diff --git a/roles/ensure_dovecot/.gitignore b/roles/ensure_dovecot/.gitignore
new file mode 100644
index 0000000..b7ba4ab
--- /dev/null
+++ b/roles/ensure_dovecot/.gitignore
@@ -0,0 +1,94 @@
+# ---> Linux
+*~
+
+# temporary files which can be created if a process still has a handle open of a deleted file
+.fuse_hidden*
+
+# KDE directory preferences
+.directory
+
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
+
+# .nfs files are created when an open file is removed but is still being accessed
+.nfs*
+
+# ---> Windows
+# Windows thumbnail cache files
+Thumbs.db
+ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
+
+# Folder config file
+[Dd]esktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+# ---> macOS
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+# ---> Vim
+# Swap
+[._]*.s[a-v][a-z]
+[._]*.sw[a-p]
+[._]s[a-rt-v][a-z]
+[._]ss[a-gi-z]
+[._]sw[a-p]
+
+# Session
+Session.vim
+
+# Temporary
+.netrwhist
+*~
+# Auto-generated tag files
+tags
+# Persistent undo
+[._]*.un~
+
+# ---> VisualStudioCode
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+
diff --git a/roles/ensure_dovecot/.travis.yml b/roles/ensure_dovecot/.travis.yml
new file mode 100644
index 0000000..36bbf62
--- /dev/null
+++ b/roles/ensure_dovecot/.travis.yml
@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+ apt:
+ packages:
+ - python-pip
+
+install:
+ # Install ansible
+ - pip install ansible
+
+ # Check ansible version
+ - ansible --version
+
+ # Create ansible.cfg with correct roles_path
+ - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+ # Basic role syntax check
+ - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+ webhooks: https://galaxy.ansible.com/api/v1/notifications/
\ No newline at end of file
diff --git a/roles/ensure_dovecot/LICENSE b/roles/ensure_dovecot/LICENSE
new file mode 100644
index 0000000..1344add
--- /dev/null
+++ b/roles/ensure_dovecot/LICENSE
@@ -0,0 +1,163 @@
+GNU LESSER GENERAL PUBLIC LICENSE
+
+Version 3, 29 June 2007
+
+Copyright (C) 2007 Free Software Foundation, Inc.
+
+Everyone is permitted to copy and distribute verbatim copies of this license
+document, but changing it is not allowed.
+
+This version of the GNU Lesser General Public License incorporates the terms
+and conditions of version 3 of the GNU General Public License, supplemented
+by the additional permissions listed below.
+
+ 0. Additional Definitions.
+
+
+
+As used herein, "this License" refers to version 3 of the GNU Lesser General
+Public License, and the "GNU GPL" refers to version 3 of the GNU General Public
+License.
+
+
+
+"The Library" refers to a covered work governed by this License, other than
+an Application or a Combined Work as defined below.
+
+
+
+An "Application" is any work that makes use of an interface provided by the
+Library, but which is not otherwise based on the Library. Defining a subclass
+of a class defined by the Library is deemed a mode of using an interface provided
+by the Library.
+
+
+
+A "Combined Work" is a work produced by combining or linking an Application
+with the Library. The particular version of the Library with which the Combined
+Work was made is also called the "Linked Version".
+
+
+
+The "Minimal Corresponding Source" for a Combined Work means the Corresponding
+Source for the Combined Work, excluding any source code for portions of the
+Combined Work that, considered in isolation, are based on the Application,
+and not on the Linked Version.
+
+
+
+The "Corresponding Application Code" for a Combined Work means the object
+code and/or source code for the Application, including any data and utility
+programs needed for reproducing the Combined Work from the Application, but
+excluding the System Libraries of the Combined Work.
+
+ 1. Exception to Section 3 of the GNU GPL.
+
+You may convey a covered work under sections 3 and 4 of this License without
+being bound by section 3 of the GNU GPL.
+
+ 2. Conveying Modified Versions.
+
+If you modify a copy of the Library, and, in your modifications, a facility
+refers to a function or data to be supplied by an Application that uses the
+facility (other than as an argument passed when the facility is invoked),
+then you may convey a copy of the modified version:
+
+a) under this License, provided that you make a good faith effort to ensure
+that, in the event an Application does not supply the function or data, the
+facility still operates, and performs whatever part of its purpose remains
+meaningful, or
+
+b) under the GNU GPL, with none of the additional permissions of this License
+applicable to that copy.
+
+ 3. Object Code Incorporating Material from Library Header Files.
+
+The object code form of an Application may incorporate material from a header
+file that is part of the Library. You may convey such object code under terms
+of your choice, provided that, if the incorporated material is not limited
+to numerical parameters, data structure layouts and accessors, or small macros,
+inline functions and templates (ten or fewer lines in length), you do both
+of the following:
+
+a) Give prominent notice with each copy of the object code that the Library
+is used in it and that the Library and its use are covered by this License.
+
+b) Accompany the object code with a copy of the GNU GPL and this license document.
+
+ 4. Combined Works.
+
+You may convey a Combined Work under terms of your choice that, taken together,
+effectively do not restrict modification of the portions of the Library contained
+in the Combined Work and reverse engineering for debugging such modifications,
+if you also do each of the following:
+
+a) Give prominent notice with each copy of the Combined Work that the Library
+is used in it and that the Library and its use are covered by this License.
+
+b) Accompany the Combined Work with a copy of the GNU GPL and this license
+document.
+
+c) For a Combined Work that displays copyright notices during execution, include
+the copyright notice for the Library among these notices, as well as a reference
+directing the user to the copies of the GNU GPL and this license document.
+
+ d) Do one of the following:
+
+0) Convey the Minimal Corresponding Source under the terms of this License,
+and the Corresponding Application Code in a form suitable for, and under terms
+that permit, the user to recombine or relink the Application with a modified
+version of the Linked Version to produce a modified Combined Work, in the
+manner specified by section 6 of the GNU GPL for conveying Corresponding Source.
+
+1) Use a suitable shared library mechanism for linking with the Library. A
+suitable mechanism is one that (a) uses at run time a copy of the Library
+already present on the user's computer system, and (b) will operate properly
+with a modified version of the Library that is interface-compatible with the
+Linked Version.
+
+e) Provide Installation Information, but only if you would otherwise be required
+to provide such information under section 6 of the GNU GPL, and only to the
+extent that such information is necessary to install and execute a modified
+version of the Combined Work produced by recombining or relinking the Application
+with a modified version of the Linked Version. (If you use option 4d0, the
+Installation Information must accompany the Minimal Corresponding Source and
+Corresponding Application Code. If you use option 4d1, you must provide the
+Installation Information in the manner specified by section 6 of the GNU GPL
+for conveying Corresponding Source.)
+
+ 5. Combined Libraries.
+
+You may place library facilities that are a work based on the Library side
+by side in a single library together with other library facilities that are
+not Applications and are not covered by this License, and convey such a combined
+library under terms of your choice, if you do both of the following:
+
+a) Accompany the combined library with a copy of the same work based on the
+Library, uncombined with any other library facilities, conveyed under the
+terms of this License.
+
+b) Give prominent notice with the combined library that part of it is a work
+based on the Library, and explaining where to find the accompanying uncombined
+form of the same work.
+
+ 6. Revised Versions of the GNU Lesser General Public License.
+
+The Free Software Foundation may publish revised and/or new versions of the
+GNU Lesser General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to address
+new problems or concerns.
+
+Each version is given a distinguishing version number. If the Library as you
+received it specifies that a certain numbered version of the GNU Lesser General
+Public License "or any later version" applies to it, you have the option of
+following the terms and conditions either of that published version or of
+any later version published by the Free Software Foundation. If the Library
+as you received it does not specify a version number of the GNU Lesser General
+Public License, you may choose any version of the GNU Lesser General Public
+License ever published by the Free Software Foundation.
+
+If the Library as you received it specifies that a proxy can decide whether
+future versions of the GNU Lesser General Public License shall apply, that
+proxy's public statement of acceptance of any version is permanent authorization
+for you to choose that version for the Library.
diff --git a/roles/ensure_dovecot/README.md b/roles/ensure_dovecot/README.md
new file mode 100644
index 0000000..6a43abc
--- /dev/null
+++ b/roles/ensure_dovecot/README.md
@@ -0,0 +1,43 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+
+Role Variables
+--------------
+
+| Variable | Default | Description |
+| - | - | - |
+| dovecot_vhost | inventory_hostname | What mod_md certificate should be used for Dovecot |
+| dovecot_quota | 1G | Default mail quota for users of the system |
+| dovecot_users | undefined | list of dictionary with the elements of email address and password (converted to CRYPT-SHA512) |
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/roles/ensure_dovecot/defaults/main.yml b/roles/ensure_dovecot/defaults/main.yml
new file mode 100644
index 0000000..6ee41e9
--- /dev/null
+++ b/roles/ensure_dovecot/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# defaults file for ensure_dovecot
+dovecot_vhost: '{{ inventory_hostname }}'
+dovecot_quota: '1G'
diff --git a/roles/ensure_dovecot/handlers/main.yml b/roles/ensure_dovecot/handlers/main.yml
new file mode 100644
index 0000000..f7e47f4
--- /dev/null
+++ b/roles/ensure_dovecot/handlers/main.yml
@@ -0,0 +1,29 @@
+---
+# handlers file for ensure_dovecot
+- name: 'ensure_dovecot.package_facts'
+ ansible.builtin.package_facts:
+- name: 'ensure_dovecot.service_facts'
+ ansible.builtin.service_facts:
+- name: 'ensure_dovecot.service_reload'
+ when:
+ - ansible_facts["system"] == 'Linux'
+ - ansible_facts["service_mgr"] == 'systemd'
+ - ensure_dovecot is defined
+ ansible.builtin.systemd:
+ daemon_reload: 'yes'
+- name: 'ensure_dovecot.service_restart'
+ when:
+ - ansible_facts["system"] == 'Linux'
+ - ensure_dovecot is defined
+ - ensure_dovecot.service_list is defined
+ - ensure_dovecot.service_list is iterable
+ - item.state == 'started'
+ ansible.builtin.service:
+ enabled: '{{ item.enabled }}'
+ name: '{{ item.name }}'
+ state: 'restarted'
+ loop: '{{ ensure_dovecot.service_list }}'
+ loop_control:
+ label: '{{ item.name }} will be restarted'
+...
