smartmachine 1.2.3 → 1.3.1

data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/conf.d/90-sieve.conf

@@ -0,0 +1,229 @@
+##
+## Settings for the Sieve interpreter
+##
+
+# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
+# by adding it to the respective mail_plugins= settings.
+
+# The Sieve interpreter can retrieve Sieve scripts from several types of
+# locations. The default `file' location type is a local filesystem path
+# pointing to a Sieve script file or a directory containing multiple Sieve
+# script files. More complex setups can use other location types such as
+# `ldap' or `dict' to fetch Sieve scripts from remote databases.
+#
+# All settings that specify the location of one ore more Sieve scripts accept
+# the following syntax:
+#
+# location = [<type>:]path[;<option>[=<value>][;...]]
+#
+# If the type prefix is omitted, the script location type is 'file' and the 
+# location is interpreted as a local filesystem path pointing to a Sieve script
+# file or directory. Refer to Pigeonhole wiki or INSTALL file for more
+# information.
+
+plugin {
+  # The location of the user's main Sieve script or script storage. The LDA
+  # Sieve plugin uses this to find the active script for Sieve filtering at
+  # delivery. The "include" extension uses this location for retrieving
+  # :personal" scripts. This is also where the  ManageSieve service will store
+  # the user's scripts, if supported.
+  # 
+  # Currently only the 'file:' location type supports ManageSieve operation.
+  # Other location types like 'dict:' and 'ldap:' can currently only
+  # be used as a read-only script source ().
+  #
+  # For the 'file:' type: use the ';active=' parameter to specify where the
+  # active script symlink is located.
+  # For other types: use the ';name=' parameter to specify the name of the
+  # default/active script.
+  sieve = file:~/sieve;active=~/.dovecot.sieve
+
+  # The default Sieve script when the user has none. This is the location of a
+  # global sieve script file, which gets executed ONLY if user's personal Sieve
+  # script doesn't exist. Be sure to pre-compile this script manually using the
+  # sievec command line tool if the binary is not stored in a global location.
+  # --> See sieve_before for executing scripts before the user's personal
+  #     script.
+  #sieve_default = /var/lib/dovecot/sieve/default.sieve
+
+  # The name by which the default Sieve script (as configured by the 
+  # sieve_default setting) is visible to the user through ManageSieve. 
+  #sieve_default_name = 
+
+  # Location for ":global" include scripts as used by the "include" extension.
+  #sieve_global =
+
+  # The location of a Sieve script that is run for any message that is about to
+  # be discarded; i.e., it is not delivered anywhere by the normal Sieve
+  # execution. This only happens when the "implicit keep" is canceled, by e.g.
+  # the "discard" action, and no actions that deliver the message are executed.
+  # This "discard script" can prevent discarding the message, by executing
+  # alternative actions. If the discard script does nothing, the message is
+        # still discarded as it would be when no discard script is configured.
+  #sieve_discard =
+
+  # Location Sieve of scripts that need to be executed before the user's
+  # personal script. If a 'file' location path points to a directory, all the 
+  # Sieve scripts contained therein (with the proper `.sieve' extension) are
+  # executed. The order of execution within that directory is determined by the
+  # file names, using a normal 8bit per-character comparison.
+  #
+  # Multiple script locations can be specified by appending an increasing number
+  # to the setting name. The Sieve scripts found from these locations are added
