vbezhenar.com host configuration

Introduction

This page describes vbezhenar.com host configuration including every configuration file and command. You're free to use anything anywhere if you find it useful. I'm using this server for:

Some interactions between different daemons might be quite tricky and it took me a while to figure out everything, so I hope that this information might help someone out there.

Email access is provided via IMAPS on port 993. Email sending is provided via SMTPS on port 465. Ham/spam auto-learning is implemented when user moves email from/to Junk IMAP folder.

IPv6 access is limited to SMTP, HTTP and HTTPS, because I'm not using IPv6 on my client devices.

I'm using Debian 10 buster minimal installation with "System Tools" option selected as a base. I'm saving every typed command and every changed configuration file with my backup scripts, so the following information was auto-generated from this data. If you find any inconsistencies or serious issues, feel free to email me at me@vbezhenar.com.

DNS configuration

It is necessary to configure quite a few DNS records to send and receive email. I'm using free Cloudflare DNS hosting. I exported my DNS records from Cloudflare DNS management page and included relevant records. You might not need all of them.

dav.vbezhenar.com.			86400	IN	A	5.255.96.43
jupi.vbezhenar.com.			86400	IN	A	5.255.96.43
mta-sts.vbezhenar.com.			86400	IN	A	5.255.96.43
vbezhenar.com.				86400	IN	A	5.255.96.43
www.vbezhenar.com.			86400	IN	A	5.255.96.43

dav.vbezhenar.com.			86400	IN	AAAA	2a04:52c0:101:56c::b45a
jupi.vbezhenar.com.			86400	IN	AAAA	2a04:52c0:101:56c::b45a
mta-sts.vbezhenar.com.			86400	IN	AAAA	2a04:52c0:101:56c::b45a
vbezhenar.com.				86400	IN	AAAA	2a04:52c0:101:56c::b45a
www.vbezhenar.com.			86400	IN	AAAA	2a04:52c0:101:56c::b45a

vbezhenar.com.				86400	IN	CAA	0 issue "letsencrypt.org"

vbezhenar.com.				86400	IN	MX	1 jupi.vbezhenar.com.

default._bimi.vbezhenar.com.		86400	IN	TXT	"v=BIMI1; l=https://vbezhenar.com/favicon.svg"
default._domainkey.vbezhenar.com.	86400	IN	TXT	"v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuNJTJdDvesYEIHklBtr2hNTVJfqoe0o3iKyi5gh7nEBrv8x1aKnGFlk3tU66035MwPggxzCJvNR0ZuEZuFkhRo3R94Bwul22ub3sE2HWzkxqYXQe+M7wSvfU0gxgTQKpX3lGavuFeeQDC+az0NLj3KXaN3fWljot0AsctRVrSGbliTie6xHMTmlWDil2wuxWVqlzhKuhmDNz/6J/F+d3NqNhnoGEdEHyv5wImMjz9WXbnYnVW85GiILCGKkwT4i/qs+ex0oTPxuXNKaW7A6yGFhZB8jDrTSR8ZLdclNGr987wOHy/GiR0BwpZ0KRs41ZN1/jok8TzPYII0BBNnF4vwIDAQAB"
_dmarc.vbezhenar.com.			86400	IN	TXT	"v=DMARC1;p=reject;adkim=s;aspf=s"
_mta-sts.vbezhenar.com.			86400	IN	TXT	"v=STSv1;id=20200910"
vbezhenar.com.				86400	IN	TXT	"v=spf1 ip4:5.255.96.43 ip6:2a04:52c0:101:56c::b45a -all"

System configuration

Edit /etc/systemd/journald.conf (, , )
--- /root/backup/orig/etc/systemd/journald.conf	2020-04-27 19:02:57.000000000 +0200
+++ /etc/systemd/journald.conf	2020-09-13 22:42:05.618501914 +0200
@@ -12,7 +12,7 @@
 # See journald.conf(5) for details.
 
 [Journal]
-#Storage=auto
+Storage=persistent
 #Compress=yes
 #Seal=yes
 #SplitMode=uid
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See journald.conf(5) for details.

[Journal]
#Storage=auto
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
#RateLimitBurst=10000
#SystemMaxUse=
#SystemKeepFree=
#SystemMaxFileSize=
#SystemMaxFiles=100
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#RuntimeMaxFiles=100
#MaxRetentionSec=
#MaxFileSec=1month
#ForwardToSyslog=yes
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug
#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
#LineMax=48K
#ReadKMsg=yes
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See journald.conf(5) for details.

[Journal]
Storage=persistent
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
#RateLimitBurst=10000
#SystemMaxUse=
#SystemKeepFree=
#SystemMaxFileSize=
#SystemMaxFiles=100
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#RuntimeMaxFiles=100
#MaxRetentionSec=
#MaxFileSec=1month
#ForwardToSyslog=yes
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug
#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
#LineMax=48K
#ReadKMsg=yes
Create or replace file /etc/network/interfaces -rw-r--r-- root:root
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug ens3
iface ens3 inet static
	address 5.255.96.43/24
	gateway 5.255.96.1
	# dns-* options are implemented by the resolvconf package, if installed
	dns-nameservers 185.31.172.240 89.188.29.4
	dns-search vbezhenar.com

iface ens3 inet static
	address 172.28.67.1/32

iface ens3 inet6 static
	address 2a04:52c0:101:56c::b45a/64
	pointopoint 2a04:52c0:101::1
	gateway 2a04:52c0:101::1
Edit /etc/sysctl.conf (, , )
--- /root/backup/orig/etc/sysctl.conf	2018-05-31 11:42:46.000000000 +0200
+++ /etc/sysctl.conf	2020-09-13 22:58:18.433813316 +0200
@@ -25,7 +25,7 @@
 #net.ipv4.tcp_syncookies=1
 
 # Uncomment the next line to enable packet forwarding for IPv4
-#net.ipv4.ip_forward=1
+net.ipv4.ip_forward=1
 
 # Uncomment the next line to enable packet forwarding for IPv6
 #  Enabling this option disables Stateless Address Autoconfiguration
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

###################################################################
# Magic system request Key
# 0=disable, 1=enable all, >1 bitmask of sysrq functions
# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
# for what other values do
#kernel.sysrq=438

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

###################################################################
# Magic system request Key
# 0=disable, 1=enable all, >1 bitmask of sysrq functions
# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
# for what other values do
#kernel.sysrq=438

Execute
root@jupi:~# apt install nftables
Create or replace file /etc/nftables.conf -rwxr-xr-x root:root
#!/usr/sbin/nft -f

flush ruleset

table ip filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iif "lo" accept
		ct state established,related accept
		ip protocol esp accept
		icmp type echo-request accept
		udp dport { isakmp, ipsec-nat-t } accept
		ip saddr 172.28.67.0/24 udp dport domain accept
		tcp dport { ssh, smtp, http, https, 465, imaps } ct state new accept
	}
}

table ip6 filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iif "lo" accept
		ct state established,related accept
		ip6 nexthdr icmpv6 accept
		tcp dport { smtp, http, https } ct state new accept
	}
}

table ip nat {
	chain prerouting {
		type nat hook prerouting priority 0;
	}
	chain postrouting {
		type nat hook postrouting priority 0;
		oif "ens3" ip saddr 172.28.67.0/24 snat 5.255.96.43
	}
}
Execute
root@jupi:~# /etc/nftables.conf
root@jupi:~# systemctl enable nftables.service

Additional utilities

Execute
root@jupi:~# apt install patch tmux vim
Create or replace file /root/.tmux.conf -rw-r--r-- root:root
set-option -g prefix `
unbind-key c-b
bind-key ` send-prefix
set-option -g mouse on
Edit /root/.bashrc (, , )
--- /root/backup/orig/root/.bashrc	2010-01-31 12:52:26.000000000 +0100
+++ /root/.bashrc	2020-09-13 23:06:20.078081659 +0200
@@ -6,9 +6,9 @@
 # umask 022
 
 # You may uncomment the following lines if you want `ls' to be colorized:
-# export LS_OPTIONS='--color=auto'
-# eval "`dircolors`"
-# alias ls='ls $LS_OPTIONS'
+export LS_OPTIONS='--color=auto'
+eval "`dircolors`"
+alias ls='ls $LS_OPTIONS'
 # alias ll='ls $LS_OPTIONS -l'
 # alias l='ls $LS_OPTIONS -lA'
 #
# ~/.bashrc: executed by bash(1) for non-login shells.

# Note: PS1 and umask are already set in /etc/profile. You should not
# need this unless you want different defaults for root.
# PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
# umask 022

# You may uncomment the following lines if you want `ls' to be colorized:
# export LS_OPTIONS='--color=auto'
# eval "`dircolors`"
# alias ls='ls $LS_OPTIONS'
# alias ll='ls $LS_OPTIONS -l'
# alias l='ls $LS_OPTIONS -lA'
#
# Some more alias to avoid making mistakes:
# alias rm='rm -i'
# alias cp='cp -i'
# alias mv='mv -i'
# ~/.bashrc: executed by bash(1) for non-login shells.

# Note: PS1 and umask are already set in /etc/profile. You should not
# need this unless you want different defaults for root.
# PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
# umask 022

# You may uncomment the following lines if you want `ls' to be colorized:
export LS_OPTIONS='--color=auto'
eval "`dircolors`"
alias ls='ls $LS_OPTIONS'
# alias ll='ls $LS_OPTIONS -l'
# alias l='ls $LS_OPTIONS -lA'
#
# Some more alias to avoid making mistakes:
# alias rm='rm -i'
# alias cp='cp -i'
# alias mv='mv -i'
Edit /etc/vim/vimrc (, , )
--- /root/backup/orig/etc/vim/vimrc	2019-06-15 18:41:15.000000000 +0200
+++ /etc/vim/vimrc	2020-09-13 23:07:39.122269771 +0200
@@ -27,7 +27,7 @@
 
 " If using a dark background within the editing area and syntax highlighting
 " turn on this option as well
-"set background=dark
+set background=dark
 
 " Uncomment the following to have Vim jump to the last position when
 " reopening a file
" All system-wide defaults are set in $VIMRUNTIME/debian.vim and sourced by
" the call to :runtime you can find below.  If you wish to change any of those
" settings, you should do it in this file (/etc/vim/vimrc), since debian.vim
" will be overwritten everytime an upgrade of the vim packages is performed.
" It is recommended to make changes after sourcing debian.vim since it alters
" the value of the 'compatible' option.

" This line should not be removed as it ensures that various options are
" properly set to work with the Vim-related packages available in Debian.
runtime! debian.vim

" Vim will load $VIMRUNTIME/defaults.vim if the user does not have a vimrc.
" This happens after /etc/vim/vimrc(.local) are loaded, so it will override
" any settings in these files.
" If you don't want that to happen, uncomment the below line to prevent
" defaults.vim from being loaded.
" let g:skip_defaults_vim = 1

" Uncomment the next line to make Vim more Vi-compatible
" NOTE: debian.vim sets 'nocompatible'.  Setting 'compatible' changes numerous
" options, so any other options should be set AFTER setting 'compatible'.
"set compatible

" Vim5 and later versions support syntax highlighting. Uncommenting the next
" line enables syntax highlighting by default.
"syntax on

" If using a dark background within the editing area and syntax highlighting
" turn on this option as well
"set background=dark

" Uncomment the following to have Vim jump to the last position when
" reopening a file
"au BufReadPost * if line("'\"") > 1 && line("'\"") <= line("$") | exe "normal! g'\"" | endif

" Uncomment the following to have Vim load indentation rules and plugins
" according to the detected filetype.
"filetype plugin indent on

" The following are commented out as they cause vim to behave a lot
" differently from regular Vi. They are highly recommended though.
"set showcmd		" Show (partial) command in status line.
"set showmatch		" Show matching brackets.
"set ignorecase		" Do case insensitive matching
"set smartcase		" Do smart case matching
"set incsearch		" Incremental search
"set autowrite		" Automatically save before commands like :next and :make
"set hidden		" Hide buffers when they are abandoned
"set mouse=a		" Enable mouse usage (all modes)

" Source a global configuration file if available
if filereadable("/etc/vim/vimrc.local")
  source /etc/vim/vimrc.local
endif

" All system-wide defaults are set in $VIMRUNTIME/debian.vim and sourced by
" the call to :runtime you can find below.  If you wish to change any of those
" settings, you should do it in this file (/etc/vim/vimrc), since debian.vim
" will be overwritten everytime an upgrade of the vim packages is performed.
" It is recommended to make changes after sourcing debian.vim since it alters
" the value of the 'compatible' option.

