root
5 years ago
30 changed files with 1715 additions and 137 deletions
@ -0,0 +1,66 @@ |
|||
### |
|||
### Meta Information |
|||
### |
|||
FROM localhost/debian |
|||
|
|||
# deploy options |
|||
# -p (port) and -v (volume) both go host:container |
|||
LABEL deployopts="\ |
|||
-p 25:25 \ |
|||
-p 587:587 \ |
|||
-p 143:143 \ |
|||
-p 993:993 \ |
|||
-v /srv/volumes/mailsrv/db:/vol/db \ |
|||
-v /srv/volumes/mailsrv/mail:/vol/mail \ |
|||
-v /srv/volumes/mailsrv/ssl:/vol/ssl:ro" |
|||
|
|||
# Build Variables |
|||
# uid that the files owner user should have |
|||
ARG FILESUID=5000 |
|||
|
|||
### |
|||
### General Setup |
|||
### |
|||
|
|||
# tell debian not to ask questions during install process |
|||
ARG DEBIAN_FRONTEND=noninteractive |
|||
|
|||
# install packages we want |
|||
RUN apt update -y && apt install -y rsyslog postfix dovecot-imapd dovecot-lmtpd |
|||
|
|||
# add virtual mail user |
|||
RUN addgroup --gid ${FILESUID:?} vmail && \ |
|||
adduser vmail --ingroup vmail --uid ${FILESUID:?} --disabled-password --gecos "Virtual Mail Owner" --shell /usr/sbin/nologin --no-create-home --home /var/mail/virtual |
|||
|
|||
# copy our custom scripts |
|||
COPY assets/bin /usr/local/bin |
|||
|
|||
### |
|||
### Postfix |
|||
### |
|||
|
|||
# copy postfix config |
|||
COPY assets/postfix /etc/postfix |
|||
|
|||
# copy service override config |
|||
COPY assets/override-postfix.service /etc/systemd/system/postfix.service.d/override.conf |
|||
|
|||
### |
|||
### Dovecot |
|||
### |
|||
|
|||
# copy dovecot config |
|||
COPY assets/dovecot /etc/dovecot |
|||
|
|||
# make symlink to mail dir |
|||
RUN ln -s /vol/mail /var/mail/virtual |
|||
|
|||
### |
|||
### Working Directory |
|||
### |
|||
|
|||
# make sure /vol/db exists |
|||
RUN mkdir -p /vol/db |
|||
|
|||
# set /vol/db as working directory |
|||
WORKDIR /vol/db |
|||
@ -0,0 +1,2 @@ |
|||
#!/bin/bash |
|||
openssl passwd -6 |
|||
@ -0,0 +1,25 @@ |
|||
#!/bin/sh |
|||
|
|||
set -e |
|||
|
|||
# copy users passwd-file to /etc/dovecot and set appropriate permissions |
|||
cp /vol/db/users /etc/dovecot/users |
|||
chown dovecot:dovecot /etc/dovecot/users |
|||
|
|||
# make self-referential users list |
|||
# this is needed for the reject_sender_login_mismatch restriction to work, |
|||
# otherwise users cannot send emails as their own address |
|||
cd /vol/db/aliases.d |
|||
echo "# This file is autogenerated by mkvirt. Don't edit it manually." > self.list |
|||
cat /vol/db/users | cut -d':' -f1 | perl -pe 's/(.*)/\1\@brbytes.org \1\n\1\@mail.brbytes.org \1/' >> self.list |
|||
|
|||
cd /etc/postfix |
|||
|
|||
# do users |
|||
cat /vol/db/users | cut -d':' -f1 | perl -pe 's/(.*)/\1 ./' > users |
|||
postmap users |
|||
|
|||
# do aliases |
|||
cat /vol/db/aliases.d/*.list > aliases |
|||
postmap aliases |
|||
|
|||
@ -0,0 +1,130 @@ |
|||
## |
|||
## Authentication processes |
|||
## |
|||
|
|||
# Disable LOGIN command and all other plaintext authentications unless |
|||
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP |
|||
# matches the local IP (ie. you're connecting from the same computer), the |
|||
# connection is considered secure and plaintext authentication is allowed. |
|||
# See also ssl=required setting. |
|||
#disable_plaintext_auth = yes |
|||
|
|||
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that |
|||
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used. |
|||
#auth_cache_size = 0 |
|||
# Time to live for cached data. After TTL expires the cached record is no |
|||
# longer used, *except* if the main database lookup returns internal failure. |
|||
# We also try to handle password changes automatically: If user's previous |
|||
# authentication was successful, but this one wasn't, the cache isn't used. |
|||
# For now this works only with plaintext authentication. |
|||
#auth_cache_ttl = 1 hour |
|||
# TTL for negative hits (user not found, password mismatch). |
|||
# 0 disables caching them completely. |
|||
#auth_cache_negative_ttl = 1 hour |
|||
|
|||
# Space separated list of realms for SASL authentication mechanisms that need |
|||
# them. You can leave it empty if you don't want to support multiple realms. |
|||
# Many clients simply use the first one listed here, so keep the default realm |
|||
# first. |
|||
#auth_realms = |
|||
|
|||
# Default realm/domain to use if none was specified. This is used for both |
|||
# SASL realms and appending @domain to username in plaintext logins. |
|||
#auth_default_realm = |
|||
|
|||
# List of allowed characters in username. If the user-given username contains |
|||
# a character not listed in here, the login automatically fails. This is just |
|||
# an extra check to make sure user can't exploit any potential quote escaping |
|||
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters, |
|||
# set this value to empty. |
|||
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ |
|||
|
|||
# Username character translations before it's looked up from databases. The |
|||
# value contains series of from -> to characters. For example "#@/@" means |
|||
# that '#' and '/' characters are translated to '@'. |
|||
#auth_username_translation = |
|||
|
|||
# Username formatting before it's looked up from databases. You can use |
|||
# the standard variables here, eg. %Lu would lowercase the username, %n would |
|||
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into |
|||
# "-AT-". This translation is done after auth_username_translation changes. |
|||
#auth_username_format = %Lu |
|||
|
|||
# If you want to allow master users to log in by specifying the master |
|||
# username within the normal username string (ie. not using SASL mechanism's |
|||
# support for it), you can specify the separator character here. The format |
|||
# is then <username><separator><master username>. UW-IMAP uses "*" as the |
|||
# separator, so that could be a good choice. |
|||
#auth_master_user_separator = |
|||
|
|||
# Username to use for users logging in with ANONYMOUS SASL mechanism |
|||
#auth_anonymous_username = anonymous |
|||
|
|||
# Maximum number of dovecot-auth worker processes. They're used to execute |
|||
# blocking passdb and userdb queries (eg. MySQL and PAM). They're |
|||
# automatically created and destroyed as needed. |
|||
#auth_worker_max_count = 30 |
|||
|
|||
# Host name to use in GSSAPI principal names. The default is to use the |
|||
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab |
|||
# entries. |
|||
#auth_gssapi_hostname = |
|||
|
|||
# Kerberos keytab to use for the GSSAPI mechanism. Will use the system |
|||
# default (usually /etc/krb5.keytab) if not specified. You may need to change |
|||
# the auth service to run as root to be able to read this file. |
|||
#auth_krb5_keytab = |
|||
|
|||
# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and |
|||
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt> |
|||
#auth_use_winbind = no |
|||
|
|||
# Path for Samba's ntlm_auth helper binary. |
|||
#auth_winbind_helper_path = /usr/bin/ntlm_auth |
|||
|
|||
# Time to delay before replying to failed authentications. |
|||
#auth_failure_delay = 2 secs |
|||
|
|||
# Require a valid SSL client certificate or the authentication fails. |
|||
#auth_ssl_require_client_cert = no |
|||
|
|||
# Take the username from client's SSL certificate, using |
|||
# X509_NAME_get_text_by_NID() which returns the subject's DN's |
|||
# CommonName. |
|||
#auth_ssl_username_from_cert = no |
|||
|
|||
# Space separated list of wanted authentication mechanisms: |
|||
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey |
|||
# gss-spnego |
|||
# NOTE: See also disable_plaintext_auth setting. |
|||
# Outlook Express and Windows Mail works only with LOGIN mechanism, not the standard PLAIN: |
|||
auth_mechanisms = plain login |
|||
|
|||
## |
|||
## Password and user databases |
|||
## |
|||
|
|||
# |
|||
# Password database is used to verify user's password (and nothing more). |
|||
# You can have multiple passdbs and userdbs. This is useful if you want to |
|||
# allow both system users (/etc/passwd) and virtual users to login without |
|||
# duplicating the system users into virtual database. |
|||