+  # to the script execution sequence in the specified order. Reading the
+  # numbered sieve_before settings stops at the first missing setting, so no
+  # numbers may be skipped.
+  #sieve_before = /var/lib/dovecot/sieve.d/
+  #sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
+  #sieve_before3 = (etc...)
+
+  # Identical to sieve_before, only the specified scripts are executed after the
+  # user's script (only when keep is still in effect!). Multiple script
+  # locations can be specified by appending an increasing number.
+  #sieve_after =
+  #sieve_after2 =
+  #sieve_after2 = (etc...)
+  ##### SmartMachine Begin.
+  sieve_after = /etc/dovecot/sieve-after
+  ##### SmartMachine Close.
+
+  # Which Sieve language extensions are available to users. By default, all
+  # supported extensions are available, except for deprecated extensions or
+  # those that are still under development. Some system administrators may want
+  # to disable certain Sieve extensions or enable those that are not available
+  # by default. This setting can use '+' and '-' to specify differences relative
+  # to the default. For example `sieve_extensions = +imapflags' will enable the
+  # deprecated imapflags extension in addition to all extensions were already
+  # enabled by default.
+  #sieve_extensions = +notify +imapflags
+
+  # Which Sieve language extensions are ONLY available in global scripts. This
+  # can be used to restrict the use of certain Sieve extensions to administrator
+  # control, for instance when these extensions can cause security concerns.
+  # This setting has higher precedence than the `sieve_extensions' setting
+  # (above), meaning that the extensions enabled with this setting are never
+  # available to the user's personal script no matter what is specified for the
+  # `sieve_extensions' setting. The syntax of this setting is similar to the
+  # `sieve_extensions' setting, with the difference that extensions are
+  # enabled or disabled for exclusive use in global scripts. Currently, no
+  # extensions are marked as such by default.
+  #sieve_global_extensions =
+  ##### SmartMachine Begin.
+  sieve_global_extensions = +vnd.dovecot.pipe
+  ##### SmartMachine Close.
+
+  # The Pigeonhole Sieve interpreter can have plugins of its own. Using this
+  # setting, the used plugins can be specified. Check the Dovecot wiki
+  # (wiki2.dovecot.org) or the pigeonhole website
+  # (http://pigeonhole.dovecot.org) for available plugins.
+  # The sieve_extprograms plugin is included in this release.
+  #sieve_plugins =
+  ##### SmartMachine Begin.
+  sieve_plugins = sieve_imapsieve sieve_extprograms
+  ##### SmartMachine Close.
+
+  # The maximum size of a Sieve script. The compiler will refuse to compile any
+  # script larger than this limit. If set to 0, no limit on the script size is
+  # enforced.
+  #sieve_max_script_size = 1M
+
+  # The maximum number of actions that can be performed during a single script
+  # execution. If set to 0, no limit on the total number of actions is enforced.
+  #sieve_max_actions = 32
+
+  # The maximum number of redirect actions that can be performed during a single
+  # script execution. If set to 0, no redirect actions are allowed.
+  #sieve_max_redirects = 4
+
+  # The maximum number of personal Sieve scripts a single user can have. If set
+  # to 0, no limit on the number of scripts is enforced.
+  # (Currently only relevant for ManageSieve)
+  #sieve_quota_max_scripts = 0
+
+  # The maximum amount of disk storage a single user's scripts may occupy. If
+  # set to 0, no limit on the used amount of disk storage is enforced.
+  # (Currently only relevant for ManageSieve)
+  #sieve_quota_max_storage = 0
+
+  # The primary e-mail address for the user. This is used as a default when no
