fumiyas/dovecot-ldap.conf.ext

## dovecot-ldap.conf.ext
uris = ldap://a.ldap.example.jp/ ldap://b.ldap.example.jp/
ldap_version = 3
base = ou=%d,dc=example,dc=jp
scope = subtree

auth_bind = yes
pass_filter = (uid=%n)
pass_attrs = mailQuota=userdb_quota_rule=*:bytes=%$

user_filter = (uid=%n)
user_attrs = mailQuota=quota_rule=*:bytes=%$


## dovecot.conf
protocols = imap pop3 lmtp

## ======================================================================

mail_plugins = quota

ssl = yes
ssl_cert = </etc/dovecot/certs/imap.example.jp.cer
ssl_key = </etc/dovecot/private/imap.example.jp.key
ssl_cipher_list = ALL:!SSLv2:!MD5:!EXP:!LOW:!aNULL:!eNULL:@STRENGTH

## Global mail user attributes
## ======================================================================

## UID of user 'mail'
first_valid_uid = 8
## GID of group 'mail'
first_valid_gid = 12

mail_uid = mail
mail_gid = mail
mail_home = /var/mail/domains/%d/%n
mail_location = maildir:~/Maildir

## IMAP namespace for compatibility with Courier IMAP
namespace {
  prefix = INBOX.
  separator = .
  inbox = yes
}

## Authentication and password database
## ======================================================================

auth_mechanisms = plain

disable_plaintext_auth = no

## Log unsuccessful authentication attempts and the reasons why they failed.
#auth_verbose = no

## Even more verbose logging for debugging purposes. Shows for example SQL
## queries.
#auth_debug = no

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

## User database
## ======================================================================

userdb {
  driver = prefetch
}

## The userdb below is used only by LDA if prefetch driver is enabled above.
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

## Master process
## ======================================================================

#default_process_limit = 100
#default_client_limit = 1000

service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
  }

  ## Number of connections to handle before starting a new process. Typically
  ## the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  ## is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1

  ## Number of processes to always keep waiting for more connections.
  #process_min_avail = 0

  ## If you set service_count=0, you probably need to grow this.
  #vsz_limit = 64M
}

service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    #port = 995
  }
}

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0660
    user = dovecot
    group = postfix
  }

  ## Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
  #  ## Avoid making LMTP visible for the entire internet
  #  address =
  #  port =
  #}
}

service imap {
  ## Most of the memory goes to mmap()ing files. You may need to increase this
  ## limit if you have huge mailboxes.
  #vsz_limit = 256M

  ## Max. number of IMAP processes (connections)
  #process_limit = 1024
}

service pop3 {
  ## Max. number of POP3 processes (connections)
  #process_limit = 1024
}

service auth {
  ## auth_socket_path points to this userdb socket by default. It's typically
  ## used by dovecot-lda, doveadm, possibly imap process, etc. Its default
  ## permissions make it readable only by root, but you may need to relax these
  ## permissions. Users that have access to this socket are able to get a list
  ## of all usernames and get results of everyone's userdb lookups.
  unix_listener auth-userdb {
    #mode = 0600
    #user =
    #group =
  }

  ## Postfix smtp-auth
  unix_listener /var/spool/postfix/private/dovecot-auth {
    mode = 0660
    user = dovecot
    group = postfix
  }

  ## Auth process is run as this user.
  #user = $default_internal_user
}

service auth-worker {
  ## Auth worker process is run as root by default, so that it can access
  ## /etc/shadow. If this isn't necessary, the user should be changed to
  ## $default_internal_user.
  #user = root
}

service dict {
  ## If dict proxy is used, mail processes should have access to its socket.
  ## For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user =
    #group =
  }
}

## LDA, LMTP
## ======================================================================

## Address to use when sending rejection mails.
## Default is postmaster@<your domain>.
#postmaster_address =

## If user is over quota, return with temporary failure instead of
## bouncing the mail.
#quota_full_tempfail = no

## Binary to use for sending mails.
#sendmail_path = /usr/sbin/sendmail

## LDA
## ----------------------------------------------------------------------

## Should saving a mail to a nonexistent mailbox automatically create it?
#lda_mailbox_autocreate = no

## Should automatically created mailboxes be also automatically subscribed?
#lda_mailbox_autosubscribe = no

protocol lda {
  mail_plugins = $mail_plugins
}

## LMTP
## ----------------------------------------------------------------------

## When recipient address includes the detail (e.g. user+detail), try to
## save the mail to the detail mailbox. See also recipient_delimiter and
## lda_mailbox_autocreate settings.
#lmtp_save_to_detail_mailbox = no

protocol lmtp {
  mail_plugins = $mail_plugins
}

## IMAP
## ======================================================================

protocol imap {
  mail_plugins = $mail_plugins imap_quota

  ssl_cert = </etc/dovecot/certs/imap.example.jp.cer
  ssl_key = </etc/dovecot/private/imap.example.jp.key

