FreeBSD email server - Part 3: Dovecot, IMAP and SASL

Welcome to the third part of my FreeBSD email server series. In this series, I will guide you through setting up your own email service. Be sure to read the previous parts before continuing with this one, in case you have not done so yet.

This part guides you through setting up Dovecot. It handles SASL authentication for your email server (Postfix hands SMTP AUTH over to it) and makes the mailboxes accessible over IMAP. This guide does not cover POP3, although Dovecot can serve that as well.

Just like the Postfix setup, Dovecot has quite a few configuration options to set before it will work as expected in this setup. If you have questions after reading the full guide, please find me on IRC. You can find details on how to do so on my homepage.

Installing Dovecot

Dovecot is also installed from the FreeBSD ports tree. As this guide assumes you are working through the parts in order, how to obtain the ports tree is not repeated here.

You can start the installation procedure with the following commands.

cd /usr/ports/mail/dovecot2
make config install clean

Again, as with the Postfix installation, keep the default options and add the PGSQL option so Dovecot can use PostgreSQL as its database back-end. make config is the target that opens the options dialog; the build then picks up the saved options.

Enabling Dovecot

Enable the Dovecot service in rc.conf so it is started at boot.

echo 'dovecot_enable="YES"' >> /etc/rc.conf.local

Configuring Dovecot

To start off with the Dovecot configuration, copy over the sample files first.

cp -r /usr/local/etc/dovecot/example-config/* /usr/local/etc/dovecot/.

Now you can start editing a number of files. The file names in the headings below are all relative to /usr/local/etc/dovecot.

dovecot.conf

Here you only have to set which protocols to enable: imap for the clients and lmtp for delivery from Postfix (pop3 is left out). Set them as follows.

protocols = imap lmtp

conf.d/10-master.conf

10-master.conf declares which sockets Dovecot listens on and provides, and which user each of its processes runs as. Keep the defaults as they are, with the exception of the following two blocks.

service imap-login

This enables IMAPS (IMAP over TLS on port 993) and disables the plaintext IMAP listener on port 143; in Dovecot, port = 0 turns a listener off. Note that this also removes STARTTLS on 143, so clients have to use implicit TLS on 993.

service imap-login {
    inet_listener imap {
        port = 0
    }

    inet_listener imaps {
        port = 993
        ssl = yes
    }
}

services

This instructs Dovecot to provide an authentication service and an LMTP (Local Mail Transfer Protocol) service. Postfix hands mail to Dovecot over the LMTP socket, and Dovecot delivers it into the right mailbox on the file system; Postfix's smtpd verifies SMTP AUTH credentials over the private/auth socket. The auth-userdb socket is Dovecot's own and is used by its LMTP process and by doveadm to look up the mailbox owner. Both Postfix-facing sockets live under /var/spool/postfix/private, which Postfix keeps as mode 0700 owned by postfix; that is the only reason the world-writable 0666 on the auth socket is tolerable. Since smtpd runs as the postfix user, 0660 works just as well and is tighter.

service auth {
    unix_listener auth-userdb {
        mode = 0600
        user = postfix
        group = postfix
    }

    unix_listener /var/spool/postfix/private/auth {
        mode = 0666
        user = postfix
        group = postfix
    }

    user = dovecot
}

service lmtp {
    unix_listener /var/spool/postfix/private/dovecot-lmtp {
        mode = 0600
        user = postfix
        group = postfix
    }
}

service auth-worker {
    user = postfix
}

conf.d/10-ssl.conf

Here you enable TLS and point Dovecot at the certificate chain and the private key; the leading < tells Dovecot to read the contents of the file. Dovecot reads both files as root when it starts, so privkey.pem can stay readable by root only. The files are loaded once at startup: after a Let's Encrypt renewal, reload Dovecot (service dovecot reload, for example from a renewal hook), or clients keep seeing the old certificate until the next restart.

ssl = required
ssl_cert = </usr/local/etc/letsencrypt/live/domain.tld/fullchain.pem
ssl_key = </usr/local/etc/letsencrypt/live/domain.tld/privkey.pem

conf.d/10-mail.conf

10-mail.conf tells Dovecot where the mail files live. %d expands to the domain part and %n to the local part of the login name, so each user gets a home directory under /srv/mail with a Maildir inside it. One more setting in this file matters here: Dovecot refuses to touch mail as any UID below first_valid_uid, whose default is 500. Mail is stored and delivered as postfix, which is UID 125 on a FreeBSD ports install, so set first_valid_uid = 125 in this file (check the effective value with doveconf first_valid_uid), or logins fail with a "Mail access for users with UID 125 not permitted" error.

mail_home = /srv/mail/%d/%n
mail_location = maildir:~/Maildir

Make sure the directory at the top of mail_home exists and is owned by postfix, the user the mail files belong to. The per-user directories below it are created on first delivery. Keep /srv/mail itself mode 0700 so other local users cannot read the mailboxes.

mkdir -p /srv/mail
chown postfix:postfix /srv/mail

conf.d/10-auth.conf

This file deals with the authentication Dovecot provides: which SASL mechanisms are offered and which back-end is consulted for the actual credentials. Make sure the following options are set as given.

disable_plaintext_auth = yes
auth_mechanisms = plain

PLAIN is the only mechanism needed. It lets Dovecot check the password against the bcrypt hash in the database (challenge-response mechanisms such as CRAM-MD5 would require storing the password in a mechanism-specific form), and disable_plaintext_auth = yes makes Dovecot refuse it on unencrypted connections, so with TLS required the credentials never travel in the clear. The same settings govern the SMTP AUTH that Postfix hands to Dovecot over the private/auth socket.

Also, make sure !include auth-system.conf.ext is commented out. It is not commented out by default, so you have to do this by hand. In addition, uncomment !include auth-sql.conf.ext.
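As an added example that is not part of the original guide, the following script exercises what 10-master.conf, 10-ssl.conf and 10-auth.conf were just set to from a client's side: it builds the SASL PLAIN initial response that AUTHENTICATE PLAIN expects (a NUL byte, the user name, a NUL byte, the password, base64-encoded), checks that port 143 no longer accepts connections, and logs in over implicit TLS on 993. The host name mail.domain.tld and the mailbox alice@domain.tld with its password are assumed values.

```sh
#!/bin/sh
# Added example, not part of the original guide. Checks the Dovecot listener
# and SASL settings from a client's point of view. Assumed: the server is
# reachable as mail.domain.tld and alice@domain.tld exists in the users table.
set -u

# base64 without line wrapping; openssl is in FreeBSD base, base64(1) is the fallback.
b64() {
    if command -v openssl >/dev/null 2>&1; then
        openssl base64 -A
    else
        base64 | tr -d '\n'
    fi
}

# SASL PLAIN initial response (RFC 4616): NUL authcid NUL password, base64-encoded.
# With auth_mechanisms = plain this is exactly what follows "AUTHENTICATE PLAIN".
sasl_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | b64
}

# port = 0 on inet_listener imap disabled the plaintext listener: a connect to 143 must fail.
plain_imap_is_closed() {
    ! nc -z -w 3 "$1" 143 >/dev/null 2>&1
}

# Log in over implicit TLS on 993. Dovecot answers "a OK ... Logged in" on success
# and "a NO [AUTHENTICATIONFAILED] ..." on a wrong password. With ssl = required and
# disable_plaintext_auth = yes, a TLS session like this one is the only place PLAIN is accepted.
imap_tls_login() {
    host=$1 user=$2 pass=$3
    printf 'a AUTHENTICATE PLAIN %s\r\nb LOGOUT\r\n' "$(sasl_plain_token "$user" "$pass")" |
        openssl s_client -quiet -connect "$host:993" -servername "$host" 2>/dev/null |
        grep '^a '
}

# Usage: sh check-imap.sh check mail.domain.tld alice@domain.tld 'secret'
if [ "${1:-}" = check ]; then
    if plain_imap_is_closed "$2"; then
        echo "port 143: closed (ok)"
    else
        echo "port 143: still open, check inet_listener imap in 10-master.conf"
    fi
    imap_tls_login "$2" "$3" "$4"
fi
```

The token is printed in the clear by the shell's history and process list, so run this with a throwaway test password and not with a real user's credentials.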

conf.d/auth-sql.conf.ext

This is the file included from 10-auth.conf. It instructs Dovecot to use SQL as the driver for the password and user back-ends. The prefetch userdb reuses the userdb_* fields that password_query returns, so an IMAP login costs a single query; the SQL userdb after it serves lookups that happen without a password check, such as LMTP delivery and doveadm, which run user_query instead. The args path is dovecot-sql.conf.ext, the file configured in the next section.

passdb {
    driver = sql
    args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
}

userdb {
    driver = prefetch
}

userdb {
    driver = sql
    args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
}

dovecot-sql.conf.ext

The final configuration file contains the queries Dovecot runs to fetch the information about a user. Update the password and possibly the other connection parameters to match your database. The 125 may need updating as well: it has to be identical to the UID of postfix (id -u postfix), because that is the user the mail files are owned by. This file holds the database password, so do not leave it world-readable; after tightening its mode, verify that lookups still work with doveadm auth test. Dovecot escapes the %n and %d variables before substituting them into the queries, so a login name containing a quote cannot break out of the WHERE clause, but the quotes around '%n' and '%d' must stay. Returning a user column changes the login name to whatever it selects; here that is the local part only, which works because home, uid and gid are returned explicitly, but it makes the same local part at two different domains indistinguishable in the logs, so you may prefer local || '@' || domain AS user.

As a side note, BLF-CRYPT (bcrypt) needs bcrypt support in the system's crypt(3). FreeBSD's libc has it; glibc does not, so on a GNU/Linux system it depends on whether libxcrypt is in use. Test it with doveadm pw -s BLF-CRYPT -p test: if that fails, use SHA512-CRYPT as the default_pass_scheme instead.

driver = pgsql
connect = host=127.0.0.1 dbname=mail user=postfix password=incredibly-secret!
default_pass_scheme = BLF-CRYPT
password_query = \
    SELECT \
        local AS user, \
        password, \
        '/srv/mail/%d/%n' AS userdb_home, \
        125 AS userdb_uid, \
        125 AS userdb_gid \
    FROM users \
    WHERE local='%n' AND domain='%d';

user_query = \
    SELECT \
        '/srv/mail/%d/%n' AS home, \
        125 AS uid, \
        125 AS gid \
    FROM users \
    WHERE local='%n' AND domain='%d';
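The queries above only work if three things line up: the value in the password column must be a hash in the scheme named by default_pass_scheme, the 125 must be the real UID of postfix on this host, and the row must exist at all. As an added example that is not part of the original guide, the following script provisions a mailbox user and checks those points. It assumes the users table (columns local, domain, password) that the queries reference, a psql that can reach the mail database as the postfix role on 127.0.0.1, and the doveadm binary from the Dovecot port.

```sh
#!/bin/sh
# Added example, not part of the original guide. Provisions a mailbox user for the
# password_query/user_query above and checks the values they depend on.
# Assumed: the users(local, domain, password) table the queries reference, and a
# psql that can reach the mail database as the postfix role.
set -u
SQLCONF=${SQLCONF:-/usr/local/etc/dovecot/dovecot-sql.conf.ext}

# The UID literal written as "<n> AS userdb_uid" in password_query.
config_uid() {
    sed -n 's/^[[:space:]]*\([0-9][0-9]*\) AS userdb_uid.*/\1/p' "$1" | head -n 1
}

# That literal must equal the UID postfix really has on this host (125 on FreeBSD
# when installed from ports, but never assume it).
uid_matches_postfix() {
    [ "$(config_uid "$1")" = "$(id -u postfix)" ]
}

# Double single quotes so a value can sit inside a SQL string literal.
# (Dovecot escapes %n/%d itself when it runs its queries; this is for our own INSERT.)
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Hash a password in the BLF-CRYPT (bcrypt) scheme with cost 12. doveadm pw prints
# "{BLF-CRYPT}$2y$12$..."; the {SCHEME} prefix is optional when default_pass_scheme
# is BLF-CRYPT, but it keeps the stored value self-describing. Fails on a libc
# without bcrypt, which is the check the side note above describes.
make_blf_crypt() {
    doveadm pw -s BLF-CRYPT -r 12 -p "$1"
}

# Insert a user row. Usage: add_mailbox_user alice domain.tld 'secret'
add_mailbox_user() {
    hash=$(make_blf_crypt "$3") || return 1
    psql -h 127.0.0.1 -U postfix -d mail -v ON_ERROR_STOP=1 -c \
        "INSERT INTO users (local, domain, password)
         VALUES ('$(sql_quote "$1")', '$(sql_quote "$2")', '$(sql_quote "$hash")');"
}

# Exercise both lookups the way Dovecot does: the userdb lookup LMTP delivery performs
# (user_query) and the passdb lookup a login performs (password_query plus hash check).
verify_user() {
    doveadm user "$1@$2"
    doveadm auth test "$1@$2" "$3"
}

# Usage: sh mailuser.sh add alice domain.tld 'secret'
case "${1:-}" in
    add)
        uid_matches_postfix "$SQLCONF" ||
            { echo "userdb_uid in $SQLCONF does not match id -u postfix" >&2; exit 1; }
        add_mailbox_user "$2" "$3" "$4" && verify_user "$2" "$3" "$4"
        ;;
esac
```

doveadm auth test reports "passdb: alice@domain.tld auth succeeded" together with the userdb_* fields the prefetch userdb will see, which is the quickest way to tell a wrong hash scheme from a wrong UID or a missing row.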

Conclusion

After this part, you should be left with a functioning email server that offers IMAP over a TLS-protected connection and SASL authentication for Postfix. While this is great in itself, for actual use in the wild you should set up some additional services. Therefore, in the next part, we will deal with the practices that "authenticate" your emails as legitimate messages. Be sure to read up on it!