# |
|||
# <doc/wiki/PasswordDatabase.txt> |
|||
# |
|||
# User database specifies where mails are located and what user/group IDs |
|||
# own them. For single-UID configuration use "static" userdb. |
|||
# |
|||
# <doc/wiki/UserDatabase.txt> |
|||
|
|||
passdb { |
|||
driver = passwd-file |
|||
# username_format: Set to '%u' to look up full usernames. If you want to enable |
|||
# user@domain logins but have only user in the file, set to %n instead. |
|||
args = username_format=%n /vol/db/users |
|||
} |
|||
|
|||
userdb { |
|||
driver = static |
|||
args = uid=vmail gid=vmail home=/var/mail/virtual/%n |
|||
} |
|||
@ -0,0 +1,420 @@ |
|||
## |
|||
## Mailbox locations and namespaces |
|||
## |
|||
|
|||
# Location for users' mailboxes. The default is empty, which means that Dovecot |
|||
# tries to find the mailboxes automatically. This won't work if the user |
|||
# doesn't yet have any mail, so you should explicitly tell Dovecot the full |
|||
# location. |
|||
# |
|||
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u) |
|||
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are |
|||
# kept. This is called the "root mail directory", and it must be the first |
|||
# path given in the mail_location setting. |
|||
# |
|||
# There are a few special variables you can use, eg.: |
|||
# |
|||
# %u - username |
|||
# %n - user part in user@domain, same as %u if there's no domain |
|||
# %d - domain part in user@domain, empty if there's no domain |
|||
# %h - home directory |
|||
# |
|||
# See doc/wiki/Variables.txt for full list. Some examples: |
|||
# |
|||
# mail_location = maildir:~/Maildir |
|||
# mail_location = mbox:~/mail:INBOX=/var/mail/%u |
|||
# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n |
|||
# |
|||
# <doc/wiki/MailLocation.txt> |
|||
# |
|||
mail_location = maildir:~/Maildir:LAYOUT=fs |
|||
|
|||
# If you need to set multiple mailbox locations or want to change default |
|||
# namespace settings, you can do it by defining namespace sections. |
|||
# |
|||
# You can have private, shared and public namespaces. Private namespaces |
|||
# are for user's personal mails. Shared namespaces are for accessing other |
|||
# users' mailboxes that have been shared. Public namespaces are for shared |
|||
# mailboxes that are managed by sysadmin. If you create any shared or public |
|||
# namespaces you'll typically want to enable ACL plugin also, otherwise all |
|||
# users can access all the shared mailboxes, assuming they have permissions |
|||
# on filesystem level to do so. |
|||
namespace inbox { |
|||
# Namespace type: private, shared or public |
|||
#type = private |
|||
|
|||
# Hierarchy separator to use. You should use the same separator for all |
|||
# namespaces or some clients get confused. '/' is usually a good one. |
|||
# The default however depends on the underlying mail storage format. |
|||
#separator = |
|||
|
|||
# Prefix required to access this namespace. This needs to be different for |
|||
# all namespaces. For example "Public/". |
|||
#prefix = |
|||
|
|||
# Physical location of the mailbox. This is in same format as |
|||
# mail_location, which is also the default for it. |
|||
#location = |
|||
|
|||
# There can be only one INBOX, and this setting defines which namespace |
|||
# has it. |
|||
inbox = yes |
|||
|
|||
# If namespace is hidden, it's not advertised to clients via NAMESPACE |
|||
# extension. You'll most likely also want to set list=no. This is mostly |
|||
# useful when converting from another server with different namespaces which |
|||
# you want to deprecate but still keep working. For example you can create |
|||
# hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/". |
|||
#hidden = no |
|||
|
|||
# Show the mailboxes under this namespace with LIST command. This makes the |
|||
# namespace visible for clients that don't support NAMESPACE extension. |
|||
# "children" value lists child mailboxes, but hides the namespace prefix. |
|||
#list = yes |
|||
|
|||
# Namespace handles its own subscriptions. If set to "no", the parent |
|||
# namespace handles them (empty prefix should always have this as "yes") |
|||
#subscriptions = yes |
|||
|
|||
# See 15-mailboxes.conf for definitions of special mailboxes. |
|||
} |
|||
|
|||
# Example shared namespace configuration |
|||
#namespace { |
|||
#type = shared |
|||
#separator = / |
|||
|
|||
# Mailboxes are visible under "shared/user@domain/" |
|||
# %%n, %%d and %%u are expanded to the destination user. |
|||
#prefix = shared/%%u/ |
|||
|
|||
# Mail location for other users' mailboxes. Note that %variables and ~/ |
|||
# expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the |
|||
# destination user's data. |
|||
#location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u |
|||
|
|||
# Use the default namespace for saving subscriptions. |
|||
#subscriptions = no |
|||
|
|||
# List the shared/ namespace only if there are visible shared mailboxes. |
|||
#list = children |
|||
#} |
|||
# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"? |
|||
#mail_shared_explicit_inbox = no |
|||
|
|||
# System user and group used to access mails. If you use multiple, userdb |
|||
# can override these by returning uid or gid fields. You can use either numbers |
|||
# or names. <doc/wiki/UserIds.txt> |
|||
#mail_uid = |
|||
#mail_gid = |
|||
|
|||
# Group to enable temporarily for privileged operations. Currently this is |
|||
# used only with INBOX when either its initial creation or dotlocking fails. |
|||
# Typically this is set to "mail" to give access to /var/mail. |
|||
mail_privileged_group = mail |
|||
|
|||
# Grant access to these supplementary groups for mail processes. Typically |
|||
# these are used to set up access to shared mailboxes. Note that it may be |
|||
# dangerous to set these if users can create symlinks (e.g. if "mail" group is |
|||
# set here, ln -s /var/mail ~/mail/var could allow a user to delete others' |
|||
# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it). |
|||
#mail_access_groups = |
|||
|
|||
# Allow full filesystem access to clients. There's no access checks other than |
|||
# what the operating system does for the active UID/GID. It works with both |
|||
# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/ |
|||
# or ~user/. |
|||
#mail_full_filesystem_access = no |
|||
|
|||
# Dictionary for key=value mailbox attributes. This is used for example by |
|||
# URLAUTH and METADATA extensions. |
|||
#mail_attribute_dict = |
|||
|
|||
# A comment or note that is associated with the server. This value is |
|||
# accessible for authenticated users through the IMAP METADATA server |
|||
# entry "/shared/comment". |
|||
#mail_server_comment = "" |
|||
|
|||
# Indicates a method for contacting the server administrator. According to |
|||
# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that |
|||
# is currently not enforced. Use for example mailto:admin@example.com. This |
|||
# value is accessible for authenticated users through the IMAP METADATA server |
|||
# entry "/shared/admin". |
|||
#mail_server_admin = |
|||
|
|||
## |
|||
## Mail processes |
|||
## |
|||
|
|||
# Don't use mmap() at all. This is required if you store indexes to shared |
|||
# filesystems (NFS or clustered filesystem). |
|||
#mmap_disable = no |
|||
|
|||
# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL |
|||
# since version 3, so this should be safe to use nowadays by default. |
|||
#dotlock_use_excl = yes |
|||
|
|||
# When to use fsync() or fdatasync() calls: |
|||
# optimized (default): Whenever necessary to avoid losing important data |
|||
# always: Useful with e.g. NFS when write()s are delayed |
|||
# never: Never use it (best performance, but crashes can lose data) |
|||
#mail_fsync = optimized |
|||
|
|||
# Locking method for index files. Alternatives are fcntl, flock and dotlock. |
|||
# Dotlocking uses some tricks which may create more disk I/O than other locking |
|||
# methods. NFS users: flock doesn't work, remember to change mmap_disable. |
|||
#lock_method = fcntl |
|||
|
|||
# Directory where mails can be temporarily stored. Usually it's used only for |
|||
