commit - 1cf421e0f2109ed4f56b910e86aa9e141d64f971
commit + 82985e18ec43adc209fa65b872326d082779750f
blob - /dev/null
blob + 4b6206c429d40849b3f13919c4ec89c2f22ca71f (mode 644)
--- /dev/null
+++ wiki.d/Dovecot.Install-Draft,del-1714175707
+version=pmwiki-2.3.20 ordered=1 urlencoded=1
+agent=Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
+author=sylv1a
+charset=UTF-8
+csum=find command changed to also lock down directories
+ctime=1621334182
+host=2a0b:f4c0:16c:14::1
+name=Dovecot.Install-Draft
+rev=21
+targets=Openbsd.Loginconf,Openbsd.Rcctl
+text=Let's set up dovecot to allow users to read mail with IMAP and POP.%0a%0a!! Installation%0a%0a[@%0a$ doas pkg_add dovecot%0a@]%0a%0a!! Configuration%0a%0aA single user vmail will receive mail for all virtual users:%0a[@%0a$ doas useradd -m -g =uid -c "Virtual Mail" -d /var/vmail -s /sbin/nologin vmail%0a@]%0a%0a/var/vmail will be used to store virtual users' maildir folders. It will be managed by%0adovecot, which receives mail via LMTP.%0a%0aIn order to secure our passwords, we need to rearrange file permissions and owners:%0a%0a[@%0a$ doas chown -R _dkimsign:_dkimsign /etc/mail/dkim/%0a$ doas chown _smtpd:_dovecot /etc/mail/passwd%0a$ doas chmod 770 /etc/mail/dkim/%0a$ doas chmod 440 /etc/mail/passwd%0a$ doas find /etc/mail ! -path /etc/mail -exec chmod o-rwx '{}' +%0a@]%0a%0aIn /etc/dovecot/dovecot.conf, add the following lines at the bottom of the file:%0a%0a[@%0aprotocols = imap pop3 lmtp%0alisten = 192.168.0.1, 2001:db8::%0aservice lmtp {%0a user = vmail%0a}%0a@]%0a%0aThis tells dovecot to listen to the protocols IMAP, POP3, and LMTP.%0a'''Note''': We don't want to support submission with dovecot.%0a%0aIt also tells dovecot the public IPs you want it to listen on. Finally, the last%0ablock tells dovecot to change to the username vmail to listen for LMTP.%0a%0aTo aid with troubleshooting, you can consider adding these lines:%0a%0a[@%0aauth_verbose=yes%0aauth_debug=yes%0aauth_debug_passwords=yes%0amail_debug=yes%0aauth_verbose_passwords=sha1%0averbose_ssl=yes%0a@]%0a%0aIn /etc/dovecot/conf.d/10-auth.conf, first comment out auth-system.conf.ext %0a%0a[@%0a#!include auth-system.conf.ext%0a@]%0a%0aThis prevents dovecot from using BSD auth.%0a%0aThen at the bottom of the file, add these lines:%0a%0a[@%0apassdb {%0a args = scheme=blf-crypt /etc/mail/passwd%0a driver = passwd-file%0a}%0a%0auserdb {%0a args = uid=vmail gid=vmail home=/var/vmail/%25d/%25n%0a driver = static%0a}%0a@]%0a%0aThe first block defines our password database to use blowfish (see [[https://man.openbsd.org/blowfish|blowfish(3)]] and [[https://man.openbsd.org/encrypt|encrypt(1)]]).%0a%0aThe second block says that the mail must be read by user ID and group ID vmail, and%0athat all mail will be in the folders /var/vmail/%3cdomain>/%3cusername>.%0a%0aIn /etc/dovecot/conf.d/10-mail.conf:%0a%0a[@%0amail_location = maildir:/var/vmail/%25d/%25n/Maildir%0a@]%0a%0aThis again indicates all mail will be in the folders /var/vmail/%3cdomain>/%3cusername>.