+
diff --git a/roles/ensure_dovecot/meta/main.yml b/roles/ensure_dovecot/meta/main.yml
new file mode 100644
index 0000000..227ad9c
--- /dev/null
+++ b/roles/ensure_dovecot/meta/main.yml
@@ -0,0 +1,53 @@
+galaxy_info:
+ author: your name
+ description: your role description
+ company: your company (optional)
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: license (GPL-2.0-or-later, MIT, etc)
+
+ min_ansible_version: 2.9
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
+
\ No newline at end of file
diff --git a/roles/ensure_dovecot/tasks/main.yml b/roles/ensure_dovecot/tasks/main.yml
new file mode 100644
index 0000000..2501bc3
--- /dev/null
+++ b/roles/ensure_dovecot/tasks/main.yml
@@ -0,0 +1,152 @@
+---
+# tasks file for ensure_dovecot
+- name: 'include variables'
+ when:
+ - ansible_facts["system"] == 'Linux'
+ include_vars:
+ file: '{{ lookup("first_found", findme ) }}'
+ name: 'ensure_dovecot'
+ vars:
+ findme:
+ files:
+ - '{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}-{{ ansible_facts["architecture"] }}.yml'
+ - '{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}-default.yml'
+ - '{{ ansible_facts["distribution"] }}-default.yml'
+ - '{{ ansible_facts["os_family"] }}-{{ ansible_facts["distribution_major_version"] }}-{{ ansible_facts["architecture"] }}.yml'
+ - '{{ ansible_facts["os_family"] }}-{{ ansible_facts["distribution_major_version"] }}-default.yml'
+ - '{{ ansible_facts["os_family"] }}-default.yml'
+ - 'default.yml'
+ paths:
+ - '../vars/'
+ errors: 'ignore'
+- name: 'package discovery'
+ when:
+ - ansible_facts["system"] == 'Linux'
+ - ansible_facts["packages"] is not defined
+ ansible.builtin.package_facts:
+- name: 'service discovery'
+ when:
+ - ansible_facts["system"] == 'Linux'
+ - ansible_facts["services"] is not defined
+ ansible.builtin.service_facts:
+- name: 'ensure sysctl'
+ when:
+ - ansible_facts["system"] == 'Linux'
+ - ensure_dovecot is defined
+ - ensure_dovecot.sysctl_list is defined
+ - ensure_dovecot.sysctl_list is iterable
+ ansible.posix.sysctl:
+ name: '{{ item.name }}'
+ reload: '{{ item.reload | default(omit) }}'
+ state: '{{ item.state }}'
+ sysctl_file: '{{ item.sysctl_file | default(omit) }}'
+ sysctl_set: '{{ item.sysctl_set | default(omit) }}'
+ value: '{{ item.value | default(omit) }}'
+ loop: '{{ ensure_dovecot.sysctl_list }}'
+ loop_control:
+ label: '{{ item.name }} will be {{ item.value }}'
+ notify:
+ - 'ensure_dovecot.package_facts'
+ - 'ensure_dovecot.service_facts'
+ - 'ensure_dovecot.service_reload'
+ - 'ensure_dovecot.service_restart'
+- name: 'ensure packages'
+ when:
+ - ansible_facts["system"] == 'Linux'
+ - ensure_dovecot is defined
+ - ensure_dovecot.package_list is defined
+ - ensure_dovecot.package_list is iterable
+ ansible.builtin.package:
+ name: '{{ item.name }}'
+ state: '{{ item.state }}'
+ loop: '{{ ensure_dovecot.package_list }}'
+ loop_control:
+ label: '{{ item.name }} will be {{ item.state }}'
+ notify:
+ - 'ensure_dovecot.package_facts'
+ - 'ensure_dovecot.service_facts'
+ - 'ensure_dovecot.service_reload'
+ - 'ensure_dovecot.service_restart'
+- name: 'ensure seboolean'
+ when:
+ - ansible_facts["system"] == 'Linux'
+ - ensure_dovecot is defined
+ - ensure_dovecot.seboolean_list is defined
+ - ensure_dovecot.seboolean_list is iterable
+ ansible.posix.seboolean:
+ name: '{{ item.name }}'
+ persistent: '{{ item.persistent }}'
+ state: '{{ item.state }}'
+ loop: '{{ ensure_dovecot.seboolean_list }}'
+ loop_control:
+ label: '{{ item.name }} will be {{ item.state }}'
+ notify:
+ - 'ensure_dovecot.package_facts'
+ - 'ensure_dovecot.service_facts'
+ - 'ensure_dovecot.service_reload'
+ - 'ensure_dovecot.service_restart'
+- name: 'ensure configurations'
+ when:
+ - ansible_facts["system"] == 'Linux'
+ - ensure_dovecot is defined
+ - ensure_dovecot.template_list is defined
+ - ensure_dovecot.template_list is iterable
+ ansible.builtin.template:
+ backup: 'no'
+ dest: '{{ item.dest }}'
+ group: '{{ item.group | default(omit) }}'
+ mode: '{{ item.mode | default(omit) }}'
+ owner: '{{ item.owner | default(omit) }}'
+ selevel: '{{ iteml.selevel | default(omit) }}'
+ serole: '{{ item.serole | default(omit) }}'
+ setype: '{{ item.setype | default(omit) }}'
+ seuser: '{{ item.seuser | default(omit) }}'
+ src: '{{ item.src }}'
+ loop: '{{ ensure_dovecot.template_list }}'
+ loop_control:
+ label: '{{ item.dest }} will be ensured'
+ notify:
+ - 'ensure_dovecot.package_facts'
+ - 'ensure_dovecot.service_facts'
+ - 'ensure_dovecot.service_reload'
+ - 'ensure_dovecot.service_restart'
+- name: 'ensure firewall'
+ when:
+ - ansible_facts["system"] == 'Linux'
+ - ansible_facts.packages["firewalld"] is defined
+ - ansible_facts.packages["python3-firewall"] is defined
+ - ensure_dovecot is defined
+ - ensure_dovecot.firewall_list is defined
+ - ensure_dovecot.firewall_list is iterable
+ ansible.posix.firewalld:
+ permanent: '{{ item.permanent }}'
+ service: '{{ item.service }}'
+ state: '{{ item.state }}'
+ loop: '{{ ensure_dovecot.firewall_list }}'
+ loop_control:
+ label: '{{ item.service }} will be {{ item.state }}'
+ notify:
+ - 'ensure_dovecot.package_facts'
+ - 'ensure_dovecot.service_facts'
+ - 'ensure_dovecot.service_reload'
+ - 'ensure_dovecot.service_restart'
+- name: 'ensure services'
+ when:
+ - ansible_facts["system"] == 'Linux'
+ - ensure_dovecot is defined
+ - ensure_dovecot.service_list is defined
+ - ensure_dovecot.service_list is iterable
+ ansible.builtin.service:
+ enabled: '{{ item.enabled }}'
+ name: '{{ item.name }}'
+ state: '{{ item.state }}'
+ loop: '{{ ensure_dovecot.service_list }}'
+ loop_control:
+ label: '{{ item.name }} will be {{ item.state }}'
+ notify:
+ - 'ensure_dovecot.package_facts'
+ - 'ensure_dovecot.service_facts'
+- name: 'flush handlers'
+ meta: 'flush_handlers'
+...
+
diff --git a/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/accounts b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/accounts
new file mode 100644
index 0000000..f95634f
--- /dev/null
+++ b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/accounts
@@ -0,0 +1,5 @@
+{% if dovecot_users is defined and dovecot_users is iterable %}
+{% for user in dovecot_users %}
+{{ user.email }}:{{ user.password | password_hash('sha512') }}::::::
+{% endfor %}
+{% endif %}
diff --git a/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-auth.conf b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-auth.conf
new file mode 100644
index 0000000..3e9c4e4
--- /dev/null
+++ b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-auth.conf
@@ -0,0 +1,127 @@
+##
+## Authentication processes
+##
+
+# Disable LOGIN command and all other plaintext authentications unless
+# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
+# matches the local IP (ie. you're connecting from the same computer), the
+# connection is considered secure and plaintext authentication is allowed.
+# See also ssl=required setting.
+#disable_plaintext_auth = yes
+
+# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
+# bsdauth and PAM require cache_key to be set for caching to be used.
+#auth_cache_size = 0
+# Time to live for cached data. After TTL expires the cached record is no
+# longer used, *except* if the main database lookup returns internal failure.
