红帽全球峰会第 1 章 Configuring and maintaining a Dovecot IMAP and POP3 server
Dovecot is a high-performance mail delivery agent (MDA) with a focus on security. You can use IMAP or POP3-compatible email clients to connect to a Dovecot server and read or download emails.
Key features of Dovecot:
- The design and implementation focuses on security
- Two-way replication support for high availability to improve the performance in large environments
-
Supports the high-performance
dboxmailbox format, but alsomboxandMaildirfor compatibility reasons - Self-healing features, such as fixing broken index files
- Compliance with the IMAP standards
- Workaround support to bypass bugs in IMAP and POP3 clients
1.1. Setting up a Dovecot server with PAM authentication
Dovecot supports the Name Service Switch (NSS) interface as a user database and the Pluggable Authentication Modules (PAM) framework as an authentication backend. With this configuration, Dovecot can provide services to users who are available locally on the server through NSS.
Use PAM authentication if accounts:
-
Are defined locally in the
/etc/passwdfile - Are stored in a remote database but they are available locally through the System Security Services Daemon (SSSD) or other NSS plugins.
1.1.1. Installing Dovecot
The dovecot package provides:
-
The
dovecotservice and the utilities to maintain it - Services that Dovecot starts on demand, such as for authentication
- Plugins, such as server-side mail filtering
-
Configuration files in the
/etc/dovecot/directory -
Documentation in the
/usr/share/doc/dovecot/directory
Procedure
Install the
dovecotpackage:# dnf install dovecot注意If Dovecot is already installed and you require clean configuration files, rename or remove the
/etc/dovecot/directory. Afterwards, reinstall the package. Without removing the configuration files, thednf reinstall dovecotcommand does not reset the configuration files in/etc/dovecot/.
1.1.2. Configuring TLS encryption on a Dovecot server
Dovecot provides a secure default configuration. For example, TLS is enabled by default to transmit credentials and data encrypted over networks. To configure TLS on a Dovecot server, you only need to set the paths to the certificate and private key files. Additionally, you can increase the security of TLS connections by generating and by using Diffie-Hellman parameters to provide perfect forward secrecy (PFS).
Prerequisites
- Dovecot is installed.
The following files have been copied to the listed locations on the server:
-
The server certificate:
/etc/pki/dovecot/certs/server.example.com.crt -
The private key:
/etc/pki/dovecot/private/server.example.com.key -
The Certificate Authority (CA) certificate:
/etc/pki/dovecot/certs/ca.crt
-
The server certificate:
-
The hostname in the
Subject DNfield of the server certificate matches the server’s Fully-qualified Domain Name (FQDN). - If the FIPS mode is enabled, clients must either support the Extended Master Secret (EMS) extension or use TLS 1.3. TLS 1.2 connections without EMS fail. For more information, see the Red Hat Knowledgebase solution TLS extension "Extended Master Secret" enforced.
Procedure
Set secure permissions on the private key file:
# chown root:root /etc/pki/dovecot/private/server.example.com.key # chmod 600 /etc/pki/dovecot/private/server.example.com.keyGenerate a file with Diffie-Hellman parameters:
# openssl dhparam -out /etc/dovecot/dh.pem 4096Depending on the hardware and entropy on the server, generating Diffie-Hellman parameters with 4096 bits can take several minutes.
Set the paths to the certificate and private key files in the
/etc/dovecot/conf.d/10-ssl.conffile:Update the
ssl_certandssl_keyparameters, and set them to use the paths of the server’s certificate and private key:ssl_cert = </etc/pki/dovecot/certs/server.example.com.crt ssl_key = </etc/pki/dovecot/private/server.example.com.keyUncomment the
ssl_caparameter, and set it to use the path to the CA certificate:ssl_ca = </etc/pki/dovecot/certs/ca.crtUncomment the
ssl_dhparameter, and set it to use the path to the Diffie-Hellman parameters file:ssl_dh = </etc/dovecot/dh.pem
重要To ensure that Dovecot reads the value of a parameter from a file, the path must start with a leading
<character.
Next step
1.1.3. Preparing Dovecot to use virtual users
By default, Dovecot performs many actions on the file system as the user who uses the service. However, configuring the Dovecot back end to use one local user to perform these actions has several benefits:
- Dovecot performs file system actions as a specific local user instead of using the user’s ID (UID).
