Dovecot V2 - Configure

Last updated: 2018-03-15

Contents

  • doveconf
  • Auth Socket
  • mini Configure
  • Process Limit
  • Memory Limit
  • Rotating Logs
  • Log troubleshooting
  • Password Schemes
  • Password File
  • Logging
  • Cache
  • Out of memory
  • POP3 & IMAP Seen flag

 


doveconf

 

doveconf      # configuration dumping utility

Other Dovecot programs, e.g. dovecot(1) and dovecot-lda(1), get their settings by running doveconf first, so what doveconf prints is what the daemons actually run with.

  • -n                     # Show only settings with non-default values
  • -a                     # Show all settings with their currently configured values
  • -N                     # Show settings with non-default values and explicitly set default values
  • -c config-file      # By default /etc/dovecot/dovecot.conf
  • -f filter              # filter: protocol, service, remote

e.g. to see where the LDA logs go:

doveconf -f service=lda | grep log_path

debug_log_path =
info_log_path =
log_path = syslog

/etc/rsyslog.d/1-dovecot.conf

# sieve and LMTP
# only matches if dovecot.conf sets syslog_facility = local5 (the default facility is mail)
if $syslogfacility-text == 'local5' and ($msg contains "lmtp(" or $msg contains "lda(") then -/var/log/dovecot/lda.log
& stop

 


Auth Socket

 

The auth sockets (Postfix SMTP AUTH, master and userdb lookups):

service auth {
    unix_listener /var/spool/postfix/dovecot-auth {
        user = root
        group = postfix
        mode = 0660
    }
    unix_listener auth-master {
        user = root
        group = vmail
        mode = 0660
    }
    unix_listener auth-userdb {
        mode = 0660
        user = root
        group = vmail
    }
}

# the LDA connects to auth-master

protocol lda {
    # Reference: http://wiki2.dovecot.org/LDA
    mail_plugins = autocreate
    
    # socket the LDA connects to for its userdb lookups
    auth_socket_path = /var/run/dovecot/auth-master
    lda_mailbox_autocreate = yes
    postmaster_address = root
}

The matching listener in service auth. mode = 0666 lets every local account query the userdb through this socket; because the LDA runs as vmail here, user = vmail (or group = vmail) with mode = 0660, as in the block above, is enough and is the safer choice:

service auth {
    ...
    unix_listener auth-master {
        user = vmail
        group = vmail
        mode = 0666
    }
}

 



Dovecot 2.2 mini Configure

 

# create the vmail user and group with id 2000

groupadd -g 2000 vmail

useradd -u 2000 -g 2000 -m -s /sbin/nologin vmail

-rw-rw-r--  1 root    root    7453 Apr 29  2013 dovecot.conf

10-master.conf

listen = *

# Default: imap pop3 lmtp
# to enable nothing, set protocols = none
protocols = imap pop3 lmtp


mail_uid = 2000
mail_gid = 2000

first_valid_uid = 2000
last_valid_uid = 2000

log_path = /var/log/dovecot.log
mail_debug = no
auth_verbose = no
auth_debug = no
auth_debug_passwords = no
# Possible values: no, plain, sha1.
auth_verbose_passwords = no

# no, yes, required. "ssl = yes" must be set globally if you require SSL for any protocol
# Lab setting: on an internet-facing server use ssl = required together with
# disable_plaintext_auth = yes (the default), otherwise PLAIN/LOGIN credentials
# cross the wire in cleartext.
ssl = no
verbose_ssl = no
# root:root 0444
#ssl_cert = </etc/pki/tls/certs/dovecot.pem
# root:root 0400
#ssl_key = </etc/pki/tls/private/dovecot.key

# default is yes; no is only acceptable when every client is local or on a trusted network
disable_plaintext_auth = no

mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/

auth_mechanisms = PLAIN LOGIN

default_process_limit = 200

service

service auth {
    # Postfix smtpd runs as postfix, so 0660 is enough for this socket
    unix_listener /var/spool/postfix/private/dovecot-auth {
        user = postfix
        group = postfix
        mode = 0666
    }
    # userdb lookups for the LDA; 0660 with user = vmail is enough (see Auth Socket above)
    unix_listener auth-master {
        user = vmail
        group = vmail
        mode = 0666
    }
    unix_listener auth-userdb {
        user = vmail
        group = vmail
        mode = 0660
    }
}

service imap-login {
    # one process per connection (Dovecot's "high-security mode"); the process exits after the login
    service_count = 1
    # idling processes are always kept around waiting for new connections.
    #process_min_avail = 10

    #process_limit = $default_process_limit
    # with service_count = 1 this is also the cap on concurrent unauthenticated connections
    process_limit = 100

    # Default 64MB value
    #vsz_limit = 64M
}

service pop3-login {
    service_count = 1
}

userdb & passdb

# Virtual mail accounts.
userdb {
    args = /usr/local/etc/dovecot/dovecot-mysql.conf
    driver = sql
}
passdb {
    args = /usr/local/etc/dovecot/dovecot-mysql.conf
    driver = sql
}

plugin

plugin {
    # Plugin: autocreate.
    autocreate = INBOX
    autocreate2 = Sent
    autocreate3 = Trash
    autocreate4 = Drafts
    autocreate5 = Junk
    autosubscribe = INBOX
    autosubscribe2 = Sent
    autosubscribe3 = Trash
    autosubscribe4 = Drafts
    autosubscribe5 = Junk
}

 

 

protocol

protocol lda {
    # Reference: http://wiki2.dovecot.org/LDA
    mail_plugins = autocreate
    auth_socket_path = /var/run/dovecot/auth-master
    log_path = /var/log/sieve.log
    lda_mailbox_autocreate = yes
    postmaster_address = root
}

protocol imap {
    mail_plugins = autocreate
    imap_client_workarounds = tb-extra-mailbox-sep

    # Default is 10.
    mail_max_userip_connections = 100
}

protocol pop3 {
    # mail_plugins = $mail_plugins
    pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
    pop3_uidl_format = %08Xu%08Xv

    # Default is 10.
    mail_max_userip_connections = 100
}



 

namespace

namespace {
    type = private
    separator = /
    prefix =
    #location defaults to mail_location.
    inbox = yes
}
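An added example, my own script rather than anything from the page or the Dovecot project: a POSIX sh audit of a doveconf -n dump that flags the weak settings that appear in this mini configuration and in the Auth Socket section above (disable_plaintext_auth = no, ssl = no, and unix_listener sockets whose mode gives every local account read/write access). The dump it runs on is constructed for the example; on a real host replace it with the output of doveconf -n. The function and file names are mine.

```shell
#!/bin/sh
# Added example: audit a `doveconf -n` dump for the weak settings discussed on this page.
# Not part of Dovecot; the sample dump below is constructed for the example.

# Constructed sample of what `doveconf -n` prints for the mini configuration above.
write_sample_dump() {
    cat > "$1" <<'EOF'
# 2.3.8: /etc/dovecot/dovecot.conf
auth_mechanisms = plain login
disable_plaintext_auth = no
protocols = imap pop3 lmtp
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
ssl = no
EOF
}

# audit_dovecot_dump FILE
# Prints one WARN line per finding plus a summary; the return status is the number of findings.
audit_dovecot_dump() {
    dump=$1
    n=0

    if grep -Eq '^disable_plaintext_auth[[:space:]]*=[[:space:]]*no' "$dump"; then
        echo "WARN disable_plaintext_auth = no: PLAIN/LOGIN credentials are accepted without TLS"
        n=$((n + 1))
    fi

    if grep -Eq '^ssl[[:space:]]*=[[:space:]]*no' "$dump"; then
        echo "WARN ssl = no: no STARTTLS or IMAPS/POP3S is offered; use ssl = required on a public server"
        n=$((n + 1))
    fi

    # Inside each listener block, a mode whose last octal digit is 6 or 7 gives
    # read+write to every local account, not only the user/group the listener names.
    socks=$(awk '
        /^[ \t]*(unix|fifo)_listener[ \t]/ { name = $2 }
        /^[ \t]*mode[ \t]*=/ {
            if ($NF ~ /[67]$/)
                print "WARN unix_listener " name " mode " $NF " is world read/write"
        }' "$dump")
    if [ -n "$socks" ]; then
        printf '%s\n' "$socks"
        n=$((n + $(printf '%s\n' "$socks" | wc -l)))
    fi

    echo "$n finding(s)"
    return "$n"
}

# Stand-alone demo on the constructed dump.
# Real use: doveconf -n > /tmp/dovecot.dump && audit_dovecot_dump /tmp/dovecot.dump
demo_dump=$(mktemp)
write_sample_dump "$demo_dump"
audit_dovecot_dump "$demo_dump" || :
rm -f "$demo_dump"
```

The return status doubles as a finding count, so the script can gate a deployment (`audit_dovecot_dump dump || echo "fix before enabling"`).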

 

 

pop3_uidl_format

UIDL - Unique-ID Listing

UIDL lets a POP3 client avoid downloading the same message more than once.

The server assigns every message in a mailbox a unique identifier that must stay the same across sessions.

A UIDL may contain any printable ASCII characters (RFC 1939 allows 1 to 70 of them),

and the server may reuse a UIDL only after the message that carried it has been deleted.

# POP3 command (e.g. over telnet)

# without an argument, every message is listed

UIDL [msg]

msg: a message-number (optional)

Dovecot setting

#
# %u - Mail UID
# %v - Mailbox UIDVALIDITY
# %m - MD5 sum of the mailbox headers in hex (mbox only)
# %f - filename (maildir only)
#
pop3_uidl_format = %08Xu%08Xv

Do not change pop3_uidl_format on a server with existing POP3 users: every UIDL changes, so clients that leave mail on the server download everything again. The %u field of pop3_logout_format (see Logging) is there to spot such unexpected UIDL changes.

 

 


Process Limit

 

default_process_limit = 100

default_client_limit = 1000

service_count

    Number of client connections to handle until the process kills itself. (0 means unlimited.)

client_limit

    Maximum number of simultaneous client connections per process.

    If set to 0, default_client_limit is used instead.

process_limit

    Maximum number of processes that can exist for this service.

    This setting defines the maximum number of child processes that Dovecot can spawn.

    If set to 0, default_process_limit is used instead.

A service runs up to process_limit processes and each process serves up to client_limit connections, so the ceiling on simultaneous connections for a service is process_limit × client_limit. For the login services configured with service_count = 1, every process handles exactly one connection, so process_limit alone caps the number of concurrent logins in progress.

 

 


Memory Limit

# when a single folder holds 70,000+ mails

... imap(U@D): Fatal: block_alloc(1048576): Out of memory
... imap(U@D): Fatal: master: service(imap):
  child 14839 returned error 83 (Out of memory (service imap { vsz_limit=256 MB },
  you may need to increase it) - set CORE_OUTOFMEM=1 environment to get core dump)

 


Rotating Logs

 

/etc/logrotate.d/dovecot

/var/log/dovecot.log {
  missingok
  notifempty
  # delaycompress only has an effect together with compress
  delaycompress
  sharedscripts
  postrotate
    doveadm log reopen
  endscript
}

 


Log troubleshooting

# find out where Dovecot writes its logs

doveadm log find

<1>

Seen in the Postfix queue (mailq):

080ED23907      437 Thu Aug 14 15:35:10  sender@???
(temporary failure. Command output: Can't open log file /var/log/dovecot.log: Permission denied)
                                         receive@???

The LDA runs as the mail user (vmail), which cannot write to the root-owned /var/log/dovecot.log. Fix: give the LDA its own log file that vmail can write:

protocol lda {    ........
    log_path = /var/log/sieve.log
}

touch /var/log/sieve.log

chown vmail:vmail /var/log/sieve.log

chmod 660 /var/log/sieve.log

/etc/logrotate.d/sieve

/var/log/sieve.log {
    missingok
    delaycompress
    compress
    weekly
    rotate 10
    create 0660 vmail vmail
    sharedscripts
    postrotate
        doveadm log reopen
    endscript
}

<2>

Log

pop3(someone): Error: mkdir(/home/someone/mail/.imap/INBOX) failed: Operation not permitted

pop3(someone): Error: chown(/home/someone/mail/.imap/INBOX, -1, 12(mail))
failed: Operation not permitted (egid=2203(someone), group based on /var/mail/someone)

Cause

Dovecot creates the index directory under the user's home with the same group as the mbox it belongs to (/var/mail/someone, group mail), but the process runs as the user, who is not a member of group mail, so the chown is refused.

Fix (either one)

<1>

# no group permissions on the mbox, so there is no group for the index directory to inherit
chmod 0600 /var/mail/*

<2>

# Grant access to these supplementary groups for mail processes.

mail_access_groups=mail

<3> What does "secured" mean?

Feb  3 15:30:43 vm dovecot: imap-login: Disconnected (auth failed, 1 attempts): 
    user=<user@domain>, method=PLAIN, rip=R.R.R.R, lip=L.L.L.L
Feb  4 01:39:06 vm dovecot: imap-login: Disconnected (auth failed, 1 attempts): 
    user=<user@domain>, method=PLAIN, rip=::1, lip=::1, secured

"secured" means Dovecot classed the connection as secure without TLS: the remote IP equals the local IP (the client is on the same machine, as in the second line with rip=::1) or it lies in login_trusted_networks. Such connections may use PLAIN even with disable_plaintext_auth = yes. A TLS session is tagged "TLS" instead. The first line carries neither tag, so that password crossed the network in cleartext.

 


Password Schemes

 

  • default_pass_scheme    # scheme assumed for stored hashes that carry no {SCHEME} prefix
  • dovecot.conf:auth_mechanisms

MD5-CRYPT: A weak but common scheme often used in /etc/shadow. The encrypted password will start with $1$

PLAIN: Password is in plaintext.
PLAIN-MD5: MD5 sum of the password stored in hex.

CRYPT: handed to the system crypt(3); the hash prefix selects the algorithm ($6$ is SHA512-CRYPT, $5$ SHA256-CRYPT, $1$ MD5-CRYPT, no prefix traditional DES). Prefer SHA512-CRYPT or BLF-CRYPT for new accounts.

The plaintext mechanisms (PLAIN, LOGIN) verify against any stored scheme, so there is no reason to keep passwords in PLAIN or PLAIN-MD5 unless a challenge-response mechanism such as CRAM-MD5 is also offered.

Defaults used on this page:

dovecot-mysql.conf:

default_pass_scheme = CRYPT

dovecot.conf:

auth_mechanisms = PLAIN LOGIN

 


Password File

 

Ver: dovecot-2.3.8

dovecot.conf

#!include conf.d/*.conf

local.conf

protocols = imap pop3 lmtp submission

# conf.d/10-master.conf
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# auth-passwdfile.conf.ext
passdb {
  driver = passwd-file
  # CRYPT is used by default
  args = scheme=CRYPT username_format=%u /etc/dovecot/users.db
}
userdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/users.db
}

Remark

username_format

  • %u          # full username (e.g. user@domain)
  • %n         # user part in user@domain, same as %u if there’s no domain

Passwd-file

This file is compatible with a normal /etc/passwd file, and a password file used by libpam-pwdfile PAM plugin.

Format:

user:password:uid:gid:(gecos):home:(shell):extra_fields

Create the password file

cd /etc/dovecot

touch users.db

# readable by the dovecot group only: the file holds password hashes
chmod 640 users.db

chgrp dovecot users.db

# generate a hash (prompts for the password twice)

doveadm pw -s SHA512-CRYPT

cat users.db

username:{SCHEME}password-hash
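An added example for the Password Schemes and Password File sections, my own code rather than the page's or Dovecot's: a linter that reads a passwd-file such as users.db and reports entries whose stored hash uses a weak or plaintext scheme (classifying a bare CRYPT hash by its $id$ prefix the way crypt(3) does), uids outside the first_valid_uid..last_valid_uid window used in the mini configuration, and duplicate users. The users.db content is constructed; the hashes in it are placeholders, and the strong/weak grouping and the function names are my own policy, not a Dovecot list.

```python
"""Added example: lint a Dovecot passwd-file (users.db) before deploying it.
Not Dovecot code; the sample file and the strength policy below are mine.
"""
import re

# Scheme policy for this example (Dovecot supports more schemes than listed).
STRONG_SCHEMES = {"SHA512-CRYPT", "SHA256-CRYPT", "BLF-CRYPT", "ARGON2I", "ARGON2ID",
                  "PBKDF2", "SCRAM-SHA-1", "SCRAM-SHA-256"}
WEAK_SCHEMES = {"PLAIN", "CLEARTEXT", "PLAIN-MD5", "LDAP-MD5", "MD5", "MD5-CRYPT",
                "SHA", "SHA1", "SHA256", "SHA512",  # unsalted digests
                "LANMAN", "NTLM"}
# A bare CRYPT hash is classified from its prefix, which is how crypt(3) picks the algorithm.
CRYPT_PREFIXES = (
    ("$argon2", "strong"),
    ("$6$", "strong"),   # SHA512-CRYPT
    ("$5$", "strong"),   # SHA256-CRYPT
    ("$2", "strong"),    # BLF-CRYPT ($2a$, $2b$, $2y$)
    ("$1$", "weak"),     # MD5-CRYPT
)
SCHEME_RE = re.compile(r"\{([A-Za-z0-9.-]+)\}(.*)", re.S)


def classify_hash(password_field, default_scheme="CRYPT"):
    """Return (scheme, strength) for one password field.

    A field without a {SCHEME} prefix is read with default_scheme, as Dovecot does
    with default_pass_scheme. Encoding suffixes (.B64, .HEX) do not affect strength.
    """
    m = SCHEME_RE.match(password_field)
    scheme, digest = (m.group(1), m.group(2)) if m else (default_scheme, password_field)
    scheme = scheme.upper().split(".")[0]
    if scheme in STRONG_SCHEMES:
        return scheme, "strong"
    if scheme in WEAK_SCHEMES:
        return scheme, "weak"
    if scheme == "CRYPT":
        for prefix, strength in CRYPT_PREFIXES:
            if digest.startswith(prefix):
                return scheme, strength
        return scheme, "weak"  # no $id$ prefix: traditional 13-character DES crypt
    return scheme, "unknown"


def check_passwd_file(text, default_scheme="CRYPT", uid_range=(2000, 2000)):
    """Parse passwd-file text; return (entries, findings)."""
    entries, findings, seen = [], [], set()
    lo, hi = uid_range
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # user:password:uid:gid:gecos:home:shell:extra_fields (trailing fields optional)
        parts = line.split(":", 7)
        if len(parts) < 2 or not parts[0]:
            findings.append(f"line {lineno}: malformed entry")
            continue
        parts += [""] * (8 - len(parts))
        user, password, uid, _gid, _gecos, home, _shell, extra = parts
        if user in seen:
            findings.append(f"line {lineno}: duplicate user {user}")
        seen.add(user)
        scheme, strength = classify_hash(password, default_scheme)
        if strength != "strong":
            findings.append(f"line {lineno}: {user} uses {strength} scheme {scheme}")
        if uid and (not uid.isdigit() or not lo <= int(uid) <= hi):
            findings.append(f"line {lineno}: {user} uid {uid} outside "
                            f"first_valid_uid..last_valid_uid ({lo}..{hi})")
        entries.append({"user": user, "scheme": scheme, "strength": strength,
                        "uid": int(uid) if uid.isdigit() else None,
                        "home": home, "extra": extra})
    return entries, findings


# Constructed sample users.db; the hash bodies are placeholders, not real hashes.
SAMPLE_USERS_DB = """\
# constructed sample
alice@example.com:{SHA512-CRYPT}$6$rounds=5000$saltsalt$hashhashhash:2000:2000::/home/vmail/example.com/alice::
bob@example.com:{PLAIN}hunter2:2000:2000::/home/vmail/example.com/bob::
carol@example.com:{MD5-CRYPT}$1$saltsalt$hashhash:2000:2000::/home/vmail/example.com/carol::
dave@example.com:$6$saltsalt$hashhashhash:3000:3000::/home/vmail/example.com/dave::
erin@example.com:{CRYPT}abJnggxhB/yWI:2000:2000::/home/vmail/example.com/erin::allow_nets=192.0.2.0/24
"""

if __name__ == "__main__":
    found_entries, found = check_passwd_file(SAMPLE_USERS_DB)
    for item in found:
        print(item)
    print(f"{len(found_entries)} entries, {len(found)} finding(s)")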

 


Logging

 

Global log 設定

#log_path = syslog
#info_log_path =
#debug_log_path =
#syslog_facility = mail

LDA 的 log

protocol lda {
 ..
  # remember to give proper permissions for these files as well
  log_path = /var/log/dovecot-lda-errors.log
  info_log_path = /var/log/dovecot-lda.log
}

IMAP Log

#  %i - total number of bytes read from client
#  %o - total number of bytes sent to client

#  %{fetch_hdr_count} - Number of mails with mail header data sent to client
#  %{fetch_hdr_bytes} - Number of bytes with mail header data sent to client
#  %{fetch_body_count} - Number of mails with mail body data sent to client
#  %{fetch_body_bytes} - Number of bytes with mail body data sent to client

#  %{deleted} - Number of mails where client added \Deleted flag
#  %{expunged} - Number of mails that client expunged, which does not include automatically expunged mails
#  %{autoexpunged} - Number of mails that were automatically expunged after client disconnected

#  %{trashed} - Number of mails that client copied/moved to the special_use=\Trash mailbox.
#  %{appended} - Number of mails saved during the session

imap_logout_format = in=%i out=%o deleted=%{deleted} expunged=%{expunged} \
  trashed=%{trashed} hdr_count=%{fetch_hdr_count} \
  hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} \
  body_bytes=%{fetch_body_bytes}

POP3 Log

# POP3 logout format string:

# Checking: doveconf pop3_logout_format

pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s

Remark

#  %i - total number of bytes read from client
#  %o - total number of bytes sent to client

#  %t - number of TOP commands
#  %p - number of bytes sent to client as a result of TOP command

#  %r - number of RETR commands
#  %b - number of bytes sent to client as a result of RETR command

#  %d - number of deleted messages
#  %m - number of messages (before deletion)

#  %s - mailbox size in bytes (before deletion)

#  %u - old/new UIDL hash. may help finding out if UIDLs changed unexpectedly

i.e.

Setting

mail_debug = no
auth_verbose = yes
auth_debug = no
auth_debug_passwords = no

# connect 了但沒有 login 成功或失敗 (入了 Username 但沒有入 Password 都係呢個 log )

... pop3-login: Info: Aborted login (no auth attempts in 2 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<?>

# imap, pop3 及 smtp 的 login 失敗都是這 log

... auth-worker(3085): Info: sql(User@MyDomain,127.0.0.1): Password mismatch

# 成功 login

... pop3-login: Info: Login: user=<User@MyDomain>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=3189, secured, session=<?>

# logout 時的總結

... pop3(User@MyDomain): Info: Disconnected: Logged out top=0/0, retr=0/0, del=0/153, size=8946533

 


Cache

 

# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour

Sending SIGUSR2 to dovecot-auth makes it log the number of cache hits and misses. You can use that information for tuning the cache size and TTL.

 


Out of memory

 

log

...: imap(USER@DOMAIN): Error: mmap(size=174466872) failed with file
  /home/vmail/vmail1/DOMAIN/USER/Maildir/.archive2021A/dovecot.index.cache: Cannot allocate memory

Config

default_vsz_limit = 256 M

service imap {
    vsz_limit = 256 M
}

 


POP3 & IMAP Seen flag

 

Why does Dovecot add \Seen flag for mails that have been RETRed?

pop3_no_flag_updates=yes

 


與 login 有關

 

Link

 


 

 

 

Creative Commons license icon Creative Commons license icon