Archive for the Dovecot Category

Installing Dovecot 2 on CentOS

Posted by Filed Under Dovecot with Comments Off

Dovecot version 2 has been available for some time but it may not be in the repositories for CentOS for a long time to come.  This tutorial will show you how to perform a basic install of Dovecot version 2 and get it working for one domain…other tutorials will follow with addtional configurations.
Installation
Download a pre-built RPM
wget http://dl.atrpms.net/all/dovecot-2.0.9-1_125.el5.x86_64.rpm

yum install openssl-devel

The repository for CentOS 5.5 does not have the version required for postgresql-libs.  As a result you will need to enable the testing repository for CentOS.  Warning: Any time you install from the testing repository you will be taking on additional risk, so think twice about using it on a production machine.  Create access to the CentOS testing repo.  Add the Centos-Test.repo in /etc/yum.repos.d.

[c5-testing]
name=CentOS-5 Testing
baseurl=http://dev.centos.org/centos/$releasever/testing/$basearch/
enabled=0
gpgcheck=1
priority=1
gpgkey=http://dev.centos.org/centos/RPM-GPG-KEY-CentOS-testing

Only enable the testing repository for this one package.

yum --enablerepo=c5-testing install postgresql-libs

rpm -ivh dovecot-2.0.9-1_125.el5.x86_64.rpm


Configuration: One Domain

The first example is setting up Dovecot for one domain and a local user.  The structure for Dovecot 2 is completely different from Dovecot 1, early versions, but the configuration is similar.  Now you have a directory inside of /etc/dovecot called conf.d which contains a number of smaller config files.

/etc/dovecot/conf.d
10-auth.conf      10-ssl.conf   90-acl.conf                  auth-ldap.conf.ext        auth-system.conf.ext
10-director.conf  15-lda.conf   90-plugin.conf               auth-master.conf.ext      auth-vpopmail.conf.ext
10-logging.conf   20-imap.conf  90-quota.conf                auth-passwdfile.conf.ext
10-mail.conf      20-lmtp.conf  auth-checkpassword.conf.ext  auth-sql.conf.ext
10-master.conf    20-pop3.conf  auth-deny.conf.ext           auth-static.conf.ext

These configuration files are read by Dovecot in order.

##### Basic Dovecot 2 Configuration #####
protocols = imap pop3 lmtp
login_greeting = Dovecot Available
mail_privileged_group = mail
!include conf.d/*.conf


The second file that must be edited is the mailbox location.

Mail Location
In order to get some idea of where the actual mailbox is, login as the user and run this command.

set | grep -i mail
HOSTNAME=mail.example.com
MAIL=/var/spool/mail/mike
MAILCHECK=60

Edit the 10-mail.conf  to allow the correct mail location.
This example, which uses mutt for the local user, will collect the mail in /var/spool/mail.  The “%u” represents the user name of the mail recipient.  When the mail has been read it can be moved to the user’s home directory and the mail folder.

mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u

dovecot -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.35.4-rscloud x86_64 CentOS release 5.5 (Final)
auth_verbose = yes
disable_plaintext_auth = no
login_greeting = Dovecot Available
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u
mbox_write_locks = fcntl
passdb {
driver = pam
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
driver = passwd
}

Mail File Lock
Verify the permissions and location of the mail directory and then provide additional permissions for Dovecot in this situation for the dotlock files.

ls -ld /var/spool/mail
drwxrwxr-x 2 root mail 4096 Mar 22 07:58 /var/spool/mail

In order to make sure that the mail file can be locked add this line.

mail_privileged_group = mail

Create Virtual Accounts with CRAM-MD5

Posted by Filed Under Dovecot with Comments Off

Virtual Accounts with CRAM-MD5
The major disadvantage of PLAIN text passwords on the server of course is that they are readable.  Even if your communication with the server is encrypted it is troubling to have readable passwords on the server.  You can easily change this by using the dovecotpw command and creating encrypted passwords.

As root login to the mail server and use the dovecotpw command as seen below.  It will ask for the password you want to encrypt and then provide you with the output.

