dovecot.sh
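#!/bin/sh
# vim:set syntax=sh:
# kate: syntax bash;
# SPDX-License-Identifier: CC-BY-SA-4.0
# Copyright 2021 Jakob Meng, <[email protected]>
exit # do not run any commands when file is executed
#
# Dovecot
#
# These are step-by-step notes: the commands below are meant to be copied and run as root
# one at a time, not executed as a script (hence the 'exit' above).
#
################################################################################
# Dovecot on Debian 8 (Jessie), Debian 9 (Stretch), Debian 10 (Buster) and Debian 11 (Bullseye)
# Ref.:
# /usr/share/doc/dovecot-core/README.Debian.gz
# https://wiki2.dovecot.org/AuthDatabase/SQL
# https://wiki.dovecot.org/DomainLost
apt-get install dovecot-pop3d

# Create a self-signed certificate with Dovecot's helper script. The OpenSSL template is
# copied to /tmp and its placeholders are filled in there; mkcert.sh presumably reads
# dovecot-openssl.cnf from the current directory, which is why we cd first.
# The FQDN is looked up once and reused below for the listen address as well.
fqdn=$(hostname --fqdn)
cd /tmp/
cp -raiv /usr/share/dovecot/dovecot-openssl.cnf .
sed -i -e "s/@commonName@/${fqdn}/g" dovecot-openssl.cnf
sed -i -e "s/@emailAddress@/root@${fqdn}/g" dovecot-openssl.cnf
# Remove an existing certificate/key pair first if a fresh one should be generated:
# rm /etc/dovecot/dovecot.pem /etc/dovecot/private/dovecot.pem
/usr/share/dovecot/mkcert.sh

# Keep a timestamped copy of any previous local.conf; everything below appends to a new file.
[ -e /etc/dovecot/local.conf ] && \
mv -i /etc/dovecot/local.conf "/etc/dovecot/local.conf.$(date +%Y%m%d%H%M%S --reference /etc/dovecot/local.conf)"

# Quoted here-doc delimiter: nothing in this block is meant to be expanded by the shell.
cat << 'EOF' >> /etc/dovecot/local.conf
# Dovecot configuration file
# 2011-2021 Jakob Meng, <[email protected]>
# Enable mail group temporarily for privileged operations. This is used with the INBOX when either its initial creation
# or dotlocking fails. Typically, this is set to mail to give access to /var/mail. Without this, errors will be raised
# when writing to /var/mail, e.g.:
#
# Jun 6 17:40:48 WildWildWest dovecot: pop3(johnwayne): Error: file_dotlock_create(/var/mail/johnwayne) failed: Permission denied (euid=1000(johnwayne) egid=1000(johnwayne) missing +w perm: /var/mail, euid is not dir owner) (set mail_privileged_group=mail)
#
# Ref.: https://doc.dovecot.org/settings/core/
mail_privileged_group = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%n
# Debugging Output
#auth_debug=yes
#auth_debug_passwords=yes
EOF

# Either listen to localhost only ...
cat << 'EOF' >> /etc/dovecot/local.conf
# Listen to localhost only
listen = localhost
EOF
#
# ... or listen on the public hostname, but then switch off the plaintext imap and pop3
# listeners (port = 0) so that only the TLS-wrapped ports stay reachable.
# Unquoted delimiter on purpose: ${fqdn} is expanded into the config file.
cat << EOF >> /etc/dovecot/local.conf
listen = ${fqdn}
# Disable non-ssl imap and non-ssl pop3
service imap-login {
inet_listener imap {
port = 0
}
}
service pop3-login {
inet_listener pop3 {
port = 0
}
}
EOF

# Only required on Debian 8 (Jessie) or Debian 9 (Stretch).
# TLS is enabled by default in Dovecot since Debian 10 (Buster).
# NOTE(review): the commented-out lines below show the paths mkcert.sh writes to
# (/etc/dovecot/dovecot.pem and /etc/dovecot/private/dovecot.pem); the active ssl_cert and
# ssl_key point at different files. Confirm both exist before restarting, otherwise
# dovecot will fail to start.
cat << 'EOF' >> /etc/dovecot/local.conf
# Enable SSL
ssl = yes
#ssl_cert = </etc/ssl/certs/dovecot.crt
#ssl_key = </etc/ssl/private/dovecot.key
#ssl_cert = </etc/dovecot/dovecot.pem
#ssl_key = </etc/dovecot/private/dovecot.pem
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key
# Debugging SSL connections
#verbose_ssl = yes
EOF

# Disable PAM authentication by commenting out its include in the packaged 10-auth.conf.
sed -i -e 's/^\!include auth-system\.conf\.ext/#\!include auth-system\.conf\.ext/g' /etc/dovecot/conf.d/10-auth.conf

# local.conf: writable by root, readable by group dovecot, no access for others.
# (chown uses the portable user:group form; the old user.group spelling is deprecated.)
chown root:dovecot /etc/dovecot/local.conf
chmod u=rw,g=r,o= /etc/dovecot/local.conf
service dovecot restart
####################
# (Optional) Enable non-ssl pop3, but only on localhost
# The listener block added above sets port = 0; change it so pop3 is reachable again,
# but bound to the loopback address only.
vi /etc/dovecot/local.conf
# Edit:
# service pop3-login {
# inet_listener pop3 {
# port = 110
# address = localhost
# }
# }
####################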
# (Optional) Downgrade auth_mechanisms for Thunderbird when using option "Verschlüsseltes Passwort"
# WARNING: Use only on encrypted or local connections to dovecot!!!
cat << 'EOF' >> /etc/dovecot/local.conf
# ATTENTION:
# Only enabled because Thunderbird 31 has problems with self-signed certificates and dovecot listens to localhost only!
auth_mechanisms = plain cram-md5
EOF
####################
# (Optional) Authentication via Passwd-file
# Ref.: https://doc.dovecot.org/configuration_manual/authentication/passwd_file/
cat << 'EOF' >> /etc/dovecot/local.conf
# Authentication via Passwd-file
# Ref.: https://doc.dovecot.org/configuration_manual/authentication/passwd_file/
userdb {
driver = passwd-file
args = username_format=%n /etc/dovecot/users
}
passdb {
driver = passwd-file
args = username_format=%n /etc/dovecot/users
}
EOF
# or on Debian 10 (Buster)
sed -i -e 's/^#\!include auth-passwdfile\.conf\.ext/\!include auth-passwdfile\.conf\.ext/g' conf.d/10-auth.conf
# Generate password hash with doveadm
# Ref.: https://doc.dovecot.org/configuration_manual/authentication/password_schemes/#authentication-password-schemes
doveadm pw -s SHA512-CRYPT
# Create passwd file with username and password hash
# Ref.: https://doc.dovecot.org/configuration_manual/authentication/passwd_file/
cat << 'EOF' >> /etc/dovecot/users
user:{plain}secret:1000:1000:,,,:/home/user:/usr/sbin/nologin
EOF
chown root.dovecot /etc/dovecot/users
chmod u=rw,g=r,o= /etc/dovecot/users
systemctl restart dovecot.service
systemctl status dovecot.service
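####################
# (Optional) Authentication via MySQL / MariaDB
# Ref.: https://doc.dovecot.org/configuration_manual/authentication/sql/
apt-get install dovecot-mysql
cat << 'EOF' >> /etc/dovecot/local.conf
# Authentication via MySQL / MariaDB
userdb {
driver = sql
args = /etc/dovecot/local-mysql.conf.ext
}
passdb {
driver = sql
args = /etc/dovecot/local-mysql.conf.ext
}
EOF

# Keep a timestamped copy of any previous SQL config before writing a new one.
[ -e /etc/dovecot/local-mysql.conf.ext ] && \
mv -i /etc/dovecot/local-mysql.conf.ext "/etc/dovecot/local-mysql.conf.ext.$(date +%Y%m%d%H%M%S --reference /etc/dovecot/local-mysql.conf.ext)"

# Database credentials. 'secret' is a placeholder; the real value ends up in plain text in
# local-mysql.conf.ext, which is why that file gets restrictive permissions below.
SQL_DATABASE=dovecot
SQL_USERNAME=dovecot
SQL_PASSWORD=secret

# Unquoted delimiter on purpose: the ${SQL_*} variables are expanded into the file. Because
# of that, a trailing backslash inside the template must be written as '\\' — a bare '\' at
# the end of a line would be taken as a shell line continuation and merge comment lines.
[ ! -e /etc/dovecot/local-mysql.conf.ext ] && \
cat << EOF >> /etc/dovecot/local-mysql.conf.ext
# 2011-2020 Jakob Meng, <[email protected]>
# Compare with default configuration using this command:
# meld /etc/dovecot/dovecot-sql.conf.ext /etc/dovecot/local-mysql.conf.ext
#
# This file is commonly accessed via passdb {} or userdb {} section in
# conf.d/auth-sql.conf.ext
# This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki2.dovecot.org/AuthDatabase/SQL
#
# For the sql passdb module, you'll need a database with a table that
# contains fields for at least the username and password. If you want to
# use the user@domain syntax, you might want to have a separate domain
# field as well.
#
# If your users all have the same uig/gid, and have predictable home
# directories, you can use the static userdb module to generate the home
# dir based on the username and domain. In this case, you won't need fields
# for home, uid, or gid in the database.
#
# If you prefer to use the sql userdb module, you'll want to add fields
# for home, uid, and gid. Here is an example table:
#
# CREATE TABLE users (
# username VARCHAR(128) NOT NULL,
# domain VARCHAR(128) NOT NULL,
# password VARCHAR(64) NOT NULL,
# home VARCHAR(255) NOT NULL,
# uid INTEGER NOT NULL,
# gid INTEGER NOT NULL,
# active CHAR(1) DEFAULT 'Y' NOT NULL
# );
# Database driver: mysql, pgsql, sqlite
driver = mysql
# Database connection string. This is driver-specific setting.
#
# HA / round-robin load-balancing is supported by giving multiple host
# settings, like: host=sql1.host.org host=sql2.host.org
#
# pgsql:
# For available options, see the PostgreSQL documentation for the
# PQconnectdb function of libpq.
# Use maxconns=n (default 5) to change how many connections Dovecot can
# create to pgsql.
#
# mysql:
# Basic options emulate PostgreSQL option names:
# host, port, user, password, dbname
#
# But also adds some new settings:
# client_flags - See MySQL manual
# connect_timeout - Connect timeout in seconds (default: 5)
# read_timeout - Read timeout in seconds (default: 30)
# write_timeout - Write timeout in seconds (default: 30)
# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
# ssl_cert, ssl_key - For sending client-side certificates to server
# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
# ssl_verify_server_cert - Verify that the name in the server SSL certificate
# matches the host (default: no)
# option_file - Read options from the given file instead of
# the default my.cnf location
# option_group - Read options from the given group (default: client)
#
# You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
# Note that currently you can't use spaces in parameters.
#
# sqlite:
# The path to the database file.
#
# Examples:
# connect = host=192.168.1.1 dbname=users
# connect = host=sql.example.com dbname=virtual user=virtual password=blarg
# connect = /etc/dovecot/authdb.sqlite
#
#connect =
connect = host=localhost dbname=${SQL_DATABASE} user=${SQL_USERNAME} password=${SQL_PASSWORD}
# Default password scheme.
#
# List of supported schemes is in
# http://wiki2.dovecot.org/Authentication/PasswordSchemes
#
#default_pass_scheme = MD5
default_pass_scheme = PLAIN
# passdb query to retrieve the password. It can return fields:
# password - The user's password. This field must be returned.
# user - user@domain from the database. Needed with case-insensitive lookups.
# username and domain - An alternative way to represent the "user" field.
#
# The "user" field is often necessary with case-insensitive lookups to avoid
# e.g. "name" and "nAme" logins creating two different mail directories. If
# your user and domain names are in separate fields, you can return "username"
# and "domain" fields instead of "user".
#
# The query can also return other fields which have a special meaning, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
#
# Commonly used available substitutions (see http://wiki2.dovecot.org/Variables
# for full list):
# %u = entire user@domain
# %n = user part of user@domain
# %d = domain part of user@domain
#
# Note that these can be used only as input to SQL query. If the query outputs
# any of these substitutions, they're not touched. Otherwise it would be
# difficult to have eg. usernames containing '%' characters.
#
# Example:
# password_query = SELECT userid AS user, pw AS password \\
# FROM users WHERE userid = '%u' AND active = 'Y'
#
#password_query = \\
# SELECT username, domain, password \\
# FROM users WHERE username = '%n' AND domain = '%d'
password_query = SELECT userid AS username, domain, password FROM users WHERE userid = '%n' AND domain = '%d'
# userdb query to retrieve the user information. It can return fields:
# uid - System UID (overrides mail_uid setting)
# gid - System GID (overrides mail_gid setting)
# home - Home directory
# mail - Mail location (overrides mail_location setting)
#
# None of these are strictly required. If you use a single UID and GID, and
# home or mail directory fits to a template string, you could use userdb static
# instead. For a list of all fields that can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
#
# Examples:
# user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
# user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
# user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
#
#user_query = \\
# SELECT home, uid, gid \\
# FROM users WHERE username = '%n' AND domain = '%d'
user_query = SELECT home, uid, gid FROM users WHERE userid = '%n' AND domain = '%d'
# If you wish to avoid two SQL lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
# also have to return userdb fields in password_query prefixed with "userdb_"
# string. For example:
#password_query = \\
# SELECT userid AS user, password, \\
# home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \\
# FROM users WHERE userid = '%u'
# Query to get a list of all usernames.
#iterate_query = SELECT username AS user FROM users
# For using doveadm -A:
iterate_query = SELECT userid AS username, domain FROM users
EOF
# NOTE(review): default_pass_scheme = PLAIN above means the users table holds plaintext
# passwords. Storing hashes instead (e.g. the SHA512-CRYPT scheme used with doveadm pw in the
# passwd-file section) limits the damage of a database leak; see the password_schemes ref.

# The template's own comment recommends root-owned mode 0600; root:dovecot with 640 is used
# here for consistency with local.conf. Tighten to 0600 if group dovecot need not read it.
chown root:dovecot /etc/dovecot/local-mysql.conf.ext
chmod u=rw,g=r,o= /etc/dovecot/local-mysql.conf.ext
systemctl restart dovecot.service
systemctl status dovecot.service
################################################################################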