+  # other appropriate address is available for sending messages. If this setting
+  # is not configured, either the postmaster or null "<>" address is used as a
+  # sender, depending on the action involved. This setting is important when
+  # there is no message envelope to extract addresses from, such as when the
+  # script is executed in IMAP.
+  #sieve_user_email =
+
+  # The path to the file where the user log is written. If not configured, a
+  # default location is used. If the main user's personal Sieve (as configured
+  # with sieve=) is a file, the logfile is set to <filename>.log by default. If
+  # it is not a file, the default user log file is ~/.dovecot.sieve.log.
+  #sieve_user_log =
+
+  # Specifies what envelope sender address is used for redirected messages.
+  # The following values are supported for this setting:
+  #
+  #   "sender"         - The sender address is used (default).
+  #   "recipient"      - The final recipient address is used.
+  #   "orig_recipient" - The original recipient is used.
+  #   "user_email"     - The user's primary address is used. This is
+  #                      configured with the "sieve_user_email" setting. If
+  #                      that setting is unconfigured, "user_mail" is equal to
+  #                      "recipient".
+  #   "postmaster"     - The postmaster_address configured for the LDA.
+  #   "<user@domain>"  - Redirected messages are always sent from user@domain.
+  #                      The angle brackets are mandatory. The null "<>" address
+  #                      is also supported.
+  #
+  # This setting is ignored when the envelope sender is "<>". In that case the
+  # sender of the redirected message is also always "<>".
+  #sieve_redirect_envelope_from = sender
+
+  ##### SmartMachine Begin.
+  # From elsewhere to Junk folder
+  imapsieve_mailbox1_name = Junk
+  imapsieve_mailbox1_causes = COPY
+  imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve
+
+  # From Junk folder to elsewhere
+  imapsieve_mailbox2_name = *
+  imapsieve_mailbox2_from = Junk
+  imapsieve_mailbox2_causes = COPY
+  imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve
+
+  sieve_pipe_bin_dir = /etc/dovecot/sieve
+  ##### SmartMachine Close.
+
+  ## TRACE DEBUGGING
+  # Trace debugging provides detailed insight in the operations performed by
+  # the Sieve script. These settings apply to both the LDA Sieve plugin and the
+  # IMAPSIEVE plugin. 
+  #
+  # WARNING: On a busy server, this functionality can quickly fill up the trace
+  # directory with a lot of trace files. Enable this only temporarily and as
+  # selective as possible.
+  
+  # The directory where trace files are written. Trace debugging is disabled if
+  # this setting is not configured or if the directory does not exist. If the 
+  # path is relative or it starts with "~/" it is interpreted relative to the
+  # current user's home directory.
+  #sieve_trace_dir =
+  
+  # The verbosity level of the trace messages. Trace debugging is disabled if
+  # this setting is not configured. Possible values are:
+  #
+  #   "actions"        - Only print executed action commands, like keep,
+  #                      fileinto, reject and redirect.
+  #   "commands"       - Print any executed command, excluding test commands.
+  #   "tests"          - Print all executed commands and performed tests.
+  #   "matching"       - Print all executed commands, performed tests and the
+  #                      values matched in those tests.
+  #sieve_trace_level =
+  
+  # Enables highly verbose debugging messages that are usually only useful for
+  # developers.
+  #sieve_trace_debug = no
+  
+  # Enables showing byte code addresses in the trace output, rather than only
+  # the source line numbers.
+  #sieve_trace_addresses = no 
+}

