Upgrade configuration files for Dovecot 2.3

Author: jchristgit

ansible/roles/dovecot/tasks/main.yml

@@ -176,33 +176,34 @@
   tags:
     - role::dovecot
 
-- name: Template Dovecot LDAP config
-  template:
-    src: dovecot-ldap.conf.ext.j2
-    dest: /etc/dovecot/dovecot-ldap.conf.ext
-    group: root
-    owner: root
-    mode: "0600"
+# BEGIN temporary cleanup task
+- name: Kill Dovecot LDAP config
+  file:
+    path: /etc/dovecot/dovecot-ldap.conf.ext
+    state: absent
   tags:
     - role::dovecot
   notify:
     - Reload Dovecot
+# END temporary cleanup task
 
 - name: Template Dovecot component configurations
   template:
     src: "configs/{{ item }}.j2"
     dest: "/etc/dovecot/conf.d/{{ item }}"
     group: root
     owner: root
-    mode: "0644"
+    mode: "0600"
   loop:
+    - 10-director.conf
     - 10-mail.conf
     - 10-master.conf
     - 10-auth.conf
     - 10-ssl.conf
     - 15-mailboxes.conf
     - 20-lmtp.conf
     - 20-imap.conf
+    - 90-acl.conf
     - auth-ldap.conf.ext
   tags:
     - role::dovecot

ansible/roles/dovecot/templates/configs/10-auth.conf.j2

@@ -9,7 +9,7 @@
 # matches the local IP (ie. you're connecting from the same computer), the
 # connection is considered secure and plaintext authentication is allowed.
 # See also ssl=required setting.
-disable_plaintext_auth = yes
+auth_allow_cleartext = no
 
 # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
 # bsdauth and PAM require cache_key to be set for caching to be used.

ansible/roles/dovecot/templates/configs/10-director.conf.j2

@@ -0,0 +1,62 @@
+# {{ ansible_managed }}
+
+##
+## Director-specific settings.
+##
+
+# Director can be used by Dovecot proxy to keep a temporary user -> mail server
+# mapping. As long as user has simultaneous connections, the user is always
+# redirected to the same server. Each proxy server is running its own director
+# process, and the directors are communicating the state to each others.
+# Directors are mainly useful with NFS-like setups.
+
+# List of IPs or hostnames to all director servers, including ourself.
+# Ports can be specified as ip:port. The default port is the same as
+# what director service's inet_listener is using.
+#director_servers =
+
+# List of IPs or hostnames to all backend mail servers. Ranges are allowed
+# too, like 10.0.0.10-10.0.0.30.
+#director_mail_servers =
+
+# How long to redirect users to a specific server after it no longer has
+# any connections.
+#director_user_expire = 15 min
+
+# How the username is translated before being hashed. Useful values include
+# %Ln if user can log in with or without @domain, %Ld if mailboxes are shared
+# within domain.
+#director_username_hash = %Lu
+
+# To enable director service, uncomment the modes and assign a port.
+service director {
+  unix_listener login/director {
+    #mode = 0666
+  }
+  fifo_listener login/proxy-notify {
+    #mode = 0666
+  }
+  unix_listener director-userdb {
+    #mode = 0600
+  }
+  inet_listener schweinehund {
+    #port =
+  }
+}
+
+# Enable director for the wanted login services by telling them to
+# connect to director socket instead of the default login socket:
+service imap-login {
+  #executable = imap-login director
+}
+service pop3-login {
+  #executable = pop3-login director
+}
+service submission-login {
+  #executable = submission-login director
+}
+
+# Enable director for LMTP proxying:
+protocol lmtp {
+  #auth_socket_path = director-userdb
+}

ansible/roles/dovecot/templates/configs/10-mail.conf.j2

@@ -29,8 +29,9 @@
 #
 # <doc/wiki/MailLocation.txt>
 #
-mail_home = /var/vmail/%u
-mail_location = maildir:~/mail
+mail_home = /var/vmail/%{user}
+mail_driver = Maildir
+mail_path = %{home}/mail
 
 
 # If you need to set multiple mailbox locations or want to change default
@@ -219,7 +220,10 @@ mail_privileged_group = mail
 
 # Space separated list of plugins to load for all services. Plugins specific to
 # IMAP, LDA, etc. are added to this list in their own .conf files.
-mail_plugins = welcome notify
+mail_plugins {
+  welcome = yes
+  notify = yes
+}
 
 ##
 ## Mailbox handling optimizations
@@ -424,9 +428,11 @@ protocol !indexer-worker {
 #   exclude-inlined - Exclude any Content-Disposition=inline MIME part.
 #mail_attachment_detection_options =
 
-plugin {
-  welcome_script = welcome %u
-  welcome_wait = no
+welcome {
+  execute welcome {
+    args = %{user}
+  }
+  wait = no
 }
 
 service welcome {

ansible/roles/dovecot/templates/configs/10-ssl.conf.j2

@@ -11,8 +11,8 @@ ssl = yes
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/letsencrypt/live/pydis.wtf/fullchain.pem
-ssl_key = </etc/letsencrypt/live/pydis.wtf/privkey.pem
+ssl_server_cert_file = /etc/letsencrypt/live/pydis.wtf/fullchain.pem
+ssl_server_key_file = /etc/letsencrypt/live/pydis.wtf/privkey.pem
 
