# {{ ansible_managed }}

# Autorise les mécanismes PLAIN/LOGIN même sans SSL/TLS
disable_plaintext_auth = no
auth_mechanisms = plain login

# Authentification LDAP + intégration avec Postfix pour l'auth SMTP
!include auth-ldap.conf.ext
service auth {
    unix_listener auth-userdb {
        mode = 0600
        user = vmail
        group = vmail
    }
    unix_listener /var/spool/postfix/private/auth-client {
        mode = 0666
        user = postfix
        group = postfix
    }
}

# Stockage des emails dans /home/mail avec UID/GID 5000/5000
mail_location = maildir:/home/vmail/%d/%n
mail_uid = 5000
mail_gid = 5000

# Activation Sieve
protocol lda {
    mail_plugins = sieve
}

# Optimisations
service login {
    process_limit = 256
}
mail_max_userip_connections = 42

# SSL/TLS
ssl = yes
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 2048
ssl_options = no_compression no_ticket
ssl_protocols = !TLSv1 !TLSv1.1
ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key