Mail Access Server

Dovecot Logo

Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written primarily with security in mind. Dovecot is an excellent choice for both small and large installations. It’s fast, simple to set up, requires no special administration and it uses very little memory.

Install Software

Dovecot is in the Ubuntu software packages repository:

$ sudo apt-get install dovecot-mysql dovecot-pop3d dovecot-imapd dovecot-managesieved

You will be asked about security certificate, and if a self-signed certificate should be created for you. Answer <No> to that, as we will use the already created Certificates and Keys.

The installation creates the following items:

  • The user and group dovecot for the mail server.

  • The user and group dovenull to process mail server logins.

  • The directory /etc/dovecot

  • The main configuration file /etc/dovecot/dovecot.conf

  • Various other configuration files in the directory /etc/dovecot/conf.d

  • The Ubuntu Upstart service configuration /etc/init/dovecot.conf

Other example configuration files are found in the /usr/share/doc/dovecot-core/example-config/ directory.

Main Configuration

The main configuration file /etc/dovecot/dovecot.conf has a limited amount of settings, as most things are included from individual files in the /etc/dovecot/conf.d directory.

Services

Dovecot can provide a number of mail services. We activate IMAP and LMTP.

# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
protocols = imap lmtp

IP-Addresses

Dovecot would bind to all available addresses, to change that, we remove the comment hashtag and set the IP address the IMAP server should listen to connections:

# A comma separated list of IPs or hosts where to listen in for connections. 
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
listen = 127.0.0.1,192.0.2.40,::1,2001:db8::40

Database Connection

Dovecot can use our mailserver database to validate domains, mailboxes and authenticate users. The configuration is set in the file /etc/dovecot/dovecot-sql.conf.ext.

Type of Database

What type of database or server to use:

# Database driver: mysql, pgsql, sqlite
driver = mysql

Database Server Login

How to connect to the database server and what username and password to use:

# Database connection string. This is driver-specific setting.
connect = host=127.0.0.1 dbname=mailserver user=mailuser password=********

The database-name, user and password are identical to what you have set in /etc/postfix/mysql-virtual-mailbox-maps.cf for MTA - Mail Transfer Server.

Password Scheme

How are passwords stored (hashed) in the password database:

# Default password scheme.
default_pass_scheme = SHA512-CRYPT

The Dovecot Wiki describes the available password schemes.

Database Query

The MySQL query to retrieve username and (hashed) password for a mail-address.

# passdb query to retrieve the password. It can return fields:
#   password - The user's password. This field must be returned.
#   user - user@domain from the database. Needed with case-insensitive lookups.
#   username and domain - An alternative way to represent the "user" field.
#
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

Services

The file /etc/dovecot/conf.d/10-master.conf defines the properties of the services Dovecot provides to other hosts.

We use Dovecot to provide the following services:

  • IMAP - for MUA to access their mailbox

  • LMTP & LDA - Delivery of mail to local mailboxes

  • AUTH - let other services (i.e. MSA or XMPP) authenticate users by Dovecot.

IMAP Settings

The IMAP service configuration can be left at its defaults.

LMTP - Local Mail Transport

  • When the MTA server has accepted a message from the Internet he uses an LDA to send it to the server who holds the recipients mailbox.

  • When the MSA server has accepted a message from an MUA he then sends it by LMTP to the MTA who takes care of the transer to other Internet domains.

  • A script running on a web-server creates a mail to a user, as part of some transaction (registraion confirmation, password-reset). The web server uses LMTP to send it to the MTA.

To allow our MTA Postfix to deliver mails to mailboxes trough the Dovecot LMTP service:

service lmtp {
   unix_listener /var/spool/postfix/private/dovecot-lmtp {
     mode = 0600
     user = postfix
     group = postfix
  }

The configuration file /etc/dovecot/conf.d/20-lmtp.conf holds settings specific to the LMTP service.

We load the Dovecot Sieve plugin.

protocol lmtp {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins sieve
}
			  

LDA - Local Delivery Agent

Local delivery happens when mails are to be delivered to a mailbox of the local system. Here are some uses-cases:

The file /etc/dovecot/conf.d/15-lda.conf is used to set-up local delivery.

The name and domain of our server is only availabel in our local LAN and not valid on the Internet. We therefore need to override the server-name and the postmaster mail address to values which are valid and recognizible, as these will be inserted in the header of messages.

# Address to use when sending rejection mails.
# Default is postmaster@<your domain>. %d expands to recipient domain.
postmaster_address = postmaster@example.net

# Hostname to use in various parts of sent mails (e.g. in Message-Id) and
# in LMTP replies. Default is the system's real hostname@domain.
hostname = mail.example.net

We load the Dovecot Sieve plugin.

protocol lda {
  # Space separated list of plugins to load (default is global mail_plugins).
  #mail_plugins = $mail_plugins
  mail_plugins = $mail_plugins sieve
}

AUTH Settings

Other services can use Dovecot for user authentication instead of maintaining their own user-database. A registred user on our mail server can use the same username and password with other services.

