Use exherbo as base image

config/dovecot/dovecot.auth

@@ -0,0 +1,11 @@
+auth_mechanisms = plain login
+
+passdb {
+  driver = passwd-file
+  args = /etc/dovecot/passwd
+}
+
+userdb {
+  driver = static
+  args = uid=vmail gid=vmail home=/vmail/%d/%n allow_all_users=yes
+}

config/dovecot/dovecot.imap

@@ -0,0 +1,3 @@
+protocol imap {
+	imap_client_workarounds = tb-extra-mailbox-sep
+}

config/dovecot/dovecot.lda

@@ -0,0 +1,8 @@
+lda_mailbox_autocreate = yes
+lda_mailbox_autosubscribe = yes
+
+protocol lda {
+  hostname = mail.docker.container
+  postmaster_address = postmaster@mail.docker.container
+  mail_plugins = $mail_plugins sieve
+}

config/dovecot/dovecot.logging

@@ -0,0 +1,2 @@
+auth_verbose = yes
+auth_debug = yes

config/dovecot/dovecot.mail

@@ -0,0 +1,19 @@
+mail_location = maildir:/vmail/%d/%n:LAYOUT=fs
+
+namespace inbox {
+  inbox = yes
+
+  # set these to autocreate or else thunderbird will complain
+  mailbox Trash {
+    auto = create
+    special_use = \Trash
+  }
+  mailbox Drafts {
+    auto = subscribe
+    special_use = \Drafts
+  }
+  mailbox Sent {
+    auto = subscribe # autocreate and autosubscribe the Sent mailbox
+    special_use = \Sent
+  }
+}

config/dovecot/dovecot.managesieve

@@ -0,0 +1,76 @@
+##
+## ManageSieve specific settings
+##
+
+# Uncomment to enable managesieve protocol:
+protocols = $protocols sieve
+
+# Service definitions
+
+service managesieve-login {
+  inet_listener sieve {
+    port = 4190
+  }
+
+  #inet_listener sieve_deprecated {
+  #  port = 2000
+  #}
+
+  # Number of connections to handle before starting a new process. Typically
+  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
+  # is faster. <doc/wiki/LoginProcess.txt>
+  service_count = 1
+
+  # Number of processes to always keep waiting for more connections.
+  #process_min_avail = 0
+
+  # If you set service_count=0, you probably need to grow this.
+  #vsz_limit = 64M
+}
+
+service managesieve {
+  # Max. number of ManageSieve processes (connections)
+  process_limit = 1024
+}
+
+# Service configuration
+
+protocol sieve {
+  # Maximum ManageSieve command line length in bytes. ManageSieve usually does
+  # not involve overly long command lines, so this setting will not normally
+  # need adjustment
+  #managesieve_max_line_length = 65536
+
+  # Maximum number of ManageSieve connections allowed for a user from each IP
+  # address.
+  # NOTE: The username is compared case-sensitively.
+  #mail_max_userip_connections = 10
+
+  # Space separated list of plugins to load (none known to be useful so far).
+  # Do NOT try to load IMAP plugins here.
+  #mail_plugins =
+
+  # MANAGESIEVE logout format string:
+  #  %i - total number of bytes read from client
+  #  %o - total number of bytes sent to client
+  #managesieve_logout_format = bytes=%i/%o
+
+  # To fool ManageSieve clients that are focused on CMU's timesieved you can
+  # specify the IMPLEMENTATION capability that Dovecot reports to clients.
+  # For example: 'Cyrus timsieved v2.2.13'
+  managesieve_implementation_string = Dovecot Pigeonhole
+
+  # Explicitly specify the SIEVE and NOTIFY capability reported by the server
+  # before login. If left unassigned these will be reported dynamically
+  # according to what the Sieve interpreter supports by default (after login
+  # this may differ depending on the user).
+  #managesieve_sieve_capability =
+  #managesieve_notify_capability =
+
+  # The maximum number of compile errors that are returned to the client upon
+  # script upload or script verification.
+  #managesieve_max_compile_errors = 5
+
+  # Refer to 90-sieve.conf for script quota configuration and configuration of
+  # Sieve execution limits.
+}

config/dovecot/dovecot.master

@@ -0,0 +1,35 @@
+listen = "*, [::]"
+
+service imap-login {
+  # disable starttls
+  inet_listener imap {
+	port = 0
+  }
+
+  inet_listener imaps {
+
+  }
+}
+
+service imap {
+}
+
+# not sure if this is needed
+service lmtp {
+ unix_listener /var/spool/postfix/private/dovecot-lmtp {
+   group = vmail
+   mode = 0660
+   user = postfix
+  }
+}
+
+service auth {
+  unix_listener /var/spool/postfix/private/auth {
+          mode = 0660
+    user = postfix
+    group = vmail
+  }
+}
+
+service auth-worker {
+}

config/dovecot/dovecot.sieve

@@ -0,0 +1,5 @@
+plugin {
+    sieve_before = /vmail/sieve/spam-global.sieve
+    sieve = file:/vmail/%d/%n/sieve/scripts/;active=/vmail/%d/%n/sieve/currently-active-script.sieve
+    sieve_extensions = +fileinto +imapflags +regex +copy
+}

