I have decided to blog an entry on installing Dovecot as a POP3/POP3S server with SSL/TLS support for mbox-type mail storage.
Dovecot says:
Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written with security primarily in mind. Dovecot is an excellent choice for both small and large installations. It's fast, simple to set up, requires no special administration and it uses very little memory.
You can find out more about Dovecot on its website.
Some of the most notable features of Dovecot include:
* Dovecot is among the highest performing IMAP servers while still supporting the standard mbox and Maildir formats. The mailboxes are transparently indexed, which gives Dovecot its good performance while still providing full compatibility with existing mailbox handling tools.
* Dovecot's indexes are self-optimizing. They contain exactly what the user's client commonly needs, no more and no less.
* Dovecot is self-healing. It tries to fix most of the problems it notices by itself, such as broken index files. The problems are however logged so the administrator can later try to figure out what caused them.
* Dovecot tries to be admin-friendly. Common error messages are made as easily understandable as possible. Any crash, no matter how it happened, is considered a bug that will be fixed.
* Dovecot allows mailboxes and their indexes to be modified by multiple computers at the same time, while still performing well. This means that Dovecot works with NFS and clustered filesystems.
* Dovecot's user authentication is extremely flexible and feature rich, supporting many different authentication databases and mechanisms.
* Postfix 2.3+ and Exim 4.64+ users can do SMTP authentication directly against Dovecot's authentication backend without having to configure it separately.
* Dovecot supports easy migration from many existing IMAP and POP3 servers, allowing the change to be transparent to existing users.
* Dovecot supports workarounds for several bugs in IMAP and POP3 clients. Since the workarounds may cause the protocol exchange to be slightly less optimal, you can enable only the workarounds you need.
* Dovecot's design and implementation is highly focused on security. Rather than taking the traditional road of just fixing vulnerabilities whenever someone happens to report them, I offer 1000 EUR of my own money to the first person to find a security hole from Dovecot.
* Dovecot is easily extensible. Plugins can add new commands, modify existing behavior, add their own data into index files or even add support for new mailbox formats. For example quota and ACL support are completely implemented as plugins.
Status
* Complete IMAP4rev1 and POP3 support. IPv6, SSL and TLS are supported.
* Supports multiple commonly used IMAP extensions, including SORT, THREAD and IDLE.
* Shared mailboxes aren't yet officially supported, but ACL files are.
* Maildir++ quota is supported, but hard filesystem quota can be problematic.
* Dovecot is commonly used with Linux, Solaris, FreeBSD, OpenBSD, NetBSD and Mac OS X. See the Wiki page about OS compatibility for more.
INSTALLATION:
-------------
Here's how to install Dovecot to serve POP3/POP3S requests with SSL/TLS support.
1. Install dovecot with yum:
# yum -y install dovecot
2. Make a backup of the default /etc/dovecot.conf:
# cp /etc/dovecot.conf /etc/dovecot.conf.orig
3. Open /etc/dovecot.conf in your favorite text editor and apply the settings below.
The protocols we want to serve are pop3 and pop3s, so the following line should be present:
protocols = pop3 pop3s
The IP or host address on which dovecot listens for connections. At the time of writing it is not possible to specify multiple IP addresses, but "*" listens on all IPv4 addresses and "[::]" listens on all IPv6 addresses. The line below listens on all IPv4 addresses:
listen = *
If you wish to change dovecot's default ports for POP3 and/or IMAP, you can enable the following options:
protocol imap {
listen = *:10143
ssl_listen = *:10943
..
}
protocol pop3 {
listen = *:10100
..
}
You can change the ports above. Of course, you cannot use the same port for IMAP and POP3.
By default, plaintext authentication is enabled. To disable plaintext authentication, so that logins must go over SSL/TLS, set:
disable_plaintext_auth = yes
A security feature: when dovecot shuts down, the setting below also shuts down any running POP3/IMAP client processes.
shutdown_clients = yes
The log file can be customized as well. The line below is the default location of the dovecot log file:
log_path = /var/log/dovecot
Informational messages can go to the log file above or to a separate file. This is optional; comment the line out with a leading # if you do not want a separate info log.
info_log_path = /var/log/dovecot-info
By default, the syslog facility is used. If further syslog customization is needed, enable the line below and specify a different syslog facility. This is optional.
syslog_facility = mail
Now for the SSL settings.
To enable SSL in Dovecot, the line below should be enabled with an IP address:
ssl_listen = *
and SSL itself must be enabled with:
ssl_disable = no
The SSL/TLS certificate and private key are specified with the following lines. Make sure the files are readable only by root.
ssl_cert_file = /etc/pki/dovecot/certs/myexample.pem
ssl_key_file = /etc/pki/dovecot/private/myexample.pem
The PEM-encoded X.509 SSL/TLS certificate can be created in more than two ways. Here is the easiest:
# cd /etc/pki/tls/certs
# make myexample.pem
and answer the questions below:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Country Name (2 letter code) [GB]: US
State or Province Name (full name) [Berkshire]: LA
Locality Name (eg, city) [Newbury]: SF
Organization Name (eg, company) [My Company Ltd]: MyCompany
Organizational Unit Name (eg, section) []: Finance
Common Name (eg, your name or your server's hostname) []: host.mydomain.com
Email Address []: email@mydomain.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I am not going to cover creating the certificate the harder way, or in much detail, as that is outside the scope of this dovecot entry. Verifying these PEM files and generating RSA private keys are also not covered here.
Note that the make target above writes its output under /etc/pki/tls/certs, while the configuration points at /etc/pki/dovecot/certs and /etc/pki/dovecot/private, so the certificate and key have to end up at the configured paths. Just make sure they are readable only by root: in this setup the dovecot master process runs as root, while the login processes are spawned under the dovecot user account.
# chmod 400 /etc/pki/dovecot/certs/myexample.pem
# chmod 400 /etc/pki/dovecot/private/myexample.pem
# chown root:root /etc/pki/dovecot/certs/myexample.pem
# chown root:root /etc/pki/dovecot/private/myexample.pem
Optionally, if the key file is password protected, you can specify the password with the parameter below. For simplicity this setup does not use it.
ssl_key_password = mypassword
Trusted SSL certificate authorities, if any, can be specified with the line below. This is optional and not required by default.
ssl_ca_file = /etc/pki/dovecot/certs/ifany.ca
Creating or requesting the above CA certificates is also not discussed in detail here.
Verbose SSL error logging can be enabled with the argument below:
verbose_ssl = yes
The existing user account under which the dovecot login process runs can be specified with the line below. By default the dovecot user is used; for security, make sure the dovecot account does not have a login shell.
login_user = dovecot
Chrooting the login process is only needed if you want to run dovecot chrooted. It is not mandatory and is disabled by default. To enable it, use the line below:
login_chroot = yes
You can also set the maximum login process size when using the login_process_per_connection feature. The default value is 32:
login_process_size = 64
When running dovecot with SSL/TLS, each login is handled in its own process, which is more secure. Disabling this makes the login process faster, at the cost of that isolation.
login_process_per_connection = yes
The limits on the children dovecot spawns can be customized with the following lines. If you have thousands of dovecot users at a time, it is advisable to increase these values.
login_max_processes_count = 128
login_max_connections = 256
auth_worker_max_count = 30
A customized login greeting can be set as below. This is the banner you get back when you telnet to the dovecot port:
login_greeting = Lets RockNRoll
Leave the settings below at their default values for the log file format:
login_log_format
login_log_format_elements
If you wish to require a valid SSL client certificate (optional, disabled by default), use the argument below:
ssl_require_client_cert = yes
Locking the mailbox for the entire POP3 session is not advisable:
pop3_lock_session = no
With the above setup, assuming you are not using a separate user database or Maildir settings, dovecot can be started successfully at this point:
# service dovecot start
Dovecot should start successfully.
If you wish to customize dovecot.conf further, read about the remaining features and options in the comments of dovecot.conf itself.
More arguments and extra checks are shown below.
If the username supplied by the user contains a character not listed here, the login automatically fails. This is an additional defence against brute-force and dictionary attacks.
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
If more verbose authentication logging is required, use the following:
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
Further mbox-specific settings can also be customized. Below are some of the values you can adjust:
mbox_read_locks = fcntl
mbox_write_locks = fcntl
mbox_lock_timeout = 300
mbox_dirty_syncs = no
mbox_lazy_writes = no
mbox_min_index_size = 0
mbox_dotlock_change_timeout = 60
No modification is required under the POP3-specific settings; the defaults should work.
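Before starting the service, it is worth reading the settings above back out of the file and checking the ones that matter for security. The POSIX shell audit below is an added example, not part of the original howto; the sample dovecot.conf is constructed here with two weak values left in, and the function names are my own. One caveat it encodes: auth_debug_passwords = yes writes users' passwords into the log, so it should only ever be on briefly while troubleshooting.

```shell
#!/bin/sh
# Constructed sample of the howto's settings, with two weak values
# left in on purpose (plaintext auth still allowed, password debugging on).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
protocols = pop3 pop3s
listen = *
ssl_listen = *
ssl_disable = no
disable_plaintext_auth = no
ssl_cert_file = /etc/pki/dovecot/certs/myexample.pem
ssl_key_file = /etc/pki/dovecot/private/myexample.pem
auth_debug_passwords = yes
pop3_lock_session = no
EOF

# conf_value FILE KEY: value of KEY (last occurrence wins, '#' comment lines ignored).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_dovecot_conf FILE: one line per finding on stdout; returns the finding count.
audit_dovecot_conf() {
    n=0
    [ "$(conf_value "$1" ssl_disable)" = "no" ] ||
        { echo "ssl_disable is not 'no': POP3S will not be offered"; n=$((n + 1)); }
    [ -n "$(conf_value "$1" ssl_listen)" ] ||
        { echo "ssl_listen is unset: no SSL/TLS listener"; n=$((n + 1)); }
    [ "$(conf_value "$1" disable_plaintext_auth)" = "yes" ] ||
        { echo "disable_plaintext_auth is not 'yes': passwords may cross the wire in clear"; n=$((n + 1)); }
    [ "$(conf_value "$1" auth_debug_passwords)" != "yes" ] ||
        { echo "auth_debug_passwords is 'yes': user passwords are written to the log"; n=$((n + 1)); }
    for key in ssl_cert_file ssl_key_file; do
        [ -n "$(conf_value "$1" "$key")" ] || { echo "$key is unset"; n=$((n + 1)); }
    done
    return $n
}

# key_perms_ok FILE: true only if FILE is a regular file with mode 0400
# (ownership is checked separately with 'ls -l'; the howto wants root:root).
key_perms_ok() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "-r--------" ]
}

audit_dovecot_conf "$SAMPLE_CONF" || echo "$? setting(s) to fix before starting dovecot"
```

Run it against the real /etc/dovecot.conf and the two PEM paths from the configuration; a clean file prints nothing and returns 0.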
STARTING DOVECOT:
-----------------
# service dovecot start
CHECKING DOVECOT PROCESS/PORTS:
--------------------------------
# netstat -latpanu | grep dovecot
# ss -a | grep pop3
# cat /etc/services | grep pop3
# telnet ip-address-here 110
# ps axuw | grep dovecot
LOG MONITORING:
---------------
# tailf /var/log/dovecot
HTH
For further reading, see the Dovecot site and its wiki pages on authentication and virtual users.
Tuesday, August 14, 2007
dovecot POP3/POP3S server with SSL/TLS install howto