" This line should not be removed as it ensures that various options are
" properly set to work with the Vim-related packages available in Debian.
runtime! debian.vim

" Vim will load $VIMRUNTIME/defaults.vim if the user does not have a vimrc.
" This happens after /etc/vim/vimrc(.local) are loaded, so it will override
" any settings in these files.
" If you don't want that to happen, uncomment the below line to prevent
" defaults.vim from being loaded.
" let g:skip_defaults_vim = 1

" Uncomment the next line to make Vim more Vi-compatible
" NOTE: debian.vim sets 'nocompatible'.  Setting 'compatible' changes numerous
" options, so any other options should be set AFTER setting 'compatible'.
"set compatible

" Vim5 and later versions support syntax highlighting. Uncommenting the next
" line enables syntax highlighting by default.
"syntax on

" If using a dark background within the editing area and syntax highlighting
" turn on this option as well
set background=dark

" Uncomment the following to have Vim jump to the last position when
" reopening a file
"au BufReadPost * if line("'\"") > 1 && line("'\"") <= line("$") | exe "normal! g'\"" | endif

" Uncomment the following to have Vim load indentation rules and plugins
" according to the detected filetype.
"filetype plugin indent on

" The following are commented out as they cause vim to behave a lot
" differently from regular Vi. They are highly recommended though.
"set showcmd		" Show (partial) command in status line.
"set showmatch		" Show matching brackets.
"set ignorecase		" Do case insensitive matching
"set smartcase		" Do smart case matching
"set incsearch		" Incremental search
"set autowrite		" Automatically save before commands like :next and :make
"set hidden		" Hide buffers when they are abandoned
"set mouse=a		" Enable mouse usage (all modes)

" Source a global configuration file if available
if filereadable("/etc/vim/vimrc.local")
  source /etc/vim/vimrc.local
endif

Apache HTTP Server

Install HTTP-only server for now

Execute
root@jupi:~# apt install apache2

Install certbot and get letsencrypt-signed certificate using HTTP challenge

Execute
root@jupi:~# apt install certbot
root@jupi:~# certbot certonly --reuse-key --webroot --webroot-path /var/www/html -d vbezhenar.com -d www.vbezhenar.com -d jupi.vbezhenar.com -d dav.vbezhenar.com -d mta-sts.vbezhenar.com
Create or replace file /etc/letsencrypt/renewal-hooks/deploy/restart-services.sh -rwxr-xr-x root:root
#!/bin/sh
/usr/bin/systemctl reload apache2.service strongswan-swanctl.service dovecot.service postfix.service

Configure HTTPS and finish Apache configuration

Execute
root@jupi:~# systemctl stop apache2.service
root@jupi:~# a2enmod dav_fs
root@jupi:~# a2enmod headers
root@jupi:~# a2enmod http2
root@jupi:~# a2enmod ssl
Edit /etc/apache2/mods-available/ssl.conf (, , )
--- /root/backup/orig/etc/apache2/mods-available/ssl.conf	2020-08-08 09:47:06.000000000 +0200
+++ /etc/apache2/mods-available/ssl.conf	2020-09-13 23:27:50.750593001 +0200
@@ -56,7 +56,7 @@
 	#   ciphers(1) man page from the openssl package for list of all available
 	#   options.
 	#   Enable only secure ciphers:
-	SSLCipherSuite HIGH:!aNULL
+	SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 
 	# SSL server cipher order preference:
 	# Use server priorities for cipher algorithm choice.
@@ -70,7 +70,7 @@
 	#   The protocols to enable.
 	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
 	#   SSL v2  is no longer supported
-	SSLProtocol all -SSLv3
+	SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
 
 	#   Allow insecure renegotiation with clients which do not yet support the
 	#   secure renegotiation protocol. Default: Off
@@ -80,6 +80,9 @@
 	#   Default: Off
 	#SSLStrictSNIVHostCheck On
 
+	SSLSessionTickets off
+	SSLUseStapling On
+	SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling_cache(32768)
 </IfModule>
 
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<IfModule mod_ssl.c>

	# Pseudo Random Number Generator (PRNG):
	# Configure one or more sources to seed the PRNG of the SSL library.
	# The seed data should be of good random quality.
	# WARNING! On some platforms /dev/random blocks if not enough entropy
	# is available. This means you then cannot use the /dev/random device
	# because it would lead to very long connection times (as long as
	# it requires to make more entropy available). But usually those
	# platforms additionally provide a /dev/urandom device which doesn't
	# block. So, if available, use this one instead. Read the mod_ssl User
	# Manual for more details.
	#
	SSLRandomSeed startup builtin
	SSLRandomSeed startup file:/dev/urandom 512
	SSLRandomSeed connect builtin
	SSLRandomSeed connect file:/dev/urandom 512

	##
	##  SSL Global Context
	##
	##  All SSL configuration in this context applies both to
	##  the main server and all SSL-enabled virtual hosts.
	##

	#
	#   Some MIME-types for downloading Certificates and CRLs
	#
	AddType application/x-x509-ca-cert .crt
	AddType application/x-pkcs7-crl	.crl

	#   Pass Phrase Dialog:
	#   Configure the pass phrase gathering process.
	#   The filtering dialog program (`builtin' is a internal
	#   terminal dialog) has to provide the pass phrase on stdout.
	SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase

	#   Inter-Process Session Cache:
	#   Configure the SSL Session Cache: First the mechanism 
	#   to use and second the expiring timeout (in seconds).
	#   (The mechanism dbm has known memory leaks and should not be used).
	#SSLSessionCache		 dbm:${APACHE_RUN_DIR}/ssl_scache
	SSLSessionCache		shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
	SSLSessionCacheTimeout  300

	#   Semaphore:
	#   Configure the path to the mutual exclusion semaphore the
	#   SSL engine uses internally for inter-process synchronization. 
	#   (Disabled by default, the global Mutex directive consolidates by default
	#   this)
	#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache


	#   SSL Cipher Suite:
	#   List the ciphers that the client is permitted to negotiate. See the
	#   ciphers(1) man page from the openssl package for list of all available
	#   options.
	#   Enable only secure ciphers:
	SSLCipherSuite HIGH:!aNULL

	# SSL server cipher order preference:
	# Use server priorities for cipher algorithm choice.
	# Clients may prefer lower grade encryption.  You should enable this
	# option if you want to enforce stronger encryption, and can afford
	# the CPU cost, and did not override SSLCipherSuite in a way that puts
	# insecure ciphers first.
	# Default: Off
	#SSLHonorCipherOrder on

	#   The protocols to enable.
	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
	#   SSL v2  is no longer supported
	SSLProtocol all -SSLv3

	#   Allow insecure renegotiation with clients which do not yet support the
	#   secure renegotiation protocol. Default: Off
	#SSLInsecureRenegotiation on

	#   Whether to forbid non-SNI clients to access name based virtual hosts.
	#   Default: Off
	#SSLStrictSNIVHostCheck On

</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<IfModule mod_ssl.c>

	# Pseudo Random Number Generator (PRNG):
	# Configure one or more sources to seed the PRNG of the SSL library.
	# The seed data should be of good random quality.
	# WARNING! On some platforms /dev/random blocks if not enough entropy
	# is available. This means you then cannot use the /dev/random device
	# because it would lead to very long connection times (as long as
	# it requires to make more entropy available). But usually those
	# platforms additionally provide a /dev/urandom device which doesn't
	# block. So, if available, use this one instead. Read the mod_ssl User
	# Manual for more details.
	#
	SSLRandomSeed startup builtin
	SSLRandomSeed startup file:/dev/urandom 512
	SSLRandomSeed connect builtin
	SSLRandomSeed connect file:/dev/urandom 512

	##
	##  SSL Global Context
	##
	##  All SSL configuration in this context applies both to
	##  the main server and all SSL-enabled virtual hosts.
	##

	#
	#   Some MIME-types for downloading Certificates and CRLs
	#
	AddType application/x-x509-ca-cert .crt
	AddType application/x-pkcs7-crl	.crl

	#   Pass Phrase Dialog:
	#   Configure the pass phrase gathering process.
	#   The filtering dialog program (`builtin' is a internal
	#   terminal dialog) has to provide the pass phrase on stdout.
	SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase

	#   Inter-Process Session Cache:
	#   Configure the SSL Session Cache: First the mechanism 
	#   to use and second the expiring timeout (in seconds).
	#   (The mechanism dbm has known memory leaks and should not be used).
	#SSLSessionCache		 dbm:${APACHE_RUN_DIR}/ssl_scache
	SSLSessionCache		shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
	SSLSessionCacheTimeout  300

	#   Semaphore:
	#   Configure the path to the mutual exclusion semaphore the
	#   SSL engine uses internally for inter-process synchronization. 
	#   (Disabled by default, the global Mutex directive consolidates by default
	#   this)
	#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache


	#   SSL Cipher Suite:
	#   List the ciphers that the client is permitted to negotiate. See the
	#   ciphers(1) man page from the openssl package for list of all available
	#   options.
	#   Enable only secure ciphers:
	SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

	# SSL server cipher order preference:
	# Use server priorities for cipher algorithm choice.
	# Clients may prefer lower grade encryption.  You should enable this
	# option if you want to enforce stronger encryption, and can afford
	# the CPU cost, and did not override SSLCipherSuite in a way that puts
	# insecure ciphers first.
	# Default: Off
	#SSLHonorCipherOrder on

	#   The protocols to enable.
	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
	#   SSL v2  is no longer supported
	SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

	#   Allow insecure renegotiation with clients which do not yet support the
	#   secure renegotiation protocol. Default: Off
	#SSLInsecureRenegotiation on

	#   Whether to forbid non-SNI clients to access name based virtual hosts.
	#   Default: Off
	#SSLStrictSNIVHostCheck On

	SSLSessionTickets off
	SSLUseStapling On
	SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling_cache(32768)
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Configure DAV and MTA-STS

Execute
root@jupi:~# install --group=www-data --mode=640 /dev/null /var/www/dav.passwd
root@jupi:~# install --group=www-data --mode=770 --directory /var/www/dav
root@jupi:~# htpasswd -B /var/www/dav.passwd vbezhenar
Create or replace file /var/www/html/.well-known/mta-sts.txt -rw-r--r-- vbezhenar:vbezhenar
version: STSv1
mode: enforce
mx: jupi.vbezhenar.com
max_age: 31536000
Execute
root@jupi:~# systemctl start apache2.service

Unbound

Execute
root@jupi:~# apt install unbound
root@jupi:~# systemctl stop unbound.service
root@jupi:~# rm -r /etc/unbound/unbound.conf.d
Create or replace file /etc/unbound/adservers-exclude-patterns.conf -rw-r--r-- root:root
googleadservices\.com$
Create or replace file /etc/unbound/adservers-include.conf -rw-r--r-- root:root
jivosite.com
Create or replace file /etc/unbound/unbound.conf -rw-r--r-- root:root
server:
	directory: /etc/unbound
	username: unbound
	pidfile: /run/unbound.pid
	interface: 172.28.67.1
	access-control: 172.28.67.0/24 allow
	cache-min-ttl: 3600
	do-tcp: no
	root-hints: named.root
	auto-trust-anchor-file: "/var/lib/unbound/root.key"
	prefetch: yes

include: adservers.conf

remote-control:
	control-enable: yes
Create or replace file /etc/cron.daily/unbound -rwxr-xr-x root:root
#!/bin/sh

/usr/bin/wget -q -O /etc/unbound/named.root.new https://www.internic.net/domain/named.root && \
	/usr/bin/mv /etc/unbound/named.root.new /etc/unbound/named.root

/usr/bin/wget -q -O - https://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml | \
	/usr/bin/grep -v -f /etc/unbound/adservers-exclude-patterns.conf | \
	/usr/bin/cat - /etc/unbound/adservers-include.conf | \
	/usr/bin/awk '{ print "local-zone: \"" $0 "\" static" }' > /etc/unbound/adservers.conf.new && \
	/usr/bin/mv /etc/unbound/adservers.conf.new /etc/unbound/adservers.conf

systemctl reload unbound.service
Execute
root@jupi:~# /etc/cron.daily/unbound
root@jupi:~# systemctl start unbound.service

Strongswan

Execute
root@jupi:~# apt install charon-systemd libcharon-extra-plugins
root@jupi:~# systemctl stop strongswan-swanctl.service
Create or replace file /etc/swanctl/swanctl.conf -rw-r--r-- root:root
connections {
        vpn {
                version = 2
                proposals = aes256-sha256-modp2048,aes256-sha256-modp1024
                send_certreq = no
                send_cert = always
                pools = ipv4
                local {
                        certs = vbezhenar.com-cert.pem
                        id = jupi.vbezhenar.com
                }
                remote {
                        eap_id = %any
                        auth = eap-mschapv2
                }
                children {
                        client {
                                esp_proposals = aes256-sha256,aes256-sha1
                                local_ts = 0.0.0.0/0
                        }
                }
        }
}

secrets {
        eap_vbezhenar_pc {
                id = vbezhenar_pc
                secret = ********
        }
        eap_vbezhenar_iphone8 {
                id = vbezhenar_iphone8
                secret = ********
        }
        private_vbezhenar_com {
                file = vbezhenar.com-privkey.pem
        }
}

pools {
        ipv4 {
                addrs = 172.28.67.2/24
                dns = 172.28.67.1
        }
}
Execute
root@jupi:~# cp /etc/letsencrypt/live/vbezhenar.com/privkey.pem /etc/swanctl/private/vbezhenar.com-privkey.pem
root@jupi:~# ln -s /etc/letsencrypt/live/vbezhenar.com/cert.pem /etc/swanctl/x509/vbezhenar.com-cert.pem
root@jupi:~# ln -s /etc/letsencrypt/live/vbezhenar.com/chain.pem /etc/swanctl/x509ca/vbezhenar.com-chain.pem
root@jupi:~# systemctl start strongswan-swanctl.service

Spamassassin

Execute
root@jupi:~# apt install spamassassin
Edit /etc/default/spamassassin (, , )
--- /root/backup/orig/etc/default/spamassassin	2020-01-30 17:50:54.000000000 +0100
+++ /etc/default/spamassassin	2020-09-15 20:17:13.591833863 +0200
@@ -16,7 +16,7 @@
 # make sure --max-children is not set to anything higher than 5,
 # unless you know what you're doing.
 
-OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
+OPTIONS="--allow-tell --create-prefs --max-children 5 --helper-home-dir --username debian-spamd"
 
 # Pid file
 # Where should spamd write its PID to file? If you use the -u or
@@ -30,4 +30,4 @@
 # Cronjob
 # Set to anything but 0 to enable the cron job to automatically update
 # spamassassin's rules on a nightly basis
-CRON=0
+CRON=1
# /etc/default/spamassassin
# Duncan Findlay

# WARNING: please read README.spamd before using.
# There may be security risks.

# Prior to version 3.4.2-1, spamd could be enabled by setting
# ENABLED=1 in this file. This is no longer supported. Instead, please
# use the update-rc.d command, invoked for example as "update-rc.d
# spamassassin enable", to enable the spamd service.

# Options
# See man spamd for possible options. The -d option is automatically added.

# SpamAssassin uses a preforking model, so be careful! You need to
# make sure --max-children is not set to anything higher than 5,
# unless you know what you're doing.

OPTIONS="--create-prefs --max-children 5 --helper-home-dir"

# Pid file
# Where should spamd write its PID to file? If you use the -u or
# --username option above, this needs to be writable by that user.
# Otherwise, the init script will not be able to shut spamd down.
PIDFILE="/var/run/spamd.pid"

# Set nice level of spamd
#NICE="--nicelevel 15"

# Cronjob
# Set to anything but 0 to enable the cron job to automatically update
# spamassassin's rules on a nightly basis
CRON=0
# /etc/default/spamassassin
# Duncan Findlay

# WARNING: please read README.spamd before using.
# There may be security risks.

# Prior to version 3.4.2-1, spamd could be enabled by setting
# ENABLED=1 in this file. This is no longer supported. Instead, please
# use the update-rc.d command, invoked for example as "update-rc.d
# spamassassin enable", to enable the spamd service.