config/dovecot/dovecot.ssl

@@ -0,0 +1,5 @@
+ssl = required
+disable_plaintext_auth = no
+ssl_cert = </etc/ssl/server/email.crt
+ssl_key = </etc/ssl/server/email.key
+

config/example/aliases

@@ -0,0 +1,2 @@
+admin@example.org	admin@example.org
+@example.org 	catch-all@example.org

config/example/domains

@@ -0,0 +1 @@
+example.org

config/example/myhostname

@@ -0,0 +1 @@
+localhost

config/example/passwords

@@ -0,0 +1,2 @@
+catch-all@example.org:{PLAIN}password123
+admin@example.org:{SHA256-CRYPT}$5$3qaCC/fV65Adtfoy$O20EXoSOcgWKf5NyAZnXAtGPQoSgeYRjLm56M25.H12

config/example/postfix-networks

@@ -0,0 +1 @@
+127.0.0.0/8 [::1]/128

config/example/spam-global.sieve

@@ -0,0 +1,5 @@
+require "fileinto";
+
+if header :contains "X-Spam-Flag" "YES" {
+  fileinto "Spam";
+}

config/paludis/options.conf.d/mail.conf

@@ -0,0 +1,4 @@
+net-mail/dovecot caps lz4 sqlite tcpd
+mail-mta/postfix ssl
+
+dev-lang/perl berkdb dbm

config/paludis/sets/mail.conf

@@ -0,0 +1,7 @@
+* app-admin/supervisor
+* dev-python/pyzor
+* dev-perl/razor
+* mail-filter/spamassassin
+* mail-mta/postfix
+* net-mail/dovecot
+* dev-perl/Net-IDN-Encode

config/postfix/postfix.main.cf

@@ -0,0 +1,76 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+inet_protocols = all
+
+smtpd_banner = $myhostname ESMTP $mail_name
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/server/email.crt
+smtpd_tls_key_file=/etc/ssl/server/email.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+myhostname = localhost
+#alias_maps = hash:/etc/mail/aliases
+#alias_database = hash:/etc/mail/aliases
+mydestination = localhost.localdomain, localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+
+# SMTP configuration for incoming mail (port 25)
+# Outgoing mail (port 587) configuration  is specified in master.cf
+
+# Opportunistic TLS
+smtp_tls_security_level = may
+
+# allow all connections (since we want to receive mail from outside)
+smtpd_client_restrictions = permit
+
+# Don't talk to mail systems that don't know their own hostname.
+# With Postfix < 2.3, specify reject_unknown_hostname.
+smtpd_helo_restrictions = permit
+
+# Don't accept mail from domains that don't exist.
+smtpd_sender_restrictions = permit
+
+# Only accept mail where this server is the final destination
+smtpd_relay_restrictions = permit_auth_destination, permit_mynetworks, reject
+
+# Mail thats not for us gets filtered out by smtpd_relay_restrictions
+# When the mail is for us, we just accept everything. (could add spam blocklists/user checking etc. here)
+smtpd_recipient_restrictions = permit
+
+# Delivery to dovecot
+#alias_maps = hash:/etc/mail/aliases
+#alias_database = hash:/etc/mail/aliases
+virtual_alias_maps = hash:/etc/postfix/virtual
+virtual_mailbox_domains = /etc/postfix/virtual-mailbox-domains
+virtual_mailbox_maps = hash:/etc/postfix/virtual-mailbox-maps
+virtual_transport = dovecot
+dovecot_destination_recipient_limit = 1
+
+# additional authentication settings
+smtpd_tls_auth_only = yes
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth

config/postfix/postfix.master.cf.append

@@ -0,0 +1,21 @@
+dovecot   unix  -       n       n       -       -       pipe
+ flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
+
+# we need to be permissive with the helo restrictions since the client can only
+# authenticate after HELO has been sent
+submission      inet    n       -       n       -       -       smtpd
+ -o smtpd_etrn_restrictions=reject
+ -o smtpd_tls_security_level=may
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_type=dovecot
+ -o smtpd_sasl_path=private/auth
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_helo_restrictions=permit
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+ -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+
+spamassassin unix -     n       n       -       -       pipe
+ user=vmail:vmail argv=/usr/bin/spamc -f -e
+ /usr/sbin/sendmail -oi -f ${sender} ${recipient}

config/spamassasin/pyzor.servers

@@ -0,0 +1 @@
+public.pyzor.org:24441

config/spamassasin/spamassasin.local.append

@@ -0,0 +1,7 @@
+
+# you should leave this untouched
+razor_config /etc/spamassassin/.razor/razor-agent.conf
+pyzor_options --homedir /etc/spamassassin/.pyzor
+
+# here goes your whitelist stuff for example
+# whitelist_from user@example.com

config/supervisord.conf

@@ -0,0 +1,18 @@
+[supervisord]
+nodaemon=true
+
+[program:spamassasin]
+command=/usr/sbin/spamd
+startsecs=2
+autorestart=true
+
+[program:postfix]
+process_name=master
+directory=/etc/postfix
+command=/usr/sbin/postfix -c /etc/postfix start
+startsecs=1
+autorestart=false
+
+[program:dovecot]
+command=/usr/sbin/dovecot -c /etc/dovecot/dovecot.conf -F
+autorestart=true