Configure Dovecot

First we need to create a new system user that will own all virtual mailboxes for security reasons. The following shell commands will create a system group vmail with group ID (GID) 5000 and a system user vmail with user ID (UID) 5000. Make sure that UID and GID are not yet used or choose another – the number can be anything between 1000 and 65000 that is not yet used:

  sudo groupadd -g 5000 vmail
  sudo useradd -g vmail -u 5000 vmail -d /var/vmail -m
  sudo chown -R vmail:vmail /var/vmail

Make sure this line exist in the /etc/dovecot/dovecot.conf:

!include conf.d/*.conf

Edit /etc/dovecot/conf.d/10-auth.conf and add :

auth_mechanisms = plain login

• You need to add the login mechanism if you have Outlook users.

These two mechanisms would ask for a password without enforcing encryption. But by default, Dovecot sets disable_plaintext_auth = yes which ensures that authentication is only accepted over TLS-encrypted connections.

At the end of this file you will find various authentication backends that Dovecot ships with. By default it will use system users (those from the /etc/passwd). But we want to use the MariaDB database backend so go ahead and change this block to:

#!include auth-system.conf.ext
!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-static.conf.ext

Change the mail_location in /etc/dovecot/conf.d/10-mail.conf to:

mail_location = maildir:~/Maildir

This is the directory where Dovecot will look for the emails of a specific user. The tilde character (~) means the user’s home directory. That does not make sense yet. But further down on this page we will tell Dovecot what the home directory is supposed to mean. For example user1@example.org will have his home directory in /var/vmail/example1.org/user1.

NOTE: Further down in the 10-mail.conf file you will find sections defining the namespaces ¹. Those are folder structures that your email client sees when connecting to the mail server. If you use POP3 you can only access the inbox – which is where all incoming email is stored. Using the IMAP protocol you get access to a hierarchy of folders and subfolders. And you can even share folders between users. Or use a public folder that can be accessed by anyone – even anonymously. So IMAP is generally to be preferred.

Edit the /etc/dovecot/conf.d/10-master.conf file which deals with typical service ports like IMAP or POP3.

NOTE: Don’t worry about the standard unencrypted TCP ports 110 (for POP3) and 143 (for IMAP). They can be kept activated. If a user connects to these ports they will have to issue a STARTTLS command to switch into encrypted mode before they are allowed to send their password. There is basically no difference between using an plaintext port like 110 for POP3 and then using STARTTLS – or connecting to the encrypted 995 port for POP3s (secure).

A change is needed in the service auth {...} section because we want Postfix to allow Dovecot as an authentication service. Add the following lines in the previously mentioned section:

# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
  mode = 0660
  user = postfix
  group = postfix
}

Earlier in this guide we created both a key and a certificate file to encrypt the communication with POP3 and IMAPs between the users and your mail server.

Edit the file /etc/dovecot/conf.d/10-ssl.conf to configure the certificate and key file path:

ssl_cert = </etc/letsencrypt/live/example1.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example1.com/privkey.pem

And enforce TLS encryption by setting:

  ssl = required

Dovecot reads the /etc/dovecot/conf.d/auth-sql.conf.ext which defines how to find user information in your database. There are two sections in this file:

1. userdb: where to find a user’s mailbox in the file system
2. passdb: where to find the user’s hashed password

By default Dovecot will run two queries at your database. One for the userdb that gets information like the user ID, group ID, home directory and quota. And another for the passdb that gets the hashed password.

The userdb section already reads:

userdb {
   driver = sql
   args = /etc/dovecot/dovecot-sql.conf.ext
}

As you can see Dovecot uses an SQL database lookup to get that information. Edit the file /etc/dovecot/dovecot-sql.conf.ext for more information. You will find this file well documented although all configuration directives are commented out. Add these lines at the bottom of the file:

driver = mysql

connect = \
  host=127.0.0.1 \
  dbname=mailserver \
  user=mailserver \
  password=x893dNj4stkHy1MKQq0USWBaX4ZZdq

user_query = SELECT email as user, \
  concat('*:bytes=', quota) AS quota_rule, \
  '/var/vmail/%d/%n' AS home, \
  5000 AS uid, 5000 AS gid \
  FROM virtual_users WHERE email='%u'

password_query = SELECT password FROM virtual_users WHERE email='%u'

iterate_query = SELECT email AS user FROM virtual_users

NOTE: Ending a line with a backslash (\) means that it is continued on the next line. It keeps the configuration more readable.

What these lines mean:

• driver: The kind of database. MariaDB is the same kind as MySQL.
• connect: Information to access MySQL database (username, password, etc…)
• user_query: An SQL query that returns the user name (the email address), the quota, the home directory, user ID and group ID.
• password_query: this SQL query just gets the password hash from the database
• iterate_query: "doveadm" uses this query to get a list of all users. That allows you to use the doveadm user '*' command later.

The user_query gets several pieces of information from the database:

• email AS user: It gets the the email field from the database which corresponds to the user name. Dovecot expects it in the user field so we set an alias to user.
• userdb_quota_rule: This is the user’s quota in bytes. It is the maximum space on disk that the user can occupy. As documented Dovecot expects the quota in a special format like *:bytes=10000 if the user should not be able to store more than 10,000 bytes. That’s why we begin the string with *:bytes=.
• userdb_home: This leads to the directory where all emails and various control files for this user are located. The placeholder %d replaces the domain and %n the user part. So for user1 that makes it /var/vmail/example.org/user1.
• userdb_uid and userdb_gid: Those are the user ID and group ID of vmail user – 5000 for both. Dovecot uses it to set the permissions of files it creates. As all users share the same system user vmail this is just a static number.

Make sure that only root can access the SQL configuration file so nobody else is reading your database access passwords:

sudo chown root:root /etc/dovecot/dovecot-sql.conf.ext
sudo chmod go= /etc/dovecot/dovecot-sql.conf.ext

Restart Dovecot:

  sudo systemctl restart dovecot

Look at your /var/log/mail.log logfile. You should see:

Dovecot v2.3.13 (f79e8e7e4) starting up for imap, lmtp, sieve, pop3 (core dumps disabled)