+# We also try to handle password changes automatically: If user's previous
+# authentication was successful, but this one wasn't, the cache isn't used.
+# For now this works only with plaintext authentication.
+#auth_cache_ttl = 1 hour
+# TTL for negative hits (user not found, password mismatch).
+# 0 disables caching them completely.
+#auth_cache_negative_ttl = 1 hour
+
+# Space separated list of realms for SASL authentication mechanisms that need
+# them. You can leave it empty if you don't want to support multiple realms.
+# Many clients simply use the first one listed here, so keep the default realm
+# first.
+#auth_realms =
+
+# Default realm/domain to use if none was specified. This is used for both
+# SASL realms and appending @domain to username in plaintext logins.
+#auth_default_realm =
+
+# List of allowed characters in username. If the user-given username contains
+# a character not listed in here, the login automatically fails. This is just
+# an extra check to make sure user can't exploit any potential quote escaping
+# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
+# set this value to empty.
+#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
+
+# Username character translations before it's looked up from databases. The
+# value contains series of from -> to characters. For example "#@/@" means
+# that '#' and '/' characters are translated to '@'.
+#auth_username_translation =
+
+# Username formatting before it's looked up from databases. You can use
+# the standard variables here, eg. %Lu would lowercase the username, %n would
+# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
+# "-AT-". This translation is done after auth_username_translation changes.
+#auth_username_format = %Lu
+
+# If you want to allow master users to log in by specifying the master
+# username within the normal username string (ie. not using SASL mechanism's
+# support for it), you can specify the separator character here. The format
+# is then . UW-IMAP uses "*" as the
+# separator, so that could be a good choice.
+#auth_master_user_separator =
+
+# Username to use for users logging in with ANONYMOUS SASL mechanism
+#auth_anonymous_username = anonymous
+
+# Maximum number of dovecot-auth worker processes. They're used to execute
+# blocking passdb and userdb queries (eg. MySQL and PAM). They're
+# automatically created and destroyed as needed.
+#auth_worker_max_count = 30
+
+# Host name to use in GSSAPI principal names. The default is to use the
+# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
+# entries.
+#auth_gssapi_hostname =
+
+# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
+# default (usually /etc/krb5.keytab) if not specified. You may need to change
+# the auth service to run as root to be able to read this file.
+#auth_krb5_keytab =
+
+# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
+# ntlm_auth helper.
+#auth_use_winbind = no
+
+# Path for Samba's ntlm_auth helper binary.
+#auth_winbind_helper_path = /usr/bin/ntlm_auth
+
+# Time to delay before replying to failed authentications.
+#auth_failure_delay = 2 secs
+
+# Require a valid SSL client certificate or the authentication fails.
+#auth_ssl_require_client_cert = no
+
+# Take the username from client's SSL certificate, using
+# X509_NAME_get_text_by_NID() which returns the subject's DN's
+# CommonName.
+#auth_ssl_username_from_cert = no
+
+# Space separated list of wanted authentication mechanisms:
+# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
+# gss-spnego
+# NOTE: See also disable_plaintext_auth setting.
+auth_mechanisms = plain
+
+##
+## Password and user databases
+##
+
+#
+# Password database is used to verify user's password (and nothing more).
+# You can have multiple passdbs and userdbs. This is useful if you want to
+# allow both system users (/etc/passwd) and virtual users to login without
+# duplicating the system users into virtual database.
+#
+#
+#
+# User database specifies where mails are located and what user/group IDs
+# own them. For single-UID configuration use "static" userdb.
+#
+#
+
+#!include auth-deny.conf.ext
+#!include auth-master.conf.ext
+
+!include auth-system.conf.ext
+#!include auth-sql.conf.ext
+#!include auth-ldap.conf.ext
+#!include auth-passwdfile.conf.ext
+#!include auth-checkpassword.conf.ext
+#!include auth-static.conf.ext
diff --git a/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-director.conf b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-director.conf
new file mode 100644
index 0000000..073d8a8
--- /dev/null
+++ b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-director.conf
@@ -0,0 +1,60 @@
+##
+## Director-specific settings.
+##
+
+# Director can be used by Dovecot proxy to keep a temporary user -> mail server
+# mapping. As long as user has simultaneous connections, the user is always
+# redirected to the same server. Each proxy server is running its own director
+# process, and the directors are communicating the state to each others.
+# Directors are mainly useful with NFS-like setups.
+
+# List of IPs or hostnames to all director servers, including ourself.
+# Ports can be specified as ip:port. The default port is the same as
+# what director service's inet_listener is using.
+#director_servers =
+
+# List of IPs or hostnames to all backend mail servers. Ranges are allowed
+# too, like 10.0.0.10-10.0.0.30.
+#director_mail_servers =
+
+# How long to redirect users to a specific server after it no longer has
+# any connections.
+#director_user_expire = 15 min
+
+# How the username is translated before being hashed. Useful values include
+# %Ln if user can log in with or without @domain, %Ld if mailboxes are shared
+# within domain.
+#director_username_hash = %Lu
+
+# To enable director service, uncomment the modes and assign a port.
+service director {
+ unix_listener login/director {
+ #mode = 0666
+ }
+ fifo_listener login/proxy-notify {
+ #mode = 0666
+ }
+ unix_listener director-userdb {
+ #mode = 0600
+ }
+ inet_listener {
+ #port =
+ }
+}
+
+# Enable director for the wanted login services by telling them to
+# connect to director socket instead of the default login socket:
+service imap-login {
+ #executable = imap-login director
+}
+service pop3-login {
+ #executable = pop3-login director
+}
+service submission-login {
+ #executable = submission-login director
+}
+
+# Enable director for LMTP proxying:
+protocol lmtp {
+ #auth_socket_path = director-userdb
+}
diff --git a/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-logging.conf b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-logging.conf
new file mode 100644
index 0000000..beb15ba
--- /dev/null
+++ b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-logging.conf
@@ -0,0 +1,105 @@
+##
+## Log destination.
+##
+
+# Log file to use for error messages. "syslog" logs to syslog,
+# /dev/stderr logs to stderr.
+#log_path = syslog
+
+# Log file to use for informational messages. Defaults to log_path.
+#info_log_path =
+# Log file to use for debug messages. Defaults to info_log_path.
+#debug_log_path =
+
+# Syslog facility to use if you're logging to syslog. Usually if you don't
+# want to use "mail", you'll use local0..local7. Also other standard
+# facilities are supported.
+#syslog_facility = mail
+
+##
+## Logging verbosity and debugging.
+##
+
+# Log filter is a space-separated list conditions. If any of the conditions
+# match, the log filter matches (i.e. they're ORed together). Parenthesis
+# are supported if multiple conditions need to be matched together.
+#
+# See https://doc.dovecot.org/configuration_manual/event_filter/ for details.
+#
+# For example: event=http_request_* AND category=error AND category=storage
+#
+# Filter to specify what debug logging to enable. This will eventually replace
+# mail_debug and auth_debug settings.
+#log_debug =
+
+# Crash after logging a matching event. For example category=error will crash
+# any time an error is logged, which can be useful for debugging.
+#log_core_filter =
+
+# Log unsuccessful authentication attempts and the reasons why they failed.
+#auth_verbose = no
+
+# In case of password mismatches, log the attempted password. Valid values are
+# no, plain and sha1. sha1 can be useful for detecting brute force password
+# attempts vs. user simply trying the same password over and over again.
+# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).
+#auth_verbose_passwords = no
+
+# Even more verbose logging for debugging purposes. Shows for example SQL
+# queries.
+#auth_debug = no
+
+# In case of password mismatches, log the passwords and used scheme so the
+# problem can be debugged. Enabling this also enables auth_debug.
+#auth_debug_passwords = no
+
+# Enable mail process debugging. This can help you figure out why Dovecot
+# isn't finding your mails.
+#mail_debug = no
+
+# Show protocol level SSL errors.
+#verbose_ssl = no
+
+# mail_log plugin provides more event logging for mail processes.
+plugin {
+ # Events to log. Also available: flag_change append
+ #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
+ # Available fields: uid, box, msgid, from, subject, size, vsize, flags
+ # size and vsize are available only for expunge and copy events.
+ #mail_log_fields = uid box msgid size
+}
+
+##
+## Log formatting.
+##
+
+# Prefix for each line written to log file. % codes are in strftime(3)
+# format.
+#log_timestamp = "%b %d %H:%M:%S "
+
+# Space-separated list of elements we want to log. The elements which have
+# a non-empty variable value are joined together to form a comma-separated
+# string.
+#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
+
+# Login log format. %s contains login_log_format_elements string, %$ contains
+# the data we want to log.
+#login_log_format = %$: %s
+
+# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
+# possible variables you can use.
+#mail_log_prefix = "%s(%u)<%{pid}><%{session}>: "
+
+# Format to use for logging mail deliveries:
+# %$ - Delivery status message (e.g. "saved to INBOX")
+# %m / %{msgid} - Message-ID
+# %s / %{subject} - Subject
+# %f / %{from} - From address
+# %p / %{size} - Physical size
+# %w / %{vsize} - Virtual size
+# %e / %{from_envelope} - MAIL FROM envelope
+# %{to_envelope} - RCPT TO envelope
+# %{delivery_time} - How many milliseconds it took to deliver the mail
+# %{session_time} - How long LMTP session took, not including delivery_time
+# %{storage_id} - Backend-specific ID for mail, e.g. Maildir filename
+#deliver_log_format = msgid=%m: %$
diff --git a/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-mail.conf b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-mail.conf
new file mode 100644
index 0000000..66ab9be
--- /dev/null
+++ b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-mail.conf
@@ -0,0 +1,416 @@
+##
+## Mailbox locations and namespaces
+##
+
+# Location for users' mailboxes. The default is empty, which means that Dovecot
+# tries to find the mailboxes automatically. This won't work if the user
+# doesn't yet have any mail, so you should explicitly tell Dovecot the full
+# location.
