Mail Server, Part 3: Dovecot


This is the third part of the series on building a mail server on CentOS 7. If you arrived here directly, you should read the previous posts first:

Part 1: Installing the packages

Part 2: Configuring MariaDB

Dovecot is an MDA (Mail Delivery Agent), that is, the agent that moves messages from Postfix into the virtual mailboxes. In this section we configure the Dovecot installation to force users to connect over SSL, so that passwords are never sent in plain text.

I always like to keep the original copy of every configuration file, in case I get lost while changing settings. This step is not needed if you are following this tutorial from the beginning; however, if you already have a previous configuration and are just improving it, I strongly suggest you make copies of your files.

In our case the configuration files are in /etc/dovecot/conf.d/. We can make the copies with the command:

Creating the user

Dovecot stores the messages (and all their content) in a directory defined in the configuration file, and to do that it must run under a user with the appropriate permissions. The following commands create this user and group. I use the common convention for these names, which makes it easy to search the internet for solutions to problems.
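As an added example (these are not the commands from the original post), the script below covers the two preparation steps just described: it makes a pristine `.orig` copy of every file in the Dovecot configuration directory without ever overwriting an earlier copy, creates the mailbox owner account, and checks the resulting passwd entry. It assumes the usual convention of a `vmail` user and group with uid/gid 5000, mailboxes under /var/mail/vmail, and CentOS 7's /sbin/nologin shell; creating the account needs root, the other two functions do not.

```shell
#!/bin/sh
# Added example, not the original post's commands.
# Assumptions: CentOS 7, configuration under /etc/dovecot/conf.d/, and the
# common "vmail" user/group (uid/gid 5000) owning /var/mail/vmail.

# backup_conf DIR: copy every *.conf and *.conf.ext in DIR to NAME.orig,
# but never overwrite an existing .orig, so the first (pristine) copy
# survives later re-runs. Prints the number of new copies made.
backup_conf() {
    dir=$1
    n=0
    for f in "$dir"/*.conf "$dir"/*.conf.ext; do
        [ -f "$f" ] || continue
        if [ ! -e "$f.orig" ]; then
            cp -p "$f" "$f.orig"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# create_vmail_user: create the group and user only if they are missing.
# Needs root. The login shell is /sbin/nologin because nobody should ever
# be able to log in as the mailbox owner.
create_vmail_user() {
    getent group vmail >/dev/null || groupadd -g 5000 vmail
    getent passwd vmail >/dev/null ||
        useradd -g vmail -u 5000 -d /var/mail/vmail -s /sbin/nologin -M vmail
    mkdir -p /var/mail/vmail
    chown vmail:vmail /var/mail/vmail
    chmod 0770 /var/mail/vmail
}

# check_vmail_entry LINE: validate one passwd(5) line for the vmail account:
# uid and gid 5000, home /var/mail/vmail, and a non-interactive shell.
# Returns 0 when the entry is as expected, 1 otherwise.
check_vmail_entry() {
    echo "$1" | awk -F: '
        $1 == "vmail" && $3 == 5000 && $4 == 5000 &&
        $6 == "/var/mail/vmail" && $7 ~ /(nologin|false)$/ { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Usage on the real server (as root):
#   backup_conf /etc/dovecot/conf.d
#   create_vmail_user
#   check_vmail_entry "$(getent passwd vmail)" && echo "vmail account looks right"
```

The backup function is deliberately idempotent: running it again after you have already edited a file leaves the original `.orig` alone, which is the copy you actually want when you need to roll back.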

Editing the configuration files

The first thing we configure is authentication. Since we use a table in the MariaDB database to store users and passwords, we declare that in two files: the first sets the authentication type, the second defines how Dovecot will validate the credentials.

Edit the file 10-auth in /etc/dovecot/conf.d/ and uncomment (or add) the lines below:

Then edit the file /etc/dovecot/conf.d/auth-sql.conf.ext so that it contains the following lines:

ATTENTION: the last lines differ slightly from the original comment, in the home argument.

We must also configure the connection to MariaDB, in the file /etc/dovecot/dovecot-sql.conf.ext. This file is not created by the installation, so we create it.

NOTE: use the same values you used in the step that set up the database in MariaDB.
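The script below is an added example, not the post's own configuration: it writes the three authentication files described above into a configuration root and then checks them, including that the file holding the database password is readable only by its owner. It assumes Dovecot 2.2 on CentOS 7, the postfixadmin `mailbox` table (columns `username`, `password`, `active`) as created in Part 2, passwords stored as SHA512-CRYPT, the `vmail` account, and mailboxes under /var/mail/vmail/%d/%n; the database name, user and password are placeholders you replace with the values from Part 2.

```shell
#!/bin/sh
# Added example, not the post's own files. Assumptions: Dovecot 2.2,
# postfixadmin "mailbox" table, SHA512-CRYPT password hashes, vmail user,
# mailboxes under /var/mail/vmail/%d/%n.

# write_auth_conf ETC DBNAME DBUSER DBPASS
#   ETC is the Dovecot configuration root (normally /etc/dovecot).
write_auth_conf() {
    etc=$1; dbname=$2; dbuser=$3; dbpass=$4
    mkdir -p "$etc/conf.d"

    # 10-auth.conf: refuse plaintext mechanisms on unencrypted connections
    # and switch from system users to the SQL backend.
    cat > "$etc/conf.d/10-auth.conf" <<'EOF'
disable_plaintext_auth = yes
auth_mechanisms = plain login
#!include auth-system.conf.ext
!include auth-sql.conf.ext
EOF

    # auth-sql.conf.ext: passwords come from SQL, the user record is static.
    # The home argument is the part that differs from the stock comment.
    cat > "$etc/conf.d/auth-sql.conf.ext" <<'EOF'
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vmail/%d/%n
}
EOF

    # dovecot-sql.conf.ext holds the database password: create it under
    # umask 077 so it is never world-readable, even for an instant.
    sqlconf="$etc/dovecot-sql.conf.ext"
    (
        umask 077
        cat > "$sqlconf" <<EOF
driver = mysql
connect = host=127.0.0.1 dbname=$dbname user=$dbuser password=$dbpass
default_pass_scheme = SHA512-CRYPT
password_query = SELECT username AS user, password FROM mailbox WHERE username = '%u' AND active = '1'
EOF
    )
    chmod 0600 "$sqlconf"
}

# auth_conf_ok ETC: sanity-check the result. Returns 1 on the first problem:
# plaintext auth still allowed, system auth still included, SQL include
# missing, wrong home template, or a readable password file.
auth_conf_ok() {
    etc=$1
    grep -q '^disable_plaintext_auth = yes' "$etc/conf.d/10-auth.conf" || return 1
    grep -q '^!include auth-sql.conf.ext'   "$etc/conf.d/10-auth.conf" || return 1
    grep -q '^!include auth-system'         "$etc/conf.d/10-auth.conf" && return 1
    grep -q 'home=/var/mail/vmail/%d/%n'    "$etc/conf.d/auth-sql.conf.ext" || return 1
    [ -n "$(find "$etc/dovecot-sql.conf.ext" -perm 0600 -print)" ] || return 1
    grep -q '^driver = mysql' "$etc/dovecot-sql.conf.ext"
}

# Usage on the real server (as root), then: doveconf -n | grep -i auth
#   write_auth_conf /etc/dovecot DBNAME DBUSER 'DBPASS'
#   auth_conf_ok /etc/dovecot && echo "auth configuration looks right"
```

`disable_plaintext_auth = yes` is what actually enforces the "never send passwords in plain text" goal: even if a client tries PLAIN or LOGIN on a non-TLS connection, Dovecot refuses the attempt instead of accepting the credentials.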

We will make several changes to Dovecot's main configuration file, 10-master. The number at the front of the file name indicates the load order (priority). You can use any editor you like; I prefer Vim because I'm used to its commands, but nothing stops you from using nano, for example.

To improve the security of the server and reduce attacks we disable unencrypted access. For that it is enough to set port 0 for the imap and pop3 services, so that only imaps and pop3s remain available. These need an SSL key, which we will create further ahead.

Also change the following settings:
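As an added example (not the post's own 10-master file), the script below writes the listener settings that switch off plaintext IMAP and POP3 and then parses the file back to verify that both plaintext listeners really are disabled, which is the check worth running after any later edit of this file. It assumes Dovecot 2.2 on CentOS 7, the `vmail` account from the previous step, and the authentication socket path that the stock CentOS Postfix expects (needed when Postfix is configured in the next part).

```shell
#!/bin/sh
# Added example, not the post's 10-master file. Assumptions: Dovecot 2.2,
# vmail user, Postfix SASL socket at /var/spool/postfix/private/auth.

# write_master_listeners FILE: port = 0 disables a listener entirely;
# only the TLS-wrapped ports 993 and 995 remain.
write_master_listeners() {
    cat > "$1" <<'EOF'
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service auth {
  # Postfix authenticates its SMTP clients through this socket (next part)
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service auth-worker {
  user = vmail
}
EOF
}

# plaintext_listeners_disabled FILE: returns 0 only when both the imap and
# the pop3 inet_listener blocks exist and each sets port = 0. A block that
# is missing a port line falls back to the default 143/110, so that also
# fails the check.
plaintext_listeners_disabled() {
    awk '
        /^[ \t]*inet_listener[ \t]+(imap|pop3)[ \t]*[{]/ {
            name = $2; inside = 1; port = ""; next
        }
        inside && /^[ \t]*port[ \t]*=/ {
            line = $0
            sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
            port = line
        }
        inside && /[}]/ {
            seen[name] = 1
            if (port != "0") bad[name] = 1
            inside = 0
        }
        END {
            if (!("imap" in seen) || !("pop3" in seen)) exit 1
            if (("imap" in bad) || ("pop3" in bad)) exit 1
            exit 0
        }' "$1"
}

# Usage on the real server:
#   plaintext_listeners_disabled /etc/dovecot/conf.d/10-master.conf \
#       && echo "plaintext imap/pop3 are off" || echo "WARNING: plaintext listener enabled"
```

The parser only looks at `inet_listener imap` and `inet_listener pop3` blocks, so `imaps` and `pop3s` (which must keep their ports) are not matched. After restarting Dovecot, `doveconf -n` should show the same `port = 0` entries.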

SSL certificate

To use the cryptographic services needed both for user authentication when accessing mailboxes and to keep postfixadmin and roundcube behind secure connections, we need valid SSL keys. At this point we will do the configuration with the self-signed key that is created during the Dovecot installation. This key cannot be used to validate a secure browser connection. Later we will change this setting to use an SSL key obtained through Certbot (Let's Encrypt), together with Nginx and the DNS settings.

If you are following the steps of this tutorial you do not need to change anything in the file /etc/dovecot/conf.d/10-ssl.conf, which should contain the following lines:

If the files do not exist, or you want to recreate them (which must be done if you have changed the hostname, for example), do the following:

Edit the file /etc/pki/dovecot/dovecot-openssl.cnf and change the entries according to your own information.

After changing the file, if /etc/pki/dovecot/certs/dovecot.pem and /etc/pki/dovecot/private/dovecot.pem already exist, delete them and then run the mkcert.sh script.

The output of the script should look something like this:

Another encryption-related setting, still in the file /etc/dovecot/conf.d/10-ssl.conf, is the optional ssl_dh attribute. Add or uncomment the line:

and run the following command to generate the .pem file:

Running the command above usually takes a long time, sometimes close to 1 hour. You can also use the command below to generate the same file more quickly.
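The script below is an added example rather than the post's mkcert.sh or its openssl commands: it regenerates a self-signed certificate in the /etc/pki/dovecot layout (certs/dovecot.pem and private/dovecot.pem), generates the parameters for `ssl_dh`, and adds the two checks worth running after any regeneration, namely that the certificate actually matches the private key and that it is not about to expire. It assumes OpenSSL is installed and that the faster DH generation the post refers to is the `-dsaparam` variant.

```shell
#!/bin/sh
# Added example, not the post's scripts. Assumptions: openssl available,
# /etc/pki/dovecot-style layout, "-dsaparam" as the fast DH variant.

# make_selfsigned DIR CN DAYS: key in DIR/private, certificate in DIR/certs.
# The private key is created mode 0600: only root needs to read it, because
# Dovecot loads the key before dropping privileges.
make_selfsigned() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir/certs" "$dir/private"
    chmod 0700 "$dir/private"
    openssl req -x509 -nodes -newkey rsa:2048 -days "$days" -subj "/CN=$cn" \
        -keyout "$dir/private/dovecot.pem" -out "$dir/certs/dovecot.pem" 2>/dev/null
    chmod 0600 "$dir/private/dovecot.pem"
}

# cert_matches_key CERT KEY: the public key embedded in CERT must equal the
# public part of KEY. A mismatch (typically from a half-finished regeneration)
# makes Dovecot refuse to start or present the wrong certificate.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for CERT DAYS: returns 0 if CERT does not expire within DAYS days.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# gen_dh FILE BITS [fast]: Diffie-Hellman parameters for the ssl_dh setting.
# Plain generation searches for a safe prime and can take very long at
# 4096 bits. "fast" uses -dsaparam, which is much quicker and is acceptable
# for TLS as long as the server uses a fresh DH key per handshake, which
# current OpenSSL does by default.
gen_dh() {
    if [ "$3" = fast ]; then
        openssl dhparam -dsaparam -out "$1" "$2"
    else
        openssl dhparam -out "$1" "$2"
    fi
    chmod 0644 "$1"
}

# Usage on the real server (as root):
#   make_selfsigned /etc/pki/dovecot mail.example.com 365
#   cert_matches_key /etc/pki/dovecot/certs/dovecot.pem /etc/pki/dovecot/private/dovecot.pem
#   cert_valid_for /etc/pki/dovecot/certs/dovecot.pem 30 || echo "renew soon"
#   gen_dh /etc/dovecot/dh.pem 4096 fast
```

`cert_valid_for` is also a handy cron check once the Let's Encrypt certificate is in place: a self-signed certificate that silently expired looks, to a mail client, exactly like a man-in-the-middle.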

Log file

By default Dovecot uses CentOS's syslog mechanism, which usually sends the information to the file /var/log/messages. Since later I will show how to block several kinds of attack attempts, one of them using the fail2ban script, which works by analysing logs, it is best to define a dedicated log file so that we don't have to monitor a log file that changes constantly.

To define a dedicated log file, open Dovecot's logging configuration, the file 10-logging in /etc/dovecot/conf.d/, and change or add the following lines.

Save the file and restart the service.

Make sure the file /var/log/dovecot.log has been created and contains entries indicating that the service is running normally.
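As an added example (not the post's own 10-logging file), the script below writes the logging settings that send everything to /var/log/dovecot.log with authentication failures recorded, and then shows the kind of analysis this dedicated log makes possible: counting failed logins per remote IP, which is exactly what fail2ban will later automate. The sample log lines are constructed for this example, using documentation IP addresses; the only assumption about the real file is Dovecot 2.2's `imap-login`/`pop3-login` message format.

```shell
#!/bin/sh
# Added example, not the post's 10-logging file. The log lines below are
# constructed; the real /var/log/dovecot.log has the same format.

# write_logging_conf FILE: one log file for everything, auth failures
# logged, but never the passwords themselves (auth_verbose_passwords stays
# off so that mistyped passwords do not end up in the log).
write_logging_conf() {
    cat > "$1" <<'EOF'
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot.log
auth_verbose = yes
auth_verbose_passwords = no
auth_debug = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
EOF
}

# sample_dovecot_log FILE: constructed lines in the format Dovecot writes
# with the settings above (one good login, three failures, one probe).
sample_dovecot_log() {
    cat > "$1" <<'EOF'
2018-02-10 12:00:01 imap-login: Info: Login: user=<ana@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=1201, TLS, session=<abc>
2018-02-10 12:00:05 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<def>
2018-02-10 12:00:09 pop3-login: Info: Disconnected (auth failed, 1 attempts in 1 secs): user=<root@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<ghi>
2018-02-10 12:00:12 imap-login: Info: Disconnected (auth failed, 3 attempts in 10 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS, session=<jkl>
2018-02-10 12:00:20 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=203.0.113.9, lip=192.0.2.10, TLS
EOF
}

# failed_auth_by_ip LOGFILE: count "auth failed" disconnects per remote IP
# (the rip= field), most frequent first, printed as "COUNT IP".
failed_auth_by_ip() {
    awk '/auth failed/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^rip=/) { split($i, a, /[=,]/); n[a[2]]++ }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Usage on the real server:
#   write_logging_conf /etc/dovecot/conf.d/10-logging.conf && systemctl restart dovecot
#   failed_auth_by_ip /var/log/dovecot.log | head
```

Note that the "Aborted login (no auth attempts)" line is not counted: it is a connection that never tried a password (a port scan or a client probing the banner), and treating it as a failed login would make the counts noisy.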

Firewall rules

If you are following this tutorial from the start on a default installation, the connection ports are probably closed to the outside world. The commands below open the imaps (993) and pop3s (995) ports so that you can connect an email client such as Outlook or Gmail. Even if they are already open, in a later post I will show a list of firewall rules to improve security.

First make sure that the firewalld service is running. If it is stopped, probably all the ports that have a listening service are open.

Check the State line, which can show either active (running) or inactive (dead). If it is inactive, there is no need to continue. If it is active, we list which ports are open externally.

In the example above, only dhcpv6-client and ssh are allowed. We then add the ports required to receive and send e-mail externally.

As you can see in the example, we add the imaps and pop3s services, which the Dovecot service listens on. Later we will also add the smtp and submission ports, which Postfix (master) listens on. Note that I do not open the insecure imap and pop3 ports, because I want to force the use of SSL/TLS.

To make sure the ports are open you can try a telnet to ports 993 and 995 from another system on the same network and verify that the file /var/log/dovecot.log shows the attempts. If you are not able to run that test right now, check the output of the command below:
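The script below is an added example, not the post's own commands: it wraps the firewalld steps above in one function and adds a local check that reads the output of `ss -tln` and confirms that only the TLS ports 993 and 995 are listening, with the plaintext ports 143 and 110 absent, which is the intent of the `port = 0` settings made earlier. It assumes CentOS 7's firewalld (which ships the `imaps` and `pop3s` service definitions) and the `ss` column layout of the iproute package; the sample `ss` output is constructed for the example.

```shell
#!/bin/sh
# Added example, not the post's commands. Assumptions: firewalld with the
# imaps/pop3s service definitions, iproute's "ss -tln" column layout.

# open_mail_ports: allow imaps and pop3s permanently and reload. Needs root.
# When firewalld is not running there is nothing to open (and, as the post
# notes, every listening port is then already reachable).
open_mail_ports() {
    systemctl is-active --quiet firewalld || return 0
    firewall-cmd --permanent --add-service=imaps
    firewall-cmd --permanent --add-service=pop3s
    firewall-cmd --reload
    firewall-cmd --list-services
}

# sample_ss FILE: constructed "ss -tln" output for a server that listens
# only on the TLS mail ports, ssh and the local-only SMTP port.
sample_ss() {
    cat > "$1" <<'EOF'
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      100    *:993               *:*
LISTEN     0      100    *:995               *:*
LISTEN     0      128    *:22                *:*
LISTEN     0      100    127.0.0.1:25        *:*
LISTEN     0      100    [::]:993            [::]:*
LISTEN     0      100    [::]:995            [::]:*
EOF
}

# ssl_only_listeners FILE: read saved "ss -tln" output and return 0 only if
# 993 and 995 are listening and neither 143 (imap) nor 110 (pop3) is.
# The port is the text after the last ':' of the Local Address:Port column,
# which handles both *:993 and [::]:993.
ssl_only_listeners() {
    awk 'NR > 1 {
            port = $4; sub(/.*:/, "", port); seen[port] = 1
         }
         END {
            if (!(993 in seen) || !(995 in seen)) exit 1
            if ((143 in seen) || (110 in seen)) exit 1
            exit 0
         }' "$1"
}

# Usage on the real server (as root):
#   open_mail_ports
#   ss -tln > /tmp/ss.txt && ssl_only_listeners /tmp/ss.txt \
#       && echo "only imaps/pop3s listening" || echo "WARNING: plaintext port open"
```

The firewall and the listener check answer different questions: firewalld decides what the outside world can reach, while `ss` shows what Dovecot is actually offering. Both should agree that 143 and 110 are closed before you point an email client at the server.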

And that's all for now. Next, we configure Postfix 3.

