Dovecot
Dovecot is an IMAP (Internet Message Access Protocol) server that lets remote clients read their mail. There are other protocols and servers, but Dovecot runs about 75% of the internet's IMAP servers and is a good choice.
Preparation
Use the same server you installed Postfix on. Just forward a couple additional ports.
- 465 TCP
- 993 TCP
Installation
Since we're on Trixie we'll get a fairly current Dovecot 2.4. Its config is slightly different from what came with previous versions. You can also use Dovecot's repo, but there's no significant advantage.
sudo apt install dovecot-imapd dovecot-submissiond
Configuration
Storage
Debian adds some defaults that prevent Dovecot from auto-detecting things. Let’s correct that.
sudo vi /etc/dovecot/conf.d/10-mail.conf
# Search for these under 'Debian defaults'
# Comment these out
#mail_driver = mbox
#mail_home = /home/%{user | username}
#mail_path = %{home}/mail
#mail_inbox_path = /var/mail/%{user}
# Add these right below
mail_driver = maildir
mail_path = %{owner_home}/Maildir
#TODO - should these be in namespace inbox?
Encryption
Dovecot comes with its own default cert. It isn't trusted, but Thunderbird will prompt you and you can choose to accept it. That's fine for now; we'll generate a valid cert later.
Credentials
Dovecot checks passwords against the local Unix accounts by default, so the login is normally just your username, e.g. you. If you'd like to allow you@your.org as well, make this edit.
sudo vi /etc/dovecot/conf.d/10-auth.conf
# Uncomment this line to allow an optional @your.org after the username
auth_username_format = %{user|username|lower}
IMAP Protocol
RFC 8314 strongly recommends IMAPS (implicit TLS) on port 993 over explicit TLS (STARTTLS) on port 143. Dovecot accepts both by default, and it's generally recommended to leave both enabled as long as ssl=required stays set (it is by default), so that passwords are never accepted in clear text.
We're not forwarding port 143 (explicit TLS) here, but you can if you want to support older clients.
Submission Service
One potential surprise is that IMAP is only for reading mail. To send it, clients use the SMTP protocol to talk directly to Postfix.
That doesn't support authentication, however, and since we don't want just anyone relaying messages, relaying is disabled for non-local IPs. Instead, clients use a separate process called the submission service.
We've installed Dovecot's submission service as it's newer and easier to set up; Postfix even suggests considering it over its own. It's really just a simple proxy in front of Postfix that requires you to log in.
The RFC recommends that clients connect with implicit TLS on port 465. Both types (implicit and explicit) are enabled by default, and it's generally recommended to leave them, as long as plain-text passwords remain prohibited as they are by default. Port forward as needed.
The only configuration needed is to set localhost as the relay.
# Set the relay as localhost where postfix runs
sudo sed -i 's/#submission_relay_host =/submission_relay_host = localhost/' /etc/dovecot/conf.d/20-submission.conf
sudo systemctl reload dovecot.service
If you do want to disable either of these listeners, set its port = 0. Commenting them out just leaves them on by default.
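As an added example that is not part of the original page, here is a small POSIX sh audit of the settings the sections above rely on: ssl = required, the submission relay, and the switch from the Debian mbox defaults to maildir. On the server you would feed it the output of `doveconf -n`; the sample dump below is constructed inline so the script also runs anywhere, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): audit a Dovecot 2.4 config dump
# for the settings this guide changes. Feed it `doveconf -n` output on the
# server; SAMPLE below is a constructed stand-in so it runs offline.

# Print the value of a top-level "key = value" setting from a config dump.
get_setting() {
    # $1 = config text, $2 = setting name
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# Print one finding per line for each deviation from the state set up above.
# Returns the number of findings, so an exit status of 0 means the dump passed.
audit_dovecot() {
    conf=$1
    findings=0
    ssl=$(get_setting "$conf" ssl)
    if [ "$ssl" != "required" ]; then
        echo "ssl = ${ssl:-<unset>}: expected 'required' so logins are refused without TLS"
        findings=$((findings + 1))
    fi
    if [ -z "$(get_setting "$conf" submission_relay_host)" ]; then
        echo "submission_relay_host unset: the submission service has no Postfix to hand mail to"
        findings=$((findings + 1))
    fi
    if [ "$(get_setting "$conf" mail_driver)" = "mbox" ]; then
        echo "mail_driver = mbox: the Debian default was not replaced with maildir"
        findings=$((findings + 1))
    fi
    if [ -n "$(get_setting "$conf" mail_inbox_path)" ]; then
        echo "mail_inbox_path still set: the Debian default in 10-mail.conf was not commented out"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample standing in for `doveconf -n`; one setting is still the Debian default.
SAMPLE='ssl = required
submission_relay_host = localhost
mail_driver = mbox
mail_path = %{owner_home}/Maildir'

audit_dovecot "$SAMPLE" || echo "$? finding(s); fix them before forwarding ports 993 and 465"
```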
Testing
nc -zv mail.your.org 993
nc -zv mail.your.org 465
If it's working from outside your network but not inside, you may need to enable reflection, aka hairpin NAT. This differs per firewall vendor, but in OPNsense it's:
Firewall -> Settings -> Advanced
# Enable these settings
Reflection for port forwards
Reflection for 1:1
Automatic outbound NAT for Reflection
Clients
Thunderbird and others will discover the correct ports and services when you provide your email address of you@your.org. Make sure to use the login a
Next Steps
Now that you've got the basics working, let's secure things a little more.
- Set up security
Sources
https://dovecot.org/list/dovecot/2019-July/116661.html