Contents
Basic Configuration
/etc/dovecot/dovecot.conf
!include conf.d/*.conf protocols = imap lmtp
Mail Location and Namespaces
A private namespace configured for maildir or multi-dbox storage to hold the mailboxes and a public namespace configured for maildir storage with filesystem layout (/dir/subdir) and per user index-information. The index will be stored in the public dir under the home directories. This allows individual /SEEN information for the public namespace.
/etc/dovecot/conf.d/10-mail.conf
#mail_location = mdbox:~/mdbox mail_location = maildir:~/maildir mail_plugins = acl quota namespace { type = private separator = / prefix = hidden = no inbox = yes } namespace { type = public separator = / prefix = Public/ location = maildir:/var/vmail/public:LAYOUT=fs:INDEX=~/public list = yes subscriptions = no }
User Home directory structure: /var/vmail/<domain>/<user>/
-rw------- 1 vmail vmail 1489 2010-03-03 19:30 .dovecot.sieve -rw------- 1 vmail vmail 2897 2010-03-14 12:22 .dovecot.svbin drwx--S--- 4 vmail vmail 4096 2010-03-17 20:15 maildir drwx--S--- 4 vmail vmail 4096 2010-03-14 13:31 public
Authentication Databases
Per domain flat-files containing the virtual user's specific parameters, stored in a single passwd-like file. User logins are expected to be in full-qualified e-mail address format: user@domain.tld . Additional parameters may be used to override defaults, such as individual quotas or mailbox formats.
/etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain passdb { driver = passwd-file args = username_format=%u /var/vmail/auth.d/%d/passwd } userdb { driver = passwd-file args = username_format=%u /var/vmail/auth.d/%d/passwd }
/var/vmail/auth.d/<domain>/passwd
<user>@<domain>:{SSHA}xxxx:5000:5000::/var/vmail/<domain>/<user>::userdb_quota_rule=\ *:storage=5G userdb_acl_groups=PublicMailboxAdmins
Later on the auth service will be configured to run in the doveauth user context. Therefore the directory auth.d/ and its content will be owned by this user, while mails / ACLs / Sieve-Scripts, will be accessed using the vmail context specified in the passwd-file. To keep directory permissions simple these will be stored seperately under the conf.d/ tree.
Per-domain authentication and configuration structure /var/vmail
dr-x------ 3 doveauth dovecot 4096 2010-03-17 19:09 auth.d |--> domain.tld dr-x------ 3 vmail vmail 4096 2010-03-03 19:32 conf.d |--> domain.tld
Master Configuration
IMAP-Server bound to IP 1.2.3.4 on port 143 while the IMAPS Port (993) is disabled since STARTTLS will be used to request encryption over the standard IMAP port. The LMTP-Server is bound to a Unix socket configured with relevant permissions allowing Postfix to inject mails through it. Dovecot presents its Authentication Mechanism and User Database as another socket to Postfix allowing SASL submission.
Dovecot's authentication services will run in the doveauth user-context.
/etc/dovecot/conf.d/10-master.conf
service imap-login { inet_listener imap { address = 1.2.3.4 port = 143 } inet_listener imaps { port = 0 } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0660 user = postfix } } service imap { } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } user = doveauth } service auth-worker { user = doveauth } verbose_proctitle = yes
Protocols
/etc/dovecot/conf.d/20-imapd.conf
protocol imap { mail_plugins = $mail_plugins imap_acl imap_quota mail_log notify }
/etc/dovecot/conf.d/20-lmtp.conf
protocol lmtp { postmaster_address = postmaster@domainname # required on my debian mail_plugins = $mail_plugins sieve }
Plugins
/etc/dovecot/conf.d/90-plugin.conf
plugin { #quota = dict:user::file:%h/mdbox/dovecot-quota quota = dict:user::file:%h/maildir/dovecot-quota quota_rule = *:storage=1GB quota_rule2 = Trash:storage=+10%% acl = vfile:/var/vmail/conf.d/%d/acls:cache_secs=300 }
/etc/dovecot/conf.d/90-sieve.conf
plugin { sieve = ~/.dovecot.sieve sieve_dir = ~/sieve sieve_global_dir = /var/vmail/conf.d/%d/sieve }
TLS
/etc/dovecot/conf.d/10-ssl.conf
ssl_cert = </etc/ssl/certs/domain_tld_2009.crt ssl_key = </etc/ssl/private/domain_tld_2009.key
Logging
Simple logging using the internal mechanism. See #Syslog Logging for more complex configurations.
