-
Notifications
You must be signed in to change notification settings - Fork 48
Server configuration: Dovecot v2.x
Dovecot is an open source IMAP and POP3 MDA (Mail Delivery Agent) for Linux/UNIX-like systems, written with security primarily in mind. This page explains how to configure Dovecot to authenticate users using Vexim database and serve them their e-mail.
Note: this manual is for Dovecot v.2. If you are using Dovecot v.1, you should refer to the other manual instead.
In fact, setting Dovecot up to work with Vexim is rather trivial. You have to change the following things in Dovecot configuration files. If you are using Debian or Ubuntu, your Dovecot configuration resides in /etc/dovecot/. The files are documented rather extensively, so we won't go through everything here.
If SIEVE filters should be used it is necessary to feed the mails directly from Exim to dovecot. This can be accomplished by a LTMP transport PR #247 or piping but piping should not be used anymore in this case as the sql queries in this writeup do not accept 'piped' user accounts.
-
The value of
first_valid_uidmust be low enough for virtual users to be able to log in. This setting is set inconf.d/10-mail.confconfiguration file. Its value must be at least as low as theuidof yourveximuser created during set up of Vexim. Same goes forfirst_valid_gid, although that defaults to1, so should not be a problem. Anyway, here's an example:first_valid_uid = 100
-
sqlpassword database must be enabled (and otherpassdb's disabled if you want Dovecot to only serve Vexim virtual users). This is done in theconf.d/10-auth.conffile. First of all, you should only allow plaintext passwords if a secured connection (SSL/TLS) is used:disable_plaintext_auth = yesThen use uncomment the SQL-authentication-backend at the very bottom of it, and adjust the includes as following:
#!include auth-system.conf.ext !include auth-sql.conf.ext #!include auth-ldap.conf.ext #!include auth-passwdfile.conf.ext #!include auth-checkpassword.conf.ext #!include auth-vpopmail.conf.ext #!include auth-static.conf.extThen open
conf.d/auth-sql.conf.extand make sure that itspassdbblock is uncommented. It should look somewhat like this:passdb { driver = sql # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext args = /etc/dovecot/dovecot-sql.conf.ext }You may also uncomment the
userdbblock which enablesprefetchuser database to avoid unnecessary SQL queries:userdb { driver = prefetch } -
Now, the passdb has to be configured properly. Edit the
dovecot-sql.conf.extfile as follows (make sure to adjust theconnectline to reflect your actual setup though). The fieldsproxy_maybe,relayto,host_imapare specific to veximpy and can be removed.driver = mysql connect = host=/var/run/mysqld/mysqld.sock dbname=vexim user=vexim password=CHANGE default_pass_scheme = CRYPT password_query = \ SELECT CONCAT(`u`.`localpart`, '@', `d`.`domain`) AS `user`, `u`.`crypt` AS `password`, \ CONCAT(`d`.`maildir`, '/', `u`.`localpart`) AS `userdb_home`, \ `u`.`uid` AS `userdb_uid`, `u`.`gid` AS `userdb_gid`, \ CONCAT('*:bytes=', `u`.`quota`, 'M') AS `userdb_quota_rule`, 'any-cert' AS `starttls`, \ IF(`d`.`host_imap` != 'mail1' AND `d`.`relayto` NOT IN ('localhost', '127.0.0.1'), 'Y', 'N') AS `proxy_maybe`, \ IF(`d`.`host_imap` != 'mail1' AND `d`.`relayto` NOT IN ('localhost', '127.0.0.1'), `d`.`relayto`, '127.0.0.1') AS `host` \ FROM `users` AS `u` \ JOIN `domains` AS `d` ON `d`.`domain_id` = `u`.`domain_id` \ WHERE `u`.`localpart` = '%n' \ AND `d`.`domain` = '%d' \ AND `u`.`enabled` = 1 AND `d`.`enabled` = 1 \ AND `d`.`host_imap` IN ('mail1', 'mail') \ AND `u`.`type` = 'local' user_query = \ SELECT CONCAT(`u`.`localpart`, '@', `d`.`domain`) AS `user`, `u`.`crypt` AS `password`, \ CONCAT(`d`.`maildir`, '/', `u`.`localpart`) AS `home`, \ `u`.`uid` AS `uid`, `u`.