# mails larger than >= 128 kB. It's used by various parts of Dovecot, for |
|||
# example LDA/LMTP while delivering large mails or zlib plugin for keeping |
|||
# uncompressed mails. |
|||
#mail_temp_dir = /tmp |
|||
|
|||
# Valid UID range for users, defaults to 500 and above. This is mostly |
|||
# to make sure that users can't log in as daemons or other system users. |
|||
# Note that denying root logins is hardcoded to dovecot binary and can't |
|||
# be done even if first_valid_uid is set to 0. |
|||
#first_valid_uid = 500 |
|||
#last_valid_uid = 0 |
|||
|
|||
# Valid GID range for users, defaults to non-root/wheel. Users having |
|||
# non-valid GID as primary group ID aren't allowed to log in. If user |
|||
# belongs to supplementary groups with non-valid GIDs, those groups are |
|||
# not set. |
|||
#first_valid_gid = 1 |
|||
#last_valid_gid = 0 |
|||
|
|||
# Maximum allowed length for mail keyword name. It's only forced when trying |
|||
# to create new keywords. |
|||
#mail_max_keyword_length = 50 |
|||
|
|||
# ':' separated list of directories under which chrooting is allowed for mail |
|||
# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too). |
|||
# This setting doesn't affect login_chroot, mail_chroot or auth chroot |
|||
# settings. If this setting is empty, "/./" in home dirs are ignored. |
|||
# WARNING: Never add directories here which local users can modify, that |
|||
# may lead to root exploit. Usually this should be done only if you don't |
|||
# allow shell access for users. <doc/wiki/Chrooting.txt> |
|||
#valid_chroot_dirs = |
|||
|
|||
# Default chroot directory for mail processes. This can be overridden for |
|||
# specific users in user database by giving /./ in user's home directory |
|||
# (eg. /home/./user chroots into /home). Note that usually there is no real |
|||
# need to do chrooting, Dovecot doesn't allow users to access files outside |
|||
# their mail directory anyway. If your home directories are prefixed with |
|||
# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt> |
|||
#mail_chroot = |
|||
|
|||
# UNIX socket path to master authentication server to find users. |
|||
# This is used by imap (for shared users) and lda. |
|||
#auth_socket_path = /var/run/dovecot/auth-userdb |
|||
|
|||
# Directory where to look up mail plugins. |
|||
#mail_plugin_dir = /usr/lib/dovecot/modules |
|||
|
|||
# Space separated list of plugins to load for all services. Plugins specific to |
|||
# IMAP, LDA, etc. are added to this list in their own .conf files. |
|||
#mail_plugins = |
|||
|
|||
## |
|||
## Mailbox handling optimizations |
|||
## |
|||
|
|||
# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are |
|||
# also required for IMAP NOTIFY extension to be enabled. |
|||
#mailbox_list_index = yes |
|||
|
|||
# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost |
|||
# of potentially returning out-of-date results after e.g. server crashes. |
|||
# The results will be automatically fixed once the folders are opened. |
|||
#mailbox_list_index_very_dirty_syncs = yes |
|||
|
|||
# Should INBOX be kept up-to-date in the mailbox list index? By default it's |
|||
# not, because most of the mailbox accesses will open INBOX anyway. |
|||
#mailbox_list_index_include_inbox = no |
|||
|
|||
# The minimum number of mails in a mailbox before updates are done to cache |
|||
# file. This allows optimizing Dovecot's behavior to do less disk writes at |
|||
# the cost of more disk reads. |
|||
#mail_cache_min_mail_count = 0 |
|||
|
|||
# When IDLE command is running, mailbox is checked once in a while to see if |
|||
# there are any new mails or other changes. This setting defines the minimum |
|||
# time to wait between those checks. Dovecot can also use inotify and |
|||
# kqueue to find out immediately when changes occur. |
|||
#mailbox_idle_check_interval = 30 secs |
|||
|
|||
# Save mails with CR+LF instead of plain LF. This makes sending those mails |
|||
# take less CPU, especially with sendfile() syscall with Linux and FreeBSD. |
|||
# But it also creates a bit more disk I/O which may just make it slower. |
|||
# Also note that if other software reads the mboxes/maildirs, they may handle |
|||
# the extra CRs wrong and cause problems. |
|||
#mail_save_crlf = no |
|||
|
|||
# Max number of mails to keep open and prefetch to memory. This only works with |
|||
# some mailbox formats and/or operating systems. |
|||
#mail_prefetch_count = 0 |
|||
|
|||
# How often to scan for stale temporary files and delete them (0 = never). |
|||
# These should exist only after Dovecot dies in the middle of saving mails. |
|||
#mail_temp_scan_interval = 1w |
|||
|
|||
# How many slow mail accesses sorting can perform before it returns failure. |
|||
# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long. |
|||
# The untagged SORT reply is still returned, but it's likely not correct. |
|||
#mail_sort_max_read_count = 0 |
|||
|
|||
protocol !indexer-worker { |
|||
# If folder vsize calculation requires opening more than this many mails from |
|||
# disk (i.e. mail sizes aren't in cache already), return failure and finish |
|||
# the calculation via indexer process. Disabled by default. This setting must |
|||
# be 0 for indexer-worker processes. |
|||
#mail_vsize_bg_after_count = 0 |
|||
} |
|||
|
|||
## |
|||
## Maildir-specific settings |
|||
## |
|||
|
|||
# By default LIST command returns all entries in maildir beginning with a dot. |
|||
# Enabling this option makes Dovecot return only entries which are directories. |
|||
# This is done by stat()ing each entry, so it causes more disk I/O. |
|||
# (For systems setting struct dirent->d_type, this check is free and it's |
|||
# done always regardless of this setting) |
|||
#maildir_stat_dirs = no |
|||
|
|||
# When copying a message, do it with hard links whenever possible. This makes |
|||
# the performance much better, and it's unlikely to have any side effects. |
|||
#maildir_copy_with_hardlinks = yes |
|||
|
|||
# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only |
|||
# when its mtime changes unexpectedly or when we can't find the mail otherwise. |
|||
#maildir_very_dirty_syncs = no |
|||
|
|||
# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for |
|||
# getting the mail's physical size, except when recalculating Maildir++ quota. |
|||
# This can be useful in systems where a lot of the Maildir filenames have a |
|||
# broken size. The performance hit for enabling this is very small. |
|||
#maildir_broken_filename_sizes = no |
|||
|
|||
# Always move mails from new/ directory to cur/, even when the \Recent flags |
|||
# aren't being reset. |
|||
#maildir_empty_new = no |
|||
|
|||
## |
|||
## mbox-specific settings |
|||
## |
|||
|
|||
# Which locking methods to use for locking mbox. There are four available: |
|||
# dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe |
|||
# solution. If you want to use /var/mail/ like directory, the users |
|||
# will need write access to that directory. |
|||
# dotlock_try: Same as dotlock, but if it fails because of permissions or |
|||
# because there isn't enough disk space, just skip it. |
|||
# fcntl : Use this if possible. Works with NFS too if lockd is used. |
|||
# flock : May not exist in all systems. Doesn't work with NFS. |
|||
# lockf : May not exist in all systems. Doesn't work with NFS. |
|||
# |
|||
# You can use multiple locking methods; if you do the order they're declared |
|||
# in is important to avoid deadlocks if other MTAs/MUAs are using multiple |
|||
# locking methods as well. Some operating systems don't allow using some of |
|||
# them simultaneously. |
|||
# |
|||
# The Debian value for mbox_write_locks differs from upstream Dovecot. It is |
|||
# changed to be compliant with Debian Policy (section 11.6) for NFS safety. |
|||
# Dovecot: mbox_write_locks = dotlock fcntl |
|||
# Debian: mbox_write_locks = fcntl dotlock |
|||
# |
|||
#mbox_read_locks = fcntl |
|||
#mbox_write_locks = fcntl dotlock |
|||
|
|||
# Maximum time to wait for lock (all of them) before aborting. |
|||
#mbox_lock_timeout = 5 mins |
|||
|
|||
# If dotlock exists but the mailbox isn't modified in any way, override the |
|||
