From 586a0b0e051a573f8d4f923f55df2c8905def1a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9?=
Date: Sun, 5 Nov 2017 12:18:52 +0100
Subject: [PATCH] [Dovecot] Add bindirs to cache compiled scripts, drop some privileges, run one login proc per user
---
 data/conf/dovecot/dovecot.conf | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/data/conf/dovecot/dovecot.conf b/data/conf/dovecot/dovecot.conf
index a9e6f0af..6cf1897b 100644
--- a/data/conf/dovecot/dovecot.conf
+++ b/data/conf/dovecot/dovecot.conf
@@ -173,6 +173,9 @@ service dict {
 group = vmail
 }
 }
+service log {
+ user = dovenull
+}
 service auth {
 inet_listener auth-inet {
 port = 10001
@@ -185,7 +188,6 @@ service auth {
 mode = 0600
 user = vmail
 }
- user = root
 }
 service managesieve-login {
 inet_listener sieve {
@@ -193,10 +195,19 @@ service managesieve-login {
 }
 service_count = 1
 process_min_avail = 2
- vsz_limit = 128M
+ vsz_limit = 64M
+}
+service imap-login {
+ service_count = 1
+ vsz_limit = 64M
+ user = dovenull
+}
+service pop3-login {
+ service_count = 1
 }
 service imap {
 executable = imap imap-postlogin
+ user = dovenull
 }
 service managesieve {
 process_limit = 256
@@ -249,8 +260,8 @@ plugin {
 sieve_quota_max_scripts = 0
 sieve_quota_max_storage = 0
 listescape_char = "\\"
- sieve_before = dict:proxy::sieve_before;name=active
- sieve_after = dict:proxy::sieve_after;name=active
+ sieve_before = dict:proxy::sieve_before;name=active;bindir=/var/vmail/sieve_before_bindir
+ sieve_after = dict:proxy::sieve_after;name=active;bindir=/var/vmail/sieve_after_bindir
 sieve_after2 = /var/vmail/sieve/global.sieve
 #mail_crypt_global_private_key =
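Review bot: The new `service log` block (hunk `@@ -173,6 +173,9 @@`) runs the log process as `dovenull`, the same account this commit gives to `imap-login` and to the post-login `imap` service in hunk `@@ -193,10 +195,19 @@`. Dovecot's stock master configuration treats the login user as the most untrusted account and asks that internal services use a separate one, so that a compromised pre-auth login process cannot interfere with them. A distinct unprivileged account would keep that separation, e.g. `user = dovecot` if the image provides the default internal user (not visible here). A comment such as `# non-root: requires logging to syslog/stderr, not a root-owned log file` would also help, since the logging destination is set outside this hunk.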
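Review bot: `user = dovenull` on `service imap` (hunk `@@ -193,10 +195,19 @@`) starts the post-login process, which opens mailboxes and runs `imap-postlogin`, under the login account. A service started as a non-root user cannot switch to the UID returned by userdb, and the rest of this file points at `vmail` as the mail owner (`user = vmail` on the auth socket, paths under `/var/vmail`). This looks likely either to fail on mailbox access or to push toward making mail storage accessible to `dovenull`; the userdb settings are outside the hunk, so please confirm. `user = vmail` would still avoid starting the process as root. In the same hunk `pop3-login` gets `service_count = 1` but not the `vsz_limit = 64M` applied to `imap-login` and `managesieve-login`; adding it would keep the pre-auth services consistent.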