MoonPoint Support Logo

 


Shop Amazon Warehouse Deals - Deep Discounts on Open-box and Used ProductsAmazon Warehouse Deals



Advanced Search
May
Sun Mon Tue Wed Thu Fri Sat
       
4
2008
Months
May


Sun, May 04, 2008 11:11 pm

Configuring Dovecot

I needed to provide POP3 email service on a CentOS system. The default POP server under Red Hat Enterprise Linux is /usr/lib/cyrus-imapd/pop3d and is provided by the cyrus-imapd package. But that package was not installed on the system. Another IMAP and POP3 package available for CentOS systems is Dovecot, which provies an open source IMAP and POP3 server for Linux/UNIX-like systems. I checked to see if dovecot was installed with rpm -qi dovecot. It was. I then checked on whether it was active. It was not.

# chkconfig --list dovecot
dovecot         0:off   1:off   2:off   3:off   4:off   5:off   6:off

I turned it on so that it would be operational after the next reboot with chkconfig dovecot on.

# chkconfig dovecot on
[root@frostdragon ~]# chkconfig --list dovecot
dovecot         0:off   1:off   2:on    3:on    4:on    5:on    6:off

I then started the service with service dovecot start.

# service dovecot start
Starting Dovecot Imap:                                     [  OK  ]

I could then see that the system was listening on the imap, imaps, pop3, and pop3s ports.

# netstat -a | grep imap
tcp        0      0 *:imaps                     *:*                         LISTEN
tcp        0      0 *:imap                      *:*                         LISTEN
[root@frostdragon archive]# netstat -a | grep pop3
tcp        0      0 *:pop3s                     *:*                         LISTEN
tcp        0      0 *:pop3                      *:*                         LISTEN

Dovecot can be configured to handle mailboxes for system users, i.e. for accounts on the system or for virtual users. Since the majority of people who would be using the server for email would have no need to log into the system and since I wanted to be able to have john@example.com and john@anotherexample.com, I chose to configure Dovecot for virtual users.

The Dovecot Wiki has this to say about usernames and domains:

Usernames and domains

Dovecot doesn't care much about domains in usernames. IMAP and POP3 protocols currently have no concept of "domain", so the username is just something that shows up in your logs and maybe in some configuration, but they have no direct functionality.

So although Dovecot makes it easier to handle "user@domain" style usernames (eg. %n and %d variables), nothing breaks if you use for example "domain%user" style usernames instead. However some authentication mechanisms do have an explicit support for realms (pretty much the same as domains). If those mechanisms are used, the username is changed to be "user@realm".

And of course there's no need to have domains at all in the usernames.

I followed the instructions in Simple Virtual User Installation. I didn't need to create a dovecot user, since one already existed in /etc/passwd. I did need to create a vmail user account and group, which is used to access the mail for all users.

# grep dovecot /etc/passwd
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
# useradd -u 103 -c Dovecot vmail

The above useradd command created the vmail user and group and automatically created a /home/vmail directory owned by vmail:vmail, under which the email for all users is stored. [Note: you may want to use a UID greater than 500 rather than 103 as in the example above to avoid the problem noted below where the dovecot configuration file by default only permits a UID greater than 500]

I created /var/log/dovecot.log and /var/log/dovecot-info.log and changed the owner and group for those files to vmail.

# touch /var/log/dovecot.log /var/log/dovecot-info.log
# chown vmail /var/log/dove*; chgrp vmail /var/log/dove*;

I then edited /etc/dovecot.conf and changed the settings for the log files.

Original

# Use this logfile instead of syslog(). /dev/stderr can be used if you want to
# use stderr for logging (ONLY /dev/stderr - otherwise it is closed).
#log_path =

# For informational messages, use this logfile instead of the default
#info_log_path =

Modified

# Use this logfile instead of syslog(). /dev/stderr can be used if you want to
# use stderr for logging (ONLY /dev/stderr - otherwise it is closed).
log_path =  /var/log/dovecot.log

# For informational messages, use this logfile 
info_log_path = /var/log/dovecot-info.log

The default line in /etc/dovecot.conf for plaintext authentication is as follows:

#disable_plaintext_auth = no

Since disable_plaintext_auth has a default value of "no", I didn't have to uncomment that line.