# lock file after this much time. |
|||
#mbox_dotlock_change_timeout = 2 mins |
|||
|
|||
# When mbox changes unexpectedly we have to fully read it to find out what |
|||
# changed. If the mbox is large this can take a long time. Since the change |
|||
# is usually just a newly appended mail, it'd be faster to simply read the |
|||
# new mails. If this setting is enabled, Dovecot does this but still safely |
|||
# fallbacks to re-reading the whole mbox file whenever something in mbox isn't |
|||
# how it's expected to be. The only real downside to this setting is that if |
|||
# some other MUA changes message flags, Dovecot doesn't notice it immediately. |
|||
# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK |
|||
# commands. |
|||
#mbox_dirty_syncs = yes |
|||
|
|||
# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE, |
|||
# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored. |
|||
#mbox_very_dirty_syncs = no |
|||
|
|||
# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK |
|||
# commands and when closing the mailbox). This is especially useful for POP3 |
|||
# where clients often delete all mails. The downside is that our changes |
|||
# aren't immediately visible to other MUAs. |
|||
#mbox_lazy_writes = yes |
|||
|
|||
# If mbox size is smaller than this (e.g. 100k), don't write index files. |
|||
# If an index file already exists it's still read, just not updated. |
|||
#mbox_min_index_size = 0 |
|||
|
|||
# Mail header selection algorithm to use for MD5 POP3 UIDLs when |
|||
# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired |
|||
# algorithm, but it fails if the first Received: header isn't unique in all |
|||
# mails. An alternative algorithm is "all" that selects all headers. |
|||
#mbox_md5 = apop3d |
|||
|
|||
## |
|||
## mdbox-specific settings |
|||
## |
|||
|
|||
# Maximum dbox file size until it's rotated. |
|||
#mdbox_rotate_size = 10M |
|||
|
|||
# Maximum dbox file age until it's rotated. Typically in days. Day begins |
|||
# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled. |
|||
#mdbox_rotate_interval = 0 |
|||
|
|||
# When creating new mdbox files, immediately preallocate their size to |
|||
# mdbox_rotate_size. This setting currently works only in Linux with some |
|||
# filesystems (ext4, xfs). |
|||
#mdbox_preallocate_space = no |
|||
|
|||
## |
|||
## Mail attachments |
|||
## |
|||
|
|||
# sdbox and mdbox support saving mail attachments to external files, which |
|||
# also allows single instance storage for them. Other backends don't support |
|||
# this for now. |
|||
|
|||
# Directory root where to store mail attachments. Disabled, if empty. |
|||
#mail_attachment_dir = |
|||
|
|||
# Attachments smaller than this aren't saved externally. It's also possible to |
|||
# write a plugin to disable saving specific attachments externally. |
|||
#mail_attachment_min_size = 128k |
|||
|
|||
# Filesystem backend to use for saving attachments: |
|||
# posix : No SiS done by Dovecot (but this might help FS's own deduplication) |
|||
# sis posix : SiS with immediate byte-by-byte comparison during saving |
|||
# sis-queue posix : SiS with delayed comparison and deduplication |
|||
#mail_attachment_fs = sis posix |
|||
|
|||
# Hash format to use in attachment filenames. You can add any text and |
|||
# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}. |
|||
# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits |
|||
#mail_attachment_hash = %{sha1} |
|||
|
|||
# Settings to control adding $HasAttachment or $HasNoAttachment keywords. |
|||
# By default, all MIME parts with Content-Disposition=attachment, or inlines |
|||
# with filename parameter are consired attachments. |
|||
# add-flags-on-save - Add the keywords when saving new mails. |
|||
# content-type=type or !type - Include/exclude content type. Excluding will |
|||
# never consider the matched MIME part as attachment. Including will only |
|||
# negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar). |
|||
# exclude-inlined - Exclude any Content-Disposition=inline MIME part. |
|||
#mail_attachment_detection_options = |
|||
@ -0,0 +1,130 @@ |
|||
#default_process_limit = 100 |
|||
#default_client_limit = 1000 |
|||
|
|||
# Default VSZ (virtual memory size) limit for service processes. This is mainly |
|||
# intended to catch and kill processes that leak memory before they eat up |
|||
# everything. |
|||
#default_vsz_limit = 256M |
|||
|
|||
# Login user is internally used by login processes. This is the most untrusted |
|||
# user in Dovecot system. It shouldn't have access to anything at all. |
|||
#default_login_user = dovenull |
|||
|
|||
# Internal user is used by unprivileged processes. It should be separate from |
|||
# login user, so that login processes can't disturb other processes. |
|||
#default_internal_user = dovecot |
|||
|
|||
service imap-login { |
|||
inet_listener imap { |
|||
port = 143 |
|||
} |
|||
inet_listener imaps { |
|||
port = 993 |
|||
ssl = yes |
|||
} |
|||
|
|||
# Number of connections to handle before starting a new process. Typically |
|||
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0 |
|||
# is faster. <doc/wiki/LoginProcess.txt> |
|||
#service_count = 1 |
|||
|
|||
# Number of processes to always keep waiting for more connections. |
|||
#process_min_avail = 0 |
|||
|
|||
# If you set service_count=0, you probably need to grow this. |
|||
#vsz_limit = $default_vsz_limit |
|||
} |
|||
|
|||
service pop3-login { |
|||
inet_listener pop3 { |
|||
#port = 110 |
|||
} |
|||
inet_listener pop3s { |
|||
#port = 995 |
|||
#ssl = yes |
|||
} |
|||
} |
|||
|
|||
service submission-login { |
|||
inet_listener submission { |
|||
#port = 587 |
|||
} |
|||
} |
|||
|
|||
service lmtp { |
|||
user = vmail |
|||
#process_min_avail = 5 |
|||
unix_listener /var/spool/postfix/private/dovecot-lmtp { |
|||
group = postfix |
|||
mode = 0600 |
|||
user = postfix |
|||
} |
|||
} |
|||
|
|||
service imap { |
|||
# Most of the memory goes to mmap()ing files. You may need to increase this |
|||
# limit if you have huge mailboxes. |
|||
#vsz_limit = $default_vsz_limit |
|||
|
|||
# Max. number of IMAP processes (connections) |
|||
#process_limit = 1024 |
|||
} |
|||
|
|||
service pop3 { |
|||
# Max. number of POP3 processes (connections) |
|||
#process_limit = 1024 |
|||
} |
|||
|
|||
service submission { |
|||
# Max. number of SMTP Submission processes (connections) |
|||
#process_limit = 1024 |
|||
} |
|||
|
|||
service auth { |
|||
# auth_socket_path points to this userdb socket by default. It's typically |
|||
# used by dovecot-lda, doveadm, possibly imap process, etc. Users that have |
|||
# full permissions to this socket are able to get a list of all usernames and |
|||
# get the results of everyone's userdb lookups. |
|||
# |
|||
# The default 0666 mode allows anyone to connect to the socket, but the |
|||
# userdb lookups will succeed only if the userdb returns an "uid" field that |
|||
# matches the caller process's UID. Also if caller's uid or gid matches the |
|||
# socket's uid or gid the lookup succeeds. Anything else causes a failure. |
|||
# |
|||
# To give the caller full permissions to lookup all users, set the mode to |
|||
# something else than 0666 and Dovecot lets the kernel enforce the |
|||
# permissions (e.g. 0777 allows everyone full permissions). |
|||
unix_listener auth-userdb { |
|||
#mode = 0666 |
|||
#user = |
|||
#group = |
|||
} |
|||
|
|||
# Postfix smtp-auth |
|||
unix_listener /var/spool/postfix/private/auth { |
|||
mode = 0700 |
|||
# Assuming the default Postfix user and group |
|||
user = postfix |
|||
group = postfix |
|||
} |
|||
|
|||
# Auth process is run as this user. |
|||
user = vmail |
|||
} |
|||
|
|||
service auth-worker { |
|||
# Auth worker process is run as root by default, so that it can access |
|||
# /etc/shadow. If this isn't necessary, the user should be changed to |
|||
# $default_internal_user. |
|||
#user = root |
|||
} |
|||
|
|||
service dict { |
|||
# If dict proxy is used, mail processes should have access to its socket. |
|||
# For example: mode=0660, group=vmail and global mail_access_groups=vmail |
|||