/etc/dovecot/conf.d/10-logging.conf
log_path = /var/log/dovecot.log info_log_path = /var/log/dovecot-info.log mail_debug = no
Syslog Logging
/etc/dovecot/conf.d/10-logging.conf
#log_path = #info_log_path = mail_debug = no syslog_facility = local1
/etc/rsyslog.conf
local1.* -/var/log/dovecot.log local1.info -/var/log/dovecot.info local1.warn -/var/log/dovecot.warn local1.err -/var/log/dovecot.err :msg,contains,"stored mail into mailbox"\ -/var/log/dovecot.lmtp
/etc/logrotate.d/dovecot
/var/log/dovecot.log /var/log/dovecot.info /var/log/dovecot.warn /var/log/dovecot.err /var/log/dovecot.lmtp { weekly rotate 52 missingok notifempty compress delaycompress create 640 root adm sharedscripts postrotate /bin/kill -USR1 'cat /var/run/dovecot/master.pid 2>/dev/null' 2>/dev/null || true endscript }
Postfix Configuration
In this configuration Postfix will only accept SASL requests on its submission port (TCP:587) and will not accept them on Port 25. As Dovecot is used as authentication backend in this example, this will not break inbound mail flow in case the authentication mechanism is down e.g. due to upgrading to a new build. The configuration of the submission port is handled in master.cf overriding possible main.cf settings. Several sanity checks are performed upon submission like recipient domain validation and sender map checks. Final delivery is performed through Dovecot's LMTP server via a socket.
/etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP biff = no append_dot_mydomain = no myhostname = mail.domain.tld inet_protocols = ipv4 inet_interfaces = 1.2.3.4 masquerade_domains = masquerade_exceptions = root masquerade_classes = envelope_sender, header_sender, header_recipient mydestination = $myhostname, localhost.$mydomain mynetworks_style = subnet virtual_mailbox_domains = domain.tld, domain1.tld virtual_mailbox_base = /var/vmail virtual_minimum_uid = 100 virtual_uid_maps = static:5000 virtual_gid_maps = static:5000 virtual_alias_maps = hash:/etc/postfix/virtual virtual_transport = lmtp:unix:private/dovecot-lmtp strict_rfc821_envelopes = yes disable_vrfy_command = yes smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_access, reject_unknown_client_hostname smtpd_helo_required = yes smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access, reject_invalid_helo_hostname, reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname smtpd_sender_restrictions = reject_unknown_sender_domain smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unverified_recipient, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, check_policy_service unix:public/postgrey policyd-spf_time_limit = 3600 smtpd_milters = unix:public/dkim-filter non_smtpd_milters = unix:public/dkim-filter milter_protocol = 6 unknown_address_reject_code = 554 unknown_hostname_reject_code = 554 unknown_client_reject_code = 554 unknown_local_recipient_reject_code = 550 smtpd_tls_cert_file=/etc/postfix/server.pem smtpd_tls_key_file=/etc/ssl/private/domain_tld.key smtpd_tls_security_level = may smtp_tls_security_level = may smtpd_tls_ask_ccert = yes smtpd_tls_loglevel = 1 smtp_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache alias_maps = hash:/etc/aliases mailbox_size_limit = 0 message_size_limit = 20480000 queue_run_delay = 300s minimal_backoff_time = 300s master_service_disable =
Postfix Master Configuration
The submission port is configured to only accept TLS secured transmissions. Login Map checks will verify the authenticated SASL user is authorized to send using different MAIL FROM aliases.
