Dovecot

Installing Dovecot

Here we install Dovecot (an IMAP and POP3 server), MySQL support, and Sieve. Sieve automatically files incoming mail into the corresponding folders: each domain gets its own folder, and inside it each virtual user gets a folder that stores that user's email files. The official documentation for Dovecot can be found at https://wiki2.dovecot.org/

apt install dovecot-core dovecot-imapd dovecot-sieve dovecot-managesieved

Check the Dovecot version:

dovecot --version

Configuring Dovecot

Now check that IMAP support is enabled:

nano /usr/share/dovecot/protocols.d/imapd.protocol

Check the file exists and the contents are:

protocols = $protocols imap

and also that the following line exists in the dovecot.conf file:

nano /etc/dovecot/dovecot.conf
!include_try /usr/share/dovecot/protocols.d/*.protocol

Change the default mailbox location and change format from mbox to maildir:

nano /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
mail_privileged_group = mail

Add dovecot to the mail group so that Dovecot can read the inbox:

adduser dovecot mail

Configure the authentication mechanism so that plaintext authentication is disabled when there is no SSL/TLS encryption. We'll also configure it so that a full email address needs to be used to log in rather than just the username.

nano /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes
# %n is the local part of user@domain (the domain is dropped before the lookup); %u is the full address
auth_username_format = %n

# Change the below to 'plain login' to support older email clients
auth_mechanisms = plain

Next we'll configure SSL/TLS encryption:

nano /etc/dovecot/conf.d/10-ssl.conf
ssl = required
ssl_cert = </etc/letsencrypt/ecc-certs/websrv1.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/ecc-certs/websrv1.example.com/privkey.pem
ssl_alt_cert = </etc/letsencrypt/rsa-certs/websrv1.example.com/fullchain.pem
ssl_alt_key = </etc/letsencrypt/rsa-certs/websrv1.example.com/privkey.pem
ssl_prefer_server_ciphers = yes
ssl_min_protocol = TLSv1.2
ssl_dh = </etc/ssl/certs/dhparam.pem
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
# Use the below instead if you need higher compatibility, at the expense of security
#ssl_cipher_list = EECDH+AES:EDH+AES+aRSA
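
To confirm that the authentication and TLS settings above are the ones Dovecot will actually use, the following added example (not part of the original guide) audits `key = value` lines such as `doveconf` prints. The function name and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit "key = value" lines against the values this guide sets.
audit_dovecot_settings() {
    awk '
        BEGIN {
            want["ssl"] = "required"
            want["disable_plaintext_auth"] = "yes"
            want["ssl_prefer_server_ciphers"] = "yes"
            want["ssl_min_protocol"] = "TLSv1.2"
        }
        {
            eq = index($0, "=")
            if (eq == 0 || $0 ~ /^[ \t]*#/) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (!(key in want)) next
            seen[key] = 1
            # TLSv1.3 as the floor is stricter than the guide, so accept it too
            ok = (val == want[key]) || (key == "ssl_min_protocol" && val == "TLSv1.3")
            if (!ok) { printf "FAIL %s = %s (guide: %s)\n", key, val, want[key]; bad++ }
        }
        END {
            for (k in want)
                if (!(k in seen)) { printf "MISSING %s (guide: %s)\n", k, want[k]; bad++ }
            exit (bad > 0)
        }'
}

# Constructed sample input: settings as this guide configures them.
sample_hardened() {
    cat <<'EOF'
ssl = required
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
disable_plaintext_auth = yes
EOF
}

# Constructed sample input: a configuration that has drifted from the guide.
sample_drifted() {
    cat <<'EOF'
ssl = yes
ssl_min_protocol = TLSv1
disable_plaintext_auth = no
EOF
}

sample_drifted | audit_dovecot_settings || echo "configuration deviates from the guide"
```

On the server, feed it the live values with `doveconf ssl ssl_min_protocol ssl_prefer_server_ciphers disable_plaintext_auth | audit_dovecot_settings`; the function returns non-zero when any setting is missing or weaker than the guide's.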

Enable SASL authentication between Postfix and Dovecot:

nano /etc/dovecot/conf.d/10-master.conf
service auth {
    unix_listener /var/spool/postfix/private/auth {
      mode = 0660
      user = postfix
      group = postfix
    }
}

Auto-create the Sent, Trash, Drafts and Spam folders:

nano /etc/dovecot/conf.d/15-mailboxes.conf
mailbox Trash {
    auto = subscribe
    special_use = \Trash
}

mailbox Sent {
    auto = subscribe
    special_use = \Sent
}

mailbox Drafts {
  special_use = \Drafts
  auto = subscribe
}

mailbox Spam {
  special_use = \Junk
  auto = subscribe
}

mailbox Junk {
  special_use = \Junk
}

Restart Dovecot and Postfix:

systemctl restart dovecot && systemctl restart postfix

Now we'll configure Dovecot to deliver email to the message store by using LMTP instead of LDA. This is required in order to use the sieve plugin later to filter inbound messages to different folders.

First we need to install the plugin:

apt update && apt install dovecot-lmtpd

Installing the plugin should have automatically created a new file at /usr/share/dovecot/protocols.d/lmtpd.protocol.

Now edit the 10-master.conf configuration file:

nano /etc/dovecot/conf.d/10-master.conf

Change the lmtp service definition to the following:

service lmtp {
    unix_listener /var/spool/postfix/private/dovecot-lmtp {
      mode = 0600
      user = postfix
      group = postfix
    }
}

Edit the main Postfix configuration file:

nano /etc/postfix/main.cf
mailbox_transport = lmtp:unix:private/dovecot-lmtp
smtputf8_enable = no

The second line disables SMTPUTF8 in Postfix, because Dovecot-LMTP doesn’t support this email extension.

Edit the /etc/dovecot/conf.d/15-lda.conf file and set the postmaster_address email address.

nano /etc/dovecot/conf.d/15-lda.conf
postmaster_address = postmaster@example.com

Because we deliver mail via LMTP, the lmtp service is where we need to tell Dovecot that we want to use its “sieve” plugin. Simply put, Sieve is a way to manage server-side email rules. This will be necessary later when we integrate RSpamd.

nano /etc/dovecot/conf.d/20-lmtp.conf
mail_plugins = $mail_plugins sieve

Also add the imap_sieve plugin to the imap service:

nano /etc/dovecot/conf.d/20-imap.conf
mail_plugins = $mail_plugins imap_sieve

Restart Dovecot and Postfix:

systemctl restart postfix dovecot

Firewall

Add the following exceptions to iptables. You can either add them to a config file to import, or precede each line with 'sudo iptables' and run each command manually. If you also use IPv6, then repeat with the command 'sudo ip6tables'.

-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT -m comment --comment "SMTP"
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -j ACCEPT -m comment --comment "Submission"
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -j ACCEPT -m comment --comment "IMAPS"

-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --sport 25 -j ACCEPT -m comment --comment "SMTP"
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT -m comment --comment "SMTP"
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --sport 587 -j ACCEPT -m comment --comment "Submission"
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --sport 993 -j ACCEPT -m comment --comment "IMAPS"