I created a directory for the dovecot password file with mkdir /etc/dovecot and then set up a password file in /etc/dovecot/passwd. I changed the protection on the file with chmod 600 /etc/dovecot/passwd, so that only root would have access, since I don't want others with accounts on the system to be able to read the contents of the file. I created entries in the passwd file with entries like the following:

jdoe@example.com:{PLAIN}HerPassword

I then modified the checkpassword section of /etc/dovecot.conf

Original

  # checkpassword executable authentication
  # NOTE: You will probably want to use "userdb prefetch" with this.
  # http://wiki.dovecot.org/PasswordDatabase/CheckPassword
  #passdb checkpassword {
    # Path for checkpassword binary
    #args =
  #}

Modified

  # passwd-like file with specified location
  # http://wiki.dovecot.org/AuthDatabase/PasswdFile
  passdb passwd-file {
    # Path for passwd-file
    args = /etc/dovecot/passwd
  }

I then restarted dovecot with service dovecot restart. I then tested dovecot by using telnet to connect to port 110, the pop3 port, on the system. I could connect to port 110, but didn't get any response to the user and pass commands. I looked in /var/log/dovecot and saw the following errors recorded:

dovecot: May 04 13:35:26 Error: Temporary failure in creating login processes, slowing down for now
dovecot: May 04 13:35:26 Error: imap-login: imap-login: error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Cannot allocate memory
dovecot: May 04 13:35:26 Error: imap-login: imap-login: error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Cannot allocate memory
dovecot: May 04 13:35:26 Error: pop3-login: pop3-login: error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Cannot allocate memory
dovecot: May 04 13:35:26 Error: pop3-login: pop3-login: error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Cannot allocate memory
dovecot: May 04 13:35:26 Error: pop3-login: pop3-login: error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Cannot allocate memory
dovecot: May 04 13:35:26 Error: child 30454 (login) returned error 127
dovecot: May 04 13:35:26 Error: child 30455 (login) returned error 127

At Redhat Dovecot error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Cannot allocate memory, I found a suggestion to edit /etc/dovecot.conf and modify the login_processes_size line so that it is login_process_size = 64. The writer states on that webpage that "This error is not related to shared libraries. You need to set maximum process size in megabytes. If you don't use login_process_per_connection you might need to grow this."

When I looked in /etc/dovecot.conf, I saw the following line:

#login_process_size = 32

I removed the "#" and changed the line to login_process_size = 64 . I then restarted dovecot with service dovecot restart. I no longer saw the error messages in the /var/log/dovecot.log file.

When I again checked email for accounts by using telnet 127.0.0.1 110, I was able to check an account, jsmith, listed in /etc/passwd, but not the jdoe@example.com account listed in the /etc/dovecot/passwd file I created.

# telnet 127.0.0.1 110
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
+OK Dovecot ready.
user jdoe@example.com
+OK
pass HerPassword
-ERR [IN-USE] Internal login failure. Refer to server log for more information.
Connection closed by foreign host.
[root@frostdragon log]# telnet 127.0.0.1 110
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
+OK Dovecot ready.
user jsmith
+OK
pass HisPassword
+OK Logged in.
stat
+OK 0 0
quit
+OK Logging out.
Connection closed by foreign host.

When I looked in /etc/dovecot.conf, I saw dovecot: May 04 14:03:20 Error: auth(default): userdb(jdoe@example.com,::ffff:127.0.0.1): user not found from userdb.

I then realized I also needed to modify the "userdb static" section of /etc/dovecot.conf. I made the following changes:

Original

  # static settings generated from template
  # http://wiki.dovecot.org/UserDatabase/Static
  #userdb static {
    # Template for the fields. Can return anything a userdb could normally
    # return. For example:
    #
    #  args = uid=500 gid=500 home=/var/mail/%u
    #
    #args =
  #}

Modified

  # static settings generated from template
  # http://wiki.dovecot.org/UserDatabase/Static
  userdb static {
    # Template for the fields. Can return anything a userdb could normally
    # return. For example:
    #
    #  args = uid=500 gid=500 home=/var/mail/%u
    #
    args = uid=vmail gid=vmail home=/home/vmail/%u
  }

I then restarted dovecot with service dovecot restart. But I still couldn't check email for the virtual user account jdoe@example.com. In the /var/log/dovecot.log file, I saw dovecot: May 04 14:34:19 Error: Logins with UID 103 (user jdoe@example.com) not permitted (see first_valid_uid in config file)

When I checkd the /etc/dovecot.conf, I found the following:

# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
#first_valid_uid = 500
#last_valid_uid = 0

I then realized, since I created the vmail account with a UID of 103, that the dovecot configuration file was preventing a login for it, because it was less than 500. I could have changed the first_valid_uid value in dovecot.conf, but I decided to delete the vmail account and its associated home directory and then recreate it with a UID greater than 500. I then restarted dovecot

# userdel vmail
# rm -rf /home/vmail
# useradd -u 502 -c "Dovecot Virtual Users" vmail 
# service dovecot restart

I was then able to check email for both user accounts on the system and virtual user accounts. I saw that dovecot created a /home/vmail/jdoe@example.com directory under /home/vmail.