# dovecotpw
Enter new password:
Retype new password:
{HMAC-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6

In the /etc/dovecot directory create two files, userdb for a list of users and passdb for the encrypted passwords.

userdb
This file has a list of the users and the location of their virtual accounts.  Note the virtual accounts are accounts that you have set up for the domains that you manage mail for, this is not the canonical domain on the server.  For example, if you set up a mail server and the hostname is mail.my_mail_server.com then mail accounts that are local will be canonical accounts with a home directory.  However, virtual accounts for the virtual domains that your mail server uses will not be able to login to the server as you can see from the /bin/false.  These are only mail users who can retrieve mail.

tom@example.com::510:510::/var/spool/vhosts/example.com/:/bin/false::
sue@example.com::510:510::/var/spool/vhosts/example.com/:/bin/false::
joe@secondexample.com::510:510::/var/spool/vhosts/spidertools.com/:/bin/false::

passdb
The passdb will include the users and their passwords.  You can see that virtual users must be indicated by username and the domain they have an account with. The password that was encrypted is then listed after their name.

tom@example.com:{HMAC-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6
sue@example.com:{HMAC-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6
joe@secondexample.com:{HMAC-MD5}e02d374fde0dc75a17a557039a3a5338c7743304777dccd376f332bee68d2cf6

Here is the configuration you must add to /etc/dovecot.conf in order to use CRAM-MD5 with the virtual accounts.

}

default_mail_env = maildir:/var/spool/vhosts/%d/%n
auth_mechanisms = plain DIGEST-MD5 CRAM-MD5
auth_verbose = yes
auth default {
mechanisms = plain cram-md5
passdb passwd-file {
args = /etc/dovecot/passdb
}
userdb static {
args = uid=virtual gid=virtual /etc/dovecot/userdb
}
}

Dovecot with PLAIN Authentication and SSL/TLS

Posted by Filed Under Dovecot with Comments Off

Authentication with Dovecot

PLAIN authentication has the advantage of being supported by all clients.  Certainly the disadvantage is that you have visible passwords on the wire, but that is easy to solve with SSL/TLS.  This means that it is easier to set up SSL/TLS  and PLAIN passwords than it is to fight the many hassles that come with other options.  Here are some links that show how to use SSL/TLS.

Introduction to SSL/TLS

Postfix and TLS

Testing SSL Connections with Dovecot

The major drawback of storing PLAIN passwords on the box is that if you have an attacker get access to those they will own your email.  The other side of this is that you are still in trouble if they have access to your box.  The imperative is that setting up a mail server is not just about Postfix of Dovecot it is also about security that serves to protect your system as a whole including firewalls, policies, permissions, processes, etc.

Using Dovecot with Multiple Domains

Posted by Filed Under Dovecot with 2 Comments

See Dovecot installation below for details on how to set up Dovecot.  In this section, the focus will be on creating passwords for users on multiple domains with Dovecot.

Edit your /etc/dovecot.conf file to reflect these changes

}

default_mail_env = maildir:/var/spool/vhosts/%d/%n
auth_mechanisms = plain DIGEST-MD5 CRAM-MD5
auth_verbose = yes
auth default {
mechanisms = plain
passdb passwd-file {
args = /etc/dovecot/passdb
}
userdb static {
args = uid=virtual gid=virtual /etc/dovecot/userdb
}
}

The first line will define the maildir format and show dovecot where the users are located.  The %d represents the domain and the %n represents the username.  So if you have two domains called example.com and myexample.com with two users called tom and joe it would look like this:

/var/spool/vhosts/example.com/tom/new
cur
tmp
/var/spool/vhosts/myexample.com/joe/new
cur
tmp

Note that each user must have these three directories created, new, cur, and tmp.