# Options
# See man spamd for possible options. The -d option is automatically added.

# SpamAssassin uses a preforking model, so be careful! You need to
# make sure --max-children is not set to anything higher than 5,
# unless you know what you're doing.

OPTIONS="--allow-tell --create-prefs --max-children 5 --helper-home-dir --username debian-spamd"

# Pid file
# Where should spamd write its PID to file? If you use the -u or
# --username option above, this needs to be writable by that user.
# Otherwise, the init script will not be able to shut spamd down.
PIDFILE="/var/run/spamd.pid"

# Set nice level of spamd
#NICE="--nicelevel 15"

# Cronjob
# Set to anything but 0 to enable the cron job to automatically update
# spamassassin's rules on a nightly basis
CRON=1
Create or replace file /etc/spamassassin/spamc.conf -rw-r--r-- root:root
--max-size=16777216
Execute
root@jupi:~# systemctl start spamassassin.service
root@jupi:~# systemctl enable spamassassin.service

Dovecot

Execute
root@jupi:~# apt install dovecot-imapd dovecot-lmtpd dovecot-sieve
root@jupi:~# systemctl stop dovecot.service
root@jupi:~# wget -O /etc/dovecot/ffdhe2048.pem https://ssl-config.mozilla.org/ffdhe2048.txt
root@jupi:~# install --owner=dovecot --mode=600 /dev/null /etc/dovecot/users

Replace passwordhash in the echo command below with part of value printed by doveadm pw command.

Execute
root@jupi:~# doveadm pw -s sha256-crypt
root@jupi:~# echo 'vbezhenar@jupi.vbezhenar.com:$5$passwordhash:1000:1000::/home/vbezhenar::' > /etc/dovecot/users
Edit /etc/dovecot/conf.d/10-auth.conf (, , )
--- /root/backup/orig/etc/dovecot/conf.d/10-auth.conf	2019-01-23 11:05:58.000000000 +0100
+++ /etc/dovecot/conf.d/10-auth.conf	2020-09-15 20:50:13.943948110 +0200
@@ -119,10 +119,10 @@
 #!include auth-deny.conf.ext
 #!include auth-master.conf.ext
 
-!include auth-system.conf.ext
+#!include auth-system.conf.ext
 #!include auth-sql.conf.ext
 #!include auth-ldap.conf.ext
-#!include auth-passwdfile.conf.ext
+!include auth-passwdfile.conf.ext
 #!include auth-checkpassword.conf.ext
 #!include auth-vpopmail.conf.ext
 #!include auth-static.conf.ext
##
## Authentication processes
##

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
#disable_plaintext_auth = yes

# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour

# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =

# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm = 

# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =

# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
#auth_username_format = %Lu

# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# support for it), you can specify the separator character here. The format
# is then <username><separator><master username>. UW-IMAP uses "*" as the
# separator, so that could be a good choice.
#auth_master_user_separator =

# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous

# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30

# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
#auth_gssapi_hostname =

# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
#auth_krb5_keytab = 

# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
#auth_use_winbind = no

# Path for Samba's ntlm_auth helper binary.
#auth_winbind_helper_path = /usr/bin/ntlm_auth

# Time to delay before replying to failed authentications.
#auth_failure_delay = 2 secs

# Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no

# Take the username from client's SSL certificate, using 
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName. 
#auth_ssl_username_from_cert = no

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain

##
## Password and user databases
##

#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
##
## Authentication processes
##

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
#disable_plaintext_auth = yes

# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour

# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =

# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm = 

# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =

# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
#auth_username_format = %Lu

# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# support for it), you can specify the separator character here. The format
# is then <username><separator><master username>. UW-IMAP uses "*" as the
# separator, so that could be a good choice.
#auth_master_user_separator =

# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous

# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30

# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
#auth_gssapi_hostname =

# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
#auth_krb5_keytab = 

# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
#auth_use_winbind = no

# Path for Samba's ntlm_auth helper binary.
#auth_winbind_helper_path = /usr/bin/ntlm_auth

# Time to delay before replying to failed authentications.
#auth_failure_delay = 2 secs

# Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no

# Take the username from client's SSL certificate, using 
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName. 
#auth_ssl_username_from_cert = no

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain

##
## Password and user databases
##

#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

#!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
Edit /etc/dovecot/conf.d/10-mail.conf (, , )
--- /root/backup/orig/etc/dovecot/conf.d/10-mail.conf	2020-08-11 03:03:03.000000000 +0200
+++ /etc/dovecot/conf.d/10-mail.conf	2020-09-15 20:51:09.111394342 +0200
@@ -27,7 +27,7 @@
 #
 # <doc/wiki/MailLocation.txt>
 #
-mail_location = mbox:~/mail:INBOX=/var/mail/%u
+mail_location = mdbox:~/mail
 
 # If you need to set multiple mailbox locations or want to change default
 # namespace settings, you can do it by defining namespace sections.
@@ -381,7 +381,7 @@
 # When creating new mdbox files, immediately preallocate their size to
 # mdbox_rotate_size. This setting currently works only in Linux with some
 # filesystems (ext4, xfs).
-#mdbox_preallocate_space = no
+mdbox_preallocate_space = yes
 
 ##
 ## Mail attachments
##
## Mailbox locations and namespaces
##

# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
#   mail_location = maildir:~/Maildir
#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
mail_location = mbox:~/mail:INBOX=/var/mail/%u

# If you need to set multiple mailbox locations or want to change default
# namespace settings, you can do it by defining namespace sections.
#
# You can have private, shared and public namespaces. Private namespaces
# are for user's personal mails. Shared namespaces are for accessing other
# users' mailboxes that have been shared. Public namespaces are for shared
# mailboxes that are managed by sysadmin. If you create any shared or public
# namespaces you'll typically want to enable ACL plugin also, otherwise all
# users can access all the shared mailboxes, assuming they have permissions
# on filesystem level to do so.
namespace inbox {
  # Namespace type: private, shared or public
  #type = private

  # Hierarchy separator to use. You should use the same separator for all
  # namespaces or some clients get confused. '/' is usually a good one.
  # The default however depends on the underlying mail storage format.
  #separator = 

  # Prefix required to access this namespace. This needs to be different for
  # all namespaces. For example "Public/".
  #prefix = 

  # Physical location of the mailbox. This is in same format as
  # mail_location, which is also the default for it.
  #location =

  # There can be only one INBOX, and this setting defines which namespace
  # has it.
  inbox = yes

  # If namespace is hidden, it's not advertised to clients via NAMESPACE
  # extension. You'll most likely also want to set list=no. This is mostly
  # useful when converting from another server with different namespaces which
  # you want to deprecate but still keep working. For example you can create
  # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
  #hidden = no

  # Show the mailboxes under this namespace with LIST command. This makes the
  # namespace visible for clients that don't support NAMESPACE extension.
  # "children" value lists child mailboxes, but hides the namespace prefix.
  #list = yes

  # Namespace handles its own subscriptions. If set to "no", the parent
  # namespace handles them (empty prefix should always have this as "yes")
  #subscriptions = yes

  # See 15-mailboxes.conf for definitions of special mailboxes.
}

# Example shared namespace configuration
#namespace {
  #type = shared
  #separator = /

  # Mailboxes are visible under "shared/user@domain/"
  # %%n, %%d and %%u are expanded to the destination user.
  #prefix = shared/%%u/

  # Mail location for other users' mailboxes. Note that %variables and ~/
  # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
  # destination user's data.
  #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u

  # Use the default namespace for saving subscriptions.
  #subscriptions = no

  # List the shared/ namespace only if there are visible shared mailboxes.
  #list = children
#}
# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
#mail_shared_explicit_inbox = no

# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. <doc/wiki/UserIds.txt>
#mail_uid =
#mail_gid =

# Group to enable temporarily for privileged operations. Currently this is
# used only with INBOX when either its initial creation or dotlocking fails.
# Typically this is set to "mail" to give access to /var/mail.
mail_privileged_group = mail

# Grant access to these supplementary groups for mail processes. Typically
# these are used to set up access to shared mailboxes. Note that it may be
# dangerous to set these if users can create symlinks (e.g. if "mail" group is
# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
#mail_access_groups =

# Allow full filesystem access to clients. There's no access checks other than
# what the operating system does for the active UID/GID. It works with both
# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
# or ~user/.
#mail_full_filesystem_access = no

# Dictionary for key=value mailbox attributes. This is used for example by
# URLAUTH and METADATA extensions.
#mail_attribute_dict =

# A comment or note that is associated with the server. This value is
# accessible for authenticated users through the IMAP METADATA server
# entry "/shared/comment". 
#mail_server_comment = ""

# Indicates a method for contacting the server administrator. According to
# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
# is currently not enforced. Use for example mailto:admin@example.com. This
# value is accessible for authenticated users through the IMAP METADATA server
# entry "/shared/admin".
#mail_server_admin = 

##
## Mail processes
##

# Don't use mmap() at all. This is required if you store indexes to shared
# filesystems (NFS or clustered filesystem).
#mmap_disable = no

# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
# since version 3, so this should be safe to use nowadays by default.
#dotlock_use_excl = yes

# When to use fsync() or fdatasync() calls:
#   optimized (default): Whenever necessary to avoid losing important data
#   always: Useful with e.g. NFS when write()s are delayed
#   never: Never use it (best performance, but crashes can lose data)
#mail_fsync = optimized

# Locking method for index files. Alternatives are fcntl, flock and dotlock.
# Dotlocking uses some tricks which may create more disk I/O than other locking
# methods. NFS users: flock doesn't work, remember to change mmap_disable.
#lock_method = fcntl

# Directory where mails can be temporarily stored. Usually it's used only for
# mails larger than >= 128 kB. It's used by various parts of Dovecot, for
# example LDA/LMTP while delivering large mails or zlib plugin for keeping
# uncompressed mails.
#mail_temp_dir = /tmp

# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
#first_valid_uid = 500
#last_valid_uid = 0

# Valid GID range for users, defaults to non-root/wheel. Users having
# non-valid GID as primary group ID aren't allowed to log in. If user
# belongs to supplementary groups with non-valid GIDs, those groups are
# not set.
#first_valid_gid = 1
#last_valid_gid = 0

# Maximum allowed length for mail keyword name. It's only forced when trying
# to create new keywords.
#mail_max_keyword_length = 50

# ':' separated list of directories under which chrooting is allowed for mail
# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
# This setting doesn't affect login_chroot, mail_chroot or auth chroot
# settings. If this setting is empty, "/./" in home dirs are ignored.
# WARNING: Never add directories here which local users can modify, that
# may lead to root exploit. Usually this should be done only if you don't
# allow shell access for users. <doc/wiki/Chrooting.txt>
#valid_chroot_dirs = 

# Default chroot directory for mail processes. This can be overridden for
# specific users in user database by giving /./ in user's home directory
# (eg. /home/./user chroots into /home). Note that usually there is no real
# need to do chrooting, Dovecot doesn't allow users to access files outside
# their mail directory anyway. If your home directories are prefixed with
# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
#mail_chroot = 

# UNIX socket path to master authentication server to find users.
# This is used by imap (for shared users) and lda.
#auth_socket_path = /var/run/dovecot/auth-userdb

# Directory where to look up mail plugins.
#mail_plugin_dir = /usr/lib/dovecot/modules

# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
#mail_plugins = 

##
## Mailbox handling optimizations
##

# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
# also required for IMAP NOTIFY extension to be enabled.
#mailbox_list_index = yes

# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost
# of potentially returning out-of-date results after e.g. server crashes.
# The results will be automatically fixed once the folders are opened.
#mailbox_list_index_very_dirty_syncs = yes

# Should INBOX be kept up-to-date in the mailbox list index? By default it's
# not, because most of the mailbox accesses will open INBOX anyway.
#mailbox_list_index_include_inbox = no

# The minimum number of mails in a mailbox before updates are done to cache
# file. This allows optimizing Dovecot's behavior to do less disk writes at
# the cost of more disk reads.
#mail_cache_min_mail_count = 0

# When IDLE command is running, mailbox is checked once in a while to see if
# there are any new mails or other changes. This setting defines the minimum
# time to wait between those checks. Dovecot can also use inotify and
# kqueue to find out immediately when changes occur.
#mailbox_idle_check_interval = 30 secs

# Save mails with CR+LF instead of plain LF. This makes sending those mails
# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
# But it also creates a bit more disk I/O which may just make it slower.
# Also note that if other software reads the mboxes/maildirs, they may handle
# the extra CRs wrong and cause problems.
#mail_save_crlf = no

# Max number of mails to keep open and prefetch to memory. This only works with
# some mailbox formats and/or operating systems.
#mail_prefetch_count = 0

# How often to scan for stale temporary files and delete them (0 = never).
# These should exist only after Dovecot dies in the middle of saving mails.
#mail_temp_scan_interval = 1w

# How many slow mail accesses sorting can perform before it returns failure.
# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long.
# The untagged SORT reply is still returned, but it's likely not correct.
#mail_sort_max_read_count = 0

protocol !indexer-worker {
  # If folder vsize calculation requires opening more than this many mails from
  # disk (i.e. mail sizes aren't in cache already), return failure and finish
  # the calculation via indexer process. Disabled by default. This setting must
  # be 0 for indexer-worker processes.
  #mail_vsize_bg_after_count = 0
}

##
## Maildir-specific settings
##

# By default LIST command returns all entries in maildir beginning with a dot.
# Enabling this option makes Dovecot return only entries which are directories.
# This is done by stat()ing each entry, so it causes more disk I/O.
# (For systems setting struct dirent->d_type, this check is free and it's
# done always regardless of this setting)
#maildir_stat_dirs = no

# When copying a message, do it with hard links whenever possible. This makes
# the performance much better, and it's unlikely to have any side effects.
#maildir_copy_with_hardlinks = yes

# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
# when its mtime changes unexpectedly or when we can't find the mail otherwise.
#maildir_very_dirty_syncs = no

# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
# getting the mail's physical size, except when recalculating Maildir++ quota.
# This can be useful in systems where a lot of the Maildir filenames have a
# broken size. The performance hit for enabling this is very small.
#maildir_broken_filename_sizes = no

