ISPMail on RHEL (Part Four)

Configuring Dovecot

Dovecot is the POP3/IMAP server, and we also use it to provide user authentication when sending email. Because I consider POP3 obsolete, I'm going to suggest disabling it.

Throughout this article we're going to modify files in the /etc/dovecot/conf.d/ directory to fit our needs.

10-auth.conf

In this file we configure the authentication mechanisms and the served protocols.

auth_mechanisms = plain login

Note: login is required for Outlook users; if you're an Outlook hater or a NoMicrosoft purist, you know what to do. I prefer letting users choose their own way.

disable_plaintext_auth = yes

I removed the # that commented out this option, so that authentication is explicitly allowed only over a TLS-encrypted connection; it should be the default, but better to be explicit!

#!include auth-system.conf.ext
!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-static.conf.ext

This enables SQL as the auth backend. We will configure the details later!

The default served protocols are the ones below:

# Protocols we want to be serving.
#protocols = imap pop3 lmtp submission

As stated above, I consider POP3 obsolete, so I prefer to remove it from the served protocols:

# Protocols we want to be serving.
protocols = imap lmtp

Note: lmtp is used for communication between Postfix and dovecot.

dovecot-sql.conf.ext

This file defines how authentication data is fetched from an SQL database. It is not created automatically on AlmaLinux, so you have to create it from scratch.

driver = sqlite
connect = /etc/dovecot/mailserver.db
default_pass_scheme = SHA256-CRYPT
user_query = SELECT email AS user, '/var/vmail/%d/%n' AS home, 5000 AS uid, 5000 AS gid FROM virtual_users WHERE email='%u'
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u'
iterate_query = SELECT email AS user FROM virtual_users

Once editing is done, save and fix the permissions and ownership:

chown root:root /etc/dovecot/dovecot-sql.conf.ext
chmod go= /etc/dovecot/dovecot-sql.conf.ext
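To see what the three queries above actually return for a login name, here is an added example (not part of the original article or of Dovecot) that builds a throw-away copy of the mailserver.db layout in memory and runs them. The virtual_users schema is an assumption: the article only reveals the table name and the email and password columns. Dovecot SQL-escapes %u before substituting it; running the same queries with bound parameters gives the equivalent protection. The %d/%n expansion in the home path is reproduced in expand_home().

```python
import sqlite3
from typing import Optional

# Assumed schema: the article's queries only name the table virtual_users
# and the columns email and password, so this minimal table is a guess.
SCHEMA = """
CREATE TABLE virtual_users (
    id       INTEGER PRIMARY KEY,
    email    TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL
);
"""

# The queries from dovecot-sql.conf.ext with Dovecot's %u placeholder turned
# into a bound parameter; '/var/vmail/%d/%n' is pre-expanded and bound as well.
USER_QUERY = ("SELECT email AS user, ? AS home, 5000 AS uid, 5000 AS gid "
              "FROM virtual_users WHERE email=?")
PASSWORD_QUERY = "SELECT email AS user, password FROM virtual_users WHERE email=?"
ITERATE_QUERY = "SELECT email AS user FROM virtual_users"

# Constructed placeholder in the SHA256-CRYPT ($5$) layout that
# 'doveadm pw -s SHA256-CRYPT' produces; salt and digest are not real.
EXAMPLE_HASH = "$5$rounds=5000$constructedsalt$placeholderdigestnotarealhash"


def expand_home(user: str) -> str:
    """Expand '/var/vmail/%d/%n' as Dovecot does: %d = domain, %n = local part."""
    local_part, _, domain = user.partition("@")
    return f"/var/vmail/{domain}/{local_part}"


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for /etc/dovecot/mailserver.db with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO virtual_users (email, password) VALUES (?, ?)",
                 ("john@example.org", EXAMPLE_HASH))
    conn.commit()
    return conn


def lookup_user(conn: sqlite3.Connection, user: str) -> Optional[dict]:
    """Run user_query for a login name; None means the userdb lookup fails."""
    row = conn.execute(USER_QUERY, (expand_home(user), user)).fetchone()
    if row is None:
        return None
    return {"user": row[0], "home": row[1], "uid": row[2], "gid": row[3]}


def lookup_password(conn: sqlite3.Connection, user: str) -> Optional[str]:
    """Run password_query; returns the stored hash, or None for unknown users."""
    row = conn.execute(PASSWORD_QUERY, (user,)).fetchone()
    return None if row is None else row[1]


def iterate_users(conn: sqlite3.Connection) -> list:
    """Run iterate_query, which 'doveadm user -A' style operations rely on."""
    return [r[0] for r in conn.execute(ITERATE_QUERY)]


if __name__ == "__main__":
    db = open_db()
    print(lookup_user(db, "john@example.org"))
    print(lookup_password(db, "john@example.org"))
    print(iterate_users(db))
```

Note that the exact-match WHERE clause means a name with a different domain, or with stray characters appended, simply returns no row; Dovecot then rejects the login instead of falling through to some other account.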

10-mail.conf

Edit the following:

mail_location = maildir:~/Maildir

This is the directory where dovecot places and reads mail files.

separator = .

Hierarchy separator for IMAP folders; be careful when migrating data from older versions of Christoph's guide; when installing a brand new instance, pick the separator that suits you best.

10-master.conf

Locate the service auth section and modify the following:

service auth {
  # (the other listeners already in this section stay as they are)

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# Postfix smtp-lmtp
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}

The Postfix smtp-auth part above lets Postfix use dovecot as its authentication service by creating a Unix socket that postfix can read and write. The Postfix smtp-lmtp part lets Postfix deliver email to dovecot, which stores it in the local mail directory.

10-ssl.conf

ssl = required

This enforces SSL/TLS encryption; it should already be the default.

ssl_cert = </etc/letsencrypt/live/webmail.example.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/webmail.example.org/privkey.pem

This instructs dovecot to use the real certificates instead of the snakeoil ones. Of course, replace webmail.example.org with the actual directory of your certificates!

20-lmtp.conf

We modify this file to enable sieve server-side rules:

protocol lmtp {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins sieve
}

Restarting dovecot

Once all the modifications have been done, you can restart dovecot and check that everything works as expected.

# systemctl restart dovecot
# systemctl status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
     Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; preset: disabled)
     Active: active (running) since Fri 2025-01-17 15:56:15 UTC; 2s ago
       Docs: man:dovecot(1)
             https://doc.dovecot.org
    Process: 48424 ExecStartPre=/usr/libexec/dovecot/prestartscript (code=exited, status=0/SUCCESS)
   Main PID: 48430 (dovecot)
     Status: "v2.3.16 (7e2e900c1a) running"
      Tasks: 4 (limit: 22956)
     Memory: 5.3M
        CPU: 70ms
     CGroup: /system.slice/dovecot.service
             ├─48430 /usr/sbin/dovecot -F
             ├─48431 dovecot/anvil
             ├─48432 dovecot/log
             └─48433 dovecot/config
Jan 17 15:56:15 vps07 systemd[1]: Starting Dovecot IMAP/POP3 email server...
Jan 17 15:56:15 vps07 dovecot[48430]: master: Dovecot v2.3.16 (7e2e900c1a) starting up for imap, lmtp
Jan 17 15:56:15 vps07 systemd[1]: Started Dovecot IMAP/POP3 email server.

Verifications

In the /var/spool/postfix/private directory, the following Unix sockets must be present:

# pwd
/var/spool/postfix/private
# ls -l
total 0
srw-rw-rw-. 1 postfix postfix 0 Mar 13 14:52 anvil
srw-rw----. 1 postfix postfix 0 Mar 14 15:13 auth
srw-rw-rw-. 1 postfix postfix 0 Mar 13 14:52 bounce
srw-rw-rw-. 1 postfix postfix 0 Mar 13 14:52 defer
srw-rw-rw-. 1 postfix postfix 0 Mar 13 14:52 discard
srw-------. 1 postfix postfix 0 Mar 14 15:13 dovecot-lmtp
srw-rw-rw-. 1 postfix postfix 0 Mar 13 14:52 error
srw-rw-rw-. 1 postfix postfix 0 Mar 13 14:52 lmtp
srw-rw-rw-. 1 postfix postfix 0 Mar 13 14:52 local
srw-rw-rw-. 1 postfix postfix 0 Mar 13 14:52 proxymap
srw-rw-rw-. 1 postfix postfix 0 Mar 13 14:52 proxywrite
srw-rw-rw-. 1 postfix postfix 0 Mar 13 14:52 relay
srw-rw-rw-. 1 postfix postfix 0 Mar 13 14:52 retry
srw-rw-rw-. 1 postfix postfix 0 Mar 13 14:52 rewrite
srw-rw-rw-. 1 postfix postfix 0 Mar 13 14:52 scache
srw-rw-rw-. 1 postfix postfix 0 Mar 13 14:52 smtp
srw-rw-rw-. 1 postfix postfix 0 Mar 13 14:52 tlsmgr
srw-rw-rw-. 1 postfix postfix 0 Mar 13 14:52 trace
srw-rw-rw-. 1 postfix postfix 0 Mar 13 14:52 verify
srw-rw-rw-. 1 postfix postfix 0 Mar 13 14:52 virtual
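Reading that listing by eye is error-prone, so here is an added example (my own script, not part of the article or of Dovecot) that checks the two sockets Dovecot creates for Postfix against the modes configured in 10-master.conf: auth must be 0660 and dovecot-lmtp 0600, both owned by postfix, and both must really be sockets rather than stale regular files. The directory and owner are parameters so it can be pointed at a test directory; the owner check is skipped on hosts that have no postfix account.

```python
import os
import pwd
import stat
import sys
from typing import Dict, List

# Sockets Dovecot creates for Postfix (from 10-master.conf) and the modes the
# article configures for them; everything else in the directory is Postfix's own.
EXPECTED = {
    "auth": 0o660,          # Postfix smtp-auth: postfix reads and writes
    "dovecot-lmtp": 0o600,  # Postfix smtp-lmtp: postfix alone, no group access
}

DEFAULT_DIR = "/var/spool/postfix/private"


def check_sockets(directory: str, expected: Dict[str, int] = EXPECTED,
                  owner: str = "postfix") -> List[str]:
    """Return a list of problems; an empty list means the directory passes.

    For each expected name: the path exists, it is a Unix socket (not a regular
    file left behind by a failed start), its permission bits match exactly, and,
    when the expected owner account exists on this host, it is owned by it.
    """
    problems: List[str] = []
    try:
        want_uid = pwd.getpwnam(owner).pw_uid
    except KeyError:
        want_uid = None  # no such account here: skip the ownership check
    for name, mode in expected.items():
        path = os.path.join(directory, name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            problems.append(f"{name}: missing (is Dovecot running?)")
            continue
        if not stat.S_ISSOCK(st.st_mode):
            problems.append(f"{name}: not a socket")
            continue
        actual = stat.S_IMODE(st.st_mode)
        if actual != mode:
            problems.append(f"{name}: mode {actual:04o}, expected {mode:04o}")
        if want_uid is not None and st.st_uid != want_uid:
            problems.append(f"{name}: owned by uid {st.st_uid}, expected {owner}")
    return problems


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DIR
    found = check_sockets(target)
    for line in found:
        print(line)
    print("OK" if not found else f"{len(found)} problem(s)")
    sys.exit(1 if found else 0)
```

Run it as root after the restart (python3 check_sockets.py), or give it another directory as the first argument. A non-zero exit status makes it usable from a post-deployment check; the exact-mode comparison is deliberate, since a socket that is more permissive than configured (for example world-writable auth) is exactly the drift you want flagged.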

At this point dovecot can be tested with mutt; be sure you have a DNS entry for your IMAP server in your zone.

For further information on how to test with mutt: https://workaround.org/ispmail-bookworm/testing-imap/

Make Postfix use Dovecot for authentication

We don't rely on Postfix for user authentication; we use dovecot instead, so we modify Postfix accordingly.

All files to be modified are in the /etc/postfix directory.

main.cf

smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_auth_enable=yes