The auth_mechanisms shows which methods for authentication will be used.  The next two lines represent the user database and the user password database for the virtual domains.
User Database
The /etc/dovecot/userdb is a file that will contain the users for the virtual domains.  These users will not be able to login to the server itself.  They will only be able to retrieve mail.  The format of the file is:

tom@example.com::1000:1000::/var/spool/vhosts/example.com/:/bin/false::
joe@myexample.com::1000:1000::/var/spool/vhosts/myexample.com/:/bin/false::

Note that in this example the user and group virtual were created above with the uid and gid of 1000 so that that user may read the mail for the users to have access.

Password Database
The password database is a file /etc/dovecot/passdb that will include the encrypted passwords of each user on the virtual hosts.  You may use the utility that is available with dovecot for creating passwords called dovecotpw.  SSHA is a strong scheme that is easy to use.  Note that each time you create a password it uses random salts to create a unique SSHA hash so that creating the same password twice will have different answers.

# dovecotpw -s ssha
Enter new password:
Retype new password:
{SSHA}9ivQ2nS4Ri9PZMNrZLs0a15weuD8Q/6s

Now the passwd file entry will look like this:
mike:{SSHA}9ivQ2nS4Ri9PZMNrZLs0a15weuD8Q/6s

The password that you used to create the encryption would be what the user will use.

Another way of creating these passwords is to use the utility mkpasswd.  mkpasswd is a script written by  Aaron Sherman in 1995 which creates encrypted passwords.  You may download this file from a number of locations on the Internet.  Save the script to the /root directory and chmod 755 so it will execute.
You will need to put a “./” before the utility to get it to execute.  In the example it is creating a password for the term mynewpassword.  This text then can be added to the database.

# ./mkpasswd mynewpassword
mynewpassword : o8J38mzOgsS7E

Here md5 encryption is added with the -5 option.  Note the password is now much longer.
# ./mkpasswd -5 mynewpassword
mynewpassword : $1$r6NIrFZ9$n12Hx7Z3BnjwgtkFAatCQ/

Here is the database format for /etc/dovecot/passdb.

joe@example.com:o8J38mzOgsS7E
Be sure to chmod 640 the /etc/dovecot/passdb file.

Here is a reference to the help file for mkpasswd:
# ./mkpasswd –help
Usage:
mkpasswd [-5Pdhqrv] [-s|--salt STRING] [-w|--wordlist FILE] [-n|--number N]
[-p|--pattern STRING] [-X|--max-password-length N]

options:

-h|-?|–help         Print summary help
–man                Show manual
-v|–verbose         Verbose output
-d|–debug           Debugging mode
-q|–quiet           Suppress excess output
-r|–random          Choose a random pattern
-s|–salt STRING     Use STRING as the salt for on-way encryption
-w|–wordlist FILE   Use FILE as the source for randomly chosen words
-n|–number N        Produce N passwords
-p|–pattern STRING  Use STRING as the password pattern
-C|–ciphertext      Don’t produce the plain text password
-N|–non-words       Discard results that are words (combinations)
-P|–plaintext       Don’t produce the encrypted password
-R|–extra-random    Re-seed RNG from entropy pool constantly
-U|–unix-crypt      Turn off MD5 (this is the default)
-X|–max-password-length N
Produce passwords no more than N characters long
-5|–md5-format      Use MD5 password encryption
–extra-long         Allow extra-long random patterns
–punctuation STR    Use STR as the valid punctuation
–punctuation add:STR        Add STR to the punctuation list
–strict             Strict mode (same as -rR5 plus harder patt

Testing SSL Connections With Dovecot

Posted by Filed Under Dovecot with Comments Off

Testing the SSL Connections
# openssl s_client -connect localhost:993
CONNECTED(00000003)
depth=0 /OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
verify return:1

Certificate chain
0 s:/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
i:/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com