%0a%0aIn /etc/dovecot/conf.d/10-ssl.conf, make the changes to these lines:%0a%0a[@%0assl = yes%0a...%0assl_cert = %3c/etc/ssl/example.com.crt%0assl_key = %3c/etc/ssl/private/example.com.key%0a@]%0a%0aYou will need to replace example.com with your real domain.%0a%0aPlease read the instructions in the dovecot README in @@/usr/local/share/doc/pkg-readmes/dovecot@@. That file explains that you must add this [[openbsd/loginconf|login class]] to /etc/login.conf:%0a%0a[@%0adovecot:\%0a :openfiles-cur=4096:\%0a :openfiles-max=8192:\%0a :tc=daemon:%0a@]%0a%0a'''WARNING''': You must use tabs and not spaces. If you use spaces in /etc/login.conf, the settings will '''not''' work.%0a%0a'''NOTE''': Allowing more open files than suggested in the README can help if you have many IP addresses.%0a%0a'''WARNING''': If login.conf.db exists, you will need to rebuild it:%0a%0a[@%0a# [ -f /etc/login.conf.db ] && cap_mkdb /etc/login.conf%0a@]%0a%0aBut it is best to just remove /etc/login.conf.db since it is not required:%0a%0a[@%0a$ doas rm /etc/login.conf.db%0a@]%0a%0a!! Starting dovecot%0a%0aTo start dovecot via [[openbsd/rcctl|rcctl]]:%0a%0a[@%0a$ doas rcctl enable dovecot%0a$ doas rcctl start dovecot%0a@]%0a%0a!! Troubleshooting%0a%0aMake sure to check /var/log/maillog:%0a%0a[@%0a$ openssl s_client -starttls imap -connect username.coconut.ircnow.org:143%0a@]%0a%0aWhen starting dovecot, you may find it fails:%0a%0a[@%0a$ doas rcctl start dovecot%0adovecot(failed)%0a@]%0a%0aWhen this happens, run the rc.d script with debugging turned on:%0a%0a[@%0a$ doas /etc/rc.d/dovecot -d start%0adoing _rc_parse_conf%0adoing _rc_quirks%0adovecot_flags empty, using default >%3c%0adoing rc_check%0adovecot%0adoing rc_start%0adoing _rc_wait start%0adoing rc_check%0adoveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 12: ssl_cert: Can't open file /etc/ssl/dovecotcert.pem: No such file or directory%0adoing _rc_rm_runfile%0a(failed)%0a@]%0a%0aIn this case, you can see the error is in line 12 of /etc/dovecot/conf.d/10-ssl.conf . I forgot to write the real path of the cert: @@/etc/ssl/example.com.fullchain.pem@@ (where example.com is replaced with my real domain).%0a%0a[@%0aJun 9 01:37:35 jrmu dovecot: auth: Error: passwd-file(jrmu@jrmu.host.oddprotocol.org,125.231.25.80,%3caiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)%0aJun 9 01:37:41 jrmu dovecot: auth: Error: passwd-file(jrmu@jrmu.host.oddprotocol.org,125.231.25.80,%3caiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)%0a@]%0a
+time=1714175622
+author:1714175622=sylv1a
+csum:1714175622=find command changed to also lock down directories
+diff:1714175622:1697743078:=26c26%0a%3c $ doas find /etc/mail ! -path /etc/mail -exec chmod o-rwx '{}' +%0a---%0a> $ doas find /etc/mail -type f -exec chmod o-rwx '{}' +%0a
+host:1714175622=2a0b:f4c0:16c:14::1
+author:1697743078=sylv1a
+csum:1697743078=Fix file permission and owners section
