- Written for CentOS 7.1, Dovecot 2.2.10.
- Users are system users (in
- Mailbox style is Maildir (in their home folders).
- Certificates are Comodo PositiveSSLs from
Getting your mail is not something which can always be done via telnet
(insecure) or SSH (e.g. in the case of virtual accounts).[^1]
Dovecot allows you to get your mail using the
POP3 and/or IMAP protocols.
- The Dovecot instance will use POP3S and IMAPS in addition to POP3
and IMAP. When TLS is properly implemented/initiated with the latter
pair, there's really no reason why the former would be required.
Seems to be some
- The Comodo certificates were chosen since they would work with
and most other MUAs.
```
yum install dovecot
systemctl enable dovecot
```
Turn off SSL (for now) in /etc/dovecot/dovecot.conf and set the protocols you want to serve:

```
ssl = no
protocols = imap pop3
```

Listen on IPv4 and IPv6 interfaces:

```
listen = *, ::
```

Location for run-time data:

```
base_dir = /var/run/dovecot/
```
In /etc/dovecot/conf.d/10-mail.conf, tell Dovecot where to find each user's Maildir:

```
mail_location = maildir:~/Maildir
```
Start the service and make sure it's running:

```
[root@example ~]# systemctl start dovecot
[root@example ~]# netstat -tulpn | grep dovecot
tcp        0      0 0.0.0.0:110    0.0.0.0:*    LISTEN      7183/dovecot
tcp        0      0 0.0.0.0:143    0.0.0.0:*    LISTEN      7183/dovecot
tcp6       0      0 :::110         :::*         LISTEN      7183/dovecot
tcp6       0      0 :::143         :::*         LISTEN      7183/dovecot
```

Make sure the firewall is poked :)
Now we use TLS with the POP3 and IMAP ports. All authentication and
message transfer will be done only over a secure connection.
In /etc/dovecot/conf.d/10-ssl.conf, mandate SSL:

```
ssl = required
```

And configure the certificates and keys you will use:

```
ssl_cert = </etc/pki/tls/certs/example.com.crt
ssl_key = </etc/pki/tls/private/example.com.key
ssl_ca = </etc/pki/CA/certs/ca-bundle.pem
```

Now disable plaintext authentication in

```
disable_plaintext_auth = yes
```
Restart the dovecot service. You'll see ports 993 and 995 in the
netstat output. Use OpenSSL to test the POP3S service first:

```
openssl s_client -connect example.com:995
```
You should be able to log in and check some test messages. The IMAP
service should work fine as well.
Importantly, you should not be able to authenticate insecurely.
```
[root@example ~]# telnet example.com 110
Trying 18.104.22.168...
Connected to example.com.
Escape character is '^]'.
+OK Dovecot ready.
user testuser
-ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
```
This is good. Test like crazy!
When creating a CA bundle, go Root → Intermediate →
Intermediate → … → Your Certificate.
When connecting via OpenSSL, note how the POP3 and IMAP servers respond
(with the greeting "I am ready"):

```
# IMAP
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] I am ready.
# POP3
+OK I am ready.
```
If using Gmail as an MUA, it expects a POP3 server/response.
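The "test like crazy" step above (plaintext USER must be refused on 110/143, TLS must work on 993/995 with a verifiable chain) and the greeting parsing just shown can be scripted so the check is repeatable after every config change. The following is an added example, not part of the original notes and not Dovecot's own tooling; it uses only the Python standard library. The hostname `mail.example.com`, the `testuser` login name and the sample IMAP greeting on a non-TLS connection (Dovecot advertises `STARTTLS` and `LOGINDISABLED` there when `disable_plaintext_auth = yes`) are constructed for illustration; the other sample responses are the ones quoted in the notes.

```python
"""Added example (not from the original notes): external checks of a Dovecot
POP3/IMAP deployment configured as above. Hostname and user are placeholders."""
import imaplib
import poplib
import ssl

# Sample responses. The first and third are quoted in the notes; the second is
# constructed to show what Dovecot advertises on a non-TLS IMAP connection when
# plaintext auth is disabled.
IMAP_TLS_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS "
                     "ID ENABLE IDLE AUTH=PLAIN] I am ready.")
IMAP_PLAIN_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS "
                       "ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.")
POP3_REFUSAL = "-ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections."


def parse_imap_capabilities(greeting: str) -> frozenset:
    """Extract the tokens inside '[CAPABILITY ...]' from an IMAP greeting.
    Returns an empty set when the greeting carries no capability list."""
    start = greeting.find("[CAPABILITY ")
    if start == -1:
        return frozenset()
    end = greeting.find("]", start)
    if end == -1:
        return frozenset()
    tokens = greeting[start + len("[CAPABILITY "):end].split()
    return frozenset(t.upper() for t in tokens)


def imap_plaintext_login_possible(caps) -> bool:
    """True if a client could authenticate on this connection as-is: LOGIN is not
    disabled, or a SASL mechanism (AUTH=...) is still advertised. On a non-TLS
    port the desired answer is False."""
    caps = {c.upper() for c in caps}
    has_mechanism = any(c.startswith("AUTH=") for c in caps)
    return "LOGINDISABLED" not in caps or has_mechanism


def pop3_plaintext_auth_refused(response: str) -> bool:
    """True when a POP3 server answered USER with the refusal seen in the telnet
    test above (an -ERR line mentioning that plaintext auth is disallowed)."""
    return (response.startswith("-ERR")
            and "plaintext authentication disallowed" in response.lower())


def check_imap_plaintext_port(host: str, port: int = 143) -> bool:
    """Connect without TLS; True if the server refuses plaintext login (desired)."""
    conn = imaplib.IMAP4(host, port)          # conn.capabilities is filled on connect
    try:
        return not imap_plaintext_login_possible(conn.capabilities)
    finally:
        conn.logout()


def check_pop3_plaintext_port(host: str, port: int = 110, user: str = "testuser") -> bool:
    """Connect without TLS and send USER; True if the server refuses (desired)."""
    conn = poplib.POP3(host, port, timeout=10)
    try:
        try:
            conn.user(user)
        except poplib.error_proto as exc:      # poplib raises on any -ERR reply
            text = exc.args[0]
            text = text.decode(errors="replace") if isinstance(text, bytes) else str(text)
            return pop3_plaintext_auth_refused(text)
        return False                           # USER accepted: plaintext auth is open
    finally:
        conn.quit()


def check_pop3s(host: str, port: int = 995, cafile: str = None) -> bool:
    """Open POP3S with chain and hostname verification, as a strict MUA would.
    cafile=None uses the system trust store; a bad chain raises ssl.SSLError."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = poplib.POP3_SSL(host, port, timeout=10, context=ctx)
    try:
        return conn.getwelcome().startswith(b"+OK")
    finally:
        conn.quit()


def check_imaps(host: str, port: int = 993, cafile: str = None) -> bool:
    """Same verification for IMAPS; True when the TLS greeting arrives."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    try:
        return conn.welcome.startswith(b"* OK")
    finally:
        conn.logout()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"   # placeholder
    print("POP3 plaintext auth refused :", check_pop3_plaintext_port(host))
    print("IMAP plaintext login refused:", check_imap_plaintext_port(host))
    print("POP3S handshake verified    :", check_pop3s(host))
    print("IMAPS handshake verified    :", check_imaps(host))
```

Run it against the server from a host outside the box (`python3 dovecot_check.py example.com`); all four lines should print `True`. The parsing helpers work offline on captured greetings, so they can also be pointed at the output of `openssl s_client` sessions saved from earlier tests. Passing a CA bundle via `cafile` checks the same chain order the bundle note above describes, since `create_default_context` refuses a chain it cannot build.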
[^1]: I suppose you could use OpenSSL… but who does that?