  ## Workarounds for various client bugs:
  ##   delay-newmail:
  ##     Send EXISTS/RECENT new mail notifications only when replying to NOOP
  ##     and CHECK commands. Some clients ignore them otherwise, for example OSX
  ##     Mail (<v2.1). Outlook Express breaks more badly though, without this it
  ##     may show user "Message no longer in server" errors. Note that OE6 still
  ##     breaks even with this workaround if synchronization is set to
  ##     "Headers Only".
  ##   tb-extra-mailbox-sep:
  ##     With mbox storage a mailbox can contain either mails or submailboxes,
  ##     but not both. Thunderbird separates these two by forcing server to
  ##     accept '/' suffix in mailbox names in subscriptions list.
  ## The list is space-separated.
  #imap_client_workarounds =
}

## POP3
## ======================================================================

protocol pop3 {
  mail_plugins = $mail_plugins

  ssl_cert = </etc/dovecot/certs/pop.example.jp.cer
  ssl_key = </etc/dovecot/private/pop.example.jp.key

  ## If mail has X-UIDL header, use it as the mail's UIDL.
  #pop3_reuse_xuidl = no

  ## POP3 requires message sizes to be listed as if they had CR+LF linefeeds.
  ## Many POP3 servers violate this by returning the sizes with LF linefeeds,
  ## because it's faster to get. When this setting is enabled, Dovecot still
  ## tries to do the right thing first, but if that requires opening the
  ## message, it fallbacks to the easier (but incorrect) size.
  #pop3_fast_size_lookups = no

  ## POP3 UIDL (unique mail identifier) format to use. You can use following
  ## variables, along with the variable modifiers described in
  ## doc/wiki/Variables.txt (e.g. %Uf for the filename in uppercase)
  ##
  ##  %v - Mailbox's IMAP UIDVALIDITY
  ##  %u - Mail's IMAP UID
  ##  %m - MD5 sum of the mailbox headers in hex (mbox only)
  ##  %f - filename (maildir only)
  ##  %g - Mail's GUID
  ##
  ## If you want UIDL compatibility with other POP3 servers, use:
  ##  UW's ipop3d         : %08Xv%08Xu
  ##  Courier             : %f or %v-%u (both might be used simultaneosly)
  ##  Cyrus (<= 2.1.3)    : %u
  ##  Cyrus (>= 2.1.4)    : %v.%u
  ##  Dovecot v0.99.x     : %v.%u
  ##  tpop3d              : %Mf
  ##
  ## Note that Outlook 2003 seems to have problems with %v.%u format which was
  ## Dovecot's default, so if you're building a new server it would be a good
  ## idea to change this. %08Xu%08Xv should be pretty fail-safe.
  pop3_uidl_format = %f

  ## Permanently save UIDLs sent to POP3 clients, so pop3_uidl_format changes
  ## won't change those UIDLs. Currently this works only with Maildir.
  #pop3_save_uidl = no

  ## Workarounds for various client bugs:
  ##   outlook-no-nuls:
  ##     Outlook and Outlook Express hang if mails contain NUL characters.
  ##     This setting replaces them with 0x80 character.
  ##   oe-ns-eoh:
  ##     Outlook Express and Netscape Mail breaks if end of headers-line is
  ##     missing. This option simply sends it if it's missing.
  ## The list is space-separated.
  #pop3_client_workarounds =
}

## Quota
## ======================================================================

plugin {
  quota = maildir:User quota
  quota_rule = *:storage=1G
  quota_warning = storage=95%% quota-warning 95 %u
}

## Quota warning
## ----------------------------------------------------------------------

## Example quota-warning service. The unix listener's permissions should be
## set in a way that mail processes can connect to it. Below example assumes
## that mail processes run as vmail user. If you use mode=0666, all system users
## can generate quota warnings to anyone.

