====== G) Configuring Dovecot ======

Dovecot configuration is stored in **/etc/dovecot**. There is a master file called **dovecot.conf**, but most of the changes need to be applied to the files under **/etc/dovecot/conf.d**.

For each file, I will show you the changes from the defaults that you need to apply.

**NOTE:** Dovecot 2.4 introduced some changes to the config file. The following has been adapted to this new format.

===== Main changes =====

You need to enable the selected protocols and change the login greeting, as I don't like to let others know that I use Dovecot, for security reasons.

Edit **dovecot.conf**:
<code>
dovecot_config_version = 2.4.2
dovecot_storage_version = 2.4.2

!include_try conf.d/*.conf

protocols {
  imap = yes
  lmtp = yes
  sieve = yes
}

mail_home = /home/vmail/storage/%{user | domain}/%{user | username}
mail_driver = maildir
mail_path = ~/maildir
mail_uid = vmail
mail_gid = vmail

namespace inbox {
  inbox = yes
  separator = /
}

sql_driver = sqlite
sqlite_path = /home/vmail/database/vmail.sqlite3

passdb sql {
  query = SELECT username, domain, password FROM mailbox WHERE username = '%{user}' AND active = 1
}

userdb sql {
  query = SELECT CONCAT('/home/vmail/storage/', maildir) AS home, CONCAT('maildir:storage=', quota) AS quota FROM mailbox WHERE username = '%{user}' AND active = 1
  iterate_query = SELECT username AS user FROM mailbox
}
</code>

===== Setup link to postfix =====

Changes in **conf.d/10-master.conf**:
<code>
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
</code>

This is required because postfix will use dovecot to deliver mail to mailboxes internally and to perform SASL authentication as well.

===== Setup Sieve =====

Sieve lets you create custom filters for your inbound emails.

Changes in **conf.d/90-sieve.conf**:
<code>
sieve_script personal {
  path = /home/vmail/storage/%{user | domain}/%{user | username}/sieve
}
</code>

To enable sieve for lmtp (local delivery), edit **conf.d/20-lmtp.conf**:
<code>
protocol lmtp {
  mail_plugins {
    sieve = yes
  }
}
</code>

===== Setup authentication =====

Changes in **conf.d/10-auth.conf**:
<code>
auth_mechanisms = plain login
</code>

===== Setup mailboxes =====

Changes in **conf.d/10-mail.conf**:
<code>
mail_home = /home/vmail/storage/%{user | domain}/%{user | username}
mail_driver = maildir
mail_path = ~/maildir
mail_uid = vmail
mail_gid = vmail
</code>

===== Setup TLS =====

You need to point to the Let's Encrypt certificates.

Changes in **conf.d/10-ssl.conf**:
<code>
ssl = yes
ssl_server {
  cert_file = /etc/dovecot/fullchain.pem
  key_file = /etc/dovecot/privkey.pem
}
</code>

For this to work, you need to ensure that the certs are properly moved after being renewed by Let's Encrypt. I use the following post hook in **/etc/letsencrypt/renewal-hooks/post/dovecot.sh**:
<code>
#!/bin/sh
# Copy the renewed key and certificate chain to where Dovecot reads them
cp /etc/letsencrypt/live/[cert path]/privkey.pem /etc/dovecot/privkey.pem
cp /etc/letsencrypt/live/[cert path]/fullchain.pem /etc/dovecot/fullchain.pem
# Make both files readable by other users (needed by doveadm-based tools)
chmod o+r /etc/dovecot/privkey.pem /etc/dovecot/fullchain.pem
/etc/init.d/dovecot restart
</code>

The chmod is required for command line tools using **doveadm**, like PostfixAdmin. Note that o+r also makes **privkey.pem** readable by every local account on the server.

===== Testing =====

Start dovecot.

Check that login works:
<code>
doveadm auth test -a /var/spool/postfix/private/auth user@mydomain.com
</code>

Test IMAP:
<code>
telnet mail.mydomain.com 143
Trying 1.2.3.4...
Connected to mail.mydomain.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] IMAP
</code>

Test that login works:
<code>
telnet 127.0.0.1 1143
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] IMAP server ready.
a login user@mydomain.com password
a OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY PREVIEW STATUS=SIZE SAVEDATE LITERAL+ NOTIFY SPECIAL-USE] Logged in
</code>

Test TLS works:
<code>
openssl s_client -connect mail.mydomain.com:993
[ expect similar output as above ]
</code>

Test STARTTLS works:
<code>
openssl s_client -connect mail.mydomain.com:143 -starttls imap
[ expect similar output as above ]
</code>

If all those checks worked fine, your dovecot seems all set!
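
The greeting returned in the Testing section also tells you whether the server will take a password before TLS is negotiated. The following is an added example, not part of the original guide: it parses an IMAP greeting captured on the plaintext port and reports what is offered before STARTTLS. The function names and the hardened sample greeting are assumptions made for illustration.

```python
import re

# Greeting as shown in the Testing section above (captured before any TLS).
PAGE_GREETING = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                 "LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] IMAP server ready.")
# Constructed sample: a greeting that refuses cleartext logins before STARTTLS.
HARDENED_GREETING = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE "
                     "IDLE LITERAL+ STARTTLS LOGINDISABLED] IMAP server ready.")

# SASL mechanisms that send the password itself over the connection.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_capabilities(greeting):
    """Return the upper-cased capability set from an IMAP greeting or an
    untagged CAPABILITY response; an empty set if neither form is present."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting, re.I) or \
        re.match(r"\* CAPABILITY (.*)", greeting.strip(), re.I)
    return {c.upper() for c in m.group(1).split()} if m else set()


def audit_pre_tls(greeting):
    """Audit a greeting captured on port 143 before STARTTLS was issued."""
    caps = parse_capabilities(greeting)
    if not caps:
        return ["no CAPABILITY list in greeting; send 'a CAPABILITY' and audit that"]
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: the session cannot be upgraded to TLS")
    mechs = sorted(c[5:] for c in caps
                   if c.startswith("AUTH=") and c[5:] in CLEARTEXT_MECHS)
    if mechs:
        findings.append("cleartext SASL offered before TLS: " + ", ".join(mechs))
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN command not disabled before TLS (no LOGINDISABLED)")
    return findings


if __name__ == "__main__":
    for name, greeting in (("page", PAGE_GREETING), ("hardened", HARDENED_GREETING)):
        print(name, audit_pre_tls(greeting) or "ok")
```

Capture the greeting from a host on the network your mail clients actually use, since a server may advertise different capabilities to different client addresses. In Dovecot 2.4 the setting that governs cleartext authentication before TLS is auth_allow_cleartext.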