This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.

Basic Configuration

/etc/dovecot/dovecot.conf

!include conf.d/*.conf
protocols = imap lmtp

Mail Location and Namespaces

A private namespace configured for maildir or multi-dbox storage to hold the mailboxes and a public namespace configured for maildir storage with filesystem layout (/dir/subdir) and per user index-information. The index will be stored in the public dir under the home directories. This allows individual /SEEN information for the public namespace.

/etc/dovecot/conf.d/10-mail.conf

#mail_location = mdbox:~/mdbox
mail_location = maildir:~/maildir
mail_plugins = acl quota
namespace {
  type = private
  separator = /
  prefix =
  hidden = no
  inbox = yes
}
namespace {
  type = public
  separator = /
  prefix = Public/
  location = maildir:/var/vmail/public:LAYOUT=fs:INDEX=~/public
  list = yes
  subscriptions = no
}

User Home directory structure: /var/vmail/<domain>/<user>/

-rw------- 1 vmail vmail 1489 2010-03-03 19:30 .dovecot.sieve
-rw------- 1 vmail vmail 2897 2010-03-14 12:22 .dovecot.svbin
drwx--S--- 4 vmail vmail 4096 2010-03-17 20:15 maildir
drwx--S--- 4 vmail vmail 4096 2010-03-14 13:31 public

Authentication Databases

Per domain flat-files containing the virtual user's specific parameters, stored in a single passwd-like file. User logins are expected to be in full-qualified e-mail address format: user@domain.tld . Additional parameters may be used to override defaults, such as individual quotas or mailbox formats.

/etc/dovecot/conf.d/10-auth.conf

auth_mechanisms = plain
passdb {
  driver = passwd-file
  args = username_format=%u /var/vmail/auth.d/%d/passwd
}
userdb {
  driver = passwd-file
  args = username_format=%u /var/vmail/auth.d/%d/passwd
}

/var/vmail/auth.d/<domain>/passwd

<user>@<domain>:{SSHA}xxxx:5000:5000::/var/vmail/<domain>/<user>::userdb_quota_rule=\
*:storage=5G userdb_acl_groups=PublicMailboxAdmins

Later on the auth service will be configured to run in the doveauth user context. Therefore the directory auth.d/ and its content will be owned by this user, while mails / ACLs / Sieve-Scripts, will be accessed using the vmail context specified in the passwd-file. To keep directory permissions simple these will be stored seperately under the conf.d/ tree.

Per-domain authentication and configuration structure /var/vmail

dr-x------ 3 doveauth dovecot  4096 2010-03-17 19:09 auth.d |--> domain.tld
dr-x------ 3 vmail    vmail    4096 2010-03-03 19:32 conf.d |--> domain.tld

Master Configuration

IMAP-Server bound to IP 1.2.3.4 on port 143 while the IMAPS Port (993) is disabled since STARTTLS will be used to request encryption over the standard IMAP port. The LMTP-Server is bound to a Unix socket configured with relevant permissions allowing Postfix to inject mails through it. Dovecot presents its Authentication Mechanism and User Database as another socket to Postfix allowing SASL submission.

Dovecot's authentication services will run in the doveauth user-context.

/etc/dovecot/conf.d/10-master.conf

service imap-login {
  inet_listener imap {
  address = 1.2.3.4
  port = 143
  }
  inet_listener imaps {
  port = 0
  }
}
service lmtp {
 unix_listener /var/spool/postfix/private/dovecot-lmtp {
   group = postfix
   mode = 0660
   user = postfix
  }
}
service imap {
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = doveauth
}
service auth-worker {
 user = doveauth
}
verbose_proctitle = yes

Protocols

/etc/dovecot/conf.d/20-imapd.conf

protocol imap {
  mail_plugins = $mail_plugins imap_acl imap_quota mail_log notify
}

/etc/dovecot/conf.d/20-lmtp.conf

protocol lmtp {
  postmaster_address = postmaster@domainname   # required on my debian
  mail_plugins = $mail_plugins sieve
}

