Configure Dovecot service (5/7)
Installation of dovecot
[root@mailserver ~]# yum install dovecot dovecot-mysql dovecot-pigeonhole
[root@mailserver ~]# vim
/etc/dovecot/dovecot.conf
[root@mailserver ~]# cat
/etc/dovecot/dovecot.conf
## Dovecot configuration file
# If you're in a hurry, see
http://wiki2.dovecot.org/QuickConfiguration
# "doveconf -n"
command gives a clean output of the changed settings. Use it
# instead of copy&pasting
files when posting to the Dovecot mailing list.
# '#' character and everything
after it is treated as comments. Extra spaces
# and tabs are ignored. If you
want to use either of these explicitly, put the
# value inside quotes, eg.:
key = "# char and trailing whitespace "
# Most (but not all) settings
can be overridden by different protocols and/or
# source/destination IPs by
placing the settings inside sections, for example:
# protocol imap { }, local
127.0.0.1 { }, remote 10.0.0.0/8 { }
# Default values are shown for
each setting, it's not required to uncomment
# those. These are exceptions
to this though: No sections (e.g. namespace {})
# or plugin settings are added
by default, they're listed only as examples.
# Paths are also just examples
with the real defaults being based on configure
# options. The paths listed
here are for configure --prefix=/usr
# --sysconfdir=/etc
--localstatedir=/var
# Protocols we want to be
serving.
protocols
= imap pop3 lmtp
# A comma separated list of
IPs or hosts where to listen in for connections.
# "*" listens in all
IPv4 interfaces, "::" listens in all IPv6 interfaces.
....
Output obmitted
....
# in filenames are intended to
make it easier to understand the ordering.
!include conf.d/*.conf
# A config file can also tried
to be included without giving an error if
# it's not found:
!include_try local.conf
[root@mailserver ~]#
[root@mailserver ~]# vim
/etc/dovecot/conf.d/10-auth.conf
[root@mailserver ~]# cat
/etc/dovecot/conf.d/10-auth.conf
##
## Authentication processes
##
# Disable LOGIN command and
all other plaintext authentications unless
# SSL/TLS is used
(LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie.
you're connecting from the same computer), the
# connection is considered
secure and plaintext authentication is allowed.
# See also ssl=required
setting.
disable_plaintext_auth
= yes
#disable_plaintext_auth = no
# Authentication cache size
(e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail
require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached
data. After TTL expires the cached record is no
# longer used, *except* if the
main database lookup returns internal failure.
# We also try to handle
password changes automatically: If user's previous
....
Output Obmiited
....
# Take the username from
client's SSL certificate, using
# X509_NAME_get_text_by_NID()
which returns the subject's DN's
# CommonName.
#auth_ssl_username_from_cert =
no
# Space separated list of
wanted authentication mechanisms:
# plain login digest-md5
cram-md5 ntlm rpa apop anonymous gssapi otp skey
# gss-spnego
# NOTE: See also
disable_plaintext_auth setting.
auth_mechanisms
= plain login
##
## Password and user databases
##
#
# Password database is used to
verify user's password (and nothing more).
# You can have multiple
passdbs and userdbs. This is useful if you want to
# allow both system users
(/etc/passwd) and virtual users to login without
# duplicating the system users
into virtual database.
#
#
<doc/wiki/PasswordDatabase.txt>
#
# User database specifies
where mails are located and what user/group IDs
# own them. For single-UID
configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
#!include
auth-system.conf.ext
!include
auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include
auth-passwdfile.conf.ext
#!include
auth-checkpassword.conf.ext
#!include
auth-vpopmail.conf.ext
#!include auth-static.conf.ext
[root@mailserver ~]#
[root@mailserver ~]# vim
/etc/dovecot/conf.d/10-mail.conf
[root@mailserver ~]# cat
/etc/dovecot/conf.d/10-mail.conf
##
## Mailbox locations and
namespaces
##
# Location for users'
mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes
automatically. This won't work if the user
# doesn't yet have any mail,
so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving
a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also
need to tell Dovecot where the other mailboxes are
# kept. This is called the
"root mail directory", and it must be the first
# path given in the
mail_location setting.
