From 7f5f30bd4ffb59694657f68671acb573f8f65f83 Mon Sep 17 00:00:00 2001
From: Markus Hauschild <markus@moepman.eu>
Date: Thu, 3 Mar 2016 08:02:56 +0100
Subject: [PATCH] Switch dovecot to LDAP auth.

---
 .../templates/dovecot/dovecot-ldap.conf.ext.j2   |  4 ++--
 roles/mail/templates/dovecot/local.conf.j2       | 16 ++++++----------
 2 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2 b/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
index 8e48ec8..9aedae6 100644
--- a/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
+++ b/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
@@ -45,14 +45,14 @@ dnpass = {{ ldap_bindpw }}
 # Use TLS to connect to the LDAP server.
 tls = yes
 # TLS options, currently supported only with OpenLDAP:
-#tls_ca_cert_file =
+#tls_ca_cert_file = TODO
 #tls_ca_cert_dir =
 #tls_cipher_suite =
 # TLS cert/key is used only if LDAP server requires a client certificate.
 #tls_cert_file =
 #tls_key_file =
 # Valid values: never, hard, demand, allow, try
-#tls_require_cert =
+#tls_require_cert = TODO
 
 # Use the given ldaprc path.
 #ldaprc_path =
diff --git a/roles/mail/templates/dovecot/local.conf.j2 b/roles/mail/templates/dovecot/local.conf.j2
index 6947dbe..91d8f23 100644
--- a/roles/mail/templates/dovecot/local.conf.j2
+++ b/roles/mail/templates/dovecot/local.conf.j2
@@ -1,7 +1,8 @@
 auth_mechanisms = plain login
 auth_verbose = yes
-
 auth_debug=yes
+disable_plaintext_auth = yes
+
 mail_debug = yes
 log_path = /var/log/dovecot/errors.log
 info_log_path = /var/log/dovecot/info.log
@@ -21,14 +22,9 @@ ssl_key = </etc/dovecot/ssl/{{ ansible_fqdn }}.key
 ssl_protocols = !SSLv2 !SSLv3
 ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
 
-#passdb {
-#  driver = ldap
-#  args = /etc/dovecot/dovecot-ldap.conf.ext
-#}
-
 passdb {
-  driver = static
-  args = password=fnord
+  driver = ldap
+  args = /etc/dovecot/dovecot-ldap.conf.ext
 }
 
 userdb {
@@ -46,11 +42,11 @@ service auth {
 
 service imap-login {
   inet_listener imap {
-    address = 127.0.0.1 ::1
+    address = 0.0.0.0 ::
     port = 143
   }
   inet_listener imaps {
-    address = 0.0.0.0
+    address = 0.0.0.0 ::
     port = 993
   }
 }