From: Silvio Rhatto <rhatto@riseup.net>
Date: Thu, 30 Dec 2021 21:07:43 +0000 (-0300)
Subject: Bullseye updates
X-Git-Url: https://gitweb.fluxo.info/?a=commitdiff_plain;h=52e4f5906023c29c75e0e0c96f91cc4042d9f9ae;p=puppet-mail.git

Bullseye updates
---

diff --git a/files/opendkim/default b/files/opendkim/default
index 1098626..3d8de9b 100644
--- a/files/opendkim/default
+++ b/files/opendkim/default
@@ -1,11 +1,31 @@
-# Command-line options specified here will override the contents of
-# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
+# NOTE: This is a legacy configuration file. It is not used by the opendkim
+# systemd service. Please use the corresponding configuration parameters in
+# /etc/opendkim.conf instead.
+#
+# Previously, one would edit the default settings here, and then execute
+# /lib/opendkim/opendkim.service.generate to generate systemd override files at
+# /etc/systemd/system/opendkim.service.d/override.conf and
+# /etc/tmpfiles.d/opendkim.conf. While this is still possible, it is now
+# recommended to adjust the settings directly in /etc/opendkim.conf.
+#
 #DAEMON_OPTS=""
+# Change to /var/spool/postfix/run/opendkim to use a Unix socket with
+# postfix in a chroot:
+#RUNDIR=/var/spool/postfix/run/opendkim
+RUNDIR=/run/opendkim
 #
 # Uncomment to specify an alternate socket
 # Note that setting this will override any Socket value in opendkim.conf
-#SOCKET="local:/var/run/opendkim/opendkim.sock" # default
-#SOCKET="inet:54321" # listen on all interfaces on port 54321
-#SOCKET="inet:12345@localhost" # listen on loopback on port 12345
-#SOCKET="inet:12345@192.0.2.1" # listen on 192.0.2.1 on port 12345
+# default:
+#SOCKET=local:$RUNDIR/opendkim.sock
+# listen on all interfaces on port 54321:
+#SOCKET=inet:54321
+# listen on loopback on port 12345:
+#SOCKET=inet:12345@localhost
+# listen on 192.0.2.1 on port 12345:
+#SOCKET=inet:12345@192.0.2.1
 SOCKET="inet:12301@localhost"
+USER=opendkim
+GROUP=opendkim
+PIDFILE=$RUNDIR/$NAME.pid
+EXTRAAFTER=
diff --git a/templates/dovecot/dovecot.conf.bullseye.erb b/templates/dovecot/dovecot.conf.bullseye.erb
new file mode 100644
index 0000000..a515e35
--- /dev/null
+++ b/templates/dovecot/dovecot.conf.bullseye.erb
@@ -0,0 +1,98 @@
+# 2.1.7: /etc/dovecot/dovecot.conf
+# OS: Linux 2.6.32-5-vserver-amd64 x86_64 Debian 7.3 ufs
+
+# See http://help.directadmin.com/item.php?id=348
+listen = *
+
+auth_mechanisms = plain login
+log_timestamp = "%Y-%m-%d %H:%M:%S "
+login_log_format_elements = user=<%%u> method=%m %c
+mail_location = maildir:/var/mail/virtual/%u
+mail_privileged_group = mail
+passdb {
+  args = /etc/dovecot/dovecot-sql.conf
+  driver = sql
+}
+plugin {
+  sieve = ~/.dovecot.sieve
+  sieve_storage = ~/sieve
+}
+protocols = imap
+service auth {
+  unix_listener /var/spool/postfix/private/auth {
+    group = postfix
+    mode = 0660
+    user = postfix
+  }
+  unix_listener auth-master {
+    group = mail
+    mode = 0600
+    user = vmail
+  }
+  user = root
+}
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root.
+ssl_cert = </etc/ssl/certs/cert.crt
+ssl_key = </etc/ssl/private/cert.pem
+
+# SSL ciphers to use
+#
+# Since Dovecot started using OpenSSL 1.1, we don't have to disable
+# SSLv2 anymore as it's already removed from OpenSSL.
+#
+# See http://www.virtualmin.com/node/25057
+#     https://zmap.io/sslv3/servers.html
+#     https://security.stackexchange.com/questions/71872/disable-sslv3-in-dovecot-tls-handshaking-failed-no-shared-cipher
+#     https://bbs.archlinux.org/viewtopic.php?id=225535
+ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:SSLv3
+
+# See https://wiki2.dovecot.org/Upgrading/2.3
+#ssl_protocols = !SSLv3
+ssl_min_protocol = TLSv1
+ssl_dh = </etc/dovecot/dh.pem
+
+userdb {
+  args = uid=5000 gid=5000 home=/var/mail/virtual/%u allow_all_users=yes
+  driver = static
+}
+userdb {
+  args = /etc/dovecot/dovecot-sql.conf
+  driver = sql
+}
+protocol pop3 {
+  pop3_uidl_format = %08Xu%08Xv
+}
+protocol lda {
+  auth_socket_path = /var/run/dovecot/auth-master
+  mail_plugins = sieve
+  postmaster_address = postmaster@<%= @fqdn %>
+}
+
+# Should saving a mail to a non-existing mailbox automatically create it?
+lda_mailbox_autocreate = yes
+
+# See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903161
+service stats {
+  unix_listener stats-reader {
+    mode = 0
+  }
+  unix_listener stats-writer {
+    mode = 0
+  }
+}
+
+# See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903161
+service old-stats {
+  fifo_listener old-stats-mail {
+    mode = 0
+  }
+  fifo_listener old-stats-user {
+    mode = 0
+  }
+  unix_listener old-stats {
+    mode = 0
+  }
+}