This documentation is for Dovecot v1.x, see wiki2 for v2.x documentation.
Differences between revisions 1 and 17 (spanning 16 versions)
Revision 1 as of 2003-08-24 23:08:40, editor ip68-100-111-121
Revision 17 as of 2003-08-27 03:40:01, editor ip68-100-111-121

Apart from formatting (wiki headings and {{{ }}} code blocks) and the additions and rewordings that appear in revision 17, the only passages of any length removed between the two revisions are the introduction and the MUA section. Both are reproduced here from revision 1; everything from "Software" onward is revision 17.

Introduction (revision 1 only)

This describes how to install and configure Dovecot with LDAP authentication. This is not the definitive guide to installing Dovecot or OpenLDAP. I am not an expert on IMAP, e-mail, LDAP, or Unix. As I was writing this, I discovered unexpected quirks in OpenLDAP that caused my configuration to do things I hadn't intended. I succeeded in installing Dovecot only with help from Timo, and I made a number of mistakes in the process. There may be mistakes in this document. It is, however, based on a working configuration.

MUAs (aka mail clients) (revision 1 only)

Mutt

In your .muttrc file:

        set folder=imap://<imap host>
        set imap_user="<account name>"
        set imap_pass="<imap password>"
        set spoolfile=imap://<imap host>/inbox

If you keep imap_pass in .muttrc, make the file readable only by yourself; with SSL disabled on the server (see ssl_disable below) that password also crosses the LAN in clear text.

Eudora

For some reason, when using mbox files, Eudora looks for a file named "inbox" (all lower case) to use as the IMAP inbox. If you name it "Inbox", Eudora won't be able to find it.

For equally obscure reasons, Eudora lists all IMAP mailboxes under the Dominant personality.

Eudora 4.2

Go to Special->Settings->Getting Started. Enter information in all the text boxes. Go to "Hosts". The Mail host name should have carried over. Fill in the SMTP host name.

Go to "Checking Mail". Click on IMAP. Click on "Check mail every X minutes" and type in 15 (or whatever). Whenever Eudora checks the server for new mail, a window pops up in the middle of what you are doing and announces that you have or don't have new mail. This can get extremely irritating, so you may not want to check this. Leave "IMAP Mailbox Location Prefix" blank. Click on "Use minimal headers", "Use background threading", and "Save password". Unselect "Send on check".

Go to "Sending Mail" and fill in any missing information. Go to "Personality Extras" and click on "Use a trash mailbox on the IMAP server". The first time you delete an e-mail, you should get a message asking you to select a trash mailbox from the Mailbox menu. Go to Mailbox->Dominant and select Trash.

Eudora 5.1

Go to Tools->Options->Getting Started. Enter information in all the text boxes. Go to "Checking Mail". The IMAP server name and your account name should have carried over. Click on "Remember Password".

Go to "Incoming Mail". Click on IMAP at the top. Leave "IMAP Mailbox Location Prefix" blank. The documentation says you need something there, but you don't. Select "Minimal Headers Only". Under "When I delete a message:", click on "Move it to:". Click on the Trash button, and select the Trash box under Dominant. If there is no Trash box under Dominant, then go to Tools->Mailboxes. In the Mailbox window, right click on Dominant, and click on "Refresh Mailbox List". If you've added a Trash file in your /var/mail directory, the Trash mailbox will show up under Dominant. Try the Trash button again, and select the Dominant Trash mailbox.

Go to "Sending Mail". Click on "Immediate Send". Unselect "Send on check". You don't have to do that, but I find that "Send on check" results in mail being sent before I'm ready to send it.

Go to "Miscellaneous" (last). Click on "Empty trash when exiting". Or if you're one of those people who use the trash as a To-Do box, don't click on "Empty trash when exiting".

Software

  • FreeBSD 4.8
  • openldap-2.1.22
  • dovecot-0.99.10

Environment

This sets up mail accounts for people who don't have accounts on the FBSD box; e.g. there is a mail account for ole_wobble in the LDAP registry, but no matching account in the Unix passwd file. However, each mail account does require its own directory in /var/mail; e.g. for user Ole Wobble Olson, you need the directory /var/mail/ole_wobble. There is a Unix account named postoffice which handles all administrative tasks and owns the directories and files set up for mail accounts in /var/mail. The group for files in /var/mail is mail. Using ole_wobble as an example:

        # ls -l /var/mail | grep ole_wobble
        drwx--x--x  3 postoffice  mail  - 1024 Aug 23 04:15 ole_wobble

Mail storage is mbox, but these instructions should work fine with Maildir directories. The UID number for the postoffice account is 3000 and the GID number is 8. Change the ID numbers to match your system.

In each user directory in /var/mail, I create three files: inbox, outbox, and Trash. These are needed for the MUAs (mail clients) we use. Eudora requires the inbox to be "inbox", all lower case; mutt requires the outbox to be "outbox", all lower case, and Eudora uses a trash box named "Trash".

If you want to use raw logging, you will need to add a directory named "dovecot.rawlog" to /home/postoffice.

OpenLDAP

The OpenLDAP instructions are extremely sketchy and are intended only to supplement the instructions at the OpenLDAP web site. They give information specific to a Dovecot setup that is missing from the OpenLDAP manual.

If you are going to use CRYPT password hashing as the default in OpenLDAP (this is compatible with Dovecot), then you will need to add the --enable-crypt option to the CONFIGURE_ARGS variable in the Makefile so that OpenLDAP will compile with CRYPT support. If you don't do this, OpenLDAP may actually work for a while, but then one day you'll restart the server and OpenLDAP will refuse to run until you remove the CRYPT setting from slapd.conf, which means the user passwords won't work. Bear in mind that {CRYPT} is simply the system crypt(3) function: the strength of the stored hashes depends on the salt format slapd generates (its password-crypt-salt-format directive; the default two-character salt gives traditional DES crypt on most systems), not on anything in Dovecot.

If you have portupgrade installed, the simplest way to install OpenLDAP is by using the portinstall tool.

        # portinstall openldap21

The instructions for configuring OpenLDAP, including a Quick Install Guide, are at

OpenLDAP appears to be difficult to install properly. My first two attempts were unsuccessful. The FreeBSD port includes Perl scripts that run tests to ensure that the installation succeeded. Even though the installation passed the tests, it couldn't be configured to work properly. On my third attempt, OpenLDAP worked but attempts to limit access to specified attributes caused OpenLDAP to refuse access to all attributes. On my fourth attempt, OpenLDAP ignored any attempts to limit access to specified attributes. You may need to install a few times before you get a usable installation of OpenLDAP.

Go to /usr/local/etc/rc.d, and copy slapd.sh.sample to slapd.sh. (Yes, Virginia, there is a slap daemon.) Open the file in a text editor. Ignore the line that says

        # Uncomment one of the following: 

Comment out the line that says

        slapd_args="-u ldap -g ldap"

Those arguments are what make slapd drop root privileges to the ldap user and group once it has bound its port; with the line commented out the daemon keeps running as root. If the ldap user and group exist on your system, the better fix is to leave the line in place and give that user ownership of the database directory named by the directory line in slapd.conf, so that slapd can still open its files after dropping privileges. Save your changes and close the text editor.

Go to the directory containing the OpenLDAP configuration files.

        # cd /usr/local/etc/openldap

Make a copy of slapd.conf.default and name it slapd.conf. Open slapd.conf in a text editor. You will need the following lines to reference the schemas you need:

        include         /usr/local/etc/openldap/schema/core.schema
        include         /usr/local/etc/openldap/schema/cosine.schema
        include         /usr/local/etc/openldap/schema/nis.schema

The following line will set the default password hashing method to the CRYPT algorithm, which is compatible with Dovecot:

        password-hash {CRYPT}

This setting only governs passwords set through the LDAP Password Modify operation (which is what the ldappasswd commands below use). A userPassword value supplied directly in an LDIF file is stored exactly as written, so don't put clear-text passwords in the LDIF expecting slapd to hash them.

The Quick Install Guide at the OpenLDAP site explains how to set up an administrator with global rights on the LDAP registry, and how to add entries. Here is a data hierarchy in LDIF format that can be used to provide Dovecot mail accounts. You should be able to copy it into an LDIF file, modify it for your own use, and install it all at once.

        dn: dc=wibble,dc=net
        objectClass: top
        objectClass: dcObject
        objectClass: organization
        o: Wibble Corp.
        dc: wibble
        description: Wibble, with Ole Wobble and Ole Wubble

        dn: ou=accounts,dc=wibble,dc=net
        objectClass: top
        objectClass: organizationalUnit
        ou: accounts

        # The account Dovecot binds as. "account" (cosine.schema) permits the
        # uid attribute the RDN needs, which "person" does not (and "person"
        # would also insist on a cn). simpleSecurityObject permits userPassword,
        # which ldappasswd fills in below; until then {CRYPT}* matches nothing.
        dn: uid=dovecot,ou=accounts,dc=wibble,dc=net
        objectClass: top
        objectClass: account
        objectClass: simpleSecurityObject
        uid: dovecot
        userPassword: {CRYPT}*

        dn: uid=ole_wobble,ou=accounts,dc=wibble,dc=net
        objectClass: top
        objectClass: person
        objectClass: posixAccount
        cn: Ole Wobble Olson
        sn: Olson
        uid: ole_wobble
        uidNumber: 3000
        gidNumber: 8
        homeDirectory: /usr/home/postoffice

        dn: uid=ole_wubble,ou=accounts,dc=wibble,dc=net
        objectClass: top
        objectClass: person
        objectClass: posixAccount
        cn: Ole Wubble Olson
        sn: Olson
        uid: ole_wubble
        uidNumber: 3000
        gidNumber: 8
        homeDirectory: /usr/home/postoffice

The expression "dc=wibble,dc=net" should match the suffix setting in slapd.conf. When you copy the block above into a file, strip the display indentation: in LDIF a line that begins with a space is a continuation of the previous line's value, so every "dn:" and attribute line must start in column one.

If you plan to install this by copying it to a file and running ldapadd, you must retain the blank lines above the lines that begin with "dn: ", but remove any other blank lines.

The uidNumber is set to the uid number of the postoffice account. The gidNumber is set to the gid number of the mail group. The homeDirectory is always set to the home directory of the postoffice account, which allows the raw log function to write to that directory. If you don't include the homeDirectory attribute, you will have to apply a patch to Dovecot; the patch is described below, in the Installing Dovecot section. The posixAccount object class requires the uid, cn, uidNumber, gidNumber, and homeDirectory attributes, so entries that use it shouldn't need the patch.

To insert the entries above, save them in a file named wibble.ldif. Run ldapadd from the command line; the -x option selects a simple bind, which the OpenLDAP 2.1 tools don't do by default (without it they attempt a SASL bind first):

        ldapadd -x -W -D "cn=Manager,dc=wibble,dc=net" -f /usr/local/etc/openldap/wibble.ldif

The -D value is the rootdn from slapd.conf; the examples here assume it sits under the dc=wibble,dc=net suffix.
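Before running ldapadd it is worth checking the file against the rules this section depends on. The checker below is an added example, not part of the original page or of OpenLDAP: it flags indented attribute lines (LDIF folds a line that starts with a space into the previous value), a dn without a blank line before it, DNs outside the slapd.conf suffix, an RDN attribute missing from its entry, and missing MUST attributes for the object classes used above. The MUST lists are taken from core.schema, cosine.schema and nis.schema; the two sample LDIF strings are constructed, one an abridged copy of the corrected entries above and one a deliberately broken bind entry.

```python
"""
Added example (not from this page or from OpenLDAP): check an LDIF file
against the layout and schema rules this section relies on, before
handing it to ldapadd.
"""

SUFFIX = "dc=wibble,dc=net"  # must match the suffix line in slapd.conf

# MUST attributes per object class, from core.schema, cosine.schema and
# nis.schema; only the classes used in the example LDIF are listed.
MUST = {
    "dcObject": ["dc"],
    "organization": ["o"],
    "organizationalUnit": ["ou"],
    "person": ["sn", "cn"],
    "posixAccount": ["cn", "uid", "uidNumber", "gidNumber", "homeDirectory"],
    "account": ["uid"],
    "simpleSecurityObject": ["userPassword"],
}
_MUST = {k.lower(): [a.lower() for a in v] for k, v in MUST.items()}


def parse_ldif(text):
    """Split LDIF into entries (dict: lowercased attribute -> list of values).
    Returns (entries, problems); attribute names compare case-insensitively."""
    entries, problems, current = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line[0] in " \t":
            problems.append(f"line {lineno}: indented line is folded into the previous value")
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            problems.append(f"line {lineno}: not an attribute line")
            continue
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            if current is not None:
                problems.append(f"line {lineno}: dn without a blank line before it")
                entries.append(current)
            current = {"dn": [value]}
        elif current is None:
            problems.append(f"line {lineno}: attribute line before any dn")
        else:
            current.setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries, problems


def check_entries(entries, suffix=SUFFIX):
    """The checks slapd's schema checking would otherwise fail at ldapadd time."""
    problems = []
    for entry in entries:
        dn = entry["dn"][0]
        if not dn.lower().endswith(suffix.lower()):
            problems.append(f"{dn}: not under suffix {suffix}")
        rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
        if rdn_value not in entry.get(rdn_attr.lower(), []):
            problems.append(f"{dn}: RDN attribute {rdn_attr} is missing from the entry")
        for oc in entry.get("objectclass", []):
            for attr in _MUST.get(oc.lower(), []):
                if attr not in entry:
                    problems.append(f"{dn}: object class {oc} requires attribute {attr}")
    return problems


def check_ldif(text, suffix=SUFFIX):
    entries, problems = parse_ldif(text)
    return entries, problems + check_entries(entries, suffix)


# Constructed samples: an abridged copy of the corrected LDIF above, and the
# Dovecot bind entry written the way that fails (person class, indented uid).
GOOD_LDIF = """\
# bind account for Dovecot
dn: uid=dovecot,ou=accounts,dc=wibble,dc=net
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: dovecot
userPassword: {CRYPT}*

dn: uid=ole_wobble,ou=accounts,dc=wibble,dc=net
objectClass: top
objectClass: person
objectClass: posixAccount
cn: Ole Wobble Olson
sn: Olson
uid: ole_wobble
uidNumber: 3000
gidNumber: 8
homeDirectory: /usr/home/postoffice
"""

BAD_LDIF = """\
dn: uid=dovecot,ou=accounts,dc=wibble,dc=net
objectClass: top
objectclass: person
  uid: dovecot
sn: dovecot
"""
```

Run check_ldif on the file you intend to feed to ldapadd and fix every reported problem first; slapd reports the same faults one at a time, after a partial import has already happened.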

Returning to slapd.conf, the following will give dovecot read access to the entries in the ou=accounts section, but no write access.

        access to dn.children="ou=accounts,dc=wibble,dc=net"
                by dn="uid=dovecot,ou=accounts,dc=wibble,dc=net" read
                by anonymous auth

This is enough to allow Dovecot to authenticate mail users and itself: "by anonymous auth" lets an unauthenticated connection bind as any entry under ou=accounts, and the implicit "by * none" that ends every access directive denies everyone else for that subtree. Two caveats. First, "read" here includes userPassword, so the dovecot bind account can pull every user's password hash; guard its password (dnpass in dovecot-ldap.conf) accordingly. Second, this directive says nothing about entries outside ou=accounts; rather than relying on slapd's default policy for the rest of the tree, add an explicit rule after it, such as "access to * by * none" (slapd uses the first access directive whose target matches, so order matters). If you do, check that Dovecot can still search: its search base is ou=accounts itself, which dn.children does not cover, so you may need dn.subtree in place of dn.children.

The final step in setting up your LDAP registry is to add the passwords. Every account in the ou=accounts section will need one. Assuming that you've slavishly imitated the example in the Quick Install Guide at the OpenLDAP site and called your LDAP administrator "Manager", you can add passwords from the command line with

        $ ldappasswd -x -W -S -D "cn=Manager,dc=wibble,dc=net" "uid=dovecot,ou=accounts,dc=wibble,dc=net"

for the dovecot user and

        $ ldappasswd -x -W -S -D "cn=Manager,dc=wibble,dc=net" "uid=ole_wobble,ou=accounts,dc=wibble,dc=net"

for mail accounts. The -S option prompts you for the new password, the -W option prompts you for the LDAP Manager password, and -x selects a simple bind. The new password travels to the server in clear text and is hashed there according to the password-hash setting, so run this on the LDAP host itself (or over TLS) rather than across the network.

You can view the finished registry with

        $ ldapsearch -x -LLL -W -D "cn=Manager,dc=wibble,dc=net" -b "dc=wibble,dc=net" "(objectclass=*)"

Bound as Manager this shows everything, userPassword hashes included. Repeating the search bound as uid=dovecot, and then with no -D at all (an anonymous bind), is a quick way to confirm that the access directive above grants exactly what you intended and nothing more.

Installing Dovecot

Again, the simplest approach is the portinstall tool. If you don't include homeDirectory info with your all your LDAP entries, you will need a patch. Download the patch from

To apply the patch, go to /usr/ports/mail/dovecot. If you've previously installed dovecot and still have the work directory, you need to remove it.

        # make distclean

Then you need to recreate the work directory.

        # make patch

Go to the directory containing the file you need to patch.

        # cd /usr/ports/mail/dovecot/work/dovecot-0.99.10/src/auth

Copy auth-no-homedir.patch (the patch file you downloaded) to this directory. Now run patch.

        # patch -p0 < auth-no-homedir.patch

If you get no error messages, you can proceed with the installation. If you do get error messages, you will need to apply the patch by hand. Open auth-no-homedir.patch in a text viewer. The file you need to patch is listed in the first line of auth-no-homedir.patch. Open that file in a text editor in another ttyv or xterm.

The patch file contains two contiguous lines, the first beginning with a "-" and the second beginning with a "+". The first is the line you will delete from the file to be patched, and the second is the line that will replace it; i.e. subtract the "-" line and add the "+" line. Immediately surrounding the two lines are the context lines, three above and three below. Search for the line in the file to be patched that matches the "-" line *and* has the same context lines above and below. When you find this line, delete it and replace it with the "+" line from the patch file (without the leading "+"). Double check that you have deleted only what needs to be deleted and added only what needs to be added; the line numbers in the "@@" header are only a hint, since they shift whenever the surrounding source differs from what the patch was made against. Save the file and close the text editor and text viewer. Delete auth-no-homedir.patch.
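The by-hand procedure above is exactly what patch(1) does when the line numbers are off: find the "-" line by its context and swap in the "+" line. The code below is an added example (not from this page or from Dovecot) that performs that search for a single unified-diff hunk and refuses to apply when the context matches nowhere or in more than one place. SOURCE and PATCH are constructed stand-ins, a hypothetical C fragment and a hypothetical one-line hunk against it; the real auth-no-homedir.patch is not reproduced on this page.

```python
"""
Added example (not from this page or from Dovecot): apply one unified-diff
hunk the way the by-hand procedure describes, by locating the "-" line
together with its context lines instead of trusting the @@ line numbers.
"""


def parse_hunk(patch_text):
    """Return (old_side, new_side) for the first hunk: old_side is what must
    be found in the file (context + "-" lines), new_side is what replaces it
    (context + "+" lines)."""
    old, new, in_hunk = [], [], False
    for line in patch_text.splitlines():
        if not in_hunk:
            in_hunk = line.startswith("@@")   # skip the ---/+++ file headers
            continue
        if line.startswith("@@"):
            break                             # a second hunk is not handled here
        tag, body = line[:1], line[1:]
        if tag == " " or line == "":          # some tools emit bare blank context
            old.append(body)
            new.append(body)
        elif tag == "-":
            old.append(body)
        elif tag == "+":
            new.append(body)
        else:
            raise ValueError("unexpected hunk line: " + line)
    if not in_hunk:
        raise ValueError("no @@ hunk header found")
    return old, new


def _matches(lines, old):
    """Every offset at which the old side matches the file exactly."""
    return [i for i in range(len(lines) - len(old) + 1) if lines[i:i + len(old)] == old]


def hunk_applies(text, patch_text):
    """True only when the context matches in exactly one place."""
    return len(_matches(text.split("\n"), parse_hunk(patch_text)[0])) == 1


def apply_hunk(text, patch_text):
    lines = text.split("\n")
    old, new = parse_hunk(patch_text)
    where = _matches(lines, old)
    if len(where) != 1:
        raise ValueError(f"context matches {len(where)} places, expected exactly 1")
    i = where[0]
    return "\n".join(lines[:i] + new + lines[i + len(old):])


# Constructed stand-ins (hypothetical code and file name, not Dovecot's).
SOURCE = "\n".join([
    "static int fill_user(struct ldap_entry *entry, struct user *user)",
    "{",
    "    const char *home;",
    "",
    "    home = ldap_attr(entry, \"homeDirectory\");",
    "    if (home == NULL)",
    "        return 0;",
    "    user->home = home;",
    "    user->uid = ldap_attr(entry, \"uidNumber\");",
    "    user->gid = ldap_attr(entry, \"gidNumber\");",
    "    return 1;",
    "}",
]) + "\n"

PATCH = "\n".join([
    "--- src/auth/userdb-ldap.c.orig",
    "+++ src/auth/userdb-ldap.c",
    "@@ -3,7 +3,7 @@",
    "     const char *home;",
    " ",
    "     home = ldap_attr(entry, \"homeDirectory\");",
    "-    if (home == NULL)",
    "+    if (home == NULL && !allow_missing_home)",
    "         return 0;",
    "     user->home = home;",
    "     user->uid = ldap_attr(entry, \"uidNumber\");",
]) + "\n"

if __name__ == "__main__":
    print(apply_hunk(SOURCE, PATCH))
```

Applying the same hunk a second time fails, because the "-" line is no longer present; that is the same signal patch(1) gives when a file has already been patched.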

Once you have successfully run patch or patched by hand, return to /usr/ports/mail/dovecot. Open the Makefile in a text editor. Find the line that begins with "CONFIGURE_ARGS+=". If you don't have the following two arguments, add them.

        --with-rawlog --with-ldap

Raw logging isn't necessary, but it can be useful. You have to have the --with-ldap argument to enable Dovecot to work with LDAP.

If you remove support for alternative authentication methods (PAM, PGSQL, etc), you should leave support for passwd. When I was debugging my configuration, I found it helpful to switch between passwd and LDAP authentication. If my setup worked with passwd and not with LDAP, then I knew that I needed to look at Dovecot's LDAP configuration, or at OpenLDAP.

Save your changes to Makefile, and close the editor.

Now you're ready to install.

        # make install

If make completes and registers Dovecot without giving error messages, then your installation was successful.

Configure Dovecot

dovecot-ldap.conf

To start Dovecot automatically when you boot, go to /usr/local/etc/rc.d and copy dovecot.sh.sample to dovecot.sh.

Go to /usr/local/share/doc/dovecot and copy dovecot-ldap.conf to the /usr/local/etc directory. Go to the /usr/local/etc directory and open dovecot-ldap.conf in a text editor. This file will hold the bind password for the dovecot LDAP account in clear text, so make it readable only by root and by the user named in auth_user in dovecot.conf (the account dovecot-auth runs as), and never world-readable.

The first setting is

        hosts = localhost

If Dovecot and OpenLDAP are running on the same machine, then this is fine. If you have OpenLDAP running on a different machine, you will need to set this to the name of the LDAP machine. Remember that the connection then carries the dovecot bind password and every user's password hash across the network, so it belongs on a trusted LAN (or inside TLS) and nowhere else.


        dn = uid=dovecot,ou=accounts,dc=wibble,dc=net

This is set to the Distinguished Name that identifies the Dovecot entry in your LDAP registry.


        dnpass = flop

Set this to the password you assigned dovecot using the ldappasswd command.


        ldap_version = 3

'Nuff said.


        base = ou=accounts,dc=wibble,dc=net

This tells Dovecot where to search in your LDAP registry. Dovecot will search for passwords and UIDs in the entries that fall below ou=accounts in the data hierarchy.


        deref = never

If you are referencing and dereferencing aliases, then you know a lot more about LDAP than I do.


        scope = subtree

This tells Dovecot to search all entries that fall below the base entry. If it were set to "onelevel", Dovecot would search only entries one level below the base entry. If it were set to "base", Dovecot would search only the base entry.


        user_attrs = uid,homeDirectory,,uid,uidNumber,gidNumber

From an e-mail that Timo sent to the list:

    The first uid is the virtual user name that you log in with. For example user@domain.com. The second uid is the system user id which is used to lookup groups from /etc/groups file...You really don't want to have it if you have only virtual users. Two commas mean simply that the value in the middle of them doesn't exist. That'd be the MAIL environment which you can use to override config file's default_mail_env. By default it doesn't exist in LDAP so it's empty.

If you have set up your LDAP registry so that it doesn't supply homeDirectory, uidNumber, and gidNumber (which means that you've applied the homeDirectory patch, you're not using raw logging, you've set default values for uid and gid in this config file, and your LDAP entries don't use the posixAccount object class), you can try the following:

        user_attrs = uid,,,uid,,

I haven't tried it, so I can't promise that it works. If you change the default setting, don't remove any of the commas.


        user_filter = (&(objectClass=posixAccount)(uid=%u))

Specifies which object class an entry must have (posixAccount), and that its uid must equal the user name passed by the mail client; Dovecot substitutes that name for %u before sending the search. Because the name comes straight from the client, any characters with filter meaning in it ("*", "(", ")" and "\") must be escaped before substitution, otherwise a login of "*" turns into the wildcard (uid=*). Test your Dovecot version with a login such as ole* and confirm that it fails rather than matching an account.


        pass_attrs = uid,userPassword

Which attributes to fetch when checking passwords: Dovecot reads the userPassword hash from the entry and verifies the client's password against it itself, which is why the access directive in slapd.conf has to grant the dovecot DN read access to userPassword.


        pass_filter = (&(objectClass=posixAccount)(uid=%u))

The same filter as user_filter, with the same escaping concern, this time for the password lookup.
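To make the escaping point concrete, here is an added example (not Dovecot's code) that expands the user_filter/pass_filter template with a client-supplied login, escapes it as RFC 4515 requires, and evaluates the result against a small in-memory stand-in for the directory. The ENTRIES list is constructed from the LDIF earlier on this page; the evaluator only understands the one filter shape used here and rejects anything else, so it is a demonstration, not an LDAP server. The is_safe_login check is an added suggestion covering the other place %u ends up, the path in default_mail_env.

```python
"""
Added example (not Dovecot's code): expand the user_filter / pass_filter
template from dovecot-ldap.conf with a client-supplied login, escaping it
as RFC 4515 requires, and show with a toy evaluator why a plain string
substitution is unsafe.
"""
import re

# Template exactly as it appears in dovecot-ldap.conf on this page.
USER_FILTER = "(&(objectClass=posixAccount)(uid=%u))"

# RFC 4515: these characters must be written as \XX inside an assertion value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def expand_filter(template, login, escape=True):
    """Substitute %u; escape=False reproduces a naive string replacement."""
    return template.replace("%u", escape_filter_value(login) if escape else login)


# Constructed entries modelled on the LDIF earlier on this page.
ENTRIES = [
    {"uid": "dovecot", "objectClass": {"top", "account", "simpleSecurityObject"}},
    {"uid": "ole_wobble", "objectClass": {"top", "person", "posixAccount"}},
    {"uid": "ole_wubble", "objectClass": {"top", "person", "posixAccount"}},
]

# Only the filter shape used on this page is understood; anything else
# (for instance extra parentheses smuggled in through %u) is rejected.
_FILTER_RE = re.compile(r"^\(&\(objectClass=(\w+)\)\(uid=([^()]*)\)\)$")


def _assertion_to_regex(assertion):
    """LDAP assertion value -> regex: '*' is a wildcard, as a server treats it,
    and a \\XX escape stands for exactly one literal character."""
    out, i = [], 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == "\\" and i + 2 < len(assertion):
            out.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "^" + "".join(out) + "$"


def matching_uids(filter_str):
    """Evaluate an expanded filter against ENTRIES; returns the matching uids."""
    m = _FILTER_RE.match(filter_str)
    if not m:
        raise ValueError("filter not in the expected shape: " + filter_str)
    wanted_class, uid_assertion = m.groups()
    uid_re = re.compile(_assertion_to_regex(uid_assertion))
    return [e["uid"] for e in ENTRIES
            if wanted_class in e["objectClass"] and uid_re.match(e["uid"])]


_SAFE_LOGIN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]*$")


def is_safe_login(login):
    """Added sanity check for the same %u: it also lands in
    default_mail_env = mbox:/var/mail/%u, so refuse anything that could
    name a different directory."""
    return bool(_SAFE_LOGIN.match(login)) and ".." not in login


if __name__ == "__main__":
    for login in ("ole_wobble", "ole*", "*"):
        print(login,
              "raw ->", matching_uids(expand_filter(USER_FILTER, login, escape=False)),
              "escaped ->", matching_uids(expand_filter(USER_FILTER, login)))
```

With the naive substitution a login of "ole*" matches both Olsons and "*" matches every posixAccount; with escaping neither matches anything, which is the behaviour to confirm against your own Dovecot build.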


        default_pass_scheme = CRYPT

If you leave this commented out, Dovecot will automatically detect that OpenLDAP is using CRYPT.


        user_global_uid = 3000

This provides a default UID number for LDAP entries that lack the uidNumber attribute. If you use the posixAccount object class in your LDAP registry, you can't enter data for an account without providing a uidNumber and gidNumber, so this and the next setting aren't necessary.


        user_global_gid = 8

dovecot.conf

While still in /usr/local/etc, open dovecot.conf in a text editor.

        base_dir = /var/dovecot/

This was created for you during installation.


        protocols = imap

You can add other protocols if you want. This setup only uses IMAP.


        imap_listen = *:143

You don't need to specify port 143; I just like to be specific. According to the documentation, * causes Dovecot to listen on all available IP4 interfaces. If your IMAP box is also your Internet gateway, and you're not offering mail services externally, then you probably don't want that. You can specify your LAN interface and Dovecot will continue to listen at localhost. If your host name isn't exposed externally, then you can use

        imap_listen = wibblemailhost:143

Otherwise use

        imap_listen = 192.168.15.23:143


        ssl_disable = yes

If you have this set to yes, you can ignore the SSL settings that follow in dovecot.conf. Be clear about what you are giving up: with SSL disabled and auth_mechanisms = plain (below), every client sends its password in clear text on port 143, which is only acceptable on the trusted LAN that the imap_listen setting above confines Dovecot to. If any client reaches the server over an untrusted network, set this to no and configure the SSL settings instead.


        login_dir = /var/dovecot/login
        login_chroot = yes
        login = imap
        login_executable = /usr/local/libexec/dovecot/imap-login
        login_user = dovecot
        verbose_proctitle = yes

The above are all part of the default conf file.


        first_valid_uid = 3000
        last_valid_uid = 3000

If you are assigning the postoffice UID number to all mail accounts, you can restrict access to only that UID number.


        first_valid_gid = 8
        last_valid_gid = 8

Since all mail accounts are assigned the mail group's number...


        valid_chroot_dirs = /var/mail

Another default conf file setting.


        default_mail_env = mbox:/var/mail/%u

or

        default_mail_env = maildir:/var/mail/%u

This tells Dovecot where the mail for a given account is located. Dovecot replaces "%u" with the account name. For the two user accounts in the LDIF data hierarchy given above, "%u" would expand to ole_wobble and ole_wubble. Note that %u is the same client-supplied login that went into user_filter, now used as a path component under /var/mail, so the login name must never be able to carry a "/" or ".."; a name that matches no LDAP uid never gets this far, which is one more reason to keep the LDAP filter strict.


        client_workarounds = oe6-fetch-no-newmail outlook-idle

We don't use Outlook or Outlook Express. However, someone may decide to use an MS mail client in the future, and leaving this in place does no harm.


        mail_save_crlf = yes

My IMAP box really doesn't work very hard, so I don't think it matters how this is set. If your mail server gets hammered regularly, you may want to play with this and see if it makes a difference in speed.


        maildir_copy_with_hardlinks = yes

"yes" is supposed to be faster. See the comments in the config file for the tradeoffs.


        mbox_locks = fcntl

I also tried flock and dotlock, and they work on FreeBSD. This is the preferred setting, if it works on your system.


        imap_executable = /usr/local/libexec/dovecot/imap
        auth = default

More default conf file settings.


        auth_mechanisms = plain

"plain" seems more likely to work under more circumstances.


        auth_userdb = ldap /usr/local/etc/dovecot-ldap.conf
        auth_passdb = ldap /usr/local/etc/dovecot-ldap.conf

If you need to switch to passwd authentication for testing, change this to

        auth_userdb = passwd
        auth_passdb = passwd /etc/master.passwd

The comments in dovecot.conf make it look like there's supposed to be a colon in there, but this is the correct form.


        auth_executable = /usr/local/libexec/dovecot/dovecot-auth

More default conf file settings.


        auth_user = dovecot-auth

If you need to switch to passwd authentication for testing, change this to

        auth_user = root

Root is needed only because /etc/master.passwd is readable by root alone; switch back to the unprivileged dovecot-auth user as soon as you return to LDAP.


        auth_verbose = yes

If you have to debug your configuration, you'll want as much information as possible.

HowTo/DovecotOpenLdap (last edited 2009-06-20 22:15:41 by PascalVolk)