---
title: "FreeBSD email server - Part 3: Dovecot, IMAP and SASL"
date: 2016-10-31 07:57:50
tags: Tutorial FreeBSD Email Dovecot IMAP SASL
layout: post
---

Welcome to the third part of my FreeBSD email server series. In this series, I
guide you through setting up your own email service. Be sure to read the
previous parts before continuing with this one if you have not done so yet.

This part guides you through setting up [Dovecot][dovecot]. Dovecot handles
the SASL authentication for your email server (Postfix passes the credentials
it receives on to Dovecot over a socket) and makes your mailboxes accessible
via IMAP. This guide does not cover POP3, although Dovecot can serve that as
well.

Just like the Postfix setup, Dovecot has quite a few configuration options to
set before it will work as expected in this setup. If you have questions after
reading the full guide, please find me on IRC. You can find details on how to
do so on [my homepage][home].

## Installing Dovecot
Dovecot is also installed from the FreeBSD ports tree. As this guide assumes
you are working through the parts in order, how to obtain the ports tree is
not repeated here.

You can start the installation procedure with the following commands.

{% highlight sh %}
cd /usr/ports/mail/dovecot2
make configure install
{% endhighlight %}

Again, like with the Postfix installation, leave the default options on and add
the `PGSQL` option so Dovecot can use PostgreSQL as the database back-end.

## Enabling Dovecot
Enable the Dovecot service in `rc.conf.local` so that rc(8) starts it at boot.

{% highlight sh %}
echo 'dovecot_enable="YES"' >> /etc/rc.conf.local
{% endhighlight %}

## Configuring Dovecot
To start off with the Dovecot configuration, copy over the sample files first.

{% highlight sh %}
cp -r /usr/local/etc/dovecot/example-config/* /usr/local/etc/dovecot/.
{% endhighlight %}

Now you can start editing a number of files. The file names in the headings
below are relative to `/usr/local/etc/dovecot`.

### dovecot.conf
Here you only have to set which protocols you want to enable. Set them as
follows.

{% highlight ini %}
protocols = imap lmtp
{% endhighlight %}

### conf.d/10-master.conf
The `10-master.conf` file defines which sockets Dovecot listens on or
provides, and as which user each of its processes runs. Keep the defaults as
they are, with the exception of the following two blocks.

#### service imap-login
This enables imaps (IMAP over TLS on port 993) and, by setting the port of the
plain `imap` listener to 0, switches off the cleartext listener on port 143
altogether. With `ssl = required` (set below) a client on port 143 could only
authenticate after STARTTLS anyway, but offering nothing but 993 leaves
clients nothing to get wrong.

{% highlight ini %}
service imap-login {
    inet_listener imap {
        port = 0
    }

    inet_listener imaps {
        port = 993
        ssl = yes
    }
}
{% endhighlight %}

#### services
This instructs Dovecot to provide an authentication service and `lmtp`, the
**Local Mail Transfer Protocol** (RFC 2033). Postfix hands accepted mail to
Dovecot over the LMTP socket, and Dovecot writes it into the correct mailbox
location in the file system; the auth socket under
`/var/spool/postfix/private/` is the one Postfix uses for SASL. The `0666`
mode on that auth socket follows Dovecot's own Postfix example and is
acceptable only because Postfix keeps `/var/spool/postfix/private` itself at
mode 0700, owned by `postfix`. If you would rather not depend on that, `0660`
with the `postfix` user and group shown is enough, since Postfix's `smtpd`
processes run as that user.

{% highlight ini %}
service auth {
    unix_listener auth-userdb {
        mode = 0600
        user = postfix
        group = postfix
    }

    unix_listener /var/spool/postfix/private/auth {
        mode = 0666
        user = postfix
        group = postfix
    }

    user = dovecot
}

service lmtp {
    unix_listener /var/spool/postfix/private/dovecot-lmtp {
        mode = 0600
        user = postfix
        group = postfix
    }
}

service auth-worker {
    user = postfix
}
{% endhighlight %}
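
Once Dovecot is running, the quickest way to prove the LMTP socket and the
mailbox layout work together is to hand Dovecot a message directly, bypassing
Postfix, and then look at what it created. The script below is an added
example, not code from the original post or from Dovecot: it assumes the
socket path and the `/srv/mail/%d/%n` layout from this post, and the addresses
`postmaster@domain.tld` and `alice@domain.tld` are placeholders (the recipient
must already exist in the `users` table from the previous part). Run it as
root or as `postfix`, since the socket is mode 0600 and owned by `postfix`.

```python
"""Push a test message through Dovecot's LMTP socket and check the result.

Added example; not from the original post or from Dovecot. It assumes the
socket path and the /srv/mail/%d/%n layout from this post, and a recipient
that already exists in the users table. Run it as root (or postfix), since
the socket is mode 0600 and owned by postfix.
"""
from __future__ import annotations

import os
import pwd
import smtplib
from email.message import EmailMessage
from email.utils import make_msgid

LMTP_SOCKET = "/var/spool/postfix/private/dovecot-lmtp"   # from 10-master.conf
MAIL_ROOT = "/srv/mail"                                    # mail_home = /srv/mail/%d/%n


def maildir_for(address: str) -> str:
    """Where Dovecot should create the Maildir for a user@domain address."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not a user@domain address: {address!r}")
    return os.path.join(MAIL_ROOT, domain, local, "Maildir")


def build_test_message(sender: str, rcpt: str) -> EmailMessage:
    """A minimal RFC 5322 message with a unique Message-ID so you can find it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = rcpt
    msg["Subject"] = "dovecot lmtp test"
    msg["Message-ID"] = make_msgid()
    msg.set_content("Delivered through the LMTP socket, not through Postfix.\n")
    return msg


def deliver(sender: str, rcpt: str, socket_path: str = LMTP_SOCKET) -> dict:
    """Speak LMTP over the unix socket (smtplib sends LHLO instead of EHLO).
    Returns the refused-recipient dict; empty means Dovecot accepted it."""
    with smtplib.LMTP(socket_path) as lmtp:      # a host starting with '/' means AF_UNIX
        return lmtp.send_message(build_test_message(sender, rcpt), sender, [rcpt])


def check_delivery(rcpt: str, owner: str = "postfix") -> list[str]:
    """Confirm the Maildir exists, received a file in new/, and is owned by the
    same user whose uid/gid the SQL queries hand to Dovecot."""
    problems = []
    new_dir = os.path.join(maildir_for(rcpt), "new")
    if not os.path.isdir(new_dir):
        return [f"{new_dir} does not exist; LMTP delivery did not create the mailbox"]
    want = pwd.getpwnam(owner)
    st = os.stat(new_dir)
    if (st.st_uid, st.st_gid) != (want.pw_uid, want.pw_gid):
        problems.append(f"{new_dir} owned by {st.st_uid}:{st.st_gid}, expected "
                        f"{want.pw_uid}:{want.pw_gid} ({owner})")
    if not os.listdir(new_dir):
        problems.append(f"{new_dir} is empty; the message was not written")
    return problems


if __name__ == "__main__":
    refused = deliver("postmaster@domain.tld", "alice@domain.tld")
    print("refused:", refused or "none")
    print("\n".join(check_delivery("alice@domain.tld")) or "delivery looks correct")
```

If `deliver()` succeeds but `check_delivery()` reports a missing directory,
Dovecot accepted the message for a different home than you expected; compare
the `user_query` in `dovecot-sql.conf.ext` with `MAIL_ROOT` here. A wrong
owner means the `125` in that file does not match the real `postfix` uid.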

### conf.d/10-ssl.conf
Here you enable TLS and point Dovecot at your certificate chain and private
key. The `<` prefix tells Dovecot to read the contents of the file that
follows; write it directly in front of the path, as below. Dovecot reads these
files as root before dropping privileges, so the private key can, and should,
stay readable by root only.

{% highlight ini %}
ssl = required
ssl_cert = </usr/local/etc/letsencrypt/live/domain.tld/fullchain.pem
ssl_key = </usr/local/etc/letsencrypt/live/domain.tld/privkey.pem
{% endhighlight %}

### conf.d/10-mail.conf
`mail_home` tells Dovecot where each user's home directory lives, and
`mail_location` where, relative to that home, the mail itself is stored. `%d`
expands to the domain and `%n` to the local part of the authenticated user
name.

{% highlight ini %}
mail_home = /srv/mail/%d/%n
mail_location = maildir:~/Maildir
{% endhighlight %}

Make sure the location set by `mail_home` exists and is owned by `postfix`!

{% highlight sh %}
mkdir -p /srv/mail
chown postfix:postfix /srv/mail
{% endhighlight %}

### conf.d/10-auth.conf
This file controls the authentication Dovecot provides: which SASL mechanisms
are offered and which back-end supplies the credentials to check against.
Make sure the following options are set as given. `disable_plaintext_auth =
yes` makes Dovecot refuse the `PLAIN` mechanism (and the IMAP `LOGIN` command)
on any connection that is not protected by TLS, which is what makes offering
`plain` at all acceptable. Leave `auth_username_chars` at its default: it does
not include `/`, so the `%d` and `%n` expansions used in paths below can never
contain a directory separator, and Dovecot SQL-escapes the variables it
substitutes into the queries of the following sections.

{% highlight ini %}
disable_plaintext_auth = yes
auth_mechanisms = plain 
{% endhighlight %}

Also, make sure `!include auth-system.conf.ext` is commented **out**. It is not
commented out by default, so you will have to do this manually. In addition,
you have to uncomment `!include auth-sql.conf.ext`.
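
To confirm that `10-master.conf` and `10-auth.conf` together give you the
intended behaviour, look at what the server advertises: no SASL mechanism and
`LOGINDISABLED` on any cleartext connection, `AUTH=PLAIN` only inside TLS. The
script below is an added example, not code from the original post or from
Dovecot. It audits capability lists offline against that policy and can also
connect to your imaps port with certificate and hostname verification, the way
a mail client should. The three sample greeting lines are constructed to
resemble Dovecot's greeting format and were not captured from a real server;
`mail.domain.tld` is a placeholder.

```python
"""Audit the capabilities an IMAP server advertises, offline and live.

Added example; not from the original post or from Dovecot. The sample
greetings are constructed to look like Dovecot 2.x greetings and were not
captured from a real host.
"""
from __future__ import annotations

import imaplib
import re
import ssl

# Constructed sample greetings (not captured from a real host).
SAMPLE_GREETINGS = {
    # port 143 before STARTTLS with disable_plaintext_auth = yes:
    # no AUTH= mechanism is offered and the LOGIN command is disabled.
    "cleartext": b"* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS "
                 b"ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.",
    # port 993, or 143 after STARTTLS: PLAIN inside TLS is acceptable.
    "tls": b"* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS "
           b"ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.",
    # what a server with disable_plaintext_auth = no would show on port 143.
    "leaky": b"* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.",
}

_CAP_RE = re.compile(rb"\[CAPABILITY ([^\]]*)\]")


def parse_capabilities(greeting: bytes) -> set[str]:
    """Return the capability atoms from an IMAP greeting line, upper-cased."""
    m = _CAP_RE.search(greeting)
    if m is None:
        return set()
    return {tok.decode("ascii").upper() for tok in m.group(1).split()}


def audit_capabilities(caps: set[str], encrypted: bool) -> list[str]:
    """Policy findings for one connection state; an empty list means OK."""
    findings: list[str] = []
    mechs = sorted(c for c in caps if c.startswith("AUTH="))
    if encrypted:
        if "AUTH=PLAIN" not in caps:
            findings.append("no AUTH=PLAIN inside TLS: SASL clients cannot log in")
        if "LOGINDISABLED" in caps:
            findings.append("LOGINDISABLED still advertised inside TLS")
    else:
        if "STARTTLS" not in caps:
            findings.append("cleartext listener without STARTTLS")
        if "LOGINDISABLED" not in caps:
            findings.append("cleartext LOGIN command not disabled")
        if mechs:
            findings.append("SASL mechanisms offered before TLS: " + " ".join(mechs))
    return findings


def audit_live(host: str, port: int = 993) -> list[str]:
    """Connect with implicit TLS, verifying chain and hostname the way a mail
    client should (a self-signed or mismatched certificate raises here), then
    audit what the server offers inside the TLS session."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    try:
        caps = {c.upper() for c in conn.capabilities}   # imaplib issues CAPABILITY on connect
        return audit_capabilities(caps, encrypted=True)
    finally:
        conn.logout()


if __name__ == "__main__":
    for name, line in SAMPLE_GREETINGS.items():
        caps = parse_capabilities(line)
        print(name, audit_capabilities(caps, encrypted=(name == "tls")) or "OK")
    # Against your own server: print(audit_live("mail.domain.tld") or "OK")
```

`audit_live()` deliberately does not offer a way to skip certificate
verification: if it fails, the chain in `10-ssl.conf` is wrong or the name you
connect to is not in the certificate, and that is exactly what you want to
learn before a client does.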

### conf.d/auth-sql.conf.ext
This is the file included from `10-auth.conf`. It makes SQL the driver for the
password and user back-ends. The `prefetch` userdb lets an IMAP login reuse
the `userdb_*` fields returned by the password query, so the second userdb
(`sql`) is only consulted for lookups that happen without a password, such as
LMTP delivery. The `args` path must name the file configured in the next
section.

{% highlight ini %}
passdb {
    driver = sql
    args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
}

userdb {
    driver = prefetch
}

userdb {
    driver = sql
    args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
}
{% endhighlight %}

### dovecot-sql.conf.ext
The final configuration file contains the queries used to fetch the required
information about users. Update the `password` and possibly the other
parameters used to connect to the database, and keep this file unreadable to
other users, since it holds that password. You may also have to change the
`125`: it has to be identical to the UID and GID of `postfix` on your system,
which `id postfix` shows.

As a side note, if you follow this tutorial on a machine whose crypt(3) does
**not** support Blowfish, which was the case for glibc on most GNU+Linux
distributions until they moved to libxcrypt, you **cannot** use `BLF-CRYPT` as
the `default_pass_scheme`. Use `SHA512-CRYPT` instead, not the plain `SHA512`
scheme, which is a single unsalted hash and far cheaper to crack. Whichever
scheme you pick, generate the stored hashes with `doveadm pw -s <scheme>`
rather than by hand.

{% highlight ini %}
driver = pgsql
connect = host=127.0.0.1 dbname=mail user=postfix password=incredibly-secret!
default_pass_scheme = BLF-CRYPT
password_query = \
    SELECT \
        local AS user, \
        password, \
        '/srv/mail/%d/%n' AS userdb_home, \
        125 AS userdb_uid, \
        125 AS userdb_gid \
    FROM users \
    WHERE local='%n' AND domain='%d';

user_query = \
    SELECT \
        '/srv/mail/%d/%n' AS home, \
        125 AS uid, \
        125 AS gid \
    FROM users \
    WHERE local='%n' AND domain='%d';
{% endhighlight %}
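
Dovecot also accepts a per-row scheme: a `password` value that starts with
`{SCHEME}` is checked with that scheme regardless of `default_pass_scheme`,
which is what makes migrating accounts from one scheme to another painless.
The script below is an added example, not code from the original post or from
Dovecot, that creates and verifies such entries. Rather than the `BLF-CRYPT`
or `SHA512-CRYPT` hashes discussed above (which need crypt(3) and are best
made with `doveadm pw`), it uses Dovecot's `PBKDF2` scheme because that one
needs nothing beyond Python's standard library. The on-disk format assumed
here, `{PBKDF2}$1$<salt>$<rounds>$<hex of a 20-byte PBKDF2-HMAC-SHA1 key>`,
is taken from Dovecot's `password-scheme.c`; confirm it against your Dovecot
version with `doveadm pw -s PBKDF2 -p test`, or let Dovecot verify one of the
script's hashes with `doveadm pw -t '<hash>' -p '<password>'`. The column
names in the `INSERT` follow the queries above and are an assumption about
your `users` table.

```python
"""Create and check entries for the users.password column.

Added example; not from the original post or from Dovecot. Emits Dovecot's
PBKDF2 scheme with a {SCHEME} prefix, so each row carries its own scheme
instead of relying on default_pass_scheme. The layout
{PBKDF2}$1$<salt>$<rounds>$<hex of 20-byte PBKDF2-HMAC-SHA1> is assumed from
Dovecot's password-scheme.c; verify with `doveadm pw -s PBKDF2 -p test`.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import string

SALT_CHARS = string.ascii_letters + string.digits + "./"
DEFAULT_ROUNDS = 100_000   # cost knob: raise it until one check costs ~0.1 s on your CPU
PREFIX = "{PBKDF2}$1$"


def pbkdf2_hash(password: str, rounds: int = DEFAULT_ROUNDS, salt: str | None = None) -> str:
    """Return a {PBKDF2} string suitable for the `password` column."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_CHARS) for _ in range(16))
    if not salt or any(ch not in SALT_CHARS for ch in salt):
        raise ValueError("salt must be non-empty and drawn from [A-Za-z0-9./]")
    if rounds < 1:
        raise ValueError("rounds must be positive")
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                              salt.encode("ascii"), rounds, dklen=20)
    return f"{PREFIX}{salt}${rounds}${key.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a {PBKDF2} entry, as the passdb would."""
    if not stored.startswith(PREFIX):
        return False                       # other schemes are not handled here
    try:
        salt, rounds_s, digest_hex = stored[len(PREFIX):].split("$")
        rounds = int(rounds_s)
        expected = bytes.fromhex(digest_hex)
    except ValueError:                     # wrong field count, rounds or hex
        return False
    if rounds < 1 or len(expected) != 20:
        return False
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                              salt.encode("ascii"), rounds, dklen=20)
    return hmac.compare_digest(key, expected)   # constant-time compare


def insert_statement(local: str, domain: str, password: str) -> tuple[str, tuple[str, str, str]]:
    """Parameterised INSERT for psycopg2-style drivers: the hash and the address
    parts travel as bind parameters, never through string formatting. Column
    names are assumed from the queries in dovecot-sql.conf.ext."""
    sql = "INSERT INTO users (local, domain, password) VALUES (%s, %s, %s)"
    return sql, (local, domain, pbkdf2_hash(password))


if __name__ == "__main__":
    entry = pbkdf2_hash("correct horse battery staple")
    print(entry)
    print(verify("correct horse battery staple", entry), verify("wrong", entry))
    print(insert_statement("alice", "domain.tld", "correct horse battery staple"))
```

Because the scheme travels with the row, you can insert new accounts with
this script while existing rows keep their `BLF-CRYPT` hashes, and rehash an
old row the next time its owner logs in.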

## Conclusion
After this part, you should be left with a working email server that provides
IMAP over a TLS-protected connection. While that is great in itself, for
actual use in the wild you should set up some additional services. In the next
part, we will therefore deal with the practices that let receiving servers
"authenticate" your email as legitimate. Be sure to read up on it!

[dovecot]: http://dovecot.org/
[home]: {{ "/" | prepend: site.baseurl }}