systemli · doobry-systemli · Jan 1, 2024 · Jan 1, 2024 · Jan 1, 2024 · Jan 1, 2024
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -32,6 +32,13 @@ dovecot_mail_plugins:
   - quota
 dovecot_mail_plugins_imap: $mail_plugins imap_quota
 
+dovecot_lda_mailbox_autosubscribe: "yes"
+dovecot_lda_mail_plugins_extra: sieve
+dovecot_junk_trash_autoexpunge: 30d
+dovecot_sieve_location: /var/vmail/%d/%n/.dovecot.sieve
+dovecot_sieve_before: /etc/dovecot/sieve-before/spam-to-junk.sieve
+dovecot_sieve_max_redirects: 20
+
 # See https://wiki.dovecot.org/LoginProcess for performance tuning
 dovecot_login_service_count: 1
 dovecot_login_process_min_avail: "{{ ansible_processor_cores * ansible_processor_count }}"

diff --git a/files/dovecot.munin b/files/dovecot.munin
diff --git a/files/sieve-before/spam-to-junk.sieve b/files/sieve-before/spam-to-junk.sieve
@@ -0,0 +1,4 @@
+require "fileinto";
+if header :contains "X-Spam-Flag" "YES" {
+  fileinto "Junk";
+}
diff --git a/files/systemd/system/dovecot.service.d/limits.conf b/files/systemd/system/dovecot.service.d/limits.conf
@@ -0,0 +1,2 @@
+[Service]
+LimitNOFILE=10000
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -32,3 +32,8 @@
   systemd:
     daemon_reload: true
   become: true
+
+- name: Compile sieve-before scripts # noqa no-changed-when
+  command: /usr/bin/sievec /etc/dovecot/sieve-before
+  notify:
+    - Restart dovecot
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -35,6 +35,9 @@
     pkg: "{{ dovecot_apt_packages }}"
     state: present
 
+- name: Import systemd limits tasks
+  import_tasks: systemd-limits.yml
+
 - name: Ensure dovecot is in group of userli
   user:
     name: dovecot
@@ -97,6 +100,9 @@
   tags:
     - molecule-notest
 
+- name: Import sieve-before tasks
+  import_tasks: sieve-before.yml
+
 - name: Configure dovecot
   template:
     src: "{{ item }}.j2"
@@ -109,8 +115,12 @@
     - 10-mail.conf
     - 10-master.conf
     - 10-ssl.conf
+    - 15-lda.conf
+    - 15-mailboxes.conf
     - 20-imap.conf
+    - 20-managesieve.conf
     - 90-quota.conf
+    - 90-sieve.conf
     - 90-stats.conf
   notify: Restart dovecot
 

