April 6, 2006

Set up a secure IMAP/POP3 server with Dovecot

Author: Manolis Tzanidakis

Internet Message Access Protocol (IMAP) servers such as Courier-IMAP and Cyrus IMAP may work well, but they’re complicated to install and configure. I'll show you how to set up your mail server quickly and securely using Dovecot, an open source IMAP and Post Office Protocol version 3 (POP3) server for Unix-like operating systems.

Security is Dovecot's top priority. Timo Sirainen, the program's author, uses secure coding practices to avoid common problems and pitfalls. Dovecot maintains the index files of the mailbox constantly, making the application fast, lightweight, and memory-efficient. Sirainen claims that each connection uses only around 100KB of swappable memory.

Although it's still in the pre-1.0 version stage, Dovecot is more stable than some other popular servers. I've been using Dovecot on production systems for more than eight months without having a single crash or losing any email. The project licenses most parts under the GNU Lesser General Public License (LGPL) 2.1.

Dovecot offers binary packages for most Linux distributions and the BSDs; check the prebuilt binaries list. If there isn't one for your favorite OS you can compile the program easily from source with this simple code:

su -c 'make install'

You can find more information about the installation procedure in the INSTALL file included in the source distribution.

You can link Dovecot with OpenSSL for complete Transport Layer Security (TLS) and Secure Sockets Layer (SSL) support, which IMAPS and POP3S services require.

Authenticating usernames and passwords

Dovecot supports many ways of storing username and password information for both system and virtual users. Besides regular Unix system accounts stored in /etc/passwd, you can store user information in a SQL database or with Lightweight Directory Access Protocol (LDAP) either directly or via pluggable authentication modules (PAM) and vpopmail. Newer versions (currently in beta phase) also support multiple authentication databases, allowing you to have both system and virtual users at the same time.

You can complete authentication in one of two ways. In the first, the PLAIN mechanism, which all available clients support, mail clients send the password to the server totally unencrypted. In the second, Dovecot uses either CRAM-MD5 or DIGEST-MD5 to offer encryption with the MD5 algorithm. Not all clients support these authentication mechanisms, which offer some form of password protection but require you to store the password in a special form or in plain-text files. If you must use PLAIN authentication, you should provide only SSL-encrypted IMAPS or POP3S service to prevent malicious users from eavesdropping on your passwords.

Dovecot supports both the traditional Unix mbox format and the newer Maildir, allowing easy transition from other servers. The documentation provides detailed instructions on how to migrate from other servers. Dovecot doesn't depend on a specific Simple Mail Transfer Protocol (SMTP) server; you can use it with Postfix, Sendmail, qmail, and Exim.

Configuration is fairly easy; you need to worry only about setting the authentication mechanism and the mail storage to the format of your choice. The default configuration file, /etc/dovecot.conf, includes detailed explanations in comments. You can also find documentation about setting up the program on the wiki. Join the mailing list and ask for help if you have any problems; the community is quite active.

Dovecot uses multiple file-locking mechanisms, including dotlock, fcntl, and flock, so it's safe to use with mailboxes it shares via NFS. It also supports IMAP and POP3 session proxying. These two features offer flexibility in large-scale installations with many clustered servers and lots of concurrently connected users.

I've been using Dovecot on several production systems running Linux and OpenBSD for some time now. It's easy to configure and requires virtually no maintenance. The project is being developed actively, and more exciting features are in the works; in fact, some are available already in 1.0 test releases. If you're about to set up a new mail server or you're not satisfied with your current configuration, check out Dovecot.


  • Enterprise Applications
Click Here!