1.2. Setting up a Dovecot server with LDAP authentication
If your infrastructure uses an LDAP server to store accounts, you can authenticate Dovecot users against it. In this case, you manage accounts centrally in the directory, and users do not require local access to the file system on the Dovecot server.
Centrally-managed accounts are also a benefit if you plan to set up multiple Dovecot servers with replication to make your mailboxes highly available.
1.2.1. Installing Dovecot
The dovecot package provides:
- The dovecot service and the utilities to maintain it
- Services that Dovecot starts on demand, such as for authentication
- Plugins, such as server-side mail filtering
- Configuration files in the /etc/dovecot/ directory
- Documentation in the /usr/share/doc/dovecot/ directory
Procedure
1. Install the dovecot package:
   # dnf install dovecot
   Note: If Dovecot is already installed and you require clean configuration files, rename or remove the /etc/dovecot/ directory. Afterwards, reinstall the package. Without removing the configuration files, the dnf reinstall dovecot command does not reset the configuration files in /etc/dovecot/.
1.2.2. Configuring TLS encryption on a Dovecot server
Dovecot provides a secure default configuration. For example, TLS is enabled by default to transmit credentials and data encrypted over networks. To configure TLS on a Dovecot server, you only need to set the paths to the certificate and private key files. Additionally, you can increase the security of TLS connections by generating and using Diffie-Hellman parameters to provide perfect forward secrecy (PFS).
Prerequisites
- Dovecot is installed.
- The following files have been copied to the listed locations on the server:
  - The server certificate: /etc/pki/dovecot/certs/server.example.com.crt
  - The private key: /etc/pki/dovecot/private/server.example.com.key
  - The Certificate Authority (CA) certificate: /etc/pki/dovecot/certs/ca.crt
- The hostname in the Subject DN field of the server certificate matches the server’s Fully-qualified Domain Name (FQDN).
- If the FIPS mode is enabled, clients must either support the Extended Master Secret (EMS) extension or use TLS 1.3. TLS 1.2 connections without EMS fail. For more information, see the Red Hat Knowledgebase solution TLS extension "Extended Master Secret" enforced.
Procedure
1. Set secure permissions on the private key file:
   # chown root:root /etc/pki/dovecot/private/server.example.com.key
   # chmod 600 /etc/pki/dovecot/private/server.example.com.key
2. Generate a file with Diffie-Hellman parameters:
   # openssl dhparam -out /etc/dovecot/dh.pem 4096
   Depending on the hardware and entropy on the server, generating Diffie-Hellman parameters with 4096 bits can take several minutes.
3. Set the paths to the certificate and private key files in the /etc/dovecot/conf.d/10-ssl.conf file:
   a. Update the ssl_cert and ssl_key parameters, and set them to use the paths of the server’s certificate and private key:
      ssl_cert = </etc/pki/dovecot/certs/server.example.com.crt
      ssl_key = </etc/pki/dovecot/private/server.example.com.key
   b. Uncomment the ssl_ca parameter, and set it to use the path to the CA certificate:
      ssl_ca = </etc/pki/dovecot/certs/ca.crt
   c. Uncomment the ssl_dh parameter, and set it to use the path to the Diffie-Hellman parameters file:
      ssl_dh = </etc/dovecot/dh.pem
   Important: To ensure that Dovecot reads the value of a parameter from a file, the path must start with a leading < character.
1.2.3. Preparing Dovecot to use virtual users
By default, Dovecot performs many actions on the file system as the user who uses the service. However, configuring the Dovecot back end to use one local user to perform these actions has several benefits:
- Dovecot performs file system actions as a specific local user instead of using the user’s ID (UID).
- Users do not need to be available locally on the server.
- You can store all mailboxes and user-specific files in one root directory.
- Users do not require a UID and group ID (GID), which reduces administration efforts.
- Users who have access to the file system on the server cannot compromise their mailboxes or indexes because they cannot access these files.
- Setting up replication is easier.
Prerequisites
- Dovecot is installed.
Procedure
1. Create the vmail user:
   # useradd --home-dir /var/mail/ --shell /usr/sbin/nologin vmail
   Dovecot will later use this user to manage the mailboxes. For security reasons, do not use the dovecot or dovenull system users for this purpose.
2. If you use a different path than /var/mail/, set the mail_spool_t SELinux context on it, for example:
   # semanage fcontext -a -t mail_spool_t "<path>(/.*)?"
   # restorecon -Rv <path>
3. Grant write permissions on /var/mail/ only to the vmail user:
   # chown vmail:vmail /var/mail/
   # chmod 700 /var/mail/
4. Uncomment the mail_location parameter in the /etc/dovecot/conf.d/10-mail.conf file, and set it to the mailbox format and location:
   mail_location = sdbox:/var/mail/%n/
   With this setting:
   - Dovecot uses the high-performant dbox mailbox format in single mode. In this mode, the service stores each mail in a separate file, similar to the maildir format.
   - Dovecot resolves the %n variable in the path to the username. This is required to ensure that each user has a separate directory for its mailbox.
1.2.4. Using LDAP as the Dovecot authentication backend
Users in an LDAP directory can usually authenticate themselves to the directory service. Dovecot can use this to authenticate users when they log in to the IMAP and POP3 services. This authentication method has several benefits, such as:
- Administrators can manage users centrally in the directory.
- The LDAP accounts do not require any special attributes. They only need to be able to authenticate to the LDAP server. Consequently, this method is independent from the password storage scheme used on the LDAP server.
- Users do not need to be available locally on the server through the Name Service Switch (NSS) interface and the Pluggable Authentication Modules (PAM) framework.
Prerequisites
- Dovecot is installed.
- The virtual users feature is configured.
- Connections to the LDAP server support TLS encryption.
- RHEL on the Dovecot server trusts the Certificate Authority (CA) certificate of the LDAP server.
- If users are stored in different trees in the LDAP directory, a dedicated LDAP account for Dovecot exists to search the directory. This account requires permissions to search for Distinguished Names (DNs) of other users.
- If the FIPS mode is enabled, this Dovecot server supports the Extended Master Secret (EMS) extension or uses TLS 1.3. TLS 1.2 connections without EMS fail. For more information, see the Red Hat Knowledgebase solution TLS extension "Extended Master Secret" enforced.
Procedure
1. Configure the authentication backends in the /etc/dovecot/conf.d/10-auth.conf file:
   a. Comment out the include statements for the auth-*.conf.ext authentication backend configuration files that you do not require, for example:
      #!include auth-system.conf.ext
   b. Enable LDAP authentication by uncommenting the following line:
      !include auth-ldap.conf.ext
2. Edit the /etc/dovecot/conf.d/auth-ldap.conf.ext file, and add the override_fields parameter as follows to the userdb section:
      userdb {
        driver = ldap
        args = /etc/dovecot/dovecot-ldap.conf.ext
        override_fields = uid=vmail gid=vmail home=/var/mail/%n/
      }
   Due to the fixed values, Dovecot does not query these settings from the LDAP server. Consequently, these attributes also do not have to be present.
3. Create the /etc/dovecot/dovecot-ldap.conf.ext file with the following settings:
   a. Depending on the LDAP structure, configure one of the following:
      - If users are stored in different trees in the LDAP directory, configure dynamic DN lookups:
        dn = cn=dovecot_LDAP,dc=example,dc=com
        dnpass = <password>
        pass_filter = (&(objectClass=posixAccount)(uid=%n))
        Dovecot uses the specified DN, password, and filter to search the DN of the authenticating user in the directory. In this search, Dovecot replaces %n in the filter with the username. Note that the LDAP search must return only one result.
      - If all users are stored under a specific entry, configure a DN template:
        auth_bind_userdn = cn=%n,ou=People,dc=example,dc=com
   b. Enable authentication binds to the LDAP server to verify Dovecot users:
      auth_bind = yes
   c. Set the URL to the LDAP server:
      uris = ldaps://LDAP-srv.example.com
      For security reasons, only use encrypted connections by using LDAPS or the STARTTLS command over the LDAP protocol. For the latter, additionally add tls = yes to the settings.
      For a working certificate validation, the hostname of the LDAP server must match the hostname used in its TLS certificate.
   d. Enable the verification of the LDAP server’s TLS certificate:
      tls_require_cert = hard
   e. Set the base DN to the DN from which to start searching for users:
      base = ou=People,dc=example,dc=com
   f. Set the search scope:
      scope = onelevel
      With the onelevel scope, Dovecot searches only in the specified base DN; with the subtree scope, it also searches in subtrees.
4. Set secure permissions on the /etc/dovecot/dovecot-ldap.conf.ext file:
   # chown root:root /etc/dovecot/dovecot-ldap.conf.ext
   # chmod 600 /etc/dovecot/dovecot-ldap.conf.ext
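As an added check that is not part of the Red Hat procedure, the following Python script lints the settings from the 10-ssl.conf step in the TLS section and from the dovecot-ldap.conf.ext settings in this procedure: it flags file-backed ssl_* values that lack the leading < character, LDAP connections that are neither LDAPS nor STARTTLS, a missing tls_require_cert = hard or auth_bind = yes, and it checks the root-owned 0600 permissions required on the key and LDAP configuration files. The setting names are the ones used on this page; the helper names and finding messages are my own.

```python
"""Lint Dovecot TLS and LDAP settings for the hardening points in this procedure (added example)."""
import os
import re

SETTING_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")
SSL_FILE_SETTINGS = ("ssl_cert", "ssl_key", "ssl_ca", "ssl_dh")

def parse_settings(text):
    """Parse 'key = value' lines; comment and '!include' lines are skipped, 'userdb {' style lines ignored."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):
            continue
        match = SETTING_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings

def check_ssl(settings):
    """10-ssl.conf: a file-backed value must start with '<', otherwise Dovecot uses the literal string."""
    findings = []
    for name in SSL_FILE_SETTINGS:
        value = settings.get(name)
        if value is None:
            findings.append(f"{name} is not set")
        elif not value.startswith("<"):
            findings.append(f"{name} must start with '<' so the value is read from the file")
    return findings

def check_private_file(path):
    """The private key and dovecot-ldap.conf.ext must be root-owned with mode 0600 (chown/chmod steps)."""
    st = os.stat(path)
    return {"owner_root": st.st_uid == 0, "mode_0600": (st.st_mode & 0o777) == 0o600}

def check_ldap(settings):
    """dovecot-ldap.conf.ext: encrypted, certificate-verified connection and bind-based password checks."""
    findings = []
    if settings.get("auth_bind") != "yes":
        findings.append("auth_bind must be yes so the password is verified by binding as the user")
    if not settings.get("uris", "").startswith("ldaps://") and settings.get("tls") != "yes":
        findings.append("use ldaps:// in uris or set tls = yes; plain ldap:// sends credentials in clear text")
    if settings.get("tls_require_cert") != "hard":
        findings.append("tls_require_cert must be hard so the LDAP server certificate is verified")
    if "auth_bind_userdn" not in settings and "%n" not in settings.get("pass_filter", ""):
        findings.append("set auth_bind_userdn (DN template) or a pass_filter containing %n (dynamic DN lookup)")
    return findings
```

Run check_ssl(parse_settings(open("/etc/dovecot/conf.d/10-ssl.conf").read())) and check_ldap(parse_settings(open("/etc/dovecot/dovecot-ldap.conf.ext").read())) as root; an empty list means the settings match this procedure.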
1.2.5. Completing the Dovecot configuration
Once you have installed and configured Dovecot, open the required ports in the firewalld service, and enable and start the service. Afterwards, you can test the server.
Prerequisites
- The following has been configured in Dovecot:
  - TLS encryption
  - An authentication backend
- Clients trust the Certificate Authority (CA) certificate.
Procedure
1. If you want to provide only an IMAP or POP3 service to users, uncomment the protocols parameter in the /etc/dovecot/dovecot.conf file, and set it to the required protocols. For example, if you do not require POP3, set:
   protocols = imap lmtp
   By default, the imap, pop3, and lmtp protocols are enabled.
2. Open the ports in the local firewall. For example, to open the ports for the IMAPS, IMAP, POP3S, and POP3 protocols, enter:
   # firewall-cmd --permanent --add-service=imaps --add-service=imap --add-service=pop3s --add-service=pop3
   # firewall-cmd --reload
3. Enable and start the dovecot service:
   # systemctl enable --now dovecot
Verification
1. Use a mail client, such as Mozilla Thunderbird, to connect to Dovecot and read emails. The settings for the mail client depend on the protocol you want to use:

   Table 1.2. Connection settings to the Dovecot server

   Protocol  Port  Connection security  Authentication method
   IMAP      143   STARTTLS             PLAIN[a]
   IMAPS     993   SSL/TLS              PLAIN[a]
   POP3      110   STARTTLS             PLAIN[a]
   POP3S     995   SSL/TLS              PLAIN[a]

   [a] The client transmits data encrypted through the TLS connection. Consequently, credentials are not disclosed.

   Note that this table does not list settings for unencrypted connections because, by default, Dovecot does not accept plain text authentication on connections without TLS.
2. Display configuration settings with non-default values:
   # doveconf -n
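To verify the statement in the note above, that Dovecot refuses plain-text authentication until the connection is encrypted, here is an added Python probe for the IMAP STARTTLS port from the table; it is not part of the original page. It captures the server's capability list before and after STARTTLS, verifying the certificate against an assumed CA file, and reports if AUTH=PLAIN is offered before TLS, if LOGINDISABLED is missing before TLS, or if AUTH=PLAIN is missing after TLS; the capability names are the standard IMAP ones, and assess_capabilities and probe are my own helpers.

```python
"""Probe an IMAP server on port 143 and confirm plain-text auth is refused before TLS (added example)."""
import imaplib
import ssl

def assess_capabilities(before_tls, after_tls):
    """Evaluate capability lists captured before and after STARTTLS; returns a list of findings."""
    before = {c.upper() for c in before_tls}
    after = {c.upper() for c in after_tls}
    findings = []
    if "STARTTLS" not in before:
        findings.append("STARTTLS is not advertised on the clear-text port; clients cannot upgrade to TLS")
    if "LOGINDISABLED" not in before or "AUTH=PLAIN" in before:
        findings.append("plain-text authentication is offered before TLS; credentials could be disclosed")
    if "AUTH=PLAIN" not in after:
        findings.append("AUTH=PLAIN is not offered after TLS; the PLAIN method from the table will not work")
    return findings

def probe(host, cafile, port=143):
    """Connect in clear text, upgrade with a verifying TLS context, and return both capability tuples."""
    context = ssl.create_default_context(cafile=cafile)  # chain and hostname are verified against the CA
    conn = imaplib.IMAP4(host, port)
    before = conn.capabilities
    conn.starttls(context)  # imaplib re-reads CAPABILITY after the TLS handshake
    after = conn.capabilities
    conn.logout()
    return before, after

if __name__ == "__main__":
    import sys
    # Assumed arguments: the Dovecot host name and the CA certificate from the TLS section of this page.
    host = sys.argv[1] if len(sys.argv) > 1 else "server.example.com"
    ca = sys.argv[2] if len(sys.argv) > 2 else "/etc/pki/dovecot/certs/ca.crt"
    for line in assess_capabilities(*probe(host, ca)) or ["OK: no plain-text authentication before TLS"]:
        print(line)
```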