infra/ansible-role-dovecot
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

added buster support

Browse source
This commit is contained in:
nd 2020-04-30 14:59:14 +02:00
parent 0ed250d6ee
commit 38ff3f3fe4
No known key found for this signature in database
GPG key ID: 21B5CD4DEE3670E9
3 changed files with 18 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

2
templates/10-mail.conf.j2
View file

@ -220,7 +220,7 @@ namespace inbox {
# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are # Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
# also required for IMAP NOTIFY extension to be enabled. # also required for IMAP NOTIFY extension to be enabled.
#mailbox_list_index = no mailbox_list_index = yes
# The minimum number of mails in a mailbox before updates are done to cache # The minimum number of mails in a mailbox before updates are done to cache
# file. This allows optimizing Dovecot's behavior to do less disk writes at # file. This allows optimizing Dovecot's behavior to do less disk writes at

13
templates/10-master.conf.j2
View file

@ -140,3 +140,16 @@ service dict {
} }
} }
service stats {
unix_listener stats-reader {
user = vmail
group = vmail
mode = 0660
}
unix_listener stats-writer {
user = vmail
group = vmail
mode = 0660
}
}

20
templates/10-ssl.conf.j2
View file

@ -11,12 +11,7 @@ ssl = required
# certificate, just make sure to update the domains in dovecot-openssl.cnf # certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/ssl/{{ inventory_hostname }}.crt ssl_cert = </etc/ssl/{{ inventory_hostname }}.crt
ssl_key = </etc/ssl/private/{{ inventory_hostname }}.key ssl_key = </etc/ssl/private/{{ inventory_hostname }}.key
ssl_dh = </etc/ssl/dh-4096.pem
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =
# PEM encoded trusted certificate authority. Set this only if you intend to use # PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s) # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
@ -42,17 +37,10 @@ ssl_key = </etc/ssl/private/{{ inventory_hostname }}.key
# auth_ssl_username_from_cert=yes. # auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName #ssl_cert_username_field = commonName
# DH parameters length to use. ssl_min_protocol = TLSv1.2
ssl_dh_parameters_length = 4092 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_prefer_server_ciphers = no
# SSL protocols to use
ssl_protocols = TLSv1.2
# SSL ciphers to use
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes
# SSL crypto device to use, for valid values run "openssl engine" # SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device = #ssl_crypto_device =