Setting up Dovecot

INSTALL

grab the latest

ftp -a https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz.sig
ftp -a https://dovecot.org/releases/2.3/dovecot-2.3.6.tar.gz
#gpg --search-keys dovecot
gpg dovecot-2.3.6.tar.gz.sig
gpg --recv-key ED409DA1
gpg --list-keys
gpg --verify dovecot-2.3.6.tar.gz.sig dovecot-2.3.6.tar.gz
#Primary key fingerprint: 2BE7 4AAB 3EE7 54DF B9C8  0D33 18A3 48AE ED40 9DA1
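Added example, not part of these notes: rather than trusting whichever key --recv-key imported, pin the primary-key fingerprint printed above and let a script decide whether the signature check passed. The function reads the machine-readable status lines that gpg --status-fd 1 --verify emits; the sample status lines below are constructed for an offline run (placeholder timestamps and an all-zero fingerprint), not real gpg output.

```sh
#!/bin/sh
# Added example, not part of the original notes: pin the release-signing
# fingerprint instead of trusting whatever key --recv-key imported.
# `gpg --status-fd 1 --verify` emits machine-readable lines; a VALIDSIG
# line carries the signing-key fingerprint as its first argument and, when
# a subkey signed, the primary-key fingerprint as its last argument.

# Fingerprint as printed in the notes above; spaces are stripped before use.
EXPECTED_FPR="2BE7 4AAB 3EE7 54DF B9C8  0D33 18A3 48AE ED40 9DA1"

# check_validsig EXPECTED_FPR < gpg-status-output
# Returns 0 only when a VALIDSIG line names the pinned fingerprint (as the
# signing key or as the primary key). A GOODSIG from some other key, or a
# BADSIG, returns 1.
check_validsig() {
    want=$(printf '%s' "$1" | tr -d ' ')
    awk -v want="$want" '
        BEGIN { want = toupper(want); ok = 0 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# Real use (not executed here; needs the tarball, its .sig and the key):
#   gpg --status-fd 1 --verify dovecot-2.3.6.tar.gz.sig dovecot-2.3.6.tar.gz \
#       | check_validsig "$EXPECTED_FPR" && echo "signature OK, fingerprint pinned"

# Constructed status output for an offline run (placeholder timestamps,
# placeholder all-zero fingerprint); not real gpg output.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 2BE74AAB3EE754DFB9C80D3318A348AEED409DA1 2019-04-30 1556600000 0 4 0 1 10 00 2BE74AAB3EE754DFB9C80D3318A348AEED409DA1'
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2019-04-30 1556600000 0 4 0 1 10 00 0000000000000000000000000000000000000000'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0000000000000000 placeholder uid'

printf '%s\n' "$SAMPLE_GOOD" | check_validsig "$EXPECTED_FPR" && echo "good sample: accepted"
printf '%s\n' "$SAMPLE_OTHER_KEY" | check_validsig "$EXPECTED_FPR" || echo "other key: rejected"
printf '%s\n' "$SAMPLE_BAD" | check_validsig "$EXPECTED_FPR" || echo "bad signature: rejected"
```

The point of parsing VALIDSIG rather than grepping for "Good signature" is that a valid signature from the wrong key also prints "Good signature"; only the fingerprint comparison ties the tarball to the key you decided to trust.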

extract and build it

./configure
make
make install

bring the pain

grep 42 /etc/group
grep 42 /etc/passwd
groupadd -g 42 dovecot
useradd -c "Dovecot unprivileged user" -d /dev/null -u 42 -g dovecot -s /sbin/nologin dovecot

grep 43 /etc/group
grep 43 /etc/passwd
groupadd -g 43 dovenull
useradd -c "Dovecot login user" -d /dev/null -u 43 -g dovenull -s /sbin/nologin dovenull

UNIX AUTH

fgrep -v '*' /etc/master.passwd | cut -d : -f 1-4,8-10
vi /usr/local/etc/dovecot.passwd
chown dovecot:dovecot /usr/local/etc/dovecot.passwd
chmod 400 /usr/local/etc/dovecot.passwd
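Added example, not part of these notes: the same master.passwd to passwd-file conversion as a function, so it can be re-run instead of re-edited in vi. It keeps exactly the fields the fgrep/cut one-liner keeps (name, password, uid, gid, gecos, home, shell), skips locked accounts, skips uids below first_valid_uid, and can append the allow_nets extra field used under "restrict by ip" further down. The master.passwd excerpt is constructed and the hashes are placeholders.

```sh
#!/bin/sh
# Added example, not part of the original notes: build the Dovecot
# passwd-file from master.passwd. Mirrors the fgrep/cut one-liner above
# (fields 1-4,8-10), drops locked accounts ("*" password) and accounts
# below first_valid_uid, and optionally appends allow_nets.
#
# master.passwd (BSD):   name:pw:uid:gid:class:change:expire:gecos:home:shell
# Dovecot passwd-file:   user:password:uid:gid:gecos:home:shell[:extra_fields]

FIRST_UID=1000        # keep in step with first_valid_uid in dovecot.conf

# mkpasswdfile FIRST_UID [ALLOW_NETS] < master.passwd
mkpasswdfile() {
    awk -F: -v first="$1" -v nets="$2" '
        $2 == "*" || $2 == ""     { next }   # locked or passwordless: never exported
        ($3 + 0) < (first + 0)    { next }   # system account: below the mail-user range
        {
            line = $1 ":" $2 ":" $3 ":" $4 ":" $8 ":" $9 ":" $10
            if (nets != "") line = line ":allow_nets=" nets
            print line
        }
    '
}

# Constructed master.passwd excerpt; the hashes are placeholders, not real.
SAMPLE='root:$2b$10$PLACEHOLDERHASHroot:0:0::0:0:Charlie &:/root:/bin/sh
daemon:*:1:1::0:0:The devil:/:/sbin/nologin
alice:$2b$10$PLACEHOLDERHASHalice:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob (locked):/home/bob:/bin/sh'

# Real use (not executed here). The umask keeps the file from ever being
# world-readable, even for the instant before chown/chmod run.
#   ( umask 077; mkpasswdfile "$FIRST_UID" < /etc/master.passwd > /usr/local/etc/dovecot.passwd )
#   chown dovecot:dovecot /usr/local/etc/dovecot.passwd
#   chmod 400 /usr/local/etc/dovecot.passwd

printf '%s\n' "$SAMPLE" | mkpasswdfile "$FIRST_UID"
printf '%s\n' "$SAMPLE" | mkpasswdfile "$FIRST_UID" 192.0.2.0/24
```

Only alice survives the constructed sample: root is below the uid range and daemon and bob are locked. Passing a netmask as the second argument appends allow_nets to every exported user; per-user masks are still a manual edit.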

–OR– CRAM-MD5

touch /usr/local/etc/cram-md5.pwd
echo -n USER: >> /usr/local/etc/cram-md5.pwd
#default scheme of doveadm pw is CRYPT, which cannot serve CRAM-MD5
doveadm pw -s cram-md5 >> /usr/local/etc/cram-md5.pwd
#chmod 600 /usr/local/etc/cram-md5.pwd
chown dovecot:dovecot /usr/local/etc/cram-md5.pwd
chmod 400 /usr/local/etc/cram-md5.pwd

SETUP (MBOX FORMAT)

openssl dhparam -rand /dev/urandom 2048 > /etc/openssl/dh.pem
chmod 400 /etc/openssl/dh.pem

#cp -Rp /usr/local/share/doc/dovecot/example-config/* /usr/local/etc/dovecot/
cd /usr/local/etc/dovecot/
vi dovecot.conf

protocols = imap pop3
disable_plaintext_auth = yes
#auth_mechanisms = plain cram-md5
auth_mechanisms = plain
userdb {
  driver = passwd
}
passdb {
  driver = passwd-file
  #args = scheme=cram-md5 /usr/local/etc/cram-md5.pwd
  args = /usr/local/etc/dovecot.passwd
}
first_valid_uid = 1000
#last_valid_uid =
mail_location = mbox:/home/%u:INBOX=/var/mail/%u
namespace inbox {
  inbox = yes
}

ssl = required
verbose_ssl = no
ssl_dh = </etc/openssl/dh.pem
ssl_cert = </usr/pkg/etc/letsencrypt/live/xc.nethence.com/fullchain.pem
ssl_key = </usr/pkg/etc/letsencrypt/live/xc.nethence.com/privkey.pem
#ssl_cert = </etc/openssl/selfsign.cer
#ssl_key = </etc/openssl/selfsign.key
#imap_client_workarounds = tb-extra-mailbox-sep tb-lsub-flags

IMAPS

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

service imap {
  process_limit = 3
}

POP3S

service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

service pop3 {
  process_limit = 3
}
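Added example, not part of these notes: a check over doveconf -n output that re-verifies the hardening choices made above (ssl = required, disable_plaintext_auth = yes, plaintext imap/pop3 listeners left on port 0) so a later edit cannot quietly reopen port 143 or 110. Both config samples are constructed: the first mirrors the settings above, the second is a deliberately relaxed variant.

```sh
#!/bin/sh
# Added example, not part of the original notes: audit `doveconf -n`
# output for the hardening settings chosen above. Findings go to stdout,
# exit status 0 means clean.

# audit_doveconf < doveconf-n-output
audit_doveconf() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function val(s)  { split(s, kv, "="); return trim(kv[2]) }
        # inet_listener <name> { ... }: remember which listener we are inside,
        # so "port = 0" and the per-listener "ssl = yes" are attributed correctly
        /^[ \t]*inet_listener[ \t]+[A-Za-z0-9_-]+[ \t]*\{/ { listener = $2; next }
        /^[ \t]*\}/                                      { listener = ""; next }
        listener != "" && /^[ \t]*port[ \t]*=/           { port[listener] = val($0); next }
        listener == "" && /^[ \t]*ssl[ \t]*=/            { ssl = val($0); next }
        /^[ \t]*disable_plaintext_auth[ \t]*=/           { dpa = val($0); next }
        END {
            bad = 0
            if (ssl != "required") { print "ssl = \"" ssl "\" (expected: required)"; bad = 1 }
            if (dpa != "yes")      { print "disable_plaintext_auth = \"" dpa "\" (expected: yes)"; bad = 1 }
            for (l in port)
                if ((l == "imap" || l == "pop3") && port[l] != "0") {
                    print "plaintext listener " l " still enabled on port " port[l]
                    bad = 1
                }
            exit bad
        }
    '
}

# Real use (not executed here):
#   doveconf -n | audit_doveconf && echo "dovecot.conf: hardening intact"

# Constructed sample matching the settings in the notes above.
HARDENED='protocols = imap pop3
disable_plaintext_auth = yes
auth_mechanisms = plain
ssl = required
ssl_dh = </etc/openssl/dh.pem
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}'

# Constructed relaxed variant: plaintext auth allowed, TLS optional, port 143 open.
WEAK='protocols = imap pop3
disable_plaintext_auth = no
ssl = yes
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}'

printf '%s\n' "$HARDENED" | audit_doveconf && echo "hardened sample: clean"
printf '%s\n' "$WEAK" | audit_doveconf || echo "weak sample: findings above"
```

The listener tracking matters because "ssl = yes" inside inet_listener imaps is correct there but would be a finding at top level; the audit only reads the global ssl setting, which the notes set to required. Pair it with netstat after a restart to confirm nothing but 993 and 995 listens.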

OPERATIONS

check configuration

doveconf -Pn

restart

vi RESTART-DOVE

#!/bin/sh

echo -n stopping dovecot...
/usr/local/sbin/dovecot stop && echo done

echo -n dovecot...
/usr/local/sbin/dovecot && echo done
ps auxww | grep dovecot | grep -v grep
netstat -an -f inet,inet6 | grep LISTEN

chmod +x RESTART-DOVE

enable at startup

vi /etc/rc.local

/root/RESTART-DOVE

reload

/usr/local/sbin/dovecot reload

ADDITIONAL

sasl

see SASL

restrict by ip

vi /usr/local/etc/cram-md5.pwd

USER:PASSFIELD::::::allow_nets=x.x.x.x/32,x.x.x.x/32

tuning

define a range for mail users e.g.

first_valid_uid = 5000
last_valid_uid = 5999

TROUBLES

when trying to connect through IMAP or SMTP

Error: Failed to initialize SSL server context: Couldn't parse DH parameters

==> Dovecot 2.3 requires DH parameters to be set up: https://wiki.dovecot.org/SSL/DovecotConfiguration

RESOURCES

Dovecot Logging https://wiki.dovecot.org/Logging

Dovecot SSL configuration https://wiki.dovecot.org/SSL/DovecotConfiguration

Dovecot-2.3.6 http://linuxfromscratch.org/blfs/view/cvs/server/dovecot.html

auth

Passwd-file https://doc.dovecot.org/configuration_manual/authentication/passwd_file/

Password databases (passdb) https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/

misc

Dovecot configuration file https://dovecot.org/doc/dovecot-example.conf

[Dovecot] Disable unsecure POP3 at all (Dovecot 2.1) https://dovecot.org/list/dovecot/2013-October/093191.html

Howto: Linux Dovecot Secure IMAPS / POP3S SSL Server configuration https://www.cyberciti.biz/faq/unix-dovecot-ssl-tls-server-configuration/

Security tuning https://wiki.dovecot.org/SecurityTuning

user mgmt

Authentication Mechanisms https://wiki2.dovecot.org/Authentication/Mechanisms

System users used by Dovecot https://wiki.dovecot.org/UserIds

Master users/passwords https://wiki.dovecot.org/Authentication/MasterUsers

HowToCRAM-MD5 https://wiki.dovecot.org/HowTo/CRAM-MD5

Operation Not Permitted https://wiki2.dovecot.org/Errors/ChgrpNoPerm

restrict by ip

https://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets

https://wiki2.dovecot.org/LoginProcess

https://wiki2.dovecot.org/PostLoginScripting

Allow_nets extra field https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