data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/dovecot-sql.conf.ext

@@ -0,0 +1,163 @@
+# This file is commonly accessed via passdb {} or userdb {} section in
+# conf.d/auth-sql.conf.ext
+
+# This file is opened as root, so it should be owned by root and mode 0600.
+#
+# http://wiki2.dovecot.org/AuthDatabase/SQL
+#
+# For the sql passdb module, you'll need a database with a table that
+# contains fields for at least the username and password. If you want to
+# use the user@domain syntax, you might want to have a separate domain
+# field as well.
+#
+# If your users all have the same uig/gid, and have predictable home
+# directories, you can use the static userdb module to generate the home
+# dir based on the username and domain. In this case, you won't need fields
+# for home, uid, or gid in the database.
+#
+# If you prefer to use the sql userdb module, you'll want to add fields
+# for home, uid, and gid. Here is an example table:
+#
+# CREATE TABLE users (
+#     username VARCHAR(128) NOT NULL,
+#     domain VARCHAR(128) NOT NULL,
+#     password VARCHAR(64) NOT NULL,
+#     home VARCHAR(255) NOT NULL,
+#     uid INTEGER NOT NULL,
+#     gid INTEGER NOT NULL,
+#     active CHAR(1) DEFAULT 'Y' NOT NULL
+# );
+
+# Database driver: mysql, pgsql, sqlite
+#driver = 
+##### SmartMachine Begin.
+driver = mysql
+##### SmartMachine Close.
+
+# Database connection string. This is driver-specific setting.
+#
+# HA / round-robin load-balancing is supported by giving multiple host
+# settings, like: host=sql1.host.org host=sql2.host.org
+#
+# pgsql:
+#   For available options, see the PostgreSQL documentation for the
+#   PQconnectdb function of libpq.
+#   Use maxconns=n (default 5) to change how many connections Dovecot can
+#   create to pgsql.
+#
+# mysql:
+#   Basic options emulate PostgreSQL option names:
+#     host, port, user, password, dbname
+#
+#   But also adds some new settings:
+#     client_flags           - See MySQL manual
+#     connect_timeout        - Connect timeout in seconds (default: 5)
+#     read_timeout           - Read timeout in seconds (default: 30)
+#     write_timeout          - Write timeout in seconds (default: 30)
+#     ssl_ca, ssl_ca_path    - Set either one or both to enable SSL
+#     ssl_cert, ssl_key      - For sending client-side certificates to server
+#     ssl_cipher             - Set minimum allowed cipher security (default: HIGH)
+#     ssl_verify_server_cert - Verify that the name in the server SSL certificate
+#                              matches the host (default: no)
+#     option_file            - Read options from the given file instead of
+#                              the default my.cnf location
+#     option_group           - Read options from the given group (default: client)
+# 
+#   You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
+#   Note that currently you can't use spaces in parameters.
+#
+# sqlite:
+#   The path to the database file.
+#
+# Examples:
+#   connect = host=192.168.1.1 dbname=users
+#   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
+#   connect = /etc/dovecot/authdb.sqlite
+#
+#connect =
+##### SmartMachine Begin.
+connect = host=%<mysql_host>s port=%<mysql_port>s dbname=%<mysql_database_name>s user=%<mysql_user>s password=%<mysql_password>s
+##### SmartMachine Close.
+
+# Default password scheme.
+#
+# List of supported schemes is in
+# http://wiki2.dovecot.org/Authentication/PasswordSchemes
+#
+#default_pass_scheme = MD5
+
+# passdb query to retrieve the password. It can return fields:
+#   password - The user's password. This field must be returned.
+#   user - user@domain from the database. Needed with case-insensitive lookups.
+#   username and domain - An alternative way to represent the "user" field.
+#
+# The "user" field is often necessary with case-insensitive lookups to avoid
+# e.g. "name" and "nAme" logins creating two different mail directories. If
+# your user and domain names are in separate fields, you can return "username"
+# and "domain" fields instead of "user".
+#
+# The query can also return other fields which have a special meaning, see
+# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
+#
+# Commonly used available substitutions (see http://wiki2.dovecot.org/Variables
+# for full list):
+#   %u = entire user@domain
+#   %n = user part of user@domain
+#   %d = domain part of user@domain
+# 
+# Note that these can be used only as input to SQL query. If the query outputs
+# any of these substitutions, they're not touched. Otherwise it would be
+# difficult to have eg. usernames containing '%' characters.
+#
+# Example:
+#   password_query = SELECT userid AS user, pw AS password \
+#     FROM users WHERE userid = '%u' AND active = 'Y'
+#
+#password_query = \
+#  SELECT username, domain, password \
+#  FROM users WHERE username = '%n' AND domain = '%d'
+##### SmartMachine Begin.
+password_query = SELECT password FROM virtual_users WHERE email='%u'
+##### SmartMachine Close.
+
+# userdb query to retrieve the user information. It can return fields:
+#   uid - System UID (overrides mail_uid setting)
+#   gid - System GID (overrides mail_gid setting)
+#   home - Home directory
+#   mail - Mail location (overrides mail_location setting)
+#
+# None of these are strictly required. If you use a single UID and GID, and
+# home or mail directory fits to a template string, you could use userdb static
+# instead. For a list of all fields that can be returned, see
+# http://wiki2.dovecot.org/UserDatabase/ExtraFields
+#
+# Examples:
+#   user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
+#   user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
+#   user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
+#
+#user_query = \
+#  SELECT home, uid, gid \
+#  FROM users WHERE username = '%n' AND domain = '%d'
+##### SmartMachine Begin.
+user_query = SELECT email as user, \
+  concat('*:bytes=', quota_bytes) AS quota_rule, \
+  '/var/vmail/%d/%n' AS home, \
+  5000 AS uid, 5000 AS gid \
+  FROM virtual_users WHERE email='%u'
+##### SmartMachine Close.
+
+# If you wish to avoid two SQL lookups (passdb + userdb), you can use
+# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
+# also have to return userdb fields in password_query prefixed with "userdb_"
+# string. For example:
+#password_query = \
+#  SELECT userid AS user, password, \
+#    home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
+#  FROM users WHERE userid = '%u'
+
+# Query to get a list of all usernames.
+#iterate_query = SELECT username AS user FROM users
+##### SmartMachine Begin.
+iterate_query = SELECT email AS user FROM virtual_users
+##### SmartMachine Close.

