Difference between revisions of "Dovecot"
Jump to navigation
Jump to search
(Major rewrite) |
(→PAM Authentication: rm section, it should have always been and now is part of the package: https://bugs.archlinux.org/task/61852) |
||
| (79 intermediate revisions by 42 users not shown) | |||
| Line 1: | Line 1: | ||
| − | [[Category:Mail | + | [[Category:Mail server]] |
| + | [[ja:Dovecot]] | ||
| + | {{Related articles start}} | ||
| + | {{Related|Postfix}} | ||
| + | {{Related|Courier MTA}} | ||
| + | {{Related|OpenSMTPD}} | ||
| + | {{Related|Fail2ban}} | ||
| + | {{Related|SOGo}} | ||
| + | {{Related|Virtual user mail system}} | ||
| + | {{Related articles end}} | ||
| − | + | [http://www.dovecot.org/ Dovecot] is an open source [[Wikipedia:IMAP|IMAP]] and [[Wikipedia:POP3|POP3]] server for Linux/UNIX-like systems, written primarily with security in mind. Dovecot primarily aims to be a lightweight, fast and easy to set up open source mailserver. For more detailed information, please see the official [http://wiki2.dovecot.org/ Dovecot Wiki]. | |
| − | + | This article describes how to set up Dovecot for personal or small office use. | |
==Installation== | ==Installation== | ||
| − | [[ | + | [[Install]] the {{Pkg|dovecot}} package. |
==Configuration== | ==Configuration== | ||
| Line 13: | Line 22: | ||
===Assumptions=== | ===Assumptions=== | ||
| − | + | {{Style|Don't make arbitrary assumptions.}} | |
| − | |||
| − | |||
| − | |||
| − | + | * Each mail account served by Dovecot, has a local user account defined on the server. | |
| + | * The server uses [[PAM]] to authenticate the user against the local user database (/etc/passwd). | ||
| + | * [[Wikipedia:Transport_Layer_Security|TLS]] is used to encrypt the authentication password. | ||
| + | * The common [[Wikipedia:Maildir|Maildir]] format is used to store the mail in the user's home directory. | ||
| + | * A [[Wikipedia:Mail delivery agent|MDA]] has already been set up to deliver mail to the local users. | ||
| − | + | === Create the TLS certificate === | |
| − | + | {{Warning|If you deploy [[Wikipedia:TLS|TLS]], be sure to follow [https://weakdh.org/sysadmin.html weakdh.org's guide] to prevent vulnerabilities. {{ic|ssl_min_protocol}} defaults to TLSv1. For more information see [[Server-side TLS]].}} | |
| − | |||
| − | + | To obtain a certificate, see [[OpenSSL#Usage]]. | |
| + | |||
| + | Alternatively you can generate the certificate using a script that comes with the {{Pkg|dovecot}} package: | ||
| + | |||
| + | # Copy the example configuration: {{ic|# cp /usr/share/doc/dovecot/dovecot-openssl.cnf /etc/ssl/dovecot-openssl.cnf}}. | ||
| + | # Edit {{ic|/etc/ssl/dovecot-openssl.cnf}} to configure the certificate. | ||
| + | # Execute {{ic|# /usr/lib/dovecot/mkcert.sh}} to generate the certificate. | ||
The certificate/key pair is created as {{ic|/etc/ssl/certs/dovecot.pem}} and {{ic|/etc/ssl/private/dovecot.pem}}. | The certificate/key pair is created as {{ic|/etc/ssl/certs/dovecot.pem}} and {{ic|/etc/ssl/private/dovecot.pem}}. | ||
| − | + | Run {{ic|cp /etc/ssl/certs/dovecot.pem /etc/ca-certificates/trust-source/anchors/dovecot.crt}} and then {{ic|# trust extract-compat}} whenever you have | |
| − | + | changed your certificate. | |
| − | |||
| − | {{ | ||
| − | |||
| − | |||
| − | |||
===Dovecot configuration=== | ===Dovecot configuration=== | ||
| − | * Copy the dovecot.conf and conf.d configuration files from {{ic|/usr/share/doc/dovecot/example-config}} to {{ic|/etc/dovecot}}: | + | * Copy the {{ic|dovecot.conf}} and {{ic|conf.d/*}} configuration files from {{ic|/usr/share/doc/dovecot/example-config}} to {{ic|/etc/dovecot}}: |
