Installing Dovecot IMAP Server

These are my notes for installing and configuring Dovecot IMAP Server on a Postfix email server system running Linux Ubuntu 20 LTS.

 

Install Dovecot Packages

 

Enter the following command to install the Dovecot core package and the IMAP daemon package on the Ubuntu server. As written, it also installs the POP3 and LMTP packages used later in these notes.

apt install -y dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd

 

If you use POP3 to fetch emails, then also install the dovecot-pop3d package.

 

sudo apt install dovecot-pop3d

 

Check Dovecot version:

 

dovecot --version

 

Enabling IMAP/POP3 Protocol

 

Edit the main config file. 

 

sudo nano /etc/dovecot/dovecot.conf

 

Add the following line to enable IMAP protocol.

 

protocols = imap

 

If you use POP3 to fetch emails, then also add POP3 protocol.

 

protocols = imap pop3

 

Configuring Mailbox Location

 

By default, Postfix and Dovecot use mbox format to store emails. Each user’s emails are stored in a single file /var/mail/username. You can run the following command to find the mail spool directory.

 

 

postconf mail_spool_directory

 

 

root@gemini:/etc/apache2/sites-enabled# postconf mail_spool_directory
mail_spool_directory = /var/mail
root@gemini:/etc/apache2/sites-enabled#

 

 

However, it is more usual to use the Maildir format to store email messages.

 

The config file for mailbox location is /etc/dovecot/conf.d/10-mail.conf.

 

nano /etc/dovecot/conf.d/10-mail.conf

 

The default configuration uses mbox mail format.

 

mail_location = mbox:~/mail:INBOX=/var/mail/%u

 

Change it to the following to make Dovecot use the Maildir format. Email messages will be stored under the Maildir directory under each user’s home directory.

 

mail_location = maildir:~/Maildir

 

We need to add the following line in the file. (On Ubuntu 18.04 and 20.04, this line is already in the file.)

 

mail_privileged_group = mail

 

Save and close the file. Then add dovecot to the mail group so that Dovecot can read the INBOX.

 

adduser dovecot mail

 

root@gemini:~# adduser dovecot mail
Adding user `dovecot' to group `mail' ...
Adding user dovecot to group mail
Done.
root@gemini:~#

 

 

Using Dovecot to Deliver Email to Message Store

 

Although we configured Dovecot to store emails in Maildir format, by default, Postfix uses its built-in local delivery agent (LDA) to move inbound emails to the message store (inbox, sent, trash, Junk, etc), and this is by default saved in mbox format.

 

We need to configure Postfix to pass incoming emails to Dovecot via the LMTP protocol, which is a simplified version of SMTP, so that incoming emails will be saved in Maildir format by Dovecot.

 

LMTP allows for a more scalable and reliable mail system. It also allows use of the sieve plugin to filter inbound messages to different folders.

 

Install the Dovecot LMTP Server

 

apt install dovecot-lmtpd

 

Edit the Dovecot main configuration file.

 

nano /etc/dovecot/dovecot.conf

 

Add lmtp to the supported protocols.

 

protocols = imap lmtp

 

Save and close the file. Then edit the Dovecot 10-master.conf file.

 

nano /etc/dovecot/conf.d/10-master.conf

 

Change the lmtp service definition to the following.

 

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}

 

Next, edit the Postfix main configuration file.

 

nano /etc/postfix/main.cf

 

Add the following lines to the end of the file.

 

The first line tells Postfix to deliver incoming emails to local message store via the Dovecot LMTP server.

 

The second line disables SMTPUTF8 in Postfix, because Dovecot-LMTP doesn’t support this email extension.

 

mailbox_transport = lmtp:unix:private/dovecot-lmtp

smtputf8_enable = no

 

Save and close the file.

 

Configure the Dovecot Authentication Mechanism

 

Edit the authentication config file.

 

nano /etc/dovecot/conf.d/10-auth.conf

 

Uncomment the following line.

 

disable_plaintext_auth = yes

 

This will disable plaintext authentication when there’s no SSL/TLS encryption.

 

Then find the following line:

 

#auth_username_format = %Lu

 

 

Uncomment it and change its value to %n.

auth_username_format = %n

 

 

By default, when Dovecot tries to find or deliver emails for a user, it uses the full email address.

 

Since in this part, we only set up canonical mailbox users (using OS users as mailbox users), Dovecot can’t find the mailbox user in full domain format (username@your-domain.com).

 

So we need to set auth_username_format = %n to drop the domain part, then Dovecot should be able to find the mailbox user. This also allows us to use the full email address (username@your-domain.com) to log in.

 


 

Next, find the following line.

 

auth_mechanisms = plain

 

This line only enables the PLAIN authentication mechanism. LOGIN is another authentication mechanism you probably want to add to support older email clients.

 

auth_mechanisms = plain login

 

Save and close the file.

 

Configuring SSL/TLS Encryption

 

Next, edit the SSL/TLS config file.

 

nano /etc/dovecot/conf.d/10-ssl.conf

 

Change ssl = yes to ssl = required to enforce encryption.

 

ssl = required

 

Then find the following lines.

 

ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key

 

By default, Dovecot uses a self-signed TLS certificate. Replace these lines with the following values, which specify the location of your Let’s Encrypt TLS certificate and private key. Don’t leave out the < character: it tells Dovecot to read the value from the file rather than treat the path as the value itself.

 

ssl_cert = </etc/letsencrypt/live/mail.your-domain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.your-domain.com/privkey.pem

 

ssl_cert = </etc/letsencrypt/live/mail.kevwells.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.kevwells.com/privkey.pem

Next, find the following line.

#ssl_prefer_server_ciphers = no

It’s good practice to use the server order of ciphers over that of clients, so uncomment this line and change the value to yes.

 

ssl_prefer_server_ciphers = yes

We can also disable the insecure SSLv3, TLSv1 and TLSv1.1 protocols by adding the following line.

ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1

Note: If using Dovecot version 2.3.x or above (as in Ubuntu 20.04), then you should add the following line instead.

This forces Dovecot to use TLSv1.2 or TLSv1.3.

Please don’t add this line if you use Dovecot version 2.2.x.

ssl_min_protocol = TLSv1.2

Save and close the file.

Configuring SASL Authentication

Edit the following file.

nano /etc/dovecot/conf.d/10-master.conf

 

Change service auth section to the following so that Postfix can find the Dovecot authentication server.

Please be careful about the syntax.

Every opening bracket should be terminated by a closing bracket.

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

Save and close the file.

Auto-create Sent and Trash Folder

 

Edit the below config file.

nano /etc/dovecot/conf.d/15-mailboxes.conf

To auto-create a folder, simply add the following line in the mailbox section.

auto = create

Example:

mailbox Trash {
  auto = create
  special_use = \Trash
}

 

Common folders you will want to create include Drafts, Junk, Trash and Sent.

 

The Sent folder will be created under the user’s home directory when the user sends the first email.

 

The Trash folder will be created when the user deletes an email for the first time, etc.

 

 

After you save and close all above config files, restart Postfix and Dovecot.

systemctl restart postfix dovecot

 

Dovecot will be listening on port 143 (IMAP) and 993 (IMAPS), as can be seen with:

 

ss -lnpt | grep dovecot

 

If there’s a configuration error, dovecot will fail to restart, so it’s a good idea to check if Dovecot is running with the following command.

 

systemctl status dovecot

 

root@gemini:/etc/dovecot/conf.d# systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
     Loaded: loaded (/lib/systemd/system/postfix.service; enabled; vendor preset: enabled)
     Active: active (exited) since Wed 2022-03-09 20:34:54 UTC; 4s ago
    Process: 190752 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
   Main PID: 190752 (code=exited, status=0/SUCCESS)

Mar 09 20:34:54 gemini systemd[1]: Starting Postfix Mail Transport Agent...
Mar 09 20:34:54 gemini systemd[1]: Finished Postfix Mail Transport Agent.

root@gemini:/etc/dovecot/conf.d# systemctl status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
     Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-03-09 20:34:51 UTC; 11s ago
       Docs: man:dovecot(1)
             http://wiki2.dovecot.org/
   Main PID: 189907 (dovecot)
      Tasks: 4 (limit: 2274)
     Memory: 6.5M
     CGroup: /system.slice/dovecot.service
             ├─189907 /usr/sbin/dovecot -F
             ├─189921 dovecot/anvil
             ├─189922 dovecot/log
             └─189923 dovecot/config

Mar 09 20:34:51 gemini systemd[1]: Started Dovecot IMAP/POP3 email server.
Mar 09 20:34:51 gemini dovecot[189907]: doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf
Mar 09 20:34:51 gemini dovecot[189907]: doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:97: ssl_protocols has been replaced by ssl_min_protocol
Mar 09 20:34:51 gemini dovecot[189907]: master: Dovecot v2.3.7.2 (3c910f64b) starting up for imap, lmtp (core dumps disabled)
Mar 09 20:34:51 gemini dovecot[189922]: config: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf
Mar 09 20:34:51 gemini dovecot[189922]: config: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:97: ssl_protocols has been replaced by ssl_min_protocol
root@gemini:/etc/dovecot/conf.d#

 

root@gemini:/etc/postfix# systemctl restart postfix
root@gemini:/etc/postfix# ss -lnpt | grep dovecot
LISTEN 0 100 0.0.0.0:143 0.0.0.0:* users:(("dovecot",pid=192085,fd=35))
LISTEN 0 100 0.0.0.0:993 0.0.0.0:* users:(("dovecot",pid=192085,fd=37))
LISTEN 0 100 [::]:143 [::]:* users:(("dovecot",pid=192085,fd=36))
LISTEN 0 100 [::]:993 [::]:* users:(("dovecot",pid=192085,fd=38))
root@gemini:/etc/postfix#
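
An added check, not part of the original notes: the shell function below reads Dovecot settings text on stdin and reports on the TLS and authentication settings configured above, including the obsolete ssl_protocols line that the status log flags. The function names, the output wording and the sample settings are constructed for this example.

```bash
#!/bin/sh
# Added example: check Dovecot settings text for the TLS/auth hardening
# described on this page. Reads settings on stdin, prints one line per check.
audit_dovecot_conf() {
    awk '
    function show(v) { return (v == "") ? "(unset)" : v }
    {
        sub(/#.*/, "")                      # drop comments
        gsub(/^[ \t]+|[ \t]+$/, "")         # trim whitespace
    }
    /^[a-z0-9_]+[ \t]*=/ {
        key = $0; sub(/[ \t]*=.*/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val)
        seen[key] = val
    }
    END {
        # Cleartext IMAP must be refused, not merely optional.
        if (seen["ssl"] == "required") print "OK   ssl = required"
        else print "FAIL ssl = " show(seen["ssl"]) " (want required)"
        # Dovecot 2.3 setting; the page pins TLSv1.2 as the floor.
        m = seen["ssl_min_protocol"]
        if (m == "TLSv1.2" || m == "TLSv1.3") print "OK   ssl_min_protocol = " m
        else if (m == "") print "WARN ssl_min_protocol (unset): built-in default applies"
        else print "FAIL ssl_min_protocol = " m " (want TLSv1.2 or TLSv1.3)"
        # 2.2-era setting; 2.3 logs it as obsolete (see the status output).
        if ("ssl_protocols" in seen)
            print "WARN ssl_protocols is obsolete on 2.3; use ssl_min_protocol"
        # An explicit "no" allows PLAIN/LOGIN over an unencrypted session.
        if (seen["disable_plaintext_auth"] == "no")
            print "FAIL disable_plaintext_auth = no"
        else print "OK   disable_plaintext_auth is not disabled"
    }'
}

# Constructed sample: the state the status log on this page reports
# (Dovecot 2.3 still carrying the 2.2-style ssl_protocols line).
sample_conf() {
    cat <<'EOF'
ssl = required
ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1
#disable_plaintext_auth = yes
auth_mechanisms = plain login
EOF
}

sample_conf | audit_dovecot_conf
```

On the server, feed it the live files instead of the sample, for example by piping cat /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-auth.conf into audit_dovecot_conf.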

 

Create Virtual Mail Box Domains

 

 

The main.cf configuration file instructs postfix to look for email domains in the /etc/postfix/virtual_mailbox_domains file. Create the file:

 

 

$ sudo nano /etc/postfix/virtual_mailbox_domains

 

Add the information below to the file and replace example.com with your domain name.

 

example.com #domain

 

Use the postmap command to change /etc/postfix/virtual_mailbox_domains to a format recognizable by Postfix. Run this command every time you edit the file, for instance, after adding more domains to the file.

 

 

$ sudo postmap /etc/postfix/virtual_mailbox_domains

 

Edit the /etc/postfix/master.cf configuration file to enable the SMTP submission service.

 

 

$ sudo nano /etc/postfix/master.cf

 

Find the entry below.

 

 


#submission inet n - y - - smtpd

Remove the pound symbol at the beginning of the line.

 

 


submission inet n - y - - smtpd

Save and close the file.

 

 

Configure Dovecot to use secure authentication. Edit the Dovecot 10-auth.conf file.

 

$ sudo nano /etc/dovecot/conf.d/10-auth.conf

Find the entry below.

 

# disable_plaintext_auth = yes

Uncomment the setting above by removing the # character to disable plain text authentication.

 

disable_plaintext_auth = yes

 

Find the entry below.

 

auth_mechanisms = plain

Change the authentication mechanisms from plain to plain login.

 

auth_mechanisms = plain login

Disable the Dovecot default authentication behavior that requires users to have a system account to use the email service. Find the line:

 

!include auth-system.conf.ext

Add a pound symbol at the beginning of the line to comment it out.

 

#!include auth-system.conf.ext

Find the line:

 

#!include auth-passwdfile.conf.ext

Remove the # symbol at the beginning to enable Dovecot to use a password file.

 

!include auth-passwdfile.conf.ext

 

Save and close the file.

 

Edit the Dovecot passwd-file authentication config file, auth-passwdfile.conf.ext.

 

$ sudo nano /etc/dovecot/conf.d/auth-passwdfile.conf.ext

 

The file looks similar to the one shown below.

 

passdb {
driver = passwd-file
args = scheme=CRYPT username_format=%u /etc/dovecot/users
}

userdb {
driver = passwd-file
args = username_format=%u /etc/dovecot/users
}

 

Make the changes to the file, as shown below.

 

passdb {
driver = passwd-file
args = scheme=PLAIN username_format=%u /etc/dovecot/dovecot-users
}

 

userdb {
driver = static
args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

 

Save and close the file.

 

Create the /etc/dovecot/dovecot-users password file. This file is a plain text database that holds email users on your server.

 

 

nano /etc/dovecot/dovecot-users

 

Add the users that you want to use the email service to the file by following the format below. Replace EXAMPLE_PASSWORD with a strong password. Also, replace example.com with your domain name.

 

admin@example.com:{plain}EXAMPLE_PASSWORD
info@example.com:{plain}EXAMPLE_PASSWORD
billing@example.com:{plain}EXAMPLE_PASSWORD

 

Save and close the file.
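
An added example, not part of the original notes: with scheme=PLAIN and {plain} entries, the file above holds every mailbox password in cleartext, so the functions below list which accounts are stored that way and whether the file is readable by other local users. The function names and the sample file are constructed here; the hash shown is a placeholder for the output of doveadm pw -s SHA512-CRYPT.

```bash
#!/bin/sh
# Added example: find cleartext credentials in a Dovecot passwd-file.
# Usage: cleartext_users FILE [DEFAULT_SCHEME]   (fields: user:password:...)
# DEFAULT_SCHEME mirrors the passdb "scheme=" argument; PLAIN as on this page.
cleartext_users() {
    awk -F: -v def="${2:-PLAIN}" '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        pw = $2
        scheme = toupper(def)
        rb = index(pw, "}")
        # A {SCHEME} prefix on the entry overrides the default scheme.
        if (substr(pw, 1, 1) == "{" && rb > 2)
            scheme = toupper(substr(pw, 2, rb - 2))
        if (scheme == "PLAIN" || scheme == "CLEAR" || scheme == "CLEARTEXT")
            print $1
    }' "$1"
}

# The file holds credentials: succeed if any "other" permission bit is set.
world_accessible() {
    mode=$(stat -c %a "$1")                  # GNU stat, as on Ubuntu
    [ $((0$mode & 7)) -ne 0 ]
}

# Constructed sample in the page's format; the hash is a placeholder.
make_sample() {
    cat > "$1" <<'EOF'
admin@example.com:{plain}EXAMPLE_PASSWORD
info@example.com:{SHA512-CRYPT}$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH
billing@example.com:EXAMPLE_PASSWORD
EOF
}

users_file=$(mktemp)
make_sample "$users_file"
chmod 644 "$users_file"
cleartext_users "$users_file" PLAIN
world_accessible "$users_file" && echo "WARN: $users_file is readable by all users"
rm -f "$users_file"
```

On the server, point both functions at /etc/dovecot/dovecot-users; an entry that carries a {SHA512-CRYPT} prefix is verified as a hash even while the passdb default stays scheme=PLAIN.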

 

Configure Dovecot to Use the SSL Certificate. Open the /etc/dovecot/conf.d/10-ssl.conf file.

 

$ sudo nano /etc/dovecot/conf.d/10-ssl.conf
Find the line:

 

ssl = yes
Change the ssl value from yes to required.

 

ssl = required
Locate the two entries below.

 

#ssl_cert = </etc/dovecot/dovecot.pem
#ssl_key = </etc/dovecot/private/dovecot.pem
Change the two entries above and make sure they are pointing to the SSL certificate for your domain. For instance, if you are using the Let’s Encrypt certificate, your entries will be similar to those shown below. Replace example.com with your domain name.

 

ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
Save and close the file.
Restart the postfix and dovecot services to use the new settings.

 

$ sudo service postfix restart
$ sudo service dovecot restart

 

root@gemini:/etc/postfix# echo "This is a test email." | mail -s "Test email" -r kevin@kevwells.com kevin@kevwells.com
root@gemini:/etc/postfix#

 

The final thing to set up is forwarding, so you’ll get emails sent to root on the system at your personal, external email address.

 

To configure Postfix so that system-generated emails will be sent to your email address, you need to edit the /etc/aliases file.

 

sudo nano /etc/aliases

 

The full contents of the file on a default installation of Ubuntu 16.04 are as follows:

 

/etc/aliases
# See man 5 aliases for format
postmaster: root

 

With that setting, system generated emails are sent to the root user. What you want to do is edit it so that those emails are rerouted to your email address.

 

To accomplish that, edit the file so that it reads:

 

/etc/aliases

 

# See man 5 aliases for format
postmaster: root
root: your_email_address

 

Replace your_email_address with your personal email address. When finished, save and close the file. For the change to take effect, run the following command:

 

sudo newaliases

 

You may now test that it works by sending an email to the root account using:

 

echo "This is the body of the email" | mail -s "This is the subject line" root

 

root@gemini:/# cat /etc/aliases
# See man 5 aliases for format
postmaster: root
root: kevin@kevwells.com
root@gemini:/#
root@gemini:/# newaliases
root@gemini:/#

 

You should receive the email at your email address. If not, check your spam folder.

 