#
# There are a few special
variables you can use, eg.:
#
# %u - username
# %n - user part in
user@domain, same as %u if there's no domain
# %d - domain part in
user@domain, empty if there's no domain
# %h - home directory
#
# See doc/wiki/Variables.txt
for full list. Some examples:
#
# mail_location =
maildir:~/Maildir
# mail_location =
mbox:~/mail:INBOX=/var/mail/%u
# mail_location =
mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
#mail_location =
mail_location
= maildir:/var/spool/mail/%d/%n
# If you need to set multiple
mailbox locations or want to change default
# namespace settings, you can
do it by defining namespace sections.
#
# You can have private, shared
and public namespaces. Private namespaces
# are for user's personal
mails. Shared namespaces are for accessing other
# users' mailboxes that have
been shared. Public namespaces are for shared
# mailboxes that are managed
by sysadmin. If you create any shared or public
# namespaces you'll typically
want to enable ACL plugin also, otherwise all
....
Output Obmitted
....
# Group to enable temporarily
for privileged operations. Currently this is
# used only with INBOX when
either its initial creation or dotlocking fails.
# Typically this is set to
"mail" to give access to /var/mail.
mail_privileged_group
= mail
# Grant access to these
supplementary groups for mail processes. Typically
# these are used to set up
access to shared mailboxes. Note that it may be
# dangerous to set these if
users can create symlinks (e.g. if "mail" group is
# set here, ln -s /var/mail
~/mail/var could allow a user to delete others'
# mailboxes, or ln -s
/secret/shared/box ~/mail/mybox would allow reading it).
mail_access_groups
= mail
# Allow full filesystem access
to clients. There's no access checks other than
# what the operating system
does for the active UID/GID. It works with both
# maildir and mboxes, allowing
you to prefix mailboxes names with eg. /path/
# or ~user/.
#mail_full_filesystem_access =
no
# Dictionary for key=value
mailbox attributes. Currently used by URLAUTH, but
# soon intended to be used by
METADATA as well.
#mail_attribute_dict =
##
## Mail processes
##
# Don't use mmap() at all.
This is required if you store indexes to shared
# filesystems (NFS or
clustered filesystem).
#mmap_disable = no
mmap_disable
= yes
# Rely on O_EXCL to work when
creating dotlock files. NFS supports O_EXCL
# since version 3, so this
should be safe to use nowadays by default.
#dotlock_use_excl = yes
# When to use fsync() or
fdatasync() calls:
# optimized (default):
Whenever necessary to avoid losing important data
# always: Useful with e.g.
NFS when write()s are delayed
# never: Never use it (best
performance, but crashes can lose data)
#mail_fsync = optimized
# Mail storage exists in NFS.
Set this to yes to make Dovecot flush NFS caches
# whenever needed. If you're
using only a single mail server this isn't needed.
#mail_nfs_storage = no
# Mail index files also exist
in NFS. Setting this to yes requires
# mmap_disable=yes and
fsync_disable=no.
#mail_nfs_index = no
# Locking method for index
files. Alternatives are fcntl, flock and dotlock.
# Dotlocking uses some tricks
which may create more disk I/O than other locking
# methods. NFS users: flock
doesn't work, remember to change mmap_disable.
#lock_method = fcntl
# Directory in which LDA/LMTP
temporarily stores incoming mails >128 kB.
#mail_temp_dir = /tmp
# Valid UID range for users,
defaults to 500 and above. This is mostly
# to make sure that users
can't log in as daemons or other system users.
# Note that denying root
logins is hardcoded to dovecot binary and can't
# be done even if
first_valid_uid is set to 0.
