Initial dovecot setup and verifying authentication over POP/IMAP
Next, configure dovecot.
Configuring dovecot.conf and dovecot-sql.conf
For the initial check, configure it with SSL disabled and plaintext authentication allowed, and see whether it works.
$ sudo vi dovecot.conf --- dovecot.conf.orig 2011-03-29 09:04:42.406699982 +0900 +++ dovecot.conf 2011-03-29 09:17:24.822237204 +0900 @@ -22,6 +22,7 @@ # Protocols we want to be serving: imap imaps pop3 pop3s managesieve # If you only want to use dovecot-auth, you can set this to "none". # セキュア以外のテスト用にimapとpopを使えるようにしておく。 # 最終的にsaslauthdでrimapを使う場合、imapは残さないとだめ。 #protocols = imap imaps +protocols = imap pop3 imaps pop3s # A space separated list of IP or host addresses where to listen in for # connections. "*" listens in all IPv4 interfaces. "[::]" listens in all IPv6 @@ -50,6 +51,7 @@ # matches the local IP (ie. you're connecting from the same computer), the # connection is considered secure and plaintext authentication is allowed. #検証用にプレインテキスト認証を有効にしておく。 # 検証が終了したら無効にしてしまって構わない。 #disable_plaintext_auth = yes +disable_plaintext_auth = no # Should all IMAP and POP3 processes be killed when Dovecot master process # shuts down. Setting this to "no" means that Dovecot can be upgraded without @@ -91,13 +93,16 @@ # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> #検証用にsslを無効にしておく。 #検証が終わったら有効にしておく。 #ssl = yes +ssl = no # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf # SSL用のファイル。 -ssl_cert_file = /etc/ssl/dovecot/server.pem -ssl_key_file = /etc/ssl/dovecot/server.key +#ssl_cert_file = /etc/ssl/dovecot/server.pem +#ssl_key_file = /etc/ssl/dovecot/server.key +ssl_cert_file = /usr/local/etc/ssl/server/niboshi.kakitsubata-ayame.net/mail.pem +ssl_key_file = /usr/local/etc/ssl/server/niboshi.kakitsubata-ayame.net/newkey.pem # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often 
@@ -225,7 +230,8 @@ # # <doc/wiki/MailLocation.txt> # # /var/vmail/%domain%/%user%/Maildir 形式で保存しているため、このように指定する。 # -mail_location = maildir:~/.maildir +#mail_location = maildir:~/.maildir +mail_location = maildir:/var/vmail/%d/%n # If you need to set multiple mailbox locations or want to change default # namespace settings, you can do it by defining namespace sections. @@ -302,6 +308,8 @@ # or names. <doc/wiki/UserIds.txt> #mail_uid = #mail_gid = #メール配信用のユーザ(vmail)のuid/gidを指定する。 +mail_uid = 501 +mail_gid = 501 # Group to enable temporarily for privileged operations. Currently this is # used only with INBOX when either its initial creation or dotlocking fails. @@ -381,6 +389,8 @@ # be done even if first_valid_uid is set to 0. #first_valid_uid = 500 #last_valid_uid = 0 #メール配信用のユーザ(vmail)のuidの範囲を指定する。 +first_valid_uid = 501 +last_valid_uid = 501 # Valid GID range for users, defaults to non-root/wheel. Users having # non-valid GID as primary group ID aren't allowed to log in. If user @@ -388,6 +398,8 @@ # not set. #first_valid_gid = 1 #last_valid_gid = 0 #メール配信用のユーザ(vmail)のgidの範囲を指定する。 +first_valid_gid = 501 +last_valid_gid = 501 # Maximum number of running mail processes. When this limit is reached, # new users aren't allowed to log in. @@ -879,7 +893,8 @@ # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey # gss-spnego # NOTE: See also disable_plaintext_auth setting. #平文認証 (後ほどSSLで通信暗号化) を設定する - mechanisms = plain + #mechanisms = plain + mechanisms = login plain # # Password database is used to verify user's password (and nothing more). @@ -912,7 +927,7 @@ # database (passwd usually), you can use static userdb. # REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM # authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt> # pam は無効。 - passdb pam { + #passdb pam { # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>] # [cache_key=<key>] [<service name>] # 
@@ -945,7 +960,7 @@ # args = session=yes %Ls # args = cache_key=%u dovecot #args = dovecot - } + #} # System users (NSS, /etc/passwd, or similiar) # In many systems nowadays this uses Name Service Switch, which is @@ -991,6 +1006,9 @@ # Path for SQL configuration file, see doc/dovecot-sql-example.conf #args = /etc/dovecot-sql.conf #} # MySQLで認証するために記述したファイルをここで指定する。 + passdb sql { + args = /etc/dovecot/dovecot-sql.conf + } # LDAP database <doc/wiki/AuthDatabase.LDAP.txt> #passdb ldap { @@ -1020,18 +1038,20 @@ # <doc/wiki/UserDatabase.Prefetch.txt> #userdb prefetch { #} # DB用プリフェッチ + userdb prefetch { + } # System users (NSS, /etc/passwd, or similiar). In many systems nowadays this # uses Name Service Switch, which is configured in /etc/nsswitch.conf. # <doc/wiki/AuthDatabase.Passwd.txt> #システムユーザのメールもバーチャル配信するため無効化しておく - userdb passwd { + #userdb passwd { # [blocking=yes] - By default the lookups are done in the main dovecot-auth # process. This setting causes the lookups to be done in auth worker # proceses. Useful with remote NSS lookups that may block. # NOTE: Be sure to use this setting with nss_ldap or users might get # logged in as each others! #args = - } + #} # passwd-like file with specified location # <doc/wiki/AuthDatabase.PasswdFile.txt> @@ -1069,6 +1089,9 @@ # Path for SQL configuration file, see doc/dovecot-sql-example.conf #args = /etc/dovecot-sql.conf #} # MySQLで認証するために記述したファイルをここで指定する。 + userdb sql { + args = /etc/dovecot/dovecot-sql.conf + } # LDAP database <doc/wiki/AuthDatabase.LDAP.txt> #userdb ldap { @@ -1086,7 +1109,8 @@ # authentication with BSDs internally accesses shadow files, which also # requires roots. Note that this user is NOT used to access mails. # That user is specified by userdb above. # DB参照を行うシステムユーザ。何でもいい。 - user = root + #user = root + user = nobody # Directory where to chroot the process. Most authentication backends don't # work if this is set, and there's no point chrooting if auth_user is root. 
@@ -1124,6 +1148,20 @@ #mode = 0660 #} #} # 実ファイルからメールを拾い上げるための設定と # SMTP認証用にpostfixから認証を行えるようにする設定 + socket listen { + master { + path = /var/run/dovecot/auth-master + mode = 0600 + user = vmail + group = vmail + } + client { + path = /var/spool/postfix/private/auth + mode = 0660 + user = postfix + group = postfix + } + } } # If you wish to use another authentication server than dovecot-auth, you can
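Review bot: the @@ -50, @@ -91 and @@ -879 hunks together (`disable_plaintext_auth = no`, `ssl = no`, `mechanisms = login plain`) mean that LOGIN/PLAIN credentials cross the network unencrypted on ports 110/143 for as long as this test configuration is active. The in-line comments already mark these as test-only values; the accompanying text should say explicitly that the SSL patch later in the post has to be applied before the service is reachable from anything but the test client, and that the `listen` setting mentioned in the @@ -22 context can be narrowed to the test host in the meantime.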
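Review bot: the new `ssl_key_file = /usr/local/etc/ssl/server/niboshi.kakitsubata-ayame.net/newkey.pem` in the @@ -91 hunk points outside the default /etc/ssl/dovecot directory. As the surrounding comment says, the key is opened before root privileges are dropped, so the file should be readable by root only (mode 0600); check that the relocated key has the same restrictive permissions as the default location would have had, and that the commented-out `/etc/ssl/dovecot/server.key`, if it still exists, is protected the same way.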
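Review bot: the `userdb prefetch { }` added in the @@ -1020 hunk only works if the password_query in dovecot-sql.conf returns the userdb_* fields, and it cannot serve lookups that arrive through the auth-master socket added in the @@ -1124 hunk, which is why the `userdb sql` in the @@ -1069 hunk is still needed as the second userdb. The order (prefetch first, sql second) is correct as written; the text should spell out this dependency so that the dovecot.conf and dovecot-sql.conf changes are not revised independently of each other.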
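Review bot: the `user = nobody` change in the @@ -1086 hunk: the comment says any user will do, but `nobody` is commonly shared by other unprivileged services on the same host, so a dedicated account for dovecot-auth (name of your choosing) keeps the process that performs the database lookups, and the dovecot-sql.conf it reads, isolated from everything else. Whatever account is used, grant it, and nobody else, read access to dovecot-sql.conf, since that file carries the MySQL password.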
$ sudo vi dovecot-sql.conf --- dovecot-sql.conf.orig 2011-03-29 09:02:52.436067716 +0900 +++ dovecot-sql.conf 2011-03-29 08:26:46.828505152 +0900 @@ -26,7 +26,7 @@ # ); # Database driver: mysql, pgsql, sqlite # MySQLを使う。 -#driver = +driver = mysql # Database connection string. This is driver-specific setting. # @@ -60,14 +60,14 @@ # connect = host=sql.example.com dbname=virtual user=virtual password=blarg # connect = /etc/dovecot/authdb.sqlite # # MySQLのDB参照専用ユーザを設定する。 -#connect = +connect = host=/var/run/mysqld/mysqld.sock user=postfix password=authpass dbname=postfix # Default password scheme. # # List of supported schemes is in # http://wiki.dovecot.org/Authentication/PasswordSchemes # # DBに格納してあるパスワードの暗号化方式を指定する。 # この設定は postfixadmin で設定したものと一緒にする。 -#default_pass_scheme = MD5 +default_pass_scheme = MD5 # passdb query to retrieve the password. It can return fields: # password - The user's password. This field must be returned. @@ -119,6 +119,9 @@ #user_query = \ # SELECT home, uid, gid \ # FROM users WHERE username = '%n' AND domain = '%d' # DB参照用クエリー +user_query = \ + SELECT CONCAT('/var/vmail/', maildir) AS home, CONCAT('*:bytes=', quota) AS quota_rule \ + FROM mailbox WHERE username = '%u' AND active = 1 # If you wish to avoid two SQL lookups (passdb + userdb), you can use # userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll @@ -128,3 +131,8 @@ # SELECT userid AS user, password, \ # home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \ # FROM users WHERE userid = '%u' # DB参照用クエリー +password_query = \ + SELECT CONCAT('/var/vmail/', maildir) AS userdb_home, \ + username as user, password, \ + CONCAT('*:bytes=', quota) AS userdb_quota_rule \ + FROM mailbox WHERE username = '%u' AND active = 1
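Review bot: the `connect = host=/var/run/mysqld/mysqld.sock user=postfix password=authpass dbname=postfix` line in the @@ -60 hunk puts the database password in cleartext in this file, so its mode should exclude group and world, and, as the comment calls this a lookup-only account, the MySQL grant for it should be limited to SELECT on the `mailbox` table used by the two queries. The `dovecot.conf` patch references this file as `/etc/dovecot/dovecot-sql.conf` while it is edited here by relative name; confirm both refer to the same file.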
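Review bot: `default_pass_scheme = MD5` in the @@ -60 hunk selects Dovecot's MD5-CRYPT scheme, which is salted but cheap to brute-force by current standards; matching postfixadmin is the right constraint, so consider the strongest scheme both sides support. In the @@ -119 and @@ -128 hunks the queries return `home`/`userdb_home` and the quota rule but no uid/gid, which only works because `mail_uid`/`mail_gid` are fixed to 501 in dovecot.conf; note that coupling in the text. The `%u` placeholder is escaped by Dovecot before substitution into the query, so a crafted login name cannot alter the SQL.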
Starting up and checking mail retrieval
Once the above is configured, start dovecot.
$ sudo /etc/init.d/dovecot start
Then retrieve mail with any mail client and confirm that the message sent during the earlier postfix test arrives. It is also worth deliberately entering a wrong password to check that the failure path works.
Once retrieval works, move on to the next configuration step.
If retrieval fails
- dovecot's logs are written to the mail log. If you are using metalog, everything ends up in /var/log/mail/current.
- Changing the value of syslog_facility = sends them to a different syslog facility.
- Setting log_path / info_log_path writes them to those files instead.
- Setting mail_debug = yes produces detailed logs.
- Check with netstat -an --tcp that the ports are in the listening state.
- Check that the password is correct.
- Check that the firewall on the PC running the mail client is not blocking the connection.
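One way to read the mail log mentioned above, as an added example that is not part of the original post: a small POSIX shell script that tallies Dovecot login successes and authentication failures, and groups the failures by remote IP, so a wrong password can be told apart from a client that never reached the server. The log lines are constructed here in the shape of Dovecot 1.x imap-login/pop3-login messages, and the host name and log file path are assumptions; in practice point the functions at /var/log/mail/current or whatever log_path is set to.

```shell
#!/bin/sh
# Added example (not from the original post): summarise Dovecot login
# results from a mail log. The sample lines below are constructed in the
# shape of Dovecot 1.x imap-login/pop3-login messages; the host name
# "niboshi", the addresses and the file path are assumptions.

LOGFILE="${TMPDIR:-/tmp}/dovecot-sample.log"

cat > "$LOGFILE" <<'EOF'
Mar 29 09:20:01 niboshi dovecot: pop3-login: Login: user=<alice@example.net>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
Mar 29 09:20:15 niboshi dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<alice@example.net>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
Mar 29 09:20:17 niboshi dovecot: imap-login: Aborted login (auth failed, 2 attempts): user=<alice@example.net>, method=LOGIN, rip=192.0.2.10, lip=192.0.2.1
Mar 29 09:21:02 niboshi dovecot: imap-login: Login: user=<bob@example.net>, method=PLAIN, rip=192.0.2.20, lip=192.0.2.1
Mar 29 09:22:40 niboshi dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<mallory@example.net>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
EOF

# Number of successful logins (imap-login and pop3-login alike).
count_logins() {
    grep -c 'dovecot: [a-z0-9]*-login: Login: ' "$1"
}

# Number of failed authentication attempts.
count_auth_failures() {
    grep -c 'Aborted login (auth failed' "$1"
}

# "count ip" pairs of failed logins per remote IP, most frequent first.
failures_by_rip() {
    grep 'Aborted login (auth failed' "$1" \
      | sed -n 's/.*rip=\([^,]*\),.*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# The remote IP with the most failures, for a quick first look.
top_failing_rip() {
    failures_by_rip "$1" | head -n 1 | awk '{print $2}'
}

echo "successful logins:    $(count_logins "$LOGFILE")"
echo "failed auth attempts: $(count_auth_failures "$LOGFILE")"
echo "failures by remote IP:"
failures_by_rip "$LOGFILE"
```

If the client's IP does not appear in either count, the connection never reached dovecot and the port or firewall checks above are the next step; if it appears only among the failures, the credentials or the passdb query are the problem.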
SSL configuration
Now configure SSL. Rewrite the dovecot.conf from above so that authentication takes place over SSL.
--- dovecot.conf.notls 2011-03-29 11:04:48.243637792 +0900 +++ dovecot.conf 2011-03-29 11:09:57.761949212 +0900 @@ -22,7 +22,7 @@ # Protocols we want to be serving: imap imaps pop3 pop3s managesieve # If you only want to use dovecot-auth, you can set this to "none". #protocols = imap imaps # SMTP-AUTHでrimapを使う場合、imapも残す。 # 自分の環境の場合imapsだけあれば十分だが一応pop3sも。 -protocols = imap pop3 imaps pop3s +protocols = imaps pop3s # A space separated list of IP or host addresses where to listen in for # connections. "*" listens in all IPv4 interfaces. "[::]" listens in all IPv6 @@ -50,8 +50,8 @@ # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP # matches the local IP (ie. you're connecting from the same computer), the # connection is considered secure and plaintext authentication is allowed. -#disable_plaintext_auth = yes -disable_plaintext_auth = no +disable_plaintext_auth = yes +#disable_plaintext_auth = no # Should all IMAP and POP3 processes be killed when Dovecot master process # shuts down. Setting this to "no" means that Dovecot can be upgraded without @@ -92,8 +92,8 @@ #ssl_listen = # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> -#ssl = yes -ssl = no +ssl = yes +#ssl = no # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but
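Review bot: `protocols = imaps pop3s` in the @@ -22 hunk removes the `imap` and `pop3` listeners entirely, so clients can no longer use STARTTLS on 143/110 and must be pointed at the implicit-TLS ports 993/995; the text should mention this client-side change. With `ssl = yes` (@@ -92) and `disable_plaintext_auth = yes` (@@ -50) this is consistent, and the `mechanisms = login plain` left in place by the earlier patch is acceptable once every connection is TLS-wrapped. If the plaintext ports are ever re-added for STARTTLS, `ssl = required` is the setting that keeps unencrypted sessions out.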
Then restart dovecot,
$ sudo /etc/init.d/dovecot start
and repeat the mail-client test as before.
If there are no problems, proceed to the next configuration step.
If you cannot connect
It should normally connect, but if there is a certificate or port problem