Dovecot V2 - Configure

最後更新: 2018-03-15

目錄

  • Version 2
  • Auth socket
  • mini Configure
  • pop3_uidl_format
  • Process Limit
  • Memory Limit
  • Rotating Logs
  • Log 的 Troubleshoot
  • Password Schemes
  • Logging
  • Cache

 


Version 2

 

doveconf      <---   configuration dumping utility

dovecot(1) and dovecot-lda(1) first obtain their settings by executing doveconf.

  • -n                     # Show only settings with non-default values (this is the form to share when asking for help)
  • -a                     # Show all settings with their currently configured values.
  • -N                     # Show settings with non-default values and explicitly set default values.
  • -c config-file      # By default /etc/dovecot/dovecot.conf
  • -P                     # Also print passwords and other secrets (e.g. the ssl_key contents) that doveconf normally hides — never use it for output you paste into a ticket or wiki.

 

Auth socket

login 的 socket:

service auth {
    # Socket dovecot-lda uses for userdb lookups (protocol lda { auth_socket_path }).
    # Owner root, group vmail, group-accessible only: the delivery user gets in,
    # nobody else on the box can query user records through it.
    unix_listener auth-master {
        mode = 0660
        user = root
        group = vmail
    }
    # Same kind of userdb socket under the Dovecot v2 default name.
    unix_listener auth-userdb {
        mode = 0660
        user = root
        group = vmail
    }
    # SASL socket for Postfix smtpd. It lives under the Postfix queue directory
    # so a (possibly chrooted) smtpd can reach it; group postfix, 0660, so only
    # Postfix can submit authentication requests.
    unix_listener /var/spool/postfix/dovecot-auth {
        mode = 0660
        user = root
        group = postfix
    }
}

# lda 會連過去 auth-master 的

protocol lda {
    # Reference: http://wiki2.dovecot.org/LDA
    # autocreate plugin: creates/subscribes the configured folders on first
    # delivery (Dovecot 2.1+ can do the same without a plugin via
    # namespace { mailbox Sent { auto = subscribe } } and friends).
    mail_plugins = autocreate
    
    # Socket the LDA connects to for its userdb lookup. It must match a
    # unix_listener in service auth and be accessible to the uid dovecot-lda
    # runs as (vmail in this setup).
    auth_socket_path = /var/run/dovecot/auth-master
    lda_mailbox_autocreate = yes
    # Sender address for bounces/DSNs generated by the LDA.
    postmaster_address = root
}

對應在 service auth

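service auth {
# ... other listeners unchanged ...
    # Socket that dovecot-lda uses for userdb lookups (protocol lda {
    # auth_socket_path } above). Only the delivery user needs it, so it is
    # owner/group vmail with group access only. The previous mode 0666 let
    # any local account on the machine query user records (home directory,
    # uid/gid) through the socket.
    unix_listener auth-master {
        user = vmail
        group = vmail
        mode = 0660
    }
# ...
}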

 



Dovecot 2.2 mini Configure

 

# Create the unprivileged owner of all virtual mailboxes (uid/gid 2000).
# No login shell: nothing should ever log in as this account.
# (The nologin path is distro-specific: /sbin/nologin on RHEL/CentOS,
# /usr/sbin/nologin on Debian/Ubuntu; adjust if useradd complains.)

groupadd --gid 2000 vmail

useradd --uid 2000 --gid vmail --create-home --shell /bin/nologin vmail

-rw-rw-r--  1 root    root    7453 Apr 29  2013 dovecot.conf

10-master.conf

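listen = *

# Default: imap pop3 lmtp
# To serve nothing at all use "protocols = none"
protocols = imap pop3 lmtp


# Every mailbox is owned by the single virtual-mail user created above.
mail_uid = 2000
mail_gid = 2000

# Refuse any userdb result outside the vmail uid: a bad SQL row can never
# make Dovecot open mail as root or as a system account.
first_valid_uid = 2000
last_valid_uid = 2000

log_path = /var/log/dovecot.log
mail_debug = no
auth_verbose = no
auth_debug = no
# Keep these two off outside a short debugging session: they write the
# passwords clients submit into the log file.
auth_debug_passwords = no
# Possible values: no, plain, sha1.
auth_verbose_passwords = no

# no, yes, required. "ssl = yes" must be set globally if you require SSL for any protocol
# NOTE(review): ssl = no together with disable_plaintext_auth = no (below)
# means every PLAIN/LOGIN authentication crosses the network in clear text.
# Acceptable for a lab only. For real users set ssl = required, uncomment the
# cert/key lines, and set disable_plaintext_auth = yes; TLS and localhost
# sessions (logged as "secured") are still allowed to use PLAIN/LOGIN.
ssl = no
verbose_ssl = no
# root:root 0444
#ssl_cert = </etc/pki/tls/certs/dovecot.pem
# root:root 0400
#ssl_key = </etc/pki/tls/private/dovecot.key

disable_plaintext_auth = no

mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/

# Both mechanisms transmit the password as-is; they are the only ones that can
# verify against hashed (crypt-style) passdb entries, so TLS is what protects
# the password on the wire.
auth_mechanisms = PLAIN LOGIN

default_process_limit = 200


service auth {
    # SASL socket for Postfix smtpd. smtpd runs as the postfix user, so
    # owner/group postfix with 0660 is sufficient. The previous 0666 let any
    # local account run unthrottled password checks through this socket.
    unix_listener /var/spool/postfix/private/dovecot-auth {
        user = postfix
        group = postfix
        mode = 0660
    }
    # userdb lookups for dovecot-lda (protocol lda { auth_socket_path }).
    # Only the delivery user needs it; the previous 0666 let any local
    # account look up user records (home directory, uid/gid).
    unix_listener auth-master {
        user = vmail
        group = vmail
        mode = 0660
    }
    unix_listener auth-userdb {
        user = vmail
        group = vmail
        mode = 0660
    }
}

# Virtual mail accounts.
# dovecot-mysql.conf holds the SQL connect string including the DB password:
# keep it 0600, readable only by the user the auth service runs as (root
# unless service auth { user = } is changed).
userdb {
    args = /usr/local/etc/dovecot/dovecot-mysql.conf
    driver = sql
}
passdb {
    args = /usr/local/etc/dovecot/dovecot-mysql.conf
    driver = sql
}

plugin {
    # Plugin: autocreate. Folders created and subscribed on first access.
    # (Dovecot 2.1+ can do this without the plugin: mailbox X { auto = subscribe }.)
    autocreate = INBOX
    autocreate2 = Sent
    autocreate3 = Trash
    autocreate4 = Drafts
    autocreate5 = Junk
    autosubscribe = INBOX
    autosubscribe2 = Sent
    autosubscribe3 = Trash
    autosubscribe4 = Drafts
    autosubscribe5 = Junk
}

protocol lda {
    # Reference: http://wiki2.dovecot.org/LDA
    mail_plugins = autocreate
    # Must match a unix_listener in service auth and be accessible to vmail.
    auth_socket_path = /var/run/dovecot/auth-master
    # Separate log file: the LDA runs as vmail and cannot write root's
    # /var/log/dovecot.log (see the troubleshooting section).
    log_path = /var/log/sieve.log
    lda_mailbox_autocreate = yes
    postmaster_address = root
}

protocol imap {
    mail_plugins = autocreate
    imap_client_workarounds = tb-extra-mailbox-sep

    # Default is 10. This is the per-user, per-IP connection cap; raising it
    # tenfold also raises what one misbehaving client or NAT can consume, so
    # keep it as low as the deployment allows.
    mail_max_userip_connections = 100
}

protocol pop3 {
    # mail_plugins = $mail_plugins
    pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
    # Choose once: changing the UIDL format on a live server changes every
    # UIDL, and "leave mail on server" clients re-download everything.
    pop3_uidl_format = %08Xu%08Xv

    # Default is 10. Same caveat as for imap above.
    mail_max_userip_connections = 100
}

service imap-login {
    # One process per connection (high-security mode): a compromised login
    # process serves only its own client, at the cost of a fork per login.
    service_count = 1
    # idling processes are always kept around waiting for new connections.
    #process_min_avail = 10

    #process_limit = $default_process_limit
    # With service_count = 1 this is also the cap on simultaneous
    # not-yet-authenticated IMAP connections.
    process_limit = 100

    # default 64MB value
    #vsz_limit = 64M
}

service pop3-login {
    service_count = 1
}

namespace {
    type = private
    separator = /
    prefix =
    #location defaults to mail_location.
    inbox = yes
}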

 

pop3_uidl_format

UIDL - Unique Identifier

UIDL exists so that a client does not download the same email more than once.

The mail server assigns a unique identifier to every email within the same account.

A POP3 UIDL may consist of any printable ASCII characters,

and the server may reuse a UIDL once the email that carried it has been deleted from the server.

# Telnet cmd

# Default: show all

UIDL [msg]

msg: a message-number (optional)

Dovecot  Setting

#
# %u - Mail UID
# %v - Mailbox UIDVALIDITY
# %m - MD5 sum of the mailbox headers in hex (mbox only)
# %f - filename (maildir only)
#
# %08Xu%08Xv: zero-padded hex UID followed by hex UIDVALIDITY, which is unique
# and stable across mailbox rebuilds for maildir. Decide on this once: changing
# the format on a live server changes every UIDL, so POP3 clients configured to
# leave mail on the server will re-download their whole mailbox.
pop3_uidl_format = %08Xu%08Xv

 

 


Process Limit

 

# Per-service cap on the number of processes (the fallback for process_limit
# below). For the login services, which use service_count = 1, this is in
# effect a cap on simultaneous logins.
default_process_limit = 100

# Per-process cap on simultaneous client connections (the fallback for
# client_limit below), relevant to services that serve many clients from one
# process.
default_client_limit = 1000

client_limit:

    Maximum number of simultaneous client connections.  (If set to 0, default_client_limit is used instead. )

service_count:

    Number of client connections to handle until the process kills itself.  (0 means unlimited. )

process_limit

    Maximum number of processes for this service (0 means use default_process_limit). For imap/pop3/managesieve it defaults to 1024, which means that the number of simultaneous IMAP (or POP3 or ManageSieve) connections is limited to 1024 — with service_count = 1 every connection is its own process. The mini config above sets it to 100 for imap-login, i.e. at most 100 clients can be in the login phase at once.

 


Memory Limit

# 當一個 Folder 有 7 萬多個 Mail 時 (a folder holding 70,000+ mails): the imap process exceeds its vsz_limit and is killed, as the log below shows. Raise the limit for that service only, e.g. service imap { vsz_limit = 512M }, rather than globally — the limit is also what stops a runaway process from exhausting the host's memory.

... imap(U@D): Fatal: block_alloc(1048576): Out of memory
... imap(U@D): Fatal: master: service(imap):
  child 14839 returned error 83 (Out of memory (service imap { vsz_limit=256 MB },
  you may need to increase it) - set CORE_OUTOFMEM=1 environment to get core dump)

 


Rotating Logs

 

/etc/logrotate.d/dovecot

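/var/log/dovecot.log {
  missingok
  notifempty
  # delaycompress only has an effect together with compress (as in the sieve
  # rotation further down); without it, rotated logs were never compressed.
  compress
  delaycompress
  sharedscripts
  postrotate
    # make every Dovecot process reopen its log; otherwise they keep writing
    # to the renamed file
    doveadm log reopen
  endscript
}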

 


log 的 troubleshoot

 

# 查看 log file 的位置

doveadm log find

<1>

在 postfix 見到

080ED23907      437 Thu Aug 14 15:35:10  sender@???
(temporary failure. Command output: Can't open log file /var/log/dovecot.log: Permission denied)
                                         receive@???

解決:

# The LDA runs as the delivery user (vmail), which cannot write root's
# /var/log/dovecot.log. Give it its own log file rather than loosening the
# permissions on the main log.
protocol lda {    ........
    log_path = /var/log/sieve.log
}

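# Create the LDA log file owned by the delivery user so dovecot-lda (running
# as vmail, see protocol lda { log_path }) can write it.
touch /var/log/sieve.log

# "vmail." (dot separator) is a legacy GNU spelling; "vmail:vmail" is the
# POSIX form and works on every chown implementation.
chown vmail:vmail /var/log/sieve.log

# Owner and group only; other local users get no access to the log.
chmod 660 /var/log/sieve.log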

/etc/logrotate.d/sieve

/var/log/sieve.log {
    weekly
    rotate 10
    missingok
    # recreate the file with the owner/mode the LDA needs (matches the
    # chown/chmod above)
    create 0660 vmail vmail
    compress
    # keep the newest rotated file uncompressed until the next run
    delaycompress
    sharedscripts
    postrotate
        doveadm log reopen
    endscript
}

<2>

log

pop3(someone): Error: mkdir(/home/someone/mail/.imap/INBOX) failed: Operation not permitted

pop3(someone): Error: chown(/home/someone/mail/.imap/INBOX, -1, 12(mail))
failed: Operation not permitted (egid=2203(someone), group based on /var/mail/someone)

原因

Dovecot 唔係 copy 唔到 /var/mail/ 內的 file: the log shows it creating the index directory under the user's home and trying to give it the group of the mbox spool file (/var/mail/someone, gid 12 "mail"); the user's mail process is not a member of that group (egid=2203), so the mkdir/chown is refused.

解決

<1>

chmod 0600 /var/mail/*

<2>

# Grant access to these supplementary groups for mail processes.
# NOTE(review): this gives every user's imap/pop3 process the "mail" group for
# its whole lifetime, not just for the spool: anything else on the system that
# is group-readable by "mail" becomes readable to every mail user. Prefer fix
# <1> (chmod 0600 on the spool files) when possible.
mail_access_groups=mail

<3> secured ? — "secured" in these lines means Dovecot treats the session as safe for plaintext mechanisms: it is TLS-protected or the remote address is the server's own (the second line is ::1 → ::1). disable_plaintext_auth is only enforced for sessions without this flag. The first line — a PLAIN attempt from R.R.R.R with no "secured" — is one that, with ssl = no, sent the password over the network in clear text. Both are failed logins ("auth failed, 1 attempts"); this is the line format that brute-force detection should watch.

Feb  3 15:30:43 vm dovecot: imap-login: Disconnected (auth failed, 1 attempts): 
    user=<user@domain>, method=PLAIN, rip=R.R.R.R, lip=L.L.L.L
Feb  4 01:39:06 vm dovecot: imap-login: Disconnected (auth failed, 1 attempts): 
    user=<user@domain>, method=PLAIN, rip=::1, lip=::1, secured

 


Password Schemes

 

  • default_pass_scheme
  • dovecot.conf:auth_mechanisms

MD5-CRYPT: A weak but common scheme often used in /etc/shadow. The hashed password starts with $1$. It is salted but cheap to brute-force; prefer SHA512-CRYPT ($6$) or BLF-CRYPT (bcrypt) for new deployments.

PLAIN: Password is stored in plaintext — anyone who can read the passdb (the SQL table here) has every user's password.
PLAIN-MD5: unsalted MD5 sum of the password stored in hex. Trivially reversed with precomputed tables, so it is hardly better than PLAIN against an attacker with read access to the table.

Default schemes:

dovecot-mysql.conf:

default_pass_scheme = CRYPT

dovecot.conf:

auth_mechanisms = PLAIN LOGIN


Logging

 

Global log 設定

# Global defaults, shown commented out: everything goes to syslog under the
# "mail" facility. Pointing log_path at a file (as the mini config does) means
# that file must be writable by every process that logs to it — which is
# exactly what the LDA troubleshooting section above runs into.
#log_path = syslog
#info_log_path =
#debug_log_path =
#syslog_facility = mail

LDA 的 log

protocol lda {
 ..
  # remember to give proper permissions for these files as well:
  # they must be writable by the uid dovecot-lda runs as (vmail here, see the
  # chown/chmod in the troubleshooting section) and not readable by other
  # local users.
  log_path = /var/log/dovecot-lda-errors.log
  info_log_path = /var/log/dovecot-lda.log
}

IMAP Log

# Per-session summary written at IMAP logout. The deleted/expunged/trashed
# counters are useful after an account compromise: they show how much a
# session removed, not just that it logged in.
#  %i - total number of bytes read from client
#  %o - total number of bytes sent to client

#  %{fetch_hdr_count} - Number of mails with mail header data sent to client
#  %{fetch_hdr_bytes} - Number of bytes with mail header data sent to client
#  %{fetch_body_count} - Number of mails with mail body data sent to client
#  %{fetch_body_bytes} - Number of bytes with mail body data sent to client

#  %{deleted} - Number of mails where client added \Deleted flag
#  %{expunged} - Number of mails that client expunged, which does not include automatically expunged mails
#  %{autoexpunged} - Number of mails that were automatically expunged after client disconnected

#  %{trashed} - Number of mails that client copied/moved to the special_use=\Trash mailbox.
#  %{appended} - Number of mails saved during the session

# Trailing backslashes continue the value onto the next line.
imap_logout_format = in=%i out=%o deleted=%{deleted} expunged=%{expunged} \
  trashed=%{trashed} hdr_count=%{fetch_hdr_count} \
  hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} \
  body_bytes=%{fetch_body_bytes}

POP3 Log

# POP3 logout format string:

# Checking: doveconf pop3_logout_format
# Written once per session at logout (see the "Disconnected: Logged out ..."
# example below). del=%d/%m shows deleted vs. total messages, which makes a
# session that wipes a mailbox stand out.

pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s

Remark

#  %i - total number of bytes read from client
#  %o - total number of bytes sent to client

#  %t - number of TOP commands
#  %p - number of bytes sent to client as a result of TOP command

#  %r - number of RETR commands
#  %b - number of bytes sent to client as a result of RETR command

#  %d - number of deleted messages
#  %m - number of messages (before deletion)

#  %s - mailbox size in bytes (before deletion)

#  %u - old/new UIDL hash. may help finding out if UIDLs changed unexpectedly

i.e.

Setting

mail_debug = no
# auth_verbose logs every failed login with username, mechanism and client IP
# (the imap-login/pop3-login lines shown above) — the signal brute-force
# detection keys on — without touching passwords.
auth_verbose = yes
auth_debug = no
# Must stay off in production: it writes submitted passwords into the log.
auth_debug_passwords = no

# connect 了但沒有 login 成功或失敗 (入了 Username 但沒有入 Password 都係呢個 log )

... pop3-login: Info: Aborted login (no auth attempts in 2 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<?>

# imap, pop3 及 smtp 的 login 失敗都是這 log

... auth-worker(3085): Info: sql(User@MyDomain,127.0.0.1): Password mismatch

# 成功 login

... pop3-login: Info: Login: user=<User@MyDomain>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=3189, secured, session=<?>

# logout 時的總結

... pop3(User@MyDomain): Info: Disconnected: Logged out top=0/0, retr=0/0, del=0/153, size=8946533

 


Cache

 

# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
# NOTE(review): while a positive entry is cached, an account that was disabled
# or removed in the SQL passdb can still log in with its unchanged password
# until the TTL expires. Run "doveadm auth cache flush" after such changes if
# the cache is enabled.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour

Sending SIGUSR2 to the auth process (dovecot-auth in v1; in v2 it is the "auth" process under the dovecot master) makes it log the number of cache hits and misses. You can use that information for tuning the cache size and TTL. To empty the cache — e.g. after disabling an account — use `doveadm auth cache flush`.

 


與 login 有關

 

Link