Raspberry Pi Email Server Part 2: Dovecot

Dovecot Logo

This is the second part of a five part tutorial that will show you how to install a full featured email server on your Raspberry Pi. This tutorial covers Dovecot, which provides SASL authentication and IMAP capabilities. The parts are:

The Introduction & Contents Page (read first)
Raspberry Pi Email Server Part 1: Postfix
Raspberry Pi Email Server Part 2: Dovecot
Raspberry Pi Email Server Part 3: Squirrelmail
Raspberry Pi Email Server Part 4: Spam Detection with Spamassassin
Raspberry Pi Email Server Part 5: Spam Sorting with LMTP & Sieve

Fixing the errors that appeared during dovecot installation

In part 1, when you installed Dovecot I mentioned that you might see some errors like this:

Creating config file /etc/dovecot/conf.d/20-imap.conf with new version
[....] Restarting IMAP/POP3 mail server: dovecotError: socket() failed: Address family not supported by protocol
Error: service(imap-login): listen(::, 143) failed: Address family not supported by protocol
Error: socket() failed: Address family not supported by protocol
Error: service(imap-login): listen(::, 993) failed: Address family not supported by protocol
Fatal: Failed to start listeners
 failed!
invoke-rc.d: initscript dovecot, action "restart" failed.
dpkg: error processing dovecot-imapd (--configure):
 subprocess installed post-installation script returned error exit status 1
Setting up dovecot-ldap (1:2.1.7-7) ...

These errors are caused by the lack of IPv6 support, which I mentioned in the previous tutorial. To remove the errors, open the main dovecot configuration file (/etc/dovecot/dovecot.conf) and find this line:

listen = *, ::

And change it to:

listen = *

The * means “all IPv4 addresses”, the :: means “all IPv6 addresses”. Now restart Dovecot, and you shouldn’t get any errors:

sudo service dovecot restart

Note: since I wrote this tutorial, there have been a few small changes to the default configuration file - you may find that the line is commented (with a # at the start of the line). If so, remember to uncomment it when you make your changes!

Tell Dovecot where your Mailbox is

Open /etc/dovecot/conf.d/10-mail.conf and find this line:

mail_location = mbox:~/mail:INBOX=/var/mail/%u

Change it to this:

mail_location = maildir:~/Maildir

Instruct Postfix to use Dovecot SASL

Now we need to tell Postfix that we would like to use Dovecot for SASL authentication. Open /etc/postfix/main.cf and add these lines:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

Now tell Dovecot to listen for SASL authentication requests from Postfix. Open /etc/dovecot/conf.d/10-master.conf and comment out the current block that begins with service auth (place a # at the start of each line). Replace it with this:

service auth {
        unix_listener /var/spool/postfix/private/auth {
                mode = 0660
                user = postfix
                group = postfix
        }
}

Now you want to enable plain text logins. Do it by adding these two lines to /etc/dovecot/conf.d/10-auth.conf. Make sure they are not already present in the file, or your settings may be overwritten with the default ones if the default is declared later in the file than the lines you add. If the parameters are already present, you can either modify the existing lines or comment them out and add these new ones:

disable_plaintext_auth = no
auth_mechanisms = plain login

Note that although the logins are in plain text, we will be setting Postfix up later so that it only allows you to use plaintext logins from within SSL/TLS. This means that your login and password will sent in an encrypted session - you wouldn't see them in plain text if you used a packet sniffer, for example. For now, we’re allowing unencrypted plain text logins so that we can test logging in with Telnet. Since the connection is local (from the Pi to the Pi), your password isn’t being sent over any insecure networks so this is fine.

Testing SASL

Creating a new user for testing purposes is a good idea. Let’s call this temporary user testmail and give it the password test1234 Use this command to add the user, and follow the prompts including setting a password.

sudo adduser testmail

Now restart Postfix and Dovecot:

sudo service postfix restart
sudo service dovecot restart

We’re now going to try and send an email after authenticating with SASL. The server is expecting to see a base64 encoded version of your username and password, so we have to convert it first. There are three ways of doing this, so I've given examples below using the testmail username and test1234 password:

#Method No.1
echo -ne '\000testmail\000test1234' | openssl base64

#Method No.2
perl -MMIME::Base64 -e 'print encode_base64("\0testmail\0test1234");'

#Method No.3
printf '\0%s\0%s' 'testmail' 'test1234' | openssl base64

I have discovered that if your password starts with a number, methods 1 and 2 don’t work. Assuming the username and password are testmail and test1234, the commands produce this:

AHRlc3RtYWlsAHRlc3QxMjM0

WARNING: If you’re having problems with authentication and you paste examples to forums or mailing lists, be aware that it is really easy to convert this back into your username and password (hence the creation of a test user). If you're using your real username and password to test, redact it before posting!

