Blame
Date:
Mon Jan 23 05:00:25 2023 UTC
Message:
Daily backup
01
2023-01-22
jrmu
version=pmwiki-2.2.130 ordered=1 urlencoded=1
agent=Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
author=forero
charset=UTF-8
csum=comment out
ctime=1621334182
host=181.53.13.19
name=Dovecot.Install
rev=16
targets=Openbsd.Loginconf,Openbsd.Rcctl
text=Let's set up dovecot to allow users to read mail with IMAP and POP.

!! Installation

[@
$ doas pkg_add dovecot
@]

!! Configuration

A single user vmail will receive mail for all virtual users:

[@
$ doas useradd -m -g =uid -c "Virtual Mail" -d /var/vmail -s /sbin/nologin vmail
@]

/var/vmail will be used to store virtual users' maildir folders. It will be managed by
dovecot, which receives mail via LMTP.

To keep the password hashes in /etc/mail/passwd private, remove world-readable
permissions from /etc/mail and change its ownership so that dovecot can still read it:

[@
$ doas chmod -R o-rx /etc/mail/
$ doas chown -R _smtpd:_dovecot /etc/mail/
@]

In /etc/dovecot/dovecot.conf, add the following lines at the bottom of the file:

[@
protocols = imap pop3 lmtp
listen = 192.168.0.1, 2001:db8::
service lmtp {
 user = vmail
}
@]

This tells dovecot to listen for the protocols IMAP, POP3, and LMTP.
'''Note''': We don't want to support submission with dovecot.

The listen line gives the addresses dovecot should listen on; replace 192.168.0.1 and
2001:db8:: with your own public IPv4 and IPv6 addresses. Finally, the service lmtp
block runs the LMTP service as the user vmail.

To aid with troubleshooting, you can consider adding these lines:

[@
auth_verbose=yes
auth_debug=yes
auth_debug_passwords=yes
mail_debug=yes
auth_verbose_passwords=sha1
verbose_ssl=yes
@]

'''NOTE''': auth_debug_passwords and auth_verbose_passwords write the password of every failed login attempt to /var/log/maillog (in plaintext for auth_debug_passwords, as a SHA1 digest for auth_verbose_passwords=sha1). Comment these lines out again once you are done troubleshooting.

In /etc/dovecot/conf.d/10-auth.conf, first comment out the include of auth-system.conf.ext:

[@
#!include auth-system.conf.ext
@]

This prevents dovecot from using BSD auth (the system accounts); only the passdb defined below will be consulted.

Then at the bottom of the file, add these lines:

[@
passdb {
 args = scheme=blf-crypt /etc/mail/passwd
 driver = passwd-file
}

userdb {
 args = uid=vmail gid=vmail home=/var/vmail/%d/%n
 driver = static
}
@]

The first block points the password database at /etc/mail/passwd, whose hashes use the blowfish scheme blf-crypt (see [[https://man.openbsd.org/blowfish|blowfish(3)]] and [[https://man.openbsd.org/encrypt|encrypt(1)]]).

The second block says that all mail is accessed as user and group vmail, and
that each user's home directory is /var/vmail/<domain>/<username>.

In /etc/dovecot/conf.d/10-mail.conf:

[@
mail_location = maildir:/var/vmail/%d/%n/Maildir
@]

This again places each user's mail in /var/vmail/<domain>/<username>, in its Maildir subfolder.

In /etc/dovecot/conf.d/10-ssl.conf, change these lines:

[@
ssl = yes
...
ssl_cert = </etc/ssl/example.com.fullchain.pem
ssl_key = </etc/ssl/private/example.com.key
@]

You will need to replace example.com with your real domain.

Please read the instructions in the dovecot README in @@/usr/local/share/doc/pkg-readmes/dovecot@@. That file explains that you must add this [[openbsd/loginconf|login class]] to /etc/login.conf:

[@
dovecot:\
	:openfiles-cur=4096:\
	:openfiles-max=8192:\
	:tc=daemon:
@]

'''WARNING''': You must use tabs and not spaces. If you use spaces in /etc/login.conf, the settings will '''not''' work.

'''NOTE''': Allowing more open files than suggested in the README can help if you have many IP addresses.

'''WARNING''': If login.conf.db exists, you will need to rebuild it:

[@
# [ -f /etc/login.conf.db ] && cap_mkdb /etc/login.conf
@]

But it is best to just remove /etc/login.conf.db since it is not required:

[@
$ doas rm /etc/login.conf.db
@]

!! Starting dovecot

To start dovecot via [[openbsd/rcctl|rcctl]]:

[@
$ doas rcctl enable dovecot
$ doas rcctl start dovecot
@]

!! Troubleshooting

Always check /var/log/maillog first. To test that IMAP with STARTTLS is reachable, connect with openssl (replace the hostname with your own server):

[@
$ openssl s_client -starttls imap -connect username.coconut.ircnow.org:143
@]

When starting dovecot, you may find it fails:

[@
$ doas rcctl start dovecot
dovecot(failed)
@]

When this happens, run the rc.d script with debugging turned on:

[@
$ doas /etc/rc.d/dovecot -d start
doing _rc_parse_conf
doing _rc_quirks
dovecot_flags empty, using default ><
doing rc_check
dovecot
doing rc_start
doing _rc_wait start
doing rc_check
doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 12: ssl_cert: Can't open file /etc/ssl/dovecotcert.pem: No such file or directory
doing _rc_rm_runfile
(failed)
@]

In this case, you can see the error is in line 12 of /etc/dovecot/conf.d/10-ssl.conf. I forgot to write the real path of the cert: @@/etc/ssl/example.com.fullchain.pem@@ (where example.com is replaced with my real domain).

If you see errors like the following in /var/log/maillog, the _dovecot user cannot read /etc/mail/passwd: /etc/mail is mode 0750 and owned by group _mail, which _dovecot is not a member of. The chmod and chown step in the Configuration section fixes this.

[@
Jun 9 01:37:35 jrmu dovecot: auth: Error: passwd-file(jrmu@jrmu.host.oddprotocol.org,125.231.25.80,<aiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)
Jun 9 01:37:41 jrmu dovecot: auth: Error: passwd-file(jrmu@jrmu.host.oddprotocol.org,125.231.25.80,<aiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)
@]
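The procedure above leaves several settings that are easy to get wrong before the daemon is started. As an added example, not from the wiki page or the IRCNow project, this script parses Dovecot's config syntax and flags what this page cares about: TLS enabled with cert and key, passwords hashed with blf-crypt from /etc/mail/passwd, BSD auth disabled, submission left off, and the password-logging debug switches turned back off; the sample config is constructed from the tutorial's own fragments.

```python
# Constructed sample (not from a real host): the tutorial's dovecot.conf and
# conf.d fragments joined together, with the debugging lines still switched on.
SAMPLE = """\
protocols = imap pop3 lmtp
auth_debug_passwords=yes
auth_verbose_passwords=sha1
#!include auth-system.conf.ext
passdb {
 args = scheme=blf-crypt /etc/mail/passwd
 driver = passwd-file
}
ssl = yes
ssl_cert = </etc/ssl/example.com.fullchain.pem
ssl_key = </etc/ssl/private/example.com.key
"""

def parse(text):
    """Parse Dovecot's `key = value` and `name { ... }` syntax (one nesting level) into
    (settings, sections, includes); commented-out lines like `#!include ...` are skipped."""
    settings, sections, includes, current = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!include"):
            includes.append(line.split(None, 1)[1])
        elif line == "}":
            current = None
        elif line.endswith("{"):
            current = sections.setdefault(line[:-1].strip(), {})
        else:
            key, _, value = line.partition("=")
            (settings if current is None else current)[key.strip()] = value.strip()
    return settings, sections, includes

def audit(text):
    """Return a list of findings; an empty list means the config passes these checks."""
    s, sec, inc = parse(text)
    findings = []
    if s.get("ssl") not in ("yes", "required"):
        findings.append("ssl is not enabled")
    for k in ("ssl_cert", "ssl_key"):
        if not s.get(k, "").startswith("<"):  # Dovecot only reads a file with the < prefix
            findings.append(f"{k} does not point at a file")
    if "submission" in s.get("protocols", "").split():
        findings.append("submission is enabled; this tutorial does not want it")
    if "auth-system.conf.ext" in inc:
        findings.append("BSD auth is still included; comment out auth-system.conf.ext")
    passdb = sec.get("passdb", {})
    if passdb.get("driver") != "passwd-file" or "scheme=blf-crypt" not in passdb.get("args", ""):
        findings.append("passdb should be passwd-file with scheme=blf-crypt")
    for k in ("auth_debug_passwords", "auth_verbose_passwords"):
        if s.get(k, "no") != "no":  # both log attempted passwords to /var/log/maillog
            findings.append(f"{k}={s[k]}: turn it off once troubleshooting is done")
    return findings
```

On a real host, feed it the output of `doveconf -n` to audit the merged configuration.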
time=1643492127
author:1643492127=forero
csum:1643492127=comment out
diff:1643492127:1638102641:=46,50c46,50%0a%3c auth_verbose=yes%0a%3c auth_debug=yes%0a%3c auth_debug_passwords=yes%0a%3c mail_debug=yes%0a%3c auth_verbose_passwords=sha1%0a---%0a> #auth_verbose=yes%0a> #auth_debug=yes%0a> #auth_debug_passwords=yes%0a> #mail_debug=yes%0a> #auth_verbose_passwords=sha1%0a
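Review bot: this change does the opposite of its csum "comment out": the `<` lines (the current text) have auth_verbose=yes, auth_debug=yes, auth_debug_passwords=yes, mail_debug=yes and auth_verbose_passwords=sha1 active, and the `>` lines they replaced had each of them prefixed with `#`. auth_debug_passwords and auth_verbose_passwords log attempted passwords to /var/log/maillog, so the commented-out form is the safer default for a block readers will paste; restore the `#` prefixes or say in the text that they are only for temporary troubleshooting.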
host:1643492127=181.53.13.19
author:1638102641=Hawk
diff:1638102641:1629674123:=123,131d122%0a%3c @]%0a%3c %0a%3c !! Starting dovecot%0a%3c %0a%3c To start dovecot via [[openbsd/rcctl|rcctl]]:%0a%3c %0a%3c [@%0a%3c $ doas rcctl enable dovecot%0a%3c $ doas rcctl start dovecot%0a
host:1638102641=2001:8a0:6813:4501:18d4:42f5:d6fb:184f
author:1629674123=mkf
diff:1629674123:1629671676:=12c12%0a%3c [@%0a---%0a> %0a14d13%0a%3c @]%0a
host:1629674123=198.251.81.133
author:1629671676=mkf
diff:1629671676:1625144041:=158d157%0a%3c [@%0a161c160%0a%3c @]%0a---%0a> %0a
host:1629671676=198.251.81.133
author:1625144041=jrmu
diff:1625144041:1624173605:=10,16d9%0a%3c %0a%3c A single user vmail will receive mail for all virtual users:%0a%3c %0a%3c $ doas useradd -m -g =uid -c "Virtual Mail" -d /var/vmail -s /sbin/nologin vmail%0a%3c %0a%3c /var/vmail will be used to store virtual users' maildir folders. It will be managed by%0a%3c dovecot, which receives mail via LMTP.%0a
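Review bot: the `useradd -m -g =uid -c "Virtual Mail" -d /var/vmail -s /sbin/nologin vmail` line is inserted as bare prose between two text lines rather than inside a `[@ ... @]` block like every other command on the page, so PmWiki will render it as a sentence; wrap it in a code block. The sentence above it could also say that `-g =uid` creates a vmail group with the same number as the uid, since the userdb block later relies on gid=vmail existing.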
host:1625144041=125.224.28.174
author:1624173605=jrmu
diff:1624173605:1623221713:=11,13c11,13%0a%3c In order to secure our passwords, we need to remove world readable permissions%0a%3c from /etc/mail and change file ownership:%0a%3c %0a---%0a> In order to allow dovecot to read /etc/mail/passwd (which is owned by _mail), we need%0a> to add _dovecot to the _mail group:%0a> %0a15,16c15%0a%3c $ doas chmod -R o-rx /etc/mail/%0a%3c $ doas chown -R _smtpd:_dovecot /etc/mail/%0a---%0a> $ doas usermod -G _mail _dovecot%0a
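Review bot: `chown -R _smtpd:_dovecot /etc/mail/` regroups the whole /etc/mail tree, while the prose only says dovecot must be able to read /etc/mail/passwd; either narrow the chown to that file (and the directory's group) or say why everything under /etc/mail is handed to group _dovecot. The hunk also drops the old `usermod -G _mail _dovecot` line without telling readers who already ran it to remove _dovecot from the _mail group again.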
host:1624173605=38.81.163.143
author:1623221713=jrmu
diff:1623221713:1623220959:=149,152d148%0a%3c %0a%3c Jun 9 01:37:35 jrmu dovecot: auth: Error: passwd-file(jrmu@jrmu.host.oddprotocol.org,125.231.25.80,%3caiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)%0a%3c Jun 9 01:37:41 jrmu dovecot: auth: Error: passwd-file(jrmu@jrmu.host.oddprotocol.org,125.231.25.80,%3caiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)%0a%3c %0a
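Review bot: the two maillog lines are appended without any sentence saying what they show or how they were fixed; add an introduction stating that euid=518(_dovecot) cannot stat /etc/mail/passwd because /etc/mail is mode 0750, owned by 95:1003, and _dovecot is not in group 1003(_mail), and point at the permissions step that resolves it. They also carry a real user, hostname and client address (jrmu@jrmu.host.oddprotocol.org, 125.231.25.80); replace those with placeholders.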
host:1623221713=38.81.163.143
author:1623220959=jrmu
diff:1623220959:1623220200:=124,148d123%0a%3c When starting dovecot, you may find it fails:%0a%3c %0a%3c [@%0a%3c $ doas rcctl start dovecot%0a%3c dovecot(failed)%0a%3c @]%0a%3c %0a%3c When this happens, run the rc.d script with debugging turned on:%0a%3c %0a%3c [@%0a%3c $ doas /etc/rc.d/dovecot -d start%0a%3c doing _rc_parse_conf%0a%3c doing _rc_quirks%0a%3c dovecot_flags empty, using default >%3c%0a%3c doing rc_check%0a%3c dovecot%0a%3c doing rc_start%0a%3c doing _rc_wait start%0a%3c doing rc_check%0a%3c doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 12: ssl_cert: Can't open file /etc/ssl/dovecotcert.pem: No such file or directory%0a%3c doing _rc_rm_runfile%0a%3c (failed)%0a%3c @]%0a%3c %0a%3c In this case, you can see the error is in line 12 of /etc/dovecot/conf.d/10-ssl.conf . I forgot to write the real path of the cert: @@/etc/ssl/example.com.fullchain.pem@@ (where example.com is replaced with my real domain).%0a
host:1623220959=38.81.163.143
author:1623220200=jrmu
diff:1623220200:1623219060:=113c113%0a%3c $ doas rm /etc/login.conf.db%0a---%0a> # rm /etc/login.conf.db%0a118,119d117%0a%3c Make sure to check /var/log/maillog:%0a%3c %0a123d120%0a%3c %0a
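Review bot: the new line `Make sure to check /var/log/maillog:` (118,119d117) ends in a colon and sits directly above the existing `openssl s_client -starttls imap ...` block, so the openssl command now reads as the way to check the log; give the openssl command its own lead-in (it tests the IMAP STARTTLS listener) and end the maillog sentence with a full stop. Changing `# rm` to `$ doas rm` at 113 matches the other commands on the page.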
host:1623220200=38.81.163.143
author:1623219060=jrmu
diff:1623219060:1623217016:=67,71c67,68%0a%3c The first block defines our password database to use blowfish (see [[https://man.openbsd.org/blowfish|blowfish(3)]] and [[https://man.openbsd.org/encrypt|encrypt(1)]]).%0a%3c %0a%3c The second block says that the mail must be read by user ID and group ID vmail, and%0a%3c that all mail will be in the folders /var/vmail/%3cdomain>/%3cusername>.%0a%3c %0a---%0a> and add the new passdb/userdb conf settings.%0a> %0a78,81c75,76%0a%3c This again indicates all mail will be in the folders /var/vmail/%3cdomain>/%3cusername>.%0a%3c %0a%3c In /etc/dovecot/conf.d/10-ssl.conf, make the changes to these lines:%0a%3c %0a---%0a> In /etc/dovecot/conf.d/10-ssl.conf, I make these changes:%0a> %0a83c78%0a%3c ssl = yes%0a---%0a> ssl = required %0a85,86c80,82%0a%3c ssl_cert = %3c/etc/ssl/example.com.fullchain.pem%0a%3c ssl_key = %3c/etc/ssl/private/example.com.key%0a---%0a> ssl_cert = %3c/etc/ssl/ircnow.org.fullchain.pem%0a> ssl_key = %3c/etc/ssl/private/ircnow.org.key%0a> %0a89,92c85%0a%3c You will need to replace example.com with your real domain.%0a%3c %0a%3c Please read the instructions in the dovecot README in @@/usr/local/share/doc/pkg-readmes/dovecot@@. That file explains that you must add this [[openbsd/loginconf|login class]] to /etc/login.conf:%0a%3c %0a---%0a> As hinted in the instructions in the dovecot README in /usr/local/share/doc/pkg-readmes/dovecot, you want to add to /etc/login.conf:%0a104,105c97,98%0a%3c '''WARNING''': If login.conf.db exists, you will need to rebuild it:%0a%3c %0a---%0a> Then rebuild login.conf.db:%0a> %0a108,113d100%0a%3c @]%0a%3c %0a%3c But it is best to just remove /etc/login.conf.db since it is not required:%0a%3c %0a%3c [@%0a%3c # rm /etc/login.conf.db%0a
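Review bot: `ssl = required` becomes `ssl = yes` (83c78) without explanation. `yes` only offers STARTTLS and still accepts authentication before TLS is negotiated unless disable_plaintext_auth stays at its default of yes, whereas `required` rejects any authentication attempt on an unencrypted connection; since the page exposes IMAP on 143 and POP3, keep `required` or state the reason for the weaker setting. Replacing ircnow.org with example.com in the cert paths and adding the explicit "replace example.com" sentence is good.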
host:1623219060=38.81.163.143
author:1623217016=jrmu
diff:1623217016:1622990602:=28,33c28,30%0a%3c This tells dovecot to listen to the protocols IMAP, POP3, and LMTP.%0a%3c '''Note''': We don't want to support submission with dovecot.%0a%3c %0a%3c It also tells dovecot the public IPs you want it to listen on. Finally, the last%0a%3c block tells dovecot to change to the username vmail to listen for LMTP.%0a%3c %0a---%0a> We don't want to support submission with dovecot. We only want to listen on our%0a> public IPv4 and IPv6 addresses. We want to provide lmtp with user vmail.%0a> %0a45,46c42,43%0a%3c In /etc/dovecot/conf.d/10-auth.conf, first comment out auth-system.conf.ext %0a%3c %0a---%0a> In /etc/dovecot/conf.d/10-auth.conf, I make these changes:%0a> %0a49,55d45%0a%3c @]%0a%3c %0a%3c This prevents dovecot from using BSD auth.%0a%3c %0a%3c Then at the bottom of the file, add these lines:%0a%3c %0a%3c [@%0a67c57%0a%3c and add the new passdb/userdb conf settings.%0a---%0a> Comment out auth-system.conf.ext and add the new passdb/userdb conf settings.%0a
host:1623217016=38.81.163.143
author:1622990602=mkf
csum:1622990602=ssl_dh_parameters_length is not required anymore
diff:1622990602:1622797748:=72c72%0a%3c %0a---%0a> ssl_dh_parameters_length = 2048%0a
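Review bot: dropping `ssl_dh_parameters_length = 2048` is right for Dovecot 2.3, which removed that setting in favour of `ssl_dh = </path/to/dh.pem`; the csum "not required anymore" would be more useful if it named the version, since readers still on 2.2 keep the old setting and readers on 2.3 may want the ssl_dh replacement mentioned.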
50
2023-01-22
jrmu
host:1622990602=188.226.131.252
51
2023-01-22
jrmu
author:1622797748=jrmu
52
2023-01-22
jrmu
diff:1622797748:1622797722:=12,13c12,13%0a%3c to add _dovecot to the _mail group:%0a%3c %0a---%0a> to add dovecot to the _mail group:%0a> %0a15c15%0a%3c $ doas usermod -G _mail _dovecot%0a---%0a> $ doas usermod -G _mail dovecot%0a
53
2023-01-22
jrmu
host:1622797748=38.81.163.143
54
2023-01-22
jrmu
author:1622797722=jrmu
55
2023-01-22
jrmu
diff:1622797722:1622719537:=10,16d9%0a%3c %0a%3c In order to allow dovecot to read /etc/mail/passwd (which is owned by _mail), we need%0a%3c to add dovecot to the _mail group:%0a%3c %0a%3c [@%0a%3c $ doas usermod -G _mail dovecot%0a%3c @]%0a
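Review bot: the account is spelled `dovecot` in both the sentence and `usermod -G _mail dovecot`, but the OpenBSD package creates it as `_dovecot` (the maillog excerpt later on this page shows euid=518(_dovecot)), so this command fails on a stock install; use `_dovecot`.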
56
2023-01-22
jrmu
host:1622797722=38.81.163.143
57
2023-01-22
jrmu
author:1622719537=jrmu
58
2023-01-22
jrmu
diff:1622719537:1621334182:=1,4c1,2%0a%3c Let's set up dovecot to allow users to read mail with IMAP and POP.%0a%3c %0a%3c !! Installation%0a%3c %0a---%0a> Here is how I set up dovecot.%0a> %0a9,12c7,8%0a%3c !! Configuration%0a%3c %0a%3c In /etc/dovecot/dovecot.conf, add the following lines at the bottom of the file:%0a%3c %0a---%0a> In /etc/dovecot/dovecot.conf, add these lines at the very bottom:%0a> %0a14,15d9%0a%3c protocols = imap pop3 lmtp%0a%3c listen = 192.168.0.1, 2001:db8::%0a18a13,19%0a> %0a> #auth_verbose=yes%0a> #auth_debug=yes%0a> #auth_debug_passwords=yes%0a> #mail_debug=yes%0a> #auth_verbose_passwords=sha1%0a> verbose_ssl=yes%0a21,33c22,25%0a%3c We don't want to support submission with dovecot. We only want to listen on our%0a%3c public IPv4 and IPv6 addresses. We want to provide lmtp with user vmail.%0a%3c %0a%3c To aid with troubleshooting, you can consider adding these lines:%0a%3c %0a%3c [@%0a%3c #auth_verbose=yes%0a%3c #auth_debug=yes%0a%3c #auth_debug_passwords=yes%0a%3c #mail_debug=yes%0a%3c #auth_verbose_passwords=sha1%0a%3c verbose_ssl=yes%0a%3c @]%0a---%0a> You can turn on debugging, verbose ssl, and so forth as you need to help troubleshoot.%0a> %0a> In /etc/dovecot/conf.d/10-auth.conf, I make these changes:%0a> %0a
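Review bot: the added `listen = 192.168.0.1, 2001:db8::` (14,15d9) is described in the prose as "our public IPv4 and IPv6 addresses", but 192.168.0.1 is a private address and 2001:db8:: is the IPv6 documentation prefix; say explicitly that they are placeholders, because pasted unchanged dovecot will try to bind addresses the host does not have. Moving the commented debug lines out of the main block into their own troubleshooting block is a clear improvement.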
59
2023-01-22
jrmu
host:1622719537=38.81.163.143
60
2023-01-22
jrmu
author:1621334182=jrmu
61
2023-01-22
jrmu
diff:1621334182:1621334182:=1,79d0%0a%3c Here is how I set up dovecot.%0a%3c %0a%3c [@%0a%3c $ doas pkg_add dovecot%0a%3c @]%0a%3c %0a%3c In /etc/dovecot/dovecot.conf, add these lines at the very bottom:%0a%3c %0a%3c [@%0a%3c service lmtp {%0a%3c user = vmail%0a%3c }%0a%3c %0a%3c #auth_verbose=yes%0a%3c #auth_debug=yes%0a%3c #auth_debug_passwords=yes%0a%3c #mail_debug=yes%0a%3c #auth_verbose_passwords=sha1%0a%3c verbose_ssl=yes%0a%3c @]%0a%3c %0a%3c You can turn on debugging, verbose ssl, and so forth as you need to help troubleshoot.%0a%3c %0a%3c In /etc/dovecot/conf.d/10-auth.conf, I make these changes:%0a%3c %0a%3c [@%0a%3c #!include auth-system.conf.ext%0a%3c passdb {%0a%3c args = scheme=blf-crypt /etc/mail/passwd%0a%3c driver = passwd-file%0a%3c }%0a%3c %0a%3c userdb {%0a%3c args = uid=vmail gid=vmail home=/var/vmail/%25d/%25n%0a%3c driver = static%0a%3c }%0a%3c @]%0a%3c %0a%3c Comment out auth-system.conf.ext and add the new passdb/userdb conf settings.%0a%3c %0a%3c In /etc/dovecot/conf.d/10-mail.conf:%0a%3c %0a%3c [@%0a%3c mail_location = maildir:/var/vmail/%25d/%25n/Maildir%0a%3c @]%0a%3c %0a%3c In /etc/dovecot/conf.d/10-ssl.conf, I make these changes:%0a%3c %0a%3c [@%0a%3c ssl = required %0a%3c ...%0a%3c ssl_cert = %3c/etc/ssl/ircnow.org.fullchain.pem%0a%3c ssl_key = %3c/etc/ssl/private/ircnow.org.key%0a%3c ssl_dh_parameters_length = 2048%0a%3c @]%0a%3c %0a%3c As hinted in the instructions in the dovecot README in /usr/local/share/doc/pkg-readmes/dovecot, you want to add to /etc/login.conf:%0a%3c [@%0a%3c dovecot:\%0a%3c :openfiles-cur=4096:\%0a%3c :openfiles-max=8192:\%0a%3c :tc=daemon:%0a%3c @]%0a%3c %0a%3c '''WARNING''': You must use tabs and not spaces. 
If you use spaces in /etc/login.conf, the settings will '''not''' work.%0a%3c %0a%3c '''NOTE''': Allowing more open files than suggested in the README can help if you have many IP addresses.%0a%3c %0a%3c Then rebuild login.conf.db:%0a%3c %0a%3c [@%0a%3c # [ -f /etc/login.conf.db ] && cap_mkdb /etc/login.conf%0a%3c @]%0a%3c %0a%3c !! Troubleshooting%0a%3c %0a%3c [@%0a%3c $ openssl s_client -starttls imap -connect username.coconut.ircnow.org:143%0a%3c @]%0a
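Review bot: the first version hard-codes the real domain in `ssl_cert = </etc/ssl/ircnow.org.fullchain.pem` and `ssl_key = </etc/ssl/private/ircnow.org.key` and a real hostname in the `openssl s_client -starttls imap -connect username.coconut.ircnow.org:143` test; use placeholder names so readers do not paste another site's paths and hostnames.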
host:1621334182=38.81.163.143