diff --git a/tasks/sieve-before.yml b/tasks/sieve-before.yml
@@ -0,0 +1,19 @@
+---
+
+- name: Ensure sieve-before dir is present
+  file:
+    path: /etc/dovecot/sieve-before
+    owner: root
+    group: root
+    mode: 0755
+    state: directory
+
+- name: Copy sieve-before script
+  copy:
+    src: sieve-before/spam-to-junk.sieve
+    dest: /etc/dovecot/sieve-before/spam-to-junk.sieve
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - Compile sieve-before scripts
diff --git a/tasks/systemd-limits.yml b/tasks/systemd-limits.yml
@@ -0,0 +1,20 @@
+---
+
+- name: Ensure systemd dovecot include directory is present
+  file:
+    path: /etc/systemd/system/dovecot.service.d/
+    owner: root
+    group: root
+    mode: 0755
+    state: directory
+
+- name: Copy systemd limits file for dovecot service
+  copy:
+    src: systemd/system/dovecot.service.d/limits.conf
+    dest: /etc/systemd/system/dovecot.service.d/limits.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - Reload systemd
+    - Restart dovecot
diff --git a/templates/15-lda.conf.j2 b/templates/15-lda.conf.j2
@@ -0,0 +1,48 @@
+##
+## LDA specific settings (also used by LMTP)
+##
+
+# Address to use when sending rejection mails.
+# Default is postmaster@%d. %d expands to recipient domain.
+#postmaster_address =
+
+# Hostname to use in various parts of sent mails (e.g. in Message-Id) and
+# in LMTP replies. Default is the system's real hostname@domain.
+#hostname = 
+
+# If user is over quota, return with temporary failure instead of
+# bouncing the mail.
+#quota_full_tempfail = no
+
+# Binary to use for sending mails.
+#sendmail_path = /usr/sbin/sendmail
+
+# If non-empty, send mails via this SMTP host[:port] instead of sendmail.
+#submission_host =
+
+# Subject: header to use for rejection mails. You can use the same variables
+# as for rejection_reason below.
+#rejection_subject = Rejected: %s
+
+# Human readable error message for rejection mails. You can use variables:
+#  %n = CRLF, %r = reason, %s = original subject, %t = recipient
+#rejection_reason = Your message to <%t> was automatically rejected:%n%r
+
+# Delimiter character between local-part and detail in email address.
+#recipient_delimiter = +
+
+# Header where the original recipient address (SMTP's RCPT TO: address) is taken
+# from if not available elsewhere. With dovecot-lda -a parameter overrides this. 
+# A commonly used header for this is X-Original-To.
+#lda_original_recipient_header =
+
+# Should saving a mail to a nonexistent mailbox automatically create it?
+#lda_mailbox_autocreate = no
+
+# Should automatically created mailboxes be also automatically subscribed?
+lda_mailbox_autosubscribe = {{ dovecot_lda_mailbox_autosubscribe }}
+
+protocol lda {
+  # Space separated list of plugins to load (default is global mail_plugins).
+  mail_plugins = $mail_plugins {{ dovecot_lda_mail_plugins_extra }}
+}
diff --git a/templates/15-mailboxes.conf.j2 b/templates/15-mailboxes.conf.j2
@@ -0,0 +1,91 @@
+##
+## Mailbox definitions
+##
+
+# Each mailbox is specified in a separate mailbox section. The section name
+# specifies the mailbox name. If it has spaces, you can put the name
+# "in quotes". These sections can contain the following mailbox settings:
+#
+# auto:
+#   Indicates whether the mailbox with this name is automatically created
+#   implicitly when it is first accessed. The user can also be automatically
+#   subscribed to the mailbox after creation. The following values are
+#   defined for this setting:
+# 
+#     no        - Never created automatically.
+#     create    - Automatically created, but no automatic subscription.
+#     subscribe - Automatically created and subscribed.
+#  
+# special_use:
+#   A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
+#   mailbox. There are no validity checks, so you could specify anything
+#   you want in here, but it's not a good idea to use flags other than the
+#   standard ones specified in the RFC:
+#
+#     \All       - This (virtual) mailbox presents all messages in the
+#                  user's message store.
+#     \Archive   - This mailbox is used to archive messages.
+#     \Drafts    - This mailbox is used to hold draft messages.
+#     \Flagged   - This (virtual) mailbox presents all messages in the
+#                  user's message store marked with the IMAP \Flagged flag.
+#     \Important - This (virtual) mailbox presents all messages in the
+#                  user's message store deemed important to user.
+#     \Junk      - This mailbox is where messages deemed to be junk mail
+#                  are held.
+#     \Sent      - This mailbox is used to hold copies of messages that
+#                  have been sent.
