« Dovecot »: difference between revisions

From Banane Atomic
Latest revision as of 4 September 2023, 13:56

Links

  • Dovecot wiki: https://wiki.dovecot.org/#Dovecot_configuration
  • Dovecot on Ubuntu: https://help.ubuntu.com/community/Dovecot

Description

Dovecot is a POP3/IMAP (Post Office Protocol / Internet Message Access Protocol) server.

Ports

port  direction  description
143   incoming   standard IMAP port; the connection starts in cleartext and is upgraded with STARTTLS (with ssl = required, logins are refused until the upgrade)
993   incoming   standard IMAPS port; implicit TLS from the first byte

Commands

# display the settings that differ from the defaults
dovecot -n

Protocols

/etc/dovecot/dovecot.conf
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
/usr/share/dovecot/protocols.d/imapd.protocol
protocols = $protocols imap

Mailboxes

  • mbox: stores all the messages of a folder in a single file
  • maildir: stores one message per file in a directory tree (the format used below)
/etc/dovecot/conf.d/10-mail.conf
# only one mail_location can be active: keep the line matching the setup

# maildir for virtual users (%u = the username as seen by Dovecot after auth_username_format)
mail_location = maildir:/var/mail/%u

# maildir for system users (~ = the user's home directory)
mail_location = maildir:~/maildir

Postfix and Dovecot LMTP

  • https://doc.dovecot.org/configuration_manual/howto/postfix_dovecot_lmtp

Make sure the dovecot-lmtpd package is installed.
/etc/postfix/main.cf
# for a virtual user setup
virtual_transport = lmtp:unix:private/dovecot-lmtp
# for a non-virtual (system user) setup, as with mail_location = maildir:~/maildir
mailbox_transport = lmtp:unix:private/dovecot-lmtp
/etc/dovecot/conf.d/10-master.conf
service lmtp {
  # the socket is created inside Postfix's chroot so the postfix lmtp client can reach it;
  # only the postfix user needs access, hence 0600
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}

  • LMTP Server: https://doc.dovecot.org/configuration_manual/protocols/lmtp_server

Userdb lookup failed

  • https://serverfault.com/questions/260488/dovecot-user-lookup-fails-when-using-usernamedomain-format

The client logs in as user@domain.net, but the userdb lookup for user@domain.net does not match the entry user. Strip the domain before the lookup:

/etc/dovecot/conf.d/10-auth.conf
# %n drops the domain part of the login name, %L lowercases it
auth_username_format = %Ln
# keep the domain for logins that are not in this host's own domain:
# auth_username_format=%{if;%d;eq;hostname.domain.net;%Ln;%Lu}

Authentication

/etc/dovecot/conf.d/10-auth.conf
# Disable plaintext authentications unless SSL/TLS is used or if you connect from localhost
disable_plaintext_auth = yes

# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey gss-spnego
# NOTE: plain sends the password unencrypted; over an SSL/TLS connection this is not a problem.
auth_mechanisms = plain

System users

By default, Dovecot uses the system users and their passwords to authenticate.

/etc/dovecot/conf.d/10-auth.conf
# use system users
!include auth-system.conf.ext
/etc/dovecot/conf.d/auth-system.conf.ext
passdb {
  driver = pam
  # use /etc/pam.d/imap for IMAP
  args = %s
}

userdb {
  driver = passwd
}
/etc/pam.d/imap
# allow IMAP access only for users in /etc/imapusers file
auth    required        pam_listfile.so item=user sense=allow file=/etc/imapusers onerr=fail
/etc/imapusers
user1
user2

Passwd-file

/etc/dovecot/conf.d/10-auth.conf
# use non-system users with passwd-file
!include auth-passwdfile.conf.ext
/etc/dovecot/conf.d/auth-passwdfile.conf.ext
passdb {
  driver = passwd-file
  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/users
}

userdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/users
}
/etc/dovecot/users
# password only
user:{SHA512-CRYPT}pass

# user:password:uid:gid:(gecos):home:(shell):extra_fields
# userdb_mail overrides mail_location for this user; allow_nets restricts where the user may log in from
# (local matches non-IP connections such as the Postfix SASL Unix socket)
user:{SHA512-CRYPT}pass:1000:1000::/home/user::userdb_mail=maildir:~/maildir allow_nets=::1,127.0.0.0/8,192.168.0.0/24,local

# generate a salted password hash (prompts for the password)
doveadm pw -s SHA512-CRYPT

# check that a hash matches a password
doveadm pw -V -t '{SHA512-CRYPT}hash'

# list the available password schemes
doveadm pw -l

  • How do I change Dovecot virtual user passwords? https://serverfault.com/questions/357053/how-do-i-change-dovecot-virtual-user-passwords/440616#440616
  • Password Schemes: https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
  • allow_nets extra field: https://doc.dovecot.org/configuration_manual/authentication/allow_nets/
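The passwd-file format and the two settings around it (auth_username_format in the "Userdb lookup failed" section, allow_nets here) are easier to reason about when the lookup is spelled out. The following script is an added example, not code from the original page or from the Dovecot project: it parses the /etc/dovecot/users format shown above, normalizes the login name the way %Ln does, evaluates allow_nets against a client address (treating the `local` keyword as a match for non-IP connections, such as the Postfix SASL socket), and flags entries whose password scheme is not salted. The sample file content, the user names and the list of schemes considered strong are this example's own assumptions; verifying a hash against a password is left to `doveadm pw -t`.

```python
"""Audit a Dovecot passwd-file and simulate the passdb/userdb lookup.

Added example, not code from the original page or from Dovecot. It parses
the /etc/dovecot/users format (user:password:uid:gid:gecos:home:shell:extra),
flags weak password schemes, applies auth_username_format before the lookup
and evaluates the allow_nets extra field against a client address.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, not a real user database: hash bodies are placeholders,
# only the {SCHEME} prefix is examined.
SAMPLE_USERS_FILE = """\
# password only
alice:{SHA512-CRYPT}$6$placeholder
# full record with extra fields
bob:{SHA512-CRYPT}$6$placeholder:1000:1000::/home/bob::userdb_mail=maildir:~/maildir allow_nets=::1,127.0.0.0/8,192.168.0.0/24,local
# weak: cleartext or unsalted schemes have no place in production
eve:{PLAIN}secret
mallory:{MD5}placeholder:1001:1001::/home/mallory::allow_nets=10.0.0.0/8
"""

# Salted, iterated or memory-hard schemes from Dovecot's password_schemes list
# (the selection is this example's recommendation, not a Dovecot default).
STRONG_SCHEMES = {"SHA512-CRYPT", "SHA256-CRYPT", "BLF-CRYPT",
                  "ARGON2I", "ARGON2ID", "PBKDF2"}


@dataclass
class PasswdEntry:
    user: str
    scheme: str
    password_hash: str
    uid: Optional[int] = None
    gid: Optional[int] = None
    home: Optional[str] = None
    extra: dict = field(default_factory=dict)


def parse_passwd_file(text: str, default_scheme: str = "SHA512-CRYPT") -> list:
    """The 8th field (extra fields) may itself contain colons, as in
    userdb_mail=maildir:~/maildir, so a line is split at most 7 times."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 7)
        pw = parts[1] if len(parts) > 1 else ""
        if pw.startswith("{") and "}" in pw:
            scheme, password_hash = pw[1:pw.index("}")].upper(), pw[pw.index("}") + 1:]
        else:  # no prefix: the scheme= given in the passdb args applies
            scheme, password_hash = default_scheme, pw
        extra = dict(kv.partition("=")[::2] for kv in parts[7].split()) if len(parts) > 7 else {}
        entries.append(PasswdEntry(
            user=parts[0], scheme=scheme, password_hash=password_hash,
            uid=int(parts[2]) if len(parts) > 2 and parts[2] else None,
            gid=int(parts[3]) if len(parts) > 3 and parts[3] else None,
            home=parts[5] if len(parts) > 5 and parts[5] else None,
            extra=extra))
    return entries


def normalize_login(login: str, auth_username_format: str = "%Ln") -> str:
    """Subset of auth_username_format used on this page: %n drops the
    domain, %L lowercases, %u keeps the full login name."""
    local_part = login.partition("@")[0]
    return {"%Ln": local_part.lower(), "%n": local_part,
            "%Lu": login.lower(), "%u": login}[auth_username_format]


def allowed_from(entry: PasswdEntry, client_ip: Optional[str]) -> bool:
    """allow_nets: absent means unrestricted; 'local' matches non-IP (Unix
    socket) connections, represented here as client_ip=None."""
    nets = entry.extra.get("allow_nets")
    if nets is None:
        return True
    items = [n.strip() for n in nets.split(",")]
    if client_ip is None:
        return "local" in items
    addr = ipaddress.ip_address(client_ip)  # v4 address never matches a v6 network
    return any(addr in ipaddress.ip_network(n, strict=False)
               for n in items if n != "local")


def lookup(entries: list, login: str, client_ip: Optional[str] = None):
    """Simulated passdb+userdb lookup; returns (entry, verdict)."""
    entry = {e.user: e for e in entries}.get(normalize_login(login))
    if entry is None:
        return None, "unknown user"
    if not allowed_from(entry, client_ip):
        return entry, "denied by allow_nets"
    return entry, "ok"


def audit(entries: list) -> list:
    """Findings a reviewer would raise on the file."""
    findings = []
    for e in entries:
        if e.scheme not in STRONG_SCHEMES:
            findings.append(f"{e.user}: weak or cleartext scheme {e.scheme}")
        if e.uid == 0 or e.gid == 0:
            findings.append(f"{e.user}: uid/gid 0, Dovecot will not run mail processes as root")
    return findings


ENTRIES = parse_passwd_file(SAMPLE_USERS_FILE)
```

Run `audit(ENTRIES)` against the real file (read it as root, it holds password hashes) before deploying; `lookup(ENTRIES, "Bob@domain.net", "192.168.0.10")` shows why the %Ln normalization is what makes the user@domain login find the plain `bob` entry.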

Virtual Users

  • https://doc.dovecot.org/configuration_manual/virtual_users/

SASL client authentication

  • https://help.ubuntu.com/community/PostfixDovecotSASL#Dovecot

Configuration needed so that Postfix can authenticate its SMTP clients through Dovecot's auth service.

/etc/dovecot/conf.d/10-master.conf
service auth {
  # Postfix smtp-auth: the socket is created inside Postfix's chroot (/var/spool/postfix)
  unix_listener /var/spool/postfix/private/auth {
    # 0660 is enough since owner and group are postfix; 0666 also lets any other local user talk to the socket
    mode = 0666
    user = postfix
    group = postfix
  }
}
/etc/dovecot/conf.d/10-auth.conf
# add the login authentication mechanism
auth_mechanisms = plain login

TLS

/etc/dovecot/conf.d/10-ssl.conf
# refuse cleartext logins: a connection on 143 must be upgraded with STARTTLS before authenticating
ssl = required

# "<" makes Dovecot read the files at startup and on reload: reload Dovecot after every certificate renewal
ssl_cert = </etc/letsencrypt/live/domain.fr/fullchain.pem
ssl_key = </etc/letsencrypt/live/domain.fr/privkey.pem

# TLS 1.0 and 1.1 are deprecated; do not go below 1.2
ssl_min_protocol = TLSv1.2

IMAP Compression

  • https://doc.dovecot.org/configuration_manual/imap_compress

/etc/dovecot/conf.d/20-imap.conf
protocol imap {
  # imap_zlib: lets clients negotiate COMPRESS=DEFLATE to reduce IMAP bandwidth usage
  mail_plugins = $mail_plugins imap_zlib
}

Test

# imap (imap2 is the /etc/services name of port 143); a cleartext LOGIN is accepted from localhost only
telnet localhost imap2
# * OK [CAPABILITY ...] Dovecot ready.
A1 LOGIN username password
# A1 OK [CAPABILITY ...] Logged in
A2 LIST "" "*"
A3 EXAMINE INBOX
A5 LOGOUT

# imap with STARTTLS
openssl s_client -connect localhost:143 -starttls imap

# imaps (implicit TLS)
openssl s_client -connect hostname.domain.net:993
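The first line those sessions print is the server greeting, and its CAPABILITY list is where the TLS and authentication settings above become visible: on 143, a server with ssl = required / disable_plaintext_auth = yes must advertise STARTTLS and LOGINDISABLED and no AUTH= mechanism until the upgrade, while on 993 the mechanisms may be offered right away. The script below is an added example, not code from the original page or from Dovecot: it parses such a greeting and reports the deviations. The greeting strings are constructed samples in Dovecot's format (not captured from a real host) so the checks run offline; fetch_greeting() reads a live one. Run it from a remote host, because Dovecot treats a connection from localhost as secured and will offer AUTH=PLAIN there even with plaintext authentication disabled.

```python
"""Grade an IMAP greeting against the posture ssl = required and
disable_plaintext_auth = yes are meant to produce.

Added example, not code from the original page or from Dovecot.
"""
import re
import socket
import ssl

# Constructed greetings in Dovecot's format, not captured from a real host.
GREETING_143_HARDENED = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE "
                         "IDLE LITERAL+ STARTTLS LOGINDISABLED] Dovecot ready.")
GREETING_143_WEAK = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE "
                     "IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")
GREETING_993 = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE "
                "IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")

_GREETING_RE = re.compile(r"^\* (?:OK|PREAUTH) \[CAPABILITY ([^\]]+)\]")


def parse_capabilities(greeting: str) -> set:
    """Extract the CAPABILITY response code carried by the greeting (RFC 3501 7.1)."""
    m = _GREETING_RE.match(greeting.strip())
    if not m:
        raise ValueError("not an IMAP greeting carrying a CAPABILITY code")
    return set(m.group(1).split())


def assess(greeting: str, implicit_tls: bool) -> dict:
    """Capabilities, advertised SASL mechanisms and security findings.
    implicit_tls=False is the port 143 case, True the port 993 case."""
    caps = parse_capabilities(greeting)
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    findings = []
    if not implicit_tls:
        if "STARTTLS" not in caps:
            findings.append("cleartext port does not offer STARTTLS")
        if mechs or "LOGINDISABLED" not in caps:
            findings.append("password authentication accepted before STARTTLS "
                            "(expected disable_plaintext_auth = yes / ssl = required)")
    else:
        if not mechs:
            findings.append("no SASL mechanism advertised on the TLS port")
        if "STARTTLS" in caps:
            findings.append("STARTTLS advertised inside TLS (not allowed by RFC 3501; check the port mapping)")
    return {"capabilities": caps, "mechanisms": mechs,
            "findings": findings, "ok": not findings}


def fetch_greeting(host: str, port: int, timeout: float = 5.0) -> str:
    """Read the greeting from a live server; port 993 is wrapped in TLS first.
    Use a remote host: Dovecot considers localhost connections secured."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        sock = raw
        if port == 993:
            sock = ssl.create_default_context().wrap_socket(raw, server_hostname=host)
        with sock.makefile("r", encoding="ascii", newline="\r\n") as lines:
            return lines.readline()


if __name__ == "__main__":
    for name, greeting, tls in [("143 hardened", GREETING_143_HARDENED, False),
                                ("143 weak", GREETING_143_WEAK, False),
                                ("993", GREETING_993, True)]:
        result = assess(greeting, tls)
        print(name, "OK" if result["ok"] else result["findings"])
```

`assess(fetch_greeting("hostname.domain.net", 143), implicit_tls=False)` is the check to run after changing 10-ssl.conf or 10-auth.conf; a non-empty findings list on 143 means a client can still send its password in the clear.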

Debug

/etc/dovecot/conf.d/10-logging.conf
# Log unsuccessful authentication attempts and the reasons why they failed.
auth_verbose = yes

# Even more verbose logging for debugging purposes.
auth_debug = yes

# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
# WARNING: this writes user passwords in clear text to the mail log; enable it only
# while reproducing a problem, then turn it off and clean the log.
auth_debug_passwords = yes

# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
mail_debug = yes

Logging

  • https://doc.dovecot.org/admin_manual/logging

  • /var/log/syslog
  • /var/log/mail.log
  • /var/log/mail.err
/etc/dovecot/conf.d/10-logging.conf
# send debug and info messages to mail.log only, instead of also to syslog
debug_log_path = /var/log/mail.log
info_log_path = /var/log/mail.log

Fail2ban

/etc/fail2ban/jail.d/enabled.local
[dovecot]
enabled = true
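What the dovecot jail does behind that one line is to read the imap-login failure lines Dovecot writes to the mail log, count them per remote address (the rip= field) and ban the addresses that exceed maxretry. The script below is an added example that reproduces that logic; it is not code from the original page, from Dovecot or from fail2ban's own filter. The log lines are constructed in Dovecot's format (not captured from a real host) and cover a successful login, password failures, an idle disconnect that must not count, and a login refused for trying plaintext authentication before STARTTLS. Dovecot reports "N attempts" per disconnect, so the example can count either matching lines (fail2ban's unit) or the summed attempts, which is stricter.

```python
"""Detect brute-force and plaintext-auth probes in Dovecot's mail log,
the way the fail2ban dovecot jail does.

Added example, not code from the original page, Dovecot or fail2ban.
"""
import re
from dataclasses import dataclass, field

# Constructed log lines in Dovecot 2.3 imap-login format (not a real capture).
SAMPLE_MAIL_LOG = """\
Sep  4 13:55:58 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.168.0.10, lip=192.168.0.1, mpid=2310, TLS, session=<c1>
Sep  4 13:56:01 mail dovecot: imap-login: Disconnected: Connection closed (auth failed, 3 attempts in 10 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.168.0.1, TLS, session=<c2>
Sep  4 13:56:05 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.5, lip=192.168.0.1, TLS, session=<c3>
Sep  4 13:56:09 mail dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=198.51.100.9, lip=192.168.0.1, session=<c4>
Sep  4 13:56:12 mail dovecot: imap-login: Disconnected: Connection closed (tried to use disallowed plaintext auth): user=<bob>, rip=198.51.100.23, lip=192.168.0.1, session=<c5>
Sep  4 13:56:20 mail dovecot: imap-login: Disconnected: Connection closed (auth failed, 2 attempts in 5 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.168.0.1, TLS, session=<c6>
"""

# Two failure shapes: N failed password attempts, or a plaintext login
# refused by disable_plaintext_auth before STARTTLS. Idle disconnects
# ("no auth attempts") deliberately do not match.
FAILURE_RE = re.compile(
    r"dovecot: (?:imap|pop3)-login: (?:Aborted login|Disconnected(?:: [^(]*?)?)\s"
    r"\((?:auth failed, (?P<attempts>\d+) attempts? in \d+ secs"
    r"|tried to use (?:disabled|disallowed) \S+ auth)\):"
    r" user=<(?P<user>[^>]*)>,(?: method=\S+,)? rip=(?P<rip>[^,]+),"
)


@dataclass
class Offender:
    rip: str
    events: int = 0             # matching log lines (what fail2ban counts)
    attempts: int = 0           # failed passwords as reported by Dovecot
    plaintext_refused: int = 0  # logins blocked for lacking STARTTLS
    users: set = field(default_factory=set)


def scan(log_text: str) -> dict:
    """Aggregate failure lines per remote IP."""
    offenders = {}
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue
        o = offenders.setdefault(m["rip"], Offender(m["rip"]))
        o.events += 1
        if m["attempts"] is not None:
            o.attempts += int(m["attempts"])
        else:
            o.plaintext_refused += 1
        if m["user"]:
            o.users.add(m["user"])
    return offenders


def to_ban(offenders: dict, maxretry: int = 5, by_attempts: bool = True) -> list:
    """Addresses at or over the threshold. fail2ban's default maxretry is 5
    matching lines; by_attempts=True sums the attempts Dovecot reports
    instead, since one disconnect line can hide several failed passwords."""
    key = (lambda o: o.attempts) if by_attempts else (lambda o: o.events)
    return sorted(o.rip for o in offenders.values() if key(o) >= maxretry)


OFFENDERS = scan(SAMPLE_MAIL_LOG)

if __name__ == "__main__":
    for o in OFFENDERS.values():
        print(f"{o.rip}: {o.events} events, {o.attempts} failed passwords, "
              f"{o.plaintext_refused} plaintext refused, users={sorted(o.users)}")
    print("ban:", to_ban(OFFENDERS))
```

Point `scan()` at the contents of /var/log/mail.log to see what the jail would act on; the `plaintext_refused` counter is also a quick way to spot clients that are still configured without STARTTLS after ssl = required is deployed.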

Android application

  • Blue Mail

Configuration

  • IMAP server: mail.domain.fr
  • Security: STARTTLS
  • Authentication: PLAIN
  • Port: 143
  • SMTP server: mail.domain.fr
  • Security: STARTTLS
  • Port: 587
  • Authentication: AUTOMATIC

UFW

# allow incoming IMAP (143) to fetch emails
sudo ufw allow "Dovecot IMAP"

# allow incoming IMAPs (993) to fetch emails
sudo ufw allow "Dovecot Secure IMAP"

Installation

sudo apt install dovecot-imapd dovecot-lmtpd