unix_listener dict { |
|||
#mode = 0600 |
|||
#user = |
|||
#group = |
|||
} |
|||
} |
|||
@ -0,0 +1,75 @@ |
|||
## |
|||
## SSL settings |
|||
## |
|||
|
|||
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> |
|||
ssl = yes |
|||
|
|||
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before |
|||
# dropping root privileges, so keep the key file unreadable by anyone but |
|||
# root. Included doc/mkcert.sh can be used to easily generate self-signed |
|||
# certificate, just make sure to update the domains in dovecot-openssl.cnf |
|||
ssl_cert = </vol/ssl/fullchain.pem |
|||
ssl_key = </vol/ssl/privkey.pem |
|||
|
|||
# If key file is password protected, give the password here. Alternatively |
|||
# give it when starting dovecot with -p parameter. Since this file is often |
|||
# world-readable, you may want to place this setting instead to a different |
|||
# root owned 0600 file by using ssl_key_password = <path. |
|||
#ssl_key_password = |
|||
|
|||
# PEM encoded trusted certificate authority. Set this only if you intend to use |
|||
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s) |
|||
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) |
|||
#ssl_ca = |
|||
|
|||
# Require that CRL check succeeds for client certificates. |
|||
#ssl_require_crl = yes |
|||
|
|||
# Directory and/or file for trusted SSL CA certificates. These are used only |
|||
# when Dovecot needs to act as an SSL client (e.g. imapc backend or |
|||
# submission service). The directory is usually /etc/ssl/certs in |
|||
# Debian-based systems and the file is /etc/pki/tls/cert.pem in |
|||
# RedHat-based systems. |
|||
ssl_client_ca_dir = /etc/ssl/certs |
|||
#ssl_client_ca_file = |
|||
|
|||
# Request client to send a certificate. If you also want to require it, set |
|||
# auth_ssl_require_client_cert=yes in auth section. |
|||
#ssl_verify_client_cert = no |
|||
|
|||
# Which field from certificate to use for username. commonName and |
|||
# x500UniqueIdentifier are the usual choices. You'll also need to set |
|||
# auth_ssl_username_from_cert=yes. |
|||
#ssl_cert_username_field = commonName |
|||
|
|||
# SSL DH parameters |
|||
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096` |
|||
# Or migrate from old ssl-parameters.dat file with the command dovecot |
|||
# gives on startup when ssl_dh is unset. |
|||
ssl_dh = </usr/share/dovecot/dh.pem |
|||
|
|||
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3, |
|||
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used. |
|||
#ssl_min_protocol = TLSv1 |
|||
|
|||
# SSL ciphers to use, the default is: |
|||
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH |
|||
# To disable non-EC DH, use: |
|||
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH |
|||
|
|||
# Colon separated list of elliptic curves to use. Empty value (the default) |
|||
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an |
|||
# example of a valid value. |
|||
#ssl_curve_list = |
|||
|
|||
# Prefer the server's order of ciphers over client's. |
|||
#ssl_prefer_server_ciphers = no |
|||
|
|||
# SSL crypto device to use, for valid values run "openssl engine" |
|||
#ssl_crypto_device = |
|||
|
|||
# SSL extra options. Currently supported options are: |
|||
# compression - Enable compression. |
|||
# no_ticket - Disable SSL session tickets. |
|||
#ssl_options = |
|||
@ -0,0 +1,78 @@ |
|||
## |
|||
## Mailbox definitions |
|||
## |
|||
|
|||
# Each mailbox is specified in a separate mailbox section. The section name |
|||
# specifies the mailbox name. If it has spaces, you can put the name |
|||
# "in quotes". These sections can contain the following mailbox settings: |
|||
# |
|||
# auto: |
|||
# Indicates whether the mailbox with this name is automatically created |
|||
# implicitly when it is first accessed. The user can also be automatically |
|||
# subscribed to the mailbox after creation. The following values are |
|||
# defined for this setting: |
|||
# |
|||
# no - Never created automatically. |
|||
# create - Automatically created, but no automatic subscription. |
|||
# subscribe - Automatically created and subscribed. |
|||
# |
|||
# special_use: |
|||
# A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the |
|||
# mailbox. There are no validity checks, so you could specify anything |
|||
# you want in here, but it's not a good idea to use flags other than the |
|||
# standard ones specified in the RFC: |
|||
# |
|||
# \All - This (virtual) mailbox presents all messages in the |
|||
# user's message store. |
|||
# \Archive - This mailbox is used to archive messages. |
|||
# \Drafts - This mailbox is used to hold draft messages. |
|||
# \Flagged - This (virtual) mailbox presents all messages in the |
|||
# user's message store marked with the IMAP \Flagged flag. |
|||
# \Junk - This mailbox is where messages deemed to be junk mail |
|||
# are held. |
|||
# \Sent - This mailbox is used to hold copies of messages that |
|||
# have been sent. |
|||
# \Trash - This mailbox is used to hold messages that have been |
|||
# deleted. |
|||
# |
|||
# comment: |
|||
# Defines a default comment or note associated with the mailbox. This |
|||
# value is accessible through the IMAP METADATA mailbox entries |
|||
# "/shared/comment" and "/private/comment". Users with sufficient |
|||
# privileges can override the default value for entries with a custom |
|||
# value. |
|||
|
|||
# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf. |
|||
namespace inbox { |
|||
# These mailboxes are widely used and could perhaps be created automatically: |
|||
mailbox Drafts { |
|||
special_use = \Drafts |
|||
} |
|||
mailbox Junk { |
|||
special_use = \Junk |
|||
} |
|||
mailbox Trash { |
|||
special_use = \Trash |
|||
} |
|||
|
|||
# For \Sent mailboxes there are two widely used names. We'll mark both of |
|||
# them as \Sent. User typically deletes one of them if duplicates are created. |
|||
mailbox Sent { |
|||
special_use = \Sent |
|||
} |
|||
#mailbox "Sent Messages" { |
|||
# special_use = \Sent |
|||
#} |
|||
|
|||
# If you have a virtual "All messages" mailbox: |
|||
#mailbox virtual/All { |
|||
# special_use = \All |
|||
# comment = All my messages |
|||
#} |
|||
|
|||
# If you have a virtual "Flagged" mailbox: |
|||
#mailbox virtual/Flagged { |
|||
# special_use = \Flagged |
|||
# comment = All my flagged messages |
|||
#} |
|||
} |
|||
@ -0,0 +1,29 @@ |
|||
## |
|||
## LMTP specific settings |
|||
## |
|||
|
|||
# Support proxying to other LMTP/SMTP servers by performing passdb lookups. |
|||
#lmtp_proxy = no |
|||
|
|||
# When recipient address includes the detail (e.g. user+detail), try to save |
|||
# the mail to the detail mailbox. See also recipient_delimiter and |
|||
# lda_mailbox_autocreate settings. |
|||
lmtp_save_to_detail_mailbox = no |
|||
recipient_delimiter = - |
|||
lda_mailbox_autocreate = yes |
|||
lda_mailbox_autosubscribe = yes |
|||
|
|||
# Verify quota before replying to RCPT TO. This adds a small overhead. |
|||
#lmtp_rcpt_check_quota = no |
|||
|
|||
# Which recipient address to use for Delivered-To: header and Received: |
|||
# header. The default is "final", which is the same as the one given to |
|||
# RCPT TO command. "original" uses the address given in RCPT TO's ORCPT |
|||
# parameter, "none" uses nothing. Note that "none" is currently always used |
|||
# when a mail has multiple recipients. |
|||
#lmtp_hdr_delivery_address = final |
|||
|
|||
protocol lmtp { |
|||
# Space separated list of plugins to load (default is global mail_plugins). |
|||
#mail_plugins = $mail_plugins |
|||
} |
|||
@ -0,0 +1,105 @@ |
|||
## Dovecot configuration file |
|||
|
|||
# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration |
|||
|
|||
# "doveconf -n" command gives a clean output of the changed settings. Use it |
|||
# instead of copy&pasting files when posting to the Dovecot mailing list. |
|||
|
|||
# '#' character and everything after it is treated as comments. Extra spaces |
|||
# and tabs are ignored. If you want to use either of these explicitly, put the |
|||
# value inside quotes, eg.: key = "# char and trailing whitespace " |
|||
|
|||
