From e47f9a972c9c4acf9d5b17b401b74dad932ffa9c Mon Sep 17 00:00:00 2001 
From: Frank Brehm Date: Wed, 15 Jan 2025 06:25:02 +0100 Subject: [PATCH] daily autocommit --- .etckeeper | 17 ++++++- dovecot/conf.d/10-auth.conf | 17 +++++-- dovecot/conf.d/10-logging.conf | 9 ++++ dovecot/conf.d/10-mail.conf | 13 +++--- dovecot/conf.d/10-master.conf | 66 ++++++++++++++++++++++++---- dovecot/conf.d/10-ssl.conf | 11 +++-- dovecot/conf.d/90-quota.conf | 51 ++++++++++++++++++--- dovecot/conf.d/90-sieve.conf | 14 +++++- dovecot/conf.d/auth-mysql.conf.ext | 30 +++++++++++++ dovecot/dovecot-last-login.conf | 51 +++++++++++++++++++++ dovecot/dovecot-master-users | 0 dovecot/dovecot-mysql.conf | 28 ++++++++++++ dovecot/dovecot-share-folder.conf | 23 ++++++++++ dovecot/dovecot-used-quota.conf | 13 ++++++ dovecot/dovecot.conf | 19 ++++++++ group | 1 + group- | 1 + gshadow | 1 + gshadow- | 1 + passwd | 1 + passwd- | 2 +- rspamd/local.d/classifier-bayes.conf | 3 ++ rspamd/local.d/dkim_signing.conf | 16 +++++++ rspamd/local.d/redis.conf | 2 + rspamd/local.d/worker-controller.inc | 1 + rspamd/local.d/worker-fuzzy.inc | 3 ++ rspamd/local.d/worker-proxy.inc | 3 ++ rsyslog.d/1-mail-dovecot.conf | 23 ++++++++++ rsyslog.d/1-mail-iredapd.conf | 12 +++++ rsyslog.d/1-mail-mlmmjadmin.conf | 12 +++++ rsyslog.d/1-mail-phpfpm.conf | 3 ++ shadow | 1 + shadow- | 1 + subgid | 1 + subgid- | 1 + subuid | 1 + subuid- | 1 + 37 files changed, 422 insertions(+), 31 deletions(-) create mode 100644 dovecot/conf.d/auth-mysql.conf.ext create mode 100644 dovecot/dovecot-last-login.conf create mode 100644 dovecot/dovecot-master-users create mode 100644 dovecot/dovecot-mysql.conf create mode 100644 dovecot/dovecot-share-folder.conf create mode 100644 dovecot/dovecot-used-quota.conf create mode 100644 rspamd/local.d/classifier-bayes.conf create mode 100644 rspamd/local.d/dkim_signing.conf create mode 100644 rspamd/local.d/redis.conf create mode 100644 rspamd/local.d/worker-controller.inc create mode 100644 rspamd/local.d/worker-fuzzy.inc create mode 100644 rspamd/local.d/worker-proxy.inc 
create mode 100644 rsyslog.d/1-mail-dovecot.conf create mode 100644 rsyslog.d/1-mail-iredapd.conf create mode 100644 rsyslog.d/1-mail-mlmmjadmin.conf create mode 100644 rsyslog.d/1-mail-phpfpm.conf diff --git a/.etckeeper b/.etckeeper index 29cbdc3..4aa621d 100755 --- a/.etckeeper +++ b/.etckeeper @@ -29,7 +29,6 @@ mkdir -p './network/interfaces.d' mkdir -p './opt' mkdir -p './postfix/dynamicmaps.cf.d' mkdir -p './postfix/sasl' -mkdir -p './rspamd/local.d' mkdir -p './rspamd/override.d' mkdir -p './security/limits.d' mkdir -p './security/namespace.d' @@ -607,6 +606,7 @@ maybe chmod 0644 'dovecot/conf.d/auth-checkpassword.conf.ext' maybe chmod 0644 'dovecot/conf.d/auth-deny.conf.ext' maybe chmod 0644 'dovecot/conf.d/auth-dict.conf.ext' maybe chmod 0644 'dovecot/conf.d/auth-master.conf.ext' +maybe chmod 0644 'dovecot/conf.d/auth-mysql.conf.ext' maybe chmod 0644 'dovecot/conf.d/auth-passwdfile.conf.ext' maybe chmod 0644 'dovecot/conf.d/auth-sql.conf.ext' maybe chmod 0644 'dovecot/conf.d/auth-static.conf.ext' @@ -615,8 +615,13 @@ maybe chgrp 'dovecot' 'dovecot/dovecot-dict-auth.conf.ext' maybe chmod 0640 'dovecot/dovecot-dict-auth.conf.ext' maybe chgrp 'dovecot' 'dovecot/dovecot-dict-sql.conf.ext' maybe chmod 0640 'dovecot/dovecot-dict-sql.conf.ext' +maybe chmod 0644 'dovecot/dovecot-last-login.conf' +maybe chmod 0600 'dovecot/dovecot-master-users' +maybe chmod 0640 'dovecot/dovecot-mysql.conf' +maybe chmod 0644 'dovecot/dovecot-share-folder.conf' maybe chgrp 'dovecot' 'dovecot/dovecot-sql.conf.ext' maybe chmod 0640 'dovecot/dovecot-sql.conf.ext' +maybe chmod 0644 'dovecot/dovecot-used-quota.conf' maybe chmod 0644 'dovecot/dovecot.conf' maybe chmod 0700 'dovecot/private' maybe chmod 0755 'dpkg' 
@@ -1053,6 +1058,12 @@ maybe chmod 0644 'rspamd/common.conf' maybe chmod 0644 'rspamd/composites.conf' maybe chmod 0644 'rspamd/groups.conf' maybe chmod 0755 'rspamd/local.d' +maybe chmod 0644 'rspamd/local.d/classifier-bayes.conf' +maybe chmod 0644 'rspamd/local.d/dkim_signing.conf' +maybe chmod 0644 'rspamd/local.d/redis.conf' +maybe chmod 0644 'rspamd/local.d/worker-controller.inc' +maybe chmod 0644 'rspamd/local.d/worker-fuzzy.inc' +maybe chmod 0644 'rspamd/local.d/worker-proxy.inc' maybe chmod 0644 'rspamd/logging.inc' maybe chmod 0755 'rspamd/maps.d' maybe chmod 0644 'rspamd/maps.d/dmarc_whitelist.inc' @@ -1139,6 +1150,10 @@ maybe chmod 0644 'rspamd/worker-proxy.inc' maybe chmod 0644 'rsyslog.conf' maybe chmod 0644 'rsyslog.conf.orig' maybe chmod 0755 'rsyslog.d' +maybe chmod 0644 'rsyslog.d/1-mail-dovecot.conf' +maybe chmod 0644 'rsyslog.d/1-mail-iredapd.conf' +maybe chmod 0644 'rsyslog.d/1-mail-mlmmjadmin.conf' +maybe chmod 0644 'rsyslog.d/1-mail-phpfpm.conf' maybe chmod 0644 'rsyslog.d/60-default.conf' maybe chmod 0644 'rsyslog.d/60-mail.conf' maybe chmod 0644 'rsyslog.d/70-fb.conf' diff --git a/dovecot/conf.d/10-auth.conf b/dovecot/conf.d/10-auth.conf index 3e9c4e4..a410580 100644 --- a/dovecot/conf.d/10-auth.conf +++ b/dovecot/conf.d/10-auth.conf 
@@ -50,12 +50,22 @@ # "-AT-". This translation is done after auth_username_translation changes. #auth_username_format = %Lu +# Master user. # If you want to allow master users to log in by specifying the master # username within the normal username string (ie. not using SASL mechanism's # support for it), you can specify the separator character here. The format # is then . UW-IMAP uses "*" as the # separator, so that could be a good choice. -#auth_master_user_separator = +# Master users are able to log in as other users. It's also possible to +# directly log in as any user using a master password, although this isn't +# recommended. +# Reference: http://wiki2.dovecot.org/Authentication/MasterUsers +auth_master_user_separator = * +passdb { + driver = passwd-file + args = /etc/dovecot/dovecot-master-users + master = yes +} # Username to use for users logging in with ANONYMOUS SASL mechanism #auth_anonymous_username = anonymous @@ -97,7 +107,7 @@ # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp # gss-spnego # NOTE: See also disable_plaintext_auth setting. -auth_mechanisms = plain +auth_mechanisms = plain login ## ## Password and user databases @@ -119,8 +129,9 @@ auth_mechanisms = plain #!include auth-deny.conf.ext #!include auth-master.conf.ext -!include auth-system.conf.ext +#!include auth-system.conf.ext #!include auth-sql.conf.ext +!include auth-mysql.conf.ext #!include auth-ldap.conf.ext #!include auth-passwdfile.conf.ext #!include auth-checkpassword.conf.ext diff --git a/dovecot/conf.d/10-logging.conf b/dovecot/conf.d/10-logging.conf index beb15ba..1f6d8f5 100644 --- a/dovecot/conf.d/10-logging.conf +++ b/dovecot/conf.d/10-logging.conf 
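Review bot: The new `passdb { driver = passwd-file ... master = yes }` block enables master-user logins, and `/etc/dovecot/dovecot-master-users` is created empty in this same patch, so every entry later added to that file becomes a credential that opens any mailbox via the `*` separator. Keep the file root-owned at 0600 (the `.etckeeper` hunk records 0600, which is right), store only hashed passwords in a strong scheme such as `admin:{SHA512-CRYPT}$6$...`, and consider an `allow_nets=` extra field so master logins only work from the hosts that need them. The `auth_mechanisms = plain login` change in the hunk below is only safe while plaintext auth stays confined to TLS sessions, which depends on `disable_plaintext_auth` and the `ssl =` value outside this hunk.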
@@ -5,9 +5,12 @@ # Log file to use for error messages. "syslog" logs to syslog, # /dev/stderr logs to stderr. #log_path = syslog +log_path = /var/log/dovecot/dovecot.log + # Log file to use for informational messages. Defaults to log_path. #info_log_path = +info_log_path = /var/log/dovecot/info.log # Log file to use for debug messages. Defaults to info_log_path. #debug_log_path = @@ -15,6 +18,7 @@ # want to use "mail", you'll use local0..local7. Also other standard # facilities are supported. #syslog_facility = mail +syslog_facility = local5 ## ## Logging verbosity and debugging. @@ -38,6 +42,7 @@ # Log unsuccessful authentication attempts and the reasons why they failed. #auth_verbose = no +auth_verbose = yes # In case of password mismatches, log the attempted password. Valid values are # no, plain and sha1. sha1 can be useful for detecting brute force password @@ -64,9 +69,11 @@ plugin { # Events to log. Also available: flag_change append #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename + mail_log_events = delete undelete expunge copy mailbox_create mailbox_delete mailbox_rename # Available fields: uid, box, msgid, from, subject, size, vsize, flags # size and vsize are available only for expunge and copy events. #mail_log_fields = uid box msgid size + mail_log_fields = uid box msgid size from subject flags } ## @@ -81,6 +88,7 @@ plugin { # a non-empty variable value are joined together to form a comma-separated # string. #login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c +login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k session=<%{session}> # Login log format. %s contains login_log_format_elements string, %$ contains # the data we want to log. 
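Review bot: `log_path = /var/log/dovecot/dovecot.log` and `info_log_path = /var/log/dovecot/info.log` switch Dovecot to file logging, so per the retained comment ("syslog" logs to syslog) the `syslog_facility = local5` line added a few lines below has no effect and the `rsyslog.d/1-mail-dovecot.conf` rules added elsewhere in this patch will never see a Dovecot message. If the rsyslog split is the intent, use `log_path = syslog` and drop the two file paths; if file logging is intended, the rsyslog file is dead config and the `/var/log/dovecot/*` files need rotation and restrictive modes, since `mail_log_fields` now adds `from subject` and `auth_verbose = yes` adds failed-login detail. Logging From/subject is a privacy decision worth recording, e.g. `# mail_log_fields includes from/subject: logs carry message metadata, keep access restricted.`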
@@ -103,3 +111,4 @@ plugin { # %{session_time} - How long LMTP session took, not including delivery_time # %{storage_id} - Backend-specific ID for mail, e.g. Maildir filename #deliver_log_format = msgid=%m: %$ +deliver_log_format = from=%{from}, envelope_sender=%{from_envelope}, subject=%{subject}, msgid=%m, size=%{size}, delivery_time=%{delivery_time}ms, %$ diff --git a/dovecot/conf.d/10-mail.conf b/dovecot/conf.d/10-mail.conf index b47235f..36106e7 100644 --- a/dovecot/conf.d/10-mail.conf +++ b/dovecot/conf.d/10-mail.conf @@ -27,7 +27,8 @@ # # # -mail_location = mbox:~/mail:INBOX=/var/mail/%u +# mail_location = mbox:~/mail:INBOX=/var/mail/%u +mail_location = maildir:%Lh/Maildir/:INDEX=%Lh/Maildir/ # If you need to set multiple mailbox locations or want to change default # namespace settings, you can do it by defining namespace sections. @@ -105,8 +106,8 @@ namespace inbox { # System user and group used to access mails. If you use multiple, userdb # can override these by returning uid or gid fields. You can use either numbers # or names. -#mail_uid = -#mail_gid = +mail_uid = 2000 +mail_gid = 2000 # Group to enable temporarily for privileged operations. Currently this is # used only with INBOX when either its initial creation or dotlocking fails. @@ -175,14 +176,14 @@ mail_privileged_group = mail # to make sure that users can't log in as daemons or other system users. # Note that denying root logins is hardcoded to dovecot binary and can't # be done even if first_valid_uid is set to 0. -#first_valid_uid = 500 -#last_valid_uid = 0 +first_valid_uid = 2000 +last_valid_uid = 2000 # Valid GID range for users, defaults to non-root/wheel. Users having # non-valid GID as primary group ID aren't allowed to log in. If user # belongs to supplementary groups with non-valid GIDs, those groups are # not set. -#first_valid_gid = 1 +first_valid_gid = 2000 #last_valid_gid = 0 # Maximum allowed length for mail keyword name. It's only forced when trying 
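Review bot: `deliver_log_format` now writes `from=`, `envelope_sender=` and `subject=` for every delivered message, turning the LDA/LMTP log into a per-message record of who mails whom about what. That helps abuse triage but is personal data; make sure the target file is not world-readable and has a retention policy, or trim to `deliver_log_format = msgid=%m, size=%{size}, delivery_time=%{delivery_time}ms, %$` if the subject is not needed. The `10-mail.conf` hunks on the same line pin mail access to uid/gid 2000 via `first_valid_uid`/`last_valid_uid`, which is the right lock-down for a single vmail user.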
diff --git a/dovecot/conf.d/10-master.conf b/dovecot/conf.d/10-master.conf index d52ce80..853b47c 100644 --- a/dovecot/conf.d/10-master.conf +++ b/dovecot/conf.d/10-master.conf @@ -52,9 +52,33 @@ service submission-login { } service lmtp { - unix_listener lmtp { - #mode = 0666 - } + user = vmail + + # For higher volume sites, it may be desirable to increase the number of + # active listener processes. A range of 5 to 20 is probably good for most + # sites. + process_min_avail = 5 + + # Logging. + # Require 'log_path =' in 'protocol lmtp {}' block. + executable = lmtp -L + + # Listening on socket file and TCP + unix_listener /var/spool/postfix/private/dovecot-lmtp { + user = postfix + group = postfix + mode = 0600 + } + + inet_listener lmtp { + # Listen on localhost (ipv4) + address = 127.0.0.1 + port = 24 + } + + # unix_listener lmtp { + # mode = 0666 + # } # Create inet listener only if you can't use the above UNIX socket #inet_listener lmtp { @@ -97,11 +121,26 @@ service auth { # To give the caller full permissions to lookup all users, set the mode to # something else than 0666 and Dovecot lets the kernel enforce the # permissions (e.g. 0777 allows everyone full permissions). - unix_listener auth-userdb { - #mode = 0666 - #user = - #group = - } + unix_listener /var/spool/postfix/private/dovecot-auth { + user = postfix + group = postfix + mode = 0666 + } + unix_listener auth-master { + user = vmail + group = vmail + mode = 0666 + } + unix_listener auth-userdb { + user = vmail + group = vmail + mode = 0660 + } + #unix_listener auth-userdb { + # mode = 0666 + # user = + # group = + #} # Postfix smtp-auth #unix_listener /var/spool/postfix/private/auth { 
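Review bot: `unix_listener auth-master { ... mode = 0666 }` creates a world-accessible master auth socket under the Dovecot base dir, while the sibling `auth-userdb` listener in the same hunk is tightened to 0660. The retained comment above the listeners (written for auth-userdb) says 0666 makes Dovecot limit lookups to the caller's own uid, so exposure is bounded if that also holds for an `auth-master` listener, but no local uid other than vmail and root needs this socket at all; `mode = 0660` with the existing `user = vmail`/`group = vmail` lines gives the kernel-enforced version. The `/var/spool/postfix/private/dovecot-auth` listener at 0666 is acceptable only because postfix's `private/` directory is itself not world-accessible, which is not visible here and worth checking. In the lmtp hunk above, the `inet_listener lmtp` on 127.0.0.1:24 is unauthenticated by design and must stay on loopback.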
@@ -126,5 +165,16 @@ service dict { #mode = 0600 #user = #group = + mode = 0660 + user = vmail + group = vmail } } + +dict { + #expire = db:/var/lib/dovecot/expire/expire.db + quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf + acl = mysql:/etc/dovecot/dovecot-share-folder.conf + lastlogin = mysql:/etc/dovecot/dovecot-last-login.conf +} + diff --git a/dovecot/conf.d/10-ssl.conf b/dovecot/conf.d/10-ssl.conf index c4502fc..fbc62fa 100644 --- a/dovecot/conf.d/10-ssl.conf +++ b/dovecot/conf.d/10-ssl.conf @@ -3,14 +3,17 @@ ## # SSL/TLS support: yes, no, required. +#ssl = required ssl = yes # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -ssl_cert = See sieve_before for executing scripts before the user's personal # script. #sieve_default = /var/lib/dovecot/sieve/default.sieve + sieve_default = /var/vmail/sieve/default.sieve # The name by which the default Sieve script (as configured by the # sieve_default setting) is visible to the user through ManageSieve. #sieve_default_name = + sieve_default_name = Default # Location for ":global" include scripts as used by the "include" extension. #sieve_global = - + sieve_global_dir = /var/vmail/sieve + # The location of a Sieve script that is run for any message that is about to # be discarded; i.e., it is not delivered anywhere by the normal Sieve # execution. This only happens when the "implicit keep" is canceled, by e.g. @@ -76,6 +81,7 @@ plugin { #sieve_before = /var/lib/dovecot/sieve.d/ #sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain #sieve_before3 = (etc...) + sieve_before = /var/vmail/sieve/dovecot.sieve # Identical to sieve_before, only the specified scripts are executed after the # user's script (only when keep is still in effect!). Multiple script 
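Review bot: The new `dict { quotadict/acl/lastlogin = mysql:/etc/dovecot/dovecot-*.conf }` maps point at three files that each carry the `vmailadmin` MySQL password in clear text, and the `.etckeeper` hunk in this patch records `dovecot-last-login.conf`, `dovecot-share-folder.conf` and `dovecot-used-quota.conf` at mode 0644, readable by every local account, whereas `dovecot-mysql.conf` gets 0640. Match the existing `dovecot-dict-sql.conf.ext` entries in the same `.etckeeper` hunk (`chgrp dovecot` + `chmod 0640`) and rotate the password, since it has been world-readable. The `unix_listener dict { mode = 0660 user = vmail group = vmail }` change itself is fine.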
@@ -125,6 +131,7 @@ plugin { # The maximum number of redirect actions that can be performed during a single # script execution. If set to 0, no redirect actions are allowed. #sieve_max_redirects = 4 + sieve_max_redirects = 30 # The maximum number of personal Sieve scripts a single user can have. If set # to 0, no limit on the number of scripts is enforced. @@ -149,6 +156,7 @@ plugin { # with sieve=) is a file, the logfile is set to .log by default. If # it is not a file, the default user log file is ~/.dovecot.sieve.log. #sieve_user_log = + sieve_user_log = ~/sieve/dovecot.sieve.log # Specifies what envelope sender address is used for redirected messages. # The following values are supported for this setting: @@ -183,6 +191,7 @@ plugin { # path is relative or it starts with "~/" it is interpreted relative to the # current user's home directory. #sieve_trace_dir = + sieve_trace_dir = ~/sieve-trace # The verbosity level of the trace messages. Trace debugging is disabled if # this setting is not configured. Possible values are: @@ -194,6 +203,7 @@ plugin { # "matching" - Print all executed commands, performed tests and the # values matched in those tests. #sieve_trace_level = + sieve_trace_level = matching # Enables highly verbose debugging messages that are usually only useful for # developers. diff --git a/dovecot/conf.d/auth-mysql.conf.ext b/dovecot/conf.d/auth-mysql.conf.ext new file mode 100644 index 0000000..9679342 --- /dev/null +++ b/dovecot/conf.d/auth-mysql.conf.ext 
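Review bot: `sieve_trace_dir = ~/sieve-trace` together with `sieve_trace_level = matching` enables Sieve trace debugging permanently for every user, and the retained comment says tracing is off only when the setting is unset, so each delivery writes a trace file (including the header/body values the rules matched) into the user's home with no rotation. That is a debugging aid, not a production setting: comment both lines out, or keep them with `# TODO: temporary sieve tracing, remove after the rollout is verified`. Raising `sieve_max_redirects` from the default 4 to 30 also means one compromised account can fan every incoming message out to 30 external addresses, an outbound-spam amplifier; the `sieve_user_log` change is fine.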
@@ -0,0 +1,30 @@
+# Authentication for SQL users. Included from 10-auth.conf.
+#
+#
+
+passdb {
+ driver = sql
+
+ # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
+ args = /etc/dovecot/dovecot-mysql.conf
+}
+
+# "prefetch" user database means that the passdb already provided the
+# needed information and there's no need to do a separate userdb lookup.
+#
+#userdb {
+# driver = prefetch
+#}
+
+userdb {
+ driver = sql
+ args = /etc/dovecot/dovecot-mysql.conf
+}
+
+# If you don't have any user-specific settings, you can avoid the user_query
+# by using userdb static instead of userdb sql, for example:
+#
+#userdb {
+ #driver = static
+ #args = uid=vmail gid=vmail home=/var/vmail/%u
+#}
diff --git a/dovecot/dovecot-last-login.conf b/dovecot/dovecot-last-login.conf
new file mode 100644
index 0000000..31d62f7
--- /dev/null
+++ b/dovecot/dovecot-last-login.conf
@@ -0,0 +1,51 @@
+connect = host=127.0.0.1 port=3306 dbname=vmail user=vmailadmin password=kjnjsPN5ph8MB8Qcnuy9J7ucTvXat8Sp
+
+map {
+ pattern = shared/last-login/imap/$user/$domain
+ table = last_login
+ value_field = imap
+ value_type = uint
+
+ fields {
+ username = $user
+ domain = $domain
+ }
+}
+
+map {
+ pattern = shared/last-login/pop3/$user/$domain
+ table = last_login
+ value_field = pop3
+ value_type = uint
+
+ fields {
+ username = $user
+ domain = $domain
+ }
+}
+
+map {
+ pattern = shared/last-login/lda/$user/$domain
+ table = last_login
+ value_field = lda
+ value_type = uint
+
+ fields {
+ username = $user
+ domain = $domain
+ }
+}
+
+# Treat lmtp as lda.
+map {
+ pattern = shared/last-login/lmtp/$user/$domain
+ table = last_login
+ value_field = lda
+ value_type = uint
+
+ fields {
+ username = $user
+ domain = $domain
+ }
+}
+
diff --git a/dovecot/dovecot-master-users b/dovecot/dovecot-master-users
new file mode 100644
index 0000000..e69de29
diff --git a/dovecot/dovecot-mysql.conf b/dovecot/dovecot-mysql.conf
new file mode 100644
index 0000000..f06ef0e
--- /dev/null
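Review bot: The `connect = host=127.0.0.1 ... user=vmailadmin password=...` line commits a live database password into the etckeeper repository, so it now lives in git history regardless of the file's mode and travels with every clone or backup of /etc. Rotate the `vmailadmin` password and keep the secret out of the repo going forward (etckeeper `.gitignore`, or a root-only include file), especially since the same literal is repeated in the share-folder and used-quota maps below. The map definitions themselves look sound, and the `# Treat lmtp as lda.` comment on the last map is the right kind of note.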
+++ b/dovecot/dovecot-mysql.conf
@@ -0,0 +1,28 @@
+driver = mysql
+default_pass_scheme = CRYPT
+connect = host=127.0.0.1 port=3306 dbname=vmail user=vmail password=Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+
+# Required by doveadm tools which require to list all mail users.
+iterate_query = SELECT username AS user FROM mailbox
+
+password_query = SELECT mailbox.password, mailbox.allow_nets \
+ FROM mailbox,domain \
+ WHERE mailbox.username='%u' \
+ AND mailbox.`enable%Ls%Lc`=1 \
+ AND mailbox.active=1 \
+ AND mailbox.domain=domain.domain \
+ AND domain.backupmx=0 \
+ AND domain.active=1
+
+user_query = SELECT \
+ LOWER('%u') AS master_user, \
+ LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode, '/', mailbox.maildir)) AS home, \
+ CONCAT(mailbox.mailboxformat, ':~/', mailbox.mailboxfolder) AS mail, \
+ CONCAT('*:bytes=', mailbox.quota*1048576) AS quota_rule \
+ FROM mailbox,domain \
+ WHERE mailbox.username='%u' \
+ AND mailbox.`enable%Ls%Lc`=1 \
+ AND mailbox.active=1 \
+ AND mailbox.domain=domain.domain \
+ AND domain.backupmx=0 \
+ AND domain.active=1
diff --git a/dovecot/dovecot-share-folder.conf b/dovecot/dovecot-share-folder.conf
new file mode 100644
index 0000000..2b40e17
--- /dev/null
+++ b/dovecot/dovecot-share-folder.conf
@@ -0,0 +1,23 @@
+
+connect = host=127.0.0.1 port=3306 dbname=vmail user=vmailadmin password=kjnjsPN5ph8MB8Qcnuy9J7ucTvXat8Sp
+map {
+ pattern = shared/shared-boxes/user/$to/$from
+ table = share_folder
+ value_field = dummy
+
+ fields {
+ from_user = $from
+ to_user = $to
+ }
+}
+
+# To share mailbox to anyone, please uncomment 'acl_anyone = allow' in
+# dovecot.conf
+map {
+ pattern = shared/shared-boxes/anyone/$from
+ table = anyone_shares
+ value_field = dummy
+ fields {
+ from_user = $from
+ }
+}
diff --git a/dovecot/dovecot-used-quota.conf b/dovecot/dovecot-used-quota.conf
new file mode 100644
index 0000000..71a6e91
--- /dev/null
+++ b/dovecot/dovecot-used-quota.conf
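Review bot: `connect = ... user=vmailadmin password=...` in `dovecot-share-folder.conf` reuses what its name suggests is an administrative MySQL account for a dict map that only reads `share_folder` and `anyone_shares`, and the same account serves the last-login and quota maps elsewhere in this patch. If `vmailadmin` holds write/DDL rights on `vmail` (not visible here, worth confirming), a dict-server bug or the 0644 config file hands those rights to any local user; a dedicated account with SELECT only, plus INSERT/UPDATE on the tables Dovecot actually writes (last-login, used-quota), is the least-privilege shape. In `dovecot-mysql.conf` the `password_query` gates on `mailbox.active`, `domain.active` and `domain.backupmx`, but `iterate_query = SELECT username AS user FROM mailbox` has none of those filters, so doveadm mass operations will also touch disabled accounts; consider `iterate_query = SELECT username AS user FROM mailbox WHERE active=1`.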
@@ -0,0 +1,13 @@ +connect = host=127.0.0.1 port=3306 dbname=vmail user=vmailadmin password=kjnjsPN5ph8MB8Qcnuy9J7ucTvXat8Sp +map { + pattern = priv/quota/storage + table = used_quota + username_field = username + value_field = bytes +} +map { + pattern = priv/quota/messages + table = used_quota + username_field = username + value_field = messages +} diff --git a/dovecot/dovecot.conf b/dovecot/dovecot.conf index 7e9953f..6c240c9 100644 --- a/dovecot/dovecot.conf +++ b/dovecot/dovecot.conf @@ -28,6 +28,7 @@ # If you want to specify non-default ports or anything more complex, # edit conf.d/master.conf. #listen = *, :: +listen = * :: # Base directory where to store runtime data. #base_dir = /var/run/dovecot/ @@ -91,6 +92,24 @@ dict { #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext } +service stats { + fifo_listener stats-mail { + user = vmail + mode = 0644 + } + + unix_listener stats-writer { + user = vmail + group = vmail + mode = 0660 + } + + inet_listener { + address = 127.0.0.1 + port = 24242 + } +} + # Most of the actual configuration gets included below. The filenames are # first sorted by their ASCII value and parsed in that order. The 00-prefixes # in filenames are intended to make it easier to understand the ordering. diff --git a/group b/group index c0cf2dd..bef46a6 100644 --- a/group +++ b/group @@ -59,3 +59,4 @@ dovecot:x:118: dovenull:x:119: redis:x:120: _rspamd:x:115: +vmail:x:2000: diff --git a/group- b/group- index cea0f27..c0cf2dd 100644 --- a/group- +++ b/group- @@ -58,3 +58,4 @@ tcpdump:x:117: dovecot:x:118: dovenull:x:119: redis:x:120: +_rspamd:x:115: diff --git a/gshadow b/gshadow index aecd562..15b8fdd 100644 --- a/gshadow +++ b/gshadow @@ -59,3 +59,4 @@ dovecot:!:: dovenull:!:: redis:!:: _rspamd:!:: +vmail:!:: diff --git a/gshadow- b/gshadow- index 064f42e..aecd562 100644 --- a/gshadow- +++ b/gshadow- @@ -58,3 +58,4 @@ tcpdump:!:: dovecot:!:: dovenull:!:: redis:!:: +_rspamd:!:: diff --git a/passwd b/passwd index d765850..eecf6ef 100644 
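Review bot: `listen = * ::` opens every protocol on all interfaces, and the new `service stats` block adds an `inet_listener` on 127.0.0.1:24242 with no authentication of its own, so any local process can read mailbox and session statistics; keep it on loopback or drop the inet listener if only the `stats-writer` socket is used. `fifo_listener stats-mail { user = vmail mode = 0644 }` lets any local user open the FIFO for reading and race the stats process for data written into it; since the writers run as vmail (`mail_uid = 2000` in this patch) `mode = 0600` should suffice, worth verifying against the installed version. Given the all-interface listen, the `ssl = required` line this patch leaves commented out in `10-ssl.conf` is the setting that actually decides whether `plain`/`login` credentials can cross the wire unprotected.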
--- a/passwd
+++ b/passwd
@@ -30,3 +30,4 @@ dovecot:x:108:118:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin
 dovenull:x:109:119:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin
 redis:x:110:120::/var/lib/redis:/usr/sbin/nologin
 _rspamd:x:105:115:rspamd spam filtering system,,,:/var/lib/rspamd:/usr/sbin/nologin
+vmail:x:2000:2000:Dovecot vmail user:/var/vmail:/usr/sbin/nologin
diff --git a/passwd- b/passwd-
index ff45df0..d765850 100644
--- a/passwd-
+++ b/passwd-
@@ -29,4 +29,4 @@ tcpdump:x:107:117::/nonexistent:/usr/sbin/nologin
 dovecot:x:108:118:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin
 dovenull:x:109:119:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin
 redis:x:110:120::/var/lib/redis:/usr/sbin/nologin
-_rspamd:x:105:115::/var/lib/rspamd:/usr/sbin/nologin
+_rspamd:x:105:115:rspamd spam filtering system,,,:/var/lib/rspamd:/usr/sbin/nologin
diff --git a/rspamd/local.d/classifier-bayes.conf b/rspamd/local.d/classifier-bayes.conf
new file mode 100644
index 0000000..8c1d33a
--- /dev/null
+++ b/rspamd/local.d/classifier-bayes.conf
@@ -0,0 +1,3 @@
+backend = "redis";
+servers = "localhost:6378";
+
diff --git a/rspamd/local.d/dkim_signing.conf b/rspamd/local.d/dkim_signing.conf
new file mode 100644
index 0000000..f0db219
--- /dev/null
+++ b/rspamd/local.d/dkim_signing.conf
@@ -0,0 +1,16 @@
+sign_authenticated = true;
+use_domain = "envelope";
+allow_hdrfrom_mismatch = true;
+allow_hdrfrom_mismatch_sign_networks = true;
+allow_username_mismatch = true;
+domain {
+ frankepedia.eu {
+ selector = "mail-2025-01-14";
+ path = "/var/lib/rspamd/dkim/frankepedia.eu.mail-2025-01-14.key";
+ }
+ wildpark.de {
+ selector = "mail-2025-01-14-0";
+ path = "/var/lib/rspamd/dkim/wildpark.de.mail-2025-01-14-0.key";
+ }
+}
+use_esld = true;
diff --git a/rspamd/local.d/redis.conf b/rspamd/local.d/redis.conf
new file mode 100644
index 0000000..6b6c00d
--- /dev/null
+++ b/rspamd/local.d/redis.conf
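Review bot: `allow_hdrfrom_mismatch = true`, `allow_username_mismatch = true` and `use_domain = "envelope"` together let any authenticated sender obtain a valid DKIM signature for either configured domain with an arbitrary `From:`: the key is picked by the envelope-from domain, the From domain need not match it, and the authenticated username's domain need not match either. With both domains on one server this is an intra-operator issue, but one phished mailbox at frankepedia.eu can then send aligned, DMARC-passing mail as any address at wildpark.de unless Postfix enforces sender-login matching, which is not visible here. Unless cross-domain sending is a requirement, drop the three `allow_*` overrides (keeping at most `allow_hdrfrom_mismatch_sign_networks` for trusted relays) and add `# key chosen by envelope domain; From/username must match so a compromised account cannot sign for the other domain.` The `classifier-bayes.conf` pointer to `localhost:6378` carries no `password`, which is fine only if that Redis instance is loopback-bound and unauthenticated by design.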
@@ -0,0 +1,2 @@
+write_servers = "localhost";
+read_servers = "localhost";
diff --git a/rspamd/local.d/worker-controller.inc b/rspamd/local.d/worker-controller.inc
new file mode 100644
index 0000000..54dc726
--- /dev/null
+++ b/rspamd/local.d/worker-controller.inc
@@ -0,0 +1 @@
+password = "$2$qyp3gj1yq157newudkczpxowpb5k6c98$h1pyzfe4swxuj8b3q6c5k8p1w6w6n9o7n3mtu5cfaw1na9fjajcb";
diff --git a/rspamd/local.d/worker-fuzzy.inc b/rspamd/local.d/worker-fuzzy.inc
new file mode 100644
index 0000000..99812bb
--- /dev/null
+++ b/rspamd/local.d/worker-fuzzy.inc
@@ -0,0 +1,3 @@
+backend = "redis";
+servers = "localhost:6377";
+
diff --git a/rspamd/local.d/worker-proxy.inc b/rspamd/local.d/worker-proxy.inc
new file mode 100644
index 0000000..568c62e
--- /dev/null
+++ b/rspamd/local.d/worker-proxy.inc
@@ -0,0 +1,3 @@
+count = 2; # Do not spawn too many processes of this type
+reject_message = "Spam message rejected - wir wollen kein Buechsenfleisch!";
+
diff --git a/rsyslog.d/1-mail-dovecot.conf b/rsyslog.d/1-mail-dovecot.conf
new file mode 100644
index 0000000..a9166a8
--- /dev/null
+++ b/rsyslog.d/1-mail-dovecot.conf
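Review bot: `worker-controller.inc` sets only `password` and no `enable_password`; as far as I recall rspamd then uses `password` for privileged actions too (learning, map edits, fuzzy management), so a single credential doubles as the admin one, which is worth confirming against the installed version and, if so, fixing with a separate `enable_password = "$2$...";` hash. The value is an rspamd encrypted hash rather than clear text, which is why committing it is tolerable, but the controller's bind address is not in this patch; make sure it stays on localhost or behind the web frontend's own authentication. `worker-fuzzy.inc` only points a redis backend at `localhost:6377` and, like `redis.conf`, sets no `password`, so these Redis instances must be loopback-only by design.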
@@ -0,0 +1,23 @@
+# Debug
+if $syslogfacility-text == 'local5' and ($msg contains ": Debug:") then -/var/log/dovecot/dovecot.log
+& stop
+
+# sieve and LMTP
+if $syslogfacility-text == 'local5' and ($msg contains "lmtp(" or $msg contains "lda(") then -/var/log/dovecot/lda.log
+& stop
+
+# IMAP
+if $syslogfacility-text == 'local5' and ($msg contains "imap(" or $msg contains "imap-login:") then -/var/log/dovecot/imap.log
+& stop
+
+# POP3
+if $syslogfacility-text == 'local5' and ($msg contains "pop3(" or $msg contains "pop3-login:") then -/var/log/dovecot/pop3.log
+& stop
+
+# managesieve
+if $syslogfacility-text == 'local5' and ($msg contains "managesieve(" or $msg contains "managesieve-login:") then -/var/log/dovecot/sieve.log
+& stop
+
+# All other Dovecot log
+if $syslogfacility-text == 'local5' and $programname startswith "dovecot" then -/var/log/dovecot/dovecot.log
+& stop
diff --git a/rsyslog.d/1-mail-iredapd.conf b/rsyslog.d/1-mail-iredapd.conf
new file mode 100644
index 0000000..54ace50
--- /dev/null
+++ b/rsyslog.d/1-mail-iredapd.conf
@@ -0,0 +1,12 @@
+# Log to /var/log/iredapd/iredapd.log
+#
+# Notes:
+#
+# - $syslogfacility-text must be same as value of parameter SYSLOG_FACILITY
+# in mlmmjadmin config file. Defaults to 'local5' (defined in
+# libs/default_settings.py).
+#
+# - Directory /var/log/iredapd/ must be owned by syslog daemon user/group.
+#
+if $syslogfacility-text == 'local5' and ($syslogtag startswith 'iredapd' or $msg startswith 'iredapd ') then -/var/log/iredapd/iredapd.log
+& stop
diff --git a/rsyslog.d/1-mail-mlmmjadmin.conf b/rsyslog.d/1-mail-mlmmjadmin.conf
new file mode 100644
index 0000000..1d5158c
--- /dev/null
+++ b/rsyslog.d/1-mail-mlmmjadmin.conf
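Review bot: The first five rules in `1-mail-dovecot.conf` select on `$syslogfacility-text == 'local5'` plus a substring of `$msg` only, and this file sorts ahead of `1-mail-iredapd.conf`, `1-mail-mlmmjadmin.conf` and `1-mail-phpfpm.conf`, which use the same facility; any message from those daemons that happens to contain `": Debug:"`, `"lda("`, `"imap("` and so on is diverted into the Dovecot logs and `& stop`ped before its own rule runs. Add the program check the last rule already has to each of them, e.g. `if $syslogfacility-text == 'local5' and $programname startswith "dovecot" and ($msg contains "lmtp(" or $msg contains "lda(") then -/var/log/dovecot/lda.log`. Note also that `10-logging.conf` in this same patch sets `log_path` to a file, so Dovecot will not log via syslog at all until that is changed back to `log_path = syslog`.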
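Review bot: The comment block in `1-mail-iredapd.conf` says the `SYSLOG_FACILITY` parameter lives "in mlmmjadmin config file", which was copied from the mlmmjadmin rule and is wrong for this file; it should read `# in iredapd config file. Defaults to 'local5' (defined in` so the next admin checks the right daemon's setting. The rule itself also accepts `$msg startswith 'iredapd '`, so any other local5 sender can land a line in the iredapd log by prefixing its message; the `$programname startswith` form used in the mlmmjadmin rule is the tighter match.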
@@ -0,0 +1,12 @@
+# Log to /var/log/mlmmjadmin/mlmmjadmin.log
+#
+# Notes:
+#
+# - $syslogfacility-text must be same as value of parameter SYSLOG_FACILITY
+# in mlmmjadmin config file. Defaults to 'local5' (defined in
+# libs/default_settings.py).
+#
+# - Directory /var/log/mlmmjadmin/ must be owned by syslog daemon user/group.
+#
+if $syslogfacility-text == 'local5' and $programname startswith 'mlmmjadmin' then -/var/log/mlmmjadmin/mlmmjadmin.log
+& stop
diff --git a/rsyslog.d/1-mail-phpfpm.conf b/rsyslog.d/1-mail-phpfpm.conf
new file mode 100644
index 0000000..f2920c2
--- /dev/null
+++ b/rsyslog.d/1-mail-phpfpm.conf
@@ -0,0 +1,3 @@
+# php-fpm
+if $syslogfacility-text == 'local5' and $syslogtag startswith 'php-fpm' then -/var/log/php-fpm/php-fpm.log
+& stop
diff --git a/shadow b/shadow
index 2998c41..1afd07a 100644
--- a/shadow
+++ b/shadow
@@ -30,3 +30,4 @@ dovecot:!:20101::::::
 dovenull:!:20101::::::
 redis:!:20101::::::
 _rspamd:!:20101::::::
+vmail:!:20102:0:99999:7:::
diff --git a/shadow- b/shadow-
index f95b719..2998c41 100644
--- a/shadow-
+++ b/shadow-
@@ -29,3 +29,4 @@ tcpdump:!:20101::::::
 dovecot:!:20101::::::
 dovenull:!:20101::::::
 redis:!:20101::::::
+_rspamd:!:20101::::::
diff --git a/subgid b/subgid
index f1ee3c1..7e3ecfa 100644
--- a/subgid
+++ b/subgid
@@ -1 +1,2 @@
 frank:100000:65536
+vmail:165536:65536
diff --git a/subgid- b/subgid-
index e69de29..f1ee3c1 100644
--- a/subgid-
+++ b/subgid-
@@ -0,0 +1 @@
+frank:100000:65536
diff --git a/subuid b/subuid
index f1ee3c1..7e3ecfa 100644
--- a/subuid
+++ b/subuid
@@ -1 +1,2 @@
 frank:100000:65536
+vmail:165536:65536
diff --git a/subuid- b/subuid-
index e69de29..f1ee3c1 100644
--- a/subuid-
+++ b/subuid-
@@ -0,0 +1 @@
+frank:100000:65536
-- 
2.39.5
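Review bot: `vmail:165536:65536` in `subuid`/`subgid` hands the mail-store service account a 65536-wide subordinate id range, which only matters for user namespaces (rootless containers) and is not something a `nologin` account that owns every mailbox should need; it was most likely added automatically because `vmail` was created as a regular uid-2000 user rather than a system account. Harmless today, but removing the two lines keeps the namespace-capable set limited to real users. The `shadow` entry `vmail:!:...` is correctly locked.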