- Written for CentOS 7.1, Dovecot 2.2.10.
- Users are system users (in
- Mailbox style is
Maildir(in their home folders.)
- Certificates are Comodo PositiveSSLs from NameCheap
Getting your mail is not something which can always be done via telnet (insecure) or SSH (e.g. in the case of virtual accounts.)1 Dovecot allows you to get your mail using the POP3 and/or IMAP protocols.
- The Dovecot instance will use POP3S and IMAPS in addition to POP3 and IMAP. When TLS properly implemented/initiated with the latter pair, there’s really no reason why the former would be required. Seems to be some debate about this.
- The Comodo certificates were chosen since they would work with Gmail and most other MUAs.
yum install dovecot systemctl enable dovecot
Turn off SSL (for now) in
ssl = no
/etc/dovecot/dovecot.conf and set the protocols you want to serve
protocols = imap pop3
Listen on IPv4 and IPv6 interfaces
listen = *, ::
Location for run time data
base_dir = /var/run/dovecot/
/etc/dovecot/conf.d/10-mail.conf, tell Dovecot where to find
mail_location = maildir:~/Maildir
Start the service and make sure it’s running
[root@example ~]# systemctl start dovecot [root@example ~]# netstat -tulpn | grep dovecot tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 7183/dovecot tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 7183/dovecot tcp 0 0 :::110 :::* LISTEN 7183/dovecot tcp 0 0 :::143 :::* LISTEN 7183/dovecot
Make sure firewall is poked :)
Now we use TLS with the POP3 and IMAP ports. All authentication and message transfer will be done only over a secure connection.
/etc/dovecot/conf.d/10-ssl.conf to mandate SSL
ssl = required
And configure the certificates and keys you will use
ssl_cert = </etc/pki/tls/certs/example.com.crt ssl_key = </etc/pki/tls/private/example.com.key ssl_ca = </etc/pki/CA/certs/ca-bundle.pem
Now disable plaintext authentication in
disable_plaintext_auth = yes
Restart the dovecot service. You’ll see ports 993 and 995 in the
netstat output. Use OpenSSL to test the POP3S service first:
openssl s_client -connect example.com:995
You should be able to log in and check some test messages. The IMAP service should work fine as well.
Importantly, you should not be able to authenticate insecurely.
[root@example ~]# telnet example.com 110 Trying 126.96.36.199... Connected to example.com. Escape character is '^]'. +OK Dovecot ready. user testuser -ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
This is good. Test like crazy!
When creating a CA bundle, go Root → Intermediate → Intermediate → … → Your Certificate.
When connecting via OpenSSL, note how POP3 and IMAP servers respond (with the greeting “I am ready”):
# IMAP * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] I am ready. # POP3 +OK I am ready.
If using Gmail as an MUA, it expects a POP3 server/response.