Install


Let's set up dovecot to allow users to read mail with IMAP and POP.

Installation

$ doas pkg_add dovecot

Configuration

A single user vmail will receive mail for all virtual users:

$ doas useradd -m -g =uid -c "Virtual Mail" -d /var/vmail -s /sbin/nologin vmail

/var/vmail will be used to store virtual users' maildir folders. It will be managed by dovecot, which receives mail via LMTP.

In order to secure our passwords, we need to rearrange file permissions and owners:

$ doas chown -R _dkimsign:_dkimsign /etc/mail/dkim/
$ doas chown _smtpd:_dovecot /etc/mail/passwd
$ doas chmod 770 /etc/mail/dkim/
$ doas chmod 440 /etc/mail/passwd
$ doas find /etc/mail -type f -exec chmod o-rwx '{}' +

In /etc/dovecot/dovecot.conf, add the following lines at the bottom of the file:

protocols = imap pop3 lmtp
listen = 192.168.0.1, 2001:db8::
service lmtp {
  user = vmail
}

This tells dovecot to listen to the protocols IMAP, POP3, and LMTP. Note: We don't want to support submission with dovecot.

It also tells dovecot which public IPs to listen on. Finally, the last block tells dovecot to run the LMTP service as the user vmail.

To aid with troubleshooting, you can consider adding these lines. Be aware that auth_debug_passwords=yes writes attempted passwords to the log, so remove these settings once you are done debugging:

auth_verbose=yes
auth_debug=yes
auth_debug_passwords=yes
mail_debug=yes
auth_verbose_passwords=sha1
verbose_ssl=yes

In /etc/dovecot/conf.d/10-auth.conf, first comment out the line that includes auth-system.conf.ext:

#!include auth-system.conf.ext

This prevents dovecot from using BSD auth.

Then at the bottom of the file, add these lines:

passdb {
   args = scheme=blf-crypt /etc/mail/passwd
   driver = passwd-file
}

userdb {
   args = uid=vmail gid=vmail home=/var/vmail/%d/%n
   driver = static
}

The first block defines our password database to use blowfish (see blowfish(3) and encrypt(1)).

The second block says that the mail must be read by user ID and group ID vmail, and that all mail will be in the folders /var/vmail/<domain>/<username>.

In /etc/dovecot/conf.d/10-mail.conf:

mail_location = maildir:/var/vmail/%d/%n/Maildir

This again indicates all mail will be in the folders /var/vmail/<domain>/<username>.

In /etc/dovecot/conf.d/10-ssl.conf, change these lines:

ssl = yes
...
ssl_cert = </etc/ssl/example.com.crt
ssl_key = </etc/ssl/private/example.com.key

You will need to replace example.com with your real domain.

Please read the instructions in the dovecot README in /usr/local/share/doc/pkg-readmes/dovecot. That file explains that you must add this login class to /etc/login.conf:

dovecot:\
         :openfiles-cur=4096:\
         :openfiles-max=8192:\
         :tc=daemon:

WARNING: You must use tabs and not spaces. If you use spaces in /etc/login.conf, the settings will not work.

NOTE: Allowing more open files than suggested in the README can help if you have many IP addresses.

WARNING: If login.conf.db exists, you will need to rebuild it:

# [ -f /etc/login.conf.db ] && cap_mkdb /etc/login.conf

But it is best to just remove /etc/login.conf.db since it is not required:

$ doas rm /etc/login.conf.db

Starting dovecot

To start dovecot via rcctl:

$ doas rcctl enable dovecot
$ doas rcctl start dovecot

Troubleshooting

Make sure to check /var/log/maillog. You can test the IMAP listener over STARTTLS with:

$ openssl s_client -starttls imap -connect username.coconut.ircnow.org:143

When starting dovecot, you may find it fails:

$ doas rcctl start dovecot
dovecot(failed)

When this happens, run the rc.d script with debugging turned on:

$ doas /etc/rc.d/dovecot -d start
doing _rc_parse_conf
doing _rc_quirks
dovecot_flags empty, using default ><
doing rc_check
dovecot
doing rc_start
doing _rc_wait start
doing rc_check
doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 12: ssl_cert: Can't open file /etc/ssl/dovecotcert.pem: No such file or directory
doing _rc_rm_runfile
(failed)

In this case, you can see the error is in line 12 of /etc/dovecot/conf.d/10-ssl.conf. I forgot to write the real path of the cert: /etc/ssl/example.com.fullchain.pem (where example.com is replaced with my real domain).

If file permissions are wrong, the auth process (running as _dovecot) cannot reach /etc/mail/passwd, and maillog shows exactly which directory and which permission bit are missing:

Jun  9 01:37:35 jrmu dovecot: auth: Error: passwd-file(jrmu@jrmu.host.oddprotocol.org,125.231.25.80,<aiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)
Jun  9 01:37:41 jrmu dovecot: auth: Error: passwd-file(jrmu@jrmu.host.oddprotocol.org,125.231.25.80,<aiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)
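The permission errors above are dense, so here is an added example (not part of this page's procedure or of dovecot) that parses such maillog lines, works out whether _dovecot falls into the owner, group or other class for the object dovecot complains about, and confirms from the logged mode that the needed bit is really absent. The first sample line is the one quoted above; the second is a constructed non-error line.

```python
import re
import stat

# Sample input: line 1 is quoted from this page's maillog excerpt,
# line 2 is a constructed unrelated entry to show it is skipped.
SAMPLE_LOG = """\
Jun  9 01:37:35 jrmu dovecot: auth: Error: passwd-file(jrmu@jrmu.host.oddprotocol.org,125.231.25.80,<aiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)
Jun  9 01:40:02 jrmu dovecot: imap-login: Login: user=<jrmu@jrmu.host.oddprotocol.org>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1, TLS
"""

# Shape of the "stat(...) failed: Permission denied (...)" diagnostic
# that dovecot's auth process logs for an unreachable passdb/userdb file.
PERM_ERR = re.compile(
    r"dovecot: auth: Error: (?P<driver>[\w-]+)\((?P<user>[^,]*),(?P<rip>[^,]*),<[^>]*>\): "
    r"stat\((?P<path>[^)]*)\) failed: Permission denied "
    r"\(euid=(?P<euid>\d+)\((?P<euser>[^)]*)\) egid=(?P<egid>\d+)\((?P<egroup>[^)]*)\) "
    r"missing \+(?P<perm>[rwx]) perm: (?P<obj>[^,]*), "
    r"(?:we're not in group \d+\([^)]*\), )?"
    r"(?:dir|file) owned by (?P<ouid>\d+):(?P<ogid>\d+) mode=(?P<mode>[0-7]+)\)"
)

BITS = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
        "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
        "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}

def access_class(euid, egid, ouid, ogid):
    """Permission triplet that applies to the process: owner, group or other.
    Only the effective gid is in the log, so supplementary groups are ignored."""
    if euid == ouid:
        return "owner"
    if egid == ogid:
        return "group"
    return "other"

def diagnose(line):
    """Return a dict describing the permission problem, or None for other lines."""
    m = PERM_ERR.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("euid", "egid", "ouid", "ogid"):
        d[k] = int(d[k])
    cls = access_class(d["euid"], d["egid"], d["ouid"], d["ogid"])
    bit = BITS[d["perm"]][("owner", "group", "other").index(cls)]
    d["class"] = cls
    d["granted"] = bool(int(d["mode"], 8) & bit)  # False: mode lacks the bit
    return d

def permission_errors(log_text):
    """Scan a maillog excerpt and return one diagnosis per matching line."""
    return [d for d in map(diagnose, log_text.splitlines()) if d]
```

For the quoted line the result is class "other" on /etc/mail with granted=False: mode 0750 gives others no search permission, which is what the chown/chmod steps in the Configuration section have to account for.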