
Configuring Dovecot with IndiMail

IndiMail stores its virtual user information in MySQL. However, IndiMail can work with virtually any IMAP/POP3 server that can authenticate through PAM and can use the system's passwd database to find a user's home directory. This is because IndiMail provides a PAM module and an NSS service, both described below. The beauty of providing both PAM and NSS is that you do not have to modify a single line of code anywhere. In this respect, IndiMail is probably the most flexible messaging server available at the moment.

Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written with security primarily in mind. Dovecot is an excellent choice for both small and large installations. It's fast, simple to set up, requires no special administration and it uses very little memory. Though I do not use dovecot, I have heard excellent reviews from users about dovecot. It took me less than 20 minutes to download dovecot today and have it working with IndiMail with all existing mails intact and accessible. So at the moment, my IndiMail installation is working with both courier-imap and dovecot simultaneously (with different IMAP/POP3 ports assigned to courier-imap and dovecot).

Like most IMAP/POP3 servers, dovecot is configurable: it can use multiple methods to authenticate users and to obtain other information about them, such as home directory and user id.

IndiMail provides pam-multi(8) as a flexible Password Authentication Module. To supply the userdb information through the standard passwd mechanism, IndiMail provides the pwdlookup service. The pwdlookup service uses the nssd(8) daemon, which provides a Name Service Switch (NSS) source. NSS is the mechanism by which the standard functions that look into /etc/passwd and /etc/shadow can be extended to look into external sources. nssd presents IndiMail's database as an alternate UNIX configuration database for /etc/passwd, /etc/shadow and /etc/group. This additional source is enabled by adding 'nssd' to the passwd line in /etc/nsswitch.conf:

% grep passwd /etc/nsswitch.conf
#passwd: db files nisplus nis
passwd: files nssd


pam-multi together with the pwdlookup service makes it easy to have dovecot work with IndiMail without modifying a single line of dovecot's code. You just need to configure 3 additional config files: /var/indimail/etc/nssd.conf, /etc/pam.d/pam-multi and /etc/dovecot.conf. Here is what is required:

File /var/indimail/etc/nssd.conf

getpwnam SELECT pw_name,'x',555,555,pw_gecos,pw_dir,pw_shell \
FROM indimail \
WHERE pw_name='%1$s' and pw_domain='%2$s' \
LIMIT 1
getspnam SELECT pw_name,pw_passwd,'1','0','99999','0','0','-1','0' \
FROM indimail \
WHERE pw_name='%1$s' and pw_domain='%2$s' \
LIMIT 1
getpwent SELECT pw_name,'x',555,555,pw_gecos,pw_dir,pw_shell \
FROM indimail LIMIT 100
getspent SELECT pw_name,pw_passwd,'1','0','99999','0','0','-1','0' \
FROM indimail

host localhost
database indimail
username indimail
password ssh-1.5-
socket /tmp/mysql.sock
pidfile /tmp/nsvsd.pid
threads 5
timeout -1
facility daemon
priority err

File /etc/pam.d/pam-multi

#
# auth required pam-multi.so args -s /var/indimail/modules/iauth.so -d
# account required pam-multi.so args -s /var/indimail/modules/iauth.so -d
#
auth required pam-multi.so args -s /var/indimail/modules/iauth.so
account required pam-multi.so args -s /var/indimail/modules/iauth.so
#pam_selinux.so close should be the first session rule
session required pam_selinux.so close
#pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke


The above is for Fedora. You may have to change the configuration for your OS; consult your OS's PAM documentation.

If you installed IndiMail from the RPM, the pwdlookup service is already configured and running. Ensure that the pwdlookup service is running:

% sudo /var/indimail/bin/svstat /service/pwdlookup
/service/pwdlookup/: up (pid 8397) 1091 seconds


To improve passwd lookup performance, you may want to start the nscd(8) daemon.

% /etc/init.d/nscd start
Starting nscd: [ OK ]


Finally, dovecot needs the following configuration.
File /etc/dovecot.conf

# User to use for the login process. Create a completely new user for this,
# and don't use it anywhere else. The user must also belong to a group where
# only it has access, it's used to control access for authentication process.
# Note that this user is NOT used to access mails.
login_user = qmaill

#
mail_location = maildir:~/Maildir

# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names.
mail_uid = 555
mail_gid = 555


passdb pam {
# PAM authentication. Preferred nowadays by most systems.
# Note that PAM can only be used to verify if user's password is correct,
# so it can't be used as userdb. If you don't want to use a separate user
# database (passwd usually), you can use static userdb.
# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
# authentication to actually work.

# [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=]
# [cache_key=] []
args = session=yes pam-multi
}


Start (or restart) dovecot, and your users should be able to access their Maildirs through dovecot over POP3, IMAP, POP3S or IMAPS.

Note: IndiMail's pam-multi is installed in /lib/security, lib64/security or /usr/lib/pam depending on your OS.

If you installed IndiMail from source, you will also need to install pam-multi and nssd from
https://sourceforge.net/projects/indimail/files/mailpack/mailpack-1.1
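
A pre-flight check for the three files configured above, to run before restarting dovecot. This is an added example, not code from IndiMail or Dovecot; the function names and the --audit switch are made up for illustration, and the permission check assumes only the nssd daemon needs to read nssd.conf.

```shell
#!/bin/sh
# Added example (not IndiMail or Dovecot code): static checks on the files
# configured above. Paths are arguments so copies can be checked too.

# passwd line must list nssd after files (the order shown on this page), so
# local accounts still resolve from /etc/passwd first.
check_nsswitch() {
    grep -Eq '^[[:space:]]*passwd:(.*[[:space:]])?files([[:space:]].*)?[[:space:]]nssd([[:space:]]|$)' "$1"
}

# nssd.conf holds the MySQL password in clear text: fail if "other" can read it.
check_nssd_conf_mode() {
    [ -f "$1" ] && [ -z "$(find "$1" -prune -perm -004)" ]
}

# PAM service named by "args" in Dovecot's "passdb pam { }" block. Without a
# service word Dovecot uses /etc/pam.d/dovecot, as its own comment says.
pam_service() {
    awk '/^[ \t]*passdb[ \t]+pam[ \t]*[{]/ { in_pam = 1; next }
         in_pam && /^[ \t]*[}]/ { exit }
         in_pam && /^[ \t]*args[ \t]*=/ {
             svc = ($NF ~ /=/) ? "dovecot" : $NF; exit }
         END { if (in_pam) print (svc == "" ? "dovecot" : svc) }' "$1"
}

# The service file needs active (uncommented) auth and account lines.
check_pam_stack() {   # $1 = pam.d directory, $2 = service name
    [ -n "$2" ] && [ -r "$1/$2" ] || return 1
    for kind in auth account; do
        grep -Eq "^[[:space:]]*$kind[[:space:]]+[^#]*pam-multi\.so" "$1/$2" || return 1
    done
}

audit() {   # defaults are the paths used on this page
    ns=${1:-/etc/nsswitch.conf} nc=${2:-/var/indimail/etc/nssd.conf}
    pd=${3:-/etc/pam.d} dc=${4:-/etc/dovecot.conf} rc=0
    check_nsswitch "$ns" || { echo "FAIL $ns: passwd line lacks 'files ... nssd'"; rc=1; }
    check_nssd_conf_mode "$nc" || { echo "FAIL $nc: missing or world-readable"; rc=1; }
    svc=$(pam_service "$dc")
    check_pam_stack "$pd" "$svc" ||
        { echo "FAIL $pd/$svc: no active auth/account line for pam-multi.so"; rc=1; }
    return $rc
}

# Run as: sh audit.sh --audit [nsswitch.conf nssd.conf pam.d-dir dovecot.conf]
if [ "${1:-}" = "--audit" ]; then shift; audit "$@"; fi
```

A mismatch between the service word in dovecot.conf and the file name under /etc/pam.d is the failure this catches most usefully: dovecot then authenticates against a different PAM stack than the one configured for pam-multi.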