Dovecot (2.1)

From Hexwiki
Revision as of 17:29, 12 May 2014 by Vekseid (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Dovecot seems to be a natural fit for Postfix. As complex as these configurations look, building up to them was a relatively painless process.

Except for quotas. Save yourself the pain unless you really need them.

/etc/dovecot.conf

  • listen = 198.51.100.187, 2001:db8::4
    • Set this to your ips, obviously.
  • login_greeting = Dovecot ready (or whatever greeting you feel like)

/etc/dovecot/dovecot-sql.conf

Editing guidelines:

  • driver = mysql
  • connect = host=/var/run/mysqld/mysqld.sock dbname=mail user=vmreader password=yourpasshere
  • default_pass_scheme = SSHA256
    • Or choose whatever
  • user_query = SELECT CONCAT('/var/vmail/',d.domain_name,'/',substring(md5(u.username),1,2),'/',u.username) AS home, 999 AS uid, 999 AS gid FROM mail_users AS u, mail_domains AS d WHERE u.isactive AND u.ID_DOMAIN=d.ID_DOMAIN AND d.domain_name='%d' AND u.username='%n'
    • Obviously set the home directory appropriately.
  • password_query = SELECT CONCAT(u.username,'@',d.domain_name) AS user, u.mailpass AS password, CONCAT('/var/vmail/',d.domain_name,'/',substring(md5(u.username),1,2),'/',u.username) AS userdb_home, 999 AS userdb_uid, 999 AS userdb_gid FROM mail_users AS u, mail_domains AS d WHERE u.isactive AND u.ID_DOMAIN=d.ID_DOMAIN AND d.domain_name='%d' AND u.username='%n'
    • Note the md5 hash splitting - you can add further subtrees:
      • password_query = SELECT CONCAT(u.username,'@',d.domain_name) AS user, u.mailpass AS password, CONCAT('/var/vmail/',d.domain_name,'/',substring(md5(u.username),1,2),'/',substring(md5(u.username),3,2),'/',u.username) AS userdb_home, 999 AS userdb_uid, 999 AS userdb_gid FROM mail_users AS u, mail_domains AS d WHERE u.isactive AND u.ID_DOMAIN=d.ID_DOMAIN AND d.domain_name='%d' AND u.username='%n'
      • or additional characters:
      • password_query = SELECT CONCAT(u.username,'@',d.domain_name) AS user, u.mailpass AS password, CONCAT('/var/vmail/',d.domain_name,'/',substring(md5(u.username),1,3),'/',substring(md5(u.username),4,3),'/',u.username) AS userdb_home, 999 AS userdb_uid, 999 AS userdb_gid FROM mail_users AS u, mail_domains AS d WHERE u.isactive AND u.ID_DOMAIN=d.ID_DOMAIN AND d.domain_name='%d' AND u.username='%n'
    • But when you clearly don't need it, too many subtrees is more of a nuisance than a feature.


/etc/dovecot/conf.d/auth-sql.conf.ext

# Authentication for SQL users. Included from auth.conf.
#
# <doc/wiki/AuthDatabase.SQL.txt>

passdb {
  driver = sql

  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
  args = /etc/dovecot/dovecot-sql.conf
}

# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
# <doc/wiki/UserDatabase.Prefetch.txt>
userdb {
  driver = prefetch
}

# for the LDA
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf
}

/etc/dovecot/conf.d/10-auth.conf

  • disable_plaintext_auth = yes
  • auth_username_format = %Lu
  • auth_mechanisms = plain login
  • Comment out system include, uncomment sql include

/etc/dovecot/conf.d/10-logging.conf

##
## Log destination.
##

# Log file to use for error messages. "syslog" logs to syslog,
# /dev/stderr logs to stderr.
log_path = syslog

# Log file to use for informational messages. Defaults to log_path.
#info_log_path =
# Log file to use for debug messages. Defaults to info_log_path.
#debug_log_path =