+#
+# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
+# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
+# kept. This is called the "root mail directory", and it must be the first
+# path given in the mail_location setting.
+#
+# There are a few special variables you can use, eg.:
+#
+# %u - username
+# %n - user part in user@domain, same as %u if there's no domain
+# %d - domain part in user@domain, empty if there's no domain
+# %h - home directory
+#
+# See doc/wiki/Variables.txt for full list. Some examples:
+#
+# mail_location = maildir:~/Maildir
+# mail_location = mbox:~/mail:INBOX=/var/mail/%u
+# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
+#
+#
+#
+#mail_location =
+
+# If you need to set multiple mailbox locations or want to change default
+# namespace settings, you can do it by defining namespace sections.
+#
+# You can have private, shared and public namespaces. Private namespaces
+# are for user's personal mails. Shared namespaces are for accessing other
+# users' mailboxes that have been shared. Public namespaces are for shared
+# mailboxes that are managed by sysadmin. If you create any shared or public
+# namespaces you'll typically want to enable ACL plugin also, otherwise all
+# users can access all the shared mailboxes, assuming they have permissions
+# on filesystem level to do so.
+namespace inbox {
+ # Namespace type: private, shared or public
+ #type = private
+
+ # Hierarchy separator to use. You should use the same separator for all
+ # namespaces or some clients get confused. '/' is usually a good one.
+ # The default however depends on the underlying mail storage format.
+ #separator =
+
+ # Prefix required to access this namespace. This needs to be different for
+ # all namespaces. For example "Public/".
+ #prefix =
+
+ # Physical location of the mailbox. This is in same format as
+ # mail_location, which is also the default for it.
+ #location =
+
+ # There can be only one INBOX, and this setting defines which namespace
+ # has it.
+ inbox = yes
+
+ # If namespace is hidden, it's not advertised to clients via NAMESPACE
+ # extension. You'll most likely also want to set list=no. This is mostly
+ # useful when converting from another server with different namespaces which
+ # you want to deprecate but still keep working. For example you can create
+ # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
+ #hidden = no
+
+ # Show the mailboxes under this namespace with LIST command. This makes the
+ # namespace visible for clients that don't support NAMESPACE extension.
+ # "children" value lists child mailboxes, but hides the namespace prefix.
+ #list = yes
+
+ # Namespace handles its own subscriptions. If set to "no", the parent
+ # namespace handles them (empty prefix should always have this as "yes")
+ #subscriptions = yes
+
+ # See 15-mailboxes.conf for definitions of special mailboxes.
+}
+
+# Example shared namespace configuration
+#namespace {
+ #type = shared
+ #separator = /
+
+ # Mailboxes are visible under "shared/user@domain/"
+ # %%n, %%d and %%u are expanded to the destination user.
+ #prefix = shared/%%u/
+
+ # Mail location for other users' mailboxes. Note that %variables and ~/
+ # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
+ # destination user's data.
+ #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
+
+ # Use the default namespace for saving subscriptions.
+ #subscriptions = no
+
+ # List the shared/ namespace only if there are visible shared mailboxes.
+ #list = children
+#}
+# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
+#mail_shared_explicit_inbox = no
+
+# System user and group used to access mails. If you use multiple, userdb
+# can override these by returning uid or gid fields. You can use either numbers
+# or names.
+#mail_uid =
+#mail_gid =
+
+# Group to enable temporarily for privileged operations. Currently this is
+# used only with INBOX when either its initial creation or dotlocking fails.
+# Typically this is set to "mail" to give access to /var/mail.
+#mail_privileged_group =
+
+# Grant access to these supplementary groups for mail processes. Typically
+# these are used to set up access to shared mailboxes. Note that it may be
+# dangerous to set these if users can create symlinks (e.g. if "mail" group is
+# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
+# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
+#mail_access_groups =
+
+# Allow full filesystem access to clients. There's no access checks other than
+# what the operating system does for the active UID/GID. It works with both
+# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
+# or ~user/.
+#mail_full_filesystem_access = no
+
+# Dictionary for key=value mailbox attributes. This is used for example by
+# URLAUTH and METADATA extensions.
+#mail_attribute_dict =
+
+# A comment or note that is associated with the server. This value is
+# accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/comment".
+#mail_server_comment = ""
+
+# Indicates a method for contacting the server administrator. According to
+# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
+# is currently not enforced. Use for example mailto:admin@example.com. This
+# value is accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/admin".
+#mail_server_admin =
+
+##
+## Mail processes
+##
+
+# Don't use mmap() at all. This is required if you store indexes to shared
+# filesystems (NFS or clustered filesystem).
+#mmap_disable = no
+
+# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
+# since version 3, so this should be safe to use nowadays by default.
+#dotlock_use_excl = yes
+
+# When to use fsync() or fdatasync() calls:
+# optimized (default): Whenever necessary to avoid losing important data
+# always: Useful with e.g. NFS when write()s are delayed
+# never: Never use it (best performance, but crashes can lose data)
+#mail_fsync = optimized
+
+# Locking method for index files. Alternatives are fcntl, flock and dotlock.
+# Dotlocking uses some tricks which may create more disk I/O than other locking
+# methods. NFS users: flock doesn't work, remember to change mmap_disable.
+#lock_method = fcntl
+
+# Directory where mails can be temporarily stored. Usually it's used only for
+# mails larger than >= 128 kB. It's used by various parts of Dovecot, for
+# example LDA/LMTP while delivering large mails or zlib plugin for keeping
+# uncompressed mails.
+#mail_temp_dir = /tmp
+
+# Valid UID range for users, defaults to 500 and above. This is mostly
+# to make sure that users can't log in as daemons or other system users.
+# Note that denying root logins is hardcoded to dovecot binary and can't
+# be done even if first_valid_uid is set to 0.
+#first_valid_uid = 500
+#last_valid_uid = 0
+
+# Valid GID range for users, defaults to non-root/wheel. Users having
+# non-valid GID as primary group ID aren't allowed to log in. If user
+# belongs to supplementary groups with non-valid GIDs, those groups are
+# not set.
+#first_valid_gid = 1
+#last_valid_gid = 0
+
+# Maximum allowed length for mail keyword name. It's only forced when trying
+# to create new keywords.
+#mail_max_keyword_length = 50
+
+# ':' separated list of directories under which chrooting is allowed for mail
+# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
+# This setting doesn't affect login_chroot, mail_chroot or auth chroot
+# settings. If this setting is empty, "/./" in home dirs are ignored.
+# WARNING: Never add directories here which local users can modify, that
+# may lead to root exploit. Usually this should be done only if you don't
+# allow shell access for users.
+#valid_chroot_dirs =
+
+# Default chroot directory for mail processes. This can be overridden for
+# specific users in user database by giving /./ in user's home directory
+# (eg. /home/./user chroots into /home). Note that usually there is no real
+# need to do chrooting, Dovecot doesn't allow users to access files outside
+# their mail directory anyway. If your home directories are prefixed with
+# the chroot directory, append "/." to mail_chroot.
+#mail_chroot =
+
+# UNIX socket path to master authentication server to find users.
+# This is used by imap (for shared users) and lda.
+#auth_socket_path = /var/run/dovecot/auth-userdb
+
+# Directory where to look up mail plugins.
+#mail_plugin_dir = /usr/lib/dovecot
+
+# Space separated list of plugins to load for all services. Plugins specific to
+# IMAP, LDA, etc. are added to this list in their own .conf files.
+#mail_plugins =
+
+##
+## Mailbox handling optimizations
+##
+
+# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
+# also required for IMAP NOTIFY extension to be enabled.
+#mailbox_list_index = yes
+
+# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost
+# of potentially returning out-of-date results after e.g. server crashes.
+# The results will be automatically fixed once the folders are opened.
+#mailbox_list_index_very_dirty_syncs = yes
+
+# Should INBOX be kept up-to-date in the mailbox list index? By default it's
+# not, because most of the mailbox accesses will open INBOX anyway.
+#mailbox_list_index_include_inbox = no
+
+# The minimum number of mails in a mailbox before updates are done to cache
+# file. This allows optimizing Dovecot's behavior to do less disk writes at
+# the cost of more disk reads.
+#mail_cache_min_mail_count = 0
+
+# When IDLE command is running, mailbox is checked once in a while to see if
+# there are any new mails or other changes. This setting defines the minimum
+# time to wait between those checks. Dovecot can also use inotify and
+# kqueue to find out immediately when changes occur.
+#mailbox_idle_check_interval = 30 secs
+
+# Save mails with CR+LF instead of plain LF. This makes sending those mails
+# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
+# But it also creates a bit more disk I/O which may just make it slower.
+# Also note that if other software reads the mboxes/maildirs, they may handle
+# the extra CRs wrong and cause problems.
+#mail_save_crlf = no
+
+# Max number of mails to keep open and prefetch to memory. This only works with
+# some mailbox formats and/or operating systems.
