Dovecot (2.1)

From Hexwiki

Dovecot seems to be a natural fit for Postfix. As complex as these configurations look, building up to them was a relatively painless process.

Except for quotas. Save yourself the pain unless you really need them.

/etc/dovecot.conf

  • listen = 198.51.100.187, 2001:db8::4
    • Set this to your IPs, obviously.
  • login_greeting = Dovecot ready (or whatever greeting you feel like)

/etc/dovecot/dovecot-sql.conf

Editing guidelines:

  • driver = mysql
  • connect = host=/var/run/mysqld/mysqld.sock dbname=mail user=vmreader password=yourpasshere
  • default_pass_scheme = SSHA256
    • Or choose whatever
  • user_query = SELECT CONCAT('/var/vmail/',d.domain_name,'/',substring(md5(u.username),1,2),'/',u.username) AS home, 999 AS uid, 999 AS gid FROM mail_users AS u, mail_domains AS d WHERE u.isactive AND u.ID_DOMAIN=d.ID_DOMAIN AND d.domain_name='%d' AND u.username='%n'
    • Obviously set the home directory appropriately.
  • password_query = SELECT CONCAT(u.username,'@',d.domain_name) AS user, u.mailpass AS password, CONCAT('/var/vmail/',d.domain_name,'/',substring(md5(u.username),1,2),'/',u.username) AS userdb_home, 999 AS userdb_uid, 999 AS userdb_gid FROM mail_users AS u, mail_domains AS d WHERE u.isactive AND u.ID_DOMAIN=d.ID_DOMAIN AND d.domain_name='%d' AND u.username='%n'
    • Note the md5 hash splitting - you can add further subtrees:
      • password_query = SELECT CONCAT(u.username,'@',d.domain_name) AS user, u.mailpass AS password, CONCAT('/var/vmail/',d.domain_name,'/',substring(md5(u.username),1,2),'/',substring(md5(u.username),3,2),'/',u.username) AS userdb_home, 999 AS userdb_uid, 999 AS userdb_gid FROM mail_users AS u, mail_domains AS d WHERE u.isactive AND u.ID_DOMAIN=d.ID_DOMAIN AND d.domain_name='%d' AND u.username='%n'
      • or additional characters:
      • password_query = SELECT CONCAT(u.username,'@',d.domain_name) AS user, u.mailpass AS password, CONCAT('/var/vmail/',d.domain_name,'/',substring(md5(u.username),1,3),'/',substring(md5(u.username),4,3),'/',u.username) AS userdb_home, 999 AS userdb_uid, 999 AS userdb_gid FROM mail_users AS u, mail_domains AS d WHERE u.isactive AND u.ID_DOMAIN=d.ID_DOMAIN AND d.domain_name='%d' AND u.username='%n'
    • But when you clearly don't need it, too many subtrees are more of a nuisance than a feature.
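With default_pass_scheme = SSHA256, whatever the password_query returns from u.mailpass has to already be in that scheme. This Python is an added example (not from the page and not Dovecot's code) that produces and checks a value in the layout Dovecot uses for SSHA256: base64 of SHA-256(password || salt) followed by the salt, with an explicit {SSHA256} prefix. The salt length and function names are my assumptions.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA256}"
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes


def ssha256_hash(password, salt=None):
    """Build a value suitable for the mail_users.mailpass column.

    Layout: {SSHA256} + base64( sha256(password + salt) + salt ).
    The prefix is optional when default_pass_scheme is SSHA256, but
    keeping it makes the stored value self-describing.
    """
    if salt is None:
        # Assumption: 16 random bytes; Dovecot's own tooling picks its own length.
        salt = os.urandom(16)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha256_verify(password, stored):
    """Check a candidate password the way a passdb lookup would.

    Recompute the digest with the salt embedded in the stored value and
    compare in constant time. Any malformed value is simply a mismatch.
    """
    if not stored.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    if len(raw) <= DIGEST_LEN:
        return False  # digest without any salt
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = ssha256_hash("correct horse")
    print(stored)
    print(ssha256_verify("correct horse", stored), ssha256_verify("wrong", stored))
```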


/etc/dovecot/conf.d/auth-sql.conf.ext

# Authentication for SQL users. Included from auth.conf.
#
# <doc/wiki/AuthDatabase.SQL.txt>
passdb {
  driver = sql
  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
  args = /etc/dovecot/dovecot-sql.conf
}
# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
# <doc/wiki/UserDatabase.Prefetch.txt>
userdb {
  driver = prefetch
}
# for the LDA
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf
}

/etc/dovecot/conf.d/10-auth.conf

  • disable_plaintext_auth = yes
  • auth_username_format = %Lu
  • auth_mechanisms = plain login
  • Comment out the system include and uncomment the SQL include.

/etc/dovecot/conf.d/10-logging.conf

##
## Log destination.
##
# Log file to use for error messages. "syslog" logs to syslog,
# /dev/stderr logs to stderr.
log_path = syslog
# Log file to use for informational messages. Defaults to log_path.
#info_log_path =
# Log file to use for debug messages. Defaults to info_log_path.
#debug_log_path =
# Syslog facility to use if you're logging to syslog. Usually if you don't
# want to use "mail", you'll use local0..local7. Also other standard
# facilities are supported.
# Trying to figure out mailing issues with dovecot cluttering the logs is annoying.
# Get it out of there.
syslog_facility = local2
##
## Logging verbosity and debugging.
##
# Log unsuccessful authentication attempts and the reasons why they failed.
auth_verbose = yes
# In case of password mismatches, log the attempted password. Valid values are
# no, plain and sha1. sha1 can be useful for detecting brute force password
# attempts vs. user simply trying the same password over and over again.
# auth_verbose_passwords = no
# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
auth_debug = yes
# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
#auth_debug_passwords = no
# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
mail_debug = yes
# Show protocol level SSL errors.
verbose_ssl = yes

/etc/dovecot/conf.d/10-mail.conf

Nine nine nine nine...

  • mail_location = maildir:/var/vmail/%d/%2Mn/%n/Maildir
  • maildir_broken_filename_sizes = yes
  • mail_privileged_group = vmail
  • valid_chroot_dirs = /var/vmail
  • mail_uid = 999
  • mail_gid = 999
  • first_valid_uid = 999
  • last_valid_uid = 999
  • first_valid_gid = 999
  • last_valid_gid = 999
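The home directory built by the user_query/password_query above and the mail_location here must describe the same place: substring(md5(u.username),1,2) in SQL and %2Mn in Dovecot's variable syntax both mean the first two hex characters of the MD5 of the local part. This added Python (not from the page) reproduces both expansions so a deeper SQL split can be checked against mail_location before it is deployed. /var/vmail and the 1-indexed substring() arguments come from the page; the function names are mine.

```python
import hashlib

VMAIL_ROOT = "/var/vmail"  # root used throughout the page


def md5_hex(username):
    """Hex MD5 of the local part, as both MySQL md5() and Dovecot's %M produce it."""
    return hashlib.md5(username.encode("utf-8")).hexdigest()


def sql_home(domain, username, splits=((1, 2),)):
    """Home directory as the page's CONCAT(...) builds it.

    Each split is the (start, length) pair given to SQL substring(), which
    is 1-indexed: ((1, 2),) is the default query, ((1, 2), (3, 2)) and
    ((1, 3), (4, 3)) are the two deeper variants shown on the page.
    """
    h = md5_hex(username)
    subtrees = [h[start - 1:start - 1 + length] for start, length in splits]
    return "/".join([VMAIL_ROOT, domain] + subtrees + [username])


def mail_location_path(domain, username):
    """Expansion of mail_location = maildir:/var/vmail/%d/%2Mn/%n/Maildir.

    %2Mn = first two characters of md5(%n), so only the single two-character
    split is expressible this way.
    """
    return "/".join([VMAIL_ROOT, domain, md5_hex(username)[:2], username, "Maildir"])


def layouts_agree(domain, username, splits=((1, 2),)):
    """True when userdb home + /Maildir is exactly what mail_location expands to."""
    return mail_location_path(domain, username) == sql_home(domain, username, splits) + "/Maildir"


if __name__ == "__main__":
    # constructed sample account
    print(sql_home("example.com", "alice"))
    print(mail_location_path("example.com", "alice"))
    print(layouts_agree("example.com", "alice"))
    print(layouts_agree("example.com", "alice", ((1, 2), (3, 2))))
```

If you adopt one of the deeper splits, mail_location has to change with it; otherwise the LDA (sql userdb) and IMAP (prefetch userdb plus mail_location) will disagree about where a user's Maildir lives.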

/etc/dovecot/conf.d/10-master.conf

Only planning to listen on IMAP over SSL, so:

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_min_avail = 2
}

/etc/dovecot/conf.d/10-ssl.conf

SSL is teh future.

ssl = required
ssl_cert = </etc/maincert/example.crt
ssl_key = </etc/maincert/example.key

You can also block older protocols and weak ciphers here (ssl_protocols and ssl_cipher_list); the cipher-list format is the standard OpenSSL one, the same as nginx uses. Set them accordingly.

/etc/dovecot/conf.d/15-lda.conf

  • Set your postmaster address, naturally.
# Again, make sure you are consistent with setting this everywhere else.
recipient_delimiter = _
# Should saving a mail to a nonexistent mailbox automatically create it?
lda_mailbox_autocreate = yes
# Should automatically created mailboxes be also automatically subscribed?
lda_mailbox_autosubscribe = yes
protocol lda {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = sieve
}

/etc/dovecot/conf.d/15-mailboxes

Uncomment and autosubscribe the basics:

 mailbox Archive {
   auto = subscribe
   special_use = \Archive
 }
 mailbox Drafts {
   auto = subscribe
   special_use = \Drafts
 }
 mailbox Junk {
   auto = subscribe
   special_use = \Junk
 }
 mailbox Sent {
   auto = subscribe
   special_use = \Sent
 }
 mailbox Trash {
   auto = subscribe
   special_use = \Trash
 }

/etc/dovecot/conf.d/90-sieve.conf

We're not using this for a whole lot, really. This and the following file automagically move whatever SpamAssassin has flagged as spam into the Junk folder.

  • sieve_before = /var/vmail/presieve
    • Make sure to create the directory.
  • recipient_delimiter = _
    • In the event that we use sieve for more, we don't want to mess this up.

/var/vmail/presieve/spamtojunk.sieve

require ["fileinto"];
# Move spam to Junk folder
if header :contains "X-Spam-Flag" ["YES"] {
  fileinto "Junk";
  stop;
}
  • Ensure it is owned by the vmail user and group, chmod 640
  • sievec spamtojunk.sieve

And enjoy!