At this point, though I could login to the POP3 port, port 110, and get dovecot to accept the userid and password for a virtual user, sendmail would return a "user unknow" message, if I tried to send email to a virtual user, because sendmail knew nothing about the dovecot virtual users. So using the instructions in Dovecot LDA with Sendmail as a starting point, I took the steps below.

I created the file /usr/share/sendmail-cf/mailer/dovecot.m4 and put the lines below in it:

######################*****##############
###   DOVECOT Mailer specification                              ###
##################*****##################
Mdovecot,   P=/usr/local/libexec/dovecot/deliver, F=DFMPhnu9,
                 S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP/HdrFromSMTP,
                 T=DNS/RFC822/X-Unix,
                 A=deliver -d $u

In /etc/mail/sendmail.mc, I had the following two lines:

MAILER(smtp)dnl
MAILER(procmail)dnl

I added MAILER(dovecot)dnl after those two lines. I then regenerated the sendmail.cf file using the m4 command.

# m4 /etc/mail/sendmail.mc > /etc/mailsendmail.cf

Unfortunately, that did not resolve the issue with virtual users. I still haven't been able to get that working.

References:

  1. Chapter 23. Email
    CentOS
  2. Basic Configuration
    Dovecot Wiki
  3. Virtual Users
    Dovecot Wiki
  4. Simple Virtual User Installation
    Dovecot Wiki
  5. Passwd-file
    Dovecot Wiki
  6. Redhat Dovecot error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Cannot allocate memory
    nixCraft Insight Into Linux Admin Work
  7. Dovecot LDA with Sendmail
    Dovecot Wiki

[/network/email/dovecot] permanent link

Sun, May 04, 2008 6:39 pm

Adding a New VIP Service to a NetScreen Firewall

To add a new Virtual IP (VIP) service to a NetScreen firewall, such as the NetScreen-5GT, through the Web management user interface (WebUI) for the firewall, take the following steps:
  1. Login into the firewall using a web browser.
  2. Click on Network.
  3. Click on Interfaces.
  4. For the Untrust interface, click on Edit.
  5. In the Properties line at the top of the webpage, you will see VIP. Click on VIP.
  6. If you see an Add/Modify VIP Entry field with no VIP services listed beneath it, select "Same as the untrusted interface IP address" and click on Add, otherwise proceed to the next step.
  7. Click on the New VIP Service button
  8. The Virtual IP field should show the IP address for the Untrust interface. Put the appropriate value in the Virtual Port field, e.g. 110 for POP3. Select the appropriate service for the Map to Service field, e.g "POP3(110)" for POP3. For the Map to IP value, put in the IP address for the internal server for which you want to provide access to this service, e.g. 192.168.10.24, if that was the IP address for the POP3 server behind the firewall.
  9. Click on the OK button.

Once the VIP service is configured, you need to set up a new firewall rule, aka policy, to permit traffic from the outside of the firewall through to the inside for this new service.

To do so, take the following steps:

  1. Click on Policies at the left side of the webpage.
  2. For the From field, select "Untrust" and select "Trust" for the To field.
  3. Click on the New button.
  4. On the next webpage, put a name of your choosing in the Name field, e.g. POP3 for a POP3 service. You don't need to change the Source Address, but for the Destination Address, select "VIP(untrust)" from Address Book Entry for the Desinstion Address. For Service, you can select "POP3" for this example.
  5. If you want logging turned on for this policy, check Logging.
  6. If you want "counting" turned on for this policy, click on the Advanced button and then check the Counting checkbox then click on the OK button.

[/security/firewalls/netscreen] permanent link

Sun, May 04, 2008 5:07 pm

Configuring Sendmail to Handle Email for Multiple Domains

If you need sendmail to handle email for alternate domain names, you can add those domain names to /etc/mail/local-host-names. E.g., suppose the server on which sendmail is running is someexample.com. Sendmail will accept email addresses to someone@someexample.com, but would reject email for someone@example.com. But, if you want sendmail to also handle email for example.com addresses, e.g. you are going to have the server act as an Mail exchanger (MX) server for example.com, you would add example.com to /etc/local-host-names:
# local-host-names - include all aliases for your machine here.
example.com

Then create the local-host-names.db file with makemap hash /etc/mail/local-host-names < /etc/mail/local-host-names . When you restart sendmail, which you can do with /etc/init.d/sendmail restart, sendmail will then accept email for example.com addresses.

Be aware that if you have an account jsmith which previously would receive email addressed to jsmith@someexample.com, that email addressed to jsmith@example.com will now go there as well.

[/network/email/sendmail] permanent link

Once You Know, You Newegg AliExpress by Alibaba.com

Shop Amazon Local - Subscribe to Deals in Your Neighborhood

Valid HTML 4.01 Transitional

Privacy Policy   Contact

Blosxom logo