[Dovecot] IMAP over SSL

petsy12 at lavabit.com petsy12 at lavabit.com
Tue Nov 27 15:32:33 EET 2012 

Hello.

I've never tried Dovecot. Here is my attempt to enable IMAP over SSL
on port 993. (BTW, I don't want to use port 143 at all.)

# dovecot -n

log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imaps
listen: *:143,[::]:143
ssl_listen: *:993,[::]:993
ssl: required
ssl_cert_file: /etc/dovecot/keycert.pem
ssl_key_file: /etc/dovecot/keycert.pem
ssl_cipher_list: TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!NULL:@STRENGTH
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_privileged_group: mail
mail_location: maildir:~/Maildir
mbox_write_locks: fcntl dotlock
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd

1. Here is a snippet from dovecot.conf. Is it correct? Should I change
something? (Note that I don't want to enable IMAP on port 143.)

protocols = imaps

protocol imap {
		 listen     = *:143,[::]:143
		 ssl_listen = *:993,[::]:993
		 }

disable_plaintext_auth = yes

ssl_listen = *:993,[::]:933

ssl = required

ssl_cert_file = /etc/dovecot/keycert.pem
ssl_key_file  = /etc/dovecot/keycert.pem

ssl_cipher_list = TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!NULL:@STRENGTH

2. I don't understand the syntax connected with auth. What auth
options are enabled by default?

dovecot.conf:

No sections (e.g. namespace {}) or plugin settings are added by
default, they're listed only as examples.

Does it mean that passdb pam will use defaults (e.g. session=yes,
setrcred=yes)?

 passdb pam {
    # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
    # [cache_key=<key>] [<service name>]
    #
    # session=yes makes Dovecot open and immediately close PAM session. Some
    # PAM plugins need this to work, such as pam_mkhomedir.
    #
    # setcred=yes makes Dovecot establish PAM credentials if some PAM plugins
    # need that. They aren't ever deleted though, so this isn't enabled by
    # default.
    #
    # max_requests specifies how many PAM lookups to do in one process before
    # recreating the process. The default is 100, because many PAM plugins
    # leak memory.
    #
    # cache_key can be used to enable authentication caching for PAM
    # (auth_cache_size also needs to be set). It isn't enabled by default
    # because PAM modules can do all kinds of checks besides checking
password,
    # such as checking IP address. Dovecot can't know about these checks
    # without some help. cache_key is simply a list of variables (see
    # /usr/share/doc/dovecot-common/wiki/Variables.txt) which must match
    # for the cached data to be used.
    # Here are some examples:
    #   %u - Username must match. Probably sufficient for most uses.
    #   %u%r - Username and remote IP address must match.
    #   %u%s - Username and service (ie. IMAP, POP3) must match.
    #
    # The service name can contain variables, for example %Ls expands to
    # pop3 or imap.
    #
    # Some examples:
    #   args = session=yes %Ls
    #   args = cache_key=%u dovecot
    #args = dovecot
  }

3. Here is the output of `openssl s_client -tls1 -connect
mail.example.com:993`. Is it OK?

[snip]

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression

[snip]

Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
AUTH=PLAIN] Dovecot ready.

Also, where can I read about these options?

Any comments are appreciated.

More information about the dovecot mailing list