Tuesday, August 14, 2007

dovecot POP3/POP3S server with SSL/TLS install howto

I have decided to blog an entry on installing Dovecot as a POP3/POP3S server with SSL/TLS support on an mbox-type mail setup.

Dovecot says:
Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written with security primarily in mind. Dovecot is an excellent choice for both small and large installations. It's fast, simple to set up, requires no special administration and it uses very little memory.

You can find more about Dovecot on its site.

Some of the most notable features of Dovecot include:

* Dovecot is among the highest performing IMAP servers while still supporting the standard mbox and Maildir formats. The mailboxes are transparently indexed, which gives Dovecot its good performance while still providing full compatibility with existing mailbox handling tools.
* Dovecot's indexes are self-optimizing. They contain exactly what the user's client commonly needs, no more and no less.
* Dovecot is self-healing. It tries to fix most of the problems it notices by itself, such as broken index files. The problems are however logged so the administrator can later try to figure out what caused them.
* Dovecot tries to be admin-friendly. Common error messages are made as easily understandable as possible. Any crash, no matter how it happened, is considered a bug that will be fixed.
* Dovecot allows mailboxes and their indexes to be modified by multiple computers at the same time, while still performing well. This means that Dovecot works with NFS and clustered filesystems.
* Dovecot's user authentication is extremely flexible and feature rich, supporting many different authentication databases and mechanisms.
* Postfix 2.3+ and Exim 4.64+ users can do SMTP authentication directly against Dovecot's authentication backend without having to configure it separately.
* Dovecot supports easy migration from many existing IMAP and POP3 servers, allowing the change to be transparent to existing users.
* Dovecot supports workarounds for several bugs in IMAP and POP3 clients. Since the workarounds may cause the protocol exchange to be slightly less optimal, you can enable only the workarounds you need.
* Dovecot's design and implementation is highly focused on security. Rather than taking the traditional road of just fixing vulnerabilities whenever someone happens to report them, I offer 1000 EUR of my own money to the first person to find a security hole from Dovecot.
* Dovecot is easily extensible. Plugins can add new commands, modify existing behavior, add their own data into index files or even add support for new mailbox formats. For example quota and ACL support are completely implemented as plugins.

Status

* Complete IMAP4rev1 and POP3 support. IPv6, SSL and TLS are supported.
* Supports multiple commonly used IMAP extensions, including SORT, THREAD and IDLE.
* Shared mailboxes aren't officially yet supported, but ACL files are.
* Maildir++ quota is supported, but hard filesystem quota can be problematic.
* Dovecot is commonly used with Linux, Solaris, FreeBSD, OpenBSD, NetBSD and Mac OS X. See the Wiki page about OS compatibility for more.

INSTALLATION:
-------------

Here's how to install Dovecot to serve POP3/POP3S requests with SSL/TLS support.

1. Install dovecot with yum:

# yum -y install dovecot

2. Make a backup of the default /etc/dovecot.conf:

# cp /etc/dovecot.conf /etc/dovecot.conf.orig

3. Launch your favourite text editor and modify /etc/dovecot.conf, following the instructions below.

The protocols we want to serve are pop3 and pop3s, so the following line should be present:

protocols = pop3 pop3s

IP or host address where Dovecot listens for connections. At the time of writing it is not possible to specify multiple addresses, but "*" listens on all IPv4 addresses and "[::]" on all IPv6 addresses. The line below listens on all IPv4 addresses:

listen = *

If you wish to change the default ports for POP3 and/or IMAP, you can set them per protocol:

protocol imap {
listen = *:10143
ssl_listen = *:10943
..
}
protocol pop3 {
listen = *:10100
..
}

Pick any free ports, but IMAP and POP3 cannot share one. A listen or ssl_listen inside a protocol block overrides the global setting for that protocol.
POP3 clients authenticate with the plaintext mechanisms (PLAIN and LOGIN), so on port 110 the password would cross the wire unprotected. Setting the option below makes Dovecot refuse those mechanisms unless the session is already protected by SSL/TLS (POP3S on 995, or STLS on 110); connections from the server's own IP are still allowed. Set it explicitly rather than relying on whatever default your package shipped with:

disable_plaintext_auth = yes

As a safety measure, make the master process shut down all running POP3 and IMAP child processes when Dovecot itself shuts down; otherwise they keep serving their clients until they exit on their own:

shutdown_clients = yes

Logging can be customised as well. By default Dovecot logs through syslog; setting log_path sends error messages to a file instead:

log_path = /var/log/dovecot

Informational messages go to the same file unless you give them their own. This is optional; put a # in front of the line to disable it.

info_log_path = /var/log/dovecot-info

When logging through syslog, the facility can be changed with the line below. This is optional; mail is the default.

syslog_facility = mail

Now, for SSL settings.

To enable SSL with Dovecot, ssl_listen must be set to an address (if left empty it falls back to the value of listen):

ssl_listen = *

and enabling

ssl_disable = no

The PEM-encoded SSL/TLS certificate and private key are given with the following lines. Dovecot opens them before dropping root privileges, so the key file must be readable only by root:

ssl_cert_file = /etc/pki/dovecot/certs/myexample.pem
ssl_key_file = /etc/pki/dovecot/private/myexample.pem

Creating the X.509 SSL/TLS certificate can be done in several ways. The easiest on a Red Hat style system is the Makefile shipped in /etc/pki/tls/certs:

# cd /etc/pki/tls/certs
# make myexample.pem

and answer the questions below. The Common Name must be the hostname your clients connect to, otherwise they will warn about a name mismatch:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Country Name (2 letter code) [GB]: US
State or Province Name (full name) [Berkshire]: LA
Locality Name (eg, city) [Newbury]: SF
Organization Name (eg, company) [My Company Ltd]: MyCompany
Organizational Unit Name (eg, section) []: Finance
Common Name (eg, your name or your server's hostname) []: host.mydomain.com
Email Address []: email@mydomain.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This produces a self-signed certificate and its unencrypted private key together in one file, /etc/pki/tls/certs/myexample.pem, which is not where the dovecot.conf lines above point. Either copy it into place (ssl_cert_file and ssl_key_file may both point at the same combined file) or split the key and certificate blocks into the two files. Being self-signed, the certificate will make clients warn about an untrusted issuer until they are told to trust it; a certificate from a CA your clients already trust avoids that. Creating the certificate the harder way, verifying the PEM files and generating RSA keys by hand are outside the scope of this entry.

Make sure the files are readable only by root. In this setup the Dovecot master process runs as root and opens the key before the login processes, which run as the dovecot user, are spawned:

# chmod 400 /etc/pki/dovecot/certs/myexample.pem
# chmod 400 /etc/pki/dovecot/private/myexample.pem
# chown root:root /etc/pki/dovecot/certs/myexample.pem
# chown root:root /etc/pki/dovecot/private/myexample.pem
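The make target above leaves key and certificate together in /etc/pki/tls/certs, while dovecot.conf expects them at two separate paths under /etc/pki/dovecot. The script below is an added example, not from the original post or from the Dovecot project: it splits the combined file, installs the two halves with the ownership and permissions shown above, and verifies that the private key actually belongs to the certificate. The default paths are the ones used on this page; the key is assumed to be RSA (what the Makefile generates) and openssl must be installed for the final check.

```shell
#!/bin/sh
# Added example (not from the original post or the Dovecot project): split the combined
# key+certificate file produced by "make myexample.pem" into the two files dovecot.conf
# refers to, set root-only ownership and permissions, and confirm key and certificate match.
# Default paths are the ones used in this howto; the key is assumed to be RSA (what the
# Makefile generates) and openssl is needed for the final check.
set -eu

# split_pem COMBINED KEYOUT CERTOUT
# Copies the PRIVATE KEY block to KEYOUT and the CERTIFICATE block to CERTOUT, creating
# both under a restrictive umask so the key is never world-readable, even briefly.
split_pem() {
    ( umask 077; sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' "$1" > "$2" )
    ( umask 077; sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" > "$3" )
    # Both blocks must be present; an empty output means the input was not a combined file.
    [ -s "$2" ] && [ -s "$3" ]
}

# lock_down FILE: owned by root, readable by root only (the master process opens the
# key as root before privileges are dropped; the login processes never need it).
lock_down() {
    chown root:root "$1"
    chmod 400 "$1"
}

# key_matches_cert KEY CERT: fails unless the RSA modulus is identical in both, which
# catches a key and a certificate left over from different "make" runs.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
    [ "$k" = "$c" ]
}

# install_dovecot_tls [COMBINED] [KEYOUT] [CERTOUT]
install_dovecot_tls() {
    src=${1:-/etc/pki/tls/certs/myexample.pem}
    key=${2:-/etc/pki/dovecot/private/myexample.pem}
    cert=${3:-/etc/pki/dovecot/certs/myexample.pem}
    split_pem "$src" "$key" "$cert"
    lock_down "$key"
    lock_down "$cert"     # the certificate is public, but 400 root:root matches the howto
    key_matches_cert "$key" "$cert"
    echo "installed $key and $cert"
}

# Run the installation only when invoked as: sh install-dovecot-tls.sh install [paths...]
if [ "${1:-}" = "install" ]; then
    install_dovecot_tls "${2:-}" "${3:-}" "${4:-}"
fi
```

Run it as root with the "install" argument after the make step; if the modulus check fails the script exits non-zero before you restart Dovecot with a mismatched pair.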

Optionally, if the key file is password protected, the password can be given with the parameter below. Note that it then sits in clear text in dovecot.conf, so that file must not be world-readable; the alternative is to start Dovecot with the -p option, which prompts for the password. For simplicity this setup uses an unencrypted key.

ssl_key_password = mypassword

Trusted SSL certificate authorities, if any, are given with the line below. It is optional and only needed when Dovecot has to verify client certificates (see ssl_require_client_cert further down):

ssl_ca_file = /etc/pki/dovecot/certs/ifany.ca

Creating or requesting CA certificates is not discussed here.

Verbose SSL error logging can be enabled with the following setting:

verbose_ssl = yes

The existing system user the login processes run as is set with the line below. The default is dovecot; for security make sure that account has no valid login shell and no password.

login_user = dovecot

Login processes are chrooted into login_dir by default (login_chroot = yes); the only reason to turn this off is if you want to run the whole of Dovecot without root privileges. Leave it enabled:

login_chroot = yes

The memory limit for each login process, in megabytes, is set with the line below. The default is 32:

login_process_size = 64

With the setting below each connection gets its own login process, which is discarded once the user has authenticated. This is the more secure choice, especially with SSL/TLS, because a compromised login process only exposes that one connection; setting it to no is faster, since no process is forked per connection, at the cost of that isolation.

login_process_per_connection = yes

How many login processes Dovecot may spawn, how many connections each may hold and how many authentication worker processes may run are set with the lines below. If you have thousands of concurrent users, raise these values:

login_max_processes_count = 128
login_max_connections = 256
auth_worker_max_count = 30

The greeting sent when a client connects (what you see when you telnet to the port) can be customised. The default is "Dovecot ready."; whatever you choose, do not put the version number in it:

login_greeting = Lets RockNRoll

Leave the settings below at their defaults; they control the format of login log lines:

login_log_format
login_log_format_elements

If you wish to require a valid SSL client certificate (optional, disabled by default), enable the setting below. It only makes sense with ssl_ca_file pointing at the CA that issued the client certificates, and in the 1.0 example configuration it lives inside the auth section, with ssl_verify_client_cert = yes at the top level, so place it accordingly:

ssl_require_client_cert = yes

Locking the mailbox for the entire POP3 session is not advisable; leave it off:

pop3_lock_session = no
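Pulling the settings above together, here is the complete configuration for the POP3/POP3S-only setup described on this page, in Dovecot 1.0 syntax. This is an added example, not the original post's own file: the hostname, paths and limits are the ones used above, the passdb/userdb blocks are the shipped system-account defaults, and everything else is an assumption to adjust for your site.

```conf
# /etc/dovecot.conf for a POP3/POP3S-only server (Dovecot 1.0 syntax). Added example.
protocols = pop3 pop3s
listen = *
ssl_listen = *

# --- TLS ---
ssl_disable = no
ssl_cert_file = /etc/pki/dovecot/certs/myexample.pem
ssl_key_file = /etc/pki/dovecot/private/myexample.pem
# Weak setting to avoid: leaving PLAIN/LOGIN usable over the unencrypted port 110.
# With "yes" they are only accepted once the session is TLS-protected (995, or STLS on 110).
disable_plaintext_auth = yes
# Enable only while troubleshooting handshakes; it is noisy.
#verbose_ssl = yes

# --- login processes ---
login_user = dovecot
login_chroot = yes
login_process_per_connection = yes
login_process_size = 64
login_max_processes_count = 128
login_max_connections = 256
login_greeting = Lets RockNRoll

# --- behaviour and logging ---
shutdown_clients = yes
log_path = /var/log/dovecot
info_log_path = /var/log/dovecot-info
syslog_facility = mail
pop3_lock_session = no

# --- authentication (system accounts via PAM, users from /etc/passwd) ---
# Extra check: reject usernames containing characters outside this set before any lookup.
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_worker_max_count = 30
# Leave these off in production: auth_debug_passwords writes passwords to the log.
#auth_debug = yes
#auth_debug_passwords = yes

auth default {
  mechanisms = plain
  passdb pam {
  }
  userdb passwd {
  }
}
```

The two settings that decide whether passwords are ever sent in the clear are disable_plaintext_auth and the pop3s listener; everything else is tuning. The auth_debug_passwords line is left commented on purpose, because it turns the log file into a password store.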

With the above setup, using the default system-account authentication and mbox autodetection rather than a separate user database or Maildir settings, Dovecot can be started at this point:

# service dovecot start

Dovecot should start successfully.

If you wish to customise dovecot.conf further, the comments in the shipped dovecot.conf describe the remaining features.
Some more settings and extra checks are shown below.

If a username supplied by the client contains a character not in the list below, the login fails immediately. This is an extra check that keeps quoting and metacharacters out of passdb/userdb lookups (SQL, LDAP) and rejects junk usernames before any authentication work is done:

auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

If more verbose authentication logging is required, the following can be enabled. Be aware that auth_debug_passwords writes the passwords themselves, in clear text, to the log file: turn it on only while debugging a specific problem and off again afterwards.

auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes

Further mbox-specific settings can be customised. Below are some of them; the lock methods must match the ones your local delivery agent (procmail, the Postfix local agent, ...) uses, otherwise a delivery racing a POP3 session can corrupt the spool:

mbox_read_locks = fcntl
mbox_write_locks = fcntl
mbox_lock_timeout = 300
mbox_dirty_syncs = no
mbox_lazy_writes = no
mbox_min_index_size = 0
mbox_dotlock_change_timeout = 60

No changes are needed under the POP3-specific settings; the defaults work.

STARTING DOVECOT:
-----------------

# service dovecot start

CHECKING DOVECOT PROCESS/PORTS:
--------------------------------

# netstat -ltnp | grep dovecot
# ss -a | grep pop3
# grep pop3 /etc/services
# telnet ip-address-here 110
# ps axuw | grep dovecot
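The commands above show that something is listening; they do not show that the TLS side works, that port 110 can be upgraded with STLS, or when the certificate expires. The script below, an added example rather than anything from the original post, checks those with openssl s_client. The host, the ports and the 30-day expiry warning are assumptions; the date arithmetic relies on GNU date.

```shell
#!/bin/sh
# Added example (not from the original post): verify the POP3/POP3S listeners end to end.
# Assumptions: Dovecot on 127.0.0.1 (override with HOST=...), POP3 on 110, POP3S on 995,
# openssl installed, GNU date for the expiry arithmetic.
set -eu

HOST=${HOST:-127.0.0.1}

# port_in_listing PORT: read "ss -ltn" / "netstat -ltn" output on stdin and succeed if
# some socket's local address ends in ":PORT" (column 4 in both tools).
port_in_listing() {
    awk '{ print $4 }' | grep -q ":$1\$"
}

# listening PORT: feed the live socket listing to port_in_listing.
listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn | port_in_listing "$1"
    else
        netstat -ltn | port_in_listing "$1"
    fi
}

# pop3_greeting_ok LINE: a POP3 server's reply lines start with "+OK"; anything else is an error.
pop3_greeting_ok() {
    case "$1" in
        "+OK"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# tls_session PORT [S_CLIENT_OPTIONS]: open a TLS session (direct, or via STLS when
# "-starttls pop3" is passed), send QUIT and print everything s_client wrote.
tls_session() {
    port=$1
    shift
    printf 'QUIT\r\n' | openssl s_client -connect "$HOST:$port" "$@" 2>/dev/null
}

# cert_days_left "notAfter=<date>": whole days until that date; negative once expired.
cert_days_left() {
    end_s=$(date -d "${1#notAfter=}" +%s)
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

run_checks() {
    for p in 110 995; do
        listening "$p" || { echo "nothing listening on TCP $p"; return 1; }
    done
    echo "--- POP3S (995)"
    raw=$(tls_session 995)
    greeting=$(echo "$raw" | grep '^+OK' | head -n 1)
    pop3_greeting_ok "$greeting" || { echo "no +OK reply over POP3S"; return 1; }
    echo "reply: $greeting"
    echo "$raw" | openssl x509 -noout -subject -enddate
    days=$(cert_days_left "$(echo "$raw" | openssl x509 -noout -enddate)")
    [ "$days" -gt 30 ] || echo "WARNING: certificate expires in $days days"
    echo "--- STLS on 110"
    tls_session 110 -starttls pop3 | openssl x509 -noout -subject >/dev/null && echo "STLS upgrade works"
}

# Run the live checks only when asked, so the functions above can also be sourced.
if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

Invoke it as "sh check-pop3s.sh run" on the server; a warning from the expiry check is the reminder to regenerate the certificate before clients start refusing to connect.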

LOG MONITORING:
---------------

# tailf /var/log/dovecot

HTH

For further reading, see the Dovecot site, its authentication wiki pages and the virtual users wiki page.

ILoveTux - howtos and news