Plugins

/etc/dovecot/conf.d/90-plugin.conf

plugin {
  #quota = dict:user::file:%h/mdbox/dovecot-quota
  quota = dict:user::file:%h/maildir/dovecot-quota
  quota_rule = *:storage=1GB
  quota_rule2 = Trash:storage=+10%%
  acl = vfile:/var/vmail/conf.d/%d/acls:cache_secs=300
}

/etc/dovecot/conf.d/90-sieve.conf

plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /var/vmail/conf.d/%d/sieve
}

TLS

/etc/dovecot/conf.d/10-ssl.conf

ssl_cert = </etc/ssl/certs/domain_tld_2009.crt
ssl_key = </etc/ssl/private/domain_tld_2009.key

Logging

Simple logging using the internal mechanism. See #Syslog Logging for more complex configurations.

/etc/dovecot/conf.d/10-logging.conf

log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
mail_debug = no

Syslog Logging

/etc/dovecot/conf.d/10-logging.conf

#log_path =
#info_log_path =
mail_debug = no
syslog_facility = local1

/etc/rsyslog.conf

local1.*                          -/var/log/dovecot.log
local1.info                       -/var/log/dovecot.info
local1.warn                       -/var/log/dovecot.warn
local1.err                        -/var/log/dovecot.err
:msg,contains,"stored mail into mailbox"\
                                  -/var/log/dovecot.lmtp

/etc/logrotate.d/dovecot

/var/log/dovecot.log
/var/log/dovecot.info
/var/log/dovecot.warn
/var/log/dovecot.err
/var/log/dovecot.lmtp
{
        weekly
        rotate 52
        missingok
        notifempty
        compress
        delaycompress
        create 640 root adm
        sharedscripts
        postrotate
        /bin/kill -USR1 'cat /var/run/dovecot/master.pid 2>/dev/null' 2>/dev/null || true
        endscript
}

Postfix Configuration

In this configuration Postfix will only accept SASL requests on its submission port (TCP:587) and will not accept them on Port 25. As Dovecot is used as authentication backend in this example, this will not break inbound mail flow in case the authentication mechanism is down e.g. due to upgrading to a new build. The configuration of the submission port is handled in master.cf overriding possible main.cf settings. Several sanity checks are performed upon submission like recipient domain validation and sender map checks. Final delivery is performed through Dovecot's LMTP server via a socket.

/etc/postfix/main.cf

smtpd_banner = $myhostname ESMTP
biff = no
append_dot_mydomain = no

myhostname = mail.domain.tld
inet_protocols = ipv4
inet_interfaces = 1.2.3.4
masquerade_domains =
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
mydestination = $myhostname, localhost.$mydomain
mynetworks_style = subnet

virtual_mailbox_domains = domain.tld, domain1.tld
virtual_mailbox_base = /var/vmail
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_transport = lmtp:unix:private/dovecot-lmtp

strict_rfc821_envelopes = yes
disable_vrfy_command = yes

smtpd_client_restrictions =
 check_client_access hash:/etc/postfix/client_access,
 reject_unknown_client_hostname
smtpd_helo_required = yes
smtpd_helo_restrictions =
 check_helo_access hash:/etc/postfix/helo_access,
 reject_invalid_helo_hostname,
 reject_unknown_helo_hostname,
 reject_non_fqdn_helo_hostname
smtpd_sender_restrictions =
 reject_unknown_sender_domain
smtpd_recipient_restrictions =
 reject_unknown_recipient_domain,
 reject_non_fqdn_recipient,
 reject_unverified_recipient,
 permit_mynetworks,
 reject_unauth_destination,
 check_policy_service unix:private/policyd-spf,
 check_policy_service unix:public/postgrey

policyd-spf_time_limit = 3600
smtpd_milters = unix:public/dkim-filter
non_smtpd_milters = unix:public/dkim-filter
milter_protocol = 6

unknown_address_reject_code  = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code   = 554
unknown_local_recipient_reject_code = 550

smtpd_tls_cert_file=/etc/postfix/server.pem
smtpd_tls_key_file=/etc/ssl/private/domain_tld.key
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache

alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 20480000

queue_run_delay = 300s
minimal_backoff_time = 300s
master_service_disable =

Postfix Master Configuration

The submission port is configured to only accept TLS secured transmissions. Login Map checks will verify the authenticated SASL user is authorized to send using different MAIL FROM aliases.

