Dovecot

From ArchWiki

Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written primarily with security in mind. Dovecot primarily aims to be a lightweight, fast and easy to set up open source mailserver. For more detailed information, please see the official Dovecot Wiki.

This article describes how to set up Dovecot for personal or small office use.

Installation

Install the dovecot package.

Configuration

Assumptions

This article or section needs language, wiki syntax or style improvements. See Help:Style for reference.

Reason: Do not make arbitrary assumptions. (Discuss in Talk:Dovecot)
  • Each mail account served by Dovecot, has a local user account defined on the server.
  • The server uses PAM to authenticate the user against the local user database (/etc/passwd).
  • TLS is used to encrypt the authentication password.
  • The common Maildir format is used to store the mail in the user's home directory.
  • A MDA has already been set up to deliver mail to the local users.

Create the TLS certificate

Warning: If you deploy TLS, be sure to follow weakdh.org's guide to prevent vulnerabilities. ssl_min_protocol defaults to TLSv1. For more information see Server-side TLS.

To obtain a certificate, see OpenSSL#Usage.

Alternatively you can generate the certificate using a script that comes with the dovecot package:

  1. Copy the example configuration: cp /usr/share/doc/dovecot/dovecot-openssl.cnf /etc/ssl/dovecot-openssl.cnf as the root user.
  2. Edit /etc/ssl/dovecot-openssl.cnf to configure the certificate.
  3. Execute /usr/lib/dovecot/mkcert.sh as the root user to generate the certificate.

The certificate/key pair is created as /etc/ssl/certs/dovecot.pem and /etc/ssl/private/dovecot.pem.

Run cp /etc/ssl/certs/dovecot.pem /etc/ca-certificates/trust-source/anchors/dovecot.crt and then trust extract-compat as the root user whenever you have changed your certificate.

Dovecot configuration

  • Create the dovecot configuration folder /etc/dovecot.
  • Copy the dovecot.conf and conf.d/* configuration files from /usr/share/doc/dovecot/example-config to /etc/dovecot:
# mkdir /etc/dovecot
# cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot/dovecot.conf
# cp -r /usr/share/doc/dovecot/example-config/conf.d /etc/dovecot

If files in /usr/share/doc/dovecot/ are missing, check the NoExtract setting in pacman.conf(5).

The default configuration is ok for most systems, but make sure to read through the configuration files to see what options are available. See the quick configuration guide and dovecot configuration for more instructions.

By default dovecot will try to detect what mail storage system is in use on the system. To use the Maildir format edit /etc/dovecot/conf.d/10-mail.conf to set mail_location = maildir:~/Maildir.

Generate DH parameters

To generate a new DH parameters file (this will take a long time):

# openssl dhparam -out /etc/dovecot/dh.pem 4096

then add the file to /etc/dovecot/conf.d/10-ssl.conf

ssl_dh = </etc/dovecot/dh.pem

PAM Authentication

To enable PAM authentication with Dovecot follow this section and then either #PAM Authentication with LDAP or #PAM Authentication with SSSD.

Edit /etc/dovecot/conf.d/auth-system.conf.ext by removing the comment in front of the PAM authentication section , like this:

# PAM authentication. Preferred nowadays by most systems.
# PAM is typically used with either userdb passwd or userdb static.
# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
passdb {
  driver = pam
  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
  # [cache_key=<key>] [<service name>]
  args = session=yes dovecot
}

If you also want to log login failures add failure_show_msg=yes to args.

By using the pam_mkhomedir.so module and by adding the session part in the passdb directive, if an LDAP user logs in for the first time the corresponding home directory will be automatically created.

Warning: The pam session is cleared after the initial authentication request; you may experience race conditions where the home directory gets cleared during the imap session.

PAM Authentication with LDAP

If you are using an OpenLDAP or 389-ds-base server for authentication instead, be sure to be able to login with your LDAP users first, as described in LDAP authentication. You can then write the following in /etc/pam.d/dovecot remembering that the entries order is very important:

/etc/pam.d/dovecot
auth    sufficient      pam_ldap.so
auth    required        pam_unix.so     nullok
account sufficient      pam_ldap.so
account required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel umask=0022
session sufficient      pam_ldap.so

In this way both LDAP and system users have their mailbox.

PAM Authentication with SSSD

If you are using SSSD for authentication You can then write the following in /etc/pam.d/dovecot remembering that the entries order is very important:

/etc/pam.d/dovecot
auth    sufficient      pam_sss.so
auth    required        pam_unix.so     nullok
account sufficient      pam_sss.so
account required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel umask=0022
session sufficient      pam_sss.so

In this way both LDAP and system users have their mailbox.

Sieve

Sieve is a programming language that can be used to create filters for email on mail server.

