Client connections using dovecot

[Ref: OpenBSD 5.0, Dovecot 2.0.14, Installing Dovecot 2 on CentOS]

Client access, getting your e-mail from the mail server, is generally through programs that support the standard protocols for receiving mail (POP3, POP3S, IMAP, IMAPS). In this guide we look at a basic configuration of dovecot as an IMAP, POP3 and SASL server.

OpenBSD comes with some tools in the default install, and depending on your needs you may prefer those, or other tools in the ports tree. I hope this guide will help you in using dovecot alongside our postfix guide.

Install

Install dovecot from the packages, and if you prefer some special configuration not in the standard package then you can use the ports system. For SQL support we're installing the "mysql" flavor, although this is not necessary for the majority of the instructions below.

# pkg_add dovecot
 
dovecot-2.0.14:bzip2-1.0.6: ok
dovecot-2.0.14: ok
The following new rcscripts were installed: /etc/rc.d/dovecot
See rc.d(8) for details.
--- +dovecot-2.0.14 -------------------
Files to facilitate the generation of a self-signed
certificate and key for Dovecot have been installed:
/etc/ssl/dovecot-openssl.cnf (Edit this accordingly!)
/usr/local/sbin/dovecot-mkcert.sh

If this has been or will be accomplished by other means,
use the following paths for the files:
/etc/ssl/dovecotcert.pem
/etc/ssl/private/dovecot.pem

Resource Requirements

Before we start dovecot, we need to take care of some resource requirements, such as increasing the number of file descriptors the program can use. We can configure this by creating a login class 'dovecot' in /etc/login.conf.

File Fragment: /etc/login.conf

    dovecot:\
            :ignorenologin:\
            :openfiles-cur=1024:\
            :openfiles-max=2048:\
            :tc=default:

To rebuild the login.conf database after editing it, run cap_mkdb:

# cap_mkdb /etc/login.conf

Configure the _dovecot user account (in /etc/passwd) to use the login class we've just created, either with vipw or with the following command line.

$ sudo /usr/sbin/usermod -L dovecot _dovecot

This replaces the standard 'daemon' login class with the one we've just created.

Auto-start configuration

File Fragment: /var/db/pkg/dovecot-2.0.14/+DISPLAY

 
The following new rcscripts were installed: /etc/rc.d/dovecot
See rc.d(8) for details.

To ensure dovecot is started on a system boot, add the above script to the rc.d(8) script list:

File Fragment: /etc/rc.conf.local

pkg_scripts="dovecot"

Dovecot is now configured to start at each system boot, but we haven't yet configured it to do anything useful.

SSL Certificates

The dovecot port/package provides a simplified approach to generating the SSL certificate. The configuration file is /etc/ssl/dovecot-openssl.cnf, and the generation script is /usr/local/sbin/dovecot-mkcert.sh.

Files to facilitate the generation of a self-signed
certificate and key for Dovecot have been installed:
/etc/ssl/dovecot-openssl.cnf (Edit this accordingly!)
/usr/local/sbin/dovecot-mkcert.sh

File Fragment: /etc/ssl/dovecot-openssl.cnf

[ req_dn ]
# country (2 letter code)
#C=FI
# State or Province Name (full name)
#ST=
# Locality Name (eg. city)
#L=Helsinki
# Organization (eg. company)
#O=Dovecot
# Organizational Unit Name (eg. section)
#OU=Imap Server

# Common Name (*.example.com is also possible)
#CN=imap.example.com
# E-mail contact
#emailAddress=postmaster@example.com

Some of the commented-out options above may be interesting to you at a later stage.

If you've never used certificates before, or are just using these instructions on a test server, then just work with the sample configuration above. If you are ready to deploy your system, then please read the man pages and review your certificate files further. The full openssl configuration file example in OpenBSD is stored as /etc/ssl/openssl.cnf.

Generate Certificates

The dovecot install supplies the shell script

/usr/local/sbin/dovecot-mkcert.sh

to generate your SSL certificate using the information in the above configuration file. Just run the script to generate your certificate:

# /usr/local/sbin/dovecot-mkcert.sh

The first part of the script generates the private key using /etc/ssl/dovecot-openssl.cnf:

Generating a 1024 bit RSA private key
...++++++
.................++++++
writing new private key to '/etc/ssl/private/dovecot.pem'
-----

The second part of the script just prints the subject and SHA1 fingerprint of the generated certificate, to assure us that it executed correctly (i.e. if you didn't get the second part, then things failed badly).

subject= (information text from above configuration file)
SHA1 Fingerprint=(long fingerprint)

As shown in the ports documentation (/var/db/pkg/dovecot-2.0.14/+DISPLAY), you can generate your own certificate and key files by other means, so long as you place the resulting files in the 'known' location:

File Fragment: /var/db/pkg/dovecot-2.0.14/+DISPLAY

If this has been or will be accomplished by other means,
use the following paths for the files:
/etc/ssl/dovecotcert.pem
/etc/ssl/private/dovecot.pem

The location and naming of the *.pem files are specified in your conf.d/10-ssl.conf file by the ssl_cert and ssl_key settings.

File Fragment: /etc/dovecot/conf.d/10-ssl.conf

ssl_cert = </etc/ssl/dovecotcert.pem
ssl_key = </etc/ssl/private/dovecot.pem

Obviously, from the above, you can generate and store your certificate and key elsewhere, so long as you update your configuration file to point to the new location.
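As an added check (it is not part of the original guide or of the Dovecot package), the following Python script reads the ssl_cert and ssl_key settings from a 10-ssl.conf fragment, resolves Dovecot's "<file" syntax, verifies that the private key file is not group- or world-readable, and asks OpenSSL (through Python's ssl module) whether the certificate and key actually form a matching pair. The configuration text embedded in it is a copy of the fragment above; the function names are the example's own.

```python
"""Audit the certificate and key files named in Dovecot's conf.d/10-ssl.conf.

Added example, not part of the Dovecot package. Function names are this
example's own; the paths come from the 10-ssl.conf fragment in the guide.
"""
import os
import re
import ssl
import stat

# Copy of the guide's 10-ssl.conf fragment. In Dovecot's syntax a value that
# starts with '<' means "read the contents of this file", not the literal text.
SAMPLE_10_SSL_CONF = """\
ssl_cert = </etc/ssl/dovecotcert.pem
ssl_key = </etc/ssl/private/dovecot.pem
"""

SSL_SETTING = re.compile(r"^\s*(ssl_cert|ssl_key)\s*=\s*<(\S+)\s*$", re.MULTILINE)


def parse_ssl_paths(conf_text):
    """Return {'ssl_cert': path, 'ssl_key': path} for the '<file' settings found."""
    return dict(SSL_SETTING.findall(conf_text))


def mode_problems(mode):
    """Describe why a private-key file mode is too open (empty list means fine)."""
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable by group or others (expected mode 0600)")
    if mode & stat.S_IXUSR:
        problems.append("executable bit set on a key file")
    return problems


def key_file_problems(path):
    """Permission and ownership findings for the private key named in ssl_key."""
    if not path:
        return ["ssl_key not configured"]
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    problems = mode_problems(st.st_mode)
    if st.st_uid != 0:
        # Dovecot's master process reads the key as root; nobody else needs it.
        problems.append("not owned by root")
    return problems


def cert_key_match(cert_path, key_path):
    """True when OpenSSL accepts the certificate and key as a matching pair."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_path, key_path)
    except (ssl.SSLError, OSError):
        # SSLError: key does not belong to the certificate or the PEM is malformed;
        # OSError: a file is missing or unreadable.
        return False
    return True


def audit(conf_text):
    """Combine the checks for one 10-ssl.conf fragment into a report dict."""
    paths = parse_ssl_paths(conf_text)
    cert, key = paths.get("ssl_cert", ""), paths.get("ssl_key", "")
    return {
        "paths": paths,
        "key_problems": key_file_problems(key),
        "pair_ok": cert_key_match(cert, key),
    }


if __name__ == "__main__":
    for item, value in audit(SAMPLE_10_SSL_CONF).items():
        print(f"{item}: {value}")
```

Run it as root on the mail server after dovecot-mkcert.sh so that /etc/ssl/private is readable; the pair check fails if the certificate and key were generated separately and never matched.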

Basic Configuration

Dovecot 2's primary configuration file is:

/etc/dovecot/dovecot.conf

The specific configuration options live in ./conf.d and are loaded by the following lines in dovecot.conf:

File Fragment: /etc/dovecot/dovecot.conf

# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf

# A config file can also be included without giving an error if
# it's not found:
!include_try local.conf

Enable Services

Edit the dovecot.conf file to ensure the protocols setting is present and enables at least imap and pop3.

File Fragment: /etc/dovecot/dovecot.conf

# Protocols we want to be serving.
protocols = imap pop3 lmtp

These protocols are managed in their own configuration files under ./conf.d/:

  • 20-imap.conf
  • 20-lmtp.conf
  • 20-pop3.conf

Authentication

The dovecot package is configured to use OpenBSD's BSD Authentication (bsdauth) for authenticating user accounts.

File Fragment: /etc/dovecot/conf.d/authentication.conf.ext

# PAM-like authentication for OpenBSD.
# 
passdb {
  driver = bsdauth
  # [blocking=no] [cache_key=]
  #args =
}

# System users (NSS, /etc/passwd, or similar). In many systems nowadays this
# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
userdb {
  # 
  driver = passwd
  # [blocking=no]
  #args =
}

This means the dovecot install lets you retrieve mail (over the protocols enabled above) for the system users on your server.

Location

File Fragment: /etc/dovecot/conf.d/10-mail.conf

mail_location = maildir:~/Maildir

Verification

Before continuing, let's just check to make sure we've got at least these parts working and not causing a conflict.

The default OpenBSD dovecot package supports authentication through the OpenBSD password file so we need at least one valid system user account to test the install.

Starting Dovecot

To make sure that we execute 'dovecot' with the increased file descriptors, start it through the rc.d script:

#  /etc/rc.d/dovecot start
dovecot(ok)

Check for error messages in /var/log/maillog (for example with tail -f /var/log/maillog); you should see messages such as the following:

dovecot: master: Dovecot v2.0.14 starting up
dovecot: ssl-params: Generating SSL parameters
dovecot: ssl-params: SSL parameters regeneration completed

Check running processes to ensure that dovecot is running with the appropriate login class configuration.

# ps auxw | grep dovecot

run it and put the output here.

Test POP3

To test POP3 we connect using a system user account (samt).

$ telnet localhost pop3
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
USER samt
+OK
PASS mypassword
+OK Logged in.
LIST
+OK 0 messages:
.
QUIT
+OK Logging out.
Connection closed by foreign host.

File: /var/log/maillog:

Reviewing the log file should reveal something like the below just after the user/pass have been passed to dovecot:

dovecot: pop3-login: Login: user=<samt>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=23835, secured

File: /var/log/maillog:

On disconnection you should receive a disconnect log entry.

dovecot: POP3(samt): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0

A list of common POP3 commands, courtesy of SOL4.net:

Command           Functional Description
LIST              Lists the messages in the mailbox together with their sizes. Can also be used with a message number to return that message's size.
RETR messageID    Retrieves the message specified by messageID and displays it on the screen.
DELE messageID    Deletes the message specified by messageID.
RSET              Undoes any changes made.
STAT              Lists the number of messages and the total mailbox size.
QUIT              Closes the connection.

Test IMAP

The same basic test with IMAP.

Screen Session

# telnet localhost imap
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
a1 login samt mypassword
a1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
a2 select inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1323400084] UIDs valid
* OK [UIDNEXT 1] Predicted next UID
* OK [HIGHESTMODSEQ 1] Highest
a2 OK [READ-WRITE] Select completed.
a3 logout
* BYE Logging out
a3 OK Logout completed.
Connection closed by foreign host.
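The two telnet sessions above can be replayed from a script, which is handier for repeating the check after each configuration change. The following Python program is an added example (not part of the guide or of Dovecot): it drives the same USER/PASS/LIST/QUIT and LOGIN/SELECT/LOGOUT dialogues with the standard-library poplib and imaplib clients. Because the guide's mailbox is empty and the script must run without a mail server, two constructed fake responders answer with the replies shown in the transcripts; the `pop3_session` and `imap_session` functions themselves work unchanged against a real Dovecot. The account name samt and the password are the ones from the transcripts; the class and function names are the example's own.

```python
"""Replay the POP3 and IMAP test sessions above with poplib/imaplib.

Added example, not part of the guide or of Dovecot. The two Fake* classes are
constructed stand-ins that answer with the responses shown in the transcripts,
so the script runs offline. Against a real Dovecot, pass an ssl.SSLContext so
the connection is upgraded with STARTTLS before the password is sent.
"""
import imaplib
import poplib
import socketserver
import threading

CRLF = b"\r\n"
CAPABILITIES = b"IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN"


class FakePop3(socketserver.StreamRequestHandler):
    """Scripted POP3 responder (constructed): greeting, USER/PASS, LIST, QUIT."""

    def handle(self):
        self.wfile.write(b"+OK Dovecot ready." + CRLF)
        while True:
            line = self.rfile.readline()
            if not line:
                return
            parts = line.split()
            cmd = parts[0].upper() if parts else b""
            if cmd in (b"USER", b"PASS"):
                self.wfile.write(b"+OK" + CRLF)
            elif cmd == b"LIST":
                # Multi-line reply: status line, one line per message, then "." alone.
                self.wfile.write(b"+OK 0 messages:" + CRLF + b"." + CRLF)
            elif cmd == b"QUIT":
                self.wfile.write(b"+OK Logging out." + CRLF)
                return
            else:
                self.wfile.write(b"-ERR Unknown command" + CRLF)


class FakeImap(socketserver.StreamRequestHandler):
    """Scripted IMAP responder (constructed): CAPABILITY, LOGIN, SELECT, LOGOUT."""

    def handle(self):
        self.wfile.write(b"* OK [CAPABILITY " + CAPABILITIES + b"] Dovecot ready." + CRLF)
        while True:
            line = self.rfile.readline()
            if not line:
                return
            parts = line.split()
            if len(parts) < 2:
                continue
            tag, cmd = parts[0], parts[1].upper()
            if cmd == b"CAPABILITY":  # imaplib always sends this on connect
                self.wfile.write(b"* CAPABILITY " + CAPABILITIES + CRLF
                                 + tag + b" OK Capability completed." + CRLF)
            elif cmd == b"LOGIN":
                self.wfile.write(tag + b" OK Logged in" + CRLF)
            elif cmd == b"SELECT":
                self.wfile.write(b"* 0 EXISTS" + CRLF + b"* 0 RECENT" + CRLF
                                 + tag + b" OK [READ-WRITE] Select completed." + CRLF)
            elif cmd == b"LOGOUT":
                self.wfile.write(b"* BYE Logging out" + CRLF + tag + b" OK Logout completed." + CRLF)
                return
            else:
                self.wfile.write(tag + b" BAD Unknown command" + CRLF)


def pop3_session(host, port, user, password, ssl_context=None):
    """USER/PASS/LIST/QUIT as in the transcript; returns the number of messages listed."""
    pop = poplib.POP3(host, port, timeout=10)
    if ssl_context is not None:
        pop.stls(context=ssl_context)  # TLS first, so USER/PASS never cross the wire in clear
    pop.user(user)
    pop.pass_(password)
    _status, entries, _octets = pop.list()
    pop.quit()
    return len(entries)


def imap_session(host, port, user, password, ssl_context=None):
    """LOGIN/SELECT INBOX/LOGOUT as in the transcript; returns the EXISTS count."""
    imap = imaplib.IMAP4(host, port)
    if ssl_context is not None:
        imap.starttls(ssl_context=ssl_context)
    imap.login(user, password)
    _typ, data = imap.select("INBOX")
    imap.logout()
    return int(data[0])


def run_against_fake(handler, session):
    """Serve one constructed fake on a free loopback port and run the session against it."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return session("127.0.0.1", server.server_address[1], "samt", "mypassword")
    finally:
        server.shutdown()
        server.server_close()


def demo():
    """Replay both transcripts; both mailboxes in the guide are empty, so both counts are 0."""
    return {"pop3": run_against_fake(FakePop3, pop3_session),
            "imap": run_against_fake(FakeImap, imap_session)}


if __name__ == "__main__":
    print(demo())
```

Against the real server, call `pop3_session("localhost", 110, ...)` and `imap_session("localhost", 143, ...)` with `ssl_context=ssl.create_default_context()`; the fakes do not implement STARTTLS, so leave `ssl_context` unset only for them. The telnet sessions in the guide send the password in the clear and are acceptable only because they stay on the loopback interface, which is exactly what the `secured` flag in the log entries below records.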

Again, we review /var/log/maillog for dovecot's messages and after successfully entering the correct user/password combination we should get a log entry similar to the below.

File Fragment: /var/log/maillog

dovecot: imap-login: Login: user=<samt>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured

Likewise, on logging out, we should get the disconnect log entry.

File Fragment: /var/log/maillog

dovecot: imap-login: Login: user=<samt>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=31498, secured
dovecot: imap(samt): Disconnected: Logged out bytes=26/641
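The login and disconnect entries are also the lines worth watching once the server is reachable from outside. The following Python script is an added example (not part of the guide or of Dovecot) that parses the `Login:` and `Disconnected:` entries shown above, flags logins that Dovecot did not mark `secured` (the password crossed the network without TLS), and totals failed authentication attempts per client address. The four Login/Disconnected lines in the sample are copied from the guide; the remote-login line and the two `auth failed` lines are constructed to show what the checks report, and the regular expressions, field names and function names are the example's own.

```python
"""Summarise Dovecot login activity from /var/log/maillog lines.

Added example, not part of the guide. The 'Login'/'Disconnected' lines from
the guide are copied; the remote-login and 'auth failed' lines are constructed.
Function and field names are this example's own.
"""
import re
from collections import Counter

SAMPLE_MAILLOG = """\
Dec  9 10:15:02 mail dovecot: pop3-login: Login: user=<samt>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=23835, secured
Dec  9 10:15:09 mail dovecot: POP3(samt): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Dec  9 10:16:31 mail dovecot: imap-login: Login: user=<samt>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=31498, secured
Dec  9 10:16:40 mail dovecot: imap(samt): Disconnected: Logged out bytes=26/641
Dec  9 10:20:12 mail dovecot: imap-login: Login: user=<samt>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=4242
Dec  9 10:21:03 mail dovecot: pop3-login: Aborted login (auth failed, 3 attempts): user=<root>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
Dec  9 10:21:44 mail dovecot: pop3-login: Aborted login (auth failed, 3 attempts): user=<admin>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
"""

# Field values stop at the next comma; mpid is optional and 'secured' is a bare
# trailing flag that Dovecot adds for TLS connections and loopback clients.
LOGIN = re.compile(
    r"(?P<svc>imap|pop3)-login: Login: user=<(?P<user>[^>]*)>, method=(?P<method>[^,\s]+), "
    r"rip=(?P<rip>[^,\s]+), lip=(?P<lip>[^,\s]+)(?:, mpid=\d+)?(?P<secured>, secured)?")
AUTH_FAILED = re.compile(
    r"(?P<svc>imap|pop3)-login: .*\(auth failed, (?P<n>\d+) attempts[^)]*\): "
    r"user=<(?P<user>[^>]*)>, method=[^,\s]+, rip=(?P<rip>[^,\s]+)")
DISCONNECT = re.compile(
    r"(?P<svc>imap|pop3)\((?P<user>[^)]+)\): Disconnected: (?P<reason>.*)", re.IGNORECASE)


def analyze(lines):
    """Classify each log line into logins, unsecured logins, failures and disconnects."""
    report = {"logins": [], "unsecured_logins": [],
              "auth_failures": Counter(), "disconnects": Counter()}
    for line in lines:
        m = LOGIN.search(line)
        if m:
            secured = m["secured"] is not None
            report["logins"].append((m["svc"], m["user"], m["rip"], secured))
            if not secured:
                # Credentials were accepted over a plain TCP connection from a remote host.
                report["unsecured_logins"].append((m["user"], m["rip"], m["method"]))
            continue
        m = AUTH_FAILED.search(line)
        if m:
            report["auth_failures"][m["rip"]] += int(m["n"])
            continue
        m = DISCONNECT.search(line)
        if m:
            # The POP3 process logs its name in upper case; normalise for counting.
            report["disconnects"][(m["svc"].lower(), m["user"])] += 1
    return report


def brute_force_sources(report, threshold=5):
    """Client addresses whose failed attempts reach the threshold, worst first."""
    hits = [(rip, n) for rip, n in report["auth_failures"].items() if n >= threshold]
    return sorted(hits, key=lambda item: -item[1])


def sample_report():
    """Run the analysis over the constructed sample above."""
    return analyze(SAMPLE_MAILLOG.splitlines())


if __name__ == "__main__":
    rep = sample_report()
    print("logins:", rep["logins"])
    print("unsecured logins:", rep["unsecured_logins"])
    print("disconnects:", dict(rep["disconnects"]))
    print("brute-force sources:", brute_force_sources(rep))
```

On the server itself, feed it the real file (`analyze(open("/var/log/maillog"))`); an entry in unsecured_logins means a client sent a PLAIN password over the network without STARTTLS, which is the case to close before opening the ports beyond localhost.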

It seems our server is working correctly.

Reference Resources