# Always move mails from new/ directory to cur/, even when the \Recent flags
# aren't being reset.
#maildir_empty_new = no

##
## mbox-specific settings
##

# Which locking methods to use for locking mbox. There are four available:
#  dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
#           solution. If you want to use /var/mail/ like directory, the users
#           will need write access to that directory.
#  dotlock_try: Same as dotlock, but if it fails because of permissions or
#               because there isn't enough disk space, just skip it.
#  fcntl  : Use this if possible. Works with NFS too if lockd is used.
#  flock  : May not exist in all systems. Doesn't work with NFS.
#  lockf  : May not exist in all systems. Doesn't work with NFS.
#
# You can use multiple locking methods; if you do the order they're declared
# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
# locking methods as well. Some operating systems don't allow using some of
# them simultaneously.
#
# The Debian value for mbox_write_locks differs from upstream Dovecot. It is
# changed to be compliant with Debian Policy (section 11.6) for NFS safety.
#       Dovecot: mbox_write_locks = dotlock fcntl
#       Debian:  mbox_write_locks = fcntl dotlock
#
#mbox_read_locks = fcntl
#mbox_write_locks = fcntl dotlock

# Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins

# If dotlock exists but the mailbox isn't modified in any way, override the
# lock file after this much time.
#mbox_dotlock_change_timeout = 2 mins

# When mbox changes unexpectedly we have to fully read it to find out what
# changed. If the mbox is large this can take a long time. Since the change
# is usually just a newly appended mail, it'd be faster to simply read the
# new mails. If this setting is enabled, Dovecot does this but still safely
# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
# how it's expected to be. The only real downside to this setting is that if
# some other MUA changes message flags, Dovecot doesn't notice it immediately.
# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK 
# commands.
#mbox_dirty_syncs = yes

# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
#mbox_very_dirty_syncs = no

# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
# commands and when closing the mailbox). This is especially useful for POP3
# where clients often delete all mails. The downside is that our changes
# aren't immediately visible to other MUAs.
#mbox_lazy_writes = yes

# If mbox size is smaller than this (e.g. 100k), don't write index files.
# If an index file already exists it's still read, just not updated.
#mbox_min_index_size = 0

# Mail header selection algorithm to use for MD5 POP3 UIDLs when
# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
# algorithm, but it fails if the first Received: header isn't unique in all
# mails. An alternative algorithm is "all" that selects all headers.
#mbox_md5 = apop3d

##
## mdbox-specific settings
##

# Maximum dbox file size until it's rotated.
#mdbox_rotate_size = 10M

# Maximum dbox file age until it's rotated. Typically in days. Day begins
# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
#mdbox_rotate_interval = 0

# When creating new mdbox files, immediately preallocate their size to
# mdbox_rotate_size. This setting currently works only in Linux with some
# filesystems (ext4, xfs).
#mdbox_preallocate_space = no

##
## Mail attachments
##

# sdbox and mdbox support saving mail attachments to external files, which
# also allows single instance storage for them. Other backends don't support
# this for now.

# Directory root where to store mail attachments. Disabled, if empty.
#mail_attachment_dir =

# Attachments smaller than this aren't saved externally. It's also possible to
# write a plugin to disable saving specific attachments externally.
#mail_attachment_min_size = 128k

# Filesystem backend to use for saving attachments:
#  posix : No SiS done by Dovecot (but this might help FS's own deduplication)
#  sis posix : SiS with immediate byte-by-byte comparison during saving
#  sis-queue posix : SiS with delayed comparison and deduplication
#mail_attachment_fs = sis posix

# Hash format to use in attachment filenames. You can add any text and
# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
#mail_attachment_hash = %{sha1}

# Settings to control adding $HasAttachment or $HasNoAttachment keywords.
# By default, all MIME parts with Content-Disposition=attachment, or inlines
# with filename parameter are consired attachments.
#   add-flags-on-save - Add the keywords when saving new mails.
#   content-type=type or !type - Include/exclude content type. Excluding will
#     never consider the matched MIME part as attachment. Including will only
#     negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar).
#   exclude-inlined - Exclude any Content-Disposition=inline MIME part.
#mail_attachment_detection_options =
##
## Mailbox locations and namespaces
##

# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
#   mail_location = maildir:~/Maildir
#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
mail_location = mdbox:~/mail

# If you need to set multiple mailbox locations or want to change default
# namespace settings, you can do it by defining namespace sections.
#
# You can have private, shared and public namespaces. Private namespaces
# are for user's personal mails. Shared namespaces are for accessing other
# users' mailboxes that have been shared. Public namespaces are for shared
# mailboxes that are managed by sysadmin. If you create any shared or public
# namespaces you'll typically want to enable ACL plugin also, otherwise all
# users can access all the shared mailboxes, assuming they have permissions
# on filesystem level to do so.
namespace inbox {
  # Namespace type: private, shared or public
  #type = private

  # Hierarchy separator to use. You should use the same separator for all
  # namespaces or some clients get confused. '/' is usually a good one.
  # The default however depends on the underlying mail storage format.
  #separator = 

  # Prefix required to access this namespace. This needs to be different for
  # all namespaces. For example "Public/".
  #prefix = 

  # Physical location of the mailbox. This is in same format as
  # mail_location, which is also the default for it.
  #location =

  # There can be only one INBOX, and this setting defines which namespace
  # has it.
  inbox = yes

  # If namespace is hidden, it's not advertised to clients via NAMESPACE
  # extension. You'll most likely also want to set list=no. This is mostly
  # useful when converting from another server with different namespaces which
  # you want to deprecate but still keep working. For example you can create
  # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
  #hidden = no

  # Show the mailboxes under this namespace with LIST command. This makes the
  # namespace visible for clients that don't support NAMESPACE extension.
  # "children" value lists child mailboxes, but hides the namespace prefix.
  #list = yes

  # Namespace handles its own subscriptions. If set to "no", the parent
  # namespace handles them (empty prefix should always have this as "yes")
  #subscriptions = yes

  # See 15-mailboxes.conf for definitions of special mailboxes.
}

# Example shared namespace configuration
#namespace {
  #type = shared
  #separator = /

  # Mailboxes are visible under "shared/user@domain/"
  # %%n, %%d and %%u are expanded to the destination user.
  #prefix = shared/%%u/

  # Mail location for other users' mailboxes. Note that %variables and ~/
  # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
  # destination user's data.
  #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u

  # Use the default namespace for saving subscriptions.
  #subscriptions = no

  # List the shared/ namespace only if there are visible shared mailboxes.
  #list = children
#}
# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
#mail_shared_explicit_inbox = no

# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. <doc/wiki/UserIds.txt>
#mail_uid =
#mail_gid =

# Group to enable temporarily for privileged operations. Currently this is
# used only with INBOX when either its initial creation or dotlocking fails.
# Typically this is set to "mail" to give access to /var/mail.
mail_privileged_group = mail

# Grant access to these supplementary groups for mail processes. Typically
# these are used to set up access to shared mailboxes. Note that it may be
# dangerous to set these if users can create symlinks (e.g. if "mail" group is
# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
#mail_access_groups =

# Allow full filesystem access to clients. There's no access checks other than
# what the operating system does for the active UID/GID. It works with both
# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
# or ~user/.
#mail_full_filesystem_access = no

# Dictionary for key=value mailbox attributes. This is used for example by
# URLAUTH and METADATA extensions.
#mail_attribute_dict =

# A comment or note that is associated with the server. This value is
# accessible for authenticated users through the IMAP METADATA server
# entry "/shared/comment". 
#mail_server_comment = ""

# Indicates a method for contacting the server administrator. According to
# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
# is currently not enforced. Use for example mailto:admin@example.com. This
# value is accessible for authenticated users through the IMAP METADATA server
# entry "/shared/admin".
#mail_server_admin = 

##
## Mail processes
##

# Don't use mmap() at all. This is required if you store indexes to shared
# filesystems (NFS or clustered filesystem).
#mmap_disable = no

# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
# since version 3, so this should be safe to use nowadays by default.
#dotlock_use_excl = yes

# When to use fsync() or fdatasync() calls:
#   optimized (default): Whenever necessary to avoid losing important data
#   always: Useful with e.g. NFS when write()s are delayed
#   never: Never use it (best performance, but crashes can lose data)
#mail_fsync = optimized

# Locking method for index files. Alternatives are fcntl, flock and dotlock.
# Dotlocking uses some tricks which may create more disk I/O than other locking
# methods. NFS users: flock doesn't work, remember to change mmap_disable.
#lock_method = fcntl

# Directory where mails can be temporarily stored. Usually it's used only for
# mails larger than >= 128 kB. It's used by various parts of Dovecot, for
# example LDA/LMTP while delivering large mails or zlib plugin for keeping
# uncompressed mails.
#mail_temp_dir = /tmp

# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
#first_valid_uid = 500
#last_valid_uid = 0

# Valid GID range for users, defaults to non-root/wheel. Users having
# non-valid GID as primary group ID aren't allowed to log in. If user
# belongs to supplementary groups with non-valid GIDs, those groups are
# not set.
#first_valid_gid = 1
#last_valid_gid = 0

# Maximum allowed length for mail keyword name. It's only forced when trying
# to create new keywords.
#mail_max_keyword_length = 50

# ':' separated list of directories under which chrooting is allowed for mail
# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
# This setting doesn't affect login_chroot, mail_chroot or auth chroot
# settings. If this setting is empty, "/./" in home dirs are ignored.
# WARNING: Never add directories here which local users can modify, that
# may lead to root exploit. Usually this should be done only if you don't
# allow shell access for users. <doc/wiki/Chrooting.txt>
#valid_chroot_dirs = 

# Default chroot directory for mail processes. This can be overridden for
# specific users in user database by giving /./ in user's home directory
# (eg. /home/./user chroots into /home). Note that usually there is no real
# need to do chrooting, Dovecot doesn't allow users to access files outside
# their mail directory anyway. If your home directories are prefixed with
# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
#mail_chroot = 

# UNIX socket path to master authentication server to find users.
# This is used by imap (for shared users) and lda.
#auth_socket_path = /var/run/dovecot/auth-userdb

# Directory where to look up mail plugins.
#mail_plugin_dir = /usr/lib/dovecot/modules

# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
#mail_plugins = 

##
## Mailbox handling optimizations
##

# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
# also required for IMAP NOTIFY extension to be enabled.
#mailbox_list_index = yes

# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost
# of potentially returning out-of-date results after e.g. server crashes.
# The results will be automatically fixed once the folders are opened.
#mailbox_list_index_very_dirty_syncs = yes

# Should INBOX be kept up-to-date in the mailbox list index? By default it's
# not, because most of the mailbox accesses will open INBOX anyway.
#mailbox_list_index_include_inbox = no

# The minimum number of mails in a mailbox before updates are done to cache
# file. This allows optimizing Dovecot's behavior to do less disk writes at
# the cost of more disk reads.
#mail_cache_min_mail_count = 0

# When IDLE command is running, mailbox is checked once in a while to see if
# there are any new mails or other changes. This setting defines the minimum
# time to wait between those checks. Dovecot can also use inotify and
# kqueue to find out immediately when changes occur.
#mailbox_idle_check_interval = 30 secs

# Save mails with CR+LF instead of plain LF. This makes sending those mails
# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
# But it also creates a bit more disk I/O which may just make it slower.
# Also note that if other software reads the mboxes/maildirs, they may handle
# the extra CRs wrong and cause problems.
#mail_save_crlf = no

# Max number of mails to keep open and prefetch to memory. This only works with
# some mailbox formats and/or operating systems.
#mail_prefetch_count = 0

# How often to scan for stale temporary files and delete them (0 = never).
# These should exist only after Dovecot dies in the middle of saving mails.
#mail_temp_scan_interval = 1w

# How many slow mail accesses sorting can perform before it returns failure.
# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long.
# The untagged SORT reply is still returned, but it's likely not correct.
#mail_sort_max_read_count = 0

protocol !indexer-worker {
  # If folder vsize calculation requires opening more than this many mails from
  # disk (i.e. mail sizes aren't in cache already), return failure and finish
  # the calculation via indexer process. Disabled by default. This setting must
  # be 0 for indexer-worker processes.
  #mail_vsize_bg_after_count = 0
}

##
## Maildir-specific settings
##

# By default LIST command returns all entries in maildir beginning with a dot.
# Enabling this option makes Dovecot return only entries which are directories.
# This is done by stat()ing each entry, so it causes more disk I/O.
# (For systems setting struct dirent->d_type, this check is free and it's
# done always regardless of this setting)
#maildir_stat_dirs = no

# When copying a message, do it with hard links whenever possible. This makes
# the performance much better, and it's unlikely to have any side effects.
#maildir_copy_with_hardlinks = yes

# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
# when its mtime changes unexpectedly or when we can't find the mail otherwise.
#maildir_very_dirty_syncs = no

# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
# getting the mail's physical size, except when recalculating Maildir++ quota.
# This can be useful in systems where a lot of the Maildir filenames have a
# broken size. The performance hit for enabling this is very small.
#maildir_broken_filename_sizes = no

# Always move mails from new/ directory to cur/, even when the \Recent flags
# aren't being reset.
#maildir_empty_new = no

##
## mbox-specific settings
##

# Which locking methods to use for locking mbox. There are four available:
#  dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
#           solution. If you want to use /var/mail/ like directory, the users
#           will need write access to that directory.
#  dotlock_try: Same as dotlock, but if it fails because of permissions or
#               because there isn't enough disk space, just skip it.
#  fcntl  : Use this if possible. Works with NFS too if lockd is used.
#  flock  : May not exist in all systems. Doesn't work with NFS.
#  lockf  : May not exist in all systems. Doesn't work with NFS.
#
# You can use multiple locking methods; if you do the order they're declared
# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
# locking methods as well. Some operating systems don't allow using some of
# them simultaneously.
#
# The Debian value for mbox_write_locks differs from upstream Dovecot. It is
# changed to be compliant with Debian Policy (section 11.6) for NFS safety.
#       Dovecot: mbox_write_locks = dotlock fcntl
#       Debian:  mbox_write_locks = fcntl dotlock
#
#mbox_read_locks = fcntl
#mbox_write_locks = fcntl dotlock

# Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins

# If dotlock exists but the mailbox isn't modified in any way, override the
# lock file after this much time.
#mbox_dotlock_change_timeout = 2 mins

# When mbox changes unexpectedly we have to fully read it to find out what
# changed. If the mbox is large this can take a long time. Since the change
# is usually just a newly appended mail, it'd be faster to simply read the
# new mails. If this setting is enabled, Dovecot does this but still safely
# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
# how it's expected to be. The only real downside to this setting is that if
# some other MUA changes message flags, Dovecot doesn't notice it immediately.
# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK 
# commands.
#mbox_dirty_syncs = yes

# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
#mbox_very_dirty_syncs = no

# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
# commands and when closing the mailbox). This is especially useful for POP3
# where clients often delete all mails. The downside is that our changes
# aren't immediately visible to other MUAs.
#mbox_lazy_writes = yes

# If mbox size is smaller than this (e.g. 100k), don't write index files.
# If an index file already exists it's still read, just not updated.
#mbox_min_index_size = 0

# Mail header selection algorithm to use for MD5 POP3 UIDLs when
# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
# algorithm, but it fails if the first Received: header isn't unique in all
# mails. An alternative algorithm is "all" that selects all headers.
#mbox_md5 = apop3d

##
## mdbox-specific settings
##

# Maximum dbox file size until it's rotated.
#mdbox_rotate_size = 10M

# Maximum dbox file age until it's rotated. Typically in days. Day begins
# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
#mdbox_rotate_interval = 0

# When creating new mdbox files, immediately preallocate their size to
# mdbox_rotate_size. This setting currently works only in Linux with some
# filesystems (ext4, xfs).
mdbox_preallocate_space = yes

##
## Mail attachments
##

# sdbox and mdbox support saving mail attachments to external files, which
# also allows single instance storage for them. Other backends don't support
# this for now.

