Installazione di Dovecot e sieve su qmail + vpopmail

 

• Overview
• Installazione
• Configurazione
• Scarica i miei file di configurazione
• dovecot.conf
• 10-auth.conf
• auth-sql.conf.ext
• 10-director.conf
• 10-logging.conf
• Logrotate
• 10-mail.conf
• 10-master.conf
• 10-ssl.conf
• 15-lda.conf
• 15-mailboxes.conf
• 20-imap.conf
• 20-lmtp.conf
• 20-pop3.conf
• 90-plugin.conf
• 90-quota.conf

Changelog

• Nov 15, 2024
  - added a postlogin script to update the vpopmail.lastauth SQL table on login (see 10-master.conf, thanks kengheng)
• Aug 16, 2024
  - upgraded to v. 2.3.21.1
• Dec 29, 2023
  default_pass_scheme = SHA512-CRYPT (was MD5-CRYPT) in dovecot-sql.conf.ext, as vpopmail-5.6.x has now SHA512-CRYPT password by default
• Sep 17, 2023
  - upgraded to v. 2.3.21
• Feb 10, 2023
  - added a patch to restore the old vpopmail-auth driver (tx Ali Erturk TURKER)
• Nov 2, 2022
  -added mailbox_list_index = yes and mail_always_cache_fields = date.save to 10-mail.conf (tx JonTDW, more info here)
• Aug 9, 2022
  -improved the sql stuff in case of --disable-many-domains (tx kengheng)
• Apr 22, 2022
  -added Solr support (--with-solr)
• Apr 17, 2022
  -auth-sql.conf.ext: changed the userdb lookup for LDA from static to sql, as the home dir was not retrieved correctly if positioned in a subfolder (i.e. domains/0/domainname).
• June 20, 2021
  -15-mailboxes.conf: added Junk.TeachSpam and Junk.TeachNotSpam mailboxes to store messages for the learning/report system (more info here)
• March 17, 2021
  - 90-quota.conf: quota definition adjusted in this way quota = maildir:: as the GETQUOTA command was not returning the quota (thanks a.key)
• March 2, 2021
  - added domains limits support to password_query (you have to compile vpopmail --enable-mysql-limits)
• January 29, 2021
  - auth-sql.conf.ext now uses the userdb's prefetch driver in order to perform one single query when doing the auth
  - dovecot-sql.conf.ext has been modified to allow authentication both with real and alias domains, provided that you patched vpopmail accordingly. More info in this page.
  - the iterate_query in the sql driver now extracts the "user" field (was "username") as required by the docs.

Info

• Info: http://www.dovecot.org/
• Documentazione: https://doc.dovecot.org/
• Mail Server overview: http://wiki2.dovecot.org/MailServerOverview (chiuso!? qualcuno conosce un mirror della vecchia wiki?)
• Scarica: http://www.dovecot.org/releases/2.3/
• Versione usata: dovecot-2.3.21.1

Dovecot è un mail server IMAP e POP3 open-source per sistemi Linux/UNIX, scritto con la sicurezza in mente come prima cosa. Dovecot è una scelta eccellente sia per piccole che per grandi installazioni. E' veloce, semplice da installare, non richiede particolari operazioni di amministrazione e usa molta poca memoria.

Dovecot è semplice da configurare, il progetto è vivo e la documentazione è ricca e ben organizzata.

Ho trovato Dovecot così amichevole che ho deciso di lasciare qmail-pop3d e usare Dovecot non solo come IMAP ma anche come un server POP3. Mostrerò anche come configurare una connessione sicura.

Installazione

DOVECOT_VER=2.3.21.1

cd /usr/local/src
wget https://www.dovecot.org/releases/2.3/dovecot-${DOVECOT_VER}.tar.gz
tar xzf dovecot-${DOVECOT_VER}.tar.gz
chown -R root:root dovecot-${DOVECOT_VER}
cd dovecot-${DOVECOT_VER}

./configure \
        --prefix=/usr/local/dovecot \
        --with-sql \
        --with-mysql \
        --with-docs \
        --with-ssl \
        --without-shadow \
        --without-pam \
        --without-ldap \
        --without-pgsql \
        --without-sqlite \
        --with-solr

