diff --git a/lib/configfiles/jessie.xml b/lib/configfiles/bullseye.xml similarity index 87% rename from lib/configfiles/jessie.xml rename to lib/configfiles/bullseye.xml index 8bab8ddc..7fee323d 100644 --- a/lib/configfiles/jessie.xml +++ b/lib/configfiles/bullseye.xml @@ -1,7 +1,7 @@ - + @@ -56,25 +56,14 @@ - {{settings.phpfpm.enabled}} - - - - {{settings.phpfpm.enabled}} - FastCgiIpcDir - - - Require all granted - Require env REDIRECT_STATUS - - +# Please remember to activate the use of mod_proxy / mod_proxy_fcgi in the PHP-FPM settings!!! +a2enmod proxy_fcgi ]]> - + {{settings.system.leenabled}} @@ -160,7 +149,7 @@ include_shell "/usr/share/lighttpd/include-conf-enabled.pl" {{settings.system.mod_fcgid}} - + # # allow-dnsupdate-from=127.0.0.0/8,::1 -################################# -# allow-recursion List of subnets that are allowed to recurse -# -allow-recursion=127.0.0.1 - ################################# # also-notify When notifying a domain, also notify these nameservers # @@ -740,16 +724,6 @@ master=yes # # receiver-threads=1 -################################# -# recursive-cache-ttl Seconds to store packets for recursive queries in the PacketCache -# -# recursive-cache-ttl=10 - -################################# -# recursor If recursion is desired, IP address of a recursing nameserver -# -# recursor=no - ################################# # retrieval-threads Number of AXFR-retrieval threads for slave operation # @@ -938,11 +912,6 @@ gmysql-password= # # allow-dnsupdate-from=127.0.0.0/8,::1 -################################# -# allow-recursion List of subnets that are allowed to recurse -# -allow-recursion=127.0.0.1 - ################################# # also-notify When notifying a domain, also notify these nameservers # 
@@ -1284,16 +1253,6 @@ master=yes # # receiver-threads=1 -################################# -# recursive-cache-ttl Seconds to store packets for recursive queries in the PacketCache -# -# recursive-cache-ttl=10 - -################################# -# recursor If recursion is desired, IP address of a recursing nameserver -# -# recursor=no - ################################# # retrieval-threads Number of AXFR-retrieval threads for slave operation # @@ -1612,7 +1571,7 @@ root: root@ # For common configuration examples, see BASIC_CONFIGURATION_README # and STANDARD_CONFIGURATION_README. To find these documents, use # the command "postconf html_directory readme_directory", or go to -# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc. +# http://www.postfix.org/. # # For best results, change no more than 2-3 parameters at a time, # and test if Postfix still works after every change. @@ -1646,7 +1605,7 @@ command_directory = /usr/sbin # daemon programs (i.e. programs listed in the master.cf file). This # directory must be owned by root. # -daemon_directory = /usr/lib/postfix +daemon_directory = /usr/lib/postfix/sbin # The data_directory parameter specifies the location of Postfix-writable # data files (caches, random numbers). This directory must be owned 
@@ -1672,14 +1631,34 @@ data_directory = /var/lib/postfix # #default_privs = nobody +# INTERNET HOST AND DOMAIN NAMES +# +# The myhostname parameter specifies the internet hostname of this +# mail system. The default is to use the fully-qualified domain name +# from gethostname(). $myhostname is used as a default value for many +# other configuration parameters. +# +# Froxlor Note: $myhostname can and should be the same as $mydomain as long as +# you don't intend to send mail to it (it will be considered local, not virtual) +# for the case of a subdomain, $mydomain *must* be equal to $myhostname, +# otherwise you cannot use the main domain for virtual transport. +# also check the note about $mydomain below. +myhostname = mail.$mydomain +#myhostname = virtual.domain.tld + +# The mydomain parameter specifies the local internet domain name. +# The default is to use $myhostname minus the first component. +# $mydomain is used as a default value for many other configuration +# parameters. +# +# Froxlor Note: We are using a default here but that may or may not make sense, +# depending on your dns configuration, please check yourself. + # FQDN from Froxlor mydomain = -# set myhostname to $mydomain because Froxlor alrady uses a FQDN -myhostname = $mydomain - # SENDING MAIL -# +# # The myorigin parameter specifies the domain that locally-posted # mail appears to come from. The default is to append $myhostname, # which is fine for small sites. If you run a domain with multiple @@ -1711,7 +1690,7 @@ myhostname = $mydomain # # Note: you need to stop/start Postfix when this parameter changes. # -#inet_interfaces = all +inet_interfaces = all #inet_interfaces = $myhostname #inet_interfaces = $myhostname, localhost 
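Review bot: The Froxlor note added in the @@ -1672 hunk says $myhostname "can and should be the same as $mydomain", but the line it documents sets `myhostname = mail.$mydomain`, and since `mydomain =` is filled with the Froxlor FQDN that yields a name one label below the FQDN, the opposite of what the note recommends. The previous template used `myhostname = $mydomain` for exactly that reason. Either keep that value or reword the note to say which of the two cases this template implements; as written a reader cannot tell what is intended. $myhostname is also what smtpd_banner (further down in this file) advertises, so if mail.<fqdn> has no DNS record some peers may reject the HELO, which is worth confirming before merging.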
@@ -1759,7 +1738,7 @@ myhostname = $mydomain # See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". # #mydestination = $myhostname, localhost.$mydomain, localhost -#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain +mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, # mail.$mydomain, www.$mydomain, ftp.$mydomain @@ -1781,7 +1760,7 @@ myhostname = $mydomain # # - You define $mydestination domain recipients in files other than # /etc/passwd, /etc/aliases, or the $virtual_alias_maps files. -# For example, you define $mydestination domain recipients in +# For example, you define $mydestination domain recipients in # the $virtual_mailbox_maps files. # # - You redefine the local delivery agent in master.cf. @@ -1801,7 +1780,7 @@ myhostname = $mydomain # The right-hand side of the lookup tables is conveniently ignored. # In the left-hand side, specify a bare username, an @domain.tld # wild-card, or specify a user@domain.tld address. -# +# #local_recipient_maps = unix:passwd.byname $alias_maps #local_recipient_maps = proxy:unix:passwd.byname $alias_maps #local_recipient_maps = @@ -1833,16 +1812,16 @@ unknown_local_recipient_reject_code = 550 # clients in the same IP subnetworks as the local machine. # On Linux, this does works correctly only with interfaces specified # with the "ifconfig" command. -# +# # Specify "mynetworks_style = class" when Postfix should "trust" SMTP # clients in the same IP class A/B/C networks as the local machine. # Don't do this with a dialup site - it would cause Postfix to "trust" # your entire provider's network. Instead, specify an explicit # mynetworks list by hand, as described below. -# +# # Specify "mynetworks_style = host" when Postfix should "trust" # only the local machine. -# +# #mynetworks_style = class #mynetworks_style = subnet #mynetworks_style = host 
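Review bot: `mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain` now makes the Froxlor FQDN a local domain, which the Froxlor note in the @@ -1672 hunk itself warns turns it "local, not virtual". If the same domain is also managed as a virtual domain by Froxlor, Postfix will log a warning about the domain appearing in both lists and deliver to UNIX accounts via mailbox_command instead of the virtual mailboxes; virtual_mailbox_domains is outside this diff, so this is inferred. A one-line comment above the setting would keep the next editor from re-adding the domain on the virtual side, e.g. `# Froxlor: $mydomain is delivered locally here; do not also configure it as a virtual domain`.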
@@ -1872,7 +1851,7 @@ mynetworks = 127.0.0.0/8 # - from "untrusted" clients to destinations that match $relay_domains or # subdomains thereof, except addresses with sender-specified routing. # The default relay_domains value is $mydestination. -# +# # In addition to the above, the Postfix SMTP server by default accepts mail # that Postfix is final destination for: # - destinations that match $inet_interfaces or $proxy_interfaces, @@ -1880,7 +1859,7 @@ mynetworks = 127.0.0.0/8 # - destinations that match $virtual_alias_domains, # - destinations that match $virtual_mailbox_domains. # These destinations do not need to be listed in $relay_domains. -# +# # Specify a list of hosts or domains, /file/name patterns or type:name # lookup tables, separated by commas and/or whitespace. Continue # long lines by starting the next line with whitespace. A file name @@ -1925,7 +1904,7 @@ mynetworks = 127.0.0.0/8 # The right-hand side of the lookup tables is conveniently ignored. # In the left-hand side, specify an @domain.tld wild-card, or specify # a user@domain.tld address. -# +# #relay_recipient_maps = hash:/etc/postfix/relay_recipients # INPUT RATE CONTROL @@ -1934,15 +1913,15 @@ mynetworks = 127.0.0.0/8 # flow control. This feature is turned on by default, although it # still needs further development (it's disabled on SCO UNIX due # to an SCO bug). -# +# # A Postfix process will pause for $in_flow_delay seconds before # accepting a new message, when the message arrival rate exceeds the # message delivery rate. With the default 100 SMTP server process # limit, this limits the mail inflow to 100 messages a second more # than the number of messages delivered per second. -# +# # Specify 0 to disable the feature. Valid delays are 0..10. -# +# #in_flow_delay = 1s # ADDRESS REWRITING 
@@ -1972,7 +1951,7 @@ mynetworks = 127.0.0.0/8 # On systems with NIS, the default is to search the local alias # database, then the NIS alias database. See aliases(5) for syntax # details. -# +# # If you change the alias database, run "postalias /etc/aliases" (or # wherever your system stores the mail alias file), or simply run # "newaliases" to build the necessary DBM or DB file. @@ -2015,7 +1994,7 @@ mynetworks = 127.0.0.0/8 # #home_mailbox = Mailbox #home_mailbox = Maildir/ - + # The mail_spool_directory parameter specifies the directory where # UNIX-style mailboxes are kept. The default setting depends on the # system type. @@ -2042,7 +2021,7 @@ mynetworks = 127.0.0.0/8 # IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN # ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. # -#mailbox_command = /usr/bin/procmail +mailbox_command = /usr/lib/dovecot/deliver #mailbox_command = /usr/bin/procmail -a "$EXTENSION" # The mailbox_transport specifies the optional transport in master.cf @@ -2057,7 +2036,7 @@ mynetworks = 127.0.0.0/8 # # NOTE: if you use this feature for accounts not in the UNIX password # file, then you must update the "local_recipient_maps" setting in -# the main.cf file, otherwise the SMTP server will reject mail for +# the main.cf file, otherwise the SMTP server will reject mail for # non-UNIX accounts with "User unknown in local recipient table". # # Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd" @@ -2079,7 +2058,7 @@ mynetworks = 127.0.0.0/8 # # NOTE: if you use this feature for accounts not in the UNIX password # file, then you must update the "local_recipient_maps" setting in -# the main.cf file, otherwise the SMTP server will reject mail for +# the main.cf file, otherwise the SMTP server will reject mail for # non-UNIX accounts with "User unknown in local recipient table". # #fallback_transport = lmtp:unix:/file/name 
@@ -2102,15 +2081,15 @@ mynetworks = 127.0.0.0/8 # # NOTE: if you use this feature for accounts not in the UNIX password # file, then you must specify "local_recipient_maps =" (i.e. empty) in -# the main.cf file, otherwise the SMTP server will reject mail for +# the main.cf file, otherwise the SMTP server will reject mail for # non-UNIX accounts with "User unknown in local recipient table". # #luser_relay = $user@other.host #luser_relay = $local@other.host #luser_relay = admin+$local - + # JUNK MAIL CONTROLS -# +# # The controls listed here are only a very small subset. The file # SMTPD_ACCESS_README provides an overview. @@ -2132,11 +2111,11 @@ mynetworks = 127.0.0.0/8 # deferred mail, so that mail can be flushed quickly with the SMTP # "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". # See the ETRN_README document for a detailed description. -# +# # The fast_flush_domains parameter controls what destinations are # eligible for this service. By default, they are all domains that # this server is willing to relay mail to. -# +# #fast_flush_domains = $relay_domains # SHOW SOFTWARE VERSION OR NOT @@ -2162,7 +2141,7 @@ smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) # too many are run at the same time. With SMTP deliveries, 10 # simultaneous connections to the same domain could be sufficient to # raise eyebrows. -# +# # Each message delivery transport has its XXX_destination_concurrency_limit # parameter. The default is $default_destination_concurrency_limit for # most delivery transports. For the local delivery agent the default is 2. 
@@ -2220,11 +2199,11 @@ debugger_command = # INSTALL-TIME CONFIGURATION INFORMATION # # The following parameters are used when installing a new Postfix version. -# +# # sendmail_path: The full pathname of the Postfix sendmail command. # This is the Sendmail-compatible mail posting interface. -# -sendmail_path = /usr/sbin/sendmail +# +sendmail_path = /usr/sbin/sendmail # newaliases_path: The full pathname of the Postfix newaliases command. # This is the Sendmail-compatible command to build alias databases. @@ -2233,7 +2212,7 @@ newaliases_path = /usr/bin/newaliases # mailq_path: The full pathname of the Postfix mailq command. This # is the Sendmail-compatible mail queue listing command. -# +# mailq_path = /usr/bin/mailq # setgid_group: The group for mail submission and queue management @@ -2342,12 +2321,12 @@ virtual_mailbox_limit = 0 # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== -smtp inet n - - - - smtpd -#smtp inet n - - - 1 postscreen -#smtpd pass - - - - - smtpd -#dnsblog unix - - - - 0 dnsblog -#tlsproxy unix - - - - 0 tlsproxy -#submission inet n - - - - smtpd +smtp inet n - y - - smtpd +#smtp inet n - y - 1 postscreen +#smtpd pass - - y - - smtpd +#dnsblog unix - - y - 0 dnsblog +#tlsproxy unix - - y - 0 tlsproxy +#submission inet n - y - - smtpd # -o syslog_name=postfix/submission # -o smtpd_tls_security_level=encrypt # -o smtpd_sasl_auth_enable=yes @@ -2358,7 +2337,7 @@ smtp inet n - - - - smtpd # -o smtpd_recipient_restrictions= # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING -#smtps inet n - - - - smtpd +#smtps inet n - y - - smtpd # -o syslog_name=postfix/smtps # -o smtpd_tls_wrappermode=yes # -o smtpd_sasl_auth_enable=yes 
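Review bot: Switching the chroot column to `y` for smtpd and the other daemons in this hunk (and likewise in the @@ -2358 and @@ -2369 hunks) means everything these daemons open at runtime is resolved relative to $queue_directory, including the SASL socket named by smtpd_sasl_path and any socket-based lookup tables; main.cf is outside this diff, so I cannot confirm those paths already live under /var/spool/postfix. Debian's packaging copies resolv.conf and friends into the chroot, but a socket placed elsewhere only shows up as "No such file or directory" in the log at the first authentication attempt. A comment above the table would make the dependency explicit: `# chroot=y: paths opened at runtime (e.g. smtpd_sasl_path) are relative to $queue_directory`.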
@@ -2369,32 +2348,32 @@ smtp inet n - - - - smtpd # -o smtpd_recipient_restrictions= # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING -#628 inet n - - - - qmqpd -pickup unix n - - 60 1 pickup -cleanup unix n - - - 0 cleanup +#628 inet n - y - - qmqpd +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup qmgr unix n - n 300 1 qmgr #qmgr unix n - n 300 1 oqmgr -tlsmgr unix - - - 1000? 1 tlsmgr -rewrite unix - - - - - trivial-rewrite -bounce unix - - - - 0 bounce -defer unix - - - - 0 bounce -trace unix - - - - 0 bounce -verify unix - - - - 1 verify -flush unix n - - 1000? 0 flush +tlsmgr unix - - y 1000? 1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - y - 0 bounce +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap -smtp unix - - - - - smtp -relay unix - - - - - smtp +smtp unix - - y - - smtp +relay unix - - y - - smtp # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 -showq unix n - - - - showq -error unix - - - - - error -retry unix - - - - - error -discard unix - - - - - discard +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard local unix - n n - - local virtual unix - n n - - virtual -lmtp unix - - - - - lmtp -anvil unix - - - - 1 anvil -scache unix - - - - 1 scache +lmtp unix - - y - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual 
@@ -2500,7 +2479,7 @@ dovecot unix - n n - - pipe # Enable installed protocols !include_try /usr/share/dovecot/protocols.d/*.protocol -# A comma separated list of IPs or hosts where to listen in for connections. +# A comma separated list of IPs or hosts where to listen in for connections. # "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces. # If you want to specify non-default ports or anything more complex, # edit conf.d/master.conf. @@ -2525,7 +2504,7 @@ dovecot unix - n n - - pipe #login_trusted_networks = # Space separated list of login access check sockets (e.g. tcpwrap) -#login_access_sockets = +#login_access_sockets = # With proxy_maybe=yes if proxy destination matches any of these IPs, don't do # proxying. This isn't necessary normally, but may be useful if the destination @@ -2622,7 +2601,7 @@ driver = mysql # settings, like: host=sql1.host.org host=sql2.host.org # # pgsql: -# For available options, see the PostgreSQL documention for the +# For available options, see the PostgreSQL documentation for the # PQconnectdb function of libpq. # Use maxconns=n (default 5) to change how many connections Dovecot can # create to pgsql. @@ -2633,6 +2612,9 @@ driver = mysql # # But also adds some new settings: # client_flags - See MySQL manual +# connect_timeout - Connect timeout in seconds (default: 5) +# read_timeout - Read timeout in seconds (default: 30) +# write_timeout - Write timeout in seconds (default: 30) # ssl_ca, ssl_ca_path - Set either one or both to enable SSL # ssl_cert, ssl_key - For sending client-side certificates to server # ssl_cipher - Set minimum allowed cipher security (default: HIGH) @@ -2641,7 +2623,7 @@ driver = mysql # option_file - Read options from the given file instead of # the default my.cnf location # option_group - Read options from the given group (default: client) -# +# # You can connect to UNIX sockets by using host: host=/var/run/mysql.sock # Note that currently you can't use spaces in parameters. # 
@@ -2680,7 +2662,7 @@ default_pass_scheme = CRYPT # %u = entire user@domain # %n = user part of user@domain # %d = domain part of user@domain -# +# # Note that these can be used only as input to SQL query. If the query outputs # any of these substitutions, they're not touched. Otherwise it would be # difficult to have eg. usernames containing '%' characters. @@ -2725,7 +2707,7 @@ user_query = SELECT CONCAT(homedir, maildir) AS home, CONCAT('maildir:', homedir password_query = SELECT username AS user, password_enc AS password, CONCAT(homedir, maildir) AS userdb_home, uid AS userdb_uid, gid AS userdb_gid, CONCAT('maildir:', homedir, maildir) AS userdb_mail, CONCAT('*:storage=', quota, 'M') as userdb_quota_rule FROM mail_users WHERE (username = '%u' OR email = '%u') AND ((imap = 1 AND '%Ls' = 'imap') OR (pop3 = 1 AND '%Ls' = 'pop3') OR ((postfix = 'Y' AND '%Ls' = 'smtp') OR (postfix = 'Y' AND '%Ls' = 'sieve'))) # Query to get a list of all usernames. -#iterate_query = SELECT username AS user FROM users +#iterate_query = SELECT username AS user FROM mail_users ]]> @@ -2744,7 +2726,7 @@ password_query = SELECT username AS user, password_enc AS password, CONCAT(homed #disable_plaintext_auth = yes # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that -# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used. +# bsdauth and PAM require cache_key to be set for caching to be used. #auth_cache_size = 0 # Time to live for cached data. After TTL expires the cached record is no # longer used, *except* if the main database lookup returns internal failure. 
@@ -2764,7 +2746,7 @@ password_query = SELECT username AS user, password_enc AS password, CONCAT(homed # Default realm/domain to use if none was specified. This is used for both # SASL realms and appending @domain to username in plaintext logins. -#auth_default_realm = +#auth_default_realm = # List of allowed characters in username. If the user-given username contains # a character not listed in here, the login automatically fails. This is just @@ -2807,7 +2789,7 @@ password_query = SELECT username AS user, password_enc AS password, CONCAT(homed # Kerberos keytab to use for the GSSAPI mechanism. Will use the system # default (usually /etc/krb5.keytab) if not specified. You may need to change # the auth service to run as root to be able to read this file. -#auth_krb5_keytab = +#auth_krb5_keytab = # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and # ntlm_auth helper. @@ -2822,13 +2804,13 @@ password_query = SELECT username AS user, password_enc AS password, CONCAT(homed # Require a valid SSL client certificate or the authentication fails. #auth_ssl_require_client_cert = no -# Take the username from client's SSL certificate, using +# Take the username from client's SSL certificate, using # X509_NAME_get_text_by_NID() which returns the subject's DN's -# CommonName. +# CommonName. #auth_ssl_username_from_cert = no # Space separated list of wanted authentication mechanisms: -# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey +# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp # gss-spnego # NOTE: See also disable_plaintext_auth setting. auth_mechanisms = plain login @@ -2858,7 +2840,6 @@ auth_mechanisms = plain login #!include auth-ldap.conf.ext #!include auth-passwdfile.conf.ext #!include auth-checkpassword.conf.ext -#!include auth-vpopmail.conf.ext #!include auth-static.conf.ext ]]> 
@@ -2914,11 +2895,11 @@ namespace inbox { # Hierarchy separator to use. You should use the same separator for all # namespaces or some clients get confused. '/' is usually a good one. # The default however depends on the underlying mail storage format. - #separator = + #separator = # Prefix required to access this namespace. This needs to be different for # all namespaces. For example "Public/". - #prefix = + #prefix = # Physical location of the mailbox. This is in same format as # mail_location, which is also the default for it. @@ -2943,6 +2924,8 @@ namespace inbox { # Namespace handles its own subscriptions. If set to "no", the parent # namespace handles them (empty prefix should always have this as "yes") #subscriptions = yes + + # See 15-mailboxes.conf for definitions of special mailboxes. } # Example shared namespace configuration @@ -2977,14 +2960,14 @@ namespace inbox { # Group to enable temporarily for privileged operations. Currently this is # used only with INBOX when either its initial creation or dotlocking fails. # Typically this is set to "mail" to give access to /var/mail. -#mail_privileged_group = +mail_privileged_group = mail # Grant access to these supplementary groups for mail processes. Typically # these are used to set up access to shared mailboxes. Note that it may be # dangerous to set these if users can create symlinks (e.g. if "mail" group is # set here, ln -s /var/mail ~/mail/var could allow a user to delete others' # mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it). -mail_access_groups = vmail +#mail_access_groups = # Allow full filesystem access to clients. There's no access checks other than # what the operating system does for the active UID/GID. It works with both 
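Review bot: Emptying `mail_access_groups` (`#mail_access_groups =`) while the userdb hands back per-user `userdb_uid`/`userdb_gid` (password_query context in the @@ -2725 hunk) means every Maildir must now be reachable by that uid/gid alone; if existing Froxlor mail directories are group-owned by vmail with a different per-user uid, mail processes will fail with permission errors after the upgrade. The ownership model is not visible in the diff, so confirm it before merging, and if dropping the group is intentional, say so in a comment such as `# Froxlor: maildirs are owned by the per-user uid/gid from the userdb, no extra group needed`. Setting `mail_privileged_group = mail` appears to be the Debian default and, per the comment above it, only affects INBOX creation and dotlocking under /var/mail, so for a Maildir-only setup it is harmless but also unnecessary.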
@@ -2992,10 +2975,22 @@ mail_access_groups = vmail # or ~user/. #mail_full_filesystem_access = no -# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but -# soon intended to be used by METADATA as well. +# Dictionary for key=value mailbox attributes. This is used for example by +# URLAUTH and METADATA extensions. #mail_attribute_dict = +# A comment or note that is associated with the server. This value is +# accessible for authenticated users through the IMAP METADATA server +# entry "/shared/comment". +#mail_server_comment = "" + +# Indicates a method for contacting the server administrator. According to +# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that +# is currently not enforced. Use for example mailto:admin@example.com. This +# value is accessible for authenticated users through the IMAP METADATA server +# entry "/shared/admin". +#mail_server_admin = + ## ## Mail processes ## @@ -3019,7 +3014,10 @@ mail_access_groups = vmail # methods. NFS users: flock doesn't work, remember to change mmap_disable. #lock_method = fcntl -# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB. +# Directory where mails can be temporarily stored. Usually it's used only for +# mails larger than >= 128 kB. It's used by various parts of Dovecot, for +# example LDA/LMTP while delivering large mails or zlib plugin for keeping +# uncompressed mails. #mail_temp_dir = /tmp # Valid UID range for users, defaults to 500 and above. This is mostly @@ -3047,7 +3045,7 @@ mail_access_groups = vmail # WARNING: Never add directories here which local users can modify, that # may lead to root exploit. Usually this should be done only if you don't # allow shell access for users. -#valid_chroot_dirs = +#valid_chroot_dirs = # Default chroot directory for mail processes. This can be overridden for # specific users in user database by giving /./ in user's home directory 
@@ -3055,7 +3053,7 @@ mail_access_groups = vmail # need to do chrooting, Dovecot doesn't allow users to access files outside # their mail directory anyway. If your home directories are prefixed with # the chroot directory, append "/." to mail_chroot. -#mail_chroot = +#mail_chroot = # UNIX socket path to master authentication server to find users. # This is used by imap (for shared users) and lda. @@ -3066,7 +3064,7 @@ mail_access_groups = vmail # Space separated list of plugins to load for all services. Plugins specific to # IMAP, LDA, etc. are added to this list in their own .conf files. -#mail_plugins = +#mail_plugins = ## ## Mailbox handling optimizations @@ -3074,7 +3072,16 @@ mail_access_groups = vmail # Mailbox list indexes can be used to optimize IMAP STATUS commands. They are # also required for IMAP NOTIFY extension to be enabled. -#mailbox_list_index = no +#mailbox_list_index = yes + +# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost +# of potentially returning out-of-date results after e.g. server crashes. +# The results will be automatically fixed once the folders are opened. +#mailbox_list_index_very_dirty_syncs = yes + +# Should INBOX be kept up-to-date in the mailbox list index? By default it's +# not, because most of the mailbox accesses will open INBOX anyway. +#mailbox_list_index_include_inbox = no # The minimum number of mails in a mailbox before updates are done to cache # file. This allows optimizing Dovecot's behavior to do less disk writes at @@ -3083,7 +3090,7 @@ mail_access_groups = vmail # When IDLE command is running, mailbox is checked once in a while to see if # there are any new mails or other changes. This setting defines the minimum -# time to wait between those checks. Dovecot can also use dnotify, inotify and +# time to wait between those checks. Dovecot can also use inotify and # kqueue to find out immediately when changes occur. #mailbox_idle_check_interval = 30 secs 
@@ -3102,6 +3109,19 @@ mail_access_groups = vmail # These should exist only after Dovecot dies in the middle of saving mails. #mail_temp_scan_interval = 1w +# How many slow mail accesses sorting can perform before it returns failure. +# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long. +# The untagged SORT reply is still returned, but it's likely not correct. +#mail_sort_max_read_count = 0 + +protocol !indexer-worker { + # If folder vsize calculation requires opening more than this many mails from + # disk (i.e. mail sizes aren't in cache already), return failure and finish + # the calculation via indexer process. Disabled by default. This setting must + # be 0 for indexer-worker processes. + #mail_vsize_bg_after_count = 0 +} + ## ## Maildir-specific settings ## @@ -3172,7 +3192,7 @@ mail_access_groups = vmail # fallbacks to re-reading the whole mbox file whenever something in mbox isn't # how it's expected to be. The only real downside to this setting is that if # some other MUA changes message flags, Dovecot doesn't notice it immediately. -# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK +# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK # commands. #mbox_dirty_syncs = yes @@ -3201,7 +3221,7 @@ mail_access_groups = vmail ## # Maximum dbox file size until it's rotated. -#mdbox_rotate_size = 2M +#mdbox_rotate_size = 10M # Maximum dbox file age until it's rotated. Typically in days. Day begins # from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled. 
@@ -3237,6 +3257,17 @@ mail_access_groups = vmail # variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}. # Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits #mail_attachment_hash = %{sha1} + +# Settings to control adding $HasAttachment or $HasNoAttachment keywords. +# By default, all MIME parts with Content-Disposition=attachment, or inlines +# with filename parameter are consired attachments. +# add-flags - Add the keywords when saving new mails or when fetching can +# do it efficiently. +# content-type=type or !type - Include/exclude content type. Excluding will +# never consider the matched MIME part as attachment. Including will only +# negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar). +# exclude-inlined - Exclude any Content-Disposition=inline MIME part. +#mail_attachment_detection_options = ]]> @@ -3290,6 +3321,12 @@ service pop3-login { } } +service submission-login { + inet_listener submission { + #port = 587 + } +} + service lmtp { unix_listener lmtp { #mode = 0666 @@ -3299,7 +3336,7 @@ service lmtp { #inet_listener lmtp { # Avoid making LMTP visible for the entire internet #address = - #port = + #port = #} } @@ -3317,6 +3354,11 @@ service pop3 { #process_limit = 1024 } +service submission { + # Max. number of SMTP Submission processes (connections) + #process_limit = 1024 +} + service auth { # auth_socket_path points to this userdb socket by default. It's typically # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have @@ -3333,8 +3375,8 @@ service auth { # permissions (e.g. 0777 allows everyone full permissions). unix_listener auth-userdb { #mode = 0666 - #user = - #group = + #user = + #group = } # Postfix smtp-auth @@ -3348,7 +3390,7 @@ service auth { unix_listener auth-client { mode = 0660 user = mail - # group = Debian-exim + #group = Debian-exim } # Auth process is run as this user. 
@@ -3367,10 +3409,106 @@ service dict { # For example: mode=0660, group=vmail and global mail_access_groups=vmail unix_listener dict { #mode = 0600 - #user = - #group = + #user = + #group = } } + +service stats { + unix_listener stats-reader { + group = vmail + mode = 0666 + } + unix_listener stats-writer { + group = vmail + mode = 0666 + } +} +]]> + + + + +ssl = yes + +# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before +# dropping root privileges, so keep the key file unreadable by anyone but +# root. Included doc/mkcert.sh can be used to easily generate self-signed +# certificate, just make sure to update the domains in dovecot-openssl.cnf +ssl_cert = @@ -3382,12 +3520,12 @@ service dict { ## # Address to use when sending rejection mails. -# Default is postmaster@. %d expands to recipient domain. +# Default is postmaster@%d. %d expands to recipient domain. postmaster_address = postmaster@ # Hostname to use in various parts of sent mails (e.g. in Message-Id) and # in LMTP replies. Default is the system's real hostname@domain. -#hostname = +#hostname = # If user is over quota, return with temporary failure instead of # bouncing the mail. @@ -3411,7 +3549,7 @@ postmaster_address = postmaster@ #recipient_delimiter = + # Header where the original recipient address (SMTP's RCPT TO: address) is taken -# from if not available elsewhere. With dovecot-lda -a parameter overrides this. +# from if not available elsewhere. With dovecot-lda -a parameter overrides this. # A commonly used header for this is X-Original-To. #lda_original_recipient_header = @@ -3423,7 +3561,7 @@ postmaster_address = postmaster@ protocol lda { # Space separated list of plugins to load (default is global mail_plugins). - mail_plugins = $mail_plugins quota sieve + #mail_plugins = $mail_plugins } ]]> 
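Review bot: `mode = 0666` on the new stats-reader and stats-writer unix_listeners makes both sockets writable by every local account, and it also makes the `group = vmail` lines on the same listeners meaningless. If all mail processes run with the vmail group (the userdb_gid from the @@ -2725 hunk, which I cannot verify here), `mode = 0660` keeps the group access and closes the sockets to everyone else; if they do not, keep 0666 but drop the group lines so the intent is clear. The ssl section that follows in this hunk is not legible in this rendering (the text after `ssl_cert =` was stripped), so the key-file handling could not be checked.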
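Review bot: Commenting out the LDA plugin list (`#mail_plugins = $mail_plugins` in `protocol lda`) drops `quota` and `sieve` from deliveries made through /usr/lib/dovecot/deliver, which the @@ -2042 Postfix hunk now sets as mailbox_command. With the global mail_plugins still commented (context in the @@ -3066 hunk), the quota rule the userdb returns as userdb_quota_rule is no longer enforced at delivery time and user sieve scripts will not run, while IMAP still loads `quota imap_quota`. Unless another part of the template sets these plugins, restore `mail_plugins = $mail_plugins quota sieve` here.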
@@ -3435,6 +3573,12 @@ protocol lda { ## IMAP specific settings ## +# If nothing happens for this long while client is IDLEing, move the connection +# to imap-hibernate process and close the old imap process. This saves memory, +# because connections use very little memory in imap-hibernate process. The +# downside is that recreating the imap process back uses some resources. +#imap_hibernate_timeout = 0 + # Maximum IMAP command line length. Some clients generate very long command # lines with huge mailboxes, so you may need to raise this if you get # "Too long argument" or "IMAP command line too large" errors often. 
@@ -3443,11 +3587,26 @@ protocol lda { # IMAP logout format string: # %i - total number of bytes read from client # %o - total number of bytes sent to client -#imap_logout_format = in=%i out=%o +# %{fetch_hdr_count} - Number of mails with mail header data sent to client +# %{fetch_hdr_bytes} - Number of bytes with mail header data sent to client +# %{fetch_body_count} - Number of mails with mail body data sent to client +# %{fetch_body_bytes} - Number of bytes with mail body data sent to client +# %{deleted} - Number of mails where client added \Deleted flag +# %{expunged} - Number of mails that client expunged, which does not +# include automatically expunged mails +# %{autoexpunged} - Number of mails that were automatically expunged after +# client disconnected +# %{trashed} - Number of mails that client copied/moved to the +# special_use=\Trash mailbox. +# %{appended} - Number of mails saved during the session +#imap_logout_format = in=%i out=%o deleted=%{deleted} expunged=%{expunged} \ +# trashed=%{trashed} hdr_count=%{fetch_hdr_count} \ +# hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} \ +# body_bytes=%{fetch_body_bytes} # Override the IMAP CAPABILITY response. If the value begins with '+', # add the given capabilities on top of the defaults (e.g. +XFOO XBAR). -#imap_capability = +#imap_capability = # How long to wait between "OK Still here" notifications when client is # IDLEing. @@ -3455,8 +3614,9 @@ protocol lda { # ID field names and values to send to clients. Using * as the value makes # Dovecot use the default value. The following fields have default values -# currently: name, version, os, os-version, support-url, support-email. -#imap_id_send = +# currently: name, version, os, os-version, support-url, support-email, +# revision +#imap_id_send = # ID fields sent by client to log. * means everything. #imap_id_log = 
@@ -3479,11 +3639,27 @@ protocol lda { # greyed out, instead of only later giving "not selectable" popup error. # # The list is space-separated. -#imap_client_workarounds = +#imap_client_workarounds = # Host allowed in URLAUTH URLs sent by client. "*" allows all. #imap_urlauth_host = +# Enable IMAP LITERAL- extension (replaces LITERAL+) +#imap_literal_minus = no + +# What happens when FETCH fails due to some internal error: +# disconnect-immediately: +# The FETCH is aborted immediately and the IMAP client is disconnected. +# disconnect-after: +# The FETCH runs for all the requested mails returning as much data as +# possible. The client is finally disconnected without a tagged reply. +# no-after: +# Same as disconnect-after, but tagged NO reply is sent instead of +# disconnecting the client. If the client attempts to FETCH the same failed +# mail more than once, the client is disconnected. This is to avoid clients +# from going into infinite loops trying to FETCH a broken mail. +#imap_fetch_failure = disconnect-immediately + protocol imap { # Space separated list of plugins to load (default is global mail_plugins). mail_plugins = $mail_plugins quota imap_quota 
@@ -3553,6 +3729,14 @@ protocol sieve { # MANAGESIEVE logout format string: # %i - total number of bytes read from client # %o - total number of bytes sent to client + # %{put_bytes} - Number of bytes saved using PUTSCRIPT command + # %{put_count} - Number of scripts saved using PUTSCRIPT command + # %{get_bytes} - Number of bytes read using GETCRIPT command + # %{get_count} - Number of scripts read using GETSCRIPT command + # %{get_bytes} - Number of bytes processed using CHECKSCRIPT command + # %{get_count} - Number of scripts checked using CHECKSCRIPT command + # %{deleted_count} - Number of scripts deleted using DELETESCRIPT command + # %{renamed_count} - Number of scripts renamed using RENAMESCRIPT command #managesieve_logout_format = bytes=%i/%o # To fool ManageSieve clients that are focused on CMU's timesieved you can @@ -3619,7 +3803,7 @@ protocol sieve { # # If you want UIDL compatibility with other POP3 servers, use: # UW's ipop3d : %08Xv%08Xu -# Courier : %f or %v-%u (both might be used simultaneosly) +# Courier : %f or %v-%u (both might be used simultaneously) # Cyrus (<= 2.1.3) : %u # Cyrus (>= 2.1.4) : %v.%u # Dovecot v0.99.x : %v.%u @@ -3655,6 +3839,7 @@ protocol sieve { # %r - number of RETR commands # %b - number of bytes sent to client as a result of RETR command # %d - number of deleted messages +# %{deleted_bytes} - number of bytes in deleted messages # %m - number of messages (before deletion) # %s - mailbox size in bytes (before deletion) # %u - old/new UIDL hash. may help finding out if UIDLs changed unexpectedly @@ -3668,7 +3853,7 @@ pop3_logout_format = in=%i out=%o top=%t/%p, retr=%r/%b, del=%d/%m, size=%s # Outlook Express and Netscape Mail breaks if end of headers-line is # missing. This option simply sends it if it's missing. # The list is space-separated. -#pop3_client_workarounds = +#pop3_client_workarounds = protocol pop3 { # Space separated list of plugins to load (default is global mail_plugins). 
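Review bot: The CHECKSCRIPT entries added to the `managesieve_logout_format` comment reuse the GETSCRIPT variable names (`%{get_bytes}` and `%{get_count}` each appear twice), and `GETCRIPT` is a typo, so an admin copying these into the logout format would log the GETSCRIPT counters under a CHECKSCRIPT label. Upstream Pigeonhole appears to name the CHECKSCRIPT variables `%{check_bytes}` and `%{check_count}`; the corrected lines would read `# %{get_bytes} - Number of bytes read using GETSCRIPT command`, `# %{check_bytes} - Number of bytes processed using CHECKSCRIPT command` and `# %{check_count} - Number of scripts checked using CHECKSCRIPT command`. Worth confirming against the Pigeonhole version shipped with bullseye before changing, since this text looks like it was copied from the upstream example config.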
@@ -3691,39 +3876,82 @@ protocol pop3 { # Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf # by adding it to the respective mail_plugins= settings. -plugin { - # The path to the user's main active script. If ManageSieve is used, this the - # location of the symbolic link controlled by ManageSieve. - sieve = ~/sieve/.dovecot.sieve +# The Sieve interpreter can retrieve Sieve scripts from several types of +# locations. The default `file' location type is a local filesystem path +# pointing to a Sieve script file or a directory containing multiple Sieve +# script files. More complex setups can use other location types such as +# `ldap' or `dict' to fetch Sieve scripts from remote databases. +# +# All settings that specify the location of one ore more Sieve scripts accept +# the following syntax: +# +# location = [:]path[; @@ -3851,7 +4136,9 @@ Include /etc/proftpd/modules.conf # Set off to disable IPv6 support which is annoying on IPv4 only boxes. UseIPv6 on # If set on you can experience a longer connection delay in many cases. -IdentLookups off + + IdentLookups off + ServerName " FTP Server" ServerType standalone @@ -4051,6 +4338,8 @@ ModuleControlsACLs lsmod allow user * LoadModule mod_ctrls_admin.c LoadModule mod_tls.c +LoadModule mod_ident.c + # Install one of proftpd-mod-mysql, proftpd-mod-pgsql or any other # SQL backend engine to use this module and the required backend. # This module must be mandatory loaded before anyone of @@ -4474,179 +4763,6 @@ UPLOADGID= - - - - - -database -username -password -port 3306 -#socket /var/run/mysqld/mysqld.sock -]]> - - - - - {{sql.socket}} - - - - - - -password -]]> - - - - - - - - - - - - /etc/insserv/overrides - - - - {{settings.system.webserver}} - - - - - {{settings.system.webserver}} - - - - - {{settings.system.webserver}} - - - - - - - - @@ -4711,7 +4827,7 @@ aliases: files - + {{settings.system.mod_fcgid_ownvhost}} @@ -4720,7 +4836,7 @@ aliases: files - + 
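Review bot: `LoadModule mod_ident.c` is added in the `@@ -4051,6 +4338,8 @@` hunk although the only ident-related directive in the file is `IdentLookups off`, which the earlier hunk now wraps in a conditional block whose tag is stripped in this rendering (presumably `<IfModule mod_ident.c>`); loading a module solely to switch it off is unnecessary, and if the `IdentLookups off` line is ever lost, the loaded module's documented default is to perform outbound ident (113/tcp) lookups on every connection. Unless another part of the config needs mod_ident, dropping the `LoadModule mod_ident.c` line while keeping the `<IfModule>` guard gives the same effective behaviour with one fewer loaded module; if it must stay, a comment next to it such as `# mod_ident is loaded only so IdentLookups can be set explicitly` would record the reason. This assumes the stripped wrapper is a module conditional — confirm in the unstripped XML.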
@@ -4729,22 +4845,16 @@ aliases: files - - {{settings.system.webserver}} - - - - {{settings.system.webserver}} - + - + {{settings.system.webserver}} - + {{settings.phpfpm.enabled_ownvhost}} @@ -4759,7 +4869,7 @@ aliases: files {{settings.phpfpm.enabled_ownvhost}} - + {{settings.system.webserver}} diff --git a/lib/configfiles/stretch.xml b/lib/configfiles/stretch.xml index 05b4a3a5..2b1bb25e 100644 --- a/lib/configfiles/stretch.xml +++ b/lib/configfiles/stretch.xml @@ -1,7 +1,7 @@ + version="9.x" defaulteditor="/bin/nano" deprecated="true">