Using Dovecot with Multiple Domains

December 10, 2008 Dovecot

See Dovecot installation below for details on how to set up Dovecot.  In this section, the focus will be on creating passwords for users on multiple domains with Dovecot.

Edit your /etc/dovecot.conf file to reflect these changes:

default_mail_env = maildir:/var/spool/vhosts/%d/%n
auth_mechanisms = plain DIGEST-MD5 CRAM-MD5
auth_verbose = yes
auth default {
  mechanisms = plain
  passdb passwd-file {
    args = /etc/dovecot/passdb
  }
  userdb static {
    args = uid=virtual gid=virtual /etc/dovecot/userdb
  }
}

The first line defines the maildir format and tells Dovecot where each user's mailbox is located.  The %d represents the domain and the %n represents the username.  So if you have two domains called example.com and myexample.com with two users called tom and joe, the directory layout would look like this:

/var/spool/vhosts/example.com/tom/new
/var/spool/vhosts/example.com/tom/cur
/var/spool/vhosts/example.com/tom/tmp
/var/spool/vhosts/myexample.com/joe/new
/var/spool/vhosts/myexample.com/joe/cur
/var/spool/vhosts/myexample.com/joe/tmp

Note that each user must have these three directories created, new, cur, and tmp.

The auth_mechanisms setting lists which authentication methods will be offered.  The passdb and userdb lines that follow point at the password database and the user database for the virtual domains.

User Database

The file /etc/dovecot/userdb contains the users for the virtual domains.  These users will not be able to log in to the server itself; they will only be able to retrieve mail.  The format of the file is:

tom@example.com::1000:1000::/var/spool/vhosts/example.com/:/bin/false::
joe@myexample.com::1000:1000::/var/spool/vhosts/myexample.com/:/bin/false::

Note that in this example the user and group virtual were created earlier with uid and gid 1000, so that this single system account owns and can read the mailboxes of all the virtual users.

Password Database

The password database is the file /etc/dovecot/passdb, which holds the hashed password of each user on the virtual hosts.  You may use the dovecotpw utility that ships with Dovecot to create these hashes.  SSHA is a strong scheme that is easy to use.  Note that each time you create a password a random salt is used to produce a unique SSHA hash, so hashing the same password twice gives different results.

# dovecotpw -s ssha
Enter new password:
Retype new password:
{SSHA}9ivQ2nS4Ri9PZMNrZLs0a15weuD8Q/6s

Now the /etc/dovecot/passdb entry will look like this:

mike:{SSHA}9ivQ2nS4Ri9PZMNrZLs0a15weuD8Q/6s

The password you typed at the dovecotpw prompt is the one the user will log in with.
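As an added example, not code from the original article or from Dovecot, here is what dovecotpw -s ssha produces and what Dovecot checks at login: base64 of the SHA-1 digest of password||salt followed by the 4-byte salt, plus helpers that emit lines in the passdb and userdb formats shown above. The user names are the article's; the passwords and the fixed salt used in testing are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 4  # dovecotpw 1.x appends a 4-byte salt: 20-byte digest + 4 = 24 bytes = 32 base64 chars


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a Dovecot-style {SSHA} string: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh salt per call, so the same password hashes differently
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored {SSHA}; the salt is read back from the blob's tail."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} entry")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def passdb_line(user: str, domain: str, password: str) -> str:
    """A passwd-file line for /etc/dovecot/passdb, keyed by user@domain."""
    return f"{user}@{domain}:{ssha_hash(password)}"


def userdb_line(user: str, domain: str, uid: int = 1000, gid: int = 1000) -> str:
    """A line in the /etc/dovecot/userdb format from the article (home under the domain's vhost dir)."""
    return f"{user}@{domain}::{uid}:{gid}::/var/spool/vhosts/{domain}/:/bin/false::"


def check_passdb(passdb_text: str, login: str, candidate: str) -> bool:
    """Look a login up in passwd-file text and verify the candidate against its hash."""
    for line in passdb_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, hashed = line.partition(":")
        if name == login:
            return ssha_verify(hashed, candidate)
    return False  # unknown user: same answer as a wrong password


if __name__ == "__main__":  # constructed sample: the article's users with a made-up password
    db = "\n".join(passdb_line(u, d, "mynewpassword") for u, d in [("tom", "example.com"), ("joe", "myexample.com")])
    print(db, check_passdb(db, "tom@example.com", "mynewpassword"))  # hashes differ per run; check prints True
```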

Another way of creating these passwords is to use the utility mkpasswd.  mkpasswd is a script written by Aaron Sherman in 1995 which creates encrypted passwords.  You may download this file from a number of locations on the Internet.  Save the script to the /root directory and chmod 755 it so it will execute.
You will need to put a “./” before the utility to get it to execute.  In the example below it hashes the password mynewpassword; the resulting text can then be added to the database.

# ./mkpasswd mynewpassword
mynewpassword : o8J38mzOgsS7E

Here the MD5 format is selected with the -5 option.  Note that the hash is now much longer.

# ./mkpasswd -5 mynewpassword
mynewpassword : $1$r6NIrFZ9$n12Hx7Z3BnjwgtkFAatCQ/

Here is the database format for /etc/dovecot/passdb.

joe@example.com:o8J38mzOgsS7E

Be sure to chmod 640 the /etc/dovecot/passdb file.

Here is a reference to the help file for mkpasswd:

# ./mkpasswd --help
Usage:
mkpasswd [-5Pdhqrv] [-s|--salt STRING] [-w|--wordlist FILE] [-n|--number N]
         [-p|--pattern STRING] [-X|--max-password-length N]

options:

-h|-?|--help         Print summary help
--man                Show manual
-v|--verbose         Verbose output
-d|--debug           Debugging mode
-q|--quiet           Suppress excess output
-r|--random          Choose a random pattern
-s|--salt STRING     Use STRING as the salt for on-way encryption
-w|--wordlist FILE   Use FILE as the source for randomly chosen words
-n|--number N        Produce N passwords
-p|--pattern STRING  Use STRING as the password pattern
-C|--ciphertext      Don't produce the plain text password
-N|--non-words       Discard results that are words (combinations)
-P|--plaintext       Don't produce the encrypted password
-R|--extra-random    Re-seed RNG from entropy pool constantly
-U|--unix-crypt      Turn off MD5 (this is the default)
-X|--max-password-length N
                     Produce passwords no more than N characters long
-5|--md5-format      Use MD5 password encryption
--extra-long         Allow extra-long random patterns
--punctuation STR    Use STR as the valid punctuation
--punctuation add:STR        Add STR to the punctuation list
--strict             Strict mode (same as -rR5 plus harder patt


Comments (2)


  1. Guus says:

    Hi Mike,

    I’m struggling with Dovecot getting it reading the PostfixAdmin written passwords.
    I’ve tried PLAIN, MD5 etc. but nothing works. The Postfix MySQL database is written by PostfixAdmin and contains MD5 encrypted passwords, but Dovecot can’t decrypt them.
    If I try different encryptions, I just get ‘imap-login: Internal login failure’ or ‘imap-login: Aborted login’.

    Any help is appreciated.

    regards,
    Guus

  2. mike says:

    Are these local users or virtual, and are you using IMAP or IMAPS?