apt install dovecot-imapd
grep dove /etc/passwd
grep dove /etc/group

slackpkg install dovecot libunwind libsodium mariadb sqlite
grep dove /etc/passwd
grep dove /etc/group
see dovecot-source
You have to choose between 770 g+s or a+rwxt for /var/spool/mail/. We prefer the sticky bit option, just like on BSD systems.
ls -ldF /var/mail # w/o trailing slash as it may be a symlink
ls -ldF /var/spool/mail # idem
On Slackware it’s located here
chmod g-s /var/spool/mail/
chmod a+rwxt /var/spool/mail/
takes a while
time openssl dhparam -rand /dev/urandom 4096 > /etc/dovecot/dhparms.pem # 35m28.226s on a single-core vps
# from source
#ls -lF /usr/local/share/doc/dovecot/example-config/
#ls -lF /usr/local/etc/dovecot/
#vi /usr/local/etc/dovecot/dovecot.conf

# debian
mv -i /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.dist
vi /etc/dovecot/dovecot.conf # new file
MBOX — local unix account with no specific group — the mail folder is /home/%u/mail/
for happy shell and Alpine users
mail_location = mbox:/home/%u/mail:INBOX=/var/spool/mail/%u
mbox_very_dirty_syncs = yes
mail_location = maildir:~/Maildir
protocols = imap
disable_plaintext_auth = yes
auth_mechanisms = plain
imap_client_workarounds = tb-extra-mailbox-sep tb-lsub-flags

passdb {
  # gnu/linux
  driver = pam
  # bsd
  #driver = passwd
}

userdb {
  driver = passwd
}

first_valid_uid = 1000
last_valid_uid = 64999

# server cert
ssl = required
verbose_ssl = no
ssl_dh = </etc/dovecot/dhparms.pem
ssl_cert = </etc/dehydrated/certs/ECC/xc.nethence.com/fullchain.pem
ssl_key = </etc/dehydrated/certs/ECC/xc.nethence.com/privkey.pem
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES:!AES128:!CAMELLIA128
ssl_prefer_server_ciphers = no

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
more options
# no need - using sticky bit instead, or Maildir
#mail_privileged_group = mail

# idling server
service imap {
  process_limit = 10
}
if you wanna add POP3
protocols = imap pop3

service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

service pop3 {
  process_limit = 3
}
add the login method and an authentication socket
#vi /usr/local/etc/dovecot/dovecot.conf
vi /etc/dovecot/dovecot.conf

auth_mechanisms = plain login

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    # gnu/linux
    group = root
    # bsd
    #group = wheel
  }
}
systemctl restart dovecot
ls -lF /var/spool/postfix/private/auth
you can now enable SASL on your MTA of choice
vi /etc/rc.local

echo -n dovecot...
rm -f /var/run/dovecot/master.pid
/usr/local/sbin/dovecot && echo done || echo FAIL

ps auxfww | grep dovecot | grep -v grep
netstat -lntup | grep dove
# netbsd
#netstat -an -f inet,inet6 | grep LISTEN
/usr/local/sbin/dovecot reload
/usr/local/sbin/dovecot stop
server=IMAP-SERVER
openssl s_client -showcerts -servername $server -connect $server:993
print version, build options and configuration
dovecot --version
dovecot --build-options
# privately
doveconf -Pn
# publicly
doveconf -n

#namespace inbox {
#  inbox = yes
#}
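A check of `doveconf -n` output against the TLS-only settings used on this page, as an added example (not from the original page or the Dovecot project). The names `audit_dovecot` and `sample_weak_conf` are hypothetical, the sample is constructed, and input is assumed to be in `doveconf -n` layout with one setting per line.

```shell
#!/bin/sh
# Added example: audit `doveconf -n` style text on stdin against this page's
# TLS-only baseline. Prints one finding per line; exit status 1 if any.
audit_dovecot() {
  awk '
    function flag(msg) { print "FINDING: " msg; bad = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blanks
    # block opener: track nesting depth and the current inet_listener name
    /\{[ \t]*$/ { depth++; if ($1 == "inet_listener") lst = $2; next }
    /^[ \t]*\}/ { depth--; lst = ""; next }      # block closer
    {
      key = $1; val = $0
      sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      if (depth == 0) conf[key] = val            # global settings only
      else if (lst != "" && key == "port") port[lst] = val
    }
    END {
      if (conf["ssl"] != "required") flag("ssl is not set to required")
      if (conf["ssl_min_protocol"] !~ /^TLSv1\.[23]$/)
        flag("ssl_min_protocol is below TLSv1.2 or unset")
      if (conf["ssl_dh"] == "") flag("ssl_dh is unset")
      if (conf["disable_plaintext_auth"] == "no")
        flag("disable_plaintext_auth = no")
      # Listener check covers only protocols listed explicitly.
      n = split(conf["protocols"], proto, " ")
      for (i = 1; i <= n; i++) {
        p = proto[i]
        if (p != "imap" && p != "pop3") continue
        if (!(p in port)) flag("plaintext " p " listener left at default port")
        else if (port[p] != "0") flag("plaintext " p " listener on port " port[p])
      }
      exit bad + 0
    }'
}

# Constructed sample (not a real server): TLS optional, plaintext imap on 143.
sample_weak_conf() {
  cat <<'EOF'
protocols = imap
ssl = yes
ssl_min_protocol = TLSv1
service imap-login {
  inet_listener imap {
    port = 143
  }
}
EOF
}
```

Run it as `doveconf -n | audit_dovecot`; the constructed sample yields four findings, and the configuration shown earlier on this page yields none.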
default_pass_scheme = MD5
allow_nets restriction not fully tested
vi /usr/local/etc/cram-md5.pwd

USER:PASSFIELD::::::allow_nets=x.x.x.x/32,x.x.x.x/32
eventually define a more specific range for mail users e.g.
first_valid_uid = 5000
last_valid_uid = 5999

fgrep -v '*' /etc/master.passwd | cut -d : -f 1-4,8-10
vi /usr/local/etc/dovecot.passwd
chown dovecot:dovecot /usr/local/etc/dovecot.passwd
chmod 400 /usr/local/etc/dovecot.passwd
auth_mechanisms = plain cram-md5

passdb {
  driver = passwd-file
  #args = scheme=cram-md5 /usr/local/etc/cram-md5.pwd
  args = /usr/local/etc/dovecot.passwd
}

# create the CRAM-MD5 password file and append a USER:HASH entry
touch /usr/local/etc/cram-md5.pwd
echo -n USER: >> /usr/local/etc/cram-md5.pwd
doveadm pw >> /usr/local/etc/cram-md5.pwd
#chmod 600 /usr/local/etc/cram-md5.pwd
chown dovecot:dovecot /usr/local/etc/cram-md5.pwd
chmod 400 /usr/local/etc/cram-md5.pwd
those do NOT work unless you’ve built it accordingly
when trying to connect through IMAP or SMTP
Error: Failed to initialize SSL server context: Couldn't parse DH parameters
==> Dovecot 2.3 requires DH params to be set up: https://wiki.dovecot.org/SSL/DovecotConfiguration
in the logs when running
dovecot: imap-login: Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Connection refused
==> look at the permissions - writer is SUID and group writable for dovecot
and just restart the daemon
ls -lF /var/run/dovecot/*stat*
rc.dovecot restart
Dovecot Logging https://wiki.dovecot.org/Logging
Dovecot SSL configuration https://wiki.dovecot.org/SSL/DovecotConfiguration
SSL https://doc.dovecot.org/admin_manual/ssl/
Dovecot-2.3.6 http://linuxfromscratch.org/blfs/view/cvs/server/dovecot.html
Passwd-file https://doc.dovecot.org/configuration_manual/authentication/passwd_file/
Password databases (passdb) https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/
Password Schemes https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
Tighten TLS - usage of specific ssl_ec-curve https://serverfault.com/questions/590870/how-to-view-all-ssl-certificates-in-a-bundle
group issue vs sticky bit
Dovecot: missing +w perm: /var/mail, we’re not in group 8(mail) https://serverfault.com/questions/814398/dovecot-missing-w-perm-var-mail-were-not-in-group-8mail
Mbox https://doc.dovecot.org/configuration_manual/quick_configuration/#mbox
Operation Not Permitted https://wiki2.dovecot.org/Errors/ChgrpNoPerm
[Dovecot-news] Security issue #5: mail_extra_groups setting is often used insecurely https://dovecot.org/list/dovecot-news/2008-March/000060.html
dovecot can’t compact mail folder /var/mail/username https://askubuntu.com/questions/118416/dovecot-cant-compact-mail-folder-var-mail-username
Dovecot configuration file https://dovecot.org/doc/dovecot-example.conf
[Dovecot] Disable unsecure POP3 at all (Dovecot 2.1) https://dovecot.org/list/dovecot/2013-October/093191.html
Howto: Linux Dovecot Secure IMAPS / POP3S SSL Server configuration https://www.cyberciti.biz/faq/unix-dovecot-ssl-tls-server-configuration/
Security tuning https://wiki.dovecot.org/SecurityTuning
A exim/dovecot2/webapp to administrate email accounts and virtual domains https://opsec.eu/src/exim-dovecot2-mbxadm/
Authentication Mechanisms https://wiki2.dovecot.org/Authentication/Mechanisms
System users used by Dovecot https://wiki.dovecot.org/UserIds
Master users/passwords https://wiki.dovecot.org/Authentication/MasterUsers
HowToCRAM-MD5 https://wiki.dovecot.org/HowTo/CRAM-MD5
Allow_nets extra field https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
Namespaces https://doc.dovecot.org/configuration_manual/namespace/
error:1418708B:SSL routines:ssl_do_config:unknown command and nice example ssl_cipher_list https://bugzilla.redhat.com/show_bug.cgi?id=1847697
error:1418708B:SSL routines:ssl_do_config:unknown command https://bugzilla.redhat.com/show_bug.cgi?id=1836522
Authentication https://wiki2.dovecot.org/Authentication
authentication_mechanisms https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/
Auth Settings https://doc.dovecot.org/configuration_manual/authentication/auth_settings/
Help on CRAM-MD5 https://dovecot.org/pipermail/dovecot/2019-June/116204.html
Re: Looking for GSSAPI config [was: Looking for NTLM config example] http://dovecot.2317879.n4.nabble.com/Looking-for-NTLM-config-example-td55940i20.html
imap http://www.who.is.free.fr/wiki/doku.php?id=imap
Kerberos (protocol) https://en.wikipedia.org/wiki/Kerberos_(protocol)
Kerberos https://wiki.dovecot.org/Authentication/Kerberos
Dovecot + FreeIPA user auth errors (on Ubuntu 20.04): seeking debugging tips https://www.reddit.com/r/linuxadmin/comments/ikb5jp/dovecot_freeipa_user_auth_errors_on_ubuntu_2004/
Dovecot with NTLM and GSS-SPNEGO authentication mechanisms (Samba’s winbind daemon) #1906 https://github.com/zentyal/zentyal/issues/1906
Winbind mechanisms https://wiki.dovecot.org/Authentication/Mechanisms/Winbind
Add OAUTH2 support for the Dovecot IMAP server https://bugzilla.mozilla.org/show_bug.cgi?id=1342152
Open Authentication v2.0 database https://doc.dovecot.org/configuration_manual/authentication/oauth2/
OAuth2 mail client https://dovecot.org/pipermail/dovecot/2019-December/117828.html