Difference between revisions of "Dovecot"


Revision as of 01:52, 6 August 2016


Prerequisite

You will need to have set up Let’s Encrypt before following this guide.

Install

# apt install dovecot-imapd dovecot-managesieved

Configuration

Create System User

The system user vmail will own all mail-related data.

# adduser --system --home /var/vmail/ --uid 800 --group vmail
Adding system user `vmail' (UID 800) ...
Adding new group `vmail' (GID 800) ...
Adding new user `vmail' (UID 800) with group `vmail' ...
Creating home directory `/var/vmail/' ...

If the command complains about the UID or GID being in use, just increment the number. It can be anything between 500 and 999.

Authentication

Activate

Edit file /etc/dovecot/conf.d/10-auth.conf and make sure that auth-passwdfile is the only authentication backend still included (all the others stay commented out).

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

#!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

Edit file /etc/dovecot/conf.d/auth-passwdfile.conf.ext and set the default_fields option in the userdb block.

# Authentication for passwd-file users. Included from 10-auth.conf.
#
# passwd-like file with specified location.
# <doc/wiki/AuthDatabase.PasswdFile.txt>

passdb {
  driver = passwd-file
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
}

userdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/users

  # Default fields that can be overridden by passwd-file
  #default_fields = quota_rule=*:storage=1G
  default_fields = uid=vmail gid=vmail home=/var/vmail/%u

  # Override fields from passwd-file
  #override_fields = home=/home/virtual/%u
}

Create file /etc/dovecot/users

# touch /etc/dovecot/users
# chmod 640 /etc/dovecot/users
# chown root:dovecot /etc/dovecot/users

Add a User

First generate a password hash for the user.

$ doveadm pw -s SHA512-CRYPT
Enter new password: 
Retype new password: 
{SHA512-CRYPT}$6$o5TBpwJqGhEgsq3G$YGUPIDDkAJGaRYdMrW4kNWQzEyCwyeJAxnnyyphcR8MjPUo4yzUNy55sgAP0Qx73CI72XzUqIFGlKUvir7QkR1

Now add a line to /etc/dovecot/users

# Format is <user>:<password>::::::
# Generate passwords with: doveadm pw -s SHA512-CRYPT
jdoe:{SHA512-CRYPT}$6$o5TBpwJqGhEgsq3G$YGUPIDDkAJGaRYdMrW4kNWQzEyCwyeJAxnnyyphcR8MjPUo4yzUNy55sgAP0Qx73CI72XzUqIFGlKUvir7QkR1::::::
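Because Dovecot accepts many password schemes in this file, a quick sanity check of /etc/dovecot/users is worthwhile before reloading. The following checker is an added example, not part of the wiki page or of Dovecot: it parses the <user>:<password>:::::: format used above and flags entries without a {SCHEME} prefix (which the passdb args scheme=CRYPT setting would interpret as plain libc crypt), weak schemes, traditional DES hashes and duplicate users. The sample file is constructed; only the jdoe hash comes from the guide.

```python
import re

# Constructed sample of /etc/dovecot/users in the <user>:<password>:::::: format
# used above (the first jdoe hash is the one shown in the guide; the rest are made up).
SAMPLE_USERS = """\
# Format is <user>:<password>::::::
jdoe:{SHA512-CRYPT}$6$o5TBpwJqGhEgsq3G$YGUPIDDkAJGaRYdMrW4kNWQzEyCwyeJAxnnyyphcR8MjPUo4yzUNy55sgAP0Qx73CI72XzUqIFGlKUvir7QkR1::::::
asmith:{PLAIN}hunter2::::::
bob:abJnggxhB/yWI::::::
carol:{MD5-CRYPT}$1$saltsalt$5vxLo5g6W8Lm/qY1uSoVX.::::::
jdoe:{SHA512-CRYPT}$6$anothersalt$abc::::::
"""

SCHEME_RE = re.compile(r"^\{([A-Z0-9.-]+)\}(.*)$")
WEAK_SCHEMES = {"PLAIN", "CLEARTEXT", "MD5", "MD5-CRYPT", "SHA", "SHA1",
                "LANMAN", "NTLM", "DES-CRYPT"}

def check_users_file(text, default_scheme="CRYPT"):
    """Return (line_no, user, problem) findings for a passwd-file text.

    default_scheme mirrors the passdb 'scheme=...' argument: an entry
    without a {SCHEME} prefix is interpreted with it.
    """
    findings, seen = [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 8:
            findings.append((n, fields[0], "expected 8 colon-separated fields"))
            continue
        user, pw = fields[0], fields[1]
        if user in seen:
            findings.append((n, user, "duplicate user entry"))
        seen.add(user)
        m = SCHEME_RE.match(pw)
        scheme, digest = (m.group(1), m.group(2)) if m else (default_scheme, pw)
        if not m:
            findings.append((n, user, f"no {{SCHEME}} prefix; treated as {default_scheme}"))
        if scheme == "CRYPT" and not digest.startswith("$"):
            # 13-character traditional DES crypt: only the first 8 password characters count
            findings.append((n, user, "traditional DES crypt hash"))
        elif scheme in WEAK_SCHEMES:
            findings.append((n, user, f"weak password scheme {scheme}"))
        elif scheme == "SHA512-CRYPT" and not digest.startswith("$6$"):
            findings.append((n, user, "SHA512-CRYPT value does not start with $6$"))
    return findings
```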

Mail Storage

Configuration of the mail storage is done in /etc/dovecot/conf.d/10-mail.conf

mail_location = mdbox:~/mdbox

Sieve

Enable

To enable sieve filters during mail delivery, edit file /etc/dovecot/conf.d/15-lda.conf and uncomment/modify the following lines

protocol lda {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins sieve
}

ManageSieve

ManageSieve allows your mail client to upload and modify the Sieve scripts on your server. To enable it, uncomment/modify the following lines in /etc/dovecot/conf.d/20-managesieve.conf

protocols = $protocols sieve

service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}

If you change the default port, don't forget to change it in the firewall configuration below as well.

Firewall

You will need to open 2 ports in your firewall:

  • 993 for IMAP over TLS (imaps)
  • 4190 for ManageSieve (if enabled above)

Assuming that you configured nftables as described, you can edit file /etc/nftables/main_config.conf and add

# Dovecot
add element inet main tcp_port_in { 993, 4190 }

and activate it using

$ sudo /etc/nftables/reload_main.conf

TLS

Generate Certificate

This part assumes that you have set up Let’s Encrypt.

Add your domain to /etc/nginx/sites-available/noweb

server_name imap.example.org;

Add your new certificate to /usr/local/sbin/renew_certificates

{
    'domains': ['imap.example.org'],
    'reload': [['service', 'dovecot', 'reload']]
}

And finally generate the certificate

# service nginx reload
$ sudo /usr/local/sbin/certmanage
Renewing certificate for imap.example.org that will expire on 0001-01-01

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for imap.example.org
Using the webroot path /var/www/acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/imap.example.org/fullchain.pem. Your cert
   will expire on 2025-03-05. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Restarting services:
service dovecot reload
[ ok ] Reloading IMAP/POP3 mail server: dovecot.

Configure

Edit file /etc/dovecot/conf.d/10-ssl.conf and change the following settings

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/letsencrypt/live/imap.example.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/imap.example.org/privkey.pem

# DH parameters length to use.
ssl_dh_parameters_length = 2048

# SSL protocols to use
ssl_protocols = TLSv1.2

# SSL ciphers to use
ssl_cipher_list = EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !CAMELLIA !SEED

# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes
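To see what the settings above actually change, here is an added example (not from the wiki page or from Dovecot) that parses a 10-ssl.conf fragment and reports the hardening gaps: it compares a constructed pre-hardening configuration against the settings from this guide (ssl_cert/ssl_key are omitted since they are not audited). The protocol check accepts either a positive list of allowed versions or "!"-disabled ones; the cipher check is a static token test for explicit exclusions, not an OpenSSL evaluation of the cipher string.

```python
# Constructed 10-ssl.conf fragments: a typical pre-hardening config and this guide's settings.
WEAK_SSL_CONF = """\
ssl = yes
ssl_dh_parameters_length = 1024
ssl_protocols = !SSLv2
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
"""

HARDENED_SSL_CONF = """\
ssl = required
ssl_dh_parameters_length = 2048
ssl_protocols = TLSv1.2
ssl_cipher_list = EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !CAMELLIA !SEED
ssl_prefer_server_ciphers = yes
"""

LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
WEAK_CIPHER_TOKENS = ("aNULL", "eNULL", "LOW", "3DES", "MD5", "EXP", "RC4", "DSS")

def parse_dovecot_conf(text):
    # Flat 'key = value' lines; '#' starts a comment; a value starting with '<' is a file reference.
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            settings[key] = value
    return settings

def audit_ssl_conf(text):
    """Return the list of hardening problems found in a 10-ssl.conf fragment."""
    s = parse_dovecot_conf(text)
    problems = []
    if s.get("ssl") != "required":
        problems.append("ssl is not 'required': unencrypted connections are accepted")
    tokens = s.get("ssl_protocols", "").split()
    allowed = [t for t in tokens if not t.startswith("!")]
    disabled = {t[1:] for t in tokens if t.startswith("!")}
    for p in LEGACY_PROTOCOLS:
        if p in allowed or (not allowed and p not in disabled):
            problems.append(f"legacy protocol {p} still enabled")
    ciphers = s.get("ssl_cipher_list", "").replace(":", " ").split()
    for tok in WEAK_CIPHER_TOKENS:
        if f"!{tok}" not in ciphers:
            problems.append(f"cipher list does not exclude {tok}")
    if int(s.get("ssl_dh_parameters_length", "1024")) < 2048:
        problems.append("DH parameters shorter than 2048 bits")
    if s.get("ssl_prefer_server_ciphers", "no") != "yes":
        problems.append("server cipher order not enforced")
    return problems
```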

Limits

By default Dovecot limits IMAP connections to 10 per user and IP address. Since each mail client can open several connections and you may have several devices at home, this limit is easy to reach.

On a server with few users it is safe to raise the limit. To do so, edit mail_max_userip_connections in file /etc/dovecot/conf.d/20-imap.conf

protocol imap {
  ...

  # Maximum number of IMAP connections allowed for a user from each IP address.
  # NOTE: The username is compared case-sensitively.
  mail_max_userip_connections = 100

  ...
}

Fail2Ban

Create file /etc/fail2ban/jail.d/dovecot.conf with the following content

[dovecot]
enabled  = true