"Dovecot": difference between versions
From Banane Atomic
Latest revision as of 4 September 2023 at 13:56
Links
Description
Dovecot is a POP/IMAP (Post Office Protocol / Interactive Message Access Protocol) server.
Ports

port | description
---|---
143 incoming | standard IMAP port, STARTTLS upgrade on the plain connection
993 incoming | standard IMAPS port, implicit TLS
Commands

```shell
# display the current configuration
dovecot -n
```
Protocols

/etc/dovecot/dovecot.conf:
```
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
```

/usr/share/dovecot/protocols.d/imapd.protocol:
```
protocols = $protocols imap
```
Mailboxes

- mbox: stores all the emails of a mailbox in a single file
- maildir: stores each email as its own file inside directories

/etc/dovecot/conf.d/10-mail.conf:
```
# use maildir for virtual users
mail_location = maildir:/var/mail/%u
# use maildir for system users
mail_location = maildir:~/maildir
```
Postfix and Dovecot LMTP

Make sure the dovecot-lmtpd package is installed.

/etc/postfix/main.cf:
```
# for a virtual user setup
virtual_transport = lmtp:unix:private/dovecot-lmtp
# for a non virtual user setup (as when mail_location = maildir:~/.maildir)
mailbox_transport = lmtp:unix:private/dovecot-lmtp
```

/etc/dovecot/conf.d/10-master.conf:
```
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
```
Userdb lookup failed

Logged error: Userdb lookup user@domain.net doesn't match user

/etc/dovecot/conf.d/10-auth.conf:
```
# %n would drop the domain if one was given
auth_username_format = %Ln
# auth_username_format=%{if;%d;eq;hostname.domain.net;%Ln;%Lu}
```
Authentication

/etc/dovecot/conf.d/10-auth.conf:
```
# Disable plaintext authentication unless SSL/TLS is used or you connect from localhost
disable_plaintext_auth = yes
# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey gss-spnego
# NOTE: plain sends the password unencrypted. Inside an SSL/TLS connection this is not a problem.
auth_mechanisms = plain
```
System users

By default, Dovecot uses the system users and their passwords for login.

/etc/dovecot/conf.d/10-auth.conf:
```
# use system users
!include auth-system.conf.ext
```

/etc/dovecot/conf.d/auth-system.conf.ext:
```
passdb {
  driver = pam
  # use /etc/pam.d/imap for IMAP
  args = %s
}
userdb {
  driver = passwd
}
```

/etc/pam.d/imap:
```
# allow IMAP access only for users listed in /etc/imapusers
auth required pam_listfile.so item=user sense=allow file=/etc/imapusers onerr=fail
```

/etc/imapusers:
```
user1
user2
```
Passwd-file

/etc/dovecot/conf.d/10-auth.conf:
```
# use non-system users with passwd-file
!include auth-passwdfile.conf.ext
```

/etc/dovecot/conf.d/auth-passwdfile.conf.ext:
```
passdb {
  driver = passwd-file
  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/users
}
userdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/users
}
```

/etc/dovecot/users:
```
# password only
user:{SHA512-CRYPT}pass
# user:password:uid:gid:(gecos):home:(shell):extra_fields
user:{SHA512-CRYPT}pass:1000:1000::/home/user::userdb_mail=maildir:~/maildir allow_nets=::1,127.0.0.0/8,192.168.0.0/24,local
```

```shell
# generate an encrypted password
doveadm pw -s SHA512-CRYPT
# check that the hash matches the password
doveadm pw -V -t '{SHA512-CRYPT}hash'
# list available password schemes
doveadm pw -l
```

- How to make dovecot password independent of server password?
- How do I change Dovecot virtual user passwords?
- Password Schemes
- Allow_nets extra field
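An added example, not from the wiki: a Python parser for the /etc/dovecot/users line format above that also evaluates the allow_nets extra field the way Dovecot applies it (the login is accepted only if the client address matches one entry; local stands for non-IP connections such as a unix socket). The user name, the placeholder hash and the networks are constructed.

```python
import ipaddress

# Constructed line in the user:password:uid:gid:(gecos):home:(shell):extra_fields
# format; the SHA512-CRYPT string is a placeholder, not a real hash.
SAMPLE_LINE = ("alice:{SHA512-CRYPT}$6$PLACEHOLDERSALT$PLACEHOLDERHASH:1000:1000::/home/alice::"
               "userdb_mail=maildir:~/maildir allow_nets=::1,127.0.0.0/8,192.168.0.0/24,local")

def parse_users_line(line):
    """Split one passwd-file line into its fields; extra_fields become a dict."""
    # at most 8 fields, so the ':' characters inside extra_fields (maildir:~, ::1)
    # stay attached to the last field instead of producing bogus columns
    fields = line.rstrip("\n").split(":", 7)
    if len(fields) < 2:
        raise ValueError("a users line needs at least user:password")
    user, password = fields[0], fields[1]
    extra = {}
    if len(fields) == 8:
        # extra fields are space separated key=value pairs; userdb_* ones are
        # handed to the userdb lookup (here the mail location)
        for token in fields[7].split():
            key, _, value = token.partition("=")
            extra[key] = value
    scheme = None
    if password.startswith("{") and "}" in password:
        scheme = password[1:password.index("}")]
    return {"user": user, "scheme": scheme, "extra": extra}

def allowed_by_nets(allow_nets, remote):
    """allow_nets semantics: accept when the client matches any listed network.
    remote is an IP string, or None for a non-IP (local socket) connection."""
    entries = [e for e in allow_nets.split(",") if e]
    if remote is None:
        return "local" in entries
    ip = ipaddress.ip_address(remote)
    for entry in entries:
        if entry == "local":
            continue
        # a bare address such as ::1 is treated as a /128 (or /32) network;
        # an IPv4 client never matches an IPv6 entry and vice versa
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def login_allowed(line, remote):
    """Combine both steps: would Dovecot accept a client at `remote` for this user?"""
    rec = parse_users_line(line)
    nets = rec["extra"].get("allow_nets")
    return True if nets is None else allowed_by_nets(nets, remote)
```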
Virtual Users

SASL client authentication

Configuration needed so that Postfix can authenticate SMTP clients through Dovecot's SASL service.

/etc/dovecot/conf.d/10-master.conf:
```
service auth {
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
```

/etc/dovecot/conf.d/10-auth.conf:
```
# add the login authentication mechanism
auth_mechanisms = plain login
```
TLS

/etc/dovecot/conf.d/10-ssl.conf:
```
ssl = required
ssl_cert = </etc/letsencrypt/live/domain.fr/fullchain.pem
ssl_key = </etc/letsencrypt/live/domain.fr/privkey.pem
ssl_min_protocol = TLSv1.2
```

IMAP Compression

/etc/dovecot/conf.d/20-imap.conf:
```
protocol imap {
  # imap_zlib: reduce the bandwidth usage of IMAP
  mail_plugins = $mail_plugins imap_zlib
}
```
Test

```shell
# imap
telnet localhost imap2
# OK * DOVECOT * READY
A1 LOGIN username password
# LOGGED IN
A2 LIST "" "*"
A3 EXAMINE INBOX
A5 LOGOUT

# imap with STARTTLS
openssl s_client -connect localhost:143 -starttls imap

# imaps
openssl s_client -connect hostname.domain.net:993
```
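The manual telnet/openssl test above can be automated. This added example (not part of the wiki page) parses Dovecot's capability announcement to confirm that, with disable_plaintext_auth = yes, the server advertises LOGINDISABLED until STARTTLS completes and only then offers AUTH=PLAIN. The two greeting lines are constructed; check_live connects to a host you name and is not exercised offline.

```python
import imaplib
import re
import ssl

# Constructed greetings in the shape Dovecot sends: the first is what a server
# with disable_plaintext_auth = yes shows on the plain port before STARTTLS,
# the second is what it shows once the connection is encrypted.
GREETING_PLAIN = (b"* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                  b"LITERAL+ STARTTLS LOGINDISABLED] Dovecot ready.")
GREETING_TLS = (b"* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                b"LITERAL+ AUTH=PLAIN] Dovecot ready.")

def parse_capabilities(greeting):
    """Extract the CAPABILITY list from a greeting or a CAPABILITY response."""
    m = re.search(rb"CAPABILITY ([^\]\r\n]*)", greeting)
    if not m:
        return set()
    return set(m.group(1).decode().split())

def assess(caps):
    """What the server permits in this state: plaintext LOGIN, a STARTTLS
    upgrade, and the SASL mechanisms it advertises."""
    caps = {c.upper() for c in caps}
    return {
        "plaintext_login": "LOGINDISABLED" not in caps,
        "starttls": "STARTTLS" in caps,
        "mechanisms": sorted(c[len("AUTH="):] for c in caps if c.startswith("AUTH=")),
    }

def check_live(host, port=143):
    """Against a real server: plaintext login must be refused before STARTTLS,
    and AUTH=PLAIN should appear only after the upgrade."""
    conn = imaplib.IMAP4(host, port)
    before = assess(parse_capabilities(conn.welcome))
    conn.starttls(ssl.create_default_context())
    # imaplib re-reads the capabilities after the TLS handshake
    after = assess(conn.capabilities)
    conn.logout()
    ok = not before["plaintext_login"] and before["starttls"] and "PLAIN" in after["mechanisms"]
    return {"before_starttls": before, "after_starttls": after, "hardened": ok}
```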
Debug

/etc/dovecot/conf.d/10-logging.conf:
```
# Log unsuccessful authentication attempts and the reasons why they failed.
auth_verbose = yes
# Even more verbose logging for debugging purposes.
auth_debug = yes
# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
auth_debug_passwords = yes
# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
mail_debug = yes
```
Logging

- /var/log/syslog
- /var/log/mail.log
- /var/log/mail.err

/etc/dovecot/conf.d/10-logging.conf:
```
# log debug and info only to mail.log and no longer to syslog
debug_log_path = /var/log/mail.log
info_log_path = /var/log/mail.log
```
Fail2ban

/etc/fail2ban/jail.d/enabled.local:
```ini
[dovecot]
enabled = true
```
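The dovecot jail enabled above acts on the failed logins that imap-login writes to mail.log. As an added example that is not part of this page, the following Python pass over constructed log lines totals failed attempts per client address (the rip field) the way a jail filter does before deciding to ban. The log lines, user names and addresses are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed mail.log excerpt in the format imap-login uses; only the
# "auth failed" disconnects count, successful logins and idle disconnects do not.
SAMPLE_LOG = """\
Sep  4 13:40:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS, session=<abc1>
Sep  4 13:40:05 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, TLS, session=<abc2>
Sep  4 13:40:09 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.168.0.12, lip=192.0.2.1, mpid=2311, TLS, session=<abc3>
Sep  4 13:40:12 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<root>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.1, TLS, session=<abc4>
Sep  4 13:40:20 mail dovecot: imap-login: Disconnected (no auth attempts in 10 secs): user=<>, rip=198.51.100.9, lip=192.0.2.1, TLS, session=<abc5>
"""

# matches imap-login and pop3-login failure lines; captures attempt count, user and rip
FAILED = re.compile(
    r"dovecot: \w+-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts"
    r"[^)]*\): user=<(?P<user>[^>]*)>, .*?rip=(?P<rip>[0-9a-fA-F.:]+)")

def summarize_auth_failures(log_text, threshold=3):
    """Per-rip failed-attempt totals, the user names tried from each rip, and
    the rips at or above threshold (the candidates a jail would ban)."""
    attempts = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        # Dovecot already aggregates retries within one session, so add the count
        attempts[m["rip"]] += int(m["attempts"])
        users[m["rip"]].add(m["user"])
    offenders = sorted(ip for ip, n in attempts.items() if n >= threshold)
    return {
        "attempts": dict(attempts),
        "users": {ip: sorted(names) for ip, names in users.items()},
        "offenders": offenders,
    }
```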
Android application

- Blue Mail

Configuration

- IMAP server: mail.domain.fr
  - Security: STARTTLS
  - Authentication: PLAIN
  - Port: 143
- SMTP server: mail.domain.fr
  - Security: STARTTLS
  - Port: 587
  - Authentication: AUTOMATIC
UFW

```shell
# allow incoming IMAP (143) to fetch emails
sudo ufw allow "Dovecot IMAP"
# allow incoming IMAPS (993) to fetch emails
sudo ufw allow "Dovecot Secure IMAP"
```

Installation

```shell
sudo apt install dovecot-imapd dovecot-lmtpd
```