Installing and configuring Dovecot

This documentation refers to Dovecot version 2.4 and later.

All mailboxes belong to virtual users. To manage the mailboxes we need a system user that owns all of them. We create this user, vmail, as follows.

groupadd -g 5000 vmail
useradd -u 5000 -g vmail -s /usr/sbin/nologin -d /var/vmail -m vmail
mkdir -p /var/vmail
  • Mail user vmail with UID/GID 5000.
  • No login allowed (nologin).
  • Mail directories are created under /var/vmail.

Next we create a directory for the global Sieve filters.

mkdir -p /etc/dovecot/sieve

Then we create the global Sieve filters for spam learning.

cat <<FILTER | tee /etc/dovecot/sieve/learn-ham.sieve >/dev/null
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_ham"];
FILTER
cat <<FILTER | tee /etc/dovecot/sieve/learn-spam.sieve >/dev/null
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
pipe :copy "rspamc" ["learn_spam"];
FILTER

Explanation

  • learn-ham.sieve: forwards non-spam mails to Rspamd for learning.
  • learn-spam.sieve: forwards spam mails to Rspamd for learning.
  • pipe :copy: the mail is copied; the original stays in the mailbox.

cat <<FILTER | tee /etc/dovecot/sieve/spam-global.sieve >/dev/null
require ["fileinto","mailbox"];

if anyof(
    header :contains ["X-Spam-Flag"] "YES",
    header :contains ["X-Spam"] "Yes",
    header :contains ["Subject"] "*** SPAM ***"
    )
{
    fileinto :create "Spam";
    stop;
}
FILTER
  • spam-global.sieve: moves all mails marked as spam into the Spam folder.

Then we create the MySQL backend configuration for Dovecot authentication in the file conf.d/auth-mysql.conf.ext.

sqlpw='<MYSECRET>'

cat <<AUTH | tee /etc/dovecot/conf.d/auth-mysql.conf.ext >/dev/null
sql_driver = mysql

mysql 127.0.0.1 {
  user = postfixadmin
  password = $sqlpw
  dbname = postfixadmin
}

userdb sql {
    query = SELECT CONCAT('/var/vmail/',maildir) AS home, \
        CONCAT('maildir:/var/vmail/',maildir) AS mail, \
        5000 AS uid, 5000 AS gid, CONCAT('*:bytes=',quota) AS quota_rule, \
        CONCAT(quota, 'B') AS quota_storage_size \
        FROM mailbox WHERE username = '%{user}' AND active = 1
    iterate_query = SELECT username AS user FROM mailbox
}

passdb sql {
    default_password_scheme = SHA512-CRYPT
    query = SELECT username AS user,password FROM mailbox \
        WHERE username = '%{user}' AND active='1'
}
AUTH

Explanation

  • userdb defines where the mailboxes are stored, which UID/GID is used and which quotas apply.
  • passdb authenticates users against MySQL; passwords are stored as SHA512-CRYPT.
  • The generated file contains the database password in clear text, so its permissions must not allow other users to read it.

Then we create the configuration in conf.d/99-auth.conf, which enables the authentication backends.

cat <<CONFIG | tee /etc/dovecot/conf.d/99-auth.conf >/dev/null
!include auth-system.conf.ext   # Linux-PAM / System-User
!include auth-mysql.conf.ext    # MySQL-Backend
CONFIG
  • System users remain active, but your MySQL backend is used in addition.

Then we create the IMAP configuration conf.d/99-imap.conf and the LMTP configuration conf.d/99-lmtp.conf.

cat <<CONFIG | tee /etc/dovecot/conf.d/99-imap.conf >/dev/null
protocol imap {
  mail_plugins {
    imap_quota = yes
    imap_sieve = yes
  }
  mail_max_userip_connections = 50
  imap_idle_notify_interval = 29 mins
}
CONFIG
cat <<CONFIG | tee /etc/dovecot/conf.d/99-lmtp.conf >/dev/null
lmtp_rcpt_check_quota = yes
protocol lmtp {
  mail_plugins {
    sieve = yes
    notify = yes
    push_notification = yes
  }
  postmaster_address = postmaster@tuxnet24.de
  auth_username_format = %{user | lower}
}
CONFIG
  • IMAP plugins imap_quota and imap_sieve are enabled.
  • LMTP is used to deliver mail from Postfix into the Maildir.
  • Quotas are checked at LMTP delivery time.

Then we create the logging configuration conf.d/99-logging.conf.

cat <<CONFIG | tee /etc/dovecot/conf.d/99-logging.conf >/dev/null
log_path = /var/log/dovecot.log

# log_debug is a single event filter; repeated assignments would override
# each other, so all categories are combined into one filter expression.
log_debug = category=auth OR category=mail OR category=ssl OR category=imap OR category=lmtp

log_timestamp = "%Y-%m-%d %H:%M:%S "
CONFIG
  • All important categories are written to the log, including auth, mail, SSL, IMAP and LMTP.

Then we define the mailbox and namespace configuration in conf.d/99-mailboxes.conf.

cat <<CONFIG | tee /etc/dovecot/conf.d/99-mailboxes.conf >/dev/null
namespace inbox {
  inbox = yes
  mailbox Drafts { special_use = \Drafts; auto = subscribe }
  mailbox Spam   { special_use = \Junk; auto = subscribe   }
  mailbox Trash  { special_use = \Trash; auto = subscribe; quota_storage_extra = 100M }
  mailbox Sent   { special_use = \Sent; auto = subscribe   }
  mailbox "Sent Messages" { special_use = \Sent            }
}
CONFIG

The mail storage paths are defined in conf.d/99-mail.conf.

cat <<CONFIG | tee /etc/dovecot/conf.d/99-mail.conf >/dev/null
mail_uid = vmail
mail_gid = vmail
mail_privileged_group = mail
mail_driver = maildir
mail_path = /var/vmail/%{user|domain}/%{user|username}
mail_inbox_path = /var/vmail/%{user|domain}/%{user|username}
mailbox_list_layout = fs
CONFIG
  • Maildir is used as the storage format.
  • Running all mail access as the vmail UID/GID keeps the mail data separated from system users.

We configure ManageSieve in the file conf.d/99-managesieve.conf.

cat <<CONFIG | tee /etc/dovecot/conf.d/99-managesieve.conf >/dev/null
protocols { sieve = yes }

service managesieve-login {
  inet_listener sieve { port = 4190 }
  inet_listener sieve_deprecated { port = 2000 }
}

service managesieve {}
protocol sieve {}
CONFIG
  • Clients can upload Sieve rules via ManageSieve.
  • Port 4190 is the standard port.

We create the master service & listener file conf.d/99-master.conf as follows.

cat <<CONFIG | tee /etc/dovecot/conf.d/99-master.conf >/dev/null
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

service submission-login {
  inet_listener submission {
    port = 587
  }
  inet_listener submissions {
    port = 465
    ssl = yes
  }
}

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0660
    user = postfix
    group = postfix
  }
}

service imap {
}

service submission {
}

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    mode = 0660
    user = vmail
    group = vmail
  }
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # \$SET:default_internal_user.
  user = vmail
}

service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    mode = 0660
    user = vmail
    group = vmail
  }
}
CONFIG
  • LMTP socket for Postfix.
  • Auth socket for Postfix SMTP auth.
  • SSL for IMAPS/SMTPS.

We define quotas & limits in the file conf.d/99-quota.conf.

cat <<CONFIG | tee /etc/dovecot/conf.d/99-quota.conf >/dev/null
mail_plugins {
  quota = yes
}

quota "User quota" {
  warning warn-95 {
    quota_storage_percentage = 95
    execute quota-warning {
      args = 95 %{user}
    }
  }
  warning warn-80 {
    quota_storage_percentage = 80
    execute quota-warning {
      args = 80 %{user}
    }
  }
}

service quota-warning {
  executable = script /usr/local/bin/quota-warning
  user = vmail
  unix_listener quota-warning {
    user = vmail
  }
}

quota "User quota" {
  driver = maildir
  #driver = fs
  #driver = count

  quota_exceeded_message = Benutzer %{user} hat das Speichervolumen ueberschritten. / User %{user} has exhausted allowed storage space.
}
CONFIG
  • Warnings at 80 % and 95 %; the script /usr/local/bin/quota-warning is called.
  • Maildir quota is active; exceeding it produces an error message.
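The configuration above calls /usr/local/bin/quota-warning with the arguments "<percent> <user>" but does not show the script. The following is an added example of such a script, not the page's own; it assumes dovecot-lda is installed at /usr/lib/dovecot/dovecot-lda, that the Dovecot 2.4 option quota_enforce=no skips the quota check for this one delivery, and that postmaster@example.com is a placeholder sender address.

```shell
#!/bin/sh
# /usr/local/bin/quota-warning (example; path taken from 99-quota.conf)
# Dovecot calls this as: quota-warning <percent> <user>
set -eu

# Assumptions: Debian path of dovecot-lda and a placeholder sender address.
DOVECOT_LDA="${DOVECOT_LDA:-/usr/lib/dovecot/dovecot-lda}"
QUOTA_SENDER="${QUOTA_SENDER:-postmaster@example.com}"

# Build the warning message (headers, blank line, body) for a percentage and user.
warning_message() {
    percent=$1
    user=$2
    printf 'From: %s\n' "$QUOTA_SENDER"
    printf 'To: %s\n' "$user"
    printf 'Subject: Mailbox quota warning: %s%% used\n' "$percent"
    printf 'Auto-Submitted: auto-generated\n'
    printf '\n'
    printf 'Your mailbox is %s%% full. Please delete old messages.\n' "$percent"
}

# Dovecot passes both values on the command line, so only accept a plain
# percentage (0-100) and a user name made of address characters.
valid_args() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 100 ] || return 1
    case "$2" in
        ''|*[!A-Za-z0-9@._+-]*) return 1 ;;
    esac
    return 0
}

# Deliver the warning through dovecot-lda with quota enforcement disabled for
# this message (assumed 2.4 option), so it still arrives in a nearly full mailbox.
deliver() {
    warning_message "$1" "$2" | "$DOVECOT_LDA" -d "$2" -o "quota_enforce=no"
}

# Only act when Dovecot invoked us with the two configured arguments.
if [ "$#" -eq 2 ]; then
    valid_args "$1" "$2" || { echo "quota-warning: invalid arguments" >&2; exit 1; }
    deliver "$1" "$2"
fi
```

Install it with `chmod 0755 /usr/local/bin/quota-warning`; the quota-warning service in 99-quota.conf runs it as vmail.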

We create the Sieve integration in the file conf.d/99-sieve.conf.

cat <<CONFIG | tee /etc/dovecot/conf.d/99-sieve.conf >/dev/null
sieve_script spam-global {
  type = before
  path = /etc/dovecot/sieve/spam-global.sieve
}

sieve_script personal {
  type = personal
  path = /var/vmail/%{user | domain }/%{user | username }/sieve
  active_path = /var/vmail/%{user | domain }/%{user | username }/sieve/.dovecot.sieve
}

imapsieve_from Spam {
  sieve_script ham {
    type = before
    cause = copy
    path = /etc/dovecot/sieve/learn-ham.sieve
  }
}
mailbox Spam {
  sieve_script spam {
    type = before
    cause = copy
    path = /etc/dovecot/sieve/learn-spam.sieve
  }
}

sieve_pipe_bin_dir = /usr/bin
sieve_global_extensions {
  vnd.dovecot.pipe = yes
}
sieve_plugins {
  sieve_imapsieve = yes
  sieve_extprograms = yes
}

recipient_delimiter = +
CONFIG

We define the SSL/TLS configuration in the file conf.d/99-ssl.conf.

domain=example.com
cat <<CONFIG | tee /etc/dovecot/conf.d/99-ssl.conf >/dev/null
ssl = yes
ssl_server_cert_file = /etc/apache2/custom.d/ssl/${domain}/fullchain.pem
ssl_server_key_file = /etc/apache2/custom.d/ssl/${domain}/privkey.pem
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_server_prefer_ciphers = server
CONFIG
  • TLS 1.2 or newer is mandatory.
  • Secure cipher list for IMAPS/SMTPS.

Now we also create the custom Sieve filter.

domain="example.com"
mailbox="info"
mkdir -p /var/vmail/${domain}/${mailbox}/sieve/
touch /var/vmail/${domain}/${mailbox}/sieve/.dovecot.sieve
sievec /var/vmail/${domain}/${mailbox}/sieve/.dovecot.sieve
  • Creates a test mailbox.
  • .dovecot.sieve is compiled so that Dovecot can use the Sieve script.
  • The sieve directory under /var/vmail must be owned by vmail, otherwise Dovecot cannot write to it.

As the last step we enable the Dovecot service and restart it.

systemctl enable dovecot
systemctl restart dovecot
systemctl status dovecot
  • Check that IMAP, LMTP, Sieve and TLS start correctly.