engineering/ansible_role_mail
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(dovecot): replace template hashing with openssl command

Browse Source 
- Add `openssl` to the list of installed packages to ensure CLI availability.
- Introduce a new task to generate user password hashes using `openssl passwd -6` on the target host instead of relying on the Jinja2 `password_hash` filter.
- Update `dovecot-users.j2` template to utilize the registered output from the new OpenSSL task.
- This ensures consistent SHA512-CRYPT hash generation independent of the controller's Python environment or hashing libraries.
This commit is contained in:
Luciano Giacchetta
2026-02-10 18:10:01 -03:00
parent 589d3e0d12
commit e350a39a29
2 changed files with 17 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
tasks/main.yml
View File

@@ -57,7 +57,7 @@
- name: "DOVECOT | Install Dovecot packages"
when: dovecot_enabled | default(false)
ansible.builtin.apt:
name: "{{ ['dovecot-core', 'dovecot-imapd', 'dovecot-pop3d'] + (['dovecot-lmtpd'] if dovecot_postfix_lmtp_enable | default(false) else []) }}"
name: "{{ ['dovecot-core', 'dovecot-imapd', 'dovecot-pop3d', 'openssl'] + (['dovecot-lmtpd'] if dovecot_postfix_lmtp_enable | default(false) else []) }}"
state: present
tags:
- dovecot_install
@@ -108,6 +108,18 @@
tags:
- dovecot_config
- name: "DOVECOT | Generate user password hashes"
when: dovecot_enabled | default(false) and dovecot_users | length > 0
ansible.builtin.command:
cmd: "openssl passwd -6 -salt {{ dovecot_token_value | quote }} {{ (dovecot_token_value + item.pass) | quote }}"
loop: "{{ dovecot_users }}"
register: dovecot_user_hashes
changed_when: false
vars:
dovecot_token_value: "{{ dovecot_token_file['content'] | b64decode | trim }}"
tags:
- dovecot_config
- name: "DOVECOT | Create users password file"
when: dovecot_enabled | default(false)
ansible.builtin.template:

6
templates/dovecot-users.j2
View File

@@ -1,6 +1,8 @@
# Dovecot users file
# Ansible managed: {{ ansible_managed }}
# user:{scheme}hash:uid:gid:gecos:home:shell:extra_fields
{% for user in dovecot_users %}
{{ user.name }}:{SHA512-CRYPT}{{ (dovecot_token_value + user.pass) | password_hash('sha512', dovecot_token_value) }}::::::
{% if dovecot_user_hashes.results is defined %}
{% for res in dovecot_user_hashes.results %}
{{ res.item.name }}:{SHA512-CRYPT}{{ res.stdout | trim }}::::::
{% endfor %}
{% endif %}