.. index::
   single: dovecot

.. _dovecot:

Dovecot Email Delivery
======================
Dovecot is an IMAP server. It takes responsibility for connecting your email 
client (Thunderbird, etc.) to your mail box.  Dovecot will also configured to 
provide authentication (username and password) support to Postfix that is used 
when an authorized user goes to send email via Postfix.

To be clear, your email client will connect to Dovecot using a protocol called 
IMAP (or POP).  In this way Dovecot provides access to your mailboxes and when 
you are reading your email you are using Dovecot.  When you to go send mail from 
your email client, it connects directly to Postfix using a protocol called SMTP: 
Dovecot is not needed. However, before you can be allowed to access your email 
you need to prove that you are authorized to access it. This is referred to as 
authentication. To support this, Dovecot provides support for authentication.  
In the earlier simpler days of the Internet before Spam, authentication was not 
required to send email. However these days you also need to authenticate 
yourself to prove that you are authorized to send mail. Sending mail is handled 
by Postfix, but rather than building authentication into Postfix as well, 
Postfix is instead configured to use Dovecot for authentication when sending 
email.

Installing Dovecot
------------------
On Redhat systems (Redhat, Fedora, Centos) you install Dovecot using::

   sudo yum install dovecot

Configuring Dovecot
-------------------

The configuration files for Dovecot are usually found in /etc/dovecot.  
I recommend leaving the default configuration alone and just adding your 
modifications into local.conf. This file is read last and so any settings it 
contains will override the same settings that are contained in the default 
configuration.

Basic Configuration
~~~~~~~~~~~~~~~~~~~

The first part of the configuration specifies which protocols to support (IMAP 
and/or POP3) and where the mailboxes can be found::

   #protocols = imap pop3
   protocols = imap

   mail_location = maildir:~/mail

Transport Layer Security (SSL)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This assumes that you have already created an certificate using OpenSSL.  The 
one I am using is named ssl-140409::

   # TLS/SSL protocols to use (avoid older SSL protocols)
   ssl_protocols = !SSLv2  !SSLv3

   # SSL ciphers to use
   ssl_cipher_list = ALL:!ADH:!EXPORT:!SSLv2:!aNULL:!eNULL:RC4+RSA:+HIGH:-MEDIUM:-LOW
   ssl_prefer_server_ciphers = yes

   # SSL certificate
   ssl=required
   ssl_cert = </etc/pki/tls/certs/ssl-140409.crt
   ssl_key = </etc/pki/tls/private/ssl-140409.key


Authentication
~~~~~~~~~~~~~~

The following is used to configure authentication::

   auth_mechanisms = plain
   passdb {
       driver = passwd-file
       args = /etc/dovecot/passwd
   }
   userdb {
       driver = static
       args = uid=vmail gid=vmail home=/home/vmail/%d/%n allow_all_users=yes
   }
   service auth {
       unix_listener auth-client {
           path = /var/spool/postfix/private/auth
           mode = 0660
           user = postfix
           group = postfix
       }
       user = root
   }

*auth_mechanisms* specifies the various forms in which the password can be 
passed to Dovecot (there may be more than one specified). Using *plain* is fine 
because it will only be passed through an SSL tunnel, and so will not be 
exposed.

*passdb* specifies password database, in this case '/etc/dovecot/passwd'. It 
takes the form::

   dickie@nurdletech.com:{PLAIN}zDu8g8AJf9vv
   dickie@turtleneck.com:{PLAIN}2WyoQEsJcSFo
   admin@nurdletech.com:{PLAIN}LnycHhpZwQsN

Each consists of the email for each of the virtual mail boxes (much match values 
given to Postfix in the virtual_mailbox_maps file). After the email address 
there is a colon and then a specification of how the password is encoded 
enclosed in braces. Finally there is the encoded password. Of course, if the 
encoding is specified as PLAIN, there is no encoding and the password is given 
directly. However it is more secure it you do encode the passwords. To do so, 
run::

   doveadm pw -s SSHA

can copy its output into the file (SSHA employs a salted SSH1 hash, but there 
are many others available).

*userdb* specifies parameters used when creating the virtual mailboxes.

Finally, *service auth* specifies the parameters for a socket that is created to 
allow Postfix to communicate with Dovecot to support authentication. The path is 
the location of the socket (the last part of this path should be specified to 
Postfix in *smtpd_sasl_path*).


Configuring Dovecot as the Local Delivery Agent
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following is sufficient to configure the Dovecot LDA::

   protocol lda {
       postmaster_address = admin@nurdletech.com
   }


Configuring the Firewall
------------------------
The most common filewall on Linux is *iptables*, however the more recent 
versions of Fedora have shifted to using *firewalld*. These instructions are for 
*firewalld* on Fedora.

If you do not have *firewalld* you can get it on a Redhat system (Redhat, 
Fedora, CentOs) by running as root::

   yum install firewalld

You would then activate it using::

   systemctl enable firewalld
   systemctl start firewalld

In order for Dovecot to operate, we must punch hole in the firewall to allow the 
mail out.  In particular we need to open port 993 (imaps). To do so, as root 
run::

   firewall-cmd --permanent --add-service=imaps

Doing so loads this rule into the *firewalld* persistent configuration, but does 
not modify the currently active rules. To activate our new rule, run::

   firewall-cmd --reload

Now, list the rules to make sure they are both correct and active::

   firewall-cmd --list-all


Running Dovecot
---------------

Start Dovecot using::

   systemctl start dovecot

If Dovecot is already running, and you have changed a configuration file, you 
can get Dovecot to reread these files using::

   systemctl reload dovecot

You can stop Dovecot with::

   systemctl stop dovecot

You can get Dovecot status with::

   systemctl status dovecot

Once Dovecot is running, you should configure your email client and confirm that 
you can both view the mailboxes and you can send messages.  Look in 
/var/log/maillog for messages from Dovecot.

Once Dovecot is running properly, you can enable it so that it starts 
automatically when the server starts using::

   systemctl enable dovecot


Configuring Email Client
------------------------

Use the following to configure Thunderbird to use your new Postfix/Dovecot email 
system::

   IMAP server: nurdletech.com
       Port: 993
       Security: SSL/TLS
       Authentication Method: normal password
       Username: dickie@nurdletech.com
   SMTP server: nurdletech.com
       Port: 587
       Security: STARTTLS
       Authentication Method: normal password
       Username: dickie@nurdletech.com


Use the following to configure Mutt to use your new Postfix/Dovecot email 
system::

   set spoolfile=imaps://nurdletech.com:993/INBOX
   set folder=imaps://nurdletech.com:993/
   set smtp_url=smtp://dickie@nurdletech.com@nurdletech.com:587
   #               ^ do not use smtps here

   # Alternative ways of giving username and password
   set imap_user="dickie@nurdletech.com"
   set imap_pass="`abraxas -q work-email-fallback`"
   set smtp_pass=$imap_pass
   set smtp_authenticators="plain"