# Most (but not all) settings can be overridden by different protocols and/or |
|||
# source/destination IPs by placing the settings inside sections, for example: |
|||
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { } |
|||
|
|||
# Default values are shown for each setting, it's not required to uncomment |
|||
# those. These are exceptions to this though: No sections (e.g. namespace {}) |
|||
# or plugin settings are added by default, they're listed only as examples. |
|||
# Paths are also just examples with the real defaults being based on configure |
|||
# options. The paths listed here are for configure --prefix=/usr |
|||
# --sysconfdir=/etc --localstatedir=/var |
|||
|
|||
# Enable installed protocols |
|||
!include_try /usr/share/dovecot/protocols.d/*.protocol |
|||
|
|||
# A comma separated list of IPs or hosts where to listen in for connections. |
|||
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces. |
|||
# If you want to specify non-default ports or anything more complex, |
|||
# edit conf.d/master.conf. |
|||
#listen = *, :: |
|||
|
|||
# Base directory where to store runtime data. |
|||
#base_dir = /var/run/dovecot/ |
|||
|
|||
# Name of this instance. In multi-instance setup doveadm and other commands |
|||
# can use -i <instance_name> to select which instance is used (an alternative |
|||
# to -c <config_path>). The instance name is also added to Dovecot processes |
|||
# in ps output. |
|||
#instance_name = dovecot |
|||
|
|||
# Greeting message for clients. |
|||
#login_greeting = Dovecot ready. |
|||
|
|||
# Space separated list of trusted network ranges. Connections from these |
|||
# IPs are allowed to override their IP addresses and ports (for logging and |
|||
# for authentication checks). disable_plaintext_auth is also ignored for |
|||
# these networks. Typically you'd specify your IMAP proxy servers here. |
|||
#login_trusted_networks = |
|||
|
|||
# Space separated list of login access check sockets (e.g. tcpwrap) |
|||
#login_access_sockets = |
|||
|
|||
# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do |
|||
# proxying. This isn't necessary normally, but may be useful if the destination |
|||
# IP is e.g. a load balancer's IP. |
|||
#auth_proxy_self = |
|||
|
|||
# Show more verbose process titles (in ps). Currently shows user name and |
|||
# IP address. Useful for seeing who are actually using the IMAP processes |
|||
# (eg. shared mailboxes or if same uid is used for multiple accounts). |
|||
#verbose_proctitle = no |
|||
|
|||
# Should all processes be killed when Dovecot master process shuts down. |
|||
# Setting this to "no" means that Dovecot can be upgraded without |
|||
# forcing existing client connections to close (although that could also be |
|||
# a problem if the upgrade is e.g. because of a security fix). |
|||
#shutdown_clients = yes |
|||
|
|||
# If non-zero, run mail commands via this many connections to doveadm server, |
|||
# instead of running them directly in the same process. |
|||
#doveadm_worker_count = 0 |
|||
# UNIX socket or host:port used for connecting to doveadm server |
|||
#doveadm_socket_path = doveadm-server |
|||
|
|||
# Space separated list of environment variables that are preserved on Dovecot |
|||
# startup and passed down to all of its child processes. You can also give |
|||
# key=value pairs to always set specific settings. |
|||
#import_environment = TZ |
|||
|
|||
## |
|||
## Dictionary server settings |
|||
## |
|||
|
|||
# Dictionary can be used to store key=value lists. This is used by several |
|||
# plugins. The dictionary can be accessed either directly or though a |
|||
# dictionary server. The following dict block maps dictionary names to URIs |
|||
# when the server is used. These can then be referenced using URIs in format |
|||
# "proxy::<name>". |
|||
|
|||
dict { |
|||
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext |
|||
#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext |
|||
} |
|||
|
|||
# Most of the actual configuration gets included below. The filenames are |
|||
# first sorted by their ASCII value and parsed in that order. The 00-prefixes |
|||
# in filenames are intended to make it easier to understand the ordering. |
|||
!include conf.d/*.conf |
|||
|
|||
# A config file can also tried to be included without giving an error if |
|||
# it's not found: |
|||
!include_try local.conf |
|||
|
|||
# General settings |
|||
protocols = imap lmtp |
|||
@ -0,0 +1,3 @@ |
|||
[Service] |
|||
ExecStartPre="/usr/local/bin/mkvirt" |
|||
ExecReload="/usr/local/bin/mkvirt" |
|||
@ -0,0 +1,59 @@ |
|||
### General ### |
|||
# network segments to consider internal |
|||
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 |
|||
# interfaces & protocols to listen on |
|||
inet_interfaces = all |
|||
inet_protocols = all |
|||
# what backend to use to deliver local & virtual mail |
|||
local_transport = lmtp:unix:private/dovecot-lmtp |
|||
# hosts to relay for |
|||
relayhost = |
|||
# whether to send "new mail" notifications to users |
|||
# on by default, but we turn off because we're not using system users |
|||
biff = no |
|||
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on |
|||
# fresh installs. |
|||
compatibility_level = 2 |
|||
|
|||
### Domains ### |
|||
# primary name of server |
|||
myhostname = mail.brbytes.org |
|||
myorigin = $mydomain |
|||
# domains to consider primary (local) endpoints |
|||
mydestination = $myhostname, $mydomain, localhost.localdomain, localhost |
|||
# domains to consider secondary (virtual) endpoints |
|||
#virtual_alias_domains = info.brbytes.org |
|||
|
|||
### Users ### |
|||
# get list of valid users from here instead of /etc/passwd |
|||
local_recipient_maps = hash:/etc/postfix/users |
|||
# get list of user aliases from this file |
|||
virtual_alias_maps = hash:/etc/postfix/aliases |
|||
# Address tag delimiter. If an email is sent to ${user}${delimiter}*, |
|||
# the email is sent to ${user} if that address is not already explicitly defined. |
|||
recipient_delimiter = - |
|||
|
|||
### TLS ### |
|||
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for |
|||
# information on enabling SSL in the smtp client. |
|||
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache |
|||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache |
|||
# whether to allow or enforce TLS. Acceptable values are 'none', 'may', or 'encrypt'. |
|||
smtpd_tls_security_level=may |
|||
# where to find certs |
|||
smtpd_tls_cert_file=/vol/ssl/fullchain.pem |
|||
smtpd_tls_key_file=/vol/ssl/privkey.pem |
|||
|
|||
### Anti-spam ### |
|||
#smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client sbl.spamhaus.org, permit |
|||
#smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname |
|||
|
|||
### SASL ### |
|||
smtpd_sasl_type = dovecot |
|||
# Can be an absolute path, or relative to $queue_directory |
|||
# Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below |
|||
smtpd_sasl_path = private/auth |
|||
# and the common settings to enable SASL: |
|||
smtpd_sasl_auth_enable = yes |
|||
# With Postfix version before 2.10, use smtpd_recipient_restrictions |
|||
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination |
|||
@ -0,0 +1,119 @@ |
|||
# |
|||
# Postfix master process configuration file. For details on the format |
|||
# of the file, see the master(5) manual page (command: "man 5 master" or |
|||
# on-line: http://www.postfix.org/master.5.html). |
|||
# |
|||
# Do not forget to execute "postfix reload" after editing this file. |
|||
# |
|||
# ========================================================================== |
|||
# service type private unpriv chroot wakeup maxproc command + args |
|||
# (yes) (yes) (no) (never) (100) |
|||
# ========================================================================== |
|||
smtp inet n - y - - smtpd |
|||
submission inet n - y - - smtpd |
|||
-o smtpd_sasl_local_domain=$myhostname |
|||
-o smtpd_tls_security_level=encrypt |
|||
-o smtpd_sasl_security_options=noanonymous |
|||
-o smtpd_client_restrictions=permit_sasl_authenticated,reject |
|||
-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject |
|||
