User:Paul/sandbox/Configure Dovecot

WARNING: This article is in a user sandbox, indicating it is a rough draft, and as such, is likely incomplete, contains buggy and insecure configurations, and is subject to substantial and frequent changes.

Dovecot is the MDA used on this server and is one of its most important components.

Most of the commands in this article require root privileges:

username@servername:~$ sudo /bin/bash

Configure Dovecot
Dovecot is already installed, so only the configuration of several files is necessary. Many of the files are changed considerably from the defaults, so for expediency the original file is archived and a new one is written in its place.

dovecot-sql.conf.ext
root@servername:~# mv /etc/dovecot/dovecot-sql.conf.ext /etc/dovecot/original.dovecot-sql.conf.ext
root@servername:~# nano /etc/dovecot/dovecot-sql.conf.ext

Add:

# Database driver: mysql, pgsql, sqlite
driver = mysql

# Examples:
#   connect = host=192.168.1.1 dbname=users
#   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
#   connect = /etc/dovecot/authdb.sqlite
connect = host=localhost dbname=mail user=mail password=password

# Default password scheme.
# List of supported schemes is in
# http://wiki2.dovecot.org/Authentication/PasswordSchemes
#
default_pass_scheme = BLF-CRYPT

# Define the query to obtain a user password.
password_query = \
  SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, \
  'maildir:/var/vmail/%d/%n' as userdb_mail, 150 as userdb_uid, 8 as userdb_gid \
  FROM mailbox WHERE username = '%u' AND active = '1'

# Define the query to obtain user information.
user_query = \
  SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, \
  150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota \
  FROM mailbox WHERE username = '%u' AND active = '1'
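To see what the two queries above actually hand back to Dovecot, here is an added example (not part of the original page): it runs the page's password_query and user_query against an in-memory SQLite stand-in for the MySQL mailbox table, expanding %u, %n and %d with SQL escaping the way Dovecot does. The table rows, the hash placeholders and the function names (expand_vars, make_db, run_query) are constructed for this example.

```python
"""Added example, not from the original page: simulate what Dovecot's
password_query and user_query (as written in dovecot-sql.conf.ext above)
return, using an in-memory SQLite stand-in for the MySQL `mailbox` table.
The rows, the expand_vars/run_query names and the hash strings are constructed."""
import re
import sqlite3

# Query text copied from dovecot-sql.conf.ext above; %u/%n/%d are Dovecot variables.
PASSWORD_QUERY = (
    "SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, "
    "'maildir:/var/vmail/%d/%n' as userdb_mail, 150 as userdb_uid, 8 as userdb_gid "
    "FROM mailbox WHERE username = '%u' AND active = '1'")
USER_QUERY = (
    "SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, "
    "150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota "
    "FROM mailbox WHERE username = '%u' AND active = '1'")

def expand_vars(query: str, user: str) -> str:
    """Expand %u (full login), %n (local part) and %d (domain) the way
    Dovecot does for SQL: every value is SQL-escaped before substitution,
    so a quote in the login name cannot break out of the quoted literal."""
    name, _, domain = user.partition("@")
    values = {"u": user, "n": name, "d": domain}
    return re.sub(r"%([und])", lambda m: values[m.group(1)].replace("'", "''"), query)

def make_db() -> sqlite3.Connection:
    """Constructed mailbox table; MySQL's concat() is provided for SQLite."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.create_function("concat", 2, lambda a, b: f"{a}{b}")
    con.execute("CREATE TABLE mailbox (username TEXT, password TEXT, "
                "quota INTEGER, active INTEGER)")
    con.executemany("INSERT INTO mailbox VALUES (?, ?, ?, ?)", [
        ("alice@example.com", "{BLF-CRYPT}<constructed bcrypt hash>", 104857600, 1),
        ("bob@example.com", "{BLF-CRYPT}<constructed bcrypt hash>", 104857600, 0),  # disabled
    ])
    return con

def run_query(con: sqlite3.Connection, query: str, user: str):
    """Return the single row Dovecot would see as a dict, or None (= user unknown)."""
    row = con.execute(expand_vars(query, user)).fetchone()
    return dict(row) if row else None

if __name__ == "__main__":
    db = make_db()
    print(run_query(db, PASSWORD_QUERY, "alice@example.com"))  # passdb fields
    print(run_query(db, USER_QUERY, "alice@example.com"))      # userdb fields
    print(run_query(db, USER_QUERY, "bob@example.com"))        # None: active = 0
```

A disabled mailbox (active = 0) yields no row at all, so Dovecot treats the login as an unknown user rather than a wrong password.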

10-auth.conf
root@servername:~# mv /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/original.10-auth.conf
root@servername:~# nano /etc/dovecot/conf.d/10-auth.conf

Add:

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
disable_plaintext_auth = yes

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain login

##
## Password and user databases
##

#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

#!include auth-system.conf.ext
# Use the SQL database configuration rather than any of these others.
!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

10-mail.conf
root@servername:~# mv /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/original.10-mail.conf
root@servername:~# nano /etc/dovecot/conf.d/10-mail.conf

Add:

# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
#   mail_location = maildir:~/Maildir
#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
mail_location = maildir:/var/vmail/%d/%n

# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names.
mail_uid = vmail
mail_gid = mail

# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
# Use the vmail user uid here.
first_valid_uid = 150
last_valid_uid = 150

10-ssl.conf
root@servername:~# nano /etc/dovecot/conf.d/10-ssl.conf

Change:

ssl = yes

ssl_cert =

10-master.conf
The two listeners below belong in the service auth { } block of /etc/dovecot/conf.d/10-master.conf: the auth-userdb socket that the LDA (running as vmail) uses for user lookups, and the socket Postfix uses for SMTP authentication.

Change:

service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
    group = mail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

15-lda.conf
root@servername:~# nano /etc/dovecot/conf.d/15-lda.conf

Change: postmaster_address = username@example.com

quota_full_tempfail = yes

rejection_subject = Rejected: %s

rejection_reason = Your message to <%t> was automatically rejected:%n%r

Update permissions
Now that the files are created, update their ownership and permissions so that other users on the system cannot read them (dovecot-sql.conf.ext contains the database password):

root@servername:~# chown -R vmail:dovecot /etc/dovecot
root@servername:~# chmod -R o-rwx /etc/dovecot
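To check the result of the 10-auth.conf, 10-ssl.conf and service auth settings above together with the permission step just done, here is an added example (not part of the original page): it parses a doveconf -n dump against the values this article sets and lists anything under a directory that is still readable, writable or executable by "other". The sample dump and all function names are constructed for this example; running it against the live server assumes doveconf is in PATH.

```python
"""Added example, not from the original page: audit a `doveconf -n` dump for the
settings this article sets and list paths under a directory still accessible to
"other" (what chmod -R o-rwx above rules out). Names and sample data are constructed."""
import os

EXPECTED = {  # setting -> acceptable values in the doveconf -n dump
    "disable_plaintext_auth": {"yes"},
    "auth_mechanisms": {"plain login"},
    "ssl": {"yes", "required"},
    "mail_location": {"maildir:/var/vmail/%d/%n"},
    "first_valid_uid": {"150"},
    "last_valid_uid": {"150"},
}
POSTFIX_SOCKET = "service auth/unix_listener /var/spool/postfix/private/auth"
def parse_doveconf(text: str) -> dict:
    """Flatten `key = value` lines; keys inside { } blocks get the block names
    as a prefix, e.g. 'service auth/unix_listener auth-userdb/mode'."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif " = " in line:
            key, _, value = line.partition(" = ")
            settings["/".join(stack + [key])] = value
    return settings

def audit_doveconf(text: str) -> list:
    """Findings as strings; an empty list means every checked setting is as expected."""
    s = parse_doveconf(text)
    findings = [f"{k} = {s.get(k)!r}, expected one of {sorted(v)}"
                for k, v in EXPECTED.items() if s.get(k) not in v]
    if s.get(POSTFIX_SOCKET + "/mode") != "0660" or s.get(POSTFIX_SOCKET + "/user") != "postfix":
        findings.append("Postfix SASL socket missing, or not mode 0660 owned by postfix")
    return findings

def world_accessible(root: str) -> list:
    """Paths under root (directories included) with any r/w/x bit set for 'other'."""
    found = []
    for d, _, files in os.walk(root):
        for p in [d] + [os.path.join(d, f) for f in files]:
            if os.lstat(p).st_mode & 0o007:
                found.append(p)
    return found
# Usage on the server (assumes doveconf is in PATH):
#   print(audit_doveconf(os.popen("doveconf -n").read())); print(world_accessible("/etc/dovecot"))
```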

UFW Configuration
The Dovecot PPA doesn't include UFW profiles. Profiles may be added to simplify UFW configuration.

root@servername:~# nano /etc/ufw/applications.d/dovecot-core

Add:

[Dovecot POP3]
title=Secure mail server (POP3)
description=Dovecot is a mail server whose major goals are security and extreme reliability.
ports=110/tcp

[Dovecot Secure POP3]
title=Secure mail server (POP3S)
description=Dovecot is a mail server whose major goals are security and extreme reliability.
ports=995/tcp

[Dovecot IMAP]
title=Secure mail server (IMAP)
description=Dovecot is a mail server whose major goals are security and extreme reliability.
ports=143/tcp

[Dovecot Secure IMAP]
title=Secure mail server (IMAPS)
description=Dovecot is a mail server whose major goals are security and extreme reliability.
ports=993/tcp

Next step
Configure Postfix.