Dovecot Email Delivery

Dovecot is an IMAP server. It takes responsibility for connecting your email client (Thunderbird, etc.) to your mailbox. Dovecot will also be configured to provide authentication (username and password) support to Postfix, which Postfix uses when an authorized user sends email through it.

To be clear, your email client will connect to Dovecot using a protocol called IMAP (or POP). In this way Dovecot provides access to your mailboxes, and when you are reading your email you are using Dovecot. When you go to send mail from your email client, it connects directly to Postfix using a protocol called SMTP: Dovecot is not needed for the transfer itself. However, before you can be allowed to access your email you need to prove that you are authorized to access it. This is referred to as authentication, and Dovecot provides it. In the earlier, simpler days of the Internet before spam, authentication was not required to send email. These days you also need to authenticate yourself to prove that you are authorized to send mail. Sending mail is handled by Postfix, but rather than building authentication into Postfix as well, Postfix is instead configured to ask Dovecot to authenticate users when they send email.

Installing Dovecot

On Redhat systems (Redhat, Fedora, Centos) you install Dovecot using:

sudo yum install dovecot

Configuring Dovecot

The configuration files for Dovecot are usually found in /etc/dovecot. I recommend leaving the default configuration alone and just adding your modifications into local.conf. This file is read last and so any settings it contains will override the same settings that are contained in the default configuration.

Basic Configuration

The first part of the configuration specifies which protocols to support (IMAP and/or POP3) and where the mailboxes can be found:

#protocols = imap pop3
protocols = imap

mail_location = maildir:~/mail

Transport Layer Security (SSL)

This assumes that you have already created a certificate using OpenSSL. The one I am using is named ssl-140409:

# TLS/SSL protocols to use (avoid older SSL protocols)
ssl_protocols = !SSLv2  !SSLv3

# SSL ciphers to use
ssl_cipher_list = ALL:!ADH:!EXPORT:!SSLv2:!aNULL:!eNULL:RC4+RSA:+HIGH:-MEDIUM:-LOW
ssl_prefer_server_ciphers = yes

# SSL certificate
ssl=required
ssl_cert = </etc/pki/tls/certs/ssl-140409.crt
ssl_key = </etc/pki/tls/private/ssl-140409.key

Authentication

The following is used to configure authentication:

auth_mechanisms = plain
passdb {
    driver = passwd-file
    args = /etc/dovecot/passwd
}
userdb {
    driver = static
    args = uid=vmail gid=vmail home=/home/vmail/%d/%n allow_all_users=yes
}
service auth {
    unix_listener auth-client {
        path = /var/spool/postfix/private/auth
        mode = 0660
        user = postfix
        group = postfix
    }
    user = root
}

auth_mechanisms specifies the forms in which the password can be passed to Dovecot (more than one may be listed). Using plain is fine here because, with ssl=required above, the password will only ever be passed through a TLS tunnel, and so will not be exposed on the network.

passdb specifies the password database, in this case /etc/dovecot/passwd. Each line of that file takes the form:

dickie@nurdletech.com:{PLAIN}zDu8g8AJf9vv
dickie@turtleneck.com:{PLAIN}2WyoQEsJcSFo
admin@nurdletech.com:{PLAIN}LnycHhpZwQsN

Each line consists of the email address of one of the virtual mailboxes (it must match the values given to Postfix in the virtual_mailbox_maps file). After the email address there is a colon and then, enclosed in braces, a specification of how the password is encoded. Finally there is the encoded password. Of course, if the encoding is specified as PLAIN there is no encoding and the password is stored directly. It is more secure if you do encode (hash) the passwords. To do so, run:

doveadm pw -s SSHA

and copy its output into the file (SSHA is a salted SHA1 hash; many other schemes are available).
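To make the passwd-file format concrete, here is an added example (not part of the original page or of Dovecot) that builds entries the way doveadm pw -s SSHA does, base64(sha1(password + salt) + salt), verifies a password against either a {PLAIN} or an {SSHA} entry, and lists the users whose passwords are still stored unhashed. The two entries in PASSWD_FILE are copied from the sample above; the 4-byte salt length is an assumption (Dovecot accepts any salt length, since it treats everything after the 20-byte digest as salt).

```python
"""Generate and verify Dovecot passwd-file entries (added example, not Dovecot code)."""
import base64
import hashlib
import hmac
import os

# Constructed sample, in the user:{SCHEME}data format of /etc/dovecot/passwd.
PASSWD_FILE = """\
dickie@nurdletech.com:{PLAIN}zDu8g8AJf9vv
admin@nurdletech.com:{PLAIN}LnycHhpZwQsN
"""


def ssha_entry(user, password, salt=None):
    """Build 'user:{SSHA}...' as `doveadm pw -s SSHA` would.

    Encoding: base64(sha1(password + salt) + salt). A 4-byte random salt
    is an assumption made here; Dovecot only requires the digest to come first.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return f"{user}:{{SSHA}}{base64.b64encode(digest + salt).decode()}"


def parse_entry(line):
    """Split 'user:{SCHEME}data' into (user, SCHEME, data); reject malformed lines."""
    user, _, rest = line.strip().partition(":")
    if not user or not rest.startswith("{") or "}" not in rest:
        raise ValueError(f"malformed passwd-file entry: {line!r}")
    scheme, data = rest[1:].split("}", 1)
    return user, scheme.upper(), data


def verify_password(line, password):
    """True if `password` matches the entry; comparisons are constant-time."""
    _, scheme, data = parse_entry(line)
    if scheme == "PLAIN":
        return hmac.compare_digest(data.encode(), password.encode())
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, the rest is salt
        expected = hashlib.sha1(password.encode() + salt).digest()
        return hmac.compare_digest(expected, digest)
    raise ValueError(f"unsupported scheme {scheme}")


def plain_users(text):
    """Return the users whose passwords are stored as {PLAIN}, i.e. the lines to re-encode."""
    users = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, scheme, _ = parse_entry(line)
        if scheme == "PLAIN":
            users.append(user)
    return users


if __name__ == "__main__":
    for user in plain_users(PASSWD_FILE):
        print(f"{user}: stored in PLAIN, consider replacing with {ssha_entry(user, 'example')!r}")
```

Running it against the sample file reports both users as stored in PLAIN; replacing those lines with ssha_entry output (or with what doveadm pw prints) means a copy of the file no longer reveals the passwords themselves.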

userdb specifies the parameters used when creating the virtual mailboxes.

Finally, service auth specifies the parameters for a socket that is created to allow Postfix to communicate with Dovecot for authentication. The path is the location of the socket; the part of it after the Postfix queue directory (here private/auth under /var/spool/postfix) is what you give to Postfix in smtpd_sasl_path.
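The TLS and authentication fragments above contain a few settings that have to agree with each other and with Postfix. The following added example (not part of the original page, nor a Dovecot or Postfix tool) parses a local.conf fragment into nested dictionaries and checks that plain authentication is only offered with ssl=required, that SSLv2 and SSLv3 are disabled, that the cipher list does not still offer RC4 (the list on this page does), and that the auth socket path matches Postfix's smtpd_sasl_path with the expected ownership and mode. DOVECOT_CONF is a constructed copy of the settings shown above; POSTFIX_QUEUE_DIR and POSTFIX_SASL_PATH are assumed values for the Postfix side. Note that ssl_protocols is the pre-2.3 setting name; Dovecot 2.3 replaced it with ssl_min_protocol.

```python
"""Consistency checks over a Dovecot local.conf fragment (added example)."""

# Constructed sample: the TLS and auth settings shown on this page.
DOVECOT_CONF = """
ssl_protocols = !SSLv2  !SSLv3
ssl_cipher_list = ALL:!ADH:!EXPORT:!SSLv2:!aNULL:!eNULL:RC4+RSA:+HIGH:-MEDIUM:-LOW
ssl_prefer_server_ciphers = yes
ssl=required
auth_mechanisms = plain
service auth {
    unix_listener auth-client {
        path = /var/spool/postfix/private/auth
        mode = 0660
        user = postfix
        group = postfix
    }
    user = root
}
"""
# Assumed Postfix settings: queue_directory default and smtpd_sasl_path from main.cf.
POSTFIX_QUEUE_DIR = "/var/spool/postfix"
POSTFIX_SASL_PATH = "private/auth"


def parse_dovecot(text):
    """Parse `key = value` lines and `name arg { ... }` blocks into nested dicts.

    Blocks are keyed by their full header line, e.g. 'service auth'.
    Comments (# ...) and blank lines are ignored.
    """
    root, stack, current = {}, [], {}
    current = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            current[line[:-1].strip()] = block
            stack.append(current)
            current = block
        elif line == "}":
            if not stack:
                raise ValueError("unexpected '}' in config")
            current = stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    if stack:
        raise ValueError("unbalanced braces in config")
    return root


def check_config(conf, queue_dir=POSTFIX_QUEUE_DIR, sasl_path=POSTFIX_SASL_PATH):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    mechs = conf.get("auth_mechanisms", "").split()
    if "plain" in mechs and conf.get("ssl") != "required":
        findings.append("auth_mechanisms offers plain but ssl is not 'required': "
                        "passwords could cross the network unencrypted")
    protos = conf.get("ssl_protocols", "").split()
    for old in ("SSLv2", "SSLv3"):
        if "!" + old not in protos:
            findings.append(f"ssl_protocols does not disable {old}")
    cipher_list = conf.get("ssl_cipher_list", "")
    if "RC4" in cipher_list and "!RC4" not in cipher_list.split(":"):
        findings.append("ssl_cipher_list still offers RC4; prefer excluding it with !RC4")
    listener = conf.get("service auth", {}).get("unix_listener auth-client", {})
    expected = f"{queue_dir.rstrip('/')}/{sasl_path}"
    if listener.get("path") != expected:
        findings.append(f"auth socket path {listener.get('path')!r} does not match "
                        f"Postfix smtpd_sasl_path (expected {expected!r})")
    if listener.get("mode") != "0660" or listener.get("user") != "postfix":
        findings.append("auth socket should be mode 0660 and owned by the postfix user")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_dovecot(DOVECOT_CONF)) or ["no findings"]:
        print(finding)
```

Run against the page's own settings it reports a single finding, the RC4 entry in the cipher list; everything else, including the socket path that Postfix expects, lines up.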

Configuring Dovecot as the Local Delivery Agent

The following is sufficient to configure the Dovecot LDA:

protocol lda {
    postmaster_address = admin@nurdletech.com
}

Configuring the Firewall

The most common firewall on Linux is iptables; however, the more recent versions of Fedora have shifted to using firewalld. These instructions are for firewalld on Fedora.

If you do not have firewalld you can get it on a Redhat system (Redhat, Fedora, CentOs) by running as root:

yum install firewalld

You would then activate it using:

systemctl enable firewalld
systemctl start firewalld

In order for Dovecot to be reachable, we must punch a hole in the firewall so that email clients can connect to it. In particular we need to open port 993 (imaps). To do so, as root run:

firewall-cmd --permanent --add-service=imaps

Doing so loads this rule into the firewalld persistent configuration, but does not modify the currently active rules. To activate our new rule, run:

firewall-cmd --reload

Now, list the rules to make sure they are both correct and active:

firewall-cmd --list-all

Running Dovecot

Start Dovecot using:

systemctl start dovecot

If Dovecot is already running, and you have changed a configuration file, you can get Dovecot to reread these files using:

systemctl reload dovecot

You can stop Dovecot with:

systemctl stop dovecot

You can get Dovecot status with:

systemctl status dovecot

Once Dovecot is running, you should configure your email client and confirm that you can both view the mailboxes and you can send messages. Look in /var/log/maillog for messages from Dovecot.

Once Dovecot is running properly, you can enable it so that it starts automatically when the server starts using:

systemctl enable dovecot

Configuring Email Client

Use the following to configure Thunderbird to use your new Postfix/Dovecot email system:

IMAP server: nurdletech.com
    Port: 993
    Security: SSL/TLS
    Authentication Method: normal password
    Username: dickie@nurdletech.com
SMTP server: nurdletech.com
    Port: 587
    Security: STARTTLS
    Authentication Method: normal password
    Username: dickie@nurdletech.com

Use the following to configure Mutt to use your new Postfix/Dovecot email system:

set spoolfile=imaps://nurdletech.com:993/INBOX
set folder=imaps://nurdletech.com:993/
set smtp_url=smtp://dickie@nurdletech.com@nurdletech.com:587
#               ^ do not use smtps here

# Alternative ways of giving username and password
set imap_user="dickie@nurdletech.com"
set imap_pass="`abraxas -q work-email-fallback`"
set smtp_pass=$imap_pass
set smtp_authenticators="plain"