Dovecot
Contents
About
Thanks
Thanks to Thomas Leister for his great tutorial!
Thomas Leister - Mailserver on Debian Stretch
Lots of information was taken from and compared to Thomas' work.
DNS SRV Records
Follow DNS#SRV Mail
then bind9#Changing a dynamic zone with views
Installation
Install keyring
Adjust /etc/apt/sources.list.d/dovecot.list
Set preferences
Install Dovecot and its plugins
Please take a look at
Debian#unattended upgrades
Variables
There are several variables that can be used in the Dovecot configuration. Here is a link to the wiki from which I copied:
Dovecot Wiki Variables
You can use special variables in several places:
- mail_location setting and namespace locations
- static userdb and passwd-file userdb template strings
- LDAP and SQL userdb query strings
- log prefix for imap/pop3 process
- Plugin settings
The variables that work everywhere are:
Variable | Long name | Description
%% | | '%' character
%u | user | full username (e.g. user@domain)
%n | username | user part in user@domain, same as %u if there's no domain
%d | domain | domain part in user@domain, empty if there's no domain
%s | service | imap, pop3, smtp, deliver. (v1.0 uses uppercased IMAP and POP3)
%p | pid | PID of the current process (login or imap/pop3 process)
%l | lip | local IP address
%r | rip | remote IP address
These variables work almost everywhere else except in Dovecot-auth (userdb queries/templates):
Variable | Long name | Description
%h | home | home directory. Use of ~/ is better whenever possible.
%i | uid | UNIX UID of the user
These variables work only in Dovecot-auth:
Variable | Long name | Description
%w | password | plaintext password from plaintext authentication mechanism
%m | mech | authentication mechanism, e.g. PLAIN (v1.0.rc27+)
%a | lport | Local port (v1.1+)
%b | rport | Remote port (v1.1+)
%c | secured | "secured" string with SSL, TLS and localhost connections. Otherwise empty. (v1.0.rc27+)
%k | cert | "valid" if client had sent a valid client certificate, otherwise empty. (v1.2.alpha4+)
These variables work only in login_log_format_elements setting:
Variable | Long name | Description
%m | mech | authentication mechanism, e.g. PLAIN
%a | lport | Local port (v1.1+)
%b | rport | Remote port (v1.1+)
%c | secured | SSL, TLS or empty
%k | ssl_security | SSL protocol and cipher information, e.g. "TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)" (v1.1.3+)
%e | mail_pid | Mail process (imap/pop3) PID that handles the post-login connection (v1.2+)
Long variable names can be used with v1.2.alpha5+ like %{long_name} or with L modifier: %L{long_name}.
Modifiers
You can apply modifiers to each variable (e.g. %Ls = pop3):
- %L - lowercase
- %U - uppercase
- %E - escape '"', "'" and '\' characters by inserting '\' before them. Note that variables in SQL queries are automatically escaped, you don't need to use this modifier for them.
- %X - parse the variable as a base-10 number, and convert it to base-16 (hexadecimal)
- %R - reverse the string
- %H - take a 32bit hash of the variable and return it as hex. You can also limit the hash value. For example %256Hu gives values 0..ff. You might want padding also, so %2.256Hu gives 00..ff. This can be useful for example in dividing users automatically to multiple partitions.
- %H hash function is a bit bad if all the strings end with the same text, so if you're hashing usernames being in user@domain form, you probably want to reverse the username to get better hash value variety, e.g. %3RHu.
- %M - return the string's MD5 sum as hex.
- %D - return "sub.domain.org" as "sub,dc=domain,dc=org" (for LDAP queries)
- %T - Trim trailing whitespace (v1.1.rc6+)
You can take a substring of the variable by giving optional offset followed by '.' and width after the '%' character. For example %2u gives first two characters of the username. %2.1u gives third character of the username.
If the offset is negative, it counts from the end, for example %-2.2i gives the UID mod 100 (last two characters of the UID printed in a string). If a positive offset points outside the value, empty string is returned, if a negative offset does then the string is taken from the start.
If the width is prefixed with zero, the string isn't truncated, but only padded with '0' character if the string is shorter. For example %04i may return "0001", "1000" and "12345". %1.04i for the same string would return "001", "000" and "2345".
The modifiers are applied from left-to-right order, except the substring is always taken from the final string.
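As an added illustration (not from the Dovecot wiki or from this page), here is a small Python re-implementation of the expansion rules above: the [offset.]width substring syntax, zero-padding, and the L/U/E/X/R/T/D modifiers. The login context is constructed, the %H hash modifier is left out, and the substring behaviour follows the page's own examples rather than any claim about Dovecot's source.

```python
import re

# Constructed login context, standing in for what Dovecot knows about a session.
SAMPLE = {
    "u": "tobias_stein@rockstable.it",   # %u full username
    "n": "tobias_stein",                 # %n local part
    "d": "rockstable.it",                # %d domain part
    "s": "imap",                         # %s service
    "i": "12345",                        # %i UNIX UID (as a string)
}

# %[offset.]width[modifiers]variable: a lone number is the width ("%2u"),
# "offset.width" needs the dot ("%2.1u"), a width starting with 0 zero-pads.
TOKEN = re.compile(
    r"%(?:(?P<off>-?\d+)\.)?(?P<width>0?\d+)?(?P<mods>[LUEXRTD]*)(?P<var>%|[a-z])"
)


def apply_modifier(mod, value):
    """One modifier letter from the page's list, applied to the current value."""
    if mod == "L":
        return value.lower()
    if mod == "U":
        return value.upper()
    if mod == "E":                                   # backslash-escape " ' and \
        return re.sub(r"""(["'\\])""", r"\\\1", value)
    if mod == "X":                                   # base-10 -> base-16
        return format(int(value or "0"), "x")
    if mod == "R":
        return value[::-1]
    if mod == "T":
        return value.rstrip()
    if mod == "D":                                   # sub.domain.org -> sub,dc=domain,dc=org
        labels = value.split(".")
        return labels[0] + "".join(",dc=" + label for label in labels[1:])
    raise ValueError("unsupported modifier %" + mod)


def substring(value, off, width):
    """Substring and padding exactly as the page describes them:
    %2u -> first two chars, %2.1u -> third char, %-2.2i -> last two chars,
    %04i -> "0001" for "1" but "12345" untouched, %1.04i -> "001" for "1"."""
    if width is not None and width.startswith("0"):
        value = value.rjust(int(width), "0")          # pad, never truncate
        width = None
    if off is not None:
        off = int(off)
        if off < 0:
            value = value[max(len(value) + off, 0):]  # past the start -> whole string
        else:
            value = value[off:]                        # past the end -> ""
    if width is not None:
        value = value[:int(width)]
    return value


def var_expand(template, ctx):
    """Expand %-variables in a template; unknown variables expand to ""."""
    def repl(match):
        if match.group("var") == "%":
            return "%"
        value = ctx.get(match.group("var"), "")
        for mod in match.group("mods"):               # modifiers left to right ...
            value = apply_modifier(mod, value)
        # ... but the substring is always taken from the final string
        return substring(value, match.group("off"), match.group("width"))
    return TOKEN.sub(repl, template)


if __name__ == "__main__":
    for tmpl in ("%Ls", "%2u", "%2.1u", "%-2.2i", "%1.04i", "%Dd",
                 "maildir:/var/vmail/%d/%1n/%n"):
        print(tmpl, "->", var_expand(tmpl, SAMPLE))
```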
Mail location
Default encoding is modified UTF7 (mUTF-7), but may be changed with option :UTF-8
Please see IETF RFC3501 INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4 rev1
Can be configured in
/etc/dovecot/conf.d/10-mail.conf
##
## Mailbox locations and namespaces
##

# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
#   mail_location = maildir:~/Maildir
#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
#mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_location = maildir:~/Maildir
Namespaces, hierarchical mailboxes and usernames with dots
#WIP
You'll probably run into a problem if you combine
- multiple domains,
- usernames that therefore contain the DNS label delimiter . to stay distinct, and
- shared namespaces.
The Maildir hierarchy separator is set to ., which is the default
Hardcoded in src/lib-storage/list/mailbox-list-maildir.c
Possible solutions
- Avoid dots in your username: not really an option
- Use a single domain: not really an option
- Change all other separators:
maildir:LAYOUT=fs
NS->sep = °
- Smarter UserDB/PassDB: the path to the UserDB or PassDB contains %d, so the files hold only local parts, which must not contain dots.
- Add the replacement character for . to auth_username_chars:
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@,
and add a translation from . to e.g. ,:
auth_username_translation = .,
auth_username_translation
Default: <empty>
If set, performs username character translations before querying the auth database.
The value is a string formed of sets of from and to characters alternating. A value of #@/@ means that # and / will both be translated to the @ character.
In /etc/dovecot/conf.d/10-auth.conf
# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@,


# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =
auth_username_translation = .°
So your passwd and userdb have to list first_sname@domain°tld, because the translation also hits the dot in the domain part. How to map this to LDAP?
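Added example (not the page's or Dovecot's code): a Python sketch of what the two settings do to a login name, including the side effect just described, that the translation also replaces the dot in the domain. The allow-list is checked on the raw name and again on the translated one, so the page's advice to allow the replacement character holds whichever order the daemon applies them in; that order is this example's assumption, not a statement about Dovecot internals.

```python
# Default value of auth_username_chars as quoted on the page.
DEFAULT_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
)


def parse_translation(setting):
    """auth_username_translation: alternating from/to characters.
    "#@/@" maps both '#' and '/' to '@'; ".°" maps '.' to '°'."""
    if len(setting) % 2:
        raise ValueError("auth_username_translation needs from/to pairs: %r" % setting)
    return {setting[i]: setting[i + 1] for i in range(0, len(setting), 2)}


def normalize_login(username, allowed=DEFAULT_USERNAME_CHARS, translation=""):
    """Return the name that would reach the auth database, or None when the
    login must fail. The allow-list is the guard the 10-auth.conf comment
    describes (no quote characters reach SQL/LDAP queries); this sketch applies
    it before and after translation (order assumed, see lead-in)."""
    if allowed and any(c not in allowed for c in username):
        return None
    table = parse_translation(translation)
    translated = "".join(table.get(c, c) for c in username)
    if allowed and any(c not in allowed for c in translated):
        return None                       # replacement character not allowed
    local, _, domain = translated.partition("@")
    return {
        "u": translated,
        "n": local,
        "d": domain,
        # where the page's passwd-file driver (args = ... /etc/dovecot/private/%d/users)
        # would look for this user after translation
        "passdb": "/etc/dovecot/private/%d/users".replace("%d", domain),
    }


if __name__ == "__main__":
    print(normalize_login("tobias.stein@rockstable.it", DEFAULT_USERNAME_CHARS + "°", ".°"))
    print(normalize_login("tobias.stein@rockstable.it", DEFAULT_USERNAME_CHARS, ".°"))
```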
Separators
Defaults
auth_master_user_separator = *
recipient_delimiter = +
/etc/dovecot/conf.d/10-mail.conf
To avoid collisions, separators should not be listed in auth_username_chars.
Default: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
Choice of separators
^°!§%&=?;:#¹²³
Master-Config
Set some realistic default limits:
- process_limit = 2 * number of cores
- service_count = 1024 for the services imap, lmtp and pop3 to limit memory usage and contain possible memory leaks
- service_count = 1 for the login services to raise security
- process_min_avail = 1: minimum number of waiting login processes for imap and pop3 to reduce delay
/etc/dovecot/conf.d/10-master.conf
default_process_limit = 16
default_client_limit = 128

# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
default_vsz_limit = 256M

# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull

# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot

service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  service_count = 1

  # Number of processes to always keep waiting for more connections.
  process_min_avail = 2

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = $default_vsz_limit
}

service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  service_count = 1

  # Number of processes to always keep waiting for more connections.
  process_min_avail = 1

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = $default_vsz_limit
}

service lmtp {
  #vsz_limit = $default_vsz_limit
  process_limit = 4
  service_count = 1024
  process_min_avail = 1

  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    user = postfix
    group = postfix
    mode = 0600
  }

  # Create inet listener only if you can't use the above UNIX socket
  inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    address = 127.0.0.1
    port = 24
  }
}

service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = $default_vsz_limit

  # Max. number of IMAP processes (connections)
  #process_limit = 1024
  service_count = 1024
  process_min_avail = 1

}

service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
  #vsz_limit = $default_vsz_limit
  service_count = 1024
}

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    #mode = 0666
    #user =
    #group =
  }

  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}

  # Auth process is run as this user.
  #user = $default_internal_user
}

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  #user = root
}

service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user =
    #group =
  }
}
vmail setup
Create system group vmail
addgroup --system vmail
Create system user vmail
Adjust first_valid_uid and last_valid_uid to match exactly the user vmail in /etc/dovecot/conf.d/10-mail.conf
# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
#first_valid_uid = 500
#last_valid_uid = 0
first_valid_uid = 109
last_valid_uid = 109
Prepare filesystem
Change filesystem permissions on /var/vmail to give some privileges to the group "vmail".
Configure Dovecot
dovecot-auth
Dovecot should host a socket which the MTA can use for authentication. This socket should be located in the chroot directory of the Postfix services (queue_directory = /var/spool/postfix).
So here is an excerpt from /etc/dovecot/conf.d/10-master.conf
service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    #mode = 0666
    #user =
    #group =
  }

  ### POSTFIX SMTP-AUTH
  # SHOULD BE LOCATED IN POSTFIX's queue_directory (default: /var/spool/postfix)
  # TO MAKE SURE CHROOTED SERVICES CAN ACCESS THEM.
  unix_listener /var/spool/postfix/private/dovecot-auth {
    #mode = 0666 #default
    mode = 0660
    user = postfix
    group = postfix
  }

  # Auth process is run as this user.
  #user = $default_internal_user
}
So there are finally two sockets:
- one for dovecot-lda, doveadm, possibly imap, … at /run/dovecot/auth-userdb
- one for Postfix's purposes at /var/spool/postfix/private/dovecot-auth
Both should exist to ensure sane operation.
Create a userdb/passdb
In a simple vmail setup the authentication backend can be a passwd-file like this.
Passwd with domain
/etc/dovecot/private/users
### GENERIC USER TABLE
### SEE:
###   * https://wiki.dovecot.org/AuthDatabase/PasswdFile
###   * https://wiki.dovecot.org/Variables
### FORMAT:
###   user:password:uid:gid:(gecos):home:(shell):extra_fields

### FUNCTIONAL
### NETIQUETTE: https://tools.ietf.org/html/rfc2142
abuse@rockstable.it:{SSHA512}smGWyb1It8QL7egG7mKqvhSRPdIxtfz158/1MUs2lEkfmG8zX8niBAy92ZjPHSHUpw+rJnhTTLHp5dror2lmJ7CqSWU=::::::
hostmaster@rockstable.it:{SSHA512}AMuwUobg7SitDJg5XUyf1ef1oLGtrBFdxHYL3Jgl9DGmrAUVml2iBWd/gcwbaVEVx49WgN30mI0gy9xlody4//ZU6jk=::::::
noc@rockstable.it:{SSHA512}79ItZuJrSEG0O5EcEg9upK1bFvoMl0nekbxIhHijEFT4PIAtE5+Nx3wpHmsg61BIFmSl5Xqe3BMNB+iCUc0JljKJVFs=::::::
postmaster@rockstable.it:{SSHA512}0arTl9KDB6xgbk8SkA43zlmRMoGEEEH14TmpFID4rhY0eI31ZM4/LeDCIIxXWBkeHff97ckiuIIPXpyhQ0QvqxIG5EQ=::::::
security@rockstable.it:{SSHA512}HbiuNTykP6t9+o6dJZA6IlkTwS6W9XQTEARwsyNd4ZIU/l5fnkwWqyj7Xs0CffSG8Vzf5PqaFPaVmMNjOzmBXDYrG8g=::::::
webmaster@rockstable.it:{SSHA512}TdMXpIjB9yDu8tInu6W5/Rxqe9Z0HR8a+E0sY5lChF/ZeytXl/xkVcF4HcPbCl9mD/GcVixuCRSBGPdtSFYCZq6oyQk=::::::

### BUSINESS
accounting@rockstable.it:{SSHA512}+Pf5fUPHSBW2PpavpNjqZaUbwP6y9wLL/RTUaeKaesxhXbZOYQM76Q8l8LVnjdbBDzsdLo8cY9b/8AkZHIfzy30q434=::::::
contact@rockstable.it:{SSHA512}+Pf5fUPHSBW2PpavpNjqZaUbwP6y9wLL/RTUaeKaesxhXbZOYQM76Q8l8LVnjdbBDzsdLo8cY9b/8AkZHIfzy30q434=::::::
info@rockstable.it:{SSHA512}dCeSzjjCw7Tutt5wZ3jP6hJ2fX5q+0eRyrh1HD19z/nDMJ8bYiC9WSOdT3gtdpvY6hjxm2g4zxybxHJVYAw+biKLCO0=::::::
marketing@rockstable.it:{SSHA512}4omqL8SXFGgZ8laaxptkISopUu18JFsApfdkTm7/oqDQO7JxaI4wnbuiiRwHxfWScqgymH7j9InKsIzUxq04d2vcOJY=::::::
sales@rockstable.it:{SSHA512}xV18/qQr90wglpstabHcRegOkxZf56b7H+jFVbl9sd8QwFTg1XEm8uEgy9FACG3fbE9S2QCi1W3Y4Q+XmpFTRv7T9+s=::::::
support@rockstable.it:{SSHA512}6dE6fESM9SSg65ib8ZwewpcRcLkv74Jb1kVXuLIzcYIebKJ2Gq20UF8ISoNHbZTHDeUL+TG19GLqT7D7MhCx+uo6100=::::::

### PERSONAL
tobias_stein@rockstable.it:{SSHA512}tYldaJSyqrRfgsvBr35FN2jNWvan648hRVu55xpo4XZI3OpNzr7DaBDRoTLtpAAb5sqRdnbJPph8hPoK3QjJpQfs5uI=::::::
Filled up with various auto-generated salted hashes - don't waste GPU time cracking them.
Passwd without domain
/etc/dovecot/private/rockstable.it/users
### GENERIC USER TABLE
### SEE:
###   * https://wiki.dovecot.org/AuthDatabase/PasswdFile
###   * https://wiki.dovecot.org/Variables
### FORMAT:
###   user:password:uid:gid:(gecos):home:(shell):extra_fields

### FUNCTIONAL
### NETIQUETTE: https://tools.ietf.org/html/rfc2142
abuse:{SSHA512}smGWyb1It8QL7egG7mKqvhSRPdIxtfz158/1MUs2lEkfmG8zX8niBAy92ZjPHSHUpw+rJnhTTLHp5dror2lmJ7CqSWU=::::::
hostmaster:{SSHA512}AMuwUobg7SitDJg5XUyf1ef1oLGtrBFdxHYL3Jgl9DGmrAUVml2iBWd/gcwbaVEVx49WgN30mI0gy9xlody4//ZU6jk=::::::
noc:{SSHA512}79ItZuJrSEG0O5EcEg9upK1bFvoMl0nekbxIhHijEFT4PIAtE5+Nx3wpHmsg61BIFmSl5Xqe3BMNB+iCUc0JljKJVFs=::::::
postmaster:{SSHA512}0arTl9KDB6xgbk8SkA43zlmRMoGEEEH14TmpFID4rhY0eI31ZM4/LeDCIIxXWBkeHff97ckiuIIPXpyhQ0QvqxIG5EQ=::::::
security:{SSHA512}HbiuNTykP6t9+o6dJZA6IlkTwS6W9XQTEARwsyNd4ZIU/l5fnkwWqyj7Xs0CffSG8Vzf5PqaFPaVmMNjOzmBXDYrG8g=::::::
webmaster:{SSHA512}TdMXpIjB9yDu8tInu6W5/Rxqe9Z0HR8a+E0sY5lChF/ZeytXl/xkVcF4HcPbCl9mD/GcVixuCRSBGPdtSFYCZq6oyQk=::::::

### BUSINESS
accounting:{SSHA512}+Pf5fUPHSBW2PpavpNjqZaUbwP6y9wLL/RTUaeKaesxhXbZOYQM76Q8l8LVnjdbBDzsdLo8cY9b/8AkZHIfzy30q434=::::::
contact:{SSHA512}+Pf5fUPHSBW2PpavpNjqZaUbwP6y9wLL/RTUaeKaesxhXbZOYQM76Q8l8LVnjdbBDzsdLo8cY9b/8AkZHIfzy30q434=::::::
info:{SSHA512}dCeSzjjCw7Tutt5wZ3jP6hJ2fX5q+0eRyrh1HD19z/nDMJ8bYiC9WSOdT3gtdpvY6hjxm2g4zxybxHJVYAw+biKLCO0=::::::
marketing:{SSHA512}4omqL8SXFGgZ8laaxptkISopUu18JFsApfdkTm7/oqDQO7JxaI4wnbuiiRwHxfWScqgymH7j9InKsIzUxq04d2vcOJY=::::::
sales:{SSHA512}xV18/qQr90wglpstabHcRegOkxZf56b7H+jFVbl9sd8QwFTg1XEm8uEgy9FACG3fbE9S2QCi1W3Y4Q+XmpFTRv7T9+s=::::::
support:{SSHA512}6dE6fESM9SSg65ib8ZwewpcRcLkv74Jb1kVXuLIzcYIebKJ2Gq20UF8ISoNHbZTHDeUL+TG19GLqT7D7MhCx+uo6100=::::::

### PERSONAL
tobias_stein:{SSHA512}tYldaJSyqrRfgsvBr35FN2jNWvan648hRVu55xpo4XZI3OpNzr7DaBDRoTLtpAAb5sqRdnbJPph8hPoK3QjJpQfs5uI=::::::
Configure the passwd-file
Take care of ownership and permissions
Enable that userdb/passdb in the last lines of /etc/dovecot/conf.d/10-auth.conf
#!include auth-deny.conf.ext
#!include auth-master.conf.ext

#!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
Configure the passwd-file driver
Hint: /path/to/passwd.file must be the last argument in args = …!
/etc/dovecot/conf.d/auth-passwdfile.conf.ext
# Authentication for passwd-file users. Included from 10-auth.conf.
#
# passwd-like file with specified location.
# <doc/wiki/AuthDatabase.PasswdFile.txt>

### GENERIC USER TABLE
passdb {
  driver = passwd-file
  args = username_format=%u scheme=SSHA512 /etc/dovecot/private/%d/users
}

userdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/private/%d/users

  # Default fields that can be overridden by passwd-file
  default_fields = uid=vmail gid=vmail home=/var/vmail/%d/%n
  # quota_rule=*:storage=10G

  # Override fields from passwd-file
  # override_fields =
}

### MASTER USER TABLE
auth_master_user_separator = *

passdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/private/%d/users.master
  master = yes
  ### AUTHENTICATION MUST EXIST AND SUCCEED
  pass = yes
}
- %u is the full username with local and domain part (without +extension)
- Default fields can be overridden in the passwd-file
- The passwd-file can be overridden with override_fields =
Script: Add users to Dovecot UserDB/Passdb
- Validates email addresses against a regex.
- Usual output goes to STDERR so STDOUT can directly be appended to /etc/dovecot/users.
- Checks password strength with cracklib.
- Retries, no echo of passwords to the TTY.
- Quite robust.
Just a wrapper for doveadm pw.
/usr/local/sbin/doveadm_adduser.sh
#!/bin/bash

### INIT
RETRY=0
FILE_PWD="/etc/dovecot/users"
DIR_VMAIL="/var/vmail/%d/%n"
ADDRESS="$1"
PASSWORD=""


### SANITIZE INPUTS
if [ -z "$ADDRESS" ]; then
    echo "Missing the email-address. Exiting …" >&2
    exit 3
elif ! grep -qE "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" <<< "$ADDRESS"; then
    echo "Not a valid email-address: \"$ADDRESS\". Exiting …" >&2
    exit 3
fi

set -eu


### DEFINE FUNCTIONS
read_password () {
    local PASS1
    local PASS2
    local CRACKLIB_RETURN
    local CRACKLIB_MESSAGE

    if [ "$RETRY" -eq 3 ]; then
        echo "Too many failures. Exiting …" >&2
        exit 2
    fi

    # -s: no echo of the password to the TTY; prompts go to STDERR
    read -sp "Please enter password: " PASS1 >&2
    stty echo
    echo >&2

    echo -n "Checking password with cracklib: " >&2
    CRACKLIB_RETURN="$(cracklib-check <<< "$PASS1")"
    CRACKLIB_MESSAGE="${CRACKLIB_RETURN#*: }"
    echo "${CRACKLIB_MESSAGE}." >&2
    if [ "$CRACKLIB_MESSAGE" != "OK" ]; then
        echo -e "Please retry …\n" >&2
        # Nothing but the final passwd-file line may reach STDOUT,
        # because STDOUT is meant to be appended to the users file.
        RETRY=$((RETRY+1))
        read_password
    fi

    # A nested retry already collected and confirmed the password.
    if [ -n "$PASSWORD" ]; then
        return 0
    fi

    read -sp "Please repeat password: " PASS2 >&2
    stty echo
    echo >&2

    if [ ! "$PASS1" = "$PASS2" ]; then
        echo -e "Passwords did not match. Please retry …\n" >&2
        RETRY=$((RETRY+1))
        read_password
    else
        PASSWORD="$PASS1"
    fi
}

### MAIN
read_password
HASH="$(doveadm pw -s SSHA512 -p "$PASSWORD" -u "$ADDRESS")"
echo "$ADDRESS:$HASH::::::"
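Added example (not the page's script and not doveadm): Python that produces and verifies the {SSHA512} value doveadm pw -s SSHA512 writes, i.e. base64(SHA-512(password || salt) || salt), and authenticates against a constructed passwd-file in the user:password:uid:gid:gecos:home:shell:extra_fields format shown above. It lets you check a line the script produced without a running Dovecot; the sample users, passwords and salts are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import os


def ssha512_hash(password, salt=None):
    """Return a {SSHA512} field as written to the passwd-file:
    base64( SHA-512(password || salt) || salt )."""
    if salt is None:
        salt = os.urandom(4)      # doveadm pw uses a short random salt; any length verifies
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(password, stored):
    """Check a password against a {SSHA512}... field; False on any malformed field
    (wrong scheme, bad base64, no salt), never an exception."""
    prefix = "{SSHA512}"
    if not stored.startswith(prefix):
        return False
    try:
        raw = base64.b64decode(stored[len(prefix):], validate=True)
    except (ValueError, binascii.Error):
        return False
    if len(raw) <= 64:            # 64-byte digest plus at least one salt byte
        return False
    digest, salt = raw[:64], raw[64:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


FIELDS = ("user", "password", "uid", "gid", "gecos", "home", "shell", "extra_fields")


def parse_passwd_file(text):
    """Map user -> fields. Comments and blank lines are skipped; only the first
    seven colons split, since extra_fields may itself contain ':' (e.g. a quota rule)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(":", 7)
        parts += [""] * (len(FIELDS) - len(parts))
        entry = dict(zip(FIELDS, parts))
        entries[entry["user"]] = entry
    return entries


def authenticate(text, user, password):
    """True only if the user exists and the password verifies."""
    entry = parse_passwd_file(text).get(user)
    if entry is None:
        return False              # unknown user: same answer as a wrong password
    return ssha512_verify(password, entry["password"])


# Constructed sample passwd-file with fixed salts so the text is reproducible.
SAMPLE_PASSWD = "\n".join([
    "### constructed sample, not the page's file",
    "abuse@rockstable.it:" + ssha512_hash("abuse-example-pw", b"\x00\x01\x02\x03") + "::::::",
    "tobias_stein@rockstable.it:" + ssha512_hash("personal-example-pw", b"\xaa\xbb\xcc\xdd")
    + "::::::userdb_quota_rule=*:storage=10G",
])


if __name__ == "__main__":
    print(SAMPLE_PASSWD)
    print(authenticate(SAMPLE_PASSWD, "tobias_stein@rockstable.it", "personal-example-pw"))
```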
dovecot-lmtpd
As opposed to SMTP, where it is necessary to queue mail, in LMTP the receiving side has no mail queue.
Dovecot will act as an LMTP server and receive email from the MTA. The MTA waits for the protocol response and decides whether the network-facing SMTP process should accept or reject the email.
/etc/dovecot/conf.d/20-lmtp.conf
##
## LMTP specific settings
##

# Support proxying to other LMTP/SMTP servers by performing passdb lookups.
#lmtp_proxy = no

# When recipient address includes the detail (e.g. user+detail), try to save
# the mail to the detail mailbox. See also recipient_delimiter and
# lda_mailbox_autocreate settings.
#lmtp_save_to_detail_mailbox = no

# Verify quota before replying to RCPT TO. This adds a small overhead.
#lmtp_rcpt_check_quota = no

# Which recipient address to use for Delivered-To: header and Received:
# header. The default is "final", which is the same as the one given to
# RCPT TO command. "original" uses the address given in RCPT TO's ORCPT
# parameter, "none" uses nothing. Note that "none" is currently always used
# when a mail has multiple recipients.
#lmtp_hdr_delivery_address = final

protocol lmtp {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins sieve
  postmaster_address = postmaster@rockstable.it
}
/etc/dovecot/conf.d/10-master.conf
service lmtp {
  ### IMPROVE SECURITY
  user = vmail
  ### ADJUST PERFORMANCE
  #process_min_avail = 2

  ### /run/dovecot/lmtp
  unix_listener lmtp {
    #mode = 0666
  }

  ### POSTFIX LMTP-SOCKET
  # SHOULD BE LOCATED IN POSTFIX's queue_directory (default: /var/spool/postfix)
  # TO MAKE SURE CHROOTED SERVICES CAN ACCESS THEM.
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0660
    user = postfix
    group = postfix
  }

  ## Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
  #  # Avoid making LMTP visible for the entire internet
  #  address = 127.0.0.1
  #  port = 24
  #}
}
Make sure protocols are enabled
In Debian they are added by includes in /etc/dovecot/dovecot.conf, so LMTP should already be active once you have installed the package dovecot-lmtpd.
grep -H "" /usr/share/dovecot/protocols.d/*.protocol
/usr/share/dovecot/protocols.d/imapd.protocol:protocols = $protocols imap
/usr/share/dovecot/protocols.d/lmtpd.protocol:protocols = $protocols lmtp
/usr/share/dovecot/protocols.d/managesieved.protocol:protocols = $protocols sieve
/usr/share/dovecot/protocols.d/submissiond.protocol:protocols = $protocols submission
Now return to postfix#vmail_setup to complete the setup.
Master Users
It's possible to configure master users who are able to log in as other users. It's also possible to directly log in as any user using a master password.
Possible use cases:
- Allow a master user "Spam" to read the mailboxes "INBOX/Junk" to train the spam detection.
- Log in to some functional accounts like abuse, hostmaster, … to change ACLs for sharing.
Create Master User Passdb
This is a separate file, because the master-user has no own mailbox. Therefore no record in the userdb is necessary.
/etc/dovecot/private/users.master
### MASTER USER TABLE
### MASTER USERS CAN LOGIN TO ANY OTHER ACCOUNTS USING
###   USERNAME: destination_login*master_login
###   PASSWORD: $MASTER_PASSWORD
### where "*" is auth_master_user_separator
### See:
###   * https://wiki.dovecot.org/Authentication/MasterUsers
### FORMAT:
###   user:password:uid:gid:(gecos):home:(shell):extra_fields
master@rockstable.it:{SSHA512}MasterUserPasswordHash::::::
Tighten unix-permissions
Enable Master Users
Append this to the configuration in /etc/dovecot/conf.d/auth-passwdfile.conf.ext
Reload dovecot
1 doveadm reload
Configure ACLs
Surveillance is not an option!
Master users are subject to ACL checks, too. They should be limited to the minimal power they need to have -> privacy by design and by default!
ACLs
Configure ACLs
/etc/dovecot/conf.d/10-mail.conf
protocol imap {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins imap_acl

  # Maximum number of IMAP connections allowed for a user from each IP address.
  # NOTE: The username is compared case-sensitively.
  #mail_max_userip_connections = 10
}
Enable:
- global ACLs -> acl
- shared mailbox dictionary -> acl_shared_dict
/etc/dovecot/conf.d/90-acl.conf
##
## Mailbox access control lists.
##

# vfile backend reads ACLs from "dovecot-acl" file from mail directory.
# You can also optionally give a global ACL directory path where ACLs are
# applied to all users' mailboxes. The global ACL directory contains
# one file for each mailbox, eg. INBOX or sub.mailbox. cache_secs parameter
# specifies how many seconds to wait between stat()ing dovecot-acl file
# to see if it changed.
plugin {
  acl = vfile:/etc/dovecot/dovecot-acl-global:cache_secs=300
}

# To let users LIST mailboxes shared by other users, Dovecot needs a
# shared mailbox dictionary. For example:
plugin {
  acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes
}
Give the imap process (UID vmail) access to the directory /var/lib/dovecot/db.
Global ACLs
/etc/dovecot/dovecot-acl-global
### GLOBAL DOVECOT-ACL
###
### SEE:
###   * https://wiki2.dovecot.org/ACL
###
### HINTS:
###   * ORDER MATTERS
###   * GLOBAL OVERRIDES PERSONAL
###   * DO NOT USE <TABS> TO INDENT OR SEPARATE (PICKY PARSER)
### FORMAT:
###   <identifier> <ACLs> [:<named ACLs>]
### WHERE <identifier> IS ONE OF:
###   group-override=group name
###   user=user name
###   owner
###   group=group name
###   authenticated
###   anyone (or anonymous, which is alias for anyone)
### WHERE <ACLs> ARE:
###   The currently supported ACLs and their corresponding named ACLs are:
###   l  lookup         Mailbox is visible in mailbox list. Mailbox can be subscribed to.
###   r  read           Mailbox can be opened for reading.
###   w  write          Message flags and keywords can be changed, except \Seen and \Deleted
###   s  write-seen     \Seen flag can be changed
###   t  write-deleted  \Deleted flag can be changed
###   i  insert         Messages can be written or copied to the mailbox
###   p  post           Messages can be posted to the mailbox by LDA, e.g. from Sieve scripts
###   e  expunge        Messages can be expunged
###   k  create         Mailboxes can be created (or renamed) directly under this mailbox
###                     (but not necessarily under its children, see ACL Inheritance section above)
###                     (renaming also requires delete rights)
###   x  delete         Mailbox can be deleted
###   a  admin          Administration rights to the mailbox
###                     (currently: ability to change ACLs for mailbox)

### ALLOW MASTER USER TO DO ANYTHING
* user=master@rockstable.it lrwstipekxa
### NOONE CAN DELETE OWN MAILBOX "Junk"
INBOX.Junk owner lrwstipeka
Administrate ACLs
List all mailboxes
doveadm mailbox list -A
Get all ACLs on INBOX and filter global acls
doveadm acl get -A 'INBOX' | grep -v global
Username                   ID                              Global Rights
contact@rockstable.it      user=tobias_stein@rockstable.it        admin create delete expunge insert lookup post read write write-deleted write-seen
abuse@rockstable.it        user=tobias_stein@rockstable.it        admin create delete expunge insert lookup post read write write-deleted write-seen
hostmaster@rockstable.it   user=tobias_stein@rockstable.it        admin create delete expunge insert lookup post read write write-deleted write-seen
postmaster@rockstable.it   user=tobias_stein@rockstable.it        admin create delete expunge insert lookup post read write write-deleted write-seen
webmaster@rockstable.it    user=tobias_stein@rockstable.it        admin create delete expunge insert lookup post read write write-deleted write-seen
Add ACL
### doveadm acl add [-u user|-A|-F file] [-S socket_path] mailbox id right [right ...]
doveadm acl add \
    -u contact@rockstable.it \
    INBOX \
    user=tobias_stein@rockstable.it \
    lookup read write write-seen write-deleted insert post expunge create delete admin

### AND IN A SCRIPTABLE FORMAT -> YOU GET THE IDEA, CHANGE THE FILTER TO YOUR NEEDS
for ACCOUNT in $(egrep -o '^([a-zA-Z0-9.@_]*)' /etc/dovecot/private/users); do
    doveadm acl add \
        -u "$ACCOUNT" \
        INBOX \
        user=tobias_stein@rockstable.it \
        lookup read write write-seen write-deleted insert post expunge create delete admin
done
Test ACLs
doveadm acl debug -u login_user@domain shared/destination_user@domain.tld/SHARED_MAILBOX
Crypto
- configure certificates
- set the length of the Diffie-Hellman parameters to a high value (<= 1024 bit is broken)
- make crypto mandatory
- prefer the server's cipher order
- disable broken and weak protocols and ciphers
##
## SSL settings
##

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca =

# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes

# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
# directory is usually /etc/ssl/certs in Debian-based systems and the file is
# /etc/pki/tls/cert.pem in RedHat-based systems.
#ssl_client_ca_dir =
#ssl_client_ca_file =

# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no

# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName

# DH parameters length to use.
ssl_dh_parameters_length = 4096

# SSL protocols to use
#ssl_protocols = !SSLv2
ssl_protocols = !SSLv2 !SSLv3 !TLSv1

# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!TLSv1:!EXP:!aNULL:!RC4@STRENGTH

# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes

# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =

# SSL extra options. Currently supported options are:
#   no_compression - Disable compression.
ssl_options = no_compression
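A configuration can drift back to the stock values on a package upgrade, so it is worth re-checking the settings above against what Dovecot actually loaded. The following is an added example, not part of this page or of Dovecot: a POSIX sh check that reads a saved `doveconf -n` dump (the "key = value" form Dovecot prints) and fails if any of the hardening points of this section is missing: crypto mandatory, DH parameters of at least 2048 bit, SSLv2/SSLv3/TLSv1 disabled, aNULL/EXP/LOW/RC4 excluded from the cipher list, server cipher order and no compression. The two sample dumps are constructed for the stand-alone run and were not captured from a server.

```shell
#!/bin/sh
# Read one setting from a saved "doveconf -n" dump (or a conf.d file whose
# active lines use the same "key = value" form). Commented-out lines are
# ignored because the key must start the line.
conf_get() {
    sed -n "s/^[[:space:]]*$2 = //p" "$1" | head -n 1
}

# Check the settings this section hardens. Prints one FAIL line per problem
# and returns 0 only when every check passes.
check_dovecot_ssl() {
    conf="$1"; rc=0

    [ "$(conf_get "$conf" ssl)" = "required" ] \
        || { echo "FAIL: ssl = '$(conf_get "$conf" ssl)' (want required)"; rc=1; }

    dh=$(conf_get "$conf" ssl_dh_parameters_length)
    [ "${dh:-0}" -ge 2048 ] 2>/dev/null \
        || { echo "FAIL: ssl_dh_parameters_length = '${dh:-unset}' (want >= 2048)"; rc=1; }

    # ssl_protocols is a space separated list; each weak protocol must be
    # present with a leading "!".
    protos=$(conf_get "$conf" ssl_protocols)
    for weak in SSLv2 SSLv3 TLSv1; do
        case " $protos " in
            *" !$weak "*) ;;
            *) echo "FAIL: ssl_protocols does not disable $weak"; rc=1 ;;
        esac
    done

    # ssl_cipher_list is an OpenSSL cipher string; ":!RC4" also matches the
    # page's ":!RC4@STRENGTH".
    ciphers=$(conf_get "$conf" ssl_cipher_list)
    for weak in aNULL EXP LOW RC4; do
        case ":$ciphers:" in
            *":!$weak"*) ;;
            *) echo "FAIL: ssl_cipher_list does not exclude $weak"; rc=1 ;;
        esac
    done

    [ "$(conf_get "$conf" ssl_prefer_server_ciphers)" = "yes" ] \
        || { echo "FAIL: ssl_prefer_server_ciphers should be yes"; rc=1; }

    case " $(conf_get "$conf" ssl_options) " in
        *" no_compression "*) ;;
        *) echo "FAIL: ssl_options lacks no_compression"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample dumps, not captured from a real server.
sample_hardened() {
    cat <<'EOF'
ssl = required
ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!TLSv1:!EXP:!aNULL:!RC4@STRENGTH
ssl_dh_parameters_length = 4096
ssl_options = no_compression
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
EOF
}
sample_stock() {
    cat <<'EOF'
ssl = yes
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_dh_parameters_length = 1024
ssl_protocols = !SSLv2
EOF
}

# Usage: doveconf -n > /tmp/doveconf.txt && sh check_ssl.sh /tmp/doveconf.txt
if [ "$#" -eq 1 ]; then check_dovecot_ssl "$1"; fi
```

The check reads the effective configuration rather than 10-ssl.conf itself, so an override in another conf.d file is seen as well. The thresholds are those of this page (Dovecot 2.2 setting names); they are not a substitute for testing the listening port with an external TLS scanner.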
ldap
sieve
Sieve - Links
Configuration
Enable Sieve for LMTP delivery by adding it to mail_plugins in
/etc/dovecot/conf.d/20-lmtp.conf
##
## LMTP specific settings
##

# Support proxying to other LMTP/SMTP servers by performing passdb lookups.
#lmtp_proxy = no

# When recipient address includes the detail (e.g. user+detail), try to save
# the mail to the detail mailbox. See also recipient_delimiter and
# lda_mailbox_autocreate settings.
#lmtp_save_to_detail_mailbox = no

# Verify quota before replying to RCPT TO. This adds a small overhead.
#lmtp_rcpt_check_quota = no

# Which recipient address to use for Delivered-To: header and Received:
# header. The default is "final", which is the same as the one given to
# RCPT TO command. "original" uses the address given in RCPT TO's ORCPT
# parameter, "none" uses nothing. Note that "none" is currently always used
# when a mail has multiple recipients.
#lmtp_hdr_delivery_address = final

protocol lmtp {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins sieve
  postmaster_address = postmaster@rockstable.it
}
Create a directory for the global Sieve scripts and point sieve_global at it.
The spam filter that files spam into the mailbox "Junk" is run before the user's own scripts via sieve_before:
/etc/dovecot/conf.d/90-sieve.conf
##
## Settings for the Sieve interpreter
##

# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
# by adding it to the respective mail_plugins= settings.

# The Sieve interpreter can retrieve Sieve scripts from several types of
# locations. The default `file' location type is a local filesystem path
# pointing to a Sieve script file or a directory containing multiple Sieve
# script files. More complex setups can use other location types such as
# `ldap' or `dict' to fetch Sieve scripts from remote databases.
#
# All settings that specify the location of one or more Sieve scripts accept
# the following syntax:
#
# location = [<type>:]path[;<option>[=<value>][;...]]
#
# If the type prefix is omitted, the script location type is 'file' and the
# location is interpreted as a local filesystem path pointing to a Sieve script
# file or directory. Refer to Pigeonhole wiki or INSTALL file for more
# information.

plugin {
  # The location of the user's main Sieve script or script storage. The LDA
  # Sieve plugin uses this to find the active script for Sieve filtering at
  # delivery. The "include" extension uses this location for retrieving
  # :personal" scripts. This is also where the ManageSieve service will store
  # the user's scripts, if supported.
  #
  # Currently only the 'file:' location type supports ManageSieve operation.
  # Other location types like 'dict:' and 'ldap:' can currently only
  # be used as a read-only script source ().
  #
  # For the 'file:' type: use the ';active=' parameter to specify where the
  # active script symlink is located.
  # For other types: use the ';name=' parameter to specify the name of the
  # default/active script.
  sieve = file:~/sieve;active=~/.dovecot.sieve

  # The default Sieve script when the user has none. This is the location of a
  # global sieve script file, which gets executed ONLY if user's personal Sieve
  # script doesn't exist. Be sure to pre-compile this script manually using the
  # sievec command line tool if the binary is not stored in a global location.
  # --> See sieve_before for executing scripts before the user's personal
  #     script.
  #sieve_default = /var/lib/dovecot/sieve/default.sieve

  # The name by which the default Sieve script (as configured by the
  # sieve_default setting) is visible to the user through ManageSieve.
  #sieve_default_name =

  # Location for ":global" include scripts as used by the "include" extension.
  sieve_global = /var/lib/dovecot/sieve/global

  # The location of a Sieve script that is run for any message that is about to
  # be discarded; i.e., it is not delivered anywhere by the normal Sieve
  # execution. This only happens when the "implicit keep" is canceled, by e.g.
  # the "discard" action, and no actions that deliver the message are executed.
  # This "discard script" can prevent discarding the message, by executing
  # alternative actions. If the discard script does nothing, the message is
  # still discarded as it would be when no discard script is configured.
  #sieve_discard =

  # Location of Sieve scripts that need to be executed before the user's
  # personal script. If a 'file' location path points to a directory, all the
  # Sieve scripts contained therein (with the proper `.sieve' extension) are
  # executed. The order of execution within that directory is determined by the
  # file names, using a normal 8bit per-character comparison.
  #
  # Multiple script locations can be specified by appending an increasing number
  # to the setting name. The Sieve scripts found from these locations are added
  # to the script execution sequence in the specified order. Reading the
  # numbered sieve_before settings stops at the first missing setting, so no
  # numbers may be skipped.
  sieve_before = /var/lib/dovecot/sieve/global/Junk.sieve
  #sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
  #sieve_before3 = (etc...)

  # Identical to sieve_before, only the specified scripts are executed after the
  # user's script (only when keep is still in effect!). Multiple script
  # locations can be specified by appending an increasing number.
  #sieve_after =
  #sieve_after2 =
  #sieve_after3 = (etc...)

  # Which Sieve language extensions are available to users. By default, all
  # supported extensions are available, except for deprecated extensions or
  # those that are still under development. Some system administrators may want
  # to disable certain Sieve extensions or enable those that are not available
  # by default. This setting can use '+' and '-' to specify differences relative
  # to the default. For example `sieve_extensions = +imapflags' will enable the
  # deprecated imapflags extension in addition to all extensions that were
  # already enabled by default.
  #sieve_extensions = +notify +imapflags

  # Which Sieve language extensions are ONLY available in global scripts. This
  # can be used to restrict the use of certain Sieve extensions to administrator
  # control, for instance when these extensions can cause security concerns.
  # This setting has higher precedence than the `sieve_extensions' setting
  # (above), meaning that the extensions enabled with this setting are never
  # available to the user's personal script no matter what is specified for the
  # `sieve_extensions' setting. The syntax of this setting is similar to the
  # `sieve_extensions' setting, with the difference that extensions are
  # enabled or disabled for exclusive use in global scripts. Currently, no
  # extensions are marked as such by default.
  #sieve_global_extensions =

  # The Pigeonhole Sieve interpreter can have plugins of its own. Using this
  # setting, the used plugins can be specified. Check the Dovecot wiki
  # (wiki2.dovecot.org) or the pigeonhole website
  # (http://pigeonhole.dovecot.org) for available plugins.
  # The sieve_extprograms plugin is included in this release.
  #sieve_plugins =

  # The separator that is expected between the :user and :detail
  # address parts introduced by the subaddress extension. This may
  # also be a sequence of characters (e.g. '--'). The current
  # implementation looks for the separator from the left of the
  # localpart and uses the first one encountered. The :user part is
  # left of the separator and the :detail part is right. This setting
  # is also used by Dovecot's LMTP service.
  #recipient_delimiter = +

  # The maximum size of a Sieve script. The compiler will refuse to compile any
  # script larger than this limit. If set to 0, no limit on the script size is
  # enforced.
  #sieve_max_script_size = 1M

  # The maximum number of actions that can be performed during a single script
  # execution. If set to 0, no limit on the total number of actions is enforced.
  #sieve_max_actions = 32

  # The maximum number of redirect actions that can be performed during a single
  # script execution. If set to 0, no redirect actions are allowed.
  #sieve_max_redirects = 4

  # The maximum number of personal Sieve scripts a single user can have. If set
  # to 0, no limit on the number of scripts is enforced.
  # (Currently only relevant for ManageSieve)
  #sieve_quota_max_scripts = 0

  # The maximum amount of disk storage a single user's scripts may occupy. If
  # set to 0, no limit on the used amount of disk storage is enforced.
  # (Currently only relevant for ManageSieve)
  #sieve_quota_max_storage = 0

  # The primary e-mail address for the user. This is used as a default when no
  # other appropriate address is available for sending messages. If this setting
  # is not configured, either the postmaster or null "<>" address is used as a
  # sender, depending on the action involved. This setting is important when
  # there is no message envelope to extract addresses from, such as when the
  # script is executed in IMAP.
  #sieve_user_email =

  # The path to the file where the user log is written. If not configured, a
  # default location is used. If the main user's personal Sieve (as configured
  # with sieve=) is a file, the logfile is set to <filename>.log by default. If
  # it is not a file, the default user log file is ~/.dovecot.sieve.log.
  #sieve_user_log =

  # Specifies what envelope sender address is used for redirected messages.
  # The following values are supported for this setting:
  #
  #   "sender"         - The sender address is used (default).
  #   "recipient"      - The final recipient address is used.
  #   "orig_recipient" - The original recipient is used.
  #   "user_email"     - The user's primary address is used. This is
  #                      configured with the "sieve_user_email" setting. If
  #                      that setting is unconfigured, "user_mail" is equal to
  #                      "recipient".
  #   "postmaster"     - The postmaster_address configured for the LDA.
  #   "<user@domain>"  - Redirected messages are always sent from user@domain.
  #                      The angle brackets are mandatory. The null "<>" address
  #                      is also supported.
  #
  # This setting is ignored when the envelope sender is "<>". In that case the
  # sender of the redirected message is also always "<>".
  #sieve_redirect_envelope_from = sender

  ## TRACE DEBUGGING
  # Trace debugging provides detailed insight in the operations performed by
  # the Sieve script. These settings apply to both the LDA Sieve plugin and the
  # IMAPSIEVE plugin.
  #
  # WARNING: On a busy server, this functionality can quickly fill up the trace
  # directory with a lot of trace files. Enable this only temporarily and as
  # selective as possible.

  # The directory where trace files are written. Trace debugging is disabled if
  # this setting is not configured or if the directory does not exist. If the
  # path is relative or it starts with "~/" it is interpreted relative to the
  # current user's home directory.
  #sieve_trace_dir =

  # The verbosity level of the trace messages. Trace debugging is disabled if
  # this setting is not configured. Possible values are:
  #
  #   "actions"        - Only print executed action commands, like keep,
  #                      fileinto, reject and redirect.
  #   "commands"       - Print any executed command, excluding test commands.
  #   "tests"          - Print all executed commands and performed tests.
  #   "matching"       - Print all executed commands, performed tests and the
  #                      values matched in those tests.
  #sieve_trace_level =

  # Enables highly verbose debugging messages that are usually only useful for
  # developers.
  #sieve_trace_debug = no

  # Enables showing byte code addresses in the trace output, rather than only
  # the source line numbers.
  #sieve_trace_addresses = no
}
Sieve Scripts
Junk.sieve
Built for rspamd, which marks spam with an X-Spam header.
/var/lib/dovecot/sieve/global/Junk.sieve
Compile it with sievec:
sievec /var/lib/dovecot/sieve/global/Junk.sieve
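The steps above (create the global script directory, put the Junk filter there, compile it with sievec) as one script, added here as an example that is not part of this page: the Junk.sieve it writes is an assumed example of such a filter, not the author's file, and it assumes rspamd is configured to add the header "X-Spam: Yes" to messages it classifies as spam. Global scripts run before every user's own script, so the directory and the script are left root-owned and not writable by the mail process; sievec is only run when it is installed.

```shell
#!/bin/sh
# Added example: prepare the global Sieve directory with a Junk filter for
# rspamd's "X-Spam: Yes" header and compile it. The Sieve script below is an
# assumed example, not the page's own Junk.sieve.
SIEVE_GLOBAL="${SIEVE_GLOBAL:-/var/lib/dovecot/sieve/global}"

# Create DIR (if missing) and write Junk.sieve into it. Returns 0 when the
# script is in place. Permissions: readable by the delivery process, writable
# only by root, so a user script can never alter what runs before it.
install_junk_sieve() {
    dir="$1"
    mkdir -p "$dir"
    chmod 755 "$dir"
    cat > "$dir/Junk.sieve" <<'EOF'
# Constructed example: file mail that rspamd flagged as spam into "Junk".
# "mailbox" provides :create, so the folder is made if a user lacks it.
require ["fileinto", "mailbox"];

if header :contains "X-Spam" "Yes" {
    fileinto :create "Junk";
    stop;
}
EOF
    chmod 644 "$dir/Junk.sieve"
    # Pre-compile to Junk.svbin: the delivery process cannot write into a
    # root-owned directory, so it could not cache the binary itself.
    if command -v sievec >/dev/null 2>&1; then
        sievec "$dir/Junk.sieve"
    fi
    [ -s "$dir/Junk.sieve" ]
}

# Usage (as root): sh install_junk_sieve.sh /var/lib/dovecot/sieve/global
if [ "$#" -eq 1 ]; then install_junk_sieve "$1"; fi
```

After installing, `doveadm sieve` is not needed for global scripts; it is enough that sieve_before in 90-sieve.conf points at the file, and a `sievec` rerun is required whenever the script changes.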
Sync email between IMAP accounts
imapsync
Written in Perl.
Install on Debian Buster:
apt install -y \
  git \
  libauthen-ntlm-perl \
  libcgi-pm-perl \
  libcrypt-openssl-rsa-perl \
  libdata-uniqid-perl \
  libencode-imaputf7-perl \
  libfile-copy-recursive-perl \
  libfile-tail-perl \
  libio-socket-inet6-perl \
  libio-socket-ssl-perl \
  libio-tee-perl \
  libhtml-parser-perl \
  libjson-webtoken-perl \
  libmail-imapclient-perl \
  libparse-recdescent-perl \
  libmodule-scandeps-perl \
  libreadonly-perl \
  libregexp-common-perl \
  libsys-meminfo-perl \
  libterm-readkey-perl \
  libtest-mockobject-perl \
  libtest-pod-perl \
  libunicode-string-perl \
  liburi-perl \
  libwww-perl \
  libtest-nowarnings-perl \
  libtest-deep-perl \
  libtest-warn-perl \
  make \
  cpanminus
git clone 'https://github.com/imapsync/imapsync.git' '/opt/imapsync'
cd /opt/imapsync
Change all the credentials before and after the migration.
Create a file credentials.csv for the credentials and protect it:
chmod 600 credentials.csv
Each line of this file is a ";"-delimited 6-tuple: host1;user1;password1;host2;user2;password2 (lines starting with "#" are comments).
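A malformed line in that file is only noticed once imapsync fails against a live server, so it pays to validate it first. The following is an added example, not part of this page or of imapsync: a POSIX sh check that enforces the 6-tuple format described above (a password containing ";" cannot be represented and shows up as a surplus field), rejects empty fields, and refuses a file that is readable by group or others. The sample lines are constructed; the hosts and accounts are not real.

```shell
#!/bin/sh
# Validate the wrapper's credentials file before running a migration.
# Format: one "host1;user1;password1;host2;user2;password2" per line,
# "#" starts a comment. Returns 0 when every line is usable and the file
# is private (no group/other permissions), 1 otherwise.
validate_credentials() {
    file="$1"; bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        # Count separators: exactly five ";" means exactly six fields.
        seps=$(printf '%s' "$line" | tr -cd ';' | wc -c | tr -d ' ')
        if [ "$seps" -ne 5 ]; then
            echo "line $n: expected 6 ';'-separated fields, found $((seps + 1))" >&2
            bad=$((bad + 1))
            continue
        fi
        # Split the line the same way the wrapper does and reject empty fields.
        IFS=';' read -r h1 u1 p1 h2 u2 p2 <<EOF
$line
EOF
        for v in "$h1" "$u1" "$p1" "$h2" "$u2" "$p2"; do
            if [ -z "$v" ]; then
                echo "line $n: empty field" >&2
                bad=$((bad + 1))
                break
            fi
        done
    done < "$file"
    # The file holds plaintext passwords: group and other must have no access
    # (columns 5-10 of "ls -l" are the group/other permission bits).
    if [ "$(ls -l "$file" | cut -c5-10)" != "------" ]; then
        echo "$file: must not be group/world accessible (chmod 600 '$file')" >&2
        bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ]
}

# Constructed samples (hosts and accounts are placeholders, not real).
sample_good() {
    cat <<'EOF'
# host1;user1;password1;host2;user2;password2
imap.old.example.net;alice@example.net;oldpass;imap.new.example.net;alice@example.net;newpass
EOF
}
sample_bad() {
    cat <<'EOF'
imap.old.example.net;bob@example.net;pa;ss;imap.new.example.net;bob@example.net;x
imap.old.example.net;;nopass;imap.new.example.net;carol@example.net;y
EOF
}

# Usage: sh validate_credentials.sh credentials.csv
if [ "$#" -eq 1 ]; then validate_credentials "$1"; fi
```

Run it right before the wrapper; the first sample line in `sample_bad` has seven fields because the password contains ";", the second has an empty user1.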
Wrap it with a little script like this one
imapsync_wrapper.sh
#!/bin/bash -eu

### INIT
declare -a OPTIONS
declare -a DEPENDENCIES

DEPENDENCIES=(
  "git" "libauthen-ntlm-perl" "libcgi-pm-perl" "libcrypt-openssl-rsa-perl"
  "libdata-uniqid-perl" "libencode-imaputf7-perl" "libfile-copy-recursive-perl"
  "libfile-tail-perl" "libio-socket-inet6-perl" "libio-socket-ssl-perl"
  "libio-tee-perl" "libhtml-parser-perl" "libjson-webtoken-perl"
  "libmail-imapclient-perl" "libparse-recdescent-perl" "libmodule-scandeps-perl"
  "libreadonly-perl" "libregexp-common-perl" "libsys-meminfo-perl"
  "libterm-readkey-perl" "libtest-mockobject-perl" "libtest-pod-perl"
  "libunicode-string-perl" "liburi-perl" "libwww-perl" "libtest-nowarnings-perl"
  "libtest-deep-perl" "libtest-warn-perl" "make" "cpanminus"
)


### DEFAULTS
FILE_CREDENTIALS="credentials.csv"
FILE_LOG="imapsync.log"
GIT_REPO="https://github.com/imapsync/imapsync.git"
IMAPSYNC="/opt/imapsync/imapsync"
LOG=false
TIMEOUT=120
OPTIONS=( "--no-modulesversion" )


SELF="$(basename "$0")"

usage () {
cat <<EOL
$SELF [options]

options:
  -c|--credentials FILE  Path to credentials file
                         (Default: credentials.csv, delimited by ";")
  -h|--help              Display this help
  -i|--imapsync PATH     Path to imapsync
  -l|--log PATH          Path to log file
  -p|--preparations      Show preparations/installation instructions
  -t|--timeout SECONDS   Timeout for server connections (Default: 120s)
EOL
}

preparations () {
cat <<EOL
### INSTALLATION INSTRUCTIONS (DEBIAN BUSTER)
apt install -y ${DEPENDENCIES[@]}
git clone \\
  '$GIT_REPO' \\
  "$(dirname "$IMAPSYNC")"
EOL
}

### PARSE CLI OPTIONS
# Note that we use "$@" to let each command-line parameter expand to a
# separate word. The quotes around "$@" are essential!
# We need TEMP as the 'eval set --' would nuke the return value of getopt.
# The assignment is tested directly: because of 'set -e' a failing getopt
# would otherwise abort the script before a separate '$?' check could run.
if ! TEMP=$(getopt \
  -o 'c:hi:l::pt:' \
  --long 'credentials:,help,imapsync:,log::,preparations,timeout:' \
  -n "$SELF" -- "$@"); then
  echo 'Terminating...' >&2
  exit 1
fi

# Note the quotes around "$TEMP": they are essential!
eval set -- "$TEMP"
unset TEMP

while true; do
  case "$1" in
    #'-a'|'--a-long')
    #  echo 'Option a'
    #  shift
    #  continue
    #;;
    '-c'|'--credentials')
      FILE_CREDENTIALS="$2"
      shift 2
      continue
    ;;
    '-h'|'--help')
      usage
      exit 0
    ;;
    '-i'|'--imapsync')
      IMAPSYNC="$2"
      shift 2
      continue
    ;;
    '-l'|'--log')
      # optional argument: getopt passes '' when no file was given
      LOG=true
      case "$2" in
        '') : ;;
        *) FILE_LOG="$2" ;;
      esac
      shift 2
      continue
    ;;
    '-p'|'--preparations')
      preparations
      exit 0
    ;;
    '-t'|'--timeout')
      TIMEOUT="$2"
      shift 2
      continue
    ;;
    '--')
      shift
      break
    ;;
    *)
      echo 'Internal error!' >&2
      exit 1
    ;;
  esac
done

#echo 'Remaining arguments:'
#for arg; do
#  echo "--> '$arg'"
#done

### SANITIZE
if $LOG; then
  if [ -n "$FILE_LOG" ]; then
    OPTIONS+=( "--logfile" "$FILE_LOG" )
  else
    echo "Invalid argument to option -l|--log: '$FILE_LOG'"
    exit 2
  fi
fi

if [ -z "$FILE_CREDENTIALS" ]; then
  echo "Missing argument to parameter '-c|--credentials': '$FILE_CREDENTIALS'"
  exit 2
fi

if [ ! -e "$FILE_CREDENTIALS" ]; then
  echo "Credentials file cannot be found: '$FILE_CREDENTIALS'"
  exit 2
fi
if [ ! -r "$FILE_CREDENTIALS" ]; then
  echo "Credentials file cannot be read: '$FILE_CREDENTIALS'"
  exit 2
fi

if [ ! -x "$IMAPSYNC" ]; then
  echo "Argument to option '-i|--imapsync' does not seem to be an executable file: '$IMAPSYNC'"
  exit 2
fi

if [ -n "$TIMEOUT" ]; then
  OPTIONS+=( "--timeout1" "$TIMEOUT" "--timeout2" "$TIMEOUT" )
fi

### Generate names for the pipes (mktemp -u|--dry-run only returns a name)
PIPE_PASS1="$(mktemp -u)"
PIPE_PASS2="$(mktemp -u)"

### Create FIFO pipes readable by us only, and make sure they are removed
### again even when imapsync fails and 'set -e' aborts the loop
mkfifo -m 600 "$PIPE_PASS1"
mkfifo -m 600 "$PIPE_PASS2"
trap 'rm -f "$PIPE_PASS1" "$PIPE_PASS2"' EXIT

### LINES IN CREDENTIALS STARTING WITH "#"
### ARE CONSIDERED A COMMENT AND FILTERED
{ while IFS=';' read -r HOST1 USER1 PASS1 HOST2 USER2 PASS2; do
  ### PASS PASSWORD VIA COMMANDLINE (INSECURE: VISIBLE TO EVERY LOCAL USER IN ps)
  #$IMAPSYNC \
  #  "${OPTIONS[@]}" \
  #  --host1 "$HOST1" --user1 "$USER1" --password1 "$PASS1" \
  #  --host2 "$HOST2" --user2 "$USER2" --password2 "$PASS2"

  ### PASS PASSWORDS VIA FIFO (SAFER): the background writers block until
  ### imapsync opens the pipes; printf instead of echo so that a password
  ### starting with "-" or containing backslashes is written verbatim
  printf '%s\n' "$PASS1" > "$PIPE_PASS1" &
  printf '%s\n' "$PASS2" > "$PIPE_PASS2" &
  $IMAPSYNC \
    "${OPTIONS[@]}" \
    --host1 "$HOST1" --user1 "$USER1" --passfile1 "$PIPE_PASS1" \
    --host2 "$HOST2" --user2 "$USER2" --passfile2 "$PIPE_PASS2"
done ; } <<< "$(grep -v '^#' "$FILE_CREDENTIALS")"

# The directory entries of the pipes are deleted by the EXIT trap above
Make an entry with crontab -e
WORKS!1!!
Administration
Account Information
Lookup user
It's also possible to use * and ? wildcards (e.g. *.?oe@example.net).
Remove Account
Misc
KMail Import assistant
Kmail import wizard does not work
aptitude install akonadi-import-wizard
Read Microsoft Outlook PST-File
Read a PST file of Outlook 2003 (POP3 only) and convert it to a standard, importable format, e.g. mbox.
aptitude install pst-utils