18 January 2009

Replace courier-imap with dovecot for an email server under GNU/Linux

The courier-imap package, and the packages linked to it, have been replaced by dovecot since Fedora 8 (or earlier).
It is still possible to keep the mailbox part of your full and secured GNU/Linux email server by compiling courier-imap from source.

If you want to keep benefiting from up-to-date packages through yum, or if you want a more secure system, you should migrate to dovecot.

To begin, there is a tool for migrating the "metadata" from courier-imap to dovecot.

Here is how to configure dovecot by editing the /etc/dovecot.conf file, according to the configuration of the full and secured GNU/Linux email server:
- define explicitly which protocols you want, to avoid wasting resources and exposing services you do not need (see this post for the courier equivalent)
protocols = pop3 pop3s

- define the certificate and the key to use (they can be the same as the SMTP server's)
ssl_cert_file = /etc/postfix/smtpd.cert
ssl_key_file = /etc/postfix/smtpd.key

- define the mail location
mail_location = maildir:/home/vmail/%d/%n

- define the mail UID, GID and the privileged group:
mail_uid = 5000
mail_gid = 5000
mail_privileged_group = vmail

- comment out the imap or pop3 begin/end lines according to your needs

- specify the pop3 UIDL format so that it is compatible with the existing courier metadata
pop3_uidl_format = %u-%v

- specify the mechanisms in the auth default section
mechanisms = plain login

- comment out all lines corresponding to auth methods you do not want (pam, for instance)

- specify the path of ONE specific file (which you will create) used to query the SQL database for password and user information in a single request (an optimization); the order matters: the "userdb prefetch" part must come before the "userdb sql" part
passdb sql {
args = /etc/dovecot-mysql.conf
}
userdb prefetch {
}
userdb sql {
args = /etc/dovecot-mysql.conf
}

- create a file with the SQL queries and connection information (/etc/dovecot-mysql.conf), replacing mail, admin and XXX with your database name, privileged user login and password (default_pass_scheme is very important and must match the function used when adding passwords to the database; here it corresponds to the MySQL ENCRYPT function):
## /etc/dovecot-mysql.conf contents ##
driver = mysql
default_pass_scheme = CRYPT
connect = host=localhost dbname=mail user=admin password=XXX

# Extended request allowing to get password and all user information at same time.
password_query = SELECT password, '/home/vmail/%d/%n' as userdb_home, 'maildir:/home/vmail/%d/%n' as userdb_mail, 5000 AS userdb_uid, 5000 AS userdb_gid, concat('dirsize:storage=',quota) AS userdb_quota FROM users WHERE email = '%u'

# Used only for deliver (see LDA).
user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, concat('dirsize:storage=',quota) AS quota FROM users WHERE email ='%u'
## /etc/dovecot-mysql.conf contents ##

- (optional) enable debug information in case something goes wrong
mail_debug = yes
auth_debug = yes
auth_debug_passwords = yes

- restart the dovecot service
service dovecot restart

- attempt to connect to your imap/pop server with your favorite email client, checking the log file (default is /var/log/maillog)

- (optional) disable the debug information once it is no longer needed
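Before restarting the service, it is worth checking the edited file for the points the steps above depend on: the "userdb prefetch" block must precede "userdb sql", the TLS certificate and key must be set, the courier-compatible UIDL format must be in place, and auth_debug_passwords must not be left on (it writes plaintext passwords to maillog). The following Python script is an added example, not part of the original post: it parses the flat "key = value" / "name { ... }" syntax of the dovecot 1.x configuration shown here and reports those problems. The sample configuration embedded in it is constructed, with the userdb order deliberately wrong, and the key_mode parameter (the permission bits of ssl_key_file) is a hypothetical input so the check runs without touching the filesystem.

```python
"""Check a dovecot 1.x style configuration for the migration pitfalls above.

Added example (not from the original post). Parses "key = value" lines and
"section name { ... }" blocks, then reports:
  * userdb prefetch listed after userdb sql (prefetch is then never used)
  * ssl_cert_file / ssl_key_file missing, or a world-readable key
  * auth_debug_passwords = yes left enabled (logs plaintext passwords)
  * pop3_uidl_format not set to the courier-compatible value
"""
import stat

# Constructed sample fragment of /etc/dovecot.conf: the userdb blocks are in
# the wrong order and debugging was left on, so several checks fire.
SAMPLE_CONF = """\
protocols = pop3 pop3s
ssl_cert_file = /etc/postfix/smtpd.cert
ssl_key_file = /etc/postfix/smtpd.key
mail_location = maildir:/home/vmail/%d/%n
mail_uid = 5000
mail_gid = 5000
mail_privileged_group = vmail
pop3_uidl_format = %u-%v
auth default {
  mechanisms = plain login
  passdb sql {
    args = /etc/dovecot-mysql.conf
  }
  userdb sql {
    args = /etc/dovecot-mysql.conf
  }
  userdb prefetch {
  }
}
auth_debug_passwords = yes
"""


def parse_conf(text):
    """Return (settings, sections).

    settings maps 'section/.../key' to its value; sections is the ordered
    list of 'section/.../name' paths for every block that was opened.
    """
    settings, sections, stack = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.endswith("{"):                # block opener: "userdb sql {"
            stack.append(line[:-1].strip())
            sections.append("/".join(stack))
        elif line == "}":                     # block closer
            stack.pop()
        elif "=" in line:                     # plain setting
            key, value = (s.strip() for s in line.split("=", 1))
            settings["/".join(stack + [key])] = value
    return settings, sections


def check_conf(text, key_mode=None):
    """Return a list of findings; an empty list means the config passes.

    key_mode is the hypothetical permission bits of ssl_key_file (e.g. 0o600),
    passed in so the check does not need to stat a real file.
    """
    settings, sections = parse_conf(text)
    findings = []

    # 1. prefetch must come first, or the userdb_* columns returned by
    #    password_query are ignored and the SQL userdb runs a second query.
    prefetch = [i for i, s in enumerate(sections) if s.endswith("userdb prefetch")]
    sql = [i for i, s in enumerate(sections) if s.endswith("userdb sql")]
    if prefetch and sql and prefetch[0] > sql[0]:
        findings.append("userdb prefetch must appear before userdb sql")

    # 2. TLS material must be configured, and the private key kept private.
    for key in ("ssl_cert_file", "ssl_key_file"):
        if key not in settings:
            findings.append(f"{key} is not set")
    if key_mode is not None and key_mode & stat.S_IROTH:
        findings.append("ssl_key_file is world-readable")

    # 3. Password debug logging is for troubleshooting only.
    if settings.get("auth_debug_passwords", "no").lower() == "yes":
        findings.append("auth_debug_passwords=yes logs plaintext passwords to maillog")

    # 4. Keep POP3 UIDLs identical to courier's so clients do not re-download mail.
    if settings.get("pop3_uidl_format") != "%u-%v":
        findings.append("pop3_uidl_format should be %u-%v for courier compatibility")
    return findings


if __name__ == "__main__":
    for finding in check_conf(SAMPLE_CONF, key_mode=0o644):
        print("WARN:", finding)
```

Run it against your own file with `check_conf(open("/etc/dovecot.conf").read(), key_mode=os.stat("/etc/postfix/smtpd.key").st_mode)` and fix every warning before running `service dovecot restart`; on the constructed sample it reports the userdb order, the world-readable key and the debug setting.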

2 comments:

  1. To disable anonymous and weak ciphers when using dovecot, define ssl_cipher_list in /etc/dovecot.conf:
    ssl_cipher_list = ALL:!aNULL:!eNULL:!ADH:!LOW:!MEDIUM:!EXP:!SSLv2:HIGH

    Such security issues can be checked with Nessus:
    http://nessus.org/nessus/
  2. Thanks for mentioning "respect the order which is important, "userdb prefetch" must be before "userdb sq" part" in the article. It was exactly my problem: I had userdb prefetch "after" userdb sql in dovecot.conf. You've helped solve what seemed a mysterious problem. Thanks!