Now, still logged into the Pi via SSH, you can telnet port 25 to test whether or not SASL is working. There’s only one extra step, which is the AUTH PLAIN command that comes after ehlo but before mail from. For testing, the permit_mynetworks parameter should be commented out under your postfix smtpd_recipient_restrictions block in /etc/postfix/main.cf. If you’re following on from Raspberry Pi Email Server Part 1: Postfix then this should already be the case. If you have to change it, remember to reload postfix (sudo service postfix reload) after you change the value. Here’s an example:

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 samhobbs ESMTP Postfix (Debian/GNU)
ehlo facebook.com
250-samhobbs
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN AHRlc3RtYWlsAHRlc3QxMjM0
235 2.7.0 Authentication successful
mail from:testmail
250 2.1.0 Ok
rcpt to:me@externalemail.com
250 2.1.5 Ok
data
354 End data with .
Subject: This is my first email that has been authenticated with Dovecot SASL
Woop woop
.
250 2.0.0 Ok: queued as B87133F768
quit
221 2.0.0 Bye
Connection closed by foreign host.

Now try again but enter the username/password incorrectly (base64 encode something random) – you should get an error message and the email won’t send. If everything went to plan, then SASL is working properly!

You can now uncomment permit_mynetworks again.

Separating Incoming email (unauthenticated) from Outgoing Email (SASL authenticated)

It’s probably a good idea to have a dedicated port for sending outgoing email…here’s why: Port 25 doesn’t require (but does offer) SSL/TLS encryption. If you mess up configuring your mail client you could end up letting it authenticate with SASL over insecure connections. Using a different port that only accepts SSL/TLS connections removes the risk that a poorly configured email client could be sending your password unencrypted over dodgy networks. There are two ports you can use for this:

  1. 465: SMTP over SSL
  2. 587: Email submission

587 is the “official” port for email clients (like K9 mail, Thunderbird and Outlook) to use when submitting messages to the Mail Submission Agent (your email server) – the submission may be encrypted or unencrypted depending on the server configuration. 465 was a port that was assigned for SMTP with SSL/TLS before the STARTTLS protocol was introduced, back in the days when you chose your port and that decided on the type of connection you were going to get (encrypted or unencrypted).

STARTTLS changed things because it allows you to connect with an unencrypted connection (like the one you get with Telnet), and then upgrade to an encrypted connection without changing port… so when STARTTLS was introduced, SMTPS on port 465 was removed from the standard because you could do the same thing with a single port (25).

However, I think there is some value in specifying a port for submission that only accepts SSL/TLS encrypted connections, and won’t work if the connection isn’t encrypted. This means that if you misconfigure your email client it just won’t work, instead of working and sending your password in an unencrypted format. So, anyway… Here’s how to set up Postfix to listen on port 465 for encrypted connections. The first step is telling Postfix to listen on port 465, so open /etc/postfix/master.cf and uncomment the line:

smtps     inet  n       -       -       -       -       smtpd

Now restart Postfix:

sudo service postfix restart

Test whether Postfix is listening on port 465:

telnet localhost 465
Trying 127.0.0.1...                                                                           
Connected to localhost.                                                                       
Escape character is '^]'.
220 samhobbs.co.uk ESMTP Postfix (Debian/GNU)
ehlo samhobbs.co.uk
250-samhobbs
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

OK, so now it’s listening on the right port, but it’s allowing unencrypted connections. Here’s how you force TLS on port 465: open /etc/postfix/master.cf and find the line you uncommented earlier. Below it are some options, you want to edit them so that they look like this (i.e. uncomment lines 2 and 3):

smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes

Line 3 is forcing TLS on port 465, and line 2 means that connections to port 465 have a different label in the logs, which can be useful for debugging.

sudo service postfix restart

Now try connecting with Telnet again… you should be able to establish a connection, but not receive any prompts from the server:

telnet localhost 465                                            
Trying 127.0.0.1...                                                                           
Connected to localhost.
Escape character is '^]'.
exit
exit
Connection closed by foreign host.

Now try openssl:

openssl s_client -connect localhost:465 -quiet
depth=0 CN = samhobbs
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = samhobbs
verify return:1
220 samhobbs.co.uk ESMTP Postfix (Debian/GNU)
quit
221 2.0.0 Bye

Good: we are able to start a TLS encrypted connection. We got some errors because the certificate is self-signed (it's not signed by a certificate that is in the trusted root store on the server) but this is OK because we're just using the certificate for testing for now. When you come back later to set up a proper certificate, you can use this command to verify it. The -CApath option tells openssl where the trusted certificates are stored on your system:

openssl s_client -connect localhost:465 -quiet -CApath /etc/ssl/certs

Successful validation looks something like this:

sam@samhobbs:~$ openssl s_client -connect localhost:465 -quiet -CApath /etc/ssl/certs
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1                                                                              
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1                                                                              
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1                                                                              
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = samhobbs.co.uk                 
verify return:1                                                                              
220 samhobbs.co.uk ESMTP Postfix (Ubuntu)                                                    
quit                                                                                         
221 2.0.0 Bye

There are a couple more changes we want to make here: first, tell Postfix to only advertise SASL authentication over encrypted connections (so that you don’t accidentally send your password in the clear). Open /etc/postfix/main.cf and add this line:

smtpd_tls_auth_only = yes
sudo service postfix reload

Now connect to port 25 and you shouldn’t see AUTH advertised:

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 samhobbs.co.uk ESMTP Postfix (Debian/GNU)
ehlo samhobbs.co.uk
250-samhobbs.co.uk
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Lastly, we want to override the smtp_recipient_restrictions for port 465 so that it doesn't accept incoming messages from unauthenticated users.