# Directory root where to store mail attachments. Disabled, if empty.
#mail_attachment_dir =

# Attachments smaller than this aren't saved externally. It's also possible to
# write a plugin to disable saving specific attachments externally.
#mail_attachment_min_size = 128k

# Filesystem backend to use for saving attachments:
#  posix : No SiS done by Dovecot (but this might help FS's own deduplication)
#  sis posix : SiS with immediate byte-by-byte comparison during saving
#  sis-queue posix : SiS with delayed comparison and deduplication
#mail_attachment_fs = sis posix

# Hash format to use in attachment filenames. You can add any text and
# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
#mail_attachment_hash = %{sha1}

# Settings to control adding $HasAttachment or $HasNoAttachment keywords.
# By default, all MIME parts with Content-Disposition=attachment, or inlines
# with filename parameter are consired attachments.
#   add-flags-on-save - Add the keywords when saving new mails.
#   content-type=type or !type - Include/exclude content type. Excluding will
#     never consider the matched MIME part as attachment. Including will only
#     negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar).
#   exclude-inlined - Exclude any Content-Disposition=inline MIME part.
#mail_attachment_detection_options =
Edit /etc/dovecot/conf.d/10-master.conf (, , )
--- /root/backup/orig/etc/dovecot/conf.d/10-master.conf	2019-01-23 11:05:58.000000000 +0100
+++ /etc/dovecot/conf.d/10-master.conf	2020-09-15 20:54:55.777119602 +0200
@@ -16,7 +16,7 @@
 
 service imap-login {
   inet_listener imap {
-    #port = 143
+    port = 0
   }
   inet_listener imaps {
     #port = 993
@@ -52,8 +52,9 @@
 }
 
 service lmtp {
-  unix_listener lmtp {
-    #mode = 0666
+  unix_listener /var/spool/postfix/private/dovecot-lmtp {
+    mode = 0600
+    user = postfix
   }
 
   # Create inet listener only if you can't use the above UNIX socket
@@ -104,9 +105,10 @@
   }
 
   # Postfix smtp-auth
-  #unix_listener /var/spool/postfix/private/auth {
-  #  mode = 0666
-  #}
+  unix_listener /var/spool/postfix/private/dovecot-auth {
+    mode = 0600
+    user = postfix
+  }
 
   # Auth process is run as this user.
   #user = $default_internal_user
@@ -116,7 +118,7 @@
   # Auth worker process is run as root by default, so that it can access
   # /etc/shadow. If this isn't necessary, the user should be changed to
   # $default_internal_user.
-  #user = root
+  user = $default_internal_user
 }
 
 service dict {
#default_process_limit = 100
#default_client_limit = 1000

# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M

# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull

# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot

service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1

  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = $default_vsz_limit
}

service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}

service submission-login {
  inet_listener submission {
    #port = 587
  }
}

service lmtp {
  unix_listener lmtp {
    #mode = 0666
  }

  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port = 
  #}
}

service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = $default_vsz_limit

  # Max. number of IMAP processes (connections)
  #process_limit = 1024
}

service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
}

service submission {
  # Max. number of SMTP Submission processes (connections)
  #process_limit = 1024
}

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    #mode = 0666
    #user = 
    #group = 
  }

  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}

  # Auth process is run as this user.
  #user = $default_internal_user
}

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  #user = root
}

service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user = 
    #group = 
  }
}
#default_process_limit = 100
#default_client_limit = 1000

# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M

# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull

# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1

  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = $default_vsz_limit
}

service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}

service submission-login {
  inet_listener submission {
    #port = 587
  }
}

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
  }

  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port = 
  #}
}

service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = $default_vsz_limit

  # Max. number of IMAP processes (connections)
  #process_limit = 1024
}

service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
}

service submission {
  # Max. number of SMTP Submission processes (connections)
  #process_limit = 1024
}

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    #mode = 0666
    #user = 
    #group = 
  }

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/dovecot-auth {
    mode = 0600
    user = postfix
  }

  # Auth process is run as this user.
  #user = $default_internal_user
}

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  user = $default_internal_user
}

service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user = 
    #group = 
  }
}
Edit /etc/dovecot/conf.d/10-ssl.conf (, , )
--- /root/backup/orig/etc/dovecot/conf.d/10-ssl.conf	2020-08-11 03:03:03.000000000 +0200
+++ /etc/dovecot/conf.d/10-ssl.conf	2020-09-15 20:58:42.986840089 +0200
@@ -9,8 +9,8 @@
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/dovecot/private/dovecot.pem
-ssl_key = </etc/dovecot/private/dovecot.key
+ssl_cert = </etc/letsencrypt/live/vbezhenar.com/fullchain.pem
+ssl_key = </etc/letsencrypt/live/vbezhenar.com/privkey.pem
 
 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
@@ -47,7 +47,7 @@
 # Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
 # Or migrate from old ssl-parameters.dat file with the command dovecot
 # gives on startup when ssl_dh is unset.
-ssl_dh = </usr/share/dovecot/dh.pem
+ssl_dh = </etc/dovecot/ffdhe2048.pem
 
 # Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
 # TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
##
## SSL settings
##

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca = 

# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes

# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
# submission service). The directory is usually /etc/ssl/certs in
# Debian-based systems and the file is /etc/pki/tls/cert.pem in
# RedHat-based systems.
ssl_client_ca_dir = /etc/ssl/certs
#ssl_client_ca_file =

# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no

# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName

# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </usr/share/dovecot/dh.pem

# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
#ssl_min_protocol = TLSv1

# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
# example of a valid value.
#ssl_curve_list =

# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no

# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =

# SSL extra options. Currently supported options are:
#   compression - Enable compression.
#   no_ticket - Disable SSL session tickets.
#ssl_options =
##
## SSL settings
##

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/letsencrypt/live/vbezhenar.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/vbezhenar.com/privkey.pem

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca = 

# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes

# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
# submission service). The directory is usually /etc/ssl/certs in
# Debian-based systems and the file is /etc/pki/tls/cert.pem in
# RedHat-based systems.
ssl_client_ca_dir = /etc/ssl/certs
#ssl_client_ca_file =

# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no

# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName

# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </etc/dovecot/ffdhe2048.pem

# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
#ssl_min_protocol = TLSv1

# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
# example of a valid value.
#ssl_curve_list =

# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no

# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =

# SSL extra options. Currently supported options are:
#   compression - Enable compression.
#   no_ticket - Disable SSL session tickets.
#ssl_options =
Edit /etc/dovecot/conf.d/15-mailboxes.conf (, , )
--- /root/backup/orig/etc/dovecot/conf.d/15-mailboxes.conf	2019-01-23 11:05:58.000000000 +0100
+++ /etc/dovecot/conf.d/15-mailboxes.conf	2020-09-15 21:01:06.801397424 +0200
@@ -44,35 +44,28 @@
 
 # NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
 namespace inbox {
-  # These mailboxes are widely used and could perhaps be created automatically:
+  mailbox Archive {
+    auto = subscribe
+    special_use = \Archive
+  }
+
+  mailbox Sent {
+    auto = subscribe
+    special_use = \Sent
+  }
+
   mailbox Drafts {
+    auto = subscribe
     special_use = \Drafts
   }
+
   mailbox Junk {
+    auto = subscribe
     special_use = \Junk
   }
+
   mailbox Trash {
+    auto = subscribe
     special_use = \Trash
   }
-
-  # For \Sent mailboxes there are two widely used names. We'll mark both of
-  # them as \Sent. User typically deletes one of them if duplicates are created.
-  mailbox Sent {
-    special_use = \Sent
-  }
-  mailbox "Sent Messages" {
-    special_use = \Sent
-  }
-
-  # If you have a virtual "All messages" mailbox:
-  #mailbox virtual/All {
-  #  special_use = \All
-  #  comment = All my messages
-  #}
-
-  # If you have a virtual "Flagged" mailbox:
-  #mailbox virtual/Flagged {
-  #  special_use = \Flagged
-  #  comment = All my flagged messages
-  #}
 }
##
## Mailbox definitions
##

# Each mailbox is specified in a separate mailbox section. The section name
# specifies the mailbox name. If it has spaces, you can put the name
# "in quotes". These sections can contain the following mailbox settings:
#
# auto:
#   Indicates whether the mailbox with this name is automatically created
#   implicitly when it is first accessed. The user can also be automatically
#   subscribed to the mailbox after creation. The following values are
#   defined for this setting:
# 
#     no        - Never created automatically.
#     create    - Automatically created, but no automatic subscription.
#     subscribe - Automatically created and subscribed.
#  
# special_use:
#   A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
#   mailbox. There are no validity checks, so you could specify anything
#   you want in here, but it's not a good idea to use flags other than the
#   standard ones specified in the RFC:
#
#     \All      - This (virtual) mailbox presents all messages in the
#                 user's message store. 
#     \Archive  - This mailbox is used to archive messages.
#     \Drafts   - This mailbox is used to hold draft messages.
#     \Flagged  - This (virtual) mailbox presents all messages in the
#                 user's message store marked with the IMAP \Flagged flag.
#     \Junk     - This mailbox is where messages deemed to be junk mail
#                 are held.
#     \Sent     - This mailbox is used to hold copies of messages that
#                 have been sent.
#     \Trash    - This mailbox is used to hold messages that have been
#                 deleted.
#
# comment:
#   Defines a default comment or note associated with the mailbox. This
#   value is accessible through the IMAP METADATA mailbox entries
#   "/shared/comment" and "/private/comment". Users with sufficient
#   privileges can override the default value for entries with a custom
#   value.

# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
namespace inbox {
  # These mailboxes are widely used and could perhaps be created automatically:
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Trash {
    special_use = \Trash
  }

  # For \Sent mailboxes there are two widely used names. We'll mark both of
  # them as \Sent. User typically deletes one of them if duplicates are created.
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }

  # If you have a virtual "All messages" mailbox:
  #mailbox virtual/All {
  #  special_use = \All
  #  comment = All my messages
  #}

  # If you have a virtual "Flagged" mailbox:
  #mailbox virtual/Flagged {
  #  special_use = \Flagged
  #  comment = All my flagged messages
  #}
}
##
## Mailbox definitions
##

# Each mailbox is specified in a separate mailbox section. The section name
# specifies the mailbox name. If it has spaces, you can put the name
# "in quotes". These sections can contain the following mailbox settings:
#
# auto:
#   Indicates whether the mailbox with this name is automatically created
#   implicitly when it is first accessed. The user can also be automatically
#   subscribed to the mailbox after creation. The following values are
#   defined for this setting:
# 
#     no        - Never created automatically.
#     create    - Automatically created, but no automatic subscription.
#     subscribe - Automatically created and subscribed.
#  
# special_use:
#   A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
#   mailbox. There are no validity checks, so you could specify anything
#   you want in here, but it's not a good idea to use flags other than the
#   standard ones specified in the RFC:
#
#     \All      - This (virtual) mailbox presents all messages in the
#                 user's message store. 
#     \Archive  - This mailbox is used to archive messages.
#     \Drafts   - This mailbox is used to hold draft messages.
#     \Flagged  - This (virtual) mailbox presents all messages in the
#                 user's message store marked with the IMAP \Flagged flag.
#     \Junk     - This mailbox is where messages deemed to be junk mail
#                 are held.
#     \Sent     - This mailbox is used to hold copies of messages that
#                 have been sent.
#     \Trash    - This mailbox is used to hold messages that have been
#                 deleted.
#
# comment:
#   Defines a default comment or note associated with the mailbox. This
#   value is accessible through the IMAP METADATA mailbox entries
#   "/shared/comment" and "/private/comment". Users with sufficient
#   privileges can override the default value for entries with a custom
#   value.

# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
namespace inbox {
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }

  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }

  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }

  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }

  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
}
Edit /etc/dovecot/conf.d/20-imap.conf (, , )
--- /root/backup/orig/etc/dovecot/conf.d/20-imap.conf	2019-01-23 11:05:58.000000000 +0100
+++ /etc/dovecot/conf.d/20-imap.conf	2020-09-15 21:01:35.269111872 +0200
@@ -90,7 +90,7 @@
 
 protocol imap {
   # Space separated list of plugins to load (default is global mail_plugins).
-  #mail_plugins = $mail_plugins
+  mail_plugins = $mail_plugins imap_sieve
 
   # Maximum number of IMAP connections allowed for a user from each IP address.
   # NOTE: The username is compared case-sensitively.
##
## IMAP specific settings
##

# If nothing happens for this long while client is IDLEing, move the connection
# to imap-hibernate process and close the old imap process. This saves memory,
# because connections use very little memory in imap-hibernate process. The
# downside is that recreating the imap process back uses some resources.
#imap_hibernate_timeout = 0

# Maximum IMAP command line length. Some clients generate very long command
# lines with huge mailboxes, so you may need to raise this if you get
# "Too long argument" or "IMAP command line too large" errors often.
#imap_max_line_length = 64k

# IMAP logout format string:
#  %i - total number of bytes read from client
#  %o - total number of bytes sent to client
#  %{fetch_hdr_count} - Number of mails with mail header data sent to client
#  %{fetch_hdr_bytes} - Number of bytes with mail header data sent to client
#  %{fetch_body_count} - Number of mails with mail body data sent to client
#  %{fetch_body_bytes} - Number of bytes with mail body data sent to client
#  %{deleted} - Number of mails where client added \Deleted flag
#  %{expunged} - Number of mails that client expunged, which does not
#                include automatically expunged mails
#  %{autoexpunged} - Number of mails that were automatically expunged after
#                    client disconnected
#  %{trashed} - Number of mails that client copied/moved to the
#               special_use=\Trash mailbox.
#  %{appended} - Number of mails saved during the session
#imap_logout_format = in=%i out=%o deleted=%{deleted} expunged=%{expunged} \
#  trashed=%{trashed} hdr_count=%{fetch_hdr_count} \
#  hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} \
#  body_bytes=%{fetch_body_bytes}

# Override the IMAP CAPABILITY response. If the value begins with '+',
# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
#imap_capability = 

# How long to wait between "OK Still here" notifications when client is
# IDLEing.
#imap_idle_notify_interval = 2 mins

# ID field names and values to send to clients. Using * as the value makes
# Dovecot use the default value. The following fields have default values
# currently: name, version, os, os-version, support-url, support-email.
#imap_id_send = 

# ID fields sent by client to log. * means everything.
#imap_id_log =

# Workarounds for various client bugs:
#   delay-newmail:
#     Send EXISTS/RECENT new mail notifications only when replying to NOOP
#     and CHECK commands. Some clients ignore them otherwise, for example OSX
#     Mail (<v2.1). Outlook Express breaks more badly though, without this it
#     may show user "Message no longer in server" errors. Note that OE6 still
#     breaks even with this workaround if synchronization is set to
#     "Headers Only".
#   tb-extra-mailbox-sep:
#     Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
#     adds extra '/' suffixes to mailbox names. This option causes Dovecot to
#     ignore the extra '/' instead of treating it as invalid mailbox name.
#   tb-lsub-flags:
#     Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
#     This makes Thunderbird realize they aren't selectable and show them
#     greyed out, instead of only later giving "not selectable" popup error.
#
# The list is space-separated.
#imap_client_workarounds = 

# Host allowed in URLAUTH URLs sent by client. "*" allows all.
#imap_urlauth_host =

# Enable IMAP LITERAL- extension (replaces LITERAL+)
#imap_literal_minus = no

# What happens when FETCH fails due to some internal error:
#   disconnect-immediately:
#     The FETCH is aborted immediately and the IMAP client is disconnected.
#   disconnect-after:
#     The FETCH runs for all the requested mails returning as much data as
#     possible. The client is finally disconnected without a tagged reply.
#   no-after:
#     Same as disconnect-after, but tagged NO reply is sent instead of
#     disconnecting the client. If the client attempts to FETCH the same failed
#     mail more than once, the client is disconnected. This is to avoid clients
#     from going into infinite loops trying to FETCH a broken mail.
#imap_fetch_failure = disconnect-immediately

protocol imap {
  # Space separated list of plugins to load (default is global mail_plugins).
  #mail_plugins = $mail_plugins

  # Maximum number of IMAP connections allowed for a user from each IP address.
  # NOTE: The username is compared case-sensitively.
  #mail_max_userip_connections = 10
}
##
## IMAP specific settings
##

# If nothing happens for this long while client is IDLEing, move the connection
# to imap-hibernate process and close the old imap process. This saves memory,
# because connections use very little memory in imap-hibernate process. The
# downside is that recreating the imap process back uses some resources.
#imap_hibernate_timeout = 0

# Maximum IMAP command line length. Some clients generate very long command
# lines with huge mailboxes, so you may need to raise this if you get
# "Too long argument" or "IMAP command line too large" errors often.
#imap_max_line_length = 64k

# IMAP logout format string:
#  %i - total number of bytes read from client
#  %o - total number of bytes sent to client
#  %{fetch_hdr_count} - Number of mails with mail header data sent to client
#  %{fetch_hdr_bytes} - Number of bytes with mail header data sent to client
#  %{fetch_body_count} - Number of mails with mail body data sent to client
#  %{fetch_body_bytes} - Number of bytes with mail body data sent to client
#  %{deleted} - Number of mails where client added \Deleted flag
#  %{expunged} - Number of mails that client expunged, which does not
#                include automatically expunged mails
#  %{autoexpunged} - Number of mails that were automatically expunged after
#                    client disconnected
#  %{trashed} - Number of mails that client copied/moved to the
#               special_use=\Trash mailbox.
#  %{appended} - Number of mails saved during the session
#imap_logout_format = in=%i out=%o deleted=%{deleted} expunged=%{expunged} \
#  trashed=%{trashed} hdr_count=%{fetch_hdr_count} \
#  hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} \
#  body_bytes=%{fetch_body_bytes}

# Override the IMAP CAPABILITY response. If the value begins with '+',
# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
#imap_capability = 

# How long to wait between "OK Still here" notifications when client is
# IDLEing.
#imap_idle_notify_interval = 2 mins

# ID field names and values to send to clients. Using * as the value makes
# Dovecot use the default value. The following fields have default values
# currently: name, version, os, os-version, support-url, support-email.
#imap_id_send = 

# ID fields sent by client to log. * means everything.
#imap_id_log =

# Workarounds for various client bugs:
#   delay-newmail:
#     Send EXISTS/RECENT new mail notifications only when replying to NOOP
#     and CHECK commands. Some clients ignore them otherwise, for example OSX
#     Mail (<v2.1). Outlook Express breaks more badly though, without this it
#     may show user "Message no longer in server" errors. Note that OE6 still
#     breaks even with this workaround if synchronization is set to
#     "Headers Only".
#   tb-extra-mailbox-sep:
#     Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
#     adds extra '/' suffixes to mailbox names. This option causes Dovecot to
#     ignore the extra '/' instead of treating it as invalid mailbox name.
#   tb-lsub-flags:
#     Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
#     This makes Thunderbird realize they aren't selectable and show them
#     greyed out, instead of only later giving "not selectable" popup error.
#
# The list is space-separated.
#imap_client_workarounds = 

# Host allowed in URLAUTH URLs sent by client. "*" allows all.
#imap_urlauth_host =

# Enable IMAP LITERAL- extension (replaces LITERAL+)
#imap_literal_minus = no

# What happens when FETCH fails due to some internal error:
#   disconnect-immediately:
#     The FETCH is aborted immediately and the IMAP client is disconnected.
#   disconnect-after:
#     The FETCH runs for all the requested mails returning as much data as
#     possible. The client is finally disconnected without a tagged reply.
#   no-after:
#     Same as disconnect-after, but tagged NO reply is sent instead of
#     disconnecting the client. If the client attempts to FETCH the same failed
#     mail more than once, the client is disconnected. This is to avoid clients
#     from going into infinite loops trying to FETCH a broken mail.
#imap_fetch_failure = disconnect-immediately

protocol imap {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins imap_sieve

  # Maximum number of IMAP connections allowed for a user from each IP address.
  # NOTE: The username is compared case-sensitively.
  #mail_max_userip_connections = 10
}
Edit /etc/dovecot/conf.d/20-lmtp.conf (, , )
--- /root/backup/orig/etc/dovecot/conf.d/20-lmtp.conf	2019-01-23 11:05:58.000000000 +0100
+++ /etc/dovecot/conf.d/20-lmtp.conf	2020-09-15 21:02:02.912834597 +0200
@@ -22,5 +22,5 @@
 
 protocol lmtp {
   # Space separated list of plugins to load (default is global mail_plugins).
-  #mail_plugins = $mail_plugins
+  mail_plugins = $mail_plugins sieve
 }
##
## LMTP specific settings
##

# Support proxying to other LMTP/SMTP servers by performing passdb lookups.
#lmtp_proxy = no

# When recipient address includes the detail (e.g. user+detail), try to save
# the mail to the detail mailbox. See also recipient_delimiter and
# lda_mailbox_autocreate settings.
#lmtp_save_to_detail_mailbox = no

# Verify quota before replying to RCPT TO. This adds a small overhead.
#lmtp_rcpt_check_quota = no

# Which recipient address to use for Delivered-To: header and Received:
# header. The default is "final", which is the same as the one given to
# RCPT TO command. "original" uses the address given in RCPT TO's ORCPT
# parameter, "none" uses nothing. Note that "none" is currently always used
# when a mail has multiple recipients.
#lmtp_hdr_delivery_address = final

protocol lmtp {
  # Space separated list of plugins to load (default is global mail_plugins).
  #mail_plugins = $mail_plugins
}
##
## LMTP specific settings
##

# Support proxying to other LMTP/SMTP servers by performing passdb lookups.
#lmtp_proxy = no

# When recipient address includes the detail (e.g. user+detail), try to save
# the mail to the detail mailbox. See also recipient_delimiter and
# lda_mailbox_autocreate settings.
#lmtp_save_to_detail_mailbox = no

# Verify quota before replying to RCPT TO. This adds a small overhead.
#lmtp_rcpt_check_quota = no

# Which recipient address to use for Delivered-To: header and Received:
# header. The default is "final", which is the same as the one given to
# RCPT TO command. "original" uses the address given in RCPT TO's ORCPT
# parameter, "none" uses nothing. Note that "none" is currently always used
# when a mail has multiple recipients.
#lmtp_hdr_delivery_address = final

protocol lmtp {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins sieve
}
Edit /etc/dovecot/conf.d/90-sieve.conf (, , )
--- /root/backup/orig/etc/dovecot/conf.d/90-sieve.conf	2020-08-11 03:03:03.000000000 +0200
+++ /etc/dovecot/conf.d/90-sieve.conf	2020-09-15 21:03:13.388127733 +0200
@@ -44,7 +44,7 @@
   # sievec command line tool if the binary is not stored in a global location.
   # --> See sieve_before for executing scripts before the user's personal
   #     script.
-  #sieve_default = /var/lib/dovecot/sieve/default.sieve
+  sieve_default = /var/lib/dovecot/sieve/default.sieve
 
   # The name by which the default Sieve script (as configured by the 
   # sieve_default setting) is visible to the user through ManageSieve. 
@@ -104,14 +104,14 @@
   # `sieve_extensions' setting, with the difference that extensions are
   # enabled or disabled for exclusive use in global scripts. Currently, no
   # extensions are marked as such by default.
-  #sieve_global_extensions =
+  sieve_global_extensions = +vnd.dovecot.pipe
 
   # The Pigeonhole Sieve interpreter can have plugins of its own. Using this
   # setting, the used plugins can be specified. Check the Dovecot wiki
   # (wiki2.dovecot.org) or the pigeonhole website
   # (http://pigeonhole.dovecot.org) for available plugins.
   # The sieve_extprograms plugin is included in this release.
-  #sieve_plugins =
+  sieve_plugins = sieve_imapsieve sieve_extprograms
 
   # The separator that is expected between the :user and :detail
   # address parts introduced by the subaddress extension. This may
##
## Settings for the Sieve interpreter
##

# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
# by adding it to the respective mail_plugins= settings.

# The Sieve interpreter can retrieve Sieve scripts from several types of
# locations. The default `file' location type is a local filesystem path
# pointing to a Sieve script file or a directory containing multiple Sieve
# script files. More complex setups can use other location types such as
# `ldap' or `dict' to fetch Sieve scripts from remote databases.
#
# All settings that specify the location of one ore more Sieve scripts accept
# the following syntax:
#
# location = [<type>:]path[;<option>[=<value>][;...]]
#
# If the type prefix is omitted, the script location type is 'file' and the 
# location is interpreted as a local filesystem path pointing to a Sieve script
# file or directory. Refer to Pigeonhole wiki or INSTALL file for more
# information.

plugin {
  # The location of the user's main Sieve script or script storage. The LDA
  # Sieve plugin uses this to find the active script for Sieve filtering at
  # delivery. The "include" extension uses this location for retrieving
  # :personal" scripts. This is also where the  ManageSieve service will store
  # the user's scripts, if supported.
  # 
  # Currently only the 'file:' location type supports ManageSieve operation.
  # Other location types like 'dict:' and 'ldap:' can currently only
  # be used as a read-only script source ().
  #
  # For the 'file:' type: use the ';active=' parameter to specify where the
  # active script symlink is located.
  # For other types: use the ';name=' parameter to specify the name of the
  # default/active script.
  sieve = file:~/sieve;active=~/.dovecot.sieve

  # The default Sieve script when the user has none. This is the location of a
  # global sieve script file, which gets executed ONLY if user's personal Sieve
  # script doesn't exist. Be sure to pre-compile this script manually using the
  # sievec command line tool if the binary is not stored in a global location.
  # --> See sieve_before for executing scripts before the user's personal
  #     script.
  #sieve_default = /var/lib/dovecot/sieve/default.sieve

  # The name by which the default Sieve script (as configured by the 
  # sieve_default setting) is visible to the user through ManageSieve. 
  #sieve_default_name = 

  # Location for ":global" include scripts as used by the "include" extension.
  #sieve_global =

  # The location of a Sieve script that is run for any message that is about to
  # be discarded; i.e., it is not delivered anywhere by the normal Sieve
  # execution. This only happens when the "implicit keep" is canceled, by e.g.
  # the "discard" action, and no actions that deliver the message are executed.
  # This "discard script" can prevent discarding the message, by executing
  # alternative actions. If the discard script does nothing, the message is
	# still discarded as it would be when no discard script is configured.
  #sieve_discard =

  # Location Sieve of scripts that need to be executed before the user's
  # personal script. If a 'file' location path points to a directory, all the 
  # Sieve scripts contained therein (with the proper `.sieve' extension) are
  # executed. The order of execution within that directory is determined by the
  # file names, using a normal 8bit per-character comparison.
  #
  # Multiple script locations can be specified by appending an increasing number
  # to the setting name. The Sieve scripts found from these locations are added
  # to the script execution sequence in the specified order. Reading the
  # numbered sieve_before settings stops at the first missing setting, so no
  # numbers may be skipped.
  #sieve_before = /var/lib/dovecot/sieve.d/
  #sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
  #sieve_before3 = (etc...)

