Learn Linux Series (#9) - e-mail server (Dovecot)

by @vitusc
https://steemitimages.com/0x0/https://habrastorage.org/getpro/habr/post_images/9e3/d19/948/9e3d19948ac4132613bf784ef7c7d229.png

#### What Will I Learn?
- What is Dovecot
- How to install Dovecot
- How to configure Dovecot
- Creating certificates and keys
- How to add Dovecot to autostart
- Reading e-mails from the console

#### Requirements
- Linux system installed
- Basic knowledge of terminal operation
- Average knowledge of Linux commands
- Motivation when something goes wrong

#### Difficulty
- Intermediate
<br><br>

https://www.8px.pl/assets/dovecotLogo-604x270.png

- What is Dovecot<br><br>
**Dovecot** is an open-source IMAP and POP3 server for Linux/UNIX-like systems, written with security as its primary design goal. It is a good choice for both small and large installations: it is fast, simple to set up, needs little ongoing administration and uses very little memory.<br>
Dovecot supports:<br>
1) the IMAP and POP3 protocols, IPv6 and SSL/TLS;
2) the mbox and Maildir mailbox formats;
3) concurrent access to the mailboxes by other programs (so it also works on NFS shares and clustered file systems);
4) the authentication mechanisms PLAIN, LOGIN, CRAM-MD5, DIGEST-MD5, APOP, NTLM, GSS-SPNEGO, GSSAPI, RPA, OTP and SKEY;
5) many password databases, e.g. PAM, the system passwd files, LDAP, SQL databases (MySQL, PostgreSQL, SQLite) and others;
6) a plugin mechanism that extends its functionality (e.g. quota, ACLs).<br>
A note on point 4: PLAIN and LOGIN transmit the password itself, so they are only acceptable inside TLS (that is what *disable_plaintext_auth* below enforces). The challenge-response mechanisms such as CRAM-MD5 and DIGEST-MD5 do not transmit it, but in return they require the server to store the password in plaintext or in a mechanism-specific form that is just as useful to an attacker who steals the database, so they are not a free upgrade.<br>
**Dovecot** was designed and written with security as a priority. To back this claim its author, Timo Sirainen, offers a **1000€** prize to the first person who demonstrates a remotely exploitable security hole in Dovecot that gives access to someone else's mailbox without knowing the password. The offer was made on 22 January 2006 and, although various security-related bugs have been found in the program since, nobody had met its conditions at the time of writing.
<br><br>
- How to install and configure Dovecot
<br>

First install Dovecot and OpenSSL (if the latter is not installed yet; we will use it to create the certificate and key for the encrypted connections). The package name below is the openSUSE one (zypper):
``` language
zypper in dovecot21 openssl
```
It is worth making a backup copy of the configuration file first:
``` language
cd /etc/dovecot
cp dovecot.conf dovecot.conf.backup
```
We create the initial configuration file from the settings currently in effect (`doveconf -n` prints only the settings that differ from the defaults, which gives a short, readable file):
``` language
doveconf -n > dovecot.conf-new
mv dovecot.conf-new dovecot.conf
```
Do not redirect straight into dovecot.conf (`doveconf -n > dovecot.conf`): the shell truncates the file before doveconf reads it, so the configuration would be lost; on a fresh install doveconf also complains about the missing SSL certificate, and you want to see that on the terminal before the new file replaces the old one.
Edit the file (vi /etc/dovecot/dovecot.conf) and set or add the following options. First the location of the mailboxes, which must be the same place the MTA (Postfix from Part 4 or Exim from Part 5) delivers to; `maildir:~/Maildir` means a Maildir called `Maildir` in each user's home directory:
``` language
mail_location = maildir:~/Maildir
```
With *mail_location* set like this, the whole *namespace inbox* section that doveconf copied into the file can be deleted or commented out (we do not need it here; its `special_use` entries only tell IMAP clients which folders hold drafts, sent mail and so on):
``` language
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = Drafts
  }
  mailbox Junk {
    special_use = Junk
  }
  mailbox Sent {
    special_use = Sent
  }
  mailbox "Sent Messages" {
    special_use = Sent
  }
  mailbox Trash {
    special_use = Trash
  }
  prefix =
}
```
*login_greeting* = My POP3 / IMAP server # the banner Dovecot sends as soon as a client connects, before any login, so it is visible to anyone who can reach the port; keep it generic<br>
*listen* = * # listen on all IPv4 interfaces (`*, ::` for IPv4 and IPv6)<br>
*protocols* = "imap pop3" # the mail protocols to serve<br>
*ssl* = yes # enable SSL/TLS; `ssl = required` goes one step further and refuses every session that is not TLS-protected, which is the safer choice when all your clients support TLS<br>
*ssl_cert* = </etc/dovecot/ssl/certificate.pem # path to the certificate; the leading "<" (less-than sign) tells Dovecot to read the file instead of treating the path as the value, and without it the log shows: "Can't load ssl_cert: There is no valid PEM certificate. (You probably forgot '<' from ssl_cert=</etc/dovecot/ssl/certificate.pem)"<br>
*ssl_key* = </etc/dovecot/ssl/key.pem # path to the private key, again with the leading "<"<br>
*disable_plaintext_auth* = yes # refuse PLAIN and LOGIN (the mechanisms that transmit the password) on connections that are not TLS-protected; they stay available inside TLS, and Dovecot also treats connections from the machine's own IP address (loopback) as secure, so a test from localhost does not exercise this setting
<br><br>
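For reference, here is the complete dovecot.conf that these steps produce, as an added example (it is not copied from the article or from Dovecot's own files), with the settings a practitioner would tighten on a server that is reachable from outside marked in the comments. The file paths, the host name and the passdb/userdb blocks are assumptions: on this setup `doveconf -n` copies the system-user blocks into the file, so keep whatever it wrote there.

```conf
# /etc/dovecot/dovecot.conf - added example, not the article's own file.
# Paths and the passdb/userdb blocks are assumptions; confirm with `doveconf -n`.
mail_location = maildir:~/Maildir
listen = *, ::
protocols = imap pop3
login_greeting = My POP3 / IMAP server

# TLS. "ssl = yes" still accepts unencrypted sessions and relies on
# disable_plaintext_auth alone to keep the password off the wire;
# "ssl = required" rejects such sessions outright.
ssl = required
ssl_cert = </etc/dovecot/ssl/certificate.pem
ssl_key = </etc/dovecot/ssl/key.pem
# Dovecot 2.1/2.2: disable the broken protocol versions.
# Dovecot 2.3 and later replaced this with: ssl_min_protocol = TLSv1.2
ssl_protocols = !SSLv2 !SSLv3

# Never accept a password on a connection that is not TLS-protected
# (connections from the machine's own address count as protected).
disable_plaintext_auth = yes
# Offer only the mechanisms the password database can serve; PLAIN and LOGIN
# are fine once they are confined to TLS by the two settings above.
auth_mechanisms = plain login

# Authentication against the system users (assumed to be what doveconf -n
# copied in on this installation; keep the blocks it wrote).
passdb {
  driver = pam
}
userdb {
  driver = passwd
}
```

Run `doveconf -n` after saving: it reports syntax errors and shows the settings exactly as Dovecot will apply them, which is the quickest way to catch a typo such as a missing "<" in front of a certificate path.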
Save the configuration. Now we create the certificate and key that it points to. A self-signed certificate is fine for a test server and for clients you control (they will have to accept it explicitly, or pin it); a server facing the Internet should use a certificate issued by a CA, because otherwise every client has to be told to ignore the certificate warning, which defeats the point of TLS.
``` language
mkdir /etc/dovecot/ssl
cd /etc/dovecot/ssl
openssl req -new -x509 -nodes -out certificate.pem -keyout key.pem -days 365
```
The command takes OpenSSL's defaults for the key size and the signature digest; older versions default to a 1024-bit key and SHA-1 (as the certificate dump further below shows), which current mail clients reject, so on such a system add `-newkey rsa:4096 -sha256`. Enter your details at the prompts. The one that matters is "Common Name": it must be the host name your clients will connect to (for a mail server typically `mail.utopian.io` rather than the bare domain), because that is what the client compares the certificate against.
``` language
Country Name (2 letter code) [AU]: GB # country (two-letter ISO 3166 code)
State or Province Name (full name) [Some-State]: Texas # province
Locality Name (eg, city) []: Glasgow # city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Utopian-io # name of our company
Organizational Unit Name (eg, section) []: Programming # section / department of the company
Common Name (e.g. server FQDN or YOUR name) []: utopian.io # host name the clients connect to
Email Address []: vitusc@utopian.io # contact address for matters regarding the certificate
```
We check that the key was generated correctly (with `-noout`, so that the private key itself is not printed to the terminal and into its scrollback):
``` language
openssl rsa -in key.pem -check -noout
```
``` language
RSA key ok
```
If you see this message, the key is fine. Make sure the key is readable only by root (`chmod 600 key.pem`): Dovecot opens it as root before dropping privileges, so nothing wider is needed, and anyone who can read the file can impersonate the server.<br>
Now check the certificate:
``` language
openssl x509 -noout -text -in certificate.pem
```
The output should look like this:
``` language
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 16436464367657346376 (0xcf48ed216ab49e87)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=GB, ST=Texas, L=Glasgow, O=Utopian-io, OU=Programming, CN=utopian.io/emailAddress=vitusc@utopian.io
        Validity
            Not Before: Mar  20 15:54:17 2018 GMT
            Not After : Mar  19 15:54:17 2022 GMT
        Subject: C=GB, ST=Texas, L=Glasgow, O=Utopian-io, OU=Programming, CN=utopian.io/emailAddress=vitusc@utopian.io
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                [...]
            X509v3 Authority Key Identifier:
                [...]

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         [...]
```
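The dump above shows what that OpenSSL version's defaults produced: a 1024-bit key, a SHA-1 signature, `CA:TRUE` (a server certificate should be `CA:FALSE`) and no Subject Alternative Name, which is what current clients actually match the host name against. The script below is an added example, not part of the original article, that generates a certificate and key without these problems, sets the key permissions and then checks the result the way a client (and a careful administrator) would; it needs only the `openssl` binary (1.0.2 or newer) and GNU `stat`. The directory, the host name `mail.utopian.io` and the 365-day validity are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original article): create a self-signed
# certificate and key for Dovecot and verify them with openssl.
# Assumptions: openssl 1.0.2+ and GNU stat on PATH; directory, host name and
# validity come from the command line (the values in the usage line are placeholders).
set -eu

# make_dovecot_cert DIR FQDN DAYS
#   Writes DIR/key.pem (RSA 4096, unencrypted so Dovecot can read it at
#   start-up) and DIR/certificate.pem (SHA-256 self-signed, CA:FALSE, SAN).
#   An explicit config file is used so that the system openssl.cnf does not
#   add its own CA:TRUE extension.
make_dovecot_cert() {
    dir=$1; fqdn=$2; days=$3
    mkdir -p "$dir"
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_mail
prompt = no
[dn]
CN = $fqdn
[v3_mail]
subjectAltName = DNS:$fqdn
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:4096 -sha256 -nodes -days "$days" \
        -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/certificate.pem" 2>/dev/null
    rm -f "$dir/req.cnf"
    # Dovecot reads ssl_key as root before dropping privileges,
    # so root-only access is enough and anything wider is a leak.
    chmod 0600 "$dir/key.pem"
    chmod 0644 "$dir/certificate.pem"
}

# check_dovecot_cert DIR FQDN
#   Returns 0 when key and certificate pass all checks; otherwise prints
#   the first failing check and returns 1.
check_dovecot_cert() {
    dir=$1; fqdn=$2
    text=$(openssl x509 -in "$dir/certificate.pem" -noout -text)
    openssl rsa -in "$dir/key.pem" -check -noout >/dev/null 2>&1 \
        || { echo "private key is not a valid RSA key"; return 1; }
    # the public key inside the certificate must be the one derived from key.pem
    [ "$(openssl x509 -in "$dir/certificate.pem" -noout -pubkey)" = \
      "$(openssl rsa -in "$dir/key.pem" -pubout 2>/dev/null)" ] \
        || { echo "key.pem does not belong to certificate.pem"; return 1; }
    echo "$text" | grep -q 'Public-Key: (4096 bit)' \
        || { echo "key is shorter than 4096 bits"; return 1; }
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
        || { echo "certificate is not SHA-256 signed"; return 1; }
    echo "$text" | grep -q 'CA:FALSE' \
        || { echo "certificate is marked as a CA"; return 1; }
    echo "$text" | grep -q "DNS:$fqdn" \
        || { echo "no subjectAltName for $fqdn"; return 1; }
    [ "$(stat -c %a "$dir/key.pem")" = 600 ] \
        || { echo "key.pem is not mode 0600"; return 1; }
    return 0
}

# Usage: sh make-dovecot-cert.sh /etc/dovecot/ssl mail.utopian.io 365
if [ -n "${2:-}" ]; then
    make_dovecot_cert "$1" "$2" "${3:-365}"
    check_dovecot_cert "$1" "$2" && echo "certificate and key in $1 pass all checks"
fi
```

Run it as root with the directory the `ssl_cert`/`ssl_key` settings point to; if a check fails, it names the problem instead of leaving you to read the whole `-text` dump. The check function is also worth running again after any later certificate renewal, because a renewal done with different tooling is the typical way a CA:TRUE or SHA-1 certificate comes back.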
The certificate works for this exercise, but before using it for anything else regenerate it with a 4096-bit key and SHA-256: the dump shows a 1024-bit key, a SHA-1 signature and `CA:TRUE`, which current clients refuse. With the certificate and key in place, start Dovecot and add it to autostart. The commands below are for SysV init, as on the openSUSE release used here; on a systemd system use `systemctl enable --now dovecot` and `systemctl status dovecot` instead, and in either case `doveconf -n` must run without errors first:
``` language
service dovecot start
service dovecot status
chkconfig dovecot on
```
Let's try to send a message over SMTP. Note that Dovecot does not accept mail: the server on port 25 is the MTA from Part 4 (the responses below are Postfix's), and it accepts the message because test@utopian.io is a local recipient. Lines we type are shown without a prefix; the server's replies follow them:
``` language
telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
ehlo utopian.io
250-mail.utopian.io
250-PIPELINING
250-SIZE
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: vitusc@utopian.io
250 2.1.0 Ok
rcpt to: test@utopian.io
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: Sending test

We're testing sending messages
.
250 2.0.0 Ok: queued as 2E23E1C0F15
quit
221 2.0.0 Bye
Connection closed by foreign host.
```
After the `data` command come the headers, then an empty line, then the body; a line containing only a full stop ends the message, and the server answers with the queue ID (here 2E23E1C0F15) under which it accepted it for delivery.
<br><br>
- Now let's read this e-mail from the console. Port 995 is POP3 over TLS (POP3S), so the whole session, including the password, is encrypted; `openssl s_client` does the TLS handshake and then hands us the plain POP3 dialogue:
``` language
openssl s_client -connect localhost:995
[...]
+OK Dovecot ready.
user test
+OK
pass test
+OK Logged in.
stat
+OK 1 486
list
+OK 1 messages:
1 486
.
retr 1
+OK 486 octets
Return-Path: <vitusc@utopian.io>
X-Original-To: test@utopian.io
Delivered-To: test@utopian.io
Received: from utopian.io (localhost [IPv6:::1])
        by mail.utopian.io with ESMTP id 2E23E1C0F15
        for <test@utopian.io>; Mon,  3 Aug 2015 12:57:13 +0200 (CEST)
Subject: Sending test
Message-Id: <20150803105723.2E23E1C0F15@mail.utopian.io>
Date: Mon,  3 Aug 2015 12:57:13 +0200 (CEST)
From: vitusc@utopian.io

We're testing sending messages
.
quit
+OK Logging out.
closed
```
`stat` reports the number of messages and their total size, `list` the size of each one and `retr 1` returns message 1; multi-line replies end with a line containing only a full stop. The `[...]` hides the TLS handshake output, which is worth reading before you type the password: with our self-signed certificate s_client reports "Verify return code: 18 (self signed certificate)", meaning it could not check who it is talking to, so compare the certificate it received (`openssl s_client -connect localhost:995 </dev/null 2>/dev/null | openssl x509 -noout -fingerprint`) with `openssl x509 -in /etc/dovecot/ssl/certificate.pem -noout -fingerprint` on the server. If the greeting still reads "Dovecot ready." rather than the *login_greeting* you configured, Dovecot is running with the old configuration and needs a restart. The account `test` with password `test` is a throwaway for this test only; remove it afterwards. To see *disable_plaintext_auth* in action, repeat the `user`/`pass` exchange on port 110 from another machine: Dovecot answers the `user` command with "-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections." (from localhost the login would succeed, because Dovecot treats loopback connections as secure).



<br><br><br><br>
#### Curriculum
- [Part 1 - TCP/IP Computer Adaptation](https://utopian.io/utopian-io/@vitusc/learn-linux-series-1-tcp-ip-computer-adaptation)
- [Part 2 - Proftpd management and configuration](https://utopian.io/utopian-io/@vitusc/learn-linux-series-2-proftpd-management-and-configuration)
- [Part 3 - Introduction to programming](https://utopian.io/utopian-io/@vitusc/learn-linux-series-3-introduction-to-programming)
- [Part 4 - e-mail server (Postfix)](https://utopian.io/utopian-io/@vitusc/learn-linux-series-4-e-mail-server-postfix)
- [Part 5 - e-mail server (Exim)](https://utopian.io/utopian-io/@vitusc/learn-linux-series-5-e-mail-server-exim)
- [Part 6 - Attack Detection System Snort](https://utopian.io/utopian-io/@vitusc/learn-linux-series-6-attack-detection-system-snort)
- [Part 7 - Defense against port scans PortSentry](https://utopian.io/utopian-io/@vitusc/learn-linux-series-7-defense-against-port-scans-portsentry)
- [Part 8 - Intrusion detection system TripWire](https://utopian.io/utopian-io/@vitusc/learn-linux-series-8-intrusion-detection-system-tripwire)

<br /><hr/><em>Posted on <a href="https://utopian.io/utopian-io/@vitusc/learn-linux-series-9-e-mail-server-dovecot">Utopian.io -  Rewarding Open Source Contributors</a></em><hr/>