#first_valid_uid = 500
first_valid_uid
= 8
#last_valid_uid = 0
# Valid GID range for users,
defaults to non-root/wheel. Users having
# non-valid GID as primary
group ID aren't allowed to log in. If user
# belongs to supplementary
groups with non-valid GIDs, those groups are
# not set.
#first_valid_gid = 1
first_valid_gid
= 12
#last_valid_gid = 0
# Maximum allowed length for
mail keyword name. It's only forced when trying
# to create new keywords.
#mail_max_keyword_length = 50
....
Output Obmitted
....
#mail_attachment_fs = sis
posix
# Hash format to use in
attachment filenames. You can add any text and
# variables: %{md4}, %{md5},
%{sha1}, %{sha256}, %{sha512}, %{size}.
# Variables can be truncated,
e.g. %{sha256:80} returns only first 80 bits
#mail_attachment_hash =
%{sha1}
[root@mailserver ~]#
[root@mailserver ~]# vim
/etc/dovecot/conf.d/10-master.conf
[root@mailserver ~]# cat
/etc/dovecot/conf.d/10-master.conf
#default_process_limit = 100
#default_client_limit = 1000
# Default VSZ (virtual memory
size) limit for service processes. This is mainly
# intended to catch and kill
processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M
# Login user is internally
used by login processes. This is the most untrusted
# user in Dovecot system. It
shouldn't have access to anything at all.
#default_login_user = dovenull
....
Output Obmitted
....
service auth {
# auth_socket_path points to
this userdb socket by default. It's typically
# used by dovecot-lda,
doveadm, possibly imap process, etc. Users that have
# full permissions to this
socket are able to get a list of all usernames and
# get the results of
everyone's userdb lookups.
#
# The default 0666 mode
allows anyone to connect to the socket, but the
# userdb lookups will
succeed only if the userdb returns an "uid" field that
# matches the caller
process's UID. Also if caller's uid or gid matches the
# socket's uid or gid the
lookup succeeds. Anything else causes a failure.
#
# To give the caller full
permissions to lookup all users, set the mode to
# something else than 0666
and Dovecot lets the kernel enforce the
# permissions (e.g. 0777
allows everyone full permissions).
unix_listener
auth-userdb {
mode
= 0600
user
= mail
group
= mail
}
# Postfix smtp-auth
unix_listener
/var/spool/postfix/private/auth {
mode
= 0660
user
= postfix
group
= postfix
}
# Auth process is run as
this user.
#user =
$default_internal_user
}
service auth-worker {
# Auth worker process is run
as root by default, so that it can access
# /etc/shadow. If this isn't
necessary, the user should be changed to
# $default_internal_user.
#user = root
}
service dict {
# If dict proxy is used,
mail processes should have access to its socket.
# For example: mode=0660,
group=vmail and global mail_access_groups=vmail
unix_listener dict {
#mode = 0600
#user =
#group =
}
}
[root@mailserver ~]#
[root@mailserver ~]# vim
/etc/dovecot/conf.d/10-ssl.conf
[root@mailserver ~]# cat
/etc/dovecot/conf.d/10-ssl.conf
##
## SSL settings
##
# SSL/TLS support: yes, no,
required. <doc/wiki/SSL.txt>
# disable plain pop3 and imap,
allowed are only pop3+TLS, pop3s, imap+TLS and imaps
# plain imap and pop3 are
still allowed for local connections
#ssl = required
ssl
= yes
# PEM encoded X.509 SSL/TLS
certificate and private key. They're opened before
# dropping root privileges, so
keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh
can be used to easily generate self-signed
# certificate, just make sure
to update the domains in dovecot-openssl.cnf
#ssl_cert =
</etc/pki/dovecot/certs/dovecot.pem
#ssl_key =
</etc/pki/dovecot/private/dovecot.pem
ssl_cert
= </etc/pki/tls/certs/mailserver.example.com.crt
ssl_key
= </etc/pki/tls/certs/mailserver.example.com.key
# If key file is password
protected, give the password here. Alternatively
# give it when starting
dovecot with -p parameter. Since this file is often
# world-readable, you may want
to place this setting instead to a different
# root owned 0600 file by
using ssl_key_password = <path.
