Liens
Description
Dovecot is a POP/IMAP (Post Office Protocol / Internet Message Access Protocol) server.
Ports
port
|
description
|
143 incoming |
standard IMAP port: the connection starts in plaintext and is upgraded to TLS with STARTTLS (see `ssl = required` below, which requires TLS before login)
|
993 incoming |
standard IMAPS port: implicit TLS, the whole session is encrypted from the first byte (no STARTTLS negotiation)
|
Commands
|
# display the current configuration: only the settings that differ from the
# defaults, merged from dovecot.conf and every file it includes (conf.d/*)
dovecot -n
|
Protocols
/etc/dovecot/dovecot.conf
|
# Enable installed protocols: each dovecot-*d package drops a
# /usr/share/dovecot/protocols.d/*.protocol file that appends to $protocols.
# include_try (unlike include) does not fail when no file matches the glob.
!include_try /usr/share/dovecot/protocols.d/*.protocol
|
/usr/share/dovecot/protocols.d/imapd.protocol
|
# append imap to whatever other *.protocol files already enabled
protocols = $protocols imap
|
Mailboxes
- mbox: stores all the messages of a mailbox in a single file
- maildir: stores each message as its own file inside a directory tree (the format used by the rest of this page)
/etc/dovecot/conf.d/10-mail.conf
|
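# Only one mail_location can be in effect: if both lines are left
# uncommented the later assignment silently overrides the earlier one.
# Virtual users (passwd-file): one maildir per user under /var/mail
# mail_location = maildir:/var/mail/%u
# System users (PAM): maildir inside the user's home directory
mail_location = maildir:~/maildir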
|
|
Ensure the dovecot-lmtpd package is installed (see Installation at the bottom of the page) |
/etc/postfix/main.cf
|
# for a virtual user setup (passdb/userdb passwd-file): hand mail to Dovecot's
# LMTP socket declared in 10-master.conf (path is relative to the Postfix queue directory)
virtual_transport = lmtp:unix:private/dovecot-lmtp
# for a non virtual user setup ( system users, as when mail_location = maildir:~/maildir )
mailbox_transport = lmtp:unix:private/dovecot-lmtp
|
/etc/dovecot/conf.d/10-master.conf
|
# LMTP socket Postfix delivers into; created inside the Postfix queue directory
# so it is reachable from the Postfix chroot.
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    # only the postfix user may deliver: owner-only access, no group/world bits
    mode = 0600
    user = postfix
    group = postfix
  }
}
|
Fixing "Userdb lookup user@domain.net doesn't match user" (the client logs in with a full address while the account name carries no domain)
/etc/dovecot/conf.d/10-auth.conf
|
# Normalise the login name before the passdb/userdb lookup:
# %Ln = lowercase, local part only (%n would drop away the domain if it was given),
# so "User@domain.net" is looked up as the account "user".
auth_username_format = %Ln
# Alternative: drop the domain only when it is our own hostname and keep it
# otherwise (for real virtual domains):
# auth_username_format=%{if;%d;eq;hostname.domain.net;%Ln;%Lu}
|
Authentication
/etc/dovecot/conf.d/10-auth.conf
|
# Disable plaintext authentications unless SSL/TLS is used or the client
# connects from localhost (localhost is treated as a secured connection)
disable_plaintext_auth = yes
# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey gss-spnego
# NOTE: PLAIN sends the password unencrypted. Inside an SSL/TLS session that is
# not a problem, and with disable_plaintext_auth = yes it is only ever offered
# over TLS (or from localhost). The Postfix SASL section further down extends
# this value to "plain login".
auth_mechanisms = plain
|
By default, Dovecot authenticates system users (through PAM) with their system passwords.
/etc/dovecot/conf.d/10-auth.conf
|
# use system users (PAM passdb + passwd userdb). Including both this file and
# auth-passwdfile.conf.ext makes Dovecot try the passdbs in include order;
# keep only the one you actually use unless that fallback is intended.
!include auth-system.conf.ext
|
/etc/dovecot/conf.d/auth-system.conf.ext
|
# Passwords are checked through PAM. %s expands to the service name
# (imap, pop3, ...), so IMAP logins go through the /etc/pam.d/imap stack.
passdb {
  driver = pam
  # use /etc/pam.d/imap for IMAP
  args = %s
}
# uid/gid/home of the mailbox owner come from the system passwd database (NSS)
userdb {
  driver = passwd
}
|
/etc/pam.d/imap
|
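# allow IMAP access only for users listed in /etc/imapusers
# (onerr=fail: a missing or unreadable list denies everyone instead of
# silently allowing everyone)
auth required pam_listfile.so item=user sense=allow file=/etc/imapusers onerr=fail
# pam_listfile only filters on the username and never verifies a password:
# if this file held nothing else, the auth stack would succeed for any listed
# user whatever password was typed. Chain the system stacks after it.
# (Debian/Ubuntu names; on RHEL-like systems use "auth include system-auth"
# and "account include system-auth" instead.)
@include common-auth
@include common-account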
|
/etc/imapusers
|
user1
user2
|
/etc/dovecot/conf.d/10-auth.conf
|
# use non-system (virtual) users stored in a flat file managed with doveadm pw;
# auth-passwdfile.conf.ext sets the file path and the hash scheme
!include auth-passwdfile.conf.ext
|
/etc/dovecot/conf.d/auth-passwdfile.conf.ext
|
# Virtual users kept in /etc/dovecot/users (passwd(5)-like format).
# The file holds password hashes: keep it readable by root and the Dovecot
# auth process only (e.g. 0640 root:dovecot - confirm which user the auth
# process runs as on this install).
passdb {
  driver = passwd-file
  # scheme= is the default for entries without a {SCHEME} prefix;
  # username_format=%u looks the user up as received (after auth_username_format)
  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/users
}
userdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/users
}
|
/etc/dovecot/users
|
# Each line: user:{SCHEME}hash[:uid:gid:gecos:home:shell:extra_fields]
# "pass" below stands for the hash printed by `doveadm pw -s SHA512-CRYPT`,
# never the cleartext password.
# minimal entry: username and hashed password only
user:{SHA512-CRYPT}pass
# user:password:uid:gid:(gecos):home:(shell):extra_fields
# extra fields: userdb_mail overrides mail_location for this user;
# allow_nets only accepts logins for this user from the listed networks
# ("local" = connections not made over IP, e.g. a unix socket)
user:{SHA512-CRYPT}pass:1000:1000::/home/user::userdb_mail=maildir:~/maildir allow_nets=::1,127.0.0.0/8,192.168.0.0/24,local
|
|
# generate a password hash: doveadm prompts for the password interactively,
# which keeps it out of the shell history (avoid passing it with -p)
doveadm pw -s SHA512-CRYPT
# check that the hash matches the password (prompts for the password)
doveadm pw -V -t '{SHA512-CRYPT}hash'
# list available password schemes
doveadm pw -l
|
Configuration needed for Postfix to verify SMTP AUTH credentials through Dovecot (SASL) over a unix socket.
/etc/dovecot/conf.d/10-master.conf
|
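# Socket Postfix uses to hand SMTP AUTH (SASL) credentials to Dovecot.
service auth {
  # Postfix smtp-auth: path is inside the Postfix queue directory so the
  # socket is reachable from the Postfix chroot (Postfix refers to it as
  # private/auth, relative to its queue directory).
  unix_listener /var/spool/postfix/private/auth {
    # Owner and group are set to postfix, so group access is all that is
    # required; 0666 (world read/write) grants more than needed.
    mode = 0660
    user = postfix
    group = postfix
  }
}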
|
/etc/dovecot/conf.d/10-auth.conf
|
# add the LOGIN authentication mechanism. This assignment replaces the earlier
# "auth_mechanisms = plain" (last assignment wins). LOGIN is the legacy SMTP
# AUTH mechanism some mail clients still use against Postfix; like PLAIN it
# sends the password in the clear and relies on disable_plaintext_auth and
# ssl = required to only ever run inside TLS.
auth_mechanisms = plain login
|
/etc/dovecot/conf.d/10-ssl.conf
|
# Require TLS for logins: 143 must upgrade with STARTTLS first, 993 is implicit TLS.
ssl = required
# "<" makes Dovecot read the value from the file. The Let's Encrypt live/
# paths are symlinks refreshed on renewal; reload Dovecot after each renewal
# (e.g. from a certbot deploy hook) so the new certificate is served.
ssl_cert = </etc/letsencrypt/live/domain.fr/fullchain.pem
# Dovecot opens the key as root before dropping privileges, so it can stay
# root-only readable (0600); do not loosen its permissions for the dovecot user.
ssl_key = </etc/letsencrypt/live/domain.fr/privkey.pem
# Refuse TLS 1.0/1.1 (setting name for Dovecot 2.3+; older releases used ssl_protocols)
ssl_min_protocol = TLSv1.2
|
/etc/dovecot/conf.d/20-imap.conf
|
# IMAP-only settings
protocol imap {
  # imap_zlib: lets clients negotiate compression to reduce IMAP bandwidth;
  # $mail_plugins keeps whatever plugins are enabled globally
  mail_plugins = $mail_plugins imap_zlib
}
|
Test
|
# imap: plaintext session on 143 ("imap2" is the /etc/services name for port 143).
# LOGIN here sends the password in the clear, so only do this from localhost
# (which Dovecot treats as a secured connection); from any other host use the
# openssl commands below.
telnet localhost imap2
# OK * DOVECOT * READY
A1 LOGIN username password
# LOGGED IN
A2 LIST "" "*"
A3 EXAMINE INBOX
A5 LOGOUT
# imap over STARTTLS on 143 (then issue the same A1..A5 commands)
openssl s_client -connect localhost:143 -starttls imap
# imaps: implicit TLS on 993; use the real hostname so the certificate name
# can be checked (add -verify_return_error to abort on a bad certificate)
openssl s_client -connect hostname.domain.net:993
|
Debug
/etc/dovecot/conf.d/10-logging.conf
|
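# Log unsuccessful authentication attempts and the reasons why they failed.
# Safe to leave on permanently.
auth_verbose = yes
# Even more verbose logging for debugging purposes.
auth_debug = yes
# WARNING: auth_debug_passwords writes the CLEARTEXT password of every login
# attempt (plus the scheme/hash it was compared against) to the mail log.
# Uncomment only while reproducing a password mismatch, set it back to no
# afterwards, and treat the log written in between as containing secrets.
# Enabling this also enables auth_debug.
#auth_debug_passwords = yes
# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
mail_debug = yes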
|
- /var/log/syslog
- /var/log/mail.log
- /var/log/mail.err
/etc/dovecot/conf.d/10-logging.conf
|
# send debug and info messages to mail.log only (they no longer reach syslog).
# If auth_debug_passwords was ever enabled, this file contains cleartext
# passwords: keep it readable by root/adm only and make sure it is rotated.
debug_log_path = /var/log/mail.log
info_log_path = /var/log/mail.log
|
/etc/fail2ban/jail.d/enabled.local
|
# enable the stock dovecot jail: bans source IPs after repeated failed logins.
# The filter reads the auth failure lines Dovecot writes to the mail log;
# check that logpath in jail.conf matches the paths set in 10-logging.conf.
[dovecot]
enabled = true
|
Application Android
Configuration
- Serveur IMAP: mail.domain.fr
- Sécurité: STARTTLS
- Authentification: PLAIN
- Port: 143
- Serveur SMTP: mail.domain.fr
- Sécurité: STARTTLS
- Port: 587
- Authentification: AUTOMATIC
UFW
|
# allow incoming IMAP (143, STARTTLS) to fetch emails; only needed if clients use port 143
sudo ufw allow "Dovecot IMAP"
# allow incoming IMAPS (993, implicit TLS) to fetch emails
sudo ufw allow "Dovecot Secure IMAP"
# (profile names come from /etc/ufw/applications.d; list them with: ufw app list)
|
Installation
|
sudo apt install dovecot-imapd dovecot-lmtpd
|