############### # General ############### log_path = /dev/stderr auth_verbose=yes mail_debug=yes login_log_format_elements = user=<%u> method=%m rip=%r rport=%b lip=%l lport=%a mpid=%e %c protocols = sieve imap pop3 lmtp submission postmaster_address = {{ POSTMASTER }}@{{ DOMAIN }} hostname = {{ HOSTNAMES.split(",")[0] }} submission_host = {{ SMTP_ADDRESS }} submission_relay_host = {{ SMTP_ADDRESS }} submission_relay_port = 10025 submission_relay_trusted = yes submission_relay_ssl = no submission_max_mail_size = {{ MESSAGE_SIZE_LIMIT }} submission_backend_capabilities = 8BITMIME DSN VRFY submission_client_workarounds = mailbox-for-path whitespace-before-path # disable BURL imap_urlauth_host= lmtp_proxy = yes lmtp_client_workarounds = whitespace-before-path mailbox-for-path {%- if SUBNET6 %} listen = *,:: {% else %} listen = * {% endif %} default_internal_user = dovecot default_login_user = mail default_internal_group = dovecot haproxy_trusted_networks = {% if REAL_IP_FROM %}{% for from_ip in REAL_IP_FROM.split(',') %}{{ from_ip }} {% endfor %}{% endif %} ############### # Authentication ############### auth_username_chars = auth_mechanisms = plain login {%- if TLS %} ssl = required ssl_cert = <{{ TLS[0] }} ssl_key = <{{ TLS[1] }} {%- if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %} ssl_alt_cert = <{{ TLS[2] }} ssl_alt_key = <{{ TLS[3] }} {% endif %} # intermediate configuration ssl_min_protocol = TLSv1.2 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305 ssl_prefer_server_ciphers = no ssl_options = no_compression no_ticket {% else %} disable_plaintext_auth = no ssl = no {% endif %} passdb { driver = lua args = file=/etc/dovecot/login.lua blocking=yes } service auth-worker { user = dovenull group = dovenull unix_listener auth-worker { } } service anvil { unix_listener anvil-auth-penalty { mode = 0 } } service managesieve-login { executable = managesieve-login inet_listener sieve { port = 4190 {%- if PROXY_PROTOCOL in ['all', 'all-but-http', 'mail'] %} haproxy = yes {% endif %} } inet_listener sieve-webmail { port = 14190 } } protocol imap { mail_max_userip_connections = 20 imap_idle_notify_interval = 29mins } service imap-login { inet_listener imap { port = 143 {%- if PROXY_PROTOCOL in ['all', 'all-but-http', 'mail'] %} haproxy = yes {% endif %} } inet_listener imaps { port = 993 {%- if TLS %} ssl = yes {% endif %} {%- if PROXY_PROTOCOL in ['all', 'all-but-http', 'mail'] %} haproxy = yes {% endif %} } inet_listener imap-webmail { port = 10143 } } service pop3-login { inet_listener pop3 { port = 110 {%- if PROXY_PROTOCOL in ['all', 'all-but-http', 'mail'] %} haproxy = yes {% endif %} } inet_listener pop3s { port = 995 {%- if TLS %} ssl = yes {% endif %} {%- if PROXY_PROTOCOL in ['all', 'all-but-http', 'mail'] %} haproxy = yes {% endif %} } } recipient_delimiter = {{ RECIPIENT_DELIMITER }} service lmtp { user = $default_internal_user inet_listener lmtp { port = 2525 } } service submission-login { inet_listener submission { port = 587 {%- if PROXY_PROTOCOL in ['all', 'all-but-http', 'mail'] %} haproxy = yes {% endif %} } inet_listener submissions { port = 465 {%- if TLS %} ssl = yes {% endif %} {%- if PROXY_PROTOCOL in ['all', 'all-but-http', 'mail'] %} haproxy = yes {% endif %} } inet_listener submission-webmail { port = 10025 } }