{{bc| | {{bc| | ||
# cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot | # cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot | ||
| Line 49: | Line 59: | ||
By default dovecot will try to detect what mail storage system is in use on the system. To use the Maildir format edit {{ic|/etc/dovecot/conf.d/10-mail.conf}} to set {{ic|1=mail_location = maildir:~/Maildir}}. | By default dovecot will try to detect what mail storage system is in use on the system. To use the Maildir format edit {{ic|/etc/dovecot/conf.d/10-mail.conf}} to set {{ic|1=mail_location = maildir:~/Maildir}}. | ||
| − | == | + | ===Generate DH parameters=== |
| + | |||
| + | To generate a new DH parameters file (this will take very long): | ||
| + | |||
| + | # openssl dhparam -out /etc/dovecot/dh.pem 4096 | ||
| + | |||
| + | then add the file to {{ic|/etc/dovecot/conf.d/10-ssl.conf}} | ||
| + | |||
| + | ssl_dh = </etc/dovecot/dh.pem | ||
| + | |||
| + | ===PAM Authentication with LDAP=== | ||
| + | |||
| + | * If you are using an [[OpenLDAP]] server for authentication instead, be sure to be able to login with your LDAP users first, as described in [[LDAP authentication]]. | ||
| + | You can then write the following in {{ic|/etc/pam.d/dovecot}} remembering that the entries order is very important: | ||
| + | {{hc|/etc/pam.d/dovecot|2= | ||
| + | auth sufficient pam_ldap.so | ||
| + | auth required pam_unix.so nullok | ||
| + | account sufficient pam_ldap.so | ||
| + | account required pam_unix.so | ||
| + | session required pam_mkhomedir.so skel=/etc/skel umask=0022 | ||
| + | session sufficient pam_ldap.so | ||
| + | }} | ||
| + | In this way both LDAP and system users have their mailbox. | ||
| + | |||
| + | * Edit {{ic|/etc/dovecot/conf.d/auth-system.conf}} by changing the {{ic|passdb}} directive, like this: | ||
| + | <pre> | ||
| + | passdb { | ||
| + | driver = pam | ||
| + | args = session=yes dovecot | ||
| + | } | ||
| + | </pre> | ||
| + | By using the {{ic|pam_mkhomedir.so}} module and by adding the {{ic|session}} part in the {{ic|passdb}} directive, if an LDAP user logs in for the first time the corresponding home directory will be automatically created. | ||
| + | |||
| + | ===Sieve=== | ||
| + | [[wikipedia:Sieve (mail filtering language)|Sieve]] is a programming language that can be used to create filters for email on mail server. | ||
| + | {{Note| You must be using Dovecot as a local delivery agent (through LMTP or LDA) for plugins like Sieve to work. If you are following the [[Virtual user mail system]] guide, this is most likely not the case and you will need to modify your Postfix configuration. A guide can be found in the [https://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP Dovecot Wiki].}} | ||
| + | |||
| + | ====Sieve Interpreter Plugin==== | ||
| + | This facilitates the actual Sieve filtering upon delivery. | ||
| + | |||
| + | * Install {{Pkg|pigeonhole}}. | ||
| + | * Depending on your usage, add {{ic|sieve}} to {{ic|mail_plugins}} in | ||
| + | ** {{ic|<nowiki>/etc/dovecot/conf.d/15-lda.conf</nowiki>}}{{bc|<nowiki> | ||
| + | protocol lda { | ||
| + | mail_plugins = $mail_plugins sieve | ||
| + | } | ||
| + | </nowiki>}} | ||
| + | ** and/or {{ic|/etc/dovecot/conf.d/20-lmtp.conf}}{{bc|<nowiki> | ||
| + | protocol lmtp { | ||
| + | mail_plugins = $mail_plugins sieve | ||
| + | } | ||
| + | </nowiki>}} | ||