Install prefix . : /usr/local/dovecot 
File offsets ... : 64bit 
I/O polling .... : epoll 
I/O notifys .... : inotify 
SSL ............ : yes (OpenSSL) 
GSSAPI ......... : no 
passdbs ........ : static passwd passwd-file checkpassword sql 
                 : -shadow -pam -bsdauth -ldap 
userdbs ........ : static prefetch passwd passwd-file checkpassword sql 
                 : -ldap 
CFLAGS ......... : -std=gnu99 -g -O2 -fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -mfunction-return=keep -mindirect-branch=keep -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2   
SYSTEMD ........ : simple - (no unit file) 
SQL drivers .... : mysql 
                 : -pgsql -sqlite -cassandra 
Full text search : squat solr 
                 : -lucene

In caso di compilazione su ambienti systemd potrebbe essere necessario aggiungere l'opzione --with-systemd systemdsystemunitdir al configure (grazie a Bob Greco), per esempio:

--with-systemd
systemdsystemunitdir=/lib/systemd/system

E' bene controllare se SSL è stato rivelato e se il backend per l'autenticazione sql/mysql è supportato. Ora è possibile compilare:

make

Se la vecchia versione è ancora in esecuzione è necessario stopparla prima di installare e quindi sovrascrivere.

dovecotctl stop
rm /usr/local/dovecot
make install

cd /usr/local
mv dovecot dovecot-${DOVECOT_VER}
ln -s dovecot-${DOVECOT_VER} dovecot

Configurazione

Creiamo un utente e un gruppo dovecot e la cartella log.

groupadd dovecot
useradd -g dovecot dovecot
useradd -g dovecot dovenull

mkdir -p /usr/local/dovecot/var/run/dovecot
# vpopmail user must have access here
chmod -R o+rx /usr/local/dovecot/var/run/dovecot

mkdir -p /var/log/dovecot 
touch /var/log/dovecot/dovecot.log
chgrp vchkpw /var/log/dovecot/dovecot.log
chmod 660 /var/log/dovecot/dovecot.log

I file di configurazione devono essere copiati dalla cartella share/doc to etc/docevot

cd /usr/local/dovecot/etc/dovecot
cp -rp /usr/local/dovecot/share/doc/dovecot/example-config/* .

Modificare le variabili PATH e MANPATH (aggiungere una riga come questa anche a /etc/profile):

export PATH=$PATH:/usr/local/dovecot/bin
export MANPATH=$MANPATH:/usr/local/dovecot/share/manexport PATH=$PATH:/usr/local/dovecot/bin

Scarica i file di configurazione

• Scarica da qui

Se non vuoi avere il problema di modificare tutti i file di configurazione e sei orientato a seguire più o meno alla lettera le indicazioni che seguono puoi scaricare i miei file di configurazione e modificare solo un minimo di righe.

cd /usr/local/dovecot
mv etc etc-bak
wget http://notes.sagredo.eu/files/qmail/dovecot/dovecot.conf.tar.gz
tar xzf dovecot.conf.tar.gz
mv dovecot-etc etc
cd etc/dovecot
chown -R root:root .

dovecot.conf

protocols = imap pop3
# delete IP6 addresses here
listen = *
dict {
 #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
 #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
!include conf.d/*.conf
!include_try local.conf

Notare che tutti i file conf.d/*.conf saranno inclusi, quindi è necessario rinominare ciò che non si vuole caricare.

10-auth.conf

# if the roundcube connection is from the local net this is secure provided that the 143 port is firewalled for the outnet
# put yes if you have rounducube on localhost
disable_plaintext_auth = no
# To append @domain to username in plaintext logins
auth_default_realm = defaultdomain.net
auth_mechanisms = plain login # the sql drivers requires that the pwd is transmitted with no encryption
# !include auth-system.conf.ext # now commented
# !include auth-vpopmail.conf.ext # commented
!include auth-sql.conf.ext

A partire dalla versione 2.3.13 il driver vpopmail-auth è stato rimosso da Dovecot. Colro che volessero rimanere con il vecchio driver per vpopmail possono fare riferimento alla patch mantenuta da Ali Erturk TURKER, che riporta in vita in driver originario per vpopmail.

Quanto segue invece riguarda la configurazione del driver sql. Il motivo per cui sql secondo me è migliore è che vpopmail manca della possibilità di fare iterazioni con dovadm, cosa necessaria per l'expunge dello spam e dei vecchi messaggi del cestino.

