Learn Linux Series (#9) - e-mail server (Dovecot)

in utopian-io •  7 years ago  (edited)


What Will I Learn?

  • What is Dovecot
  • How to install Dovecot
  • How to configure Dovecot
  • Creating certificates and keys
  • How to add Dovecot to autostart
  • Reading e-mails from the console

Requirements

  • Linux system installed
  • Basic knowledge of terminal operation
  • Average knowledge of Linux commands
  • Motivation when something goes wrong

Difficulty

  • Intermediate


  • What is Dovecot


    Dovecot is an open source IMAP and POP3 email server for Linux/UNIX-like systems, written with security primarily in mind. Dovecot is an excellent choice for both small and large installations. It's fast, simple to set up, requires no special administration and it uses very little memory.

    Dovecot supports:
  1. IMAP, POP3, IPv6, SSL and TLS protocols;
  2. mbox boxes and Maildir;
  3. simultaneous access to mailboxes by other programs (thus it can work on NFS resources or clustered file systems);
  4. authentication mechanisms: PLAIN, LOGIN, CRAM-MD5, DIGEST-MD5, APOP, NTLM, GSS-SPNEGO, GSSAPI, RPA, OTP, SKEY;
  5. many databases storing credentials, e.g. PAM, system passwd files, LDAP, SQL databases (MySQL, PostgreSQL, SQLite) and others;
  6. mechanism of plugins that extend functionality (eg Quota, ACLs).

    Dovecot has been designed and written with security as a primary concern. To back this up, the author, Timo Sirainen, has offered since January 22, 2006 a 1000€ reward to the first person who demonstrates a remotely exploitable security hole in Dovecot that gives access to someone else's mailbox without knowing the password. So far, although various security-related bugs have been found in the program, the conditions of the offer have not been met.


  • How to install and configure Dovecot

First we install Dovecot and openssl (if it is not installed already; we will use openssl to create the certificate and key that protect client connections with TLS).

zypper in dovecot21 openssl

It is worth creating a backup copy of the configuration file first:

cd /etc/dovecot
cp dovecot.conf dovecot.conf.backup

We generate the initial configuration file from the settings currently in effect (doveconf -n prints only the settings that differ from the defaults):

doveconf -n > dovecot.conf-new
mv dovecot.conf-new dovecot.conf

Do not redirect straight into dovecot.conf (doveconf -n > dovecot.conf): the shell truncates dovecot.conf before doveconf reads it, so you do not get the configuration you had, and errors about the missing SSL certificates appear.

We edit the file (vi /etc/dovecot/dovecot.conf) and set or add the following options:
mail_location = maildir:~/Maildir # location of the mailboxes (Maildir format in each user's home directory)
With mail_location set this way, the whole namespace inbox section below can be deleted or commented out. It is not needed here: an empty location inherits mail_location, so removing the block only drops the special_use hints for the Drafts/Junk/Sent/Trash folders:

namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = Drafts
  }
  mailbox Junk {
    special_use = Junk
  }
  mailbox Sent {
    special_use = Sent
  }
  mailbox "Sent Messages" {
    special_use = Sent
  }
  mailbox Trash {
    special_use = Trash
  }
  prefix =
}

login_greeting = My POP3 / IMAP server # banner Dovecot sends to the client as soon as the connection is opened, before login, for both POP3 and IMAP

listen = * # listen on all IPv4 interfaces (use "*, ::" to also listen on IPv6)

protocols = "imap pop3" # mail protocols to serve

ssl = yes # enable TLS (ssl = required would additionally reject every client that does not switch to TLS)

ssl_cert = </etc/dovecot/ssl/certificate.pem # path to the certificate created below; the leading "<" tells Dovecot to read the file. Without it the value is treated as the PEM data itself and the log shows: "ssl_cert: Can't load ssl_cert: There is no valid PEM certificate. (You probably forgot '<' from ssl_cert=</etc/dovecot/ssl/certificate.pem)"

ssl_key = </etc/dovecot/ssl/key.pem # path to the private key; again, do not forget the leading "<"

disable_plaintext_auth = yes # refuse PLAIN/LOGIN authentication unless the connection is already TLS-protected (Dovecot treats connections from localhost as secure), so passwords never cross the network unencrypted
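Before saving, it is easy to check the settings this section asks for. The following script is an added example, not part of the tutorial or of Dovecot: it reads a dovecot.conf, takes the last top-level "key = value" line for each key, and reports a setting that would leave logins in the clear or a certificate/key path missing its leading "<". The configuration written at the bottom is constructed for the demonstration and deliberately contains two of those mistakes.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of Dovecot: audit the settings
# this section asks for. Reads a dovecot.conf, takes the last top-level
# "key = value" line for each key, and reports anything that would leave
# logins in the clear or a certificate/key path without its leading "<".

# conf_get FILE KEY: print the value of the last "KEY = value" line in FILE,
# with surrounding whitespace and a trailing "# comment" removed.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' \
        | tail -n 1
}

# audit_dovecot_conf FILE: print one "PROBLEM: ..." line per finding.
# Returns 0 when nothing was found, 1 otherwise.
audit_dovecot_conf() {
    conf=$1
    problems=0

    # TLS must be on; "required" additionally rejects clients that never start TLS
    ssl=$(conf_get "$conf" ssl)
    case "$ssl" in
        yes|required) ;;
        *) echo "PROBLEM: ssl = '$ssl' (expected yes or required)"
           problems=$((problems + 1)) ;;
    esac

    # without this, PLAIN/LOGIN passwords are accepted over unencrypted connections
    if [ "$(conf_get "$conf" disable_plaintext_auth)" != "yes" ]; then
        echo "PROBLEM: disable_plaintext_auth is not yes"
        problems=$((problems + 1))
    fi

    # a path must start with "<"; otherwise Dovecot parses the value as PEM data
    for key in ssl_cert ssl_key; do
        val=$(conf_get "$conf" "$key")
        case "$val" in
            '<'*) ;;
            '')   echo "PROBLEM: $key is not set"
                  problems=$((problems + 1)) ;;
            *)    echo "PROBLEM: $key = '$val' lacks the leading '<'"
                  problems=$((problems + 1)) ;;
        esac
    done

    if [ -z "$(conf_get "$conf" mail_location)" ]; then
        echo "PROBLEM: mail_location is empty (Dovecot would guess the mailbox format)"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Constructed sample (not a real server's file) containing two of the mistakes above.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
mail_location = maildir:~/Maildir
listen = *
protocols = "imap pop3"
ssl = yes # enable TLS
ssl_cert = /etc/dovecot/ssl/certificate.pem
ssl_key = </etc/dovecot/ssl/key.pem
disable_plaintext_auth = no
EOF
if audit_dovecot_conf "$demo_conf"; then
    echo "configuration passes"
else
    echo "fix the settings above before starting Dovecot"
fi
rm -f "$demo_conf"
```

Run it against the real file with audit_dovecot_conf /etc/dovecot/dovecot.conf; it looks only at the keys this section sets, so a clean result means these settings are right, not that the whole file is.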



Save the configuration. Now we create the certificate and key that the ssl_cert and ssl_key settings point to:

mkdir /etc/dovecot/ssl
cd /etc/dovecot/ssl
openssl req -new -x509 -nodes -out certificate.pem -keyout key.pem -days 365

Answer the prompts with your organisation's details. The important one is "Common Name": it must be the host name that clients will use to connect (the FQDN of the mail server). Current mail clients also check the subjectAltName extension, which this interactive command does not add.

Country Name (2 letter code) [AU]: EN # country
State or Province Name (full name) [Some-State]: Texas # province
Locality Name (eg, city) []: Glasgow # city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Utopian-io # name of our company
Organizational Unit Name (eg, section) []: Programming # section / department of the company
Common Name (e.g. server FQDN or YOUR name) []: utopian.io # domain name
Email Address []: [email protected] # e-mail address for contacts regarding the certificate

We check that the generated key file is well-formed:

openssl rsa -in key.pem -check
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----

[...]

-----END RSA PRIVATE KEY-----

If you see this output, the key is well-formed. Note that this check only verifies the internal consistency of the RSA key; it does not confirm that the key matches the certificate.

Now check the certificate information:

openssl x509 -noout -text -in certificate.pem

Output like the following should appear:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 16436464367657346376 (0xcf48ed216ab49e87)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=EN, ST=Texas, L=Glasgow, O=Utopian-io, OU=Programming, CN=utopian.io/[email protected]
        Validity
            Not Before: Mar  20 15:54:17 2018 GMT
            Not After : Mar  19 15:54:17 2022 GMT
        Subject: C=EN, ST=Texas, L=Glasgow, O=Utopian-io, OU=Programming, CN=utopian.io/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                [...]
            X509v3 Authority Key Identifier:
                [...]

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         [...]
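The interactive command above leaves a few things to the defaults of whatever OpenSSL release you have. The script below is an added example, not from the tutorial or from Dovecot or OpenSSL documentation: it creates the pair non-interactively with a 2048-bit RSA key, a SHA-256 signature and a subjectAltName (which current mail clients require), restricts the key file to root, and verifies that the certificate really belongs to the key, which openssl rsa -check alone cannot tell you. The directory, host name (mail.example.com in the demo run) and validity are parameters and placeholders you supply yourself.

```shell
#!/bin/sh
# Added example, not part of the tutorial: create the self-signed pair
# non-interactively (2048-bit RSA, SHA-256, subjectAltName, CA:FALSE),
# lock down the key file, and verify certificate/key consistency.
# DIR, HOSTNAME and DAYS are parameters; mail.example.com is a placeholder.

# make_dovecot_cert DIR HOSTNAME [DAYS]: write DIR/certificate.pem and DIR/key.pem
make_dovecot_cert() {
    dir=$1 host=$2 days=${3:-365}
    mkdir -p "$dir" || return 1
    # A throwaway request config: no prompts, and server-certificate extensions
    # instead of the CA:TRUE that "openssl req -x509" adds by default.
    cnf=$(mktemp)
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" -config "$cnf" \
        -keyout "$dir/key.pem" -out "$dir/certificate.pem" 2>/dev/null
    status=$?
    rm -f "$cnf"
    [ "$status" -eq 0 ] || return 1
    chmod 600 "$dir/key.pem"          # Dovecot reads the key as root; nobody else needs it
    chmod 644 "$dir/certificate.pem"  # the certificate is public
}

# cert_key_bits CERT: print the size of the public key in bits
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_matches_key CERT KEY: return 0 if the public key inside CERT is the one
# derived from KEY (compared as SHA-256 of the DER-encoded public key)
cert_matches_key() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
    openssl pkey -in "$2" -noout >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# cert_expires_within CERT DAYS: return 0 if CERT expires within DAYS days
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
        return 1     # openssl says it will not expire inside the window
    fi
    return 0
}

# Stand-alone run: build a pair in a temporary directory and verify it.
if command -v openssl >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    if make_dovecot_cert "$workdir" mail.example.com 365; then
        echo "key bits: $(cert_key_bits "$workdir/certificate.pem")"
        cert_matches_key "$workdir/certificate.pem" "$workdir/key.pem" \
            && echo "certificate matches key"
        cert_expires_within "$workdir/certificate.pem" 30 \
            && echo "WARNING: certificate expires within 30 days"
        openssl x509 -in "$workdir/certificate.pem" -noout -subject -dates
    fi
    rm -rf "$workdir"
fi
```

For the real server call make_dovecot_cert /etc/dovecot/ssl mail.yourdomain 365 as root, then point ssl_cert and ssl_key at the two files. cert_expires_within is the check to put in a cron job: a self-signed certificate that silently expires breaks every client at once.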

The output above was produced by an old OpenSSL release: it shows a 1024-bit key, a sha1WithRSAEncryption signature and a validity period that does not match the -days 365 given earlier. Current releases default to a 2048-bit RSA key and a SHA-256 signature; if your certificate shows 1024 bit or SHA-1, regenerate it, since clients increasingly reject both. CA:TRUE under Basic Constraints is what openssl req -x509 produces by default for a self-signed certificate. Before going on, make key.pem readable by root only; Dovecot reads ssl_key as root before dropping privileges, so nobody else needs access. Then we start Dovecot and add it to autostart:

service dovecot start
service dovecot status
chkconfig dovecot on

On a systemd-based release the service is enabled and started with systemctl instead of service and chkconfig.

Let's try to send a message using SMTP. Dovecot itself does not accept mail for delivery: the session below talks to the MTA (the replies shown are Postfix's), which must already be listening on port 25 and delivering local mail into ~/Maildir. This puts a message into the test user's mailbox that we will then read back through Dovecot:

telnet localhost 25

Trying ::1...
Connected to localhost.
Escape character is '^]'.

ehlo utopian.io

250-mail.utopian.io
250-PIPELINING
250-SIZE
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

mail from: [email protected]

250 2.1.0 Ok

rcpt to: [email protected]

250 2.1.5 Ok

data

354 End data with <CR><LF>.<CR><LF>

Subject: Shipping test

We're testing sending messages

. # a line containing only a full stop ends the message

250 2.0.0 Ok: queued as 2E23E1C0F15 # the message was added to the delivery queue with ID 2E23E1C0F15

quit

221 2.0.0 Bye

Connection closed by foreign host.


  • In that case, let's try to read this email from the console:
openssl s_client -connect localhost:995

[...] +OK Dovecot ready.

user test

+OK

pass test

+OK Logged in.

stat

+OK 1 486

list

+OK 1 messages:

1 486

.

retr 1 # shows the content of the ID 1 message
+OK 486 octets
Return-Path:
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from utopian.io (localhost [IPv6:::1])
        by mail.utopian.io with ESMTP id 2E23E1C0F15
        for ; Mon,  3 Aug 2015 12:57:13 +0200 (CEST)
Subject: Shipping test
Message-Id: <[email protected]>
Date: Mon,  3 Aug 2015 12:57:13 +0200 (CEST)
From: [email protected]


TEST TEST TEST!
.
quit

+OK Logging out.
closed
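The same session can be scripted, which is useful for monitoring and for confirming after a configuration change that the TLS port still accepts logins. The script below is an added example, not from the tutorial: pop3s_transcript drives openssl s_client non-interactively, and the pop3_* helpers pull the login result, the STAT count and the LIST sizes out of the captured server transcript. Host, port, user name and password are parameters you supply; the transcript at the bottom is constructed from the session shown above so the parsers can be tried without a server.

```shell
#!/bin/sh
# Added example, not part of the tutorial: the POP3S session above, scripted.
# pop3s_transcript drives "openssl s_client" non-interactively; the pop3_*
# helpers work on the captured server transcript and can be tried offline
# with the constructed sample at the bottom. HOST, PORT, USER and PASS are
# parameters you supply.

# pop3_login_ok TRANSCRIPT: 0 if the server answered PASS with "+OK Logged in"
pop3_login_ok() {
    printf '%s\n' "$1" | tr -d '\r' | grep -q '^+OK Logged in'
}

# pop3_stat_count TRANSCRIPT: message count from the last "+OK <n> <octets>"
# line, i.e. the reply to STAT
pop3_stat_count() {
    printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^+OK \([0-9][0-9]*\) [0-9][0-9]*$/\1/p' | tail -n 1
}

# pop3_list_sizes TRANSCRIPT: the "<id> <octets>" lines of the LIST reply,
# i.e. everything between "+OK <n> messages:" and the lone "." terminator
pop3_list_sizes() {
    printf '%s\n' "$1" | tr -d '\r' \
        | sed -n '/^+OK [0-9][0-9]* messages:/,/^\.$/p' \
        | sed -n 's/^\([0-9][0-9]*\) \([0-9][0-9]*\)$/\1 \2/p'
}

# pop3s_transcript HOST PORT USER PASS: log in over TLS and print the server's
# replies. -quiet implies -ign_eof, so s_client keeps reading after stdin is
# exhausted and returns only when the server closes the connection after QUIT.
pop3s_transcript() {
    printf 'USER %s\r\nPASS %s\r\nSTAT\r\nLIST\r\nQUIT\r\n' "$3" "$4" \
        | openssl s_client -quiet -connect "$1:$2" 2>/dev/null
}

# pop3s_summary HOST PORT USER PASS: one-line summary plus LIST; non-zero if login failed
pop3s_summary() {
    t=$(pop3s_transcript "$@") || return 1
    pop3_login_ok "$t" || { echo "login failed for $3@$1"; return 1; }
    echo "$3@$1: $(pop3_stat_count "$t") message(s)"
    pop3_list_sizes "$t"
}

# Constructed transcript modelled on the session shown above (sample data,
# not captured from a real server).
SAMPLE_TRANSCRIPT='+OK Dovecot ready.
+OK
+OK Logged in.
+OK 2 1234
+OK 2 messages:
1 486
2 748
.
+OK Logging out.'

if pop3_login_ok "$SAMPLE_TRANSCRIPT"; then
    echo "sample: $(pop3_stat_count "$SAMPLE_TRANSCRIPT") message(s)"
    pop3_list_sizes "$SAMPLE_TRANSCRIPT"
fi
```

Against the server from the tutorial the call is pop3s_summary localhost 995 test test. Passing the password on the command line is acceptable on a test box only; on a real server it lands in the process list and shell history. The complementary check for disable_plaintext_auth is to send the same USER/PASS lines to port 110 without STARTTLS from another host: Dovecot should answer PASS with "-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections." (from localhost the login succeeds, because Dovecot treats local connections as secure).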






Your contribution cannot be approved because it does not follow the Utopian Rules.

Low quality. You were convicted of plagiarism.

You can contact us on Discord.
[utopian-moderator]
