Full dovecot installation

SME Server uses a quite specific dovecot setup, where only the dovecot imap binary is called. The authentication is done via imap-front-auth (which uses cvm-unix), then imap-frontauth calls the imap binary. SSL handling is done using sslio.

I've started this project because dovecot can offer much more than what we're currently using on SME Server. For example:

• Sieve scripts support
• Manage Sieve daemon (which handle sieve scripts updates from the clients)
• Master users (special users which can log with their own credentials as any other user)
• Shared mailboxes, and IMAP ACL
• Extended logging (each mail action can be logged)
• Quota indication

This page explains what the status of the project, and how to test it.

This project is simply a new package called smeserver-dovecot, which is a complete drop-in replacement for the actual e-smith-imap. It requires dovecot 2. All the features which was available with e-smith-imap are also available, plus some extra

Most of the extra features are design to work with SOGo but I'm sure at least some of them can be used with other mail clients (horde ?)

This project is in beta stage. We're using it on about 10 production servers (the biggest one handle about 120 users) since several years now, and we have no issue.

The current package brings the following new features. Some of these features are not enabled on a default installations, but can be enabled really easily

• Quota report: if a user has a quota defined, it'll be available to IMAP clients which support it. (default to enabled). More info on this feature here: http://wiki2.dovecot.org/Quota/FS
• Full text indexing: this feature allows dovecot to create full text indexes, which will make subsequent searches (TEXT and BODY) much, much faster. The downside is that it'll take extra space on the hard drive, and consume more memory and CPU (default is disabled). More info on this feature here: http://wiki2.dovecot.org/Plugins/FTS/Squat
• Master user: if enabled, the admin user will be able to login on the IMAP server as any user. For example, use user1*admin as login, and the admin password as password, and you'll get access to user1 emails. This can be usefull if the admin wants to troobleshoot something in the mailboxe, or need to copy some folder from one mailbox to another. The default config disables this feature. More information here: http://wiki2.dovecot.org/Authentication/MasterUsers
• Shared Mailboxes and IMAP ACL: this feature enables sharing of mail folders between users using IMAP ACL. See http://wiki2.dovecot.org/ACL and http://wiki2.dovecot.org/SharedMailboxes
• Extra logging: The default dovecot log level is appropriate for high trafic installation: only most important actions are logged: daemon startup, config reload, user login and logout. With this feature, you can trace IMAP activity for each user (when mails are opened, deleted, copied, flag changed etc…). See http://wiki2.dovecot.org/Plugins/MailLog
• Sieve scripts and manage sieve daemon: this feature adds sieve scripts support. Sieve is a script language for server side mail processing when mails arrive in your mailbox. With this, you can create filters, reject mails with a custom message, configure a vacation message, forward some mails etc…. These features are often also available on mail clients (Outlook, Thunderbird, Evolution etc…) but the advantage of using sieve is that everything is processed on server side, as soon as the mail arrive in your INBOX, which means everything will work even if your client is not running. See http://wiki2.dovecot.org/Pigeonhole

To install this, you need to configure three repositories: atrpms, atrpms-testing (in which we can find dovecot 2) and our testing repository (which contains smeserver-dovecot)

db yum_repositories set fws-testing repository \
BaseURL http://repo.firewall-services.com/centos-testing/\$releasever \
EnableGroups no GPGCheck yes \
Name "Firewall Services Testing" \
GPGKey http://repo.firewall-services.com/RPM-GPG-KEY \
Visible yes status disabled
 
db yum_repositories set atrpms-testing repository \
BaseURL 'http://dl.atrpms.net/el$releasever-$basearch/atrpms/testing' \
EnableGroups yes \
GPGCheck yes \
GPGKey http://packages.atrpms.net/RPM-GPG-KEY.atrpms \
Name ATrpms \
Visible no \
status disabled \
IncludePkgs 'dovecot-pigeonhole,dovecot-managesieve,dovecot' \
Priority 9
 
/sbin/e-smith/db yum_repositories set atrpms repository \
Name 'atrpms - EL5' \
BaseURL 'http://dl.atrpms.net/el$releasever-$basearch/atrpms/stable' \
EnableGroups no \
GPGCheck yes \
GPGKey http://ATrpms.net/RPM-GPG-KEY.atrpms \
Visible no \
Exclude clamav,spamassassin,libselinux,perl-HTML-Parser,lm_sensors,\
perl-IO-stringy,perl-XML-Parser,razor-agents,libgcrypt,rpm-python,\
libxml2,zlib,gnupg,libxml2-python,yum,module-init-tools,rpm,gettext,\
librpm4,glib2,perl-libwww-perl,perl-Convert-ASN1,beecrypt,fetchmail,\
libacl,libtool-ltdl,popt,libgpg-error,freetype,perl-MIME-tools,mutt,\
gd,perl-TimeDate,librpm4.4,dovecot \
status disabled
signal-event yum-modify

db yum_repositories set atrpms-testing-dovecot repository \
Name 'atrpms testing - EL5 - dovecot' \
BaseURL 'http://dl.atrpms.net/el$releasever-$basearch/atrpms/testing' \
EnableGroups no \
GPGCheck yes \
GPGKey http://ATrpms.net/RPM-GPG-KEY.atrpms \
Visible no \
Priority 8 \
IncludePkgs dovecot-managesieve,dovecot-pigeonhole,dovecot \
status enabled
 
signal-event yum-modify

Then, you can install smeserver-dovecot:

yum --enablerepo=fws-testing --enablerepo=atrpms-testing --enablerepo=atrpms install smeserver-dovecot

