Difference between revisions of "Dovecot"

From ArchWiki
(Sieve)
(PAM Authentication with LDAP: unless I remove this 'mv' instruction, I get "doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-auth.conf line 122: No matches")
 
(38 intermediate revisions by 25 users not shown)
Line 1: Line 1:
[[Category:Mail Server]]
+
[[Category:Mail server]]
 
+
[[ja:Dovecot]]
 +
{{Related articles start}}
 +
{{Related|Postfix}}
 +
{{Related|Courier MTA}}
 +
{{Related|OpenSMTPD}}
 +
{{Related|Fail2ban}}
 +
{{Related|Virtual user mail system}}
 +
{{Related articles end}}
 
This article describes how to set up a mail server suitable for personal or small office use.
 
This article describes how to set up a mail server suitable for personal or small office use.
  
Line 7: Line 14:
 
==Installation==
 
==Installation==
  
[[pacman|Install]] the packages {{Pkg|dovecot}} and {{Pkg|pam}} from the [[Official Repositories|official repositories]].
+
[[Install]] the {{Pkg|dovecot}} package.
  
 
==Configuration==
 
==Configuration==
Line 14: Line 21:
  
 
* Each mail account served by Dovecot, has a local user account defined on the server.
 
* Each mail account served by Dovecot, has a local user account defined on the server.
* The server uses [[Wikipedia:Pluggable authentication module|PAM]] to authenticate the user against the local user database (/etc/passwd).
+
* The server uses [[PAM]] to authenticate the user against the local user database (/etc/passwd).
 
* [[Wikipedia:Transport_Layer_Security|SSL]] is used to encrypt the authentication password.
 
* [[Wikipedia:Transport_Layer_Security|SSL]] is used to encrypt the authentication password.
 
* The common [[Wikipedia:Maildir|Maildir]] format is used to store the mail in the user's home directory.
 
* The common [[Wikipedia:Maildir|Maildir]] format is used to store the mail in the user's home directory.
Line 30: Line 37:
 
The certificate/key pair is created as {{ic|/etc/ssl/certs/dovecot.pem}} and {{ic|/etc/ssl/private/dovecot.pem}}.
 
The certificate/key pair is created as {{ic|/etc/ssl/certs/dovecot.pem}} and {{ic|/etc/ssl/private/dovecot.pem}}.
  
===PAM Authentication===
+
Run {{ic|cp /etc/ssl/certs/dovecot.pem /etc/ca-certificates/trust-source/anchors/dovecot.crt}} and then {{ic|# trust extract-compat}} whenever you have
 +
changed your certificate.
  
* To configure PAM for dovecot, create {{ic|/etc/pam.d/dovecot}} with the following content:
+
{{Warning|If you plan on implementing SSL/TLS, please respond safely to [http://disablessl3.com/ POODLE] and [https://weakdh.org/sysadmin.html FREAK/Logjam] by adding the following to your [[#Dovecot configuration|configuration]]:
{{hc|/etc/pam.d/dovecot|
+
{{bc|1=
auth    required        pam_unix.so nullok
+
ssl_protocols = !SSLv2 !SSLv3
account required        pam_unix.so
+
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
}}
+
ssl_prefer_server_ciphers = yes
 +
ssl_dh_parameters_length = 2048
 +
}}}}
  
 
===Dovecot configuration===
 
===Dovecot configuration===
  
* Copy the dovecot.conf and conf.d/* configuration files from {{ic|/usr/share/doc/dovecot/example-config}} to {{ic|/etc/dovecot}}:
+
* Copy the {{ic|dovecot.conf}} and {{ic|conf.d/*}} configuration files from {{ic|/usr/share/doc/dovecot/example-config}} to {{ic|/etc/dovecot}}:
 
{{bc|
 
{{bc|
 
# cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot
 
# cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot
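Review bot: the `ssl_cipher_list` added in the new warning block still ends in `AES:CAMELLIA:DES-CBC3-SHA`, so static RSA key exchange (no forward secrecy) and 3DES remain enabled even though the block is presented as the answer to FREAK/Logjam; cut the list after `DHE-RSA-AES256-SHA` (keeping the trailing `!` exclusions) unless very old clients must be served, and say that `ssl_protocols = !SSLv2 !SSLv3` still leaves TLS 1.0 and 1.1 enabled. The new `cp /etc/ssl/certs/dovecot.pem /etc/ca-certificates/trust-source/anchors/dovecot.crt` step also installs the self-signed server certificate as a system-wide trust anchor without saying so; the text should state that it is only needed for a self-signed certificate and only on hosts that are meant to trust this server.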
Line 49: Line 59:
  
 
By default dovecot will try to detect what mail storage system is in use on the system. To use the Maildir format edit {{ic|/etc/dovecot/conf.d/10-mail.conf}} to set {{ic|1=mail_location = maildir:~/Maildir}}.
 
By default dovecot will try to detect what mail storage system is in use on the system. To use the Maildir format edit {{ic|/etc/dovecot/conf.d/10-mail.conf}} to set {{ic|1=mail_location = maildir:~/Maildir}}.
 +
 +
===PAM Authentication===
 +
 +
* To configure PAM for dovecot, create {{ic|/etc/pam.d/dovecot}} with the following content:
 +
{{hc|/etc/pam.d/dovecot|
 +
auth    required        pam_unix.so nullok
 +
account required        pam_unix.so
 +
}}
 +
 +
===PAM Authentication with LDAP===
 +
 +
* If you are using an [[OpenLDAP]] server for authentication instead, be sure to be able to login with your LDAP users first, as described in [[LDAP authentication]].
 +
You can then write the following in {{ic|/etc/pam.d/dovecot}} remembering that the entries order is very important:
 +
{{hc|/etc/pam.d/dovecot|2=
 +
auth    sufficient      pam_ldap.so
 +
auth    required        pam_unix.so    nullok
 +
account sufficient      pam_ldap.so
 +
account required        pam_unix.so
 +
session required        pam_mkhomedir.so skel=/etc/skel umask=0022
 +
session sufficient      pam_ldap.so
 +
}}
 +
In this way both LDAP and system users have their mailbox.
 +
 +
* Edit {{ic|/etc/dovecot/conf.d/auth-system.conf}} by changing the {{ic|passdb}} directive, like this:
 +
<pre>
 +
passdb {
 +
  driver = pam
 +
  args = session=yes dovecot
 +
}
 +
</pre>
 +
By using the {{ic|pam_mkhomedir.so}} module and by adding the {{ic|session}} part in the {{ic|passdb}} directive, if an LDAP user logs in for the first time the corresponding home directory will be automatically created.
  
 
===Sieve===
 
===Sieve===
  
[http://en.wikipedia.org/wiki/Sieve_%28mail_filtering_language%29 Sieve] is a programming language that can be used to create filters for email on mail server.
+
[[wikipedia:Sieve (mail filtering language)|Sieve]] is a programming language that can be used to create filters for email on mail server.
  
* Install pigeonhole
+
* Install {{Pkg|pigeonhole}}.
* Add "managesieve sieve" to "protocols" in dovecot.conf
+
* Add "sieve" to "protocols" in dovecot.conf (and the lines from the next points)
* Add minimal 80-sieve.conf
+
<pre>
 +
protocols = imap pop3 sieve
 +
</pre>
 +
* Add minimal 80-sieve.conf in {{ic|/etc/dovecot/conf.d/}}
 
<pre>
 
<pre>
 
service managesieve-login {
 
service managesieve-login {
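Review bot: `auth required pam_unix.so nullok` in the added LDAP stack lets any local account whose password field is empty authenticate to a service that listens on the network; drop `nullok` or justify it in the text. In the same stack, `session required pam_mkhomedir.so skel=/etc/skel umask=0022` creates world-readable home directories that will hold the user's Maildir; `umask=0077` is the safer value to document.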
Line 70: Line 114:
 
}
 
}
 
</pre>
 
</pre>
* Specify sieve storage location in "plugin" section:
+
* Add "sieve" as "mail_plugins" in "protocol lda" section of {{ic|/etc/dovecot/conf.d/15-lda.conf}}
 +
<pre>
 +
protocol lda {
 +
  mail_plugins = sieve
 +
}
 +
</pre>
 +
* Specify sieve storage location in "plugin" section of {{ic|/etc/dovecot/conf.d/90-plugin.conf}}:
 +
<pre>
 +
plugin {
 
   sieve=/var/mail/%u/dovecot.sieve
 
   sieve=/var/mail/%u/dovecot.sieve
   sieve_storage=/var/mail/%u/sieve
+
   sieve_dir=/var/mail/%u/sieve
 +
}
 +
</pre>
 +
 
 +
{{Note| Nowadays it is recommended to use LMTP instead of LDA. Nevertheless the Dovecot LDA can still be used for small mailservers. More information can be found in the [http://wiki2.dovecot.org/LMTP Dovecot Wiki]}}
  
 
* Ensure that your MTA uses dovecot for delivery. For example: postfix's main.cf and dovecot-lda:
 
* Ensure that your MTA uses dovecot for delivery. For example: postfix's main.cf and dovecot-lda:
 
   mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
 
   mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
* Add "sieve" to "mail_plugins" in "protocol lda" section
 
  
 
==Starting the server==
 
==Starting the server==
  
 
Use the standard [[systemd]] syntax to control the {{ic|dovecot.service}} [[daemon]].
 
Use the standard [[systemd]] syntax to control the {{ic|dovecot.service}} [[daemon]].
 +
 +
== Tricks ==
 +
 +
Generate hashes with non-default hash functions.
 +
 +
doveadm pw -s SHA512-CRYPT -p "superpassword"
 +
 +
Remember to make sure that the column in the database is large enough(you might not get a warning..)
 +
 +
Remember to set the password scheme in your dovecot-sql.conf file
 +
 +
default_pass_scheme = SHA512-CRYPT
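Review bot: `doveadm pw -s SHA512-CRYPT -p "superpassword"` in the new Tricks section puts the cleartext password into the process list and the shell history; show the command without `-p`, which makes doveadm prompt for the password instead, and mention that the printed hash carries a `{SHA512-CRYPT}` prefix that a SQL passdb accepts as-is. The added LMTP note says LMTP is recommended but the section only configures the LDA; either link the LMTP configuration or say explicitly that the rest of the section assumes the LDA.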

Latest revision as of 02:39, 5 April 2016

This article describes how to set up a mail server suitable for personal or small office use.

Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written primarily with security in mind. Developed by Timo Sirainen, Dovecot was first released in July 2002. Dovecot primarily aims to be a lightweight, fast and easy to set up open source mailserver. For more detailed information, please see the official Dovecot Wiki.

Installation

Install the dovecot package.

Configuration

Assumptions

  • Each mail account served by Dovecot has a local user account defined on the server.
  • The server uses PAM to authenticate the user against the local user database (/etc/passwd).
  • SSL/TLS is used to encrypt the connection, so the authentication password is never sent in the clear.
  • The common Maildir format is used to store the mail in the user's home directory.
  • An MDA has already been set up to deliver mail to the local users.

Create the SSL certificate

The dovecot package contains a script to generate the server SSL certificate.

  • Copy the configuration file from the sample file: # cp /etc/ssl/dovecot-openssl.cnf{.sample,}
  • Edit /etc/ssl/dovecot-openssl.cnf to configure the certificate; the CN must be the host name clients will connect to, otherwise they will refuse to verify it.
  • Execute # /usr/lib/dovecot/mkcert.sh to generate the certificate.

The certificate/key pair is created as /etc/ssl/certs/dovecot.pem and /etc/ssl/private/dovecot.pem. Keep the private key readable by root only (mode 0600); Dovecot reads it as root before dropping privileges, so there is no need to loosen its permissions.

The certificate is self-signed, so clients do not trust it by default. To make programs on this host (for example a local mail client) trust it, run cp /etc/ssl/certs/dovecot.pem /etc/ca-certificates/trust-source/anchors/dovecot.crt and then # trust extract-compat, and repeat this whenever you regenerate the certificate. This makes the certificate a system-wide trust anchor, so only do it on hosts that should trust this server; skip the step entirely if you use a certificate from a public CA instead.

Warning: If you plan on implementing SSL/TLS, respond safely to POODLE and FREAK/Logjam by adding the following to your configuration. Note that !SSLv2 !SSLv3 still leaves TLS 1.0 and 1.1 enabled, and that the tail of the cipher list (AES:CAMELLIA:DES-CBC3-SHA) keeps static-RSA suites without forward secrecy and 3DES for old clients; drop those entries if you do not need them. After restarting Dovecot, check from another host that an SSLv3 handshake is refused (for example openssl s_client -ssl3 -connect mail.example.com:993 must fail):
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 2048
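The cipher string above is only as good as what the server's OpenSSL turns it into. The script below is an added check, not part of the ArchWiki page or of Dovecot: it hands a cipher string to the local OpenSSL through Python's ssl module, the same library call Dovecot makes, and reports which enabled suites lack forward secrecy or use legacy algorithms. It audits the list from the warning above and, for comparison, a stricter forward-secrecy-only list that is this example's own suggestion, not the page's.

```python
import ssl

# The ssl_cipher_list from the warning above, copied verbatim as constructed input.
ARCHWIKI_CIPHER_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:"
    "!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# A forward-secrecy-only alternative: this example's suggestion, not taken from the page.
PFS_ONLY_CIPHER_LIST = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:ECDHE+AES:DHE+AES:"
    "!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK"
)

# Substrings that mark algorithms a new deployment should not be offering.
LEGACY_MARKERS = ("DES-CBC3", "3DES", "CAMELLIA", "RC4", "MD5")


def expand_cipher_list(cipher_list):
    """Return the suites the local OpenSSL enables for a Dovecot ssl_cipher_list string.

    Raises ssl.SSLError if the string matches nothing, which Dovecot would fail on too.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    return ctx.get_ciphers()


def audit_cipher_list(cipher_list):
    """Split the enabled suites by key exchange.

    ECDHE/DHE suites (and every TLS 1.3 suite, whose key exchange is always ephemeral)
    give forward secrecy; static RSA key exchange does not.  Legacy algorithms are
    collected separately so they stand out even when they are forward secret.
    """
    report = {"forward_secret": [], "non_forward_secret": [], "legacy": []}
    for suite in expand_cipher_list(cipher_list):
        name = suite["name"]
        if suite["protocol"] == "TLSv1.3" or suite["kea"] in ("kx-ecdhe", "kx-dhe"):
            report["forward_secret"].append(name)
        else:
            report["non_forward_secret"].append(name)
        if any(marker in name for marker in LEGACY_MARKERS):
            report["legacy"].append(name)
    return report


def summarize(cipher_list):
    """One-line summary suitable for a log or a configuration check."""
    r = audit_cipher_list(cipher_list)
    return "%d suites, %d without forward secrecy, %d legacy" % (
        len(r["forward_secret"]) + len(r["non_forward_secret"]),
        len(r["non_forward_secret"]),
        len(r["legacy"]),
    )


if __name__ == "__main__":
    for label, lst in (("ArchWiki list", ARCHWIKI_CIPHER_LIST),
                       ("PFS-only list", PFS_ONLY_CIPHER_LIST)):
        print(label + ":", summarize(lst))
        print("  non-PFS:", audit_cipher_list(lst)["non_forward_secret"])
        print("  legacy: ", audit_cipher_list(lst)["legacy"])
```

Run it on the machine that will run Dovecot, because the result depends on that host's OpenSSL build and security level; unknown names in a list (such as the KRB5 suite excluded above) are silently ignored by OpenSSL, so a typo in a `!` exclusion never shows up as an error, only as an extra enabled suite in the report.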

Dovecot configuration

  • Copy the dovecot.conf and conf.d/* configuration files from /usr/share/doc/dovecot/example-config to /etc/dovecot:
# cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot
# cp -r /usr/share/doc/dovecot/example-config/conf.d /etc/dovecot

The default configuration is fine for most systems, but read through the configuration files to see what options are available. See the quick configuration guide and dovecot configuration for more instructions. Two defaults worth confirming are disable_plaintext_auth = yes in /etc/dovecot/conf.d/10-auth.conf and ssl = yes in /etc/dovecot/conf.d/10-ssl.conf; together they stop remote clients from sending the password before TLS is negotiated. After editing, run # doveconf -n to print the effective non-default settings and catch syntax errors.

By default Dovecot tries to detect what mail storage system is in use on the system. To use the Maildir format, edit /etc/dovecot/conf.d/10-mail.conf to set mail_location = maildir:~/Maildir.

PAM Authentication

  • To configure PAM for Dovecot, create /etc/pam.d/dovecot with the following content (the file name must match the PAM service name Dovecot uses, which is dovecot by default):
/etc/pam.d/dovecot
auth    required        pam_unix.so nullok
account required        pam_unix.so

nullok allows an account whose password field is empty to log in without a password; omit it on a server that is reachable from the network unless you really need that behaviour.

PAM Authentication with LDAP

  • If you use an OpenLDAP server for authentication instead, first make sure your LDAP users can log in to the system itself, as described in LDAP authentication.

Then put the following in /etc/pam.d/dovecot. The order of the entries matters: a sufficient module that succeeds ends the stack immediately, while a required module that fails makes the whole stack fail even if a later module succeeds, so the LDAP lines must come before the pam_unix lines.

/etc/pam.d/dovecot
auth    sufficient      pam_ldap.so
auth    required        pam_unix.so     nullok
account sufficient      pam_ldap.so
account required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel umask=0022
session sufficient      pam_ldap.so

This way both LDAP users and local system users can authenticate and get a mailbox. The same caveat as above applies to nullok. umask=0022 makes a newly created home directory world-readable, and the user's Maildir will live inside it; umask=0077 is the safer choice.

  • Edit /etc/dovecot/conf.d/auth-system.conf and change the passdb block to:
passdb {
  driver = pam
  args = session=yes dovecot
}

session=yes makes Dovecot open and close a PAM session for each login, which is what runs the session modules; dovecot is the PAM service name. With pam_mkhomedir.so in the session stack, the home directory of an LDAP user is created automatically the first time that user logs in.
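To make the "order is very important" point concrete for both PAM stacks above, here is an added example (mine, not Dovecot or Linux-PAM code) that models how PAM walks /etc/pam.d/dovecot. It implements only the required and sufficient control flags the page uses, replaces pam_ldap and pam_unix with lookups in two constructed user tables, and runs the page's LDAP stack, the same stack with its two auth lines swapped, and the page's stack without nullok. The user names and passwords are invented for the example.

```python
from dataclasses import dataclass, field

# Constructed directories standing in for the LDAP server and /etc/shadow.
LDAP_USERS = {"alice": "ldap-secret"}                 # alice exists only in LDAP
LOCAL_USERS = {"bob": "local-secret", "guest": ""}    # guest has an empty password field


@dataclass
class Rule:
    kind: str                      # auth | account | session
    control: str                   # required | sufficient
    module: str
    args: list = field(default_factory=list)


def parse_pam(text):
    """Parse the four-column pam.d format; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            rules.append(Rule(fields[0], fields[1], fields[2], fields[3:]))
    return rules


def call_module(rule, user, password):
    """Stand-in for the real modules: True means the module returned PAM_SUCCESS."""
    if rule.module == "pam_ldap.so":
        if rule.kind == "auth":
            return LDAP_USERS.get(user) == password
        return user in LDAP_USERS
    if rule.module == "pam_unix.so":
        if user not in LOCAL_USERS:
            return False
        if rule.kind != "auth":
            return True
        stored = LOCAL_USERS[user]
        if stored == "":
            # Only nullok lets an empty password field authenticate (with an empty password).
            return "nullok" in rule.args and password == ""
        return stored == password
    return True   # pam_mkhomedir.so and friends make no authentication decision


def run_stack(rules, kind, user, password):
    """required: a failure is remembered but the stack keeps going.
    sufficient: success ends the stack at once, unless a required module already failed.
    Returns (success, modules consulted in order)."""
    failed, consulted = False, []
    for rule in (r for r in rules if r.kind == kind):
        consulted.append(rule.module)
        ok = call_module(rule, user, password)
        if rule.control == "required":
            failed = failed or not ok
        elif rule.control == "sufficient":
            if ok and not failed:
                return True, consulted
        else:
            raise ValueError("control flag %r is not modelled" % rule.control)
    return not failed, consulted


def authenticate(stack_text, user, password):
    """Run the auth stack, then the account stack, as Dovecot's pam passdb does."""
    rules = parse_pam(stack_text)
    ok, consulted = run_stack(rules, "auth", user, password)
    if ok:
        ok, _ = run_stack(rules, "account", user, password)
    return ok, consulted


# The stack from the "PAM Authentication with LDAP" section.
WIKI_STACK = """\
auth    sufficient      pam_ldap.so
auth    required        pam_unix.so     nullok
account sufficient      pam_ldap.so
account required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel umask=0022
session sufficient      pam_ldap.so
"""

# The same modules with the two auth lines swapped, to show why the order matters.
SWAPPED_STACK = """\
auth    required        pam_unix.so     nullok
auth    sufficient      pam_ldap.so
account sufficient      pam_ldap.so
account required        pam_unix.so
"""

# The page's stack with nullok removed.
NO_NULLOK_STACK = WIKI_STACK.replace(" nullok", "")


if __name__ == "__main__":
    for name, stack in (("wiki", WIKI_STACK), ("swapped", SWAPPED_STACK),
                        ("no nullok", NO_NULLOK_STACK)):
        for user, pw in (("alice", "ldap-secret"), ("bob", "local-secret"), ("guest", "")):
            print("%-9s %-6s -> %s" % (name, user, authenticate(stack, user, pw)))
```

With the swapped order, alice (who exists only in LDAP) is refused: pam_unix, being required, fails first and a later sufficient success cannot undo that. With nullok in place, guest logs in with an empty password; removing the option closes that hole without affecting alice or bob.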

Sieve

Sieve is a language for writing server-side mail filters. Pigeonhole adds Sieve filtering to Dovecot together with the ManageSieve protocol, which lets mail clients upload and manage their scripts.

  • Install pigeonhole.
  • Add sieve to the protocols line in /etc/dovecot/dovecot.conf (the remaining settings below go into the conf.d files named with them):
protocols = imap pop3 sieve
  • Create a minimal 80-sieve.conf in /etc/dovecot/conf.d/ for the ManageSieve service. It listens on port 4190 and authenticates with the same passdb as IMAP; disable_plaintext_auth applies to it too, so clients must use STARTTLS before logging in:
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}

service managesieve {
}

protocol sieve {
}
  • Add sieve to mail_plugins in the protocol lda section of /etc/dovecot/conf.d/15-lda.conf, so the user's script runs when the LDA delivers a message:
protocol lda {
  mail_plugins = sieve
}
  • Specify where the active script and the script directory live in the plugin section of /etc/dovecot/conf.d/90-plugin.conf (%u expands to the user name; the directory must be writable by that user, since ManageSieve stores scripts as the user):
plugin {
  sieve=/var/mail/%u/dovecot.sieve
  sieve_dir=/var/mail/%u/sieve
}
Note: LMTP is now the recommended delivery path instead of the LDA, but the Dovecot LDA is still fine for small mail servers. More information can be found in the Dovecot Wiki.
  • Ensure that your MTA delivers through Dovecot. For example, in Postfix's main.cf, hand local mail to dovecot-lda:
 mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"

Starting the server

Use the standard systemd syntax to control the dovecot.service daemon.

Tricks

Generate password hashes with a non-default scheme, for example for a virtual-user database:

doveadm pw -s SHA512-CRYPT -p "superpassword"

Omit -p to be prompted for the password instead: a password given on the command line is visible in ps output and ends up in the shell history. The output is prefixed with the scheme, e.g. {SHA512-CRYPT}$6$..., and a SQL passdb accepts it in that form as-is.

Make sure the password column in the database is wide enough for the longer hash (well over 100 characters for SHA512-CRYPT); a column that is too narrow may silently truncate it, and every login then fails without any warning at insert time.

For rows stored without the scheme prefix, set the matching default scheme in your dovecot-sql.conf file:

default_pass_scheme = SHA512-CRYPT