Server certificate
—–BEGIN CERTIFICATE—–
MIICQzCCAaygAwIBAgIJAPTV7oRo6JRMMA0GCSqGSIb3DQEBBQUAMFgxFDASBgNV
BAsTC0lNQVAgc2VydmVyMRkwFwYDVQQDExBpbWFwLmV4YW1wbGUuY29tMSUwIwYJ
KoZIhvcNAQkBFhZwb3N0bWFzdGVyQGV4YW1wbGUuY29tMB4XDTA3MDcwMjAxMzYy
N1oXDTA4MDcwMTAxMzYyN1owWDEUMBIGA1UECxMLSU1BUCBzZXJ2ZXIxGTAXBgNV
BAMTEGltYXAuZXhhbXBsZS5jb20xJTAjBgkqhkiG9w0BCQEWFnBvc3RtYXN0ZXJA
ZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJLttD7lNlyk
4IqT+39jJ8AUFDzFiGSjUzJN+dHwMtSOXIfdI/2wJ9zRA/ams6R5vYoM8xaRvQA1
sS+nqjKwDzv0gXJbadCNlCoanR8wdoYHD0CCTJUuthE4m5dJxWHDLPaISKBjercd
sYV2+kH03Jvi/ss0yytX1V+kPNmotm3ZAgMBAAGjFTATMBEGCWCGSAGG+EIBAQQE
AwIGQDANBgkqhkiG9w0BAQUFAAOBgQAzT9mEBKkpJskrT1siKqbEdTpksD9dOZPs
x67CoEY5zDn4u2dcaDnzP50c5THzkLU+ubB+a+F70pqhiufFG8gVB6xswEfe7MBi
TYX03DHK0dx4aL22r1P/5Ayu9VdI19Cayj/ZRZ5HzAJUcU+MHep/tDrlNTXkNwyB
FHaZ3rTsMQ==
—–END CERTIFICATE—–
subject=/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
issuer=/OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com

No client certificate CA names sent

SSL handshake has read 1147 bytes and written 340 bytes

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher    : DHE-RSA-AES256-SHA
Session-ID: 6828F13357DE7E3F7D488E28ED371724E57E8E645ECD6913ED00F0BAAD32C336
Session-ID-ctx:
Master-Key: 38DE76160DB9306EC347DB9047D9CA67E2CF507A1B0893E34991C0622EA633F873B5FCB6AE6A054A9702266FA7F13FD0
Key-Arg   : None
Krb5 Principal: None
Start Time: 1190798551
Timeout   : 300 (sec)
Verify return code: 18 (self signed certificate)

OK Dovecot ready.

Creating Keys for Dovecot

Posted by Filed Under Dovecot with Comments Off

Creating a Keys
First edit the file /etc/pki/dovecot-openssl.cnf.  In this file create all of the settings for your site.  Now move into  the /usr/share/doc/dovecot-1.0/examples folder and you will see an executable called mkcert.sh.  Run that executable to create the necessary keys.
./mkcert.sh
Copy the keys to the correct location, deleting the default keys.

cp dovecot.pem  /etc/pki/dovecot/certs
cp dovecot.pem  /etc/pki/dovecot/private

chmod 600  /etc/pki/dovecot/certs
chmod 600  /etc/pki/dovecot/private
Restart Dovecot and Postfix.

Creating a Private Key – Second Method
Move into the /etc/pki/tls/certs directory and run the command below.  You will be asked to provide information about the location and name of your company as well as contacts.  This private key can be used to create a self-signed certificate.  The certificate functions much like a public key.
# make dovecot.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req  -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 >  dovecot.pem ; \
echo “”    >> dovecot.pem ; \
cat $PEM2 >> dovecot.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
……..++++++
…………………………++++++
writing new private key to ‘/tmp/openssl.pM9442′
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Montana
Locality Name (eg, city) [Newbury]:Trout Creek
Organization Name (eg, company) [My Company Ltd]:My Company
Organizational Unit Name (eg, section) []:Sales
Common Name (eg, your name or your server’s hostname) []:mail
Email Address []:mike@somewhere.com

Postfix and TLS

Posted by Filed Under Dovecot with Comments Off

Check for TLS Support in Postfix
By running this command you can verify that TLS is supported by your version of Postfix.  Each of these parameters should exist.

