Difference between revisions of "Dovecot"
m (.org)
Revision as of 06:29, 27 April 2016
Prerequisite
You will need to have set up Let’s Encrypt before following this guide.
Install
# apt install dovecot-imapd dovecot-managesieved
Configuration
Create System User
User vmail will be used to own and store mail-related data
# adduser --system --home /var/vmail/ --uid 800 --group vmail
Adding system user `vmail' (UID 800) ...
Adding new group `vmail' (GID 800) ...
Adding new user `vmail' (UID 800) with group `vmail' ...
Creating home directory `/var/vmail/' ...
If the command complains about the UID or GID being in use, just increment the number. It can be anything between 500 and 999.
Authentication
Activate
Edit file /etc/dovecot/conf.d/10-auth.conf
and make sure the only included authentication mechanism is passwdfile.
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
#!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
Edit file /etc/dovecot/conf.d/auth-passwdfile.conf.ext
and set option default_fields
# Authentication for passwd-file users. Included from 10-auth.conf.
#
# passwd-like file with specified location.
# <doc/wiki/AuthDatabase.PasswdFile.txt>
passdb {
driver = passwd-file
args = scheme=CRYPT username_format=%u /etc/dovecot/users
}
userdb {
driver = passwd-file
args = username_format=%u /etc/dovecot/users
# Default fields that can be overridden by passwd-file
#default_fields = quota_rule=*:storage=1G
default_fields = uid=vmail gid=vmail home=/var/vmail/%u
# Override fields from passwd-file
#override_fields = home=/home/virtual/%u
}
Create file /etc/dovecot/users
# touch /etc/dovecot/users
# chmod 640 /etc/dovecot/users
# chown root:dovecot /etc/dovecot/users
Add a User
First generate a password hash for the user
$ doveadm pw -s SHA512-CRYPT
Enter new password:
Retype new password:
{SHA512-CRYPT}$6$o5TBpwJqGhEgsq3G$YGUPIDDkAJGaRYdMrW4kNWQzEyCwyeJAxnnyyphcR8MjPUo4yzUNy55sgAP0Qx73CI72XzUqIFGlKUvir7QkR1
Now add a line to /etc/dovecot/users
# Format is <user>:<password>::::::
# Generate passwords with: doveadm pw -s SHA512-CRYPT
jdoe:{SHA512-CRYPT}$6$o5TBpwJqGhEgsq3G$YGUPIDDkAJGaRYdMrW4kNWQzEyCwyeJAxnnyyphcR8MjPUo4yzUNy55sgAP0Qx73CI72XzUqIFGlKUvir7QkR1::::::
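A small checker for the users file, added here as an example (it is not part of this wiki page or of Dovecot). It assumes the layout above, where uid, gid and home come from default_fields, so the six trailing fields stay empty, and it checks the mode the guide sets with chmod 640.

```python
"""Sanity-check entries in /etc/dovecot/users and the file's mode.
Added example, not part of the wiki page or of Dovecot; it assumes the
layout above, where uid/gid/home come from default_fields."""
import os
import re
import stat

# passwd-file line: user:password:uid:gid:gecos:home:shell:extra_fields
FIELDS = 8
# Shape of a {SHA512-CRYPT} hash as printed by `doveadm pw -s SHA512-CRYPT`
SHA512_CRYPT = re.compile(r"^\$6\$[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$")

def check_entry(line):
    """Return the problems found in one users-file line ([] when it is fine)."""
    problems = []
    parts = line.rstrip("\n").split(":")
    if len(parts) != FIELDS:
        problems.append(f"expected {FIELDS} colon-separated fields, got {len(parts)}")
    user = parts[0]
    password = parts[1] if len(parts) > 1 else ""
    if not re.fullmatch(r"[A-Za-z0-9_.@+-]+", user):
        problems.append("empty or unusual user name")
    scheme = re.match(r"^\{([^}]+)\}(.*)$", password)
    if scheme is None:
        # Without a {SCHEME} prefix Dovecot applies the passdb default (scheme=CRYPT)
        problems.append("password has no {SCHEME} prefix")
    elif scheme.group(1) == "PLAIN":
        problems.append("password is stored in clear text")
    elif scheme.group(1) == "SHA512-CRYPT" and not SHA512_CRYPT.match(scheme.group(2)):
        problems.append("malformed SHA512-CRYPT hash")
    return problems

def mode_ok(mode):
    """chmod 640 root:dovecot means: no world access and the group may only read."""
    return mode & 0o027 == 0

def check_file(path):
    """Map each user in the file to its problems; 'mode' flags a too-open file."""
    report = {}
    with open(path) as fh:
        for line in fh:
            if line.strip() and not line.startswith("#"):
                report[line.split(":")[0]] = check_entry(line)
    if not mode_ok(stat.S_IMODE(os.stat(path).st_mode)):
        report["mode"] = ["file is readable or writable by more than root:dovecot"]
    return report
```

Run check_file("/etc/dovecot/users") as root after adding a user; an empty list per user and no "mode" key means the file matches what this guide expects.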
Mail Storage
Configuration of the mail storage is done in /etc/dovecot/conf.d/10-mail.conf
mail_location = mdbox:~/mdbox
TLS
Generate Certificate
This part assumes that you've set up Let’s Encrypt.
Add your domain to /etc/nginx/sites-available/noweb
server_name imap.example.org;
Add your new certificate to /usr/local/sbin/renew_certificates
{
'domains': ['imap.example.org'],
'reload': [['service', 'dovecot', 'reload']]
}
And finally generate the certificate
# service nginx reload
$ sudo /usr/local/sbin/certmanage
Renewing certificate for imap.example.org that will expire on 0001-01-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for imap.example.org
Using the webroot path /var/www/acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/imap.example.org/fullchain.pem. Your cert
will expire on 2025-03-04. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Restarting services:
service dovecot reload
[ ok ] Reloading IMAP/POP3 mail server: dovecot.
Configure
Edit file /etc/dovecot/conf.d/10-ssl.conf
and change the following settings
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/letsencrypt/live/imap.example.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/imap.example.org/privkey.pem
# DH parameters length to use.
ssl_dh_parameters_length = 2048
# SSL protocols to use
ssl_protocols = !SSLv2 !SSLv3
# SSL ciphers to use
ssl_cipher_list = EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !CAMELLIA !SEED
# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes
Limits
By default Dovecot limits IMAP connections to 10 per user and per IP address. Given that each email client can open multiple connections and that you might have several devices at home, the limit is easy to reach.
On a server with few users, it is safe to raise the limit. To do so, edit mail_max_userip_connections
in file /etc/dovecot/conf.d/20-imap.conf
protocol imap {
...
# Maximum number of IMAP connections allowed for a user from each IP address.
# NOTE: The username is compared case-sensitively.
mail_max_userip_connections = 50
...
}
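The TLS settings above and this connection limit are the values a practitioner will want to re-check after the next package upgrade. The following audit script is an added example (not part of the wiki page or of Dovecot): it parses the simple name = value and protocol imap { } syntax used in these snippets and reports any setting that differs from what the guide sets; the SAMPLE text is constructed to match the snippets above.

```python
"""Audit the Dovecot settings this guide changes in 10-ssl.conf and 20-imap.conf.
Added example, not part of the wiki page or of Dovecot; the parser only handles
the flat `name = value` and `protocol imap { ... }` syntax shown above."""
# SAMPLE is constructed in the layout of the snippets above (ssl_cipher_list omitted)
SAMPLE = """\
# SSL/TLS support: yes, no, required.
ssl = required
ssl_cert = </etc/letsencrypt/live/imap.example.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/imap.example.org/privkey.pem
ssl_dh_parameters_length = 2048
ssl_protocols = !SSLv2 !SSLv3
ssl_prefer_server_ciphers = yes
protocol imap {
  mail_max_userip_connections = 50
}
"""

def parse(text):
    """Return {name: value}; settings inside `protocol imap {}` are keyed 'imap/name'."""
    settings, scope = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):                        # 'protocol imap {' opens a scope
            scope.append(line[:-1].split()[-1])
        elif line == "}": scope.pop()
        elif "=" in line:
            name, value = (s.strip() for s in line.split("=", 1))
            settings["/".join(scope + [name])] = value
    return settings

def audit(settings):
    """List settings that differ from the values this guide recommends."""
    findings = []
    if settings.get("ssl") != "required":
        findings.append("ssl: set 'required' so logins without TLS are refused")
    for name in ("ssl_cert", "ssl_key"):
        if not settings.get(name, "").startswith("<"):
            findings.append(f"{name}: value must start with '<' to read the PEM file")
    for old in ("SSLv2", "SSLv3"):
        if "!" + old not in settings.get("ssl_protocols", "").split():
            findings.append(f"ssl_protocols: {old} is not disabled")
    if int(settings.get("ssl_dh_parameters_length", "0")) < 2048:
        findings.append("ssl_dh_parameters_length: below 2048")
    if settings.get("ssl_prefer_server_ciphers") != "yes":
        findings.append("ssl_prefer_server_ciphers: should be yes")
    limit = int(settings.get("imap/mail_max_userip_connections", "10"))
    if limit <= 10:
        findings.append(f"mail_max_userip_connections: {limit} is easily reached by a few clients")
    return findings
```

To audit a live server, feed it the concatenated contents of 10-ssl.conf and 20-imap.conf; an empty list means every checked setting matches this guide.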
Fail2Ban
Create file /etc/fail2ban/jail.d/dovecot.conf
with the following content
[dovecot]
enabled = true