[Dovecot] Add bindirs to cache compiled scripts, drop some privileges, run one login proc per user

data/conf/dovecot/dovecot.conf

@@ -173,6 +173,9 @@ service dict {
     group = vmail
   }
 }
+service log {
+  user = dovenull
+}
 service auth {
   inet_listener auth-inet {
     port = 10001
@@ -185,7 +188,6 @@ service auth {
     mode = 0600
     user = vmail
   }
-  user = root
 }
 service managesieve-login {
   inet_listener sieve {
@@ -193,10 +195,19 @@ service managesieve-login {
   }
   service_count = 1
   process_min_avail = 2
-  vsz_limit = 128M
+  vsz_limit = 64M
+}
+service imap-login {
+  service_count = 1
+  vsz_limit = 64M
+  user = dovenull
+}
+service pop3-login {
+  service_count = 1
 }
 service imap {
   executable = imap imap-postlogin
+  user = dovenull
 }
 service managesieve {
   process_limit = 256
@@ -249,8 +260,8 @@ plugin {
   sieve_quota_max_scripts = 0
   sieve_quota_max_storage = 0
   listescape_char = "\\"
-  sieve_before = dict:proxy::sieve_before;name=active
-  sieve_after = dict:proxy::sieve_after;name=active
+  sieve_before = dict:proxy::sieve_before;name=active;bindir=/var/vmail/sieve_before_bindir
+  sieve_after = dict:proxy::sieve_after;name=active;bindir=/var/vmail/sieve_after_bindir
   sieve_after2 = /var/vmail/sieve/global.sieve
   #mail_crypt_global_private_key = </mail_crypt/ecprivkey.pem
   #mail_crypt_global_public_key = </mail_crypt/ecpubkey.pem