# Dovecot IMAP server configuration (template).
# The {{ ... }} placeholders are filled in by the templating step before
# Dovecot reads the file (looks like Jinja2 - confirm against the deploy role).

# TLS settings, taken from the Mozilla generator ("intermediate" profile):
# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.8&config=intermediate&openssl=1.1.1g&guideline=5.6
# The URL pins Dovecot 2.3.8 / OpenSSL 1.1.1g; regenerate when either is upgraded.

# TLS is mandatory: authentication attempted before TLS is established fails.
ssl = required
# The leading "<" makes Dovecot read the value from the named file.
ssl_cert = <{{ tls_certs }}/{{ mail_server }}-fullchain.crt
# Private key: check that the rendered path is not group/world-readable.
ssl_key = <{{ tls_private }}/{{ mail_server }}.key
# DH parameters for the two DHE-RSA suites below; the file name suggests the
# RFC 7919 ffdhe3072 group - verify the file content matches.
ssl_dh = <{{ tls_certs }}/ffdhe3072.pem
# TLS 1.0 and 1.1 (and SSLv3) are refused.
ssl_min_protocol = TLSv1.2
# Every suite listed is AEAD (AES-GCM or ChaCha20-Poly1305) with forward
# secrecy (ECDHE or DHE). No TLS 1.3 suite names appear in this list.
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# The client's cipher order wins. That is only acceptable because the list
# above has no weak entries; revisit this if a legacy suite is ever added.
ssl_prefer_server_ciphers = no

# kerberos
# "$ALL" accepts every entry in the keytab rather than one fixed host name,
# so the keytab should contain only the service principals this server needs.
auth_gssapi_hostname = "$ALL"
# The keytab holds long-term service keys: keep it readable only by the user
# the Dovecot auth process runs as.
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
# PLAIN and LOGIN carry the password itself, protected only by the TLS layer
# that "ssl = required" enforces. GSSAPI does not send the password.
auth_mechanisms = gssapi plain login

# enable only imap
# No other protocol service (POP3, LMTP, submission, ...) is started.
protocols = imap

# use index from tmpfs
# mbox folders live in ~/imapmail/, the INBOX is /var/mail/%u, and index files
# go to /var/spool/dovecot/index/home/%u (%u expands to the user name).
# Whether the index path really is tmpfs is decided by the mount table, not by
# this file - confirm on the host.
mail_location = mbox:~/imapmail/:INBOX=/var/mail/%u:INDEX=/var/spool/dovecot/index/home/%u

# special icons for mailboxes
# special_use advertises the SPECIAL-USE flag that clients use to recognise
# the folder's role; "auto = subscribe" creates and subscribes the mailbox
# automatically. "spam" has no auto setting, so it is only flagged if present.
namespace inbox {
  mailbox spam {
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
}

# imap specific
protocol imap {
  # Upper bound on simultaneous IMAP connections per user from one IP address.
  mail_max_userip_connections = 20
  # How often an idling client is sent a keep-alive notification.
  imap_idle_notify_interval = 29 mins
}

# disable plain text imap
# port = 0 switches off the "imap" listener (the cleartext/STARTTLS port).
# The "imaps" listener is not overridden here, so implicit-TLS access depends
# on the defaults or on another config file - check with `doveconf -n`.
service imap-login {
  inet_listener imap {
    port = 0
  }
}