Introduction

Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written with security primarily in mind. Dovecot is an excellent choice for both small and large installations. It's fast, simple to set up, requires no special administration and it uses very little memory.

Installation

This guide will help you set up a complete email server using Postfix as MTA, OpenLDAP as a back-end for users, and Dovecot for SASL authentication, LDA and IMAP server.

This guide assumes you have already installed Postfix and OpenLDAP (on localhost), with its directory structure and users in place. If not, you won't find explanations here on how to get those (please search this wiki for how to set up Postfix and LDAP). This guide explains in detail how to integrate all the above services with Dovecot in order to get a multi-user mail server.

To continue, please use your favorite package manager and install dovecot.

sudo apt-get install dovecot

SASL

First, let's set up SASL authentication. Check out the PostfixDovecotSASL page to get it done. Next, to use Dovecot for delivery (LDA), we'll have to add the following to dovecot.conf:

  socket listen {
    master {
      # Master socket provides access to userdb information. It's typically
      # used to give Dovecot's local delivery agent access to userdb so it
      # can find mailbox locations.
      path = /var/run/dovecot/auth-master
      mode = 0660
      # Default user/group is the one who started dovecot-auth (root)
      user = mail
      group = mail
    }
    client {
      # The client socket is generally safe to export to everyone. Typical use
      # is to export it to your SMTP server so it can do SMTP AUTH lookups
      # using it.
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }

General

To enable imap (you can also enable imaps; just add ssl_cert_file, ssl_key_file and ssl_ca_file values to dovecot.conf), add the following:

# Here you can add imaps
protocols = imap
# Allow postfix to access login process
login_user = postfix
# Add a login greeting
login_greeting = Dovecot IMAP server!

Our users' home folders will be taken from LDAP, so we should consider this when setting up the mail location for users:

# I found it best to go this way, in order to preserve a logical directory structure
mail_location = maildir:~/Maildir

Considering the home folder path and the LDAP base, don't forget to give the right permissions to the folder where the users' home folders will be created. If the LDAP users are in the group users, then

sudo chgrp users /home
sudo chmod 775 /home

should solve the permissions problem.

I advise you to add

mail_full_filesystem_access = no

to dovecot.conf in order to maintain the security level of your system.

For security you should also know the minimum uid and gid of the LDAP users; use those values for

first_valid_uid = 2000
last_valid_uid = 0
first_valid_gid = 2000
last_valid_gid = 0

Also, due to performance issues, it is recommended to set

maildir_copy_with_hardlinks = no

Because LDAP usernames may not be written in a standard way, I recommend using

auth_username_format = %Lu

which will convert usernames to lowercase.

If you decided to use imaps and your certificates are self-signed, consider using this:

ssl_require_client_cert = no

IMAP

In the IMAP-specific settings (protocol imap) set the right imap and imap-login executables:

login_executable = /usr/lib/dovecot/imap-login
mail_executable = /usr/lib/dovecot/imap

You might consider using several plugins, quota for example; add them to

mail_plugins = quota imap_quota

And finally, I advise you to enable Dovecot's workarounds in order to make it perfectly compatible with most IMAP clients:

imap_client_workarounds = outlook-idle delay-newmail netscape-eoh tb-extra-mailbox-sep

LDA

In the LDA-specific settings (protocol lda) add the basics (I included quota because I included it in the IMAP settings):

postmaster_address = your@email.tld
mail_plugins = quota
sendmail_path = /usr/lib/sendmail

Check the SASL section in order to use this (the path must match the master socket path configured there):

auth_socket_path = /var/run/dovecot/auth-master

And finally, I recommend setting up the logs, at least until your system is 100% working. These logs helped me a lot!

log_path = /var/log/dovecot-deliver.log
info_log_path = /var/log/dovecot-deliver.log

Plugins

In order to use plugin settings (in our case quotas), add this:

plugin {
  quota = maildir
  quota_rule = *:storage=50M
  quota_rule2 = Trash:storage=10%%
  quota_rule3 = Spam:storage=20%%
}

Postfix

To enable virtual alias maps for the LDAP users (in short, the recipients table from LDAP) and to allow LDAP users to log in for sending emails, add

virtual_alias_maps =
        hash:/etc/postfix/virtual
        ldap:/etc/postfix/ldap_virtual_users.cf

smtpd_sender_login_maps = ldap:/etc/postfix/ldap_senders.cf

where an ldap_<something>.cf file will look like this:

server_host = ldap://localhost
search_base = ou=users,dc=domain,dc=tld
bind = no

query_filter = (&(objectclass=orgMailService)(|(aliasMail=%s)(aliasMailAlternateAddress=%s)))
result_attribute = uid
domain = domain.tld
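To see what Postfix actually sends to the directory, here is an added Python example (not part of this guide or of Postfix itself) that expands the query_filter above for a lookup key the way the Postfix ldap table does: %s, %u and %d are replaced by the whole key, its local part and its domain, each with RFC 4515 quoting, and keys whose domain is not in the domain list are not looked up at all. The quoting is what keeps a recipient address containing filter metacharacters from widening the search; the function names are my own.

```python
"""Expand a Postfix ldap table query_filter with RFC 4515 quoting."""
import re

# Constructed settings, copied from the ldap_<something>.cf shown above.
QUERY_FILTER = ("(&(objectclass=orgMailService)"
                "(|(aliasMail=%s)(aliasMailAlternateAddress=%s)))")
DOMAINS = {"domain.tld"}


def ldap_escape(value):
    """Quote the filter metacharacters ( ) * \\ and NUL as \\XX hex escapes."""
    out = []
    for ch in value:
        if ch in "*()\\\0":
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(lookup_key, query_filter=QUERY_FILTER, domains=DOMAINS):
    """Return the expanded filter, or None when Postfix would skip the lookup
    (no domain part in the key, or a domain outside the 'domain' list)."""
    if "@" not in lookup_key:
        return None
    local, _, domain = lookup_key.rpartition("@")
    if domain.lower() not in domains:
        return None
    subs = {"s": lookup_key, "u": local, "d": domain}

    def repl(m):
        code = m.group(1)
        return "%" if code == "%" else ldap_escape(subs[code])

    # Single pass, so text inserted for one %-code is never rescanned.
    return re.sub(r"%([sud%])", repl, query_filter)


if __name__ == "__main__":
    for key in ("alice@domain.tld", "*@domain.tld", "alice@other.tld", "postmaster"):
        print(key, "->", build_filter(key))
```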

To enforce security, add these rules:

smtpd_client_restrictions=
        permit_mynetworks,
        permit

smtpd_recipient_restrictions=
        permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        permit_auth_destination,
        reject_unauth_destination,
        reject

smtpd_sender_restrictions=
        reject_unknown_sender_domain,
        reject_unlisted_sender,
        reject_authenticated_sender_login_mismatch,
        permit

I assume you already added the required values to use PostfixDovecotSASL. To enable Dovecot for delivery, use this:

mailbox_transport = dovecot
mailbox_command = /usr/lib/dovecot/deliver
dovecot_destination_recipient_limit = 1
virtual_transport = dovecot

Now, to allow Dovecot to deliver, add the following entry to master.cf:

# delivery through dovecot
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=mail:mail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}

The -d ${user} argument is necessary to be able to deliver email to LDAP users' IMAP mailboxes; otherwise you might get errors like

Authenticated user not found

Save and restart Postfix and Dovecot.

Now, in order to be able to deliver mail for different uids, we have to set the setuid bit on the delivery executable. Something like

chmod u+s /usr/lib/dovecot/deliver

should be enough! This should be all.

Testing

Testing was done on a vanilla installation of Ubuntu 8.04.2.

Postfix/DovecotLDAP (last edited 2009-03-29 20:25:30 by c7)