Dovecot
Prerequisite
You will need to have setup Let’s Encrypt before going to this guide.
Install
# apt install dovecot-imapd dovecot-managesieved
Configuration
Create System User
User vmail will be used to store mail related data
# adduser --system --home /var/vmail/ --uid 800 --group vmail
Adding system user `vmail' (UID 800) ...
Adding new group `vmail' (GID 800) ...
Adding new user `vmail' (UID 800) with group `vmail' ...
Creating home directory `/var/vmail/' ...
If the command complains about the UID or GID being in use, just increment the number. It can be anything between 500 and 999.
Authentication
Activate
Edit file /etc/dovecot/conf.d/10-auth.conf
and make sure the only included authentication mechanism is passwdfile.
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
#!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
Edit file /etc/dovecot/conf.d/auth-passwdfile.conf.ext
and set option default_fields
# Authentication for passwd-file users. Included from 10-auth.conf.
#
# passwd-like file with specified location.
# <doc/wiki/AuthDatabase.PasswdFile.txt>
passdb {
driver = passwd-file
args = scheme=CRYPT username_format=%u /etc/dovecot/users
}
userdb {
driver = passwd-file
args = username_format=%u /etc/dovecot/users
# Default fields that can be overridden by passwd-file
#default_fields = quota_rule=*:storage=1G
default_fields = uid=vmail gid=vmail home=/var/vmail/%u
# Override fields from passwd-file
#override_fields = home=/home/virtual/%u
}
Create file /etc/dovecot/users
# touch /etc/dovecot/users
# chmod 640 /etc/dovecot/users
# chown root:dovecot /etc/dovecot/users
Add a User
First generate an encrypted password for the user
$ doveadm pw -s SHA512-CRYPT
Enter new password:
Retype new password:
{SHA512-CRYPT}$6$o5TBpwJqGhEgsq3G$YGUPIDDkAJGaRYdMrW4kNWQzEyCwyeJAxnnyyphcR8MjPUo4yzUNy55sgAP0Qx73CI72XzUqIFGlKUvir7QkR1
Now add a line to /etc/dovecot/users
# Format is <user>:<password>::::::
# Generate passwords with: doveadm pw -s SHA512-CRYPT
jdoe:{SHA512-CRYPT}$6$o5TBpwJqGhEgsq3G$YGUPIDDkAJGaRYdMrW4kNWQzEyCwyeJAxnnyyphcR8MjPUo4yzUNy55sgAP0Qx73CI72XzUqIFGlKUvir7QkR1::::::
Mail Storage
Configuration of the mail storage is done in /etc/dovecot/conf.d/10-mail.conf
mail_location = mdbox:~/mdbox
TLS
Generate Certificate
This part assume that you've setup Let’s Encrypt.
Add your domain to /etc/nginx/sites-available/noweb
server_name imap.example.org;
Add your new certificate to /usr/local/sbin/renew_certificates
{
'domains': ['imap.example.org'],
'reload': [['service', 'dovecot', 'reload']]
}
And finally generate the certificate
# service nginx reload
$ sudo /usr/local/sbin/certmanage
Renewing certificate for imap.example.com that will expire on 0001-01-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for imap.example.com
Using the webroot path /var/www/acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/imap.example.com/fullchain.pem. Your cert
will expire on 2025-03-05. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Restarting services:
service dovecot reload
[ ok ] Reloading IMAP/POP3 mail server: dovecot.
Configure
Edit file /etc/dovecot/conf.d/10-ssl.conf
and change the following settings
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/letsencrypt/live/imap.example.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/imap.example.org/privkey.pem
# DH parameters length to use.
ssl_dh_parameters_length = 2048
# SSL protocols to use
ssl_protocols = !SSLv2 !SSLv3
# SSL ciphers to use
ssl_cipher_list = EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !CAMELLIA !SEED
# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes
Fail2Ban
Create file /etc/fail2ban/jail.d/dovecot.conf
with the following content
[dovecot]
enabled = true