wk2: account management tooling

target/dovecot/10-auth.conf

@@ -121,9 +121,9 @@ auth_mechanisms = plain
 #!include auth-deny.conf.ext
 #!include auth-master.conf.ext
 
-!include auth-system.conf.ext
+#!include auth-system.conf.ext
 #!include auth-sql.conf.ext
 #!include auth-ldap.conf.ext
-#!include auth-passwdfile.conf.ext
+!include auth-passwdfile.conf.ext
 #!include auth-checkpassword.conf.ext
 #!include auth-static.conf.ext

target/dovecot/10-director.conf

@@ -1,60 +0,0 @@
-##
-## Director-specific settings.
-##
-
-# Director can be used by Dovecot proxy to keep a temporary user -> mail server
-# mapping. As long as user has simultaneous connections, the user is always
-# redirected to the same server. Each proxy server is running its own director
-# process, and the directors are communicating the state to each others.
-# Directors are mainly useful with NFS-like setups.
-
-# List of IPs or hostnames to all director servers, including ourself.
-# Ports can be specified as ip:port. The default port is the same as
-# what director service's inet_listener is using.
-#director_servers = 
-
-# List of IPs or hostnames to all backend mail servers. Ranges are allowed
-# too, like 10.0.0.10-10.0.0.30.
-#director_mail_servers = 
-
-# How long to redirect users to a specific server after it no longer has
-# any connections.
-#director_user_expire = 15 min
-
-# How the username is translated before being hashed. Useful values include
-# %Ln if user can log in with or without @domain, %Ld if mailboxes are shared
-# within domain.
-#director_username_hash = %Lu
-
-# To enable director service, uncomment the modes and assign a port.
-service director {
-  unix_listener login/director {
-    #mode = 0666
-  }
-  fifo_listener login/proxy-notify {
-    #mode = 0666
-  }
-  unix_listener director-userdb {
-    #mode = 0600
-  }
-  inet_listener {
-    #port = 
-  }
-}
-
-# Enable director for the wanted login services by telling them to
-# connect to director socket instead of the default login socket:
-service imap-login {
-  #executable = imap-login director
-}
-service pop3-login {
-  #executable = pop3-login director
-}
-service submission-login {
-  #executable = submission-login director
-}
-
-# Enable director for LMTP proxying:
-protocol lmtp {
-  #auth_socket_path = director-userdb
-}

target/dovecot/10-mail.conf

@@ -27,7 +27,8 @@
 #
 # <doc/wiki/MailLocation.txt>
 #
-mail_location = mbox:~/mail:INBOX=/var/mail/%u
+mail_home = /var/mail/%d/%n/home/
+mail_location = maildir:/var/mail/%u/%n
 
 # If you need to set multiple mailbox locations or want to change default
 # namespace settings, you can do it by defining namespace sections.
@@ -111,7 +112,7 @@ namespace inbox {
 # Group to enable temporarily for privileged operations. Currently this is
 # used only with INBOX when either its initial creation or dotlocking fails.
 # Typically this is set to "mail" to give access to /var/mail.
-mail_privileged_group = mail
+mail_privileged_group = jupiter
 
 # Grant access to these supplementary groups for mail processes. Typically
 # these are used to set up access to shared mailboxes. Note that it may be
@@ -215,7 +216,7 @@ mail_privileged_group = mail
 
 # Space separated list of plugins to load for all services. Plugins specific to
 # IMAP, LDA, etc. are added to this list in their own .conf files.
-#mail_plugins = 
+mail_plugins = $mail_plugins quota
 
 ##
 ## Mailbox handling optimizations
@@ -282,7 +283,7 @@ protocol !indexer-worker {
 # This is done by stat()ing each entry, so it causes more disk I/O.
 # (For systems setting struct dirent->d_type, this check is free and it's
 # done always regardless of this setting)
-#maildir_stat_dirs = no
+maildir_stat_dirs = yes
 
 # When copying a message, do it with hard links whenever possible. This makes
 # the performance much better, and it's unlikely to have any side effects.

target/dovecot/10-master.conf

@@ -98,15 +98,17 @@ service auth {
   # something else than 0666 and Dovecot lets the kernel enforce the
   # permissions (e.g. 0777 allows everyone full permissions).
   unix_listener auth-userdb {
-    #mode = 0666
-    #user = 
-    #group = 
+    mode = 0666
+    user = jupiter
+    group = jupiter
   }
 
   # Postfix smtp-auth
-  #unix_listener /var/spool/postfix/private/auth {
-  #  mode = 0666
-  #}
+  unix_listener /dev/shm/sasl-auth.sock {
+    mode = 0666
+    user = postfix
+    group = postfix
+  }
 
   # Auth process is run as this user.
   #user = $default_internal_user

target/dovecot/10-ssl.conf

@@ -10,8 +10,8 @@ ssl = no #yes
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = /etc/dovecot/private/dovecot.pem
-ssl_key = /etc/dovecot/private/dovecot.key
+#ssl_cert = /etc/dovecot/private/dovecot.pem
+#ssl_key = /etc/dovecot/private/dovecot.key
 