At first, I didn't make this change and I noticed that some spam emails were coming in on port 465 and bypassing my spam filter, which I configured to scan all incoming email on port 25, but not 465 because I only expected it to be used for outgoing email. We can do this by overriding the smtp_recipient_restrictions list for port 465 in /etc/postfix/master.cf. Open master.cf and find the smtps line. Add a new recipient restrictions list option like this:

smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

Now reload postfix:

sudo service postfix reload

Perfect! Postfix configuration is now complete.

Testing IMAP

There are two main protocols for fetching mail: POP and IMAP. The main difference between them is what they do with emails when they collect them: a POP client will fetch email from your server and remove it from the server when it’s done. This is inconvenient if you want to connect with two or more devices (like a phone and a computer) and have complete copies of all your emails on both. IMAP, on the other hand, makes a copy of the emails on the server and leaves the originals there. For this reason, I think IMAP is much more useful than POP and I didn’t even bother to set up POP on my server. We can now test the IMAP server with Telnet in a similar way to SMTP & SASL testing earlier. This time, we’ll be using port 143, the standard port for IMAP. The stages are:

  1. establish a connection with telnet localhost 143
  2. log in with a login "USERNAME" "PASSWORD"" (not base64 encoded this time)
  3. select inbox to see messages inside b select inbox
  4. logout with c logout

In case you're wondering, the "a b c" thing is done because a client can send multiple commands to the server at once, and they might not come back in the same order depending on what they are. So, the responses have the same letter as the commands they are responding to so that the client doesn't get muddled.

Here’s an example, using the testmail user we created earlier:

telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a login "testmail" "test1234"
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE] Logged in
b select inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 1 EXISTS
* 0 RECENT
* OK [UNSEEN 1] First unseen.
* OK [UIDVALIDITY 1385217480] UIDs valid
* OK [UIDNEXT 2] Predicted next UID
* OK [NOMODSEQ] No permanent modsequences
b OK [READ-WRITE] Select completed.
c logout
* BYE Logging out
c OK Logout completed.
Connection closed by foreign host.

Adding TLS support

Now that we know IMAP is working, we need to enable IMAPS (imap with SSL/TLS). The standard port for this is 993.

Many other tutorials that were written for older versions of dovecot will tell you to do this in different ways that won’t work, I tried 3 different methods before I ended up with a working one.

First, edit /etc/dovecot/conf.d/10-master.conf, find the “service imap-login” block and uncomment the port and SSL lines so that it looks like this:

service imap-login {
  inet_listener imap {
    port = 143
  } 
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

Edit 14/10/2015: the default dovecot configuration files changed recently after Jessie became the new stable distribution of Debian, which caused some users problems; TLS on port 993 used to be enabled by default but now it isn't. We need to re-enable it.

In /etc/dovecot/conf.d/10-ssl.conf, find ssl = no and change it to:

ssl = yes

There have been some security vulnerabilities discovered in older versions of the SSL protocol in recent times. SSLv2 is disabled by default, but it doesn't harm to explicitly disable it again. SSLv3 is vulnerable to an attack called POODLE, so we will disable it too. In the same file, find the ssl_protocols parameter line, uncomment it and add !SSLv3 to the end, like this:

ssl_protocols = !SSLv2 !SSLv3

Edit 02/09/2017: if you're using Debian Stretch or later, or one of its derivatives, then you will need to edit that line to match the following. The SSLv2 option is no longer recognised as an option for ssl_protocols because it has been removed entirely:

ssl_protocols = !SSLv3

For some bizarre reason, the Dovecot package for Raspberry Pi (and possibly newer versions of Ubuntu) does not create a self-signed certificate during installation like it used to. So, we have to create one manually. If you look in /usr/share/dovecot/ you will find the script that used to be used to generate the certificate; we can use it ourselves to simplify the process.

The script is located at /usr/share/dovecot/mkcert.sh and looks like this:

#!/bin/sh

# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.

OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/ssl}
OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}

CERTDIR=/etc/dovecot
KEYDIR=/etc/dovecot/private

CERTFILE=$CERTDIR/dovecot.pem
KEYFILE=$KEYDIR/dovecot.pem

if [ ! -d $CERTDIR ]; then
  echo "$SSLDIR/certs directory doesn't exist"
  exit 1
fi

if [ ! -d $KEYDIR ]; then
  echo "$SSLDIR/private directory doesn't exist"
  exit 1
fi

if [ -f $CERTFILE ]; then
  echo "$CERTFILE already exists, won't overwrite"
  exit 1
fi

if [ -f $KEYFILE ]; then
  echo "$KEYFILE already exists, won't overwrite"
  exit 1
fi

$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
chmod 0600 $KEYFILE
echo 
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2

If you were going to use this certificate for any significant length of time, it would be worth editing the parameters in the config file it uses (/usr/share/dovecot/dovecot-openssl.cnf) to set the proper common name and contact details on the certificate. However, I suggest you leave the defaults as they are, use this certificate just for testing, and then come back later and generate a new cert when everything is working (more on that later).