+#mail_prefetch_count = 0
+
+# How often to scan for stale temporary files and delete them (0 = never).
+# These should exist only after Dovecot dies in the middle of saving mails.
+#mail_temp_scan_interval = 1w
+
+# How many slow mail accesses sorting can perform before it returns failure.
+# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long.
+# The untagged SORT reply is still returned, but it's likely not correct.
+#mail_sort_max_read_count = 0
+
+protocol !indexer-worker {
+ # If folder vsize calculation requires opening more than this many mails from
+ # disk (i.e. mail sizes aren't in cache already), return failure and finish
+ # the calculation via indexer process. Disabled by default. This setting must
+ # be 0 for indexer-worker processes.
+ #mail_vsize_bg_after_count = 0
+}
+
+##
+## Maildir-specific settings
+##
+
+# By default LIST command returns all entries in maildir beginning with a dot.
+# Enabling this option makes Dovecot return only entries which are directories.
+# This is done by stat()ing each entry, so it causes more disk I/O.
+# (For systems setting struct dirent->d_type, this check is free and it's
+# done always regardless of this setting)
+#maildir_stat_dirs = no
+
+# When copying a message, do it with hard links whenever possible. This makes
+# the performance much better, and it's unlikely to have any side effects.
+#maildir_copy_with_hardlinks = yes
+
+# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
+# when its mtime changes unexpectedly or when we can't find the mail otherwise.
+#maildir_very_dirty_syncs = no
+
+# If enabled, Dovecot doesn't use the S= in the Maildir filenames for
+# getting the mail's physical size, except when recalculating Maildir++ quota.
+# This can be useful in systems where a lot of the Maildir filenames have a
+# broken size. The performance hit for enabling this is very small.
+#maildir_broken_filename_sizes = no
+
+# Always move mails from new/ directory to cur/, even when the \Recent flags
+# aren't being reset.
+#maildir_empty_new = no
+
+##
+## mbox-specific settings
+##
+
+# Which locking methods to use for locking mbox. There are four available:
+# dotlock: Create .lock file. This is the oldest and most NFS-safe
+# solution. If you want to use /var/mail/ like directory, the users
+# will need write access to that directory.
+# dotlock_try: Same as dotlock, but if it fails because of permissions or
+# because there isn't enough disk space, just skip it.
+# fcntl : Use this if possible. Works with NFS too if lockd is used.
+# flock : May not exist in all systems. Doesn't work with NFS.
+# lockf : May not exist in all systems. Doesn't work with NFS.
+#
+# You can use multiple locking methods; if you do the order they're declared
+# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
+# locking methods as well. Some operating systems don't allow using some of
+# them simultaneously.
+#mbox_read_locks = fcntl
+#mbox_write_locks = dotlock fcntl
+mbox_write_locks = fcntl
+
+# Maximum time to wait for lock (all of them) before aborting.
+#mbox_lock_timeout = 5 mins
+
+# If dotlock exists but the mailbox isn't modified in any way, override the
+# lock file after this much time.
+#mbox_dotlock_change_timeout = 2 mins
+
+# When mbox changes unexpectedly we have to fully read it to find out what
+# changed. If the mbox is large this can take a long time. Since the change
+# is usually just a newly appended mail, it'd be faster to simply read the
+# new mails. If this setting is enabled, Dovecot does this but still safely
+# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
+# how it's expected to be. The only real downside to this setting is that if
+# some other MUA changes message flags, Dovecot doesn't notice it immediately.
+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
+# commands.
+#mbox_dirty_syncs = yes
+
+# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
+# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
+#mbox_very_dirty_syncs = no
+
+# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
+# commands and when closing the mailbox). This is especially useful for POP3
+# where clients often delete all mails. The downside is that our changes
+# aren't immediately visible to other MUAs.
+#mbox_lazy_writes = yes
+
+# If mbox size is smaller than this (e.g. 100k), don't write index files.
+# If an index file already exists it's still read, just not updated.
+#mbox_min_index_size = 0
+
+# Mail header selection algorithm to use for MD5 POP3 UIDLs when
+# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
+# algorithm, but it fails if the first Received: header isn't unique in all
+# mails. An alternative algorithm is "all" that selects all headers.
+#mbox_md5 = apop3d
+
+##
+## mdbox-specific settings
+##
+
+# Maximum dbox file size until it's rotated.
+#mdbox_rotate_size = 10M
+
+# Maximum dbox file age until it's rotated. Typically in days. Day begins
+# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
+#mdbox_rotate_interval = 0
+
+# When creating new mdbox files, immediately preallocate their size to
+# mdbox_rotate_size. This setting currently works only in Linux with some
+# filesystems (ext4, xfs).
+#mdbox_preallocate_space = no
+
+##
+## Mail attachments
+##
+
+# sdbox and mdbox support saving mail attachments to external files, which
+# also allows single instance storage for them. Other backends don't support
+# this for now.
+
+# Directory root where to store mail attachments. Disabled, if empty.
+#mail_attachment_dir =
+
+# Attachments smaller than this aren't saved externally. It's also possible to
+# write a plugin to disable saving specific attachments externally.
+#mail_attachment_min_size = 128k
+
+# Filesystem backend to use for saving attachments:
+# posix : No SiS done by Dovecot (but this might help FS's own deduplication)
+# sis posix : SiS with immediate byte-by-byte comparison during saving
+# sis-queue posix : SiS with delayed comparison and deduplication
+#mail_attachment_fs = sis posix
+
+# Hash format to use in attachment filenames. You can add any text and
+# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
+# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
+#mail_attachment_hash = %{sha1}
+
+# Settings to control adding $HasAttachment or $HasNoAttachment keywords.
+# By default, all MIME parts with Content-Disposition=attachment, or inlines
+# with filename parameter are consired attachments.
+# add-flags - Add the keywords when saving new mails or when fetching can
+# do it efficiently.
+# content-type=type or !type - Include/exclude content type. Excluding will
+# never consider the matched MIME part as attachment. Including will only
+# negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar).
+# exclude-inlined - Exclude any Content-Disposition=inline MIME part.
+#mail_attachment_detection_options =
diff --git a/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-master.conf b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-master.conf
new file mode 100644
index 0000000..64fa0f2
--- /dev/null
+++ b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-master.conf
@@ -0,0 +1,133 @@
+#default_process_limit = 100
+#default_client_limit = 1000
+
+# Default VSZ (virtual memory size) limit for service processes. This is mainly
+# intended to catch and kill processes that leak memory before they eat up
+# everything.
+#default_vsz_limit = 256M
+
+# Login user is internally used by login processes. This is the most untrusted
+# user in Dovecot system. It shouldn't have access to anything at all.
+#default_login_user = dovenull
+
+# Internal user is used by unprivileged processes. It should be separate from
+# login user, so that login processes can't disturb other processes.
+#default_internal_user = dovecot
+
+service imap-login {
+ inet_listener imap {
+ #port = 143
+ }
+ inet_listener imaps {
+ #port = 993
+ #ssl = yes
+ }
+
+ # Number of connections to handle before starting a new process. Typically
+ # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
+ # is faster.
+ #service_count = 1
+
+ # Number of processes to always keep waiting for more connections.
+ #process_min_avail = 0
+
+ # If you set service_count=0, you probably need to grow this.
+ #vsz_limit = $default_vsz_limit
+}
+
+service pop3-login {
+ inet_listener pop3 {
+ #port = 110
+ }
+ inet_listener pop3s {
+ #port = 995
+ #ssl = yes
+ }
+}
+
+service submission-login {
+ inet_listener submission {
+ #port = 587
+ }
+ inet_listener submissions {
+ #port = 465
+ }
+}
+
+service lmtp {
+ unix_listener lmtp {
+ #mode = 0666
+ }
+
+ # Create inet listener only if you can't use the above UNIX socket
+ #inet_listener lmtp {
+ # Avoid making LMTP visible for the entire internet
+ #address =
+ #port =
+ #}
+}
+
+service imap {
+ # Most of the memory goes to mmap()ing files. You may need to increase this
+ # limit if you have huge mailboxes.
+ #vsz_limit = $default_vsz_limit
+
+ # Max. number of IMAP processes (connections)
+ #process_limit = 1024
+}
+
+service pop3 {
+ # Max. number of POP3 processes (connections)
+ #process_limit = 1024
+}
+
+service submission {
+ # Max. number of SMTP Submission processes (connections)
+ #process_limit = 1024
+}
+
+service auth {
+ # auth_socket_path points to this userdb socket by default. It's typically
+ # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
+ # full permissions to this socket are able to get a list of all usernames and
+ # get the results of everyone's userdb lookups.
+ #
+ # The default 0666 mode allows anyone to connect to the socket, but the
+ # userdb lookups will succeed only if the userdb returns an "uid" field that
+ # matches the caller process's UID. Also if caller's uid or gid matches the
+ # socket's uid or gid the lookup succeeds. Anything else causes a failure.
+ #
+ # To give the caller full permissions to lookup all users, set the mode to
+ # something else than 0666 and Dovecot lets the kernel enforce the
+ # permissions (e.g. 0777 allows everyone full permissions).
+ unix_listener auth-userdb {
+ #mode = 0666
+ #user =
+ #group =
+ }
+
+ # Postfix smtp-auth
+ #unix_listener /var/spool/postfix/private/auth {
+ # mode = 0666
+ #}
+
+ # Auth process is run as this user.