  # Identical to sieve_before, only the specified scripts are executed after the
  # user's script (only when keep is still in effect!). Multiple script
  # locations can be specified by appending an increasing number.
  #sieve_after =
  #sieve_after2 =
  #sieve_after2 = (etc...)

  # Which Sieve language extensions are available to users. By default, all
  # supported extensions are available, except for deprecated extensions or
  # those that are still under development. Some system administrators may want
  # to disable certain Sieve extensions or enable those that are not available
  # by default. This setting can use '+' and '-' to specify differences relative
  # to the default. For example `sieve_extensions = +imapflags' will enable the
  # deprecated imapflags extension in addition to all extensions were already
  # enabled by default.
  #sieve_extensions = +notify +imapflags

  # Which Sieve language extensions are ONLY available in global scripts. This
  # can be used to restrict the use of certain Sieve extensions to administrator
  # control, for instance when these extensions can cause security concerns.
  # This setting has higher precedence than the `sieve_extensions' setting
  # (above), meaning that the extensions enabled with this setting are never
  # available to the user's personal script no matter what is specified for the
  # `sieve_extensions' setting. The syntax of this setting is similar to the
  # `sieve_extensions' setting, with the difference that extensions are
  # enabled or disabled for exclusive use in global scripts. Currently, no
  # extensions are marked as such by default.
  #sieve_global_extensions =

  # The Pigeonhole Sieve interpreter can have plugins of its own. Using this
  # setting, the used plugins can be specified. Check the Dovecot wiki
  # (wiki2.dovecot.org) or the pigeonhole website
  # (http://pigeonhole.dovecot.org) for available plugins.
  # The sieve_extprograms plugin is included in this release.
  #sieve_plugins =

  # The separator that is expected between the :user and :detail
  # address parts introduced by the subaddress extension. This may
  # also be a sequence of characters (e.g. '--'). The current
  # implementation looks for the separator from the left of the
  # localpart and uses the first one encountered. The :user part is
  # left of the separator and the :detail part is right. This setting
  # is also used by Dovecot's LMTP service.
  #recipient_delimiter = +

  # The maximum size of a Sieve script. The compiler will refuse to compile any
  # script larger than this limit. If set to 0, no limit on the script size is
  # enforced.
  #sieve_max_script_size = 1M

  # The maximum number of actions that can be performed during a single script
  # execution. If set to 0, no limit on the total number of actions is enforced.
  #sieve_max_actions = 32

  # The maximum number of redirect actions that can be performed during a single
  # script execution. If set to 0, no redirect actions are allowed.
  #sieve_max_redirects = 4

  # The maximum number of personal Sieve scripts a single user can have. If set
  # to 0, no limit on the number of scripts is enforced.
  # (Currently only relevant for ManageSieve)
  #sieve_quota_max_scripts = 0

  # The maximum amount of disk storage a single user's scripts may occupy. If
  # set to 0, no limit on the used amount of disk storage is enforced.
  # (Currently only relevant for ManageSieve)
  #sieve_quota_max_storage = 0

  # The primary e-mail address for the user. This is used as a default when no
  # other appropriate address is available for sending messages. If this setting
  # is not configured, either the postmaster or null "<>" address is used as a
  # sender, depending on the action involved. This setting is important when
  # there is no message envelope to extract addresses from, such as when the
  # script is executed in IMAP.
  #sieve_user_email =

  # The path to the file where the user log is written. If not configured, a
  # default location is used. If the main user's personal Sieve (as configured
  # with sieve=) is a file, the logfile is set to <filename>.log by default. If
  # it is not a file, the default user log file is ~/.dovecot.sieve.log.
  #sieve_user_log =

  # Specifies what envelope sender address is used for redirected messages.
  # The following values are supported for this setting:
  #
  #   "sender"         - The sender address is used (default).
  #   "recipient"      - The final recipient address is used.
  #   "orig_recipient" - The original recipient is used.
  #   "user_email"     - The user's primary address is used. This is
  #                      configured with the "sieve_user_email" setting. If
  #                      that setting is unconfigured, "user_mail" is equal to
  #                      "recipient".
  #   "postmaster"     - The postmaster_address configured for the LDA.
  #   "<user@domain>"  - Redirected messages are always sent from user@domain.
  #                      The angle brackets are mandatory. The null "<>" address
  #                      is also supported.
  #
  # This setting is ignored when the envelope sender is "<>". In that case the
  # sender of the redirected message is also always "<>".
  #sieve_redirect_envelope_from = sender

  ## TRACE DEBUGGING
  # Trace debugging provides detailed insight in the operations performed by
  # the Sieve script. These settings apply to both the LDA Sieve plugin and the
  # IMAPSIEVE plugin. 
  #
  # WARNING: On a busy server, this functionality can quickly fill up the trace
  # directory with a lot of trace files. Enable this only temporarily and as
  # selective as possible.
  
  # The directory where trace files are written. Trace debugging is disabled if
  # this setting is not configured or if the directory does not exist. If the 
  # path is relative or it starts with "~/" it is interpreted relative to the
  # current user's home directory.
  #sieve_trace_dir =
  
  # The verbosity level of the trace messages. Trace debugging is disabled if
  # this setting is not configured. Possible values are:
  #
  #   "actions"        - Only print executed action commands, like keep,
  #                      fileinto, reject and redirect.
  #   "commands"       - Print any executed command, excluding test commands.
  #   "tests"          - Print all executed commands and performed tests.
  #   "matching"       - Print all executed commands, performed tests and the
  #                      values matched in those tests.
  #sieve_trace_level =
  
  # Enables highly verbose debugging messages that are usually only useful for
  # developers.
  #sieve_trace_debug = no
  
  # Enables showing byte code addresses in the trace output, rather than only
  # the source line numbers.
  #sieve_trace_addresses = no 
}
##
## Settings for the Sieve interpreter
##

# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
# by adding it to the respective mail_plugins= settings.

# The Sieve interpreter can retrieve Sieve scripts from several types of
# locations. The default `file' location type is a local filesystem path
# pointing to a Sieve script file or a directory containing multiple Sieve
# script files. More complex setups can use other location types such as
# `ldap' or `dict' to fetch Sieve scripts from remote databases.
#
# All settings that specify the location of one ore more Sieve scripts accept
# the following syntax:
#
# location = [<type>:]path[;<option>[=<value>][;...]]
#
# If the type prefix is omitted, the script location type is 'file' and the 
# location is interpreted as a local filesystem path pointing to a Sieve script
# file or directory. Refer to Pigeonhole wiki or INSTALL file for more
# information.

plugin {
  # The location of the user's main Sieve script or script storage. The LDA
  # Sieve plugin uses this to find the active script for Sieve filtering at
  # delivery. The "include" extension uses this location for retrieving
  # :personal" scripts. This is also where the  ManageSieve service will store
  # the user's scripts, if supported.
  # 
  # Currently only the 'file:' location type supports ManageSieve operation.
  # Other location types like 'dict:' and 'ldap:' can currently only
  # be used as a read-only script source ().
  #
  # For the 'file:' type: use the ';active=' parameter to specify where the
  # active script symlink is located.
  # For other types: use the ';name=' parameter to specify the name of the
  # default/active script.
  sieve = file:~/sieve;active=~/.dovecot.sieve

  # The default Sieve script when the user has none. This is the location of a
  # global sieve script file, which gets executed ONLY if user's personal Sieve
  # script doesn't exist. Be sure to pre-compile this script manually using the
  # sievec command line tool if the binary is not stored in a global location.
  # --> See sieve_before for executing scripts before the user's personal
  #     script.
  sieve_default = /var/lib/dovecot/sieve/default.sieve

  # The name by which the default Sieve script (as configured by the 
  # sieve_default setting) is visible to the user through ManageSieve. 
  #sieve_default_name = 

  # Location for ":global" include scripts as used by the "include" extension.
  #sieve_global =

  # The location of a Sieve script that is run for any message that is about to
  # be discarded; i.e., it is not delivered anywhere by the normal Sieve
  # execution. This only happens when the "implicit keep" is canceled, by e.g.
  # the "discard" action, and no actions that deliver the message are executed.
  # This "discard script" can prevent discarding the message, by executing
  # alternative actions. If the discard script does nothing, the message is
	# still discarded as it would be when no discard script is configured.
  #sieve_discard =

  # Location Sieve of scripts that need to be executed before the user's
  # personal script. If a 'file' location path points to a directory, all the 
  # Sieve scripts contained therein (with the proper `.sieve' extension) are
  # executed. The order of execution within that directory is determined by the
  # file names, using a normal 8bit per-character comparison.
  #
  # Multiple script locations can be specified by appending an increasing number
  # to the setting name. The Sieve scripts found from these locations are added
  # to the script execution sequence in the specified order. Reading the
  # numbered sieve_before settings stops at the first missing setting, so no
  # numbers may be skipped.
  #sieve_before = /var/lib/dovecot/sieve.d/
  #sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
  #sieve_before3 = (etc...)

  # Identical to sieve_before, only the specified scripts are executed after the
  # user's script (only when keep is still in effect!). Multiple script
  # locations can be specified by appending an increasing number.
  #sieve_after =
  #sieve_after2 =
  #sieve_after2 = (etc...)

  # Which Sieve language extensions are available to users. By default, all
  # supported extensions are available, except for deprecated extensions or
  # those that are still under development. Some system administrators may want
  # to disable certain Sieve extensions or enable those that are not available
  # by default. This setting can use '+' and '-' to specify differences relative
  # to the default. For example `sieve_extensions = +imapflags' will enable the
  # deprecated imapflags extension in addition to all extensions were already
  # enabled by default.
  #sieve_extensions = +notify +imapflags

  # Which Sieve language extensions are ONLY available in global scripts. This
  # can be used to restrict the use of certain Sieve extensions to administrator
  # control, for instance when these extensions can cause security concerns.
  # This setting has higher precedence than the `sieve_extensions' setting
  # (above), meaning that the extensions enabled with this setting are never
  # available to the user's personal script no matter what is specified for the
  # `sieve_extensions' setting. The syntax of this setting is similar to the
  # `sieve_extensions' setting, with the difference that extensions are
  # enabled or disabled for exclusive use in global scripts. Currently, no
  # extensions are marked as such by default.
  sieve_global_extensions = +vnd.dovecot.pipe

  # The Pigeonhole Sieve interpreter can have plugins of its own. Using this
  # setting, the used plugins can be specified. Check the Dovecot wiki
  # (wiki2.dovecot.org) or the pigeonhole website
  # (http://pigeonhole.dovecot.org) for available plugins.
  # The sieve_extprograms plugin is included in this release.
  sieve_plugins = sieve_imapsieve sieve_extprograms

  # The separator that is expected between the :user and :detail
  # address parts introduced by the subaddress extension. This may
  # also be a sequence of characters (e.g. '--'). The current
  # implementation looks for the separator from the left of the
  # localpart and uses the first one encountered. The :user part is
  # left of the separator and the :detail part is right. This setting
  # is also used by Dovecot's LMTP service.
  #recipient_delimiter = +

  # The maximum size of a Sieve script. The compiler will refuse to compile any
  # script larger than this limit. If set to 0, no limit on the script size is
  # enforced.
  #sieve_max_script_size = 1M

  # The maximum number of actions that can be performed during a single script
  # execution. If set to 0, no limit on the total number of actions is enforced.
  #sieve_max_actions = 32

  # The maximum number of redirect actions that can be performed during a single
  # script execution. If set to 0, no redirect actions are allowed.
  #sieve_max_redirects = 4

  # The maximum number of personal Sieve scripts a single user can have. If set
  # to 0, no limit on the number of scripts is enforced.
  # (Currently only relevant for ManageSieve)
  #sieve_quota_max_scripts = 0

  # The maximum amount of disk storage a single user's scripts may occupy. If
  # set to 0, no limit on the used amount of disk storage is enforced.
  # (Currently only relevant for ManageSieve)
  #sieve_quota_max_storage = 0

  # The primary e-mail address for the user. This is used as a default when no
  # other appropriate address is available for sending messages. If this setting
  # is not configured, either the postmaster or null "<>" address is used as a
  # sender, depending on the action involved. This setting is important when
  # there is no message envelope to extract addresses from, such as when the
  # script is executed in IMAP.
  #sieve_user_email =

  # The path to the file where the user log is written. If not configured, a
  # default location is used. If the main user's personal Sieve (as configured
  # with sieve=) is a file, the logfile is set to <filename>.log by default. If
  # it is not a file, the default user log file is ~/.dovecot.sieve.log.
  #sieve_user_log =

  # Specifies what envelope sender address is used for redirected messages.
  # The following values are supported for this setting:
  #
  #   "sender"         - The sender address is used (default).
  #   "recipient"      - The final recipient address is used.
  #   "orig_recipient" - The original recipient is used.
  #   "user_email"     - The user's primary address is used. This is
  #                      configured with the "sieve_user_email" setting. If
  #                      that setting is unconfigured, "user_mail" is equal to
  #                      "recipient".
  #   "postmaster"     - The postmaster_address configured for the LDA.
  #   "<user@domain>"  - Redirected messages are always sent from user@domain.
  #                      The angle brackets are mandatory. The null "<>" address
  #                      is also supported.
  #
  # This setting is ignored when the envelope sender is "<>". In that case the
  # sender of the redirected message is also always "<>".
  #sieve_redirect_envelope_from = sender

  ## TRACE DEBUGGING
  # Trace debugging provides detailed insight in the operations performed by
  # the Sieve script. These settings apply to both the LDA Sieve plugin and the
  # IMAPSIEVE plugin. 
  #
  # WARNING: On a busy server, this functionality can quickly fill up the trace
  # directory with a lot of trace files. Enable this only temporarily and as
  # selective as possible.
  
