author | Malfurious <m@lfurio.us> | 2024-06-07 15:53:38 -0400 |
---|---|---|
committer | Malfurious <m@lfurio.us> | 2024-06-09 14:16:42 -0400 |
commit | 21cbfd354bc2586b26e1bcff00a388e50aa92bba (patch) | |
tree | f80b3f3647c6caf2f3e9a359f291536fae602d0e | |
parent | 05dea2d2e10e01fa05ce3c689e9bd7d88e94d64a (diff) | |
Basic service configuration
Set up Postfix and Dovecot to work with virtual domains/mailboxes and
user accounts defined in the userconfig directory. Services are also
configured to use TLS certificates that will later be provided by the
nginx-proxy acme service.
Basic formatting and informative comments are added to config files.
Signed-off-by: Malfurious <m@lfurio.us>
-rw-r--r-- | dovecot/dovecot.conf | 101 | ||||
-rw-r--r-- | postfix/main.cf | 68 |
2 files changed, 58 insertions, 111 deletions
diff --git a/dovecot/dovecot.conf b/dovecot/dovecot.conf
index 7e9953f..19f5ebd 100644
--- a/dovecot/dovecot.conf
+++ b/dovecot/dovecot.conf
@@ -13,89 +13,28 @@
 # source/destination IPs by placing the settings inside sections, for example:
 # protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
-# Default values are shown for each setting, it's not required to uncomment
-# those. These are exceptions to this though: No sections (e.g. namespace {})
-# or plugin settings are added by default, they're listed only as examples.
-# Paths are also just examples with the real defaults being based on configure
-# options. The paths listed here are for configure --prefix=/usr
-# --sysconfdir=/etc --localstatedir=/var
+protocols = imap
+auth_mechanisms = plain
-# Enable installed protocols
-!include_try /usr/share/dovecot/protocols.d/*.protocol
+ssl_cert = </etc/certs/ENV_HOSTNAME/fullchain.pem
+ssl_key = </etc/certs/ENV_HOSTNAME/key.pem
+ssl_dh = </etc/certs/dhparam.pem
-# A comma separated list of IPs or hosts where to listen in for connections.
-# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
-# If you want to specify non-default ports or anything more complex,
-# edit conf.d/master.conf.
-#listen = *, ::
-
-# Base directory where to store runtime data.
-#base_dir = /var/run/dovecot/
-
-# Name of this instance. In multi-instance setup doveadm and other commands
-# can use -i <instance_name> to select which instance is used (an alternative
-# to -c <config_path>). The instance name is also added to Dovecot processes
-# in ps output.
-#instance_name = dovecot
-
-# Greeting message for clients.
-#login_greeting = Dovecot ready.
-
-# Space separated list of trusted network ranges. Connections from these
-# IPs are allowed to override their IP addresses and ports (for logging and
-# for authentication checks). disable_plaintext_auth is also ignored for
-# these networks. Typically you'd specify your IMAP proxy servers here.
-#login_trusted_networks =
-
-# Space separated list of login access check sockets (e.g. tcpwrap)
-#login_access_sockets =
-
-# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
-# proxying. This isn't necessary normally, but may be useful if the destination
-# IP is e.g. a load balancer's IP.
-#auth_proxy_self =
-
-# Show more verbose process titles (in ps). Currently shows user name and
-# IP address. Useful for seeing who are actually using the IMAP processes
-# (eg. shared mailboxes or if same uid is used for multiple accounts).
-#verbose_proctitle = no
-
-# Should all processes be killed when Dovecot master process shuts down.
-# Setting this to "no" means that Dovecot can be upgraded without
-# forcing existing client connections to close (although that could also be
-# a problem if the upgrade is e.g. because of a security fix).
-#shutdown_clients = yes
-
-# If non-zero, run mail commands via this many connections to doveadm server,
-# instead of running them directly in the same process.
-#doveadm_worker_count = 0
-# UNIX socket or host:port used for connecting to doveadm server
-#doveadm_socket_path = doveadm-server
-
-# Space separated list of environment variables that are preserved on Dovecot
-# startup and passed down to all of its child processes. You can also give
-# key=value pairs to always set specific settings.
-#import_environment = TZ
-
-##
-## Dictionary server settings
-##
-
-# Dictionary can be used to store key=value lists. This is used by several
-# plugins. The dictionary can be accessed either directly or though a
-# dictionary server. The following dict block maps dictionary names to URIs
-# when the server is used. These can then be referenced using URIs in format
-# "proxy::<name>".
-
-dict {
- #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
+# Users defined by the user-configured password file
+passdb {
+ driver = passwd-file
+ args = /etc/userconfig/passwd
+}
+userdb {
+ driver = passwd-file
+ args = /etc/userconfig/passwd
 }
-# Most of the actual configuration gets included below. The filenames are
-# first sorted by their ASCII value and parsed in that order. The 00-prefixes
-# in filenames are intended to make it easier to understand the ordering.
-!include conf.d/*.conf
-# A config file can also tried to be included without giving an error if
-# it's not found:
-!include_try local.conf
+# Location for users mailboxes
+# %u - username
+# %n - user part in user@domain, same as %u if there's no domain
+# %d - domain part in user@domain, empty if there's no domain
+# %h - home directory
+mail_home = /var/mail/vhost/%d/%n
+mail_location = maildir:~
diff --git a/postfix/main.cf b/postfix/main.cf
index 5dd67b3..7c5d77e 100644
--- a/postfix/main.cf
+++ b/postfix/main.cf
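Review bot: `auth_mechanisms = plain` puts the user's password on the wire in the clear, and this hunk leaves it to Dovecot's compiled-in defaults (`ssl = yes`, `disable_plaintext_auth = yes`) to keep PLAIN off unencrypted sessions; pin that explicitly beside `auth_mechanisms` with `ssl = required` and `disable_plaintext_auth = yes`, so a later include or packaging change cannot silently relax it. Since the commit also drops `!include conf.d/*.conf`, the defaults are presumably now the only thing standing between a cleartext IMAP session on 143 and a credential, which is a thin guarantee for a setting this important. The same `/etc/userconfig/passwd` file serves as both passdb and userdb, so the uid/gid it returns per user (or `mail_uid`/`mail_gid`, neither set here) must match whatever process writes the maildirs under `/var/mail/vhost`, which this hunk does not pin. A comment above `ssl_cert` stating that `ENV_HOSTNAME` is substituted before Dovecot starts would also help, since an unsubstituted path will make Dovecot refuse to start rather than serve the wrong certificate.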
@@ -1,46 +1,54 @@
-# See /usr/share/postfix/main.cf.dist for a commented, more complete version
-
-
-# Debian specific: Specifying a file name will cause the first
-# line of that file to be used as the name. The Debian default
-# is /etc/mailname.
-#myorigin = /etc/mailname
+# Global Postfix configuration file. This file lists only a subset
+# of all parameters. For the syntax, and for a complete parameter
+# list, see the postconf(5) manual page (command: "man 5 postconf").
+#
+# TIP: use the command "postconf -n" to view main.cf parameter
+# settings, "postconf parametername" to view a specific parameter,
+# and "postconf 'parametername=value'" to set a specific parameter.
+#
+# For common configuration examples, see BASIC_CONFIGURATION_README
+# and STANDARD_CONFIGURATION_README. To find these documents, use
+# the command "postconf html_directory readme_directory", or go to
+# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc.
+#
+# For best results, change no more than 2-3 parameters at a time,
+# and test if Postfix still works after every change.
+
+# See http://www.postfix.org/COMPATIBILITY_README.html
+compatibility_level = 3.6
-smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+smtpd_banner = $myhostname ESMTP $mail_name (mailnode)
 biff = no
 # appending .domain is the MUA's job.
 append_dot_mydomain = no
-# Uncomment the next line to generate "delayed mail" warnings
-#delay_warning_time = 4h
-
-readme_directory = no
-
-# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
-# fresh installs.
-compatibility_level = 3.6
-
-
-
 # TLS parameters
-smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
-smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
-smtpd_tls_security_level=may
+smtpd_tls_cert_file = /etc/certs/ENV_HOSTNAME/fullchain.pem
+smtpd_tls_key_file = /etc/certs/ENV_HOSTNAME/key.pem
+smtpd_tls_security_level = may
-smtp_tls_CApath=/etc/ssl/certs
-smtp_tls_security_level=may
+smtp_tls_CApath = /etc/ssl/certs
+smtp_tls_security_level = may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-
+# System parameters
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
-myhostname = 15a7693789ea
-alias_maps = hash:/etc/aliases
-alias_database = hash:/etc/aliases
-mydestination = $myhostname, 15a7693789ea, localhost.localdomain, , localhost
-relayhost =
+myhostname = ENV_HOSTNAME
+mydestination = $myhostname localhost
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all
 inet_protocols = all
+
+# Virtual mailbox parameters
+virtual_mailbox_domains = ENV_VIRTUAL_DOMAINS
+virtual_mailbox_base = /var/mail/vhost
+virtual_mailbox_maps = hash:/etc/postfix/vmailbox
+virtual_minimum_uid = 2000
+virtual_uid_maps = static:2000
+virtual_gid_maps = static:2000
+virtual_mailbox_limit = 0
+
+virtual_alias_maps = hash:/etc/userconfig/aliases |
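Review bot: The on-disk layout Postfix writes under `virtual_mailbox_base = /var/mail/vhost` is decided by the right-hand side of `/etc/postfix/vmailbox`, which this commit does not show: Postfix treats an entry ending in `/` as a maildir and anything else as an mbox file, so every entry must be `domain/user/` for Dovecot's `maildir:~` location under `/var/mail/vhost/%d/%n` to find the mail. The static uid/gid 2000 in `virtual_uid_maps`/`virtual_gid_maps` must likewise be the identity Dovecot's userdb resolves each user to, or delivered mail is unreadable at IMAP time; neither contract is stated anywhere in the hunk. `permit_sasl_authenticated` in `smtpd_relay_restrictions` is inert here because no `smtpd_sasl_*` parameter is set, which is fine for an inbound-only MX, but when SASL is wired up (presumably via Dovecot's auth socket in master.cf) it should be accompanied by `smtpd_tls_auth_only = yes` so PLAIN/LOGIN credentials are never accepted on a cleartext session. A comment above `# Virtual mailbox parameters` stating the `domain/user/` map format and the uid 2000 expectation would save the next maintainer a silent delivery failure.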