[Ref: OpenBSD 5.0, Dovecot 2.0.14, Installing Dovecot 2 on CentOS]
Client access, retrieving your e-mail from the mail server, is generally through programs that support one of the standard mail-retrieval protocols (POP3, POP3S, IMAP or IMAPS). In this guide we look at a basic configuration of Dovecot as an IMAP, POP3 and SASL server.
OpenBSD comes with some mail tools in the default install, and depending on your needs you may prefer those, or other tools from the ports tree. This guide is intended to be used alongside our Postfix guide.
Install Dovecot from packages; if you need a build option that is not in the standard package, use the ports system instead. SQL support is packaged as the "mysql" flavor, but none of the instructions below need it, so they use the base package.
# pkg_add dovecot
dovecot-2.0.14:bzip2-1.0.6: ok
dovecot-2.0.14: ok
The following new rcscripts were installed: /etc/rc.d/dovecot
See rc.d(8) for details.
--- +dovecot-2.0.14 -------------------
Files to facilitate the generation of a self-signed certificate and key for
Dovecot have been installed:
    /etc/ssl/dovecot-openssl.cnf (Edit this accordingly!)
    /usr/local/sbin/dovecot-mkcert.sh
If this has been or will be accomplished by other means, use the following
paths for the files:
    /etc/ssl/dovecotcert.pem
    /etc/ssl/private/dovecot.pem
Before we start Dovecot we need to take care of some resource requirements, in particular raising the number of file descriptors the program may open. We configure this by creating a login class 'dovecot' in login.conf.
File Fragment: /etc/login.conf
dovecot:\
	:ignorenologin:\
	:openfiles-cur=1024:\
	:openfiles-max=2048:\
	:tc=default:
Rebuild the compiled login.conf database with cap_mkdb so the new class takes effect (the test only runs it if a compiled database already exists):
[ -f /etc/login.conf.db ] && /usr/bin/cap_mkdb /etc/login.conf
Configure the _dovecot user account (in /etc/passwd) to use the login class we've just created, replacing the standard 'daemon' class, either with vipw or with the following command:
$ sudo /usr/sbin/usermod -L dovecot _dovecot
File Fragment: /var/db/pkg/dovecot-2.0.14/+DISPLAY
The following new rcscripts were installed: /etc/rc.d/dovecot See rc.d(8) for details.
To ensure Dovecot is started at system boot, add that script to the package script list:
File Fragment: /etc/rc.conf.local
pkg_scripts="dovecot"
Dovecot is now set to start at each system boot, but it is not yet configured to do anything useful.
The dovecot ports/package provides a simplified approach for generating the SSL certificates. The configuration file is at /etc/ssl/dovecot-openssl.cnf, while the configuration tool is /usr/local/sbin/dovecot-mkcert.sh.
Files to facilitate the generation of a self-signed certificate and key for
Dovecot have been installed:
    /etc/ssl/dovecot-openssl.cnf (Edit this accordingly!)
    /usr/local/sbin/dovecot-mkcert.sh
File Fragment: /etc/ssl/dovecot-openssl.cnf
[ req_dn ]
# country (2 letter code)
#C=FI

# State or Province Name (full name)
#ST=

# Locality Name (eg. city)
#L=Helsinki

# Organization (eg. company)
#O=Dovecot

# Organizational Unit Name (eg. section)
#OU=Imap Server

# Common Name (*.example.com is also possible)
#CN=imap.example.com

# E-mail contact
#emailAddress=postmaster@example.com
The subject fields above are all optional for a test, but set CN to the host name your clients will actually connect to, since that is the name they will check the certificate against; the other fields can be filled in later.
If you've never used certificates before, or are just following these instructions on a test server, work with the sample configuration above. Before deploying, read the man pages and review your certificate files; the full OpenSSL configuration example on OpenBSD is /etc/ssl/openssl.cnf.
The dovecot install supplies the shell script
/usr/local/sbin/dovecot-mkcert.sh
to generate your SSL certificates using the source information provided in the above configuration file. Just run the script to generate your certificates
# /usr/local/sbin/dovecot-mkcert.sh
The first part of the script generates the private key and self-signed certificate using /etc/ssl/dovecot-openssl.cnf
Generating a 1024 bit RSA private key
...++++++
.................++++++
writing new private key to '/etc/ssl/private/dovecot.pem'
-----
Note the key size: 1024-bit RSA is no longer considered adequate. On anything other than a throwaway test box, raise default_bits in /etc/ssl/dovecot-openssl.cnf to at least 2048 before running the script.
The second part of the script prints the subject and fingerprint of the generated certificate to confirm that it completed (if you don't see this output, the script failed).
subject= (information text from above configuration file)
SHA1 Fingerprint=(long fingerprint)
As the package notes in /var/db/pkg/dovecot-2.0.14/+DISPLAY point out, you can generate the key and certificate by other means, so long as you place the resulting files in the 'known' locations:
File Fragment: /var/db/pkg/dovecot-2.0.14/+DISPLAY
If this has been or will be accomplished by other means, use the following
paths for the files:
    /etc/ssl/dovecotcert.pem
    /etc/ssl/private/dovecot.pem
The location and names of the *.pem files are set in conf.d/10-ssl.conf by the ssl_cert and ssl_key settings (the Dovecot 1.x names ssl_cert_file and ssl_key_file are gone in Dovecot 2; note the leading "<", which tells Dovecot to read the value from the named file).
File Fragment: /etc/dovecot/conf.d/10-ssl.conf
ssl_cert = </etc/ssl/dovecotcert.pem
ssl_key = </etc/ssl/private/dovecot.pem
You can of course generate and store the key and certificate elsewhere, so long as you update these two settings to point at the new location. The same file carries the ssl setting; the default (ssl = yes) offers TLS but does not require it, which is what the plaintext tests later in this guide rely on. Once testing is finished, consider ssl = required on a production server so that logins on unencrypted connections are rejected.
Dovecot 2’s primary configuration file is:
/etc/dovecot/dovecot.conf
The specific options live in files under ./conf.d and are pulled in by the following lines in dovecot.conf
File Fragment: /etc/dovecot/dovecot.conf
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf

# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf
Edit dovecot.conf to make sure the protocols setting is present and lists at least imap and pop3.
File Fragment: /etc/dovecot/dovecot.conf
# Protocols we want to be serving.
protocols = imap pop3 lmtp
Each of these protocols is configured in its own file under ./conf.d/
The OpenBSD Dovecot package sets up OpenBSD's BSD Authentication (bsdauth) for authenticating user accounts.
File Fragment: /etc/dovecot/conf.d/authentication.conf.ext
# PAM-like authentication for OpenBSD.
#passdb {
  driver = bsdauth
  # [blocking=no] [cache_key=<key>]
  #args =
}

# System users (NSS, /etc/passwd, or similar). In many systems nowadays this
# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
userdb {
  # driver = passwd
  # [blocking=no]
  #args =
}
This means the Dovecot install lets users with accounts on your server retrieve their mail over the protocols enabled above.
File Fragment: /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
Before continuing, let’s just check to make sure we’ve got at least these parts working and not causing a conflict.
The default OpenBSD dovecot package supports authentication through the OpenBSD password file so we need at least one valid system user account to test the install.
Start Dovecot through its rc script so that it runs with the increased file descriptor limits:
# /etc/rc.d/dovecot start
dovecot(ok)
Check for error messages by looking at /var/log/maillog (using tail -f /var/log/maillog) and you should get a message such as the following
dovecot: master: Dovecot v2.0.14 starting up
dovecot: ssl-params: Generating SSL parameters
dovecot: ssl-params: SSL parameters regeneration completed
Check running processes to ensure that dovecot is running with the appropriate login class configuration.
# ps auxw | grep dovecot
To test POP3 we connect with a system user account (samt). Telnet sends the password in the clear, which is acceptable only on localhost: with Dovecot's default disable_plaintext_auth = yes, plaintext logins on unencrypted connections are refused unless they come from the local machine. From a remote host, test with openssl s_client -connect imap.example.com:995 (POP3S) or openssl s_client -starttls pop3 -connect imap.example.com:110 instead.
$ telnet localhost pop3
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
USER samt
+OK
PASS mypassword
+OK Logged in.
LIST
+OK 0 messages:
.
QUIT
+OK Logging out.
Connection closed by foreign host.
File Fragment: /var/log/maillog
Reviewing the log file should reveal something like the line below just after the user and password have been sent to Dovecot. The trailing "secured" means the connection was either TLS or from localhost, which is why the plaintext login was accepted.
dovecot: pop3-login: Login: user=<samt>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=23835, secured
File Fragment: /var/log/maillog
On disconnection you should see a matching disconnect entry.
dovecot: POP3(samt): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
A list of common POP3 commands, courtesy of SOL4.net
Command | Description
--- | ---
LIST | Lists the messages in the mailbox together with their sizes; with a message number, returns the size of that message only.
RETR messageID | Retrieve the message specified by messageID and display it.
DELE messageID | Mark the message specified by messageID for deletion; the deletion is carried out when the session ends with QUIT.
RSET | Undo any deletion marks made in this session.
STAT | Report the number of messages and the total mailbox size.
QUIT | Close the connection, committing any pending deletions.
The same basic login test with IMAP
Screen Session
# telnet localhost imap
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
a1 login samt mypassword
a1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
a2 select inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1323400084] UIDs valid
* OK [UIDNEXT 1] Predicted next UID
* OK [HIGHESTMODSEQ 1] Highest
a2 OK [READ-WRITE] Select completed.
a3 logout
* BYE Logging out
a3 OK Logout completed.
Connection closed by foreign host.
Again, we review /var/log/maillog for dovecot’s messages and after successfully entering the correct user/password combination we should get a log entry similar to the below.
File Fragment: /var/log/maillog
dovecot: imap-login: Login: user=<samt>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Likewise, on LOGOUT we should get the disconnect log entry.
File Fragment: /var/log/maillog
dovecot: imap-login: Login: user=<samt>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=31498, secured
dovecot: imap(samt): Disconnected: Logged out bytes=26/641
It seems our server is working correctly. Before exposing it beyond localhost, run doveconf -n to review the effective (non-default) configuration in one place, paying particular attention to the ssl, disable_plaintext_auth and protocols settings discussed above.
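The log lines above are also what you will be reading once real clients connect. As an added example, not from the original guide or from the Dovecot project, the following Python script runs the two checks a practitioner wants over those entries: it parses the imap-login/pop3-login lines, flags successful plaintext logins that carried neither the TLS nor the "secured" (localhost) marker, and counts failed authentications per remote IP. The sample log is constructed for this example: the four lines reproduced from this guide are marked, and the remaining lines, the "auth failed" message format and the RFC 5737 addresses are assumptions.

```python
"""Check Dovecot login entries from /var/log/maillog for two things a mail
admin wants to know right after the tests in this guide: plaintext logins
that were neither TLS-protected nor local, and remote addresses that keep
failing authentication."""
import re
from collections import Counter

# Constructed sample.  The lines marked (guide) reproduce entries shown in
# this guide; the others are made up for this example (addresses are from
# the RFC 5737 documentation ranges) and are assumptions, not real logs.
SAMPLE_MAILLOG = """\
dovecot: pop3-login: Login: user=<samt>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=23835, secured
dovecot: POP3(samt): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
dovecot: imap-login: Login: user=<samt>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=31498, secured
dovecot: imap(samt): Disconnected: Logged out bytes=26/641
dovecot: imap-login: Login: user=<samt>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=31510, TLS
dovecot: imap-login: Login: user=<samt>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=31522
dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<samt>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
"""
# (guide): lines 1-4 above; the rest are constructed.

# Only the *-login process lines carry the connection details we need.
# search() rather than match() so the syslog timestamp/hostname prefix
# present in a real maillog is tolerated.
LOGIN_RE = re.compile(
    r"dovecot: (?P<service>imap|pop3)-login: "
    r"(?P<event>Login|Disconnected \(auth failed, \d+ attempts\)): (?P<rest>.*)$"
)

# SASL mechanisms that transmit the password itself; safe only over TLS
# or from the local machine.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_line(line):
    """Return a dict for a login or auth-failure line, None for anything else."""
    m = LOGIN_RE.search(line)
    if m is None:
        return None
    event = {"service": m.group("service"),
             "ok": m.group("event") == "Login",
             "flags": set()}
    # The tail is "k=v, k=v, ..., flag, flag"; flags (secured, TLS) carry no '='.
    for token in m.group("rest").split(", "):
        if "=" in token:
            key, value = token.split("=", 1)
            event[key] = value.strip("<>")      # user=<samt> -> samt
        else:
            event["flags"].add(token.split(":")[0])  # "TLS: ..." -> "TLS"
    return event


def parse_maillog(text):
    """Parse every recognised line of a maillog into event dicts."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def unsecured_plaintext_logins(events):
    """Successful logins whose password crossed the wire unprotected: a
    plaintext mechanism with neither the TLS nor the 'secured' marker.
    With Dovecot's default disable_plaintext_auth=yes this list is empty;
    anything here means that default was relaxed."""
    return [(e["user"], e["rip"]) for e in events
            if e["ok"] and e.get("method") in PLAINTEXT_MECHS
            and not (e["flags"] & {"TLS", "secured"})]


def failed_logins_by_rip(events, threshold=3):
    """Remote addresses with at least `threshold` failed authentications."""
    counts = Counter(e["rip"] for e in events if not e["ok"])
    return {rip: n for rip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_maillog(SAMPLE_MAILLOG)
    print("login events parsed:", len(evs))
    print("unprotected plaintext logins:", unsecured_plaintext_logins(evs))
    print("brute-force candidates:", failed_logins_by_rip(evs))
```

Feed it the real file with parse_maillog(open("/var/log/maillog").read()); on the server configured in this guide, the first check should always come back empty, and the second is the input you would hand to pf or a log-watching daemon.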