 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
@@ -53,7 +53,7 @@ ssl_client_ca_dir = /etc/ssl/certs
 # Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
 # Or migrate from old ssl-parameters.dat file with the command dovecot
 # gives on startup when ssl_dh is unset.
-ssl_dh = </usr/share/dovecot/dh.pem
+#ssl_dh = </usr/share/dovecot/dh.pem
 
 # Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
 # TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used.

target/dovecot/10-tcpwrapper.conf

@@ -1,14 +0,0 @@
-# 10-tcpwrapper.conf
-#
-# service name for hosts.{allow|deny} are those defined as
-# inet_listener in master.conf
-#
-#login_access_sockets = tcpwrap
-#
-#service tcpwrap {
-#  unix_listener login/tcpwrap {
-#    group = $default_login_user
-#    mode = 0600
-#    user = $default_login_user
-#  }
-#}

target/dovecot/15-lda.conf

@@ -1,48 +0,0 @@
-##
-## LDA specific settings (also used by LMTP)
-##
-
-# Address to use when sending rejection mails.
-# Default is postmaster@%d. %d expands to recipient domain.
-#postmaster_address =
-
-# Hostname to use in various parts of sent mails (e.g. in Message-Id) and
-# in LMTP replies. Default is the system's real hostname@domain.
-#hostname = 
-
-# If user is over quota, return with temporary failure instead of
-# bouncing the mail.
-#quota_full_tempfail = no
-
-# Binary to use for sending mails.
-#sendmail_path = /usr/sbin/sendmail
-
-# If non-empty, send mails via this SMTP host[:port] instead of sendmail.
-#submission_host =
-
-# Subject: header to use for rejection mails. You can use the same variables
-# as for rejection_reason below.
-#rejection_subject = Rejected: %s
-
-# Human readable error message for rejection mails. You can use variables:
-#  %n = CRLF, %r = reason, %s = original subject, %t = recipient
-#rejection_reason = Your message to <%t> was automatically rejected:%n%r
-
-# Delimiter character between local-part and detail in email address.
-#recipient_delimiter = +
-
-# Header where the original recipient address (SMTP's RCPT TO: address) is taken
-# from if not available elsewhere. With dovecot-lda -a parameter overrides this. 
-# A commonly used header for this is X-Original-To.
-#lda_original_recipient_header =
-
-# Should saving a mail to a nonexistent mailbox automatically create it?
-#lda_mailbox_autocreate = no
-
-# Should automatically created mailboxes be also automatically subscribed?
-#lda_mailbox_autosubscribe = no
-
-protocol lda {
-  # Space separated list of plugins to load (default is global mail_plugins).
-  #mail_plugins = $mail_plugins
-}

target/dovecot/90-acl.conf

@@ -1,19 +0,0 @@
-##
-## Mailbox access control lists.
-##
-
-# vfile backend reads ACLs from "dovecot-acl" file from mail directory.
-# You can also optionally give a global ACL directory path where ACLs are
-# applied to all users' mailboxes. The global ACL directory contains
-# one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter
-# specifies how many seconds to wait between stat()ing dovecot-acl file
-# to see if it changed.
-plugin {
-  #acl = vfile:/etc/dovecot/global-acls:cache_secs=300
-}
-
-# To let users LIST mailboxes shared by other users, Dovecot needs a
-# shared mailbox dictionary. For example:
-plugin {
-  #acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
-}

target/dovecot/auth-checkpassword.conf.ext

@@ -1,21 +0,0 @@
-# Authentication for checkpassword users. Included from 10-auth.conf.
-#
-# <doc/wiki/AuthDatabase.CheckPassword.txt>
-
-passdb {
-  driver = checkpassword
-  args = /usr/bin/checkpassword
-}
-
-# passdb lookup should return also userdb info
-userdb {
-  driver = prefetch
-}
-
-# Standard checkpassword doesn't support direct userdb lookups.
-# If you need checkpassword userdb, the checkpassword must support
-# Dovecot-specific extensions.
-#userdb {
-#  driver = checkpassword
-#  args = /usr/bin/checkpassword
-#}

target/dovecot/auth-deny.conf.ext

@@ -1,15 +0,0 @@
-# Deny access for users. Included from 10-auth.conf.
-
-# Users can be (temporarily) disabled by adding a passdb with deny=yes.
-# If the user is found from that database, authentication will fail.
-# The deny passdb should always be specified before others, so it gets
-# checked first.
-
-# Example deny passdb using passwd-file. You can use any passdb though.
-passdb {
-  driver = passwd-file
-  deny = yes
-
-  # File contains a list of usernames, one per line
-  args = /etc/dovecot/deny-users
-}

target/dovecot/auth-dict.conf.ext

@@ -1,16 +0,0 @@
-# Authentication via dict backend. Included from 10-auth.conf.
-#
-# <doc/wiki/AuthDatabase.Dict.txt>
-
-passdb {
-  driver = dict
-
-  # Path for dict configuration file, see
-  # example-config/dovecot-dict-auth.conf.ext
-  args = /etc/dovecot/dovecot-dict-auth.conf.ext
-}
-
-userdb {
-  driver = dict
-  args = /etc/dovecot/dovecot-dict-auth.conf.ext
-}

target/dovecot/auth-passwdfile.conf.ext

@@ -6,12 +6,13 @@
 passdb {
   driver = passwd-file
   mechanisms = plain login
-  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/users
+  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/userdb
 }
 
 userdb {
   driver = passwd-file
-  args = username_format=%u /etc/dovecot/users
+  args = username_format=%u /etc/dovecot/userdb
+  default_fields = uid=jupiter gid=jupiter home=/var/mail/%d/%u/home/
 
