---
lang: en
title: Install Dovecot on Debian 10
---

# Purpose

We want postfix working with Dovecot so that we can send and access our emails from an email client, such as Thunderbird, on another computer.

# Enable SMTPS in postfix

## prerequisite

You have already enabled [postfix TLS] and made sure that it is working by checking your logs for emails successfully sent and received.

[postfix TLS]:set_up_build_environments.html#tls

## setup postfix to talk to dovecot

We are going to enable `smtps`, port 465, which your email client probably refers to as `SSL/TLS` and `ufw` refers to as `'Postfix SMTPS'`.

We are *not* going to enable `submission`, port 587, which your email client probably refers to as `STARTTLS`, and `ufw` refers to as `'Postfix Submission'`, because `STARTTLS` is vulnerable to downgrade attacks if your enemies have substantial power over the network, and many major email clients do not support it for that reason. Since we are using normal passwords, a successful downgrade attack will leak the password, enabling the enemy to read and modify mail from that client, and to send spearphish, shill, scam, and spam emails as the client identity.

Passwords are a vulnerability, and in a hostile, untrustworthy, and untrusting world need to be replaced by ZKA resting on a BIPS style wallet secret, but we have to make do with `smtps` until we create something better.

```bash
nano /etc/postfix/master.cf
```

You will find the lines we are about to change already in the `master.cf` file, but commented out, and some of them need to be amended.
```default
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
```

Now we tell postfix to talk to dovecot over lmtp:

```bash
postconf -e mailbox_transport=lmtp:unix:private/dovecot-lmtp
postconf -e smtputf8_enable=no
```

Obviously this is not going to work until after we install and configure dovecot, so don't restart and test postfix yet.

# Install Dovecot

```bash
apt -qy update && apt -qy upgrade
apt -qy install dovecot-imapd dovecot-pop3d dovecot-lmtpd
dovecot --version  # These instructions assume version 2.3 or above
nano /etc/dovecot/dovecot.conf
```

```default
protocols = imap pop3 lmtp
!include_try /usr/share/dovecot/protocols.d/*.protocol
```

## Authentication

Edit the authentication file for Dovecot and update the following values.

```bash
nano /etc/dovecot/conf.d/10-auth.conf
```

```default
disable_plaintext_auth = yes
auth_mechanisms = plain
auth_username_format = %n
```

## Setup Mailbox Directory

After that, edit the mail configuration file to configure the location of the mailbox. Make sure to set this to the location where your email server is configured to save users' emails.

```bash
nano /etc/dovecot/conf.d/10-mail.conf
```

```default
mail_location = maildir:~/Maildir
mail_privileged_group = mail
```

```bash
adduser dovecot mail
```

We already told postfix to talk to dovecot. Now we must tell dovecot to talk to postfix using lmtp.
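An added example, not part of the original guide: before moving on to the Dovecot side of the sockets, this shell function audits a `master.cf` for the choices made in the postfix section above, namely `smtps` enabled in wrapper mode with Dovecot SASL, and `submission` left commented out. The function name `audit_master_cf` and both sample files are constructed for illustration, and the parser assumes the plain `-o name=value` option form.

```bash
# audit_master_cf FILE: exit 0 only if smtps is enabled in TLS wrapper mode with
# Dovecot SASL and submission (587, STARTTLS) is left disabled.
audit_master_cf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
        /^[^ \t]/ { svc = $1 "/" $2; seen[svc] = 1 }  # an entry starts in column 1
        # Options may sit on the entry line or on indented continuation lines.
        { for (i = 1; i < NF; i++) if ($i == "-o") opt[svc, $(i + 1)] = 1 }
        END {
            req = "smtpd_tls_wrappermode=yes smtpd_sasl_auth_enable=yes"
            req = req " smtpd_sasl_type=dovecot smtpd_sasl_path=private/auth"
            n = split(req, need, " ")
            if (!("smtps/inet" in seen)) {
                print "FAIL: smtps service is not enabled"; bad = 1
            } else for (k = 1; k <= n; k++)
                if (!(("smtps/inet", need[k]) in opt)) {
                    print "FAIL: smtps lacks -o " need[k]; bad = 1
                }
            if ("submission/inet" in seen) {
                print "FAIL: submission (port 587, STARTTLS) is enabled"; bad = 1
            }
            exit bad + 0
        }' "$1"
}

# Constructed sample files, not taken from a real server.
sample_dir=$(mktemp -d)
cat > "$sample_dir/good.cf" <<'EOF'
smtp      inet  n       -       y       -       -       smtpd
#submission inet n       -       y       -       -       smtpd
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
EOF
cat > "$sample_dir/bad.cf" <<'EOF'
submission inet n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
smtps     inet  n       -       y       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
EOF

audit_master_cf "$sample_dir/good.cf" && echo "good.cf: OK"
audit_master_cf "$sample_dir/bad.cf" || echo "bad.cf: rejected"
```

On the server itself the same function can be pointed at `/etc/postfix/master.cf` once the edits are saved.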
```bash
nano /etc/dovecot/conf.d/10-master.conf
```

Delete the old `service lmtp` definition, and replace it with:

```default
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
```

Delete the old `service auth` definition, and replace it with:

```default
# Postfix smtp-auth
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
```

## Setup SSL

```bash
nano /etc/dovecot/conf.d/10-ssl.conf
```

```default
ssl=required
ssl_cert =