---
lang: en
title: Install Dovecot on Debian 10
---

# Purpose

We want postfix working with Dovecot so that we can send and access our emails from an email client, such as Thunderbird, on another computer.

# Enable SMTPS in postfix

## prerequisite

You have already enabled [postfix TLS] and made sure that it is working by checking your logs for emails successfully sent and received.

[postfix TLS]:set_up_build_environments.html#tls

## setup postfix to talk to dovecot

We are going to enable `smtps`, port 465, which your email client probably
refers to as `SSL/TLS` and `ufw` refers to as `'Postfix SMTPS'`.

We are *not* going to enable `submission`, port 587, which your email client
probably refers to as `STARTTLS`, and `ufw` refers to as `'Postfix Submission'`,
because `STARTTLS` is vulnerable to downgrade attacks if
your enemies have substantial power over the network, and many major
email clients do not support it for that reason. Since we are using normal
passwords, a successful downgrade attack will leak the password, enabling
the enemy to read and modify mail from that client, and to send spearphish,
shill, scam, and spam emails as the client identity.

Passwords are a vulnerability, and in a hostile, untrustworthy, and
untrusting world need to be replaced by ZKA resting on a BIPS style
wallet secret, but we have to make do with `smtps` until we create something better.

```bash
nano /etc/postfix/master.cf
```

You will find the lines we are about to change already in the `master.cf` file,
but commented out, and some of them need to be amended. Uncomment them and
keep the leading whitespace on the `-o` lines: postfix treats a line that
starts with whitespace as a continuation of the service entry above it.

```default
smtps inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
```

Now we tell postfix to talk to dovecot over lmtp:

```bash
postconf -e mailbox_transport=lmtp:unix:private/dovecot-lmtp
postconf -e smtputf8_enable=no
```

Obviously this is not going to work until after we install and configure
dovecot, so don't restart and test postfix yet.
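
A check for the `master.cf` policy just described, as an added example that is not part of the original tutorial: it parses the service table, honouring the continuation-line rule, and reports a `submission` listener or a SASL listener that is not wrapped in TLS. The sample file contents are constructed to resemble Debian's `master.cf` after the edit above.

```python
"""Added example (not from the tutorial): audit postfix master.cf for the
smtps-only policy above: smtps wrapped in TLS with SASL via dovecot, and
no submission/STARTTLS listener."""
import re
# Constructed sample resembling Debian's master.cf after the edit above.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
#submission inet n      -       y       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
"""

def parse_master_cf(text):
    """{service: {option: value}} for uncommented entries; a whitespace-led line continues the previous service."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S+)", line)
            if m and current is not None:
                services[current][m.group(1)] = m.group(2)
            continue
        fields = line.split()
        current = fields[0]
        services[current] = {"type": fields[1]}
    return services

def audit_master_cf(text):
    """Return a list of findings; an empty list means the policy holds."""
    svc, findings = parse_master_cf(text), []
    if "submission" in svc:
        findings.append("submission (587, STARTTLS) is enabled")
    smtps = svc.get("smtps")
    if smtps is None:
        findings.append("smtps (465) is not enabled")
    elif smtps.get("smtpd_sasl_type") != "dovecot":
        findings.append("smtps does not hand SASL off to dovecot")
    # Any listener that takes passwords must wrap the whole session in TLS.
    for name, opts in svc.items():
        if opts.get("smtpd_sasl_auth_enable") == "yes" and opts.get("smtpd_tls_wrappermode") != "yes":
            findings.append(f"{name} accepts SASL passwords without TLS wrapper mode")
    return findings
```

Run it on the real file with `audit_master_cf(open("/etc/postfix/master.cf").read())` after editing; an empty list is the expected result.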

# Install Dovecot

```bash
apt -qy update && apt -qy upgrade
apt -qy install dovecot-imapd dovecot-pop3d dovecot-lmtpd
dovecot --version
# These instructions assume version 2.3 or above
nano /etc/dovecot/dovecot.conf
```

```default
protocols = imap pop3 lmtp
!include_try /usr/share/dovecot/protocols.d/*.protocol
```

## Authentication

Edit the authentication file for Dovecot and update the following values.
`disable_plaintext_auth = yes` makes Dovecot refuse the `plain` mechanism on
connections that are not TLS protected, so together with `ssl = required`
below the password only ever travels inside TLS.

```bash
nano /etc/dovecot/conf.d/10-auth.conf
```

```default
disable_plaintext_auth = yes
auth_mechanisms = plain
auth_username_format = %n
```

## Setup Mailbox Directory

After that, edit the mail configuration file to set the location of the
mailbox. Make sure this is the location where your mail server is
configured to save users' emails.

```bash
nano /etc/dovecot/conf.d/10-mail.conf
```

```default
mail_location = maildir:~/Maildir
mail_privileged_group = mail
```

```bash
adduser dovecot mail
```

We already told postfix to talk to dovecot. Now we must tell dovecot to talk to postfix using lmtp.

```bash
nano /etc/dovecot/conf.d/10-master.conf
```

Delete the old `service lmtp` definition, and replace it with:

```default
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
```

Delete the old `service auth` definition, and replace it with:

```default
# Postfix smtp-auth
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
```

## Setup SSL

```bash
nano /etc/dovecot/conf.d/10-ssl.conf
```

```default
ssl = required
ssl_cert = </etc/letsencrypt/live/rhocoin.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/rhocoin.org/privkey.pem
ssl_prefer_server_ciphers = yes
ssl_min_protocol = TLSv1.2
```
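
A check for the `10-auth.conf` and `10-ssl.conf` values above, as an added example that is not part of the original tutorial: it parses Dovecot's flat `key = value` lines and shows the hardened settings beside a constructed weak variant (TLS optional, plaintext auth allowed, old TLS permitted). The `TLS_ORDER` table and the sample texts are this example's own.

```python
"""Added example (not from the tutorial): check the dovecot conf.d values
chosen above. Parses dovecot's flat 'key = value' lines and reports any
setting that would let a client log in without TLS 1.2 or newer."""
TLS_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
# Constructed sample: the 10-auth.conf and 10-ssl.conf values from the tutorial.
HARDENED_CONF = """\
# Authentication
disable_plaintext_auth = yes
auth_mechanisms = plain
auth_username_format = %n
!include auth-system.conf.ext
# TLS
ssl = required
ssl_cert = </etc/letsencrypt/live/rhocoin.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/rhocoin.org/privkey.pem
ssl_prefer_server_ciphers = yes
ssl_min_protocol = TLSv1.2
"""
# Constructed weak variant: TLS optional, PLAIN accepted without it, old TLS allowed.
WEAK_CONF = (HARDENED_CONF.replace("ssl = required", "ssl = yes")
             .replace("disable_plaintext_auth = yes", "disable_plaintext_auth = no")
             .replace("ssl_min_protocol = TLSv1.2", "ssl_min_protocol = TLSv1"))

def parse_dovecot_conf(text):
    """Flat settings only; comments, blank lines and !include lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!include") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings

def audit_dovecot(text):
    """Return findings; empty means passwords only ever travel inside TLS >= 1.2."""
    s, findings = parse_dovecot_conf(text), []
    if s.get("ssl") != "required":
        findings.append("ssl is not 'required': non-TLS IMAP/POP3 sessions are possible")
    if s.get("disable_plaintext_auth", "yes") != "yes":
        findings.append("disable_plaintext_auth=no: PLAIN accepted on non-TLS connections")
    min_proto = s.get("ssl_min_protocol", "TLSv1.2")
    if TLS_ORDER.get(min_proto, -1) < TLS_ORDER["TLSv1.2"]:
        findings.append(f"ssl_min_protocol={min_proto} permits TLS older than 1.2")
    for key in ("ssl_cert", "ssl_key"):
        if not s.get(key, "").startswith("<"):
            findings.append(f"{key} must start with '<' so dovecot reads the file, not the path text")
    return findings
```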

## Auto-create Sent and Trash Folder

```bash
nano /etc/dovecot/conf.d/15-mailboxes.conf
```

Add the line `auto = subscribe` to the special folders entries:

```default
mailbox Trash {
  auto = subscribe
  special_use = \Trash
}

mailbox Junk {
  auto = subscribe
  special_use = \Junk
}

mailbox Drafts {
  auto = subscribe
  special_use = \Drafts
}

mailbox Sent {
  auto = subscribe
  special_use = \Sent
}
```

## Manage Dovecot Service

Enable the Dovecot service, restart both services, and check that they are
running and listening:

```bash
systemctl enable dovecot.service
systemctl restart postfix dovecot
systemctl status dovecot
systemctl status postfix
ss -lnpt | grep master
ss -lnpt | grep dovecot
```

## Open ports

- don't enable IMAP - 143
- IMAPS - 993
- don't enable POP3 - 110
- POP3S - 995

```bash
ufw allow IMAPS
ufw allow POP3S
ss -lnpt | grep master
ss -lnpt | grep dovecot
ufw status verbose
```

You set ufw to deny incoming by default earlier, so IMAP and POP3 are blocked.

# Configure Desktop Email Client

Edit 🠆 Account Settings 🠆 Account Actions 🠆 Add Mail Account

Select manual configuration, SSL/TLS, and normal password.

Now send and receive some test emails, as you did before, but this time
you will be receiving them on your desktop, rather than logging in and using thunderbird.

As before:

```bash
cat /var/log/mail.log | grep -E '(warning|error|fatal|panic)'
```
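
Beyond the grep above, the lines worth watching in `mail.log` are failed logins against the two listeners this setup exposes. The following is an added example, not part of the original tutorial: it matches postfix `smtps` SASL failures (tagged `postfix/smtps` by the `syslog_name` set in `master.cf`) and dovecot `imap-login`/`pop3-login` failures and counts them per client IP. The log lines are constructed, with RFC 5737 documentation addresses.

```python
"""Added example (not from the tutorial): scan mail.log for the two login
failure patterns this setup produces, postfix/smtps SASL failures (the
syslog_name set in master.cf above) and dovecot imap/pop3-login failures,
and count them per client IP. The log lines are constructed."""
import re
from collections import Counter

SAMPLE_LOG = """\
Mar  3 10:01:12 mail postfix/smtps/smtpd[2311]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed:
Mar  3 10:01:15 mail postfix/smtps/smtpd[2311]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed:
Mar  3 10:02:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, TLS
Mar  3 10:02:30 mail postfix/smtps/smtpd[2311]: 9A1C3: client=desktop.example[203.0.113.9], sasl_method=PLAIN, sasl_username=bob
Mar  3 10:03:00 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.9, lip=203.0.113.5, TLS
"""

POSTFIX_FAIL = re.compile(r"postfix/smtps/smtpd\[\d+\]: warning: \S+\[([\d.]+)\]: SASL \w+ authentication failed")
DOVECOT_FAIL = re.compile(r"dovecot: (?:imap|pop3)-login: Disconnected \(auth failed.*?rip=([\d.]+)")
DOVECOT_OK = re.compile(r"dovecot: (?:imap|pop3)-login: Login: user=<([^>]+)>.*?rip=([\d.]+)")

def scan_auth_events(text):
    """Return (failures per client IP, successful dovecot logins as
    (user, ip, tls) tuples); tls is False if the line lacks the TLS marker."""
    failures, logins = Counter(), []
    for line in text.splitlines():
        m = POSTFIX_FAIL.search(line) or DOVECOT_FAIL.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = DOVECOT_OK.search(line)
        if m:
            logins.append((m.group(1), m.group(2), ", TLS" in line))
    return failures, logins

def noisy_clients(text, threshold=2):
    """Client IPs with at least `threshold` failed logins, worst first;
    a starting point for a fail2ban style block list."""
    failures, _ = scan_auth_events(text)
    return [ip for ip, n in failures.most_common() if n >= threshold]
```

On the server, `noisy_clients(open("/var/log/mail.log").read())` lists the addresses hammering your login endpoints.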

# Next steps

Now that you have an email service that people can access from their
desktop using an email client such as thunderbird, you probably
[want several other domain names and hosts to use it](set_up_build_environments.html#virtual-domains-and-virtual-users).

# Credits

This tutorial is largely based on the excellent [linuxbabe] tutorial.

[linuxbabe]:https://www.linuxbabe.com/mail-server/secure-email-server-ubuntu-postfix-dovecot
"Install Dovecot IMAP server on Ubuntu & Enable TLS Encryption"
{target="_blank"}