fix(dovecot): Enable shared mailboxes

Also fixed a typo in oidcPath.

README.md

@@ -38,7 +38,7 @@ openDesk currently features the following functional main components:
 | Collaborative notes  | Notes (aka Docs)            | [2.4.0](https://github.com/suitenumerique/docs/releases/tag/v2.4.0)                                                           | Online documentation/welcome document available in installed application                                                              |
 | Diagram editor       | CryptPad ft. diagrams.net   | [2024.9.0](https://github.com/cryptpad/cryptpad/releases/tag/2024.9.0)                                                        | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
 | File management      | Nextcloud                   | [30.0.6](https://nextcloud.com/de/changelog/#30-0-6)                                                                          | [Nextcloud 30](https://docs.nextcloud.com/)                                                                                           |
-| Groupware            | OX App Suite                | [8.35](https://documentation.open-xchange.com/appsuite/releases/8.35/)                                                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
+| Groupware            | OX App Suite                | [8.37](https://documentation.open-xchange.com/appsuite/releases/8.37/)                                                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | [16.10.5](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.5/)                                              | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
 | Portal & IAM         | Nubus                       | [1.8.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html#version-1-8-0-2025-04-07) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
 | Project management   | OpenProject                 | [15.5.1](https://www.openproject.org/docs/release-notes/15-5-1/)                                                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |

docs/getting-started.md

@@ -70,6 +70,10 @@ For your convenience, we recommend creating a `*.domain.tld` A-Record for your c
 | domain.tld                    | TXT  | `v=spf1 +a +mx +a:mail.domain.tld ~all`            | Optional, use proper MTA record if present                        |
 | _dmarc.domain.tld             | TXT  | `v=DMARC1; p=quarantine`                           | Optional                                                          |
 | default._domainkey.domain.tld | TXT  | `v=DKIM1; k=rsa; h=sha256; ...`                    | Optional, DKIM settings                                           |
+| _caldavs._tcp.domain.tld      | SRV  | 10 1 443 dav.domain.tld.                           | Optional, CalDav auto discovery                                   |
+| _caldav._tcp.domain.tld       | SRV  | 10 1  80 dav.domain.tld.                           | Optional, CalDav auto discovery                                   |
+| _carddavs._tcp.domain.tld     | SRV  | 10 1 443 dav.domain.tld.                           | Optional, CardDav auto discovery                                  |
+| _carddav._tcp.domain.tld      | SRV  | 10 1  80 dav.domain.tld.                           | Optional, CardDav auto discovery                                  |
 
 ## Domain
 

helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl

@@ -27,15 +27,8 @@ dovecot:
     password:
       value: {{ .Values.secrets.cassandra.dovecotDictmapUser | quote }}
     keyspace: {{ .Values.databases.dovecotDictmap.name | quote }}
-  sharedMailboxes:
-    enabled: false
-    host: {{ .Values.databases.dovecotACL.host | quote }}
-    port: {{ .Values.databases.dovecotACL.port }}
-    username: {{ .Values.databases.dovecotACL.username | quote }}
-    password:
-      value: {{ .Values.secrets.cassandra.dovecotACLUser | quote }}
-    keyspace: {{ .Values.databases.dovecotACL.name | quote }}
   objectStorage:
+    bucket: {{ .Values.objectstores.dovecot.bucket | quote }}
     encryption:
       privateKey:
         value: {{ env "DOVECOT_CRYPT_PRIVATE_KEY" | quote }}

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -49,6 +49,15 @@ dovecot:
     introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
     usernameAttribute: "opendesk_username"
   loginTrustedNetworks: {{ join " " .Values.cluster.networking.cidr | quote }}
+  sharedMailboxes:
+    type: "postgresql"
+    enabled: true
+    host: {{ .Values.databases.dovecotACL.host | quote }}
+    port: {{ .Values.databases.dovecotACL.port }}
+    username: {{ .Values.databases.dovecotACL.username | quote }}
+    password:
+      value: {{ .Values.secrets.postgresql.dovecotACLUser | quote }}
+    database: {{ .Values.databases.dovecotACL.name | quote }}
   submission:
     enabled: true
     ssl: "no"

