$ doas pkg_add dovecot
Configuration
A single user vmail will receive mail for all virtual users:
$ doas useradd -m -g =uid -c "Virtual Mail" -d /var/vmail -s /sbin/nologin vmail
/var/vmail will be used to store virtual users' maildir folders. It will be managed by
dovecot, which receives mail via LMTP.
To protect the password file, remove world-readable permissions from /etc/mail
and change its ownership so only the mail daemons can read it:
$ doas chmod -R o-rx /etc/mail/
$ doas chown -R _smtpd:_dovecot /etc/mail/
In /etc/dovecot/dovecot.conf, add the following lines at the bottom of the file:
protocols = imap pop3 lmtp
listen = 192.168.0.1, 2001:db8::
service lmtp {
user = vmail
}
This tells dovecot to serve the protocols IMAP, POP3, and LMTP.
Note: We don't want to support submission with dovecot.
It also tells dovecot the public IPs you want it to listen on. Finally, the last
block tells dovecot to run the LMTP service as the user vmail.
To aid with troubleshooting, you can consider adding these lines:
auth_verbose=yes
auth_debug=yes
auth_debug_passwords=yes
mail_debug=yes
auth_verbose_passwords=sha1
verbose_ssl=yes
In /etc/dovecot/conf.d/10-auth.conf, first comment out the include of auth-system.conf.ext:
#!include auth-system.conf.ext
This prevents dovecot from using BSD auth.
Then at the bottom of the file, add these lines:
passdb {
args = scheme=blf-crypt /etc/mail/passwd
driver = passwd-file
}
userdb {
args = uid=vmail gid=vmail home=/var/vmail/%d/%n
driver = static
}
The first block defines our password database to use blowfish (see blowfish(3) and encrypt(1)).
The second block says that mail must be read as user ID and group ID vmail, and
that each user's mail will be in the folder /var/vmail/%d/%n/ (domain, then username).
In /etc/dovecot/conf.d/10-mail.conf:
mail_location = maildir:/var/vmail/%d/%n/Maildir
This again indicates all mail will be in the folders /var/vmail/%d/%n/, in Maildir format.
In /etc/dovecot/conf.d/10-ssl.conf, make the changes to these lines:
ssl = yes
...
ssl_cert = </etc/ssl/example.com.crt
ssl_key = </etc/ssl/private/example.com.key
You will need to replace example.com with your real domain.
Please read the instructions in the dovecot README in /usr/local/share/doc/pkg-readmes/dovecot.
That file explains that you must add this login class to /etc/login.conf:
dovecot:\
:openfiles-cur=4096:\
:openfiles-max=8192:\
:tc=daemon:
WARNING: You must use tabs and not spaces. If you use spaces in /etc/login.conf, the settings will not work.
NOTE: Allowing more open files than suggested in the README can help if you have many IP addresses.
WARNING: If login.conf.db exists, you will need to rebuild it:
# [ -f /etc/login.conf.db ] && cap_mkdb /etc/login.conf
But it is best to just remove /etc/login.conf.db since it is not required:
$ doas rm /etc/login.conf.db
Starting dovecot
To start dovecot via rcctl:
$ doas rcctl enable dovecot
$ doas rcctl start dovecot
Troubleshooting
Make sure to check /var/log/maillog. To test that IMAP with STARTTLS is reachable and presents your certificate:
$ openssl s_client -starttls imap -connect username.coconut.ircnow.org:143
When starting dovecot, you may find it fails:
$ doas rcctl start dovecot
dovecot(failed)
When this happens, run the rc.d script with debugging turned on:
$ doas /etc/rc.d/dovecot -d start
doing _rc_parse_conf
doing _rc_quirks
dovecot_flags empty, using default ><
doing rc_check
dovecot
doing rc_start
doing _rc_wait start
doing rc_check
doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 12: ssl_cert: Can't open file /etc/ssl/dovecotcert.pem: No such file or directory
doing _rc_rm_runfile
(failed)
In this case, you can see the error is in line 12 of /etc/dovecot/conf.d/10-ssl.conf. I forgot to write the real path of the cert: /etc/ssl/example.com.fullchain.pem
(where example.com is replaced with my real domain).
If authentication fails with errors like the following in /var/log/maillog, the _dovecot user cannot read /etc/mail/passwd. Check the ownership and permissions of /etc/mail against the chmod and chown commands in the Configuration section:
Jun 9 01:37:35 jrmu dovecot: auth: Error: passwd-file(jrmu@jrmu.host.oddprotocol.org,125.231.25.80,<aiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)
Jun 9 01:37:41 jrmu dovecot: auth: Error: passwd-file(jrmu@jrmu.host.oddprotocol.org,125.231.25.80,<aiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)
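The failures covered in the Configuration and Troubleshooting sections (world-readable /etc/mail, space-indented login.conf, a stale login.conf.db, a wrong ssl_cert/ssl_key path) can all be caught before starting dovecot. The following pre-flight script is an added example, not part of the original guide or of the dovecot package; every check takes an optional path argument so it can be run against a test copy of the file, and exit status 0 means the check passed.

```shell
#!/bin/sh
# Pre-flight checks for the dovecot setup above (constructed example, not
# from the original guide). Each function returns 0 when the check passes.

# /etc/mail must not be world-readable: _dovecot needs the passwd file,
# but other local users must not be able to read the password hashes.
check_mail_dir_perms() {
    dir=${1:-/etc/mail}
    [ -d "$dir" ] || return 1
    # Any entry with the "other" read (004) or execute (001) bit set is a finding.
    [ -z "$(find "$dir" \( -perm -004 -o -perm -001 \) -print)" ]
}

# The dovecot stanza in login.conf must be indented with tabs; as the guide
# warns, space-indented continuation lines mean the settings will not work.
check_login_conf_tabs() {
    file=${1:-/etc/login.conf}
    awk '
        /^dovecot:/        { found = 1; inblock = 1; next }
        inblock && /^ /    { bad = 1 }       # continuation line indented with spaces
        inblock && !/\\$/  { inblock = 0 }   # stanza ends at the first line without a trailing backslash
        END { if (found && !bad) exit 0; exit 1 }
    ' "$file"
}

# ssl_cert and ssl_key are written as "<path" (the < means: read this file).
# A typo here produces exactly the "Can't open file" fatal error shown above.
check_ssl_paths() {
    conf=${1:-/etc/dovecot/conf.d/10-ssl.conf}
    paths=$(sed -n -e 's/^[[:space:]]*ssl_cert[[:space:]]*=[[:space:]]*<//p' \
                   -e 's/^[[:space:]]*ssl_key[[:space:]]*=[[:space:]]*<//p' "$conf")
    [ -n "$paths" ] || return 1
    for p in $paths; do
        [ -e "$p" ] || return 1
    done
}

# login.conf.db must be rebuilt after editing login.conf; the guide recommends
# removing it instead, so its presence is reported as a finding.
check_no_login_db() {
    [ ! -f "${1:-/etc/login.conf.db}" ]
}
```

Run it as root on the live paths before `rcctl start dovecot`, or point each function at a copy of the file you are about to install.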