Dovecot (2.1)

Dovecot seems to be a natural fit for Postfix. As complex as these configurations look, building up to them was a relatively painless process.

Except for quotas. Save yourself the pain unless you really need them.

/etc/dovecot.conf

 * listen = 198.51.100.187, 2001:db8::4
 * Set this to your IPs, obviously.
 * login_greeting = Dovecot ready (or whatever greeting you feel like)

/etc/dovecot/dovecot-sql.conf
Editing guidelines:

 * driver = mysql
 * connect = host=/var/run/mysqld/mysqld.sock dbname=mail user=vmreader password=yourpasshere
 * default_pass_scheme = SSHA256
 * Or choose whatever
 * user_query = SELECT CONCAT('/var/vmail/',d.domain_name,'/',substring(md5(u.username),1,2),'/',u.username) AS home, 999 AS uid, 999 AS gid FROM mail_users AS u, mail_domains AS d WHERE u.isactive AND u.ID_DOMAIN=d.ID_DOMAIN AND d.domain_name='%d' AND u.username='%n'
 * Obviously set the home directory appropriately.
 * password_query = SELECT CONCAT(u.username,'@',d.domain_name) AS user, u.mailpass AS password, CONCAT('/var/vmail/',d.domain_name,'/',substring(md5(u.username),1,2),'/',u.username) AS userdb_home, 999 AS userdb_uid, 999 AS userdb_gid FROM mail_users AS u, mail_domains AS d WHERE u.isactive AND u.ID_DOMAIN=d.ID_DOMAIN AND d.domain_name='%d' AND u.username='%n'
 * Note the md5 hash splitting - you can add further subtrees:
 * password_query = SELECT CONCAT(u.username,'@',d.domain_name) AS user, u.mailpass AS password, CONCAT('/var/vmail/',d.domain_name,'/',substring(md5(u.username),1,2),'/',substring(md5(u.username),3,2),'/',u.username) AS userdb_home, 999 AS userdb_uid, 999 AS userdb_gid FROM mail_users AS u, mail_domains AS d WHERE u.isactive AND u.ID_DOMAIN=d.ID_DOMAIN AND d.domain_name='%d' AND u.username='%n'
 * or additional characters:
 * password_query = SELECT CONCAT(u.username,'@',d.domain_name) AS user, u.mailpass AS password, CONCAT('/var/vmail/',d.domain_name,'/',substring(md5(u.username),1,3),'/',substring(md5(u.username),4,3),'/',u.username) AS userdb_home, 999 AS userdb_uid, 999 AS userdb_gid FROM mail_users AS u, mail_domains AS d WHERE u.isactive AND u.ID_DOMAIN=d.ID_DOMAIN AND d.domain_name='%d' AND u.username='%n'
 * But when you clearly don't need it, too many subtrees are more of a nuisance than a feature.
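An added example (not part of the original page): it produces a mailpass value in the layout Dovecot expects for default_pass_scheme = SSHA256, verifies one, and rebuilds the home path the user_query above derives from md5(u.username), so you can confirm the SQL and the %2Mn in mail_location agree before pointing Dovecot at the database. Assumptions: the mail_users/mail_domains layout from the queries, UTF-8 usernames, and the constructed inputs in the docstrings.

```python
import base64
import hashlib
import hmac
import os


def ssha256_hash(password, salt=None):
    """Return "{SSHA256}" + base64(sha256(password + salt) + salt).

    This is the layout Dovecot uses for default_pass_scheme = SSHA256: the
    digest covers the password followed by the salt, and the salt is appended
    to the digest so it can be recovered again at verification time.
    """
    if salt is None:
        salt = os.urandom(16)  # any length works; Dovecot reads whatever follows the digest
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")


def ssha256_verify(password, stored):
    """Check a candidate password against a stored "{SSHA256}..." mailpass value."""
    prefix = "{SSHA256}"
    if not stored.startswith(prefix):
        return False
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:32], raw[32:]  # a SHA-256 digest is always 32 bytes
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def maildir_home(username, domain, chunks=((1, 2),)):
    """Home directory exactly as the user_query's CONCAT(...) builds it.

    chunks holds (start, length) pairs in MySQL's 1-based substring() terms.
    The default ((1, 2),) is substring(md5(u.username),1,2), which is also what
    %2Mn expands to in mail_location, so the two must stay in step;
    ((1, 2), (3, 2)) and ((1, 3), (4, 3)) reproduce the deeper variants above.
    """
    md5 = hashlib.md5(username.encode("utf-8")).hexdigest()
    parts = [md5[start - 1:start - 1 + length] for start, length in chunks]
    return "/var/vmail/%s/%s/%s" % (domain, "/".join(parts), username)
```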

/etc/dovecot/conf.d/auth-sql.conf.ext

# Authentication for SQL users. Included from auth.conf.

passdb {
  driver = sql

  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
  args = /etc/dovecot/dovecot-sql.conf
}

# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
userdb {
  driver = prefetch
}

# for the LDA
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf
}

/etc/dovecot/conf.d/10-auth.conf

 * disable_plaintext_auth = yes
 * auth_username_format = %Lu
 * auth_mechanisms = plain login
 * Comment out the system include and uncomment the SQL include.

/etc/dovecot/conf.d/10-logging.conf

##
## Log destination.
##

# Log file to use for error messages. "syslog" logs to syslog,
# /dev/stderr logs to stderr.
log_path = syslog

# Log file to use for informational messages. Defaults to log_path.
#info_log_path =
# Log file to use for debug messages. Defaults to info_log_path.
#debug_log_path =

# Syslog facility to use if you're logging to syslog. Usually if you don't
# want to use "mail", you'll use local0..local7. Also other standard
# facilities are supported.
# Trying to figure out mailing issues with dovecot cluttering the logs is annoying.
# Get it out of there.
syslog_facility = local2

##
## Logging verbosity and debugging.
##

# Log unsuccessful authentication attempts and the reasons why they failed.
auth_verbose = yes

# In case of password mismatches, log the attempted password. Valid values are
# no, plain and sha1. sha1 can be useful for detecting brute force password
# attempts vs. user simply trying the same password over and over again.
#auth_verbose_passwords = no

# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
auth_debug = yes

# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
#auth_debug_passwords = no

# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
mail_debug = yes

# Show protocol level SSL errors.
verbose_ssl = yes
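An added example (not part of the original page) of reading that local2 log back: with auth_verbose = yes the auth process logs each failure and its reason, and imap-login logs "Disconnected (auth failed, ...)" with the remote IP, so a few lines of Python can count failed attempts per source address and per reason. The log lines are constructed samples, not captured output, and the regexes assume the Dovecot 2.x imap-login and auth line layout shown in them.

```python
import re
from collections import Counter

# Constructed sample of what lands in the local2 log; not from a real server.
SAMPLE_LOG = """\
Mar  3 10:01:12 mx dovecot: auth: sql(alice@example.com,203.0.113.9): Password mismatch
Mar  3 10:01:12 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.187, TLS
Mar  3 10:01:15 mx dovecot: auth: sql(bob@example.com,203.0.113.9): unknown user
Mar  3 10:01:15 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.187, TLS
Mar  3 10:02:40 mx dovecot: imap-login: Login: user=<carol@example.com>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.187, mpid=4711, TLS
Mar  3 10:03:01 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 20 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.187, TLS
"""

# imap-login summarises each failed session; "in N secs" is optional so older
# line layouts without it still match.
AUTH_FAILED = re.compile(
    r"imap-login: Disconnected \(auth failed, (?P<attempts>\d+) attempts(?: in \d+ secs)?\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[0-9a-fA-F.:]+)"
)
# The auth process line carries the reason (this is what auth_verbose = yes adds).
AUTH_REASON = re.compile(
    r"auth(?:-worker\(\d+\))?: sql\((?P<user>[^,]*),(?P<rip>[^)]*)\): (?P<reason>.+)$"
)


def failed_logins(log_text):
    """Return a list of (rip, user, attempts) for every imap-login auth failure."""
    hits = []
    for line in log_text.splitlines():
        m = AUTH_FAILED.search(line)
        if m:
            hits.append((m.group("rip"), m.group("user"), int(m.group("attempts"))))
    return hits


def failures_by_ip(log_text):
    """Total failed attempts per remote IP, summing the per-session counters."""
    counts = Counter()
    for rip, _user, attempts in failed_logins(log_text):
        counts[rip] += attempts
    return dict(counts)


def failure_reasons(log_text):
    """How often each reason given by the auth process appears, e.g. 'unknown user'."""
    matches = (AUTH_REASON.search(line) for line in log_text.splitlines())
    return dict(Counter(m.group("reason") for m in matches if m))


def noisy_sources(log_text, threshold=3):
    """Remote IPs whose failed attempts reach threshold: worth alerting on or blocking."""
    return sorted(ip for ip, n in failures_by_ip(log_text).items() if n >= threshold)
```

Note that these counters only need the remote IP and the reason, so auth_verbose_passwords and auth_debug_passwords can stay at their default of no.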

/etc/dovecot/conf.d/10-mail.conf
Nine nine nine nine...

 * mail_location = maildir:/var/vmail/%d/%2Mn/%n/Maildir
 * maildir_broken_filename_sizes = yes
 * mail_privileged_group = vmail
 * valid_chroot_dirs = /var/vmail

 * mail_uid = 999
 * mail_gid = 999

 * first_valid_uid = 999
 * last_valid_uid = 999

 * first_valid_gid = 999
 * last_valid_gid = 999

/etc/dovecot/conf.d/10-master.conf
Only planning to listen on IMAP over SSL, so:

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_min_avail = 2
}

/etc/dovecot/conf.d/10-ssl.conf
SSL is teh future.

ssl = required
ssl_cert = </etc/maincert/example.crt
ssl_key = </etc/maincert/example.key

You can disable older protocols and weak ciphers as well; the cipher list format is the standard OpenSSL one, the same as nginx uses. Set them accordingly.

/etc/dovecot/conf.d/15-lda.conf

 * Set your postmaster address, naturally.

# Again, make sure you are consistent with setting this everywhere else.
recipient_delimiter = _

# Should saving a mail to a nonexistent mailbox automatically create it?
lda_mailbox_autocreate = yes

# Should automatically created mailboxes be also automatically subscribed?
lda_mailbox_autosubscribe = yes

protocol lda {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = sieve
}

/etc/dovecot/conf.d/15-mailboxes
Uncomment and autosubscribe the basics:

mailbox Archive {
  auto = subscribe
  special_use = \Archive
}
mailbox Drafts {
  auto = subscribe
  special_use = \Drafts
}
mailbox Junk {
  auto = subscribe
  special_use = \Junk
}
mailbox Sent {
  auto = subscribe
  special_use = \Sent
}
mailbox Trash {
  auto = subscribe
  special_use = \Trash
}

/etc/dovecot/conf.d/90-sieve.conf
We're not using this for a whole lot, really. This and the following file automagically move whatever Spamassassin thinks is spam into the Junk folder.


 * sieve_before = /var/vmail/presieve
 * Make sure to create the directory.
 * recipient_delimiter = _
 * In the event that we use sieve for more, we don't want to mess this up.

/var/vmail/presieve/spamtojunk.sieve

require ["fileinto"];

# Move spam to Junk folder
if header :contains "X-Spam-Flag" ["YES"] {
    fileinto "Junk";
    stop;
}

 * Ensure the file is owned by vmail user:group, chmod 640.
 * Compile it: sievec spamtojunk.sieve

And enjoy!