Dovecot

Note: This page was written with Fedora 12-14 in mind and may not work correctly with other versions or distributions.
Dovecot is an open source IMAP and POP3 server for Linux systems, written with security primarily in mind. Although it's written in C, it uses several coding techniques to avoid most of the common pitfalls.
- For more information see: http://www.dovecot.org/
Installing Dovecot 2.0
Installing Dovecot is pretty straightforward. It is a C-based program, so gcc is used to compile it.
Prerequisite
yum -y install gcc gettext-devel
Method 1: Download Source Tar file
First download the latest source code from: http://dovecot.org/download.html. Then run:
./configure --prefix=/usr/local --with-mysql
make
echo $?
make install
echo $?
Method 2: From Mercurial source repository
mkdir -p /var/src/
cd /var/src/
hg clone http://hg.dovecot.org/dovecot-2.0/
cd /var/src/dovecot-2.0
./autogen.sh
./configure --prefix=/usr/local --with-mysql
make
echo $?
make install
echo $?
- To update Dovecot 2.0 when using Mercurial:
hg pull && hg update
Compiling Configuration Options
The options below compile Dovecot with support for TLS/SSL and compressed messages.
Compiling with MySQL Support
./configure --prefix=/usr --with-ssl=openssl --with-mysql --with-zlib
Compiling with LDAP Support
./configure --prefix=/usr --with-ssl=openssl --with-ldap --with-zlib
Compiling with SQLite Support
./configure --prefix=/usr --with-ssl=openssl --with-sqlite --with-zlib
Initial Setup of Dovecot When Compiled from Source
To keep everything simple and in your /etc/ directory run:
mv /usr/local/etc/dovecot.conf /etc/dovecot.conf
ln -s /etc/dovecot.conf /usr/local/etc/dovecot.conf
Also make sure that the correct user and groups exist in /etc/passwd and /etc/group.
echo "virtualmail:x:1000:1000:virtualmail:/var/spool/virtualmailboxes:/sbin/nologin" >> /etc/passwd
echo "virtualmail:x:1000:" >> /etc/group
Using the below init file, create a new file named /etc/init.d/dovecot, then run the following:
chmod 755 /etc/init.d/dovecot
/sbin/chkconfig --add dovecot
/sbin/chkconfig dovecot on
/sbin/chkconfig --list dovecot
Dovecot INIT File
#!/bin/bash
#
# /etc/rc.d/init.d/dovecot
#
# Starts the dovecot daemon
#
# chkconfig: - 65 35
# description: Dovecot Imap Server
# processname: dovecot
# Source function library.
. /etc/init.d/functions
test -x /usr/local/sbin/dovecot || exit 0
RETVAL=0
prog="Dovecot Imap"
start() {
    echo -n $"Starting $prog: "
    daemon /usr/local/sbin/dovecot
    RETVAL=$?
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/dovecot
    echo
}
stop() {
    echo -n $"Stopping $prog: "
    killproc /usr/local/sbin/dovecot
    RETVAL=$?
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/dovecot
    echo
}
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    reload|restart)
        stop
        start
        RETVAL=$?
        ;;
    condrestart)
        if [ -f /var/lock/subsys/dovecot ]; then
            stop
            start
        fi
        ;;
    status)
        status /usr/local/sbin/dovecot
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {condrestart|start|stop|restart|reload|status}"
        exit 1
esac
exit $RETVAL
Configuring SSL/TLS
Self-signed SSL Certificates
Self-signed SSL certificates are the easiest way to get your SSL server working. However, unless you take some action to prevent it, this comes at the cost of security:
- The first time the client connects to the server, it sees the certificate and asks the user whether to trust it. The user of course doesn't really bother verifying the certificate's fingerprint, so a man-in-the-middle attack can easily bypass all the SSL security, steal the user's password and so on.
- If the client was lucky enough not to get attacked the first time it connected, the following connections will be secure as long as the client had permanently saved the certificate. Some clients do this, while others have to be manually configured to accept the certificate.
The only way to be fully secure is to import the SSL certificate into the client's (or operating system's) list of trusted CA certificates prior to the first connection. See SSL/CertificateClientImporting for how to do this for different clients.
Building Dovecot's Self-Signed Certificates
Dovecot includes a script to build self-signed SSL certificates using OpenSSL. First you need to find the dovecot-openssl.cnf file.
- Configuring the Certificate Config File
The best way on Fedora to do this is via the locate command.
locate dovecot-openssl.cnf
Mine was located at /etc/pki/dovecot/dovecot-openssl.cnf. Now that you have found the file you need to add your server information to it, like this.
[ req ]
# RSA key size in bits; 1024 is below current minimum recommendations, 2048 or more is the usual choice today
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
# country (2 letter code)
C=US
# State or Province Name (full name)
ST=MN
# Locality Name (eg. city)
L=SaintPaul
# Organization (eg. company)
O=mattrude.com
# Organizational Unit Name (eg. section)
OU=IMAP server
# Common Name (*.example.com is also possible)
CN=*.mattrude.com
# E-mail contact
emailAddress=[email protected]
[ cert_type ]
nsCertType = server
- Build the Certificates
/usr/libexec/dovecot/mkcert.sh
And now restart Dovecot
/sbin/service dovecot restart
Testing your SSL Certificates
openssl s_client -connect mail.mattrude.com:993
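The fingerprint comparison that the self-signed certificate section says users skip can be scripted on the server side, so the value can be handed to users out of band. The following is an added example, not code from the original page or from the Dovecot project; the function names and the throwaway certificate created in demo are assumptions, and the certificate path is passed as an argument.

```shell
#!/bin/sh
# Added example: inspect a server certificate before clients are told to trust it.
# Function names are assumptions; pass the path of the certificate mkcert.sh wrote.

# cert_fingerprint FILE: SHA-256 fingerprint as colon-separated hex
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_key_bits FILE: public key size in bits (default_bits = 1024 above yields 1024)
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_is_self_signed FILE: exit 0 when issuer and subject names are identical
cert_is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# cert_matches_pin FILE FINGERPRINT: exit 0 when FILE has the expected
# fingerprint, e.g. one the administrator published through a trusted channel
cert_matches_pin() {
    [ "$(cert_fingerprint "$1")" = "$2" ]
}

# Constructed demo: create a throwaway self-signed certificate and report on it.
demo() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mail.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    echo "key bits:    $(cert_key_bits "$dir/cert.pem")"
    echo "fingerprint: $(cert_fingerprint "$dir/cert.pem")"
    if cert_is_self_signed "$dir/cert.pem"; then
        echo "self-signed: yes (clients must import it or compare the fingerprint)"
    fi
    rm -rf "$dir"
}

# Run the constructed demo only when asked: sh certcheck.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```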
Doveadm
Dovecot's administration utility can be used to manage various parts of Dovecot, as well as access users' mailboxes. Here's a list of some commonly used commands.
Doveadm - Expunge
The expunge command deletes messages from users' mailboxes by criteria. This is useful mostly for housekeeping tasks, such as deleting old messages from the users' Trash folder. When using the dbox mailbox format, the messages are not deleted; instead, the refcount is reduced by one for each message.[1] To test which messages a given search query would match, you can use the doveadm fetch or doveadm search commands.[2]
- Expunge (delete) all messages older than 7 days in matt's Trash folder
doveadm expunge -u matt mailbox Trash savedbefore 7d
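Since doveadm search accepts the same query as doveadm expunge, the preview can be made a mandatory step. The wrapper below is an added example, not part of the original page or of Dovecot; the function name expunge_guarded and its MAX argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: preview an expunge query with "doveadm search" and refuse to
# delete when it matches more messages than the caller expects.
# The function name and the MAX limit are assumptions of this example.

# expunge_guarded USER MAX QUERY...
#   returns 0 when nothing matched or the expunge ran,
#           1 when the query matched more than MAX messages (nothing deleted),
#           2 when the preview search itself failed.
expunge_guarded() {
    user=$1
    max=$2
    shift 2

    # doveadm search prints one "mailbox-guid uid" pair per matching message.
    matches=$(doveadm search -u "$user" "$@") || return 2
    if [ -z "$matches" ]; then
        count=0
    else
        count=$(printf '%s\n' "$matches" | wc -l | tr -d ' ')
    fi

    echo "query matches $count message(s) for $user" >&2
    if [ "$count" -eq 0 ]; then
        return 0
    fi
    if [ "$count" -gt "$max" ]; then
        echo "refusing: more than $max matches, check the query" >&2
        return 1
    fi

    # Same user and same query as the preview, so only previewed mail is removed.
    doveadm expunge -u "$user" "$@"
}

# Example call, using the query from the page:
#   expunge_guarded matt 500 mailbox Trash savedbefore 7d
```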
Doveadm - Purge
The doveadm purge command is used to remove all messages with refcount=0 from a user's mail storage. The refcount of a message is decreased to 0 when the user (or some administration utility) has expunged all instances of a message from all mailboxes.[3]
When you purge a dbox mailbox, you rebuild the mailboxes without the already deleted mail in them.[4] Purging does not delete undeleted mail and is safe to run on users' mailboxes.
- Purge all deleted items in user matt's mailbox:
doveadm purge -u matt
Doveadm - Quota
The quota get and quota recalc commands are only available when the global mail_plugins setting contains the quota plugin.[5]
- List current quota status for a user (-u) or all users (-A):
doveadm quota get -u matt
- List the quota storage value for ALL users:
doveadm quota get -A |grep "STORAGE"
- Rebuild a single user's quota values:
doveadm quota recalc -u matt
- Rebuild ALL users' quota values:
doveadm quota recalc -A
Doveadm - Fetch
Doveadm Fetch will display the actual message, or part of the message, depending on what you ask for.
- To view the header of all emails with the subject of Milly, in the user matt's mailbox:
doveadm fetch -u matt hdr subject Milly
Doveadm - Search
- To view the number of messages, by user, in their Trash folder:
doveadm search -A mailbox Trash |awk '{print $1}' |sort |uniq -c
- Show all messages older than 30 days in user matt's Inbox:
doveadm search -u matt mailbox INBOX savedbefore 30d
- Show all messages older than 30 days for user matt, in any folder:
doveadm search -u matt mailbox "*" savedbefore 30d
Dsync
Dsync is Dovecot's mailbox synchronization utility. It can be used for several different use cases: two-way synchronization of mailboxes in different servers (via ssh), creating backups of mails to a remote server, and converting mailboxes from/to different mailbox formats.
Backing up a User's Mailbox
dsync -u user -o mail_location=mdbox:/var/mailboxes/newmailbox mirror mdbox:/var/mailboxes/oldmailbox
In the above example, the user being backed up is user, we are copying the mailbox to /var/mailboxes/newmailbox, and creating it in the mdbox format. The original mailbox lives at /var/mailboxes/oldmailbox and also happens to be in the mdbox format.
Dovecot Plugins
Dovecot's Quota Plugin
The below assumes you're using mdbox, so dirsize or dict:sql will be the fastest. Since we already have SQL set up, we're going to go with that.
Enabling the Quota Plugin
mail_plugins = $mail_plugins quota
protocol imap {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins imap_quota
}
plugin {
  # SQL backend:
  quota = dict:User quota::proxy::quota
  quota_rule = *:storage=1024M:messages=100000
  quota_rule2 = Trash:storage=+20%%
  quota_rule3 = Junk:storage=+20%%
}
dict {
  quota = mysql:/etc/dovecot/dovecot-dict-mysql.conf
}
The dovecot-dict-mysql.conf file should contain something like this:
connect = host=localhost dbname=postfix user=postfix password=postfix
map {
  pattern = priv/quota/storage
  table = quota
  username_field = username
  value_field = bytes
}
map {
  pattern = priv/quota/messages
  table = quota
  username_field = username
  value_field = messages
}
And lastly, add the following table to your email server's database in MySQL.
CREATE TABLE quota (
  username varchar(100) not null,
  bytes bigint not null default 0,
  messages integer not null default 0,
  primary key (username)
);
Dovecot's Expire Plugin
Dovecot's Trash Plugin
Dovecot's Zlib Plugin
Dovecot's AntiSpam Plugin
The Dovecot Antispam plugin will allow users to indicate Spam messages by moving them into their Junk folder.[6] Unlike Dovecot's other plugins, Antispam is an external plugin you must download and install separately.
Internally, the Dovecot Antispam plugin has four types of folders. Different actions are triggered when you move mail from one folder to another. The following table describes the actions depending on the source and destination folders.[7]
dst\src | Spam | Trash | Unsure | Other |
---|---|---|---|---|
Spam | ignored | ignored | spam | spam |
Trash | ignored | ignored | forbidden | ignored |
Unsure | forbidden | forbidden | forbidden | forbidden |
Other | ham | ignored | ham | ignored |
Downloading & Compiling the Plugin
hg clone http://hg.dovecot.org/dovecot-antispam-plugin
cd dovecot-antispam-plugin
./autogen.sh
./configure --prefix=/usr
make
make install
Configuring Dovecot's AntiSpam Plugin
protocol imap {
  mail_plugins = $mail_plugins antispam
}
Troubleshooting Dovecot
See: http://bobpeers.com/technical/telnet_imap.php
- Connecting to Dovecot with telnet
telnet mail.example.com 143
- Connecting to Dovecot using an SSL connection
openssl s_client -connect mail.example.com:993
- Logging In
. login <username> <password>
- Listing Imap Directories
. list "" "*"
- Selecting an Imap Directory
. select Save
References
- [1] http://wiki2.dovecot.org/Tools/Doveadm/Purge#section_description
- [2] http://wiki2.dovecot.org/Tools/Doveadm/Expunge#section_description
- [3] http://wiki2.dovecot.org/Tools/Doveadm/Purge#section_description
- [4] http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox
- [5] http://wiki2.dovecot.org/Tools/Doveadm/Quota#section_description
- [6] Plugins/Antispam - Dovecot Wiki Introduction
- [7] Dovecot AntiSpam - man file