Jail Dovecot on FreeBSD
There are many software packages designed to archive email, but it’s pretty simple to just run a full IMAP server on local hardware and move messages to the archive using an email client. Because IMAP is a standard email protocol, the archive will be accessible to any device on the network running practically any email client one might want to use.
Installation
On FreeBSD, Dovecot is commonly used
and it can be jailed using iocage
as follows.
First, list the iocage releases and create a new jail named imap.
$ su
Password:
# iocage list -r
+---------------+
| Bases fetched |
+===============+
| 13.2-RELEASE |
+---------------+
# iocage create -n "imap" -r 13.2-RELEASE --thickjail vnet="on" allow_raw_sockets="1" boot="on" bpf="yes" dhcp="on"
imap successfully created!
No default gateway found for ipv6.
* Starting imap
+ Started OK
+ Using devfs_ruleset: 1000 (iocage generated default)
+ Configuring VNET OK
+ Using IP options: vnet
+ Starting services OK
+ Executing poststart OK
+ DHCP Address: 192.168.1.165/24
Next, enter the jail’s console to find and install the latest dovecot
package.
Note the installation notes printed at the bottom of the output.
# iocage console imap
[...]
Welcome to FreeBSD!
[...]
root@imap:~ # hostname
imap
root@imap:~ # pkg search dovecot
[...]
dovecot-2.3.21_2 Secure, fast and powerful IMAP and POP3 server
[...]
root@imap:~ # pkg install -y dovecot
[...]
New packages to be INSTALLED:
dovecot: 2.3.21_2
liblz4: 1.9.4,1
zstd: 1.5.5
[...]
You must create the configuration files yourself. Copy them over
to /usr/local/etc/dovecot and edit them as desired:
cp -R /usr/local/etc/dovecot/example-config/* \
/usr/local/etc/dovecot
The default configuration includes IMAP and POP3 services, will
authenticate users agains the system's passwd file, and will use
the default /var/mail/$USER mbox files.
Next, enable dovecot in /etc/rc.conf:
dovecot_enable="YES"
[...]
Basic Configuration
As explained in the installation notes, the default configuration will authenticate users against the system’s passwd file. Create a new user account in the jail to receive the email archive and assign it a temporary password.
The section after this one explains how to configure Dovecot using plaintext authentication, so the chosen password will be sent over the LAN in the clear until the configuration is properly secured. Consider using a temporary password for the initial configuration and change it to a better one after securing the connection. In any case, avoid reusing existing passwords.
root@imap:~ # pw useradd -n ccammack -m
root@imap:~ # passwd ccammack
Changing local password for ccammack
New Password:
Retype New Password:
Next, follow the installation notes to copy the example configuration files to /usr/local/etc/dovecot
and add dovecot_enable="YES"
to /etc/rc.conf
.
root@imap:~ # cp -R /usr/local/etc/dovecot/example-config/* /usr/local/etc/dovecot
root@imap:~ # sysrc dovecot_enable=YES
dovecot_enable: -> YES
root@imap:~ # cat /etc/rc.conf
[...]
dovecot_enable="YES"
Use doveconf
to display the current version and configuration settings,
then change into the configuration directory.
root@imap:~ # doveconf | head -1
# 2.3.21 (47349e2482): /usr/local/etc/dovecot/dovecot.conf
root@imap:~ # cd /usr/local/etc/dovecot/conf.d
root@imap:/usr/local/etc/dovecot/conf.d #
The installation notes indicate that Dovecot will store the email for each user in
an mbox file named /var/mail/$USER
by default
if the mail_location
variable is not defined.
root@imap:/usr/local/etc/dovecot/conf.d # doveconf mail_location
mail_location =
root@imap:/usr/local/etc/dovecot/conf.d # grep ^mail_location *
10-mail.conf:mail_location =
Dovecot also supports the
Maildir++ directory layout,
which is a much better option for storage.
Set mail_location = maildir:~/Maildir
in the 10-mail.conf
file
to store email in a per-user ~/Maildir
directory.
root@imap:/usr/local/etc/dovecot/conf.d # ee 10-mail.conf
[...]
root@imap:/usr/local/etc/dovecot/conf.d # grep ^mail_location *
10-mail.conf:mail_location = maildir:~/Maildir
Configure Plaintext IMAP Connections
Check the protocols
configuration variable and note that the default list includes imap
, which is the traditional unencrypted protocol.
root@imap:/usr/local/etc/dovecot/conf.d # doveconf protocols
protocols = imap pop3 lmtp
To verify that the unencrypted imap
protocol uses port 143 by default, check the configuration values for inet_listener imap
.
root@imap:/usr/local/etc/dovecot/conf.d # doveconf -a | grep -A7 "inet_listener imap"
inet_listener imap {
address =
haproxy = no
port = 143
reuse_port = no
ssl = no
}
[...]