| + | {{Note| Nowadays it is recommended to use LMTP instead of LDA. Nevertheless the Dovecot LDA can still be used for small mailservers. More information can be found in the [http://wiki2.dovecot.org/LMTP Dovecot Wiki].}} | ||
| + | |||
| + | * Optionally, add configuration in {{ic|plugin}} section. See [http://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration Sieve Interpreter Documentation] for configuration options and default values.<br> Example: run {{ic|cp /usr/share/doc/dovecot/example-config/conf.d/90-sieve.conf /etc/dovecot/conf.d/90-sieve.conf}} and verify in {{ic|/etc/dovecot/conf.d/90-sieve.conf}}: {{bc|<nowiki> | ||
| + | plugin { | ||
| + | sieve = file:~/sieve;active=~/.dovecot.sieve | ||
| + | } | ||
| + | </nowiki>}} | ||
| + | {{Note| Configuration files in {{ic|/etc/dovecot/conf.d/}} will not be read without a line in {{ic|/etc/dovecot/dovecot.conf}} like {{ic|!include /etc/dovecot/conf.d/*.conf}}. If you are following the [[Virtual user mail system]] guide, you may need to add this line.}} | ||
| + | |||
| + | ======Example: SpamAssassin - move spam to "Junk" folder====== | ||
| + | * Add spamtest configuration | ||
| + | {{hc|/etc/dovecot/conf.d/90-sieve.conf|<nowiki> | ||
| + | plugin { | ||
| + | sieve_extensions = +spamtest +spamtestplus | ||
| + | |||
| + | sieve_spamtest_status_type = score | ||
| + | sieve_spamtest_status_header = \ | ||
| + | X-Spam_score: (-?[[:digit:]]+\.[[:digit:]]).* | ||
| + | sieve_spamtest_max_value = 5.0 | ||
| + | |||
| + | sieve_before = /var/lib/dovecot/sieve/global_sieves/move_to_spam_folder.sieve | ||
| + | } | ||
| + | </nowiki>}} '''Note:''' This tests for "X-Spam_score" (which is the spam header format in default Exim configuration). Your header might look different, ie "X-Spam-Score". | ||
| + | * Create sieve script: {{ic|mkdir -p /var/lib/dovecot/sieve/global_sieves}} | ||
| + | {{hc|/var/lib/dovecot/sieve/global_sieves/move_to_spam_folder.sieve|<nowiki> | ||
| + | require "spamtestplus"; | ||
| + | require "fileinto"; | ||
| + | require "relational"; | ||
| + | require "comparator-i;ascii-numeric"; | ||
| + | |||
| + | if spamtest :value "ge" :comparator "i;ascii-numeric" "5" { | ||
| + | fileinto "Junk"; | ||
| + | } | ||
| + | </nowiki>}} | ||
| + | |||
| + | * To compile sieve, execute in shell {{bc|<nowiki> | ||
| + | sievec /var/lib/dovecot/sieve/global_sieves | ||
| + | </nowiki>}} and make sure the {{ic|move_to_spam_folder.sieve}} and the resulting {{ic|move_to_spam_folder.svbin}} files are world readable. | ||
| + | |||
| + | ====ManageSieve Server==== | ||
| + | This implements the ManageSieve protocol through which users can remotely manage Sieve scripts on the server. | ||
| + | |||
| + | * Follow the steps in '''Sieve Interpreter Plugin''' above. | ||
| + | * Add {{ic|sieve}} to {{ic|protocols}} in {{ic|dovecot.conf}} {{bc|<nowiki> | ||
| + | protocols = imap pop3 sieve | ||
| + | </nowiki>}} | ||
| + | * Add minimal {{ic|/etc/dovecot/conf.d/20-managesieve.conf}} {{bc|<nowiki> | ||
| + | service managesieve-login { | ||
| + | } | ||
| + | |||
| + | service managesieve { | ||
| + | } | ||
| + | |||
| + | protocol sieve { | ||
| + | } | ||
| + | </nowiki>}} | ||
| + | * Restart {{ic|dovecot}}. The managesieve daemon will listen on port 4190 by default. | ||
| + | |||
| + | ==Starting the server== | ||
Use the standard [[systemd]] syntax to control the {{ic|dovecot.service}} [[daemon]]. | Use the standard [[systemd]] syntax to control the {{ic|dovecot.service}} [[daemon]]. | ||
| + | |||
| + | == Tricks == | ||