# postconf -d | grep tls
lmtp_enforce_tls = no
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_starttls_timeout = 300s
lmtp_tls_CAfile =
lmtp_tls_CApath =
lmtp_tls_cert_file =
lmtp_tls_dcert_file =
lmtp_tls_dkey_file = $lmtp_tls_dcert_file
lmtp_tls_enforce_peername = yes
lmtp_tls_exclude_ciphers =
lmtp_tls_key_file = $lmtp_tls_cert_file
lmtp_tls_loglevel = 0
lmtp_tls_mandatory_ciphers = medium
lmtp_tls_mandatory_exclude_ciphers =
lmtp_tls_mandatory_protocols = SSLv3, TLSv1
lmtp_tls_note_starttls_offer = no
lmtp_tls_per_site =
lmtp_tls_policy_maps =
lmtp_tls_scert_verifydepth = 5
lmtp_tls_secure_cert_match = nexthop
lmtp_tls_security_level =
lmtp_tls_session_cache_database =
lmtp_tls_session_cache_timeout = 3600s
lmtp_tls_verify_cert_match = hostname
lmtp_use_tls = no
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
smtp_enforce_tls = no
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_starttls_timeout = 300s
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers =
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_note_starttls_offer = no
smtp_tls_per_site =
smtp_tls_policy_maps =
smtp_tls_scert_verifydepth = 5
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level =
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname
smtp_use_tls = no
smtpd_client_new_tls_session_rate_limit = 0
smtpd_enforce_tls = no
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_starttls_timeout = 300s
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_cert_file =
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_exclude_ciphers =
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level =
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_tls = no
tls_daemon_random_bytes = 32
tls_export_cipherlist = ALL:+RC4:@STRENGTH
tls_high_cipherlist = !EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH
tls_low_cipherlist = !EXPORT:ALL:+RC4:@STRENGTH
tls_medium_cipherlist = !EXPORT:!LOW:ALL:+RC4:@STRENGTH
tls_null_cipherlist = !aNULL:eNULL+kRSA
tls_random_bytes = 32
tls_random_exchange_name = ${config_directory}/prng_exch
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom

Once you have verified this information edit the main.cf file and add these lines:
smtpd_tls_cert_file=/etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file=/etc/pki/dovecot/private/dovecot.pem
smtpd_use_tls=yes

Note that the keys have been developed with the default location for Dovecot and the name  of dovecot.pem.  The important point is that the location be exactly the same for Postfix and Dovecot.  That is all you need to do for Postfix.  Reload Postfix.

By using the netstat command you will be able to verify the listening ports that dovecot is using.

Introduction to TLS and SSL

Posted by Filed Under Dovecot with 1 Comment

TLS or Transport Layer Security is a protocol that is encrypted and is a close relative of SSL.  Actually TLS has developed from SSL and has backward compatibility.  SSL, Secure Sockets Layer, is a protocol or language that is used to encrypt communication between clients and servers. This type of communication is necessary when transporting sensitive information like credit card processing.   The OpenSSL project, http://openssl.org  is an organization working to develop a cryptography library based on SSL v2/v3 and TLS v1.

What the Process of TLS or SSL Provides
1. TLS and SSL Provides – Authentication – the SSL server authentication allows a user to verify the server identity. The use of public-key cryptology allows a client to verify that the server has a valid certificate and public ID and that it has been issued a certificate of authority (CA). The client can hold a list of trusted CAs.
2. TLS  and SSL Provides Verification of the User - the user is verified in the process in the same way as the server and using the same methods as the server verification.
3. TLS and SSL Provides Encryption – the entire communication between the client and the server is encrypted.

Installation of TLS or SSL Communication
At times it is important to encrypt the communication between the server and the client in order to protect the data that is being transferred. SSL, Secure Socket Layer ins enabled on Apache using the mod_ssl module. Once SSL has been enabled on Apache secure communication will occur over port 443 using the https:// in the browser.   Note this is encrypted communication based on the 443 port where TLS is encrypted communication based on port 993.  The focus at this point is creating encryption for Dovecot so the TLS application will be described not the implementation of SSL for port 443.

« Older Entries