You must be in the same folder as the configuration file when you run the script, or it will not find the config and the certificate generation will fail. The following two commands will change to the right folder and then execute the script:

cd /usr/share/dovecot
sudo ./mkcert.sh

You should see a message "writing new private key to '/etc/dovecot/private/dovecot.pem'" and then some details about the certificate.

Next, find the following two lines in /etc/dovecot/conf.d/10-ssl.conf and uncomment them:

#ssl_cert = </etc/dovecot/dovecot.pem
#ssl_key = </etc/dovecot/private/dovecot.pem

Now reload dovecot to apply the changes:

sudo service dovecot reload

Since IMAPS is a connection over SSL/TLS, we can’t use Telnet to test it. Instead, we use openssl to create a secure connection. There are two versions of the command, one will show you LOADS of information about the certificate used to encrypt the connection, and the other will suppress this info. I recommend trying the long version out of interest, but both will work the same for the test:

For full information:

openssl s_client -connect localhost:993

For minimal information:

openssl s_client -connect localhost:993 -quiet

I won’t print the output of the first command, because it’s ridiculously long. Here’s an example of the second, including a login test:

admin@samhobbs /etc/dovecot/conf.d $ openssl s_client -connect localhost:993 -quiet
depth=0 O = Dovecot mail server, OU = samhobbs, CN = samhobbs, emailAddress = root@samhobbs.co.uk
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Dovecot mail server, OU = samhobbs, CN = samhobbs, emailAddress = root@samhobbs.co.uk
verify return:1
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a login "testmail" "test1234"
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE] Logged in
b logout
* BYE Logging out
b OK Logout completed.
Connection closed by foreign host.

Good stuff: SSL/TLS is working on port 993, and you can log in successfully.

Note that by default Dovecot uses a “snakeoil” self-signed certificate. SSL/TLS certificates are used for two purposes: encryption and verification. The “snakeoil” certificate will encrypt your content but it won’t verify that you’re talking to your server – you could be talking to someone imitating your server (anyone can create a self-signed certificate claiming to be any website).

If you’d like to get your certificate signed without forking out loads of money to a cert signing authority, I’d recommend CAcert. I've written a tutorial explaining how to generate your own cert and get it signed here. If you opt for a commercial certificate, you can use the CAcert tutorial to generate the certificate and then this tutorial will explain the differences in the installation/configuration of commercial certificates once you have it signed.

If you're testing a proper certificate, use this command to tell openssl where the trusted root certificates are stored:

openssl s_client -connect localhost:993 -quiet -CApath /etc/ssl/certs

Tidying up and enabling WAN access

Before opening the ports on your router to the world, it’s a good idea to delete that test user because the password is so easy to guess.

sudo userdel testmail

Also, if you still use the "pi" login, for goodness' sake change the password from "raspberry"! You can do this using the passwd command when logged in as pi:

passwd

Or you can achieve the same thing when logged in as another user by using sudo to gain root privileges:

sudo passwd pi

Now you can open a few ports on your router’s firewall. Make sure your Pi has a static LAN IP address and then forward these ports from WAN to its LAN IP address:

  • Port 25 for SMTP (used for receiving emails)
  • Port 465 for secure SMTP (used for sending emails after SASL authentication)
  • Port 993 for IMAPS (used to receive emails on your phone/tablet/computer)

Here’s an example on my router, running OpenWrt:

openwrt-port-forwards-raspberry-pi-email-server.png

Setting up IMAP Email Clients

I’m now going to run through setting up IMAP email clients quickly, using K9 Mail on Android and Thunderbird on GNU/Linux as examples. The setup for Thunderbird on Windows and Mac OSX should be very similar.

The basics are this:

  • Select an IMAP connection
  • Your login is your username only (omit @yourdomain.com), and you password is…your password!
  • For incoming emails: select use SSL/TLS always and the program should automatically select port 993
  • For outgoing emails: select SSL/TLS always. The program may suggest port 587, but you want port 465

K9 Mail

Open K9 Mail and select add new account. Type in your account information (you@yourdomain.com and password) and then select manual setup. Select IMAP and then enter your information as follows…

Incoming email:

K9 Incoming Email Settings

Outgoing email:

K9 Outgoing Email Settings

Thunderbird

Open Thunderbird, and then click Account Actions –> Add Mail Account.

Fill in your password and email address, which is your username followed by your fully qualified domain name (FQDN), i.e. username@yourdomain.com:

Thunderbird Step 1: Mail Account Setup

Thunderbird will try to auto-detect settings and fail. Don’t worry, this is normal. Select “manual config”:

 Thunderbird Step 2: TB will try to autodetect settings, and fail. Select “Manual Config"

Now edit the settings as appropriate. I had to remove a period (.) from in front of my “server hostname”, and edit the SSL and Authentication settings. If you select “SSL/TLS” for both incoming and outgoing, ports 993 and 465 are automatically selected:

Thunderbird Step 3: Edit the settings so that they match these (but change them to match your username and domain name!)

Now try emailing yourself from your external email address, and see if your email gets through. If you are having problems, be sure to check you’ve set up an MX record as well as a DNS A record.

Stuck in spam filters?

A few people have contacted me recently to say that their email server is working fine but their emails are getting sent to Gmail's spam folder.

If you are experiencing problems like this (or even if you're not), try setting up an SPF and/or PTR record as explained in my DNS basics tutorial.

You might also want to check if your domain name or IP address are on any blacklists. There's a handy website called MX toolbox that lets you do this (choose blacklist check from the dropdown menu).

Almost done…

Good news! If you’ve reached this far and everything is working, then you’re almost done. The next step (Webmail with Squirrelmail) is optional but by far the easiest of the three steps.

If you’ve hit a rut, please post a comment and I’ll try and help you out.

If not… continue to Raspberry Pi Email Server Part 3: Squirrelmail

Type: 

Comments

Hi Sam,

Neither myself or none of my users can send attachments larger than 2MB. I've checked postfix main.cf and ensured the message_size_limit=10240000 which is 10MB.

In a previous post you also told me to make changes in the php.ini file, but I cannot find such a file. Searching google they suggest the /etc directory, but also nothing there...

Any ideas?

Regards,

Jo

Hi Sam,

Sorry, my brain is not functioning again...It was the 'old' I'm inside my LAN and can't use the domain name...have to use ip from inside...

Once I realised that it was fine.

Hopefully I'll be able to move to Plusnet or someone where I can access the hosts file...

Thanks anyway for your reply.

Regards,

Jo

Hi Sam,
Yesterday I sent you a mail. I find out the problem and fix it. I miss to set up a right instruction-"mail_location = maildir:~/Maildir." It's why this time I re-settup it will make permission request to me. I refer to all the guest replies and get the solution. This places are so nice to leave feedbacks to track possible matters. Really appreciate to you. But, I am still not sure to setup "visudo" properly. Now, I make the same privilege as root. Is it just this? Do you have a "visudo" for reference? Thank you very much.

I was getting authentication failures after the AUTH PLAIN xxxx statement after 'ehlo' when using the hash for testmail and test1234. After creating the user testmail and getting the failure I rebooted and double checked everything (I think) but to no avail. When I created the hash for my other users it worked fine. However, when I changed testmail's password to Test1234567 it worked fine. I wondered if some newer password requirements might have been at work as my other users had relatively strong passwords. I'm new to this and could easily be overlooking something but I wanted to share my solution. Thanks for the tutorials!

I've followed your great instructions, first time I've ever managed to get Dovecot to work at all!

However, I have a problem setting up OS/X mail clients to use the result.

First off, even when set to “External (TLS Client Certificate)" I am seeing:

Apr 6 09:13:10 nightowl dovecot: imap-login: Login: user=, method=PLAIN, rip=192.168.1.36, lip=82.152.120.34, mpid=3044, TLS, session=

OK, it seems to log in, but why method=PLAIN? Incidentally, it only works if I select the “Automatically detect and maintain account settings” option.

More of a problem is inability to actually sync with mail on the server - the client alway says "no new mail".

I *think* this is an "IMAP path prefix" problem, but having tried all the likely options (/, maildir, ~maildir, INBOX) I'm getting nothing.

Should I swap the dovecot mail_location from maildir:~Maildir to (say) mbox:~/mail:INBOX=/var/mail/%u

- I think the latter is what the pre-existing PoP server used (mbox files in /var/mail).

Hi Keith,

Glad you've made some progress. You can't log in with a client certificate because we haven't issued any client certificates! That's when the client sends a cert to the server to authenticate instead of using a username/pw.

We are expecting your client to log in with AUTH PLAIN or LOGIN. AUTH PLAIN is similar to what we did for testing Postfix with the base64 encoded username and pw in one string; LOGIN is when the username and password are sent separately. Either is fine, since the pw is sent within a TLS encrypted session.

No, you should leave mail_location as we set it otherwise Dovecot won't look for mail in your ~/Maildir.

Might be a dumb question, but is there supposed to be any mail in the mailbox? Have you sent a test email from an external email server? What do the logs show when your server receives this message?

I don't know what you mean about imap path prefix, can you explain? You shouldn't have to change any of the Dovecot settings just so that one specific email client can connect to the server - is it a client side configuration option?

Sam

Yes, I thought the login issue was certificate-related. No worries.

There certainly is mail delivered to my $home/Maildir/new directory. I'm migrating from a simple PoP setup using popa3d, so swapping Postfix main and master.cf, restarting postfix, stopping popa3d and starting dovecot. All works fine: outbound mail from the client application is correct, and inbound mail is delivered to the above directory.

Incidentally, it doesn't seem to matter if I use 143 or 993 for IMAP. Both work.

BTW, Dovecot now has the dovecot.pem certs pre-installed, no need to use your mkcert.sh

"IMAP Path Prefix" is a setting in the OS/X mail client. There are a slew of suggestions on what it should be, but of course all of them are concerned with setting up to use the likes of Gmail, etc. I actually have a GMail account set up, and that has no path prefix, but of course who knows how Google's IMAP is set up?

Of course, it's actually Postfix that would need to be changed - the default config doesn't specify a home_mailbox setting, and it delivers to /var/mail/. Your setup changes this to home-mailbox = Maildir/

I guess Dovecot would need to point to the same place if I changed this.

Actually, that's an easy test, as I already have delivery going to /var/mail in the existing postfix setup.

Hmm, I now get:

Apr 6 13:35:24 nightowl dovecot: imap(koborn): Error: file_dotlock_create(/var/mail/koborn) failed: Permission denied (euid=1002(koborn) egid=1005(koborn) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775) (set mail_privileged_group=mail)

*That* is easier to understand and fix!

This now works as far as I can see, and syncs with both OS/X mail and an Android phone account (I am agnostic ;-)

However, this means there is no way to sync anything other than Inbox as far as I can see.

"imap path prefix" is an OS/X mail client setting.

I removed the maildir setting in main.cf - without this it defaults to mbox format in /var/mail.

Set dovecot to use

mail_location = mbox:~/mail:INBOX=/var/mail/%u

Dovecot gives this on client sync:

Apr 6 13:35:24 nightowl dovecot: imap(koborn): Error: file_dotlock_create(/var/mail/koborn) failed: Permission denied (euid=1002(koborn) egid=1005(koborn) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775) (set mail_privileged_group=mail)

in 10-mail.conf set

mail_privileged_group = mail

Set the client up to use Password auth over SSL on 465 for outbound - it insists on using "auto detect" and sets this.

Inbound the same, on 993

I now get sync of the /var/mail/ file, and also I have auto-generated a ~/mail directory with things like Sent and Trash populated - syncing these is a client setting.

This now seems to work, and also works from an Android phone over 4G, so sending from outside my network.

So not sure why OS/X Mail doesn't understand the Maildir format.

Hi Sam,

After following your tutorial step by step, I am now in this position. I got my mail server configured following your way. It seems that everything is correct, but I just could not get it online. When I try email client, it says "server not found'. I guess it is the domain problem. Here below are details about my situation:

1. I connect the internet via router. So on my router, there is WAN and LAN. I set static IP address for my Raspberry PI, but it is like 192.168.1.100.

2. On my DNS provider, I set A record to IP address shown on WAN like 123.114.25.8. I also set MX record and CNAME record for IMAP.mydomain.com, SMPT. mydomain.com

3. I used "dig" and found that mydomain.com MX is set as "mydomain.com MX 10 mydomain.com"

But I still could not connect to my server from outside my internal network. Pls kindly let me know what to do on this.

Thank you.
DEREK

Hi Derek,

Did you forward ports 25, 993 and 465 on the router to the static IP address of your raspi?

Your router's firewall may be blocking the incoming connections.

Sam

Hi, i have a problem with telnet. It writes:
root@email:/etc/dovecot/conf.d# telnet localhost 465
Trying ::1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
Can you help me? (PS:Im sorry for my bad english)

mkcert.sh and dovecot-openssl.cnf were both missing after following above steps. I was able to connect to mail server but could not secure IMAP

Hi,

I have the same problem as Darren. Running

PRETTY_NAME="Raspbian GNU/Linux 7 (wheezy)"
NAME="Raspbian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"

not able to find mkcert.sh;

/usr/share/dovecot $ ls -al
total 48
drwxr-xr-x 4 root root 4096 Mar 18 22:04 .
drwxr-xr-x 182 root root 4096 Apr 13 21:03 ..
drwxr-xr-x 2 root root 4096 Mar 18 22:04 conf.d
-rw-r--r-- 1 root root 4180 Jun 9 2014 dovecot.conf
-rw-r--r-- 1 root root 410 Jun 9 2014 dovecot-db.conf.ext
-rw-r--r-- 1 root root 782 Jun 9 2014 dovecot-dict-sql.conf.ext
-rw-r--r-- 1 root root 5192 Jun 9 2014 dovecot-ldap.conf.ext
-rw-r--r-- 1 root root 5348 Jun 9 2014 dovecot-sql.conf.ext
drwxr-xr-x 2 root root 4096 Mar 18 22:11 protocols.d

Thanks for a great tutorial!

Hey,

Looks like they "fixed" the packaging.

If you have the cert already, you don't need to create one, so skip that part.

Sam

Hi Sam,

I wanted to change the LAN IP address of the mail server. The only place that I know where this is visible is in postfix/main.cf However, if I change this (and the NAT entries, of course) mail does not work. Where else is the IP address of the mail server used?

Thanks....John

Hi sam ,
First I would thank you so much for the great job you did . By the way I wrote an article on my own blog (tmlinux.com) ... in french about you for thankingyou.
Now my problem
Try to sent from my own public to my local one and in worked well
The opposite way round (using thunderbrid) from the local to the public the mail went in thunderbird to sent message but . It never arrived and my doamin name is now black listed (checked using MX toolbox)
I am disapointed.....
Thank you again for your great job.

Thanks for your kind comments and for writing about the tutorial on your site.

Did you follow the links in the blacklist check? If you do, you'll see that the Spamhaus PBL is not a blacklist, it is a list of dynamic IP addresses/IPs that are meant for consumers that shouldn't be running mail servers. You'll probably have to get a static IP to get off that.

I don't know why you're on the other blacklist, seems unlikely that it's because of something you did since you set up the server, more likely something that a previous user of the IP did (especially if it's dynamic)! You could request delisting but if the IP is dynamic there's not much point because you could be assigned a new one at any time.

Sam

Hi Sam

Thank you for your quick and good answer. I requested to be delisted on the "Protected Sky" black list. The point I don't understand is that my ISP (Free in France) assigned me a static ip adress . I Have it for years. As far as I know it did not change.
For Spmahaus PBL, in there PBL advisory they say
"Important: If you are using any normal email software (such as Outlook, Entourage, Thunderbird, Apple Mail, etc.) and you are being blocked by this Spamhaus PBL listing when you try to send email, the reason is simply that you need to turn on "SMTP Authentication" in your email program settings. "
DidI set up something wrong . I don't know. By the way i requested to be delisted from them as well .

I am waiting for this to be propagated . But i want to be sure that there are no config problem .
By the way , I 'll follow your tutorial to have a "correct " Open certificate" : https://samhobbs.co.uk/2014/04/ssl-certificate-signing-cacert-raspberry-... .

I'll keep you informed

You're welcome.

Weird, if you have a static IP you shouldn't be on the PBL, maybe worth asking your ISP about it - they may have registered the IP range in a way that means there shouldn't be email servers on it?

The SMTP authentication they are talking about in that Spamhaus article is client to server, for people using email clients to communicate with a server outside their LAN. Some servers used to allow mail submission (client to server, not server to server) on port 25, but it's generally not done any more (we use ports 465 or 587 instead). Basically, the explanation was not written for server owners, and you can ignore it.

I guess it's possible that spam has been sent from your server, if you have a compromised account (e.g. "pi", "raspberry" account still active with default password?). Worth checking /var/log/mail.log to see how much mail has gone out.

Let me know what happens with the de-listing, maybe they can tell you when/why you were added!

Sam

Thank you again for your time
Pi password was changed as soon as I installed the Raspberry PI
I have been delisted but i still have problems sending mails from the Rpi mail server

I check /var/log/mail.log
and there are no activity before installing my mail server yesterday but
Mail.log is Huge but it was all tests done by the tutorial.....
and
i have a lot of lines like
"Apr 14 00:45:35 raspberrypi postfix/smtp[12018]: connect to mta7.am0.yahoodns.net[98.138.112.34]:25: Connection timed out"

I think i am the spammer ; I stopped the postfix service for now.
I you would be kind enough to have a look at the log file . and may be give me some advices .
here is the odt version : http://www.cjoint.com/c/FDootZdhzn7
here is the rtf version : http://www.cjoint.com/c/FDoovsuJ7y7

I tried with yahoo , gmail and my business address none received any mail.
Thank you again

Hello Sam
Sorry to distburg you again. I tried the whole day to find out where my error comes from withour success.
Could you please have a quick look at the log files sent in my previous post to tell me if you understand why I am not able to send mail and why the server keeps trying sending those mails
Thank you very much

Hey, apologies for not replying sooner, I've been really busy.

I think the connection timeout is probably caused by your ISP blocking outbound email on port 25.

If you telnet to me on port 25 from your LAN, does it connect or do you get a timeout?

Looks like you're able to send mail locally between accounts on the server, is that right?

Sam

Hello Sam so sorry to disturb you again .
I installed from scratch the server again following your 2 tuto (part 1 and part 2) .
Then i tryed to send a mail from external address to my server . it worked well.
But then try to send a mail from Thunderbrid connected to the pi email server to my yahoo mail.
It never arrived .
I looked at
tail /var/log/mail.log
got the following answer
Do you have an Idea?

Apr 16 21:24:55 raspberrypi postfix/anvil[31755]: statistics: max connection rate 2/60s for (smtp:192.168.0.254) at Apr 16 21:14:55
Apr 16 21:24:55 raspberrypi postfix/anvil[31755]: statistics: max connection count 1 for (smtp:192.168.0.254) at Apr 16 21:14:55
Apr 16 21:24:55 raspberrypi postfix/anvil[31755]: statistics: max cache size 1 at Apr 16 21:14:55
Apr 16 21:25:24 raspberrypi postfix/smtps/smtpd[31859]: connect from unknown[192.168.0.254]
Apr 16 21:25:24 raspberrypi postfix/smtps/smtpd[31859]: BFE10614F9: client=unknown[192.168.0.254], sasl_method=PLAIN, sasl_username=myuser
Apr 16 21:25:24 raspberrypi postfix/cleanup[31868]: BFE10614F9: message-id=<43989c96-0392-ae40-9aba-5da10dc87ae2@tmlinux.com>
Apr 16 21:25:24 raspberrypi postfix/qmgr[30972]: BFE10614F9: from=, size=3470, nrcpt=1 (queue active)
Apr 16 21:25:24 raspberrypi postfix/smtps/smtpd[31859]: disconnect from unknown[192.168.0.254]
Apr 16 21:25:25 raspberrypi dovecot: imap-login: Login: user=, method=PLAIN, rip=192.168.0.254, lip=192.168.0.206, mpid=31877, TLS, session=
Apr 16 21:25:35 raspberrypi dovecot: imap-login: Login: user=, method=PLAIN, rip=192.168.0.254, lip=192.168.0.206, mpid=31885, TLS, session=< Tlssessioncrypto +>
Apr 16 21:25:55 raspberrypi postfix/smtp[31869]: connect to mta6.am0.yahoodns.net[66.196.118.36]:25: Connection timed out
Apr 16 21:26:25 raspberrypi postfix/smtp[31869]: connect to mta5.am0.yahoodns.net[98.136.217.203]:25: Connection timed out
Apr 16 21:26:55 raspberrypi postfix/smtp[31869]: connect to mta6.am0.yahoodns.net[98.136.216.26]:25: Connection timed out
Apr 16 21:27:25 raspberrypi postfix/smtp[31869]: connect to mta7.am0.yahoodns.net[98.138.112.35]:25: Connection timed out
Apr 16 21:27:55 raspberrypi postfix/smtp[31869]: connect to mta7.am0.yahoodns.net[98.136.216.26]:25: Connection timed out
Apr 16 21:27:55 raspberrypi postfix/smtp[31869]: BFE10614F9: to=, relay=none, delay=150, delays=0.11/0.03/150/0, dsn=4.4.1, status=deferred (connect to mta7.am0.yahoodns.net[98.136.216.26]:25: Connection timed out)
Apr 16 21:28:45 raspberrypi postfix/anvil[31755]: statistics: max connection rate 1/60s for (smtps:192.168.0.254) at Apr 16 21:25:24
Apr 16 21:28:45 raspberrypi postfix/anvil[31755]: statistics: max connection count 1 for (smtps:192.168.0.254) at Apr 16 21:25:24
Apr 16 21:28:45 raspberrypi postfix/anvil[31755]: statistics: max cache size 1 at Apr 16 21:25:24
Apr 16 21:36:37 raspberrypi postfix/qmgr[30972]: BFE10614F9: from=, size=3470, nrcpt=1 (queue active)
Apr 16 21:37:07 raspberrypi postfix/smtp[31939]: connect to mta6.am0.yahoodns.net[63.250.192.45]:25: Connection timed out
Apr 16 21:37:37 raspberrypi postfix/smtp[31939]: connect to mta6.am0.yahoodns.net[98.136.216.26]:25: Connection timed out
Apr 16 21:38:07 raspberrypi postfix/smtp[31939]: connect to mta7.am0.yahoodns.net[66.196.118.240]:25: Connection timed out
Apr 16 21:38:37 raspberrypi postfix/smtp[31939]: connect to mta5.am0.yahoodns.net[98.138.112.33]:25: Connection timed out
Apr 16 21:39:07 raspberrypi postfix/smtp[31939]: connect to mta6.am0.yahoodns.net[63.250.192.46]:25: Connection timed out
Apr 16 21:39:07 raspberrypi postfix/smtp[31939]: BFE10614F9: to=, relay=none, delay=823, delays=673/0.04/150/0, dsn=4.4.1, status=deferred (connect to mta6.am0.yahoodns.net[63.250.192.46]:25: Connection timed out)

Now we the open port from my ISP it wrok as a charmed.
A few thing i would share with you Maybe to update your tutorials
1) To avoid even more to be flagged as a spammer : it would be a good idea to Install and Configure DKIM
2) an adress to do a mail and reputaion check : Mail Checker

Your tutorials are of the best today.
Thank you again so much

Hey,

Glad you got everything working.

Thanks for the suggestions, I've been meaning to configure DKIM myself, I'll check it out and write an extra section when I have time.

Sam

Hello, thank you for such a detailed guide! I am missing this /usr/share/dovecot/dovecot-openssl.cnf

and

./mkcert.sh

in /usr/share/dovecot

May be those were removed with a recent version?

Thanks,
Frank

Pages

Add new comment