forked from cheng/wallet
wallet/docs/dovecot.md

---
title: Install Dovecot on Debian 10
---
# Purpose
We want postfix working with Dovecot so that we can send and read our email from an email client such as Thunderbird running on another computer.
# Enable SMTPS in postfix
## Prerequisite
You have already enabled [postfix TLS] and made sure that it is working by checking your logs of emails successfully sent and received.
[postfix TLS]:set_up_build_environments.html#tls
## Setup postfix to talk to dovecot
We are going to enable `smtps`, port 465, which your email client probably
refers to as `SSL/TLS` and `ufw` refers to as `'Postfix SMTPS'`.
We are *not* going to enable `submission`, port 587, which your email client
probably refers to as `STARTTLS`, and `ufw` refers to as `'Postfix Submission'`.
`STARTTLS` starts as a plaintext session and only upgrades to TLS if the
server advertises the capability, so an enemy with substantial power over
the network can strip that advertisement, and a client that does not insist
on encryption will carry on in the clear. Since we are using normal
passwords, a successful downgrade attack leaks the password, enabling
the enemy to read and modify mail from that client, and to send spearphish,
shill, scam, and spam emails as the client identity. With `smtps` the
connection is TLS from the first byte, so there is nothing to downgrade.
Passwords are a vulnerability, and in a hostile, untrustworthy, and
untrusting world need to be replaced by ZKA resting on a BIPS style
wallet secret, but we have to make do with `smtps` until we create something better.
```bash
nano /etc/postfix/master.cf
```
You will find the lines we are about to change already in the `master.cf` file,
but commented out, and some of them need to be amended.
```default
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
```
Now we tell postfix to hand local delivery to dovecot over LMTP:
```bash
postconf -e mailbox_transport=lmtp:unix:private/dovecot-lmtp
postconf -e smtputf8_enable=no
```
Obviously this is not going to work until after we install and configure
dovecot, so don't restart and test postfix yet.
# Install Dovecot
```bash
apt -qy update && apt -qy upgrade
apt -qy install dovecot-imapd dovecot-pop3d dovecot-lmtpd
dovecot --version
# These instructions assume version 2.3 or above
nano /etc/dovecot/dovecot.conf
```
```default
protocols = imap pop3 lmtp
!include_try /usr/share/dovecot/protocols.d/*.protocol
```
## Authentication
Edit the authentication file for Dovecot and set the following values. `disable_plaintext_auth = yes` refuses any login that is not inside TLS, which is what makes the `ssl = required` setting below enforceable.
```bash
nano /etc/dovecot/conf.d/10-auth.conf
```
```default
disable_plaintext_auth = yes
auth_mechanisms = plain
auth_username_format = %n
```
## Setup Mailbox Directory
After that, edit the mail configuration file to set the location of the mailbox. This must be the same Maildir that postfix was configured to deliver into, or mail will be delivered where Dovecot never looks.
```bash
nano /etc/dovecot/conf.d/10-mail.conf
```
```default
mail_location = maildir:~/Maildir
mail_privileged_group = mail
```
```bash
adduser dovecot mail
```
We already told postfix to talk to dovecot. Now we must tell dovecot to talk to postfix using lmtp.
```bash
nano /etc/dovecot/conf.d/10-master.conf
```
Delete the old `service lmtp` definition, and replace it with:
```default
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
```
Delete the old `service auth` definition, and replace it with:
```default
# Postfix smtp-auth
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
```
## Setup SSL
```bash
nano /etc/dovecot/conf.d/10-ssl.conf
```
Point `ssl_cert` and `ssl_key` at the Let's Encrypt certificate for your own
domain; `rhocoin.org` below is this guide's host. The leading `<` tells
Dovecot to read the file rather than treat the path as the value.
```default
ssl = required
ssl_cert = </etc/letsencrypt/live/rhocoin.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/rhocoin.org/privkey.pem
ssl_prefer_server_ciphers = yes
ssl_min_protocol = TLSv1.2
```
## Auto-create Sent, Drafts, Junk and Trash Folders
```bash
nano /etc/dovecot/conf.d/15-mailboxes.conf
```
Add the line `auto = subscribe` to the special folder entries:
```default
mailbox Drafts {
  auto = subscribe
  special_use = \Drafts
}
mailbox Junk {
  auto = subscribe
  special_use = \Junk
}
mailbox Trash {
  auto = subscribe
  special_use = \Trash
}
mailbox Sent {
  auto = subscribe
  special_use = \Sent
}
```
## Manage Dovecot Service
Enable Dovecot, restart both services so postfix picks up the new `master.cf`, and check that both are running and listening:
```bash
systemctl enable dovecot.service
systemctl restart postfix dovecot
systemctl status dovecot
systemctl status postfix
ss -lnpt | grep master
ss -lnpt | grep dovecot
```
## Open ports
- don't enable IMAP - 143
- IMAPS - 993
- don't enable POP3 - 110
- POP3S - 995
```bash
ufw allow IMAPS
ufw allow POP3S
ss -lnpt | grep master
ss -lnpt | grep dovecot
ufw status verbose
```
You set ufw to deny incoming by default earlier, so the plaintext IMAP (143) and POP3 (110) ports, which Dovecot still listens on locally, stay unreachable from outside.
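As an added check that is not part of the original tutorial or of the wallet project: the script below lints the three things this page changes, the `smtps` stanza in `master.cf`, the Dovecot settings in `dovecot.conf` and `conf.d/`, and the `ufw` rule set, so that before you point a client at the server you can confirm TLS is mandatory, plaintext authentication is refused, unauthenticated relaying is rejected, and only the TLS-wrapped ports are allowed in. It reads files you hand it, so it runs offline against constructed samples it writes itself; the sample contents, the `ufw status verbose` line format it expects, and the layout of the audit directory (`postfix/master.cf`, `dovecot/`, `ufw.txt`) are assumptions of this example.

```bash
#!/usr/bin/env bash
# audit-mail-config.sh: added example, not part of the original tutorial. Lints
# the postfix, dovecot and ufw settings this page edits. Each check takes a path,
# so it can be run against /etc/postfix, /etc/dovecot and saved `ufw status
# verbose` output on the server, or against the constructed samples below.
set -u

# The smtps stanza must run in TLS wrapper mode, authenticate through dovecot's
# socket and end its relay restrictions with reject; submission (587, STARTTLS)
# must stay disabled. Comment lines are ignored, continuation lines are indented.
check_master_cf() {
    local f="$1" rc=0 opt stanza
    stanza=$(awk '/^[ \t]*#/ { next }
                  /^smtps[ \t]/ { in_s = 1; print; next }
                  in_s && /^[ \t]+-o/ { print; next }
                  in_s { in_s = 0 }' "$f")
    [ -n "$stanza" ] || { echo "FAIL: no smtps service in $f"; return 1; }
    for opt in smtpd_tls_wrappermode=yes smtpd_sasl_auth_enable=yes \
               smtpd_sasl_type=dovecot smtpd_sasl_path=private/auth; do
        printf '%s\n' "$stanza" | grep -q -- "-o $opt" \
            || { echo "FAIL: smtps lacks -o $opt"; rc=1; }
    done
    printf '%s\n' "$stanza" | grep -qE 'smtpd_relay_restrictions=.*reject[[:space:]]*$' \
        || { echo "FAIL: smtps relay restrictions do not end in reject"; rc=1; }
    grep -qE '^submission[[:space:]]' "$f" \
        && { echo "FAIL: submission (587) is enabled in $f"; rc=1; }
    return "$rc"
}

# Dovecot must refuse plaintext auth, require TLS 1.2 or better everywhere,
# deliver into the Maildir postfix writes to, and speak LMTP.
check_dovecot() {
    local d="$1" rc=0 spec file rest key value
    for spec in "dovecot.conf|protocols|imap pop3 lmtp" \
                "conf.d/10-auth.conf|disable_plaintext_auth|yes" \
                "conf.d/10-mail.conf|mail_location|maildir:~/Maildir" \
                "conf.d/10-ssl.conf|ssl|required" \
                "conf.d/10-ssl.conf|ssl_min_protocol|TLSv1\\.2"; do
        file=${spec%%|*}; rest=${spec#*|}; key=${rest%%|*}; value=${rest#*|}
        # an uncommented "key = value" line, spaces around '=' optional
        grep -qE "^[[:space:]]*$key[[:space:]]*=[[:space:]]*$value[[:space:]]*$" "$d/$file" \
            || { echo "FAIL: $file should set $key = $value"; rc=1; }
    done
    return "$rc"
}

# Only TLS-wrapped ports may be allowed in (465, 993, 995), never plaintext
# 110, 143 or 587, and incoming must be denied by default.
check_ufw() {
    local f="$1" rc=0 p
    grep -q 'Default: deny (incoming)' "$f" \
        || { echo "FAIL: ufw default is not deny incoming"; rc=1; }
    for p in 465 993 995; do
        grep -qE "^$p(/tcp)?([[:space:]]|\().*ALLOW" "$f" \
            || { echo "FAIL: port $p is not allowed"; rc=1; }
    done
    for p in 110 143 587; do
        grep -qE "^$p(/tcp)?([[:space:]]|\().*ALLOW" "$f" \
            && { echo "FAIL: plaintext port $p is open"; rc=1; }
    done
    return "$rc"
}

# Constructed sample inputs (not captured from a real server), written under DIR.
make_samples() {
    local d="$1"
    mkdir -p "$d/postfix" "$d/dovecot/conf.d"
    cat > "$d/postfix/master.cf" <<'EOF'
#submission inet n       -       y       -       -       smtpd
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
EOF
    printf 'protocols = imap pop3 lmtp\n' > "$d/dovecot/dovecot.conf"
    printf 'disable_plaintext_auth = yes\n' > "$d/dovecot/conf.d/10-auth.conf"
    printf 'mail_location = maildir:~/Maildir\n' > "$d/dovecot/conf.d/10-mail.conf"
    printf 'ssl=required\nssl_min_protocol = TLSv1.2\n' > "$d/dovecot/conf.d/10-ssl.conf"
    cat > "$d/ufw.txt" <<'EOF'
Default: deny (incoming), allow (outgoing), disabled (routed)
465/tcp (Postfix SMTPS)    ALLOW IN    Anywhere
993/tcp (IMAPS)            ALLOW IN    Anywhere
995/tcp (POP3S)            ALLOW IN    Anywhere
EOF
}

# Run every check against DIR, which holds postfix/master.cf, dovecot/ and ufw.txt.
audit() {
    local d="$1" rc=0
    check_master_cf "$d/postfix/master.cf" || rc=1
    check_dovecot "$d/dovecot" || rc=1
    check_ufw "$d/ufw.txt" || rc=1
    [ "$rc" -eq 0 ] && echo "OK: all checks passed"
    return "$rc"
}

# With no argument, audit the constructed samples in a temporary directory.
if [ "$#" -ge 1 ]; then audit "$1"; else
    tmp=$(mktemp -d); make_samples "$tmp"; audit "$tmp"; rm -rf "$tmp"
fi
```

Run it as `bash audit-mail-config.sh` to see the sample checks pass, or build a directory from the live files (`cp -r /etc/postfix /etc/dovecot DIR/` and `ufw status verbose > DIR/ufw.txt`) and run `bash audit-mail-config.sh DIR`. It inspects configuration only; after the restart, confirm the listeners with `openssl s_client -connect your.host:993` and `openssl s_client -connect your.host:465` (your own hostname substituted), which should complete a handshake and show the server greeting, while a plain connection to 143 or 110 from outside should get no answer.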
# Configure Desktop Email Client
Edit 🠆 Account Settings 🠆 Account Actions 🠆 Add Mail Account
Select manual configuration, `SSL/TLS` for both the incoming server (IMAP, port 993) and the outgoing server (SMTP, port 465), and normal password. Do not accept a `STARTTLS` suggestion on port 587; we did not enable it.
Now send and receive some test emails, as you did before, but this time
you will be receiving them on your desktop, rather than logging in to the server to read them.
As before:
```bash
cat /var/log/mail.log | grep -E '(warning|error|fatal|panic)'
```
# Next steps
Now that you have an email service that people can access from their
desktop using an email client such as thunderbird, you probably
[want several other domain names and hosts to use it](set_up_build_environments.html#virtual-domains-and-virtual-users).
# Credits
This tutorial is largely based on the excellent [linuxbabe] tutorial.
[linuxbabe]:https://www.linuxbabe.com/mail-server/secure-email-server-ubuntu-postfix-dovecot
"Install Dovecot IMAP server on Ubuntu & Enable TLS Encryption"
{target="_blank"}