[mailserver] Disable plain imap (143)

roles/mailserver_dovecot/files/nftables/input.d/imap-imaps.conf

@@ -1 +0,0 @@
-tcp dport {143, 993} accept comment "Allow IMAP/IMAPS from all"

roles/mailserver_dovecot/tasks/main.yml

@@ -60,6 +60,15 @@
     group: vmail
     recurse: true
 
+- name: Disable plain imap inet_listener
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/dovecot/conf.d/10-master.conf
+    regexp: '^\s*#?port = 143'
+    line: '    port = 0'
+    insertafter: '  inet_listener imap {'
+  notify: Reload dovecot service
+
 - name: Add login to auth_mechanisms
   become: true
   ansible.builtin.lineinfile:
@@ -321,18 +330,18 @@
     - spam
     - ham
 
-- name: Allow incoming IMAP/IMAPS
+- name: Allow incoming IMAPS
   become: true
-  ansible.builtin.copy:
+  ansible.builtin.template:
-    src: nftables/input.d/imap-imaps.conf
+    src: nftables/input.d/imaps.conf.j2
-    dest: /etc/nftables/input.d/imap-imaps.conf
+    dest: /etc/nftables/input.d/imaps.conf
     mode: 0640
   notify: Reload nftables service
 
 - name: Allow incoming ManageSieve
   become: true
-  ansible.builtin.copy:
+  ansible.builtin.template:
-    src: nftables/input.d/managesieve.conf
+    src: nftables/input.d/managesieve.conf.j2
     dest: /etc/nftables/input.d/managesieve.conf
     mode: 0640
   notify: Reload nftables service

roles/mailserver_dovecot/templates/nftables/input.d/imaps.conf.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+tcp dport 993 accept comment "Allow IMAPS from all"

roles/mailserver_dovecot/templates/nftables/input.d/managesieve.conf.j2

@@ -1 +1,3 @@
+# {{ ansible_managed }}
+
 tcp dport 4190 accept comment "Allow ManageSieve from all"