SETTING UP DOVECOT

INSTALL

debian

    apt install dovecot-imapd
    grep dove /etc/passwd
    grep dove /etc/group

slackware

    slackpkg install dovecot libunwind libsodium mariadb sqlite
    grep dove /etc/passwd
    grep dove /etc/group

from source

see dovecot-source

REQUIREMENTS

You have to choose between 770 with the setgid bit (group mail) or a+rwxt (world-writable with the sticky bit) for /var/spool/mail/. We prefer the sticky bit option, just like on BSD systems.

ls -ldF /var/mail   #w/o trailing slash as it may be a symlink
ls -ldF /var/spool/mail #idem

On Slackware it’s located here

chmod g-s /var/spool/mail/
chmod a+rwxt /var/spool/mail/

takes a while

time openssl dhparam -rand /dev/urandom 4096 > /etc/dovecot/dhparms.pem
# 35m28.226s on a single-core vps

A GOOD START

# from source
#ls -lF /usr/local/share/doc/dovecot/example-config/
#ls -lF /usr/local/etc/dovecot/
#vi /usr/local/etc/dovecot/dovecot.conf

# debian
mv -i /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.dist
vi /etc/dovecot/dovecot.conf # new file

MBOX — local unix account with no specific group — the mail folder is /home/%u/mail/ for happy shell and Alpine users

    mail_location = mbox:/home/%u/mail:INBOX=/var/spool/mail/%u
    mbox_very_dirty_syncs = yes

MAILDIR

mail_location = maildir:~/Maildir

FURTHER SETUP

protocols = imap
disable_plaintext_auth = yes
auth_mechanisms = plain

imap_client_workarounds = tb-extra-mailbox-sep tb-lsub-flags

passdb {
    # gnu/linux
    driver = pam

    # bsd
    #driver = passwd
}

userdb {
    driver = passwd
}

first_valid_uid = 1000
last_valid_uid = 64999

# server cert
ssl = required
verbose_ssl = no
ssl_dh = </etc/dovecot/dhparms.pem
ssl_cert = </etc/dehydrated/certs/ECC/xc.nethence.com/fullchain.pem
ssl_key = </etc/dehydrated/certs/ECC/xc.nethence.com/privkey.pem
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES:!AES128:!CAMELLIA128
ssl_prefer_server_ciphers = no

service imap-login {
    inet_listener imap {
        port = 0
    }
    inet_listener imaps {
        port = 993
        ssl = yes
    }
}

more options

# no need - using sticky bit instead, or Maildir
#mail_privileged_group = mail

# idling server
service imap {
    process_limit = 10
}

if you wanna add POP3

protocols = imap pop3

service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

service pop3 {
  process_limit = 3
}

SASL socket

add the login method and an authentication socket

#vi /usr/local/etc/dovecot/dovecot.conf
vi /etc/dovecot/dovecot.conf

auth_mechanisms = plain login

service auth {
    unix_listener /var/spool/postfix/private/auth {
        mode = 0660
        user = postfix

        # gnu/linux
        group = root

        # bsd
        #group = wheel
    }
}

Ready to go

debian

systemctl restart dovecot

from scratch

/usr/local/sbin/dovecot

shared

ls -lF /var/spool/postfix/private/auth

you can now enable SASL on your MTA of choice

OPERATIONS

enable

vi /etc/rc.local

echo -n dovecot...
rm -f /var/run/dovecot/master.pid
/usr/local/sbin/dovecot && echo done || echo FAIL

status

ps auxfww | grep dovecot | grep -v grep
netstat -lntup | grep dove

# netbsd
#netstat -an -f inet,inet6 | grep LISTEN

reload

/usr/local/sbin/dovecot reload

stop

/usr/local/sbin/dovecot stop

ACCEPTANCE

server=IMAP-SERVER
openssl s_client -showcerts -servername $server -connect $server:993

TROUBLES

print version, build options and configuration

dovecot --version
dovecot --build-options

# privately
doveconf -Pn

# publicly
doveconf -n
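To check that the hardening settings from this guide actually made it into the running configuration, here is an added lint script (not from the page or the Dovecot project) that reads the output of doveconf -n; the file name check-dovecot.sh and the compiled-in default "imap pop3 lmtp" assumed when protocols is unset are assumptions.

```shell
#!/bin/sh
# Added example, not from the page or Dovecot: lint "doveconf -n" output
# against the hardening this guide applies.  Usage: doveconf -n | sh check-dovecot.sh lint
# setting KEY: value of a top-level "KEY = value" (brace depth 0), so the
# "ssl = yes" inside an inet_listener is not mistaken for "ssl = required"
setting() {
    awk -v k="$1" '
        depth == 0 && $1 == k && $2 == "=" { sub(/^[^=]*= ?/, ""); print; exit }
        { for (i = 1; i <= NF; i++) depth += ($i == "{") - ($i == "}") }'
}

# listener_port NAME: the port set inside "inet_listener NAME { ... }", if any
listener_port() {
    awk -v n="$1" '$1 == "inet_listener" && $2 == n { in_l = 1; next }
                   in_l && $1 == "port" { print $3; exit }
                   in_l && $1 == "}"    { in_l = 0 }'
}

# check_doveconf: read doveconf -n on stdin, one line per check, 0 only if all pass
check_doveconf() {
    conf=$(cat); fails=0
    get() { printf '%s\n' "$conf" | setting "$1"; }
    check() {  # check LABEL ACTUAL WANTED...  (empty ACTUAL = unset)
        label=$1; actual=$2; shift 2
        for want in "$@"; do
            [ "$actual" = "$want" ] && { echo "ok   $label = $actual"; return 0; }
        done
        echo "FAIL $label is '${actual:-unset}', want: $*"; fails=$((fails + 1))
    }
    check disable_plaintext_auth "$(get disable_plaintext_auth)" yes
    check ssl "$(get ssl)" required
    check ssl_min_protocol "$(get ssl_min_protocol)" TLSv1.2 TLSv1.3
    check ssl_dh "$([ -n "$(get ssl_dh)" ] && echo set)" set   # 2.3 refuses to start without DH params
    # protocols unset means the compiled-in default, assumed here to be "imap pop3 lmtp"
    for p in $(get protocols | grep . || echo imap pop3 lmtp); do
        case $p in imap|pop3)
            check "$p cleartext listener port" "$(printf '%s\n' "$conf" | listener_port "$p")" 0 ;;
        esac
    done
    [ "$fails" -eq 0 ]
}

# constructed sample of doveconf -n for this guide's settings; "selftest" lints it
sample_good() { printf '%s\n' 'disable_plaintext_auth = yes' 'protocols = imap' \
    'service imap-login {' '  inet_listener imap {' '    port = 0' '  }' \
    '  inet_listener imaps {' '    port = 993' '    ssl = yes' '  }' '}' \
    'ssl = required' 'ssl_dh = # hidden, use -P to show it' 'ssl_min_protocol = TLSv1.2'; }
case "${1-}" in selftest) sample_good | check_doveconf ;; lint) check_doveconf ;; esac
```

A listener that is absent from doveconf -n output is reported as a failure on purpose: -n only prints non-default values, so a missing inet_listener imap means the cleartext port 143 is still open.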

CLIENT CERTIFICATE

see dovecot-clientcert

NOTES

namespaces?

#namespace inbox {
#   inbox = yes
#}

password scheme

default_pass_scheme = MD5

restrict by ip

allow_nets restriction not fully tested

vi /usr/local/etc/cram-md5.pwd

USER:PASSFIELD::::::allow_nets=x.x.x.x/32,x.x.x.x/32

tuning

optionally define a narrower UID range for mail users, e.g.

first_valid_uid = 5000
last_valid_uid = 5999

passdb passwd-file

fgrep -v '*' /etc/master.passwd | cut -d : -f 1-4,8-10
vi /usr/local/etc/dovecot.passwd
chown dovecot:dovecot /usr/local/etc/dovecot.passwd
chmod 400 /usr/local/etc/dovecot.passwd

passdb cram-md5

auth_mechanisms = plain cram-md5

passdb {
  driver = passwd-file
  #args = scheme=cram-md5 /usr/local/etc/cram-md5.pwd
  args = /usr/local/etc/dovecot.passwd
}

touch /usr/local/etc/cram-md5.pwd
echo -n USER: >> /usr/local/etc/cram-md5.pwd
doveadm pw -s CRAM-MD5 >> /usr/local/etc/cram-md5.pwd # stored in the CRAM-MD5 scheme so the challenge/response can be verified
#chmod 600 /usr/local/etc/cram-md5.pwd
chown dovecot:dovecot /usr/local/etc/cram-md5.pwd
chmod 400 /usr/local/etc/cram-md5.pwd

AUTH METHODS

these do NOT work unless Dovecot was built with support for them

NTLM
GSSAPI

TROUBLES

when trying to connect through IMAP or SMTP

Error: Failed to initialize SSL server context: Couldn't parse DH parameters

==> Dovecot 2.3 requires DH parameters to be set up: https://wiki.dovecot.org/SSL/DovecotConfiguration

in the logs when running

dovecot: imap-login: Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Connection refused

==> look at the permissions - the stats-writer socket is SUID and group-writable for dovecot - and just restart the daemon

ls -lF /var/run/dovecot/*stat*
rc.dovecot restart

RESOURCES

Dovecot Logging https://wiki.dovecot.org/Logging

Dovecot SSL configuration https://wiki.dovecot.org/SSL/DovecotConfiguration

SSL https://doc.dovecot.org/admin_manual/ssl/

Dovecot-2.3.6 http://linuxfromscratch.org/blfs/view/cvs/server/dovecot.html

auth

Passwd-file https://doc.dovecot.org/configuration_manual/authentication/passwd_file/

Password databases (passdb) https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/

Password Schemes https://doc.dovecot.org/configuration_manual/authentication/password_schemes/

ssl

Tighten TLS - usage of specific ssl_ec-curve https://serverfault.com/questions/590870/how-to-view-all-ssl-certificates-in-a-bundle

the mail group issue vs sticky bit

Dovecot: missing +w perm: /var/mail, we’re not in group 8(mail) https://serverfault.com/questions/814398/dovecot-missing-w-perm-var-mail-were-not-in-group-8mail

Mbox https://doc.dovecot.org/configuration_manual/quick_configuration/#mbox

Operation Not Permitted https://wiki2.dovecot.org/Errors/ChgrpNoPerm

[Dovecot-news] Security issue #5: mail_extra_groups setting is often used insecurely https://dovecot.org/list/dovecot-news/2008-March/000060.html

dovecot can’t compact mail folder /var/mail/username https://askubuntu.com/questions/118416/dovecot-cant-compact-mail-folder-var-mail-username

client workarounds

https://dovecot.org/pipermail/dovecot/2013-December/094232.html

https://doc.dovecot.org/configuration_manual/quick_configuration/#client-workarounds

https://wiki1.dovecot.org/QuickConfiguration#Client_Workarounds

https://wiki2.dovecot.org/Clients#Thunderbird

misc

Dovecot configuration file https://dovecot.org/doc/dovecot-example.conf

[Dovecot] Disable unsecure POP3 at all (Dovecot 2.1) https://dovecot.org/list/dovecot/2013-October/093191.html

Howto: Linux Dovecot Secure IMAPS / POP3S SSL Server configuration https://www.cyberciti.biz/faq/unix-dovecot-ssl-tls-server-configuration/

Security tuning https://wiki.dovecot.org/SecurityTuning

A exim/dovecot2/webapp to administrate email accounts and virtual domains https://opsec.eu/src/exim-dovecot2-mbxadm/

user mgmt

Authentication Mechanisms https://wiki2.dovecot.org/Authentication/Mechanisms

System users used by Dovecot https://wiki.dovecot.org/UserIds

Master users/passwords https://wiki.dovecot.org/Authentication/MasterUsers

HowToCRAM-MD5 https://wiki.dovecot.org/HowTo/CRAM-MD5


restrict by ip

https://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets

https://wiki2.dovecot.org/LoginProcess

https://wiki2.dovecot.org/PostLoginScripting

Allow_nets extra field https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets

todo

Namespaces https://doc.dovecot.org/configuration_manual/namespace/

troubles

error:1418708B:SSL routines:ssl_do_config:unknown command and nice example ssl_cipher_list https://bugzilla.redhat.com/show_bug.cgi?id=1847697

error:1418708B:SSL routines:ssl_do_config:unknown command https://bugzilla.redhat.com/show_bug.cgi?id=1836522

auth

Authentication https://wiki2.dovecot.org/Authentication

authentication_mechanisms https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/

Auth Settings https://doc.dovecot.org/configuration_manual/authentication/auth_settings/


Help on CRAM-MD5 https://dovecot.org/pipermail/dovecot/2019-June/116204.html

gssapi

Re: Looking for GSSAPI config [was: Looking for NTLM config example] http://dovecot.2317879.n4.nabble.com/Looking-for-NTLM-config-example-td55940i20.html

imap http://www.who.is.free.fr/wiki/doku.php?id=imap

Kerberos (protocol) https://en.wikipedia.org/wiki/Kerberos_(protocol)

Kerberos https://wiki.dovecot.org/Authentication/Kerberos

Dovecot + FreeIPA user auth errors (on Ubuntu 20.04): seeking debugging tips https://www.reddit.com/r/linuxadmin/comments/ikb5jp/dovecot_freeipa_user_auth_errors_on_ubuntu_2004/

gss-spnego

Dovecot with NTLM and GSS-SPNEGO authentication mechanisms (Samba’s winbind daemon) #1906 https://github.com/zentyal/zentyal/issues/1906

Winbind mechanisms https://wiki.dovecot.org/Authentication/Mechanisms/Winbind

oauth2

Add OAUTH2 support for the Dovecot IMAP server https://bugzilla.mozilla.org/show_bug.cgi?id=1342152

Open Authentication v2.0 database https://doc.dovecot.org/configuration_manual/authentication/oauth2/

OAuth2 mail client https://dovecot.org/pipermail/dovecot/2019-December/117828.html

Copyright © 2024 Pierre-Philipp Braun