Tuesday, February 10, 2015

OpenBSD Mail Server - Part 6, Dovecot and Dovecot-Pigeonhole

1.  Install dovecot and dovecot-pigeonhole from packages.

2.  Edit login.conf per the docs in /usr/local/share/doc/pkg-readmes/dovecot-*.

3.  Set up Dovecot certificates per dovecot install message.

4.  Open port 993 in pf.conf for remote IMAP access.

5.  Edit /etc/dovecot/conf.d/20-lmtp.conf and uncomment the “mail_plugins” line and add "sieve" at the end. Might need to edit /etc/dovecot/conf.d/10-mail.conf and set mail_location to Maildir (see comments for examples) and also /etc/dovecot/conf.d/15-lda.conf to set postmaster_address.  Personally, I also like to edit 15-mailboxes.conf and add "auto = subscribe" for the Drafts, Junk, Trash, and Sent mailboxes so they are automatically created and subscribed to.  Sometimes, I also like to add Maildir and a sieve script (perhaps with a rule to automatically drop emails that have been tagged as spam by SpamAssassin to the Junk mailbox) to /etc/skel so those are there when a new user is added.

6.  Add dovecot to pkg_scripts and start it up.

7.  Edit /etc/mail/smtpd.conf so mail is delivered to lmtp instead of ~/Maildir like the following and then restart smtpd:

# cat /etc/mail/smtpd.conf
pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"

listen on lo0
listen on lo0 port 10026 tag CLAM_IN # incoming mail
listen on lo0 port 10028 tag CLAM_OUT # outgoing mail
listen on lo0 port 10036 tag SPAM_IN # incoming mail
listen on lo0 port 10029 tag DKIM_OUT # outgoing mail
listen on egress tls pki mail.example.com auth-optional
listen on egress port submission tls-require pki mail.example.com auth

table aliases db:/etc/mail/aliases.db
table vusers file:/etc/mail/vusers
table vdomains file:/etc/mail/vdomains

accept for local alias <aliases> deliver to maildir

# tagged mail returned from dkimproxy_out relay out
accept tagged DKIM_OUT for any relay

# tagged mail returned from spampd deliver to lmtp
accept tagged SPAM_IN for domain <vdomains> virtual <vusers> deliver to lmtp "/var/dovecot/lmtp"

# tagged mail returned from clamsmtpd either send to spampd or dkimproxy_out
accept tagged CLAM_IN for any relay via smtp:// # send to spampd
accept tagged CLAM_OUT for any relay via smtp:// # send to dkimproxy_out

# start here - untagged mail is sent to clamsmtpd
accept from any for domain <vdomains> relay via smtp:// # incoming mail
accept from local for any relay via smtp:// # outgoing mail

8. So now here is what’s happening:

Incoming mail:

pf -> relay to spamd -> send to opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10025 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10026 and tag it CLAM_IN -> -relay tagged CLAM_IN mail to spampd on port 10035 -> run it through SpamAssassin -> return to opensmtpd on lo0 port 10036 and tag it SPAM_IN -> deliver to dovecot/lmtp

Outoing mail (unchanged from last time):

opensmtpd on lo0 -> relay untagged mail to clamsmtpd on port 10027 -> relay to clamd on port 3310 -> return to clamsmtpd -> return to opensmtpd on lo0 port 10028 and tag it CLAM_OUT -> relay to dkimproxy on port 10030 -> add DKIM headers -> return to opensmtpd on lo0 port 10029 and tag it DKIM_OUT -> relay out

9.  Set up a sieve script in ~/.dovecot.sieve and send an email to the server in a way that triggers one of the sieve rules.  There will be something like this in /var/log/maillog:

Feb 3 22:35:34 server dovecot: lmtp(32707): Connect from local
Feb 3 22:35:34 server dovecot: lmtp(32707, joe): zyueLYaT0VTDfwAAfpiiTw: sieve: msgid=<1423020926.3895159.222819613.25E9282E@somedomain.com>: stored mail into mailbox 'Test'
Feb 3 22:35:34 server smtpd[5331]: delivery: Ok for 68ade8684466ea8c: from=<me@somedomain.com>, to=<joe@example.com>, user=joe, method=lmtp, delay=2s, stat=Delivered

10. For future reference, here is the output of "doveconf -n":

# 2.2.10: /etc/dovecot/dovecot.conf
# OS: OpenBSD 5.6 i386
first_valid_uid = 1000
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mbox_write_locks = fcntl
mmap_disable = yes
namespace inbox {
 inbox = yes
 location =
 mailbox Drafts {
 special_use = \Drafts
 mailbox Junk {
 special_use = \Junk
 mailbox Sent {
 special_use = \Sent
 mailbox "Sent Messages" {
 special_use = \Sent
 mailbox Trash {
 special_use = \Trash
 prefix =
passdb {
 driver = bsdauth
plugin {
 sieve = ~/.dovecot.sieve
 sieve_dir = ~/sieve
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
protocols = imap pop3 lmtp sieve
service managesieve-login {
 inet_listener sieve {
 port = 4190
inet_listener sieve_deprecated {
 port = 2000
ssl_cert = </etc/ssl/dovecotcert.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
 driver = passwd
protocol lmtp {
 mail_plugins = " sieve"

11.  There are other tweaks that can done with dovecot, such as disabling POP3, running SSL IMAP on a port other than 993, etc.

1 comment:

  1. i have recibed follow error:

    dovecot: imap-login: Disconnected (auth failed, 4 attempts in 26 secs): user=, method=PLAIN

    where it takes dovecot your backend to define the credentials?