| + | |||
| + | Generate hashes with non-default hash functions. | ||
| + | |||
| + | doveadm pw -s SHA512-CRYPT -p "superpassword" | ||
| + | |||
| + | Remember to make sure that the column in the database is large enough(you might not get a warning..) | ||
| + | |||
| + | Remember to set the password scheme in your dovecot-sql.conf file | ||
| + | |||
| + | default_pass_scheme = SHA512-CRYPT | ||
Latest revision as of 17:00, 26 February 2019
Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written primarily with security in mind. Dovecot primarily aims to be a lightweight, fast and easy to set up open source mailserver. For more detailed information, please see the official Dovecot Wiki.
This article describes how to set up Dovecot for personal or small office use.
Installation
Configuration
Assumptions
- Each mail account served by Dovecot, has a local user account defined on the server.
- The server uses PAM to authenticate the user against the local user database (/etc/passwd).
- TLS is used to encrypt the authentication password.
- The common Maildir format is used to store the mail in the user's home directory.
- A MDA has already been set up to deliver mail to the local users.
Create the TLS certificate
Warning: If you deploy TLS, be sure to follow weakdh.org's guide to prevent vulnerabilities.
ssl_min_protocol defaults to TLSv1. For more information see Server-side TLS.To obtain a certificate, see OpenSSL#Usage.
Alternatively you can generate the certificate using a script that comes with the dovecot package:
- Copy the example configuration:
# cp /usr/share/doc/dovecot/dovecot-openssl.cnf /etc/ssl/dovecot-openssl.cnf. - Edit
/etc/ssl/dovecot-openssl.cnfto configure the certificate. - Execute
# /usr/lib/dovecot/mkcert.shto generate the certificate.
The certificate/key pair is created as /etc/ssl/certs/dovecot.pem and /etc/ssl/private/dovecot.pem.
Run cp /etc/ssl/certs/dovecot.pem /etc/ca-certificates/trust-source/anchors/dovecot.crt and then # trust extract-compat whenever you have
changed your certificate.
Dovecot configuration
- Copy the
dovecot.confandconf.d/*configuration files from/usr/share/doc/dovecot/example-configto/etc/dovecot:
# cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot # cp -r /usr/share/doc/dovecot/example-config/conf.d /etc/dovecot
The default configuration is ok for most systems, but make sure to read through the configuration files to see what options are available. See the quick configuration guide and dovecot configuration for more instructions.
By default dovecot will try to detect what mail storage system is in use on the system. To use the Maildir format edit /etc/dovecot/conf.d/10-mail.conf to set mail_location = maildir:~/Maildir.
Generate DH parameters
To generate a new DH parameters file (this will take very long):
# openssl dhparam -out /etc/dovecot/dh.pem 4096
then add the file to /etc/dovecot/conf.d/10-ssl.conf
ssl_dh = </etc/dovecot/dh.pem
PAM Authentication with LDAP
- If you are using an OpenLDAP server for authentication instead, be sure to be able to login with your LDAP users first, as described in LDAP authentication.
You can then write the following in /etc/pam.d/dovecot remembering that the entries order is very important:
/etc/pam.d/dovecot
auth sufficient pam_ldap.so auth required pam_unix.so nullok account sufficient pam_ldap.so account required pam_unix.so session required pam_mkhomedir.so skel=/etc/skel umask=0022 session sufficient pam_ldap.so
In this way both LDAP and system users have their mailbox.
