dovecot - Sep 2015 - Different behavior of ACLs in MUA and doveadm

I have noticed a difference in the behavior of ACLs. When used in a MUA the
following global ACL works fine and has the desired effect - new mailboxes can
be created by a user being part of the 'PublicMailboxAdmins' group:

[ global-acl: ]
INBOX owner lrwstiekxap
Public/* group=PublicMailboxAdmins lrwsipk
Public/* anyone lr
Public/* authenticated lrws

Creating the same mailbox via doveadm however fails with a permission problem:

doveadm(tlx at leuxner.net): Debug: acl vfile: Global ACL file:
/var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx at leuxner.net): Debug: Namespace : type=public, prefix=Public/,
sep=/, inbox=no, hidden=no, list=yes, subscriptions=no
location=mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public
doveadm(tlx at leuxner.net): Debug: fs: root=/var/vmail/public, index=,
indexpvt=/var/vmail/domains/leuxner.net/tlx/mdbox/public, control=, inbox=,
altdoveadm(tlx at leuxner.net): Debug: acl: initializing backend with data:
vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
doveadm(tlx at leuxner.net): Debug: acl: acl username = tlx at leuxner.net
doveadm(tlx at leuxner.net): Debug: acl: owner = 0
doveadm(tlx at leuxner.net): Debug: acl vfile: Global ACL file:
/var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx at leuxner.net): Debug: Namespace : type=private, prefix=Virtual/,
sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes
location=virtual:~/mdbox/virtual
doveadm(tlx at leuxner.net): Debug: fs:
root=/var/vmail/domains/leuxner.net/tlx/mdbox/virtual, index=, indexpvt=,
control=, inbox=, altdoveadm(tlx at leuxner.net): Debug: acl: initializing
backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
doveadm(tlx at leuxner.net): Debug: acl: acl username = tlx at leuxner.net
doveadm(tlx at leuxner.net): Debug: acl: owner = 1
doveadm(tlx at leuxner.net): Debug: acl vfile: Global ACL file:
/var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx at leuxner.net): Debug: acl vfile: file
/var/vmail/public/mailboxes/dovecot-acl not found
doveadm(tlx at leuxner.net): Error: Can't create mailbox
Public/Archive/Newsletters/heise-security/2014: Permission denied

Interestingly, doveadm succeeds when dovecot-acl is present in the namespace
root - which of course is not desirable in the light of the global ACL:

[ dovecot-acl: ] 
group=PublicMailboxAdmins lrwsipk

doveadm(tlx at leuxner.net): Debug: acl vfile: Global ACL file:
/var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx at leuxner.net): Debug: Namespace : type=public, prefix=Public/,
sep=/, inbox=no, hidden=no, list=yes, subscriptions=no
location=mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public
doveadm(tlx at leuxner.net): Debug: fs: root=/var/vmail/public, index=,
indexpvt=/var/vmail/domains/leuxner.net/tlx/mdbox/public, control=, inbox=,
altdoveadm(tlx at leuxner.net): Debug: acl: initializing backend with data:
vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
doveadm(tlx at leuxner.net): Debug: acl: acl username = tlx at leuxner.net
doveadm(tlx at leuxner.net): Debug: acl: owner = 0
doveadm(tlx at leuxner.net): Debug: acl vfile: Global ACL file:
/var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx at leuxner.net): Debug: Namespace : type=private, prefix=Virtual/,
sep=/, inbox=no, hidden=no, list=yes, subscriptions=yes
location=virtual:~/mdbox/virtual
doveadm(tlx at leuxner.net): Debug: fs:
root=/var/vmail/domains/leuxner.net/tlx/mdbox/virtual, index=, indexpvt=,
control=, inbox=, altdoveadm(tlx at leuxner.net): Debug: acl: initializing
backend with data: vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
doveadm(tlx at leuxner.net): Debug: acl: acl username = tlx at leuxner.net
doveadm(tlx at leuxner.net): Debug: acl: owner = 1
doveadm(tlx at leuxner.net): Debug: acl vfile: Global ACL file:
/var/vmail/conf.d/leuxner.net/global-acl
doveadm(tlx at leuxner.net): Debug: acl vfile: reading file
/var/vmail/public/mailboxes/dovecot-acl
doveadm(tlx at leuxner.net): Debug: Namespace Public/:
/var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014 doesn't
exist yet, using default permissions
doveadm(tlx at leuxner.net): Debug: Namespace Public/: Using permissions from
/var/vmail/public: mode=0700 gid=default
doveadm(tlx at leuxner.net): Debug: acl vfile: file
/var/vmail/public/mailboxes/Archive/Newsletters/heise-security/dbox-Mails/dovecot-acl
not found
doveadm(tlx at leuxner.net): Debug: acl vfile: file
/var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014/dbox-Mails/dovecot-acl
not found
doveadm(tlx at leuxner.net): Debug: acl vfile: file
/var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014/dbox-Mails/dovecot-acl
not found
doveadm(tlx at leuxner.net): Debug: acl vfile: file
/var/vmail/public/mailboxes/Archive/Newsletters/heise-security/2014/dbox-Mails/dovecot-acl
not found

