![首頁 Logo Keith ]p !!](/themes/mytheme/logo.png){kind=logo}
最後更新: 2018-03-15
目錄
- dovecot
- Ports Usage
- Auth Socket
- mini Configure
- Process Limit
- Memory Limit
- Rotating Logs
- Logs
- sieve log to another file
- Password Schemes
- Password File
- Logging
- Cache
- Out of memory
- POP3 & IMAP Seen flag
- Port Settings
doveconf
doveconf # configuration dumping utility
dovecot(1) and dovecot-lda(1), will first get their settings by executing doveconf
- -n # Show only settings with non-default values
- -a # Show all settings with their currently configured values
- -N # Show settings with non-default values and explicitly set default values
- -c config-file # By default /etc/dovecot/dovecot.conf
- -f filter # filter: protocol, service, remote
i.e. 來看 log 的 path
doveconf -f service=lda|grep log_path
debug_log_path = info_log_path = log_path = syslog
/etc/rsyslog.d/1-dovecot.conf
# sieve and LMTP
if $syslogfacility-text == 'local5' and ($msg contains "lmtp(" or $msg contains "lda(") then -/var/log/dovecot/lda.log
& stop
Ports Usage
24/tcp # lmtp 4190/tcp # managesieve-login 12340/tcp # quota-status 24242/tcp # stats
Auth Socket
login 的 socket:
service auth {
unix_listener /var/spool/postfix/dovecot-auth {
user = root
group = postfix
mode = 0660
}
unix_listener auth-master {
user = root
group = vmail
mode = 0660
}
unix_listener auth-userdb {
mode = 0660
user = root
group = vmail
}
}# lda 會連過去 auth-master 的
protocol lda {
# Reference: http://wiki2.dovecot.org/LDA
mail_plugins = autocreate
# lda 連去 socket
auth_socket_path = /var/run/dovecot/auth-master
lda_mailbox_autocreate = yes
postmaster_address = root
}對應在 service auth
service auth {
...
unix_listener auth-master {
user = vmail
group = vmail
mode = 0666
}
}
Dovecot 2.2 mini Configure
# 建立 id 為 2000 的 user 及 group
groupadd -g 2000 vmail
useradd -u 2000 -g 2000 -m -s /bin/nologin vmail
-rw-rw-r-- 1 root root 7453 Apr 29 2013 dovecot.conf
10-master.conf
listen = *
# Default: imap pop3 lmtp
# 什麼都不開是要 "protocols=none"
protocols = imap pop3 lmtp
mail_uid = 2000
mail_gid = 2000
first_valid_uid = 2000
last_valid_uid = 2000
log_path = /var/log/dovecot.log
mail_debug = no
auth_verbose = no
auth_debug = no
auth_debug_passwords = no
# Possible values: no, plain, sha1.
auth_verbose_passwords = no
# no, yes, required. "ssl = yes" must be set globally if you require SSL for any protocol
ssl = no
verbose_ssl = no
# root:root 0444
#ssl_cert = </etc/pki/tls/certs/dovecot.pem
# root:root 0400
#ssl_key = </etc/pki/tls/private/dovecot.key
disable_plaintext_auth = no
mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/
auth_mechanisms = PLAIN LOGIN
default_process_limit = 200
service
service auth {
unix_listener /var/spool/postfix/private/dovecot-auth {
user = postfix
group = postfix
mode = 0666
}
unix_listener auth-master {
user = vmail
group = vmail
mode = 0666
}
unix_listener auth-userdb {
user = vmail
group = vmail
mode = 0660
}
}
Login processes
- imap-login
- pop3-login
By default they are run as a non-privileged dovenull user chrooted into a non-writable directory
containing only authentication UNIX sockets.
Login processes also handle proxying the SSL and TLS connections even after the user has logged in.
This way all the SSL code runs in the same restricted environment
service imap-login {
service_count = 1
# To avoid startup latency for new client connections
process_min_avail = 10
process_limit = 50
# Default 64MB value
#vsz_limit = 64M
}
service pop3-login {
service_count = 1
}service_count
Number of client connections to handle until the process kills itself. 0 means unlimited.
process_*
# Default: process_limit = $default_process_limit
# SSL 的 connection 也會佔用一個
process_limit = 50
# To avoid startup latency for new client connections
# Default: 0
process_min_avail = 10
userdb & passdb
# Virtual mail accounts.
userdb {
args = /usr/local/etc/dovecot/dovecot-mysql.conf
driver = sql
}
passdb {
args = /usr/local/etc/dovecot/dovecot-mysql.conf
driver = sql
}
plugin
plugin {
# Plugin: autocreate.
autocreate = INBOX
autocreate2 = Sent
autocreate3 = Trash
autocreate4 = Drafts
autocreate5 = Junk
autosubscribe = INBOX
autosubscribe2 = Sent
autosubscribe3 = Trash
autosubscribe4 = Drafts
autosubscribe5 = Junk
}protocol
protocol lda {
# Reference: http://wiki2.dovecot.org/LDA
mail_plugins = autocreate
auth_socket_path = /var/run/dovecot/auth-master
log_path = /var/log/sieve.log
lda_mailbox_autocreate = yes
postmaster_address = root
}
protocol imap {
mail_plugins = autocreate
imap_client_workarounds = tb-extra-mailbox-sep
mail_max_userip_connections = 30
}
protocol pop3 {
mail_plugins = $mail_plugins
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_uidl_format = %08Xu%08Xv
mail_max_userip_connections = 30
}
mail_max_userip_connections
Default: 10
Over 時會 "Maximum number of concurrent IMAP connections exceeded"
pop3_uidl_format format
...
namespace
namespace {
type = private
separator = /
prefix =
#location defaults to mail_location.
inbox = yes
}
pop3_uidl_format
UIDL - Unique Identifier
UIDL to avoid to receive the same email more than once.
The mail server assigns an unique identifier for every email in the same account.
UIDL in POP3 can be any valid asc-ii characters,
and the UIDL may be reused by POP3 server if the email with the UIDL has been deleted from the server
# Telnet cmd
# Default: show all
UIDL [msg]
msg: a message-number (optional)
Dovecot Setting
# # %u - Mail UID # %v - Mailbox UIDVALIDITY # %m - MD5 sum of the mailbox headers in hex (mbox only) # %f - filename (maildir only) # pop3_uidl_format = %08Xu%08Xv
Process Limit
default_process_limit = 100
default_client_limit = 1000
service_count
Number of client connections to handle until the process kills itself. (0 means unlimited. )
client_limit
Maximum number of simultaneous client connections.
If set to 0, default_client_limit is used instead.
process_limit
Maximum number of processes that can exist for this service.
This setting defines the maximum number of child processes that Dovecot can spawn.
If set to 0, default_process_limit is used instead.
每個 client 可以有多個 process,
Memory Limit
# 當一個 Folder 有 7 萬多個 Mail 時
... imap(U@D): Fatal: block_alloc(1048576): Out of memory
... imap(U@D): Fatal: master: service(imap):
child 14839 returned error 83 (Out of memory (service imap { vsz_limit=256 MB },
you may need to increase it) - set CORE_OUTOFMEM=1 environment to get core dump)
Rotating Logs
/etc/logrotate.d/dovecot
/var/log/dovecot.log {
missingok
notifempty
delaycompress
sharedscripts
postrotate
doveadm log reopen
endscript
}man doveadm-log
查看 log file 的位置
doveadm log find
Debug: /var/log/dovecot.log Info: /var/log/dovecot.log Warning: /var/log/dovecot.log Error: /var/log/dovecot.log Fatal: /var/log/dovecot.log
測試 log file 是否可寫入
doveadm log test
May 20 12:14:01 doveadm: Debug: This is Dovecot's debug log (1716178441) May 20 12:14:01 doveadm: Info: This is Dovecot's info log (1716178441) May 20 12:14:01 doveadm: Warning: This is Dovecot's warning log (1716178441) May 20 12:14:01 doveadm: Error: This is Dovecot's error log (1716178441) May 20 12:14:01 doveadm: Fatal: This is Dovecot's fatal log (1716178441)
logrotate
doveadm log reopen
causes doveadm to reopen all log files (log_path, info_log_path and debug_log_path)
Logs
# 查看 log file 的位置
doveadm log find
<1>
在 postfix 見到
080ED23907 437 Thu Aug 14 15:35:10 sender@???
(temporary failure. Command output: Can't open log file /var/log/dovecot.log: Permission denied)
receive@???解決:
protocol lda { ........
log_path = /var/log/sieve.log
}
touch /var/log/sieve.log
chown vmail. /var/log/sieve.log
chmod 660 /var/log/sieve.log
/etc/logrotate.d/sieve
/var/log/sieve.log {
missingok
delaycompress
compress
weekly
rotate 10
create 0660 vmail vmail
sharedscripts
postrotate
doveadm log reopen
endscript
}<2>
log
pop3(someone): Error: mkdir(/home/someone/mail/.imap/INBOX) failed: Operation not permitted pop3(someone): Error: chown(/home/someone/mail/.imap/INBOX, -1, 12(mail)) failed: Operation not permitted (egid=2203(someone), group based on /var/mail/someone)
原因
dovecot copy 唔到 /var/mail/ 內的 file 去 user 的 home directory
解決
<1>
chmod 0600 /var/mail/*
<2>
# Grant access to these supplementary groups for mail processes.
mail_access_groups=mail
<3> secured ?
Feb 3 15:30:43 vm dovecot: imap-login: Disconnected (auth failed, 1 attempts):
user=<user@domain>, method=PLAIN, rip=R.R.R.R, lip=L.L.L.L
Feb 4 01:39:06 vm dovecot: imap-login: Disconnected (auth failed, 1 attempts):
user=<user@domain>, method=PLAIN, rip=::1, lip=::1, secured
sieve log to another file
[1] By Dovecot Config
protocol lda {
mail_plugins = $mail_plugins sieve
log_path = /var/log/dovecot-sieve.log
...
}/etc/logrotate.d/dovecot
/var/log/dovecot-sieve.log
/var/log/dovecot.log {
compress
weekly
rotate 10
create 0600 vmail vmail
missingok
# Use bzip2 for compress.
compresscmd /usr/bin/bzip2
uncompresscmd /usr/bin/bunzip2
compressoptions -9
compressext .bz2
postrotate
doveadm log reopen
endscript
}[2] By rsyslog
/etc/rsyslog.d/dovecot.conf
# sieve and LMTP
if $syslogfacility-text == 'local5' and ($msg contains "lmtp(" or $msg contains "lda(") then -/var/log/dovecot/lda.log
& stop
Password Schemes
- default_pass_scheme
- dovecot.conf:auth_mechanisms
MD5-CRYPT: A weak but common scheme often used in /etc/shadow. The encrypted password will start with $1$
PLAIN: Password is in plaintext.
PLAIN-MD5: MD5 sum of the password stored in hex.
Default schemes:
dovecot-mysql.conf:
default_pass_scheme = CRYPT
dovecot.conf:
auth_mechanisms = PLAIN LOGIN
Password File
Ver: dovecot-2.3.8
dovecot.conf
#!include conf.d/*.conf
local.conf
protocols = imap pop3 lmtp submission
# conf.d/10-master.conf
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
# auth-passwdfile.conf.ext
passdb {
driver = passwd-file
# CRYPT is used by default
args = scheme=CRYPT username_format=%u /etc/dovecot/users.db
}
userdb {
driver = passwd-file
args = username_format=%u /etc/dovecot/users.db
}
Remark
username_format
- %u # full username (e.g. user@domain)
- %n # user part in user@domain, same as %u if there’s no domain
Passwd-file
This file is compatible with a normal /etc/passwd file, and a password file used by libpam-pwdfile PAM plugin.