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -108,8 +108,9 @@ appsuite:
       hosts:
         - "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
     dav:
+      enabled: {{ .Values.functional.groupware.davSupport.enabled }}
       hosts:
-        - "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
+        - "{{ .Values.global.hosts.openxchangeDav }}.{{ .Values.global.domain }}"
     routes:
       appsuite-base:
         annotations:
@@ -215,7 +216,7 @@ appsuite:
         host: "all"
         productName: {{ .Values.theme.texts.productName | quote }}
         oidcLogin: true
-        oidcPath: "/oidc"
+        oidcPath: "/oidc/"
     masterAdmin: "admin"
     masterPassword: {{ .Values.secrets.oxAppSuite.adminPassword | quote }}
     hzGroupName: "hzgroup"
@@ -278,17 +279,14 @@ appsuite:
       status:
         {{- if .Values.functional.migration.oxAppSuite.enabled }}
         open-xchange-oidc: "disabled"
-        open-xchange-authentication-oauth: "disabled"
         open-xchange-authentication-masterpassword: "enabled"
-        open-xchange-authentication-database: "disabled"
-        open-xchange-authentication-ldap: "disabled"
         {{- else }}
         open-xchange-oidc: "enabled"
-        open-xchange-authentication-oauth: "enabled"
         open-xchange-authentication-masterpassword: "disabled"
+        {{- end }}
+        open-xchange-authentication-oauth: "disabled"
         open-xchange-authentication-database: "disabled"
         open-xchange-authentication-ldap: "disabled"
-        {{- end }}
         # OX Documents (office-web) is not used in openDesk
         open-xchange-documents-backend: "disabled"
         open-xchange-documents-monitoring: "disabled"
@@ -323,26 +321,25 @@ appsuite:
       com.openexchange.oidc.startDefaultBackend: "true"
       com.openexchange.oidc.userLookupClaim: "opendesk_username"
       com.openexchange.oidc.userLookupNamePart: "full"
-      # OAUTH
+      com.openexchange.oidc.enablePasswordGrant: "true"
-      com.openexchange.oauth.provider.enabled: "true"
+      com.openexchange.oidc.passwordGrantUserNamePart: "local-part"
-      com.openexchange.oauth.provider.allowedIssuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
-      com.openexchange.oauth.provider.contextLookupClaim: "context"
-      com.openexchange.oauth.provider.contextLookupNamePart: "full"
-      com.openexchange.oauth.provider.jwt.jwksUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
-      com.openexchange.oauth.provider.mode: "expect_jwt"
-      com.openexchange.oauth.provider.userLookupNamePart: "full"
-      com.openexchange.oauth.provider.userLookupClaim: "opendesk_username"
-      com.openexchange.authentication.oauth.clientId: "opendesk-oxappsuite"
-      com.openexchange.authentication.oauth.tokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
-      com.openexchange.authentication.oauth.clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
       # MAIL
       com.openexchange.mail.authType: "xoauth2"
-      com.openexchange.mail.loginSource: "mail"
+      com.openexchange.mail.loginSource: "name"
       com.openexchange.mail.mailServer: "dovecot"
       com.openexchange.mail.mailServerSource: "global"
       com.openexchange.mail.transport.authType: "xoauth2"
       com.openexchange.mail.transportServer: "postfix-ox"
       com.openexchange.mail.transportServerSource: "global"
+      # Mail Login Resolver
+      com.openexchange.mail.login.resolver.enabled: "true"
+      com.openexchange.mail.login.resolver.ldap.enabled: "true"
+      com.openexchange.mail.login.resolver.ldap.clientId: "contactsLdapClient"
+      com.openexchange.mail.login.resolver.ldap.mailLoginSearchFilter: "(entryUUID=[mailLogin])"
+      com.openexchange.mail.login.resolver.ldap.userNameAttribute: "uid"
+      com.openexchange.mail.login.resolver.ldap.contextNameAttribute: "oxContextIDNum"
+      com.openexchange.mail.login.resolver.ldap.entitySearchFilter: "(&(oxContextIDNum=[cid])(uid=[uname]))"
+      com.openexchange.mail.login.resolver.ldap.mailLoginAttribute: "entryUUID"
       # Requirements for OX-Connector
       com.openexchange.user.enforceUniqueDisplayName: "false"
       com.openexchange.folderstorage.database.preferDisplayName: "false"
@@ -398,6 +395,15 @@ appsuite:
       # http = (await import('./io.ox/core/http.js')).default
       # await http.POST({ module: 'oxguard/smime', params: { action: 'test' } })
       com.openexchange.smime.test: "true"
+      # DAV
+      {{- if .Values.functional.groupware.davSupport.enabled }}
+      com.openexchange.caldav.enabled: "true"
+      com.openexchange.caldav.url: {{ printf "https://%s.%s/caldav/[folderId]" .Values.global.hosts.openxchangeDav .Values.global.domain }}
+      com.openexchange.carddav.enabled: "true"
+      com.openexchange.carddav.url: {{ printf "https://%s.%s/carddav/[folderId]" .Values.global.hosts.openxchangeDav .Values.global.domain }}
+      com.openexchange.client.onboarding.caldav.url: {{ printf "https://%s.%s/" .Values.global.hosts.openxchangeDav .Values.global.domain }}
+      com.openexchange.client.onboarding.carddav.url: {{ printf "https://%s.%s/" .Values.global.hosts.openxchangeDav .Values.global.domain }}
+      {{- end }}
       # Other
       com.openexchange.secret.secretSource: "\"<user-id> + '@' + <context-id> + '/' + <random>\""
       {{- if .Values.certificate.selfSigned }}