+ #user = $default_internal_user
+}
+
+service auth-worker {
+ # Auth worker process is run as root by default, so that it can access
+ # /etc/shadow. If this isn't necessary, the user should be changed to
+ # $default_internal_user.
+ #user = root
+}
+
+service dict {
+ # If dict proxy is used, mail processes should have access to its socket.
+ # For example: mode=0660, group=vmail and global mail_access_groups=vmail
+ unix_listener dict {
+ #mode = 0600
+ #user =
+ #group =
+ }
+}
diff --git a/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-metrics.conf b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-metrics.conf
new file mode 100644
index 0000000..f7a758f
--- /dev/null
+++ b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-metrics.conf
@@ -0,0 +1,74 @@
+##
+## Statistics and metrics
+##
+
+# Dovecot supports gathering statistics from events.
+# Currently there are no statistics logged by default, and therefore they must
+# be explicitly added using the metric configuration blocks.
+#
+# Unlike old stats, the new statistics do not require any plugins loaded.
+#
+# See https://doc.dovecot.org/configuration_manual/stats/ for more details.
+
+##
+## Example metrics
+##
+
+#metric auth_success {
+# filter = event=auth_request_finished AND success=yes
+#}
+#
+#metric auth_failures {
+# filter = event=auth_request_finished AND NOT success=yes
+#}
+#
+#metric imap_command {
+# filter = event=imap_command_finished
+# group_by = cmd_name tagged_reply_state
+#}
+#
+#metric smtp_command {
+# filter = event=smtp_server_command_finished
+# group_by = cmd_name status_code duration:exponential:1:5:10
+#}
+#
+#metric mail_delivery {
+# filter = event=mail_delivery_finished
+# group_by = duration:exponential:1:5:10
+#}
+
+##
+## Prometheus
+##
+
+# To allow access to statistics with Prometheus, enable http listener
+# on stats process. Stats will be available on /metrics path.
+#
+# See https://doc.dovecot.org/configuration_manual/stats/openmetrics/ for more
+# details.
+
+#service stats {
+# inet_listener http {
+# port = 9900
+# }
+#}
+
+##
+## Event exporting
+##
+
+# You can also export individual events.
+#
+# See https://doc.dovecot.org/configuration_manual/event_export/ for more
+# details.
+
+#event_exporter log {
+# format = json
+# format_args = time-rfc3339
+# transport = log
+#}
+#
+#metric imap_commands {
+# exporter = log
+# filter = event=imap_command_finished
+#}
diff --git a/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-ssl.conf b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-ssl.conf
new file mode 100644
index 0000000..0bee01e
--- /dev/null
+++ b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/10-ssl.conf
@@ -0,0 +1,85 @@
+##
+## SSL settings
+##
+
+# SSL/TLS support: yes, no, required.
+# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps
+# plain imap and pop3 are still allowed for local connections
+ssl = required
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root. Included doc/mkcert.sh can be used to easily generate self-signed
+# certificate, just make sure to update the domains in dovecot-openssl.cnf
+ssl_cert = was automatically rejected:%n%r
+
+# Delimiter character between local-part and detail in email address.
+#recipient_delimiter = +
+
+# Header where the original recipient address (SMTP's RCPT TO: address) is taken
+# from if not available elsewhere. With dovecot-lda -a parameter overrides this.
+# A commonly used header for this is X-Original-To.
+#lda_original_recipient_header =
+
+# Should saving a mail to a nonexistent mailbox automatically create it?
+#lda_mailbox_autocreate = no
+
+# Should automatically created mailboxes be also automatically subscribed?
+#lda_mailbox_autosubscribe = no
+
+protocol lda {
+ # Space separated list of plugins to load (default is global mail_plugins).
+ #mail_plugins = $mail_plugins
+}
diff --git a/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/15-mailboxes.conf b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/15-mailboxes.conf
new file mode 100644
index 0000000..71076d4
--- /dev/null
+++ b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/15-mailboxes.conf
@@ -0,0 +1,86 @@
+##
+## Mailbox definitions
+##
+
+# Each mailbox is specified in a separate mailbox section. The section name
+# specifies the mailbox name. If it has spaces, you can put the name
+# "in quotes". These sections can contain the following mailbox settings:
+#
+# auto:
+# Indicates whether the mailbox with this name is automatically created
+# implicitly when it is first accessed. The user can also be automatically
+# subscribed to the mailbox after creation. The following values are
+# defined for this setting:
+#
+# no - Never created automatically.
+# create - Automatically created, but no automatic subscription.
+# subscribe - Automatically created and subscribed.
+#
+# special_use:
+# A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
+# mailbox. There are no validity checks, so you could specify anything
+# you want in here, but it's not a good idea to use flags other than the
+# standard ones specified in the RFC:
+#
+# \All - This (virtual) mailbox presents all messages in the
+# user's message store.
+# \Archive - This mailbox is used to archive messages.
+# \Drafts - This mailbox is used to hold draft messages.
+# \Flagged - This (virtual) mailbox presents all messages in the
+# user's message store marked with the IMAP \Flagged flag.
+# \Important - This (virtual) mailbox presents all messages in the
+# user's message store deemed important to user.
+# \Junk - This mailbox is where messages deemed to be junk mail
+# are held.
+# \Sent - This mailbox is used to hold copies of messages that
+# have been sent.
+# \Trash - This mailbox is used to hold messages that have been
+# deleted.
+#
+# comment:
+# Defines a default comment or note associated with the mailbox. This
+# value is accessible through the IMAP METADATA mailbox entries
+# "/shared/comment" and "/private/comment". Users with sufficient
+# privileges can override the default value for entries with a custom
+# value.
+
+# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
+namespace inbox {
+ # These mailboxes are widely used and could perhaps be created automatically:
+ mailbox Drafts {
+ special_use = \Drafts
+ }
+ mailbox Junk {
+ special_use = \Junk
+ }
+ mailbox Trash {
+ special_use = \Trash
+ }
+
+ # For \Sent mailboxes there are two widely used names. We'll mark both of
+ # them as \Sent. User typically deletes one of them if duplicates are created.
+ mailbox Sent {
+ special_use = \Sent
+ }
+ mailbox "Sent Messages" {
+ special_use = \Sent
+ }
+
+ # If you have a virtual "All messages" mailbox:
+ #mailbox virtual/All {
+ # special_use = \All
+ # comment = All my messages
+ #}
+
+ # If you have a virtual "Flagged" mailbox:
+ #mailbox virtual/Flagged {
+ # special_use = \Flagged
+ # comment = All my flagged messages
+ #}
+
+ # If you have a virtual "Important" mailbox:
+ #mailbox virtual/Important {
+ # special_use = \Important
+ # comment = All my important messages
+ #}
+}
diff --git a/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/20-imap.conf b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/20-imap.conf
new file mode 100644
index 0000000..e60b0cd
--- /dev/null
+++ b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/20-imap.conf
@@ -0,0 +1,99 @@
+##
+## IMAP specific settings
+##
+
+# If nothing happens for this long while client is IDLEing, move the connection
+# to imap-hibernate process and close the old imap process. This saves memory,
+# because connections use very little memory in imap-hibernate process. The
+# downside is that recreating the imap process back uses some resources.
+#imap_hibernate_timeout = 0
+
+# Maximum IMAP command line length. Some clients generate very long command
+# lines with huge mailboxes, so you may need to raise this if you get
+# "Too long argument" or "IMAP command line too large" errors often.
+#imap_max_line_length = 64k
+
+# IMAP logout format string:
+# %i - total number of bytes read from client
+# %o - total number of bytes sent to client
+# %{fetch_hdr_count} - Number of mails with mail header data sent to client
+# %{fetch_hdr_bytes} - Number of bytes with mail header data sent to client
+# %{fetch_body_count} - Number of mails with mail body data sent to client
+# %{fetch_body_bytes} - Number of bytes with mail body data sent to client
+# %{deleted} - Number of mails where client added \Deleted flag
+# %{expunged} - Number of mails that client expunged, which does not
+# include automatically expunged mails
+# %{autoexpunged} - Number of mails that were automatically expunged after
+# client disconnected
+# %{trashed} - Number of mails that client copied/moved to the
+# special_use=\Trash mailbox.
+# %{appended} - Number of mails saved during the session
+#imap_logout_format = in=%i out=%o deleted=%{deleted} expunged=%{expunged} \
+# trashed=%{trashed} hdr_count=%{fetch_hdr_count} \
+# hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} \
+# body_bytes=%{fetch_body_bytes}
+
+# Override the IMAP CAPABILITY response. If the value begins with '+',
+# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
+#imap_capability =
+
+# How long to wait between "OK Still here" notifications when client is
+# IDLEing.
+#imap_idle_notify_interval = 2 mins
+
+# ID field names and values to send to clients. Using * as the value makes
+# Dovecot use the default value. The following fields have default values
+# currently: name, version, os, os-version, support-url, support-email,
+# revision.
+#imap_id_send =
+
+# ID fields sent by client to log. * means everything.
+#imap_id_log =
+
+# Workarounds for various client bugs:
+# delay-newmail:
+# Send EXISTS/RECENT new mail notifications only when replying to NOOP
+# and CHECK commands. Some clients ignore them otherwise, for example OSX
+# Mail () instead of full path
+# syntax.
+#
+# The list is space-separated.
+#lmtp_client_workarounds =
+
+protocol lmtp {
+ # Space separated list of plugins to load (default is global mail_plugins).
