_any: '{{ dovecot__accept_any }}'
rule_state: '{{ "present"
if ("pop3s" in dovecot__features|d([])
and dovecot__pki|d(True))
else "absent" }}'
- name: 'dovecot_doveadm'
type: 'accept'
by_role: 'debops.dovecot'
dport: [ 'doveadm' ]
saddr: '{{ dovecot__allow_doveadm }}'
accept_any: '{{ dovecot__accept_any }}'
rule_state: '{{ "present"
if ("dsync" in dovecot__features|d([]))
else "absent" }}'
- name: 'dovecot_sieve'
type: 'accept'
by_role: 'debops.dovecot'
dport: [ 'sieve' ]
saddr: '{{ dovecot__allow_sieve }}'
accept_any: '{{ dovecot__accept_any }}'
rule_state: '{{ "present"
if ("sieve" in dovecot__features|d([])
and dovecot__pki|d(True))
else "absent" }}'