03Dovecot - amagerard/Mail GitHub Wiki
1- Network | 2- Postfix | 3- Dovecot | 4- Postfixadmin | 5- PostfixMariaDB | 6- DovecotMariaDB |
---|---|---|---|---|---|
7- RelaySmtp | 8- Troubleshoot | 9- Selinux | 10- GnomeShell | 11- Backup |
Part two: send and receive messages from local accounts.
TLS is enabled on every listener.
Dovecot is the IMAP server: it lets mail clients read the mailboxes that Postfix delivers into.
The ports used are 143 (IMAP, upgraded with STARTTLS) and 993 (IMAPS, TLS from the first byte).
I need:
/etc/ssl/certs/hermes.crt (to be created).
/etc/ssl/certs/CA.crt (already exists).
/etc/ssl/private/hermes.key (to be created).
Repeat the TemplateVM/certificate chapter 6.3.1 procedure to create hermes.key and hermes.crt.
Note: the Dovecot step below refers to the same three files under /etc/pki/tls/. On Fedora/RHEL, /etc/ssl/certs is normally a symlink to /etc/pki/tls/certs; check with ls -ld that /etc/ssl/private resolves to /etc/pki/tls/private as well, otherwise use a single spelling of the paths in both main.cf and 10-ssl.conf.
# 4096-bit RSA key. Root-only access is enough: Postfix smtpd and Dovecot both load the key before dropping privileges.
openssl genrsa -out /etc/ssl/private/hermes.key 4096
# Certificate request. "-days" is only meaningful together with "-x509"; the validity of the signed
# certificate comes from default_days in the CA section of /etc/ssl/openssl.cnf, used by "openssl ca" below.
openssl req -new -key /etc/ssl/private/hermes.key -out /etc/ssl/certs/hermes.csr
openssl ca -config /etc/ssl/openssl.cnf -out /etc/ssl/certs/hermes.crt -in /etc/ssl/certs/hermes.csr
chmod 400 /etc/ssl/private/hermes.key
# The certificate is public; 400 does no harm because the daemons read it as root, but 444 would do as well.
chmod 400 /etc/ssl/certs/hermes.crt
rm /etc/ssl/certs/hermes.csr
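Before main.cf and 10-ssl.conf are pointed at hermes.crt, hermes.key and CA.crt, it is worth proving that the three files belong together: that the certificate really carries the public half of the key, that it validates against CA.crt alone (what a client that trusts only the private CA will check), and that the key is root-only as the chmod above intends. The script below is an added example and is not part of the amagerard/Mail wiki; the file names follow the page, while make_demo_pki builds a throwaway CA and certificate in a temporary directory (constructed, CN hermes.example) so the checks can be run offline before being pointed at the real files.

```shell
#!/bin/sh
# Added example (not from the amagerard/Mail wiki): sanity-check a server
# certificate, its private key and the CA that issued it before Postfix and
# Dovecot are configured to use them.
set -eu

# Return 0 if CERT was issued for the public half of KEY and is signed by CA.
check_cert_key_pair() {
    cert=$1; key=$2; ca=$3
    # Compare the SubjectPublicKeyInfo embedded in the certificate with the
    # public key derived from the private key; a mismatch means the wrong key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$cert: private key $key does not match" >&2
        return 1
    fi
    # Chain check: would a client trusting only CA.crt accept this certificate?
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$cert: not signed by $ca (or outside its validity period)" >&2
        return 1
    fi
    return 0
}

# Return 0 if KEY has no group/other permission bits (chmod 400 as on the page).
# Postfix smtpd and Dovecot load the key while still running as root, so
# root-only access is sufficient.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Show what a client will see: subject, issuer and validity window.
inspect_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Build a constructed CA, a certificate it signed and an unrelated key, for
# demonstration only; prints the directory holding them.
make_demo_pki() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo CA' \
        -keyout "$d/CA.key" -out "$d/CA.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=hermes.example' \
        -keyout "$d/hermes.key" -out "$d/hermes.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/hermes.csr" -CA "$d/CA.crt" \
        -CAkey "$d/CA.key" -CAcreateserial -out "$d/hermes.crt" >/dev/null 2>&1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
    chmod 400 "$d/hermes.key"
    chmod 644 "$d/other.key"   # deliberately too open, to exercise key_is_private
    echo "$d"
}

# RUN_DEMO=1 sh thisfile.sh  runs the checks against the constructed PKI;
# for the real files call the functions with /etc/ssl/... paths instead.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    dir=$(make_demo_pki)
    inspect_cert "$dir/hermes.crt"
    if check_cert_key_pair "$dir/hermes.crt" "$dir/hermes.key" "$dir/CA.crt"; then
        echo "hermes: certificate, key and CA are consistent"
    fi
    if key_is_private "$dir/hermes.key"; then
        echo "hermes.key: readable by root only"
    fi
    rm -rf "$dir"
fi
```

On the real host, run check_cert_key_pair /etc/ssl/certs/hermes.crt /etc/ssl/private/hermes.key /etc/ssl/certs/CA.crt as root. A certificate that passes this check can still be refused by a client that matches the host name against subjectAltName rather than the CN, so if clients complain about the name, add a SAN when the CSR is generated.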
vi /etc/postfix/main.cf
#smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_cert_file = /etc/ssl/certs/hermes.crt
#smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_key_file = /etc/ssl/private/hermes.key
# smtp_tls_CApath / smtp_tls_CAfile concern the client side (outbound mail): the CAs Postfix trusts
# when it verifies a remote server. They do not change the certificate presented on 25/465/587.
#smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_CApath = /etc/ssl/certs
#smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CAfile = /etc/ssl/certs/CA.crt
Mail clients will be able to submit emails to the Postfix SMTP server.
vi /etc/postfix/master.cf
Add or uncomment the following lines. In master.cf each "-o" line belongs to the service entry above it and must start with whitespace. With these settings a client on 587 has to complete STARTTLS before it may AUTH, on 465 TLS is negotiated before the first SMTP command (wrapper mode), and relaying is granted only to authenticated clients.
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  # -o smtpd_tls_auth_only=yes
  # -o smtpd_reject_unlisted_recipient=no
  # -o smtpd_client_restrictions=$mua_client_restrictions
  # -o smtpd_helo_restrictions=$mua_helo_restrictions
  # -o smtpd_sender_restrictions=$mua_sender_restrictions
  # -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  # -o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  # -o smtpd_reject_unlisted_recipient=no
  # -o smtpd_client_restrictions=$mua_client_restrictions
  # -o smtpd_helo_restrictions=$mua_helo_restrictions
  # -o smtpd_sender_restrictions=$mua_sender_restrictions
  # -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  # -o milter_macro_daemon_name=ORIGINATING
Protocol versions named in the OpenSSL cipher list.
openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv3
TLSv1
TLSv1.2
TLSv1.3
This only prints the protocol column of the cipher suites OpenSSL knows about; it does not tell you which versions the system crypto policy or the Postfix settings below actually allow.
vi /etc/postfix/main.cf
Add to end of file.
# Require TLS 1.2 or newer on both the server side (smtpd_*) and the client side (smtp_*).
# An exclusion list disables only the versions it names: "!SSLv3, !TLSv1.3" would leave
# TLS 1.0 and 1.1 enabled and switch TLS 1.3 off, the opposite of what is wanted.
# On Postfix 3.6 or newer ">=TLSv1.2" is the equivalent short form.
# For the opportunistic smtp_tls_protocols this trades interoperability with remote servers
# stuck on TLS 1.0/1.1 for the guarantee that any encrypted session is at least TLS 1.2.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
systemctl restart postfix
Checking ports 25, 465 and 587.
ss -lnpt | grep master
LISTEN 0 100 0.0.0.0:587 0.0.0.0:* users:(("master",pid=3203,fd=17))
LISTEN 0 100 0.0.0.0:465 0.0.0.0:* users:(("master",pid=3393,fd=20))
LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("master",pid=3203,fd=13))
dnf install dovecot
vi /etc/dovecot/dovecot.conf
# Protocols we want to be serving.
#protocols = imap pop3 lmtp submission
protocols = imap pop3 lmtp
# disable IPv6: listen on all IPv4 addresses only
#listen = *, ::
listen = *
systemctl enable --now dovecot
postconf mail_spool_directory
mail_spool_directory = /var/mail
This is where Postfix's own local(8) delivery agent would write mbox files. Here delivery is handed to Dovecot's LMTP service (mailbox_transport, below), so the mailbox location is set on the Dovecot side instead:
vi /etc/dovecot/conf.d/10-mail.conf
# one Maildir per user in the home directory, written by the LMTP service
mail_location = maildir:~/Maildir
# group Dovecot may switch to temporarily for privileged operations such as dotlocking in /var/mail
mail_privileged_group = mail
Add dovecot to group mail.
gpasswd -a dovecot mail
Edit the LMTP service definition. The socket is created inside Postfix's queue directory so that Postfix can reach it by the relative path private/dovecot-lmtp, and only the postfix user can open it.
vi /etc/dovecot/conf.d/10-master.conf
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
vi /etc/postfix/main.cf
#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
# relative path, resolved under queue_directory (/var/spool/postfix); matches the Dovecot listener above
mailbox_transport = lmtp:unix:private/dovecot-lmtp
# add at the end of the file: keeps Postfix from bouncing a message with a UTF-8 envelope
# when the LMTP next hop does not advertise SMTPUTF8
smtputf8_enable = no
vi /etc/dovecot/conf.d/10-auth.conf
# %n keeps only the part before "@", so "alice@hermes" and "alice" both map to the system user alice
#auth_username_format = %Lu
auth_username_format = %n
# LOGIN is added for clients that only speak that mechanism. Both PLAIN and LOGIN carry the
# password in clear (base64 is not encryption), which is why ssl = required in 10-ssl.conf and
# smtpd_tls_security_level=encrypt on the submission port are not optional.
#auth_mechanisms = plain
auth_mechanisms = plain login
SASL Authentication between Postfix and Dovecot.
Postfix does not verify passwords itself: smtpd_sasl_type=dovecot / smtpd_sasl_path=private/auth in master.cf hand the AUTH exchange to the socket defined here, inside the existing service auth block.
vi /etc/dovecot/conf.d/10-master.conf
service auth {
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0600
    user = postfix
    group = postfix
  }
  # Auth process is run as this user.
  #user = $default_internal_user
}
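What the plain and login mechanisms enabled in 10-auth.conf actually put on the wire is easy to see, and seeing it makes the case for TLS-before-AUTH better than any sentence. The script below is an added example, not code from the wiki or from Postfix/Dovecot: it builds and decodes the SASL PLAIN token, shows the LOGIN form, and scripts an AUTH PLAIN against the submission port that Postfix now forwards through private/auth to Dovecot. The user name alice, password secret and client name client.test are constructed; the host name hermes, port 587 and /etc/ssl/certs/CA.crt follow the page.

```shell
#!/bin/sh
# Added example (not from the amagerard/Mail wiki): SASL PLAIN/LOGIN encoding
# and a scripted AUTH PLAIN over STARTTLS against the Postfix submission port.
set -eu

# SASL PLAIN (RFC 4616): one base64 blob of "<authzid>NUL<authcid>NUL<password>";
# the authorization identity is left empty, as mail clients normally do.
sasl_plain() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# SASL LOGIN: user name and password are sent as two separate base64 lines,
# in reply to the server's "334 VXNlcm5hbWU6" and "334 UGFzc3dvcmQ6" prompts.
sasl_login_token() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Reverse the PLAIN encoding, replacing NUL with "|" so it prints. This is all
# an on-path observer has to do to recover the password, hence ssl = required
# in Dovecot and smtpd_tls_security_level=encrypt on port 587.
sasl_plain_decode() {
    printf '%s' "$1" | base64 -d | tr '\0' '|'
}

# Authenticate against the submission service (constructed client name
# client.test). The sleeps give the server time to answer each command before
# the next one is written; -quiet keeps s_client open until the server closes
# after QUIT. Prints the 235 (success) or 535 (failure) reply. Needs a live
# server, so it is not run by the offline test.
smtp_auth_plain() {
    host=$1; user=$2; pass=$3; ca=${4:-/etc/ssl/certs/CA.crt}
    {
        sleep 1; printf 'EHLO client.test\n'
        sleep 1; printf 'AUTH PLAIN %s\n' "$(sasl_plain "$user" "$pass")"
        sleep 1; printf 'QUIT\n'
    } | openssl s_client -connect "$host:587" -starttls smtp -crlf -quiet \
            -CAfile "$ca" -verify_return_error 2>&1 | grep -E '^(235|535)'
}
```

Usage: smtp_auth_plain hermes alice secret, then check /var/log/maillog for the postfix/submission line and Dovecot's auth log. On the server itself, doveadm auth test alice secret exercises the same Dovecot passdb without going through Postfix, which separates a Dovecot problem from a socket-permission problem on private/auth.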
Automatic creation of the Trash folder.
vi /etc/dovecot/conf.d/15-mailboxes.conf
To have Dovecot create a folder on the user's first login, add auto = create inside its mailbox block (the mailbox blocks live inside namespace inbox { ... }).
Example:
  mailbox Trash {
    auto = create
    special_use = \Trash
  }
Configuring SSL/TLS encryption.
vi /etc/dovecot/conf.d/10-ssl.conf
# "required" refuses plaintext logins on 143/110 until STARTTLS has completed
ssl = required
#ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
#ssl_key = </etc/pki/dovecot/private/dovecot.pem
# The leading "<" makes Dovecot read the file contents. If an intermediate CA is involved,
# append it to the certificate file: ssl_cert is where the chain sent to clients comes from.
ssl_cert = </etc/pki/tls/certs/hermes.crt
ssl_key = </etc/pki/tls/private/hermes.key
# ssl_ca is only consulted when verifying client certificates (ssl_verify_client_cert);
# it does not change the chain presented to clients
ssl_ca = </etc/pki/tls/certs/CA.crt
ssl_dh = </etc/dovecot/dh.pem
ssl_min_protocol = TLSv1.2
# PROFILE=SYSTEM follows the Fedora/RHEL system-wide crypto policy (update-crypto-policies)
ssl_cipher_list = PROFILE=SYSTEM
#ssl_prefer_server_ciphers = no
ssl_prefer_server_ciphers = yes
Generate the Diffie-Hellman parameters (used by DHE cipher suites; ECDHE suites do not need them).
openssl dhparam -out /etc/dovecot/dh.pem 4096
Generating this file can take more than 15 minutes.
Restart postfix and dovecot.
systemctl restart postfix
systemctl restart dovecot
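Two things on this page decide which TLS versions the services accept: the smtpd_tls_*protocols / smtp_tls_*protocols lines added to main.cf, and ssl_min_protocol = TLSv1.2 in Dovecot's 10-ssl.conf. The script below is an added example, not from the wiki or from Postfix/Dovecot. The first function models how Postfix reads a protocol setting (an exclusion list disables only what it names, so "!SSLv3, !TLSv1.3" keeps TLS 1.0 and 1.1 enabled and turns TLS 1.3 off); the second probes the restarted services on 587/465 and 143/993 with each TLS version, which is the only way to confirm what both daemons really negotiate. The host name hermes follows the page; the list of version names is the one Postfix accepts, and whether the local OpenSSL build can still offer SSLv3 or TLS 1.0 depends on how it was compiled and on the system crypto policy (an assumption, noted in the code).

```shell
#!/bin/sh
# Added example (not from the amagerard/Mail wiki): resolve a Postfix TLS
# protocol setting to the versions it enables, and probe live services.
set -eu

# Version order, oldest first; used for ">=" specifications.
proto_rank() {
    case $1 in
        SSLv3)   echo 0 ;;
        TLSv1)   echo 1 ;;
        TLSv1.1) echo 2 ;;
        TLSv1.2) echo 3 ;;
        TLSv1.3) echo 4 ;;
        *)       echo -1 ;;   # unknown name (e.g. SSLv2): never matches
    esac
}

# Print, space separated, the versions a Postfix protocol setting leaves on.
# Postfix accepts an exclusion list ("!SSLv3, !TLSv1"), which disables only
# the named versions; an inclusion list ("TLSv1.2, TLSv1.3"); and, from
# Postfix 3.6, ">=TLSv1.2". Assumption: the candidate set below is the set
# of names Postfix understands; a build without SSLv3/TLS 1.0 support simply
# cannot negotiate those even when a setting leaves them "enabled".
enabled_protocols() {
    spec=$(printf '%s' "$1" | tr ',' ' ')
    all="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
    out=""
    case $spec in
    ">="*)
        min=$(proto_rank "${spec#">="}")
        for p in $all; do
            if [ "$(proto_rank "$p")" -ge "$min" ]; then out="$out $p"; fi
        done ;;
    *"!"*)
        for p in $all; do
            keep=1
            for tok in $spec; do
                if [ "$tok" = "!$p" ]; then keep=0; fi
            done
            if [ "$keep" = 1 ]; then out="$out $p"; fi
        done ;;
    *)
        for p in $all; do
            for tok in $spec; do
                if [ "$tok" = "$p" ]; then out="$out $p"; fi
            done
        done ;;
    esac
    printf '%s\n' "${out# }"
}

# Try each TLS version against HOST:PORT. The third argument is the STARTTLS
# protocol name openssl s_client expects ("smtp" for 25/587, "imap" for 143)
# and is left empty for implicit TLS (465/993). A "rejected" line can also
# mean the local OpenSSL policy refuses to offer that version, so read the
# result together with the server's mail log. Not run by the offline test.
probe_tls_versions() {
    host=$1; port=$2; starttls=${3:-}
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if [ -n "$starttls" ]; then
            set -- -connect "$host:$port" -starttls "$starttls" "-$v"
        else
            set -- -connect "$host:$port" "-$v"
        fi
        if openssl s_client "$@" </dev/null >/dev/null 2>&1; then
            echo "$port $v: accepted"
        else
            echo "$port $v: rejected"
        fi
    done
}
```

Usage: enabled_protocols '!SSLv3, !TLSv1.3' prints TLSv1 TLSv1.1 TLSv1.2, while enabled_protocols '>=TLSv1.2' prints TLSv1.2 TLSv1.3; after the restart, probe_tls_versions hermes 587 smtp, probe_tls_versions hermes 465, probe_tls_versions hermes 143 imap and probe_tls_versions hermes 993 should all show tls1 and tls1_1 rejected.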
This test requires the installation of GnomeShell.
See GnomeShell.
Create 2 local accounts on the server (with auth_username_format = %n the account name, without a domain, is the system user).
Name: <Username>
Email address: [email protected]
Password : <your password>
Accept the certificate for IMAP and SMTP: it is signed by the private CA.crt, which the client does not trust yet.
Note: the first SMTP connection may have to be attempted a second time.
Do several tests with the 2 local accounts, sending in both directions.
IMAP: 143 (STARTTLS), 993 (implicit TLS)
SMTP: 587 (STARTTLS), 465 (implicit TLS)