#service quota-warning {
#  executable = script /usr/local/bin/quota-warning
#  user = dovecot
#  unix_listener quota-warning {
#    user = mail
#  }
#}


## main.cf
## Postfix main.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
	uris = ldap://a.ldap.example.jp/ ldap://b.ldap.example.jp/
	ldap_version = 3
	base = ou=%d,dc=example,dc=jp
	scope = subtree

	auth_bind = yes
	pass_filter = (uid=%n)
	pass_attrs = mailQuota=userdb_quota_rule=*:bytes=%$

	user_filter = (uid=%n)
	user_attrs = mailQuota=quota_rule=*:bytes=%$
	protocols = imap pop3 lmtp

	## ======================================================================

	mail_plugins = quota

	ssl = yes
	ssl_cert = </etc/dovecot/certs/imap.example.jp.cer
	ssl_key = </etc/dovecot/private/imap.example.jp.key
	ssl_cipher_list = ALL:!SSLv2:!MD5:!EXP:!LOW:!aNULL:!eNULL:@STRENGTH

	## Global mail user attributes
	## ======================================================================

	## UID of user 'mail'
	first_valid_uid = 8
	## GID of group 'mail'
	first_valid_gid = 12

	mail_uid = mail
	mail_gid = mail
	mail_home = /var/mail/domains/%d/%n
	mail_location = maildir:~/Maildir

	## IMAP namespace for compatibility with Courier IMAP
	namespace {
	prefix = INBOX.
	separator = .
	inbox = yes
	}

	## Authentication and password database
	## ======================================================================

	auth_mechanisms = plain

	disable_plaintext_auth = no

	## Log unsuccessful authentication attempts and the reasons why they failed.
	#auth_verbose = no

	## Even more verbose logging for debugging purposes. Shows for example SQL
	## queries.
	#auth_debug = no

	passdb {
	driver = ldap
	args = /etc/dovecot/dovecot-ldap.conf.ext
	}

	## User database
	## ======================================================================

	userdb {
	driver = prefetch
	}

	## The userdb below is used only by LDA if prefetch driver is enabled above.
	userdb {
	driver = ldap
	args = /etc/dovecot/dovecot-ldap.conf.ext
	}

	## Master process
	## ======================================================================

	#default_process_limit = 100
	#default_client_limit = 1000

	service imap-login {
	inet_listener imap {
	#port = 143
	}
	inet_listener imaps {
	#port = 993
	}

	## Number of connections to handle before starting a new process. Typically
	## the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
	## is faster. <doc/wiki/LoginProcess.txt>
	#service_count = 1

	## Number of processes to always keep waiting for more connections.
	#process_min_avail = 0

	## If you set service_count=0, you probably need to grow this.
	#vsz_limit = 64M
	}

	service pop3-login {
	inet_listener pop3 {
	#port = 110
	}
	inet_listener pop3s {
	#port = 995
	}
	}

	service lmtp {
	unix_listener /var/spool/postfix/private/dovecot-lmtp {
	mode = 0660
	user = dovecot
	group = postfix
	}

	## Create inet listener only if you can't use the above UNIX socket
	#inet_listener lmtp {
	# ## Avoid making LMTP visible for the entire internet
	# address =
	# port =
	#}
	}

	service imap {
	## Most of the memory goes to mmap()ing files. You may need to increase this
	## limit if you have huge mailboxes.
	#vsz_limit = 256M

	## Max. number of IMAP processes (connections)
	#process_limit = 1024
	}

	service pop3 {
	## Max. number of POP3 processes (connections)
	#process_limit = 1024
	}

	service auth {
	## auth_socket_path points to this userdb socket by default. It's typically
	## used by dovecot-lda, doveadm, possibly imap process, etc. Its default
	## permissions make it readable only by root, but you may need to relax these
	## permissions. Users that have access to this socket are able to get a list
	## of all usernames and get results of everyone's userdb lookups.
	unix_listener auth-userdb {
	#mode = 0600
	#user =
	#group =
	}

	## Postfix smtp-auth
	unix_listener /var/spool/postfix/private/dovecot-auth {
	mode = 0660
	user = dovecot
	group = postfix
	}

	## Auth process is run as this user.
	#user = $default_internal_user
	}

	service auth-worker {
	## Auth worker process is run as root by default, so that it can access
	## /etc/shadow. If this isn't necessary, the user should be changed to
	## $default_internal_user.
	#user = root
	}

	service dict {
	## If dict proxy is used, mail processes should have access to its socket.
	## For example: mode=0660, group=vmail and global mail_access_groups=vmail
	unix_listener dict {
	#mode = 0600
	#user =
	#group =
	}
	}