# 2.2.15 (6078354e6238): /etc/dovecot/dovecot.conf

I know there have been some changes in Mercurial as to how global ACLs are
interpreted. Is doveadm probably behind on them?

Regards
Thomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20141231/3bc5c8b0/attachment.sig>

* Thomas Leuxner <tlx at leuxner.net> 2014.12.31 22:10:

namespace {
  list = yes
  location = mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}

$ cat /var/vmail/conf.d/leuxner.net/global-acl
INBOX owner lrwstiekxap
Public/* group=PublicMailboxAdmins lrwsipk
Public/* anyone lr
Public/* authenticated lrws

$ doveadm mailbox create -u tlx at leuxner.net
Public/Archive/Mailing-Lists/Dovecot/2015
doveadm(tlx at leuxner.net): Error: Can't create mailbox
Public/Archive/Mailing-Lists/Dovecot/2015: Permission denied

$ doveadm acl get -u tlx at leuxner.net Public/Archive/Mailing-Lists/Dovecot
doveadm(tlx at leuxner.net): Error: Can't open mailbox
Public/Archive/Mailing-Lists/Dovecot: Mailbox doesn't exist:
Public/Archive/Mailing-Lists/Dovecot
ID Global Rights

I retested this issue after all the HG commits. Doveadm still treats the
namespace/ACL differently compared to a MUA. While doveadm refuses to create the
mailbox, the MUA succeeds. However I'd like to do all this scripted using
doveadm ideally...

$ openssl s_client -connect host.domain.tld:143 -starttls imap

. OK Pre-login capabilities listed, post-login capabilities have more.
1 login tlx at leuxner.net <redacted>
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT
SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND
URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED
I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH
LIST-STATUS BINARY MOVE NOTIFY SPECIAL-USE QUOTA ACL RIGHTS=texk
1 OK Logged in
2 list "Public/Archive" *
[...]
* LIST (\Noselect \HasChildren) "/"
Public/Archive/Mailing-Lists/Dovecot
* LIST (\HasNoChildren \UnMarked) "/"
Public/Archive/Mailing-Lists/Dovecot/2014
* LIST (\HasNoChildren \UnMarked) "/"
Public/Archive/Mailing-Lists/Dovecot/2013
* LIST (\HasNoChildren \UnMarked) "/"
Public/Archive/Mailing-Lists/Dovecot/2012
[...]
2 OK List completed (0.016 secs).
3 create "Public/Archive/Mailing-Lists/Dovecot/2015"
3 OK Create completed (0.006 secs).
4 list "Public/Archive" *
[...]
* LIST (\HasNoChildren) "/" Public/Archive/Mailing-Lists/Dovecot/2015
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20150908/5c2b9588/attachment.sig>

On 31 Dec 2014, at 23:10, Thomas Leuxner <tlx at leuxner.net>
wrote:
> 
> I have noticed a difference in the behavior of ACLs. When used in a MUA the
following global ACL works fine and has the desired effect - new mailboxes can
be created by a user being part of the 'PublicMailboxAdmins' group:
How does the PublicMailboxAdmins group get set? Looks to me like the problem is
that it's not getting set to doveadm. Here's an easy way to check if
that's the problem or something else:
http://hg.dovecot.org/dovecot-2.2/rev/500e8dd7a389

If that doesn't help: Show your full doveconf -n, set auth_debug=yes and
mail_debug=yes and show the debug logs for IMAP login and doveadm. There's a
difference somewhere in there.