/etc/postfix/master.cf
# # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master"). # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== smtp inet n - - - - smtpd submission inet n - - - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth -o smtpd_sasl_security_options=noanonymous -o smtpd_sasl_local_domain=$myhostname -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_login_maps=hash:/etc/postfix/virtual -o smtpd_sender_restrictions=reject_sender_login_mismatch -o smtpd_recipient_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,\ permit_sasl_authenticated,reject #smtps inet n - - - - smtpd # -o smtpd_tls_wrappermode=yes # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject #628 inet n - - - - qmqpd pickup fifo n - - 60 1 pickup cleanup unix n - - - 0 cleanup qmgr fifo n - n 300 1 qmgr #qmgr fifo n - - 300 1 oqmgr tlsmgr unix - - - 1000? 1 tlsmgr rewrite unix - - - - - trivial-rewrite bounce unix - - - - 0 bounce defer unix - - - - 0 bounce trace unix - - - - 0 bounce verify unix - - - - 1 verify flush unix n - - 1000? 0 flush proxymap unix - - n - - proxymap smtp unix - - - - - smtp -o smtp_header_checks=pcre:/etc/postfix/header_checks_outbound # When relaying mail as backup MX, disable fallback_relay to avoid MX loops relay unix - - - - - smtp -o fallback_relay= # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - - - - showq error unix - - - - - error discard unix - - - - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - - - - lmtp anvil unix - - - - 1 anvil scache unix - - - - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. # # Many of the following services use the Postfix pipe(8) delivery # agent. See the pipe(8) man page for information about ${recipient} # and other message envelope options. # ==================================================================== # # maildrop. See the Postfix MAILDROP_README file for details. # Also specify in main.cf: maildrop_destination_recipient_limit=1 # maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} # # See the Postfix UUCP_README file for configuration details. # uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) # # Other external delivery methods. # ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} # python-postfix-policyd-spf policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/bin/python /usr/bin/policyd-spf retry unix - - - - - error
Additional hints about this howto (30. July 2010)
Postfix listens on all interfaces by default so it's not really needed to set this:
inet_interfaces = 1.2.3.4
These options are not needed:
masquerade_domains = masquerade_exceptions = root masquerade_classes = envelope_sender, header_sender, header_recipient
These options are not needed if the Dovecot LDA or LMTP is used (these options are only relevant for the Postfix LDA "virtual"):
virtual_mailbox_base = /var/vmail virtual_minimum_uid = 100 virtual_uid_maps = static:5000 virtual_gid_maps = static:5000
These options are also not required - instead use only smtpd_recipient_restrictions:
smtpd_client_restrictions = ... smtpd_helo_restrictions = ... smtpd_sender_restrictions = ...
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_non_fqdn_sender reject_unknown_recipient_domain reject_unknown_sender_domain permit_mynetworks reject_unauth_destination
In master.cf these options are not needed:
-o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_login_maps=hash:/etc/postfix/virtual -o smtpd_sender_restrictions=reject_sender_login_mismatch
It's better to use smtpd_recipient_restrictions like this:
-o smtpd_recipient_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,\ permit_sasl_authenticated,reject
Also you do not need to set
-o smtpd_sasl_local_domain=$myhostname
When you do not want to you sender_login_maps it's not needed to set
-o smtpd_sender_login_maps=hash:/etc/postfix/virtual
in master.cf. Don't use
check_policy_service unix:private/policyd-spf, check_policy_service unix:public/postgrey
in any smtpd_*_restriction in main.cf if these policy servers are not installed! Also don't use
policyd-spf_time_limit = 3600 smtpd_milters = unix:public/dkim-filter non_smtpd_milters = unix:public/dkim-filter milter_protocol = 6
if you don't have installed dkim-filter (dkim milter) or SPF policy server. These options are not needed because because this are default values:
queue_run_delay = 300s minimal_backoff_time = 300s master_service_disable =
Here's a more cleaner Postfix configuration (only with recommend options):
smtpd_banner = $myhostname ESMTP biff = no append_dot_mydomain = no myhostname = mail.domain.tld inet_protocols = ipv4 mydestination = $myhostname, localhost.$mydomain virtual_mailbox_domains = domain.tld, domain1.tld virtual_alias_maps = hash:/etc/postfix/virtual virtual_transport = lmtp:unix:private/dovecot-lmtp strict_rfc821_envelopes = yes disable_vrfy_command = yes smtpd_helo_required = yes smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_non_fqdn_recipient, permit_mynetworks, reject_unauth_destination permit smtpd_tls_cert_file=/etc/postfix/server.pem smtpd_tls_key_file=/etc/ssl/private/domain_tld.key smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache alias_maps = hash:/etc/aliases mailbox_size_limit = 0 message_size_limit = 20480000
master.cf
# # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master"). # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== smtp inet n - - - - smtpd submission inet n - - - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth -o smtpd_recipient_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,permit_sasl_authenticated,reject pickup fifo n - - 60 1 pickup cleanup unix n - - - 0 cleanup qmgr fifo n - n 300 1 qmgr tlsmgr unix - - - 1000? 1 tlsmgr rewrite unix - - - - - trivial-rewrite bounce unix - - - - 0 bounce defer unix - - - - 0 bounce trace unix - - - - 0 bounce verify unix - - - - 1 verify flush unix n - - 1000? 0 flush proxymap unix - - n - - proxymap smtp unix - - - - - smtp relay unix - - - - - smtp -o fallback_relay= showq unix n - - - - showq error unix - - - - - error discard unix - - - - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - - - - lmtp anvil unix - - - - 1 anvil scache unix - - - - 1 scache retry unix - - - - - error