Diffstat (limited to 'playbooks')
-rwxr-xr-x | playbooks/roles/mail/templates/volumes/data/dms/config/user-patches.sh | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/playbooks/roles/mail/templates/volumes/data/dms/config/user-patches.sh b/playbooks/roles/mail/templates/volumes/data/dms/config/user-patches.sh
index f03bc81..34ecd51 100755
--- a/playbooks/roles/mail/templates/volumes/data/dms/config/user-patches.sh
+++ b/playbooks/roles/mail/templates/volumes/data/dms/config/user-patches.sh
@@ -26,13 +26,21 @@ sed -i 's/result_attribute = mail/result_attribute = emailprimary/' /etc/postfix
 sed -i 's/result_attribute = mail/result_attribute = emailprimary/' /etc/postfix/ldap-domains.cf
 sed -i 's/result_attribute = mail/result_attribute = emailprimary/' /etc/postfix/ldap-users.cf
+# recursively search for members in groups
+postconf -e 'recursion_limit = 15'
 grep -q '^leaf_result_attribute = mail$' /etc/postfix/ldap-groups.cf || echo "leaf_result_attribute = mail" >> /etc/postfix/ldap-groups.cf
 grep -q '^special_result_attribute = member$' /etc/postfix/ldap-groups.cf || echo "special_result_attribute = member" >> /etc/postfix/ldap-groups.cf
-echo 'auth_username_format = %Ln' >> /etc/dovecot/conf.d/10-auth.conf
+echo "ssl = required
-echo 'username_format = %Ln' >> /etc/dovecot/dovecot-oauth2.conf.ext
+auth_username_format = %Ln
+
+# use oauth2 before ldap to prevent bind throttling
+auth_mechanisms = xoauth2 oauthbearer plain login
+!include auth-oauth2.conf.ext
+!include auth-ldap.conf.ext" > /etc/dovecot/conf.d/10-auth.conf
+echo 'username_format = %Ln' >> /etc/dovecot/dovecot-oauth2.conf.ext
 echo "passdb {
 driver = ldap
 args = /etc/dovecot/dovecot-ldap.conf.ext |
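Review bot: `postconf -e 'recursion_limit = 15'` writes the setting into main.cf, but `recursion_limit` is, as far as I know, a per-table parameter from ldap_table(5), so the nested-group lookup in ldap-groups.cf would keep its default depth. Following the two grep lines below it, it could be `grep -q '^recursion_limit = 15$' /etc/postfix/ldap-groups.cf || echo "recursion_limit = 15" >> /etc/postfix/ldap-groups.cf`. Separately, the new `echo "ssl = required …" > /etc/dovecot/conf.d/10-auth.conf` truncates the file, so every auth setting and `!include` shipped in the image is dropped; a comment saying that this is intended, and that `plain login` are acceptable only because `ssl = required` is set alongside them, would help the next reader. The oauth2-before-ldap ordering also assumes the passdb in auth-oauth2.conf.ext is limited to the token mechanisms, which is not visible here. The `echo "passdb {` block at the end of the hunk continues outside it.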