HowtoForge

Setting Up A Mail Server Using Exim4, Clamav, Dovecot, SpamAssassin And Many More On Debian Lenny - Page 4

Configuring Dovecot

Dovecot is used by users to retrieve mails via POP3 or IMAP.

Of course Dovecot has to be installed on the mailstore, but if we have several mailstores (or plan to add more) we will also need a POP/IMAP proxy that routes each connection to the mailstore hosting the mailbox the user wants to read. Dovecot being a really great POP/IMAP server, it can also act as that proxy; in this howto the proxy runs on the MX server, but it could be placed somewhere else.


Dovecot on the mailstore:

We will now configure Dovecot on the mailstore. There are two configuration files to edit. First the global /etc/dovecot/dovecot.conf:

protocols = imap imaps pop3 pop3s managesieve 
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_location = maildir:%h/MailDir
mail_privileged_group = mail
#mail_debug = yes
first_valid_uid = 8
last_valid_uid = 8
first_valid_gid = 8
last_valid_gid = 8
protocol imap {
  mail_plugins = quota imap_quota
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
  mail_plugins = quota
}
protocol managesieve {
  login_executable = /usr/lib/dovecot/managesieve-login
  mail_executable = /usr/lib/dovecot/managesieve
}
protocol lda {
  postmaster_address = postmaster@denetor.middle.earth
  hostname = denetor.middle.earth
  mail_plugins = quota sieve
  auth_socket_path = /var/run/dovecot/auth-master
  sieve_global_path = /var/sieve/global
  sieve=~/.dovecot.sieve
}
auth default {
  mechanisms = plain login
  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
  userdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
  userdb prefetch {
  }
  user = root
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0660
      group = mail
    }
    client {
      path = /var/run/dovecot/auth-client
      mode = 0660
      group = mail
    }
  }
}
dict {
}
plugin {
  quota = maildir:User quota
  quota_warning = storage=90%% /usr/local/bin/quota-warning.sh 90
  sieve_before = /var/sieve/global
}

... and the ldap part configuration file /etc/dovecot/dovecot-ldap.conf:

uris = ldap://ldap.middle.earth
dn = uid=dovecot,dc=middle,dc=earth
dnpass = dovecotpopper
ldap_version = 3
base = dc=%d,ou=domains,dc=middle,dc=earth
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid,mailQuota=quota_rule=*:storage=%$
user_filter = (&(objectClass=inetLocalMailRecipient)(objectClass=posixAccount)(uid=%n))
pass_attrs = mailRoutingAddress=user,userPassword=password,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid,mailQuota=userdb_quota_rule=*:storage=%$
pass_filter = (&(objectClass=inetLocalMailRecipient)(objectClass=posixAccount)(uid=%n))
default_pass_scheme = LDAP-MD5

As part of the sieve filtering we have defined a global filter that files mails classified as spam by SpamAssassin into the 'Junk' mailfolder. First create the directory that will hold it:

sudo mkdir /var/sieve

This filter is /var/sieve/global:

require "fileinto";
if header :contains ["X-Spam-Flag"] ["Yes"] {
  fileinto "Junk";
  stop;
}

Then give the directory to the mail user, which is the uid Dovecot delivers as (uid 8, see first_valid_uid above):

sudo chown mail -R /var/sieve

As part of the quota plugin we need to create a short script that warns users when their mailbox reaches the warning threshold (90% in the plugin section above). It lives in /usr/local/bin/quota-warning.sh:

#!/bin/sh
# Called by Dovecot's quota plugin (see quota_warning in dovecot.conf):
# $1 is the percentage given in the quota_warning rule, and USER is set
# by Dovecot to the owner of the mailbox.

PERCENT=$1
FROM="postmaster@denetor.middle.earth"
# mktemp creates the file with an unpredictable name and mode 0600, so
# nobody else can pre-create or replace it in the world-writable /tmp.
qwf=$(mktemp /tmp/quota.warning.XXXXXX) || exit 1

echo "From: $FROM
To: $USER
To: postmaster@domain.org
Subject: Your email quota is $PERCENT% full
Content-Type: text/plain; charset='UTF-8'

This message is automatically created
by mail delivery software.

The size of your mailbox has exceeded
a warning threshold that is
set by the system administrator.
You *must* delete mails or empty some folders
or you may lose emails in the future." >> "$qwf"

/usr/sbin/sendmail -f "$FROM" "$USER" < "$qwf"
rm -f "$qwf"

exit 0

Make the script executable:

sudo chmod +x /usr/local/bin/quota-warning.sh


Dovecot on the MX:

On this host we configure Dovecot to act as a proxy. Which mailstore a connection is proxied to is controlled by the LDAP attribute mailHost. Even though each user has its own mailHost attribute, the configuration presented in this howto requires that a whole domain be hosted on a single mailstore.

The dovecot config is as follows, /etc/dovecot/dovecot.conf:

protocols = imap imaps pop3 pop3s managesieve
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_process_per_connection = no
login_processes_count = 8
mail_uid = 8
mail_gid = 8
mail_privileged_group = mail
first_valid_uid = 8
last_valid_uid = 8
first_valid_gid = 8
last_valid_gid = 8
protocol imap {
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}
protocol managesieve {
}
auth default {
  mechanisms = plain login
  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
  userdb passwd {
  }
  userdb static {
  }
  user = nobody
}
dict {
}
plugin {
}  

... and /etc/dovecot/dovecot-ldap.conf:

uris = ldap://ldap.middle.earth
dn = uid=dovecot,dc=middle,dc=earth
dnpass = dovecotpopper
base = dc=%d,ou=domains,dc=middle,dc=earth
pass_attrs = =nopassword=1,=password=,=proxy=y,mailHost=host,=destuser=%u
pass_filter = (&(objectClass=inetLocalMailRecipient)(objectClass=posixAccount)(uid=%n))
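
To see what the two dovecot-ldap.conf files above actually produce for a given login, here is an added Python example (it is not code from this howto, nor from Dovecot). It expands the page's base, pass_filter, user_attrs and pass_attrs templates against a small constructed in-memory directory instead of ldap.middle.earth, evaluates the resulting filter the way an LDAP server would, and returns the fields Dovecot would get back. The entries, hostnames and quotas in DIRECTORY are made up for the example. The attribute-list parser is general: it handles the static `=field=value` form used on the MX as well as the `ldapAttr=field=template` form with `%$` used on the mailstore. The escaping function mirrors the step Dovecot itself performs when it substitutes `%n` into a filter, so the last two calls show why that step matters.

```python
import re

# Templates taken from the dovecot-ldap.conf files on this page.
BASE_TEMPLATE = "dc=%d,ou=domains,dc=middle,dc=earth"
FILTER_TEMPLATE = "(&(objectClass=inetLocalMailRecipient)(objectClass=posixAccount)(uid=%n))"
MAILSTORE_USER_ATTRS = "homeDirectory=home,uidNumber=uid,gidNumber=gid,mailQuota=quota_rule=*:storage=%$"
MX_PASS_ATTRS = "=nopassword=1,=password=,=proxy=y,mailHost=host,=destuser=%u"

# Constructed directory standing in for ldap.middle.earth; every value is made up.
DIRECTORY = [
    {"dn": "uid=frodo,dc=shire.earth,ou=domains,dc=middle,dc=earth",
     "objectClass": ["inetLocalMailRecipient", "posixAccount"],
     "uid": ["frodo"], "mailHost": ["mailstore1.middle.earth"],
     "homeDirectory": ["/var/mail/shire.earth/frodo"],
     "uidNumber": ["8"], "gidNumber": ["8"], "mailQuota": ["100M"]},
    {"dn": "uid=gimli,dc=erebor.earth,ou=domains,dc=middle,dc=earth",
     "objectClass": ["inetLocalMailRecipient", "posixAccount"],
     "uid": ["gimli"], "mailHost": ["mailstore2.middle.earth"],
     "homeDirectory": ["/var/mail/erebor.earth/gimli"],
     "uidNumber": ["8"], "gidNumber": ["8"], "mailQuota": ["50M"]},
]

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_vars(login):
    """Dovecot's %u (full login), %n (user part) and %d (domain part)."""
    user, _, domain = login.partition("@")
    return {"u": login, "n": user, "d": domain}


def expand(template, variables, escape=lambda s: s):
    """Replace %u/%n/%d in a template, passing each value through escape()."""
    return re.sub(r"%([und])", lambda m: escape(variables[m.group(1)]), template)


def _unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def value_matches(pattern, actual):
    """One assertion value as an LDAP server reads it: a bare '*' is a
    substring wildcard, an escaped byte such as \\2a is a literal character."""
    parts = re.findall(r"\\[0-9a-fA-F]{2}|\*|[^*\\]+", pattern)
    regex = "".join(".*" if p == "*" else re.escape(_unescape(p)) for p in parts)
    return re.fullmatch(regex, actual) is not None


def entry_matches(entry, base, search_filter):
    """Subtree scope under base plus the (attr=value) assertions of an AND filter."""
    if not entry["dn"].endswith("," + base):
        return False
    assertions = re.findall(r"\((\w+)=([^()]*)\)", search_filter)
    return all(any(value_matches(v, actual) for actual in entry.get(a, []))
               for a, v in assertions)


def lookup(login, escape=ldap_filter_escape):
    """Entries the page's base/pass_filter templates select for this login."""
    variables = login_vars(login)
    base = expand(BASE_TEMPLATE, variables)
    search_filter = expand(FILTER_TEMPLATE, variables, escape)
    return [e for e in DIRECTORY if entry_matches(e, base, search_filter)]


def parse_attrs(spec):
    """Split a *_attrs list into (ldap_attr, dovecot_field, template) triples.
    An empty ldap_attr means a static field; a template may contain %$ for
    the attribute's value and %u/%n/%d for the login."""
    triples = []
    for item in spec.split(","):
        ldap_attr, _, rest = item.partition("=")
        field, has_template, template = rest.partition("=")
        triples.append((ldap_attr, field, template if has_template else None))
    return triples


def fields_for(entry, spec, login):
    """Fields Dovecot receives for one entry under the given *_attrs spec."""
    variables = login_vars(login)
    result = {}
    for ldap_attr, field, template in parse_attrs(spec):
        value = entry.get(ldap_attr, [""])[0] if ldap_attr else ""
        if template is not None:
            value = expand(template, variables).replace("%$", value)
        result[field] = value
    return result


def resolve(login, spec):
    """Look the login up; None unless exactly one entry matched."""
    matches = lookup(login)
    return fields_for(matches[0], spec, login) if len(matches) == 1 else None


if __name__ == "__main__":
    print(resolve("frodo@shire.earth", MX_PASS_ATTRS))          # proxy fields for the MX
    print(resolve("gimli@erebor.earth", MAILSTORE_USER_ATTRS))  # userdb fields on the mailstore
    print(lookup("fro*do@shire.earth"))                          # [] : '*' escaped, no wildcard
    print(lookup("fro*do@shire.earth", escape=lambda s: s))      # frodo's entry: '*' became a wildcard
```

The MX result shows what `=nopassword=1,=password=,=proxy=y` means in practice: the proxy gets an empty password with nopassword set, so it does not verify the client's password itself; it only learns the host from mailHost and hands the connection, credentials included, to that mailstore, which then authenticates the user with its own passdb. The last two calls show the other point: with the `%n` value escaped, a login containing `*` finds nothing, whereas an unescaped substitution would turn it into a substring search.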

Extra Notes:

Security Notes:
