Distroname and release: Debian Stretch

Dovecot and MySQL with postfix

Here we will setup dovecot for SASL to use together with postfix.

I asume in this example, that there is already an fully working postfix configuration in place, including MySQL for authentication!
Secondly there should also be an full certificate pair in place, with chain, key and the certificate which must match the FQDN on the server you are connection to. (like imap.example.com).

Start by installing dovecot and the mysql support.
apt-get install dovecot-imap dovecot-mysql
  • passdb: can lookup/contain user,password, username (part of user) ,domain (part of user)
  • userdb: can lookup/contain uid,gid,home,user (changes username), mail (maillocation), etc.

Basic configuration

Set the auth mechanism for logins. This is safe since we send the unencrypted password inside an TLS connection!
Disable plaintext authentication, since we will force STARTTLS later on.
Lastly include the auth-sql.conf.ext file.


disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-sql.conf.ext
Force TLS/SSL.
ssl = required
You must have these certificates generated before this can be done.
Define the certificates, and set an strong DH key.

Make sure that permissions to the key file are properly set, for minimum restrictions!! (like 440, rr-)
ssl_cert = </etc/dovecot/mail_linuxlasse_net.crt
ssl_key = </etc/dovecot/private/insecure_ca.key
ssl_dh_parameters_length = 4096
Now restart dovecot for the firstime.
Warning!! Takes a long time, since it will generate an new dh key.
/etc/init.d/dovecot restart
Setting the dh parameter, will generate a new key at first restart, it should something like this in the mail.log
Jun  2 15:27:57 mailobie dovecot: ssl-params: Warning: Regenerating /var/lib/dovecot/ssl-parameters.dat for ssl_dh_parameters_length=4096
Jun  2 15:27:57 mailobie dovecot: ssl-params: Generating SSL parameters

MySQL configuration

Make sure that you set the correcet paths here, and also that the uid and gid is correct.
We are not doing SQL lookups for our USERS, since permissions, location, mailstructure is the same for all of our users (/var/spool/postfix/virtual/...etc)
If this was different between users, this has to be changed. We are using build in %d and %n to differentiate the users.
  • %d = domain, like example.com
  • %n = full part of user+domain like user@example.com
  • %u = username
driver = sql

userdb {
  driver = static
    args = uid=postfix gid=postfix home=/var/spool/postfix/virtual/%d/%n/Maildir
Define where the mails are located, and in which format (maildir in this example).
mail_location = maildir:/var/spool/postfix/virtual/%d/%n/Maildir
Now define the MySQL lookup inside the database where the users are stored.
Change the SQL to your own needs.
driver = mysql
connect = host= dbname=maildb user=postfix password=XXXX
default_pass_scheme = SHA256
password_query =  SELECT address, domain, user_passwd as password FROM users WHERE address = '%u' AND domain = '%d' and disabled=0
Finally restart dovecot again.
systemctl restart dovecot

Generating passwords

Passwords can be generated with the deoveadm tool, which will prompt you for the password, and next you can insert into the database, into the password field for the user.
doveadm pw -s sha512

Test the imap connection

Now do some simple testing, to see that STARTTLS is set.
telnet localhost 143
Escape character is '^]'.
bingo, STARTTLS is present You can view all settings with the below command, which will dump the configuration.
dovecot -n 

Postfix SASL

Make sure you can login after above tests on the IMAP protocol. Make sure it supports dovecot
postconf -a
Dovecot is present, OK to continue. Delete the /etc/postfix/sasl folder if this is present. It could be if an current SASL implementation is in place.
Then emable SASL and set it dovecot in postfix.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sash_auth_enabled = yes
Restart postfix
/etc/init.d/postfix restart
Now everything should be working, and you should be able to send mails through postfix, with the users from dovecot.

These below steps are optional

Low level hardening

Disable SSLv3, TLS 1.1 if they are present, by changing the protocol list.
ssl_protocols = TLSv1.2

Improve logging

To see more details about OK/Fail login status'es, enable it like so.Logs will be available in the mail.log
auth_verbose = yes

Know issues and possible fixes

Aborted login (no auth attempts in 0 secs): user=<>,
Most likely because we try SSL, but only clear login is allowed, or we try clear login and only SSL is allowed Try to set/change it in /etc/dovecot/conf.d/10-auth.conf disable_plaintext_auth = no/yes

Do not trust the authors words! POC, tests and experience is key

Copyright LinuxLasse.net 2009 - 2018 All Rights Reserved.

Valid HTML 4.01 Strict Valid CSS!