initial: no secrets

2024-02-12 17:01:18 +01:00
commit cf9efd55b5
186 changed files with 8697 additions and 0 deletions
+122
@@ -0,0 +1,122 @@
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
# logs
info_log_path = /var/dovecot/logs/dovecot_info.log
log_path = /var/dovecot/logs/dovecot.log
protocols = imap pop3 lmtp
# We're using Maildir format
mail_location = maildir:~/Maildir
# If you're using POP3, you'll need this:
pop3_uidl_format = %g
# Authentication configuration:
auth_verbose = yes
auth_mechanisms = plain login
disable_plaintext_auth = no
passdb {
driver = passwd-file
args = scheme=SHA512-CRYPT username_format=%n /var/dovecot/auth/passwd
}
userdb {
driver = passwd-file
args = username_format=%n /var/dovecot/auth/passwd
}
# Postmaster
protocol lda {
postmaster_address = postmaster@example.com
}
# Quotas mus be defined like this in passwd userdb_quota_rule=*:storage=100M
mail_plugins = $mail_plugins quota
protocol imap {
mail_plugins = $mail_plugins imap_quota
}
plugin {
quota = maildir
}
## SSL settings
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes
ssl_cert = </etc/letsencrypt/live/atlantishq.de/fullchain.pem
ssl_key = </etc/letsencrypt/live/atlantishq.de/privkey.pem
ssl_min_protocol = TLSv1.1
ssl_cipher_list = HIGH:!aNULL
ssl_prefer_server_ciphers = yes
default_login_user = dovenull
default_internal_user = dovecot
####### IMAP #######
service imap-login {
inet_listener imaps {
port = 993
ssl = yes
}
inet_listener imap {
port = 0
}
service_count = 1
process_min_avail = 1
vsz_limit = 100M
}
protocol imap {
imap_client_workarounds = tb-extra-mailbox-sep
}
service imap {
vsz_limit = 100M
process_limit = 100
}
####### POP3 #######
service pop3-login {
inet_listener pop3s {
port = 995
ssl = yes
}
inet_listener pop3 {
port = 0
}
}
service pop3 {
process_limit = 100
}
###### LMTP #######
service lmtp {
unix_listener /var/spool/postfix/private/dovecot_lmtp_target {
mode = 0600
group = postfix
user = postfix
}
}
###### AUTH ######
service auth {
unix_listener auth-userdb {
mode = 0600
group = postfix
user = postfix
}
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0600
group = postfix
user = postfix
}
user = dovecot
}
service auth-worker {
user = dovecot
}
first_valid_uid = 100
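Review bot: `ssl_min_protocol = TLSv1.1` still admits a protocol version that is deprecated (RFC 8996); raise it to `ssl_min_protocol = TLSv1.2`. The same floor appears in main.cf (`smtpd_tls_protocols`/`smtp_tls_protocols` and their `_mandatory_` variants list `TLSv1.1`) and nginx.conf enables `TLSv1 TLSv1.1` in `ssl_protocols`, so the three files should be aligned in one pass. `disable_plaintext_auth = no` together with `auth_mechanisms = plain login` permits plaintext credentials on non-TLS connections; the plain `imap`/`pop3` listeners are disabled with `port = 0`, so exposure is limited, but `disable_plaintext_auth = yes` costs nothing here and protects against a listener being re-enabled later. The hunk header announces 122 lines while fewer are shown, so blank lines appear to have been dropped by the rendering.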
+1
@@ -0,0 +1 @@
noreply:{SHA512-CRYPT}$6$XXXXXXXXXXXXXXXXXXXuse this: $(mkpasswd -msha512crypt)XXXXX:106:113::/var/dovecot/noreply::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
+1
@@ -0,0 +1 @@
sqlite postfix-sqlite.so dict_sqlite_open
+9
@@ -0,0 +1,9 @@
# Sender adress the user may use :)
sheppy@atlantishq.de sheppy@atlantishq.de
ths-nas@atlantishq.de ths-nas@atlantishq.de
joerg@darknet-fashion.de joerg@darknet-fashion.de
yannik.schmidt@potaris.de yannik.schmidt@potaris.de
noreply@atlantishq.de noreply@atlantishq.de
@darknet-fashion.de joerg
@darknet-fashion.com joerg
@atlantishq.de sheppy
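Review bot: The owner column mixes two identity forms — full addresses (`sheppy@atlantishq.de sheppy@atlantishq.de`) and bare user names (`@atlantishq.de sheppy`) — but `reject_authenticated_sender_login_mismatch` compares the owner against the single SASL login name Postfix receives, which is one form or the other, not both. Dovecot's `username_format=%n` in dovecot.conf governs the passdb lookup, not necessarily the name reported back to Postfix, so which rows are effective is not certain from here; check `sasl_username=` in the Postfix log for an authenticated session and make the owner column consistent with it. The comment `Sender adress` has a typo (`address`).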
+1
@@ -0,0 +1 @@
/^X-Spam-Flag: YES/ REDIRECT spamsink@atlantishq.de
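Review bot: `/^X-Spam-Flag: YES/ REDIRECT spamsink@atlantishq.de` runs in cleanup(8) on every pass through the queue, including the initial submission, so a message that already carries that header when it arrives is diverted before spamassassin has scored it, and because REDIRECT replaces the envelope recipients the original recipients never receive it. If the check is meant to act only on spamassassin's verdict, have the first-pass smtpd listeners skip it (`-o receive_override_options=no_header_body_checks` on the port-25 service in master.cf) so that only the re-injected copy is examined. This is a single-line file, so the context is complete.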
+102
@@ -0,0 +1,102 @@
# let's confuse atackers
smtpd_banner = $myhostname Postfix
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
# delay_warning_time = 10h
queue_directory = /var/spool/postfix
# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/atlantishq.de/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/atlantishq.de/privkey.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# tls paramaters
smtpd_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
tls_preempt_cipherlist = yes
# breaks mailman for obvious reasons
smtpd_tls_security_level=may
smtpd_tls_auth_only = yes
# SMTP (mainly from dovecot documentation)
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_sender
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_mandatory_ciphers=high
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtpd_sender_login_maps=hash:/etc/postfix/enabled_senders
## restrictions
# PERMIT MY NETWORKS MUST ALWAYS BE THE FIRST ARGUMENT OR YOU CANNOT SEND TO NON-LOCAL domains from NOT-DOVECOT
#policyd-spf_time_limit = 3600
smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/policyd-spf,check_sender_access hash:/etc/postfix/sender_blacklist
#smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_blacklist
#smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender
smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch,reject_non_fqdn_sender,permit_sasl_authenticated
# USER mappings (not reliant on unix users)
# MAILMAN #
virtual_mailbox_domains = atlantishq.de,darknet-fashion.de,darknet-fashion.com,potaris.de
virtual_alias_maps = hash:/etc/postfix/virtual
#recipient_cononical_maps = hash:/etc/postfix/canonical-recipient
virtual_transport = lmtp:unix:private/dovecot_lmtp_target
#relocated_maps = hash:/etc/postfix/mail_redirect
alias_maps = hash:/etc/aliases
virtual_minimum_uid = 100
virtual_uid_maps = static:1009
virtual_gid_maps = static:1009
#receive_override_options = no_address_mappings
# spam redirect happens here
header_checks = regexp:/etc/postfix/header_checks
# random shit
biff = no
readme_directory = no
compatibility_level = 2
myhostname = mail.atlantishq.de
#mydestination = localhost.divercitystudio.de,localhost.atlantishq.de, ,localhost
mydestination = localhost
#,localhost.esports-erlangen.de,esports-erlangen.de
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
message_size_limit = 80480000
inet_interfaces = all
inet_protocols = all
#alias_maps = hash:/etc/aliases
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8892
non_smtpd_milters = $smtpd_milters
disable_mime_output_conversion = yes
authorized_submit_users = !check,static:all
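Review bot: `smtp_tls_security_level` is never set, so with Postfix's default (empty, falling back to `smtp_use_tls = no`) outbound delivery is cleartext for every destination not listed in `tls_policy`, even though `smtp_tls_protocols`, `smtp_tls_ciphers` and `smtp_tls_session_cache_database` are all configured; add `smtp_tls_security_level = may`. `smtpd_tls_protocols` and its three siblings still list `TLSv1.1`; see the dovecot.conf note for aligning the floor at TLSv1.2 across the three files. `PSD` in the four `*_exclude_ciphers` lists does not name an OpenSSL cipher group and is presumably a typo for `PSK`. `smtp_tls_mandatory_ciphers` is set twice (`= high` and `=high`); postconf warns about the override, so one of the two lines should go.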
+58
@@ -0,0 +1,58 @@
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
-o content_filter=spamassassin
8025 inet n - y - - smtpd
spamassassin unix - n n - - pipe
user=spamd argv=/usr/bin/spamc -f -e
/usr/sbin/sendmail -oi -f ${sender} ${recipient}
#smtp inet n - y - 1 postscreen
smtps inet n - y - - smtpd -v
-o smtpd_tls_wrappermode=yes
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
########################## OTHER #############################
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/dovecot-lda -f ${sender} -d ${user}@${nexthop} -m ${extension}
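Review bot: `8025 inet n - y - - smtpd` is a public listener (`n` in the private column) with no `-o content_filter=` override, and with `inet_interfaces = all` in main.cf it is bound on every interface, so mail submitted there bypasses the spamassassin filter applied to port 25; since the spamassassin pipe re-injects through `/usr/sbin/sendmail`, the listener's purpose is unclear — if it is only for local re-injection, bind it as `127.0.0.1:8025 inet n - y - - smtpd` and give it an explicit `-o content_filter=`. The `-v` on the `smtps` service turns on verbose logging of the whole SMTP dialogue, which may place the base64 `AUTH` exchange in the mail log; drop it outside of debugging. `submission` has no `-o smtpd_tls_security_level=encrypt`, so it relies on the global `may` plus `smtpd_tls_auth_only = yes` — that still blocks plaintext AUTH, but making submission `encrypt` is the usual explicit form. The `dovecot` pipe transport at the end appears unused, because `virtual_transport` in main.cf is LMTP.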
+63
@@ -0,0 +1,63 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_certificate /etc/letsencrypt/live/atlantishq.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/atlantishq.de/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
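Review bot: `server_tokens off;` in the Basic Settings block is left commented out, so responses and error pages advertise the nginx version; uncomment it. No `ssl_ciphers` and no `ssl_session_cache` are set alongside the certificate lines, so nginx's built-in defaults apply — acceptable, but worth stating explicitly so the intent is visible. The `TLSv1 TLSv1.1` entries in `ssl_protocols` are covered in the dovecot.conf note.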
+26
@@ -0,0 +1,26 @@
server {
server_name mail.atlantishq.de autoconfig.atlantishq.de autodiscover.atlantishq.de autoconfig.potaris.de;
listen 443 ssl;
listen 80;
listen [::]:443 ssl;
location /.well-known/acme-challenge/ {
auth_basic off;
alias /var/www/.well-known/acme-challenge/;
}
location /initdb {
allow 127.0.0.1;
deny all;
}
location /{
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto http;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:8080;
}
}
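Review bot: `proxy_set_header X-Forwarded-Proto http;` is hard-coded, so the backend on `localhost:8080` is told every request arrived over plain HTTP even when it came in on the `443 ssl` listeners; use `proxy_set_header X-Forwarded-Proto $scheme;`. The same server block also serves `listen 80` and proxies it to the backend, so anything a user submits over port 80 travels unencrypted to the edge; the usual shape is a separate port-80 server that answers the ACME challenge and redirects everything else to https, as sketched below. `location /initdb` has `allow 127.0.0.1; deny all;` but no `proxy_pass`, so even a loopback request is answered by nginx itself rather than forwarded — presumably not what was intended, so confirm whether it needs its own `proxy_pass`. Only `[::]:443` has an IPv6 listener; port 80 has none.
```nginx
server {
    listen 80;
    listen [::]:80;
    server_name mail.atlantishq.de autoconfig.atlantishq.de autodiscover.atlantishq.de autoconfig.potaris.de;

    location /.well-known/acme-challenge/ {
        auth_basic off;
        alias /var/www/.well-known/acme-challenge/;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    server_name mail.atlantishq.de autoconfig.atlantishq.de autodiscover.atlantishq.de autoconfig.potaris.de;
    listen 443 ssl;
    listen [::]:443 ssl;
    # … unchanged: acme-challenge and /initdb locations …
    location / {
        proxy_set_header X-Forwarded-Proto $scheme;
        # … unchanged: Host, X-Forwarded-For, X-Real-IP headers and proxy_pass …
    }
}
```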
+1
@@ -0,0 +1 @@
atlantishq atlantishq.de:default:/etc/opendkim/keys/atlantishq.de/default.private
+86
@@ -0,0 +1,86 @@
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 007
# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
#Domain example.com
#KeyFile /etc/dkimkeys/dkim.key
#Selector 2007
# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization simple
#Mode sv
#SubDomains no
# Socket smtp://localhost
#
# ## Socket socketspec
# ##
# ## Names the socket where this filter should listen for milter connections
# ## from the MTA. Required. Should be in one of these forms:
# ##
# ## inet:port@address to listen on a specific interface
# ## inet:port to listen on all interfaces
# ## local:/path/to/socket to listen on a UNIX domain socket
#
Socket inet:8892@localhost
#Socket local:/var/run/opendkim/opendkim.sock
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
## PidFile filename
### default (none)
###
### Name of the file where the filter should write its pid before beginning
### normal operations.
#
PidFile /var/run/opendkim/opendkim.pid
# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders From
## ResolverConfiguration filename
## default (none)
##
## Specifies a configuration file to be passed to the Unbound library that
## performs DNS queries applying the DNSSEC protocol. See the Unbound
## documentation at http://unbound.net for the expected content of this file.
## The results of using this and the TrustAnchorFile setting at the same
## time are undefined.
## In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
## unbound package
# ResolverConfiguration /etc/unbound/unbound.conf
## TrustAnchorFile filename
## default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
## at http://unbound.net for the expected format of this file.
TrustAnchorFile /usr/share/dns/root.key
## Userid userid
### default (none)
###
### Change to user "userid" before starting normal operation? May include
### a group ID as well, separated from the userid by a colon.
#
UserID opendkim
ExternalIgnoreList /etc/opendkim/trusted.hosts
InternalHosts /etc/opendkim/trusted.hosts
SigningTable refile:/etc/opendkim/signing.table
KeyTable /etc/opendkim/key.table
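Review bot: `Canonicalization` is left at its default `simple/simple` (shown only as the commented sample), which makes signatures break on any whitespace normalisation between this host and the verifier; `Canonicalization relaxed/simple` is the widely recommended setting for signing. `Socket inet:8892@localhost` matches `smtpd_milters = inet:localhost:8892` in main.cf, so that pairing is consistent. The private key referenced from key.table is not part of this commit (per its title); when it is deployed, `UserID opendkim` must be able to read it, and OpenDKIM's `RequireSafeKeys` default will refuse a key file that is group- or world-readable, so deploy it `0600` owned by `opendkim`.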
+3
@@ -0,0 +1,3 @@
*@atlantishq.de atlantishq
*@lantia-it.de atlantishq
*@esports-erlangen.de atlantishq
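Review bot: `*@lantia-it.de atlantishq` and `*@esports-erlangen.de atlantishq` select the key.table entry whose domain is `atlantishq.de`, so mail from those two domains would be signed `d=atlantishq.de`; that signature is not aligned with the From: domain and will not satisfy DMARC for lantia-it.de or esports-erlangen.de. Each domain needs its own key.table row (`domain:selector:keyfile`) and a matching `selector._domainkey` TXT record. Neither domain appears in main.cf's `virtual_mailbox_domains`, so presumably they are relayed from the hosts in trusted.hosts — confirm that is the intent.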
+6
@@ -0,0 +1,6 @@
127.0.0.1
localhost
atlantishq.de
192.168.122.112
192.168.122.107
192.168.122.117
@@ -0,0 +1,16 @@
# For a fully commented sample config file see policyd-spf.conf.commented
debugLevel = 1
TestOnly = 1
#HELO_reject = Fail
#Mail_From_reject = Fail
HELO_reject = False
Mail_From_reject = False
PermError_reject = False
TempError_Defer = False
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1,192.168.122.112,192.168.122.107
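Review bot: `TestOnly = 1` puts the policy daemon in log-only mode, and `HELO_reject = False`, `Mail_From_reject = False` and `PermError_reject = False` additionally disable every rejection, so the `check_policy_service unix:private/policyd-spf` entry in main.cf never rejects anything — SPF is observed but not enforced. If that is a deliberate burn-in period, say so in a comment in this file; otherwise set `TestOnly = 0` and at least `Mail_From_reject = Fail`. The rendered page shows this hunk without its file header, so the path is inferred from the Ansible task that deploys `policy-spf/policyd-spf.conf`.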
+1
@@ -0,0 +1 @@
test@atlantishq.de sheppy@atlantishq.de
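Review bot: `test@atlantishq.de sheppy@atlantishq.de` is only consulted through `relocated_maps`, which main.cf leaves commented out (`#relocated_maps = hash:/etc/postfix/mail_redirect`, and with a different path), so this file is deployed but unused. Either enable `relocated_maps = hash:/etc/postfix/relocated` or drop the file from the copy task. Note that `relocated` produces a bounce telling the sender the new address rather than a forward; if a forward is wanted the entry belongs in `virtual`.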
+11
@@ -0,0 +1,11 @@
alyssa@catapult.gg REJECT
service-expert.net REJECT
yougetnow.com REJECT
forestanes.pics REJECT
stockcard.io REJECT
zapingers.autos REJECT
cleverep.com REJECT
.ru REJECT
allsip.ru REJECT
sina.buffy@avantgarde-experts.de OK
.avantgarde-experts.de OK
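Review bot: The leading-dot keys `.ru REJECT` and `.avantgarde-experts.de OK` are only matched when `smtpd_access_maps` has been removed from `parent_domain_matches_subdomains`; with the Postfix default (which main.cf in this commit does not change) subdomain matching uses the bare parent name, so these two rows are never consulted — write them as `ru REJECT` and `avantgarde-experts.de OK`, or change that parameter. Rejecting an entire ccTLD is a policy call, but it should be a conscious one rather than a row that silently does nothing. The `OK` rows are harmless here because `check_sender_access` is the last item in `smtpd_recipient_restrictions`, so `OK` skips nothing further.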
+13
@@ -0,0 +1,13 @@
[atlantishq.de]:587 encrypt protocols=TLSv1.2 ciphers=high
[atlantishq.de]:msa encrypt protocols=TLSv1.2 ciphers=high
[atlantishq.de]:submission encrypt protocols=TLSv1.2 ciphers=high
[esports-erlangen.de]:587 encrypt protocols=TLSv1.2 ciphers=high
[esports-erlangen.de]:msa encrypt protocols=TLSv1.2 ciphers=high
[esports-erlangen.de]:submission encrypt protocols=TLSv1.2 ciphers=high
[darknet-fashion.de]:587 encrypt protocols=TLSv1.2 ciphers=high
[darknet-fashion.de]:msa encrypt protocols=TLSv1.2 ciphers=high
[darknet-fashion.de]:submission encrypt protocols=TLSv1.2 ciphers=high
[darknet-fashion.com]:587 encrypt protocols=TLSv1.2 ciphers=high
[darknet-fashion.com]:msa encrypt protocols=TLSv1.2 ciphers=high
[darknet-fashion.com]:submission encrypt protocols=TLSv1.2 ciphers=high
.datev.de encrypt
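Review bot: `encrypt` enforces TLS but performs no certificate verification, so every row here accepts whatever certificate the peer presents. For the destinations under your own control (`[atlantishq.de]`, `[darknet-fashion.de]`, `[darknet-fashion.com]`) `secure` or `verify` would pin the name, which also requires `smtp_tls_CAfile` or `smtp_tls_CApath` in main.cf, where neither is set. `protocols=TLSv1.2` is an exact list and so excludes TLS 1.3; on Postfix 3.6 or later `protocols=>=TLSv1.2` expresses the floor instead.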
+3
@@ -0,0 +1,3 @@
atlantishq.de lmtp:unix:private/dovecot_lmtp_target
darknet-fashion.de lmtp:unix:private/dovecot_lmtp_target
darknet-fashion.com lmtp:unix:private/dovecot_lmtp_target
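Review bot: main.cf in this commit sets no `transport_maps`, so this file is never consulted; `virtual_transport = lmtp:unix:private/dovecot_lmtp_target` already routes all of `virtual_mailbox_domains` to Dovecot, which makes these rows redundant. If `transport_maps` is set somewhere not shown, `potaris.de` (listed in `virtual_mailbox_domains`) is missing here; otherwise the file can be dropped from the copy task. Like the other `hash:` maps in this commit it would also need a `postmap` run, which the tasks file does not perform.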
+38
@@ -0,0 +1,38 @@
# you can also so this: test-second-account@atlantishq.de test@atlantishq.de
# which will give all incoming mails of test-second-account to test (sorta obvious)
# IMPORTANT >> IT IS _NOT_ NESSESARY TO DO THE FOLLOWING << IMPORTANT
# user@atlantishq.de user@esports-erlangen.de
# every user will get emails from both domains
# If a user also wants to _SEND_ mails, he also have to have an
# entry in the /etc/postfix/enabled-senders
# CHANGES IN THIS FILE MUST BE MAPPED BEFORE RESTART (!)
# postmap FILENAME
# CHANGES IN THIS FILE WILL ONLY BE APPLIED ON POSTFIX RESTART, NOT RELOAD (!)
# sheppy
insurgency@atlantishq.de sheppy@atlantishq.de
yannik@atlantishq.de sheppy@atlantishq.de
tac@atlantishq.de sheppy@atlantishq.de
uplay@atlantishq.de sheppy@atlantishq.de
#yannik.schmidt@potaris.de sheppy@atlantishq.de
acc@atlantishq.de sheppy@atlantishq.de
mail@potaris.de yannik.schmidt@potaris.de
sector32@potaris.de yannik.schmidt@potaris.de
root@atlantishq.de sheppy@atlantishq.de
trackmania-2@atlantishq.de sheppy@atlantishq.de
maria@atlantishq.de mondauge@icloud.com
steam-potaris-1@atlantishq.de sheppy@atlantishq.de
steam-potaris-2@atlantishq.de sheppy@atlantishq.de
steam-potaris-3@atlantishq.de sheppy@atlantishq.de
# michy
ipatix@atlantishq.de michael.panzlaff@fau.de
# catchall
#@atlantishq.de root@atlantishq.de
#@esports-erlangen.de root@atlantishq.de
@darknet-fashion.com joerg@darknet-fashion.de
@darknet-fashion.de joerg@darknet-fashion.de
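Review bot: The catch-alls `@darknet-fashion.com joerg@darknet-fashion.de` and `@darknet-fashion.de joerg@darknet-fashion.de` accept every local part in those domains, so recipient validation is effectively disabled for them and dictionary spam and misaddressed mail all land in one mailbox; explicit aliases are the safer default, with a catch-all kept only if that inbox is actually watched. The alias that forwards to an external `icloud.com` mailbox re-sends the message with the original envelope sender unless sender rewriting is in place, so SPF checks at the destination will see this host as the source, and such forwards tend to be dropped or quarantined for senders with a strict DMARC policy. The header comment correctly says `postmap` is required after changes; the Ansible tasks in this commit do not run it.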
+2
@@ -0,0 +1,2 @@
dependencies:
- global-handlers
+88
@@ -0,0 +1,88 @@
- name: Install Mail stuff
apt:
pkg:
- postfix
- dovecot-core
- dovecot-imapd
- spamassassin
- nginx
- postfix-policyd-spf-python
- opendkim
- opendkim-tools
state: present
- name: Deploy Postfix config
copy:
src: "{{ item }}"
dest: "/etc/postfix/{{ item }}"
with_items:
- dynamicmaps.cf
- enabled_senders
- main.cf
- master.cf
- relocated
- sender_blacklist
- tls_policy
- transport
- virtual
- header_checks
notify: restart postfix
- name: Deploy dmark/opendkim config (main)
copy:
src: "opendkim/opendkim.conf"
dest: "/etc/opendkim.conf"
notify: restart opendkim
- name: Deploy dmark/opendkim config (config dir)
copy:
src: "opendkim/{{ item }}"
dest: "/etc/opendkim/"
with_items:
- key.table
- signing.table
- trusted.hosts
notify: restart opendkim
- name: Deploy policy spf config
copy:
src: "policy-spf/policyd-spf.conf"
dest: "/etc/postfix-policyd-spf-python/"
notify: restart postfix
- name: Deploy dmark/opendkim config (config dir)
copy:
src: "opendkim/{{ item }}"
dest: "/etc/opendkim/"
with_items:
- key.table
- signing.table
notify: restart postfix
- name: Deploy Dovecot config
copy:
src: "{{ item }}"
dest: "/etc/dovecot/{{ item }}"
with_items:
- dovecot.conf
notify: restart dovecot
- name: Deploy nginx-config
copy:
src: nginx.conf
dest: /etc/nginx/nginx.conf
notify: restart nginx
- name: Deploy nginx-config (page)
copy:
src: nginx_default.conf
dest: /etc/nginx/sites-available/default
notify: restart nginx
- name: Deploy user passwd config
copy:
src: dovecot_passwd
dest: /var/dovecot/auth/passwd
owner: dovecot
group: dovecot
notify: restart dovecot
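Review bot: `Deploy user passwd config` writes a file of password hashes without a `mode:`, so Ansible's `copy` creates it with umask-derived default permissions (typically 0644) and every local account can read the hashes; add `mode: "0600"` — dovecot.conf runs `auth-worker` as `dovecot`, matching the owner set here. The `hash:` maps copied by `Deploy Postfix config` (`enabled_senders`, `relocated`, `sender_blacklist`, `tls_policy`, `transport`, `virtual`) are never run through `postmap`, so Postfix keeps reading stale or missing `.db` files; a follow-up task is sketched below. The second `Deploy dmark/opendkim config (config dir)` task duplicates the first with a shorter file list and notifies `restart postfix` instead of `restart opendkim`; drop it. The hunk header counts 88 lines while fewer are shown, so the task list may continue past the end of this chunk.
```yaml
- name: Deploy user passwd config
  copy:
    src: dovecot_passwd
    dest: /var/dovecot/auth/passwd
    owner: dovecot
    group: dovecot
    mode: "0600"
  notify: restart dovecot

- name: Build Postfix hash maps
  command: postmap /etc/postfix/{{ item }}
  with_items:
    - enabled_senders
    - relocated
    - sender_blacklist
    - tls_policy
    - transport
    - virtual
  notify: restart postfix
```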