Dovecot


Liens

Description

Dovecot is a POP3/IMAP (Post Office Protocol / Internet Message Access Protocol) mail server. On this page it is also used as the SASL authentication backend and the LMTP delivery agent for Postfix.

Ports

port description
143 incoming standard IMAP port. The connection starts in cleartext and is upgraded to TLS with STARTTLS; with `ssl = required` (see TLS below) authentication is refused until the upgrade has happened, except from localhost, which Dovecot treats as already secured.
993 incoming standard IMAPS port. TLS from the first byte (implicit TLS), no cleartext phase.

Commands

# display the effective configuration (non-default settings only).
# Review the output before pasting it into bug reports or chats: passdb/userdb
# args and file paths are included.
dovecot -n

Protocols

/etc/dovecot/dovecot.conf
# Enable installed protocols: each *.protocol file appends to $protocols.
# include_try (unlike !include) silently skips files that are missing or unreadable.
!include_try /usr/share/dovecot/protocols.d/*.protocol
/usr/share/dovecot/protocols.d/imapd.protocol
protocols = $protocols imap

Mailboxes

  • mbox: all messages of a folder are stored in a single file
  • maildir: one file per message, stored in directories (the format used by the examples below)
/etc/dovecot/conf.d/10-mail.conf
# Keep exactly one mail_location line. %u expands to the login name, so every
# user gets a separate maildir.
# use maildir for virtual users
mail_location = maildir:/var/mail/%u

# use maildir for system users
mail_location = maildir:~/maildir

Postfix and Dovecot LMTP

Make sure the dovecot-lmtpd package is installed (see Installation below).
/etc/postfix/main.cf
# Set only the transport matching your setup. The path after lmtp:unix: is
# relative to Postfix's queue directory (/var/spool/postfix), i.e. it is the
# socket created by the dovecot lmtp listener in 10-master.conf.
# for virtual user setup
virtual_transport = lmtp:unix:private/dovecot-lmtp
# for a non virtual user setup ( as when mail_location = maildir:~/maildir )
mailbox_transport = lmtp:unix:private/dovecot-lmtp
/etc/dovecot/conf.d/10-master.conf
service lmtp {
  # Socket inside Postfix's queue directory. 0600 + owner postfix means only
  # Postfix's lmtp client can hand mail to Dovecot for delivery.
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}

Userdb lookup failed

Symptom in the log, typically when the client logs in as `user@domain.net` but the userdb only knows bare usernames: `Userdb lookup user@domain.net doesn't match user`

/etc/dovecot/conf.d/10-auth.conf
# %Ln = lowercased local part: the domain is dropped before the userdb lookup,
# so user@domain.net is looked up as "user" (fixes the mismatch above).
auth_username_format = %Ln
# Alternative: drop the domain only when it is the local host's domain,
# otherwise keep the full (lowercased) address.
# auth_username_format=%{if;%d;eq;hostname.domain.net;%Ln;%Lu}

Authentication

/etc/dovecot/conf.d/10-auth.conf
# Disable plaintext authentications unless SSL/TLS is used or if you connect from localhost
disable_plaintext_auth = yes

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey gss-spnego
# NOTE: plain sends the password unencrypted; inside an SSL/TLS session this is
# not a problem, and disable_plaintext_auth above blocks it on cleartext
# connections. The login mechanism (added for Postfix SASL further down) is
# plaintext as well and falls under the same rule.
auth_mechanisms = plain

System users

By default, Dovecot authenticates against the system users (through PAM) with their system passwords.

/etc/dovecot/conf.d/10-auth.conf
# use system users
!include auth-system.conf.ext
/etc/dovecot/conf.d/auth-system.conf.ext
passdb {
  driver = pam
  # %s expands to the service name, so IMAP logins use /etc/pam.d/imap
  # (that PAM stack must include the actual password check, see below).
  args = %s
}

userdb {
  # uid, gid and home directory come from the system passwd database
  driver = passwd
}
/etc/pam.d/imap
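# allow IMAP access only for users listed in /etc/imapusers (one name per line);
# onerr=fail denies access if the list file is missing or unreadable
auth    required        pam_listfile.so item=user sense=allow file=/etc/imapusers onerr=fail
# pam_listfile only checks list membership, it does NOT verify the password.
# The stack must still run the normal password check (Debian/Ubuntu:
# common-auth); a stack consisting only of the listfile line accepts any
# password for a listed user.
@include common-auth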
/etc/imapusers
user1
user2

Passwd-file

/etc/dovecot/conf.d/10-auth.conf
# use non-system users with passwd-file.
# Every included passdb stays active and is tried in order, so also including
# auth-system.conf.ext would keep system-user logins enabled; include only the
# backend(s) you need.
!include auth-passwdfile.conf.ext
/etc/dovecot/conf.d/auth-passwdfile.conf.ext
passdb {
  driver = passwd-file
  # scheme= is the default for hashes written without a {PREFIX}.
  # The file holds password hashes: keep it root-owned and mode 0600; by
  # default the auth worker that reads it runs as root (see 10-master.conf).
  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/users
}

userdb {
  driver = passwd-file
  # the same file also supplies uid/gid/home and the extra fields shown below
  args = username_format=%u /etc/dovecot/users
}
/etc/dovecot/users
# password only ("pass" stands for the hash printed by doveadm pw, prefix included)
user:{SHA512-CRYPT}pass

# user:password:uid:gid:(gecos):home:(shell):extra_fields
# allow_nets: logins for this user are accepted only from the listed
# addresses/networks (IPv6 loopback, IPv4 loopback, the LAN). "local" is meant
# to cover non-IP connections such as the Postfix SASL Unix socket - confirm
# against the Dovecot docs for your version.
user:{SHA512-CRYPT}pass:1000:1000::/home/user::userdb_mail=maildir:~/maildir allow_nets=::1,127.0.0.0/8,192.168.0.0/24,local
# generate a salted password hash (prompts for the password; avoid -p <password>,
# which leaves the cleartext password in the shell history)
doveadm pw -s SHA512-CRYPT

# check that a hash matches a password (prompts for the password)
doveadm pw -V -t '{SHA512-CRYPT}hash'

# list available password schemes
doveadm pw -l

Virtual Users

SASL client authentication

Configuration needed for Postfix to authenticate its SMTP clients (SMTP AUTH) through Dovecot's SASL socket.

/etc/dovecot/conf.d/10-master.conf
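service auth {
  # Postfix smtp-auth: Postfix's smtpd talks SASL to Dovecot over this socket.
  unix_listener /var/spool/postfix/private/auth {
    # Dovecot's example config uses 0666; 0660 is enough here because the
    # socket is owned by postfix:postfix and only the Postfix smtpd (running
    # as the postfix user) needs to reach it.
    mode = 0660
    user = postfix
    group = postfix
  }
}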
/etc/dovecot/conf.d/10-auth.conf
# add the login mechanism (required by some SMTP clients). It is plaintext like
# PLAIN and only safe inside TLS/STARTTLS. This line replaces the earlier
# "auth_mechanisms = plain"; keep a single auth_mechanisms definition.
auth_mechanisms = plain login

TLS

/etc/dovecot/conf.d/10-ssl.conf
# required: STARTTLS connections on 143 must upgrade to TLS before
# authenticating (connections from the local host are treated as already
# secured, which is why the cleartext test further down works from localhost).
ssl = required

# "<" reads the file contents. Dovecot reads the key as root, so privkey.pem
# can stay root-only (the Let's Encrypt default permissions).
ssl_cert = </etc/letsencrypt/live/domain.fr/fullchain.pem
ssl_key = </etc/letsencrypt/live/domain.fr/privkey.pem

# refuse TLS 1.0/1.1 (and SSLv3); TLS 1.2 and 1.3 remain allowed
ssl_min_protocol = TLSv1.2

IMAP Compression

/etc/dovecot/conf.d/20-imap.conf
protocol imap {
  # imap_zlib: IMAP COMPRESS, reduces bandwidth usage. Compression happens
  # inside the TLS session; compressing data before encrypting it can leak
  # information about the plaintext (CRIME-style attacks), so weigh the
  # saving against that before enabling it.
  mail_plugins = $mail_plugins imap_zlib
}

Test

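# imap on 143 without STARTTLS. This only works from the local host, which
# Dovecot treats as already secured; from any other address the LOGIN is
# refused (ssl = required / disable_plaintext_auth). The password is typed
# in clear and echoed to the terminal.
telnet localhost imap2
# OK * DOVECOT * READY
A1 LOGIN username password
# LOGGED IN
A2 LIST "" "*"
A3 EXAMINE INBOX
A4 LOGOUT

# imap with STARTTLS on 143
openssl s_client -connect localhost:143 -starttls imap

# imaps on 993; -servername sends the SNI name the server expects. Check the
# certificate chain: the output must contain "Verify return code: 0 (ok)",
# otherwise the cert/chain configured in 10-ssl.conf is wrong or not trusted.
openssl s_client -connect hostname.domain.net:993 -servername hostname.domain.net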

Debug

/etc/dovecot/conf.d/10-logging.conf
# Log unsuccessful authentication attempts and the reasons why they failed.
auth_verbose = yes

# Even more verbose logging for debugging purposes.
auth_debug = yes

# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
# WARNING: this writes users' plaintext passwords to the mail log. Enable it
# only while troubleshooting a specific failure, turn it off afterwards, and
# treat the log (and its rotated copies/backups) as containing credentials.
auth_debug_passwords = yes

# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
mail_debug = yes

Logging

  • /var/log/syslog
  • /var/log/mail.log
  • /var/log/mail.err
/etc/dovecot/conf.d/10-logging.conf
# log debug and info only to mail.log and no longer to syslog.
# Everything enabled in the Debug section ends up in this file - including
# plaintext passwords while auth_debug_passwords = yes - so keep it readable
# by root/adm only and remember its rotated copies.
debug_log_path = /var/log/mail.log
info_log_path = /var/log/mail.log

Fail2ban

/etc/fail2ban/jail.d/enabled.local
[dovecot]
# Bans source IPs after repeated failed Dovecot logins. Check which file the
# jail reads (fail2ban-client get dovecot logpath) and that Dovecot's auth
# failures actually land there (this setup sends info-level logs to
# /var/log/mail.log); verify with: fail2ban-client status dovecot
enabled = true

Application Android

  • Blue Mail

Configuration

  • Serveur IMAP: mail.domain.fr
  • Sécurité: STARTTLS (régler le client pour exiger STARTTLS, sans repli possible vers une connexion en clair)
  • Authentification: PLAIN
  • Port: 143
  • Serveur SMTP: mail.domain.fr
  • Sécurité: STARTTLS
  • Port: 587
  • Authentification: AUTOMATIC

UFW

# allow incoming IMAP (143) to fetch emails via STARTTLS; if every client uses
# IMAPS on 993 this port can stay closed
sudo ufw allow "Dovecot IMAP"

# allow incoming IMAPs (993) to fetch emails
sudo ufw allow "Dovecot Secure IMAP"

Installation

sudo apt install dovecot-imapd dovecot-lmtpd