Dovecot 2.4 gateway/relay configuration on Ubuntu 24.04 with LDAP (LLDAP)
# Dovecot 2.4.2 as an auth-only gateway/relay, backed by LDAP (LLDAP)
#
# Rendered with Jinja2: every {{ variable }} is filled in at deploy time.
#
# Primary (mailbox) server config: https://gist.github.com/dmckeone/7cdf170624d77c4ddcdce1721c6f760e
#
# Ubuntu 24.04 LTS needs the Dovecot PPA: https://repo.dovecot.org/
#
# Deliberately "minimal": this host only authenticates users for Postfix and nothing
# else, so conf.d/* is not included and nothing outside this file is read.
#
# NOTE: ldap_auth_dn_password below places the LDAP bind secret in this file, so the
# rendered file must not be readable by other local users.
dovecot_config_version = 2.4.2
dovecot_storage_version = 2.4.2
log_path = /var/log/dovecot.log

# --- Authentication ---
# PLAIN and LOGIN only. Because `protocols =` (further down) enables no network
# listener, these cleartext mechanisms are reachable solely over the local Postfix
# Unix socket.
auth_mechanisms = plain login
# Lower-case the login name before any lookup
auth_username_format = %{user | lower}

# CA bundle for outbound TLS, so locally installed (self-signed) CAs are trusted for ldaps://
ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt

# --- LDAP connection ---
ldap_version = 3
ldap_uris = ldaps://{{ ldap_server }}
ldap_base = ou=people,{{ ldap_base_dn }} # e.g dc=example,dc=com
# Account Dovecot binds as for its own searches; a read-only service account is
# preferable to the LLDAP admin account here (least privilege)
ldap_auth_dn = {{ ldap_bind_dn }} # e.g uid=admin,ou=people,dc=example,dc=com
ldap_auth_dn_password = {{ ldap_bind_pw }} # password for admin user
# https://doc.dovecot.org/2.4.2/core/config/auth/databases/ldap.html#worker-processes
passdb_use_worker = yes
# Password database (passdb): verify credentials by binding to LDAP as the user
passdb ldap {
driver = ldap
# Bind with the user's own DN to check the password instead of reading a stored hash
ldap_bind = yes
ldap_bind_userdn = uid=%{user | username | lower},ou=people,{{ ldap_base_dn }}
# Field naming reminder: *_attrs map <ldap attribute>=<dovecot field>;
# pass_* is evaluated at login (authentication), user_* when checking that an
# incoming mail has a valid recipient and for delivery.
#
# Handy checks after changing anything in this block:
#   doveadm auth test user@example.com password
#   doveadm auth lookup user@example.com
#   doveadm user user@example.com
#
# What the filter enforces (all clauses must hold):
#   - uid equals the local part of the login, so an alias cannot be used as the login name
#   - objectclass=mailAccount and mailenabled=1 (mailenabled is a custom LDAP user attribute)
#   - the full login equals the primary mail address or one of the mailaliasN attributes,
#     which forces the user to supply the entire email address, not just a username
# WORKAROUND: mailaliasN is a custom set of LDAP user attributes that makes aliases
# searchable (https://github.com/lldap/lldap/issues/997); the Jinja loop expands them
# up to ldap_max_aliases.
# NOTE(review): with ldap_bind_userdn set, confirm with `doveadm auth test` that this
# filter is actually evaluated on the direct-bind path rather than skipped.
filter = (&(uid=%{user | username | lower})(objectclass=mailAccount)(mailenabled=1)(|(mail=%{user | lower}){% for i in range(1, ldap_max_aliases + 1) %}(mailalias{{ i }}=%{user | lower}){% endfor %}))
}
# No protocol listeners at all: this instance exists only to serve the auth socket
protocols =
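# Expose the auth service to Postfix (smtpd SASL) over a Unix socket
service auth {
# Socket is created inside the Postfix queue directory so Postfix can reach it
unix_listener /var/spool/postfix/private/auth {
# Owned by postfix:postfix; 0660 (owner/group read-write) is all Postfix needs and,
# unlike 0666, stops other local users from talking to the auth socket directly
user = postfix
group = postfix
mode = 0660
}
}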