`gid` AS `gid`, \ CONCAT('*:bytes=', `u`.`quota`, 'M') AS `quota_rule`, \ IF(`d`.`host_imap` != 'mail1' AND `d`.`relayto` NOT IN ('localhost', '127.0.0.1'), 'Y', 'N') AS `proxy_maybe`, \ IF(`d`.`host_imap` != 'mail1' AND `d`.`relayto` NOT IN ('localhost', '127.0.0.1'), `d`.`relayto`, '127.0.0.1') AS `host` \ FROM `users` AS `u` \ JOIN `domains` AS `d` ON `d`.`domain_id` = `u`.`domain_id` \ WHERE `u`.`localpart` = '%n' \ AND `d`.`domain` = '%d' \ AND `u`.`enabled` = 1 AND `d`.`enabled` = 1 \ AND `d`.`host_imap` IN ('mail1', 'mail') \ AND `u`.`type` = 'local' iterate_query = \ SELECT \ CONCAT(`u`.`localpart`, '@', `d`.`domain`) AS `user`, \ `d`.`domain` \ FROM `users` AS `u` \ JOIN `domains` AS `d` ON `d`.`domain_id` = `u`.`domain_id` \ WHERE \ `u`.`enabled` = 1 \ AND `d`.`enabled` = 1 \ AND `u`.`type` = 'local'
Dovecot expects the SELECT to return a set of columns with particular names, hence usage of the AS keyword above.
-
password_queryreturns all fields that are necessary. -
user_querywill be used if you don't enableprefetchuser database and/or if you use Dovecot LDA to deliver e-mails. Either way, even if that query won't be used, there is no harm in having it defined. -
iterate_querywill be used by doveadm when iterating over multiple accounts.
To configure proper user quota support and reporting for IMAP
-
in
conf.d/10-mail.confenable quota plugin:mail_plugins = $mail_plugins quota -
do the same in
conf.d/20-imap.conf:protocol imap { mail_plugins = $mail_plugins imap_quota } -
in
conf.d/90-quota.confenable at least one quota backend:plugin { quota = maildir:User quota }
After applying all configuration and restarting Dovecot, you can test your quota configuration by running the following command from your root shell:
doveadm quota get -A
If configuration is correct, you should see two lines of output per virtual user (one for STORAGE and one for MESSAGE quotas):
Username Quota name Type Value Limit %
postmaster@example.org User quota STORAGE 9 - 0
postmaster@example.org User quota MESSAGE 9 - 0
otheruser@example.org User quota STORAGE 6 2048 0
otheruser@example.org User quota MESSAGE 5 - 0
For the referenceSTORAGE values are reported in KiB (Kibibytes).
- add a to the master config
11-master-override.conf:
service lmtp {
user = vmail
}
- create a configfile
conf.d/21-lmtp-override.conf:
protocol lmtp {
# Space separated list of plugins to load (default is global mail_plugins).
mail_plugins = $mail_plugins sieve
}
Encryption# should always be used to protect your mails and login credentials. You can use the same certificates you created for Exim. There is nothing specific to Vexim here, so just follow the official SSL configuration guide from the Dovecot Wiki. For the cipher selection, we recommend to use a current set of "secure" ciphers, bettercrypto.org provides some reviewed default configs in a PDF file for /etc/dovecot/conf.d/10-ssl.conf:
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes
# SSL protocols to use, disable SSL, use TLS only
ssl_protocols = !SSLv3 !SSLv2
# SSL ciphers to use
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH\
\:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4\
\:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
# Prefer the server's order of ciphers over client's. (Dovecot >=2.2.6 Required)
ssl_prefer_server_ciphers = yes
# Diffie-Hellman parameters length (Default is 1024, Dovecot >=2.2.7 Required)
# ToDo: for ReGenerating DH-Parameters:
# manually delete /var/lib/dovecot/ssl-parameters.dat and restart
# Dovecot to regenerate /var/lib/dovecot/ssl-parameters.dat
ssl_dh_parameters_length = 2048
# Disable Compression (Dovecot >= 2.2.14 Required, check with `dovecot --version`)
# ssl_options = no_compression
Once you have applied all the changes above, you should restart Dovecot and start testing your setup. It should already work!