From 8216d3a1831442bd849396454b587548b688a587 Mon Sep 17 00:00:00 2001 From: revsuine Date: Wed, 20 Nov 2024 21:07:07 +0000 Subject: [PATCH] content/blog/mail_server_alpine_postfix_dovecot_tutorial.md: get to point where you can login with email client --- ..._server_alpine_postfix_dovecot_tutorial.md | 241 ++++++++++++++++++ 1 file changed, 241 insertions(+) diff --git a/content/blog/mail_server_alpine_postfix_dovecot_tutorial.md b/content/blog/mail_server_alpine_postfix_dovecot_tutorial.md index 8e62572..4e6f120 100644 --- a/content/blog/mail_server_alpine_postfix_dovecot_tutorial.md +++ b/content/blog/mail_server_alpine_postfix_dovecot_tutorial.md @@ -295,6 +295,16 @@ Now set `mydomain` to the domain you intend to send email from. For instance, my `myorigin` determines the domain name in the `From:` field of locally sent emails. So you could for instance set this to `revsuine.xyz`. +Set `mydestination` to the following: + +```conf +mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain +``` + +`mydestination` states the list of domains your machine will consider itself the destination for, e.g. if `mydomain` is +set to `revsuine.xyz` then any emails sent to `username@revsuine.xyz` will be sent to my server according to the above +configuration. + `maillog_file` denotes where Postfix's log file is. By default this is `/var/log/messages`; you may want to configure Postfix to have a dedicated log file like `/var/log/postfix.log`. 
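Review bot: The explanation under the new `mydestination` setting in this hunk overstates what the parameter does. Listing `$mydomain` in `mydestination` tells Postfix to accept mail addressed to `username@revsuine.xyz` and deliver it locally instead of relaying it; whether such mail reaches this server at all is decided by the domain's MX record, not by this setting. Suggest rewording "any emails sent to `username@revsuine.xyz` will be sent to my server" to something like "any mail that arrives for `username@revsuine.xyz` will be accepted for local delivery rather than relayed elsewhere".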
@@ -532,6 +542,237 @@ mailbox_transport = lmtp:unix:private/dovecot-lmtp smtputf8_enable = no ``` +## Configuring authentication + +Edit `/etc/dovecot/conf.d/10-auth.conf` and uncomment the following line: + +```conf +disable_plaintext_auth = yes +``` + +This disables plaintext authentication *unless* SSL/TLS is used. + +In the same file, configure `auth_username_format`. As the variable name suggests, this denotes the format the server +expects usernames in for authentication. Setting it to `%n` removes the domain, so to sign in to `user@domain.com` +you'd enter your username as `user`. For this setup, you should set `auth_username_format` to `%n`, because we are +using Unix user accounts for email accounts; Dovecot wouldn't be able to find `user@domain.com` because the mailbox +user is just `user`. + +In the same file again, `auth_mechanisms` is a space-separated list of authentication mechanisms your server uses. Set +this to + +```conf +auth_mechanisms = plain login +``` + +`login` is mostly to support older email clients, but is optional. + +Edit `/etc/dovecot/conf.d/10-master.conf`, and change `service auth` to the following: + +```conf +service auth { + unix_listener /var/spool/postfix/private/auth { + mode = 0660 + user = postfix + group = postfix + } +} +``` + +Now we need to set the actual mechanism through which the server knows what password to expect, and what users exist. +We will use a file at `/etc/dovecot/passwd` to manage this. Edit `/etc/dovecot/conf.d/auth-passwdfile.conf.ext` to be +the following: + +```conf +passdb { + driver = passwd-file + args = scheme=argon2id username_format=%n /etc/dovecot/passwd +} + +userdb { + driver = passwd +} +``` + +See [this documentation](https://doc.dovecot.org/main/core/config/auth/schemes.html) to decide on a password scheme to +use. I picked `argon2id` as the most secure option, however also the most expensive option, so it may be a poor option +if you have many users. 
Dovecot recommends that, if using ARGON2ID, you set `vsz_limit = 2G` for the `auth` service. To +do that with our setup, edit `/etc/dovecot/conf.d/10-master.conf` and add the line + +```conf +vsz_limit = 2G +``` + +to the `service auth {}` section. + +Now we want to include this file. Edit `/etc/dovecot/10-auth.conf` and ensure it includes this line, and that other +`!include` lines for other `auth-*.conf.ext` files are commented out: + +```conf +!include auth-passwdfile.conf.ext +``` + +## Creating a user + +Now let's create a user. We will be using a Unix user account, so create one with `adduser` if you don't already have +one. Their Unix username will be their email username, and what appears before the `@` in their email address. They +should also be in the `mail` group. So for instance: + + # adduser revsuine + # adduser revsuine mail + +We will not, however, be using their Unix password for authentication. Instead, we'll set them a password dedicated for +their email account. Create or edit the `/etc/dovecot/passwd` text file. Have a look at the following example: + +```passwd +revsuine:{ARGON2ID}$argon2id$v=19$m=65536,t=3,p=1$H1oyL7UdwUWiBuZGnyXorQ$3aW/cfyNdrjoHw3OK7HlOzwgKqdg61prln8QMtWJijg +muffalo:{ARGON2ID}$argon2id$v=19$m=65536,t=3,p=1$KLnLOiqlhbhOPLhmTUqllA$Raki8Rw/+eOgJzDSEXxtw0mqI+aYLyFf+gpi+MQTdfo +thrumbo:{ARGON2ID}$argon2id$v=19$m=65536,t=3,p=1$8R4rVQ2hlKmiZ0Zmyzwg0g$tkesrePjJfLAEKu1wyJY1tu6V+fR5+C6/etyKq6WJlQ +``` + +This lists three users, `revsuine`, `muffalo`, and `thrumbo` (those are their usernames). These will all be system +users in the `mail` group. After the colon is the ARGON2ID hash of their password. 
+ +If you're storing passwords with ARGON2ID, to get what goes after the colon in your passwd file, run this command: + + # doveadm pw -s argon2id + +You will be prompted to enter a password, and then it will output exactly what to put after the colon, such as +`{ARGON2ID}$argon2id$v=19$m=65536,t=3,p=1$H1oyL7UdwUWiBuZGnyXorQ$3aW/cfyNdrjoHw3OK7HlOzwgKqdg61prln8QMtWJijg`. Each +user is their own line of the file. + +Set up your `/etc/dovecot/passwd` file accordingly, making sure each user listed is also a system user, because we are +storing their mail in their home directories. + +## Use your TLS certificate + +Edit `/etc/dovecot/conf.d/10-ssl.conf` and set the following options (some should already be present, so you should +just change their values): + +```conf +ssl = required +ssl_cert = + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
IncomingOutgoing
Server typeIMAPSMTP
Server`mail.domain.com`, or whatever your MX record is set to
Port993465
UsernameYour system username; this should be the contents of your email address before the `@`
EncryptionSSL/TLS
AuthenticationPasswordPLAIN (shows up as `Normal password` in Thunderbird)
+ +With our setup, we are also able to use STARTTLS on port 143 (incoming) and 587 (outgoing) too. + +You should be able to send and receive emails as normal now. + [^server_trust]: This is only true to the extent that your server is not compromised. You could say there's an order of
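Review bot: The "Creating a user" part of this hunk has the reader create `/etc/dovecot/passwd`, which holds every account's password hash, but never says who may read it; on this setup every mail user is also a local shell user, so a world-readable file lets any one of them collect the others' hashes. Add a step right after the example file, e.g. `# chown root:dovecot /etc/dovecot/passwd` and `# chmod 0640 /etc/dovecot/passwd`, so the file is readable only by root and by the account Dovecot's `auth` service runs as (`dovecot` by default), and tell the reader to re-test a login afterwards. Two smaller points in the same region: the include instruction says "Edit `/etc/dovecot/10-auth.conf`" while every other reference in the hunk uses `/etc/dovecot/conf.d/10-auth.conf`, so `conf.d/` is missing from that path; and since the passdb already passes `scheme=argon2id`, it is worth one sentence explaining that the `{ARGON2ID}` prefix emitted by `doveadm pw -s argon2id` is what actually selects the scheme per line, so the two must agree.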