+ #mail_plugins = $mail_plugins
+}
diff --git a/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/20-managesieve.conf b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/20-managesieve.conf
new file mode 100644
index 0000000..3f71b58
--- /dev/null
+++ b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/20-managesieve.conf
@@ -0,0 +1,84 @@
+##
+## ManageSieve specific settings
+##
+
+# Uncomment to enable managesieve protocol:
+#protocols = $protocols sieve
+
+# Service definitions
+
+#service managesieve-login {
+ #inet_listener sieve {
+ # port = 4190
+ #}
+
+ #inet_listener sieve_deprecated {
+ # port = 2000
+ #}
+
+ # Number of connections to handle before starting a new process. Typically
+ # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
+ # is faster.
+ #service_count = 1
+
+ # Number of processes to always keep waiting for more connections.
+ #process_min_avail = 0
+
+ # If you set service_count=0, you probably need to grow this.
+ #vsz_limit = 64M
+#}
+
+#service managesieve {
+ # Max. number of ManageSieve processes (connections)
+ #process_limit = 1024
+#}
+
+# Service configuration
+
+protocol sieve {
+ # Maximum ManageSieve command line length in bytes. ManageSieve usually does
+ # not involve overly long command lines, so this setting will not normally
+ # need adjustment
+ #managesieve_max_line_length = 65536
+
+ # Maximum number of ManageSieve connections allowed for a user from each IP
+ # address.
+ # NOTE: The username is compared case-sensitively.
+ #mail_max_userip_connections = 10
+
+ # Space separated list of plugins to load (none known to be useful so far).
+ # Do NOT try to load IMAP plugins here.
+ #mail_plugins =
+
+ # MANAGESIEVE logout format string:
+ # %i - total number of bytes read from client
+ # %o - total number of bytes sent to client
+ # %{put_bytes} - Number of bytes saved using PUTSCRIPT command
+ # %{put_count} - Number of scripts saved using PUTSCRIPT command
+ # %{get_bytes} - Number of bytes read using GETCRIPT command
+ # %{get_count} - Number of scripts read using GETSCRIPT command
+ # %{get_bytes} - Number of bytes processed using CHECKSCRIPT command
+ # %{get_count} - Number of scripts checked using CHECKSCRIPT command
+ # %{deleted_count} - Number of scripts deleted using DELETESCRIPT command
+ # %{renamed_count} - Number of scripts renamed using RENAMESCRIPT command
+ #managesieve_logout_format = bytes=%i/%o
+
+ # To fool ManageSieve clients that are focused on CMU's timesieved you can
+ # specify the IMPLEMENTATION capability that Dovecot reports to clients.
+ # For example: 'Cyrus timsieved v2.2.13'
+ #managesieve_implementation_string = Dovecot Pigeonhole
+
+ # Explicitly specify the SIEVE and NOTIFY capability reported by the server
+ # before login. If left unassigned these will be reported dynamically
+ # according to what the Sieve interpreter supports by default (after login
+ # this may differ depending on the user).
+ #managesieve_sieve_capability =
+ #managesieve_notify_capability =
+
+ # The maximum number of compile errors that are returned to the client upon
+ # script upload or script verification.
+ #managesieve_max_compile_errors = 5
+
+ # Refer to 90-sieve.conf for script quota configuration and configuration of
+ # Sieve execution limits.
+}
diff --git a/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/20-pop3.conf b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/20-pop3.conf
new file mode 100644
index 0000000..7b310ea
--- /dev/null
+++ b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/20-pop3.conf
@@ -0,0 +1,99 @@
+##
+## POP3 specific settings
+##
+
+# Don't try to set mails non-recent or seen with POP3 sessions. This is
+# mostly intended to reduce disk I/O. With maildir it doesn't move files
+# from new/ to cur/, with mbox it doesn't write Status-header.
+#pop3_no_flag_updates = no
+
+# Support LAST command which exists in old POP3 specs, but has been removed
+# from new ones. Some clients still wish to use this though. Enabling this
+# makes RSET command clear all \Seen flags from messages.
+#pop3_enable_last = no
+
+# If mail has X-UIDL header, use it as the mail's UIDL.
+#pop3_reuse_xuidl = no
+
+# Allow only one POP3 session to run simultaneously for the same user.
+#pop3_lock_session = no
+
+# POP3 requires message sizes to be listed as if they had CR+LF linefeeds.
+# Many POP3 servers violate this by returning the sizes with LF linefeeds,
+# because it's faster to get. When this setting is enabled, Dovecot still
+# tries to do the right thing first, but if that requires opening the
+# message, it fallbacks to the easier (but incorrect) size.
+#pop3_fast_size_lookups = no
+
+# POP3 UIDL (unique mail identifier) format to use. You can use following
+# variables, along with the variable modifiers described in
+# doc/wiki/Variables.txt (e.g. %Uf for the filename in uppercase)
+#
+# %v - Mailbox's IMAP UIDVALIDITY
+# %u - Mail's IMAP UID
+# %m - MD5 sum of the mailbox headers in hex (mbox only)
+# %f - filename (maildir only)
+# %g - Mail's GUID
+#
+# If you want UIDL compatibility with other POP3 servers, use:
+# UW's ipop3d : %08Xv%08Xu
+# Courier : %f or %v-%u (both might be used simultaneously)
+# Cyrus (<= 2.1.3) : %u
+# Cyrus (>= 2.1.4) : %v.%u
+# Dovecot v0.99.x : %v.%u
+# tpop3d : %Mf
+#
+# Note that Outlook 2003 seems to have problems with %v.%u format which was
+# Dovecot's default, so if you're building a new server it would be a good
+# idea to change this. %08Xu%08Xv should be pretty fail-safe.
+#
+#pop3_uidl_format = %08Xu%08Xv
+
+# Permanently save UIDLs sent to POP3 clients, so pop3_uidl_format changes
+# won't change those UIDLs. Currently this works only with Maildir.
+#pop3_save_uidl = no
+
+# What to do about duplicate UIDLs if they exist?
+# allow: Show duplicates to clients.
+# rename: Append a temporary -2, -3, etc. counter after the UIDL.
+#pop3_uidl_duplicates = allow
+
+# This option changes POP3 behavior so that it's not possible to actually
+# delete mails via POP3, only hide them from future POP3 sessions. The mails
+# will still be counted towards user's quota until actually deleted via IMAP.
+# Use e.g. "$POP3Deleted" as the value (it will be visible as IMAP keyword).
+# Make sure you can legally archive mails before enabling this setting.
+#pop3_deleted_flag =
+
+# POP3 logout format string:
+# %i - total number of bytes read from client
+# %o - total number of bytes sent to client
+# %t - number of TOP commands
+# %p - number of bytes sent to client as a result of TOP command
+# %r - number of RETR commands
+# %b - number of bytes sent to client as a result of RETR command
+# %d - number of deleted messages
+# %{deleted_bytes} - number of bytes in deleted messages
+# %m - number of messages (before deletion)
+# %s - mailbox size in bytes (before deletion)
+# %u - old/new UIDL hash. may help finding out if UIDLs changed unexpectedly
+#pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
+
+# Workarounds for various client bugs:
+# outlook-no-nuls:
+# Outlook and Outlook Express hang if mails contain NUL characters.
+# This setting replaces them with 0x80 character.
+# oe-ns-eoh:
+# Outlook Express and Netscape Mail breaks if end of headers-line is
+# missing. This option simply sends it if it's missing.
+# The list is space-separated.
+#pop3_client_workarounds =
+
+protocol pop3 {
+ # Space separated list of plugins to load (default is global mail_plugins).
+ #mail_plugins = $mail_plugins
+
+ # Maximum number of POP3 connections allowed for a user from each IP address.
+ # NOTE: The username is compared case-sensitively.
+ #mail_max_userip_connections = 10
+}
diff --git a/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/20-submission.conf b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/20-submission.conf
new file mode 100644
index 0000000..390089c
--- /dev/null
+++ b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/20-submission.conf
@@ -0,0 +1,112 @@
+##
+## Settings specific to SMTP Submission
+##
+
+# SMTP Submission logout format string:
+# %i - total number of bytes read from client
+# %o - total number of bytes sent to client
+# %{command_count} - Number of commands received from client
+# %{reply_count} - Number of replies sent to client
+# %{session} - Session ID of the login session
+# %{transaction_id} - ID of the current transaction, if any
+#submission_logout_format = in=%i out=%o
+
+# Host name reported by the SMTP service, for example to the client in the
+# initial greeting and to the relay server in the HELO/EHLO command.
+# Default is the system's real hostname@domain.
+#hostname =
+
+# Maximum size of messages accepted for relay. This announced in the SIZE
+# capability. If not configured, this is either determined from the relay
+# server or left unlimited if no limit is known (relay will reply with error
+# if some unknown limit exists there, which is duly passed to our client).
+#submission_max_mail_size =
+
+# Maximum number of recipients accepted per connection (default: unlimited)
+#submission_max_recipients =
+
+# Workarounds for various client bugs:
+# whitespace-before-path:
+# Allow one or more spaces or tabs between `MAIL FROM:' and path and between
+# `RCPT TO:' and path.
+# mailbox-for-path:
+# Allow using bare Mailbox syntax (i.e., without <...>) instead of full path
+# syntax.
+#
+# The list is space-separated.
