Mail Server – Part 3 – Dovecot
This is the third part of the process of building a mail server on CentOS 8. If you landed here by accident, you should first read the previous publications:
Part 1 – Package Installation
Part 2 – Configure MariaDB
Dovecot is an MDA (Mail Delivery Agent), meaning an agent that transports messages from Postfix into the virtual mailboxes. In this section we will configure the Dovecot installation to force users to use SSL when they connect, so that passwords are never sent in plain text.
I always like to keep the original files of any configuration in case I get lost while changing settings. This step is not needed if you are following this tutorial from the start; however, if you already have a previous configuration and are just improving it, I strongly suggest you make copies of your files.
In our case, the configuration files are in /etc/dovecot/conf.d/. We can make copies with the command:
$ sudo cp -R /etc/dovecot/conf.d /etc/dovecot/conf.d.orig
Creating user
Dovecot stores messages (and all your content) in a directory defined in the configuration file, and for it to do that it must run under a user with the appropriate permissions. The following commands create this user and group. I will use a common naming convention that makes it easy to search for solutions to problems on the internet.
$ sudo groupadd -g 5000 vmail
$ sudo adduser -g 5000 -G mail -u 5000 -d /var/mail vmail
Editing configuration Files
The first thing we configure is authentication. Since we use a table in the MariaDB database to store users and passwords, we point this out in two files: the first sets the authentication type and the second sets how Dovecot will validate the credentials.
Edit the file /etc/dovecot/conf.d/10-auth.conf and uncomment (or add) the lines below:
$ sudo vim /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-system.conf.ext
!include auth-sql.conf.ext
Next, edit the file /etc/dovecot/conf.d/auth-sql.conf.ext so that it has the following lines:
$ sudo vim /etc/dovecot/conf.d/auth-sql.conf.ext
# /etc/dovecot/conf.d/auth-sql.conf.ext
passdb {
driver = sql
args = /etc/dovecot/dovecot-mysql.conf.ext
}
userdb {
driver = sql
args = /etc/dovecot/dovecot-mysql.conf.ext
}
We must also set up the connection to MariaDB through the file /etc/dovecot/dovecot-mysql.conf.ext (the file referenced by the args lines above). This file is not created by the installation, so we create it:
$ sudo vim /etc/dovecot/dovecot-mysql.conf.ext
driver = mysql
connect = host=localhost dbname=mypostfixdb user=mypostfixdbuser password=mypostfixdbuser_password
default_pass_scheme = SHA512-CRYPT
# following should all be on one line.
password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home, concat('maildir:/home/vmail/', maildir) as userdb_mail, 'vmail' as userdb_uid, 'mail' as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
# following should all be on one line
user_query = SELECT concat('maildir:/home/vmail/', maildir) as mail, CONCAT('*:messages=10000:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active = '1'
NOTE: Use the same connection data (host, database name, user and password) that you used in the step where you configured the database in MariaDB. Also note that the queries above place the mailboxes under /home/vmail/, while the vmail user created earlier has its home directory at /var/mail; whichever directory you use must exist and be writable by the vmail user, so create it (or adjust the paths) before testing delivery.
We will make several changes to Dovecot's main configuration file, 10-master.conf. The number at the front of the file name indicates the load order (priority). You can use any editor of your choice; I like Vim because I am used to its commands, but nothing prevents you from using nano, for example.
$ sudo vim /etc/dovecot/conf.d/10-master.conf
To improve the security of the server and reduce the attack surface, we will disable unencrypted access. To do so, we set the port attribute to 0 in the imap and pop3 listeners; only imaps and pop3s will be available. They need an SSL key, which we will create further ahead.
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
Also change the following settings:
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
#############################
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
  # Auth process is run as this user.
  user = dovecot
}
service auth-worker {
  user = vmail
}
SSL Certificate
In order to use the encryption required both for user authentication when accessing a mailbox and to ensure that Postfixadmin and RoundCube run over secure connections, we must create valid SSL keys. At this point we will do the configuration with the self-signed key that is created during the Dovecot installation. This key cannot be used to validate the secure connection in a browser. Later we will change this setting to use an SSL key obtained from Certbot (Let's Encrypt) in conjunction with Nginx and DNS settings.
If you are following the steps of this tutorial, you do not need to change anything in the file /etc/dovecot/conf.d/10-ssl.conf, which should contain the following lines:
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
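As an added check that is not part of the tutorial, the script below reads a Dovecot configuration dump (for example the output of doveconf -n) and verifies the settings from 10-auth.conf, 10-master.conf and 10-ssl.conf above: plaintext authentication disabled, ssl = required, and the plaintext imap/pop3 listeners switched off with port = 0. The sample dumps inside it are constructed for the demonstration, not captured from a server.

```sh
# Added check, not from the tutorial: verify that a Dovecot config dump
# (for example `doveconf -n > dump.txt`) enforces disable_plaintext_auth = yes,
# ssl = required, and port = 0 on the plaintext imap/pop3 inet_listeners.
check_dovecot_hardening() {          # usage: check_dovecot_hardening [FILE]
    awk '
    { line = $0; sub(/#.*$/, "", line)                  # strip comments/blanks
      sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line)
      if (line == "") next }
    substr(line, length(line)) == "{" {                  # block opens: push name
      line = substr(line, 1, length(line) - 1); sub(/[[:space:]]+$/, "", line)
      stack[++depth] = line; next }
    line == "}" { depth--; next }                        # block closes
    { eq = index(line, "="); if (eq == 0) next
      key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
      gsub(/[[:space:]]/, "", key); sub(/^[[:space:]]+/, "", val)
      ctx = (depth > 0) ? stack[depth] : ""              # innermost block
      if (key == "disable_plaintext_auth" && val == "yes") plain_off = 1
      if (key == "ssl" && val == "required" && depth == 0) ssl_req = 1
      if (key == "port" && ctx == "inet_listener imap") imap_port = val
      if (key == "port" && ctx == "inet_listener pop3") pop3_port = val }
    END {
      rc = 0
      if (!plain_off)       { print "FAIL: disable_plaintext_auth is not yes"; rc = 1 }
      if (!ssl_req)         { print "FAIL: ssl is not required"; rc = 1 }
      if (imap_port != "0") { print "FAIL: plaintext imap listener still enabled"; rc = 1 }
      if (pop3_port != "0") { print "FAIL: plaintext pop3 listener still enabled"; rc = 1 }
      exit rc }' "${1:--}"
}
# Constructed sample dump (not real server output) matching the settings above.
hardened_sample() {
    cat <<'EOF'
disable_plaintext_auth = yes
ssl = required
service imap-login {
  inet_listener imap {
    port = 0
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
}
EOF
}
# The same dump with the stock plaintext listeners left enabled.
weak_sample() { hardened_sample | sed 's/port = 0/port = 143/'; }
hardened_sample | check_dovecot_hardening && echo "hardened sample: OK"
weak_sample | check_dovecot_hardening || echo "weak sample rejected, as expected"
```

Run it against your own dump with check_dovecot_hardening dump.txt; a non-zero exit status means one of the settings from this part has been lost.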
If the files do not exist, or if you want to recreate them (required if you changed the hostname, for example), do the following: edit the file /etc/pki/dovecot/dovecot-openssl.cnf and change the entries according to your information. Note that default_bits = 1024, the value shipped in this file and used in the sample output below, is weak by today's standards; 2048 or more is the usual minimum for a certificate you intend to keep.
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
# country (2 letter code)
C=BR
# State or Province Name (full name)
ST=SAO PAULO
# Locality Name (eg. city)
L=SAO PAULO
# Organization (eg. company)
O=MRE Development
# Organizational Unit Name (eg. section)
OU=IMAP Server
# Common Name (*.example.com is also possible)
CN=mail.meudominio.com.br
# E-mail contact
emailAddress=postmaster@meudominio.com.br
[ cert_type ]
nsCertType = server
After you have changed the file, delete /etc/pki/dovecot/certs/dovecot.pem and /etc/pki/dovecot/private/dovecot.pem if they already exist and then run the script mkcert.sh:
$ sudo rm -f /etc/pki/dovecot/certs/dovecot.pem /etc/pki/dovecot/private/dovecot.pem
$ sudo /usr/libexec/dovecot/mkcert.sh
The output of the script should be something like this:
Generating a 1024 bit RSA private key
............++++++
........++++++
writing new private key to '/etc/pki/dovecot/private/dovecot.pem'
-----
subject= /C=BR/ST=SAO PAULO/L=SAO PAULO/O=MRE Development/OU=IMAP server/CN=mail.meudominio.com.br/emailAddress=postmaster@meudominio.com.br
SHA1 Fingerprint=FA:86:97:8F:52:06:04:71:BA:DC:07:BA:33:6A:9B:3F:8A:EE:ED:C5
Another setting in the file /etc/dovecot/conf.d/10-ssl.conf related to encryption is the optional attribute ssl_dh. Add or uncomment the line:
ssl_dh = </etc/dovecot/dh.pem
and run the following command to generate the .pem file. Attention: the command below usually takes a long time, sometimes close to an hour. There is also a command that generates the same file much faster.
$ sudo openssl dhparam -out /etc/dovecot/dh.pem
If you prefer the quick mode, the command is the following. It reuses the parameters that an earlier Dovecot version generated in /var/lib/dovecot/ssl-parameters.dat, so it only works if that file exists:
$ sudo dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | sudo openssl dhparam -inform der | sudo tee /etc/dovecot/dh.pem >/dev/null
Log file
By default Dovecot uses the CentOS syslog mechanism, which usually sends the information to /var/log/messages. Since later I will show you how to block several kinds of attack attempts, one of them using Fail2ban, which works by analysing logs, it is better to define a dedicated log file so that we do not have to monitor a file that changes constantly.
To define a dedicated log file, open the Dovecot logging configuration /etc/dovecot/conf.d/10-logging.conf and change or add the following lines. The auth_verbose_passwords = sha1:8 setting logs only the first 8 hex characters of the SHA1 of the password that was tried, enough to tell repeated attempts apart without writing the password itself to the log.
log_path = /var/log/dovecot.log
auth_verbose = yes
auth_verbose_passwords = sha1:8
Save the file and restart the service:
$ sudo systemctl restart dovecot
Make sure the file /var/log/dovecot.log has been created and contains information indicating that the service is operating normally:
$ sudo tail /var/log/dovecot.log
Apr 24 22:45:58 master: Info: Dovecot v2.2.36 (1f10bfa63) starting up for imap, pop3, lmtp (core dumps disabled)
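As an added example, not from the tutorial, the script below summarises failed logins per client address from the dedicated log file, which is the same signal Fail2ban will act on later. Dovecot's login processes log "Disconnected (auth failed, N attempts ...)" lines with the client address in rip=; the log lines embedded in the script are constructed in that format, not captured from a real server.

```sh
# Added example, not from the tutorial: sum failed authentication attempts per
# client IP from /var/log/dovecot.log and report addresses at or above THRESHOLD.
report_failed_logins() {             # usage: report_failed_logins THRESHOLD [FILE]
    awk -v thr="$1" '
    /-login: Info: Disconnected \(auth failed, / {
        match($0, /auth failed, [0-9]+ attempts/)
        split(substr($0, RSTART, RLENGTH), f, " ")       # f[3] is the attempt count
        match($0, /rip=[^,]+/)
        ip = substr($0, RSTART + 4, RLENGTH - 4)         # remote IP of the client
        fails[ip] += f[3]; sessions[ip]++
    }
    END {
        for (ip in fails)
            if (fails[ip] >= thr)
                printf "%s failed=%d sessions=%d\n", ip, fails[ip], sessions[ip]
    }' "${2:--}" | sort
}
# Constructed log lines in Dovecot's format (not captured from a real server).
sample_log() {
    cat <<'EOF'
Apr 24 22:45:58 master: Info: Dovecot v2.2.36 (1f10bfa63) starting up for imap, pop3, lmtp (core dumps disabled)
Apr 24 22:46:10 auth: Info: sql(alice@example.com,203.0.113.5,<s1>): Password mismatch (given password: sha1:7c4a8d09)
Apr 24 22:46:12 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.10, TLS, session=<s1>
Apr 24 22:46:20 imap-login: Info: Disconnected (auth failed, 3 attempts in 8 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.10, TLS, session=<s2>
Apr 24 22:46:31 pop3-login: Info: Disconnected (auth failed, 1 attempts in 1 secs): user=<carol@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.10, TLS, session=<s3>
Apr 24 22:47:02 imap-login: Info: Disconnected (auth failed, 1 attempts in 3 secs): user=<dave@example.com>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.10, TLS, session=<s4>
Apr 24 22:47:09 imap-login: Info: Login: user=<dave@example.com>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.10, mpid=6001, TLS, session=<s5>
EOF
}
sample_log | report_failed_logins 3   # prints: 203.0.113.5 failed=5 sessions=3
```

On the server, report_failed_logins 5 /var/log/dovecot.log gives the same view over the real log; the single failure from 192.0.2.20 followed by a successful login is the normal typo pattern that a threshold is meant to ignore.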
Firewall rules
If you are following this tutorial from the start on a default installation, the connection ports are probably closed to the outside world. The commands below open the imaps (993) and pop3s (995) ports so that you can connect an email client like Outlook or Gmail. Even if they are already open, in a later publication I will show you a list of firewall rules to improve security.
First make sure the firewalld service is running. If it is stopped, all ports that have a listening service are probably open.
$ sudo systemctl status firewalld
Check the Active line, which can read active (running) or inactive (dead). If it is inactive, there is no need to continue. If it is active, we list which services are open externally:
$ sudo firewall-cmd --list-services
ssh dhcpv6-client
In the example above, only dhcpv6-client and ssh are allowed. We then add the services required to receive and send e-mail externally:
$ sudo firewall-cmd --add-service=pop3s --permanent
success
$ sudo firewall-cmd --add-service=imaps --permanent
success
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --list-services
ssh dhcpv6-client imaps pop3s
As you can see in the example, we added the imaps and pop3s services, which are listened on by Dovecot. Later we will also add the smtp and submission ports, which are listened on by Postfix (master). Note that I do not open the insecure imap and pop3 ports because I want to force the use of SSL/TLS.
To make sure the ports are open, you can also try connecting with telnet to ports 993 and 995 from another system on the same network and verify that /var/log/dovecot.log shows the attempts. If you cannot run that test right now, check the output of the command below (netstat comes from the net-tools package, which is not installed by default on CentOS 8; ss -tap shows the same information):
$ sudo netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:sunrpc 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 2669/sshd
tcp 0 0 0.0.0.0:imaps 0.0.0.0:* LISTEN 5946/dovecot
tcp 0 0 0.0.0.0:pop3s 0.0.0.0:* LISTEN 5946/dovecot
tcp 0 0 mail.meudominio.com:ssh gateway:65257 ESTABLISHED 4631/sshd: myuser
And that's all for now. Next, we configure Postfix 3.