Difference between revisions of "Dovecot"

From wiki
(mail_location)
(TLS)
Line 95: Line 95:
 
<syntaxhighlight lang="sh">
 
<syntaxhighlight lang="sh">
 
mail_location = mdbox:~/mdbox
 
mail_location = mdbox:~/mdbox
 +
</syntaxhighlight>
 +
 +
=== TLS ===
 +
 +
==== Generate Certificate ====
 +
 +
This part assume that you've setup [https://letsencrypt.org/ Let’s Encrypt] according to the [[TLS|TLS Guide]].
 +
 +
Add your domain to <code>/etc/nginx/sites-available/noweb</code>
 +
<syntaxhighlight lang="nginx">
 +
server_name imap.example.org;
 +
</syntaxhighlight>
 +
 +
Add your new certificate to <code>/usr/local/sbin/renew_certificates</code>
 +
<syntaxhighlight lang="python">
 +
{
 +
    'domains': ['imap.example.org'],
 +
    'reload': [['service', 'dovecot', 'reload']]
 +
}
 +
</syntaxhighlight>
 +
 +
And finally generate the certificate
 +
<syntaxhighlight lang="console">
 +
# service nginx reload
 +
# /usr/local/sbin/renew_certificates
 +
Renewing certificate for imap.example.org that will expire on 0001-01-01
 +
 +
 +
 +
IMPORTANT NOTES:
 +
- Congratulations! Your certificate and chain have been saved at
 +
  /etc/letsencrypt/live/imap.example.org/fullchain.pem. Your cert
 +
  will expire on 2016-12-12. To obtain a new version of the
 +
  certificate in the future, simply run Let's Encrypt again.
 +
- If you like Let's Encrypt, please consider supporting our work by:
 +
 +
  Donating to ISRG / Let's Encrypt:  https://letsencrypt.org/donate
 +
  Donating to EFF:                    https://eff.org/donate-le
 +
 +
Restarting services:
 +
service dovecot reload
 +
[ ok ] Reloading IMAP/POP3 mail server: dovecot.
 +
</syntaxhighlight>
 +
 +
==== Configure ====
 +
 +
Edit file <code>/etc/dovecot/conf.d/10-ssl.conf</code> and change the following settings
 +
<syntaxhighlight lang="sh">
 +
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
 +
ssl = required
 +
 +
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
 +
# dropping root privileges, so keep the key file unreadable by anyone but
 +
# root. Included doc/mkcert.sh can be used to easily generate self-signed
 +
# certificate, just make sure to update the domains in dovecot-openssl.cnf
 +
ssl_cert = </etc/letsencrypt/live/imap.example.org/fullchain.pem
 +
ssl_key = </etc/letsencrypt/live/imap.example.org/privkey.pem
 +
 +
# DH parameters length to use.
 +
ssl_dh_parameters_length = 2048
 +
 +
# SSL protocols to use
 +
ssl_protocols = !SSLv2 !SSLv3
 +
 +
# SSL ciphers to use
 +
ssl_cipher_list = EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !CAMELLIA !SEED
 +
 +
# Prefer the server's order of ciphers over client's.
 +
ssl_prefer_server_ciphers = yes
 
</syntaxhighlight>
 
</syntaxhighlight>
  

Revision as of 02:38, 18 March 2016


Warning Warning: This page is a work in progress and is not completed. Important informations might be missing or wrong.

Install

# apt install dovecot-imapd dovecot-managesieved

Configuration

Create System User

User vmail will be used to store mail related data 

# adduser --system --home /var/vmail/ --uid 800 --group vmail
Adding system user `vmail' (UID 800) ...
Adding new group `vmail' (GID 800) ...
Adding new user `vmail' (UID 800) with group `vmail' ...
Creating home directory `/var/vmail/' ...

If the command complains about the UID or GID being in use, just increment the number. It can be anything between 500 and 999.

Authentication

Activate

Edit file /etc/dovecot/conf.d/10-auth.conf and make sure the only included authentication mechanism is passwdfile. 

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

#!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext


Edit file /etc/dovecot/conf.d/auth-passwdfile.conf.ext and set option default_fields 

# Authentication for passwd-file users. Included from 10-auth.conf.
#
# passwd-like file with specified location.
# <doc/wiki/AuthDatabase.PasswdFile.txt>

passdb {
  driver = passwd-file
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
}

userdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/users

  # Default fields that can be overridden by passwd-file
  #default_fields = quota_rule=*:storage=1G
  default_fields = uid=vmail gid=vmail home=/var/vmail/%u

  # Override fields from passwd-file
  #override_fields = home=/home/virtual/%u
}


Create file /etc/dovecot/users 

# touch /etc/dovecot/users
# chmod 640 /etc/dovecot/users
# chown root:dovecot /etc/dovecot/users

Add a User

First generate an encrypted password for the user 

$ doveadm pw -s SHA512-CRYPT
Enter new password: 
Retype new password: 
{SHA512-CRYPT}$6$o5TBpwJqGhEgsq3G$YGUPIDDkAJGaRYdMrW4kNWQzEyCwyeJAxnnyyphcR8MjPUo4yzUNy55sgAP0Qx73CI72XzUqIFGlKUvir7QkR1

Now add a line to /etc/dovecot/users 

# Format is <user>:<password>::::::
# Generate passwords with: doveadm pw -s SHA512-CRYPT
vincent:{SHA512-CRYPT}$6$o5TBpwJqGhEgsq3G$YGUPIDDkAJGaRYdMrW4kNWQzEyCwyeJAxnnyyphcR8MjPUo4yzUNy55sgAP0Qx73CI72XzUqIFGlKUvir7QkR1::::::

Mail Storage

Configuration of the mail storage is done in /etc/dovecot/conf.d/10-mail.conf 

mail_location = mdbox:~/mdbox

TLS

Generate Certificate

This part assume that you've setup Let’s Encrypt according to the TLS Guide.

Add your domain to /etc/nginx/sites-available/noweb 

server_name imap.example.org;

Add your new certificate to /usr/local/sbin/renew_certificates 

{
    'domains': ['imap.example.org'],
    'reload': [['service', 'dovecot', 'reload']]
}

And finally generate the certificate 

# service nginx reload
# /usr/local/sbin/renew_certificates
Renewing certificate for imap.example.org that will expire on 0001-01-01



IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/imap.example.org/fullchain.pem. Your cert
   will expire on 2016-12-12. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Restarting services:
service dovecot reload
[ ok ] Reloading IMAP/POP3 mail server: dovecot.

Configure

Edit file /etc/dovecot/conf.d/10-ssl.conf and change the following settings 

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/letsencrypt/live/imap.example.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/imap.example.org/privkey.pem

# DH parameters length to use.
ssl_dh_parameters_length = 2048

# SSL protocols to use
ssl_protocols = !SSLv2 !SSLv3

# SSL ciphers to use
ssl_cipher_list = EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !CAMELLIA !SEED

# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes

Fail2Ban

Create file /etc/fail2ban/jail.d/dovecot.conf with the following content 

[dovecot]
enabled  = true
Retrieved from ‘https://wiki.meurisse.org/index.php?title=Dovecot&oldid=209