
Dovecot IMAP-server (mail-store)

This howto is based on Debian-8.

Design assumptions.

  • the dovecot system is used as a blackbox, where only administrators have (shell) access.
  • Dovecot data and config files are owned by dovecot:dovecot.
  • the system is in a secure (DMZ) network, i.e. only port 993 is exposed to the public network; the LMTP (24) and ManageSieve (4190) ports are firewalled so that only the MTA and the Sieve-editing host can reach them.
  • mail delivery from the MTA should be done by LMTP.
  • the application configuration is designed to be used as a microservice in a container (for example Docker). All variable-data and config-stuff is consolidated in /var/dovecot (which can be used as the persistent-storage volume).
  • IMAP users and their password hashes are kept in a file (i.e. no LDAP), separate from the operating-system users.
  • the Sieve filterrules are created on a separate system (for example with roundcube) and pushed over the network.

Installation

Requirements:

  • Debian-8
  • ssl/tls stuff (CA.cert , Site.cert , Site.key )

Software:

# Dovecot core plus the IMAP, LMTP, Sieve and ManageSieve services configured below.
apt-get install dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sieve dovecot-managesieved

The consolidated storage:

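# Consolidated state for the persistent volume. The dovecot.conf on this
# page expects per-user data under /var/dovecot/data and the TLS material
# under /var/dovecot/ssl, so create those too (mkdir -p: safe to re-run).
mkdir -p /var/dovecot/mail /var/dovecot/data /var/dovecot/sieve \
         /var/dovecot/conf /var/dovecot/ssl
#
# Keep the packaged config for reference and point Dovecot at the volume.
mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.DIST
ln -s /var/dovecot/conf/dovecot.conf /etc/dovecot/dovecot.conf
#
touch /var/dovecot/conf/dovecot.conf
touch /var/dovecot/conf/users
#
chown -R dovecot:dovecot /var/dovecot
# The users file holds password hashes and the ssl directory the private
# key; a plain touch/cp leaves them world-readable under the default umask.
chmod 0600 /var/dovecot/conf/users
chmod 0700 /var/dovecot/ssl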

Imap-users

IMAP users are created by adding a line to the users file. Each line has two columns separated by a colon: the first column is the username, the second column contains the SHA512-CRYPT password hash, which is generated (interactively, the password is prompted for) with:

# Prompts for the password (twice) and prints a "{SHA512-CRYPT}$6$..." hash
# to paste into the users file; the command itself writes nothing to disk.
doveadm pw -s SHA512-CRYPT

The result in /var/dovecot/conf/users will be:

...
fred:{SHA512-CRYPT}$6$13gufAq3aelU5/mi$o6ocrfdZBwrZavSmd3XJLzmJChihhnfW3ibz6qfqbinKpi59Eblfsw/vYAM63L5Huu2BFZw3VSDaEPioUN.ki1
...

Configuration

All configuration is in /etc/dovecot/dovecot.conf. Because this file replaces the Debian one and does not `!include conf.d/*.conf`, the packaged defaults in /etc/dovecot/conf.d are not read; any setting not listed below uses Dovecot's built-in default.

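# Dovecot version 2.2.13
# Debian-8.2 (x86_64)
#
# This file replaces the packaged dovecot.conf and does not "!include
# conf.d/*.conf", so anything not set here uses Dovecot's built-in default.

log_path = /var/log/dovecot.log

# Per-user Maildir under the consolidated volume. The setup commands on this
# page create /var/dovecot/mail, not /var/dovecot/data -- keep them in sync.
mail_location = maildir:/var/dovecot/data/%n/mail

auth_mechanisms = plain login
# PLAIN/LOGIN carry the password itself, so only accept them on a TLS
# connection (993, or 143 after STARTTLS). The design note exposes only 993,
# so this changes nothing for legitimate clients but stops cleartext logins.
disable_plaintext_auth = yes

ssl = yes
# Dovecot 2.2 only excludes SSLv2 by default; refuse SSLv3 as well (POODLE).
ssl_protocols = !SSLv2 !SSLv3
ssl_prefer_server_ciphers = yes
# ssl_ca is only used to verify client certificates (ssl_verify_client_cert);
# the server's own chain must be in the ssl_cert file.
ssl_ca = </var/dovecot/ssl/CA.cert
ssl_cert = </var/dovecot/ssl/Site.cert
# The "<file" is read when the config is loaded; keep the key file mode 0600.
ssl_key = </var/dovecot/ssl/Site.key


# Default:
namespace inbox {
  inbox = yes
  location = 
     mailbox Mybox.Drafts {
       special_use = \Drafts
     }
     mailbox Mybox.Junk {
       special_use = \Junk
     }
     mailbox Mybox.Sent {
       special_use = \Sent
     }
     #mailbox "Mybox.Sent Messages" {
     #  special_use = \Sent
     #}
     mailbox Mybox.Trash {
       special_use = \Trash
     }
  prefix = 
}

# Users and password hashes live in a plain file (no system accounts).
# scheme=CRYPT is only the fallback: the {SHA512-CRYPT} prefix written by
# "doveadm pw" in each entry takes precedence. Keep the file mode 0600.
passdb {
  driver = passwd-file
  args = scheme=CRYPT username_format=%n /var/dovecot/conf/users
}

# All mail is owned by the single system account "dovecot", whose uid is a
# Debian system uid below Dovecot's default first_valid_uid (500); lower the
# limit so that account is accepted.
first_valid_uid = 2

userdb {
  # For static type, LDA verify the user's existence by lookup passdb
  #   ( http://wiki2.dovecot.org/UserDatabase/Static )
  # NOTE(review): home is set to the Maildir root itself; Dovecot's docs
  # advise against home == mail directory for Maildir -- consider
  # home=/var/dovecot/data/%n instead (verify before changing).
  driver = static
  args = uid=dovecot gid=dovecot home=/var/dovecot/data/%n/mail
}


protocols = "imap lmtp sieve"


protocol lmtp {
  mail_plugins = $mail_plugins sieve
}

# ManageSieve for the rule push from the external webmail host. Binding to
# 0.0.0.0 relies entirely on the firewall described in the design notes;
# bind to the internal address if the container network allows it.
service managesieve-login {
  inet_listener sieve {
    address = 0.0.0.0
    port = 4190
  }
  service_count = 1
  process_min_avail = 1
}

service managesieve {
}

#protocol managesieve {
#  disable_plaintext_auth = no
#}

protocol sieve {
}

plugin {
  sieve =      /var/dovecot/data/%n/managesieve/.dovecot.sieve
  sieve_dir =  /var/dovecot/data/%n/managesieve/sieve
}


# ###############################
service imap-login {
  # 143 is plain IMAP with STARTTLS; with disable_plaintext_auth = yes no
  # password can be sent before TLS. Set "port = 0" to drop the listener
  # entirely if only 993 is ever reachable.
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
  }
}

protocol imap {
  # The global disable_plaintext_auth = yes applies here; do not override it
  # back to "no" -- that would accept cleartext passwords on 143.
}


# LMTP from the MTA. Port 24 on all interfaces is unauthenticated mail
# injection, so it must stay firewalled to the MTA only (see design notes).
service lmtp {
  inet_listener lmtp {
    address = 0.0.0.0
    port = 24
  }
  user = dovecot
}


service auth-worker {
  # passwd-file needs no root; run the worker as the internal user so it
  # can never read /etc/shadow.
  user = $default_internal_user
}

service auth {
  # SASL socket for an MTA on the same host. mode 0666 lets every local
  # user drive the auth service; tighten to 0660 and add the MTA user to
  # group dovecot unless the "blackbox, admins only" assumption truly holds.
  unix_listener /var/dovecot/sasl-private-auth {
    group = dovecot
    user = dovecot
    mode = 0666
  }
  # inet_listener saslauth {
  #  address = 0.0.0.0
  #   port = 12345
  #}
}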

Literature

Cyrus IMAP-server (mail-store)

Below is a configuration with the config and user information kept in files on the system.

Installation

# Cyrus IMAP 2.4 server, admin tools and docs, plus the SASL daemon/modules
# used for password checking (sasl_pwcheck_method: saslauthd below).
apt-get install cyrus-admin-2.4 cyrus-common-2.4 cyrus-clients-2.4 cyrus-doc-2.4 cyrus-imapd-2.4 sasl2-bin libcyrus-imap-perl24 libsasl2-modules

Extra stuff:

# postfix is the MTA feeding LMTP; binutils and xfsprogs are not referenced
# by any configuration on this page.
apt-get install postfix binutils xfsprogs

Configuration

The configuration below creates an IMAP server listening on ports 143 and 993. On 143 the PLAIN/LOGIN mechanisms are only accepted after STARTTLS (allowplaintext: 0); 993 is TLS from the start. For debugging this can be set to 1 (or 'yes'), but that lets credentials cross the network unencrypted, so never leave it that way on a reachable interface.

/etc/default/saslauthd

START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
# Verify passwords against the sasldb database maintained with saslpasswd2
# below (/etc/sasldb2 on Debian), not against system accounts.
MECHANISMS="sasldb"
MECH_OPTIONS=""
THREADS=5
# -c enables the credential cache; -m is the directory holding the mux
# socket that libsasl (and therefore imapd) connects to. The cyrus user must
# be able to reach that socket -- on Debian via membership in group "sasl".
OPTIONS="-c -m /var/run/saslauthd"

/etc/cyrus.conf

START {
        # Run once at startup: recover the Cyrus databases, purge
        # delayed-delete entries older than 3 days, prune stale TLS sessions.

        recover         cmd="/usr/sbin/cyrus ctl_cyrusdb -r"
        delprune        cmd="/usr/sbin/cyrus expire -E 3"
        tlsprune        cmd="/usr/sbin/cyrus tls_prune"
}
SERVICES {
        # 143: STARTTLS-capable IMAP; 993: implicit TLS (-s).
        imap            cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100
        imaps           cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
        # -a preauthorises every connection (no LMTP AUTH) and the socket is
        # bound on all interfaces, so port 24 must be firewalled to the MTA.
        # NOTE(review): -a takes no argument, so it is doubtful that lmtpd
        # honours the trailing "10.11.12.13"; to limit the bind address use
        # listen="10.11.12.13:24" instead -- verify before relying on it.
        lmtp            cmd="lmtpd -a 10.11.12.13" listen="0.0.0.0:24" prefork=0 maxchild=20
        # ManageSieve on loopback only: not reachable from other hosts.
        sieve           cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100
        notify          cmd="notifyd" listen="/var/run/cyrus/socket/notify" proto="udp" prefork=1
}
EVENTS {
        # Periodic maintenance: database checkpoint every 30 minutes,
        # delayed-delete purge and TLS session pruning daily at 04:01.
        checkpoint      cmd="/usr/sbin/cyrus ctl_cyrusdb -c" period=30
        delprune        cmd="/usr/sbin/cyrus expire -E 3" at=0401
        tlsprune        cmd="/usr/sbin/cyrus tls_prune" at=0401
}

/etc/imapd.conf

configdirectory: /var/lib/cyrus
proc_path: /run/cyrus/proc
mboxname_lockpath: /run/cyrus/lock
defaultpartition: default
partition-default: /var/spool/cyrus/mail
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news
# Classic namespace: mailboxes are named user.<name>.<folder> ("." separator).
altnamespace: no
unixhierarchysep: no
lmtp_downcase_rcpt: yes
# Only this SASL account has full administrative rights (used by cyradm below).
admins: cyrus
allowanonymouslogin: no
popminpoll: 1
autocreatequota: 0
# Files created by Cyrus are readable by the cyrus user only.
umask: 077
sieveusehomedir: false
sievedir: /var/spool/sieve
hashimapspool: true
# 0: PLAIN/LOGIN are refused on an unencrypted connection; on 143 the client
# must issue STARTTLS first (993 is TLS from the start).
allowplaintext: 0
sasl_mech_list: PLAIN LOGIN
# Passwords are checked by saslauthd (configured against sasldb above); the
# cyrus user needs access to its mux socket (Debian: group "sasl").
sasl_pwcheck_method: saslauthd
sasl_auto_transition: no
# Server certificate and key; the key file must be readable only by user cyrus.
tls_cert_file: /etc/cyrus/ssl/imap.example.com_pub-key-cert.pem
tls_key_file: /etc/cyrus/ssl/imap.example.com_priv-key.pem
# Trust anchors, consulted when verifying client certificates.
tls_ca_file: /etc/cyrus/ssl/ExamplecomCA_pub-key-ca-cert.pem
tls_ca_path: /etc/ssl/certs
# TLS session cache lifetime, in minutes.
tls_session_timeout: 1440
# NOTE(review): "TLSv1" here is an OpenSSL cipher-suite selector, not a
# protocol restriction; SSLv3 handshakes may still be accepted by this
# version -- test with "openssl s_client -ssl3" and disable it if offered.
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
# Must match the lmtp listener in cyrus.conf; local tools (deliver) connect here.
lmtpsocket: 0.0.0.0:24
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify
syslog_prefix: cyrus

Note: make sure the IMAP certificate, IMAP key and CA certificate files are readable by the operating-system user cyrus, and that the private key is readable by no one else (mode 0600, owned by cyrus).

Create imap-users with:

# Create (-c) the "cyrus" account named in "admins:" above; the password is
# prompted for. Ordinary IMAP users are added the same way with their name.
saslpasswd2 -c cyrus

Check the useraccountlist with:

# List every account currently present in the sasldb database.
sasldblistusers2

And create mailboxes with:

# Work as the cyrus service user; cyradm prompts for the admin password set
# with saslpasswd2 above.
su - cyrus
cyradm localhost
# cyradm command: create the mailbox for the "cyrus" account. With
# unixhierarchysep: no each account's mailbox is named user.<name>; repeat
# "cm user.<name>" for every IMAP user created with saslpasswd2.
cm user.cyrus
quit
exit