One Server to Rule them all — DOVECOT

James Pearson
6 min read · Sep 20, 2023

Part 6 — DOVECOT

We are getting there. Now we are on part 6 of the “One Server to Rule them all” series, this time covering the installation of the popular DOVECOT and testing it with an Ubuntu workstation client, running Thunderbird.

Dovecot is an open-source email server software that provides both the Internet Message Access Protocol (IMAP) and the Post Office Protocol (POP3) for email retrieval, which we will test by retrieving and managing email messages from our server.

Before we go on, here are some key features and functions of Dovecot:

IMAP and POP3 Support:

Dovecot primarily serves as an IMAP server, which allows users to access their email messages stored on a remote server while keeping those messages synchronized between multiple devices. It also supports POP3, another protocol for email retrieval.

Secure Communication:

Dovecot supports secure communication through protocols like IMAPS (IMAP over TLS/SSL) and POP3S (POP3 over TLS/SSL) to ensure that email data is encrypted during transmission.

Mailbox and Folder Management:

Dovecot supports the creation of mailboxes (folders) and offers a flexible folder structure for organizing email messages.

Authentication and Authorization:

Dovecot provides authentication mechanisms to verify the identity of users trying to access their email accounts. It can integrate with various authentication methods, such as LDAP, PAM, and more.

Integration with MTA:

Dovecot is often used in conjunction with a Mail Transfer Agent (MTA), such as Postfix or Exim, which handles the sending and receiving of email. Dovecot stores and serves email to users after the MTA has received it.

Plugins and Extensibility:

Dovecot is highly extensible and supports various plugins to add additional functionality. For example, you can use plugins for email filtering, indexing, and authentication.

Performance and Scalability:

Dovecot is known for its performance and efficiency, making it suitable for both small and large email systems.

Compatibility:

Dovecot works well with a wide range of email clients, making it a popular choice for hosting email services on servers.

Installation

Easy enough start:

sudo apt install dovecot-imapd dovecot-pop3d

Now for some configuration:

sudo nano /etc/dovecot/dovecot.conf

We will be adding the following lines:

  • add: protocols = imap pop3
  • add: mail_location = maildir:~/Maildir

And:

sudo nano /etc/dovecot/conf.d/10-auth.conf

  • add: disable_plaintext_auth = no
  • add: auth_mechanisms = plain login

Finally:

sudo nano /etc/dovecot/conf.d/10-ssl.conf

  • amend: ssl_cert = </etc/postfix/ssl/postfix.crt
  • amend: ssl_key = </etc/postfix/ssl/postfix.key
  • amend: ssl_client_ca_dir = /etc/postfix/ssl/

As we have made amendments, we should restart the Dovecot service:

sudo systemctl restart dovecot

This completes the basic setup to enable us to work with our server, as far as email from the client is concerned. There are some other items (to be discussed later) that we will also install.
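A pre-flight check for the listener configured above, added here as an example and not part of the original post: it connects to port 143, reports whether the server offers STARTTLS and whether it will accept a plaintext login before TLS is up (the consequence of disable_plaintext_auth = no), then upgrades to TLS and returns the negotiated version and the certificate fingerprint so it can be matched against postfix.crt before the self-signed exception is accepted in Thunderbird. The host name is an assumed placeholder.

```python
import hashlib
import imaplib
import ssl

# Added example (not from the original post): checks what the Dovecot IMAP
# listener on port 143 offers before and after STARTTLS.

def assess_capabilities(caps, tls_active):
    """Classify the server's CAPABILITY tokens.

    With disable_plaintext_auth = no, as set in this walkthrough, Dovecot
    advertises AUTH=PLAIN / AUTH=LOGIN and omits LOGINDISABLED even on the
    cleartext session, so a client that skips STARTTLS sends the password
    unencrypted. With the default (yes) the cleartext session shows
    LOGINDISABLED and no plaintext mechanisms until TLS is up.
    """
    caps = {c.upper() for c in caps}
    result = {
        "starttls_offered": "STARTTLS" in caps,
        "login_disabled": "LOGINDISABLED" in caps,
        "plain_mechs": sorted(c for c in caps if c in ("AUTH=PLAIN", "AUTH=LOGIN")),
    }
    # Credentials are exposed only before TLS and only if the server has not
    # told clients that LOGIN is disabled.
    result["cleartext_password_possible"] = not tls_active and not result["login_disabled"]
    return result

def probe_imap(host="mail.example.test", port=143, timeout=5):
    """Connect in cleartext, record capabilities, upgrade with STARTTLS, repeat.

    host is an assumed placeholder. Verification is disabled because the
    walkthrough uses a self-signed certificate; the SHA-256 fingerprint is
    returned instead, to compare with `openssl x509 -noout -fingerprint -sha256
    -in /etc/postfix/ssl/postfix.crt` on the server before trusting it.
    """
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        before = assess_capabilities(conn.capabilities, tls_active=False)
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn.starttls(ctx)  # raises imaplib.IMAP4.abort if STARTTLS is absent
        after = assess_capabilities(conn.capabilities, tls_active=True)
        after["tls_version"] = conn.sock.version()
        der = conn.sock.getpeercert(binary_form=True)
        after["cert_sha256"] = hashlib.sha256(der).hexdigest()
        return {"before_starttls": before, "after_starttls": after}
    finally:
        conn.shutdown()
```

Run `probe_imap("your.mail.host")` from the client; a result whose `before_starttls` entry has `cleartext_password_possible` set to True means the server will take a password over the unencrypted session if a client is ever misconfigured.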

Now we can look to work with our first client to connect and do some testing. I will be using a fully updated Ubuntu workstation 22.04 LTS, with a default firewall.

The details in this case will be:

  • hostname: ubuntu001.jetj.ltd
  • IP: 192.168.122.84

In order to work effectively, as we are running within our development environment, we need to ensure that we are using the correct DNS server to pick up our email host.

As we are practising for the CySA+, let's amend it in the terminal. We can use the `nmcli` command to review our current settings:

karti@ubuntu001:~$ nmcli
enp1s0: connected to Wired connection 1
"Red Hat Virtio"
ethernet (virtio_net), 52:54:00:E6:97:2A, hw, mtu 1500
ip4 default
inet4 192.168.122.84/24
route4 192.168.122.0/24 metric 100
route4 169.254.0.0/16 metric 1000
route4 default via 192.168.122.1 metric 100
inet6 fe80::1301:5f47:8757:bd6c/64
route6 fe80::/64 metric 1024

lo: unmanaged
"lo"
loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536

DNS configuration:
servers: 192.168.122.1
interface: enp1s0

servers: 2001:db8::1 2001:db8::2
interface: enp1s0

Use "nmcli device show" to get complete information about known devices and
"nmcli connection show" to get an overview on active connection profiles.

Consult nmcli(1) and nmcli-examples(7) manual pages for complete usage details.

Prior to editing the file we use the following command to find the actual name:

karti@ubuntu001:~$ nmcli connection show
NAME UUID TYPE DEVICE
Wired connection 1 d960b4a6-de97-305e-b36d-c5bff35015a5 ethernet enp1s0

This provides the name we use in the interactive editor:

karti@ubuntu001:~$ sudo nmcli con edit Wired\ connection\ 1 
[sudo] password for karti:

===| nmcli interactive connection editor |===

Editing existing '802-3-ethernet' connection: 'Wired connection 1'

Type 'help' or '?' for available commands.
Type 'print' to show all the connection properties.
Type 'describe [<setting>.<prop>]' for detailed property description.

You may edit the following settings: connection, 802-3-ethernet (ethernet), 802-1x, dcb, sriov, ethtool, match, ipv4, ipv6, hostname, tc, proxy
nmcli>

We add the DNS server address (IPv4 and IPv6):

nmcli> set ipv4.dns 192.168.122.120
nmcli> set ipv6.dns 2001:db8::1,2001:db8::2
nmcli> save
Connection 'Wired connection 1' (d960b4a6-de97-305e-b36d-c5bff35015a5) successfully updated.

Now that we have saved it, we can exit and reload the configuration:

nmcli> quit
karti@ubuntu001:~$ sudo nmcli con reload
karti@ubuntu001:~$

With that set up we can now start to get Thunderbird ready as the email client. Open up the application:

And add in your user details. Then continue:

Then click done. This will bring up a security exception as our certificate is self signed. Just confirm:

The account has been created.

Now we see our mailbox in all its glory. So, without a pause — let’s create our first email on Thunderbird:

When we hit send we get another security exception, this time for sending emails. Again confirm:

You will get a send error:

Just OK that, and hit send again and the message will go through.

We can check by looking in the sent folder:

If we use mutt as we did previously from Jane’s account we see we have an email:

Let’s reply from the server back to John:

And as we see, it has worked as expected. That finishes this particular session; however, there is just one more item I wanted to highlight.

If you want to use this setup and actually create folders within your account on Thunderbird, you need to do the following in order for them to synchronise:

sudo nano /etc/dovecot/dovecot.conf

Locate the mail_location setting and ensure it’s set as follows, allowing sub-directories within the user’s Maildir:

mail_location = maildir:~/Maildir:INDEX=~/Maildir

This allows sub-folders to be created within the user’s Maildir. You then need to define a namespace that specifies how these sub-folders are handled. Add a namespace section like this to your Dovecot configuration file:

namespace inbox {
  separator = /
  inbox = yes
}

This will now synchronise your folders. Enjoy!!

So, in summary, we have now set up a working email server that runs STARTTLS with TLSv1.3, listening on ports 25 and 143. We have fully tested it with the default Thunderbird client and even allowed the user to create his own mail folders.

We have a few more settings to complete in our journey, such as DKIM and DMARC, that will all help to solidify the email security on our “One Server to Rule them all.”

I hope you have enjoyed reading this and it was of some benefit. Hope to see you in the next session.