+diff:1697743078:1678134050:=19,20c19,21%0a%3c In order to secure our passwords, we need to rearrange file permissions and owners:%0a%3c %0a---%0a> In order to secure our passwords, we need to remove world readable permissions%0a> from /etc/mail and change file ownership:%0a> %0a22,26c23,24%0a%3c $ doas chown -R _dkimsign:_dkimsign /etc/mail/dkim/%0a%3c $ doas chown _smtpd:_dovecot /etc/mail/passwd%0a%3c $ doas chmod 770 /etc/mail/dkim/%0a%3c $ doas chmod 440 /etc/mail/passwd%0a%3c $ doas find /etc/mail -type f -exec chmod o-rwx '{}' +%0a---%0a> $ doas chmod -R o-rx /etc/mail/%0a> $ doas chown -R _smtpd:_dovecot /etc/mail/%0a
+host:1697743078=2a0b:f4c2:2::56
+author:1678134050=jrmu
+diff:1678134050:1678133636:=94c94%0a%3c ssl_cert = %3c/etc/ssl/example.com.crt%0a---%0a> ssl_cert = %3c/etc/ssl/example.com.fullchain.pem%0a
+host:1678134050=38.87.162.154
+author:1678133636=jrmu
+diff:1678133636:1678079855:=20,21c20,21%0a%3c from /etc/mail and change file ownership:%0a%3c %0a---%0a> from /etc/mail:%0a> %0a24d23%0a%3c $ doas chown -R _smtpd:_dovecot /etc/mail/%0a
+host:1678133636=38.87.162.154
+author:1678079855=jrmu
+csum:1678079855=dkim is moved to /etc/dkim/ so there is no longer a need to change file ownership
+diff:1678079855:1643492127:=20,21c20,21%0a%3c from /etc/mail:%0a%3c %0a---%0a> from /etc/mail and change file ownership:%0a> %0a23a24%0a> $ doas chown -R _smtpd:_dovecot /etc/mail/%0a
+host:1678079855=38.87.162.154
+author:1643492127=forero
+csum:1643492127=comment out
+diff:1643492127:1638102641:=46,50c46,50%0a%3c auth_verbose=yes%0a%3c auth_debug=yes%0a%3c auth_debug_passwords=yes%0a%3c mail_debug=yes%0a%3c auth_verbose_passwords=sha1%0a---%0a> #auth_verbose=yes%0a> #auth_debug=yes%0a> #auth_debug_passwords=yes%0a> #mail_debug=yes%0a> #auth_verbose_passwords=sha1%0a
+host:1643492127=181.53.13.19
+author:1638102641=Hawk
+diff:1638102641:1629674123:=123,131d122%0a%3c @]%0a%3c %0a%3c !! Starting dovecot%0a%3c %0a%3c To start dovecot via [[openbsd/rcctl|rcctl]]:%0a%3c %0a%3c [@%0a%3c $ doas rcctl enable dovecot%0a%3c $ doas rcctl start dovecot%0a
+host:1638102641=2001:8a0:6813:4501:18d4:42f5:d6fb:184f
+author:1629674123=mkf
+diff:1629674123:1629671676:=12c12%0a%3c [@%0a---%0a> %0a14d13%0a%3c @]%0a
+host:1629674123=198.251.81.133
+author:1629671676=mkf
+diff:1629671676:1625144041:=158d157%0a%3c [@%0a161c160%0a%3c @]%0a---%0a> %0a
+host:1629671676=198.251.81.133
+author:1625144041=jrmu
+diff:1625144041:1624173605:=10,16d9%0a%3c %0a%3c A single user vmail will receive mail for all virtual users:%0a%3c %0a%3c $ doas useradd -m -g =uid -c "Virtual Mail" -d /var/vmail -s /sbin/nologin vmail%0a%3c %0a%3c /var/vmail will be used to store virtual users' maildir folders. It will be managed by%0a%3c dovecot, which receives mail via LMTP.%0a
+host:1625144041=125.224.28.174
+author:1624173605=jrmu
+diff:1624173605:1623221713:=11,13c11,13%0a%3c In order to secure our passwords, we need to remove world readable permissions%0a%3c from /etc/mail and change file ownership:%0a%3c %0a---%0a> In order to allow dovecot to read /etc/mail/passwd (which is owned by _mail), we need%0a> to add _dovecot to the _mail group:%0a> %0a15,16c15%0a%3c $ doas chmod -R o-rx /etc/mail/%0a%3c $ doas chown -R _smtpd:_dovecot /etc/mail/%0a---%0a> $ doas usermod -G _mail _dovecot%0a
