Dovecot

From MattWiki
Note: This page is for Dovecot 2.0; for previous versions, see Dovecot v1.2.

Note: This page was written with Fedora 12-14 in mind, and may not work correctly with other versions or distributions.

Dovecot is an open source IMAP and POP3 server for Linux systems, written with security primarily in mind. Although it's written in C, it uses several coding techniques to avoid most of the common pitfalls.

Installing Dovecot 2.0

Installing Dovecot is pretty straightforward; it is a C-based program, so gcc is used to compile it.

Prerequisite

yum -y install gcc gettext-devel

Method 1: Download Source Tar file

First download the latest source code from: http://dovecot.org/download.html. Then run:

./configure --prefix=/usr/local --with-mysql
make
echo $?
make install
echo $?

Method 2: From Mercurial source repository

mkdir -p /var/src/
cd /var/src/
hg clone http://hg.dovecot.org/dovecot-2.0/
cd /var/src/dovecot-2.0
./autogen.sh
./configure --prefix=/usr/local --with-mysql
make
echo $?
make install
echo $?
  • To update Dovecot 2.0 when using Mercurial:
hg pull && hg update

Compiling Configuration Options

The below will compile Dovecot with support for TLS/SSL & compressed messages.

Compiling with mySQL Support

./configure --prefix=/usr --with-ssl=openssl --with-mysql --with-zlib

Compiling with LDAP Support

./configure --prefix=/usr --with-ssl=openssl --with-ldap --with-zlib

Compiling with SQLite Support

./configure --prefix=/usr --with-ssl=openssl --with-sqlite --with-zlib

Initial Setup of Dovecot When Compiled from Source

To keep everything simple and in your /etc/ directory run:

mv /usr/local/etc/dovecot.conf /etc/dovecot.conf
ln -s /etc/dovecot.conf /usr/local/etc/dovecot.conf

Also make sure that the correct user and group exist in /etc/passwd and /etc/group.

echo "virtualmail:x:1000:1000:virtualmail:/var/spool/virtualmailboxes:/sbin/nologin" >> /etc/passwd
echo "virtualmail:x:1000:" >> /etc/group

Using the below init file, create a new file named /etc/init.d/dovecot, then run the following:

chmod 755 /etc/init.d/dovecot
/sbin/chkconfig --add dovecot
/sbin/chkconfig dovecot on
/sbin/chkconfig --list dovecot

Dovecot INIT File

#!/bin/bash
#
#	/etc/rc.d/init.d/dovecot
#
# Starts the dovecot daemon
#
# chkconfig: - 65 35
# description: Dovecot Imap Server
# processname: dovecot
# Source function library.
. /etc/init.d/functions

test -x /usr/local/sbin/dovecot || exit 0

RETVAL=0
prog="Dovecot Imap"

start() {
	echo -n $"Starting $prog: "
	daemon /usr/local/sbin/dovecot
	RETVAL=$?
	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/dovecot
	echo
}

stop() {
	echo -n $"Stopping $prog: "
	killproc /usr/local/sbin/dovecot
	RETVAL=$?
	[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/dovecot
	echo
}

case "$1" in
  start)
	start
	;;
  stop)
	stop
	;;
  reload|restart)
	stop
	start
	RETVAL=$?
	;;
  condrestart)
	if [ -f /var/lock/subsys/dovecot ]; then
	    stop
	    start
	fi
	;;
  status)
	status /usr/local/sbin/dovecot
	RETVAL=$?
	;;
  *)
	echo $"Usage: $0 {condrestart|start|stop|restart|reload|status}"
	exit 1
esac

exit $RETVAL

Configuring SSL/TLS

Self-signed SSL Certificates

Self-signed SSL certificates are the easiest way to get your SSL server working. However, unless you take some action to prevent it, this comes at the cost of security:

  • The first time the client connects to the server, it sees the certificate and asks the user whether to trust it. The user of course doesn't really bother verifying the certificate's fingerprint, so a man-in-the-middle attack can easily bypass all the SSL security, steal the user's password and so on.
  • If the client was lucky enough not to get attacked the first time it connected, the following connections will be secure as long as the client had permanently saved the certificate. Some clients do this, while others have to be manually configured to accept the certificate.

The only way to be fully secure is to import the SSL certificate into the client's (or operating system's) list of trusted CA certificates prior to the first connection. See SSL/CertificateClientImporting for how to do it for different clients.
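The practical check behind the paragraph above is comparing the fingerprint the server presents on port 993 with the fingerprint read from the certificate file on the server itself, before anything is trusted. The following is an added Python example, not part of the wiki or of Dovecot; the PEM body it embeds is a constructed placeholder, not a real certificate, and the host and pinned value passed to server_cert_trusted are assumptions.

```python
import base64
import hashlib
import hmac
import ssl

# Constructed placeholder standing in for the PEM file mkcert.sh writes.
# The body is NOT a real certificate; it only lets the example run offline.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed placeholder, not a real certificate").decode()
    + "-----END CERTIFICATE-----\n"
)


def cert_sha256_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of a PEM certificate as colon-separated uppercase hex,
    the same form `openssl x509 -noout -fingerprint -sha256` prints."""
    der = ssl.PEM_cert_to_DER_cert(pem)          # base64 body -> DER bytes
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(pem: str, pinned: str) -> bool:
    """True if the certificate's fingerprint equals the pinned one. Colons and
    case are normalised so a value copied from openssl output compares equal;
    the comparison itself is constant-time."""
    got = cert_sha256_fingerprint(pem).replace(":", "")
    want = pinned.replace(":", "").upper()
    return hmac.compare_digest(got, want)


def server_cert_trusted(host: str, pinned: str, port: int = 993) -> bool:
    """Fetch the certificate the IMAPS port presents (no verification at this
    stage, so a self-signed cert is returned as-is) and compare it with the
    fingerprint recorded on the server beforehand. Network call; not exercised
    by the offline checks below."""
    pem = ssl.get_server_certificate((host, port))
    return pin_matches(pem, pinned)


if __name__ == "__main__":
    print(cert_sha256_fingerprint(SAMPLE_PEM))
    # Hypothetical host and pin; replace with your own values:
    # print(server_cert_trusted("mail.example.com", "AA:BB:..."))
```

Record the pinned value from the certificate file on the server (for example with openssl x509 -noout -fingerprint -sha256 -in <the file mkcert.sh wrote>) and ship it to clients out of band; a mismatch on first connection is exactly the man-in-the-middle case described above.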

Building Dovecot's Self-Signed Certificates

Dovecot includes a script to build self-signed SSL certificates using OpenSSL. First you need to find the dovecot-openssl.cnf file.

  • Configuring the Certificate Config File

The best way on Fedora to do this is via the locate command.

locate dovecot-openssl.cnf

Mine was located at /etc/pki/dovecot/dovecot-openssl.cnf. Now that you have found the file, you need to add your server information to it, like this:

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
C=US

# State or Province Name (full name)
ST=MN

# Locality Name (eg. city)
L=SaintPaul

# Organization (eg. company)
O=mattrude.com

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
CN=*.mattrude.com

# E-mail contact
emailAddress=post@mattrude.com

[ cert_type ]
nsCertType = server
  • Build the Certificates
/usr/libexec/dovecot/mkcert.sh

And now restart Dovecot

/sbin/service dovecot restart

Testing your SSL Certificates

openssl s_client -connect mail.mattrude.com:993

Do not pass -ssl2: it forces SSLv2, an insecure protocol that current OpenSSL builds no longer support, so the test would fail before the certificate is shown. Look at the "Verify return code" line at the end of the output; with a self-signed certificate it reads "18 (self signed certificate)" until the certificate has been imported into the client's trust store as described above.

Doveadm

Dovecot's administration utility can be used to manage various parts of Dovecot, as well as access users' mailboxes. Here's a list of some commonly used commands.

Doveadm - Expunge

The expunge command deletes messages from users' mailboxes by criteria. This is useful mostly for housekeeping tasks, such as deleting old messages from users' Trash folders. When using the dbox mailbox format, the messages are not deleted; instead, the refcount is reduced by one for each message.[1] To test which messages a given search query would match, you can use the doveadm fetch or doveadm search commands.[2]

  • Expunge (delete) all messages older than 7 days in matt's Trash folder
doveadm expunge -u matt mailbox Trash savedbefore 7d

Doveadm - Purge

The doveadm purge command is used to remove all messages with refcount=0 from a user's mail storage. The refcount of a message is decreased to 0 when the user (or some administration utility) has expunged all instances of a message from all mailboxes.[3]

When you purge a dbox mailbox, the mailbox is rebuilt without the already deleted mail in it.[4] Purging does not delete undeleted mail and is safe to run on users' mailboxes.

  • Purge all deleted items in user matt's mailbox:
doveadm purge -u matt

Doveadm - Quota

The quota get and quota recalc commands are only available when the global mail_plugins setting contains the quota plugin.[5]

  • List current quota status for a user (-u) or all users (-A):
doveadm quota get -u matt
  • List the quota storage value for ALL users:
doveadm quota get -A |grep "STORAGE"
  • Rebuild a single user's quota values:
doveadm quota recalc -u matt
  • Rebuild ALL users' quota values:
doveadm quota recalc -A
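The grep above only filters the report; to act on it (for example to warn users approaching the 1024M storage limit set in the quota plugin section) the lines have to be parsed. The following is an added Python example, not part of the wiki or of Dovecot. It assumes the column layout of doveadm quota get -A shown in the constructed sample (STORAGE values in kilobytes, "-" for no limit); the usernames and numbers are made up.

```python
import re

# Constructed sample of `doveadm quota get -A` output. The layout is assumed:
# the "Quota name" column can contain a space, which is why the wiki greps for
# STORAGE instead of splitting on whitespace; STORAGE values are kilobytes,
# so the page's 1024M rule shows up as Limit 1048576.
SAMPLE_REPORT = """\
Username Quota name Type    Value   Limit   %
matt     User quota STORAGE 987654  1048576 94
matt     User quota MESSAGE 54321   100000  54
bob      User quota STORAGE 12345   1048576 1
bob      User quota MESSAGE 200     100000  0
carol    User quota STORAGE 1050000 1048576 100
carol    User quota MESSAGE 3       -       0
"""

# Anchor on the Type token so the multi-word quota name is captured as one field.
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<name>.+?)\s+(?P<type>STORAGE|MESSAGE)\s+"
    r"(?P<value>\d+)\s+(?P<limit>\d+|-)\s+(?P<pct>\d+)\s*$"
)


def parse_quota_report(text):
    """One dict per data line; the header and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["value"] = int(d["value"])
            d["limit"] = None if d["limit"] == "-" else int(d["limit"])
            rows.append(d)
    return rows


def users_over(rows, threshold_pct=90.0, quota_type="STORAGE"):
    """(user, type, pct) for users above threshold, most-used first. The
    percentage is recomputed from Value/Limit instead of trusting the rounded
    % column; entries with no limit ('-') are skipped."""
    hits = []
    for r in rows:
        if r["type"] != quota_type or not r["limit"]:
            continue
        pct = round(100.0 * r["value"] / r["limit"], 1)
        if pct > threshold_pct:
            hits.append((r["user"], r["type"], pct))
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for user, qtype, pct in users_over(parse_quota_report(SAMPLE_REPORT)):
        print(f"{user}: {pct}% of {qtype} quota used")
```

On a live server, feed the function subprocess output of doveadm quota get -A instead of the sample.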

Doveadm - Fetch

Doveadm fetch will display the actual message, or part of the message, depending on what you ask for.

  • To view the header of all emails with the subject of Milly, in the user matt's mailbox:
doveadm fetch -u matt hdr subject Milly

Doveadm - Search

  • To view the number of messages, by user, in their Trash folder:
doveadm search -A mailbox Trash |awk '{print $1}' |sort |uniq -c
  • Show all messages older than 30 days in user matt's Inbox:
doveadm search -u matt mailbox INBOX savedbefore 30d
  • Show all messages older than 30 days for user matt, in any folder:
doveadm search -u matt mailbox "*" savedbefore 30d

Dsync

Dsync is Dovecot's mailbox synchronization utility. It can be used for several different use cases: two-way synchronization of mailboxes on different servers (via ssh), creating backups of mail on a remote server, and converting mailboxes from/to different mailbox formats.

Backing up a User's Mailbox

dsync -u user -o mail_location=mdbox:/var/mailboxes/newmailbox mirror mdbox:/var/mailboxes/oldmailbox

In the above example, the user being backed up is user; we are copying the mailbox to /var/mailboxes/newmailbox and creating it in the mdbox format. The original mailbox lives at /var/mailboxes/oldmailbox and also happens to be in the mdbox format.

Dovecot Plugins

Dovecot's Quota Plugin

The below assumes you're using mdbox, so dirsize or dict:sql will be the fastest. Since we already have SQL set up, we're going to go with that.

Enabling the Quota Plugin

mail_plugins = $mail_plugins quota

protocol imap {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins imap_quota
}

plugin {
  # SQL backend:
  quota = dict:User quota::proxy::quota
  quota_rule = *:storage=1024M:messages=100000
  quota_rule2 = Trash:storage=+20%%
  quota_rule3 = Junk:storage=+20%%
}

dict {
  quota = mysql:/etc/dovecot/dovecot-dict-mysql.conf
}

The dovecot-dict-mysql.conf file should contain something like this:

connect = host=localhost dbname=postfix user=postfix password=postfix
map {
  pattern = priv/quota/storage
  table = quota
  username_field = username
  value_field = bytes
}
map {
  pattern = priv/quota/messages
  table = quota
  username_field = username
  value_field = messages
}

And lastly, add the following table to your email server's database in MySQL.

CREATE TABLE quota (
  username varchar(100) not null,
  bytes bigint not null default 0,
  messages integer not null default 0,
  primary key (username)
);

Dovecot's Expire Plugin

Dovecot's Trash Plugin

Dovecot's Zlib Plugin

Dovecot's AntiSpam Plugin

The Dovecot Antispam plugin will allow users to indicate Spam messages by moving them into their Junk folder.[6] Unlike Dovecot's other plugins, Antispam is an external plugin you must download and install separately.

The Dovecot Antispam plugin has internally four types of folders. Different actions are programmed when you move the mail from one folder to the other. The following table describes the actions depending on the source and destination folders.[7]


dst \ src   Spam       Trash      Unsure     Other
Spam        ignored    ignored    spam       spam
Trash       ignored    ignored    forbidden  ignored
Unsure      forbidden  forbidden  forbidden  forbidden
Other       ham        ignored    ham        ignored


Downloading & Compiling the Plugin

hg clone http://hg.dovecot.org/dovecot-antispam-plugin
cd dovecot-antispam-plugin
./autogen.sh
./configure --prefix=/usr
make
make install

Configuring Dovecot's AntiSpam Plugin

protocol imap {
    mail_plugins = $mail_plugins antispam
}

Troubleshooting Dovecot

See: http://bobpeers.com/technical/telnet_imap.php

  • Connecting to Dovecot with telnet
telnet mail.example.com 143
  • Connecting to Dovecot using an SSL connection
openssl s_client -connect mail.example.com:993
  • Logging In
. login <username> <password>
  • Listing Imap Directories
. list "" "*"
  • Selecting an Imap Directory
. select Save

References