From 87ce53d1d307a2560f1d874cdc17e31722408d3a Mon Sep 17 00:00:00 2001
From: Luciano Giacchetta <luciano@gianet.us>
Date: Tue, 10 Feb 2026 17:24:59 -0300
Subject: [PATCH] feat: add support for Dovecot IMAP/POP3 configuration

Introduces functionality to install and configure Dovecot alongside Postfix to provide IMAP/POP3 services.

Changes include:
- Added tasks to install Dovecot packages (core, imapd, pop3d, lmtpd).
- Added templates for main configuration and conf.d files (auth, master, ssl, mail).
- Defined default variables for protocols, SSL settings, and Maildir location.
- Enabled Postfix SASL and LMTP integration options.
- Added a handler to restart the Dovecot service.
- Updated README.md with the new configuration variables and usage instructions.
---
 .ansible/.lock              |  0
 README.md                   | 16 ++++++++++++
 defaults/main.yml           | 26 ++++++++++++++++++-
 handlers/main.yml           |  5 ++++
 tasks/main.yml              | 39 +++++++++++++++++++++++++++-
 templates/10-auth.conf.j2   |  7 +++++
 templates/10-mail.conf.j2   |  7 +++++
 templates/10-master.conf.j2 | 51 +++++++++++++++++++++++++++++++++++++
 templates/10-ssl.conf.j2    |  6 +++++
 templates/dovecot.conf.j2   |  7 +++++
 templates/main.cf.j2        | 18 +++++++++++++
 tests/test.yml              |  2 +-
 12 files changed, 181 insertions(+), 3 deletions(-)
 create mode 100644 .ansible/.lock
 create mode 100644 templates/10-auth.conf.j2
 create mode 100644 templates/10-mail.conf.j2
 create mode 100644 templates/10-master.conf.j2
 create mode 100644 templates/10-ssl.conf.j2
 create mode 100644 templates/dovecot.conf.j2

diff --git a/.ansible/.lock b/.ansible/.lock
new file mode 100644
index 0000000..e69de29
diff --git a/README.md b/README.md
index eaf998e..c65da5b 100644
--- a/README.md
+++ b/README.md
@@ -37,6 +37,22 @@ The role's behavior can be customized using the following variables. The default
 | postfix_inet_interfaces | all | The network interfaces Postfix listens on. Set to loopback-only to only accept mail from the server itself. |
 | postfix_inet_protocols | all | The IP protocols to use (ipv4, ipv6, or all). |
 
+### **Dovecot Configuration**
+
+The role now supports installing and configuring Dovecot for IMAP/POP3 services.
+
+| Variable | Default Value | Description |
+| :---- | :---- | :---- |
+| dovecot_enabled | true | Whether to install and configure Dovecot. |
+| dovecot_protocols | "imap pop3 lmtp" | Protocols to enable. |
+| dovecot_mail_location | "maildir:~/Maildir" | Mail storage location. |
+| dovecot_ssl | "yes" | SSL/TLS configuration (yes, no, required). |
+| dovecot_ssl_cert | snakeoil | Path to SSL certificate. |
+| dovecot_ssl_key | snakeoil | Path to SSL key. |
+| dovecot_auth_mechanisms | "plain login" | Authentication mechanisms. |
+| dovecot_postfix_sasl_enable | true | Enable Postfix SASL authentication via Dovecot. |
+| dovecot_postfix_lmtp_enable | true | Enable Postfix delivery via Dovecot LMTP. |
+
 ### **SASL Authentication**
 