data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-ham.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/bin/sa-learn --ham

data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-ham.sieve

@@ -0,0 +1,5 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "variables"];
+if string "${mailbox}" "Trash" {
+  stop;
+}
+pipe :copy "learn-ham.sh";

data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-spam.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/bin/sa-learn --spam

data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-spam.sieve

@@ -0,0 +1,2 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve"];
+pipe :copy "learn-spam.sh";

data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve-after/spam-to-folder.sieve

@@ -0,0 +1,6 @@
+require ["fileinto"];
+
+if header :contains "X-Spam-Flag" "YES" {
+ fileinto "Junk";
+ stop;
+}

data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/haproxy/haproxy.cfg

@@ -0,0 +1,58 @@
+global
+	log /dev/log    local0
+        log /dev/log    local1 notice
+        chroot /var/lib/haproxy
+        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+        stats timeout 30s
+        user haproxy
+        group haproxy
+        daemon
+
+        # Default SSL material locations
+        ca-base /etc/ssl/certs
+        crt-base /etc/ssl/private
+
+        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+        log     global
+        mode    http
+        option  httplog
+        option  dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+        errorfile 400 /etc/haproxy/errors/400.http
+        errorfile 403 /etc/haproxy/errors/403.http
+        errorfile 408 /etc/haproxy/errors/408.http
+        errorfile 500 /etc/haproxy/errors/500.http
+        errorfile 502 /etc/haproxy/errors/502.http
+        errorfile 503 /etc/haproxy/errors/503.http
+        errorfile 504 /etc/haproxy/errors/504.http
+
+##### SmartMachine Begin.
+frontend myfrontend
+        bind :80
+	acl oracle_ips_listed str("%<oracle_ips_allowed>s") -m len gt 0
+	acl oracle_ip_allowed req.hdr(X-Real-IP) -m ip %<oracle_ips_allowed>s
+	http-request redirect code 302 location %<oracle_deflect_url>s unless oracle_ips_listed oracle_ip_allowed
+	http-request redirect code 302 location /oracle/monit/ if { path /oracle/monit }
+	use_backend monitbackend if { path_beg -i /oracle/monit/ }
+	stats enable
+	stats uri /oracle/haproxy
+        stats refresh 30s
+	stats admin if oracle_ips_listed oracle_ip_allowed
+
+backend monitbackend
+        balance roundrobin
+        option forwardfor
+        http-request add-header X-Forwarded-Proto https if { ssl_fc }
+        http-request set-header X-Forwarded-Host %[req.hdr(Host)]
+        http-request set-header X-Forwarded-Port %[dst_port]
+	http-request replace-path /oracle/monit(/)?(.*) /\2
+        option httpchk GET /
+        server s1 127.0.0.1:2812 check
+##### SmartMachine Close.

data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/monit/conf.d/services.cfg