The default configuration values look reasonable, so try starting the dovecot
service.
root@imap:/usr/local/etc/dovecot/conf.d # service dovecot start
Starting dovecot.
doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-ssl.conf line 12: ssl_cert: Can't open file /etc/ssl/certs/dovecot.pem: No such file or directory
/usr/local/etc/rc.d/dovecot: WARNING: failed to start dovecot
The default configuration is looking for the ssl-cert
file on line 12 (and also the ssl_key
file on line 13), but they don’t exist.
The Dovecot documentation indicates that
[b]inary installations ususally create the certificate automatically when installing Dovecot, but that dosen’t seem to be the case on FreeBSD.
For the moment, disable the need for those missing files by editing 10-ssl.conf
to comment out the lines for ssl_cert
and ssl_key
on lines 12 and 13.
root@imap:/usr/local/etc/dovecot/conf.d # ee 10-ssl.conf
[...]
root@imap:/usr/local/etc/dovecot/conf.d # grep dovecot.pem 10-ssl.conf
#ssl_cert = </etc/ssl/certs/dovecot.pem
#ssl_key = </etc/ssl/private/dovecot.pem
Also make sure Dovecot is configured to use only plain text authentication
by checking the configuration values for auth_mechanisms
and disable_plaintext_auth
,
which appears in the file 10-auth.conf
.
root@imap:/usr/local/etc/dovecot/conf.d # doveconf auth_mechanisms
auth_mechanisms = plain
root@imap:/usr/local/etc/dovecot/conf.d # doveconf disable_plaintext_auth
disable_plaintext_auth = yes
root@imap:/usr/local/etc/dovecot/conf.d # grep ^disable_plaintext_auth *
10-auth.conf:disable_plaintext_auth = yes
In my case, I had to edit 10-auth.conf
and set disable_plaintext_auth = no
to allow plain text authentication.
root@imap:/usr/local/etc/dovecot/conf.d # ee 10-auth.conf
[...]
root@imap:/usr/local/etc/dovecot/conf.d # grep ^disable_plaintext_auth *
10-auth.conf:disable_plaintext_auth = no
Try starting dovecot
again, successfully this time.
root@imap:/usr/local/etc/dovecot/conf.d # service dovecot start
Starting dovecot.
Test Plaintext Connection
From another machine on the network, ping
the IMAP server and make sure it answers.
C:\Users\ccammack
λ ping imap.ccammack.com
Pinging imap.ccammack.com [192.168.1.165] with 32 bytes of data:
Reply from 192.168.1.165: bytes=32 time<1ms TTL=64
Reply from 192.168.1.165: bytes=32 time<1ms TTL=64
Reply from 192.168.1.165: bytes=32 time<1ms TTL=64
Reply from 192.168.1.165: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.1.165:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Next, try to log into the server using curl
.
C:\Users\ccammack
λ curl -v --url "imap://imap.ccammack.com/" --user "ccammack"
Enter host password for user 'ccammack':
* Trying 192.168.1.165:143...
* Connected to imap.ccammack.com (192.168.1.165) port 143 (#0)
< * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN] Dovecot ready.
> A001 CAPABILITY
< * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN
< A001 OK Pre-login capabilities listed, post-login capabilities have more.
> A002 AUTHENTICATE PLAIN AGNjYW1tYWNrAHBhc3N3b3Jk
< * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY PREVIEW STATUS=SIZE SAVEDATE LITERAL+ NOTIFY SPECIAL-USE
< A002 OK Logged in
> A003 LIST "" *
< * LIST (\HasNoChildren) "." INBOX
* LIST (\HasNoChildren) "." INBOX
< A003 OK List completed (0.001 + 0.000 + 0.001 secs).
* Connection #0 to host imap.ccammack.com left intact
On the server, check the Dovecot log for errors using tail /var/log/maillog
.
root@imap:/usr/local/etc/dovecot/conf.d # tail /var/log/maillog
[...]
May 19 14:37:05 imap dovecot[77310]: imap-login: Login: user=<ccammack>, method=PLAIN, rip=192.168.1.100, lip=192.168.1.165, mpid=77326, session=<d+Ub39IYemjAqAFk>
May 19 14:37:05 imap dovecot[77310]: imap(ccammack)<77326><d+Ub39IYemjAqAFk>: Disconnected: Logged out in=27 out=576 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
If the connection works, it should now be possible to add the IMAP server to an email client and move messages to it over the LAN.