ArchWiki - User contributions [en], feed generated 2024-03-28T23:02:44Z by MediaWiki 1.41.0
Talk:OpenDKIM (https://wiki.archlinux.org/index.php?title=Talk:OpenDKIM&diff=488726), 2017-09-05T14:08:49Z
<p>Acid reign: Added “opendkim:postfix versus opendkim:mail”; current config is confusing</p>
<hr />
<div>== opendkim:postfix versus opendkim:mail ==<br />
<br />
Under the Security section, the specified groups don’t match for the opendkim.service file and chown opendkim:mail /run/opendkim. Is this intentional?<br />
--[[User:Acid reign|Acid reign]] ([[User talk:Acid reign|talk]]) 14:08, 5 September 2017 (UTC)<br />
<br />
== /etc/tmpfiles.d versus RuntimeDirectory ==<br />
<br />
The guide as it currently stands tells users to create a file in /etc/tmpfiles.d that essentially creates the /run/opendkim directory with systemd. But according to the tmpfiles.d manpage:<br />
<br />
System daemons frequently require private runtime directories below /run to place communication sockets and similar in. For these, consider declaring them in their unit files using RuntimeDirectory= (see systemd.exec(5) for details), if this is feasible.<br />
<br />
I created a RuntimeDirectory=opendkim in the service file, and thus far it works. According to the man page this is better. Plus then it's two files to edit instead of 1.<br />
[[User:T.ink.er|T.ink.er]] ([[User talk:T.ink.er|talk]]) 01:49, 21 July 2014 (UTC)</div>
Acid reign
Dovecot (https://wiki.archlinux.org/index.php?title=Dovecot&diff=488583), 2017-09-04T14:18:46Z
<p>Acid reign: /* Compilation with sievec was failing without the appropriate line in dovecot.conf */</p>
<hr />
<div>[[Category:Mail server]]<br />
[[ja:Dovecot]]<br />
{{Related articles start}}<br />
{{Related|Postfix}}<br />
{{Related|Courier MTA}}<br />
{{Related|OpenSMTPD}}<br />
{{Related|Fail2ban}}<br />
{{Related|SOGo}}<br />
{{Related|Virtual user mail system}}<br />
{{Related articles end}}<br />
This article describes how to set up a mail server suitable for personal or small office use.<br />
<br />
[http://www.dovecot.org/ Dovecot] is an open source [[Wikipedia:IMAP|IMAP]] and [[Wikipedia:POP3|POP3]] server for Linux/UNIX-like systems, written primarily with security in mind. Developed by Timo Sirainen, Dovecot was first released in July 2002. Dovecot primarily aims to be a lightweight, fast and easy to set up open source mail server. For more detailed information, please see the official [http://wiki2.dovecot.org/ Dovecot Wiki].<br />
<br />
==Installation==<br />
<br />
[[Install]] the {{Pkg|dovecot}} package.<br />
<br />
==Configuration==<br />
<br />
===Assumptions===<br />
<br />
* Each mail account served by Dovecot has a local user account defined on the server.<br />
* The server uses [[PAM]] to authenticate the user against the local user database (/etc/passwd).<br />
* [[Wikipedia:Transport_Layer_Security|SSL]] is used to encrypt the authentication password.<br />
* The common [[Wikipedia:Maildir|Maildir]] format is used to store the mail in the user's home directory.<br />
* A [[Wikipedia:Mail delivery agent|MDA]] has already been set up to deliver mail to the local users.<br />
<br />
===Create the SSL certificate===<br />
<br />
The {{Pkg|dovecot}} package contains a script to generate the server SSL certificate.<br />
<br />
* Copy the example configuration: {{ic|# cp /usr/share/doc/dovecot/dovecot-openssl.cnf /etc/ssl/dovecot-openssl.cnf}}.<br />
* Edit {{ic|/etc/ssl/dovecot-openssl.cnf}} to configure the certificate.<br />
* Execute {{ic|# /usr/lib/dovecot/mkcert.sh}} to generate the certificate.<br />
<br />
The certificate/key pair is created as {{ic|/etc/ssl/certs/dovecot.pem}} and {{ic|/etc/ssl/private/dovecot.pem}}.<br />
<br />
Whenever you change the certificate, run {{ic|# cp /etc/ssl/certs/dovecot.pem /etc/ca-certificates/trust-source/anchors/dovecot.crt}} and then {{ic|# trust extract-compat}} to update the system trust store.<br />
<br />
{{Warning|If you plan on implementing SSL/TLS, please respond safely to [http://disablessl3.com/ POODLE] and [https://weakdh.org/sysadmin.html FREAK/Logjam] by adding the following to your [[#Dovecot configuration|configuration]] in {{ic|/etc/dovecot/conf.d/10-ssl.conf}}:<br />
{{bc|1=<br />
ssl_protocols = !SSLv3<br />
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA<br />
ssl_prefer_server_ciphers = yes<br />
ssl_dh_parameters_length = 2048<br />
}}}}<br />
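The following POSIX sh script is an added example, not part of the ArchWiki article: it audits a {{ic|10-ssl.conf}} for the settings the warning above asks for, using constructed config files so it runs offline; {{ic|ssl_setting}} and {{ic|audit_ssl_conf}} are hypothetical helper names.<br />

```shell
# Added example, not from the ArchWiki page: a POSIX sh audit of the
# 10-ssl.conf settings named in the POODLE/Logjam warning. The config files
# are constructed here so it runs offline; ssl_setting and audit_ssl_conf
# are hypothetical helper names.

# Last effective "key = value" for KEY in FILE (later lines win, comments ignored).
ssl_setting() {  # usage: ssl_setting FILE KEY
    sed -E -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*)\$/\1/p" "$1" | tail -n 1
}

# Print one finding per line; prints nothing when every checked setting is hardened.
audit_ssl_conf() {  # usage: audit_ssl_conf FILE
    protocols=$(ssl_setting "$1" ssl_protocols)
    case "$protocols" in
        *'!SSLv3'*) ;;
        *) echo "ssl_protocols does not exclude SSLv3 (got '${protocols:-unset}')" ;;
    esac
    [ "$(ssl_setting "$1" ssl_prefer_server_ciphers)" = yes ] \
        || echo "ssl_prefer_server_ciphers is not 'yes'"
    dh=$(ssl_setting "$1" ssl_dh_parameters_length)
    if [ -z "$dh" ] || [ "$dh" -lt 2048 ]; then
        echo "ssl_dh_parameters_length is below 2048 (got '${dh:-unset}')"
    fi
    case "$(ssl_setting "$1" ssl_cipher_list)" in
        *'!RC4'*) ;;
        *) echo "ssl_cipher_list does not disable RC4" ;;
    esac
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
# Constructed weak config: every check above reports a finding.
cat > "$tmp/weak.conf" <<'EOF'
ssl = yes
#ssl_protocols = !SSLv3
ssl_protocols = !SSLv2
ssl_prefer_server_ciphers = no
ssl_dh_parameters_length = 1024
ssl_cipher_list = ALL:!LOW
EOF
# Constructed hardened config in the shape of the warning above (cipher list shortened).
cat > "$tmp/hardened.conf" <<'EOF'
ssl_protocols = !SSLv3
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:!aNULL:!RC4:!MD5
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 2048
EOF
for f in weak hardened; do
    echo "== $f.conf =="; audit_ssl_conf "$tmp/$f.conf"
done
```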
<br />
===Dovecot configuration===<br />
<br />
* Copy the {{ic|dovecot.conf}} and {{ic|conf.d/*}} configuration files from {{ic|/usr/share/doc/dovecot/example-config}} to {{ic|/etc/dovecot}}:<br />
{{bc|<br />
# cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot<br />
# cp -r /usr/share/doc/dovecot/example-config/conf.d /etc/dovecot<br />
}}<br />
<br />
The default configuration works for most systems, but read through the configuration files to see which options are available. See the [http://wiki2.dovecot.org/QuickConfiguration quick configuration guide] and [http://wiki2.dovecot.org/#Dovecot_configuration Dovecot configuration] for more instructions.<br />
<br />
By default, Dovecot tries to detect which mail storage format is in use on the system. To use the Maildir format, edit {{ic|/etc/dovecot/conf.d/10-mail.conf}} to set {{ic|1=mail_location = maildir:~/Maildir}}.<br />
<br />
===PAM Authentication===<br />
<br />
* To configure PAM for dovecot, create {{ic|/etc/pam.d/dovecot}} with the following content:<br />
{{hc|/etc/pam.d/dovecot|<br />
auth required pam_unix.so nullok<br />
account required pam_unix.so <br />
}}<br />
<br />
===PAM Authentication with LDAP===<br />
<br />
* If you are using an [[OpenLDAP]] server for authentication instead, make sure you can log in with your LDAP users first, as described in [[LDAP authentication]].<br />
You can then write the following in {{ic|/etc/pam.d/dovecot}}; note that the order of the entries matters:<br />
{{hc|/etc/pam.d/dovecot|2=<br />
auth sufficient pam_ldap.so<br />
auth required pam_unix.so nullok<br />
account sufficient pam_ldap.so<br />
account required pam_unix.so<br />
session required pam_mkhomedir.so skel=/etc/skel umask=0022<br />
session sufficient pam_ldap.so<br />
}}<br />
This way both LDAP and system users get a mailbox.<br />
<br />
* Edit {{ic|/etc/dovecot/conf.d/auth-system.conf}} by changing the {{ic|passdb}} directive, like this:<br />
<pre><br />
passdb {<br />
driver = pam<br />
args = session=yes dovecot<br />
}<br />
</pre><br />
With the {{ic|pam_mkhomedir.so}} module and the {{ic|session}} part of the {{ic|passdb}} directive, the home directory of an LDAP user is created automatically the first time that user logs in.<br />
<br />
===Sieve===<br />
[[wikipedia:Sieve (mail filtering language)|Sieve]] is a programming language that can be used to create filters for email on the mail server.<br />
<br />
====Sieve Interpreter Plugin====<br />
This facilitates the actual Sieve filtering upon delivery. <br />
<br />
* Install {{Pkg|pigeonhole}}.<br />
* Depending on your usage, add {{ic|sieve}} to {{ic|mail_plugins}} in<br />
** {{ic|<nowiki>/etc/dovecot/conf.d/15-lda.conf</nowiki>}}{{bc|<nowiki><br />
protocol lda {<br />
mail_plugins = $mail_plugins sieve<br />
}<br />
</nowiki>}} <br />
** and/or {{ic|/etc/dovecot/conf.d/20-lmtp.conf}}{{bc|<nowiki><br />
protocol lmtp {<br />
mail_plugins = $mail_plugins sieve<br />
}<br />
</nowiki>}}<br />
{{Note| Nowadays it is recommended to use LMTP instead of LDA. Nevertheless, the Dovecot LDA can still be used for small mail servers. More information can be found in the [http://wiki2.dovecot.org/LMTP Dovecot Wiki].}}<br />
<br />
* Optionally, add configuration in the {{ic|plugin}} section. See the [http://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration Sieve Interpreter Documentation] for configuration options and default values.<br> Example: run {{ic|cp /usr/share/doc/dovecot/example-config/conf.d/90-sieve.conf /etc/dovecot/conf.d/90-sieve.conf}} and verify that {{ic|/etc/dovecot/conf.d/90-sieve.conf}} contains: {{bc|<nowiki><br />
plugin {<br />
sieve = file:~/sieve;active=~/.dovecot.sieve <br />
}<br />
</nowiki>}}<br />
{{Note| Configuration files in {{ic|/etc/dovecot/conf.d/}} will not be read without a line in {{ic|/etc/dovecot/dovecot.conf}} like {{ic|!include /etc/dovecot/conf.d/*.conf}}. If you are following the [[Virtual user mail system|Virtual user mail system]] guide, you may need to add this line.}}<br />
<br />
=====Example: SpamAssassin - move spam to "Junk" folder=====<br />
* Add the spamtest configuration:<br />
{{hc|/etc/dovecot/conf.d/90-sieve.conf|<nowiki><br />
plugin {<br />
sieve_extensions = +spamtest +spamtestplus<br />
<br />
sieve_spamtest_status_type = score<br />
sieve_spamtest_status_header = \ <br />
X-Spam_score: (-?[[:digit:]]+\.[[:digit:]]).* <br />
sieve_spamtest_max_value = 5.0 <br />
<br />
sieve_before = /var/lib/dovecot/sieve/global_sieves/move_to_spam_folder.sieve<br />
}<br />
</nowiki>}} '''Note:''' This tests for "X-Spam_score", the spam header name written by the default Exim configuration. The header your MTA adds might look different, e.g. "X-Spam-Score".<br />
* Create the directory and the Sieve script: {{ic|mkdir -p /var/lib/dovecot/sieve/global_sieves}}<br />
{{hc|/var/lib/dovecot/sieve/global_sieves/move_to_spam_folder.sieve|<nowiki><br />
require "spamtestplus";<br />
require "fileinto";<br />
require "relational";<br />
require "comparator-i;ascii-numeric";<br />
<br />
if spamtest :value "ge" :comparator "i;ascii-numeric" "5" {<br />
fileinto "Junk";<br />
}<br />
</nowiki>}}<br />
<br />
* To compile the Sieve script, run {{bc|<nowiki><br />
sievec /var/lib/dovecot/sieve/global_sieves<br />
</nowiki>}} and make sure that {{ic|move_to_spam_folder.sieve}} and the resulting {{ic|move_to_spam_folder.svbin}} are world-readable.<br />
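The following POSIX sh script is an added example, not part of the ArchWiki article: it applies the header name and regular expression from the {{ic|sieve_spamtest_status_header}} setting above to constructed header blocks, showing which header formats yield a score before the rule is deployed; {{ic|header_value}}, {{ic|spam_score_from_header}} and {{ic|score_reaches_max}} are hypothetical helper names.<br />

```shell
# Added example, not from the ArchWiki page: apply the header name and the
# regular expression from the sieve_spamtest_status_header setting above to
# constructed header blocks, to see which header formats actually yield a score.
# header_value, spam_score_from_header and score_reaches_max are hypothetical helpers.

SPAM_HEADER='X-Spam_score'                       # header name from 90-sieve.conf above
SPAM_VALUE_RE='(-?[[:digit:]]+\.[[:digit:]]).*'  # expression applied to that header's value
SPAM_MAX_VALUE='5.0'                             # sieve_spamtest_max_value from above

# First value of header NAME in the headers on stdin; header names compare case-insensitively.
header_value() {  # usage: header_value NAME < headers
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        { i = index($0, ":") }
        i > 0 && tolower(substr($0, 1, i - 1)) == want {
            v = substr($0, i + 1); sub(/^[[:space:]]+/, "", v); print v; exit }'
}

# Score captured by group 1 of the expression, or nothing if the header is absent or does not match.
spam_score_from_header() {  # usage: spam_score_from_header < headers
    header_value "$SPAM_HEADER" | sed -E -n "s/^${SPAM_VALUE_RE}\$/\1/p"
}

# True when SCORE is at or above MAX, i.e. the message reaches the configured maximum score.
score_reaches_max() {  # usage: score_reaches_max SCORE MAX
    awk -v s="$1" -v m="$2" 'BEGIN { exit !(s + 0 >= m + 0) }'
}

# Constructed header blocks.
EXIM_STYLE='Received: from mx.example.test
X-Spam_score: 7.35
Subject: constructed sample'
HYPHEN_STYLE='X-Spam-Score: 7.35
Subject: constructed sample'
NEGATIVE='x-spam_SCORE: -1.2
Subject: constructed sample'

report() {  # usage: report LABEL HEADERS
    score=$(printf '%s\n' "$2" | spam_score_from_header)
    if [ -z "$score" ]; then
        echo "$1: no $SPAM_HEADER header matched the expression"
    elif score_reaches_max "$score" "$SPAM_MAX_VALUE"; then
        echo "$1: score $score reaches sieve_spamtest_max_value $SPAM_MAX_VALUE"
    else
        echo "$1: score $score is below sieve_spamtest_max_value $SPAM_MAX_VALUE"
    fi
}
report EXIM_STYLE "$EXIM_STYLE"     # captures 7.3 (one decimal, as the expression is written)
report HYPHEN_STYLE "$HYPHEN_STYLE" # SpamAssassin-style name: not matched by the page's setting
report NEGATIVE "$NEGATIVE"
```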
<br />
====ManageSieve Server====<br />
This implements the ManageSieve protocol through which users can remotely manage Sieve scripts on the server.<br />
<br />
* Follow the steps in '''Sieve Interpreter Plugin''' above.<br />
* Add {{ic|sieve}} to {{ic|protocols}} in {{ic|dovecot.conf}} {{bc|<nowiki><br />
protocols = imap pop3 sieve<br />
</nowiki>}}<br />
* Add minimal {{ic|/etc/dovecot/conf.d/20-managesieve.conf}} {{bc|<nowiki><br />
service managesieve-login {<br />
}<br />
<br />
service managesieve {<br />
}<br />
<br />
protocol sieve {<br />
}<br />
</nowiki>}} <br />
* Restart {{ic|dovecot}}. The managesieve daemon will listen on port 4190 by default.<br />
<br />
==Starting the server==<br />
<br />
Use the standard [[systemd]] syntax to control the {{ic|dovecot.service}} [[daemon]].<br />
<br />
== Tricks ==<br />
<br />
Generate password hashes with a non-default hash function:<br />
{{bc|<br />
doveadm pw -s SHA512-CRYPT -p "superpassword"<br />
}}<br />
<br />
Make sure that the password column in the database is large enough for the chosen scheme (you might not get a warning if it is not).<br />
<br />
Remember to set the password scheme in your {{ic|dovecot-sql.conf}} file:<br />
{{bc|1=<br />
default_pass_scheme = SHA512-CRYPT<br />
}}</div>
Acid reign