  # The directory where trace files are written. Trace debugging is disabled if
  # this setting is not configured or if the directory does not exist. If the 
  # path is relative or it starts with "~/" it is interpreted relative to the
  # current user's home directory.
  #sieve_trace_dir =
  
  # The verbosity level of the trace messages. Trace debugging is disabled if
  # this setting is not configured. Possible values are:
  #
  #   "actions"        - Only print executed action commands, like keep,
  #                      fileinto, reject and redirect.
  #   "commands"       - Print any executed command, excluding test commands.
  #   "tests"          - Print all executed commands and performed tests.
  #   "matching"       - Print all executed commands, performed tests and the
  #                      values matched in those tests.
  #sieve_trace_level =
  
  # Enables highly verbose debugging messages that are usually only useful for
  # developers.
  #sieve_trace_debug = no
  
  # Enables showing byte code addresses in the trace output, rather than only
  # the source line numbers.
  #sieve_trace_addresses = no 
}
Edit /etc/dovecot/conf.d/90-sieve-extprograms.conf (, , )
--- /root/backup/orig/etc/dovecot/conf.d/90-sieve-extprograms.conf	2020-08-11 03:03:03.000000000 +0200
+++ /etc/dovecot/conf.d/90-sieve-extprograms.conf	2020-09-15 21:03:41.311847664 +0200
@@ -20,7 +20,7 @@
   # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
   # respectively. The name of each script contained in that directory
   # directly maps to a program-name referenced from the Sieve script.
-  #sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
+  sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
   #sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
   #sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute
 }
# Sieve Extprograms plugin configuration

# Don't forget to add the sieve_extprograms plugin to the sieve_plugins setting.
# Also enable the extensions you need (one or more of vnd.dovecot.pipe,
# vnd.dovecot.filter and vnd.dovecot.execute) by adding these	to the
# sieve_extensions or sieve_global_extensions settings. Restricting these
# extensions to a global context using sieve_global_extensions is recommended.

plugin {

  # The directory where the program sockets are located for the
  # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
  # respectively. The name of each unix socket contained in that directory
  # directly maps to a program-name referenced from the Sieve script.
  #sieve_pipe_socket_dir = sieve-pipe
  #sieve_filter_socket_dir = sieve-filter
  #sieve_execute_socket_dir = sieve-execute

  # The directory where the scripts are located for direct execution by the
  # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
  # respectively. The name of each script contained in that directory
  # directly maps to a program-name referenced from the Sieve script.
  #sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
  #sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
  #sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute
}

# An example program service called 'do-something' to pipe messages to
#service do-something {
  # Define the executed script as parameter to the sieve service
  #executable = script /usr/lib/dovecot/sieve-pipe/do-something.sh

  # Use some unprivileged user for executing the program
  #user = dovenull

  # The unix socket located in the sieve_pipe_socket_dir (as defined in the 
  # plugin {} section above)
  #unix_listener sieve-pipe/do-something {
    # LDA/LMTP must have access
  #  user = vmail  
  #  mode = 0600
  #}
#}

# Sieve Extprograms plugin configuration

# Don't forget to add the sieve_extprograms plugin to the sieve_plugins setting.
# Also enable the extensions you need (one or more of vnd.dovecot.pipe,
# vnd.dovecot.filter and vnd.dovecot.execute) by adding these	to the
# sieve_extensions or sieve_global_extensions settings. Restricting these
# extensions to a global context using sieve_global_extensions is recommended.

plugin {

  # The directory where the program sockets are located for the
  # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
  # respectively. The name of each unix socket contained in that directory
  # directly maps to a program-name referenced from the Sieve script.
  #sieve_pipe_socket_dir = sieve-pipe
  #sieve_filter_socket_dir = sieve-filter
  #sieve_execute_socket_dir = sieve-execute

  # The directory where the scripts are located for direct execution by the
  # vnd.dovecot.pipe, vnd.dovecot.filter and vnd.dovecot.execute extension
  # respectively. The name of each script contained in that directory
  # directly maps to a program-name referenced from the Sieve script.
  sieve_pipe_bin_dir = /usr/lib/dovecot/sieve-pipe
  #sieve_filter_bin_dir = /usr/lib/dovecot/sieve-filter
  #sieve_execute_bin_dir = /usr/lib/dovecot/sieve-execute
}

# An example program service called 'do-something' to pipe messages to
#service do-something {
  # Define the executed script as parameter to the sieve service
  #executable = script /usr/lib/dovecot/sieve-pipe/do-something.sh

  # Use some unprivileged user for executing the program
  #user = dovenull

  # The unix socket located in the sieve_pipe_socket_dir (as defined in the 
  # plugin {} section above)
  #unix_listener sieve-pipe/do-something {
    # LDA/LMTP must have access
  #  user = vmail  
  #  mode = 0600
  #}
#}

Create or replace file /etc/dovecot/conf.d/91-imapsieve-spam.conf -rw-r--r-- root:root
plugin {
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_before = file:/var/lib/dovecot/sieve/learn-spam.sieve

  imapsieve_mailbox2_name = *
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_before = file:/var/lib/dovecot/sieve/learn-ham.sieve
}
Create or replace file /usr/lib/dovecot/sieve-pipe/learn-ham.sh -rwxr-xr-x root:root
#!/bin/sh
exec /usr/bin/spamc --learntype=ham --username=debian-spamd
Create or replace file /usr/lib/dovecot/sieve-pipe/learn-spam.sh -rwxr-xr-x root:root
#!/bin/sh
exec /usr/bin/spamc --learntype=spam --username=debian-spamd
Create or replace file /var/lib/dovecot/sieve/default.sieve -rw-r--r-- root:root
require ["fileinto"];
if header :contains "X-Spam-Flag" "YES" {
    fileinto "Junk";
}
Create or replace file /var/lib/dovecot/sieve/learn-ham.sieve -rw-r--r-- root:root
require ["copy", "environment", "variables", "vnd.dovecot.pipe"];

if environment :matches "imap.mailbox" "*" {
  set "mailbox" "${1}";
}

if string "${mailbox}" "Trash" {
  stop;
}

pipe :copy "learn-ham.sh";

Create or replace file /var/lib/dovecot/sieve/learn-spam.sieve -rw-r--r-- root:root
require ["copy", "vnd.dovecot.pipe"];
pipe :copy "learn-spam.sh";
Execute
root@jupi:~# sievec /var/lib/dovecot/sieve/default.sieve
root@jupi:~# sievec /var/lib/dovecot/sieve/learn-ham.sieve
root@jupi:~# sievec /var/lib/dovecot/sieve/learn-spam.sieve

OpenDKIM

Execute
root@jupi:~# apt install opendkim opendkim-tools
root@jupi:~# systemctl stop opendkim.service
root@jupi:~# opendkim-genkey --directory=/etc/dkimkeys --domain=vbezhenar.com

Update DNS record default._domainkey.vbezhenar.com. according to /etc/dkimkeys/default.txt

Edit /etc/opendkim.conf (, , )
--- /root/backup/orig/etc/opendkim.conf	2017-09-04 02:17:50.000000000 +0200
+++ /etc/opendkim.conf	2020-09-15 21:19:06.470569470 +0200
@@ -10,13 +10,13 @@
 
 # Sign for example.com with key in /etc/dkimkeys/dkim.key using
 # selector '2007' (e.g. 2007._domainkey.example.com)
-#Domain			example.com
-#KeyFile		/etc/dkimkeys/dkim.key
-#Selector		2007
+Domain			vbezhenar.com
+KeyFile			/etc/dkimkeys/default.private
+Selector		default
 
 # Commonly-used options; the commented-out versions show the defaults.
 #Canonicalization	simple
-#Mode			sv
+Mode			s
 #SubDomains		no
 
 # Socket smtp://localhost
@@ -31,7 +31,7 @@
 # ##  local:/path/to/socket       to listen on a UNIX domain socket
 #
 #Socket                  inet:8892@localhost
-Socket			local:/var/run/opendkim/opendkim.sock
+Socket			local:/var/spool/postfix/opendkim/opendkim.sock
 
 ##  PidFile filename
 ###      default (none)
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog			yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask			007

# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
#Domain			example.com
#KeyFile		/etc/dkimkeys/dkim.key
#Selector		2007

# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization	simple
#Mode			sv
#SubDomains		no

# Socket smtp://localhost
#
# ##  Socket socketspec
# ##
# ##  Names the socket where this filter should listen for milter connections
# ##  from the MTA.  Required.  Should be in one of these forms:
# ##
# ##  inet:port@address           to listen on a specific interface
# ##  inet:port                   to listen on all interfaces
# ##  local:/path/to/socket       to listen on a UNIX domain socket
#
#Socket                  inet:8892@localhost
Socket			local:/var/run/opendkim/opendkim.sock

##  PidFile filename
###      default (none)
###
###  Name of the file where the filter should write its pid before beginning
###  normal operations.
#
PidFile               /var/run/opendkim/opendkim.pid


# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders		From

##  ResolverConfiguration filename
##      default (none)
##
##  Specifies a configuration file to be passed to the Unbound library that
##  performs DNS queries applying the DNSSEC protocol.  See the Unbound
##  documentation at http://unbound.net for the expected content of this file.
##  The results of using this and the TrustAnchorFile setting at the same
##  time are undefined.
##  In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
##  unbound package

# ResolverConfiguration     /etc/unbound/unbound.conf

##  TrustAnchorFile filename
##      default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
## at http://unbound.net for the expected format of this file.

TrustAnchorFile       /usr/share/dns/root.key

##  Userid userid
###      default (none)
###
###  Change to user "userid" before starting normal operation?  May include
###  a group ID as well, separated from the userid by a colon.
#
UserID                opendkim
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog			yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask			007

# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain			vbezhenar.com
KeyFile			/etc/dkimkeys/default.private
Selector		default

# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization	simple
Mode			s
#SubDomains		no

# Socket smtp://localhost
#
# ##  Socket socketspec
# ##
# ##  Names the socket where this filter should listen for milter connections
# ##  from the MTA.  Required.  Should be in one of these forms:
# ##
# ##  inet:port@address           to listen on a specific interface
# ##  inet:port                   to listen on all interfaces
# ##  local:/path/to/socket       to listen on a UNIX domain socket
#
#Socket                  inet:8892@localhost
Socket			local:/var/spool/postfix/opendkim/opendkim.sock

##  PidFile filename
###      default (none)
###
###  Name of the file where the filter should write its pid before beginning
###  normal operations.
#
PidFile               /var/run/opendkim/opendkim.pid


# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders		From

##  ResolverConfiguration filename
##      default (none)
##
##  Specifies a configuration file to be passed to the Unbound library that
##  performs DNS queries applying the DNSSEC protocol.  See the Unbound
##  documentation at http://unbound.net for the expected content of this file.
##  The results of using this and the TrustAnchorFile setting at the same
##  time are undefined.
##  In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
##  unbound package

# ResolverConfiguration     /etc/unbound/unbound.conf

##  TrustAnchorFile filename
##      default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
## at http://unbound.net for the expected format of this file.

TrustAnchorFile       /usr/share/dns/root.key

##  Userid userid
###      default (none)
###
###  Change to user "userid" before starting normal operation?  May include
###  a group ID as well, separated from the userid by a colon.
#
UserID                opendkim

Postfix

Select No configuration option in postinstall script

Execute
root@jupi:~# apt install postfix
Edit /etc/postfix/master.cf (, , )
--- /root/backup/orig/etc/postfix/master.cf	2020-09-15 21:27:11.513705450 +0200
+++ /etc/postfix/master.cf	2020-09-15 21:33:51.661692803 +0200
@@ -10,6 +10,7 @@
 #               (yes)   (yes)   (no)    (never) (100)
 # ==========================================================================
 smtp      inet  n       -       y       -       -       smtpd
+  -o content_filter=spamassassin
 #smtp      inet  n       -       y       -       1       postscreen
 #smtpd     pass  -       -       y       -       -       smtpd
 #dnsblog   unix  -       -       y       -       0       dnsblog
@@ -26,10 +27,11 @@
 #  -o smtpd_recipient_restrictions=
 #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING
-#smtps     inet  n       -       y       -       -       smtpd
-#  -o syslog_name=postfix/smtps
-#  -o smtpd_tls_wrappermode=yes
-#  -o smtpd_sasl_auth_enable=yes
+smtps     inet  n       -       y       -       -       smtpd
+  -o syslog_name=postfix/smtps
+  -o smtpd_tls_wrappermode=yes
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_milters=unix:opendkim/opendkim.sock
 #  -o smtpd_reject_unlisted_recipient=no
 #  -o smtpd_client_restrictions=$mua_client_restrictions
 #  -o smtpd_helo_restrictions=$mua_helo_restrictions
@@ -125,3 +127,5 @@
   flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
   ${nexthop} ${user}
 
+spamassassin unix -	n	n	-	-	pipe
+  user=debian-spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix	-	n	n	-	2	pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_milters=unix:opendkim/opendkim.sock
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix	-	n	n	-	2	pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

spamassassin unix -	n	n	-	-	pipe
  user=debian-spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
Create or replace file /etc/postfix/main.cf -rw-r--r-- root:root
compatibility_level = 2

myhostname = jupi.vbezhenar.com

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/vbezhenar.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/vbezhenar.com/privkey.pem

alias_maps = hash:/etc/aliases
local_recipient_maps = hash:/etc/postfix/recipients $alias_maps
recipient_delimiter = +

mynetworks = 127.0.0.0/8 [::1]/128

mailbox_transport = lmtp:unix:private/dovecot-lmtp

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
Create or replace file /etc/aliases -rw-r--r-- root:root
abuse: vbezhenar
admin: vbezhenar
administrator: vbezhenar
hostmaster: vbezhenar
postmaster: vbezhenar
support: vbezhenar
webmaster: vbezhenar
root: vbezhenar

me: vbezhenar
Execute
root@jupi:~# postalias hash:/etc/aliases
root@jupi:~# echo "vbezhenar: exists" > /etc/postfix/recipients
root@jupi:~# postalias hash:/etc/postfix/recipients
root@jupi:~# install --owner opendkim --group opendkim --mode 750 --directory /var/spool/postfix/opendkim
root@jupi:~# adduser postfix opendkim
root@jupi:~# systemctl start dovecot.service opendkim.service postfix.service

Apticron

Execute
root@jupi:~# apt install apticron-systemd
root@jupi:~# mkdir /var/lib/apticron