Install
Let's set up dovecot to allow users to read mail with IMAP and POP.
Installation
$ doas pkg_add dovecot
Configuration
A single user vmail will receive mail for all virtual users:
$ doas useradd -m -g =uid -c "Virtual Mail" -d /var/vmail -s /sbin/nologin vmail
/var/vmail will be used to store virtual users' maildir folders. It will be managed by dovecot, which receives mail via LMTP.
In order to secure our passwords, we need to rearrange file permissions and owners:
$ doas chown -R _dkimsign:_dkimsign /etc/mail/dkim/
$ doas chown _smtpd:_dovecot /etc/mail/passwd
$ doas chmod 770 /etc/mail/dkim/
$ doas chmod 440 /etc/mail/passwd
$ doas find /etc/mail ! -path /etc/mail -exec chmod o-rwx '{}' +
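As an added check that is not part of the original guide: a small POSIX sh audit of the layout those five commands establish, so it can be re-run after a package update or a stray chmod. The paths and the owner/group names are parameters that default to the guide's values (_smtpd, _dovecot, _dkimsign); the function names are chosen here. The expectation that /etc/mail itself stays traversable by "other" is inferred from the find command skipping /etc/mail, and it is the condition that the "Permission denied" maillog lines at the end of the Troubleshooting section show failing.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the ownership/mode layout
# that the chown/chmod commands above establish. Everything is parameterised
# so it can be run against a scratch tree; defaults are the guide's paths.

# Print "owner group perms" for PATH, where perms is the 9-character rwx
# string from ls(1). ls -ld is used because stat(1) flags differ between
# OpenBSD and GNU userland; substr() drops any trailing ACL marker.
path_ident() {
    ls -ld "$1" | awk '{ print $3, $4, substr($1, 2, 9) }'
}

# check_ident PATH OWNER GROUP PERMS: 0 if PATH matches, 1 otherwise.
check_ident() {
    if [ ! -e "$1" ]; then
        printf 'MISSING %s\n' "$1" >&2
        return 1
    fi
    actual=$(path_ident "$1")
    expected="$2 $3 $4"
    if [ "$actual" != "$expected" ]; then
        printf 'MISMATCH %s: have "%s", want "%s"\n' "$1" "$actual" "$expected" >&2
        return 1
    fi
    return 0
}

# List entries below DIR (DIR itself excluded, exactly like the guide's find
# invocation) that still carry any read/write/execute bit for "other".
# Empty output means the chmod o-rwx sweep is still in effect.
world_accessible() {
    find "$1" ! -path "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# other_can_traverse DIR: 0 if "other" has the execute (search) bit on DIR.
# The guide's sweep skips /etc/mail itself for this reason: _dovecot is
# neither its owner nor in its group, so without o+x on /etc/mail the
# passwd-file lookup fails with "Permission denied".
other_can_traverse() {
    [ "$(ls -ld "$1" | awk '{ print substr($1, 10, 1) }')" = "x" ]
}

# audit_mail_tree [DIR] [PASSWD_OWNER PASSWD_GROUP DKIM_OWNER DKIM_GROUP]
# Returns 0 when every expectation holds, 1 otherwise; each problem is
# reported on stderr so the whole list is visible in one run.
audit_mail_tree() {
    dir=${1:-/etc/mail}
    ok=0
    check_ident "$dir/passwd" "${2:-_smtpd}" "${3:-_dovecot}" "r--r-----" || ok=1
    check_ident "$dir/dkim" "${4:-_dkimsign}" "${5:-_dkimsign}" "rwxrwx---" || ok=1
    other_can_traverse "$dir" || { printf 'NOT TRAVERSABLE by other: %s\n' "$dir" >&2; ok=1; }
    leaks=$(world_accessible "$dir")
    if [ -n "$leaks" ]; then
        printf 'WORLD-ACCESSIBLE under %s:\n%s\n' "$dir" "$leaks" >&2
        ok=1
    fi
    return "$ok"
}

# Stand-alone use on a live system: doas sh audit_mail.sh --audit [/etc/mail]
if [ "${1:-}" = "--audit" ]; then
    audit_mail_tree "${2:-/etc/mail}" && echo "ok"
fi
```

Run it as root (the file modes are readable by anyone, but /etc/mail/passwd itself is not), and treat any output on stderr as something to fix before starting dovecot.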
In /etc/dovecot/dovecot.conf, add the following lines at the bottom of the file:
protocols = imap pop3 lmtp
listen = 192.168.0.1, 2001:db8::
service lmtp {
  user = vmail
}
This tells dovecot to serve the protocols IMAP, POP3, and LMTP. Note: We don't want dovecot to handle submission.
It also tells dovecot which public IPs to listen on. Finally, the service block tells dovecot to run its LMTP service as the user vmail.
To aid with troubleshooting, you can consider adding these lines. Note that auth_debug_passwords writes the submitted passwords to /var/log/maillog, so remove these settings again once the problem is found:
auth_verbose=yes
auth_debug=yes
auth_debug_passwords=yes
mail_debug=yes
auth_verbose_passwords=sha1
verbose_ssl=yes
In /etc/dovecot/conf.d/10-auth.conf, first comment out the include of auth-system.conf.ext:
#!include auth-system.conf.ext
This prevents dovecot from using BSD auth.
Then at the bottom of the file, add these lines:
passdb {
  args = scheme=blf-crypt /etc/mail/passwd
  driver = passwd-file
}
userdb {
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n
  driver = static
}
The first block defines our password database to use blowfish (see blowfish(3) and encrypt(1)).
The second block says that the mail must be read by user ID and group ID vmail, and that all mail will be in the folders /var/vmail/<domain>/<username>.
In /etc/dovecot/conf.d/10-mail.conf:
mail_location = maildir:/var/vmail/%d/%n/Maildir
This again indicates all mail will be in the folders /var/vmail/<domain>/<username>.
In /etc/dovecot/conf.d/10-ssl.conf, make the changes to these lines:
ssl = yes
...
ssl_cert = </etc/ssl/example.com.crt
ssl_key = </etc/ssl/private/example.com.key
You will need to replace example.com with your real domain.
Please read the instructions in the dovecot README in /usr/local/share/doc/pkg-readmes/dovecot. That file explains that you must add this login class to /etc/login.conf:
dovecot:\
	:openfiles-cur=4096:\
	:openfiles-max=8192:\
	:tc=daemon:
WARNING: You must use tabs and not spaces. If you use spaces in /etc/login.conf, the settings will not work.
NOTE: Allowing more open files than suggested in the README can help if you have many IP addresses.
WARNING: If login.conf.db exists, you will need to rebuild it:
# [ -f /etc/login.conf.db ] && cap_mkdb /etc/login.conf
But it is best to just remove /etc/login.conf.db since it is not required:
$ doas rm /etc/login.conf.db
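As an added check, not from the README or this guide: two POSIX sh functions that catch the two mistakes the warnings above describe, space-indented continuation lines in the dovecot class, and a login.conf.db that predates the edit to login.conf. They assume only awk, find and the login.conf record syntax shown above (a "class:\" header followed by backslash-continued lines); the function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the original guide: sanity checks for the
# login.conf class above. Assumes only POSIX awk/find and the login.conf
# record syntax (a "class:\" header, backslash-continued lines).

# login_class_record FILE CLASS: print CLASS's record, i.e. the line that
# starts with "CLASS:" plus every following line while the previous one
# ended in a backslash. Prints nothing if the class is absent.
login_class_record() {
    awk -v class="$2" '
        inrec { print; if ($0 !~ /\\$/) inrec = 0; next }
        index($0, class ":") == 1 { print; inrec = ($0 ~ /\\$/) }
    ' "$1"
}

# login_class_tabs_ok FILE CLASS: 0 when every continuation line of the
# record begins with a tab; 1 when some line is indented with spaces (the
# silent failure the warning above describes); 2 when CLASS is not present.
login_class_tabs_ok() {
    rec=$(login_class_record "$1" "$2")
    [ -n "$rec" ] || return 2
    # Skip the header line; flag continuation lines not starting with a tab.
    bad=$(printf '%s\n' "$rec" | awk 'NR > 1 && $0 !~ /^\t/')
    if [ -n "$bad" ]; then
        printf 'login.conf class %s: non-tab continuation line(s):\n%s\n' "$2" "$bad" >&2
        return 1
    fi
    return 0
}

# login_conf_db_state FILE [DB]: prints "absent" (no .db, nothing to
# rebuild), "stale" (the .db is older than FILE, so cap_mkdb has not been
# run since the edit and the old values remain in effect), or "current".
# find -newer is used instead of test -nt, which is not POSIX.
login_conf_db_state() {
    conf=$1
    db=${2:-$1.db}
    if [ ! -e "$db" ]; then
        echo absent
    elif [ -n "$(find "$conf" -newer "$db" -print)" ]; then
        echo stale
    else
        echo current
    fi
}

# Stand-alone use on a live system: sh check_login_conf.sh --check
if [ "${1:-}" = "--check" ]; then
    login_class_tabs_ok /etc/login.conf dovecot && echo "dovecot class: tabs ok"
    echo "login.conf.db: $(login_conf_db_state /etc/login.conf)"
fi
```

A "stale" result means the class you edited is not the one in effect yet; either rebuild with cap_mkdb or remove the .db as the guide suggests.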
Starting dovecot
To start dovecot via rcctl:
$ doas rcctl enable dovecot
$ doas rcctl start dovecot
Troubleshooting
Make sure to check /var/log/maillog. To test the IMAP STARTTLS handshake from outside, connect with openssl:
$ openssl s_client -starttls imap -connect username.coconut.ircnow.org:143
When starting dovecot, you may find it fails:
$ doas rcctl start dovecot
dovecot(failed)
When this happens, run the rc.d script with debugging turned on:
$ doas /etc/rc.d/dovecot -d start
doing _rc_parse_conf
doing _rc_quirks
dovecot_flags empty, using default ><
doing rc_check
dovecot
doing rc_start
doing _rc_wait start
doing rc_check
doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 12: ssl_cert: Can't open file /etc/ssl/dovecotcert.pem: No such file or directory
doing _rc_rm_runfile
(failed)
In this case, you can see the error is in line 12 of /etc/dovecot/conf.d/10-ssl.conf. I forgot to write the real path of the cert: /etc/ssl/example.com.fullchain.pem (where example.com is replaced with my real domain).
Jun 9 01:37:35 jrmu dovecot: auth: Error: passwd-file(jrmu@jrmu.host.oddprotocol.org,125.231.25.80,<aiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)
Jun 9 01:37:41 jrmu dovecot: auth: Error: passwd-file(jrmu@jrmu.host.oddprotocol.org,125.231.25.80,<aiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)
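The two maillog lines above are the failure that the permission step in the Configuration section prevents: /etc/mail is mode 0750, _dovecot is neither its owner nor in its group, so the passwd-file lookup cannot even stat the file. As an added example, not part of the original guide: an awk-based parser that reduces such lines to the fields that matter when triaging them. The sample lines are constructed in the same format (hostname and addresses are placeholders), and sample_log, perm_denied_records, perm_denied_summary and describe_records are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original guide: extract the actionable fields
# from dovecot "passwd-file ... Permission denied" auth errors so the path
# that failed, the directory that blocks it and the identity that was
# denied are visible at a glance. Sample lines are constructed in the
# format of the maillog excerpt above (hostname/addresses are placeholders).

sample_log() {
    cat <<'EOF'
Jun  9 01:37:35 mx dovecot: auth: Error: passwd-file(user@example.com,192.0.2.10,<aiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)
Jun  9 01:37:41 mx dovecot: auth: Error: passwd-file(user@example.com,192.0.2.10,<aiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)
Jun  9 01:38:02 mx dovecot: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
EOF
}

# perm_denied_records: read maillog on stdin, emit one tab-separated record
# per matching line:
#   target  blocker  missing-perm  blocker-owner(uid:gid)  blocker-mode  euid  egid
# Non-matching lines (including successful logins) are ignored.
perm_denied_records() {
    awk '
        # name_in_parens("euid=518(_dovecot)") -> "_dovecot"
        function name_in_parens(s,    p) {
            p = index(s, "(")
            return substr(s, p + 1, length(s) - p - 1)
        }
        /auth: Error: passwd-file/ && /Permission denied/ {
            match($0, /stat\([^)]*\)/)                   # stat(/etc/mail/passwd)
            target = substr($0, RSTART + 5, RLENGTH - 6)
            match($0, /missing [^ ]* perm: [^,]*/)       # missing +x perm: /etc/mail
            split(substr($0, RSTART, RLENGTH), f, " ")
            perm = f[2]; blocker = f[4]
            match($0, /owned by [0-9:]+ mode=[0-7]+/)     # owned by 95:1003 mode=0750
            split(substr($0, RSTART, RLENGTH), f, " ")
            owner = f[3]; mode = substr(f[4], 6)
            match($0, /euid=[0-9]+\([^)]*\)/)
            euid = name_in_parens(substr($0, RSTART, RLENGTH))
            match($0, /egid=[0-9]+\([^)]*\)/)
            egid = name_in_parens(substr($0, RSTART, RLENGTH))
            printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\n", target, blocker, perm, owner, mode, euid, egid
        }
    '
}

# perm_denied_summary: collapse repeated records into "count<TAB>record",
# which is what you want when the same failure repeats on every login.
perm_denied_summary() {
    perm_denied_records | sort | uniq -c | awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print n "\t" $0 }'
}

# describe_records: turn each record on stdin into a one-line diagnosis.
describe_records() {
    tab=$(printf '\t')
    while IFS="$tab" read -r target blocker perm owner mode euid egid; do
        printf '%s cannot stat %s: needs %s on %s (owned by %s, mode %s)\n' \
            "$euid" "$target" "$perm" "$blocker" "$owner" "$mode"
    done
}

# Stand-alone use: sh triage_maillog.sh --demo, or
#   grep 'auth: Error' /var/log/maillog | perm_denied_summary
if [ "${1:-}" = "--demo" ]; then
    sample_log | perm_denied_summary
    sample_log | perm_denied_records | describe_records
fi
```

The summary line for the sample above reads "2" followed by the record, and describe_records turns it into "_dovecot cannot stat /etc/mail/passwd: needs +x on /etc/mail (owned by 95:1003, mode 0750)", which points straight back at the find/chmod step that keeps /etc/mail traversable.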