You also need to mount the filesystem where /home/e-smith/files/users is stored with the acl option (it will be usually / or /home/e-smith/files if you used the sme multipart install option). To do so, just edit the file /etc/fstab, and add acl after the usrquota,grpquota, for example:

#------------------------------------------------------------
# BE CAREFUL WHEN MODIFYING THIS FILE! It is updated automatically
# by the SME server software. A few entries are updated during
# the template processing of the file and white space is removed,
# but otherwise changes to the file are preserved.
# For more information, see http://www.e-smith.org/custom/ and
# the template fragments in /etc/e-smith/templates/etc/fstab/.
# 
# copyright (C) 2002 Mitel Networks Corporation
#------------------------------------------------------------
/dev/main/root          /                       ext3    usrquota,grpquota        1 1
/dev/md1                /boot                   ext3    defaults        1 2
/dev/main/tmp           /tmp                    ext3    usrquota,grpquota        1 2
/dev/main/files         /home/e-smith/files     ext3    usrquota,grpquota,acl        1 2
/dev/main/var           /var                    ext3    usrquota,grpquota        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/main/swap          swap                    swap    defaults        0 0

This should already be the case if you have installed the smeserver-shared-folders contrib.

Now, you can restart your server

signal-event post-upgrade
signal-event reboot

With smeserver-dovecot installed, 4 services in the configuration DB are used

• imap and imaps are used to be backward compatible with e-smith-imap (and are used to control the TCPPort of the service, and if it's accessible from local network or from the internet)
  • There's a new prop for the imap service: AllowPlainText. It can be enabled or disabled (default to enabled for backward compatibility), and if set to disabled, dovecot will still listen on port 143, but will only accept TLS connexions, even from the local networks
• dovecot is now the main service entry in the configuration DB. It's used to control various optional features of dovecot
• sieve is used to control the managesieve service. Set the status of this service to disabled if you don't want to use the managesieve service

Here are the differents DB key to configure dovecot:

• AdminIsMaster (enabled|disabled, default is disabled): if enabled, the admin user will be a master user, and will be able to login as any user. To do so use user1*admin as login and the admin password to log as user1
• FullTextIndexing (enabled|disabled, default is disabled): will turn on or off the full text indexing. When this option is enabled, a first search in an IMAP folder will trigger indexation. Next searches will be much faster. Read this page before enabling this option
• LogActions (enabled|disabled, default is disabled): will turn on or off extra logging (flag change, move, copy etc…). !! Warning !!: enabling this can generate a huge amount of logs
• Quotas (enabled|disabled, default is enabled): will report the actual used space and the remaining one if the user has a quota limit
• SharedMailbox (enabled|disabled, default is disabled): will turn on or off shared mailbox and IMAP ACL support

After you've configured the prop like you want, just run

signal-event email-update

To apply the new settings

When Sieve is enabled, dovecot-lda is used to deliver mail in mailboxes (so it can apply sieve scripts) instead of qmail. Dovecot-lda is more ressources intensives than qmail, so you may have performance penalty when users receive a lot of mails (for example, when you use the Bcc qpsmtpd's plugin to copy every mail in one mailbox). You can selectivly disable dovecot-lda for some users, for example, to disable dovecot-lda for user maillog:

db accounts setprop maillog Sieve disabled
signal-event email-update

This will let qmail handle mail delivery for this user.

ShareMailbox is an important feature for us (and our customers).

To enable it:

db configuration setprop dovecot SharedMailbox enabled
signal-event email-update

When this feature is enabled, a special group named sharedmailbox (automatically created during install) will have:

• x permission on each user home (/home/e-smith/files/users/username) in order to access the Maildir folder (but it won't have any permission to read something else, like the home sub-folder)
• Full read / write access to the Maildir for everyone

This special group is empty (no member), so this has limited impact on the security of the server. Just be sure to never add any user in this group. (It's a system group, and won't appear in the server-manager, so you cannot add members easily).

When a user access its mailbox through the IMAP server, dovecot spawn a new process with the standard user privileges, plus the sharedmailbox group. So basically a user is member of this special group only through dovecot. This configuration allows shared mailbox at the filesystem level. Effective permissions between differents users are enforced by IMAP ACL extension. You need a client which support this (tested with SOGo and Thunderbird using this extension ).

Once enabled, you can grant different access level (read, post, delete, change flags, create sub folders etc.) to other users, or group of users on your IMAP folders.

To enable all these features with SOGo, you need to modify it's configuration. Here're the configuration to change (you need to create a custom template) in /home/sogo/GNUstep/Defaults/.GNUstepDefaults:

    SOGoSieveServer = "sieve://localhost:4190";
    SOGoVacationEnabled = YES;
    SOGoForwardEnabled = YES;
    SOGoSieveScriptsEnabled = YES;

Here's the snippet I've added in the template to conditionnally enable all this:

{
    if (($sieve{'status'} || 'disabled') eq 'enabled'){
        my $sieveport = $sieve{'TCPPort'} || '4190';
        $OUT .=<<"HERE";
        SOGoSieveServer = "sieve://localhost:$sieveport";
        SOGoVacationEnabled = YES;
        SOGoForwardEnabled = YES;
        SOGoSieveScriptsEnabled = YES;
HERE
    }
}

Then, just expand /home/sogo/GNUstep/Defaults/.GNUstepDefaults and restart SOGo, now you should have access to all these extra features

Here're some screenshots of SOGo showing some of these features: