Dovecot

From Wikitech

Dovecot is an IMAP and POP3 server, and is used on Wikimedia's IMAP server sanger.

For instructions on how to do user/email account management, see Mail#IMAP_account_management

Dovecot can be installed from the Ubuntu dovecot-imap package, which also pulls in dovecot-common.

Configuration

The configuration file resides in /etc/dovecot/dovecot.conf. Dovecot has very reasonable defaults, so not many settings need to be changed.

Main configuration

Protocols

We only support IMAP over SSL/TLS. With this setting Dovecot listens solely on the implicit-TLS port (993) and offers no plaintext IMAP listener at all:

protocols = imaps

SSL

Dovecot needs an SSL certificate and the matching private key to support SSL. Point it at the relevant files using the settings:

ssl_cert_file = /etc/ssl/certs/wikimedia.org.pem
ssl_key_file = /etc/ssl/private/wikimedia.org.key

Dovecot reads both files as root before dropping privileges, so restrictive file permissions are not a problem. The private key should therefore stay owned by root and unreadable by any other user (mode 0600); nothing else on the host needs to read it.

Login max processes count

The default maximum number of login processes is too low for our connection volume, so raise it:

login_max_processes_count = 1024

Mail location

As all accounts are virtual users served under a single system UID, the Maildir path is derived from a template, where %d expands to the domain and %n to the local part of the login name:

mail_location = maildir:/var/vmail/%d/%n

Mail extra groups

The Ubuntu default configuration adds the group mail to the mail processes; this is not needed in our virtual-user setup, so the setting stays commented out:

#mail_extra_groups = mail

Maildir optimizations

When copying a message, do it with hard links whenever possible. This improves performance considerably and is unlikely to have side effects:

maildir_copy_with_hardlinks = yes

Mail processes

Show more verbose process titles (in ps). Currently the title shows the user name and IP address, which is useful for seeing who is actually using a given IMAP process (e.g. with shared mailboxes, or when the same uid is used for multiple accounts, as it is here):

verbose_proctitle = yes

Restrict the UIDs allowed to access mail to exactly the vmail UID, so a misconfigured userdb entry can never make Dovecot open mail as any other system user:

first_valid_uid = 107
last_valid_uid = 107

Protocol IMAP

Two plugins are loaded for quota support. The quota plugin enforces the actual quotas; imap_quota exposes quota information to clients over the IMAP QUOTA extension.

protocol imap {
  mail_plugins = quota imap_quota
}

Authentication

We use the PLAIN authentication mechanism with an SQLite password database. PLAIN sends the password unhashed within the session, which is acceptable only because protocols = imaps wraps every session in TLS. We could use the static userdb mapping if it weren't for per-user quota support; instead we (ab)use SQL to return the constant uid/gid alongside the quota (see below).

auth default {
  mechanisms = plain

  passdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
  userdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
  ...

The authentication process, which reads the password database, should run under its own uid rather than as root or vmail. The account dovecot-auth has been created for this purpose:

# adduser --system --home /var/run/dovecot --no-create-home --ingroup vmail --disabled-password --disabled-login dovecot-auth
  ...
  user = dovecot-auth
}

SQL configuration

Details of SQL queries are specified in the file /etc/dovecot/dovecot-sql.conf.

We're using SQLite:

driver = sqlite
connect = /var/vmaildb/user.db

The default password hashing scheme is SSHA (salted SHA-1), which applies when a stored password carries no explicit {SCHEME} prefix:

default_pass_scheme = SSHA

To obtain the stored password for a given login name, the following SQL query is used (%n is the local part, %d the domain):

password_query = SELECT localpart||'@'||domain AS user, password FROM account WHERE localpart='%n' AND domain='%d'

Dovecot SQL-escapes the %-variables before substituting them into the query, and the characters accepted in a login name are restricted by auth_username_chars in the main configuration file, so the literal quoting above is safe.

The user database query is only needed because of the quota field; uid and gid are constants matching first_valid_uid/last_valid_uid:

user_query = SELECT '107' AS uid, '112' AS gid, 'maildir:ignore=Trash:storage='||quota AS quota FROM account WHERE localpart='%n' AND domain='%d'
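The following is an added example, not configuration or code from this page or from Dovecot, that exercises the SQL section end to end: it builds a throw-away SQLite database with the account table the two queries above imply, hashes passwords with the SSHA scheme (base64 of SHA-1(password || salt) || salt, stored without a {SSHA} prefix since default_pass_scheme supplies it), and runs the page's password_query and user_query the way Dovecot would. The username character whitelist and the single-quote doubling are this example's own reimplementation of the two protections mentioned above (the whitelist is Dovecot's documented auth_username_chars default; the quote doubling is what SQLite's string syntax requires); the table columns, sample rows and quota values are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import sqlite3

# The two queries exactly as configured in /etc/dovecot/dovecot-sql.conf above.
PASSWORD_QUERY = ("SELECT localpart||'@'||domain AS user, password FROM account "
                  "WHERE localpart='%n' AND domain='%d'")
USER_QUERY = ("SELECT '107' AS uid, '112' AS gid, "
              "'maildir:ignore=Trash:storage='||quota AS quota FROM account "
              "WHERE localpart='%n' AND domain='%d'")

# Dovecot's default auth_username_chars; a login name containing anything
# else is rejected before any query is built.
AUTH_USERNAME_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@")


def ssha_hash(password, salt=None):
    """SSHA scheme: base64(SHA-1(password || salt) || salt), no {SSHA} prefix."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Recover the salt from the stored value, rehash and compare in constant time."""
    raw = base64.b64decode(stored)
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def split_user(user):
    """%n and %d: the parts before and after the first '@' (empty domain if none)."""
    localpart, _, domain = user.partition("@")
    return localpart, domain


def sql_escape(value):
    """Example's own escaping for SQLite string literals: double each single quote."""
    return value.replace("'", "''")


def expand_query(template, user):
    """Whitelist the login name, then substitute escaped %n/%d into the query."""
    bad = set(user) - AUTH_USERNAME_CHARS
    if bad:
        raise ValueError("disallowed characters in username: %r" % sorted(bad))
    localpart, domain = split_user(user)
    return (template.replace("%n", sql_escape(localpart))
                    .replace("%d", sql_escape(domain)))


def rejects_username(user):
    """True if the whitelist refuses this login name outright."""
    try:
        expand_query(PASSWORD_QUERY, user)
    except ValueError:
        return True
    return False


def make_db():
    """In-memory stand-in for /var/vmaildb/user.db with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (localpart TEXT, domain TEXT, "
                 "password TEXT, quota TEXT)")
    conn.executemany("INSERT INTO account VALUES (?, ?, ?, ?)", [
        ("alice", "example.org", ssha_hash("s3cret"), "1048576"),
        ("bob", "example.org", ssha_hash("hunter2"), "524288"),
    ])
    return conn


def lookup_password(conn, user):
    """passdb lookup: returns the canonical user and stored hash, or None."""
    row = conn.execute(expand_query(PASSWORD_QUERY, user)).fetchone()
    return None if row is None else {"user": row[0], "password": row[1]}


def lookup_user(conn, user):
    """userdb lookup: constant uid/gid plus the per-user quota rule, or None."""
    row = conn.execute(expand_query(USER_QUERY, user)).fetchone()
    return None if row is None else {"uid": row[0], "gid": row[1], "quota": row[2]}


def authenticate(conn, user, password):
    """What the PLAIN mechanism needs: find the row, then verify the SSHA hash."""
    entry = lookup_password(conn, user)
    return entry is not None and ssha_verify(password, entry["password"])


if __name__ == "__main__":
    db = make_db()
    print("alice ok:", authenticate(db, "alice@example.org", "s3cret"))
    print("alice quota:", lookup_user(db, "alice@example.org"))
    print("injection attempt rejected:",
          rejects_username("alice' OR '1'='1@example.org"))
```

Note that the quote doubling in sql_escape never actually runs for a whitelisted name, since ' is outside the allowed set; it is the second layer for the case where auth_username_chars has been widened.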

See also

  • Mail for Dovecot LDA configuration, and the rest of the mail system.

External documentation