-o smtpd_sender_login_maps=hash:/etc/postfix/aliases |
|||
-o smtpd_sender_restrictions=reject_sender_login_mismatch |
|||
#smtps inet n - y - - smtpd |
|||
# -o syslog_name=postfix/smtps |
|||
# -o smtpd_tls_wrappermode=yes |
|||
# -o smtpd_sasl_auth_enable=yes |
|||
# -o smtpd_reject_unlisted_recipient=no |
|||
# -o smtpd_client_restrictions=$mua_client_restrictions |
|||
# -o smtpd_helo_restrictions=$mua_helo_restrictions |
|||
# -o smtpd_sender_restrictions=$mua_sender_restrictions |
|||
# -o smtpd_recipient_restrictions= |
|||
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject |
|||
# -o milter_macro_daemon_name=ORIGINATING |
|||
# Local services |
|||
# ========================================================================== |
|||
pickup unix n - y 60 1 pickup |
|||
cleanup unix n - y - 0 cleanup |
|||
qmgr unix n - n 300 1 qmgr |
|||
#qmgr unix n - n 300 1 oqmgr |
|||
tlsmgr unix - - y 1000? 1 tlsmgr |
|||
rewrite unix - - y - - trivial-rewrite |
|||
bounce unix - - y - 0 bounce |
|||
defer unix - - y - 0 bounce |
|||
trace unix - - y - 0 bounce |
|||
verify unix - - y - 1 verify |
|||
flush unix n - y 1000? 0 flush |
|||
proxymap unix - - n - - proxymap |
|||
proxywrite unix - - n - 1 proxymap |
|||
smtp unix - - y - - smtp |
|||
relay unix - - y - - smtp |
|||
-o syslog_name=postfix/$service_name |
|||
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 |
|||
showq unix n - y - - showq |
|||
error unix - - y - - error |
|||
retry unix - - y - - error |
|||
discard unix - - y - - discard |
|||
local unix - n n - - local |
|||
virtual unix - n n - - virtual |
|||
lmtp unix - - y - - lmtp |
|||
anvil unix - - y - 1 anvil |
|||
scache unix - - y - 1 scache |
|||
postlog unix-dgram n - n - 1 postlogd |
|||
# |
|||
# ==================================================================== |
|||
# Interfaces to non-Postfix software. Be sure to examine the manual |
|||
# pages of the non-Postfix software to find out what options it wants. |
|||
# |
|||
# Many of the following services use the Postfix pipe(8) delivery |
|||
# agent. See the pipe(8) man page for information about ${recipient} |
|||
# and other message envelope options. |
|||
# ==================================================================== |
|||
# |
|||
# maildrop. See the Postfix MAILDROP_README file for details. |
|||
# Also specify in main.cf: maildrop_destination_recipient_limit=1 |
|||
# |
|||
maildrop unix - n n - - pipe |
|||
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} |
|||
# |
|||
# ==================================================================== |
|||
# |
|||
# Recent Cyrus versions can use the existing "lmtp" master.cf entry. |
|||
# |
|||
# Specify in cyrus.conf: |
|||
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 |
|||
# |
|||
# Specify in main.cf one or more of the following: |
|||
# mailbox_transport = lmtp:inet:localhost |
|||
# virtual_transport = lmtp:inet:localhost |
|||
# |
|||
# ==================================================================== |
|||
# |
|||
# Cyrus 2.1.5 (Amos Gouaux) |
|||
# Also specify in main.cf: cyrus_destination_recipient_limit=1 |
|||
# |
|||
#cyrus unix - n n - - pipe |
|||
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} |
|||
# |
|||
# ==================================================================== |
|||
# Old example of delivery via Cyrus. |
|||
# |
|||
#old-cyrus unix - n n - - pipe |
|||
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} |
|||
# |
|||
# ==================================================================== |
|||
# |
|||
# See the Postfix UUCP_README file for configuration details. |
|||
# |
|||
uucp unix - n n - - pipe |
|||
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) |
|||
# |
|||
# Other external delivery methods. |
|||
# |
|||
ifmail unix - n n - - pipe |
|||
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) |
|||
bsmtp unix - n n - - pipe |
|||
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient |
|||
scalemail-backend unix - n n - 2 pipe |
|||
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} |
|||
mailman unix - n n - - pipe |
|||
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py |
|||
${nexthop} ${user} |
|||
@ -0,0 +1,222 @@ |
|||
# build postfix container |
|||
|
|||
## notes |
|||
|
|||
add dovecot user to vmail grp |
|||
|
|||
## basic setup |
|||
|
|||
### create container |
|||
|
|||
build & launch debian-base container: |
|||
``` |
|||
git clone https://git.brbytes.org/mario/container.git |
|||
cd container |
|||
./install.sh |
|||
cd src/debian |
|||
sudo pdm-build |
|||
sudo pdm-launch debian postfix |
|||
sudo pdm-shell postfix |
|||
``` |
|||
|
|||
### add user |
|||
|
|||
add `vmail` user with appropriate UID. Run: |
|||
``` |
|||
addgroup --gid ${files_uid:?} vmail |
|||
adduser vmail --ingroup vmail --uid ${files_uid:?} --disabled-password --gecos "Virtual Mail Owner" --shell /usr/sbin/nologin --home /var/mail/virtual |
|||
``` |
|||
|
|||
### install packages |
|||
|
|||
install postfix: |
|||
``` |
|||
apt install postfix |
|||
``` |
|||
select `2 (internet site)` when asked how to configure, and enter your appropriate hostname. |
|||
|
|||
install other packages: |
|||
``` |
|||
apt install rsyslog dovecot-imapd dovecot-lmtpd |
|||
|
|||
## postfix |
|||
|
|||
### Install |
|||
|
|||
edit config: |
|||
``` |
|||
cd /etc/postfix/ |
|||
nano main.cf |
|||
``` |
|||
|
|||
### main.cf |
|||
|
|||
All of the excerpts in this section should be included in `main.cf`. |
|||
|
|||
configure the domain: |
|||
``` |
|||
# domain |
|||
myhostname = mailtest.brbytes.org |
|||
myorigin = $myhostname |
|||
mydestination = $myhostname, localhost.localdomain, localhost |
|||
``` |
|||
|
|||
tell postfix where to look for aliases: |
|||
``` |
|||
alias_maps = hash:/etc/postfix/aliases |
|||
alias_database = hash:/etc/postfix/aliases |
|||
recipient_delimiter = - |
|||
``` |
|||
|
|||
add some sanity checking to block spam/malicious emails: |
|||
``` |
|||
# anti-spam restrictions |
|||
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client sbl.spamhaus.org, permit |
|||
smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname |
|||
``` |
|||
|
|||
remove the line setting the `smtpd_use_tls` parameter, and replace it with: |
|||
``` |
|||
# whether to allow or enforce TLS. Acceptable values are 'none', 'may', or 'encrypt'. |
|||
smtpd_tls_security_level=may |
|||
``` |
|||
we also want to tell postfix where it can find our SSL certificates: |
|||
``` |
|||
smtpd_tls_cert_file=${path_to_cert:?} |
|||
smtpd_tls_key_file=${path_to_key:?} |
|||
``` |
|||
configure postfix to use Dovecot SASL for user authentication: |
|||
``` |
|||
#configure Dovecot SASL |
|||
smtpd_sasl_type = dovecot |
|||
# Can be an absolute path, or relative to $queue_directory |
|||
# Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below |
|||
smtpd_sasl_path = private/auth |
|||
# and the common settings to enable SASL: |
|||
smtpd_sasl_auth_enable = yes |
|||
# With Postfix version before 2.10, use smtpd_recipient_restrictions |
|||
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination |
|||
# More settings |
|||
smtpd_sasl_security_options=noanonymous |
|||
smtpd_sasl_local_domain=$myhostname |
|||
smtpd_client_restrictions=permit_sasl_authenticated,reject |
|||
smtpd_sender_login_maps=hash:/etc/postfix/virtual |
|||
smtpd_sender_restrictions=reject_sender_login_mismatch |
|||
``` |
|||
Configure postfix to use Dovecot LMTP for mail delivery: |
|||
``` |
|||
mailbox_transport = lmtp:unix:private/dovecot-lmtp |
|||
virtual_transport = lmtp:unix:private/dovecot-lmtp |
|||
``` |
|||
|
|||
### virtual |
|||
|
|||
create virtual aliases file: |
|||
``` |
|||
postmaster: root |
|||
root: fernando, juana, mario |
|||
``` |
|||
|
|||
then run the following commands to update the aliases list: |
|||
``` |
|||
newaliases |
|||
postfix reload |
|||
``` |
|||
|
|||
## Dovecot |
|||
|
|||
We also need to configure dovecot. Go to its configuration directory: |
|||
``` |
|||
cd /etc/dovecot |
|||
``` |
|||
|
|||
Edit the file `dovecot.conf` and add the line: |
|||
``` |
|||
protocols = imap lmtp |
|||
``` |
|||