- Users do not need to be available locally on the server.
- You can store all mailboxes and user-specific files in one root directory.
- Users do not require a UID and group ID (GID), which reduces administration efforts.
- Users who have access to the file system on the server cannot compromise their mailboxes or indexes because they cannot access these files.
- Setting up replication is easier.
Prerequisites
- Dovecot is installed.
Procedure
Create the
vmailuser:# useradd --home-dir /var/mail/ --shell /usr/sbin/nologin vmailDovecot will later use this user to manage the mailboxes. For security reasons, do not use the
dovecotordovenullsystem users for this purpose.If you use a different path than
/var/mail/, set themail_spool_tSELinux context on it, for example:# semanage fcontext -a -t mail_spool_t "<path>(/.)?"* # restorecon -Rv <path>Grant write permissions on
/var/mail/only to thevmailuser:# chown vmail:vmail /var/mail/ # chmod 700 /var/mail/Uncomment the
mail_locationparameter in the/etc/dovecot/conf.d/10-mail.conffile, and set it to the mailbox format and location:mail_location = sdbox:/var/mail/%n/With this setting:
-
Dovecot uses the high-performant
dboxmailbox format insinglemode. In this mode, the service stores each mail in a separate file, similar to themaildirformat. -
Dovecot resolves the
%nvariable in the path to the username. This is required to ensure that each user has a separate directory for its mailbox.
-
Dovecot uses the high-performant
1.1.4. Using PAM as the Dovecot authentication backend
By default, Dovecot uses the Name Service Switch (NSS) interface as the user database and the Pluggable Authentication Modules (PAM) framework as the authentication backend.
Customize the settings to adapt Dovecot to your environment and to simplify administration by using the virtual users feature.
Prerequisites
- Dovecot is installed.
- The virtual users feature is configured.
Procedure
Update the
first_valid_uidparameter in the/etc/dovecot/conf.d/10-mail.conffile to define the lowest user ID (UID) that can authenticate to Dovecot:first_valid_uid = 1000By default, users with a UID greater than or equal to
1000can authenticate. If required, you can also set thelast_valid_uidparameter to define the highest UID that Dovecot allows to log in.In the
/etc/dovecot/conf.d/auth-system.conf.extfile, add theoverride_fieldsparameter to theuserdbsection as follows:userdb { driver = passwd override_fields = uid=vmail gid=vmail home=/var/mail/%n/ }Due to the fixed values, Dovecot does not query these settings from the
/etc/passwdfile. As a result, the home directory defined in/etc/passwddoes not need to exist.
Next step
1.1.5. Completing the Dovecot configuration
Once you have installed and configured Dovecot, open the required ports in the firewalld service, and enable and start the service. Afterwards, you can test the server.
Prerequisites
The following has been configured in Dovecot:
- TLS encryption
- An authentication backend
- Clients trust the Certificate Authority (CA) certificate.
Procedure
If you want to provide only an IMAP or POP3 service to users, uncomment the
protocolsparameter in the/etc/dovecot/dovecot.conffile, and set it to the required protocols. For example, if you do not require POP3, set:protocols = imap lmtpBy default, the
imap,pop3, andlmtpprotocols are enabled.Open the ports in the local firewall. For example, to open the ports for the IMAPS, IMAP, POP3S, and POP3 protocols, enter:
# firewall-cmd --permanent --add-service=imaps --add-service=imap --add-service=pop3s --add-service=pop3 # firewall-cmd --reloadEnable and start the
dovecotservice:# systemctl enable --now dovecot
Verification
Use a mail client, such as Mozilla Thunderbird, to connect to Dovecot and read emails. The settings for the mail client depend on the protocol you want to use:
Expand 表 1.1. Connection settings to the Dovecot server Protocol Port Connection security Authentication method IMAP
143
STARTTLS
PLAIN[a]
IMAPS
993
SSL/TLS
PLAIN[a]
POP3
110
STARTTLS
PLAIN[a]
POP3S
995
SSL/TLS
PLAIN[a]
[a] The client transmits data encrypted through the TLS connection. Consequently, credentials are not disclosed.Note that this table does not list settings for unencrypted connections because, by default, Dovecot does not accept plain text authentication on connections without TLS.
Display configuration settings with non-default values:
# doveconf -n
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}