While postfix provides the outgoing SMTP mail service, dovecot manages the inbound traffic and the mailboxes.
In the previous parts of this guide we configured postfixadmin so that we can add domains and mailboxes to the database. Dovecot needs the same information, so as part of its configuration we are going to point dovecot at that same database for its lookups.
Installation
The first thing that we need to do is install a number of dovecot packages
dovecot-pgsql
dovecot-imapd
dovecot-lmtpd
dovecot-managesieved
#apt-get install dovecot-pgsql dovecot-imapd dovecot-lmtpd dovecot-managesieved
We are not going to bother with pop3 because I cannot think of a single application where we would use it. Once everything is installed we can move on to the configuration.
Configuration dovecot.conf
Most of the documentation tells you to add “protocols = imap lmtp sieve” to dovecot.conf; however this is no longer necessary, as dovecot now looks in the /usr/share/dovecot/protocols.d directory to find which protocols to enable.
You just have to make sure that the line
!include_try /usr/share/dovecot/protocols.d/*.protocol
is uncommented (which it is by default). You can use either method to enable the installed protocols, but do not use both. The advantage of the newer method is that any newly installed protocols are enabled automatically.
The only thing that you should actually have to worry about in dovecot.conf is
listen = *, ::
needs to be uncommented, and that is it.
Configuration dovecot-sql.conf.ext
As we mentioned, dovecot needs to talk to the postfix database so that it can use it for authentication and to look up domains, mailboxes and so on. For it to do this we need to supply the connection details and the SQL statements that will be used to retrieve information from the database. /etc/dovecot/dovecot-sql.conf.ext is the configuration file that stores this information.
driver = pgsql
connect = host=localhost dbname=postfix user=postfixro password=secret
default_pass_scheme = MD5
These 3 lines all relate to the connection information and will need editing with the correct credentials for your database. We also need to add 2 SQL statements.
The first of these queries the data for the user. The first part of this statement “SELECT ‘/var/mail/vmail/’||maildir” is actually wrong for our configuration as we are keeping our mail in /home/mailstore rather than /var/mail/vmail/. If, as I believe is best practice, you have created a separate partition for your mail store you need to adjust this accordingly (how to do so is explained below).
user_query = \
  SELECT '/var/mail/vmail/'||maildir AS home, '*:bytes='||quota AS quota_rule \
  FROM mailbox \
  WHERE username = '%u' \
  AND active = TRUE
NOTE: The backslash “\” at the end of the line is simply to tell the configuration file that the statement continues onto the next line and must be omitted unless you are running on to the next line.
If you run “SELECT '/var/mail/vmail/'||maildir FROM mailbox;” in psql while connected to the postfix database it should return the path to the directory where the mail is stored for each user in the database; something like
/var/mail/vmail/fqdn.suffix/mailboxname
however we want it to return
/home/mailstore/fqdn.suffix/mailboxname
Thankfully this is easy enough as we simply replace ‘/var/mail/vmail/’ with ’/home/mailstore/’ in the statement. Under the hood the sql statement gets the contents of the column “maildir” in the table “mailbox” and prepends it with whatever string you place in the single inverted commas before the “||”. The “AS home” and “AS quota_rule” parts
To clarify, the actual statement that we want for this configuration is
user_query = \
  SELECT '/home/mailstore/'||maildir AS home, '*:bytes='||quota AS quota_rule \
  FROM mailbox \
  WHERE username = '%u' \
  AND active = TRUE
This statement will pass the full path of the mail directory and the quota rule to dovecot.
And here we have the second statement:
password_query = \
  SELECT '/home/mailstore/'||maildir AS userdb_home, username AS user, password, '*:bytes='||quota AS userdb_quota_rule \
  FROM mailbox \
  WHERE username = '%u' \
  AND active = TRUE
This statement returns the mailbox path, the mailbox user, the hash of the password, and the quota rule.
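To see what dovecot actually receives from these two statements, here is an added example (not part of the original guide) that runs the user_query and password_query above against a constructed copy of postfixadmin's mailbox table. It uses Python's built-in sqlite3 purely as a stand-in for the PostgreSQL database, because sqlite also concatenates strings with || and so accepts the statements unchanged; the rows, quotas and hashes are made up, and dovecot's '%u' placeholder is replaced with a bound parameter so the script can run. It also shows the effect of the active = TRUE clause: a disabled mailbox is simply "not found".

```python
import sqlite3

# Added example, not from the original guide. Constructed rows stand in for
# postfixadmin's "mailbox" table, which really lives in the PostgreSQL
# "postfix" database; sqlite3 is used only because, like PostgreSQL, it
# concatenates strings with || and therefore runs the guide's statements as-is.
MAILSTORE = "/home/mailstore/"  # the mail store root chosen in the guide
SAMPLE_MAILBOXES = [
    # (username, maildir, quota in bytes, password hash, active)
    # hashes are constructed placeholders (hex MD5 of throwaway passwords)
    ("alice@example.org", "example.org/alice/", 104857600,
     "5f4dcc3b5aa765d61d8327deb882cf99", True),
    ("bob@example.org", "example.org/bob/", 52428800,
     "0d107d09f5bbe40cade3de5c71e9e9b7", False),   # disabled mailbox
]

# The two statements from dovecot-sql.conf.ext. Dovecot substitutes '%u'
# itself; here it is replaced by a bound parameter so the demo can run.
USER_QUERY = f"""
SELECT '{MAILSTORE}'||maildir AS home, '*:bytes='||quota AS quota_rule
FROM mailbox
WHERE username = ? AND active = TRUE
"""
PASSWORD_QUERY = f"""
SELECT '{MAILSTORE}'||maildir AS userdb_home, username AS user, password,
       '*:bytes='||quota AS userdb_quota_rule
FROM mailbox
WHERE username = ? AND active = TRUE
"""


def build_db():
    """Create an in-memory mailbox table populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE mailbox (username TEXT PRIMARY KEY, maildir TEXT, "
        "quota INTEGER, password TEXT, active BOOLEAN)"
    )
    conn.executemany("INSERT INTO mailbox VALUES (?, ?, ?, ?, ?)", SAMPLE_MAILBOXES)
    return conn


def lookup(conn, query, username):
    """Run one of the dovecot queries for a user.

    None mirrors dovecot's "user not found" result, which is what an unknown
    or inactive (active = FALSE) mailbox produces.
    """
    row = conn.execute(query, (username,)).fetchone()
    return dict(row) if row is not None else None


if __name__ == "__main__":
    db = build_db()
    for user in ("alice@example.org", "bob@example.org", "eve@example.org"):
        print(user, "userdb:", lookup(db, USER_QUERY, user))
        print(user, "passdb:", lookup(db, PASSWORD_QUERY, user))
```

For alice the userdb lookup yields home = /home/mailstore/example.org/alice/ and quota_rule = *:bytes=104857600, which is exactly the pair of fields dovecot expects under those names; bob, being inactive, gets nothing from either query, so he can neither log in nor receive mail via LMTP.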
The rest of the configuration files are in the folder /etc/dovecot/conf.d. Navigate to that folder now and edit the following files
Configuration 10-mail.conf
This is the file that we use to set up dovecot's access to the mail directory. First we tell it where to find the mail directory (which in our case is /home/mailstore).
mail_location = maildir:/home/mailstore/%d/%n/
In “%d/%n”, %d expands to the domain and %n to the mailbox name (the local part of the address).
These directives all relate to the userid and groupid that will have access to the mailstore directory. If you remember, when we configured postfix we also created the /home/mailstore directory and a user and group both called mailer that were granted ownership of the directory. We then ran the id command to obtain the uid and gid of the mailer user which was 1001 for both the user and the group. Now we need to tell dovecot what uid and gid will be required to access this directory.
mail_uid = 1001
mail_gid = 1001
first_valid_uid = 1001
last_valid_uid = 1001
first_valid_gid = 1001
last_valid_gid = 1001
The only other thing we need to do is tell dovecot that we want to enable the quota plugin
mail_plugins = quota
Configuration 15-mailboxes.conf
This is optional, but if you want to autocreate folders for junk, trash and sent, or even some other folder the first time that a user logs on then this is where you do it. There is good documentation within the file but in brief, if you want to enable the auto creation of a particular folder then add
auto=subscribe
within its stanza.
If you want to create a folder inside another then you need to use a period “.” as a separator. The period “.” after INBOX will cause dovecot to create the Junk folder inside INBOX.
mailbox INBOX.Junk {
  auto = subscribe
  special_use = \Junk
}
Configuration 20-lmtp.conf
Within the protocol lmtp stanza you need to add the following
protocol lmtp {
  mail_plugins = $mail_plugins sieve
  postmaster_address = postmaster@fqdn.suffix
  hostname = server.fqdn.suffix
}
Configuration 20-imap.conf
Only one line to check here
mail_plugins = $mail_plugins imap_quota
Configuration 10-master.conf
Now on to 10-master.conf. Change the unix_listener auth-userdb directives within the “service auth” stanza to
unix_listener auth-userdb {
  mode = 0600
  user = mailer
  group = mailer
}
and add the following, also within the service auth stanza
unix_listener /var/spool/postfix/private/auth {
  mode = 0666
  user = postfix
  group = postfix
}
In the service auth-worker stanza add
service auth-worker {
  user = $default_internal_user
}
Configuration 10-auth.conf
Here you need to uncomment !include auth-sql.conf.ext and comment out !include auth-system.conf.ext so that dovecot knows that it is using our SQL server for authentication. We also want to make sure that we are not allowing plaintext authentication over unencrypted connections (note that you might want to temporarily enable it while you are testing, but make sure you turn it off when you are done).
disable_plaintext_auth = yes
#!include auth-system.conf.ext
!include auth-sql.conf.ext
Configuration 15-lda.conf
This is a fairly simple one; just don’t forget to set the postmaster address to the proper value.
postmaster_address = postmaster@domain.net
protocol lda {
  mail_plugins = $mail_plugins sieve
}
Configuration 90-plugin.conf
Now we need to provide some information about sieve
plugin {
  sieve = ~/.dovecot.sieve
  sieve_global_path = /var/lib/dovecot/sieve/default.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /var/lib/dovecot/sieve/global/
}
We also need to create the /var/lib/dovecot/sieve directory and change its owner to mailer:mailer.
#mkdir /var/lib/dovecot/sieve
#chown -R mailer:mailer /var/lib/dovecot/sieve
Configuration 10-ssl.conf
The final configuration file is the SSL configuration that tells dovecot where to look for the certificates. We need to tell dovecot that we want to use SSL, so we change “ssl =” to yes.
ssl = yes
Back when we configured apache we created the certificates “mailserver.pem” and “mailserver.key” in /etc/ssl/certs and /etc/ssl/private respectively, so all we need to do is add the following 2 lines (NOTE: if you want to use certbot certificates then you need to point these directives at those paths instead).
ssl_cert = </etc/ssl/certs/mailserver.pem
ssl_key = </etc/ssl/private/mailserver.key
The leading “<” is necessary: it tells dovecot to read the directive's value from the named file, rather than using the path string itself as the certificate or key.
Final actions
The final step is to tell Postfix to hand mail to dovecot's LMTP socket for final delivery; since we are delivering to virtual users, this goes on the virtual transport. All you have to do is add
virtual_transport = lmtp:unix:private/dovecot-lmtp
to the end of /etc/postfix/main.cf
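The transport above names the socket private/dovecot-lmtp, which Postfix resolves relative to its queue directory, i.e. /var/spool/postfix/private/dovecot-lmtp. The 10-master.conf edits in this guide only cover the auth sockets, so that LMTP socket also has to be declared. As an added example (not from the original guide), this is the service lmtp stanza that Dovecot's default 10-master.conf documents for exactly this Postfix setup:

```conf
# Added example: 10-master.conf stanza creating the LMTP socket that
# Postfix's virtual_transport = lmtp:unix:private/dovecot-lmtp connects to.
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
```

The socket is owned by postfix and created mode 0600, so only the postfix user can hand mail to dovecot through it, unlike the 0666 auth socket above, which has to be reachable by Postfix's unprivileged smtpd processes.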
You should now be able to restart dovecot and, provided that you have added a domain and a user, connect to the server using a client.
Enable debugging and check the logs. At the top of /etc/dovecot/dovecot.conf add
mail_debug = yes
You will want to remove this when you are sure your configuration is OK.
If for some reason the server is not working as it should, check the log file for errors
#tail -f /var/log/mail.log
If you need authentication and password related debug messages, turn on the related settings and restart the dovecot service. Note that auth_debug_passwords and auth_verbose_passwords write the submitted passwords into the log, so disable them again as soon as you have finished testing.
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
auth_verbose_passwords = yes
If you see many error messages (like “dovecot fails, spawning too quickly”) in the dovecot error log while restarting dovecot, there is probably something wrong in a dovecot config file. Try starting it manually from the command line; it will report any configuration errors. Fix them and start it again:
#dovecot -c /etc/dovecot/dovecot.conf
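Reading a busy mail.log by eye gets tedious, so here is an added example (not part of the original guide) of a small triage script for the log checks above. It picks out the Error/Fatal/Warning lines dovecot writes (the ones that point at a broken config or an unreachable database) and, separately, totals the failed-login attempts that imap-login reports per remote IP, which is what you want to watch once the server is exposed. The log lines are constructed to match the syslog layout dovecot and postfix use on Debian; the IPs and users are made up.

```python
import re
from collections import Counter

# Added example, not from the original guide. Constructed lines in the syslog
# layout that dovecot (and postfix) write to /var/log/mail.log on Debian.
SAMPLE_LOG = """\
Mar  3 10:15:01 mail dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=1234, TLS, session=<c1>
Mar  3 10:15:09 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<alice@example.org>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<c2>
Mar  3 10:15:40 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<carol@example.org>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<c3>
Mar  3 10:16:00 mail dovecot: auth-worker(2345): Error: pgsql(localhost): Connect failed to database (postfix): connection refused
Mar  3 10:16:01 mail dovecot: master: Error: service(auth-worker): command startup failed, throttling for 2 secs
Mar  3 10:16:02 mail postfix/lmtp[2400]: 1A2B3C: to=<alice@example.org>, relay=mail[private/dovecot-lmtp], status=sent (250 2.0.0 ok)
"""

# Dovecot prefixes problems with the reporting service and a level word.
ERROR_RE = re.compile(
    r" dovecot: (?P<service>[^:]+): (?P<level>Error|Fatal|Warning): (?P<msg>.*)$"
)
# The login process summarises failed attempts when the client disconnects.
AUTH_FAIL_RE = re.compile(
    r"auth failed, (?P<attempts>\d+) attempts.*user=<(?P<user>[^>]*)>.*rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_line(line):
    """Classify one mail.log line as ('error', fields), ('auth_fail', fields) or None."""
    m = ERROR_RE.search(line)
    if m:
        return "error", m.groupdict()
    m = AUTH_FAIL_RE.search(line)
    if m:
        fields = m.groupdict()
        fields["attempts"] = int(fields["attempts"])
        return "auth_fail", fields
    return None


def summarize(log_text):
    """Collect dovecot error lines and failed-login counts per remote IP (rip)."""
    errors = []
    attempts_by_rip = Counter()
    users_by_rip = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, fields = parsed
        if kind == "error":
            errors.append(fields)
        else:
            attempts_by_rip[fields["rip"]] += fields["attempts"]
            users_by_rip.setdefault(fields["rip"], set()).add(fields["user"])
    return {"errors": errors, "attempts_by_rip": attempts_by_rip, "users_by_rip": users_by_rip}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for err in report["errors"]:
        print(f"{err['level']:8}{err['service']}: {err['msg']}")
    for rip, n in report["attempts_by_rip"].most_common():
        print(f"{n} failed attempts from {rip} against {sorted(report['users_by_rip'][rip])}")
```

On the sample data the report shows the two errors (the auth worker cannot reach PostgreSQL, which is why master is throttling it) and five failed attempts from 203.0.113.5 spread over two accounts; the successful login from 198.51.100.7 is not counted. Run it against the real file with, for example, summarize(open("/var/log/mail.log").read()).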
ADDENDUM
By default dovecot is initialised with a 1024-bit Diffie-Hellman parameters file. This is considered insecure for today's systems, so it is advisable to increase it. At 2048 bits dovecot takes a little while to generate the parameters at start-up, which you could probably live with, but at 4096 bits generation becomes painful (hours painful).
The workaround is to leave your dovecot server running and start a second instance whose only job is to create the parameters file. To do this, follow these steps:
Generate a temporary minimal config. The following creates a small configuration file that sets only the parameter length and a state directory for the second instance:
#cat <<EOF > /tmp/ssl-params.conf
ssl_dh_parameters_length = 4096
state_dir = /tmp/
EOF
Remove any old attempts, then start the second instance, which will generate the file automatically:
#rm -f /tmp/ssl-parameters.dat*
#nice -n 19 /path/to/ssl-params -c /tmp/ssl-params.conf
If you have an uncommented ssl_dh_parameters_length directive in your main instance's 10-ssl.conf file then you need to comment it out, otherwise the main instance will try to generate a new key itself when you restart the server.
#vi /etc/dovecot/conf.d/10-ssl.conf
Once the file has been generated you can move it into your running configuration:
#mv /tmp/ssl-parameters.dat /var/lib/dovecot/
#doveadm reload
You can now remove the configuration file you created earlier if you wish.
#rm /tmp/ssl-params.conf