* Timo Sirainen <tss at iki.fi> 2015.09.08 12:20:
> How does the PublicMailboxAdmins group get set? Looks to me like the
problem is that it's not getting set to doveadm. Here's an easy way to
check if that's the problem or something else:
http://hg.dovecot.org/dovecot-2.2/rev/500e8dd7a389
> 
> If that doesn't help: Show your full doveconf -n, set auth_debug=yes
and mail_debug=yes and show the debug logs for IMAP login and doveadm.
There's a difference somewhere in there.
$ doveadm mailbox create -u tlx at leuxner.net
Public/Archive/Mailing-Lists/Dovecot/2015
doveadm(tlx at leuxner.net): Error: Can't create mailbox
Public/Archive/Mailing-Lists/Dovecot/2015: Permission denied

Both debug levels raised, it doesn't log about the problem when using
doveadm. I guess the patch is not enough:

Sep  8 13:19:07 nihlus dovecot: auth: Debug: master in: USER#0111#011tlx at
leuxner.net#011service=doveadm
Sep  8 13:19:07 nihlus dovecot: auth: Debug: passwd-file(tlx at leuxner.net):
userdb cache miss
Sep  8 13:19:07 nihlus dovecot: auth: Debug: passwd-file
/var/vmail/auth.d/leuxner.net/passwd: Read 1 users in 0 secs
Sep  8 13:19:07 nihlus dovecot: auth: Debug: passwd-file(tlx at leuxner.net):
lookup: user=tlx at leuxner.net file=/var/vmail/auth.d/leuxner.net/passwd
Sep  8 13:19:07 nihlus dovecot: auth: Debug: userdb out: USER#0111#011tlx at
leuxner.net#011uid=5000#011gid=5000#011home=/var/vmail/domains/leuxner.net/tlx#011quota_rule=*:storage=5G#011acl_groups=PublicMailboxAdmins

With IMAP it is more talkative:

3 create "Public/Archive/Mailing-Lists/Dovecot/2015"

Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Added userdb
setting: plugin/acl_groups=PublicMailboxAdmins
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Added userdb
setting: plugin/quota_rule=*:storage=5G
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Effective
uid=5000, gid=5000, home=/var/vmail/domains/leuxner.net/tlx
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: No
acl_shared_dict setting - shared mailbox listing is disabled
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Quota root:
name=user backend=dict
args=:file:/var/vmail/domains/leuxner.net/tlx/mdbox/dovecot-quota
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Quota rule:
root=user mailbox=* bytes=5368709120 messages=0
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Quota rule:
root=user mailbox=Trash bytes=+536870912 (10%) messages=0
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Quota grace:
root=user bytes=536870912 (10%)
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: dict quota:
user=tlx at leuxner.net,
uri=file:/var/vmail/domains/leuxner.net/tlx/mdbox/dovecot-quota, noenforcing=0
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Namespace
inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes,
subscriptions=yes location=mdbox:~/mdbox
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: fs:
root=/var/vmail/domains/leuxner.net/tlx/mdbox, index=, indexpvt=, control=,
inbox=, altSep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl:
initializing backend with data:
vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: acl
username = tlx at leuxner.net
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: owner = 1
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: group
added: PublicMailboxAdmins
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl vfile:
Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Namespace :
type=public, prefix=Public/, sep=/, inbox=no, hidden=no, list=yes,
subscriptions=no location=mdbox:/var/vmail/public:INDEXPVT=~/mdbox
/public
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: fs:
root=/var/vmail/public, index=,
indexpvt=/var/vmail/domains/leuxner.net/tlx/mdbox/public, control=, inbox=,
altSep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl:
initializing backend with data:
vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: acl
username = tlx at leuxner.net
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: owner = 0
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: group
added: PublicMailboxAdmins
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl vfile:
Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: Namespace :
type=private, prefix=Virtual/, sep=/, inbox=no, hidden=no, list=yes,
subscriptions=yes location=virtual:~/mdbox/virtual
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: fs:
root=/var/vmail/domains/leuxner.net/tlx/mdbox/virtual, index=, indexpvt=,
control=, inbox=, altSep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net):
Debug: acl: initializing backend with data:
vfile:/var/vmail/conf.d/leuxner.net/global-acl:cache_secs=300
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: acl
username = tlx at leuxner.net
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: owner = 1
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl: group
added: PublicMailboxAdmins
Sep  8 13:06:29 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl vfile:
Global ACL file: /var/vmail/conf.d/leuxner.net/global-acl
Sep  8 13:07:13 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl vfile: file
/var/vmail/domains/leuxner.net/tlx/mdbox/mailboxes/dovecot-acl not found
Sep  8 13:07:13 nihlus dovecot: imap(tlx at leuxner.net): Debug: Namespace :
Using permissions from /var/vmail/domains/leuxner.net/tlx/mdbox: mode=0700
gid=default
Sep  8 13:07:13 nihlus dovecot: imap(tlx at leuxner.net): Debug: Namespace
Public/: Using permissions from /var/vmail/public: mode=0700 gid=default

Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Namespace
Public/: /var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/2015
doesn't exist yet, using default permissions
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox
'Public/Archive/Mailing-Lists/Dovecot' matches global ACL pattern
'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox
'Public/Archive/Mailing-Lists/Dovecot' matches global ACL pattern
'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox
'Public/Archive/Mailing-Lists/Dovecot' matches global ACL pattern
'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl vfile: file
/var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/dbox-Mails/dovecot-acl
not found
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox
'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern
'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox
'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern
'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox
'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern
'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl vfile: file
/var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/2015/dbox-Mails/dovecot-acl
not found
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox
'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern
'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox
'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern
'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox
'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern
'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl vfile: file
/var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/2015/dbox-Mails/dovecot-acl
not found
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox
'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern
'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox
'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern
'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: Mailbox
'Public/Archive/Mailing-Lists/Dovecot/2015' matches global ACL pattern
'Public/*'
Sep  8 13:07:42 nihlus dovecot: imap(tlx at leuxner.net): Debug: acl vfile: file
/var/vmail/public/mailboxes/Archive/Mailing-Lists/Dovecot/2015/dbox-Mails/dovecot-acl
not found

# 2.2.18 (500e8dd7a389): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.8
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.2
auth_cache_size = 16 k
auth_debug = yes
auth_verbose = yes
deliver_log_format = msgid=%m, time=%{delivery_time}ms, status=%$
hostname = host.domain.tld
imap_hibernate_timeout = 1 mins
imap_id_log = *
imap_logout_format = in=%i out=%o hdr=%{fetch_hdr_count}
body=%{fetch_body_count} del=%{deleted} exp=%{expunged} trash=%{trashed}
mail_debug = yes
mail_location = mdbox:~/mdbox
mail_plugins = acl quota stats zlib virtual
mailbox_list_index = yes
namespace {
  list = yes
  location = mdbox:/var/vmail/public:INDEXPVT=~/mdbox/public
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}
namespace {
  location = virtual:~/mdbox/virtual
  prefix = Virtual/
  separator = /
}
namespace inbox {
  hidden = no
  inbox = yes
  location   mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix   separator = /
  type = private
}
passdb {
  args = username_format=%u /var/vmail/auth.d/%d/passwd
  driver = passwd-file
}
plugin {
  acl = vfile:/var/vmail/conf.d/%d/global-acl:cache_secs=300
  mail_log_events = expunge mailbox_delete
  quota = dict:user::file:%h/mdbox/dovecot-quota
  quota_grace = 10%%
  quota_rule = *:storage=1GB
  quota_rule2 = Trash:storage=+10%%
  quota_status_nouser = DUNNO
  quota_status_success = DUNNO
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_global_dir = /var/vmail/conf.d/%d/sieve
  stats_refresh = 30s
  stats_track_cmds = yes
  zlib_save = gz
  zlib_save_level = 6
}
protocols = " imap lmtp"
quota_full_tempfail = yes
service auth-worker {
  unix_listener auth-worker {
    user = doveauth
  }
  user = doveauth
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = doveauth
}
service imap-hibernate {
  unix_listener imap-hibernate {
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    address = 1.2.3.4
    port = 143
    reuse_port = yes
  }
  inet_listener imaps {
    port = 0
  }
  process_min_avail = 8
}
service imap {
  unix_listener imap-master {
    user = dovecot
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  unix_listener /var/spool/postfix/private/quota-status {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service stats {
  fifo_listener stats-mail {
    mode = 0600
    user = vmail
  }
}
ssl_ca =
</etc/ssl/certs/Comodo_RSA_Domain_Validation_SHA-2_Intermediates_CA_Bundle.crt
ssl_cert = </etc/ssl/certs/host_domain_tld.crt
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/host_domain_tld.key
ssl_protocols = !SSLv2 !SSLv3
syslog_facility = local1
userdb {
  args = username_format=%u /var/vmail/auth.d/%d/passwd
  driver = passwd-file
}
verbose_proctitle = yes
protocol lmtp {
  mail_plugins = acl quota stats zlib virtual sieve
}
protocol imap {
  mail_max_userip_connections = 20
  mail_plugins = acl quota stats zlib virtual mail_log notify imap_acl
imap_quota imap_stats
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20150908/88adc761/attachment.sig>