we need to create a `users` file containing our usernames and passwords. Don't forget to set its permissions properly: |
|||
``` |
|||
chmod u=rw,g=r,o= users |
|||
chown root:dovecot users |
|||
``` |
|||
create dir for virtual mailboxes: |
|||
``` |
|||
mkdir -p /var/mail/virtual |
|||
chown -R vmail:vmail /var/mail/virtual |
|||
``` |
|||
|
|||
### conf.d |
|||
|
|||
There are several config files in `conf.d` that we will also need to edit: |
|||
|
|||
First, we need to enable SASL so that Dovecot can tell postfix whether or not a user is authenticated. Edit the file `10-master.conf`, and add/uncomment the following directive to the `service auth` section: |
|||
``` |
|||
# Postfix smtp-auth |
|||
unix_listener /var/spool/postfix/private/auth { |
|||
mode = 0666 |
|||
# Assuming the default Postfix user and group |
|||
user = postfix |
|||
group = postfix |
|||
} |
|||
``` |
|||
|
|||
Next, edit the file `10-auth.conf`, and edit the `auth_mechanisms` directive to be: |
|||
``` |
|||
# Outlook Express and Windows Mail works only with LOGIN mechanism, not the standard PLAIN: |
|||
auth_mechanisms = plain login |
|||
``` |
|||
|
|||
We also want to enable LMTP. Edit `10-master.conf` again and add/uncomment the directive: |
|||
``` |
|||
service lmtp { |
|||
user = vmail |
|||
unix_listener /var/spool/postfix/private/dovecot-lmtp { |
|||
group = postfix |
|||
mode = 0600 |
|||
user = postfix |
|||
} |
|||
} |
|||
``` |
|||
We also need to configure some settings for LMTP. Edit `20-lmtp.conf` and add the directives: |
|||
``` |
|||
lmtp_save_to_detail_mailbox = no |
|||
recipient_delimiter = - |
|||
lda_mailbox_autocreate = yes |
|||
lda_mailbox_autosubscribe = yes |
|||
``` |
|||
|
|||
We also need to tell Dovecot what database to look up users in. Edit `10-auth.conf` and delete/comment any lines including a `.ext` file (includes begin with an exclamation point). Then, add the directives: |
|||
``` |
|||
passdb { |
|||
driver = passwd-file |
|||
# username_format: Set to '%u' to look up full usernames. If you want to enable |
|||
# user@domain logins but have only user in the file, set to %n instead. |
|||
args = username_format=%n /etc/dovecot/users |
|||
} |
|||
|
|||
userdb { |
|||
driver = static |
|||
args = uid=vmail gid=vmail home=/var/mail/virtual/%n |
|||
} |
|||
``` |
|||
We also want to configure where mail is stored and in what format. Edit `10-mail.conf` and delete/comment the line setting `mail_location`. Replace it with: |
|||
``` |
|||
mail_location = maildir:~/Maildir:LAYOUT=fs |
|||
``` |
|||
We need to tell Dovecot to listen on the IMAP ports so we can access it with IMAP clients. Add/uncomment the following directives in `10-master.conf`: |
|||
``` |
|||
service imap-login { |
|||
inet_listener imap { |
|||
port = 143 |
|||
} |
|||
inet_listener imaps { |
|||
port = 993 |
|||
ssl = yes |
|||
} |
|||
} |
|||
``` |
|||
Tell dovecot where to get its SSL certificates by setting the following directives in `10-ssl.conf`: |
|||
``` |
|||
ssl_cert = <${path_to cert:?} |
|||
ssl_key = <${path_to_key:?} |
|||
``` |
|||
@ -0,0 +1,60 @@ |
|||
# steps needed to deploy mailserver |
|||
|
|||
## create dirs |
|||
|
|||
``` |
|||
mkdir -p /srv/volumes/mailserver/{db,mail,ssl} |
|||
chown -R 5000:5000 /srv/volumes/mailserver |
|||
chmod go-rwx /srv/volumes/mailserver/ssl |
|||
``` |
|||
put your `users` and `aliases.d` in the `db` directory. Mail will go in the `mail` directory. |
|||
|
|||
## make sure mail ports are open |
|||
|
|||
add the following directives to the `myfirewall` chain in `/etc/nftables`: |
|||
``` |
|||
# accept incoming SMTP(s) connections |
|||
tcp dport {25, 465, 587} accept |
|||
|
|||
# accept incoming IMAP(s) connections |
|||
tcp dport {143, 993} accept |
|||
``` |
|||
then make sure configuration has taken place by running: |
|||
``` |
|||
nft -f /etc/nftables |
|||
``` |
|||
|
|||
## set up domain name |
|||
|
|||
Set up a DNS A Record pointing to your host machine. Make sure it works by running: |
|||
``` |
|||
ping ${dnsname:?} |
|||
``` |
|||
|
|||
## get SSL certificates from letsencrypt |
|||
|
|||
install certbot: |
|||
``` |
|||
apt install certbot |
|||
``` |
|||
|
|||
if you are using a firewall, you need to figure out how to define a temporary rule allowing http access. For nftables, the rule would be `nft insert rule inet myfilter myfirewall tcp dport 80 accept`. |
|||
|
|||
Get a certificate for your domain by running: |
|||
``` |
|||
certbot certonly --standalone --pre-hook "nft insert rule inet myfilter myfirewall tcp dport 80 accept" --post-hook "nft -f /etc/nftables.conf" --deploy-hook "rsync -vaSHL /etc/letsencrypt/live/${domain:?}/ /srv/volumes/mailsrv/ssl/; chown -R 5000:5000 /srv/volumes/mailsrv/ssl" -d ${domain:?} |
|||
``` |
|||
the application may ask you a few questions. Answer them as you would like. Including the appropriate hooks in the issue command should ensure that those hooks are also included in subsequent renew commands. |
|||
|
|||
## make users and aliases |
|||
|
|||
``` |
|||
cd /srv/volumes/mailsrv/db |
|||
mkdir aliases.d |
|||
touch users |
|||
chmod go= users |
|||
``` |
|||
then edit `users` and add aliases lists to `aliases.d`. Don't forget to change its ownership once you're done: |
|||
``` |
|||
chown -R 5000:5000 /srv/volumes/mailsrv/db |
|||
``` |
|||
@ -1,58 +0,0 @@ |
|||
### |
|||
### Meta Information |
|||
### |
|||
FROM localhost/debian |
|||
|
|||
# deploy options |
|||
# -p (port) and -v (volume) both go host:container |
|||
LABEL deployopts="\ |
|||
-p 25:25 \ |
|||
-p 465:465 \ |
|||
-p 143:143 \ |
|||
-p 993:993" |
|||
|
|||
# Build Variables |
|||
# uid that the files owner user should have |
|||
ARG FILESUID=5000 |
|||
|
|||
### |
|||
### General Setup |
|||
### |
|||
|
|||
# install packages we want |
|||
RUN apt update -y && apt install -y postfix dovecot-imapd |
|||
|
|||
### |
|||
### Apache |
|||
### |
|||
|
|||
# enable modules we need |
|||
RUN a2enmod php${phpv} |
|||
|
|||
# copy site config |
|||
COPY assets/site.conf /etc/apache2/sites-available/ |
|||
WORKDIR /etc/apache2/sites-enabled |
|||
RUN rm 000-default.conf && ln -s ../sites-available/site.conf |
|||
|
|||
### |
|||
### browserStartpage |
|||
### |
|||
|
|||
# download app |
|||
WORKDIR /root |
|||
RUN wget https://github.com/saschadiercks/browserStartpage/archive/master.zip && \ |
|||
echo "Unzipping ..." && \ |
|||
unzip -q master.zip && \ |
|||
mv browserStartpage-master/htdocs /var/www/html/startpage && \ |
|||
chown -R www-data:www-data /var/www/html && \ |
|||
rm -r browserStartpage-master |
|||
|
|||
# copy config |
|||
WORKDIR /var/www/html |
|||
COPY --chown=www-data:www-data assets/config.php startpage/config/config.php |
|||
COPY --chown=www-data:www-data assets/data.json startpage/data/data.json |
|||
|
|||
# copy thumbnails |
|||
COPY --chown=www-data:www-data assets/thumbnails/ startpage/assets/thumbnails/ |
|||
# copy wallpaper |
|||
COPY --chown=www-data:www-data assets/wallpaper/ startpage/assets/wallpaper/ |
|||
@ -1,39 +0,0 @@ |
|||
# build postfix container |
|||
|
|||
## create container |
|||
|
|||
build & launch debian-base container: |
|||
``` |
|||
git clone https://git.brbytes.org/mario/container.git |
|||
cd container |
|||
./install.sh |
|||
cd src/debian |
|||
sudo pdm-build |
|||
sudo pdm-launch debian postfix |
|||
sudo pdm-shell postfix |
|||
``` |
|||
|
|||
## postfix |
|||
|
|||
install postfix: |
|||
``` |
|||
apt install postfix |
|||
``` |
|||
select `1 (no configuration)` when asked how to configure. |
|||
|
|||
copy default config for postfix: |
|||
``` |
|||
cp /usr/share/postfix/main.cf.dist /etc/postfix/main.cf |
|||
``` |
|||
edit config: |
|||
``` |
|||
cd /etc/postfix/ |
|||
nano main.cf |
|||
``` |
|||
|
|||
set the following config parameters: |
|||
``` |
|||
mail_owner = postfix |
|||
myhostname = linode.alemor.org |
|||
myorigin = $myhostname |
|||
mydestination = $myhostname |
|||
|
After Width: | Height: | Size: 2.9 KiB |
|
Before Width: | Height: | Size: 20 KiB |
|
After Width: | Height: | Size: 1.0 KiB |
|
Before Width: | Height: | Size: 86 KiB |
|
After Width: | Height: | Size: 6.4 KiB |
Loading…
Reference in new issue