C. Secure Dovecot
Dovecot server can do IMAPS pretty much right out of the
box... so let's get it installed
on secure-mail. As usual, Debian takes the majority of the work off our
hands:
# apt-get install dovecot-imapd
For our purposes, we didn't need POP3 (and really, neither
should you), but if you wanted it, just
append dovecot-pop3d to
the end of that command.
Open up the Dovecot configuration file located in
/etc/dovecot/dovecot.conf
and make it look like the following. There is
probably already lots of default configuration done, so you will
probably only need to uncomment certain sections and change minor
things. Pay close attention to the ssl_
sections of the file,
as they are different on this server.
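## Dovecot configuration file
#
base_dir = /var/run/dovecot/
#
# imap imaps pop3 pop3s (use imaps and pop3s if configured for SSL)
# Only the SSL-wrapped IMAP service is enabled: there is no plaintext listener.
protocols = imaps
#
# Refuse plaintext authentication on connections that are not SSL-protected.
# This is Dovecot's default, but stating it keeps the intent visible if the
# protocols line is ever widened to include plain imap.
disable_plaintext_auth = yes
#
# Uncomment the ssl_listen statements and comment out listen if using SSL
protocol imap {
  # listen = *:143
  ssl_listen = *:993
}
#protocol pop3 {
#  listen = *:110
#  ssl_listen = *:995
#}
#
# Use straight ASCII double quotes here. The curly quotes in the published
# listing are not recognised as string delimiters, so they would be taken as
# part of the value instead of delimiting it.
log_timestamp = "%Y-%m-%d %H:%M:%S "
syslog_facility = mail
#
# Uncomment these if using SSL
# The private key file should be readable by root only.
ssl_cert_file = /etc/ssl/example.com/mailserver/mail-cert.pem
ssl_key_file = /etc/ssl/example.com/mailserver/mail-key.pem
#ssl_ca_file = /etc/ssl/mycompany/ca/mycompany.pem
#ssl_verify_client_cert = yes
# Interval for regenerating the SSL parameters file (presumably in hours,
# matching Dovecot's shipped default of 168 — confirm against your version).
ssl_parameters_regenerate = 168
verbose_ssl = no
#
# Where the mailboxes are located
mail_location = maildir:/vmail/%d/%u
#
mail_extra_groups = mail
mail_debug = no
# All virtual users are mapped onto this single system uid.
first_valid_uid = 150
last_valid_uid = 150
maildir_copy_with_hardlinks = yes
#
protocol imap {
  login_executable = /usr/lib/dovecot/imap-login
  mail_executable = /usr/lib/dovecot/imap
  imap_max_line_length = 65536
}
#protocol pop3 {
#  login_executable = /usr/lib/dovecot/pop3-login
#  mail_executable = /usr/lib/dovecot/pop3
#  pop3_uidl_format = %08Xu%08Xv
#}
protocol lda {
  postmaster_address = postmaster@mydomain.com
  sendmail_path = /usr/lib/sendmail
  auth_socket_path = /var/run/dovecot/auth-master
}
#
# Keep authentication logging quiet in production; auth_debug_passwords in
# particular would write credentials to the mail log.
auth_verbose = no
auth_debug = no
auth_debug_passwords = no
#
auth default {
  # PLAIN is acceptable here only because every enabled listener above is
  # SSL-wrapped (protocols = imaps, ssl_listen = *:993); the credentials never
  # cross the wire unencrypted.
  mechanisms = plain
  passdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
  userdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
  # NOTE(review): the authentication process runs as this user. Later on this
  # page the *.conf files are chown'd to vmail with mode 600 — confirm that the
  # auth process can still read dovecot-sql.conf with that ownership, or run it
  # as vmail instead.
  user = nobody
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0660
      user = vmail
      group = mail
    }
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
  #
  # If you want client certificates, use these lines
  # ssl_require_client_cert = yes
  # ssl_username_from_cert = yes
}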
NOTE: You
can't just copy the above configuration and expect it to work! You're
going to need to incorporate any changes above into your own
configuration.
The Dovecot configuration is almost complete, but just as with
the prior configuration, the MySQL settings
need to be incorporated.
Open the file /etc/dovecot/dovecot-sql.conf
and make sure that the following is present.
driver = mysql
# The database credentials are stored in clear text on this line, which is why
# this file must be readable only by its owner (see the chmod step below).
connect = host=sql-1.internal.example.com dbname=virtual_mail user=vmail_user password=vmail_user_password
# The new name for MD5 is MD5-CRYPT so you might need to change this depending on version
# NOTE(review): MD5-based crypt is weak by current standards. Newer Dovecot
# releases also support stronger schemes such as SHA512-CRYPT. This setting only
# tells Dovecot how to interpret hashes that carry no {SCHEME} prefix, so the
# hashes stored in the mailbox table must be migrated (e.g. on each user's next
# password change) before this line is switched to a stronger scheme.
default_pass_scheme = MD5
# Get the mailbox
# Only rows with active = '1' can log in; deactivated accounts are refused here
# rather than by deleting their mail.
user_query = SELECT '/vmail/%d/%n' AS home, 'maildir:/vmail/%d/%n' AS mail, 150 AS uid, 8 AS gid, CONCAT('dirsize:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1'
# Get the password
password_query = SELECT username AS user, password, '/vmail/%d/%n' AS userdb_home, 'maildir:/vmail/%d/%n' AS userdb_mail, 150 AS userdb_uid, 8 AS userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
# If using client certificates for authentication, comment the above and uncomment the following
# (with a null password the client certificate becomes the sole credential, so
# ssl_require_client_cert / ssl_username_from_cert must be enabled as well)
#password_query = SELECT null AS password, '%u' AS user
Since we've stored our MySQL password in plain text in this file, we need to
make sure we're the only ones who can read it!
# chmod 600 /etc/dovecot/*.conf
# chown vmail /etc/dovecot/*.conf
The External/Secure Dovecot configuration is now finished!
Go ahead and restart the Dovecot service:
# invoke-rc.d dovecot restart
... and your external/insecure users can now check for email
on secure-mail.example.com!