+host:1624173605=38.81.163.143
+author:1623221713=jrmu
+diff:1623221713:1623220959:=149,152d148%0a%3c %0a%3c Jun 9 01:37:35 jrmu dovecot: auth: Error: passwd-file(jrmu@jrmu.host.oddprotocol.org,125.231.25.80,%3caiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)%0a%3c Jun 9 01:37:41 jrmu dovecot: auth: Error: passwd-file(jrmu@jrmu.host.oddprotocol.org,125.231.25.80,%3caiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)%0a%3c %0a
+host:1623221713=38.81.163.143
+author:1623220959=jrmu
+diff:1623220959:1623220200:=124,148d123%0a%3c When starting dovecot, you may find it fails:%0a%3c %0a%3c [@%0a%3c $ doas rcctl start dovecot%0a%3c dovecot(failed)%0a%3c @]%0a%3c %0a%3c When this happens, run the rc.d script with debugging turned on:%0a%3c %0a%3c [@%0a%3c $ doas /etc/rc.d/dovecot -d start%0a%3c doing _rc_parse_conf%0a%3c doing _rc_quirks%0a%3c dovecot_flags empty, using default >%3c%0a%3c doing rc_check%0a%3c dovecot%0a%3c doing rc_start%0a%3c doing _rc_wait start%0a%3c doing rc_check%0a%3c doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 12: ssl_cert: Can't open file /etc/ssl/dovecotcert.pem: No such file or directory%0a%3c doing _rc_rm_runfile%0a%3c (failed)%0a%3c @]%0a%3c %0a%3c In this case, you can see the error is in line 12 of /etc/dovecot/conf.d/10-ssl.conf . I forgot to write the real path of the cert: @@/etc/ssl/example.com.fullchain.pem@@ (where example.com is replaced with my real domain).%0a
+host:1623220959=38.81.163.143
+author:1623220200=jrmu
+diff:1623220200:1623219060:=113c113%0a%3c $ doas rm /etc/login.conf.db%0a---%0a> # rm /etc/login.conf.db%0a118,119d117%0a%3c Make sure to check /var/log/maillog:%0a%3c %0a123d120%0a%3c %0a
+host:1623220200=38.81.163.143
+author:1623219060=jrmu
+diff:1623219060:1623217016:=67,71c67,68%0a%3c The first block defines our password database to use blowfish (see [[https://man.openbsd.org/blowfish|blowfish(3)]] and [[https://man.openbsd.org/encrypt|encrypt(1)]]).%0a%3c %0a%3c The second block says that the mail must be read by user ID and group ID vmail, and%0a%3c that all mail will be in the folders /var/vmail/%3cdomain>/%3cusername>.%0a%3c %0a---%0a> and add the new passdb/userdb conf settings.%0a> %0a78,81c75,76%0a%3c This again indicates all mail will be in the folders /var/vmail/%3cdomain>/%3cusername>.%0a%3c %0a%3c In /etc/dovecot/conf.d/10-ssl.conf, make the changes to these lines:%0a%3c %0a---%0a> In /etc/dovecot/conf.d/10-ssl.conf, I make these changes:%0a> %0a83c78%0a%3c ssl = yes%0a---%0a> ssl = required %0a85,86c80,82%0a%3c ssl_cert = %3c/etc/ssl/example.com.fullchain.pem%0a%3c ssl_key = %3c/etc/ssl/private/example.com.key%0a---%0a> ssl_cert = %3c/etc/ssl/ircnow.org.fullchain.pem%0a> ssl_key = %3c/etc/ssl/private/ircnow.org.key%0a> %0a89,92c85%0a%3c You will need to replace example.com with your real domain.