#ssl_key_password =
# PEM encoded trusted
certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes.
The file should contain the CA certificate(s)
# followed by the matching
CRL(s). (e.g. ssl_ca = </etc/pki/dovecot/certs/ca.pem)
#ssl_ca =
# Require that CRL check
succeeds for client certificates.
#ssl_require_crl = yes
....
Output Obmitted
....
# Prefer the server's order of
ciphers over client's.
#ssl_prefer_server_ciphers =
no
# SSL crypto device to use,
for valid values run "openssl engine"
#ssl_crypto_device =
[root@mailserver ~]#
[root@mailserver ~]# vim
/etc/dovecot/conf.d/15-lda.conf
[root@mailserver ~]# cat
/etc/dovecot/conf.d/15-lda.conf
##
## LDA specific settings (also
used by LMTP)
##
# Address to use when sending
rejection mails.
# Default is postmaster@<your
domain>. %d expands to recipient domain.
postmaster_address
= postmaster@example.com
# Hostname to use in various
parts of sent mails (e.g. in Message-Id) and
# in LMTP replies. Default is
the system's real hostname@domain.
hostname
= mailserver.example.com
# If user is over quota,
return with temporary failure instead of
# bouncing the mail.
#quota_full_tempfail = no
# Binary to use for sending
mails.
#sendmail_path =
/usr/sbin/sendmail
# If non-empty, send mails via
this SMTP host[:port] instead of sendmail.
#submission_host =
# Subject: header to use for
rejection mails. You can use the same variables
# as for rejection_reason
below.
#rejection_subject = Rejected:
%s
# Human readable error message
for rejection mails. You can use variables:
# %n = CRLF, %r = reason, %s
= original subject, %t = recipient
#rejection_reason = Your
message to <%t> was automatically rejected:%n%r
# Delimiter character between
local-part and detail in email address.
#recipient_delimiter = +
# Header where the original
recipient address (SMTP's RCPT TO: address) is taken
# from if not available
elsewhere. With dovecot-lda -a parameter overrides this.
# A commonly used header for
this is X-Original-To.
#lda_original_recipient_header
=
# Should saving a mail to a
nonexistent mailbox automatically create it?
#lda_mailbox_autocreate = no
lda_mailbox_autocreate
= yes
# Should automatically created
mailboxes be also automatically subscribed?
#lda_mailbox_autosubscribe =
no
lda_mailbox_autosubscribe
= yes
protocol lda {
# Space separated list of
plugins to load (default is global mail_plugins).
#mail_plugins =
$mail_plugins
mail_plugins
= sieve
}
[root@mailserver ~]#
[root@mailserver ~]# vim
/etc/dovecot/conf.d/20-pop3.conf
[root@mailserver ~]# cat
/etc/dovecot/conf.d/20-pop3.conf
##
## POP3 specific settings
##
# Don't try to set mails
non-recent or seen with POP3 sessions. This is
# mostly intended to reduce
disk I/O. With maildir it doesn't move files
# from new/ to cur/, with mbox
it doesn't write Status-header.
#pop3_no_flag_updates = no
# Support LAST command which
exists in old POP3 specs, but has been removed
# from new ones. Some clients
still wish to use this though. Enabling this
# makes RSET command clear all
\Seen flags from messages.
#pop3_enable_last = no
....
Output Obmitted
....
# If you want UIDL
compatibility with other POP3 servers, use:
# UW's ipop3d :
%08Xv%08Xu
# Courier : %f or
%v-%u (both might be used simultaneosly)
# Cyrus (<= 2.1.3) : %u
# Cyrus (>= 2.1.4) :
%v.%u
# Dovecot v0.99.x : %v.%u
# tpop3d : %Mf
#
# Note that Outlook 2003 seems
to have problems with %v.%u format which was
# Dovecot's default, so if
you're building a new server it would be a good
# idea to change this.
%08Xu%08Xv should be pretty fail-safe.
