Let's set up dovecot to allow users to read mail with IMAP and POP.

## Installation

    $ doas pkg_add dovecot


## Configuration

A single user vmail will receive mail for all virtual users:

    $ doas useradd -m -g =uid -c "Virtual Mail" -d /var/vmail -s /sbin/nologin vmail


/var/vmail will be used to store virtual users' maildir folders. It will be managed by

dovecot, which receives mail via LMTP.

In order to secure our passwords, we need to remove world readable permissions

from /etc/mail and change file ownership:

    $ doas chmod -R o-rx /etc/mail/
    $ doas chown -R _smtpd:_dovecot /etc/mail/


In /etc/dovecot/dovecot.conf, add the following lines at the bottom of the file:

    protocols = imap pop3 lmtp
    listen = 192.168.0.1, 2001:db8::
    service lmtp {
      user = vmail
    }


This tells dovecot to listen to the protocols IMAP, POP3, and LMTP.

**Note**: We don't want to support submission with dovecot.

It also tells dovecot the public IPs you want it to listen on. Finally, the last

block tells dovecot to change to the username vmail to listen for LMTP.

To aid with troubleshooting, you can consider adding these lines:

    auth_verbose=yes
    auth_debug=yes
    auth_debug_passwords=yes
    mail_debug=yes
    auth_verbose_passwords=sha1
    verbose_ssl=yes


In /etc/dovecot/conf.d/10-auth.conf, first comment out auth-system.conf.ext 

    #!include auth-system.conf.ext


This prevents dovecot from using BSD auth.

Then at the bottom of the file, add these lines:

    passdb {
       args = scheme=blf-crypt /etc/mail/passwd
       driver = passwd-file
    }
    userdb {
       args = uid=vmail gid=vmail home=/var/vmail/%25d/%25n
       driver = static
    }


The first block defines our password database to use blowfish (see [blowfish(3)](https://man.openbsd.org/blowfish) and [[encrypt(1)](/https://man.openbsd.org/encrypt)).
The first block defines our password database to use blowfish (see [blowfish(3)](https://man.openbsd.org/blowfish) and [[encrypt(1)](/https://man.openbsd.org/encrypt)).

The second block says that the mail must be read by user ID and group ID vmail, and

that all mail will be in the folders /var/vmail/<domain>/<username>.

In /etc/dovecot/conf.d/10-mail.conf:

    mail_location = maildir:/var/vmail/%25d/%25n/Maildir


This again indicates all mail will be in the folders /var/vmail/<domain>/<username>.

In /etc/dovecot/conf.d/10-ssl.conf, make the changes to these lines:

    ssl = yes
    ...
    ssl_cert = </etc/ssl/example.com.crt
    ssl_key = </etc/ssl/private/example.com.key


You will need to replace example.com with your real domain.

Please read the instructions in the dovecot README in `/usr/local/share/doc/pkg-readmes/dovecot`. That file explains that you must add this [login class](/openbsd/loginconf) to /etc/login.conf:

    dovecot:\
             :openfiles-cur=4096:\
             :openfiles-max=8192:\
             :tc=daemon:


**WARNING**: You must use tabs and not spaces. If you use spaces in /etc/login.conf, the settings will **not** work.

**NOTE**: Allowing more open files than suggested in the README can help if you have many IP addresses.

**WARNING**: If login.conf.db exists, you will need to rebuild it:

    # [ -f /etc/login.conf.db ] && cap_mkdb /etc/login.conf


But it is best to just remove /etc/login.conf.db since it is not required:

    $ doas rm /etc/login.conf.db


## Starting dovecot

To start dovecot via [rcctl](/openbsd/rcctl):

    $ doas rcctl enable dovecot
    $ doas rcctl start dovecot


## Troubleshooting

Make sure to check /var/log/maillog:

    $ openssl s_client -starttls imap -connect username.coconut.ircnow.org:143


When starting dovecot, you may find it fails:

    $ doas rcctl start dovecot
    dovecot(failed)


When this happens, run the rc.d script with debugging turned on:

    $ doas /etc/rc.d/dovecot -d start
    doing _rc_parse_conf
    doing _rc_quirks
    dovecot_flags empty, using default ><
    doing rc_check
    dovecot
    doing rc_start
    doing _rc_wait start
    doing rc_check
    doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 12: ssl_cert: Can't open file /etc/ssl/dovecotcert.pem: No such file or directory
    doing _rc_rm_runfile
    (failed)


In this case, you can see the error is in line 12 of /etc/dovecot/conf.d/10-ssl.conf . I forgot to write the real path of the cert: `/etc/ssl/example.com.fullchain.pem` (where example.com is replaced with my real domain).

    Jun  9 01:37:35 jrmu dovecot: auth: Error: passwd-file(jrmu@jrmu.host.oddprotocol.org,125.231.25.80,<aiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)
    Jun  9 01:37:41 jrmu dovecot: auth: Error: passwd-file(jrmu@jrmu.host.oddprotocol.org,125.231.25.80,<aiyNgk/EuHB95xlQ>): stat(/etc/mail/passwd) failed: Permission denied (euid=518(_dovecot) egid=518(_dovecot) missing +x perm: /etc/mail, we're not in group 1003(_mail), dir owned by 95:1003 mode=0750)