Il driver sql (almeno per come l'ho settato io) richiede la trasmissione plain delle password. Questo non è un problema se chiudiamo le porte 110 e 143 non sicure. Piuttosto ricordarsi di settare dovecot per non passare la password in MD5.

auth-sql.conf.ext

• Esempi con user e domain limits qui https://wiki.dovecot.org/AuthDatabase/VPopMail (chiuso!?)

passdb {
  driver = sql
  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
  args = /usr/local/dovecot/etc/dovecot/dovecot-sql.conf.ext
}

# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
# <doc/wiki/UserDatabase.Prefetch.txt>
userdb {
  driver = prefetch
}

# This is needed for LDA and the iteration feature. They both need a userdb sql query.
# The order of the declared drivers is important. Leave this at the end, otherwise
# it will be used also for the login instead of the prefetch, which is faster.
userdb {
  driver = sql
  args = /usr/local/dovecot/etc/dovecot/dovecot-sql.conf.ext
}

dovecot-sql.conf.ext

NB: la password_query richiede ora che si sia creata la tabella aliasdomains su mysql come spiegato qui. Se invece non si ha intenzione di usare aliasdomains su mysql è possibile usare questo altro file e rinominarlo dovecot-sql.conf.ext. Se invece sei indeciso lascia le cose come vengono spiegate qui sotto.

# This file is opened as root, so it should be owned by root and mode 0600.
#
# Database driver: mysql, pgsql, sqlite
driver = mysql

# Database connection string. This is driver-specific setting.
#
connect = host=[MySQL IP] dbname=vpopmail user=vpopmail password=[PASSWORD]

# Default password scheme.
#
default_pass_scheme = SHA512-CRYPT

# passdb query to retrieve the password. It can return fields:
#   password - The user's password. This field must be returned.
#   user - user@domain from the database. Needed with case-insensitive lookups.
#   username and domain - An alternative way to represent the "user" field.
#
# The "user" field is often necessary with case-insensitive lookups to avoid
# e.g. "name" and "nAme" logins creating two different mail directories. If
# your user and domain names are in separate fields, you can return "username"
# and "domain" fields instead of "user".
#
# The query can also return other fields which have a special meaning, see
# https://doc.dovecot.org/configuration_manual/authentication/password_database_extra_fields/
#
# Commonly used available substitutions (see
# https://doc.dovecot.org/configuration_manual/config_file/config_variables/
# for full list):
#   %u = entire user@domain
#   %n = user part of user@domain
#   %d = domain part of user@domain
#
# Note that these can be used only as input to SQL query. If the query outputs
# any of these substitutions, they're not touched. Otherwise it would be
# difficult to have eg. usernames containing '%' characters.
#
# Example:
#   password_query = SELECT userid AS user, pw AS password \
#     FROM users WHERE userid = '%u' AND active = 'Y'
#
# (Thanks to Arturo Blanco for his hints concerning vpopmail limits
#  and to Alexandre Fonceca for quota_rule addition)
#
# NB: This query requires that the sql-aliasdomains patch has been installed
#     and that you have the aliasdomains dbtable
#     More info here https://notes.sagredo.eu/en/qmail-notes-185/dovecot-vpopmail-auth-driver-removal-migrating-to-the-sql-driver-241.html
password_query = \
	SELECT \
		CONCAT(vpopmail.pw_name, '@', vpopmail.pw_domain) AS user, \
  		vpopmail.pw_passwd AS password, \
                vpopmail.pw_dir AS userdb_home, \
                89 AS userdb_uid, \
                89 AS userdb_gid, \
                CONCAT('*:bytes=', REPLACE(SUBSTRING_INDEX(vpopmail.pw_shell, 'S', 1), 'NOQUOTA', '0')) AS userdb_quota_rule \
	FROM vpopmail \
		LEFT JOIN aliasdomains ON aliasdomains.alias='%d' \
                LEFT JOIN limits ON limits.domain = '%d' \
	WHERE \
		vpopmail.pw_name='%n' \
		AND \
		(vpopmail.pw_domain='%d' OR vpopmail.pw_domain=aliasdomains.domain) \
                AND \
                ('%a'!='995' OR !(vpopmail.pw_gid & 2)) \
                AND \
                ('%r'!='<WEBMAIL-IP>' OR !(vpopmail.pw_gid & 4)) \
                AND \
                ('%r'='<WEBMAIL-IP>' OR '%a'!='993' OR !(vpopmail.pw_gid & 8)) \
                AND \ 
                ('%r'!='<WEBMAIL-IP>' OR COALESCE(disable_webmail,0)!=1) \ 
                AND \ 
                ('%r'='<WEBMAIL-IP>' OR COALESCE(disable_imap,0)!=1)