helmfile/apps/services-external/values-cassandra.yaml.gotmpl

@@ -43,10 +43,6 @@ initDB:
     CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.username | quote }};
     ALTER ROLE {{ .Values.databases.dovecotDictmap.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotDictmapUser "''" | squote }} AND LOGIN = true;
     GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotDictmap.name | quote }} TO {{ .Values.databases.dovecotDictmap.username | quote }};
-    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotACL.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
-    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }};
-    ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true;
-    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }};
 
 # Will print a warning if unset but is automatically calculated:
 jvm:

helmfile/apps/services-external/values-postgresql.yaml.gotmpl

@@ -48,6 +48,9 @@ image:
 
 job:
   users:
+    - username: {{ .Values.databases.dovecotACL.username | quote }}
+      password: {{ .Values.secrets.postgresql.dovecotACLUser | quote }}
+      connectionLimit: {{ .Values.databases.dovecotACL.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
     - username: {{ .Values.databases.keycloak.username | quote }}
       password: {{ .Values.secrets.postgresql.keycloakUser | quote }}
       connectionLimit: {{ .Values.databases.keycloak.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
@@ -83,6 +86,8 @@ job:
       connectionLimit: {{ .Values.databases.xwiki.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
 {{ end }}
   databases:
+    - name: {{ .Values.databases.dovecotACL.name | quote }}
+      user: {{ .Values.databases.dovecotACL.username | quote }}
     - name: {{ .Values.databases.keycloak.name | quote }}
       user: {{ .Values.databases.keycloak.username | quote }}
     - name: {{ .Values.databases.keycloakExtension.name | quote }}

helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl

@@ -6,12 +6,11 @@ charts:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/product-development/charts/opendesk-dovecot-pro"
     name: "dovecot"
-    version: "3.0.0"
+    version: "3.0.0-tkaltenbrunner-fix-postgresacl"
     verify: true
   oxAppSuite:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/charts-mirror"
     name: "appsuite-public-sector-pro-chart"
-    version: "1.15.236"
+    version: "1.17.283"
     verify: false
-...

helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl

@@ -17,5 +17,5 @@ images:
   openxchangeCoreMW:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/middleware-public-sector-pro"
-    tag: "8.35.85@sha256:54d01a16ea29a3ae8f1857e5bdf6d2e34046b8a3fa3d6179bb3ad3d047e1318f"
+    tag: "8.37.62@sha256:750bb22a12646e4f3df01de9d438617c53d0996407ba11924167102cd84c4660"
 ...

helmfile/environments/default/charts.yaml.gotmpl

@@ -56,7 +56,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
     name: "collabora-online"
-    version: "1.1.37"
+    version: "1.1.38"
     verify: true
   collaboraController:
     # Enterprise Component
@@ -99,7 +99,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot"
     name: "dovecot"
-    version: "3.0.0"
+    version: "3.1.0-tkaltenbrunner-fix-dovecot-acls"
     verify: true
   element:
     # providerCategory: "Platform"
@@ -387,7 +387,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
     name: "appsuite-public-sector"
-    version: "2.17.164"
+    version: "2.19.254"
     verify: false
   oxAppSuiteBootstrap:
     # providerCategory: "Platform"

helmfile/environments/default/database.yaml.gotmpl

@@ -15,10 +15,10 @@ databases:
     password: ""
     connectionLimit: ~
   dovecotACL:
-    type: "cassandra"
+    type: "postgresql"
     name: "dovecot_acl"
-    host: "cassandra"
+    host: "postgresql"
-    port: 9042
+    port: 5432
     username: "dovecot_acl_user"
     password: ""
     connectionLimit: ~

helmfile/environments/default/functional.yaml.gotmpl

@@ -144,6 +144,10 @@ functional:
         versions: "auto"
         # yamllint enable rule:line-length
 
+  groupware:
+    davSupport:
+      enabled: true
+
   migration:
     oxAppSuite:
       # Note: Only available in openDesk Enterprise.

helmfile/environments/default/global.yaml.gotmpl

@@ -55,6 +55,7 @@ global:
     nubus: "portal"
     openproject: "projects"
     openxchange: "webmail"
+    openxchangeDav: "dav"
     static: "static"
     synapse: "matrix"
     synapseAdmin: "synapse-admin"

