mailu/dovecot/conf/dovecot.conf

###############
# General
###############
log_path = /dev/stderr
protocols = imap pop3 lmtp sieve
postmaster_address = {{ POSTMASTER }}@{{ DOMAIN }}
hostname = {{ HOSTNAME }}
mail_plugins = $mail_plugins quota
submission_host = smtp

service dict {
  unix_listener dict {
    group = mail
    mode = 0660
  }
}

dict {
  sieve = sqlite:/etc/dovecot/pigeonhole-sieve.dict
}

###############
# Mailboxes
###############
first_valid_gid = 8
first_valid_uid = 8
mail_location = maildir:/mail/%u
mail_home = /mail/%u
mail_uid = mail
mail_gid = mail
mail_privileged_group = mail
mail_access_groups = mail

namespace inbox {
  inbox = yes
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
}

###############
# TLS
###############
ssl = yes
ssl_cert = </certs/cert.pem
ssl_key = </certs/key.pem
# TLS hardening is based on the following documentation:
# https://bettercrypto.org/static/applied-crypto-hardening.pdf
ssl_protocols=!SSLv3 !SSLv2
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 2048
ssl_options = no_compression

###############
# Authentication
###############
auth_mechanisms = plain login

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

service auth {
  user = dovecot
  unix_listener auth-userdb {
  }

  inet_listener {
    port = 2102
  }
}

service auth-worker {
  unix_listener auth-worker {
    user = dovecot
    group = mail
    mode = 0660
  }
  user = mail
}

###############
# IMAP & POP
###############

protocol imap {
  mail_plugins = $mail_plugins imap_quota antispam
}

protocol pop3 {

}

service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
  }
}

###############
# Delivery
###############

protocol lmtp {
  mail_plugins = $mail_plugins sieve
  recipient_delimiter = +
}

service lmtp {
  inet_listener lmtp {
    port = 2525
  }
}

plugin {
  quota = maildir:User quota
}


###############
# Filtering
###############

service managesieve-login {
	inet_listener sieve {
    port = 4190
  }
}

service managesieve {
}

plugin {
	sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_plugins = sieve_extdata
  sieve_global_extensions = +vnd.dovecot.extdata +spamtest +spamtestplus
	sieve_before = /var/lib/dovecot/before.sieve
	sieve_default = /var/lib/dovecot/default.sieve
	sieve_after = /var/lib/dovecot/after.sieve
  sieve_extdata_dict_uri = proxy::sieve

  # Send vacation replies even for aliases
  # See the Pigeonhole documentation about warnings: http://wiki2.dovecot.org/Pigeonhole/Sieve/Extensions/Vacation
  # It appears that our implemntation of mail delivery meets criteria of section 4.5
  # from RFC 5230 and that disabling the recipient checks is not an issue here.
  sieve_vacation_dont_check_recipient = yes

  # Include the recipient in vacation replies so that DKIM applies
  sieve_vacation_send_from_recipient = yes

  antispam_backend = mailtrain
  antispam_spam = Junk
  antispam_trash = Trash
  antispam_mail_sendmail = /usr/bin/rspamc
  antispam_mail_spam = learn_spam
  antispam_mail_notspam = learn_ham
  antispam_mail_sendmail_args = -h;antispam:11334;-P;q1

  # extract spam score from
  # X-Spam-Result: .... [<value> / <max_value] ...
  sieve_spamtest_status_type = score
  sieve_spamtest_status_header = X-Spamd-Result: .*\[(-?[[:digit:]]+\.[[:digit:]]+) .*\]
  sieve_spamtest_max_header = X-Spamd-Result: .*\[.* ([[:digit:]]+\.[[:digit:]]+)\]
}

###############
# Extensions
###############

!include_try /overrides/dovecot.conf