HOWTO Secure Mail Server using Dovecot
From Gentoo Linux Wiki
Introduction
dovecot is "an open source IMAP and POP3 server for Linux/UNIX-like systems, written with security primarily in mind. Although it's written in C, it uses several coding techniques to avoid most of the common pitfalls."
Full details about Dovecot can be found at its website http://www.dovecot.org.
Because the virtual-user setup is covered in such depth in this article, I may add a separate article later for non-virtual users.
Installation
This setup provides a POP3 server and an IMAP server, each in both plain and SSL-secured form. You will also have virus protection, spam protection, and a web inbox at http://server.com/squirrelmail. This article does not, however, explain how to set up Apache.
Add the following entries to /etc/portage/package.use:
| File: /etc/portage/package.use |
net-mail/dovecot pop3d
mail-filter/dspam virtual-users
|
Also be sure to add the 'png' USE flag, as dspam-web requires dev-perl/GD to be compiled with it.
Next, remove ssmtp, as it usually conflicts with postfix (unless you are using the mailwrapper utility, you cannot have more than one MTA installed): emerge -Ca ssmtp
Install all the packages that are going to be used: emerge -au dovecot postfix clamav dspam dspam-web squirrelmail
Should the above fail with ssmtp blocking postfix, simply run emerge -a postfix and try again.
Run the dovecot configuration script: emerge --config dovecot
Configuration
This section needs clarification.
Setup Postfix
To install postfixadmin simply execute: emerge -a postfixadmin
Postfixadmin will let us manage users with ease throughout this setup: once it is installed you can easily add aliases and mailboxes. So let's start!
Create the mailbox location with the correct privileges:
mkdir /var/spool/postfix/virtual
chown postfix:postfix /var/spool/postfix/virtual
chmod a+rwx /var/spool/postfix/virtual
I don't think this is a good idea; don't we have a user vmail that deals with the virtual directories?
The following are sample postfix configuration files. Note that you will need to change the user (UID) and group (GID) IDs to match those found on your system (in /etc/passwd and /etc/group respectively).
| File: /etc/postfix/main.cf |
alias_database = hash:/etc/postfix/aliases
alias_maps = $alias_database
myhostname = <yourhostname>
mydomain = <your_domain>
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain
mail_spool_directory = /var/spool/mail
home_mailbox = Mailbox
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
show_user_unknown_table_name = no
virtual_transport = virtual
virtual_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
# REMEMBER: the three values below MUST BE CHANGED to the UID of "postfix"
# from /etc/passwd (and, for virtual_gid_maps, its GID from /etc/group).
# Postfix reads a trailing "# ..." as part of the value, so keep comments
# on their own lines as done here.
virtual_minimum_uid = 207
virtual_uid_maps = static:207
virtual_gid_maps = static:207
virtual_mailbox_base = /var/spool/postfix/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_limit = 51200000
# Additional for quota support
virtual_create_maildirsize = yes
virtual_mailbox_extended = yes
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later.
virtual_overquota_bounce = yes
|
| File: /etc/postfix/mysql_virtual_alias_maps.cf |
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = alias
select_field = goto
where_field = address
|
| File: /etc/postfix/mysql_virtual_domains_maps.cf |
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = domain
select_field = description
where_field = domain
#additional_conditions = and backupmx = '0' and active = '1'
|
| File: /etc/postfix/mysql_virtual_mailbox_maps.cf |
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = mailbox
select_field = maildir
where_field = username
#additional_conditions = and active = '1'
|
| File: /etc/postfix/mysql_relay_domains_maps.cf |
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '1'
|
| File: /etc/postfix/mysql_virtual_mailbox_limit_maps.cf |
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = mailbox
# the lookup key is the recipient's mailbox name and the result is its quota
select_field = quota
where_field = username
#additional_conditions = and active = '1'
|
And now we restart postfix: /etc/init.d/postfix restart
SQL Virtual Users Setup
Set up the SquirrelMail SQL tables using the following SQL. Note that the GRANT below creates a MySQL account with an empty password that can modify these tables from localhost; if other local users are not trusted, give it a password and put that password in the SquirrelMail configuration instead.
| Code: Squirrelmail Table setup SQL |
CREATE DATABASE squirrelmail;
GRANT select,insert,update,delete ON squirrelmail.* TO Anonymous@localhost IDENTIFIED BY '';
USE squirrelmail;
CREATE TABLE address (
  owner varchar(128) DEFAULT '' NOT NULL,
  nickname varchar(16) DEFAULT '' NOT NULL,
  firstname varchar(128) DEFAULT '' NOT NULL,
  lastname varchar(128) DEFAULT '' NOT NULL,
  email varchar(128) DEFAULT '' NOT NULL,
  label varchar(255),
  PRIMARY KEY (owner,nickname),
  KEY firstname (firstname,lastname)
);
CREATE TABLE userprefs (
  user varchar(128) DEFAULT '' NOT NULL,
  prefkey varchar(64) DEFAULT '' NOT NULL,
  -- MySQL does not allow a DEFAULT value on blob columns
  prefval blob NOT NULL,
  PRIMARY KEY (user,prefkey)
);
|
SquirrelMail
See Install and Configuration for virtual users.
Configuring Dovecot
The following are sample configurations for Dovecot. Again, note that you'll need to substitute in the correct UID and GID values.
WARNING: ntp-client and dovecot often do not work well together! ntp-client will abruptly shift the date, which can cause dovecot to kill itself during the boot process to avoid random errors caused by the date shift. Use ntpd instead, and possibly add ntpd to the "after" section of /etc/init.d/dovecot to make sure ntpd is started up before dovecot.
| File: /etc/dovecot/dovecot-mysql.conf |
driver = mysql
connect = dbname=postfix user=postfix host=localhost password=postfix
default_pass_scheme = PLAIN
password_query = SELECT password FROM mailbox WHERE username = '%u'
# REMEMBER: the 97 values below MUST BE CHANGED to the UID and GID of "postfix"
# from /etc/passwd and /etc/group (the same ids used in Postfix's main.cf)
user_query = SELECT maildir, 97 AS uid, 97 AS gid FROM mailbox WHERE username = '%u'
|
| File: /etc/dovecot/dovecot.conf |
auth_verbose = yes
mail_debug = yes
base_dir = /var/run/dovecot/
protocols = imap imaps pop3 pop3s
listen = *
shutdown_clients = yes
log_path = /var/log/mail.log
info_log_path = /var/log/mail.log
log_timestamp = "%b %d %H:%M:%S "
syslog_facility = mail
disable_plaintext_auth = no
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
login_chroot = yes
login_user = postmaster
login_process_per_connection = yes
login_processes_count = 2
login_max_processes_count = 128
login_max_connections = 256
login_greeting = Welcome to Rukie's Mail Server.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c
login_log_format = %$: %s
default_mail_env = maildir:/var/spool/postfix/virtual/%d/%n
# REMEMBER: THIS MUST BE CHANGED TO YOUR UID FOR "postfix" FROM /etc/passwd
# (Dovecot reads a trailing "# ..." as part of the value, so keep it on its own line)
first_valid_uid = 97
pop3_uidl_format = %08Xu%08Xv
auth default {
mechanisms = PLAIN
userdb sql {
args = /etc/dovecot/dovecot-mysql.conf
}
passdb sql {
args = /etc/dovecot/dovecot-mysql.conf
}
user = root
count = 2
}
mail_extra_groups = mail
mail_debug = yes
|
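The UID and GID placeholders in main.cf, dovecot.conf and dovecot-mysql.conf all have to agree with the "postfix" account, otherwise Postfix writes maildirs that Dovecot's IMAP/POP3 processes cannot read. The following checker is an added example, not part of the original article; it works on the text of those files and of /etc/passwd and /etc/group, with constructed sample contents embedded so it runs offline (the 207-versus-97 mismatch in the samples is exactly the one left in the article's placeholders).

```python
import re

# Constructed sample inputs, not real system files. They reproduce the
# article's placeholders: main.cf delivers as uid/gid 207 while the
# dovecot-mysql.conf user_query hands Dovecot 97.
PASSWD = "root:x:0:0:root:/root:/bin/bash\npostfix:x:207:207::/var/spool/postfix:/bin/false\n"
GROUP = "root:x:0:\npostfix:x:207:\n"
MAIN_CF = "virtual_minimum_uid = 207\nvirtual_uid_maps = static:207\nvirtual_gid_maps = static:207\n"
DOVECOT_CONF = "first_valid_uid = 207\npop3_uidl_format = %08Xu%08Xv\n"
DOVECOT_MYSQL = "user_query = SELECT maildir, 97 AS uid, 97 AS gid FROM mailbox WHERE username = '%u'\n"

def system_ids(passwd_text, group_text, name="postfix"):
    """(uid, gid) of `name` from /etc/passwd and /etc/group contents; None if absent."""
    def lookup(text):
        for line in text.splitlines():
            fields = line.split(":")
            if len(fields) > 2 and fields[0] == name:
                return int(fields[2])
        return None
    return lookup(passwd_text), lookup(group_text)

# (file, kind, regex capturing the number). "min_uid" values only need to be
# <= the postfix uid. The \s*$ anchors reject a value followed by a trailing
# "# comment", which Postfix and Dovecot would both read as part of the value.
CHECKS = [
    ("main.cf", "uid", r"^virtual_uid_maps\s*=\s*static:(\d+)\s*$"),
    ("main.cf", "gid", r"^virtual_gid_maps\s*=\s*static:(\d+)\s*$"),
    ("main.cf", "min_uid", r"^virtual_minimum_uid\s*=\s*(\d+)\s*$"),
    ("dovecot.conf", "min_uid", r"^first_valid_uid\s*=\s*(\d+)\s*$"),
    ("dovecot-mysql.conf", "uid", r"(\d+)\s+AS\s+uid\b"),
    ("dovecot-mysql.conf", "gid", r"(\d+)\s+AS\s+gid\b"),
]

def mismatches(passwd_text, group_text, main_cf, dovecot_conf, dovecot_mysql):
    """Describe every hard-coded id that disagrees with the system account."""
    uid, gid = system_ids(passwd_text, group_text)
    if uid is None or gid is None:
        return ["no 'postfix' entry in passwd/group"]
    files = {"main.cf": main_cf, "dovecot.conf": dovecot_conf, "dovecot-mysql.conf": dovecot_mysql}
    bad = []
    for fname, kind, rx in CHECKS:
        m = re.search(rx, files[fname], re.M | re.I)
        value = int(m.group(1)) if m else None
        expected = gid if kind == "gid" else uid
        ok = value is not None and (value <= expected if kind == "min_uid" else value == expected)
        if not ok:
            bad.append(f"{fname}: {kind} {value} vs system {expected}")
    return bad
```

Calling mismatches(PASSWD, GROUP, MAIN_CF, DOVECOT_CONF, DOVECOT_MYSQL) reports the two dovecot-mysql.conf values; on a live box, pass the real file contents instead of the constants.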
Postfix Admin
To begin setting up PostfixAdmin, open a browser, go to http://localhost/postfixadmin and start the setup process by clicking on the "setup" link. Once the setup process has completed, you'll need to delete the setup script: rm /var/www/localhost/htdocs/postfixadmin/setup.php
Open up the postfix admin config file (/var/www/localhost/htdocs/postfixadmin/config.inc.php by default) and change the following settings:
- "change-this-to-your-domain.tld" to your domain.
- config_path to YES
- domain_in_mailbox to NO
- 'encrypt' to 'cleartext'
You will also need to change the postfixadmin admin login from the default admin:admin to something more secure. To do this run: htpasswd2 /var/www/localhost/htdocs/postfixadmin/admin/.htpasswd admin (You may also want to consider changing the username.)
To keep local users from reading your postfixadmin directory, execute the following to change its permissions:
chown -R apache:apache /var/www/localhost/htdocs/postfixadmin/
chmod -R 700 /var/www/localhost/htdocs/postfixadmin/
DSPAM
See DSPAM for further information.
Test Your Server
Now that you know the most important settings, you can go and start dovecot with: /etc/init.d/dovecot start
Make sure you see the "Dovecot starting up" message in your log file (/var/log/mail.log).
Try logging in with telnet (in the telnet-bsd package): telnet localhost 143
It should reply with the message * OK Dovecot ready. If not, Dovecot is not running for some reason, probably a configuration mistake; see the log file for errors.
Try to log in (IMAP commands must be prefixed with a tag, here x): x login testuser@domain.tld yourpass
You should see the message x OK Logged in. If not, authentication failed for some reason; look for the error in /var/log/mail.log.
To log out run: x logout
Try logging in with a real IMAP client and make sure everything works.
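Once clients are logging in, /var/log/mail.log is where the login_log_format settings from dovecot.conf above record each attempt. The audit below is an added example, not part of the original article: it assumes Dovecot joins the configured log elements with ", " and that the trailing %c element reads "TLS" or "secured" only on a protected connection, and the sample lines are constructed rather than taken from a real server. It flags PLAIN logins on unprotected connections (which disable_plaintext_auth = no permits on the plain imap and pop3 ports) and remote addresses with repeated failed logins.

```python
import re
from collections import Counter

# Constructed sample lines (not from a real server) in the layout that the
# login_log_format_elements setting produces: elements joined with ", ", and
# the final %c element "TLS" or "secured" present only on protected connections.
SAMPLE_LOG = """\
Mar 10 08:00:01 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Mar 10 08:00:05 mail dovecot: pop3-login: Login: user=<bob@example.com>, method=PLAIN, rip=192.0.2.11, lip=192.0.2.1
Mar 10 08:01:10 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<alice@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
Mar 10 08:01:12 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<carol@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
Mar 10 08:01:15 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<dave@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
Mar 10 08:02:00 mail dovecot: imap-login: Login: user=<erin@example.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar 10 08:02:30 mail postfix/smtpd[1234]: connect from unknown[203.0.113.9]
"""

LINE_RE = re.compile(
    r"(?P<proto>imap|pop3)-login: (?P<event>Login|Aborted login[^:]*): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>[^,]+), rip=(?P<rip>[^,]+), "
    r"lip=(?P<lip>[^,]+)(?:, (?P<secure>TLS|secured))?$"
)

def parse_login_lines(text):
    """One dict per line matching the login format; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["ok"] = ev["event"] == "Login"
            ev["secure"] = ev["secure"] is not None
            events.append(ev)
    return events

def audit(text, fail_threshold=3):
    """Flag PLAIN logins on unprotected connections and remote IPs with at
    least fail_threshold failed logins."""
    plaintext_unprotected, failures = [], Counter()
    for ev in parse_login_lines(text):
        if ev["ok"] and ev["method"] == "PLAIN" and not ev["secure"]:
            plaintext_unprotected.append((ev["user"], ev["rip"], ev["proto"]))
        elif not ev["ok"]:
            failures[ev["rip"]] += 1
    noisy = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    return {"plaintext_unprotected": plaintext_unprotected, "noisy_sources": noisy}
```

On the sample, audit(SAMPLE_LOG) reports bob's POP3 login as PLAIN over an unprotected connection and 198.51.100.7 as a source of repeated failures; feed it the real /var/log/mail.log to check your own server.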
Usage
Dovecot is best used to access mailboxes using either POP3 or IMAP. It can also incorporate a whole host of features, such as:
- Virtual users with:
  - Exim
  - OpenLDAP
  - PostgreSQL
  - Postfix
- POP before SMTP
- SSL / TLS
- SASL
- NFS
- ACLs
For the most basic use of accessing your mail on your server, just install and go.
Used Sources
- http://www.dovecot.org/
- http://wiki.dovecot.org/
- http://bliki.rimuhosting.com/space/knowledgebase/linux/mail/postfixadmin+on+debian+sarge