=====Dovecot IMAP-server (mail-store)=====

This howto is based on Debian-8.



Design assumptions.
  * the dovecot system is used as a blackbox, where only administrators have (shell) access.
  * dovecote data and config files are owned by dovecot:dovecot.
  * the system is in a secure (dmz) network (ie. only port 993 is exposed to the public network. The lmtp and sievemanage ports are firewalled).
  * mail delivery from the MTA should be done by LMTP.
  * the application configuration is designed to be used as a microservice in a container (for example Docker). All variable-data and config-stuff is consolidated in /var/dovecot (which can be used as the persistent-storage volume).
  * Imap users+passwords are in a file (i.e. no LDAP) and separated from operatingsystem users.
  * the Sieve filterrules are created on a separate system (for example with roundcube) and pushed over the network.



====Installation====

Requirements:
  * Debian-8
  * ssl/tls stuff (CA.cert , Site.cert , Site.key )


Software:
  apt-get install dovecot-core  dovecot-imapd  dovecot-lmtpd dovecot-sieve  dovecot-managesieved


The consolidated storage:

  mkdir /var/dovecot/
  mkdir /var/dovecot/mail
  mkdir /var/dovecot/sieve
  mkdir /var/dovecot/conf
  #
  mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.DIST
  ln -s /var/dovecot/conf/dovecot.conf /etc/dovecot/dovecot.conf
  #
  touch /var/dovecot/conf/dovecot.conf
  touch /var/dovecot/conf/users
  #
  chown -R dovecot:dovecot  /var/dovecot


===Imap-users===
The IMAP-users are created by adding a line in the users file. It has two columns, separated by a colon. The first column is the username, the second line contans the sha512-crypt which can be generated by executing:

  doveadm pw -s SHA512-CRYPT


The result in /var/dovecot/conf/users will be:
  ...
  fred:{SHA512-CRYPT}$6$13gufAq3aelU5/mi$o6ocrfdZBwrZavSmd3XJLzmJChihhnfW3ibz6qfqbinKpi59Eblfsw/vYAM63L5Huu2BFZw3VSDaEPioUN.ki1
  ...


====Configuration====

All configuration is in /etc/dovecot/dovecot.conf

<code>
# Dovecot version 2.2.13
# Debian-8.2 (x86_64)

log_path = /var/log/dovecot.log

mail_location = maildir:/var/dovecot/data/%n/mail

auth_mechanisms = plain login
disable_plaintext_auth = no

ssl_ca = </var/dovecot/ssl/CA.cert
ssl_cert = </var/dovecot/ssl/Site.cert
ssl_key = </var/dovecot/ssl/Site.key


# Default:
namespace inbox {
  inbox = yes
  location = 
     mailbox Mybox.Drafts {
       special_use = \Drafts
     }
     mailbox Mybox.Junk {
       special_use = \Junk
     }
     mailbox Mybox.Sent {
       special_use = \Sent
     }
     #mailbox "Mybox.Sent Messages" {
     #  special_use = \Sent
     #}
     mailbox Mybox.Trash {
       special_use = \Trash
     }
  prefix = 
}

passdb {
  driver = passwd-file
  args = scheme=CRYPT username_format=%n /var/dovecot/conf/users
}

first_valid_uid = 2

userdb {
  # For static type, LDA verify the user's existence by lookup passdb
  #   ( http://wiki2.dovecot.org/UserDatabase/Static )
  driver = static
  args = uid=dovecot gid=dovecot home=/var/dovecot/data/%n/mail
}


protocols = "imap lmtp sieve"


protocol lmtp {
  mail_plugins = $mail_plugins sieve
}

service managesieve-login {
  inet_listener sieve {
    address = 0.0.0.0
    port = 4190
  }
  service_count = 1
  process_min_avail = 1
}

service managesieve {
}

#protocol managesieve {
#  disable_plaintext_auth = no
#}

protocol sieve {
}

plugin {
  sieve =      /var/dovecot/data/%n/managesieve/.dovecot.sieve
  sieve_dir =  /var/dovecot/data/%n/managesieve/sieve
}


