Dovecot
Dovecot is an IMAP and POP3 server, and is used on Wikimedia's IMAP server sanger.
For instructions on user and e-mail account management, see Mail#IMAP_account_management.
Dovecot can be installed from the Ubuntu dovecot-imap package, which also pulls in dovecot-common.
Configuration
The configuration file resides in /etc/dovecot/dovecot.conf. Dovecot has very reasonable defaults, so not many settings need to be changed.
Main configuration
Protocols
We only support IMAP over SSL/TLS:
protocols = imaps
SSL
Dovecot needs an SSL certificate and private key to support SSL. Point it at the relevant files using the settings:
ssl_cert_file = /etc/ssl/certs/wikimedia.org.pem
ssl_key_file = /etc/ssl/private/wikimedia.org.key
Dovecot opens these files as root, so their permissions should not be a problem (the private key can stay readable by root only).
login max processes count
The default maximum number of login processes is too low, so raise it:
login_max_processes_count = 1024
Mail location
As we have a unified virtual-user IMAP setup, the Maildir directory can be derived from a template:
mail_location = maildir:/var/vmail/%d/%n
Mail extra groups
The Ubuntu default configuration adds the group mail; this is not needed in our setup, so the line stays commented out:
#mail_extra_groups = mail
Maildir optimizations
When copying a message, do it with hard links whenever possible. This improves performance considerably and is unlikely to have any side effects.
maildir_copy_with_hardlinks = yes
Mail processes
Show more verbose process titles (in ps). Currently this shows the user name and IP address, which is useful for seeing who is actually using the IMAP processes (e.g. shared mailboxes, or when the same uid is used for multiple accounts).
verbose_proctitle = yes
Restrict allowed UIDs to be used for accessing mail to precisely the vmail UID:
first_valid_uid = 107
last_valid_uid = 107
Protocol IMAP
Two plugins are loaded for quota support. The quota plugin enforces the actual quotas; imap_quota exposes quota information over the IMAP protocol for clients that support it.
protocol imap {
  mail_plugins = quota imap_quota
}
Authorization
We use the PLAIN auth mechanism with an SQLite password database. We could use the static userdb mapping if it weren't for per-user quota support; instead we (ab)use SQL to achieve the same result (see below).
auth default {
  mechanisms = plain
  passdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
  userdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
  ...
The auth processes should run under a separate uid. The account dovecot-auth has been created for this purpose:
# adduser --system --home /var/run/dovecot --no-create-home --ingroup vmail --disabled-password --disabled-login dovecot-auth
  ...
  user = dovecot-auth
}
SQL configuration
Details of SQL queries are specified in the file /etc/dovecot/dovecot-sql.conf.
We're using SQLite:
driver = sqlite
connect = /var/vmaildb/user.db
The default password hashing scheme is salted SHA-1 (SSHA):
default_pass_scheme = SSHA
To obtain the password field for a given username, the following SQL query is used:
password_query = SELECT localpart||'@'||domain AS user, password FROM account WHERE localpart='%n' AND domain='%d'
Escaping of the username is handled by Dovecot; see the main configuration file.
The user database query is only needed because of the quota field:
user_query = SELECT '107' AS uid, '112' AS gid, 'maildir:ignore=Trash:storage='||quota AS quota FROM account WHERE localpart='%n' AND domain='%d'
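As an added example (not from this page or from Dovecot itself), the following Python script models the passdb and userdb lookups above against an in-memory SQLite database: it assumes an account table with the four columns the queries read, stores one constructed user with a Dovecot-style {SSHA} hash, and binds the username as parameters in place of the %n/%d substitution that Dovecot performs.

```python
import base64
import hashlib
import hmac
import os
import sqlite3

# Assumed schema for the account table (the page only names the columns it reads).
SCHEMA = ("CREATE TABLE account (localpart TEXT NOT NULL, domain TEXT NOT NULL, "
          "password TEXT NOT NULL, quota INTEGER NOT NULL)")

def ssha_hash(password, salt=None):
    """Dovecot-style salted SHA-1: {SSHA}base64(sha1(password||salt)||salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value (default_pass_scheme = SSHA)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes; the rest is the salt
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

# The page's queries with %n/%d replaced by bound parameters, so the username
# never reaches the SQL text unescaped (Dovecot escapes %n/%d itself).
PASSWORD_QUERY = ("SELECT localpart||'@'||domain AS user, password FROM account "
                  "WHERE localpart=? AND domain=?")
USER_QUERY = ("SELECT '107' AS uid, '112' AS gid, "
              "'maildir:ignore=Trash:storage='||quota AS quota "
              "FROM account WHERE localpart=? AND domain=?")

def open_db():
    """In-memory stand-in for /var/vmaildb/user.db holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute("INSERT INTO account VALUES (?, ?, ?, ?)",
               ("alice", "example.org", ssha_hash("correct horse"), 1024))
    return db

def check_login(db, localpart, domain, password):
    """passdb lookup: the user@domain on success, None otherwise."""
    row = db.execute(PASSWORD_QUERY, (localpart, domain)).fetchone()
    return row[0] if row and ssha_verify(password, row[1]) else None

def lookup_user(db, localpart, domain):
    """userdb lookup: (uid, gid, quota rule) as Dovecot receives them."""
    return db.execute(USER_QUERY, (localpart, domain)).fetchone()
```

The userdb row shows why the SQL userdb is needed: the quota column is turned into the per-user storage rule that the quota plugin enforces.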
See also
- Mail for Dovecot LDA configuration, and the rest of the mail system.