Fix some syntax errors and update config file comments to most recent version

roles/dovecot/defaults/main/tls.yml

@@ -2,7 +2,7 @@
 
 dovecot_tls_cert_filename: /etc/ssl/certs/ssl-cert-snakeoil.pem
 dovecot_tls_key_filename: /etc/ssl/private/ssl-cert-snakeoil.key
-dovecot_tls_dh_filename: /etc/dovecot/dh.pem
+dovecot_tls_dh_filename: /usr/share/dovecot/dh.pem
 
 # generated 2020-12-05, Mozilla Guideline v5.6, Dovecot 2.3.4, OpenSSL 1.1.1d, intermediate configuration
 # https://ssl-config.mozilla.org/#server=dovecot&version=2.3.4&config=intermediate&openssl=1.1.1d&guideline=5.6

roles/dovecot/templates/etc/dovecot/conf.d/10-auth.conf.j2

@@ -129,7 +129,7 @@ passdb {
 userdb {
   driver = passwd-file
   args = username_format={{ dovecot_passdb_user_format }} {{ dovecot_passdb_filename }}
-  default_fields = uid={{ virtual_uid }} gid={{ virtual_gid }} home={{ virtual_mail_user_home }}
+  default_fields = uid={{ virtual_mail_uid }} gid={{ virtual_mail_gid }} home={{ virtual_mail_user_home }}
 
   # Default fields that can be overridden by passwd-file
   #default_fields = quota_rule=*:storage=1G

roles/dovecot/templates/etc/dovecot/conf.d/10-mail.conf.j2

@@ -107,13 +107,13 @@ namespace inbox {
 # System user and group used to access mails. If you use multiple, userdb
 # can override these by returning uid or gid fields. You can use either numbers
 # or names. <doc/wiki/UserIds.txt>
-mail_uid = {{ virtual_uid }}
-mail_gid = {{ virtual_gid }}
+mail_uid = {{ virtual_mail_uid }}
+mail_gid = {{ virtual_mail_gid }}
 
 # Group to enable temporarily for privileged operations. Currently this is
 # used only with INBOX when either its initial creation or dotlocking fails.
 # Typically this is set to "mail" to give access to /var/mail.
-mail_privileged_group = {{ virtual_uid }}
+mail_privileged_group = {{ virtual_mail_gid }}
 
 # Grant access to these supplementary groups for mail processes. Typically
 # these are used to set up access to shared mailboxes. Note that it may be

roles/dovecot/templates/etc/dovecot/conf.d/10-master.conf.j2

@@ -102,22 +102,22 @@ service auth {
   }
 
   # Auth process is run as this user.
-  user = dovecot
+  user = $default_internal_user
 }
 
 service auth-worker {
   # Auth worker process is run as root by default, so that it can access
   # /etc/shadow. If this isn't necessary, the user should be changed to
   # $default_internal_user.
-  user = dovecot
+  user = $default_internal_user
 }
 
 service dict {
   # If dict proxy is used, mail processes should have access to its socket.
   # For example: mode=0660, group=vmail and global mail_access_groups=vmail
-  #unix_listener dict {
+  unix_listener dict {
     #mode = 0600
     #user = 
     #group = 
-  #}
+  }
 }

roles/dovecot/templates/etc/dovecot/conf.d/10-ssl.conf.j2

@@ -29,10 +29,11 @@ ssl_key = <{{ dovecot_tls_key_filename }}
 #ssl_require_crl = yes
 
 # Directory and/or file for trusted SSL CA certificates. These are used only
-# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
-# directory is usually /etc/ssl/certs in Debian-based systems and the file is
-# /etc/pki/tls/cert.pem in RedHat-based systems.
-#ssl_client_ca_dir =
+# when Dovecot needs to act as an SSL client (e.g. imapc backend or
+# submission service). The directory is usually /etc/ssl/certs in
+# Debian-based systems and the file is /etc/pki/tls/cert.pem in
+# RedHat-based systems.
+ssl_client_ca_dir = /etc/ssl/certs
 #ssl_client_ca_file =
 
 # Request client to send a certificate. If you also want to require it, set
@@ -44,14 +45,27 @@ ssl_key = <{{ dovecot_tls_key_filename }}
 # auth_ssl_username_from_cert=yes.
 #ssl_cert_username_field = commonName
 
+# SSL DH parameters
+# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
+# Or migrate from old ssl-parameters.dat file with the command dovecot
+# gives on startup when ssl_dh is unset.
 ssl_dh = <{{ dovecot_tls_dh_filename }}
 
-# SSL protocols to use
+# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
+# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
 ssl_min_protocol = {{ dovecot_tls_min_version }}
 
-# SSL ciphers to use
+# SSL ciphers to use, the default is:
+#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+# To disable non-EC DH, use:
+#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
 ssl_cipher_list = {{ dovecot_tls_cipher_list }}
 
+# Colon separated list of elliptic curves to use. Empty value (the default)
+# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
+# example of a valid value.
+#ssl_curve_list =
+
 # Prefer the server's order of ciphers over client's.
 ssl_prefer_server_ciphers = yes
 
@@ -59,5 +73,6 @@ ssl_prefer_server_ciphers = yes
 #ssl_crypto_device =
 
 # SSL extra options. Currently supported options are:
-#   no_compression - Disable compression.
+#   compression - Enable compression.
+#   no_ticket - Disable SSL session tickets.
 #ssl_options =