diff --git a/tasks/main.yml b/tasks/main.yml
index 4078e28..9130753 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -5,14 +5,30 @@
 - dovecot-imapd
 - dovecot-managesieved
+- name: install dovecot-ldap
+ apt:
+ pkg:
+ - dovecot-ldap
+ when: dovecot.ldap.enable
+
 - name: add vmail group
 group:
 name: vmail
+ register: vmail_group
 - name: add vmail user
 user:
 name: vmail
 group: vmail
+ register: vmail_user
+
+- name: Create /var/vmail
+ file:
+ path: /var/vmail
+ state: directory
+ owner: vmail
+ group: vmail
+ mode: '0750'
 - name: copy dovecot config
 template:
@@ -27,6 +43,8 @@
 - { src: "15-lda.conf.j2", dest: "/etc/dovecot/conf.d/15-lda.conf" }
 - { src: "20-managesieve.conf.j2", dest: "/etc/dovecot/conf.d/20-managesieve.conf" }
 - { src: "auth-system.conf.j2", dest: "/etc/dovecot/conf.d/auth-system.conf" }
+ - { src: "auth-ldap.conf.j2", dest: "/etc/dovecot/conf.d/auth-ldap.conf" }
+ - { src: "dovecot-ldap.conf.ext.j2", dest: "/etc/dovecot/dovecot-ldap.conf.ext" }
 notify:
 - restart dovecot
diff --git a/templates/10-auth.conf.j2 b/templates/10-auth.conf.j2
index bdc433e..c3b525d 100644
--- a/templates/10-auth.conf.j2
+++ b/templates/10-auth.conf.j2
@@ -119,9 +119,12 @@ auth_mechanisms = {{ dovecot.auth_mechanisms|join(' ') }}
 #!include auth-deny.conf.ext
 #!include auth-master.conf.ext
+{% if dovecot.ldap.enable %}
+!include auth-ldap.conf.ext
+{% else %}
 !include auth-system.conf.ext
+{% endif %}
 #!include auth-sql.conf.ext
-#!include auth-ldap.conf.ext
 #!include auth-passwdfile.conf.ext
 #!include auth-checkpassword.conf.ext
 #!include auth-vpopmail.conf.ext
diff --git a/templates/10-mail.conf.j2 b/templates/10-mail.conf.j2
index b8e7e60..e991cc8 100644
--- a/templates/10-mail.conf.j2
+++ b/templates/10-mail.conf.j2
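Review bot: The `add vmail user` task creates the mailbox-owning account as an ordinary login user; as far as I recall the Ansible `user` module then also creates a home directory and leaves a login shell, which is more than an account that only owns `/var/vmail` should have — and this commit makes that account the single valid uid for all mail processes (`first_valid_uid`, `mail_uid`), so shrinking it matters. Mark it a system account with no shell and point its home at the directory the new `Create /var/vmail` task already manages. Also, `when: dovecot.ldap.enable` on the `install dovecot-ldap` task aborts the play with an undefined-variable error on hosts whose vars do not define `dovecot.ldap` at all; `when: dovecot.ldap.enable | default(false)` keeps the role usable for non-LDAP hosts.
```yaml
- name: add vmail user
  user:
    name: vmail
    group: vmail
    system: true
    shell: /usr/sbin/nologin
    home: /var/vmail
    create_home: false
  register: vmail_user
```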
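Review bot: The new `dovecot-ldap.conf.ext` loop item carries the LDAP bind password (`dnpass = {{ dovecot.ldap.bind_pw }}` in the template added by this commit), yet it is installed by the same `copy dovecot config` task as the ordinary conf.d files and so gets whatever single `mode` that task uses; the task head is outside this hunk and no per-item mode is visible. That file must not be group- or world-readable: either give it its own `template` task with `mode: '0600'`, `owner: root`, `group: root`, or add a `mode` key to each loop item and set `mode: "{{ item.mode | default('0644') }}"` in the task so the loop stays. Note also that both new templates are rendered even when `dovecot.ldap.enable` is false (they then emit a comment); that is harmless but worth a short comment on the item so nobody "fixes" it later.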
@@ -50,7 +50,7 @@ namespace inbox {
 # Prefix required to access this namespace. This needs to be different for
 # all namespaces. For example "Public/".
- #prefix =
+ #prefix =
 # Physical location of the mailbox. This is in same format as
 # mail_location, which is also the default for it.
@@ -132,7 +132,7 @@ namespace inbox {
 # A comment or note that is associated with the server. This value is
 # accessible for authenticated users through the IMAP METADATA server
-# entry "/shared/comment".
+# entry "/shared/comment".
 #mail_server_comment = ""
 # Indicates a method for contacting the server administrator. According to
@@ -140,7 +140,7 @@ namespace inbox {
 # is currently not enforced. Use for example mailto:admin@example.com. This
 # value is accessible for authenticated users through the IMAP METADATA server
 # entry "/shared/admin".
-#mail_server_admin =
+#mail_server_admin =
 ##
 ## Mail processes
@@ -172,15 +172,15 @@ namespace inbox {
 # to make sure that users can't log in as daemons or other system users.
 # Note that denying root logins is hardcoded to dovecot binary and can't
 # be done even if first_valid_uid is set to 0.
-#first_valid_uid = 500
-#last_valid_uid = 0
+first_valid_uid = {{ vmail_user.uid }}
+last_valid_uid = {{ vmail_user.uid }}
 # Valid GID range for users, defaults to non-root/wheel. Users having
 # non-valid GID as primary group ID aren't allowed to log in. If user
 # belongs to supplementary groups with non-valid GIDs, those groups are
 # not set.
-#first_valid_gid = 1
-#last_valid_gid = 0
+first_valid_gid = {{ vmail_group.gid }}
+last_valid_gid = {{ vmail_group.gid }}
 # Maximum allowed length for mail keyword name. It's only forced when trying
 # to create new keywords.
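Review bot: `first_valid_uid`/`last_valid_uid` and the gid pair are rendered from `vmail_user.uid` and `vmail_group.gid`, which only exist because the `add vmail user`/`add vmail group` tasks `register` them earlier in the same play; running the template task on its own (`--tags`, `--start-at-task`, a separate play) fails the render with an undefined variable. Collapsing the range to the single vmail id is good hardening — per the upstream comment kept above, a user whose userdb result carries another uid or gid cannot log in — but that intent is invisible to the next maintainer, so I would replace the generic upstream comment with `# Pinned to the vmail account: a userdb result with any other uid/gid is refused`. A role variable such as `dovecot.vmail_uid` with the registered value as fallback would remove the dependency on task order.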
@@ -193,7 +193,7 @@ namespace inbox {
 # WARNING: Never add directories here which local users can modify, that
 # may lead to root exploit. Usually this should be done only if you don't
 # allow shell access for users.
-#valid_chroot_dirs =
+#valid_chroot_dirs =
 # Default chroot directory for mail processes. This can be overridden for
 # specific users in user database by giving /./ in user's home directory
@@ -201,7 +201,7 @@ namespace inbox {
 # need to do chrooting, Dovecot doesn't allow users to access files outside
 # their mail directory anyway. If your home directories are prefixed with
 # the chroot directory, append "/." to mail_chroot.
-#mail_chroot =
+#mail_chroot =
 # UNIX socket path to master authentication server to find users.
 # This is used by imap (for shared users) and lda.
@@ -212,7 +212,7 @@ namespace inbox {
 # Space separated list of plugins to load for all services. Plugins specific to
 # IMAP, LDA, etc. are added to this list in their own .conf files.
-#mail_plugins =
+#mail_plugins =
 ##
 ## Mailbox handling optimizations
@@ -318,7 +318,7 @@ mailbox_list_index = yes
 # fallbacks to re-reading the whole mbox file whenever something in mbox isn't
 # how it's expected to be. The only real downside to this setting is that if
 # some other MUA changes message flags, Dovecot doesn't notice it immediately.
-# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
 # commands.
 #mbox_dirty_syncs = yes
diff --git a/templates/10-master.conf.j2 b/templates/10-master.conf.j2
index fd3529f..987b35d 100644
--- a/templates/10-master.conf.j2
+++ b/templates/10-master.conf.j2
@@ -61,37 +61,6 @@ service imap-login {
 # login user, so that login processes can't disturb other processes.
 #default_internal_user = dovecot
-service imap-login {
- inet_listener imap {
- port = 0
- }
- inet_listener imaps {
- port = 993
- ssl = yes
- }
-
- # Number of connections to handle before starting a new process. Typically
- # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
- # is faster.
- #service_count = 1
-
- # Number of processes to always keep waiting for more connections.
- #process_min_avail = 0
-
- # If you set service_count=0, you probably need to grow this.
- #vsz_limit = $default_vsz_limit
-}
-
-#service pop3-login {
- #inet_listener pop3 {
- #port = 110
- #}
- #inet_listener pop3s {
- #port = 995
- #ssl = yes
- #}
-#}
-
 service auth {
 # auth_socket_path points to this userdb socket by default. It's typically
 # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
diff --git a/templates/10-ssl.conf.j2 b/templates/10-ssl.conf.j2
index 34a27d3..5839747 100644
--- a/templates/10-ssl.conf.j2
+++ b/templates/10-ssl.conf.j2
@@ -16,7 +16,7 @@ ssl_dh = + +passdb {
+ driver = ldap
+
+ # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
+ args = /etc/dovecot/dovecot-ldap.conf.ext
+}
+
+# "prefetch" user database means that the passdb already provided the
+# needed information and there's no need to do a separate userdb lookup.
+#
+#userdb {
+# driver = prefetch
+#}
+
+userdb {
+ driver = ldap
+ args = /etc/dovecot/dovecot-ldap.conf.ext
+
+ # Default fields can be used to specify defaults that LDAP may override
+ #default_fields = home=/home/virtual/%u
+}
+
+# If you don't have any user-specific settings, you can avoid the userdb LDAP
+# lookup by using userdb static instead of userdb ldap, for example:
+#
+#userdb {
+ #driver = static
+ #args = uid=vmail gid=vmail home=/var/vmail/%u
+#}
diff --git a/templates/dovecot-ldap.conf.ext.j2 b/templates/dovecot-ldap.conf.ext.j2
new file mode 100644
index 0000000..14dcb8c
--- /dev/null
+++ b/templates/dovecot-ldap.conf.ext.j2
@@ -0,0 +1,49 @@
+{% if dovecot.ldap.enable %}
+## Debug everything
+# debug_level = -1
+
+uris = {{ dovecot.ldap.uris }}
+
+# Use TLS to connect to the LDAP server.
+# Set to no because we use LDAPS and dovecot tells you this is not possible together
+tls = no
+
+dn = {{ dovecot.ldap.bind_dn }}
+dnpass = {{ dovecot.ldap.bind_pw }}
+
+# TLS options, currently supported only with OpenLDAP:
+tls_ca_cert_file = {{ dovecot.ldap.tls.ca }}
+#tls_ca_cert_dir =
+#tls_cipher_suite =
+
+# TLS cert/key. This must be set only if LDAP server requires a client certificate.
+# If you set it in other cases, the LDAP connection will fail.
+# tls_cert_file =
+# tls_key_file =
+
+# Valid values: never, hard, demand, allow, try
+tls_require_cert = hard
+
+auth_bind = yes
+ldap_version = 3
+base = {{ dovecot.ldap.base }}
+deref = never
+scope = subtree
+
+user_attrs = \
+{% for attr in dovecot.ldap.user_attrs %}
+={{ attr.attr }}={{ attr.value }}{% if not loop.last %}, \
+{% endif %}
+{% endfor %}
+
+user_filter = {{ dovecot.ldap.filter }}
+pass_filter = {{ dovecot.ldap.filter }}
+
+default_pass_scheme = {{ dovecot.ldap.default_pass_scheme }}
+
+# iterate_attrs = mail=user # Wird vor allem von "doveadm" benötigt, um Benutzer zu finden
+# iterate_filter = (objectClass=person)
+{% else %}
+# LDAP is not configured for this instance.
+{% endif %}
+
diff --git a/templates/dovecot.conf.j2 b/templates/dovecot.conf.j2
index e687b0c..449c2d0 100644
--- a/templates/dovecot.conf.j2
+++ b/templates/dovecot.conf.j2
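Review bot: `tls = no` is justified by the comment's assumption that `uris` is an `ldaps://` URL, but nothing in the template or role enforces it: a host that sets `dovecot.ldap.uris` to `ldap://…` gets no TLS at all, so the bind password (`dnpass`) and — with `auth_bind = yes` — every user's password cross the wire in cleartext, and `tls_require_cert = hard` protects nothing. Derive the setting from the URI, `tls = {{ 'no' if dovecot.ldap.uris is match('ldaps://') else 'yes' }}`, so a plain URL at least falls back to STARTTLS under the same certificate check (if `uris` can hold several space-separated URLs, check each one or `assert` in tasks/main.yml that they all start with `ldaps://`). Because the bind password is rendered into this file, the task that installs it must use mode 0600 — the template task is not in this diff, so please verify. The `iterate_attrs` comment near the end is in German while the rest of the file is English; I would make it `# iterate_attrs = mail=user  # mainly needed by doveadm to enumerate users`.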
@@ -73,6 +73,12 @@ dict {
 #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
 }
+
+# Specifies the user and group id. As we use virtual mailboxes, this is set to
+# the vmail user and group
+mail_uid = {{ vmail_user.uid }}
+mail_gid = {{ vmail_group.gid }}
+
 # Most of the actual configuration gets included below. The filenames are
 # first sorted by their ASCII value and parsed in that order. The 00-prefixes
 # in filenames are intended to make it easier to understand the ordering.
diff --git a/templates/passwd.j2 b/templates/passwd.j2
index 765a6a5..c5331d1 100644
--- a/templates/passwd.j2
+++ b/templates/passwd.j2
@@ -1,3 +1,7 @@
+{% if not dovecot.ldap.enable %}
 {% for i in dovecot.user %}
 {{ i.name }}:{PLAIN}{{ i.password }}
 {% endfor %}
+{% else %}
+# LDAP is enabled for this instance, no local users can be configured.
+{% endif %}
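Review bot: The branch this hunk keeps for non-LDAP hosts still writes every local account as `{{ i.name }}:{PLAIN}{{ i.password }}`, i.e. cleartext passwords on disk in the passwd-file; that line predates the commit, but now that it is the explicit "local users" path it is the place to fix it, e.g. `{{ i.name }}:{SHA512-CRYPT}{{ i.password | password_hash('sha512') }}` (the inventory value then only needs to be the cleartext at render time, or can itself already be a crypt hash). The new `else` branch leaves a `#` comment in the passwd-file; as far as I recall Dovecot's passwd-file driver ignores such lines, but an empty file is the safer guarantee, so consider dropping the comment or moving it into the template task's `name`.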