Complete Virtual Mail Server/Dovecot to Database

From Gentoo Wiki
Jump to:navigation Jump to:search
This page contains changes which are not marked for translation.


Note
This article is part of the Complete Virtual Mail Server series, and may require previous parts to have been read or followed.

Dovecot will be used to provide IMAP services.

To use POP3, which is explicitly discouraged, see Complete Virtual Mail Server/POP3.

Installing Courier-IMAP

USE flags

net-mail/dovecot has a few USE flags that need to be examined.

USE flags for net-mail/dovecot An IMAP and POP3 server written with security primarily in mind

argon2 Add support for ARGON2 password schemes
caps Use Linux capabilities library to control privilege
doc Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
ipv6 Add support for IP version 6
kerberos Add kerberos support
ldap Add LDAP support (Lightweight Directory Access Protocol)
lua Enable Lua scripting support
lucene Add lucene full text search (FTS) support using dev-cpp/clucene
lz4 Enable support for lz4 compression (as implemented in app-arch/lz4)
managesieve Add managesieve protocol support
mysql Add mySQL Database support
pam Add support for PAM (Pluggable Authentication Modules)DANGEROUS to arbitrarily flip
postgres Add support for the postgresql database
rpc Add support for NFS quotas
selinux !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
sieve Add sieve support
solr Add solr full text search (FTS) support
sqlite Add support for sqliteembedded sql database
static-libs Build static versions of dynamic libraries as well
stemmer Add libstemmer support (for FTS)
suid Enable setuid root program(s)
systemd Enable use of systemd-specific libraries and features like socket activation or session tracking
tcpd Add support for TCP wrappers
textcat Add libtextcat language guessing support for full text search (FTS)
unwind Add support for call stack unwinding and function name resolution
zstd Add support for zstd (de)compression

Regarding the database flags, only choose the desired database backend. Other flags may be activated if their functionality is desired.

Emerge

root #emerge --ask net-mail/dovecot

Configuring dovecot

FILE /etc/dovecot/dovecot.confenable imap
protocols = imap
FILE /etc/dovecot/conf.d/10-mail.confmailbox setup
mail_location = maildir:%h
namespace inbox { 
  inbox = yes
}
mail_uid = 5000
mail_gid = 5000
mailbox_list_index = yes
mailbox_idle_check_interval = 30 secs
maildir_copy_with_hardlinks = yes
FILE /etc/dovecot/conf.d/10-ssl.confTLS setup
ssl = yes
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384

Configuring the authentication mechanism

PostgreSQL

FILE /etc/dovecot/conf.d/10-auth.confAuthentication setup
disable_plaintext_auth = yes
auth_default_realm = example.com
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_failure_delay = 2 secs
auth_mechanisms = plain login
!include auth-sql.conf.ext
FILE /etc/dovecot/dovecot-sql.conf.extConnection with postgres
driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=secret
default_pass_scheme = CRYPT
password_query = \
  SELECT local_part AS username, domain, password FROM mailbox WHERE local_part = '%n' AND domain = '%d'
user_query = \
  SELECT local_part AS user, CONCAT('/var/vmail/',maildir) AS home FROM mailbox WHERE local_part = '%n' AND domain = '%d'

Access permissions

Permissions must be set correctly, as the files can contain sensitive password information:

root #chmod 660 /etc/dovecot/dovecot-sql.conf.ext

Testing authentication

Dovecot includes a simple testing utility. It requires a valid username as parameter.

To perform some basic tests, start dovecot:

root #rc-service dovecot start

Run the auth utility with the testuser:

root #dovecot auth login testuser
passdb: testuser auth succeeded
extra fields:
  user=testuser@example.com
  
  original_user=testuser
userdb extra fields:
  testuser
  home=/var/vmail/example.com/testuser/
  auth_mech=PLAIN

Testing IMAP

Dovecot should be started:

root #rc-service dovecot start

Once started, telnet could be used to identify initial problems. Once logging in with telnet works, a mail client can be used:

user $telnet example.com 143
Trying 127.0.0.1...
Connected to example.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
1 LOGIN testuser secret 
1 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY PREVIEW STATUS=SIZE SAVEDATE LITERAL+ NOTIFY SPECIAL-USE] Logged in
1 LOGOUT
* BYE Logging out
1 OK LOGOUT completed (0.001 + 0.000 secs).
Connection closed by foreign host.

If testing works properly, add dovecot to the default runlevel:

root #rc-update add dovecot default