+#     \Trash     - This mailbox is used to hold messages that have been
+#                  deleted.
+#
+# comment:
+#   Defines a default comment or note associated with the mailbox. This
+#   value is accessible through the IMAP METADATA mailbox entries
+#   "/shared/comment" and "/private/comment". Users with sufficient
+#   privileges can override the default value for entries with a custom
+#   value.
+
+# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
+namespace inbox {
+  # These mailboxes are widely used and could perhaps be created automatically:
+  mailbox Drafts {
+    auto = subscribe
+    special_use = \Drafts
+  }
+  mailbox Junk {
+    auto = subscribe
+    special_use = \Junk
+    autoexpunge = {{ dovecot_junk_trash_autoexpunge }}
+  }
+  mailbox Trash {
+    auto = subscribe
+    special_use = \Trash
+    autoexpunge = {{ dovecot_junk_trash_autoexpunge }}
+  }
+
+  # For \Sent mailboxes there are two widely used names. We'll mark both of
+  # them as \Sent. User typically deletes one of them if duplicates are created.
+  mailbox Sent {
+    special_use = \Sent
+  }
+  mailbox "Sent Messages" {
+    special_use = \Sent
+  }
+
+  # If you have a virtual "All messages" mailbox:
+  #mailbox virtual/All {
+  #  special_use = \All
+  #  comment = All my messages
+  #}
+
+  # If you have a virtual "Flagged" mailbox:
+  #mailbox virtual/Flagged {
+  #  special_use = \Flagged
+  #  comment = All my flagged messages
+  #}
+
+  # If you have a virtual "Important" mailbox:
+  #mailbox virtual/Important {
+  #  special_use = \Important
+  #  comment = All my important messages
+  #}
+}
diff --git a/templates/20-managesieve.conf.j2 b/templates/20-managesieve.conf.j2
@@ -0,0 +1,84 @@
+##
+## ManageSieve specific settings
+##
+
+# Uncomment to enable managesieve protocol:
+protocols = $protocols sieve
+
+# Service definitions
+
+service managesieve-login {
+  #inet_listener sieve {
+  #  port = 4190
+  #}
+
+  #inet_listener sieve_deprecated {
+  #  port = 2000
+  #}
+
+  # Number of connections to handle before starting a new process. Typically
+  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
+  # is faster. <doc/wiki/LoginProcess.txt>
+  #service_count = 1
+
+  # Number of processes to always keep waiting for more connections.
+  #process_min_avail = 0
+
+  # If you set service_count=0, you probably need to grow this.
+  #vsz_limit = 64M
+}
+
+service managesieve {
+  # Max. number of ManageSieve processes (connections)
+  #process_limit = 1024
+}
+
+# Service configuration
+
+protocol sieve {
+  # Maximum ManageSieve command line length in bytes. ManageSieve usually does
+  # not involve overly long command lines, so this setting will not normally
+  # need adjustment
+  #managesieve_max_line_length = 65536
+
+  # Maximum number of ManageSieve connections allowed for a user from each IP
+  # address.
+  # NOTE: The username is compared case-sensitively.
+  #mail_max_userip_connections = 10
+
+  # Space separated list of plugins to load (none known to be useful so far).
+  # Do NOT try to load IMAP plugins here.
+  #mail_plugins =
+
+  # MANAGESIEVE logout format string:
+  #  %i - total number of bytes read from client
+  #  %o - total number of bytes sent to client
+  #  %{put_bytes} - Number of bytes saved using PUTSCRIPT command
+  #  %{put_count} - Number of scripts saved using PUTSCRIPT command
+  #  %{get_bytes} - Number of bytes read using GETCRIPT command
+  #  %{get_count} - Number of scripts read using GETSCRIPT command
+  #  %{get_bytes} - Number of bytes processed using CHECKSCRIPT command
+  #  %{get_count} - Number of scripts checked using CHECKSCRIPT command
+  #  %{deleted_count} - Number of scripts deleted using DELETESCRIPT command
+  #  %{renamed_count} - Number of scripts renamed using RENAMESCRIPT command
+  #managesieve_logout_format = bytes=%i/%o
+
+  # To fool ManageSieve clients that are focused on CMU's timesieved you can
+  # specify the IMPLEMENTATION capability that Dovecot reports to clients.
+  # For example: 'Cyrus timsieved v2.2.13'
+  #managesieve_implementation_string = Dovecot Pigeonhole
+
+  # Explicitly specify the SIEVE and NOTIFY capability reported by the server
+  # before login. If left unassigned these will be reported dynamically
+  # according to what the Sieve interpreter supports by default (after login
+  # this may differ depending on the user).
+  #managesieve_sieve_capability =
+  #managesieve_notify_capability =
+
+  # The maximum number of compile errors that are returned to the client upon
+  # script upload or script verification.
+  #managesieve_max_compile_errors = 5
+
+  # Refer to 90-sieve.conf for script quota configuration and configuration of
+  # Sieve execution limits.
+}