forked from cheng/wallet
699bf5a2ac
to the new cool style imitating other successful open software movements. But all my navbars are the same navbar. The point of the new style is to make information readily available. We will want multiple button bars in the navbar, and possibly a related materials sidebar. Or perhaps simply link pages. We also need to change the introductory paragraph in every page to the abstract style.
247 lines
5.8 KiB
Markdown
---
title: Install Dovecot on Debian 10
sidebar: true
...

# Purpose

We want postfix working with Dovecot so that we can send and access our emails from an email client such as Thunderbird on another computer.

# Enable SMTPS in postfix

## prerequisite

You have already enabled [postfix TLS] and made sure that it is working by checking your logs for emails successfully sent and received.

[postfix TLS]:set_up_build_environments.html#tls

## setup postfix to talk to dovecot

We are going to enable `smtps`, port 465, which your email client probably
refers to as `SSL/TLS` and `ufw` refers to as `'Postfix SMTPS'`.

We are *not* going to enable `submission`, port 587, which your email client
probably refers to as `STARTTLS`, and `ufw` refers to as `'Postfix Submission'`,
because `STARTTLS` is vulnerable to downgrade attacks if
your enemies have substantial power over the network, and many major
email clients do not support it for that reason. Since we are using normal
passwords, a successful downgrade attack will leak the password, enabling
the enemy to read and modify mail from that client, and to send spearphish,
shill, scam, and spam emails as the client identity.

Passwords are a vulnerability, and in a hostile, untrustworthy, and
untrusting world need to be replaced by ZKA resting on a BIPS style
wallet secret, but we have to make do with `smtps` until we create something better.

|
```bash
nano /etc/postfix/master.cf
```

You will find the lines we are about to change already in the `master.cf` file,
but commented out, and some of them need to be amended. Keep the `-o` lines
indented: in `master.cf` a line that starts in column one begins a new service
entry, so an unindented `-o` line breaks the file.

```default
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
```

Now we tell postfix to deliver mail to dovecot over LMTP:

```bash
postconf -e mailbox_transport=lmtp:unix:private/dovecot-lmtp
postconf -e smtputf8_enable=no
```

Obviously this is not going to work until after we install and configure
dovecot, so don't restart and test postfix yet.
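
The three things that matter in the block above (smtps on, submission left commented out, SASL handed to Dovecot) are easy to get wrong when uncommenting lines by hand. The script below is an added example, not part of this tutorial, that audits a `master.cf` for exactly that policy. It assumes only the standard `master.cf` layout (service name in column one, `-o` overrides on indented continuation lines); the two excerpts inside it are constructed for the demonstration, not taken from a real server.

```bash
#!/bin/sh
# Added example, not part of the tutorial: audit a postfix master.cf for the
# policy described above, i.e. smtps (465) enabled in TLS wrapper mode with
# Dovecot SASL, and submission (587, STARTTLS) left commented out.

# Print the "-o key=value" overrides of service $1 from master.cf text on
# stdin. A service line starts in column one; its overrides follow on
# indented continuation lines; "#" lines are comments.
service_options() {
    awk -v svc="$1" '
        /^[[:space:]]*#/ { next }
        /^[^[:space:]]/  { cur = $1 }
        cur == svc && $1 == "-o" { print $2 }
    '
}

# Exit 0 if service $1 has an uncommented entry in the master.cf on stdin.
service_enabled() {
    awk -v svc="$1" '
        BEGIN { missing = 1 }
        /^[[:space:]]*#/ { next }
        /^[^[:space:]]/ && $1 == svc { missing = 0 }
        END { exit missing }
    '
}

# Exit 0 when the master.cf on stdin matches the policy; otherwise print one
# line per finding and exit 1.
check_master_cf() {
    mcf=$(cat)
    rc=0
    printf '%s\n' "$mcf" | service_enabled smtps \
        || { echo "smtps (port 465) is not enabled"; rc=1; }
    if printf '%s\n' "$mcf" | service_enabled submission; then
        echo "submission (port 587, STARTTLS) is enabled"; rc=1
    fi
    opts=$(printf '%s\n' "$mcf" | service_options smtps)
    for want in smtpd_tls_wrappermode=yes smtpd_sasl_auth_enable=yes \
                smtpd_sasl_type=dovecot smtpd_sasl_path=private/auth; do
        printf '%s\n' "$opts" | grep -qx "$want" \
            || { echo "smtps is missing -o $want"; rc=1; }
    done
    return $rc
}

# Constructed master.cf excerpts (not a real server's file).
GOOD_MASTER_CF='smtp      inet  n       -       y       -       -       smtpd
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth'

# submission uncommented, and smtps never handed authentication to Dovecot
BAD_MASTER_CF='smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes'

printf '%s\n' "$GOOD_MASTER_CF" | check_master_cf && echo "good excerpt: ok"
printf '%s\n' "$BAD_MASTER_CF" | check_master_cf || echo "bad excerpt: findings above"
```

Against the live file, run `check_master_cf < /etc/postfix/master.cf` after editing and before the restart; a non-zero exit means one of the printed findings applies.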

# Install Dovecot

```bash
apt -qy update && apt -qy upgrade
apt -qy install dovecot-imapd dovecot-pop3d dovecot-lmtpd
dovecot --version
# These instructions assume version 2.3 or above
nano /etc/dovecot/dovecot.conf
```

```default
protocols = imap pop3 lmtp
!include_try /usr/share/dovecot/protocols.d/*.protocol
```

## Authentication

Edit the authentication file for Dovecot and update the following values.

```bash
nano /etc/dovecot/conf.d/10-auth.conf
```

```default
disable_plaintext_auth = yes
auth_mechanisms = plain
auth_username_format = %n
```

## Setup Mailbox Directory

After that, edit the mail configuration file to set the location of the mailbox. Make sure this is the location where your mail server is configured to save users' emails.

```bash
nano /etc/dovecot/conf.d/10-mail.conf
```

```default
mail_location = maildir:~/Maildir
mail_privileged_group = mail
```

```bash
adduser dovecot mail
```

We already told postfix to talk to dovecot. Now we must tell dovecot to talk to postfix using lmtp.

```bash
nano /etc/dovecot/conf.d/10-master.conf
```

Delete the old `service lmtp` definition, and replace it with:

```default
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
```

Delete the old `service auth` definition, and replace it with:

```default
# Postfix smtp-auth
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
```

## Setup SSL

```bash
nano /etc/dovecot/conf.d/10-ssl.conf
```

```default
ssl = required
ssl_cert = </etc/letsencrypt/live/rhocoin.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/rhocoin.org/privkey.pem
ssl_prefer_server_ciphers = yes
ssl_min_protocol = TLSv1.2
```
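
The Authentication section above and this SSL section together decide whether a password can ever cross the wire in the clear: `disable_plaintext_auth = yes`, `ssl = required` (not `yes`, which only makes TLS optional) and a modern `ssl_min_protocol`. The script below is an added example, not the tutorial's or Dovecot's own code, that reads Dovecot-style `key = value` text and checks those settings. It assumes only the `key = value` syntax (with or without spaces) and the `<path` form for certificate files; the host name `mail.example.org` and both config excerpts are constructed for the demonstration.

```bash
#!/bin/sh
# Added example, not part of the tutorial: read Dovecot "key = value" settings
# and confirm the choices made in 10-auth.conf and 10-ssl.conf above.

# Print the value of setting $1 from Dovecot-style config text on stdin.
# Accepts "key = value" and "key=value", skips comments and blank lines, and
# reports the last definition when a key is repeated.
dovecot_get() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        index($0, "=") == 0 { next }              # braces, section headers
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    '
}

# Exit 0 when the settings on stdin match the policy of this tutorial;
# otherwise print one line per finding and exit 1.
check_dovecot_conf() {
    dcf=$(cat)
    rc=0
    [ "$(printf '%s\n' "$dcf" | dovecot_get disable_plaintext_auth)" = yes ] \
        || { echo "disable_plaintext_auth should be yes"; rc=1; }
    [ "$(printf '%s\n' "$dcf" | dovecot_get ssl)" = required ] \
        || { echo "ssl should be required (yes only makes TLS optional)"; rc=1; }
    case "$(printf '%s\n' "$dcf" | dovecot_get ssl_min_protocol)" in
        TLSv1.2|TLSv1.3) ;;
        *) echo "ssl_min_protocol should be TLSv1.2 or newer"; rc=1 ;;
    esac
    for k in ssl_cert ssl_key; do
        case "$(printf '%s\n' "$dcf" | dovecot_get "$k")" in
            "</"*) ;;                             # "<path" tells Dovecot to read the file
            *) echo "$k should point at a file, e.g. </etc/letsencrypt/live/HOST/fullchain.pem"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed excerpt: the values this tutorial sets (host name is a placeholder).
GOOD_DOVECOT='disable_plaintext_auth = yes
auth_mechanisms = plain
auth_username_format = %n
ssl=required
ssl_cert = </etc/letsencrypt/live/mail.example.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.org/privkey.pem
ssl_prefer_server_ciphers = yes
ssl_min_protocol = TLSv1.2'

# Constructed weaker excerpt: plaintext login allowed, TLS optional, old TLS.
BAD_DOVECOT='disable_plaintext_auth = no
ssl = yes
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key
ssl_min_protocol = TLSv1'

printf '%s\n' "$GOOD_DOVECOT" | check_dovecot_conf && echo "good excerpt: ok"
printf '%s\n' "$BAD_DOVECOT" | check_dovecot_conf || echo "bad excerpt: findings above"
```

To check the real files, concatenate the two you edited: `cat /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-ssl.conf | check_dovecot_conf`.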

## Auto-create Sent and Trash Folder

```bash
nano /etc/dovecot/conf.d/15-mailboxes.conf
```

Add the line `auto = subscribe` to the special folder entries:

```default
mailbox Trash {
  auto = subscribe
  special_use = \Trash
}

mailbox Junk {
  auto = subscribe
  special_use = \Junk
}

mailbox Drafts {
  auto = subscribe
  special_use = \Drafts
}

mailbox Sent {
  auto = subscribe
  special_use = \Sent
}
```
## Manage Dovecot Service

Enable and restart the services, then check that both are running and listening:

```bash
systemctl enable dovecot.service
systemctl restart postfix dovecot
systemctl status dovecot
systemctl status postfix
ss -lnpt | grep master
ss -lnpt | grep dovecot
```

## Open ports

- don't enable IMAP - 143
- IMAPS - 993
- don't enable POP3 - 110
- POP3S - 995

```bash
ufw allow IMAPS
ufw allow POP3S
ss -lnpt | grep master
ss -lnpt | grep dovecot
ufw status verbose
```

You already set ufw to deny incoming by default, so IMAP (143) and POP3 (110) stay blocked at the firewall even though dovecot is listening on them.
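
The `ss` and `ufw status` output above is what you compare by eye. As an added example, not part of the tutorial, the script below does that comparison: from `ss -lnpt` output it lists every port that is listening on a non-loopback address but is not in the firewall's allow-list, which on this setup should be exactly the plaintext IMAP and POP3 ports that only `ufw` is shielding. The `ss` output inside it is constructed, and the allow-list `25 465 993 995` is an assumption about which ports the earlier postfix steps and this page opened.

```bash
#!/bin/sh
# Added example, not part of the tutorial: given "ss -lnpt" output on stdin,
# print the ports listening on a non-loopback address that are NOT in the
# space-separated allow-list $1, i.e. the sockets only the firewall protects.
exposed_unallowed_ports() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "LISTEN" { next }                 # header and non-listening rows
        {
            addr = $4                           # the Local Address:Port column
            port = addr; sub(/.*:/, "", port)   # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /^127\./ || host == "[::1]") next   # loopback only
            if (!(port in ok)) seen[port] = 1
        }
        END { for (p in seen) print p }
    ' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Constructed "ss -lnpt" output for a host set up as in this tutorial
# (pids and fds are made up; the last row is a loopback-only listener).
SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       100     0.0.0.0:25          0.0.0.0:*          users:(("master",pid=701,fd=13))
LISTEN  0       100     0.0.0.0:465         0.0.0.0:*          users:(("master",pid=701,fd=18))
LISTEN  0       100     0.0.0.0:143         0.0.0.0:*          users:(("dovecot",pid=812,fd=40))
LISTEN  0       100     0.0.0.0:993         0.0.0.0:*          users:(("dovecot",pid=812,fd=42))
LISTEN  0       100     0.0.0.0:110         0.0.0.0:*          users:(("dovecot",pid=812,fd=22))
LISTEN  0       100     0.0.0.0:995         0.0.0.0:*          users:(("dovecot",pid=812,fd=24))
LISTEN  0       100     [::]:993            [::]:*             users:(("dovecot",pid=812,fd=43))
LISTEN  0       128     127.0.0.1:24242     0.0.0.0:*          users:(("dovecot",pid=812,fd=50))'

# Assumed ufw allow-list: SMTP, SMTPS, IMAPS, POP3S.
UFW_ALLOWED="25 465 993 995"

# Prints "110 143": dovecot listens on the plaintext ports, only ufw blocks them.
printf '%s\n' "$SS_OUTPUT" | exposed_unallowed_ports "$UFW_ALLOWED"
```

On the real host, `ss -lnpt | exposed_unallowed_ports "25 465 993 995"` should print nothing but `110 143`; anything else listed is a service you did not plan to expose.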

# Configure Desktop Email Client

Edit 🠆 Account Settings 🠆 Account Actions 🠆 Add Mail Account

Select manual configuration, SSL/TLS, and normal password.

Now send and receive some test emails, as you did before, but this time
you will be receiving them on your desktop, rather than logging in and using thunderbird.

As before:

```bash
grep -E '(warning|error|fatal|panic)' /var/log/mail.log
```
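
The grep above is the first look at the log. As an added example that is not part of the tutorial, the script below reads the same `mail.log` and counts failed logins per client address, which is what you want to see once passwords are accepted on 465 and 993: one address with many failures is someone guessing. It assumes the log formats Debian's postfix (`syslog_name=postfix/smtps` as set above) and Dovecot write; the log lines inside it are constructed, with addresses from the documentation ranges, not taken from a real server.

```bash
#!/bin/sh
# Added example, not from the tutorial: count failed SASL (postfix) and
# imap/pop3-login (dovecot) authentications per client address from
# mail.log text on stdin, printing "address count", busiest first.
failed_logins_by_ip() {
    awk '
        # postfix smtpd: "warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: ..."
        /smtpd\[[0-9]+\]: warning: .*: SASL .* authentication failed/ {
            if (match($0, /\[[0-9a-fA-F.:]+\]: SASL/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 8)   # strip "[" and "]: SASL"
                fails[ip]++
            }
        }
        # dovecot: "imap-login: Disconnected (auth failed, ...): user=<..>, ..., rip=203.0.113.5, ..."
        /dovecot: (imap|pop3)-login: .*auth failed/ {
            if (match($0, /rip=[0-9a-fA-F.:]+/)) {
                ip = substr($0, RSTART + 4, RLENGTH - 4)   # strip "rip="
                fails[ip]++
            }
        }
        END { for (ip in fails) print ip, fails[ip] }
    ' | sort -k2,2nr -k1,1
}

# Constructed log lines in the shape Debian writes to /var/log/mail.log.
# A successful login and an LMTP delivery are included to show they are ignored.
MAIL_LOG='Mar  3 10:15:01 mail postfix/smtps/smtpd[2119]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:15:09 mail postfix/smtps/smtpd[2119]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:15:20 mail postfix/smtps/smtpd[2119]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:16:44 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS, session=<k1>
Mar  3 10:17:02 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.2, TLS, session=<k2>
Mar  3 10:18:30 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.9, lip=198.51.100.2, TLS, session=<k3>
Mar  3 10:19:00 mail postfix/lmtp[2200]: 4F1A2: to=<bob@example.org>, relay=mail[private/dovecot-lmtp], status=sent (250 2.0.0 <bob@example.org> Saved)'

# Prints "203.0.113.5 4" then "198.51.100.7 1".
printf '%s\n' "$MAIL_LOG" | failed_logins_by_ip
```

Run it as `failed_logins_by_ip < /var/log/mail.log`; an address at the top with a count far above the rest is the one to block at `ufw` or to check against your own clients' addresses.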

# Next steps

Now that you have an email service that people can access from their
desktop using an email client such as Thunderbird, you probably
[want several other domain names and hosts to use it](set_up_build_environments.html#virtual-domains-and-virtual-users).

# Credits

This tutorial is largely based on the excellent [linuxbabe] tutorial.

[linuxbabe]:https://www.linuxbabe.com/mail-server/secure-email-server-ubuntu-postfix-dovecot
"Install Dovecot IMAP server on Ubuntu & Enable TLS Encryption"
{target="_blank"}