/etc/postfix/master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,\
     permit_sasl_authenticated,reject
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
  -o smtp_header_checks=pcre:/etc/postfix/header_checks_outbound
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
# python-postfix-policyd-spf
policyd-spf  unix  -       n       n       -       0       spawn
  user=nobody argv=/usr/bin/python /usr/bin/policyd-spf
retry     unix  -       -       -       -       -       error

Additional hints about this howto (30. July 2010)

Postfix listens on all interfaces by default so it's not really needed to set this:

 inet_interfaces = 1.2.3.4

These options are not needed:

 masquerade_domains =
 masquerade_exceptions = root
 masquerade_classes = envelope_sender, header_sender, header_recipient

These options are not needed if the Dovecot LDA or LMTP is used (these options are only relevant for the Postfix LDA "virtual"):

 virtual_mailbox_base = /var/vmail
 virtual_minimum_uid = 100
 virtual_uid_maps = static:5000
 virtual_gid_maps = static:5000

These options are also not required - instead use only smtpd_recipient_restrictions:

smtpd_client_restrictions = ...
smtpd_helo_restrictions = ...
smtpd_sender_restrictions = ...

smtpd_recipient_restrictions =
 reject_non_fqdn_recipient
 reject_non_fqdn_sender
 reject_unknown_recipient_domain
 reject_unknown_sender_domain
 permit_mynetworks
 reject_unauth_destination

In master.cf these options are not needed:

  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
  -o smtpd_sender_restrictions=reject_sender_login_mismatch

It's better to use smtpd_recipient_restrictions like this:

 -o smtpd_recipient_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,\
    permit_sasl_authenticated,reject

Also you do not need to set

 -o smtpd_sasl_local_domain=$myhostname

When you do not want to you sender_login_maps it's not needed to set

 -o smtpd_sender_login_maps=hash:/etc/postfix/virtual

in master.cf. Don't use

 check_policy_service unix:private/policyd-spf,
 check_policy_service unix:public/postgrey

in any smtpd_*_restriction in main.cf if these policy servers are not installed! Also don't use

 policyd-spf_time_limit = 3600
 smtpd_milters = unix:public/dkim-filter
 non_smtpd_milters = unix:public/dkim-filter
 milter_protocol = 6

if you don't have installed dkim-filter (dkim milter) or SPF policy server. These options are not needed because because this are default values:

 queue_run_delay = 300s
 minimal_backoff_time = 300s
 master_service_disable =

Here's a more cleaner Postfix configuration (only with recommend options):

smtpd_banner = $myhostname ESMTP
biff = no
append_dot_mydomain = no

myhostname = mail.domain.tld
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain
virtual_mailbox_domains = domain.tld, domain1.tld
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_transport = lmtp:unix:private/dovecot-lmtp

strict_rfc821_envelopes = yes
disable_vrfy_command = yes

smtpd_helo_required = yes
smtpd_recipient_restrictions =
 reject_unknown_recipient_domain,
 reject_non_fqdn_recipient,
 permit_mynetworks,
 reject_unauth_destination
 permit

smtpd_tls_cert_file=/etc/postfix/server.pem
smtpd_tls_key_file=/etc/ssl/private/domain_tld.key
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 20480000

master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_recipient_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
 -o fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
retry     unix  -       -       -       -       -       error

HowTo/VirtualUserFlatFilesPostfix (last edited 2013-09-19 12:30:09 by nrbg-4dbe690b)