@@ -0,0 +1,70 @@
+# system
+check system $HOST
+  if loadavg (5min) > 3 then alert
+  if loadavg (15min) > 1 then alert
+  if memory usage > 90% for 4 cycles then alert
+  if swap usage > 60% for 4 cycles then alert
+  # Test the user part of CPU usage
+  if cpu usage (user) > 80% for 2 cycles then alert
+  # Test the system part of CPU usage
+  if cpu usage (system) > 20% for 2 cycles then alert
+  # Test the i/o wait part of CPU usage
+  if cpu usage (wait) > 80% for 2 cycles then alert
+  # Test CPU usage including user, system and wait. Note that
+  # multi-core systems can generate 100% per core
+  # so total CPU usage can be more than 100%
+  if cpu usage > 200% for 4 cycles then alert
+
+# rsyslog
+check process rsyslog with pidfile /run/rsyslogd.pid
+  start program = "/usr/sbin/service rsyslog start"
+  stop  program = "/usr/sbin/service rsyslog stop"
+
+# rsyslog.syslog
+check file rsyslog.syslog with path /var/log/syslog
+  if timestamp > 65 minutes then alert
+
+# haproxy
+check process haproxy with pidfile /run/tmpfs/haproxy.pid
+  start program = "/usr/sbin/haproxy -W -f /etc/haproxy/haproxy.cfg -p /run/tmpfs/haproxy.pid -S /run/haproxy-master.sock"
+  stop  program = "/bin/bash -c '/bin/kill --signal SIGUSR1 `cat /run/tmpfs/haproxy.pid`'"
+
+# spamassassin
+check process spamassassin with pidfile /home/spamd/spamd.pid
+  start program = "/usr/sbin/spamd -d --pidfile=/home/spamd/spamd.pid --create-prefs --max-children 5 --username spamd --helper-home-dir /home/spamd/ -s /home/spamd/spamd.log"
+  stop  program = "/bin/bash -c '/bin/kill --signal SIGTERM `cat /home/spamd/spamd.pid`'"
+  if cpu usage > 99% for 5 cycles then alert
+  if mem usage > 99% for 5 cycles then alert
+
+# spamassassin.update
+check program spamassassin.update with path "/bin/bash -c '/usr/bin/sa-update && /bin/kill --signal SIGHUP `cat /home/spamd/spamd.pid`'"
+  every "0-15 12-1 * * *"
+  if changed status then alert
+
+# opendkim
+check process opendkim with pidfile /var/run/opendkim/opendkim.pid
+  start program = "/usr/sbin/opendkim"
+  stop  program = "/bin/bash -c '/bin/kill --signal SIGTERM `cat /var/run/opendkim/opendkim.pid`'"
+
+# postfix
+check process postfix with pidfile /var/spool/postfix/pid/master.pid
+  start program = "/bin/bash -c '/usr/lib/postfix/configure-instance.sh - && /usr/sbin/postmulti -i - -p start'"
+  stop  program = "/usr/sbin/postmulti -i - -p stop"
+  if failed port 25 protocol smtp then restart
+
+# dovecot
+check process dovecot with pidfile /run/dovecot/master.pid
+  start program = "/usr/sbin/dovecot"
+  stop  program = "/usr/bin/doveadm stop"
+  if failed host %<fqdn>s port 993 type tcpssl sslauto protocol imap for 5 cycles then restart
+
+# certbot
+check file certbot.fullchain with path /etc/letsencrypt/live/%<fqdn>s/fullchain.pem
+  if changed checksum then exec "/bin/bash -c '/usr/sbin/postfix reload && /usr/sbin/dovecot reload'"
+check file certbot.key with path /etc/letsencrypt/live/%<fqdn>s/key.pem
+  if changed checksum then exec "/bin/bash -c '/usr/sbin/postfix reload && /usr/sbin/dovecot reload'"
+
+# monit
+check process monit with pidfile /var/run/tmpfs/monit.pid
+  start program = "/usr/bin/monit"
+  stop  program = "/usr/bin/monit quit"