# <WEBMAIL-IP> is the IP of your webmail web server. 
# I'm assuming that the imap connection is only on port 993 and the pop3 connection is on port 995. 
# Adjust to your needs 
# 
# logically this means: 
# 
# ************************** USER LIMITS via vpopmail.pw_gid filed 
# SELECT user 
# WHEN POP is not disabled for that user connecting on port 995 (995 is the pop3s port allowed from remote in my configuration) 
# AND WHEN webmail access is not disabled for that user when connecting from <WEBMAIL-IP> 
# AND WHEN IMAP is not disabled for that user connecting on port 993 (993 is the imap port allowed from remote 
# in my configuration) unless his remote ip the one belonging to the webmail 
# 
# ************************* DOMAIN LIMITS via limits table 
# AND WHEN WEBMAIL access for the domain is not disabled 
# AND WHEN IMAP access for the domain is not disabled when not connecting from <WEBMAIL-IP>


# userdb query to retrieve the user information. It can return fields:
#   uid - System UID (overrides mail_uid setting)
#   gid - System GID (overrides mail_gid setting)
#   home - Home directory
#   mail - Mail location (overrides mail_location setting)
#
# None of these are strictly required. If you use a single UID and GID, and
# home or mail directory fits to a template string, you could use userdb static
# instead.
#
# Examples:
#   user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
#   user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
#   user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
#
# This query is for the iteration feature (no need to use aliasdomains here)
user_query = \
        SELECT \
                vpopmail.pw_dir AS home, \
                89 AS uid, \
                89 AS gid \
        FROM vpopmail \
        WHERE \
                vpopmail.pw_name='%n' \
                AND \
                vpopmail.pw_domain='%d'

# Query to get a list of all usernames.
iterate_query = SELECT CONCAT(pw_name,'@',pw_domain) AS user FROM vpopmail

Poichè questo file contiene la password di accesso a mysql ed è aperto solo da rott, bisogna settarne i permessi:

chmod go-wrx dovecot-sql.conf.ext

"One table per domain" query

• Scarica la procedura sql

La soluzione precedente deve essere migliorata quando si salvano gli account in una tabella separata per ogni dominio (--disable-many-domains), perchè è necessario recuparare il dominio reale in caso di alias, calcolare la tabella del database di conseguenza e quindi eseguire la password_query e la user_query. Per eseguire questo compito è necessario far uso delle "stored procedures" del linguaggio sql (ringrazio Pablo Murillo per avermi passato un suo esempio iniziale che mi ha messo sulla buona strada).

Ho dunque creato una procedura chiamata "dovecot_password_query_disable_many_domains" che si occupa di eseguire in backgriound tutto ciò che è il lavoro sporco in linguaggio sql restituendo in uscita le nostre query con il dominio reale cercato e la tabella utenti corretta:

password_query = CALL dovecot_password_query_disable_many_domains('%n','%d','127.0.0.1','%r','%a')
user_query = CALL dovecot_user_query_disable_many_domains('%n','%d')

Per installare le procedure è necessario scaricare ed eseguire il codice qui sotto come segue:

wget https://notes.sagredo.eu/files/qmail/patches/vpopmail/disable-many-domains_procedures.txt
mysql < dovecot-pwd-query_disable-many-domains.txt -u root -p

10-director.conf

Se non si vuole usare il servizio Director rinominare il file di configurazione, di modo che non venga caricato:

mv 10-director.conf 10-director.conf.disabled

10-logging.conf

Impostare il file log. Personalmente preferisco avere un logfile dedicato per dovecot (per default è syslog)

log_path = /var/log/dovecot/dovecot.log
plugin {
}

Logrotate

Salvare lo script qui sotto come /etc/logrotate.d/dovecot:

cat > /etc/logrotate.d/dovecot << __EOF__
/var/log/dovecot/*.log {
missingok
notifempty
delaycompress
sharedscripts
postrotate
/usr/local/dovecot/bin/doveadm log reopen
endscript
}
__EOF__

