User:Paul/sandbox/Configure Dovecot

From UNPM.org Wiki
< User:Paul
Revision as of 23:54, 21 May 2014 by Paul (talk | contribs)
Jump to navigation Jump to search

WARNING: This article is in a user sandbox, indicating it is a rough draft, and as such, is likely incomplete, contains buggy and insecure configurations, and is subject to substantial and frequent changes.

Most of the commands in this article require root privileges: 

username@servername:~$ sudo /bin/bash

Configure Dovecot 

root@servername:~# mv /etc/dovecot/dovecot-sql.conf.ext /etc/dovecot/original.dovecot-sql.conf.ext
root@servername:~# nano /etc/dovecot/dovecot-sql.conf.ext

Add: 

# Database driver: mysql, pgsql, sqlite
driver = mysql

# Examples:
#   connect = host=192.168.1.1 dbname=users
#   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
#   connect = /etc/dovecot/authdb.sqlite
connect = host=localhost dbname=mail user=mail password=password

# Default password scheme.
#
# List of supported schemes is in
# http://wiki2.dovecot.org/Authentication/PasswordSchemes
default_pass_scheme = BLF-CRYPT

# Define the query to obtain a user password.
password_query = \
  SELECT username as user, password, '/var/vmail/%d/%n' as userdb_home, \
  'maildir:/var/vmail/%d/%n' as userdb_mail, 150 as userdb_uid, 8 as userdb_gid \
  FROM mailbox WHERE username = '%u' AND active = '1'

# Define the query to obtain user information.
user_query = \
  SELECT '/var/vmail/%d/%n' as home, 'maildir:/var/vmail/%d/%n' as mail, \
  150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota \
  FROM mailbox WHERE username = '%u' AND active = '1'

root@servername:~# mv /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/oritginal.10-auth.conf
root@servername:~# nano /etc/dovecot/conf.d/10-auth.conf

Add: 

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
disable_plaintext_auth = yes

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain login

##
## Password and user databases
##

#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

#!include auth-system.conf.ext
# Use the SQL database configuration rather than any of these others.
!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

root@servername:~# mv /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/original.10-mail.conf
root@servername:~# nano /etc/dovecot/conf.d/10-mail.conf

Add: 

# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
#   mail_location = maildir:~/Maildir
#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
mail_location = maildir:/var/vmail/%d/%n

# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. <doc/wiki/UserIds.txt>
mail_uid = vmail
mail_gid = mail

# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
#
# Use the vmail user uid here.
first_valid_uid = 150
last_valid_uid = 150

root@servername:~# nano /etc/dovecot/conf.d/10-ssl.conf

Change: 

ssl = yes

ssl_cert = </etc/ssl/private/example.com/server.crt
ssl_key = </etc/ssl/private/example.com/server.key

ssl_ca = /etc/ssl/private/startssl/startssl-ca-bundle.pem

ssl_client_ca_dir = /etc/ssl/certs

ssl_cipher_list = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS

root@servername:~# nano /etc/dovecot/conf.d/10-master.conf

Change: 

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
  # permissions make it readable only by root, but you may need to relax these
  # permissions. Users that have access to this socket are able to get a list
  # of all usernames and get results of everyone's userdb lookups.
  unix_listener auth-userdb {
   mode = 0600
    user = vmail
    group = mail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    # Assuming the default Postfix user and group
    user = postfix
    group = postfix       
  }

root@servername:~# nano /etc/dovecot/conf.d/15-lda.conf

Change: 

postmaster_address = username@example.com

quota_full_tempfail = yes

rejection_subject = Rejected: %s

rejection_reason = Your message to <%t> was automatically rejected:%n%r

root@servername:~# chown -R vmail:dovecot /etc/dovecot
root@servername:~# chmod -R o-rwx /etc/dovecot

Dovecot PPA doesn't include UFW profiles. Profiles may be added per this file on PaulServer:

nano /etc/ufw/applications.d/dovecot-core

Add: 

[Dovecot POP3]
title=Secure mail server (POP3)
description=Dovecot is a mail server whose major goals are security and extreme
 reliability.
ports=110/tcp

[Dovecot Secure POP3]
title=Secure mail server (POP3S)
description=Dovecot is a mail server whose major goals are security and extreme
 reliability.
ports=995/tcp

[Dovecot IMAP]
title=Secure mail server (IMAP)
description=Dovecot is a mail server whose major goals are security and extreme
 reliability.
ports=143/tcp

[Dovecot Secure IMAP]
title=Secure mail server (IMAPS)
description=Dovecot is a mail server whose major goals are security and extreme
 reliability.
ports=993/tcp
Retrieved from "http://www.unpm.org/wiki/index.php?title=User:Paul/sandbox/Configure_Dovecot&oldid=230"