To allow our MSA Postfix to use the user authentication service, the UNIX socket that Postifx will access, needs specific access rights:

service auth {
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }

Transport Layer Security

See also the Dovecot SSL configuration in the Dovecot wiki.

The file /etc/dovecot/conf.d/10-ssl.conf contains settings for TLS protocol settings, certificates and keys.

We enforce encryption and server authentication on all connections:

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required

Where the servers certificate and private key are stored:

ssl_cert = </etc/ssl/certs/example.net.chained.cert.pem
ssl_key = </etc/ssl/private/example.net.key.pem

Note

Note the “<” character in front of the filenames. Dovecot will fail with errors about unreadable PEM encoded key files, if they are omitted.

Diffie-Hellmann Parameters

Encryption strenght of session keys negotiated by Diffie-Hellman key exchange.

Dovecot creates its own DH parameters and also refesehes them periodically. There is no need to provide a DH parameters file, as with some other servers.

# DH parameters length to use.
ssl_dh_parameters_length = 4096

SSL & TLS Protocol Versions

# SSL protocols to use
# Default: !SSLv3
ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1

Set our selected Cipher Suite Selection.

# SSL cipher list
# Default: ALL:!LOW:!SSLv2:!EXP:!aNULL

Let the server choose the cipher-suite during handhake.

# Prefer the server's order of ciphers over client's.

Authentication

The file /etc/dovecot/conf.d/10-auth.conf defines how users logins are processed.

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
#   gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain

Disable login for system users and enable the MySQL user database, by commenting out the first line with a hashtag and activating the auth- sql.conf.ext line with a exclamation mark:

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

#include auth-system.conf.ext
!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

The now included file /etc/dovecot/conf.d/auth-sql.conf.ext contains references to the database configuration file.

First where (hashed) paswords are retrieved for authenticating users:

passdb {
  driver = sql

  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
  args = /etc/dovecot/dovecot-sql.conf.ext
}

And how other used properties, like mailbox directory, are retrieved:

userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n allow_all_users=yes
}

The parameter static above means. they are not retrieved from the database, but are all the same for all our users according to the values in args.

The args values are translated as follows:

  • The system user profile and group used who accesses the mailbox directory is vmail.

  • Mailboxes are stored in the directory /var/vmail/%d/%n/ where %d will be replaces by the domain name (e.g. example.net) and %n will be replaced by the user name.

  • allow_all_users=yes, is to allow mail delivery, also for mails to users not found yet in the database.

This basically means, that mails for user@example.net will be stored in the /var/vmail/example.net/user directory.

Mailbox Locations

In the file /etc/dovecot/conf.d/10-mail.conf we set up parameters for our virtual mailboxes.

mail_location = maildir:/var/vmail/%d/%n/Maildir
# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. <doc/wiki/UserIds.txt>
mail_uid = vmail
mail_gid = vmail

Sieve Filter Management Server

The ManageSieve server allows users to manage their own mail filters directly on the server.

The ManageSieve server is configured in the file /etc/dovecot/conf.d/20-managesieve.conf.

##
## ManageSieve specific settings
##

# Uncomment to enable managesieve protocol:
#protocols = $protocols sieve

# Service definitions

#service managesieve-login {
  #inet_listener sieve {
  #  port = 4190
  #}

  #inet_listener sieve_deprecated {
  #  port = 2000
  #}

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1

  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = 64M
#}

#service managesieve {
  # Max. number of ManageSieve processes (connections)
  #process_limit = 1024
#}

# Service configuration

protocol sieve {
  # Maximum ManageSieve command line length in bytes. ManageSieve usually does
  # not involve overly long command lines, so this setting will not normally
  # need adjustment
  #managesieve_max_line_length = 65536

  # Maximum number of ManageSieve connections allowed for a user from each IP
  # address.
  # NOTE: The username is compared case-sensitively.
  #mail_max_userip_connections = 10

  # Space separated list of plugins to load (none known to be useful so far).
  # Do NOT try to load IMAP plugins here.
  #mail_plugins =

  # MANAGESIEVE logout format string:
  #  %i - total number of bytes read from client
  #  %o - total number of bytes sent to client
  #managesieve_logout_format = bytes=%i/%o

  # To fool ManageSieve clients that are focused on CMU's timesieved you can
  # specify the IMPLEMENTATION capability that Dovecot reports to clients.
  # For example: 'Cyrus timsieved v2.2.13'
  #managesieve_implementation_string = Dovecot Pigeonhole

  # Explicitly specify the SIEVE and NOTIFY capability reported by the server
  # before login. If left unassigned these will be reported dynamically
  # according to what the Sieve interpreter supports by default (after login
  # this may differ depending on the user).
  #managesieve_sieve_capability =
  #managesieve_notify_capability =

  # The maximum number of compile errors that are returned to the client upon
  # script upload or script verification.
  #managesieve_max_compile_errors = 5

  # Refer to 90-sieve.conf for script quota configuration and configuration of
  # Sieve execution limits.
}