helmfile/environments/default/images.yaml.gotmpl

@@ -746,7 +746,7 @@ images:
     # upstreamRepository: "library/postgres"
     registry: "registry-1.docker.io"
     repository: "library/postgres"
-    tag: "16.8-alpine3.20@sha256:951d0626662c85a25e1ba0a89e64f314a2b99abced2c85b4423506249c2d82b0"
+    tag: "16.9-alpine3.20@sha256:e5507c984377515b8c9922b0eb19f55aba2063fdc7bccf268cefd53133f97054"
   openxchangeBootstrap:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -764,7 +764,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "6", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
-    tag: "8.6.14@sha256:c00546144667d2d5036fa37b2e6185f1abb53c13e9eee7b0c78ec64ac8e5250a"
+    tag: "8.6.15@sha256:f8ea7b3f4003b518c43b12118980d26d1258396f55848af6a64e7a3e7e103c1d"
   openxchangeCoreMW:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -774,7 +774,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "51"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.35.83@sha256:5c4180c1ba255193059241921e6fe0a34555592aa29104a145a0e1beb91157d2"
+    tag: "8.37.62@sha256:2eb5f4a472c329cbf170b6e7fba5790756dcc3f6360d5d36dfff5eb06b09f8c3"
   openxchangeCoreUI:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -784,7 +784,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.35.2@sha256:658563b6ec4d3d5f2e06f2987cd8e730d91b8d0c65b0206495007d347f98965f"
+    tag: "8.37.1@sha256:eb30e03a5976d57a62d00a613336631d46bffc84c0d67e422f062635669f6b62"
   openxchangeCoreUIMiddleware:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -794,7 +794,7 @@ images:
     # upstreamMirrorStartFrom: ["2", "0", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui-middleware"
-    tag: "2.1.1@sha256:1a3e96243353a53e06bf3d90067d7d07de449e8273fa60a043d7ac4a5e6464c3"
+    tag: "2.1.2@sha256:36fe59a047fa466bef6fcdeed1ed8e4bbeaf7824c37c63e3bfe7262cd135cb9e"
   openxchangeCoreUserGuide:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -804,7 +804,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "799279"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.35.1292950@sha256:a6937222e3b07b42c7dc6a066aae0cd05b3b899325a4e4aee50ee91355c9b3b5"
+    tag: "8.37.1354160@sha256:226b210268cd3c9b13a84a2ca1168e1ab08b62e19bccd3129adad7ffca514655"
   openxchangeDocumentConverter:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -814,7 +814,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "50"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.35.1671@sha256:0a7b9d7af9cd22562196b854ad11ca3fd477ddcc70f2ccd113e87ab3b7aad26c"
+    tag: "8.37.1751@sha256:c1bbe271d6c0ba9ecc1bbb4ba2a944099f0ba90133dd4e6d3aecd0ea51b2e5bd"
   openxchangeGotenberg:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -834,7 +834,7 @@ images:
     # upstreamMirrorStartFrom: ["4", "2", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/guard-ui"
-    tag: "8.32.0@sha256:5c9542f9112882e46c3b8cb6f0ca2bef61585abac0e640a4fafa7d7ef60a392b"
+    tag: "8.33.2@sha256:920b5ac87128f30c176c0ae75c6bedd32d226a97c6c5a822235606c39992ee9a"
   openxchangeImageConverter:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -844,7 +844,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "50"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.35.77@sha256:fb67cbaf0771ea6c18b5a1b94aaec9bf72b930227613e70535d382be58940372"
+    tag: "8.37.2089@sha256:8109351da173fa836d5559973103c8890e6a6e2514866675387bbf4d49606917"
   openxchangeNextcloudIntegrationUI:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -854,7 +854,7 @@ images:
     # upstreamMirrorStartFrom: ["1", "2", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/nextcloud-integration-ui"
-    tag: "1.4.0@sha256:4be267ab2dc8dbef6b8382e2de6b28f3851a7af7f68702f360d457898cb9011e"
+    tag: "1.4.1@sha256:423d596b52ab32778d7227d98ccc719f98395a00d95ff0bcac826665b59e1937"
   openxchangePublicSectorUI:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -864,7 +864,7 @@ images:
     # upstreamMirrorStartFrom: ["2", "2", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/public-sector-ui"
-    tag: "2.4.0@sha256:6513e948028ed98aca633d9943ef3be5fed890e4757eee6b527b7215206d2bd6"
+    tag: "2.4.1@sha256:c9f0f5425517e1740aaf9998c5944ce36ce26eda52329754e6b8ac733e2dacc5"
   oxConnector:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"

helmfile/environments/default/secrets.yaml.gotmpl

@@ -8,7 +8,6 @@ secrets:
   cassandra:
     rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "root_password" | sha1sum | quote }}
     dovecotDictmapUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_dictmap_user" | sha1sum | quote }}
-    dovecotACLUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_acl_user" | sha1sum | quote }}
   oxAppSuite:
     adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum | quote }}
     basicAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "basic_auth_password" | sha1sum | quote }}
@@ -59,6 +58,7 @@ secrets:
     natsAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }}
   postgresql:
     postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }}
+    dovecotACLUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cassandra" "dovecot_acl_user" | sha1sum | quote }}
     keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}
     keycloakExtensionUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_extensions_user" | sha1sum | quote }}
     matrixUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum | quote }}