%0a%3c %0a%3c Please read the instructions in the dovecot README in @@/usr/local/share/doc/pkg-readmes/dovecot@@. That file explains that you must add this [[openbsd/loginconf|login class]] to /etc/login.conf:%0a%3c %0a---%0a> As hinted in the instructions in the dovecot README in /usr/local/share/doc/pkg-readmes/dovecot, you want to add to /etc/login.conf:%0a104,105c97,98%0a%3c '''WARNING''': If login.conf.db exists, you will need to rebuild it:%0a%3c %0a---%0a> Then rebuild login.conf.db:%0a> %0a108,113d100%0a%3c @]%0a%3c %0a%3c But it is best to just remove /etc/login.conf.db since it is not required:%0a%3c %0a%3c [@%0a%3c # rm /etc/login.conf.db%0a
+host:1623219060=38.81.163.143
+author:1623217016=jrmu
+diff:1623217016:1622990602:=28,33c28,30%0a%3c This tells dovecot to listen to the protocols IMAP, POP3, and LMTP.%0a%3c '''Note''': We don't want to support submission with dovecot.%0a%3c %0a%3c It also tells dovecot the public IPs you want it to listen on. Finally, the last%0a%3c block tells dovecot to change to the username vmail to listen for LMTP.%0a%3c %0a---%0a> We don't want to support submission with dovecot. We only want to listen on our%0a> public IPv4 and IPv6 addresses. We want to provide lmtp with user vmail.%0a> %0a45,46c42,43%0a%3c In /etc/dovecot/conf.d/10-auth.conf, first comment out auth-system.conf.ext %0a%3c %0a---%0a> In /etc/dovecot/conf.d/10-auth.conf, I make these changes:%0a> %0a49,55d45%0a%3c @]%0a%3c %0a%3c This prevents dovecot from using BSD auth.%0a%3c %0a%3c Then at the bottom of the file, add these lines:%0a%3c %0a%3c [@%0a67c57%0a%3c and add the new passdb/userdb conf settings.%0a---%0a> Comment out auth-system.conf.ext and add the new passdb/userdb conf settings.%0a
+host:1623217016=38.81.163.143
+author:1622990602=mkf
+csum:1622990602=ssl_dh_parameters_length is not required anymore
+diff:1622990602:1622797748:=72c72%0a%3c %0a---%0a> ssl_dh_parameters_length = 2048%0a
+host:1622990602=188.226.131.252
+author:1622797748=jrmu
+diff:1622797748:1622797722:=12,13c12,13%0a%3c to add _dovecot to the _mail group:%0a%3c %0a---%0a> to add dovecot to the _mail group:%0a> %0a15c15%0a%3c $ doas usermod -G _mail _dovecot%0a---%0a> $ doas usermod -G _mail dovecot%0a
+host:1622797748=38.81.163.143
+author:1622797722=jrmu
+diff:1622797722:1622719537:=10,16d9%0a%3c %0a%3c In order to allow dovecot to read /etc/mail/passwd (which is owned by _mail), we need%0a%3c to add dovecot to the _mail group:%0a%3c %0a%3c [@%0a%3c $ doas usermod -G _mail dovecot%0a%3c @]%0a
+host:1622797722=38.81.163.143
+author:1622719537=jrmu
+diff:1622719537:1621334182:=1,4c1,2%0a%3c Let's set up dovecot to allow users to read mail with IMAP and POP.%0a%3c %0a%3c !! Installation%0a%3c %0a---%0a> Here is how I set up dovecot.