[OpenBSD 4.0 Stable]
Some people are singing the praises of Dovecot as an IMAP, POP3 and SASL server for its speed and security features.
I can't really add anything to the discussion of whether this is better or not, but I hope this guide will help you in using it with our postfix guide.
These instructions were tested with OpenBSD 4.0 Stable and Dovecot 1.0.rc15, a packaged port released after the OpenBSD 4.0 release.
Although we start by testing a basic installation, we build the package with the ldap and mysql flavors so that the MySQL-backed virtual user setup later in this guide works without rebuilding the port.
# cd /usr/ports/mail/dovecot
# env FLAVOR="ldap mysql" make package
===> Building package for
dovecot-1.0.rc15-ldap-mysql
Switching to /usr/ports/mail/dovecot/pkg/PFRAG.shared
Link to /usr/ports/packages/i386/ftp/dovecot-1.0.rc15-ldap-mysql.tgz
Link to /usr/ports/packages/i386/cdrom/dovecot-1.0.rc15-ldap-mysql.tgz
# pkg_add dovecot-1.0.rc15-ldap-mysql
dovecot-1.0.rc15-ldap-mysql: complete
--- dovecot-1.0.rc15-ldap-mysql -------------------
Files to facilitate the generation of a self-signed
certificate and key for Dovecot have been installed:
/etc/ssl/dovecot-openssl.cnf (Edit this accordingly!)
/usr/local/sbin/dovecot-mkcert.sh
If this has been or will be accomplished by other means,
use the following paths for the files:
/etc/ssl/dovecotcert.pem
/etc/ssl/private/dovecot.pem
If you wish to have Dovecot started automatically at boot time,
simply add the following lines to /etc/rc.local:
if [ -x /usr/local/sbin/dovecot ]; then
echo -n ' dovecot'; /usr/local/sbin/dovecot
fi
Following through on the installation instructions from the dovecot package:
The dovecot ports/package provides a simplified approach for generating the SSL certificates. The configuration file is at /etc/ssl/dovecot-openssl.cnf, while the configuration tool is /usr/local/sbin/dovecot-mkcert.sh.
The file should be mostly self-explanatory, if you need any further help look at the man page for openssl(1).
File Fragment: /etc/ssl/dovecot-openssl.cnf
[ req_dn ]
# country (2 letter code)
#C=FI
# State or Province Name (full name)
#ST=
# Locality Name (eg. city)
#L=Helsinki
# Organization (eg. company)
#O=Dovecot
# Organizational Unit Name (eg. section)
#OU=Imap Server
# Common Name (*.example.com is also possible)
#CN=imap.example.com
# E-mail contact
#emailAddress=postmaster@example.com
The commented-out fields above are optional, but at minimum set CN to the host name your mail clients will connect to; clients compare that name against the certificate and will warn on every connection if it does not match.
If you've never used certificates before, or are just using these instructions on a test server, then just work with the sample configuration above. If you are ready to deploy your system, then please read the man pages and make some further reviews of your certificate files. The full openssl configuration file example in OpenBSD is stored as /etc/ssl/openssl.cnf
The port-supplied /usr/local/sbin/dovecot-mkcert.sh is a short shell script that generates the key and certificate from the information in the configuration file above. Just run the script to generate your certificate:
# /usr/local/sbin/dovecot-mkcert.sh
The first part of the script generates the private key using /etc/ssl/dovecot-openssl.cnf
Generating a 1024 bit RSA private key
...++++++
.................++++++
writing new private key to '/etc/ssl/private/dovecot.pem'
-----
The second part of the script prints the subject and the MD5 fingerprint of the generated certificate to confirm that it ran correctly (if you don't see this second part, something failed badly). Note that the script as shipped produces a 1024-bit RSA key, which is below current minimums; if you generate the certificate by hand for a production server, use a 2048-bit or larger key and compare fingerprints with SHA-256 rather than MD5.
subject= (information text from above configuration file)
MD5 Fingerprint=(long fingerprint)
As shown in the ports documentation, you can manually generate your own configuration/certificate files so long as you place the resulting files into a 'known' location:
/etc/ssl/dovecotcert.pem
/etc/ssl/private/dovecot.pem
The location, and naming of the *.pem files are specified in your /etc/dovecot.conf file for the key/value pairs of ssl_cert_file and ssl_key_file.
We will test pop3 and imap so let us ensure this is configured for dovecot in the /etc/dovecot.conf file. Edit the dovecot.conf file to ensure protocols is enabled and we are allowing at least imap and pop3.
File Fragment: /etc/dovecot.conf
# Protocols we want to be serving: imap imaps pop3 pop3s
# If you only want to use dovecot-auth, you can set this to "none".
protocols = imap imaps pop3 pop3s
Before continuing, let's just check to make sure we've got at least these parts working and not causing a conflict.
The default installation of OpenBSD dovecot packages supports authentication through the password file [ref: http://wiki.dovecot.org/AuthDatabase/Passwd.] so we will need at least one valid system user account for testing the dovecot install.
We will first start the dovecot program and take a quick look to see whether it is responding to services the default configuration allows (pop3, and imap)
# /usr/local/sbin/dovecot
Check for error messages by looking at /var/log/maillog (using tail -f /var/log/maillog) and you should get a message such as the following
File Fragment: /var/log/maillog
dovecot: Dovecot v1.0.rc15 starting up
Now, we can check basic POP3 and IMAP services to see if they respond to access to their ports.
For POP3 we'll just connect with a system user account (samt) and check that it responds.
Screen Session
$ telnet localhost pop3
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
USER samt
+OK
PASS mypassword
+OK Logged in.
LIST
+OK 0 messages:
.
QUIT
+OK Logging out.
Connection closed by foreign host.
/var/log/maillog: reviewing the log after a successful login should reveal something like the line below, just after the user and password have been passed to dovecot. The trailing 'secured' means the connection was considered safe for plaintext authentication, here because it came from localhost; with the default disable_plaintext_auth = yes, a PLAIN login over an unencrypted connection from another host would be refused.
dovecot: pop3-login: Login: user=<samt>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
/var/log/maillog: and on disconnection you should receive a disconnect log item.
dovecot: POP3(samt): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
A list of common POP3 commands is shown below, courtesy of SOL4.net.
| Command | Functional Description |
|---|---|
| LIST | Lists the messages in the mailbox together with their sizes. Can also be given a message number to return that message's size. |
| RETR messageID | Retrieve the message specified by messageID and display it to the screen. |
| DELE messageID | Mark the message specified by messageID for deletion; it is removed when the session ends with QUIT. |
| RSET | Undo any deletions marked in this session. |
| STAT | List the number of messages and the total mailbox size. |
| QUIT | Close the connection. |
The same basic test with IMAP:
Screen Session
# telnet localhost imap
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Dovecot ready.
a1 login samt mypassword
a1 OK Logged in.
a2 select inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1165837992] UIDs valid
* OK [UIDNEXT 2] Predicted next UID
a2 OK [READ-WRITE] Select completed.
a3 logout
* BYE Logging out
a3 OK Logout completed.
Connection closed by foreign host.
Again, we review /var/log/maillog for dovecot's messages and after successfully entering the correct user/password combination we should get a log entry similar to the below.
File Fragment: /var/log/maillog
dovecot: imap-login: Login: user=<samt>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Likewise, on logging out (the IMAP LOGOUT command), we should get the disconnect log entry.
File Fragment: /var/log/maillog
dovecot: IMAP(samt): Disconnected: Logged out
It seems our server is working correctly.
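The two log checks above (the Login line with its 'secured' marker and the Disconnected line) are worth automating once more than a test account uses the server. The following is an added example, not code from the original guide: it parses Dovecot 1.0 maillog lines in the format shown above and reports cleartext PLAIN logins from non-local clients, remote addresses with repeated failures, and closed sessions. The sample log is constructed for the example; the syslog prefix, the 192.0.2.x/198.51.100.x addresses and the 'Aborted login' lines (what the login process logs for a failed authentication with auth_verbose on) are assumptions, not taken from the page.

```python
"""Added example: parse Dovecot 1.0 login/disconnect lines from /var/log/maillog
and summarise what is worth checking after a test login. Standard library only."""
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the maillog lines shown in this guide,
# with a syslog prefix added. The 'Aborted login' lines and the non-local
# addresses are constructed for the example.
SAMPLE_MAILLOG = """\
Feb  9 13:52:01 myhost dovecot: pop3-login: Login: user=<samt>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Feb  9 13:52:05 myhost dovecot: POP3(samt): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Feb  9 13:53:10 myhost dovecot: imap-login: Login: user=<samt>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Feb  9 13:53:40 myhost dovecot: IMAP(samt): Disconnected: Logged out
Feb  9 13:55:02 myhost dovecot: imap-login: Login: user=<charlie@alpha.example.org>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
Feb  9 13:56:00 myhost dovecot: pop3-login: Aborted login: user=<bob@alpha.example.org>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
Feb  9 13:56:03 myhost dovecot: pop3-login: Aborted login: user=<bob@alpha.example.org>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
"""

LOGIN_RE = re.compile(
    r"dovecot: (?P<proto>pop3|imap)-login: (?P<event>Login|Aborted login): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>[^,]+), "
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,\s]+)(?P<rest>.*)$"
)
DISCONNECT_RE = re.compile(
    r"dovecot: (?P<proto>POP3|IMAP)\((?P<user>[^)]*)\): Disconnected: (?P<reason>.*)$"
)


def parse_maillog(text):
    """Return one event dict per recognised dovecot line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["event"] = "login" if ev["event"] == "Login" else "auth_failed"
            # Dovecot 1.0 appends ', secured' when the connection is local or
            # protected by SSL/TLS; without it the credentials crossed the wire in clear.
            ev["secured"] = "secured" in ev.pop("rest")
            events.append(ev)
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["event"] = "disconnect"
            ev["proto"] = ev["proto"].lower()
            events.append(ev)
    return events


def audit_logins(events, fail_threshold=2):
    """Summarise parsed events: who logged in from where, cleartext PLAIN logins,
    remote addresses failing repeatedly, and how many sessions closed cleanly."""
    logins_by_user = defaultdict(list)
    failures_by_rip = Counter()
    cleartext = []
    for ev in events:
        if ev["event"] == "login":
            logins_by_user[ev["user"]].append((ev["proto"], ev["rip"]))
            if ev["method"] == "PLAIN" and not ev["secured"]:
                cleartext.append((ev["user"], ev["rip"]))
        elif ev["event"] == "auth_failed":
            failures_by_rip[ev["rip"]] += 1
    return {
        "logins_by_user": dict(logins_by_user),
        "cleartext_plain_logins": cleartext,
        "repeat_failures": {ip: n for ip, n in failures_by_rip.items() if n >= fail_threshold},
        "sessions_closed": sum(1 for ev in events if ev["event"] == "disconnect"),
    }


if __name__ == "__main__":
    for key, value in audit_logins(parse_maillog(SAMPLE_MAILLOG)).items():
        print(f"{key}: {value}")
```

Feed it the real file with `parse_maillog(open("/var/log/maillog").read())`; a non-empty `cleartext_plain_logins` list means disable_plaintext_auth is off or the client is not using SSL.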
Configuring dovecot to start automatically at boot is slightly more involved than the package message suggests, but follows the OpenBSD convention: we set an enabling variable in /etc/rc.conf.local and have /etc/rc.local check it before starting the daemon.
Add the following option in the rc.conf.local file.
File Fragment: /etc/rc.conf.local
dovecot=YES
Add the following to your /etc/rc.local file.
File Fragment: /etc/rc.local
if [ X"${dovecot}" != X"NO" -a -x /usr/local/sbin/dovecot ];
then
echo -n ' dovecot'; /usr/local/sbin/dovecot
fi
Our addition to /etc/rc.local looks to see whether we've enabled dovecot in rc.conf.local and then starts dovecot.
At this point, you should be able to serve IMAP and POP3 without difficulty using this dovecot configuration. Before putting it into use, at least read the dovecot documentation, in particular the "Client issues and configuration" section, which covers settings needed to work around quirks in common mail clients.
A few minor configuration file tweaks are relevant for OpenBSD servers. The configuration file is well documented and explains why these changes may be useful.
File Fragment: /etc/dovecot.conf
first_valid_uid = 1000
last_valid_uid = 32766
first_valid_uid would normally be 1000 when using dovecot for system user accounts only, since OpenBSD creates regular users from UID 1000 up; excluding lower UIDs stops system and daemon accounts from being usable as mail logins. If dovecot will handle virtual user accounts exclusively, set both first_valid_uid and last_valid_uid to the UID that owns the virtual mailboxes, i.e. the one Postfix delivers virtual mail as. In our scenario that is 901, the example setting used in our Postfix virtual user configuration.
[ref: doc/wiki/Variables.txt]
[ref: doc/wiki/AuthDatabase.PasswdFile.txt]
The test above is sufficient when using system user accounts, but if we are using virtual user accounts held in text files, we need to configure dovecot to read the authentication information from those files.
To continue this exercise we'll assume that you have Postfix functioning with virtual users identified using a hash file (i.e. passwords are not recorded with Postfix's virtual user account details.)
File Fragment: /etc/postfix/main.cf
virtual_mailbox_base = /var/spool/postfix/vmail
virtual_mailbox_domains = hash:/etc/postfix/virtual/mailbox/domains
virtual_mailbox_maps = hash:/etc/postfix/virtual/mailbox/alpha.example.org
The account information is in the file /etc/postfix/virtual/mailbox/alpha.example.org (named in the /etc/postfix/main.cf fragment above).
File Fragment: /etc/postfix/virtual/mailbox/alpha.example.org
#account-name ===> storage location (note: last forward slash is significant)
alfred@alpha.example.org alpha.example.org/alfred/
bob@alpha.example.org alpha.example.org/bob/
charlie@alpha.example.org alpha.example.org/charlie/
Dovecot ships good documentation on setting up text files for password authentication; below is a continuation of our sample.
File Fragment: /etc/dovecot.conf
# There are a few special variables you can use, eg.:
# See doc/wiki/Variables.txt for full list. Some examples:
# %u - username
# %n - user part in user@domain, same as %u if there's no domain
# %d - domain part in user@domain, empty if there's no domain
#
# <doc/wiki/MailLocation.txt> #
mail_location = maildir:/var/spool/postfix/vmail/%d/%n
# passwd-like file with specified location
# <doc/wiki/AuthDatabase.PasswdFile.txt>
passdb passwd-file {
args = /etc/dovecot/auth/%d/passwdfile
}
userdb static {
args = uid=901 gid=901 home=/var/spool/postfix/vmail/%d/%n
}
Refer to the dovecot documentation at doc/wiki/AuthDatabase.PasswdFile.txt but a simplified example is shown below.
File Fragment: /etc/dovecot/auth/alpha.example.org/passwdfile
alfred:{PLAIN}dumbpassword1
bob:{PLAIN}dumbpassword2
charlie:{PLAIN}dumbpassword3
Peruse the documentation for hashed passwords; we're just using plain text passwords here because it is simpler for test installs. Whatever scheme you use, the file holds credentials, so make it readable only by root (chmod 600) and never leave {PLAIN} entries on a production server.
Go for it.
Now we are getting into more complicated territory. If things do not work out, a good suggestion is to enable more verbose logging in /etc/dovecot.conf, such as:
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
Two log files become critical in verifying your configuration: /var/log/maillog and the MySQL general query log, /var/mysql/myhost.log on our host. The general query log has to be enabled in the MySQL server configuration; it records every connection and every statement, so treat the file as sensitive and turn it off again in production.
The dovecot.conf settings above push more verbose information into the standard mail log, while watching the transactions reaching the MySQL server in /var/mysql/myhost.log shows what dovecot actually asked the database. Remember that auth_debug_passwords = yes writes the submitted passwords into /var/log/maillog in the clear; switch it off again once things work.
Use two screens, one dedicated to maillog and one to /var/mysql/myhost.log:
# tail -f /var/log/maillog
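Before restarting with the debug settings, it is worth checking the configuration for the settings this guide touches rather than discovering them in the log. The following is an added example, not code from the original guide or the Dovecot project: a parser for the Dovecot 1.0 configuration syntax (key = value, nested 'type name { }' blocks, # comments) plus an audit of the passwd-file and debug settings from the sections above. The sample configuration is constructed from this guide's fragments; in the 1.0 example config the passdb/userdb blocks live inside 'auth default { }', so the sample nests them there, and the 'disable_plaintext_auth = no' line is added deliberately as the weak setting the audit should catch. The WEAK_SCHEMES list and the finding texts are this example's own.

```python
"""Added example: parse Dovecot 1.0 configuration and flag the settings this
guide discusses that should not survive into production. Standard library only."""
import re

# Constructed from the fragments in this guide; disable_plaintext_auth = no is
# added on purpose so the audit has something to report.
SAMPLE_DOVECOT_CONF = """\
protocols = imap imaps pop3 pop3s
ssl_cert_file = /etc/ssl/dovecotcert.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
disable_plaintext_auth = no
first_valid_uid = 1000
last_valid_uid = 32766
mail_location = maildir:/var/spool/postfix/vmail/%d/%n
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
auth default {
  passdb passwd-file {
    args = /etc/dovecot/auth/%d/passwdfile   # per-domain file
  }
  userdb static {
    args = uid=901 gid=901 home=/var/spool/postfix/vmail/%d/%n
  }
}
"""

# The passwd-file from this guide; the {PLAIN} scheme is what the audit flags.
SAMPLE_PASSWD_FILE = """\
alfred:{PLAIN}dumbpassword1
bob:{PLAIN}dumbpassword2
charlie:{PLAIN}dumbpassword3
"""

# Schemes that store the password recoverably or as an unsalted digest.
WEAK_SCHEMES = {"PLAIN", "CLEARTEXT", "PLAIN-MD5", "LANMAN"}


def parse_dovecot_conf(text):
    """Parse into a tree of {'type', 'name', 'settings', 'blocks'} nodes."""
    root = {"type": None, "name": None, "settings": {}, "blocks": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):                       # e.g. 'passdb passwd-file {'
            header = line[:-1].split()
            block = {"type": header[0], "name": header[1] if len(header) > 1 else None,
                     "settings": {}, "blocks": []}
            stack[-1]["blocks"].append(block)
            stack.append(block)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:                                        # 'key = value'; value may contain '='
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"cannot parse line: {raw!r}")
            stack[-1]["settings"][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root


def find_blocks(node, btype):
    """Yield every block of the given type at any depth."""
    for block in node["blocks"]:
        if block["type"] == btype:
            yield block
        yield from find_blocks(block, btype)


def audit_conf(root):
    """Return (setting, finding) pairs; defaults follow the 1.0 example config."""
    s, findings = root["settings"], []
    if s.get("auth_debug_passwords", "no") == "yes":
        findings.append(("auth_debug_passwords", "submitted passwords logged in clear; disable after debugging"))
    if s.get("disable_plaintext_auth", "yes") == "no":
        findings.append(("disable_plaintext_auth", "PLAIN accepted on unencrypted connections from remote clients"))
    if s.get("ssl_disable", "no") == "yes" and {"imaps", "pop3s"} & set(s.get("protocols", "").split()):
        findings.append(("ssl_disable", "imaps/pop3s listed in protocols but SSL is disabled"))
    if not list(find_blocks(root, "passdb")):
        findings.append(("passdb", "no passdb configured"))
    return findings


def audit_passwd_file(text):
    """Return (user, scheme) for entries stored with a weak scheme; an entry
    without a {SCHEME} prefix uses passwd-file's default, CRYPT."""
    weak = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        m = re.match(r"\{([^}]+)\}", rest)
        scheme = m.group(1).upper() if m else "CRYPT"
        if scheme in WEAK_SCHEMES:
            weak.append((user, scheme))
    return weak


if __name__ == "__main__":
    tree = parse_dovecot_conf(SAMPLE_DOVECOT_CONF)
    for setting, msg in audit_conf(tree):
        print(f"[!] {setting}: {msg}")
    for user, scheme in audit_passwd_file(SAMPLE_PASSWD_FILE):
        print(f"[!] passwd-file: {user} stored with {{{scheme}}}")
```

Run it against the live files with `parse_dovecot_conf(open("/etc/dovecot.conf").read())` and the per-domain passwdfile; an empty report is what you want before the server faces the network.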
The /etc/dovecot.conf has a lot of the available settings commented out (using # at the beginning of the line) so it would seem best to look through the configuration file and make changes in place.
The following changes tell dovecot to use MySQL for both the password database and the user database:
File Fragment: /etc/dovecot.conf
mail_location = maildir:/var/spool/postfix/vmail/%d/%u
passdb sql {
args = /etc/dovecot-mysql.conf
}
userdb sql {
args = /etc/dovecot-mysql.conf
}
An important note about mail_location is that it must resolve to the same directory Postfix delivers into: %u expands to the full login name (user@domain) while %n expands to the local part only, so check which of the two matches the maildir column PostfixAdmin writes and the path our Postfix configuration delivers to, and use the same layout in all three places.
Our SQL configuration file contains key/value pairs telling dovecot how to reach the SQL server. It holds the database password in clear, so make it readable only by root (chmod 600).
File : /etc/dovecot-mysql.conf
# Database driver: mysql, pgsql
driver = mysql
# Currently supported schemes include PLAIN, PLAIN-MD5, DIGEST-MD5, and CRYPT.
default_pass_scheme = CRYPT
# Database options
connect = host=localhost dbname=mail user=dovecot password=dovecotpassword
password_query = SELECT password FROM mailbox WHERE username = '%u' AND active = '1'
user_query = SELECT maildir, 901 AS uid, 901 AS gid FROM mailbox WHERE username = '%u' AND active = '1'
# eof
Notes:
For MySQL servers running post-4.1 releases (which includes the 5.x releases) the client authentication changed: PASSWORD() produces a longer (41-character) hash and the client library has to speak the newer handshake. A client built against the old library typically fails with 'Client does not support authentication protocol requested by server'.
Dovecot 1.0.rc15 (and earlier) releases seem to be using libraries of the MySQL pre-4.1 era, so if you are using a later version of MySQL, we have to add the following 'hack' to your portfolio. Be aware of what it costs: the account falls back to the old 16-character unsalted hash and the older handshake, so limit that account to SELECT on the mail database from localhost only (as the grant below does), and prefer a dovecot built against a 4.1-or-later MySQL client library when you can.
We will first create a user account for our dovecot daemon to access our MySQL server and, because we are using a post-4.1 release, we will also give it a pre-4.1-style password hash using the old_password() function.
Enter the mysql client and enter the following commands
Screen Session
# mysql -u root -p
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 12 to server version: 5.0.24a-log
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>
mysql> grant select on mail.* to 'dovecot'@'localhost' identified by 'dovecotpassword';
Query OK, 0 rows affected (0.00 sec)
mysql> set password for 'dovecot'@'localhost' = old_password('dovecotpassword');
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.02 sec)
The above changes the stored hash of 'dovecotpassword' from the longer 4.1 format to the shorter, older format that dovecot's client library can authenticate against.
Note:
The database 'mail' references the same database used by our postfix installation, and also the same database for our postfixadmin installation.
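To see exactly what the old_password() step does to the stored credential, here is an added example (not code from the original guide or from MySQL) that reproduces both MySQL hash formats in Python and classifies a value from mysql.user.Password so you can confirm which handshake the dovecot account will use. The algorithms are MySQL's documented pre-4.1 hash (two 31-bit words, spaces and tabs skipped) and the 4.1 hash ('*' followed by SHA1(SHA1(password)) in upper-case hex); neither is salted. The function names, the 'dovecotpassword' value from this guide and the classification labels are this example's own.

```python
"""Added example: MySQL's pre-4.1 and 4.1 password hashes, to show what
'set password ... = old_password(...)' leaves in mysql.user. Standard library only."""
import hashlib


def mysql_old_password(password: str) -> str:
    """Pre-4.1 PASSWORD()/OLD_PASSWORD(): 16 hex chars, two 31-bit words, no salt."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for c in password.encode("utf-8"):
        if c in (0x20, 0x09):            # MySQL skips spaces and tabs
            continue
        nr ^= (((nr & 63) + add) * c) + (nr << 8)
        nr &= 0xFFFFFFFF                 # emulate 32-bit unsigned arithmetic
        nr2 += (nr2 << 8) ^ nr
        nr2 &= 0xFFFFFFFF
        add = (add + c) & 0xFFFFFFFF
    return f"{nr & 0x7FFFFFFF:08x}{nr2 & 0x7FFFFFFF:08x}"


def mysql_41_password(password: str) -> str:
    """4.1+ PASSWORD(): '*' + upper-case hex SHA1(SHA1(password)), 41 chars, still unsalted."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def classify_mysql_hash(stored: str) -> str:
    """Tell from a mysql.user.Password value which authentication protocol applies."""
    if len(stored) == 16 and all(ch in "0123456789abcdef" for ch in stored):
        return "pre-4.1"
    if len(stored) == 41 and stored[0] == "*" and all(ch in "0123456789ABCDEF" for ch in stored[1:]):
        return "4.1"
    return "unknown"


def verify_old_password(candidate: str, stored: str) -> bool:
    """Offline check of a guess against a pre-4.1 hash: with no salt, this is
    all an attacker who reads the 16-char hash needs to run per guess."""
    return mysql_old_password(candidate) == stored


if __name__ == "__main__":
    for pw in ("password", "dovecotpassword"):
        print(f"{pw!r}: old={mysql_old_password(pw)} new={mysql_41_password(pw)}")
```

Compare the output for 'dovecotpassword' with `SELECT Password FROM mysql.user WHERE User='dovecot'`: after the old_password() step it must classify as pre-4.1, which is the only form the rc15 client library can authenticate against, and also the reason to keep that account restricted to SELECT from localhost.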
It's time to test and see whether we've configured our system correctly. We signal the running dovecot to reload its configuration:
# pkill -HUP dovecot
Our maillog file should give us an idea if our mysql configuration is mostly good.
File Fragment: /var/log/maillog
dovecot: SIGHUP received - reloading configuration
dovecot: auth-worker(default): mysql: Connected to localhost (mail)
'mail' above refers to our MySQL database, so if the 'auth-worker' line reports an error instead, check that the password and database name in the connect line of /etc/dovecot-mysql.conf are correct.
Another reference point would be the MySQL log file /var/mysql/myhost.log, which should have something like the below:
File Fragment: /var/mysql/myhost.log
Connect dovecot@localhost on mail
[ref: The Network People, Inc. Mail Server Testing ]
If you've successfully installed dovecot with mysql above, and have gone through the Configuring a Virtual Email Service - MySQL in our postfix installation guide, (or you have installed your own MySQL virtual user accounts) then we can perform some testing, validating whether our configuration actually works.
Screen Session
$ telnet localhost pop3
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
user charlie@alpha.example.org
+OK
pass charlie
+OK Logged in.
list
+OK 3 messages:
1 503
2 445
3 503
.
retr 3
+OK 503 octets
Return-Path: <samt@example.org>
X-Original-To: charlie@alpha.example.org
Delivered-To: charlie@alpha.example.org
Received: from example.org (unknown [IPv6:::1])
by myhost.example.org (Postfix) with ESMTP id 9A6165A950;
Fri, 9 Feb 2007 13:50:26 +1300 (TOT)
Subject: Welcome MySQL based virtual users
Message-Id: <20070209005037.9A6165A950@myhost.example.org>
Date: Fri, 9 Feb 2007 13:50:26 +1300 (TOT)
From: samt@example.org
To: undisclosed-recipients:;
Hopefully you've received this email message without fault ?
.
QUIT
+OK Logging out.
Connection closed by foreign host.
The maillog file should show success similar to the below
File Fragment: /var/log/maillog
pop3-login: Login: user=<charlie@alpha.example.org>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
POP3(charlie@alpha.example.org): Disconnected: Logged out top=0/0, retr=1/519, del=0/3, size=1451
Again, a review of the mysql transaction log can be helpful in diagnosing errors.
File Fragment: /var/mysql/myhost.log
Connect dovecot@localhost on mail
Query SELECT password FROM mailbox WHERE username = 'charlie@alpha.example.org' AND active = '1'
Query SELECT maildir, 901 AS uid, 901 AS gid FROM mailbox WHERE username = 'charlie@alpha.example.org' AND active = '1'
If you get 'Authentication failed' even though you know and swear you entered the correct password, check that default_pass_scheme in /etc/dovecot-mysql.conf matches the scheme PostfixAdmin actually used when storing the password in the mailbox table, and that you are logging in with the full user@domain name the password_query expects; with the auth_debug settings above, maillog shows what dovecot compared.
We use telnet on the localhost to test the IMAP configuration:
Screen Session
$ telnet localhost imap
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Dovecot ready.
a1 login charlie@alpha.example.org charlie
a1 OK Logged in.
a2 select inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 3 EXISTS
* 0 RECENT
* OK [UNSEEN 1] First unseen.
* OK [UIDVALIDITY 1170991431] UIDs valid
* OK [UIDNEXT 4] Predicted next UID
a2 OK [READ-WRITE] Select completed.
a3 fetch 3 body[text]
* 3 FETCH (BODY[TEXT] {66}
Hopefully you've received this email message without fault ?
)
a3 OK Fetch completed.
a4 close
a4 OK Close completed.
a5 logout
* BYE Logging out
a5 OK Logout completed.
Connection closed by foreign host.
Note:
a1, a2, .., a5 are tags chosen by the client to label each command; any unique string works (here we just made them sequential), and the server repeats the tag in its final response to that command.
"a3 fetch 3 body[text]", the number '3' refers to the '3 EXISTS' in the list returned by 'a2 select inbox'
Your maillog file is your friend and will give you clues to where you can check for other errors.
File Fragment: /var/log/maillog
auth-worker(default): mysql: Connected to localhost (mail)
imap-login: Login: user=<charlie@alpha.example.org>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
IMAP(charlie@alpha.example.org): Disconnected: Logged out
Likewise the mysql transaction log should give further assistance should the installation be having problems.
File Fragment: /var/mysql/myhost.log
Connect dovecot@localhost on mail
Query SELECT password FROM mailbox WHERE username = 'charlie@alpha.example.org' AND active = '1'
Query SELECT maildir, 901 AS uid, 901 AS gid FROM mailbox WHERE username = 'charlie@alpha.example.org' AND active = '1'
References:
POP3 Access using Telnet, sol4.net
The Network People, Inc., Mail Server Testing
SMTP: Simple Mail Transfer Protocol - How the client transfers mail, and
Copyright (c) 2007 Samiuela LV Taufa. All Rights Reserved.
I reserve the right to be totally incorrect even at the best advice of betters. In other words, I'm probably wrong in enough places for you to call me an idiot, but don't 'cause you'll hurt my sensibilities, just tell me where I went wrong and I'll try again.
You are permitted and encouraged to use this guide for fun or for profit as you see fit. If you republish this work in what-ever form, it would be nice (though not enforceable) to be credited.
dovecot - serving imap, pop, and sasl
Copyright © 2000/1/2 NoMoa.COM All rights reserved.