FreeBSD 9.1 configuring imap mail with dovecot

I’ve been running FreeBSD servers with imap for a while. Until now I’ve always used the uw-imapd server, but it’s not great at handling large mailboxes, so I’ve decided to move to dovecot’s imap server.

To install dovecot2 on FreeBSD 9 I use the ports collection as follows:

cd /usr/ports/mail/dovecot2 && make install

I additionally selected the ldap options, as I plan to use ldap later on. Once installed, the example config files need to be put in place for local customisation; this is simply a copy from /usr/local/share/doc/dovecot/example-config.

I’m only running imap, so I’ve amended the protocols entry in dovecot.conf to read:

protocols = imap

Authentication

I want to use ldap to authenticate my users on dovecot; however, I have already configured FreeBSD to use pam, with ldap set up and integrated into pam. As pam and ldap are already set up, the simplest way to get dovecot to use ldap is via the pam module for dovecot.

To configure authentication, first we need to set up the pam config file for dovecot (/etc/pam.d/dovecot). I’ve used the stock imap file from FreeBSD and added some lines to create the dovecot file.

#
# $FreeBSD: release/9.1.0/etc/pam.d/imap 170771 2007-06-15 11:33:13Z yar $
#
# PAM configuration for the "imap" service
#
# auth
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
#account required pam_nologin.so
account required pam_unix.so
account required /usr/local/lib/pam_ldap.so

Next the 10-auth.conf file needs to be checked; I ensure that the auth_mechanisms parameter is set to plain. This means we use plain-text passwords, but as they will be encapsulated in SSL this will be OK, provided dovecot’s default of disable_plaintext_auth = yes is left in place so that PLAIN is only accepted once the connection is encrypted.

auth_mechanisms = plain

Finally, for authentication we need to check the pam driver in the passdb section of the auth-system.conf.ext config file. The default configuration is OK, but I like to be explicit about which pam driver is being used:

STARTTLS

Enabling STARTTLS is really as simple as adding the SSL certificates to the 10-ssl.conf file as follows:

ssl_cert = </usr/local/etc/dovecot/ssl/moon.rjctest.co.uk.crt
ssl_key = </usr/local/etc/dovecot/ssl/moon.rjctest.co.uk.key
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
ssl_key_password = topsecret
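The comment in that file is worth acting on: a passphrase in a world-readable conf file protects nothing. The following pre-flight check is an added example, not part of Dovecot or FreeBSD; it reads a 10-ssl.conf, pulls out the ssl_key and ssl_key_password settings, and fails when the key file, the passphrase file, or a conf file holding an inline passphrase is readable by group or other. It assumes one "key = value" setting per line and POSIX sh, awk and ls.

```shell
#!/bin/sh
# Added example, not part of Dovecot or FreeBSD: checks that the private key and
# its passphrase referenced by a 10-ssl.conf are not readable by group/other.
# Assumes one "key = value" setting per line and POSIX sh, awk and ls.

# True when the file has no group/other permission bits, e.g. "-rw-------".
mode_is_private() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print the value of the first uncommented "<key> = <value>" line in <file>.
conf_value() {  # conf_value <file> <key>
    awk -F'=' -v k="$2" '$1 ~ "^[ \t]*" k "[ \t]*$" {
        v = $2; sub(/^[ \t]*/, "", v); sub(/[ \t]*$/, "", v); print v; exit }' "$1"
}

# Returns 0 when key and passphrase are protected, 1 otherwise (findings on stdout).
check_dovecot_ssl_conf() {  # check_dovecot_ssl_conf <path-to-10-ssl.conf>
    conf=$1; rc=0
    [ -f "$conf" ] || { echo "FAIL: $conf not found"; return 1; }
    key=$(conf_value "$conf" ssl_key); key=${key#<}    # "</path" -> "/path"
    pw=$(conf_value "$conf" ssl_key_password)           # "<path" or a literal
    if [ -z "$key" ]; then
        echo "FAIL: no ssl_key setting in $conf"; rc=1
    elif [ ! -f "$key" ]; then
        echo "FAIL: ssl_key file $key does not exist"; rc=1
    elif ! mode_is_private "$key"; then
        echo "FAIL: $key is readable by group/other (chmod 600 $key)"; rc=1
    fi

    case "$pw" in
        '')   ;;    # key is not passphrase-protected; nothing more to check
        '<'*) pwfile=${pw#<}
              if [ ! -f "$pwfile" ]; then
                  echo "FAIL: ssl_key_password file $pwfile does not exist"; rc=1
              elif ! mode_is_private "$pwfile"; then
                  echo "FAIL: $pwfile is readable by group/other (chmod 600 $pwfile)"; rc=1
              fi ;;
        *)    # literal passphrase inside the conf file itself
              if ! mode_is_private "$conf"; then
                  echo "FAIL: ssl_key_password is stored inline in $conf, which is readable" \
                       "by group/other; move it to a root-owned 0600 file and use" \
                       "ssl_key_password = <path"; rc=1
              fi ;;
    esac
    return $rc
}
```

Run it as check_dovecot_ssl_conf /usr/local/etc/dovecot/conf.d/10-ssl.conf after editing the file and again after any key rotation.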

Mailbox Location and mail store

The last item to configure is the mail file location and indexes. This requires only one configuration change, as follows:

mail_location = mbox:/var/mbox/%1u/%u:INBOX=/var/mail/%u:INDEX=/var/indexes/%d/%1n/%n

This configures dovecot so that the INBOX is located at /var/mail/<username>, the user’s mail folders are in /var/mbox/<1st letter of user name>/<user name>, and the indexes are in /var/indexes/<1st letter of user name>/<user name>. You need to ensure the base directories exist:

mkdir -p /var/mail && mkdir -p /var/indexes && mkdir -p /var/mbox

I also set maildir_copy_with_hardlinks = yes for speed.

Now that it’s all configured, edit /etc/rc.conf and add dovecot_enable="YES", then start the service with service dovecot start.