10-mail.conf

Dobbiamo dire a Dovecot qual è la locazione delle mailbox. Dovecot cercherà la cartella Maildir nella home directory (%h):

mail_location = maildir:%h/Maildir
namespace inbox {
  inbox = yes
}

Impostare a 89 (userid dell'utente vpopmail) mail_uid e mail_gid. Lo stesso per quanto riguarda first/last id dal momento che vogliamo gestire solo utenti vpopmail:

mail_uid = 89
mail_gid = 89

mail_privileged_group = 89
mail_access_groups = 89

first_valid_uid = 89
last_valid_uid = 89

first_valid_gid = 89
last_valid_gid = 89

Creare la cartella per il socket:

mkdir -p /usr/local/dovecot/var/run/dovecot

Impostare il socket e la cartella dei plugin:

auth_socket_path = /usr/local/dovecot/var/run/dovecot/auth-userdb
mail_plugin_dir = /usr/local/dovecot/lib/dovecot
mail_plugins = $mail_plugins quota

Infine è necessario abilitare questa opzione a causa dei problemi dovuti al bug (ora riparato) nella patch maildir++ per qmail patch (grazie a MG)

##
## Maildir-specific settings
##

# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
# getting the mail's physical size, except when recalculating Maildir++ quota.
# This can be useful in systems where a lot of the Maildir filenames have a
# broken size. The performance hit for enabling this is very small.
maildir_broken_filename_sizes = yes

Altre opzioni (maggiori info qui):

# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are 
# also required for IMAP NOTIFY extension to be enabled. 
mailbox_list_index = yes

# The fields specified here are always added to cache when saving mails, 
# even if the client never accesses these fields. 
mail_always_cache_fields = date.save

File 10-master.conf

Prima di continuare legge questo con cura.

#default_process_limit = 100
#default_client_limit = 1000

# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M

# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
default_login_user = vpopmail

# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
default_internal_user = dovecot

service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1

  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = $default_vsz_limit
}

service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}

service lmtp {
  unix_listener lmtp {
    #mode = 0666
  }

  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port = 
  #}
}

service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = $default_vsz_limit

  # Max. number of IMAP processes (connections)
  #process_limit = 1024
  # executable = imap postlogin
}

service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
  # executable = pop3 postlogin
}

# Updates the vpopmail.lastauth SQL table on login. Uncomment the executable line on imap and pop3 services
service postlogin {
 executable = script-login /usr/local/dovecot/etc/dovecot_postlogin.sh
 user = $default_login_user
 unix_listener postlogin {
 user = vpopmail
 group = vchkpw
 mode = 0660
 }
}

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    mode = 0600
    user = vpopmail
    group = vchkpw
  }

  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}

  # Auth process is run as this user.
  user = $default_internal_user
}

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  user = $default_internal_user
}

service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user = 
    #group = 
  }
}

# The following lines concerning stats service's configuration are not part of the example configuration file shipped by Dovecot.
# I'm adding them becasue in v.2.3.9.3 I found a "Permission denied" error for /var/run/dovecot/stats-writer in my qmail-send log
service stats {
  unix_listener stats-reader {
    user = vpopmail
    group = vchkpw
    mode = 0660
  }
  unix_listener stats-writer {
    user = vpopmail
    group = vchkpw
    mode = 0660
  }
}

E' possibile lanciare l'esecuzione di uno script postlogin /usr/local/dovecot/etc/dovecot_postlogin.sh per aggiornare la tabella SQL vpopmail.lastauth dopo il login. In questo caso è necessario decommentare la riga "executable" nei servizi imap e pop3.