# ###############################
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
  }
}

protocol imap {
  disable_plaintext_auth = no
}


service lmtp {
  inet_listener lmtp {
    address = 0.0.0.0
    port = 24
  }
  user = dovecot
}


service auth-worker {
  # Forbid to access /etc/shadow
  user = $default_internal_user
}

service auth {
  unix_listener /var/dovecot/sasl-private-auth {
    group = dovecot
    user = dovecot
    mode = 0666
  }
  # inet_listener saslauth {
  #  address = 0.0.0.0
  #   port = 12345
  #}
}
</code>



====Literature====
http://wiki2.dovecot.org/






=====Cyrus IMAP-server (mail-store)=====

Below a configuration with the config and user-info in files on the system.


====Installation====

  apt-get install  cyrus-admin-2.4 cyrus-common-2.4 cyrus-clients-2.4 cyrus-doc-2.4 cyrus-imapd-2.4  sasl2-bin libcyrus-imap-perl24 libsasl2-modules



Extra stuff:
  apt-get install  postfix binutils xfsprogs




====Configuration====

The configuration below, creates an IMAP-server with listener on port 143 and 993. The 143 is configured to do only TLS (allowplaintext: 0). For debugging, this can be set to 'yes'.


/etc/default/saslauthd

<code>
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="sasldb"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd"
</code>




/etc/cyrus.conf

<code>
START {

        recover         cmd="/usr/sbin/cyrus ctl_cyrusdb -r"
        delprune        cmd="/usr/sbin/cyrus expire -E 3"
        tlsprune        cmd="/usr/sbin/cyrus tls_prune"
}
SERVICES {
        imap            cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100
        imaps           cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
        lmtp            cmd="lmtpd -a 10.11.12.13" listen="0.0.0.0:24" prefork=0 maxchild=20
        sieve           cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100
        notify          cmd="notifyd" listen="/var/run/cyrus/socket/notify" proto="udp" prefork=1
}
EVENTS {
        checkpoint      cmd="/usr/sbin/cyrus ctl_cyrusdb -c" period=30
        delprune        cmd="/usr/sbin/cyrus expire -E 3" at=0401
        tlsprune        cmd="/usr/sbin/cyrus tls_prune" at=0401
}
</code>



/etc/imapd.conf

<code>
configdirectory: /var/lib/cyrus
proc_path: /run/cyrus/proc
mboxname_lockpath: /run/cyrus/lock
defaultpartition: default
partition-default: /var/spool/cyrus/mail
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news
altnamespace: no
unixhierarchysep: no
lmtp_downcase_rcpt: yes
admins: cyrus
allowanonymouslogin: no
popminpoll: 1
autocreatequota: 0
umask: 077
sieveusehomedir: false
sievedir: /var/spool/sieve
hashimapspool: true
allowplaintext: 0
sasl_mech_list: PLAIN LOGIN
sasl_pwcheck_method: saslauthd
sasl_auto_transition: no
tls_cert_file: /etc/cyrus/ssl/imap.example.com_pub-key-cert.pem
tls_key_file: /etc/cyrus/ssl/imap.example.com_priv-key.pem
tls_ca_file: /etc/cyrus/ssl/ExamplecomCA_pub-key-ca-cert.pem
tls_ca_path: /etc/ssl/certs
tls_session_timeout: 1440
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
lmtpsocket: 0.0.0.0:24
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify
syslog_prefix: cyrus
</code>


Note: make sure the imap-cert, imap-key and CA-cert files are readable for the operatingsystem-user cyrus.


Create imap-users with:

  saslpasswd2 -c cyrus


Check the useraccountlist with:

  sasldblistusers2


And create mailboxes with:

  su - cyrus
  cyradm localhost
  cm user.cyrus
  quit
  exit