Dovecot
Dovecot is an IMAP (Internet Message Access Protocol) server that allows remote clients to access their mail. There are other protocols and servers, but Dovecot has about 75% of the internet and is a good choice.
Installation
sudo apt install dovecot-imapd
sudo apt install dovecot-submissiond
Configuration
Storage
Both Postfix and Dovecot use mbox storage format by default. This is one big file with all your mail in it and doesn’t scale well. Switch to the newer maildir format where your messages are stored as individual files.
# Change where Postfix delivers mail.
sudo postconf -e "home_mailbox = Maildir/"
sudo systemctl reload postfix.service
# Change where Dovecot looks for mail.
sudo sed -i 's/^mail_location.*/mail_location = maildir:~\/Maildir/' /etc/dovecot/conf.d/10-mail.conf
sudo systemctl reload dovecot.service
Encryption
Dovecot comes with it’s own default cert. This isn’t trusted, but Thunderbird will prompt you and you can choose to accept it. This will be fine for now. We’ll generate a valid cert later.
Credentials
Dovecot checks passwords against the local unix system by default and no changes are needed.
Submissions
One potential surprise is that IMAP is only for viewing existing mail. To send mail, you use the SMTP protocol and relay messages to your mail server. But we have relaying turned off, as we don’t want just anyone relaying messages.
The solution is to enable authentication and by convention this is done by a separate port process, called the Submission Server.
We’ve installed Dovecot’s submission server as it’s newer and easier to set up. Postfix even suggests considering it, rather than theirs. The only configuration needed it to set the localhost as the relay.
# Set the relay as localhost where postfix runs
sudo sed -i 's/#submission_relay_host =/submission_relay_host = localhost/' /etc/dovecot/conf.d/20-submission.conf
sudo systemctl reload dovecot.service
Port Forwarding
Forward ports 143 and 587 to your mail server and test that you can connect from both inside and outside your LAN.
nc -zf mail.your.org 143
nc -zf mail.your.org 587
If it’s working from outside your network, but not inside, you may need to enable [reflection] aka hairpin NAT. This will be different per firewall vendor, but in OPNSense it’s:
Firewall -> Settings -> Advanced
# Enable these settings
Reflection for port forwards
Reflection for 1:1
Automatic outbound NAT for Reflection
Clients
Thunderbird and others will successfully discover the correct ports and services when you provide your email address of [email protected]
.
Notes
TLS
Dovecot defaults to port 587 for the submission service which is an older standard for explicit TLS. It’s now recommended by RFC to use implicit TLS on port 465 and you can add a new “submissions” service for that, while leaving the default in place. Clients will pick their fav. Thunderbird defaults to the 465 when both are available.
Note: leaving the default sumbission port commented out just means it will use the default port. Comment out the whole block to disable.
vi /etc/dovecot/conf.d/10-master.conf
# Change the default of
service submission-login {
inet_listener submission {
#port = 587
}
}
to
service submission-login {
inet_listener submission {
#port = 587
}
inet_listener submissions {
port = 465
ssl = yes
}
}
# And reload
sudo systemctl reload dovecot.service
Make sure to port forward 465 at the firewall as well
Next Steps
Now that you’ve got the basics working, let’s secure things a little more
- Set up security
Sources
https://dovecot.org/list/dovecot/2019-July/116661.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.