 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
@@ -54,7 +54,7 @@ ssl_client_ca_dir = /etc/ssl/certs
 # Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
 # Or migrate from old ssl-parameters.dat file with the command dovecot
 # gives on startup when ssl_dh is unset.
-ssl_dh = </usr/share/dovecot/dh.pem
+ssl_server_dh_file = /usr/share/dovecot/dh.pem
 
 # Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
 # TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used.

ansible/roles/dovecot/templates/configs/20-imap.conf.j2

@@ -91,11 +91,17 @@
 #     from going into infinite loops trying to FETCH a broken mail.
 #imap_fetch_failure = disconnect-immediately
 
-mail_attribute_dict = file:~/mail/dovecot-attributes
+mail_attribute {
+  dict file {
+    path = %{home}/mail/dovecot-attributes
+  }
+}
 
 protocol imap {
   # Space separated list of plugins to load (default is global mail_plugins).
-  mail_plugins = $mail_plugins imap_sieve
+  mail_plugins {
+    imap_sieve = yes
+  }
 
   imap_metadata = yes
 

ansible/roles/dovecot/templates/configs/20-lmtp.conf.j2

@@ -38,5 +38,7 @@ lmtp_add_received_header = yes
 
 protocol lmtp {
   # Space separated list of plugins to load (default is global mail_plugins).
-  mail_plugins = $mail_plugins sieve
+  mail_plugins {
+    sieve = yes
+  }
 }

ansible/roles/dovecot/templates/configs/90-acl.conf.j2

@@ -0,0 +1,21 @@
+# {{ ansible_managed }}
+
+##
+## Mailbox access control lists.
+##
+
+# vfile backend reads ACLs from "dovecot-acl" file from mail directory.
+# You can also optionally give a global ACL directory path where ACLs are
+# applied to all users' mailboxes. The global ACL directory contains
+# one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter
+# specifies how many seconds to wait between stat()ing dovecot-acl file
+# to see if it changed.
+#plugin {
+  #acl = vfile:/etc/dovecot/global-acls:cache_secs=300
+#}
+
+# To let users LIST mailboxes shared by other users, Dovecot needs a
+# shared mailbox dictionary. For example:
+#plugin {
+  #acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
+#}

ansible/roles/dovecot/templates/configs/auth-ldap.conf.ext.j2

@@ -4,18 +4,58 @@
 #
 # <doc/wiki/AuthDatabase.LDAP.txt>
 
-passdb {
-  driver = ldap
+# This file is opened as root, so it should be owned by root and mode 0600.
+#
+ldap_uris = {{ dovecot_ldap_host }}
+
+# Distinguished Name - the username used to login to the LDAP server.
+# Leave it commented out to bind anonymously (useful with auth_bind=yes).
+ldap_auth_dn = {{ dovecot_ldap_user }}
+
+# Password for LDAP server, if dn is specified.
+ldap_auth_dn_password = {{ dovecot_ldap_password }}
+
+# TLS options, currently supported only with OpenLDAP:
+ldap_tls_ca_cert_file = {{ dovecot_ldap_tls_ca }}
 
-  # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
-  args = /etc/dovecot/dovecot-ldap.conf.ext
-}
 
-userdb {
-  driver = prefetch
+# LDAP protocol version to use. Likely 2 or 3.
+ldap_version = 3
+
+# LDAP base. %variables can be used here.
+# For example: dc=mail, dc=example, dc=org
+ldap_base = cn=users,cn=accounts,dc=box,dc=pydis,dc=wtf
+
+# User attributes are given in LDAP-name=dovecot-internal-name list. The
+# internal names are:
+#   uid - System UID
+#   gid - System GID
+#   home - Home directory
+#   mail - Mail location
+#
+# There are also other special fields which can be returned, see
+# http://wiki2.dovecot.org/UserDatabase/ExtraFields
+ldap_user_attrs = uidNumber=uid, sieve=${home}/main.sieve, sieve_user_log=${home}/sieve.log
+
+passdb ldap {
+  fields {
+    uidNumber = %{ldap:uid}
+    sieve = ${home}/main.sieve
+    sieve_user_log = ${home}/sieve.log
+  }
+  bind = yes
+  bind_userdn = uid=%{user},cn=users,cn=accounts,dc=box,dc=pydis,dc=wtf
+
+  filter = (&(objectClass=posixAccount)(uid=%{user}))
+  driver = ldap
 }
 
-userdb {
+userdb ldap {
+  fields {
+    uidNumber = %{ldap:uid}
+    sieve = ${home}/main.sieve
+    sieve_user_log = ${home}/sieve.log
+  }
+  filter = (&(objectClass=posixAccount)(uid=%{user}))
   driver = ldap
-  args = /etc/dovecot/dovecot-ldap.conf.ext
 }