Red Hat Summit1.3. Setting up a Dovecot server with MariaDB SQL authentication
If you store users and passwords in a MariaDB SQL server, you can configure Dovecot to use it as the user database and authentication backend. With this configuration, you manage accounts centrally in a database, and users have no local access to the file system on the Dovecot server.
Centrally managed accounts are also a benefit if you plan to set up multiple Dovecot servers with replication to make your mailboxes highly available.
1.3.1. Installing Dovecot
The dovecot package provides:
-
The
dovecotservice and the utilities to maintain it - Services that Dovecot starts on demand, such as for authentication
- Plugins, such as server-side mail filtering
-
Configuration files in the
/etc/dovecot/directory -
Documentation in the
/usr/share/doc/dovecot/directory
Procedure
Install the
dovecotpackage:# dnf install dovecot참고If Dovecot is already installed and you require clean configuration files, rename or remove the
/etc/dovecot/directory. Afterwards, reinstall the package. Without removing the configuration files, thednf reinstall dovecotcommand does not reset the configuration files in/etc/dovecot/.
1.3.2. Configuring TLS encryption on a Dovecot server
Dovecot provides a secure default configuration. For example, TLS is enabled by default to transmit credentials and data encrypted over networks. To configure TLS on a Dovecot server, you only need to set the paths to the certificate and private key files. Additionally, you can increase the security of TLS connections by generating and by using Diffie-Hellman parameters to provide perfect forward secrecy (PFS).
Prerequisites
- Dovecot is installed.
The following files have been copied to the listed locations on the server:
-
The server certificate:
/etc/pki/dovecot/certs/server.example.com.crt -
The private key:
/etc/pki/dovecot/private/server.example.com.key -
The Certificate Authority (CA) certificate:
/etc/pki/dovecot/certs/ca.crt
-
The server certificate:
-
The hostname in the
Subject DNfield of the server certificate matches the server’s Fully-qualified Domain Name (FQDN). - If the FIPS mode is enabled, clients must either support the Extended Master Secret (EMS) extension or use TLS 1.3. TLS 1.2 connections without EMS fail. For more information, see the Red Hat Knowledgebase solution TLS extension "Extended Master Secret" enforced.
Procedure
Set secure permissions on the private key file:
# chown root:root /etc/pki/dovecot/private/server.example.com.key # chmod 600 /etc/pki/dovecot/private/server.example.com.keyGenerate a file with Diffie-Hellman parameters:
# openssl dhparam -out /etc/dovecot/dh.pem 4096Depending on the hardware and entropy on the server, generating Diffie-Hellman parameters with 4096 bits can take several minutes.
Set the paths to the certificate and private key files in the
/etc/dovecot/conf.d/10-ssl.conffile:Update the
ssl_certandssl_keyparameters, and set them to use the paths of the server’s certificate and private key:ssl_cert = </etc/pki/dovecot/certs/server.example.com.crt ssl_key = </etc/pki/dovecot/private/server.example.com.keyUncomment the
ssl_caparameter, and set it to use the path to the CA certificate:ssl_ca = </etc/pki/dovecot/certs/ca.crtUncomment the
ssl_dhparameter, and set it to use the path to the Diffie-Hellman parameters file:ssl_dh = </etc/dovecot/dh.pem
중요To ensure that Dovecot reads the value of a parameter from a file, the path must start with a leading
<character.
Next step
1.3.3. Preparing Dovecot to use virtual users
By default, Dovecot performs many actions on the file system as the user who uses the service. However, configuring the Dovecot back end to use one local user to perform these actions has several benefits:
- Dovecot performs file system actions as a specific local user instead of using the user’s ID (UID).
- Users do not need to be available locally on the server.
- You can store all mailboxes and user-specific files in one root directory.
- Users do not require a UID and group ID (GID), which reduces administration efforts.
- Users who have access to the file system on the server cannot compromise their mailboxes or indexes because they cannot access these files.
- Setting up replication is easier.
Prerequisites
- Dovecot is installed.
Procedure
Create the
vmailuser:# useradd --home-dir /var/mail/ --shell /usr/sbin/nologin vmailDovecot will later use this user to manage the mailboxes. For security reasons, do not use the
dovecotordovenullsystem users for this purpose.If you use a different path than
/var/mail/, set themail_spool_tSELinux context on it, for example:# semanage fcontext -a -t mail_spool_t "<path>(/.)?"* # restorecon -Rv <path>Grant write permissions on
/var/mail/only to thevmailuser:# chown vmail:vmail /var/mail/ # chmod 700 /var/mail/Uncomment the
mail_locationparameter in the/etc/dovecot/conf.d/10-mail.conffile, and set it to the mailbox format and location:mail_location = sdbox:/var/mail/%n/With this setting:
-
Dovecot uses the high-performant
dboxmailbox format insinglemode. In this mode, the service stores each mail in a separate file, similar to themaildirformat. -
Dovecot resolves the
%nvariable in the path to the username. This is required to ensure that each user has a separate directory for its mailbox.