# Syslog facility to use if you're logging to syslog. Usually if you don't
# want to use "mail", you'll use local0..local7. Also other standard
# facilities are supported.
# Trying to figure out mailing issues with dovecot cluttering the logs is annoying.
# Get it out of there.
syslog_facility = local2

##
## Logging verbosity and debugging.
##

# Log unsuccessful authentication attempts and the reasons why they failed.
auth_verbose = yes

# In case of password mismatches, log the attempted password. Valid values are
# no, plain and sha1. sha1 can be useful for detecting brute force password
# attempts vs. user simply trying the same password over and over again.
# auth_verbose_passwords = no

# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
auth_debug = yes

# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
#auth_debug_passwords = no

# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
mail_debug = yes

# Show protocol level SSL errors.
verbose_ssl = yes

/etc/dovecot/conf.d/10-mail.conf

Nine nine nine nine...

  • mail_location = maildir:/var/vmail/%d/%2Mn/%n/Maildir
  • maildir_broken_filename_sizes = yes
  • mail_privileged_group = vmail
  • valid_chroot_dirs = /var/vmail
  • mail_uid = 999
  • mail_gid = 999
  • first_valid_uid = 999
  • last_valid_uid = 999
  • first_valid_gid = 999
  • last_valid_gid = 999

/etc/dovecot/conf.d/10-master.conf

Only planning to listen on IMAP over ssl, so: 

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_min_avail = 2
}

/etc/dovecot/conf.d/10-ssl.conf

SSL is teh future. 

ssl = required
ssl_cert = </etc/maincert/example.crt
ssl_key = </etc/maincert/example.key

You can block older protocols and bad ciphers, as well - the format is standard for OpenSSL just as nginx is. Set them accordingly.

/etc/dovecot/conf.d/15-lda.conf

  • Set your postmaster address, naturally.
# Again, make sure you are consistent with setting this everywhere else.
recipient_delimiter = _

# Should saving a mail to a nonexistent mailbox automatically create it?
lda_mailbox_autocreate = yes

# Should automatically created mailboxes be also automatically subscribed?
lda_mailbox_autosubscribe = yes

protocol lda {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = sieve
}

/etc/dovecot/conf.d/15-mailboxes

Uncomment and autosubscribe the basics: 

 mailbox Archive {
   auto = subscribe
   special_use = \Archive
 }
 mailbox Drafts {
   auto = subscribe
   special_use = \Drafts
 }
 mailbox Junk {
   auto = subscribe
   special_use = \Junk
 }
 mailbox Sent {
   auto = subscribe
   special_use = \Sent
 }
 mailbox Trash {
   auto = subscribe
   special_use = \Trash
 }

/etc/dovecot/conf.d/90-sieve.conf

We're not using this for a whole lot, really. This and the following file automagically move stuff that Spamassassin thinks are spam into the junk folder.

  • sieve_before = /var/vmail/presieve
    • Make sure to create the directory.
  • recipient_delimiter = _
    • In the event that we use sieve for more, we don't want to mess this up.

/var/vmail/presieve/spamtojunk.sieve

require ["fileinto"];
# Move spam to Junk folder
if header :contains "X-Spam-Flag" ["YES"] {
  fileinto "Junk";
  stop;
}
  • Ensure is owned by vmail user:group, chmod 640
  • sievec spamtojunk.sieve

And enjoy!

Debian Wheezy
Initial: Designing a Server - IPMI Installation

Core: Network - OpenSSH - Packages - sysctl.conf - Iptables - Security - User Management

Stack: Unbound - MySQL - Nginx - PHP (5.4)

Mail

Mail Setup - Mail Tables - OpenDKIM - Mail and DNS - Spamassassin - ClamAV - Postfix - Dovecot - Reputation Management

Logs and Security: Logging - Logcheck - Backups - AppArmor
Retrieved from "http://hexwiki.com/w/index.php?title=Dovecot_(2.1)&oldid=229"