Format:
user:password:uid:gid:(gecos):home:(shell):extra_fields
建立 password file
cd /etc/dovecot
touch users.db
chmod 640 users.db
chgrp dovecot users.db
# 建立 pw
doveadm pw -s SHA512-CRYPT
cat users.db
username:{type}password
Logging
Global log 設定
#log_path = syslog #info_log_path = #debug_log_path = #syslog_facility = mail
LDA 的 log
protocol lda {
..
# remember to give proper permissions for these files as well
log_path = /var/log/dovecot-lda-errors.log
info_log_path = /var/log/dovecot-lda.log
}IMAP Log
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
# %{fetch_hdr_count} - Number of mails with mail header data sent to client
# %{fetch_hdr_bytes} - Number of bytes with mail header data sent to client
# %{fetch_body_count} - Number of mails with mail body data sent to client
# %{fetch_body_bytes} - Number of bytes with mail body data sent to client
# %{deleted} - Number of mails where client added \Deleted flag
# %{expunged} - Number of mails that client expunged, which does not include automatically expunged mails
# %{autoexpunged} - Number of mails that were automatically expunged after client disconnected
# %{trashed} - Number of mails that client copied/moved to the special_use=\Trash mailbox.
# %{appended} - Number of mails saved during the session
imap_logout_format = in=%i out=%o deleted=%{deleted} expunged=%{expunged} \
trashed=%{trashed} hdr_count=%{fetch_hdr_count} \
hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} \
body_bytes=%{fetch_body_bytes}POP3 Log
# POP3 logout format string:
# Checking: doveconf pop3_logout_format
pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
Remark
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
# %t - number of TOP commands
# %p - number of bytes sent to client as a result of TOP command
# %r - number of RETR commands
# %b - number of bytes sent to client as a result of RETR command
# %d - number of deleted messages
# %m - number of messages (before deletion)
# %s - mailbox size in bytes (before deletion)
# %u - old/new UIDL hash. may help finding out if UIDLs changed unexpectedly
i.e.
Setting
mail_debug = no auth_verbose = yes auth_debug = no auth_debug_passwords = no
# connect 了但沒有 login 成功或失敗 (入了 Username 但沒有入 Password 都係呢個 log )
... pop3-login: Info: Aborted login (no auth attempts in 2 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<?>
# imap, pop3 及 smtp 的 login 失敗都是這 log
... auth-worker(3085): Info: sql(User@MyDomain,127.0.0.1): Password mismatch
# 成功 login
... pop3-login: Info: Login: user=<User@MyDomain>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=3189, secured, session=<?>
# logout 時的總結
... pop3(User@MyDomain): Info: Disconnected: Logged out top=0/0, retr=0/0, del=0/153, size=8946533
Cache
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour
Sending SIGUSR2 to dovecot-auth makes it log the number of cache hits and misses. You can use that information for tuning the cache size and TTL.
Out of memory
log
...: imap(USER@DOMAIN): Error: mmap(size=174466872) failed with file /home/vmail/vmail1/DOMAIN/USER/Maildir/.archive2021A/dovecot.index.cache: Cannot allocate memory
Config
default_vsz_limit = 256 M
service imap {
vsz_limit = 256 M
}
POP3 & IMAP Seen flag
Why does Dovecot add \Seen flag for mails that have been RETRed?
pop3_no_flag_updates=yes
與 login 有關
Port Settings
方式 1
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imap2 {
port = 1143
}
inet_listener imaps {
port = 993
ssl = yes
}
}
* Port number where to listen. 0 disables the listener.
* process_limit and process_min_avail set to the number of CPU cores
* client_limit needs to be set high enough to be able to serve all the needed connections
Maximum number of simultaneous client connections per process.
(max connections = process_limit * client_limit)
方式 2
iptables -t nat -A PREROUTING -p tcp --dport 1143 -j REDIRECT --to-port 143
