abstract: These files are not specific to rhocoin. This is a note on setting up dovecot. Every time I mess around and encounter some grief, I add to this pile of notes.
We want Postfix working with Dovecot so that we can send and read our mail from an email client, such as Thunderbird, on another computer.
You have already enabled Postfix TLS and confirmed that it works by checking the logs of mail successfully sent and received.
We are going to enable smtps, port 465, which your email client probably refers to as SSL/TLS and ufw refers to as 'Postfix SMTPS'.

We are not going to enable submission, port 587, which your email client probably refers to as STARTTLS and ufw refers to as 'Postfix Submission'. STARTTLS starts in plaintext and only upgrades to TLS if the server advertises STARTTLS in its EHLO response and the client then asks for it. An enemy with substantial power over the network can strip that line from the EHLO response, and a client that is configured to use TLS only when it is offered carries on in plaintext. Since we are using normal passwords, a successful downgrade leaks the password, enabling the enemy to read and modify mail from that client, and to send spearphish, shill, scam, and spam emails as the client identity. Implicit TLS on 465 has no plaintext phase to strip, which is why RFC 8314 recommends it over STARTTLS for mail submission.

Passwords are a vulnerability, and in a hostile, untrustworthy, and untrusting world need to be replaced by ZKA resting on a BIPS style wallet secret, but we have to make do with smtps until we create something better.
nano /etc/postfix/master.cf

You will find the lines we are about to change already in master.cf, but commented out, and some of them need to be amended. The `-o` continuation lines must be indented, otherwise Postfix reads each as a new service:

```
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
```

`smtpd_tls_wrappermode=yes` is what makes this implicit TLS: the handshake happens before any SMTP command. SASL authentication is enabled only on this service, so a password can never be offered on port 25, and the relay restriction means only authenticated clients may send to outside domains.
Now we tell Postfix to hand local deliveries to Dovecot over LMTP. The socket path is relative to the Postfix queue directory, /var/spool/postfix:

```
postconf -e mailbox_transport=lmtp:unix:private/dovecot-lmtp
postconf -e smtputf8_enable=no
```

`smtputf8_enable=no` stops Postfix refusing to hand a message with non-ASCII addresses to an LMTP service that does not announce SMTPUTF8. Obviously none of this is going to work until after we install and configure Dovecot, so don't restart and test Postfix yet.
```
apt -qy update && apt -qy upgrade
apt -qy install dovecot-imapd dovecot-pop3d dovecot-lmtpd
dovecot --version
# These instructions assume version 2.3 or above
```

nano /etc/dovecot/dovecot.conf

Add the protocols line above the `!include_try` line that is already there:

```
protocols = imap pop3 lmtp
!include_try /usr/share/dovecot/protocols.d/*.protocol
```
Edit the Dovecot authentication file and set the following values:

nano /etc/dovecot/conf.d/10-auth.conf

```
disable_plaintext_auth = yes
auth_mechanisms = plain
auth_username_format = %n
```

`disable_plaintext_auth = yes` refuses the PLAIN mechanism on any connection that is not yet encrypted (localhost excepted), and PLAIN is all a client needs once TLS is up. `auth_username_format = %n` strips any @domain from the login name, so users authenticate as their Unix account.
After that, edit the mail configuration file to set the mailbox location. Since Postfix now hands mail to Dovecot over LMTP, Dovecot itself writes into this location, so it must be where you want users' mail to live:

nano /etc/dovecot/conf.d/10-mail.conf

```
mail_location = maildir:~/Maildir
mail_privileged_group = mail
```

```
adduser dovecot mail
```
We already told Postfix to talk to Dovecot. Now we must tell Dovecot to talk to Postfix using LMTP. Postfix resolves its socket paths relative to /var/spool/postfix, which is why the Postfix side says `private/dovecot-lmtp` and `private/auth` while the Dovecot side gives the full path.

nano /etc/dovecot/conf.d/10-master.conf

Delete the old `service lmtp` definition, and replace it with:

```
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
```

Delete the old `service auth` definition, and replace it with:

```
# Postfix smtp-auth
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
```
nano /etc/dovecot/conf.d/10-ssl.conf

```
ssl = required
ssl_cert = </etc/letsencrypt/live/rhocoin.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/rhocoin.org/privkey.pem
ssl_prefer_server_ciphers = yes
ssl_min_protocol = TLSv1.2
```

`ssl = required` makes Dovecot refuse to authenticate anyone until TLS is up, so even the plaintext IMAP and POP3 ports cannot leak a password. Dovecot reads the certificate and key as root before dropping privileges, so the restrictive permissions Let's Encrypt puts on /etc/letsencrypt/live are fine. A renewed certificate is only picked up on reload, so reload Dovecot (and Postfix) from a certbot deploy hook, or your clients will start seeing an expired certificate some weeks after the first renewal.
nano /etc/dovecot/conf.d/15-mailboxes.conf

Add the line `auto = subscribe` to the special folder entries, so that clients see these folders without the user having to subscribe to them by hand:

```
mailbox Drafts {
  auto = subscribe
  special_use = \Drafts
}
mailbox Junk {
  auto = subscribe
  special_use = \Junk
}
mailbox Trash {
  auto = subscribe
  special_use = \Trash
}
mailbox Sent {
  auto = subscribe
  special_use = \Sent
}
```
Enable and restart the services, then check that they are listening where we intend:

```
systemctl enable dovecot.service
systemctl restart postfix dovecot
systemctl status dovecot
systemctl status postfix
ss -lnpt | grep master
ss -lnpt | grep dovecot
```

master (Postfix) should now be listening on 465 as well as 25, and dovecot on 993 and 995, and also on the plaintext ports 110 and 143, which we are going to leave firewalled. Now open the encrypted ports, including smtps, which the earlier firewall rules did not cover (993 is imaps, 995 is pop3s):

```
ufw allow 'Postfix SMTPS'
ufw allow 993/tcp
ufw allow 995/tcp
ufw status verbose
```

You did set ufw to default deny incoming, so plaintext IMAP (143) and POP3 (110) stay blocked, as does submission (587). With `ssl = required` Dovecot would refuse a password on 143 or 110 anyway, but not exposing them at all is the cleaner default.
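The listening check above is worth turning into something you can rerun after every change. The script below is an added example, not part of the original notes: it parses `ss -lnpt` output, confirms that the ports this setup means to expose (25, 465, 993, 995) are bound, and lists the plaintext or STARTTLS listeners (110, 143, 587) that must remain blocked by ufw or be disabled. The `ss` output layout assumed is the one iproute2 prints on Debian and Ubuntu, and the sample output embedded in the script is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not part of the original notes): compare the ports that are
# actually bound with the ones this setup means to expose. Run with --live on
# the server to check real `ss -lnpt` output; without arguments it runs on the
# constructed sample below.

# Ports we expect Postfix (25, 465) and Dovecot (993, 995) to bind after this setup.
WANT_PORTS="25 465 993 995"
# Plaintext or STARTTLS services that must not be reachable from outside:
# pop3 (110), imap (143) and submission (587), which the notes leave closed.
DENY_PORTS="110 143 587"

# Constructed sample of `ss -lnpt` output (assumed layout: Debian/Ubuntu iproute2).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      100    0.0.0.0:25        0.0.0.0:*     users:(("master",pid=801,fd=13))
LISTEN 0      100    0.0.0.0:465       0.0.0.0:*     users:(("master",pid=801,fd=17))
LISTEN 0      100    0.0.0.0:110       0.0.0.0:*     users:(("dovecot",pid=950,fd=19))
LISTEN 0      100    0.0.0.0:143       0.0.0.0:*     users:(("dovecot",pid=950,fd=21))
LISTEN 0      100    0.0.0.0:993       0.0.0.0:*     users:(("dovecot",pid=950,fd=23))
LISTEN 0      100    0.0.0.0:995       0.0.0.0:*     users:(("dovecot",pid=950,fd=25))
LISTEN 0      100    [::]:993          [::]:*        users:(("dovecot",pid=950,fd=24))'

# Print the distinct TCP ports in LISTEN state, one per line, ascending.
# Takes the text after the last colon so 0.0.0.0:993 and [::]:993 both work.
listening_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Print each port of the space-separated list $2 that is absent from the
# newline-separated list $1.
ports_missing() {
    for p in $2; do
        printf '%s\n' "$1" | grep -qx "$p" || echo "$p"
    done
    return 0
}

# Print each port of $2 that is present in $1.
ports_present() {
    for p in $2; do
        printf '%s\n' "$1" | grep -qx "$p" && echo "$p"
    done
    return 0
}

# Report, and return 0 only if every wanted port is bound. Plaintext listeners
# are reported but do not fail the check: they are tolerable only while ufw
# blocks them (default deny incoming), so treat that list as a to-do.
check_listeners() {
    ports=$(listening_ports "$1")
    missing=$(ports_missing "$ports" "$WANT_PORTS")
    plain=$(ports_present "$ports" "$DENY_PORTS")
    [ -n "$missing" ] && echo "NOT LISTENING (service not started or not configured): $(echo $missing)"
    [ -n "$plain" ] && echo "PLAINTEXT LISTENERS (must stay blocked by ufw or be disabled): $(echo $plain)"
    [ -z "$missing" ] && echo "OK: all of $WANT_PORTS are bound"
    [ -z "$missing" ]
}

case "${1:-}" in
    --live) check_listeners "$(ss -lnpt)" ;;
    *)      check_listeners "$SAMPLE_SS" ;;
esac
```

On the sample it reports all four wanted ports bound and flags 110 and 143 as plaintext listeners; the remaining step, which ufw cannot see, is to confirm those two really are blocked from outside, or to disable them in 10-master.conf by setting `port = 0` on the imap and pop3 inet_listener entries.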
In Thunderbird: Edit 🠆 Account Settings 🠆 Account Actions 🠆 Add Mail Account

Select manual configuration, with SSL/TLS for both incoming (IMAP, port 993) and outgoing (SMTP, port 465), and normal password as the authentication method.

Now send and receive some test emails, as you did before, but this time you will be receiving them on your desktop, rather than logging in to the server and reading them there.
As before, check the mail log for trouble:

```
grep -E '(warning|error|fatal|panic)' /var/log/mail.log
```
Now that you have an email service that people can access from their desktop using an email client such as thunderbird, you probably want several other domain names and hosts to use it.
This tutorial is largely based on the excellent linuxbabe tutorial
reaction.la gpg key 154588427F2709CD9D7146B01C99BB982002C39F
This work is licensed under the Creative Commons Attribution 4.0 International License.