#
pop3_uidl_format
= %08Xu%08Xv
# Permanently save UIDLs sent
to POP3 clients, so pop3_uidl_format changes
# won't change those UIDLs.
Currently this works only with Maildir.
#pop3_save_uidl = no
# What to do about duplicate
UIDLs if they exist?
# allow: Show duplicates to
clients.
# rename: Append a temporary
-2, -3, etc. counter after the UIDL.
#pop3_uidl_duplicates = allow
# This option changes POP3
behavior so that it's not possible to actually
# delete mails via POP3, only
hide them from future POP3 sessions. The mails
# will still be counted
towards user's quota until actually deleted via IMAP.
# Use e.g. "$POP3Deleted"
as the value (it will be visible as IMAP keyword).
# Make sure you can legally
archive mails before enabling this setting.
#pop3_deleted_flag =
# POP3 logout format string:
# %i - total number of bytes
read from client
# %o - total number of bytes
sent to client
# %t - number of TOP commands
# %p - number of bytes sent
to client as a result of TOP command
# %r - number of RETR
commands
# %b - number of bytes sent
to client as a result of RETR command
# %d - number of deleted
messages
# %m - number of messages
(before deletion)
# %s - mailbox size in bytes
(before deletion)
# %u - old/new UIDL hash. may
help finding out if UIDLs changed unexpectedly
#pop3_logout_format =
top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
# Workarounds for various
client bugs:
# outlook-no-nuls:
# Outlook and Outlook
Express hang if mails contain NUL characters.
# This setting replaces
them with 0x80 character.
# oe-ns-eoh:
# Outlook Express and
Netscape Mail breaks if end of headers-line is
# missing. This option
simply sends it if it's missing.
# The list is space-separated.
pop3_client_workarounds
= outlook-no-nuls oe-ns-eoh
protocol pop3 {
# Space separated list of
plugins to load (default is global mail_plugins).
#mail_plugins =
$mail_plugins
# Maximum number of POP3
connections allowed for a user from each IP address.
# NOTE: The username is
compared case-sensitively.
#mail_max_userip_connections
= 10
}
[root@mailserver ~]#
[root@mailserver ~]# vim
/etc/dovecot/conf.d/20-managesieve.conf
[root@mailserver ~]# cat
/etc/dovecot/conf.d/20-managesieve.conf
##
## ManageSieve specific
settings
##
# Uncomment to enable
managesieve protocol:
protocols
= $protocols sieve
# Service definitions
#service managesieve-login {
#inet_listener sieve {
# port = 4190
#}
#inet_listener
sieve_deprecated {
# port = 2000
#}
# Number of connections to
handle before starting a new process. Typically
# the only useful values are
0 (unlimited) or 1. 1 is more secure, but 0
# is faster.
<doc/wiki/LoginProcess.txt>
#service_count = 1
# Number of processes to
always keep waiting for more connections.
#process_min_avail = 0
# If you set
service_count=0, you probably need to grow this.
#vsz_limit = 64M
#}
....
Output Obmitted
....
# The maximum number of
compile errors that are returned to the client upon
# script upload or script
verification.
#managesieve_max_compile_errors
= 5
# Refer to 90-sieve.conf for
script quota configuration and configuration of
# Sieve execution limits.
}
[root@mailserver ~]#
[root@mailserver ~]# vim
/etc/dovecot/conf.d/90-sieve.conf
[root@mailserver ~]# cat
/etc/dovecot/conf.d/90-sieve.conf
##
## Settings for the Sieve
interpreter
##
# Do not forget to enable the
Sieve plugin in 15-lda.conf and 20-lmtp.conf
# by adding it to the
respective mail_plugins= settings.
plugin {
# The path to the user's
main active script. If ManageSieve is used, this the
# location of the symbolic
link controlled by ManageSieve.
