Dovecot
October 18th, 2016
Installation of Dovecot 2.2.13 on Debian Jessie.
This installation follows the Postfix installation described here: http://perso.univ-lemans.fr/~brichard/systeme/?doc=Postfix
Dovecot will be used as the local delivery agent (dovecot-lda) in place of Postfix for delivering mail to mailboxes.
Table of contents
Installing the packages
Configuration
Postfix integration
Error messages
Tests
Certificates
Logging configuration
CASification
Quota
Installing the packages
apt-get install dovecot-core dovecot-ldap dovecot-imapd
Configuration
Changes to conf.d/10-auth.conf
Users and their passwords will be looked up in an Active Directory:
auth_mechanisms = plain login
#!include auth-system.conf.ext
!include auth-ldap.conf.ext
With:
cat auth-ldap.conf.ext
# Authentication for LDAP users. Included from 10-auth.conf.
#
# <doc/wiki/AuthDatabase.LDAP.txt>
passdb {
driver = ldap
# Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
args = /etc/dovecot/dovecot-ldap.conf.ext
}
# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
# <doc/wiki/UserDatabase.Prefetch.txt>
#userdb {
# driver = prefetch
#}
userdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
# Default fields can be used to specify defaults that LDAP may override
#default_fields = home=/home/virtual/%u
}
and:
cat /etc/dovecot/dovecot-ldap.conf.ext
## This file is commonly accessed via passdb {} or userdb {} section in
## conf.d/auth-ldap.conf.ext
[...]
## Default password scheme. "{scheme}" before password overrides this.
## List of supported schemes is in: http://wiki2.dovecot.org/Authentication
##default_pass_scheme = CRYPT
hosts = xxx.xxx.xxx.xxx:389
dn = CN=test,ou=Utilisateurs,dc=domaine,dc=fr
dnpass = unmdp
debug_level = 0
auth_bind = yes
ldap_version = 3
base = ou=Utilisateurs,dc=domaine,dc=fr
scope = subtree
# Specify the base storage for email here
user_attrs=sAMAccountName=home=/home/%$
#user_filter= (&(objectClass=user)(objectClass=person)(sAMAccountName=%u)(badPasswordTime=*))
user_filter= (&(objectClass=user)(objectClass=person)(|(mail=%u)(sAMAccountName=%u))(badPasswordTime=*))
pass_attrs=sAMAccountName=user
pass_filter = (&(objectClass=user)(objectClass=person)(sAMAccountName=%u)(badPasswordTime=*))
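The filters above take `%u` straight from the login name and the `auth_bind = yes` line sends each user's password to the directory over the `hosts` connection. The following is an added example, not code from the page or from Dovecot: it parses an excerpt of the file above (the xxx host, DN and "unmdp" password are the page's placeholders), checks that the filters are balanced, renders `%u` with RFC 4515 escaping so a crafted login name cannot change the filter's structure, applies the `user_attrs` home mapping (`%$` standing for the attribute value, as in Dovecot), and flags a bind setup that runs over plain port 389. The function names and the `tls`/`uris` check are mine; Dovecot's own escaping and settings should be confirmed against its documentation.

```python
# Constructed excerpt of the dovecot-ldap.conf.ext shown above. The host,
# bind DN and "unmdp" password are the page's own placeholders, not real values.
LDAP_CONF = """\
hosts = xxx.xxx.xxx.xxx:389
dn = CN=test,ou=Utilisateurs,dc=domaine,dc=fr
dnpass = unmdp
auth_bind = yes
ldap_version = 3
base = ou=Utilisateurs,dc=domaine,dc=fr
scope = subtree
user_attrs=sAMAccountName=home=/home/%$
user_filter= (&(objectClass=user)(objectClass=person)(|(mail=%u)(sAMAccountName=%u))(badPasswordTime=*))
pass_attrs=sAMAccountName=user
pass_filter = (&(objectClass=user)(objectClass=person)(sAMAccountName=%u)(badPasswordTime=*))
"""


def parse_conf(text):
    """Parse Dovecot's 'key = value' lines into a dict, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def balanced(ldap_filter):
    """True when every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def render_filter(template, username):
    """Substitute %u in a Dovecot filter template with an escaped username."""
    return template.replace("%u", ldap_escape(username))


def map_user_attrs(user_attrs, entry):
    """Apply a user_attrs mapping 'ldapAttr=field=template' to an LDAP entry.
    '%$' in the template stands for the attribute's value, as in Dovecot."""
    fields = {}
    for spec in user_attrs.split(","):
        ldap_attr, _, rest = spec.partition("=")
        field, _, template = rest.partition("=")
        fields[field] = (template or "%$").replace("%$", entry[ldap_attr])
    return fields


def plaintext_bind_risk(conf):
    """With auth_bind = yes every user password is sent to the directory, so
    the LDAP connection itself must be protected: either an ldaps:// URI in
    'uris' or StartTLS via 'tls = yes'. A bare host:389 gives neither."""
    uses_tls = conf.get("tls", "no") == "yes" or conf.get("uris", "").startswith("ldaps://")
    return conf.get("auth_bind") == "yes" and not uses_tls


if __name__ == "__main__":
    conf = parse_conf(LDAP_CONF)
    print(render_filter(conf["pass_filter"], "usertest"))
    print(render_filter(conf["pass_filter"], "*)(cn=*"))   # escaped, still one filter
    print(map_user_attrs(conf["user_attrs"], {"sAMAccountName": "usertest"}))
    print("plaintext bind to the directory:", plaintext_bind_risk(conf))
```

Run it as-is to see the rendered filters and the `home=/home/usertest` mapping; `plaintext_bind_risk` returns True for the page's configuration and False once `uris = ldaps://...` or `tls = yes` is present.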
Changes to conf.d/10-mail.conf
mail_location = maildir:%h
mail_uid = 500
mail_gid = 500
mail_privileged_group = vmail
Changes to conf.d/10-master.conf
Disabling POP3:
service pop3-login {
inet_listener pop3 {
port = 0
#port = 110
}
inet_listener pop3s {
port = 0
#port = 995
#ssl = yes
}
}
Adjusting the permissions:
unix_listener auth-userdb {
mode = 0600
user = vmail
group = vmail
}
Changes to conf.d/10-logging.conf: see the logging configuration section below.
Changes to conf.d/10-ssl.conf
ssl = yes
#ssl_cert = </etc/dovecot/dovecot.pem
#ssl_key = </etc/dovecot/private/dovecot.pem
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
The '<' in front of the paths is important: it makes Dovecot read the file at that path instead of using the string itself as the value.
Postfix integration
# cat /etc/postfix/master.cf
[...]
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}
A source of information: http://acidx.net/wordpress/2014/06/installing-a-mailserver-with-postfix-dovecot-sasl-ldap-roundcube/
Error messages
doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/dovecot-ldap.conf line 17: Unknown setting: hosts
Solution: install the dovecot-ldap package.
Source: http://dovecot.org/list/dovecot/2012-April/082457.html
Error: userdb(xxxxx): client doesn't have lookup permissions for this user: userdb reply doesn't contain uid (to bypass this check, set: service auth { unix_listener /var/run/dovecot/auth-userdb { mode=0777 } })
See above: the permissions set on unix_listener auth-userdb in 10-master.conf (mode 0600, owned by vmail) give the delivery user the lookup rights it needs, rather than the mode=0777 workaround the message proposes.
Tests
# telnet localhost 143
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
. login usertest xxx
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE] Logged in
. list "" "*"
* LIST (HasNoChildren) "." INBOX.Trash
* LIST (HasNoChildren) "." INBOX.Sent
* LIST (HasNoChildren) "." INBOX.Drafts
* LIST (HasNoChildren) "." rentr&AOk-e2014
* LIST (HasChildren) "." INBOX
. OK List completed.
. examine INBOX
* FLAGS (Answered Flagged Deleted Seen Draft Junk NonJunk)
* OK [PERMANENTFLAGS ()] Read-only mailbox.
* 1501 EXISTS
* 0 RECENT
* OK [UNSEEN 1] First unseen.
* OK [UIDVALIDITY 1377591710] UIDs valid
* OK [UIDNEXT 1516] Predicted next UID
* OK [HIGHESTMODSEQ 5] Highest
. OK [READ-ONLY] Examine completed (0.003 secs).
. logout
* BYE Logging out
. OK Logout completed.
Note the dot ('.') in front of the login command: it is the IMAP command tag, which the server repeats in its tagged reply.
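The session above is easier to check by machine than by eye. What follows is an added example, not part of the page or of Dovecot: it parses a copy of that transcript (the logged-in CAPABILITY line is trimmed), pairs tagged replies with the '.' tag, decodes the modified UTF-7 mailbox name `rentr&AOk-e2014` that LIST returned, and flags a greeting that offers AUTH=PLAIN/AUTH=LOGIN with neither STARTTLS nor LOGINDISABLED. Dovecot only omits those for connections it treats as secure (loopback, as in this test), so a localhost test never exercises the plaintext-auth protection that remote clients rely on; a second test from another host is the one that proves it. The function names are mine.

```python
import base64
import re

# Constructed transcript: the telnet session shown above, with the logged-in
# CAPABILITY line trimmed for brevity.
TRANSCRIPT = """\
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
. login usertest xxx
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT UIDPLUS MOVE] Logged in
. list "" "*"
* LIST (HasNoChildren) "." INBOX.Trash
* LIST (HasNoChildren) "." INBOX.Sent
* LIST (HasNoChildren) "." INBOX.Drafts
* LIST (HasNoChildren) "." rentr&AOk-e2014
* LIST (HasChildren) "." INBOX
. OK List completed.
. logout
* BYE Logging out
. OK Logout completed.
"""


def capabilities(line):
    """Extract the list carried in a [CAPABILITY ...] response code."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line)
    return m.group(1).split() if m else []


def tagged_responses(transcript, tag="."):
    """Return (status, line) for every server reply carrying our command tag.
    The tag is the '.' typed before each command; the server echoes it so the
    client can pair replies with commands."""
    out = []
    for line in transcript.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == tag and parts[1] in ("OK", "NO", "BAD"):
            out.append((parts[1], line))
    return out


def decode_mutf7(name):
    """Decode an IMAP modified UTF-7 mailbox name (RFC 3501 section 5.1.3)."""
    def repl(m):
        chunk = m.group(1)
        if chunk == "":
            return "&"                      # "&-" encodes a literal ampersand
        b64 = chunk.replace(",", "/")       # modified base64 uses ',' for '/'
        b64 += "=" * (-len(b64) % 4)        # padding is omitted on the wire
        return base64.b64decode(b64).decode("utf-16-be")
    return re.sub(r"&([A-Za-z0-9+,]*)-", repl, name)


def mailboxes(transcript):
    """Return [(decoded name, [attributes])] from the untagged LIST replies."""
    boxes = []
    for line in transcript.splitlines():
        m = re.match(r'\* LIST \(([^)]*)\) "[^"]*" (.+)$', line)
        if m:
            boxes.append((decode_mutf7(m.group(2).strip('"')), m.group(1).split()))
    return boxes


def plaintext_auth_findings(banner):
    """Flag a greeting that offers password mechanisms with neither STARTTLS
    nor LOGINDISABLED, i.e. cleartext credentials are accepted on this path."""
    caps = capabilities(banner)
    mechs = [c for c in caps if c.startswith("AUTH=")]
    if mechs and "STARTTLS" not in caps and "LOGINDISABLED" not in caps:
        return ["cleartext mechanisms offered without STARTTLS: " + " ".join(mechs)]
    return []


if __name__ == "__main__":
    banner = TRANSCRIPT.splitlines()[0]
    print(plaintext_auth_findings(banner))
    for name, attrs in mailboxes(TRANSCRIPT):
        print(name, attrs)
    print([status for status, _ in tagged_responses(TRANSCRIPT)])
```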
Certificates
The certificates can be regenerated with the script http://dovecot.org/doc/mkcert.sh
see http://wiki2.dovecot.org/SSL/CertificateCreation
Testing the certificates:
$ openssl s_client -connect serveur_imap:imaps
CONNECTED(00000003)
depth=0 O = Dovecot mail server, OU = @commonName@, CN = @commonName@, emailAddress = @emailAddress@
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Dovecot mail server, OU = @commonName@, CN = @commonName@, emailAddress = @emailAddress@
verify return:1
---
Certificate chain
0 s:/O=Dovecot mail server/OU=@commonName@/CN=@commonName@/emailAddress=@emailAddress@
i:/O=Dovecot mail server/OU=@commonName@/CN=@commonName@/emailAddress=@emailAddress@
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
. login usertest xxx
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE] Logged in
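Two things in the s_client output above deserve a check before any client is pointed at the server: the subject still carries the `@commonName@` and `@emailAddress@` placeholders of the template mkcert.sh reads (so no client can match the name against the host), and the issuer equals the subject, which is what verify error 18 reports. The following is an added example, not from the page or Dovecot: it parses a copy of that output and lists the findings a client-side check should report. The function names and the `expected_host` parameter are mine.

```python
import re

# Constructed copy of the openssl s_client output shown above (the certificate
# body itself is omitted).
S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 O = Dovecot mail server, OU = @commonName@, CN = @commonName@, emailAddress = @emailAddress@
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:/O=Dovecot mail server/OU=@commonName@/CN=@commonName@/emailAddress=@emailAddress@
   i:/O=Dovecot mail server/OU=@commonName@/CN=@commonName@/emailAddress=@emailAddress@
---
"""


def parse_dn(dn):
    """Turn a slash-separated DN like '/O=x/CN=y' into a dict."""
    return dict(part.split("=", 1) for part in dn.strip("/").split("/") if "=" in part)


def chain(output):
    """Return [(subject, issuer)] for each entry of the 'Certificate chain' block."""
    pairs, subject = [], None
    for line in output.splitlines():
        m = re.match(r"\s*\d+ s:(.*)$", line)
        if m:
            subject = parse_dn(m.group(1))
            continue
        m = re.match(r"\s*i:(.*)$", line)
        if m and subject is not None:
            pairs.append((subject, parse_dn(m.group(1))))
            subject = None
    return pairs


def verify_errors(output):
    """Collect (number, text) pairs from 'verify error:num=N:text' lines."""
    return re.findall(r"verify error:num=(\d+):(.*)", output)


def certificate_findings(output, expected_host):
    """What a client-side check should report before trusting this server."""
    findings = []
    for depth, (subject, issuer) in enumerate(chain(output)):
        cn = subject.get("CN", "")
        if depth == 0 and re.search(r"@\w+@", cn):
            findings.append("template placeholder left in CN: %s" % cn)
        elif depth == 0 and cn != expected_host:
            findings.append("CN %r does not match host %r" % (cn, expected_host))
        if subject == issuer:
            findings.append("depth %d is self-signed (subject == issuer)" % depth)
    for num, text in verify_errors(output):
        findings.append("openssl verify error %s: %s" % (num, text))
    return findings


if __name__ == "__main__":
    for finding in certificate_findings(S_CLIENT_OUTPUT, "serveur_imap"):
        print("-", finding)
```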
Logging configuration
dovecot
# cat /etc/dovecot/conf.d/10-logging.conf
[...]
syslog_facility = local0
[...]
rsyslog
# cat /etc/rsyslog.conf
# /etc/rsyslog.conf Configuration file for rsyslog.
[...]
mail.* -/var/log/mail.log
local0.* -/var/log/dovecot.log
user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
local0.info -/var/log/dovecot.info
local0.warn -/var/log/dovecot.warn
local0.err /var/log/dovecot.err
[...]
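Once Dovecot's messages land in /var/log/dovecot.log as configured above, the file is the natural place to spot password guessing against the IMAP service. The following is an added example, not from the page or Dovecot: it parses constructed lines in the imap-login format Dovecot 2.x writes (documentation IP ranges, hostname "mail"), then reports any source address with at least three failed logins inside a sliding 60-second window together with the number of distinct user names it tried. The regular expression, thresholds and function names are mine.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/dovecot.log lines in Dovecot 2.x's imap-login
# format. Addresses are documentation ranges; "mail" is the hostname.
SAMPLE_LOG = """\
Oct 18 10:02:11 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<usertest>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS, session=<c1>
Oct 18 10:02:14 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS, session=<c2>
Oct 18 10:02:20 mail dovecot: imap-login: Login: user=<usertest>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, mpid=2048, TLS, session=<c3>
Oct 18 10:02:25 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<root>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS, session=<c4>
Oct 18 10:02:40 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS, session=<c5>
Oct 18 10:02:41 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS, session=<c6>
Oct 18 10:03:30 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): rip=192.0.2.10, lip=198.51.100.5, TLS, session=<c7>
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>"
    r".*?\brip=(?P<rip>[0-9a-f.:]+)"
)


def parse_logins(lines, year=2016):
    """Turn imap-login lines into events; lines without a user field are skipped.
    syslog timestamps carry no year, so one is supplied by the caller."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "ok": m["event"] == "Login", "user": m["user"], "rip": m["rip"]})
    return events


def brute_force_sources(events, window=timedelta(seconds=60), threshold=3):
    """Return {rip: (failures, distinct users)} for sources with at least
    `threshold` failed logins inside a sliding `window`. Many distinct users
    from one source points at password spraying rather than a user's typo."""
    by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_ip[e["rip"]].append(e)
    flagged = {}
    for rip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, len({e["user"] for e in fails[start:end + 1]}))
        if best:
            flagged[rip] = best
    return flagged


if __name__ == "__main__":
    hits = brute_force_sources(parse_logins(SAMPLE_LOG.splitlines()))
    for rip, (n, users) in hits.items():
        print("%s: %d failed logins, %d distinct users" % (rip, n, users))
```

On the sample, 192.0.2.10 is reported with four failures against four different accounts within thirty seconds, while 203.0.113.7 (one failure after a successful login) stays below the threshold.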
CASification
We initially authenticated users against LDAP.
That is not necessarily the most appropriate choice, so in our case Dovecot has to be "CASified". To do this we start by using PAM to authenticate users.
We use winbind: http://perso.univ-lemans.fr/~brichard/logiciels/?doc=Samba_4_et_Winbind
libpam-ccreds
The libpam-ccreds library caches authentication credentials, which speeds up the exchanges.
apt-get install libpam-ccreds
Changes to conf.d/10-auth.conf
auth_mechanisms = plain login
!include auth-system.conf.ext
#!include auth-ldap.conf.ext
with a modified auth-system.conf.ext: authentication goes through PAM (the default configuration), while the user lookup (used for mail delivery, which Postfix delegates to Dovecot) goes through LDAP:
cat auth-system.conf.ext
# Authentication for system users. Included from 10-auth.conf.
#
passdb {
driver = pam
# [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
# [cache_key=<key>] [<service name>]
#args = dovecot
}
userdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
# Default fields can be used to specify defaults that LDAP may override
#default_fields = home=/home/virtual/%u
}
Installing libpam-cas and configuring pam_cas.conf
see http://wiki.mdl29.net/doku.php?id=braveo:docinstall:cas:pam
and
http://wiki.mdl29.net/doku.php?id=braveo:docinstall:cas:dovecot
In short:
apt-get install libpam-ldap
Changes to /etc/pam.d/dovecot
The system is told to query pam_cas first and, if the answer is negative, winbind:
auth sufficient /lib/security/pam_ccreds.so action=validate service_specific
auth [success=1 new_authtok_reqd=done default=die] /lib/security/pam_cas.so -simap://localhost -f/etc/security/pam_cas.conf
auth [success=ok default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth optional /lib/security/pam_ccreds.so action=store timeout=300 service_specific
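Control flags like `[success=1 default=die]` are easy to misread, so the order in which this stack actually consults its modules is worth tracing rather than assuming. The following is an added example, not from the page, Linux-PAM or any of the modules: it parses a copy of the stack above and walks it with the dispatch rules documented in pam.conf(5) (`sufficient` = success→done, otherwise ignore; `optional` = default ignore; `success=N` skips N modules and counts as a positive result; `die` fails and ends the stack immediately). The trace shows that a cached credential short-circuits the stack at pam_ccreds, that a CAS success skips winbind and goes on to store the credential, and that a CAS failure ends the stack at `default=die` before winbind is reached; the fallback the stack is meant to provide should be verified against such a trace, or against the real thing with `pamtester`, before relying on it. Return codes are simplified strings and the function names are mine.

```python
# Constructed copy of the /etc/pam.d/dovecot auth stack shown above.
PAM_DOVECOT_AUTH = """\
auth sufficient /lib/security/pam_ccreds.so action=validate service_specific
auth [success=1 new_authtok_reqd=done default=die] /lib/security/pam_cas.so -simap://localhost -f/etc/security/pam_cas.conf
auth [success=ok default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth optional /lib/security/pam_ccreds.so action=store timeout=300 service_specific
"""

# The keyword controls, written as the bracket form Linux-PAM expands them to
# (see pam.conf(5)).
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_stack(text):
    """Parse pam.d lines into (control dict, module name) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        _type, rest = line.split(None, 1)
        if rest.startswith("["):
            ctl, _, rest = rest[1:].partition("]")
            control = dict(tok.split("=", 1) for tok in ctl.split())
        else:
            keyword, rest = rest.split(None, 1)
            control = KEYWORD_CONTROLS[keyword]
        entries.append((control, rest.split()[0].rsplit("/", 1)[-1]))
    return entries


def run_stack(stack, results):
    """Walk an auth stack the way Linux-PAM's dispatcher does.

    results[i] is the code module i would return ('success', 'auth_err',
    'new_authtok_reqd', ...). Returns (final status, modules actually called)."""
    impression = None            # None: undecided, True: positive, False: negative
    status = "perm_denied"
    called = []
    i = 0
    while i < len(stack):
        control, module = stack[i]
        ret = results[i]
        called.append(module)
        action = control.get(ret, control.get("default", "bad"))
        if action == "ignore":
            pass
        elif action in ("ok", "done"):
            if impression is None or (impression and status == "success"):
                impression, status = True, ret
            if action == "done" and impression:
                break                # sufficient/done: stop on a positive result
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, ret
            if action == "die":
                break                # die: stop immediately with failure
        elif action.isdigit():       # success=N: positive result, skip N modules
            if impression is None or (impression and status == "success"):
                impression, status = True, ret
            i += int(action)
        else:
            raise ValueError("unsupported action %r" % action)
        i += 1
    return (status if impression is not None else "perm_denied"), called


if __name__ == "__main__":
    stack = parse_stack(PAM_DOVECOT_AUTH)
    scenarios = {
        "cached credential valid":  ["success", "auth_err", "auth_err", "auth_err"],
        "cache miss, CAS accepts":  ["auth_err", "success", "auth_err", "success"],
        "cache miss, CAS rejects":  ["auth_err", "auth_err", "success", "success"],
    }
    for name, results in scenarios.items():
        status, called = run_stack(stack, results)
        print("%-26s -> %-10s via %s" % (name, status, " > ".join(called)))
```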
Quota
conf.d/10-mail.conf
# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
mail_plugins = $mail_plugins quota
conf.d/20-imap.conf
protocol imap {
# Space separated list of plugins to load (default is global mail_plugins).
mail_plugins = $mail_plugins imap_quota
}
Source: http://wiki2.dovecot.org/Quota
Get a user's quota:
doveadm quota get -u user1
Source: http://wiki2.dovecot.org/Tools/Doveadm/Quota
Contact
To send me an email or leave a comment: richard.brunooo at gmail.com