User:Paul/sandbox/Configure Dovecot

WARNING: This article is in a user sandbox, indicating it is a rough draft, and as such, is likely incomplete, contains buggy and insecure configurations, and is subject to substantial and frequent changes.

Most of the commands in this article require root privileges, so start a root shell first:

username@servername:~$ sudo /bin/bash

Configure Dovecot

root@servername:~# mv /etc/dovecot/dovecot-sql.conf.ext /etc/dovecot/original.dovecot-sql.conf.ext
root@servername:~# nano /etc/dovecot/dovecot-sql.conf.ext

Add:

# Database driver: mysql, pgsql, sqlite
driver = mysql

# Examples:
#   connect = host=192.168.1.1 dbname=users
#   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
#   connect = /etc/dovecot/authdb.sqlite
connect = host=localhost dbname=mail user=mail password=password

# Default password scheme.
# List of supported schemes is in
# http://wiki2.dovecot.org/Authentication/PasswordSchemes
default_pass_scheme = BLF-CRYPT

# Define the query to obtain a user password.
password_query = \
  SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, \
  'maildir:/var/vmail/%d/%n' as userdb_mail, 150 as userdb_uid, 8 as userdb_gid \
  FROM mailbox WHERE username = '%u' AND active = '1'

# Define the query to obtain user information.
user_query = \
  SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, \
  150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota \
  FROM mailbox WHERE username = '%u' AND active = '1'

Notes on this file: the uid 150 and gid 8 returned by both queries must match the vmail user and the mail group that own /var/vmail (gid 8 is the mail group on Debian and Ubuntu). With default_pass_scheme = BLF-CRYPT the password column of the mailbox table has to hold bcrypt hashes (doveadm pw -s BLF-CRYPT produces one); a stored value carrying its own {SCHEME} prefix overrides the default. Dovecot escapes the %u, %d and %n variables before substituting them into the query, so the quoting shown is safe against injection through the login name. password=password is a placeholder: replace it, and keep this file readable by root only, since it holds the database credential.

root@servername:~# mv /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/original.10-auth.conf
root@servername:~# nano /etc/dovecot/conf.d/10-auth.conf

Add:

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
disable_plaintext_auth = yes

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain login

##
## Password and user databases
##

# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# !include auth-deny.conf.ext
# !include auth-master.conf.ext

# !include auth-system.conf.ext
# Use the SQL database configuration rather than any of these others.
!include auth-sql.conf.ext
# !include auth-ldap.conf.ext
# !include auth-passwdfile.conf.ext
# !include auth-checkpassword.conf.ext
# !include auth-vpopmail.conf.ext
# !include auth-static.conf.ext

The auth-system include that the package enables by default is commented out here; otherwise local /etc/passwd accounts could also log in to the mail server. Offering only plain and login is the right pairing for BLF-CRYPT password storage: cram-md5 and digest-md5 need the plaintext password (or a mechanism-specific hash) on the server side, and disable_plaintext_auth = yes ensures plain and login are only accepted after STARTTLS or on a TLS-wrapped port.

root@servername:~# mv /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/original.10-mail.conf
root@servername:~# nano /etc/dovecot/conf.d/10-mail.conf

Add:

# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
#   mail_location = maildir:~/Maildir
#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
mail_location = maildir:/var/vmail/%d/%n

# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names.
mail_uid = vmail
mail_gid = mail

# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
# Use the vmail user uid here.
first_valid_uid = 150
last_valid_uid = 150

root@servername:~# nano /etc/dovecot/conf.d/10-ssl.conf

Change:

ssl = yes

ssl_cert = </etc/ssl/private/example.com/server.crt
ssl_key = </etc/ssl/private/example.com/server.key

ssl_ca = </etc/ssl/private/startssl/startssl-ca-bundle.pem

ssl_client_ca_dir = /etc/ssl/certs

ssl_cipher_list = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS

The leading < tells Dovecot to read the value from the named file; without it the setting is taken as literal PEM text and fails, so ssl_ca needs it as well as ssl_cert and ssl_key. Dovecot reads the key as root before dropping privileges, so server.key can stay readable by root only. ssl_ca is consulted only when Dovecot verifies client certificates (ssl_verify_client_cert); the StartSSL intermediate certificate that clients need to build the chain belongs appended to the server.crt file named in ssl_cert. ssl_client_ca_dir is used when Dovecot itself is the TLS client (for example imapc or LDAP over TLS). The cipher list still offers 3DES and static RSA key exchange (the *+3DES and RSA+* groups); drop those and add ssl_prefer_server_ciphers = yes unless clients that require them are known to exist.

root@servername:~# nano /etc/dovecot/conf.d/10-master.conf

Change:

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
  # permissions make it readable only by root, but you may need to relax these
  # permissions. Users that have access to this socket are able to get a list
  # of all usernames and get results of everyone's userdb lookups.
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
    group = mail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    # Assuming the default Postfix user and group
    user = postfix
    group = postfix
  }
}

root@servername:~# nano /etc/dovecot/conf.d/15-lda.conf

Change:

postmaster_address = username@example.com
quota_full_tempfail = yes
rejection_subject = Rejected: %s
rejection_reason = Your message to <%t> was automatically rejected:%n%r

root@servername:~# chown -R vmail:dovecot /etc/dovecot
root@servername:~# chmod -R o-rwx /etc/dovecot

Note that this gives the vmail user read access to everything under /etc/dovecot, including the database credential in dovecot-sql.conf.ext. Dovecot reads its configuration as root at startup, and vmail only needs to own /var/vmail, so leaving /etc/dovecot owned by root (with dovecot-sql.conf.ext at mode 0600) is the tighter choice: a compromised mail process running as vmail then cannot read the database password.
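The following script is an added example and not part of the original article or of Dovecot: it audits the settings the steps above touch (plaintext auth, TLS, mechanisms, cipher list, password scheme, placeholder credential, file permissions) by reading Dovecot's own "key = value" syntax, so it can be pointed at a real /etc/dovecot. The fixture it builds is a constructed copy of the fragments above; the file names follow the article, while the checks themselves and the fixture contents are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: an offline audit of the
# Dovecot settings changed in the steps above. Runs against /etc/dovecot or
# against the constructed fixture built by make_fixture.

# Effective value of KEY in FILE: commented lines are skipped and the last
# assignment wins, which is how Dovecot itself resolves duplicates.
setting() {
  awk -v k="$2" '
    /^[ \t]*#/ { next }
    $1 == k && $2 == "=" { sub(/^[ \t]*[^=]*=[ \t]*/, ""); v = $0 }
    END { print v }' "$1"
}

# Tokens of an OpenSSL cipher string that enable (rather than exclude with
# "!") suites a current deployment should not offer.
weak_cipher_tokens() {
  printf '%s\n' "$1" | tr ':' '\n' | grep -v '^!' |
    grep -E '3DES|RC4|MD5|NULL|EXPORT' || true
}

# One finding per line for the config tree under DIR; no output = all checks pass.
audit_dovecot() {
  auth="$1/conf.d/10-auth.conf"
  ssl="$1/conf.d/10-ssl.conf"
  sql="$1/dovecot-sql.conf.ext"

  [ "$(setting "$auth" disable_plaintext_auth)" = yes ] ||
    echo "10-auth.conf: disable_plaintext_auth must be yes or passwords cross the wire in the clear"
  case $(setting "$ssl" ssl) in
    yes|required) ;;
    *) echo "10-ssl.conf: ssl must be yes or required" ;;
  esac
  case " $(setting "$auth" auth_mechanisms) " in
    *" cram-md5 "*|*" digest-md5 "*)
      echo "10-auth.conf: cram-md5/digest-md5 need plaintext password storage, incompatible with BLF-CRYPT hashes" ;;
  esac
  weak_cipher_tokens "$(setting "$ssl" ssl_cipher_list)" |
    sed 's/^/10-ssl.conf: ssl_cipher_list enables weak suite /'
  case $(setting "$sql" default_pass_scheme) in
    BLF-CRYPT|SHA512-CRYPT|SHA256-CRYPT|ARGON2I|ARGON2ID) ;;
    *) echo "dovecot-sql.conf.ext: default_pass_scheme should be a salted slow hash such as BLF-CRYPT" ;;
  esac
  case $(setting "$sql" connect) in
    *password=password*)
      echo "dovecot-sql.conf.ext: connect still carries the placeholder database password" ;;
  esac
  [ -z "$(find "$sql" -perm -o+r)" ] ||
    echo "dovecot-sql.conf.ext: world-readable, yet it holds the database credential"
}

# Constructed fixture mirroring the article's fragments (cipher list and
# placeholder password exactly as written above) so the audit runs without a
# Dovecot install. Prints the directory it created.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/conf.d"
  cat >"$d/dovecot-sql.conf.ext" <<'EOF'
driver = mysql
connect = host=localhost dbname=mail user=mail password=password
default_pass_scheme = BLF-CRYPT
EOF
  cat >"$d/conf.d/10-auth.conf" <<'EOF'
disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-sql.conf.ext
EOF
  cat >"$d/conf.d/10-ssl.conf" <<'EOF'
ssl = yes
ssl_cipher_list = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
EOF
  chmod 0644 "$d/dovecot-sql.conf.ext"
  printf '%s\n' "$d"
}

# Usage: sh audit.sh /etc/dovecot   or   sh audit.sh "$(make_fixture)"
if [ -n "${1-}" ]; then
  audit_dovecot "$1"
fi
```

Run against the fixture, the audit reports the three 3DES groups of the cipher list, the placeholder database password and the world-readable dovecot-sql.conf.ext; once those are fixed it prints nothing. Each finding is one line so the output can be fed to a pre-restart check in a deployment script.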

The Dovecot PPA packages do not ship UFW application profiles. Profiles can be added with the following file (as done on PaulServer):

nano /etc/ufw/applications.d/dovecot-core

Add:

[Dovecot POP3]
title=Secure mail server (POP3)
description=Dovecot is a mail server whose major goals are security and extreme reliability.
ports=110/tcp

[Dovecot Secure POP3]
title=Secure mail server (POP3S)
description=Dovecot is a mail server whose major goals are security and extreme reliability.
ports=995/tcp

[Dovecot IMAP]
title=Secure mail server (IMAP)
description=Dovecot is a mail server whose major goals are security and extreme reliability.
ports=143/tcp

[Dovecot Secure IMAP]
title=Secure mail server (IMAPS)
description=Dovecot is a mail server whose major goals are security and extreme reliability.
ports=993/tcp

Open only the profiles that are actually served, for example ufw allow "Dovecot Secure IMAP". With disable_plaintext_auth = yes the STARTTLS ports 143 and 110 can be opened as well without exposing credentials, but there is no reason to expose a POP3 listener that no client uses.