-
Dovecot uses the high-performant
1.3.4. Using a MariaDB SQL database as the Dovecot authentication backend
Dovecot can read accounts and passwords from a MariaDB database and use it to authenticate users when they log in to the IMAP or POP3 service. The benefits of this authentication method include:
- Administrators can manage users centrally in a database.
- Users have no access locally on the server.
Prerequisites
- Dovecot is installed.
- The virtual users feature is configured.
- Connections to the MariaDB server support TLS encryption.
-
The
dovecotDBdatabase exists in MariaDB, and theuserstable contains at least ausernameandpasswordcolumn. -
The
passwordcolumn contains passwords encrypted with a scheme that Dovecot supports. -
The passwords either use the same scheme or have a
{pw-storage-scheme}prefix. -
The
dovecotMariaDB user has read permission on theuserstable in thedovecotDBdatabase. -
The certificate of the Certificate Authority (CA) that issued the MariaDB server’s TLS certificate is stored on the Dovecot server in the
/etc/pki/tls/certs/ca.crtfile. - If the FIPS mode is enabled, this Dovecot server supports the Extended Master Secret (EMS) extension or uses TLS 1.3. TLS 1.2 connections without EMS fail. For more information, see the Red Hat Knowledgebase solution TLS extension "Extended Master Secret" enforced.
Procedure
Install the
dovecot-mysqlpackage:# dnf install dovecot-mysqlConfigure the authentication backends in the
/etc/dovecot/conf.d/10-auth.conffile:Comment out
includestatements forauth-*.conf.extauthentication backend configuration files that you do not require, for example:#!include auth-system.conf.extEnable SQL authentication by uncommenting the following line:
!include auth-sql.conf.ext
Edit the
/etc/dovecot/conf.d/auth-sql.conf.extfile, and add theoverride_fieldsparameter to theuserdbsection as follows:userdb { driver = sql args = /etc/dovecot/dovecot-sql.conf.ext override_fields = uid=vmail gid=vmail home=/var/mail/%n/ }Due to the fixed values, Dovecot does not query these settings from the SQL server.
Create the
/etc/dovecot/dovecot-sql.conf.extfile with the following settings:driver = mysql** connect = host=mariadb_srv.example.com dbname=dovecotDB user=dovecot password=_<dovecotPW>_ ssl_ca=/etc/pki/tls/certs/ca.crt default_pass_scheme = SHA512-CRYPT user_query = SELECT username FROM users WHERE username='%u'; password_query = SELECT username AS user, password FROM users WHERE username='%u'; iterate_query = SELECT username FROM users;To use TLS encryption to the database server, set the
ssl_caoption to the path of the certificate of the CA that issued the MariaDB server certificate. For a working certificate validation, the hostname of the MariaDB server must match the hostname used in its TLS certificate.If the password values in the database contain a
{<pw-storage-scheme>}prefix, you can omit thedefault_pass_schemesetting.The queries in the file must be set as follows:
-
For the
user_queryparameter, the query must return the username of the Dovecot user. The query must also return only one result. -
For the
password_queryparameter, the query must return the username and the password, and Dovecot must use these values in theuserandpasswordvariables. Therefore, if the database uses different column names, use theASSQL command to rename a column in the result. -
For the
iterate_queryparameter, the query must return a list of all users.
-
For the
Set secure permissions on the
/etc/dovecot/dovecot-sql.conf.extfile:# chown root:root /etc/dovecot/dovecot-sql.conf.ext # chmod 600 /etc/dovecot/dovecot-sql.conf.ext
Next step
1.3.5. Completing the Dovecot configuration
Once you have installed and configured Dovecot, open the required ports in the firewalld service, and enable and start the service. Afterwards, you can test the server.
Prerequisites
The following has been configured in Dovecot:
- TLS encryption
- An authentication backend
- Clients trust the Certificate Authority (CA) certificate.
Procedure
If you want to provide only an IMAP or POP3 service to users, uncomment the
protocolsparameter in the/etc/dovecot/dovecot.conffile, and set it to the required protocols. For example, if you do not require POP3, set:protocols = imap lmtpBy default, the
imap,pop3, andlmtpprotocols are enabled.Open the ports in the local firewall. For example, to open the ports for the IMAPS, IMAP, POP3S, and POP3 protocols, enter:
# firewall-cmd --permanent --add-service=imaps --add-service=imap --add-service=pop3s --add-service=pop3 # firewall-cmd --reloadEnable and start the
dovecotservice:# systemctl enable --now dovecot
Verification
Use a mail client, such as Mozilla Thunderbird, to connect to Dovecot and read emails. The settings for the mail client depend on the protocol you want to use:
Expand 표 1.3. Connection settings to the Dovecot server Protocol Port Connection security Authentication method IMAP
143
STARTTLS
PLAIN[a]
IMAPS
993
SSL/TLS
PLAIN[a]
POP3
110
STARTTLS
PLAIN[a]
POP3S
995
SSL/TLS
PLAIN[a]
[a] The client transmits data encrypted through the TLS connection. Consequently, credentials are not disclosed.Note that this table does not list settings for unencrypted connections because, by default, Dovecot does not accept plain text authentication on connections without TLS.
Display configuration settings with non-default values:
# doveconf -n
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}