 SASL authentication for the smarthost is **automatically enabled** if both postfix_relayhost_user and postfix_relayhost_password are defined. If they are not defined, Postfix will attempt to send mail without authentication.
diff --git a/defaults/main.yml b/defaults/main.yml
index 4a95e62..b6ad1c6 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -34,4 +34,28 @@ postfix_relayhost: ""
 # Optional credentials for the relayhost. If these are defined,
 # SASL authentication will be automatically configured.
 # postfix_relayhost_user: "apikey"
-# postfix_relayhost_password: "YourVeryLongAndComplexApiKey"
\ No newline at end of file
+# postfix_relayhost_password: "YourVeryLongAndComplexApiKey"
+
+# --- Dovecot Configuration ---
+
+# Whether to install and configure Dovecot
+dovecot_enabled: true
+
+# Protocols to enable (imap, pop3, lmtp)
+dovecot_protocols: "imap pop3 lmtp"
+
+# Mail storage location. Using Maildir in the user's home directory.
+dovecot_mail_location: "maildir:~/Maildir"
+
+# SSL/TLS configuration
+# Use 'yes', 'no' or 'required'. 'required' is recommended for production.
+dovecot_ssl: "yes"
+dovecot_ssl_cert: "</etc/ssl/certs/ssl-cert-snakeoil.pem"
+dovecot_ssl_key: "</etc/ssl/private/ssl-cert-snakeoil.key"
+
+# Authentication mechanisms
+dovecot_auth_mechanisms: "plain login"
+
+# Postfix integration
+dovecot_postfix_sasl_enable: true
+dovecot_postfix_lmtp_enable: true
\ No newline at end of file
diff --git a/handlers/main.yml b/handlers/main.yml
index bf37d43..59b226e 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -2,4 +2,9 @@
 - name: Restart Postfix
   ansible.builtin.service:
     name: postfix
+    state: restarted
+
+- name: Restart Dovecot
+  ansible.builtin.service:
+    name: dovecot
     state: restarted
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index e24e5df..cf78e64 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -52,4 +52,41 @@
       notify: Restart Postfix
   tags:
     - postfix_config
-    - postfix_smarthost
\ No newline at end of file
+    - postfix_smarthost
+
+- name: "DOVECOT | Install Dovecot packages"
+  when: dovecot_enabled | default(false)
+  ansible.builtin.apt:
+    name: "{{ ['dovecot-core', 'dovecot-imapd', 'dovecot-pop3d'] + (['dovecot-lmtpd'] if dovecot_postfix_lmtp_enable | default(false) else []) }}"
+    state: present
+  tags:
+    - dovecot_install
+
+- name: "DOVECOT | Configure dovecot.conf"
+  when: dovecot_enabled | default(false)
+  ansible.builtin.template:
+    src: dovecot.conf.j2
+    dest: /etc/dovecot/dovecot.conf
+    owner: root
+    group: dovecot
+    mode: '0644'
+  notify: Restart Dovecot
+  tags:
+    - dovecot_config
+
+- name: "DOVECOT | Configure conf.d files"
+  when: dovecot_enabled | default(false)
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "/etc/dovecot/conf.d/{{ item.dest }}"
+    owner: root
+    group: dovecot
+    mode: '0644'
+  loop:
+    - { src: '10-auth.conf.j2', dest: '10-auth.conf' }
+    - { src: '10-master.conf.j2', dest: '10-master.conf' }
+    - { src: '10-ssl.conf.j2', dest: '10-ssl.conf' }
+    - { src: '10-mail.conf.j2', dest: '10-mail.conf' }
+  notify: Restart Dovecot
+  tags:
+    - dovecot_config
\ No newline at end of file
diff --git a/templates/10-auth.conf.j2 b/templates/10-auth.conf.j2
new file mode 100644
index 0000000..007ce56
--- /dev/null
+++ b/templates/10-auth.conf.j2
@@ -0,0 +1,7 @@
+# Dovecot authentication configuration
+# Ansible managed: {{ ansible_managed }}
+
+disable_plaintext_auth = {{ 'yes' if dovecot_ssl == 'required' else 'no' }}
+auth_mechanisms = {{ dovecot_auth_mechanisms }}
+
+!include auth-system.conf.ext
diff --git a/templates/10-mail.conf.j2 b/templates/10-mail.conf.j2
new file mode 100644
index 0000000..640586a
--- /dev/null
+++ b/templates/10-mail.conf.j2
@@ -0,0 +1,7 @@
+# Dovecot mail location configuration
+# Ansible managed: {{ ansible_managed }}
+
+mail_location = {{ dovecot_mail_location }}
+namespace inbox {
+  inbox = yes
+}
diff --git a/templates/10-master.conf.j2 b/templates/10-master.conf.j2
new file mode 100644
index 0000000..6f70385
--- /dev/null
+++ b/templates/10-master.conf.j2
@@ -0,0 +1,51 @@
+# Dovecot master configuration
+# Ansible managed: {{ ansible_managed }}
+
+service imap-login {
+  inet_listener imap {
+    port = 143
+  }
+  inet_listener imaps {
+    port = 993
+    ssl = yes
+  }
+}
+
+service pop3-login {
+  inet_listener pop3 {
+    port = 110
+  }
+  inet_listener pop3s {
+    port = 995
+    ssl = yes
+  }
+}
+
+service lmtp {
+  unix_listener /var/spool/postfix/private/dovecot-lmtp {
+    mode = 0600
+    user = postfix
+    group = postfix
+  }
+}
+
+service auth {
+  unix_listener /var/spool/postfix/private/auth {
+    mode = 0660
+    user = postfix
+    group = postfix
+  }
+
+  unix_listener auth-userdb {
+    mode = 0600
+    user = vmail
+  }
+}
+
+service auth-worker {
+}
+
+service dict {
+  unix_listener dict {
+  }
+}
diff --git a/templates/10-ssl.conf.j2 b/templates/10-ssl.conf.j2
new file mode 100644
index 0000000..c74e1f2
--- /dev/null
+++ b/templates/10-ssl.conf.j2
@@ -0,0 +1,6 @@
+# Dovecot SSL configuration
+# Ansible managed: {{ ansible_managed }}
+
+ssl = {{ dovecot_ssl }}
+ssl_cert = {{ dovecot_ssl_cert }}
+ssl_key = {{ dovecot_ssl_key }}
diff --git a/templates/dovecot.conf.j2 b/templates/dovecot.conf.j2
new file mode 100644
index 0000000..49e85b1
--- /dev/null
+++ b/templates/dovecot.conf.j2
@@ -0,0 +1,7 @@
+# Dovecot configuration file
+# Ansible managed: {{ ansible_managed }}
+
+protocols = {{ dovecot_protocols }}
+
+# Dictionary of configuration files
+!include conf.d/*.conf
diff --git a/templates/main.cf.j2 b/templates/main.cf.j2
index cab9889..df24ecf 100644
--- a/templates/main.cf.j2
+++ b/templates/main.cf.j2
@@ -48,3 +48,21 @@ smtp_tls_security_level = may
 # Other settings
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
+
+# Dovecot Integration
+{% if dovecot_enabled | default(false) %}
+# Use Maildir format
+home_mailbox = Maildir/
+
+{% if dovecot_postfix_sasl_enable | default(false) %}
+# SASL Authentication via Dovecot
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes
+{% endif %}
+
+{% if dovecot_postfix_lmtp_enable | default(false) %}
+# Delivery via LMTP
+mailbox_transport = lmtp:unix:private/dovecot-lmtp
+{% endif %}
+{% endif %}
diff --git a/tests/test.yml b/tests/test.yml
index bf8503c..42a1ba3 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -2,4 +2,4 @@
 - hosts: localhost
   remote_user: root
   roles:
-    - ansible_role_mailserver
+    - ansible_role_mail