103Dovecot - amagerard/Mail GitHub Wiki
Part two: send and receive messages from local accounts.
SSL is enabled.
Dovecot is the IMAP server; it lets clients retrieve their emails.
The ports used are 143 (STARTTLS) and 993 (TLS).
I need:
- /etc/ssl/certs/hermes.crt (to be created).
- /etc/ssl/certs/CA.crt (already exists).
- /etc/ssl/private/hermes.key (to be created).
Repeat the TemplateVM/certificate chapter 6.3.1 procedure to create hermes.key and hermes.crt.
```bash
openssl ecparam -genkey -name prime256v1 -out /etc/ssl/private/hermes-ecc.key
openssl req -new -days 365 -key /etc/ssl/private/hermes-ecc.key -out /etc/ssl/certs/hermes-ecc.csr
openssl ca -config /etc/ssl/openssl.cnf -out /etc/ssl/certs/hermes-ecc.crt -in /etc/ssl/certs/hermes-ecc.csr
chmod 400 /etc/ssl/private/hermes-ecc.key
chmod 400 /etc/ssl/certs/hermes-ecc.crt
```
`vi /etc/postfix/main.cf`
```
#smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_cert_file = /etc/ssl/certs/hermes-ecc.crt
#smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_key_file = /etc/ssl/private/hermes-ecc.key
#smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_CApath = /etc/ssl/certs
#smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CAfile = /etc/ssl/certs/CA-ecc.crt
```
Mail clients will be able to submit emails to the Postfix SMTP server.
`vi /etc/postfix/master.cf`
Add or modify the following lines (the `-o` continuation lines must be indented, otherwise Postfix treats them as new service entries).
```
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
# -o milter_macro_daemon_name=ORIGINATING
submissions inet n - n - - smtpd
  -o syslog_name=postfix/submissions
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
# -o milter_macro_daemon_name=ORIGINATING
#
# Do not modify the following lines until the end
```
Supported SSL and TLS versions:
```bash
openssl ciphers -v | awk '{print $2}' | sort | uniq
```
```
SSLv3
TLSv1
TLSv1.2
TLSv1.3
```
`vi /etc/postfix/main.cf`
Add at the end of the file. Note that this list only excludes SSLv3 and TLSv1.3, so TLSv1, TLSv1.1 and TLSv1.2 remain enabled.
```
# Exclude SSLv3 and TLSv1.3
smtpd_tls_mandatory_protocols = !SSLv3, !TLSv1.3
smtp_tls_mandatory_protocols = !SSLv3, !TLSv1.3
smtpd_tls_protocols = !SSLv3, !TLSv1.3
smtp_tls_protocols = !SSLv3, !TLSv1.3
```
```bash
systemctl restart postfix
```
Check that ports 25, 465 and 587 are listening:
```bash
ss -lnpt | grep master
```
```
LISTEN 0 100 0.0.0.0:587 0.0.0.0:* users:(("master",pid=3203,fd=17))
LISTEN 0 100 0.0.0.0:465 0.0.0.0:* users:(("master",pid=3393,fd=20))
LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("master",pid=3203,fd=13))
```
```bash
dnf install dovecot
```
`vi /etc/dovecot/dovecot.conf`
```
# Protocols we want to be serving.
#protocols = imap pop3 lmtp submission
protocols = imap pop3 lmtp
# Disable IPv6
#listen = *, ::
listen = *
```
```bash
systemctl enable --now dovecot
postconf mail_spool_directory
```
```
mail_spool_directory = /var/mail
```
Then set the mail location.
`vi /etc/dovecot/conf.d/10-mail.conf`
```
mail_location = maildir:~/Maildir
mail_privileged_group = mail
```
Add dovecot to the mail group.
```bash
gpasswd -a dovecot mail
```
Edit the LMTP service definition.
`vi /etc/dovecot/conf.d/10-master.conf`
```
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0660
    user = postfix
    group = postfix
  }
}
```
`vi /etc/postfix/main.cf`
```
#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailbox_transport = lmtp:unix:private/dovecot-lmtp
# Add to end of file
smtputf8_enable = no
```
`vi /etc/dovecot/conf.d/10-auth.conf`
```
#auth_username_format = %Lu
auth_username_format = %n
#auth_mechanisms = plain
auth_mechanisms = plain login
```
SASL authentication between Postfix and Dovecot.
`vi /etc/dovecot/conf.d/10-master.conf`
```
service auth {
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
  # Auth process is run as this user.
  #user = $default_internal_user
}
```
Automatic folder creation.
`vi /etc/dovecot/conf.d/15-mailboxes.conf`
To create a folder automatically, just add the following line in the mailbox section.
```
auto = create
```
```
namespace inbox {
  # These mailboxes are widely used and could perhaps be created automatically:
  mailbox Drafts {
    auto = create
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Trash {
    auto = create
    special_use = \Trash
  }
  # For \Sent mailboxes there are two widely used names. We'll mark both of
  # them as \Sent. User typically deletes one of them if duplicates are created.
  mailbox Sent {
    auto = create
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = create
    special_use = \Sent
  }
  # rest of the namespace unchanged
}
```
Configuring SSL/TLS encryption.
`vi /etc/dovecot/conf.d/10-ssl.conf`
```
ssl = required
#ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
#ssl_key = </etc/pki/dovecot/private/dovecot.pem
ssl_cert = </etc/pki/tls/certs/hermes-ecc.crt
ssl_key = </etc/pki/tls/private/hermes-ecc.key
ssl_ca = </etc/pki/tls/certs/CA-ecc.crt
ssl_dh = </etc/dovecot/dh.pem
ssl_min_protocol = TLSv1.2
ssl_cipher_list = PROFILE=SYSTEM
#ssl_prefer_server_ciphers = no
ssl_prefer_server_ciphers = yes
```
Generate the Diffie-Hellman parameters.
```bash
openssl dhparam -out /etc/dovecot/dh.pem 4096
```
Generating this file takes more than 15 minutes.
Restart Postfix and Dovecot.
```bash
systemctl restart postfix
systemctl restart dovecot
```
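A verification script, added here and not part of the wiki, that tries every SSL/TLS version against each listener configured above (25/587/465 for Postfix, 143/993 for Dovecot) and compares the outcome with the policy the two configurations are meant to enforce. It assumes the server is reachable as `HOST`, that the CA certificate is `/etc/ssl/certs/CA.crt`, and the file name `tlscheck.sh` is made up.

```shell
#!/bin/sh
# Added verification script (not from the wiki): for every listener configured
# above, try each SSL/TLS version with openssl s_client and compare the outcome
# with the policy the configuration is supposed to enforce.
# Assumptions: the server is reachable as $HOST and the CA is /etc/ssl/certs/CA.crt.
HOST="${HOST:-localhost}"
CAFILE="${CAFILE:-/etc/ssl/certs/CA.crt}"
# Policy derived from the configuration: Postfix excludes SSLv3 and TLSv1.3,
# Dovecot sets ssl_min_protocol = TLSv1.2.  Prints "accept" or "refuse".
expected() {  # $1 = postfix|dovecot, $2 = openssl version flag without the dash
  case "$1:$2" in
    *:ssl3|postfix:tls1_3)       echo refuse ;;
    dovecot:tls1|dovecot:tls1_1) echo refuse ;;
    *)                           echo accept ;;
  esac
}

# Map a port to its daemon and STARTTLS protocol ("none" = wrapper mode).
endpoint() {  # $1 = port; prints "daemon starttls"
  case "$1" in
    25|587) echo "postfix smtp" ;;
    465)    echo "postfix none" ;;
    143)    echo "dovecot imap" ;;
    993)    echo "dovecot none" ;;
    *)      return 1 ;;
  esac
}

# One handshake attempt: "accept" when the handshake completes and the
# certificate verifies against $CAFILE, "refuse" otherwise.
probe() {  # $1 = port, $2 = version flag
  ep=$(endpoint "$1") || return 1
  st=${ep#* }
  [ "$st" = none ] && st="" || st="-starttls $st"
  if openssl s_client -connect "$HOST:$1" $st "-$2" -CAfile "$CAFILE" \
       -verify_return_error </dev/null >/dev/null 2>&1
  then echo accept; else echo refuse; fi
}

# Run the full matrix only when invoked as "sh tlscheck.sh run".
if [ "${1:-}" = run ]; then
  for port in 25 587 465 143 993; do
    daemon=$(endpoint "$port"); daemon=${daemon% *}
    for ver in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
      want=$(expected "$daemon" "$ver"); got=$(probe "$port" "$ver")
      [ "$want" = "$got" ] && mark=ok || mark=MISMATCH
      case "$got:$ver" in accept:tls1|accept:tls1_1) mark=WEAK ;; esac
      echo "$mark port=$port $daemon $ver expected=$want got=$got"
    done
  done
fi
```

Run it with `HOST=mail.example sh tlscheck.sh run`; a `WEAK` line means the Postfix listener still negotiated TLSv1 or TLSv1.1, which the `!SSLv3, !TLSv1.3` list above does not exclude. On RHEL-family hosts the system crypto policy may stop the openssl client itself from offering TLSv1 or TLSv1.1, so a `refuse` for those versions can come from the client rather than the server.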
This test requires the installation of GnomeShell.
See GnomeShell.
Install Geary with dnf or apt.
Geary is also available as a Flatpak on Flathub:
https://flathub.org/en/apps/org.gnome.Geary.
Create 2 local accounts on the server.
- Name: <Username>
- Email address: [email protected]
- Password: <your password>
You have to do some research on how to choose STARTTLS and TLS.
The Geary configuration is in:
/home/<your username>/.config/geary/account_0[n]
Do several tests with the 2 local accounts.
- IMAP: 143 STARTTLS, 993 TLS
- SMTP: 587 STARTTLS, 465 TLS
For Windows, you must install version 128 ESR of Thunderbird.
Then test sending and receiving emails with STARTTLS and TLS.
Then update Thunderbird.