
Mailserver: Dovecot Configuration – Part 6

Welcome to Part 6 of the mailserver configuration series. This part covers installing and configuring Dovecot, which provides the IMAP and POP3 services for our mailserver. As always, if you missed the previous parts of the series, you can find an index of them all in Part 1 or at the end of this post.

Installation

The first step is to install Dovecot on our server. It doesn’t require any special repositories or anything; simply run:

yum install -y dovecot dovecot-pgsql

Dovecot Configuration

The main Dovecot configuration file is “/etc/dovecot/dovecot.conf”. Open it now, and don’t bother closing it until I tell you to; we will be adding a lot of settings to this file.

nano /etc/dovecot/dovecot.conf

I generally leave the entire file at its default configuration and add my custom settings to the end of the file. The first change is actually removing a line: scroll down to the end of the file and comment out this line by adding ‘#’ in front of it:

!include_try /etc/dovecot/local.conf

This stops Dovecot from trying to load other files. We will be making all our changes at the end of this file, so we don’t want it reading in some other settings and overriding what we set. Next I usually add a couple of blank lines and a comment so that I know where my own settings start, like this one:

# **********************
# My Values:
# **********************

Now let’s start adding some of our own values.

Basic Settings

First we need to configure the most basic settings, such as the protocols to serve and the message displayed when the server is ready for connections. You can paste in the lines below for a basic setup:

protocols = imap pop3
base_dir = /var/run/dovecot/
login_greeting = Dovecot ready.

Using the lines above we are setting the “protocols” we want Dovecot to provide on our mailserver. The next setting, “base_dir”, is the directory where Dovecot keeps its runtime files such as sockets and the PID file. Finally, the “login_greeting” is the message Dovecot sends when it receives a new connection.

SSL Configuration

Remember those certificates we have been using in “/etc/postfix/certs/”? Dovecot supports SSL connections, and for best security I recommend using it. We can re-use the same certificates we used for Postfix and ViMbAdmin, which keeps them easy to rotate in the future. Modify the lines below to match the paths to your certificates, and paste them at the end of your “/etc/dovecot/dovecot.conf” file.

#SSL Config:
ssl = yes
ssl_cert = </etc/postfix/certs/mail.domain.com.crt
ssl_key = </etc/postfix/certs/mail.domain.com.key
ssl_ca = </etc/postfix/certs/mail.domain.com.ca.key

Now you can go ahead and save and close your dovecot.conf file. Then start Dovecot, and you might as well set it to start at boot as well:

systemctl start dovecot
systemctl enable dovecot

Testing the SSL

Now it is time to test. Run either or both of the following commands; if they fail, check your “ssl_cert” and “ssl_key” paths. You should at least get a certificate printed out when you run them. After running them you will have to use CTRL+C to terminate the connection.

openssl s_client -connect 127.0.0.1:imaps
openssl s_client -connect 127.0.0.1:pop3s

Just because it prints a certificate does NOT mean that it is working correctly. Here is an example of what you DON’T want to see:

verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate

If you get the errors above it is probably because you aren’t using the root Certificate Authority file provided by StartSSL, or whoever you got your SSL Certificates from. In this case, verify the “ssl_ca” path is correct and accessible.

When it is working properly, it will print out the Certificate chain as in the example below, then print the certificate itself and some information about the connection.

---
Certificate chain
 0 s:/C=US/CN=mail.domain.com
 i:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA
 i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
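The check above can be scripted so that a “verify error” line is never missed among the certificate output. This is an added example, not from the original post; it shells out to the same openssl s_client command (openssl is assumed to be on the PATH), and the two sample transcripts are constructed, not real captures.

```python
import re
import subprocess
import sys

VERIFY_ERROR = re.compile(r"^verify error:num=(\d+):(.*)$", re.M)
RETURN_CODE = re.compile(r"^\s*Verify return code: (\d+) \(", re.M)

# Constructed sample transcripts (not real captures) of s_client output.
SAMPLE_BAD = """CONNECTED(00000003)
depth=0 C = US, CN = mail.domain.com
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
    Verify return code: 21 (unable to verify the first certificate)
"""
SAMPLE_GOOD = """CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., CN = StartCom Certification Authority
verify return:1
---
    Verify return code: 0 (ok)
"""

def analyse_s_client(output: str) -> dict:
    """Collect every 'verify error' line and the final 'Verify return code'.
    A certificate being printed is not enough: ok needs code 0 and no errors."""
    errors = [(int(num), msg.strip()) for num, msg in VERIFY_ERROR.findall(output)]
    match = RETURN_CODE.search(output)
    code = int(match.group(1)) if match else None
    return {"errors": errors, "return_code": code, "ok": code == 0 and not errors}

def check_service(host: str, port: str, cafile: str = "") -> dict:
    """Run the same openssl command as above, with stdin closed so the session
    ends by itself instead of waiting for CTRL+C. cafile, if given, is passed
    as -CAfile for when the system trust store does not know the issuer."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    if cafile:
        cmd += ["-CAfile", cafile]
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=15)
    return analyse_s_client(proc.stdout + proc.stderr)

if __name__ == "__main__":
    ca = sys.argv[1] if len(sys.argv) > 1 else ""
    failed = False
    for port in ("imaps", "pop3s"):
        result = check_service("127.0.0.1", port, ca)
        print(port, "OK" if result["ok"] else f"FAILED: {result['errors']}")
        failed = failed or not result["ok"]
    sys.exit(1 if failed else 0)
```

Run it on the mailserver itself (optionally with the path to your CA bundle as the first argument); a non-zero exit status means one of the two services did not present a chain the client could verify.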

SQL Configuration

Now we can start configuring users. Luckily we already have a database in our PostgreSQL server that manages all of that for us. Again we are going to have to add a bunch of lines to “dovecot.conf”, so open it up:

nano /etc/dovecot/dovecot.conf

The following lines tell Dovecot that we are going to be using an SQL server for user authentication, but we are going to configure the SQL server in another file. Paste the following lines into the end of your file:

#SQL config:
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf
}
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf
}

Save and close “dovecot.conf” and let’s create the file which holds the database connection settings:

nano /etc/dovecot/dovecot-sql.conf

Update “mailreaderpassword” in the following section to the password you used for the read-only mailreader PostgreSQL user we created in Part 4. There is no reason Dovecot should ever have to modify anything inside the database, so it is best not to even give it that capability; right now ViMbAdmin is the only application on our server that is allowed to modify the PostgreSQL database. After updating the password, paste the following lines into the new “dovecot-sql.conf” file:

driver = pgsql
connect = host=localhost dbname=vimbadmin user=mailreader password=mailreaderpassword
default_pass_scheme = SHA512
#default_pass_scheme = PLAIN
password_query = SELECT username as user, password FROM mailbox WHERE username = '%u'
user_query = SELECT username as user, 'maildir:'||homedir||maildir as mail, uid, gid FROM mailbox WHERE username = '%u'

I left the “PLAIN” password scheme in here, commented out, in case you need it for troubleshooting in the future. “default_pass_scheme” tells Dovecot which hashing scheme was used when the passwords were stored in the PostgreSQL database; “PLAIN” means plain text, which is usually not a good idea. For our server we are using the SHA512 hash for storing the passwords. The “password_query” line defines the query Dovecot runs to fetch the stored password for a user, and “user_query” fetches the mailbox location and the uid/gid Dovecot should use for it.

ViMbAdmin Modification

We set SHA512 as the password scheme in the previous step, so we need to tell ViMbAdmin about this change. Open application.ini:

nano /usr/share/vimbadmin/application/configs/application.ini

Find and update the defaults.mailbox.password_scheme to match the following line:

defaults.mailbox.password_scheme = "dovecot:SHA512"

At this time I usually like to verify that the following settings are correct while I have the file open:

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Default values for creating mailboxes

; This sets the uid and gid columns in the mailbox table to the below values
defaults.mailbox.uid = 200
defaults.mailbox.gid = 12

And just below that:

defaults.mailbox.maildir = "%d/%u/"
defaults.mailbox.homedir = "/home/mail/"

The last thing I usually do before closing the file is scroll down to the “Identity” section and set the values to something other than default, but that is totally optional. You can save and close this file now.

Unix User Configuration

The next step is telling Dovecot what user has permission to view and modify the email on the server. For this we need to open “dovecot.conf” again:

nano /etc/dovecot/dovecot.conf

Paste the following lines into the end of the file, don’t close it yet though:

#Unix user Config:
first_valid_uid = 200
mail_uid = 200
mail_gid = 12

We set the IDs defined by these lines earlier in the series. If you need to verify they are correct, you can use “cat /etc/passwd | grep mailreader”, which should return “mailreader:x:200:12::/home/mail:/sbin/nologin” and gives you the user ID number, and “cat /etc/group | grep mail”, which should return “mail:x:12:postfix” and tells you the group ID number. Update the lines accordingly, but if you have followed this guide up to this point, the lines as given should work.

Authentication

You should still have “dovecot.conf” open. If you closed it, open it again… I’ll wait. We need to configure user authentication so our users can check their email. Add the following lines to dovecot.conf, and don’t close it yet, we’re not quite done. Note that “disable_plaintext_auth = no” lets clients use the PLAIN and LOGIN mechanisms over unencrypted connections as well, so keep the unencrypted IMAP and POP3 ports (143 and 110) closed at the firewall as this series does; only 993 and 995 get opened.

#Dovecot Authentication:
disable_plaintext_auth = no
auth_mechanisms = plain login

Default Folders

Most mailservers have a few folders automatically created for the users, so why shouldn’t ours? To accomplish this we will use a plugin called “autocreate”. Paste the following lines into dovecot.conf:

#Autocreate Folders:
protocol imap {
  namespace inbox {
    #prefix = INBOX. # the namespace prefix isn't added again to the mailbox names.
    inbox = yes
    mailbox Sent {
      auto = subscribe # autocreate and autosubscribe the Sent mailbox
      special_use = \Sent
    }
    mailbox Trash {
      auto = subscribe
      special_use = \Trash
    }
    mailbox Drafts {
      auto = subscribe
      special_use = \Drafts
    }
    mailbox Spam {
      auto = subscribe
      special_use = \Junk
    }
  }
}

Now it is safe to save and close the file.

Postfix Authentication

We have to go back to Postfix now so it can use Dovecot to authenticate users who submit mail. Open master.cf so we can uncomment some lines we added in Part 2:

nano /etc/postfix/master.cf

Under “submission” you need to add two overrides. Again, if you have been following the series, the following lines should already be in master.cf and you simply need to uncomment them (remember there need to be two spaces before the ‘-o’):

  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

Then at the end of the file add these lines:

#Dovecot:
dovecot unix - n n - - pipe
 flags=DRhu user=mailreader:mailreader argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

Now close master.cf and open the dovecot configuration file:

nano /etc/dovecot/dovecot.conf

Add the following lines to the end of dovecot.conf so that Postfix can reach Dovecot’s authentication socket and authenticated users can send email:

#Sending Mail
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}

If you skip the above step you will get errors like these ones in “/var/log/maillog”:

vps postfix/sumbission/smtpd[23598]: warning: SASL: Connect to private/auth failed: No such file or directory
vps postfix/sumbission/smtpd[23598]: fatal: no SASL authentication mechanisms
vps postfix/master[23586]: warning: process /usr/libexec/postfix/smtpd pid 23598 exit status 1
vps postfix/master[23586]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

That should be all that needs to be done; go ahead and restart the services, and your server will be configured to provide IMAP and POP3.

systemctl restart postfix
systemctl restart dovecot

Remember we haven’t opened any firewall rules other than 7025 for ViMbAdmin. If you open ports 993 and 995 you could start using your mailserver in its current state.

Side Notes

If you want to see which password hashing schemes Dovecot supports, run the following command:

doveadm pw -l

To hash a password with one of those schemes, use:

doveadm pw -p plain_text_password -s sha512 -r 100
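To make concrete what “default_pass_scheme = SHA512” in dovecot-sql.conf and the doveadm pw command above actually produce and compare, here is an added example (not Dovecot’s or ViMbAdmin’s own code) that builds the stored {SHA512} form, honours the default scheme for values stored without a prefix, and verifies a login attempt with a constant-time comparison. Note that the SHA512 scheme is unsalted; Dovecot’s SHA512-CRYPT scheme is the salted alternative.

```python
import base64
import hashlib
import hmac

# Mirrors default_pass_scheme in dovecot-sql.conf: a stored value without a
# {SCHEME} prefix is interpreted with this scheme.
DEFAULT_PASS_SCHEME = "SHA512"

def hash_password(password: str, scheme: str = DEFAULT_PASS_SCHEME) -> str:
    """Produce the stored form Dovecot uses: {SHA512} followed by the base64
    of the raw SHA-512 digest (what 'doveadm pw -s sha512' emits), or {PLAIN}
    followed by the password itself."""
    scheme = scheme.upper()
    if scheme == "PLAIN":
        return "{PLAIN}" + password
    if scheme == "SHA512":
        digest = hashlib.sha512(password.encode("utf-8")).digest()
        return "{SHA512}" + base64.b64encode(digest).decode("ascii")
    raise ValueError(f"unsupported scheme: {scheme}")

def split_scheme(stored: str) -> tuple:
    """Split '{SCHEME}data' into (scheme, data). No prefix means the default
    scheme, which is exactly what default_pass_scheme provides."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, data = stored[1:].partition("}")
        return scheme.upper(), data
    return DEFAULT_PASS_SCHEME, stored

def verify_password(stored: str, candidate: str) -> bool:
    """Check a login attempt against the value password_query returned.
    Unknown schemes and malformed stored data fail closed."""
    scheme, data = split_scheme(stored)
    if scheme == "PLAIN":
        expected, given = data.encode("utf-8"), candidate.encode("utf-8")
    elif scheme == "SHA512":
        try:
            expected = base64.b64decode(data, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
        given = hashlib.sha512(candidate.encode("utf-8")).digest()
    else:
        return False
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, given)
```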

Conclusion

After finishing this section you technically have a fully functional mailserver, however we aren’t done yet. Almost any email service provider gives their users the ability to check their email with nothing more than a web browser, so in Part 7 we will cover webmail with Roundcube.

If you have missed any of the previous parts, you can find them using the links below:

Part 1: Preparing the Server and Certificates
Part 2: Installing Postfix
Part 3: Installing PostgreSQL
Part 4: Installing ViMbAdmin
Part 5: Mail Filters