- Edit
/etc/dovecot/conf.d/auth-system.confby changing thepassdbdirective, like this:
passdb {
driver = pam
args = session=yes dovecot
}
By using the pam_mkhomedir.so module and by adding the session part in the passdb directive, if an LDAP user logs in for the first time the corresponding home directory will be automatically created.
Sieve
Sieve is a programming language that can be used to create filters for email on mail server.
Note: You must be using Dovecot as a local delivery agent (through LMTP or LDA) for plugins like Sieve to work. If you are following the Virtual user mail system guide, this is most likely not the case and you will need to modify your Postfix configuration. A guide can be found in the Dovecot Wiki.
Sieve Interpreter Plugin
This facilitates the actual Sieve filtering upon delivery.
- Install pigeonhole.
- Depending on your usage, add
sievetomail_pluginsin/etc/dovecot/conf.d/15-lda.confprotocol lda { mail_plugins = $mail_plugins sieve }- and/or
/etc/dovecot/conf.d/20-lmtp.confprotocol lmtp { mail_plugins = $mail_plugins sieve }
Note: Nowadays it is recommended to use LMTP instead of LDA. Nevertheless the Dovecot LDA can still be used for small mailservers. More information can be found in the Dovecot Wiki.
- Optionally, add configuration in
pluginsection. See Sieve Interpreter Documentation for configuration options and default values.
Example: runcp /usr/share/doc/dovecot/example-config/conf.d/90-sieve.conf /etc/dovecot/conf.d/90-sieve.confand verify in/etc/dovecot/conf.d/90-sieve.conf:plugin { sieve = file:~/sieve;active=~/.dovecot.sieve }
Note: Configuration files in
/etc/dovecot/conf.d/ will not be read without a line in /etc/dovecot/dovecot.conf like !include /etc/dovecot/conf.d/*.conf. If you are following the Virtual user mail system guide, you may need to add this line.Example: SpamAssassin - move spam to "Junk" folder
- Add spamtest configuration
/etc/dovecot/conf.d/90-sieve.conf
plugin {
sieve_extensions = +spamtest +spamtestplus
sieve_spamtest_status_type = score
sieve_spamtest_status_header = \
X-Spam_score: (-?[[:digit:]]+\.[[:digit:]]).*
sieve_spamtest_max_value = 5.0
sieve_before = /var/lib/dovecot/sieve/global_sieves/move_to_spam_folder.sieve
}
Note: This tests for "X-Spam_score" (which is the spam header format in default Exim configuration). Your header might look different, ie "X-Spam-Score".
- Create sieve script:
mkdir -p /var/lib/dovecot/sieve/global_sieves
/var/lib/dovecot/sieve/global_sieves/move_to_spam_folder.sieve
require "spamtestplus";
require "fileinto";
require "relational";
require "comparator-i;ascii-numeric";
if spamtest :value "ge" :comparator "i;ascii-numeric" "5" {
fileinto "Junk";
}
- To compile sieve, execute in shell
sievec /var/lib/dovecot/sieve/global_sieves
and make sure themove_to_spam_folder.sieveand the resultingmove_to_spam_folder.svbinfiles are world readable.
ManageSieve Server
This implements the ManageSieve protocol through which users can remotely manage Sieve scripts on the server.
- Follow the steps in Sieve Interpreter Plugin above.
- Add
sievetoprotocolsindovecot.confprotocols = imap pop3 sieve
- Add minimal
/etc/dovecot/conf.d/20-managesieve.confservice managesieve-login { } service managesieve { } protocol sieve { } - Restart
dovecot. The managesieve daemon will listen on port 4190 by default.
Starting the server
Use the standard systemd syntax to control the dovecot.service daemon.
Tricks
Generate hashes with non-default hash functions.
doveadm pw -s SHA512-CRYPT -p "superpassword"
Remember to make sure that the column in the database is large enough(you might not get a warning..)
Remember to set the password scheme in your dovecot-sql.conf file
default_pass_scheme = SHA512-CRYPT