Difference between revisions of "User:Paul/sandbox/Configure Dovecot"

From UNPM.org Wiki
Revision as of 03:10, 29 May 2014

WARNING: This article is in a user sandbox, indicating it is a rough draft, and as such, is likely incomplete, contains buggy and insecure configurations, and is subject to substantial and frequent changes.

Dovecot is the IMAP/POP3 server and, through dovecot-lda, the mail delivery agent (MDA) used on this server, which makes it one of its most important components.

Most of the commands in this article require root privileges:

username@servername:~$ sudo /bin/bash

Configure Dovecot

Dovecot is already installed, so only a handful of files need to be configured. Several of them differ substantially from the packaged defaults, so for those the original file is moved aside under an original. prefix and a new one is written from scratch; the remaining files are edited in place.

dovecot-sql.conf.ext

root@servername:~# mv /etc/dovecot/dovecot-sql.conf.ext /etc/dovecot/original.dovecot-sql.conf.ext
root@servername:~# nano /etc/dovecot/dovecot-sql.conf.ext

Add:

# Database driver: mysql, pgsql, sqlite
driver = mysql

# Examples:
#   connect = host=192.168.1.1 dbname=users
#   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
#   connect = /etc/dovecot/authdb.sqlite
#
# "password" below is a placeholder. Use a dedicated database account that
# has only SELECT on the mailbox table. This file holds the credential in
# clear text, so it must not be readable by other local users (see
# "Update permissions" below).
connect = host=localhost dbname=mail user=mail password=password

# Default password scheme. A stored value without a {SCHEME} prefix is
# interpreted with this scheme, so every password in the mailbox table must
# be a bcrypt hash unless it carries an explicit prefix such as {SHA512-CRYPT}.
#
# List of supported schemes is in
# http://wiki2.dovecot.org/Authentication/PasswordSchemes
default_pass_scheme = BLF-CRYPT

# Define the query to obtain a user password. Dovecot escapes the %u, %n and
# %d variables before substituting them, so a crafted login name cannot break
# out of the quoted strings. The userdb_* columns let the passdb result supply
# userdb fields (required by the prefetch userdb); with the sql userdb from
# auth-sql.conf.ext, user_query below answers userdb lookups, so keep the two
# queries consistent.
password_query = \
  SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, \
  'maildir:/var/vmail/%d/%n' as userdb_mail, 150 as userdb_uid, 8 as userdb_gid \
  FROM mailbox WHERE username = '%u' AND active = '1'

# Define the query to obtain user information. uid 150 is the vmail user and
# gid 8 the mail group (its gid on Debian/Ubuntu); both must match mail_uid,
# mail_gid and the first_valid_uid/last_valid_uid range in 10-mail.conf.
# active = '1' is what disables a mailbox without deleting it.
user_query = \
  SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, \
  150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota \
  FROM mailbox WHERE username = '%u' AND active = '1'
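To see what these queries actually hand back to Dovecot, and to check the table contents they depend on, the following Python script is an added example; it is not part of this page or of Dovecot. It builds a constructed mailbox table in an in-memory SQLite database with the four columns the queries reference (the real table layout is an assumption here), models Dovecot's %u/%n/%d expansion together with the SQL escaping Dovecot applies to those variables, runs the user_query from above (MySQL's concat() rewritten as || for SQLite), and then audits the password column: with default_pass_scheme = BLF-CRYPT every unprefixed value must be a bcrypt hash, and a low cost factor or a leftover {PLAIN-MD5} entry is worth catching before going live. The bcrypt-shaped strings in the sample rows are placeholders, not hashes of any real password.

```python
import re
import sqlite3

# Constructed sample of the `mailbox` table that the queries in
# dovecot-sql.conf.ext expect. The column names come from those queries; the
# table layout itself is an assumption of this example. FAKE_BCRYPT has the
# shape of BLF-CRYPT output ($2y$, 2-digit cost, 53 chars) but is not a hash
# of anything.
FAKE_BCRYPT = "$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_ROWS = [
    ("alice@example.com", FAKE_BCRYPT, 1024000, 1),
    ("bob@example.com", "{BLF-CRYPT}" + FAKE_BCRYPT.replace("$10$", "$05$"), 0, 1),
    ("carol@example.com", "{PLAIN-MD5}0123456789abcdef0123456789abcdef", 0, 1),
    ("dave@example.com", FAKE_BCRYPT, 0, 0),  # active = 0: login must be denied
]

# The page's user_query, with MySQL concat() rewritten as || for SQLite.
USER_QUERY = (
    "SELECT '/var/vmail/%d/%n' AS home, 'maildir:/var/vmail/%d/%n' AS mail, "
    "150 AS uid, 8 AS gid, 'dirsize:storage=' || quota AS quota "
    "FROM mailbox WHERE username = '%u' AND active = '1'"
)


def sql_escape(value):
    # Dovecot escapes every %variable before substituting it into the query.
    # SQLite quotes a single quote by doubling it (MySQL backslash-escapes).
    return value.replace("'", "''")


def expand(template, user):
    # %u = full login name, %n = local part, %d = domain (empty without an @).
    local, _, domain = user.partition("@")
    values = {"u": user, "n": local, "d": domain}
    return re.sub(r"%([und])", lambda m: sql_escape(values[m.group(1)]), template)


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mailbox (username TEXT PRIMARY KEY, "
                 "password TEXT, quota INTEGER, active INTEGER)")
    conn.executemany("INSERT INTO mailbox VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def userdb_lookup(conn, user):
    # The userdb fields Dovecot receives for `user`, or None when the row is
    # missing or inactive (the login is then refused).
    cur = conn.execute(expand(USER_QUERY, user))
    row = cur.fetchone()
    if row is None:
        return None
    return dict(zip([c[0] for c in cur.description], row))


# Optional {BLF-CRYPT} prefix, bcrypt variant, 2-digit cost, 22-char salt +
# 31-char digest in the bcrypt alphabet.
BLF_CRYPT_RE = re.compile(r"^(\{BLF-CRYPT\})?\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def audit_password_hashes(conn, min_cost=10):
    # With default_pass_scheme = BLF-CRYPT an unprefixed value is treated as
    # bcrypt and a {SCHEME} prefix overrides that. Flag rows that are not
    # bcrypt at all and bcrypt hashes whose cost is below min_cost.
    findings = []
    for username, pw in conn.execute(
            "SELECT username, password FROM mailbox ORDER BY username"):
        m = BLF_CRYPT_RE.match(pw)
        if m is None:
            findings.append((username, "not a BLF-CRYPT hash: " + pw))
        elif int(m.group(2)) < min_cost:
            findings.append((username, "bcrypt cost %s below %d" % (m.group(2), min_cost)))
    return findings


if __name__ == "__main__":
    db = make_db()
    print(userdb_lookup(db, "alice@example.com"))
    print(userdb_lookup(db, "dave@example.com"))   # inactive -> None
    print(userdb_lookup(db, "x' OR '1'='1"))        # quote escaped -> None
    for finding in audit_password_hashes(db):
        print("%s: %s" % finding)
```

Run it directly to print the lookups and the audit findings. The login name `x' OR '1'='1` returns no row because the quote is escaped before substitution, which is the protection the real driver gives you as long as the variables stay inside quoted literals, as they do in the queries above.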

10-auth.conf

root@servername:~# mv /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/original.10-auth.conf
root@servername:~# nano /etc/dovecot/conf.d/10-auth.conf

Add:

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
disable_plaintext_auth = yes

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain login

##
## Password and user databases
##

#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

#!include auth-system.conf.ext
# Use the SQL database configuration rather than any of these others.
!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

10-mail.conf

root@servername:~# mv /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/original.10-mail.conf
root@servername:~# nano /etc/dovecot/conf.d/10-mail.conf

Add:

# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
#   mail_location = maildir:~/Maildir
#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
mail_location = maildir:/var/vmail/%d/%n

# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. <doc/wiki/UserIds.txt>
mail_uid = vmail
mail_gid = mail

# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
#
# Use the vmail user uid here. The range is pinned to the single uid that the
# SQL queries in dovecot-sql.conf.ext return (150); if the two disagree,
# Dovecot refuses mail access for the user.
first_valid_uid = 150
last_valid_uid = 150

10-ssl.conf

root@servername:~# nano /etc/dovecot/conf.d/10-ssl.conf

Change:

# "ssl = required" is stricter: it rejects any non-TLS traffic beyond the
# initial STARTTLS, not just plaintext authentication.
ssl = yes
# Put any intermediate (chain) certificates into this same file, after the
# server certificate; Dovecot sends the chain from ssl_cert.
ssl_cert = </etc/ssl/private/example.com/server.crt
ssl_key = </etc/ssl/private/example.com/server.key
# ssl_ca is only consulted for verifying client certificates
# (ssl_verify_client_cert = yes). Pointing it at the StartSSL bundle does not
# make Dovecot send the intermediate to clients, so leave it unset here.
#ssl_ca = /etc/ssl/private/startssl/startssl-ca-bundle.pem
# Only affects TLS connections that Dovecot itself opens as a client.
ssl_client_ca_dir = /etc/ssl/certs
# Dovecot 2.1+: refuse SSLv2 and SSLv3.
ssl_protocols = !SSLv2 !SSLv3
# Dovecot 2.2.6+: let the server's cipher order win over the client's.
ssl_prefer_server_ciphers = yes
# Forward-secret ECDHE/DHE suites first. The RSA+* entries (no forward
# secrecy) and the *+3DES entries (weak) only exist for old clients; drop them
# once the client base allows.
ssl_cipher_list = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS

10-master.conf

root@servername:~# nano /etc/dovecot/conf.d/10-master.conf

Change:

service auth {
<large block of commented text>
  # Socket used by dovecot-lda, doveadm and the imap processes for userdb
  # lookups. Anyone who can connect to it can list every username and read
  # everyone's userdb results, so it is restricted to the vmail user.
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
    group = mail
  }

  # SASL socket for Postfix smtpd (smtpd_sasl_path = private/auth in Postfix,
  # relative to its chroot /var/spool/postfix). Assumes the default Postfix
  # user and group.
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
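The following Python script is an added example, not code from this page or from Dovecot. It parses the service auth block above with a minimal reader for Dovecot's brace syntax, works out who the kernel lets connect to each unix_listener from its mode, user and group (connecting to a unix socket requires write permission on the socket file), and flags an auth-userdb socket that any local user can reach, which is the username-enumeration case the configuration comment warns about. A second, constructed variant with mode = 0666 shows the finding. It models file permissions only, not any checks Dovecot itself performs on the caller.

```python
# Added example: audit the auth sockets from 10-master.conf.
# The service auth block from this page, with its closing brace, embedded as
# the hardened sample; the commented text elided on the page is left out.
HARDENED = """
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
    group = mail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
"""

# Constructed weak variant: the relaxed auth-userdb permissions the default
# config comment warns about.
RELAXED = HARDENED.replace("mode = 0600", "mode = 0666")


def parse_dovecot_conf(text):
    """Minimal parser for Dovecot's brace syntax: nested dicts, with
    'type name {' blocks keyed as 'type name'. Only whole-line comments exist
    in Dovecot configs, so a '#' inside a value is kept."""
    root, stack, current = {}, [], {}
    current = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            block = {}
            current[line[:-1].strip()] = block
            stack.append(current)
            current = block
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced braces: unexpected '}'")
            current = stack.pop()
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    if stack:
        raise ValueError("unbalanced braces: block not closed")
    return root


def socket_principals(listener):
    """Who can connect to a unix socket with these settings. connect() needs
    write permission on the socket file; root bypasses the check. Dovecot's
    defaults are mode 0600 and root ownership."""
    mode = int(listener.get("mode", "0600"), 8)
    who = {"root"}
    if mode & 0o200:
        who.add("user:" + (listener.get("user") or "root"))
    if mode & 0o020:
        who.add("group:" + (listener.get("group") or "root"))
    if mode & 0o002:
        who.add("everyone")
    return who


def audit_auth_sockets(text):
    """Return (socket name, mode) for every listener under service auth that
    any local user can connect to. For auth-userdb that means any local user
    can enumerate accounts and read everyone's userdb data."""
    conf = parse_dovecot_conf(text)
    findings = []
    for name, block in conf.get("service auth", {}).items():
        if not name.startswith("unix_listener "):
            continue
        if "everyone" in socket_principals(block):
            findings.append((name.split(" ", 1)[1], block.get("mode")))
    return findings


if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("relaxed", RELAXED)):
        for name, block in parse_dovecot_conf(text)["service auth"].items():
            print(label, name, sorted(socket_principals(block)))
        print(label, "findings:", audit_auth_sockets(text))
```

The Postfix socket is reported as reachable by the postfix user and group only, which is what 0660 postfix:postfix means, while the relaxed auth-userdb socket is the one finding. To audit a live system, paste the real service auth block into HARDENED, or feed the parser the output of doveconf.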

15-lda.conf

root@servername:~# nano /etc/dovecot/conf.d/15-lda.conf

Change:

postmaster_address = username@example.com
quota_full_tempfail = yes
rejection_subject = Rejected: %s
rejection_reason = Your message to <%t> was automatically rejected:%n%r

Update permissions

Now that the files are created, update their ownership and permissions. Note that handing the whole tree to vmail makes the configuration, including the database password in dovecot-sql.conf.ext, readable and writable by the user the IMAP/POP3 processes run as, so a compromised mail process could rewrite Dovecot's configuration. Where your delivery setup allows it, prefer leaving ownership with root and group dovecot; in any case keep the step that removes access for other users, so the database password is not readable by every local account:

root@servername:~# chown -R vmail:dovecot /etc/dovecot
root@servername:~# chmod -R o-rwx /etc/dovecot

UFW Configuration

The Dovecot PPA doesn't include UFW profiles. Profiles may be added to simplify UFW configuration. Enable only the profiles for the protocols actually offered: with disable_plaintext_auth = yes, ports 110 and 143 accept logins only after STARTTLS, and if clients use just the TLS-wrapped ports (993 and 995), leave the others closed.

root@servername:~# nano /etc/ufw/applications.d/dovecot-core

Add:

[Dovecot POP3]
title=Secure mail server (POP3)
description=Dovecot is a mail server whose major goals are security and extreme
 reliability.
ports=110/tcp

[Dovecot Secure POP3]
title=Secure mail server (POP3S)
description=Dovecot is a mail server whose major goals are security and extreme
 reliability.
ports=995/tcp

[Dovecot IMAP]
title=Secure mail server (IMAP)
description=Dovecot is a mail server whose major goals are security and extreme
 reliability.
ports=143/tcp

[Dovecot Secure IMAP]
title=Secure mail server (IMAPS)
description=Dovecot is a mail server whose major goals are security and extreme
 reliability.
ports=993/tcp

Next step

Configure Postfix.

External links

Dovecot.org

A Mailserver on Ubuntu 12.04: Postfix, Dovecot, MySQL | Ex Ratione

Taking e-mail back, part 2 | Ars Technica