Dovecot

[TOC]

  • Written for CentOS 7.1, Dovecot 2.2.10.
  • Users are system users (in /etc/aliases)
  • Mailbox style is Maildir (in their home folders).
  • Certificates are Comodo PositiveSSLs from NameCheap

Pre-Flight

Getting at your mail is not something that can always be done via telnet
(insecure) or SSH (e.g. in the case of virtual accounts).[^1]
Dovecot lets you retrieve your mail using the
POP3 and/or IMAP protocols.

On SSL

  • The Dovecot instance will use POP3S and IMAPS in addition to POP3
    and IMAP. When TLS is properly implemented/initiated with the latter
    pair, there’s really no reason why the former would be required.
    There seems to be some debate about this.
  • The Comodo certificates were chosen since they work with Gmail
    and most other MUAs.

Installation

yum install dovecot  
systemctl enable dovecot

Configuration

Turn off SSL (for now) in /etc/dovecot/conf.d/10-ssl.conf.

ssl = no

Initial Configuration

Edit /etc/dovecot/dovecot.conf and set the protocols you want to serve

protocols = imap pop3

Listen on IPv4 and IPv6 interfaces

listen = *, ::

Location for runtime data

base_dir = /var/run/dovecot/

Now, in /etc/dovecot/conf.d/10-mail.conf, tell Dovecot where to find
the messages

mail_location = maildir:~/Maildir

Start the service and make sure it’s running

[root@example ~]# systemctl start dovecot  
[root@example ~]# netstat -tulpn | grep dovecot  
tcp   0      0 0.0.0.0:110      0.0.0.0:*         LISTEN      7183/dovecot  
tcp   0      0 0.0.0.0:143      0.0.0.0:*         LISTEN      7183/dovecot  
tcp   0      0 :::110           :::*              LISTEN      7183/dovecot  
tcp   0      0 :::143           :::*              LISTEN      7183/dovecot

Testing

You can now telnet to either port 110 (POP3) or 143 (IMAP). The two
protocols’ command syntaxes differ quite a bit.

Make sure the firewall allows these ports :)

Securing

Now we use TLS with the POP3 and IMAP ports. All authentication and
message transfer will be done only over a secure connection.

Edit /etc/dovecot/conf.d/10-ssl.conf to mandate SSL

ssl = required

And configure the certificates and keys you will use

ssl_cert = </etc/pki/tls/certs/example.com.crt  
ssl_key = </etc/pki/tls/private/example.com.key  
ssl_ca = </etc/pki/CA/certs/ca-bundle.pem

Now disable plaintext authentication in /etc/dovecot/conf.d/10-auth.conf

disable_plaintext_auth = yes
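
The settings above end up spread over dovecot.conf and several conf.d files, and the last assignment of a key wins, so a stray `ssl = no` left in another include silently undoes this section. What follows is an added example, not part of this page and not Dovecot's own tooling: a small Python parser for Dovecot's `key = value` / section / `!include` syntax, with an audit of the values this section sets. The sample tree it builds under a temporary directory is constructed; the Dovecot 2.2 defaults it assumes and the `ssl_protocols` check go beyond what the page states.

```python
"""Audit a Dovecot 2.2 configuration tree for the settings this page hardens.

Added example, not Dovecot's own tooling. It handles the subset of the config
syntax used in dovecot.conf and conf.d/*.conf: `key = value`,
`section [name] { ... }` blocks, `#` comments, and `!include`/`!include_try`
globs resolved relative to the file that contains them.
"""
import glob
import os
import re
import tempfile

# Assumed Dovecot 2.2 defaults, used when a key is not set anywhere in the tree.
DEFAULTS = {"ssl": "yes", "disable_plaintext_auth": "yes", "ssl_protocols": "!SSLv2"}

_INCLUDE_RE = re.compile(r"^!include(?:_try)?\s+(.+)$")
_SECTION_RE = re.compile(r"^([^={}]+?)\s*\{$")


def parse_dovecot_conf(path, settings=None, _stack=None):
    """Flatten a config file plus its includes into a {key: value} dict.

    Keys inside sections carry the section path, e.g.
    'service imap-login/inet_listener imaps/port'. A later assignment of the
    same key overrides an earlier one, which is how Dovecot resolves them.
    """
    settings = {} if settings is None else settings
    stack = [] if _stack is None else _stack
    base = os.path.dirname(os.path.abspath(path))
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()  # '#' starts a comment
            if not line:
                continue
            inc = _INCLUDE_RE.match(line)
            if inc:
                for sub in sorted(glob.glob(os.path.join(base, inc.group(1).strip()))):
                    parse_dovecot_conf(sub, settings, stack)
                continue
            sec = _SECTION_RE.match(line)
            if sec:
                stack.append(sec.group(1))
            elif line == "}":
                stack.pop()
            elif "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                settings["/".join(stack + [key])] = value
    return settings


def audit(settings):
    """Return findings against this page's 'Securing' steps; [] means all good."""
    get = lambda key: settings.get(key, DEFAULTS.get(key, ""))
    findings = []
    ssl = get("ssl")
    if ssl != "required":
        findings.append(f"ssl = {ssl}: non-TLS sessions are still accepted (expected 'required')")
    if get("disable_plaintext_auth") != "yes":
        findings.append("disable_plaintext_auth != yes: passwords may cross the wire unencrypted")
    if ssl != "no":
        for key in ("ssl_cert", "ssl_key"):
            value = settings.get(key, "")
            if not value.startswith("<"):
                findings.append(f"{key} must name a file with the '<' prefix (got {value!r})")
    # Beyond the page: ssl_protocols is either an exclusion list ('!SSLv2 !SSLv3')
    # or an allow list ('TLSv1.2'); SSLv3 should be off in either form.
    tokens = get("ssl_protocols").split()
    exclusions = any(t.startswith("!") for t in tokens)
    if (exclusions and "!SSLv3" not in tokens) or (not exclusions and "SSLv3" in tokens):
        findings.append(f"ssl_protocols = {' '.join(tokens)!r} leaves SSLv3 enabled")
    return findings


def sample_audit(hardened):
    """Build a constructed /etc/dovecot-style tree in a temp dir and audit it.

    Returns (flattened settings, findings). hardened=True mirrors the page's
    final state; hardened=False is the 'for now' state with plaintext auth on.
    """
    ssl_conf = (
        "ssl = required\n"
        "ssl_cert = </etc/pki/tls/certs/example.com.crt\n"
        "ssl_key = </etc/pki/tls/private/example.com.key\n"
        "ssl_protocols = !SSLv2 !SSLv3\n"
    ) if hardened else "ssl = no  # still the page's 'for now' value\n"
    files = {  # constructed sample files, not copied from any real server
        "dovecot.conf": "protocols = imap pop3\nlisten = *, ::\n!include conf.d/*.conf\n",
        "conf.d/10-ssl.conf": ssl_conf,
        "conf.d/10-auth.conf": f"disable_plaintext_auth = {'yes' if hardened else 'no'}\n",
        "conf.d/10-master.conf": "service imap-login {\n  inet_listener imaps {\n    port = 993\n  }\n}\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        settings = parse_dovecot_conf(os.path.join(root, "dovecot.conf"))
    return settings, audit(settings)
```

On the server, point parse_dovecot_conf() at /etc/dovecot/dovecot.conf and print what audit() returns; `doveconf -n` shows Dovecot's own merged view of the same files and is the reference to compare the flattened dict against.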

Restart the dovecot service. You’ll see ports 993 and 995 in the
netstat output. Use OpenSSL to test the POP3S service first:

openssl s_client -connect example.com:995

You should be able to log in and check some test messages. The IMAP
service should work fine as well.

Importantly, you should not be able to authenticate insecurely.

[root@example ~]# telnet example.com 110
Trying 96.126.123.32...  
Connected to example.com.  
Escape character is '^]'.  
+OK Dovecot ready.  
user testuser
-ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

This is good. Test like crazy!
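
The telnet session above checks one thing by hand. The following is an added example, not from the page or from Dovecot, that scripts the checks this section expects against the page's host name (replace example.com with your own): cleartext POP3 must refuse USER, the cleartext IMAP greeting must not offer a login path, and POP3S must present a certificate that validates for the host name (what openssl s_client's verify result tells you, plus a host-name match). The response-parsing helpers work on captured text so they can be exercised without a server; the capability names and the LOGINDISABLED behaviour are Dovecot's, everything else here is an assumption.

```python
"""Probe a Dovecot host for the behaviour the 'Securing' section expects.

Added example, not from the page or from Dovecot. HOST is the page's host
name; substitute your own. The classifiers take raw server text so they can
be checked on captured lines; probe() performs the live connections.
"""
import socket
import ssl

HOST = "example.com"  # the page's host name, not a real target of this script


def pop3_plaintext_auth_refused(response):
    """True when cleartext POP3 rejects USER the way the page's telnet session shows."""
    return response.startswith("-ERR") and "Plaintext authentication disallowed" in response


def imap_cleartext_login_possible(greeting):
    """Inspect the CAPABILITY list in an IMAP greeting.

    On a non-TLS connection a hardened Dovecot advertises LOGINDISABLED and no
    plaintext AUTH= mechanism; a greeting like the page's (with AUTH=PLAIN) is
    what you see once TLS is already up.
    """
    start, end = greeting.find("["), greeting.find("]")
    caps = greeting[start + 1:end].split() if 0 <= start < end else []
    return ("LOGINDISABLED" not in caps) or bool({"AUTH=PLAIN", "AUTH=LOGIN"} & set(caps))


def _readline(sock):
    """Read one CRLF-terminated line from a plain or TLS socket."""
    data = b""
    while not data.endswith(b"\r\n"):
        chunk = sock.recv(1024)
        if not chunk:
            break
        data += chunk
    return data.decode("utf-8", "replace").rstrip("\r\n")


def probe(host=HOST, timeout=5):
    """Run the three live checks; each value is True when the server behaves."""
    results = {}
    # 1. Cleartext POP3 must refuse USER (what the page's telnet session shows).
    with socket.create_connection((host, 110), timeout) as s:
        _readline(s)  # +OK Dovecot ready.
        s.sendall(b"USER testuser\r\n")
        results["pop3_cleartext_auth_refused"] = pop3_plaintext_auth_refused(_readline(s))
    # 2. Cleartext IMAP must advertise no way to log in before TLS is negotiated.
    with socket.create_connection((host, 143), timeout) as s:
        results["imap_cleartext_login_blocked"] = not imap_cleartext_login_possible(_readline(s))
    # 3. POP3S must offer a certificate that chains to a trusted CA *and* matches
    #    the host name; create_default_context() enforces both (openssl s_client's
    #    'Verify return code: 0 (ok)' only covers the chain unless told otherwise).
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 995), timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                results["pop3s_cert_valid"] = _readline(tls).startswith("+OK")
    except ssl.SSLCertVerificationError:
        results["pop3s_cert_valid"] = False
    return results


if __name__ == "__main__":
    for check, ok in probe().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Run it from a machine outside the server's own firewall so the same path a MUA would take is exercised; a FAIL on the first two checks means a cleartext login path still exists somewhere in the configuration.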

Other Notes

  • When creating a CA bundle, go Root → Intermediate →
    Intermediate → … → Your Certificate.

  • When connecting via OpenSSL, note how the POP3 and IMAP servers respond
    (with the greeting “I am ready”):

      # IMAP  
      * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] I am ready.
      
      # POP3  
      +OK I am ready.
    

    If using Gmail as an MUA, it expects a POP3 server/response.

Footnotes

[^1]: I suppose you could use OpenSSL… but who does that?