+#submission_client_workarounds =
+
+# Relay server configuration:
+#
+# The Dovecot SMTP submission service directly proxies the mail transaction
+# to the SMTP relay configured here.
+
+# Host name for the relay server (required)
+#submission_relay_host =
+
+# Port for the relay server
+#submission_relay_port = 25
+
+# Is the relay server trusted? This determines whether we try to send
+# (Postfix-specific) XCLIENT data to the relay server
+#submission_relay_trusted = no
+
+# Authentication data for the relay server if authentication is required
+#submission_relay_user =
+#submission_relay_master_user =
+#submission_relay_password =
+
+# SSL configuration for connection to relay server
+#
+# submission_relay_ssl:
+# Indicates whether SSL is used for the connection to the relay server. The
+# following values are defined for this setting:
+#
+# no - No SSL is used
+# smtps - An SMTPS connection (immediate SSL) is used
+# starttls - The STARTTLS command is used to establish SSL layer
+#submission_relay_ssl = no
+
+# submission_relay_ssl_verify:
+# Configures whether the SSL certificate of the relay server is to be
+# verified.
+#submission_relay_ssl_verify = yes
+
+# Write protocol logs for relay connection to this directory for debugging
+#submission_relay_rawlog_dir =
+
+# BURL is configured implicitly by IMAP URLAUTH
+
+# Part of the SMTP capabilities that the submission service can offer to the
+# client (as listed in the EHLO reply) depend on those capabilities also being
+# provided by the relay server. These capabilities currently are:
+#
+# - 8BITMIME
+# - BINARYMIME
+# - DSN
+# - VRFY (always returns 252 without support)
+#
+# By default, the submission service first connects to the relay server to
+# determine the support for such capabilities before sending the initial EHLO
+# reply to the client. If the list of capabilities returned by the relay server
+# is somehow unreliable or it is undesirable to start the connection to the
+# relay server before the first mail transaction is started, the backend
+# capabilities can be configured explicitly using the
+# submission_backend_capabilities setting. This is a space-separated list of
+# SMTP capability names. This setting is only relevant for capabilities that
+# depend on support from the relay server: including (or omitting) capabilities
+# that are not listed above has no effect. When this setting is explicitly set
+# to the empty string, none of the capabilities is enabled. To achieve the
+# default behavior, this setting must be left unconfigured.
+#submission_backend_capabilities =
+
+protocol submission {
+ # Space-separated list of plugins to load (default is global mail_plugins).
+ #mail_plugins = $mail_plugins
+
+ # Maximum number of SMTP submission connections allowed for a user from
+ # each IP address.
+ # NOTE: The username is compared case-sensitively.
+ #mail_max_userip_connections = 10
+}
+
diff --git a/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/90-acl.conf b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/90-acl.conf
new file mode 100644
index 0000000..f0c0e7a
--- /dev/null
+++ b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/90-acl.conf
@@ -0,0 +1,19 @@
+##
+## Mailbox access control lists.
+##
+
+# vfile backend reads ACLs from "dovecot-acl" file from mail directory.
+# You can also optionally give a global ACL directory path where ACLs are
+# applied to all users' mailboxes. The global ACL directory contains
+# one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter
+# specifies how many seconds to wait between stat()ing dovecot-acl file
+# to see if it changed.
+plugin {
+ #acl = vfile:/etc/dovecot/global-acls:cache_secs=300
+}
+
+# To let users LIST mailboxes shared by other users, Dovecot needs a
+# shared mailbox dictionary. For example:
+plugin {
+ #acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
+}
diff --git a/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/90-plugin.conf b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/90-plugin.conf
new file mode 100644
index 0000000..8c8fccf
--- /dev/null
+++ b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/90-plugin.conf
@@ -0,0 +1,11 @@
+##
+## Plugin settings
+##
+
+# All wanted plugins must be listed in mail_plugins setting before any of the
+# settings take effect. See for list of plugins and
+# their configuration. Note that %variable expansion is done for all values.
+
+plugin {
+ #setting_name = value
+}
diff --git a/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/90-quota.conf b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/90-quota.conf
new file mode 100644
index 0000000..3308c05
--- /dev/null
+++ b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/90-quota.conf
@@ -0,0 +1,83 @@
+##
+## Quota configuration.
+##
+
+# Note that you also have to enable quota plugin in mail_plugins setting.
+#
+
+##
+## Quota limits
+##
+
+# Quota limits are set using "quota_rule" parameters. To get per-user quota
+# limits, you can set/override them by returning "quota_rule" extra field
+# from userdb. It's also possible to give mailbox-specific limits, for example
+# to give additional 100 MB when saving to Trash:
+
+plugin {
+ #quota_rule = *:storage=1G
+ #quota_rule2 = Trash:storage=+100M
+
+ # LDA/LMTP allows saving the last mail to bring user from under quota to
+ # over quota, if the quota doesn't grow too high. Default is to allow as
+ # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
+ #quota_grace = 10%%
+
+ # Quota plugin can also limit the maximum accepted mail size.
+ #quota_max_mail_size = 100M
+}
+
+##
+## Quota warnings
+##
+
+# You can execute a given command when user exceeds a specified quota limit.
+# Each quota root has separate limits. Only the command for the first
+# exceeded limit is executed, so put the highest limit first.
+# The commands are executed via script service by connecting to the named
+# UNIX socket (quota-warning below).
+# Note that % needs to be escaped as %%, otherwise "% " expands to empty.
+
+plugin {
+ #quota_warning = storage=95%% quota-warning 95 %u
+ #quota_warning2 = storage=80%% quota-warning 80 %u
+}
+
+# Example quota-warning service. The unix listener's permissions should be
+# set in a way that mail processes can connect to it. Below example assumes
+# that mail processes run as vmail user. If you use mode=0666, all system users
+# can generate quota warnings to anyone.
+#service quota-warning {
+# executable = script /usr/local/bin/quota-warning.sh
+# user = dovecot
+# unix_listener quota-warning {
+# user = vmail
+# }
+#}
+
+##
+## Quota backends
+##
+
+# Multiple backends are supported:
+# dirsize: Find and sum all the files found from mail directory.
+# Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
+# dict: Keep quota stored in dictionary (eg. SQL)
+# maildir: Maildir++ quota
+# fs: Read-only support for filesystem quota
+
+plugin {
+ #quota = dirsize:User quota
+ #quota = maildir:User quota
+ #quota = dict:User quota::proxy::quota
+ #quota = fs:User quota
+}
+
+# Multiple quota roots are also possible, for example this gives each user
+# their own 100MB quota and one shared 1GB quota within the domain:
+plugin {
+ #quota = dict:user::proxy::quota
+ #quota2 = dict:domain:%d:proxy::quota_domain
+ #quota_rule = *:storage=102400
+ #quota2_rule = *:storage=1048576
+}
diff --git a/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/90-sieve-extprograms.conf b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/90-sieve-extprograms.conf
new file mode 100644
index 0000000..17dcb77
--- /dev/null
+++ b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/90-sieve-extprograms.conf
@@ -0,0 +1,44 @@
+# Sieve Extprograms plugin configuration
+
+# Don't forget to add the sieve_extprograms plugin to the sieve_plugins setting.
+# Also enable the extensions you need (one or more of vnd.dovecot.pipe,
+# vnd.dovecot.filter and vnd.dovecot.execute) by adding these to the
+# sieve_extensions or sieve_global_extensions settings. Restricting these
+# extensions to a global context using sieve_global_extensions is recommended.
+
+plugin {
+
+ # The directory where the program sockets are located for the
+ # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
+ # respectively. The name of each unix socket contained in that directory
+ # directly maps to a program-name referenced from the Sieve script.
+ #sieve_pipe_socket_dir = sieve-pipe
+ #sieve_filter_socket_dir = sieve-filter
+ #sieve_execute_socket_dir = sieve-execute
+
+ # The directory where the scripts are located for direct execution by the
+ # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
+ # respectively. The name of each script contained in that directory
+ # directly maps to a program-name referenced from the Sieve script.
+ #sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
+ #sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
+ #sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute
+}
+
+# An example program service called 'do-something' to pipe messages to
+#service do-something {
+ # Define the executed script as parameter to the sieve service
+ #executable = script /usr/lib/dovecot/sieve-pipe/do-something.sh
+
+ # Use some unprivileged user for executing the program
+ #user = dovenull
+
+ # The unix socket located in the sieve_pipe_socket_dir (as defined in the
+ # plugin {} section above)
+ #unix_listener sieve-pipe/do-something {
+ # LDA/LMTP must have access
+ # user = vmail
+ # mode = 0600
+ #}
+#}
+
diff --git a/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/90-sieve.conf b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/90-sieve.conf
new file mode 100644
index 0000000..238bcf4
--- /dev/null
+++ b/roles/ensure_dovecot/templates/Fedora/42/etc/dovecot/conf.d/90-sieve.conf
@@ -0,0 +1,205 @@
+##
+## Settings for the Sieve interpreter
+##
+
+# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
+# by adding it to the respective mail_plugins= settings.
+
+# The Sieve interpreter can retrieve Sieve scripts from several types of
+# locations. The default `file' location type is a local filesystem path
+# pointing to a Sieve script file or a directory containing multiple Sieve
+# script files. More complex setups can use other location types such as
+# `ldap' or `dict' to fetch Sieve scripts from remote databases.
+#
+# All settings that specify the location of one ore more Sieve scripts accept
+# the following syntax:
+#
+# location = [:]path[;