Setting up Dovecot, the IMAP Server
A mail server is a computer on the network that acts as a virtual post office for email. In the previous article, published in February 2014, the author explained how to set up an email server on Gentoo Linux using Postfix and Dovecot. This part guide
In Gentoo (and probably every other distro), details about Dovecot configuration are available in /etc/dovecot. The directory contains a few files and a conf.d directory for extra configuration of various aspects of the server. The configuration files are well documented with comments.
The main dovecot.conf file is something like this:

protocols = imap lmtp
listen = <ip>, 127.0.0.1
login_greeting = ABC mail service
verbose_proctitle = yes
shutdown_clients = yes
!include conf.d/*.conf
The protocols line specifies the protocols Dovecot must serve; here it is set to IMAP and LMTP. LMTP, as described in the first article in this series, is the local mail delivery protocol Postfix uses to hand mail over to Dovecot. You can add one more protocol there, the traditional POP3, but in the age of mobile devices and always-available email I don't think anyone really uses POP3, since it involves downloading everything to a single machine.
The listen line should contain your public IP and localhost. If you only want to offer a Web mail service, you can leave out the public IP. Dovecot must listen on 127.0.0.1 because that's where our Web mail client (Roundcube) will connect; we'll look at the Roundcube configuration later.
The login greeting is nothing specific, so use anything you like. It is a protocol-level greeting message that most (or all) clients never show to the user.
Verbose proctitle: As the comments in the configuration file say, the verbose_proctitle option puts mailbox information into process names, so it is visible in ps (the process status command) and in tools like top/htop. In a virtual mail setup it is hard to single out the process causing the load when only the username and IP are shown. I recommend enabling this.
Shutdown clients: This is a rather debated setting: whether or not Dovecot should kill client connections when the master process shuts down. If it is enabled, the mail server will be unavailable for a short period during an upgrade. If it is disabled, the server stays available throughout, but existing processes (open connections) keep running the old code and do not get the update. What happens if a security fix is missed as a result? I prefer security to availability, so I recommend enabling it.
Now, in the same directory, we have dovecot-sql.conf.ext. In this file, Dovecot is configured to access the SQL database. The same connection settings (only the connect option) must also be specified at the beginning of dovecot-dict-sql.conf, which is used by the expire and quota plugins.

driver = pgsql
connect = host=/run/postgresql dbname=mail user=mail password=<password>
default_pass_scheme = SHA512-CRYPT
password_query = SELECT * FROM active_users_passdb WHERE user = '%u';
user_query = SELECT * FROM active_users_userdb WHERE user = '%u';
iterate_query = SELECT user FROM active_users_userdb;
default_pass_scheme: This is the default password hashing scheme. SHA512-CRYPT is the strongest scheme Dovecot supports on most Linux distributions at the time of writing. Dovecot also supports BLF-CRYPT, which uses the highly secure bcrypt algorithm, but that requires a patched glibc installation.
password_query – The SQL query Dovecot uses to authenticate a user.
user_query – The SQL query for fetching user information.
iterate_query – The SQL query for pre-fetching (iterating over) all users. Dovecot uses it when we run the mail indexer.
Authentication configuration: This is done in conf.d/10-auth.conf.

disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-sql.conf
PLAIN and LOGIN are the most commonly used authentication mechanisms. With disable_plaintext_auth = yes, plaintext authentication over cleartext (unencrypted) connections is disabled. You can enable it if needed.
In auth-sql.conf, we just need the following:

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = prefetch
}
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
In 10-mail.conf there are various settings to be configured, but the most important ones are:

mail_location = mdbox:/var/vmail/%d/%n
mail_privileged_group = vmail
mail_fsync = optimized
mail_plugins = expire fts fts_lucene quota trash virtual
mail_location sets the path on the filesystem where emails are stored. mdbox is a format created by Dovecot itself to overcome performance and other issues with the old storage formats mbox and maildir. mail_plugins enables the listed plugins for all protocols.

Logging can be configured in 10-logging.conf. Configure it according to your needs, but temporarily, while the server isn't ready for production yet, enable the following options:

log_path = syslog
auth_debug = yes
auth_verbose = yes
mail_debug = yes

This will help in debugging any issues with Dovecot. If you don't have syslog, you can set log_path to a filename.
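As an added example (not from the article), here is a small POSIX shell audit that reads a Dovecot configuration and flags the settings discussed above: shutdown_clients, default_pass_scheme, disable_plaintext_auth, and the debug logging that should be switched off again before production. The two configuration snippets are constructed for this demo (the weak one is deliberately wrong so that every check fires once), and the function names get_setting and audit_conf are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: audit the security-relevant Dovecot
# settings it discusses. Both configuration files are constructed here.

SAMPLE_CONF=$(mktemp)
GOOD_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$GOOD_CONF"' EXIT

cat > "$SAMPLE_CONF" <<'EOF'
# constructed: a weak bring-up configuration
protocols = imap lmtp
shutdown_clients = no
disable_plaintext_auth = no
auth_mechanisms = plain login
default_pass_scheme = PLAIN-MD5
auth_debug = yes
mail_debug = no
EOF

cat > "$GOOD_CONF" <<'EOF'
# constructed: the values the article recommends
protocols = imap lmtp
shutdown_clients = yes
disable_plaintext_auth = yes
auth_mechanisms = plain login
default_pass_scheme = SHA512-CRYPT
auth_debug = no
mail_debug = no
EOF

# get_setting FILE KEY: print the value of the first "KEY = value" line
# (empty output when the key is not set).
get_setting() {
    sed -n -e "/^[[:space:]]*$2[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;}" "$1" | head -n 1
}

# audit_conf FILE: print one WARN line per finding; exit status is always 0.
audit_conf() {
    conf=$1

    # 1. Cleartext authentication must stay disabled (10-auth.conf).
    if [ "$(get_setting "$conf" disable_plaintext_auth)" != "yes" ]; then
        echo "WARN disable_plaintext_auth is not 'yes': passwords may be sent over unencrypted connections"
    fi

    # 2. Stored password hashes: only the two strong schemes the article names.
    case "$(get_setting "$conf" default_pass_scheme)" in
        SHA512-CRYPT|BLF-CRYPT) ;;
        *) echo "WARN default_pass_scheme is not SHA512-CRYPT or BLF-CRYPT" ;;
    esac

    # 3. shutdown_clients = yes, so a restart after a security fix reaches every connection.
    if [ "$(get_setting "$conf" shutdown_clients)" != "yes" ]; then
        echo "WARN shutdown_clients is not 'yes': old processes keep serving clients after an upgrade"
    fi

    # 4. Debug logging is for bring-up only; it is noisy and logs authentication detail.
    for key in auth_debug mail_debug; do
        if [ "$(get_setting "$conf" "$key")" = "yes" ]; then
            echo "WARN $key = yes: debug logging is still enabled"
        fi
    done
    return 0
}

audit_conf "$SAMPLE_CONF"   # four WARN lines for the constructed weak config
audit_conf "$GOOD_CONF"     # prints nothing
```

Against a real installation, feed it a file produced by doveconf -n, which prints the non-default settings one per line. A password hash for a new database row can be produced with doveadm pw -s SHA512-CRYPT, so that what is stored matches default_pass_scheme.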
In 10-master.conf, ports and protocol mapping are configured:

service imap-login {
  inet_listener imap {
    port = 143
    ssl = no
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  service_count = 0
  vsz_limit = 256M
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    user = postfix
    mode = 0600
  }
}
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
    group = vmail
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
  user = dovecot
}
service dict {
  unix_listener dict {
    mode = 0660
    user = vmail
    group = vmail
  }
}
Let Dovecot listen on port 143 for cleartext connections. There's no point in encrypting connections from the same machine (the Web mail client, i.e., Roundcube). You can block the plaintext port 143 using iptables so that nobody from the Internet connects via the cleartext protocol.
The service lmtp and service auth sections are the interesting parts of the above configuration. In the lmtp section, Dovecot is configured to listen for LMTP connections on a UNIX socket path. We'll use the same path in the Postfix configuration; it tells Postfix where to deliver mail via LMTP.
Postfix is the SMTP server, but we need user authentication there too. Postfix must be configured to use Dovecot's authentication mechanism because the passwords in the database are stored as hashes. Postfix supports Dovecot SASL. For this reason, we have configured the Dovecot auth service to listen on a UNIX socket for connections.
In 15-lda.conf, we need the following settings:

recipient_delimiter = +
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
protocol lda {
  mail_plugins = $mail_plugins sieve
}
In the first article in this series, we created a function, sender_bcc_map, which outputs username+Sent@domain for the input username@domain. In the above configuration, the recipient_delimiter option specifies that the email address should be split at +, and the part after + is treated as the destination folder name. This is somewhat similar to Gmail, where we can use any number of email aliases but everything gets delivered to the inbox and filters need to be set up manually; our mail server does the filtering automatically.
The Sieve plugin is loaded for the LDA protocol; it cannot operate on other protocols. Sieve is the RFC-defined standard language for mail filtering.
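To make the recipient_delimiter rule concrete, here is an added example (not from the article) in POSIX shell that splits an address the way the two paragraphs above describe and shows where the LDA files the message. The function names are this example's own; sender_bcc_map mirrors the mapping the series describes. One assumption is marked in the code: the split happens at the first + in the local part, so a detail that itself contains + stays one folder name.

```shell
#!/bin/sh
# Added example, not from the article: recipient_delimiter handling.
# Addresses used below are constructed sample values.

DELIM='+'

# local_part ADDR: everything before the '@'
local_part() { printf '%s\n' "${1%%@*}"; }

# domain_part ADDR: everything after the last '@'
domain_part() { printf '%s\n' "${1##*@}"; }

# base_user ADDR: the local part with the '+detail' removed (the mailbox owner)
base_user() {
    lp=$(local_part "$1")
    printf '%s\n' "${lp%%"$DELIM"*}"
}

# delivery_folder ADDR: the folder the LDA delivers to.
# Assumption in this example: the split is at the FIRST delimiter, so
# "Lists+Dovecot" remains one folder name. No detail, or an empty one,
# means the message goes to INBOX.
delivery_folder() {
    lp=$(local_part "$1")
    case "$lp" in
        *"$DELIM"*) detail=${lp#*"$DELIM"} ;;
        *)          detail="" ;;
    esac
    if [ -z "$detail" ]; then
        printf 'INBOX\n'
    else
        printf '%s\n' "$detail"
    fi
}

# sender_bcc_map ADDR: user@domain -> user+Sent@domain, so a BCC of every
# outgoing mail is filed into the sender's Sent folder by the rule above
# (lda_mailbox_autocreate creates the folder on first delivery).
sender_bcc_map() {
    printf '%s%sSent@%s\n' "$(base_user "$1")" "$DELIM" "$(domain_part "$1")"
}

for addr in alice@example.org alice+Sent@example.org carol+Lists+Dovecot@example.org; do
    printf '%-32s -> user=%s folder=%s\n' "$addr" "$(base_user "$addr")" "$(delivery_folder "$addr")"
done
```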
In 20-imap.conf, we need to load the antispam plugin, as follows:

protocol imap {
  mail_plugins = $mail_plugins antispam
}
Similarly, in 20-lmtp.conf, load the Sieve plugin for the LMTP protocol.
The ManageSieve protocol configuration, in 20-managesieve.conf, is as follows:

protocols = $protocols sieve
service managesieve-login {
  inet_listener sieves {
    port = 4190
    ssl = yes
  }
  inet_listener sieve {
    port = 4191
    ssl = no
  }
  service_count = 0
  vsz_limit = 256M
}
This instructs Dovecot to enable the ManageSieve protocol, with which users configure Sieve filter scripts themselves. This is required if you want users to be able to configure filters from Roundcube or other Web mail clients and/or desktop clients like Thunderbird. Since security is important, we'll use two ports for Sieve. The new standard for ManageSieve puts it on port 4190, so that port should be open to the public and use SSL. The other port, 4191, will be used for local Web mail client connections.
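The article twice relies on the same rule: a listener with ssl = no (port 143 above, port 4191 here) is fine for Roundcube on the same host but must not be reachable from the Internet, and iptables is the suggested fence. As an added example (not from the article), the POSIX shell below reads the inet_listener blocks from a configuration file, lists the ports served without TLS, and prints the matching iptables rules rather than applying them. The listener file is constructed for this demo from the article's 10-master.conf and 20-managesieve.conf layout; cleartext_ports and firewall_rules are this example's own function names.

```shell
#!/bin/sh
# Added example, not from the article: find inet_listeners with "ssl = no" and
# emit firewall rules that keep them reachable from the loopback interface only.

LISTENERS=$(mktemp)
trap 'rm -f "$LISTENERS"' EXIT
cat > "$LISTENERS" <<'EOF'
# constructed: listener blocks in the article's layout
service imap-login {
  inet_listener imap {
    port = 143
    ssl = no
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service managesieve-login {
  inet_listener sieves {
    port = 4190
    ssl = yes
  }
  inet_listener sieve {
    port = 4191
    ssl = no
  }
}
EOF

# cleartext_ports FILE: one port number per line for every inet_listener
# whose block contains "ssl = no". Tracks one listener at a time: enter on
# "inet_listener", collect port/ssl, decide at the closing brace.
cleartext_ports() {
    awk '
        /^[[:space:]]*inet_listener[[:space:]]/ { inl = 1; port = ""; ssl = ""; next }
        inl && /^[[:space:]]*port[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); port = $0; next }
        inl && /^[[:space:]]*ssl[[:space:]]*=/  { sub(/^[^=]*=[[:space:]]*/, ""); ssl = $0; next }
        inl && /^[[:space:]]*}/                  { if (ssl == "no" && port != "") print port; inl = 0 }
    ' "$1"
}

# firewall_rules FILE: iptables commands (printed, not executed) that drop
# connections to each cleartext port unless they arrive on the loopback
# interface, where Roundcube on the same machine connects from.
firewall_rules() {
    cleartext_ports "$1" | while read -r port; do
        printf 'iptables -A INPUT -p tcp --dport %s ! -i lo -j DROP\n' "$port"
    done
}

firewall_rules "$LISTENERS"
```

Review the printed rules before applying them; on a real host the input would be the relevant files from /etc/dovecot/conf.d, and the rules must sit ahead of any general ACCEPT rule in the INPUT chain to take effect.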
Coming to the plugin settings in 90-plugin.conf, we need to configure four plugins: Fulltext Lucene Search, Trash, Expire and Antispam.

plugin {
  fts = lucene
  fts_lucene = whitespace_chars=@.
  trash = /etc/dovecot/dovecot-trash.conf.ext
  expire = Trash
  expire2 = Trash/*
  expire3 = Junk
  expire4 = Junk/*
  expire_dict = proxy::expire
  antispam_backend = spool2dir
  antispam_allow_append_to_spam = yes
  antispam_spam = Junk
  antispam_trash = Trash
  antispam_spool2dir_spam = /var/lib/dovecot/antispam/spam/%%lu
  antispam_spool2dir_notspam = /var/lib/dovecot/antispam/ham/%%lu
}
The trash plugin is useful when quotas are enabled – it will automatically delete messages from folders when a new