Differences

email:configure-dovecot [2025/03/03 14:34] – created willyemail:configure-dovecot [2026/01/22 17:58] (current) – [Setup Sieve] willy
Line 1: Line 1:
-====== Configuring Dovecot ======+====== G) Configuring Dovecot ======
  
 +Dovecot configuation is stored in **/etc/dovecot**. There is a master file called **dovecot.conf** but most of the changes need to be applied to the files under **/etc/dovecot/conf.d**. 
  
-<file - dovecot.conf> +For each file, i will show you the changes from the defaults that you need to apply.
-log_path = syslog +
-syslog_facility = mail +
-mail_debug = no +
-auth_debug = no +
-auth_debug_passwords = no +
-auth_verbose = no +
-base_dir = /var/run/dovecot/ +
-listen = * +
-protocols = imap sieve  +
-login_greeting = IMAPD ready.+
  
-# Mailbox setup +**NOTE:** Dovecot 2.4 introduced some changes to the config file. The following has been adapted to this new format. 
-mail_location maildir:/home/vmail/storage/%d/%n/maildir + 
-namespace inbox {  +===== Main changes ===== 
-  inbox = yes+ 
 +You need to enable the selected protocols and change the login greeting, as i don't like to let others know that i use dovecot, for security reasons. 
 + 
 +Edit **doveconf.conf**: 
 +<code> 
 +dovecot_config_version = 2.4.2 
 +dovecot_storage_version = 2.4.2 
 + 
 +!include_try conf.d/*.conf 
 + 
 +protocols 
 +  imap = yes 
 +  lmtp = yes 
 +  sieve = yes
 } }
-mail_uid = 5000 
-mail_gid = 5000 
-mailbox_list_index = yes 
-mailbox_idle_check_interval = 30 secs 
-maildir_copy_with_hardlinks = yes 
  
-# Sieve +mail_home = /home/vmail/storage/%{user | domain}/%{user | username} 
-managesieve_notify_capability mailto +mail_driver maildir 
-managesieve_sieve_capability fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date+mail_path ~/maildir
  
-# Authentication and login +mail_uid vmail 
-disable_plaintext_auth yes +mail_gid vmail 
-auth_default_realm mydomain.com + 
-auth_mechanisms = plain login +namespace inbox { 
-auth_realms mydomain.com +  inbox yes 
-auth_failure_delay 2 secs+  separator 
 +}
  
-# SQLite link 
 sql_driver = sqlite sql_driver = sqlite
 sqlite_path = /home/vmail/database/vmail.sqlite3 sqlite_path = /home/vmail/database/vmail.sqlite3
 +
 passdb sql { passdb sql {
-  query = SELECT username, domain, password FROM mailbox WHERE username = '%u' AND active = 1+  query = SELECT username, domain, password FROM mailbox WHERE username = '%{user}' AND active = 1
 } }
 +
 userdb sql { userdb sql {
-  query = SELECT CONCAT('/home/vmail/storage/', maildir) AS home, CONCAT('maildir:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = 1+  query = SELECT CONCAT('/home/vmail/storage/', maildir) AS home, CONCAT('maildir:storage=', quota) AS quota FROM mailbox WHERE username = '%{user}' AND active = 1
   iterate_query = SELECT username AS user FROM mailbox   iterate_query = SELECT username AS user FROM mailbox
 } }
 +</code>
 +
 +===== Setup link to postfix =====
 +
 +Changes in **conf.d/10-master.conf**:
 +<code>
 +service lmtp {
 +  unix_listener /var/spool/postfix/private/dovecot-lmtp {
 +    group = postfix
 +    mode = 0660
 +    user = postfix
 +  }
  
 service auth { service auth {
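Review bot: the new dovecot.conf in this hunk drops the old revision's `disable_plaintext_auth yes` and `auth_failure_delay 2 secs` without saying what replaces them; in 2.4 the first became `auth_allow_cleartext` (default `no`), and since `auth_mechanisms = plain login` is kept it is worth stating `auth_allow_cleartext = no` explicitly rather than relying on the default. The prose says to change the login greeting so the server does not advertise Dovecot, but no `login_greeting` line appears in the new file (the old one had `login_greeting = IMAPD ready.`); add it back. Several added lines read `protocols` without `{`, `mail_driver maildir`, `mail_uid vmail`, `inbox yes` and a bare `separator`, so check that the `{` and `=` characters survived in the actual file. The same `mail_home`/`mail_driver`/`mail_path`/`mail_uid`/`mail_gid` settings are repeated in conf.d/10-mail.conf in the next hunk; because dovecot.conf sets them after `!include_try conf.d/*.conf`, the dovecot.conf copy takes precedence and the other is dead text, so keep them in one place. The new `service lmtp {` block closes its `unix_listener` but no closing `}` for the service itself is visible before `service auth {`.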
Line 54: Line 67:
   }   }
 } }
 +</code>
  
-# SSL TLS setup+This is required because postfix will use dovecot to deliver mail to mailboxes internally and to perform SASL authentication as well. 
 + 
 +===== Setup Sieve ===== 
 + 
 +Sieve let's you create custom filters that will filter your inbound emails. 
 + 
 +Changes in **conf.d/90-sieve.conf**: 
 +<code> 
 +sieve_script personal { 
 +  path = /home/vmail/storage/%{user | domain}/%{user | username}/sieve 
 +
 +</code> 
 + 
 +And enable sieve for lmtp (local delivery), edit **conf.d/20-lmtp.conf**: 
 +<code> 
 +protocol lmtp { 
 +    mail_plugins { 
 +    sieve = yes 
 +  } 
 +</code> 
 + 
 + 
 +===== Setup authentication ===== 
 + 
 +Changes in **conf.d/10-auth.conf**: 
 +<code> 
 +auth_mechanisms = plain login 
 +</code> 
 + 
 +===== Setup mailboxes ===== 
 + 
 +Changes in **conf.d/10-mail.conf**: 
 +<code> 
 +mail_home = /home/vmail/storage/%{user | domain}/%{user | username} 
 +mail_driver = maildir 
 +mail_path = ~/maildir 
 + 
 +mail_uid = vmail 
 +mail_gid = vmail 
 +</code> 
 + 
 +===== Setup TLS ===== 
 + 
 +You need to point to the Let's Encrypt certificates. 
 + 
 +Changes in **conf.d/10-ssl.conf**: 
 +<code>
 ssl = yes ssl = yes
-ssl_cert </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem +ssl_server { 
-ssl_key </etc/letsencrypt/live/mail.mydomain.com/privkey.pem +  cert_file = /etc/dovecot/fullchain.pem 
-ssl_min_protocol = TLSv1.2 +  key_file = /etc/dovecot/privkey.pem 
-ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384+} 
 +</code>
  
 +For this to work, you need to ensure that the certs are properly moved after being renewed by Let's Encrypt. I use the following post hook in **/etc/letsencrypt/renewal-hooks/post/dovecot.sh**:
 +<file - dovecot.sh>
 +cp /etc/letsencrypt/live/[cert path]/privkey.pem /etc/dovecot/privkey.pem
 +cp /etc/letsencrypt/live/[cert path]/fullchain.pem /etc/dovecot/fullchain.pem
 +chmod o+r /etc/dovecot/privkey.pem /etc/dovecot/fullchain.pem
 +/etc/init.d/dovecot restart
 </file> </file>
  
 +the chmod is required for command line tools using **doveadm**, like PostfixAdmin.
 +
 +===== Testing =====
 +
 +Start dovecot
 +
 +Check that login works:
 +<code bash>
 +doveadm auth test -a /var/spool/postfix/private/auth user@mydomain.com
 +</code>
 +
 +Test IMAP:
 +<code bash>
 +telnet mail.mydomain.com 143
 +Trying 1.2.3.4...
 +Connected to mail.mydomain.com.
 +Escape character is '^]'.
 +* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] IMAP </code>
 +
 +Test that login works:
 +<code bash>
 +telnet 127.0.0.1 1143
 +Trying 127.0.0.1...
 +Connected to 127.0.0.1.
 +Escape character is '^]'.
 +* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] IMAP server ready.
 +a login user@mydomain.com password
 +a OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY PREVIEW STATUS=SIZE SAVEDATE LITERAL+ NOTIFY SPECIAL-USE] Logged in
 +</code>
 +
 +Test TLS works:
 +<code bash>
 +openssl s_client -connect mail.mydomain.com:993
 +[ expect similar output as above ]
 +</code>
 +
 +Test STARTTLS works:
 +<code bash>
 +openssl s_client -connect mail.mydomain.com:143 -starttls imap
 +[ expect similar output as above ]
 +</code>
  
 +If all those checks worked fine, your dovecot seems all set!
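Review bot: `chmod o+r /etc/dovecot/privkey.pem` in the renewal hook makes the TLS private key readable by every local account, far wider than the stated need (doveadm run by PostfixAdmin's web user). Dovecot reads `ssl_server { key_file }` as root before dropping privileges, so it needs no extra permission; give the copied key a group the doveadm caller belongs to and restrict it instead, e.g. `chgrp <doveadm-group> /etc/dovecot/privkey.pem` followed by `chmod 640 /etc/dovecot/privkey.pem`, and leave only `fullchain.pem` world-readable since it is public. The hook also has no shebang or `set -e`, so a failed `cp` (for example if `[cert path]` is wrong) still restarts Dovecot, possibly with a stale key; add `#!/bin/sh` and `set -e`, and consider `doveadm reload` rather than a full `/etc/init.d/dovecot restart` for a certificate swap. The old revision pinned `ssl_min_protocol = TLSv1.2` and an explicit `ssl_cipher_list`; the new 10-ssl.conf drops both, so say whether the 2.4 defaults are intended. The `sieve_script personal {` block in 90-sieve.conf and the `protocol lmtp { mail_plugins {` block in 20-lmtp.conf are each missing a closing `}` as shown, and the first IMAP test transcript is cut off after `] IMAP`.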