Note: You must be using Dovecot as a local delivery agent (through LMTP or LDA) for plugins like Sieve to work. If you are following the Virtual user mail system guide, this is most likely not the case and you will need to modify your Postfix configuration. A guide can be found in the Dovecot Wiki.

Sieve Interpreter Plugin

This facilitates the actual Sieve filtering upon delivery.

  • Install pigeonhole.
  • Depending on your usage, add sieve to mail_plugins in
    • /etc/dovecot/conf.d/15-lda.conf
      protocol lda {
        mail_plugins = $mail_plugins sieve
      }
      
    • and/or /etc/dovecot/conf.d/20-lmtp.conf
      protocol lmtp {
        mail_plugins = $mail_plugins sieve
      }
      
Note: Nowadays it is recommended to use LMTP instead of LDA. Nevertheless the Dovecot LDA can still be used for small mailservers. More information can be found in the Dovecot Manual.
  • Optionally, add configuration in plugin section. See Sieve Interpreter Documentation for configuration options and default values.
    Example: run cp /usr/share/doc/dovecot/example-config/conf.d/90-sieve.conf /etc/dovecot/conf.d/90-sieve.conf and verify in /etc/dovecot/conf.d/90-sieve.conf:
    plugin {
      sieve = file:~/sieve;active=~/.dovecot.sieve 
    }
    
Note: Configuration files in /etc/dovecot/conf.d/ will not be read without a line in /etc/dovecot/dovecot.conf like !include /etc/dovecot/conf.d/*.conf. If you are following the Virtual user mail system guide, you may need to add this line.
Example: SpamAssassin - move spam to "Junk" folder
  • Add spamtest configuration
/etc/dovecot/conf.d/90-sieve.conf
plugin {
  sieve_extensions = +spamtest +spamtestplus

  sieve_spamtest_status_type = score
  sieve_spamtest_status_header = \ 
    X-Spam_score: (-?[[:digit:]]+\.[[:digit:]]).* 
  sieve_spamtest_max_value = 5.0 

  sieve_before = /var/lib/dovecot/sieve/global_sieves/move_to_spam_folder.sieve
}

Note: This tests for "X-Spam_score" (which is the spam header format in default Exim configuration). Your header might look different, ie "X-Spam-Score".

  • Create sieve script: mkdir -p /var/lib/dovecot/sieve/global_sieves
/var/lib/dovecot/sieve/global_sieves/move_to_spam_folder.sieve
require "spamtestplus";
require "fileinto";
require "relational";
require "comparator-i;ascii-numeric";

if spamtest :value "ge" :comparator "i;ascii-numeric" "5" {
  fileinto "Junk";
}
  • To compile sieve, execute in shell
    sievec /var/lib/dovecot/sieve/global_sieves
    
    and make sure the move_to_spam_folder.sieve and the resulting move_to_spam_folder.svbin files are world readable.

ManageSieve Server

This implements the ManageSieve protocol through which users can remotely manage Sieve scripts on the server.

  • Follow the steps in #Sieve Interpreter Plugin above.
  • Add sieve to protocols in dovecot.conf
    protocols = imap pop3 sieve
    
  • Add minimal /etc/dovecot/conf.d/20-managesieve.conf
    service managesieve-login {
    }
    
    service managesieve {
    }
    
    protocol sieve {
    }
    
  • Restart dovecot. The managesieve daemon will listen on port 4190 by default.

Full Text Search

By default Dovecot does not index the full message content, which will result in slow response times for IMAP SEARCH queries for bigger mailboxes. There is a number of FTS backends Dovecot can be hooked up to.

Dovecot needs a plugin for the chosen search backend. The solr plugin is included in dovecot but solr itself is not the easiest to set up. There are packages for Xapian (dovecot-fts-xapian) and Elasticsearch (dovecot-fts-elastic).

Starting the server

Start/enable dovecot.service.

Tips and tricks

Generate hashes with non-default hash functions:

$ doveadm pw -s SHA512-CRYPT -p "password"

Ensure that the column in the database is large enough. A warning will be emitted if it is too small.

Remember to set the password password scheme:

dovecot-sql.conf
default_pass_scheme = SHA512-CRYPT

Troubleshooting

warning: pipe flag `D' requires dovecot_destination_recipient_limit = 1

If you cannot receive emails with multiple recipients and there is something like this is your logs:

mail postfix/pipe[663]: 72A62733: to=<user2@example.com>, relay=dovecot, delay=495, delays=495/0.01/0/0.08, dsn=4.3.5, status=deferred (mail system configuration error)
mail postfix/pipe[663]: 72A62733: to=<user1@example.com>, relay=dovecot, delay=495, delays=495/0.01/0/0.06, dsn=4.3.5, status=deferred (mail system configuration error)
mail postfix/pipe[1614231]: warning: pipe flag `D' requires dovecot_destination_recipient_limit = 1

Add dovecot_destination_recipient_limit = 1 to /etc/postfix/main.cf and reload postfix.