   # Default fields that can be overridden by passwd-file
   #default_fields = quota_rule=*:storage=1G

target/dovecot/auth-sql.conf.ext

@@ -1,30 +0,0 @@
-# Authentication for SQL users. Included from 10-auth.conf.
-#
-# <doc/wiki/AuthDatabase.SQL.txt>
-
-passdb {
-  driver = sql
-
-  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
-  args = /etc/dovecot/dovecot-sql.conf.ext
-}
-
-# "prefetch" user database means that the passdb already provided the
-# needed information and there's no need to do a separate userdb lookup.
-# <doc/wiki/UserDatabase.Prefetch.txt>
-#userdb {
-#  driver = prefetch
-#}
-
-userdb {
-  driver = sql
-  args = /etc/dovecot/dovecot-sql.conf.ext
-}
-
-# If you don't have any user-specific settings, you can avoid the user_query
-# by using userdb static instead of userdb sql, for example:
-# <doc/wiki/UserDatabase.Static.txt>
-#userdb {
-  #driver = static
-  #args = uid=vmail gid=vmail home=/var/vmail/%u
-#}

target/dovecot/auth-static.conf.ext

@@ -1,24 +0,0 @@
-# Static passdb. Included from 10-auth.conf.
-
-# This can be used for situations where Dovecot doesn't need to verify the
-# username or the password, or if there is a single password for all users:
-#
-#  - proxy frontend, where the backend verifies the password
-#  - proxy backend, where the frontend already verified the password
-#  - authentication with SSL certificates
-#  - simple testing
-
-#passdb {
-#  driver = static
-#  args = proxy=y host=%1Mu.example.com nopassword=y
-#}
-
-#passdb {
-#  driver = static
-#  args = password=test
-#}
-
-#userdb {
-#  driver = static
-#  args = uid=vmail gid=vmail home=/home/%u
-#}

target/dovecot/auth-system.conf.ext

@@ -1,74 +0,0 @@
-# Authentication for system users. Included from 10-auth.conf.
-#
-# <doc/wiki/PasswordDatabase.txt>
-# <doc/wiki/UserDatabase.txt>
-
-# PAM authentication. Preferred nowadays by most systems.
-# PAM is typically used with either userdb passwd or userdb static.
-# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
-# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
-passdb {
-  driver = pam
-  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
-  # [cache_key=<key>] [<service name>]
-  #args = dovecot
-}
-
-# System users (NSS, /etc/passwd, or similar).
-# In many systems nowadays this uses Name Service Switch, which is
-# configured in /etc/nsswitch.conf. <doc/wiki/AuthDatabase.Passwd.txt>
-#passdb {
-  #driver = passwd
-  # [blocking=no]
-  #args = 
-#}
-
-# Shadow passwords for system users (NSS, /etc/shadow or similar).
-# Deprecated by PAM nowadays.
-# <doc/wiki/PasswordDatabase.Shadow.txt>
-#passdb {
-  #driver = shadow
-  # [blocking=no]
-  #args = 
-#}
-
-# PAM-like authentication for OpenBSD.
-# <doc/wiki/PasswordDatabase.BSDAuth.txt>
-#passdb {
-  #driver = bsdauth
-  # [blocking=no] [cache_key=<key>]
-  #args =
-#}
-
-##
-## User databases
-##
-
-# System users (NSS, /etc/passwd, or similar). In many systems nowadays this
-# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
-userdb {
-  # <doc/wiki/AuthDatabase.Passwd.txt>
-  driver = passwd
-  # [blocking=no]
-  #args = 
-
-  # Override fields from passwd
-  #override_fields = home=/home/virtual/%u
-}
-
-# Static settings generated from template <doc/wiki/UserDatabase.Static.txt>
-#userdb {
-  #driver = static
-  # Can return anything a userdb could normally return. For example:
-  #
-  #  args = uid=500 gid=500 home=/var/mail/%u
-  #
-  # LDA and LMTP needs to look up users only from the userdb. This of course
-  # doesn't work with static userdb because there is no list of users.
-  # Normally static userdb handles this by doing a passdb lookup. This works
-  # with most passdbs, with PAM being the most notable exception. If you do
-  # the user verification another way, you can add allow_all_users=yes to
-  # the args in which case the passdb lookup is skipped.
-  #
-  #args =
-#}