Dovecot
Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written primarily with security in mind. Dovecot primarily aims to be a lightweight, fast and easy to set up open source mailserver. For more detailed information, please see the official Dovecot Wiki.
This article describes how to set up Dovecot for personal or small office use.
Configuration
Assumptions
- Each mail account served by Dovecot has a local user account defined on the server.
- The server uses PAM to authenticate the user against the local user database (/etc/passwd).
- TLS is used to encrypt the authentication password.
- The common Maildir format is used to store the mail in the user's home directory.
- An MDA has already been set up to deliver mail to the local users.
Create the TLS certificate
ssl_min_protocol defaults to TLSv1. For more information see Server-side TLS.
To obtain a certificate, see OpenSSL#Usage.
Alternatively you can generate the certificate using a script that comes with the dovecot package:
- Copy the example configuration as the root user:
cp /usr/share/doc/dovecot/dovecot-openssl.cnf /etc/ssl/dovecot-openssl.cnf
- Edit to configure the certificate.
- Execute as the root user to generate the certificate.
The certificate/key pair is created as /etc/ssl/certs/dovecot.pem
and .
Run and then trust extract-compat as the root user whenever you have changed your certificate.
Dovecot configuration
- Create the dovecot configuration folder .
- Copy the and configuration files from to :
In some containers, pacman is configured by default not to extract the doc directories of packages. Please edit /etc/pacman.conf to prevent this.
The default configuration is ok for most systems, but make sure to read through the configuration files to see what options are available. See the quick configuration guide and dovecot configuration for more instructions.
By default dovecot will try to detect what mail storage system is in use on the system. To use the Maildir format edit to set .
Generate DH parameters
To generate a new DH parameters file (this will take a very long time):
# openssl dhparam -out /etc/dovecot/dh.pem 4096
Then add the file to /etc/dovecot/conf.d/10-ssl.conf:
ssl_dh = </etc/dovecot/dh.pem
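The check below is an added example, not part of the original article or of Dovecot itself: a shell function that reads Dovecot configuration text and reports whether TLS is mandatory, whether ssl_min_protocol is left at the TLSv1 default mentioned above, and whether ssl_dh points at a file. The function names, finding labels and sample configurations are constructed for illustration, and treating anything other than ssl = required as a finding is a policy choice of this example.

```sh
# Added example: flag weak TLS settings in Dovecot configuration text.
# Simplification: the last assignment of a key wins; nested blocks are ignored.

# conf_get KEY TEXT -> prints the value assigned to KEY (empty if unset)
conf_get() {
    printf '%s\n' "$2" | awk -v key="$1" '
        {
            line = $0
            sub(/[ \t]*#.*$/, "", line)          # drop comments
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1)
            v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }'
}

# audit_dovecot_tls TEXT -> prints space-separated findings (empty if none)
audit_dovecot_tls() {
    ssl=$(conf_get ssl "$1")
    min=$(conf_get ssl_min_protocol "$1")
    dh=$(conf_get ssl_dh "$1")
    findings=""
    # Policy of this example: TLS must be mandatory, not merely offered.
    [ "$ssl" = "required" ] || findings="${findings}ssl-not-required "
    # An unset ssl_min_protocol is treated as the TLSv1 default stated on this page.
    case "${min:-TLSv1}" in
        TLSv1.2|TLSv1.3) ;;
        *) findings="${findings}weak-min-protocol " ;;
    esac
    case "$dh" in
        "<"?*) ;;                                # "<path" means read from file
        *) findings="${findings}no-dh-file " ;;
    esac
    printf '%s' "${findings% }"
}

# Constructed sample inputs (not taken from a real server).
WEAK_CONF='ssl = yes
#ssl_min_protocol = TLSv1.2
ssl_cert = </etc/ssl/certs/dovecot.pem'

HARDENED_CONF='ssl = required
ssl_min_protocol = TLSv1.2
ssl_dh = </etc/dovecot/dh.pem'
printf 'weak: %s\nhardened: %s\n' "$(audit_dovecot_tls "$WEAK_CONF")" "$(audit_dovecot_tls "$HARDENED_CONF")"
```

To check a real file, pass its contents, for example audit_dovecot_tls "$(cat /etc/dovecot/conf.d/10-ssl.conf)".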
PAM Authentication
To enable PAM authentication with Dovecot follow this section and then either #PAM Authentication with LDAP or #PAM Authentication with SSSD.
Edit by removing the comment in front of the PAM authentication section , like this:
# PAM authentication. Preferred nowadays by most systems.
# PAM is typically used with either userdb passwd or userdb static.
# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
passdb {
  driver = pam
  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
  # [cache_key=<key>] [<service name>]
  args = session=yes dovecot
}
If you also want to log login failures add to args.
By using the module and by adding the part in the directive, if an LDAP user logs in for the first time the corresponding home directory will be automatically created.
PAM Authentication with LDAP
If you are using an OpenLDAP or server for authentication instead, make sure you can log in with your LDAP users first, as described in LDAP authentication. You can then write the following in remembering that the order of the entries is very important: In this way both LDAP and system users have their mailbox.
PAM Authentication with SSSD
If you are using SSSD for authentication, you can then write the following in remembering that the order of the entries is very important:
/etc/pam.d/dovecot
auth     sufficient pam_sss.so
auth     required   pam_unix.so nullok
account  sufficient pam_sss.so
account  required   pam_unix.so
session  required   pam_mkhomedir.so skel=/etc/skel umask=0022
session  sufficient pam_sss.so
In this way both LDAP and system users have their mailbox.
Sieve
Sieve is a programming language that can be used to create filters for email on a mail server.
Sieve Interpreter Plugin
This facilitates the actual Sieve filtering upon delivery.
- Install pigeonhole.
- Depending on your usage, add to in
- and/or
- Optionally, add configuration in section. See Sieve Interpreter Documentation for configuration options and default values.
Example: run
cp /usr/share/doc/dovecot/example-config/conf.d/90-sieve.conf /etc/dovecot/conf.d/90-sieve.conf
and verify in :
/etc/dovecot/conf.d/ will not be read without a line in /etc/dovecot/dovecot.conf like
!include /etc/dovecot/conf.d/*.conf
If you are following the Virtual user mail system guide, you may need to add this line.
Example: SpamAssassin - move spam to "Junk" folder
- Add spamtest configuration
Note: This tests for "X-Spam_score" (which is the spam header format in the default Exim configuration). Your header might look different, e.g. "X-Spam-Score".
- Create sieve script:
- To compile sieve, execute in shell and make sure the and the resulting files are world readable.
ManageSieve Server
This implements the ManageSieve protocol through which users can remotely manage Sieve scripts on the server.
- Follow the steps in #Sieve Interpreter Plugin above.
- Add to in
protocols = imap pop3 sieve
- Add minimal
- Restart . The managesieve daemon will listen on port 4190 by default.
Full Text Search
By default Dovecot does not index the full message content, which results in slow response times for queries on bigger mailboxes. There are a number of FTS backends that Dovecot can be hooked up to.
Dovecot needs a plugin for the chosen search backend. The plugin is included in dovecot but solr itself is not the easiest to set up. There are packages for Xapian () and Elasticsearch (dovecot-fts-elastic).
Starting the server
Tips and tricks
Generate hashes with non-default hash functions:
$ doveadm pw -s SHA512-CRYPT -p "password"
Ensure that the column in the database is large enough. A warning will be emitted if it is too small.
Remember to set the password scheme: