Debian trixieにアップデートしたときにdovecotも2.4.1にアップグレードされたのですが、設定が2.3から大幅にかわり、そのままでは動かないので再設定が必要になりました。その時の設定メモです。
旧設定はこちら
Dovecot
# 2.4.1-4 (7d8c0e5759): /etc/dovecot/dovecot.conf
# Pigeonhole version 2.4.1-4 (0a86619f)
# OS: Linux 6.12.57+deb13-amd64 i686 Debian 13.2 overlay
# Hostname: debian-mailserver
# 4 default setting changes since version 2.4.0
# `doveconf -n` output of the new 2.4 setup: only settings that differ from
# the built-in defaults are printed, so anything not listed is at its default.
dovecot_config_version = 2.4.0
# Only PLAIN and LOGIN are offered; both send the password as-is, which is
# acceptable here only because ssl = required (below) forces TLS first.
auth_mechanisms = plain login
# Log failed authentication attempts with the reason.
auth_verbose = yes
# "yes" (= "plain") writes the password that was tried on a FAILED login into
# the mail log in cleartext. Handy while debugging the migration, but it leaks
# real user passwords (typos) to anyone who can read the log; set it back to
# "no" (or "sha1") once the setup is stable.
auth_verbose_passwords = yes
dovecot_storage_version = 2.4.0
listen = *, ::
# Mail-category debug logging; noisy in production, drop once verified.
log_debug = category=mail
# One Maildir per virtual user under /var/vmail/<domain>/<user>.
mail_driver = maildir
mail_home = /var/vmail/${user|domain}/${user|username}
mail_inbox_path = /var/vmail/${user|domain}/${user|username}
mail_path = /var/vmail
protocols = imap lmtp
# TLS is mandatory for every client connection; cleartext IMAP on 143 is also
# switched off in service imap-login below (port = 0).
ssl = required
# Hand-picked OpenSSL list. The kRSA group (static RSA key exchange) gives no
# forward secrecy and is excluded by Dovecot's stock default list; kECDH
# (static ECDH) likewise has no forward secrecy and is most likely a no-op on
# current OpenSSL. Consider dropping both unless a known legacy client needs
# them. !SSLv2/!DES/!3DES/!MD5 are redundant with a TLSv1.2 floor but harmless.
# (ssl_min_protocol is not printed here, so the 2.4 default applies; the config
# files further down set TLSv1.2 explicitly.)
ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
# Flat-file user database; hashes without a {SCHEME} prefix are read as SHA512-CRYPT.
passdb passwd-file {
default_password_scheme = SHA512-CRYPT
passwd_file_path = /etc/dovecot/imap.passwd
}
# Every virtual user runs as the single system user/group "vmail"; home follows
# the mail_home layout above.
userdb static {
fields {
gid:default = vmail
home:default = /var/vmail/${user|domain}/${user|username}
uid:default = vmail
}
}
namespace inbox {
inbox = yes
}
service imap-login {
# port = 0 disables the 143 listener; only implicit-TLS IMAPS on 993 is offered.
inet_listener imap {
port = 0
}
inet_listener imaps {
port = 993
ssl = yes
}
}
# LMTP delivery socket for Postfix (virtual_transport = lmtp:unix:private/dovecot-lmtp
# in main.cf), owned by postfix and not reachable by other users (0600).
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
user = postfix
group = postfix
}
}
service imap {
}
# SASL socket consumed by Postfix smtpd (smtpd_sasl_path = private/auth);
# same postfix-only 0600 permissions as the LMTP socket.
service auth {
user = $SET:default_internal_user
unix_listener /var/spool/postfix/private/auth {
mode = 0600
user = postfix
group = postfix
}
}
service auth-worker {
user = $SET:default_internal_user
}
service dict {
unix_listener dict {
}
}
# Default certificate chain, key and DH parameters, used when the client sends
# no SNI name or one that has no local_name block.
ssl_server {
cert_file = /etc/acme/hottunalabs.net/fullchain.cer
dh_file = /etc/acme/ssl-dhparams.pem
key_file = /etc/acme/hottunalabs.net/hottunalabs.net.key
}
# Per-SNI certificates; both names currently point at the same key pair.
local_name hottunalabs.net {
ssl_server {
cert_file = /etc/acme/hottunalabs.net/fullchain.cer
key_file = /etc/acme/hottunalabs.net/hottunalabs.net.key
}
}
# NOTE(review): the config files further down use hottuna.server-on.net as the
# second SNI name instead of hottunalabs.mydns.org — confirm which is intended.
local_name hottunalabs.mydns.org {
ssl_server {
cert_file = /etc/acme/hottunalabs.net/fullchain.cer
key_file = /etc/acme/hottunalabs.net/hottunalabs.net.key
}
# NOTE(review): the closing "}" of this local_name block is missing here; it
# appears to have been lost when the page was extracted.
# /etc/dovecot/dovecot.conf followed by the conf.d/*.conf fragments it includes,
# concatenated. File boundaries are not marked on this page; the guesses below
# are marked as such.
dovecot_config_version = 2.4.0
dovecot_storage_version = 2.4.0
protocols = imap lmtp
!include_try /usr/share/dovecot/protocols.d/*.protocol
listen = *, ::
!include conf.d/*.conf
# NOTE(review): two lines are fused here — "!include_try local.conf" ends
# dovecot.conf and "auth_mechanisms = plain login" opens the auth settings
# (presumably conf.d/10-auth.conf). PLAIN/LOGIN send the password as-is, so the
# "ssl = required" further down is what keeps credentials off the wire.
!include_try local.confauth_mechanisms = plain login
!include auth-passwdfile.conf.ext
# Mail location (presumably conf.d/10-mail.conf): one Maildir per virtual user
# under /var/vmail/<domain>/<user>.
mail_driver = maildir
mail_path = /var/vmail
mail_home = /var/vmail/${user|domain}/${user|username}
mail_inbox_path = /var/vmail/${user|domain}/${user|username}
namespace inbox {
inbox = yes
}
protocol !indexer-worker {
}
# Service definitions (presumably conf.d/10-master.conf).
service imap-login {
# Cleartext IMAP on 143 is switched off (port = 0); clients must use 993.
inet_listener imap {
port = 0
}
inet_listener imaps {
port = 993
ssl = yes
}
}
# LMTP socket inside the Postfix spool, reachable only by the postfix user (0600).
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
user = postfix
group = postfix
}
}
service imap {
}
# SASL socket for Postfix smtpd (smtpd_sasl_path = private/auth in main.cf),
# also postfix-only, mode 0600.
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0600
user = postfix
group = postfix
}
user = $SET:default_internal_user
}
service auth-worker {
user = $SET:default_internal_user
}
service dict {
unix_listener dict {
}
# NOTE(review): fused line — "}" closes service dict; "ssl = required" opens
# the TLS settings (presumably conf.d/10-ssl.conf). TLS is mandatory for all
# client connections.
}ssl = required
# Default certificate chain, key and DH parameters for clients whose SNI name
# has no local_name block (or who send none).
ssl_server_cert_file = /etc/acme/hottunalabs.net/fullchain.cer
ssl_server_key_file = /etc/acme/hottunalabs.net/hottunalabs.net.key
ssl_server_dh_file = /etc/acme/ssl-dhparams.pem
# SNI: both names serve the same hottunalabs.net certificate. The doveconf -n
# output above lists hottunalabs.mydns.org instead of hottuna.server-on.net —
# confirm which second name is intended.
local_name hottunalabs.net {
ssl_server_cert_file = /etc/acme/hottunalabs.net/fullchain.cer
ssl_server_key_file = /etc/acme/hottunalabs.net/hottunalabs.net.key
}
local_name hottuna.server-on.net {
ssl_server_cert_file = /etc/acme/hottunalabs.net/fullchain.cer
ssl_server_key_file = /etc/acme/hottunalabs.net/hottunalabs.net.key
}
# Explicit floor: TLS 1.0 and 1.1 are refused.
ssl_min_protocol = TLSv1.2
# Custom cipher list. kRSA (static RSA key exchange) has no forward secrecy and
# is excluded by Dovecot's stock default list; kECDH (static ECDH) likewise has
# none and is most likely a no-op on current OpenSSL. Keep them only if a known
# legacy client needs them. !SSLv2/!DES/!3DES/!MD5 are already ruled out by the
# TLSv1.2 floor but do no harm.
ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
# NOTE(review): the next three lines each fuse a closing "}" with the block
# that follows — empty protocol lda / imap / lmtp blocks (presumably
# conf.d/15-lda.conf, 20-imap.conf, 20-lmtp.conf) and then the passdb from
# auth-passwdfile.conf.ext.
protocol lda {
}protocol imap {
}protocol lmtp {
}passdb passwd-file {
# Hashes in imap.passwd without a {SCHEME} prefix are verified as SHA512-CRYPT.
default_password_scheme = SHA512-CRYPT
passwd_file_path = /etc/dovecot/imap.passwd
}
# All virtual users share the vmail uid/gid; home follows the mail_home layout above.
userdb static {
fields {
uid:default = vmail
gid:default = vmail
home:default = /var/vmail/${user|domain}/${user|username}
}
}
opendkim
旧版ではinet socketでしたが今回はunix domain socketに変更します。
# /etc/opendkim.conf — DKIM signing/verifying milter for hottunalabs.net,
# connected to Postfix over a unix socket inside the Postfix spool.
Syslog yes
SyslogSuccess yes
# relaxed canonicalization for headers, simple for the body
Canonicalization relaxed/simple
# Include From in h= one extra time so a downstream hop cannot add a second
# From header without invalidating the signature.
OversignHeaders From
# Single-domain setup: one selector and one key file instead of KeyTable/SigningTable.
Domain hottunalabs.net
Selector myselector
KeyFile /etc/dkimkeys/myselector.private
# The daemon runs as this user. UMask 002 makes the socket below group-writable,
# which is how Postfix (put into a shared group by the usermod commands that
# follow) is allowed to connect.
UserID opendkim
UMask 002
Socket local:/var/spool/postfix/opendkim/opendkim.sock
PidFile /run/opendkim/opendkim.pid
TrustAnchorFile /usr/share/dns/root.keysudo mkdir /etc/dkimkeys
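# Lock down the key directory, generate the selector key pair and create the
# groups that let Postfix reach the opendkim socket. Every step needs root,
# so all of them go through sudo (the original mixed sudo and bare commands).
sudo chown root: /etc/dkimkeys
sudo chmod 700 /etc/dkimkeys
# NOTE(review): the directory is root-owned 0700 while the daemon runs as
# UserID opendkim; this only works if the key is read before privileges are
# dropped. Check the opendkim log after a restart, or give the directory to the
# opendkim user as the Debian package does by default (verify on this host).
# Generate the key with -D instead of cd-ing into the directory: a non-root
# shell cannot enter a root-owned 0700 directory, so the original
# "cd /etc/dkimkeys" fails. -r restricts the key to e-mail use.
sudo opendkim-genkey -D /etc/dkimkeys -r -s myselector -d <my domain name>
# Shared group for the socket: postfix joins it, and it becomes opendkim's
# primary group so the group-writable socket (UMask 002) is created with it.
sudo groupadd dkimsocket
sudo usermod --append --groups dkimsocket postfix
sudo usermod --gid dkimsocket opendkim
# Keep opendkim in its original group as a supplementary group.
sudo usermod --append --groups opendkim opendkim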
usermod --append --groups opendkim postfix
myselector.txtができるので、その内容をDNSサーバーに設定します。
myselector._domainkey IN TXT "v=DKIM1; p=...................."
openDMARC
# /etc/opendmarc.conf — DMARC policy milter; its socket lives inside the
# Postfix spool (directory created and permissioned by the commands below).
PidFile /run/opendmarc/opendmarc.pid
# Needed to derive the organisational domain when looking up DMARC policy.
PublicSuffixList /usr/share/publicsuffix/public_suffix_list.dat
Socket local:/var/spool/postfix/opendmarc/opendmarc.sock
Syslog true
# 0002 leaves the socket group-writable so Postfix, once added to the opendmarc
# group (adduser below), can connect.
UMask 0002
UserID opendmarcsudo mkdir -p /var/spool/postfix/opendmarc
# Hand the socket directory to the opendmarc user/group and keep it closed to
# everyone else (owner rwx, group r-x, others none); Postfix gets in through
# group membership, not through world permissions.
sudo chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc
sudo chmod -R 750 /var/spool/postfix/opendmarc/
sudo adduser postfix opendmarc
Postfix
# /etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
compatibility_level = 3.6
sendmail_path = /usr/sbin/postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
inet_interfaces = all
# IPv4 only on the Postfix side, while Dovecot above listens on "*, ::".
inet_protocols = ipv4
# 10 MiB per message
message_size_limit = 10485760
setgid_group = postdrop
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
myhostname = mx.hottunalabs.net
mydomain = hottunalabs.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Local (non-virtual) delivery is limited to the host itself; hottunalabs.net
# is served by the virtual_* settings below and must not also be listed here.
mydestination = $myhostname, mail-debian, localhost.localdomain, localhost
relayhost =
# Clients allowed to relay without authentication: loopback and one LAN /24.
mynetworks = 127.0.0.0/8, 10.0.0.0/24
mailbox_size_limit = 0
recipient_delimiter = +
local_recipient_maps = unix:passwd.byname $alias_maps
unknown_local_recipient_reject_code = 550
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
# NOTE(review): appears to have no effect here — it is an SMTP-client SASL
# setting and no smtp_sasl_* / sender_dependent_* settings are configured.
smtp_sender_dependent_authentication = yes
# Key and full chain in one setting; tls_server_sni_maps adds per-SNI chains
# (ssl_map below).
smtpd_tls_chain_files = /etc/acme/hottunalabs.net/hottunalabs.net.key, /etc/acme/hottunalabs.net/fullchain.cer
tls_server_sni_maps = hash:/etc/postfix/ssl_map
# Opportunistic TLS in both directions. At level "may" the smtpd_tls_mandatory_*
# settings below are not consulted (they apply at level "encrypt"); opportunistic
# sessions are governed by smtpd_tls_protocols / smtpd_tls_ciphers.
smtpd_tls_security_level=may
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
# NOTE(review): where it does apply, this still permits TLS 1.0/1.1;
# ">=TLSv1.2" is the usual floor today.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# Cyrus-only setting; unused with smtpd_sasl_type = dovecot.
cyrus_sasl_config_path = /etc/postfix/sasl
# SMTP AUTH is delegated to Dovecot over the private/auth socket it creates in
# the Postfix queue directory, and AUTH is only offered after STARTTLS.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_auth_only = yes
# reject_sender is a local sender blocklist (created empty with postmap below).
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, hash:/etc/postfix/reject_sender
# NOTE(review): the continuation lines below must be indented in the real file
# (indentation is lost on this page). reject_unauth_destination is listed twice
# and the recipient list ends with a trailing comma — harmless but worth tidying.
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
reject_invalid_hostname,
reject_unknown_recipient_domain,
reject_unauth_destination,
smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname
# duplicate of the recipient_delimiter setting above
recipient_delimiter = +
# Mail for $mydomain is handed to Dovecot over LMTP; the second domain is
# alias-only and rewritten through virtual_aliases.
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = $mydomain
virtual_alias_domains = hottunalabs.mydns.org
virtual_alias_maps = hash:/etc/postfix/virtual_aliases
# Milters: DKIM sign/verify, then DMARC check. "accept" means mail is let
# through unsigned/unchecked when a milter is down rather than deferred.
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock,local:opendmarc/opendmarc.sock
non_smtpd_milters = $smtpd_milterssmtp inet n - y - - smtpd
# /etc/postfix/master.cf (its first line, "smtp inet n - y - - smtpd", is fused
# onto the last main.cf line above).
# NOTE(review): "-o ..." and "flags=..." continuation lines must be indented in
# the real file; the indentation is lost on this page.
# Submission (587): SASL is enabled (redundant with main.cf, which already sets
# it), but the port still accepts cleartext sessions — only AUTH itself is
# TLS-gated by smtpd_tls_auth_only. Consider adding
# "-o smtpd_tls_security_level=encrypt" and
# "-o smtpd_client_restrictions=permit_sasl_authenticated,reject" so the
# submission port is TLS-only and used only by authenticated clients.
submission inet n - y - - smtpd
-o smtpd_sasl_auth_enable=yes
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
-o syslog_name=postfix/$service_name
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
# Transport used by virtual_transport in main.cf (Dovecot LMTP socket).
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd
# Stock Debian example transports from here on (maildrop, uucp, ifmail, bsmtp,
# scalemail, mailman); inactive unless referenced from main.cf, which the
# main.cf above does not do.
maildrop unix - n n - - pipe
flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}hottunalabs.net /etc/acme/hottunalabs.net/hottunalabs.net.key /etc/acme/hottunalabs.net/fullchain.cer
hottuna.server-on.net /etc/acme/hottunalabs.net/hottunalabs.net.key /etc/acme/hottunalabs.net/fullchain.cerpostmaster root
webmaster root
# Person who should get root's mail
root myname
# NOTE(review): the entries above look like /etc/aliases (local delivery; run
# newaliases after editing), while the full-address keys below belong to
# /etc/postfix/virtual_aliases (virtual_alias_maps; run postmap). Confirm
# whether the "\@" backslash is intended or a rendering artefact, and note that
# mydns.org here does not match virtual_alias_domains = hottunalabs.mydns.org
# in main.cf.
info@hottunalabs.net myname
myname@mydns.org myname\@hottunalabs.net
myname@hottunalabs.net myname\@hottunalabs.netsudo touch reject_sender
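# Rebuild the hash maps referenced from main.cf. Absolute paths make the
# commands independent of the current directory (the original relied on being
# run from /etc/postfix); re-run after every edit of the source file.
sudo postmap /etc/postfix/reject_sender
sudo postmap /etc/postfix/ssl_map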
sudo postmap virtual_aliases
参考
- https://doc.dovecot.org/main/installation/upgrade/2.3-to-2.4.html
- https://z-issue.com/wp/dovecot-2-3-to-2-4-update-problems/
- https://wiki.archlinux.org/title/OpenDKIM
- https://wiki.gentoo.org/wiki/OpenDKIM