10-ssl.conf

Naturalmente vogliamo abilitarre il supporto SSL. Prima di tutto creiamo un certificato SSL auto-firmato. Dovecot include uno script per generare il certificato SSL usando  OpenSSL. Nella directory sorgente questo file esiste in  doc/mkcert.sh:

cd /usr/local/src/dovecot/doc

mkcert.sh creerà il certificato SSL. Prima di lanciare mkcert.sh bisogna personalizzare il certificato modificando il file dovecot-openssl.cnf (nella stessa cartella):

> nano dovecot-openssl.cnf

[ req ]
default_bits = 4096
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
C=IT

# State or Province Name (full name)
ST=Italy

# Locality Name (eg. city)
L=MyLocality

# Organization (eg. company)
O=My Organization Name

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
CN=mymailserver.net

# E-mail contact
emailAddress=postmaster@mymailserver.net

[ cert_type ]
nsCertType = server

Ora siamo pronti a creare il certificato SSL:

# sh mkcert.sh

e i file  /etc/ssl/private/dovecot.pem e /etc/ssl/certs/dovecot.pem sono stati creati. Si ricordino le loro locazioni perchè poi bisogna inserirle in 10-ssl.conf:

ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem

Ricordare di disabilitare SSLv3 perchè ormai obsoleto:

ssl_min_protocol = TLSv1

Generare un nuovo parametro SSH DH dalla linea di comando come segue:

openssl dhparam -out /usr/local/dovecot/etc/dh.pem 4096

e modificare di conseguenza il parametro ssl_dh:

ssl_dh = </usr/local/dovecot/etc/dh.pem

Installare un certificato SSL valido

Una volta che il server è stato testato, prima di andare in produzione, sarà il caso di rimpiazzare il certificato provvisorio creato con uno valido fornito da Let's Encrypt. Per maggiori dettagli si veda la pagina apposita.

Una volta ottenuto il certificato sarà sufficiente modificare come segue le seguenti du linee del file 10-ssl.conf:

ssl_cert = </etc/dehydrated/certs/mx.mydomain.tld/fullchain.pem
ssl_key = </etc/dehydrated/certs/mx.mydomain.tld/privkey.pem

15-lda.conf

Come già detto dovecot agirà anche come una LDA dato che vogliamo gestire le sieve rules e i filtri delle email in arrivo.

postmaster_address = postmaster@yourdomain.net
hostname = mail.yourdomain.net

submission_host = 0.0.0.0:25

# the next two to auto create folders
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes

protocol lda {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins quota # if you want to use sieve put sieve here
}

15-mailboxes.conf

La variabile autoexpunge assicura la cancellazione dei vecchi messaggi dalle cartelle Trash e Junk dopo un certo numero di giorni.

namespace inbox {

  #mailbox name {
    # auto=create will automatically create this mailbox.
    # auto=subscribe will both create and subscribe to the mailbox.
    #auto = no

    # Space separated list of IMAP SPECIAL-USE attributes as specified by
    # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash
    #special_use =
  #}

  # These mailboxes are widely used and could perhaps be created automatically:
  mailbox Drafts {
    special_use = \Drafts
    auto = subscribe
  }
  mailbox Junk {
    special_use = \Junk
    auto = subscribe
    autoexpunge = 30d
  }
  mailbox "Junk.TeachSpam" { 
    auto = subscribe 
    autoexpunge = 5d 
  } 
  mailbox "Junk.TeachNotSpam" { 
    auto = subscribe 
    autoexpunge = 30d 
  }
  mailbox Trash {
    special_use = \Trash
    auto = subscribe
    autoexpunge = 60d
  }

  # For \Sent mailboxes there are two widely used names. We'll mark both of
  # them as \Sent. User typically deletes one of them if duplicates are created.
  mailbox Sent {
    special_use = \Sent
    auto = subscribe
 }
#  mailbox "Sent Messages" {
#    special_use = \Sent
#    auto = subscribe
# }
}

20-imap.conf

protocol imap {
  mail_plugins = $mail_plugins imap_quota
}

20-lmtp.conf

Se non si vuole abilitare il supporto per il proxying ad altri server LMTP/SMTP si disabiliti lmtp:

mv 20-lmtp.conf 20-lmtp.conf.disabled

20-pop3.conf

protocol pop3 {
  mail_plugins = $mail_plugins quota
}

90-plugin.conf

##
## Plugin settings
##

# All wanted plugins must be listed in mail_plugins setting before any of the
# settings take effect. See <doc/wiki/Plugins.txt> for list of plugins and
# their configuration. Note that %variable expansion is done for all values.

plugin {
#setting_name = value
}

90-quota.conf

Abilitare la funzionalità maildir++

quota = maildir::