%0a> %0a9,12c7,8%0a%3c !! Configuration%0a%3c %0a%3c In /etc/dovecot/dovecot.conf, add the following lines at the bottom of the file:%0a%3c %0a---%0a> In /etc/dovecot/dovecot.conf, add these lines at the very bottom:%0a> %0a14,15d9%0a%3c protocols = imap pop3 lmtp%0a%3c listen = 192.168.0.1, 2001:db8::%0a18a13,19%0a> %0a> #auth_verbose=yes%0a> #auth_debug=yes%0a> #auth_debug_passwords=yes%0a> #mail_debug=yes%0a> #auth_verbose_passwords=sha1%0a> verbose_ssl=yes%0a21,33c22,25%0a%3c We don't want to support submission with dovecot. We only want to listen on our%0a%3c public IPv4 and IPv6 addresses. We want to provide lmtp with user vmail.%0a%3c %0a%3c To aid with troubleshooting, you can consider adding these lines:%0a%3c %0a%3c [@%0a%3c #auth_verbose=yes%0a%3c #auth_debug=yes%0a%3c #auth_debug_passwords=yes%0a%3c #mail_debug=yes%0a%3c #auth_verbose_passwords=sha1%0a%3c verbose_ssl=yes%0a%3c @]%0a---%0a> You can turn on debugging, verbose ssl, and so forth as you need to help troubleshoot.%0a> %0a> In /etc/dovecot/conf.d/10-auth.conf, I make these changes:%0a> %0a
+host:1622719537=38.81.163.143
+author:1621334182=jrmu
+diff:1621334182:1621334182:=1,79d0%0a%3c Here is how I set up dovecot.%0a%3c %0a%3c [@%0a%3c $ doas pkg_add dovecot%0a%3c @]%0a%3c %0a%3c In /etc/dovecot/dovecot.conf, add these lines at the very bottom:%0a%3c %0a%3c [@%0a%3c service lmtp {%0a%3c user = vmail%0a%3c }%0a%3c %0a%3c #auth_verbose=yes%0a%3c #auth_debug=yes%0a%3c #auth_debug_passwords=yes%0a%3c #mail_debug=yes%0a%3c #auth_verbose_passwords=sha1%0a%3c verbose_ssl=yes%0a%3c @]%0a%3c %0a%3c You can turn on debugging, verbose ssl, and so forth as you need to help troubleshoot.%0a%3c %0a%3c In /etc/dovecot/conf.d/10-auth.conf, I make these changes:%0a%3c %0a%3c [@%0a%3c #!include auth-system.conf.ext%0a%3c passdb {%0a%3c args = scheme=blf-crypt /etc/mail/passwd%0a%3c driver = passwd-file%0a%3c }%0a%3c %0a%3c userdb {%0a%3c args = uid=vmail gid=vmail home=/var/vmail/%25d/%25n%0a%3c driver = static%0a%3c }%0a%3c @]%0a%3c %0a%3c Comment out auth-system.conf.ext and add the new passdb/userdb conf settings.%0a%3c %0a%3c In /etc/dovecot/conf.d/10-mail.conf:%0a%3c %0a%3c [@%0a%3c mail_location = maildir:/var/vmail/%25d/%25n/Maildir%0a%3c @]%0a%3c %0a%3c In /etc/dovecot/conf.d/10-ssl.conf, I make these changes:%0a%3c %0a%3c [@%0a%3c ssl = required %0a%3c ...%0a%3c ssl_cert = %3c/etc/ssl/ircnow.org.fullchain.pem%0a%3c ssl_key = %3c/etc/ssl/private/ircnow.org.key%0a%3c ssl_dh_parameters_length = 2048%0a%3c @]%0a%3c %0a%3c As hinted in the instructions in the dovecot README in /usr/local/share/doc/pkg-readmes/dovecot, you want to add to /etc/login.conf:%0a%3c [@%0a%3c dovecot:\%0a%3c :openfiles-cur=4096:\%0a%3c :openfiles-max=8192:\%0a%3c :tc=daemon:%0a%3c @]%0a%3c %0a%3c '''WARNING''': You must use tabs and not spaces. If you use spaces in /etc/login.conf, the settings will '''not''' work.%0a%3c %0a%3c '''NOTE''': Allowing more open files than suggested in the README can help if you have many IP addresses.%0a%3c %0a%3c Then rebuild login.conf.db:%0a%3c %0a%3c [@%0a%3c # [ -f /etc/login.conf.db ] && cap_mkdb /etc/login.conf%0a%3c @]%0a%3c %0a%3c !! Troubleshooting%0a%3c %0a%3c [@%0a%3c $ openssl s_client -starttls imap -connect username.coconut.ircnow.org:143%0a%3c @]%0a
+host:1621334182=38.81.163.143