#sieve = ~/.dovecot.sieve
sieve
= /home/vmail/%Ld/%Ln.sieve/.dovecot.sieve
# The default Sieve script
when the user has none. This is a path to a global
# sieve script file, which
gets executed ONLY if user's private Sieve script
# doesn't exist. Be sure to
pre-compile this script manually using the sievec
# command line tool.
# --> See sieve_before
fore executing scripts before the user's personal
# script.
#sieve_default =
/var/lib/dovecot/sieve/default.sieve
# Directory for :personal
include scripts for the include extension. This
# is also where the
ManageSieve service stores the user's scripts.
#sieve_dir = ~/sieve
sieve_dir
= /home/vmail/%Ld/%Ln.sieve/
# Directory for :global
include scripts for the include extension.
#sieve_global_dir =
# Path to a script file or a
directory containing script files that need to be
# executed before the user's
script. If the path points to a directory, all
# the Sieve scripts
contained therein (with the proper .sieve extension) are
# executed. The order of
execution within a directory is determined by the
# file names, using a normal
8bit per-character comparison. Multiple script
# file or directory paths
can be specified by appending an increasing number.
#sieve_before =
#sieve_before2 =
#sieve_before3 = (etc...)
# Identical to sieve_before,
only the specified scripts are executed after the
# user's script (only when
keep is still in effect!). Multiple script file or
# directory paths can be
specified by appending an increasing number.
#sieve_after =
#sieve_after2 =
#sieve_after2 = (etc...)
# Which Sieve language
extensions are available to users. By default, all
# supported extensions are
available, except for deprecated extensions or
# those that are still under
development. Some system administrators may want
# to disable certain Sieve
extensions or enable those that are not available
# by default. This setting
can use '+' and '-' to specify differences relative
# to the default. For
example `sieve_extensions = +imapflags' will enable the
# deprecated imapflags
extension in addition to all extensions were already
# enabled by default.
sieve_extensions
= +notify +imapflags
# Which Sieve language
extensions are ONLY available in global scripts. This
# can be used to restrict
the use of certain Sieve extensions to administrator
# control, for instance when
these extensions can cause security concerns.
# This setting has higher
precedence than the `sieve_extensions' setting
# (above), meaning that the
extensions enabled with this setting are never
# available to the user's
personal script no matter what is specified for the
# `sieve_extensions'
setting. The syntax of this setting is similar to the
# `sieve_extensions'
setting, with the difference that extensions are
# enabled or disabled for
exclusive use in global scripts. Currently, no
# extensions are marked as
such by default.
#sieve_global_extensions =
....
Output Obmitted
....
# The maximum amount of disk
storage a single user's scripts may occupy. If
# set to 0, no limit on the
used amount of disk storage is enforced.
# (Currently only relevant
for ManageSieve)
#sieve_quota_max_storage = 0
}
[root@mailserver ~]#
[root@mailserver ~]# vim
/etc/dovecot/dovecot-sql.conf.ext
[root@mailserver ~]# cat
/etc/dovecot/dovecot-sql.conf.ext
driver = mysql
connect = host=localhost
dbname=vmaildb user=vmailuser password=redhat@123
user_query = SELECT
CONCAT("/home/vmail/", domain) AS home, 8 AS uid, 12 AS
gid, 'maildir:/var/spool/mail/%d/%n' AS mail,
CONCAT("dirsize:storage=", quota) AS quota FROM mailbox
WHERE username = '%u' AND active = '1'
password_query = SELECT
username AS user, password, CONCAT("/var/spool/mail/",
domain) AS userdb_home, 8 AS userdb_uid, 12 AS userdb_gid FROM
mailbox WHERE username = '%u' AND active='1'
iterate_query = SELECT
username AS user FROM mailbox WHERE active='1'
[root@mailserver ~]#
[root@mailserver ~]# chmod
0600 /etc/dovecot/dovecot-sql.conf.ext
[root@mailserver ~]# systemctl restart dovecot
