Dovecot IMAP/POP3 server

Slackware makes use of the UW (University of Washington) IMAP server. This was probably a good choice once, but it no longer is, since better IMAP servers are available.

I use the Horde framework with IMP, the Internet Messaging Program. IMP is written in PHP and provides webmail access to IMAP and POP3 accounts. Unlike previous versions of IMP, 4.1+ no longer contains the "namespace", "hierarchies", or "folders" parameters. Instead, namespace configuration is automatically detected from the remote server.

This startles users of UW-IMAP because all files in the home directory now show up in the folders list and all sorts of namespaces appear that didn't appear before. Additionally, this results in drastically increased login times to IMP.

In fact, this is not an IMP problem; it is a UW-IMAP configuration problem. The problem has been known for a long time, yet there is still no easy workaround for it.

One day I decided to move to Dovecot, an open source IMAP and POP3 server. Dovecot primarily aims to be lightweight, fast and easy to set up, and it has been written with security in mind. Dovecot can work with standard mbox, Maildir, and its own dbox format. It is fully compatible with UW IMAP and Courier IMAP servers.

 

Steps to move

Moving to Dovecot takes only a few steps:

  1. Get the Dovecot sources or, even better, grab the Slackware Dovecot package from Piir-Stuff
  2. Install the Dovecot package
  3. Adjust the configuration file "dovecot.conf" in /etc
  4. Make adjustments to fire up dovecot

 

Dovecot configuration file

You will find the dovecot configuration file in /etc/dovecot.conf. If you're in a hurry, see http://wiki.dovecot.org/QuickConfiguration. Otherwise, proceed through the options step by step and adjust as needed.

For the complete dovecot documentation visit the website.

 

Options in dovecot.conf

Example settings (grep -v "#" /etc/dovecot.conf):

 

# Only do this in combination with TLS / SSL. Otherwise, your passwords are in severe danger!

disable_plaintext_auth = no


# TLS / SSL - see dedicated section in this article

ssl_cert_file = /etc/ssl/misc/dovecotcert.pem
ssl_key_file = /etc/ssl/misc/dovecotkey.pem
ssl_ca_file = /etc/ssl/misc/demoCA/cacert.pem
ssl_verify_client_cert = yes
ssl_cipher_list = HIGH:MEDIUM


protocol imap {
}

protocol pop3 {
}

protocol lda {
postmaster_address =
}


# Authentication section. I still use shadow and passwd. The last part of this section provides SASL for the Postfix mailer. See the dedicated article.

auth default {
  mechanisms = plain login

  passdb shadow {
  }

  userdb passwd {
  }

  user = root

  ssl_require_client_cert = no

  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0666
      user = postfix
      group = postfix
    }
  }
}


dict {
}

plugin {
}

 

Set up TLS / SSL

I use TLS to secure my passwords and mail in transit. Doing so is a three-step process:

  1. Get a server certificate
  2. Adjust dovecot.conf
  3. Check your mail client for the presence of the CA certificate


Get a server certificate

You can use an "official" certificate or go with your own CA and certificate. You may want to use an "official" certificate in a production environment where different parties access your server. This is not a must, but otherwise you have to ensure that your CA certificate is properly distributed to all parties accessing your server.

For a list of authorities providing official certificates, have a look in the authorities certificate section of your web browser.

If you prefer to go with your own CA and certificate, refer to the dedicated article (OpenSSL CA) on Piir-Stuff.

 

Adjust dovecot.conf

To enable TLS, adjust your dovecot settings accordingly. The authentication section is not mandatory; it is only required if you want to use client certificates for authentication.

 

# This is the server certificate - either a self made or official certificate
ssl_cert_file = /etc/ssl/misc/dovecotcert.pem

# The server key file
ssl_key_file = /etc/ssl/misc/dovecotkey.pem

# The certificate of the issuing CA - the one the server certificate is based on
ssl_ca_file = /etc/ssl/misc/demoCA/cacert.pem

# Encryption strength - the higher, the better
ssl_cipher_list = HIGH:MEDIUM


# Authentication section
# Whether client certificates should be used and forced
ssl_require_client_cert = no

# Whether client certificates should be verified
ssl_verify_client_cert = yes
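
The settings above can be checked mechanically. The following shell sketch is an added example, not part of the original article or of Dovecot: it reads a dovecot.conf in the syntax shown here and flags plaintext authentication without a configured certificate and key, socket modes that are open to "other", and a key file readable by group or other. The function names, the finding names and the sample configuration are assumptions made up for the example.

```sh
# Added example (not from the article): audit a Dovecot 1.x style dovecot.conf.
# Finding names such as PLAINTEXT_WITHOUT_TLS are made up for this sketch.

# Print the value of the last uncommented "key = value" line for key $2 in file $1.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print a space-separated list of findings; an empty line means nothing was flagged.
audit_dovecot_conf() {
    conf=$1
    findings=""
    cert=$(conf_get "$conf" ssl_cert_file)
    key=$(conf_get "$conf" ssl_key_file)
    # Assumption: no explicit certificate or key line means TLS was not set up.
    if [ "$(conf_get "$conf" disable_plaintext_auth)" = "no" ] &&
       { [ -z "$cert" ] || [ -z "$key" ]; }; then
        findings="$findings PLAINTEXT_WITHOUT_TLS"
    fi
    # Socket "mode" values whose last octal digit grants access to "other".
    for mode in $(sed -n 's/^[[:space:]]*mode[[:space:]]*=[[:space:]]*//p' "$conf"); do
        case $mode in
            *[1-7]) findings="$findings SOCKET_MODE_OTHER:$mode" ;;
        esac
    done
    # If the key file exists, it should not be readable by group or other.
    if [ -n "$key" ] && [ -f "$key" ] &&
       [ -n "$(find "$key" -prune \( -perm -040 -o -perm -004 \))" ]; then
        findings="$findings KEY_READABLE"
    fi
    echo "${findings# }"
}

# Constructed sample: plaintext auth allowed, key line commented out, 0666 socket.
sample=$(mktemp)
cat > "$sample" <<'EOF'
disable_plaintext_auth = no
#ssl_key_file = /etc/ssl/misc/dovecotkey.pem
socket listen {
  client {
    mode = 0666
  }
}
EOF
audit_dovecot_conf "$sample"   # PLAINTEXT_WITHOUT_TLS SOCKET_MODE_OTHER:0666
rm -f "$sample"
```

To check a live system, call audit_dovecot_conf /etc/dovecot.conf. With disable_plaintext_auth = yes, Dovecot itself refuses plaintext logins on connections that are not protected by SSL/TLS (connections from the local machine excepted).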


Check your mail client for the presence of the CA certificate

You will receive a warning notice if the certificate of the issuing CA is not in the authorities store of your mail client. To avoid this, check the authorities store of your mail client. If the CA certificate is missing, get it and import it.

 

Fire up dovecot

You can do this either via inetd or with a startup script in /etc/rc.d.

Option 1: inetd

Disable the original UW IMAP daemon and start the new Dovecot daemon from /usr/libexec/dovecot instead.

 

#imap2 stream tcp nowait root /usr/sbin/tcpd imapd
imap2 stream tcp nowait root /usr/sbin/tcpd /usr/libexec/dovecot/imap-login

 

Option 2: Startup script from /etc/rc.d

 

#!/bin/bash
# Copyright 2006, Alan Hicks, Lizella, GA
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
# permitted provided that the following conditions are met:
#
# 1. Redistributions of this script must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#


# Start the Dovecot master process.
dovecot_start()
{
  echo "Firing up dovecot."
  dovecot
}

# Stop all running dovecot processes.
dovecot_stop()
{
  echo "Shutting down dovecot."
  killall dovecot
}

dovecot_restart()
{
  dovecot_stop
  sleep 5 # Give it time to clean up if it needs it.
  dovecot_start
}

case "$1" in
  'start')
    dovecot_start
    ;;
  'stop')
    dovecot_stop
    ;;
  'restart')
    dovecot_restart
    ;;
  *)
    echo "usage $0 start|stop|restart"
    ;;
esac