Debian iTOps Tube

Tuesday, November 22, 2011

Configuring Your Dovecot POP / IMAP Mail Server


Each user on your Linux box will get mail sent to their account's mail folder, but sendmail only handles mail sent to your my-site.com domain. If you want to retrieve the mail from your Linux box's user account using a mail client such as Evolution, Microsoft Outlook or Outlook Express, then you have a few more steps: you'll also have to make your Linux box a POP mail server.


Linux comes with the easy to use dovecot IMAP/POP server package which requires very little configuration after installation.


Installing Dovecot

Most RedHat and Fedora Linux software product packages are available in the RPM format, whereas Debian and Ubuntu Linux use DEB format installation files. When searching for these packages remember that the filename usually starts with the software package name and is followed by a version number, as in dovecot-0.99.11-1.FC3.4.i386.rpm. (For help on downloading and installing the required packages, see Chapter 6, Installing Linux Software).


Starting Dovecot

The methodologies vary depending on the variant of Linux you are using as you'll see next.

Fedora / CentOS / RedHat

With these flavors of Linux you can use the chkconfig command to get dovecot configured to start at boot:


[root@bigboy tmp]# chkconfig dovecot on


To start, stop, and restart dovecot after booting use the service command:


[root@bigboy tmp]# service dovecot start
[root@bigboy tmp]# service dovecot stop
[root@bigboy tmp]# service dovecot restart

To determine whether dovecot is running you can issue either of these two commands. The first will give a status message. The second will return the process ID numbers of the dovecot daemons.


[root@bigboy tmp]# service dovecot status
[root@bigboy tmp]# pgrep dovecot

Note: Remember to run the chkconfig command at least once to ensure dovecot starts automatically on your next reboot.

Ubuntu / Debian

With these flavors of Linux the commands are different. Try installing the sysv-rc-conf and sysvinit-utils DEB packages as they provide commands that simplify the process. (For help on downloading and installing the packages, see Chapter 6, Installing Linux Software)

You can use the sysv-rc-conf command to get dovecot configured to start at boot:


user@ubuntu:~$ sudo sysv-rc-conf dovecot on


To start, stop, and restart dovecot after booting, the service command is the same:


user@ubuntu:~$ sudo service dovecot start
user@ubuntu:~$ sudo service dovecot stop
user@ubuntu:~$ sudo service dovecot restart

To determine whether dovecot is running you can issue either of these two commands. The first will give a status message. The second will return the process ID numbers of the dovecot daemons.


user@ubuntu:~$ sudo service dovecot status
user@ubuntu:~$ pgrep dovecot

Note: Remember to run the sysv-rc-conf command at least once to ensure dovecot starts automatically on your next reboot.


Dovecot Configuration Files

You can define most of Dovecot's configuration parameters in the dovecot.conf file which may be located in either the /etc or /etc/dovecot directory depending on your version of Linux.


Remember to restart Dovecot after you make any changes to your configuration files. This is the only way to activate the new settings.


Choice of Protocols

You can select one of two protocols in your Dovecot configuration: IMAP and POP3. With POP3 your mail is downloaded to your computer so that you can work with it offline. If you access and reply to POP3 mail from different computers it will be difficult to get a complete picture of some threads as the replies sent on one computer won't be visible on the other. With IMAP your mail always remains on your mail server which eliminates this problem. It also allows you to create folders for your email which makes it easy to organize your e-mail and access it from anywhere.


Each of these protocols operates on a different TCP port as shown in Table 21-1.


Protocol   TCP Port
POP3       110
POP3S      995
IMAP       143
IMAPS      993

This information will be required for your configuration file as you will soon see. You should also make sure your firewall rules allow traffic to access your server on these ports.


Version 1.x

In this version, Dovecot would by default act as a server for IMAP, secure encrypted IMAP (IMAPS), POP and secure encrypted POP (POPS). You could limit this list by editing the protocols line in the /etc/dovecot.conf file and then restarting dovecot for the change to take effect. In the example below dovecot is configured to serve only POP3.


Note: Unfortunately the POP3 and IMAP protocols send your username and password unencrypted which exposes your users to attacks. Dovecot expects you to use the more secure POP3S or IMAPS methods and therefore disables the use of plain text passwords by default. To enable the acceptance of plain text authentication the disable_plaintext_auth command needs to be set to "no", as the example also shows.



#
# File /etc/dovecot.conf sample
#

# Protocols we want to be serving imap imaps pop3 pop3s
#protocols = imap imaps pop3 pop3s
protocols = pop3
disable_plaintext_auth = no

You should always try to use secure POP3S or IMAPS for better peace of mind. More details on how to do this with newer versions of Dovecot will be covered next.


Version 2.x and Newer

In more recent versions, the syntax of the dovecot.conf statements used to define protocols has changed.

Both POP3 and IMAP settings are configured in a service section and you can define the IP addresses each should use and the TCP ports on which they should listen.

In this example, we have disabled IMAPS and POP3 by setting their inet_listener ports to zero. POP3S is working on address 192.168.1.100 while IMAP works on the localhost address 127.0.0.1. Both POP3S and IMAP listen on their respective TCP ports.


# Required for POPS / IMAPS to work with certificates
ssl = yes


service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    address = 192.168.1.100
  }
}

service imap-login {
  inet_listener imap {
    address = 127.0.0.1
    port = 143
  }
  inet_listener imaps {
    port = 0
  }
}

IMAPS and POP3S commonly rely on the use of SSL certificates for encryption. You make Dovecot aware that you intend to use this method with the ssl command. This is also shown in the example. It is an important step.


Note: Always remember to restart Dovecot in order for these settings to take effect.


Verifying Whether Dovecot is Listening

You can then use the netstat command to do a simple preliminary test to make sure dovecot is listening on the correct ports. In this example we see that IMAP is listening on localhost and POPS is listening on the NIC IP address of server bigboy. This is proof that our configuration works.


[root@bigboy tmp]# netstat -ta | egrep -i 'pop|imap' 
tcp        0      0 localhost:imap              *:*    LISTEN
tcp        0      0 bigboy:pop3s       *:*             LISTEN
[root@bigboy tmp]#

It is often insufficient to use this as your only test. Try using the telnet command from another location to verify that remote clients can contact your mail server on the correct ports. If they cannot, you may have a routing or firewall issue, or dovecot may not be running. In this example we are testing the POPS port, 995.


[root@bigboy tmp]# telnet mail.my-site.com 995
Trying 192.168.1.100...
Connected to mail.simiya.com.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
[root@bigboy tmp]#

Connection problems could also be the result of typical network issues outlined in Chapter 4, "Simple Network Troubleshooting". Review this chapter if you find yourself having problems related to basic connectivity.
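The netstat check above can be scripted so that it also confirms what must NOT be listening. This is an added example, not from the chapter: it reads "netstat -tan" style output, expects the layout of the version 2.x configuration (POP3S on port 995, IMAP on 127.0.0.1 only, plain POP3 and IMAPS disabled), and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the chapter: check the sockets Dovecot has open against
# the layout configured above (POP3S on the NIC, IMAP on loopback, plain POP3 and
# IMAPS disabled). Reads "netstat -tan" style output on stdin.

EXPECT_OPEN="995 143"     # pop3s and imap must be listening
EXPECT_CLOSED="110 993"   # pop3 and imaps were disabled with port = 0
LOOPBACK_ONLY="143"       # unencrypted IMAP may only bind 127.0.0.1

# listeners: print "port address" for every tcp/tcp6 socket in LISTEN state.
listeners() {
  awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
         n = split($4, a, ":"); port = a[n]
         print port, substr($4, 1, length($4) - length(port) - 1)
       }'
}

# listening_ports: the distinct port numbers only, numerically sorted.
listening_ports() { listeners | awk '{ print $1 }' | sort -un; }

# check_listeners: report each expectation; exit status 1 if any is violated.
check_listeners() {
  table=$(listeners)
  ports=" $(printf '%s\n' "$table" | awk '{ print $1 }' | tr '\n' ' ')"
  rc=0
  for p in $EXPECT_OPEN; do
    case "$ports" in
      *" $p "*) echo "ok: port $p is listening" ;;
      *)        echo "missing: port $p is not listening"; rc=1 ;;
    esac
  done
  for p in $EXPECT_CLOSED; do
    case "$ports" in
      *" $p "*) echo "warning: disabled port $p is still listening"; rc=1 ;;
      *)        echo "ok: port $p is closed" ;;
    esac
  done
  # Unencrypted IMAP carries passwords in the clear, so it must stay on loopback.
  bad=$(printf '%s\n' "$table" |
        awk -v p="$LOOPBACK_ONLY" '$1 == p && $2 != "127.0.0.1" { print $2 }')
  [ -z "$bad" ] || { echo "warning: port $LOOPBACK_ONLY is also bound to $bad"; rc=1; }
  return $rc
}

# Constructed sample in the format of "netstat -tan" on the example server.
SAMPLE='tcp        0      0 127.0.0.1:143           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.100:995       0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Run with --live to check the real system; otherwise check the sample above.
if [ "${1:-}" = "--live" ]; then netstat -tan | check_listeners
else printf '%s\n' "$SAMPLE" | check_listeners; fi
```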


Configuring SSL Certificates for POP3S and IMAPS

As mentioned previously, when configuring POP3S and IMAPS you need to let Dovecot know where your certificates are. By default the certificates are named dovecot.pem and references to them should be found in your dovecot.conf file or one of its daughter configuration files in the /etc/dovecot/conf.d directory. The configuration should look like this.


ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

You can verify these commands are listed in your Dovecot configuration file tree. This can be done with a simple recursive grep command which searches /etc/dovecot and its subdirectories for files with the string dovecot.pem in them. In this case the statements are found in the 10-ssl.conf file in the /etc/dovecot/conf.d directory.


[root@bigboy tmp]# grep -ir dovecot.pem /etc/dovecot/
/etc/dovecot/conf.d/10-ssl.conf:ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
/etc/dovecot/conf.d/10-ssl.conf:ssl_key = </etc/pki/dovecot/private/dovecot.pem
[root@bigboy tmp]#

After finding the references you should verify that the files exist. This can be done with the locate command. Here we see the file locations previously listed in the configuration file match files that actually reside in the filesystem.


[root@bigboy tmp]# locate dovecot.pem
/etc/pki/dovecot/certs/dovecot.pem
/etc/pki/dovecot/private/dovecot.pem
[root@bigboy tmp]#

What do you do if you don't have these files? Don't worry, you can easily create them and this will be covered next.

Creating SSL Certificates for POP3S and IMAPS

The mkcert.sh script will generate your Dovecot certificates for you using the data configured in the dovecot-openssl.cnf file. You can use the locate command to find both files.


[root@bigboy tmp]# locate mkcert.sh
/usr/libexec/dovecot/mkcert.sh
[root@bigboy tmp]# locate dovecot-openssl.cnf
/etc/pki/dovecot/dovecot-openssl.cnf
[root@bigboy tmp]#

Though the contents of the dovecot-openssl.cnf file will be sufficient to generate the SSL certificates, you may want to customize it to meet the needs of your organization as seen here.


# File: dovecot-openssl.cnf
#

[ req_dn ]
# country (2 letter code)
C=US

# State or Province Name (full name)
ST=California

# Locality Name (eg. city)
L=San Francisco

# Organization (eg. company)
O=My-Site Inc

# Organizational Unit Name (eg. section)
OU=My-Site IT Department

# Common Name (*.example.com is also possible)

# E-mail contact

The next step is to run the mkcert.sh script and make sure the keys are in the right location.


[root@bigboy tmp]# /usr/libexec/dovecot/mkcert.sh
Generating a 1024 bit RSA private key
...........++++++
......................++++++
writing new private key to '/etc/pki/dovecot/private/dovecot.pem'
-----

subject= /OU=My-Site IT Department/CN=mail.my-site.com/emailAddress=postmaster@my-site.com
SHA1 Fingerprint=A0:F9:95:1B:90:21:B9:B2:45:5B:CC:DF:20:2C:9E:25:74:69:F1:DD
[root@bigboy tmp]# 

Now that your certificates have been created you should be ready to start serving secure email to your users.


Dovecot uses its own certificates and the method described here shows you how to create your own. If you are part of an enterprise with its own domain, you should invest in getting your SSL certificates created by an official certificate authority like Verisign. All email clients recognize organizations like these and will operate using POPS and IMAPS without displaying an error message stating that the certificate comes from an untrusted source.


For additional security you can install a separate certificate on all the client computers and configure Dovecot to only interact with clients that present these known credentials. How to do this is beyond the scope of this book, but it should be investigated to reduce your security risk.
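Before restarting Dovecot with new certificate files it is worth confirming that the key really belongs to the certificate and is not world-readable. The check below is an added example, not from the chapter or from Dovecot: the function name check_dovecot_cert is my own, it needs the openssl command, and the default paths are the ones shown in 10-ssl.conf above.

```shell
#!/bin/sh
# Added example, not from the chapter: sanity-check the certificate and key that
# ssl_cert and ssl_key point at before restarting Dovecot. The default paths are
# the ones shown in 10-ssl.conf above; the openssl command must be installed.

# check_dovecot_cert [CERT] [KEY]: exit 0 only if every check passes.
check_dovecot_cert() {
  cert=${1:-/etc/pki/dovecot/certs/dovecot.pem}
  key=${2:-/etc/pki/dovecot/private/dovecot.pem}
  rc=0
  [ -r "$cert" ] || { echo "error: certificate $cert missing or unreadable"; return 1; }
  [ -r "$key" ]  || { echo "error: private key $key missing or unreadable"; return 1; }

  # The private key must not be world-readable (find prints it if others may read).
  if [ -n "$(find "$key" -perm -004)" ]; then
    echo "error: $key is world-readable; run chmod 600 $key"; rc=1
  fi

  # The key must belong to the certificate: compare the public keys they carry.
  cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
  key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "error: $key does not match $cert"; rc=1
  fi

  # Warn when the certificate expires within 30 days (2592000 seconds).
  if ! openssl x509 -noout -checkend 2592000 -in "$cert" >/dev/null 2>&1; then
    echo "warning: $cert expires within 30 days or is already expired"; rc=1
  fi

  # Show what clients will see; the fingerprint is what a mail client displays
  # when it asks whether to accept a self-signed certificate.
  openssl x509 -noout -subject -enddate -fingerprint -sha256 -in "$cert"
  return $rc
}

# Run with --live to check the files mkcert.sh wrote on this server.
if [ "${1:-}" = "--live" ]; then check_dovecot_cert; fi
```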


Dovecot Mailboxes

Though sendmail sends your email to a local user account, Linux may store the content of the mail in one of many formats. Two common methods are mbox and maildir.


Dovecot uses the mail_location directive to define the type of mail format and the location of its files. This directive may be found in either your dovecot.conf file or one of its daughter configuration files in the /etc/dovecot/conf.d directory. It may also be commented out.


Verify that these directives are listed in your Dovecot configuration file tree. This can be done with a simple recursive grep command which searches /etc/dovecot and its subdirectories for files with the string mail_location in them. In this case the statements are found in the 10-mail.conf file in the /etc/dovecot/conf.d directory.


[root@bigboy tmp]# grep -ir mail_location /etc/dovecot
/etc/dovecot/conf.d/10-mail.conf:#   mail_location = maildir:~/Maildir
/etc/dovecot/conf.d/10-mail.conf:#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
/etc/dovecot/conf.d/10-mail.conf:#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
/etc/dovecot/conf.d/10-mail.conf:#mail_location = 
/etc/dovecot/conf.d/10-mail.conf:#mail_location = mbox:~/mail:INBOX=/var/mail/%u
[root@bigboy tmp]#

If you look closely, you will notice that the references are all commented out. The following sections will show you how to determine which method to use. If you select the incorrect method, then you won't be able to download your mail, because Dovecot will be looking for it in the wrong location!

Configuring Dovecot for mbox

Mbox mail is stored in the directory /var/mail. Each user is assigned a single file that contains all their mail, and the filename is the same as the Linux username. If there are files in /var/mail, as seen below, you are most likely using the mbox method.


[root@bigboy tmp]# ls /var/mail/
user1 user2 user3 user4 user5 user6 user7 user8 user9 
[root@bigboy tmp]#

The configuration for mbox requires the addition of this line to your dovecot.conf file, or as in our case, uncommenting a similar line from the 10-mail.conf file. Either method will work.


mail_location = mbox:~/mail:INBOX=/var/mail/%u


Note: Remember to restart Dovecot for this setting to be activated.

Now it is time to take a look at the maildir method.

Configuring Dovecot for maildir

Maildir mails are almost always stored in a ~/Maildir/ directory in the users' home directory. Unlike the mbox method, with maildir each mail is stored in a separate file.

To configure Dovecot for your maildir mail, use this directive:


mail_location = maildir:~/Maildir


Note: Remember to restart Dovecot for this setting to be activated.

You are done! That was easy.

Different distributions of Linux use differing methods of storing email. If neither mbox nor maildir seems to be the method your system is using then check the Dovecot website at dovecot.org for further details.
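The two checks above (look in /var/mail, look for ~/Maildir) and the warning that every mail_location line in 10-mail.conf is commented out can be put into a small script. It is an added example, not from the chapter: the function names detect_mail_location and active_mail_location are mine, and the directory tree it demonstrates on is constructed under a temporary directory.

```shell
#!/bin/sh
# Added example, not from the chapter: choose the mail_location value for a user
# from what is on disk, and confirm that 10-mail.conf (or dovecot.conf) has
# exactly one active, uncommented mail_location line.

# detect_mail_location USER HOME [SPOOLDIR]: print the directive to use.
# Exit 1 if neither a Maildir nor an mbox spool file exists for the user.
detect_mail_location() {
  user=$1; home=$2; spool=${3:-/var/mail}
  if [ -d "$home/Maildir/cur" ] && [ -d "$home/Maildir/new" ]; then
    echo "mail_location = maildir:~/Maildir"
  elif [ -f "$spool/$user" ]; then
    echo "mail_location = mbox:~/mail:INBOX=$spool/%u"
  else
    echo "no Maildir under $home and no $spool/$user: has any mail been delivered?" >&2
    return 1
  fi
}

# active_mail_location CONFFILE: print the uncommented mail_location line(s).
# Exit 1 unless exactly one is active; only commented lines (as in the grep
# output above) leave Dovecot guessing and cause the autodetection error.
active_mail_location() {
  active=$(grep -E '^[[:space:]]*mail_location[[:space:]]*=' "$1")
  [ -n "$active" ] && echo "$active"
  [ "$(printf '%s\n' "$active" | grep -c .)" -eq 1 ]
}

# Constructed demonstration: one Maildir user and one mbox user in a temp tree.
demo() {
  t=$(mktemp -d)
  mkdir -p "$t/home/alice/Maildir/cur" "$t/home/alice/Maildir/new" \
           "$t/home/alice/Maildir/tmp" "$t/home/bob" "$t/mail"
  : > "$t/mail/bob"                       # bob's mbox spool file
  detect_mail_location alice "$t/home/alice" "$t/mail"
  detect_mail_location bob   "$t/home/bob"   "$t/mail"
  printf '#mail_location = maildir:~/Maildir\nmail_location = mbox:~/mail:INBOX=/var/mail/%%u\n' \
    > "$t/10-mail.conf"
  active_mail_location "$t/10-mail.conf"
  rm -rf "$t"
}
demo
```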


Configuring Your Mail Clients

By default your POP / IMAP e-mail accounts will be the regular Linux user accounts in which sendmail has deposited mail. You can now configure your e-mail client to use your new mail server quite easily. For example, to configure POPS mail, set your POPS mail server in the client program to be the IP address of your Linux mail server. Use your Linux username and password when prompted.


If you are using a self-signed SSL certificate, your mail client will give a warning and ask whether the certificate should be accepted. You will have to say "yes".

Next, set your SMTP mail server to be the IP address/domain name of your Linux mail server.


How to Handle Overlapping Email Addresses

If you have user overlap, such as John Smith (john@my-site.com) and John Brown (john@another-site.com), both users will get sent to the Linux user account john by default. You have two options for a solution:


  • Make the user part of the email address different, john1@my-site.com and john2@another-site.com for example, and create Linux accounts john1 and john2. If the users insist on overlapping names, then you may need to modify your virtusertable file.

  • Create the user accounts john1 and john2 and point virtusertable entries for john@my-site.com to account john1 and point john@another-site.com entries to account john2. The POP configuration in Outlook Express for each user should retrieve their mail via POP using john1 and john2, respectively.

With this trick you'll be able to handle many users belonging to multiple domains without many address overlap problems.


Troubleshooting Dovecot Mail

The very first troubleshooting step is to determine whether your server is accessible on the correct TCP ports. For example, with POP use TCP port 110, or for POPS use port 995. Lack of connectivity could be caused by a firewall with incorrect permit, NAT, or port forwarding rules to your server. Test this from both inside your network and from the Internet. (Troubleshooting TCP with TELNET is covered in Chapter 4, "Simple Network Troubleshooting".)


Always Start with Logging

Whenever you are in doubt turn on Dovecot's debugging features to reveal more about what is happening. In more recent versions of Dovecot, the logging sections in dovecot.conf have been moved to a logging configuration file in the /etc/dovecot/conf.d directory. In this example the file is named 10-logging.conf.


[root@bigboy tmp]# ls /etc/dovecot/conf.d/*log*
/etc/dovecot/conf.d/10-logging.conf
[root@bigboy tmp]#

The file has many sections that allow you to turn on very verbose debugging level messages for authentication, SSL, and general messaging. It is an invaluable source of troubleshooting information. Dovecot logs to the /var/log/maillog file. For details on setting up Linux logging refer to Chapter 5, "Troubleshooting with syslog." Here are some good examples:

  • In this case the Maildir mail_location method was incorrectly chosen and the expected mail files were not found.

Dec  5 20:49:47 bigboy dovecot: pop3(mail-user1): Debug: maildir: access(/home/users/mail-user1/Maildir, rwx): failed: No such file or directory
Dec  5 20:49:47 bigboy dovecot: pop3(mail-user1): Debug: maildir: couldn't find root dir

  • In this case Dovecot's autodetection method failed to determine the correct mail_location. The directive had to be manually added.

Dec  5 09:10:26 bigboy dovecot: pop3(mail-user2): Error: user lhn-mail: Initialization failed: mail_location not set and autodetection failed: Mail storage autodetection failed with home=/home/users/mail-user2

Whenever there is any doubt, look for the error message in the log file, try to understand what it means and what could be done to fix the problem. Remember, finding help for your problem on the Internet will be much easier if you search for key parts of your log message.
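The log messages above can be sorted into categories automatically so that the remedy is shown next to the count. This is an added example, not from the chapter: the log sample is constructed (the first three lines follow the chapter's own examples; the "disallowed plaintext auth" and "auth failed" lines use the wording of Dovecot 2.x login processes, which the chapter does not show), and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the chapter: classify Dovecot lines from
# /var/log/maillog into the failure types discussed above and attach the fix
# for each. Log lines are constructed; the login-process messages are Dovecot
# 2.x wording not shown in the chapter.

# triage_dovecot_log: read a maillog on stdin, print "category count" lines,
# plus "repeated_auth_failures IP count" for any source with 3 or more failures.
triage_dovecot_log() {
  awk '
    !/dovecot:/ { next }
    /mail_location not set and autodetection failed/ { c["mail_location_unset"]++; next }
    /maildir: (access\(.*No such file|couldn.t find root dir)/ { c["maildir_missing"]++; next }
    /tried to use disallowed plaintext auth/ { c["plaintext_auth_refused"]++; next }
    /Disconnected \(auth failed/ {
      c["auth_failed"]++
      if (match($0, /rip=[0-9a-fA-F.:]+/)) ip[substr($0, RSTART + 4, RLENGTH - 4)]++
      next
    }
    END {
      for (k in c) print k, c[k]
      for (i in ip) if (ip[i] >= 3) print "repeated_auth_failures", i, ip[i]
    }'
}

# hint_for CATEGORY: the remedy that goes with each category above.
hint_for() {
  case $1 in
    mail_location_unset)    echo "set mail_location in 10-mail.conf; autodetection found no mbox or Maildir" ;;
    maildir_missing)        echo "mail_location says maildir but ~/Maildir is absent; use the mbox form if /var/mail/<user> exists" ;;
    plaintext_auth_refused) echo "client tried plain POP3/IMAP; point it at the POP3S/IMAPS port and keep disable_plaintext_auth = yes" ;;
    auth_failed)            echo "wrong Linux username or password; many failures from one address suggest password guessing" ;;
    repeated_auth_failures) echo "block or rate-limit this source at the firewall and check that account's password" ;;
    *)                      echo "no hint for $1" ;;
  esac
}

# Constructed sample log (host and user names follow the chapter's examples).
LOG=$(cat <<'EOF'
Dec  5 20:49:47 bigboy dovecot: pop3(mail-user1): Debug: maildir: access(/home/users/mail-user1/Maildir, rwx): failed: No such file or directory
Dec  5 20:49:47 bigboy dovecot: pop3(mail-user1): Debug: maildir: couldn't find root dir
Dec  5 09:10:26 bigboy dovecot: pop3(mail-user2): Error: user mail-user2: Initialization failed: mail_location not set and autodetection failed: Mail storage autodetection failed with home=/home/users/mail-user2
Dec  5 09:12:01 bigboy dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=10.0.0.7, lip=192.168.1.100
Dec  5 09:13:40 bigboy dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<john>, method=PLAIN, rip=203.0.113.9, lip=192.168.1.100, TLS
Dec  5 09:13:44 bigboy dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<john>, method=PLAIN, rip=203.0.113.9, lip=192.168.1.100, TLS
Dec  5 09:13:49 bigboy dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.9, lip=192.168.1.100, TLS
EOF
)

# Report each category with its count and remedy; on a real server pipe in the maillog.
printf '%s\n' "$LOG" | triage_dovecot_log | while read -r category rest; do
  echo "$category $rest: $(hint_for "$category")"
done
```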