	## LDA, LMTP
	## ======================================================================

	## Address to use when sending rejection mails.
	## Default is postmaster@<your domain>.
	#postmaster_address =

	## If user is over quota, return with temporary failure instead of
	## bouncing the mail.
	#quota_full_tempfail = no

	## Binary to use for sending mails.
	#sendmail_path = /usr/sbin/sendmail

	## LDA
	## ----------------------------------------------------------------------

	## Should saving a mail to a nonexistent mailbox automatically create it?
	#lda_mailbox_autocreate = no

	## Should automatically created mailboxes be also automatically subscribed?
	#lda_mailbox_autosubscribe = no

	protocol lda {
	mail_plugins = $mail_plugins
	}

	## LMTP
	## ----------------------------------------------------------------------

	## When recipient address includes the detail (e.g. user+detail), try to
	## save the mail to the detail mailbox. See also recipient_delimiter and
	## lda_mailbox_autocreate settings.
	#lmtp_save_to_detail_mailbox = no

	protocol lmtp {
	mail_plugins = $mail_plugins
	}

	## IMAP
	## ======================================================================

	protocol imap {
	mail_plugins = $mail_plugins imap_quota

	ssl_cert = </etc/dovecot/certs/imap.example.jp.cer
	ssl_key = </etc/dovecot/private/imap.example.jp.key

	## Workarounds for various client bugs:
	## delay-newmail:
	## Send EXISTS/RECENT new mail notifications only when replying to NOOP
	## and CHECK commands. Some clients ignore them otherwise, for example OSX
	## Mail (<v2.1). Outlook Express breaks more badly though, without this it
	## may show user "Message no longer in server" errors. Note that OE6 still
	## breaks even with this workaround if synchronization is set to
	## "Headers Only".
	## tb-extra-mailbox-sep:
	## With mbox storage a mailbox can contain either mails or submailboxes,
	## but not both. Thunderbird separates these two by forcing server to
	## accept '/' suffix in mailbox names in subscriptions list.
	## The list is space-separated.
	#imap_client_workarounds =
	}

	## POP3
	## ======================================================================

	protocol pop3 {
	mail_plugins = $mail_plugins

	ssl_cert = </etc/dovecot/certs/pop.example.jp.cer
	ssl_key = </etc/dovecot/private/pop.example.jp.key

	## If mail has X-UIDL header, use it as the mail's UIDL.
	#pop3_reuse_xuidl = no

	## POP3 requires message sizes to be listed as if they had CR+LF linefeeds.
	## Many POP3 servers violate this by returning the sizes with LF linefeeds,
	## because it's faster to get. When this setting is enabled, Dovecot still
	## tries to do the right thing first, but if that requires opening the
	## message, it fallbacks to the easier (but incorrect) size.
	#pop3_fast_size_lookups = no

	## POP3 UIDL (unique mail identifier) format to use. You can use following
	## variables, along with the variable modifiers described in
	## doc/wiki/Variables.txt (e.g. %Uf for the filename in uppercase)
	##
	## %v - Mailbox's IMAP UIDVALIDITY
	## %u - Mail's IMAP UID
	## %m - MD5 sum of the mailbox headers in hex (mbox only)
	## %f - filename (maildir only)
	## %g - Mail's GUID
	##
	## If you want UIDL compatibility with other POP3 servers, use:
	## UW's ipop3d : %08Xv%08Xu
	## Courier : %f or %v-%u (both might be used simultaneosly)
	## Cyrus (<= 2.1.3) : %u
	## Cyrus (>= 2.1.4) : %v.%u
	## Dovecot v0.99.x : %v.%u
	## tpop3d : %Mf
	##
	## Note that Outlook 2003 seems to have problems with %v.%u format which was
	## Dovecot's default, so if you're building a new server it would be a good
	## idea to change this. %08Xu%08Xv should be pretty fail-safe.
	pop3_uidl_format = %f

	## Permanently save UIDLs sent to POP3 clients, so pop3_uidl_format changes
	## won't change those UIDLs. Currently this works only with Maildir.
	#pop3_save_uidl = no

	## Workarounds for various client bugs:
	## outlook-no-nuls:
	## Outlook and Outlook Express hang if mails contain NUL characters.
	## This setting replaces them with 0x80 character.
	## oe-ns-eoh:
	## Outlook Express and Netscape Mail breaks if end of headers-line is
	## missing. This option simply sends it if it's missing.
	## The list is space-separated.
	#pop3_client_workarounds =
	}

	## Quota
	## ======================================================================

	plugin {
	quota = maildir:User quota
	quota_rule = *:storage=1G
	quota_warning = storage=95%% quota-warning 95 %u
	}

	## Quota warning
	## ----------------------------------------------------------------------

	## Example quota-warning service. The unix listener's permissions should be
	## set in a way that mail processes can connect to it. Below example assumes
	## that mail processes run as vmail user. If you use mode=0666, all system users
	## can generate quota warnings to anyone.

	#service quota-warning {
	# executable = script /usr/local/bin/quota-warning
	# user = dovecot
	# unix_listener quota-warning {
	# user = mail
	# }
	#}
	## Postfix main.cf
	virtual_transport = lmtp:unix:private/dovecot-lmtp