Exim & Dovecot
January 14th, 2021 under Linux, Website Status

I finally set up my mail server with POP3 access. I just want to host a couple of mail addresses which map to users on the (Arch) Linux system. So no fancy virtual users or LDAP.

First, set up exim. The configuration is straightforward. Just read through the entire configuration file. It turns out I needed just a few adjustments. First, the proper primary_hostname must be set.

primary_hostname = ganymede.ch

Since I want to use TLS, the certificate and private key must be set. Don’t generate any self-signed key. This just causes problems because the certificate must always be added as an exception wherever it is used. So, generate a Let’s Encrypt certificate and point exim to the Let’s Encrypt files.

tls_certificate = /etc/letsencrypt/live/ganymede.ch/fullchain.pem
tls_privatekey = /etc/letsencrypt/live/ganymede.ch/privkey.pem

The Let’s Encrypt files can also be used for an Apache webserver. Apache is typically started with root privileges which it later drops. During this root phase, the certificate and private key are read by Apache. So the default permissions (mostly exclusively root access) of the Let’s Encrypt folder work just fine for Apache. Exim, on the other hand, reads the certificate and key only when a TLS connection is being established, by which point it is already running as the exim user. Hence the exim log shows a TLS error with a message like system library:fopen:Permission denied. An easy fix for this is to set the owner of the folders /etc/letsencrypt/live/ and /etc/letsencrypt/archive/ to the exim user and group. Clearly, this can cause problems if other users, without root privileges, need access to the files. However, this is not the case in my setup.

Next, I don’t want to allow mail delivery to all local users such as the exim or http user. I just want to whitelist certain users. This can be achieved by modifying the localuser router. Simply add local_parts = lsearch;/etc/mail/accepted_local_users. So the router looks like this:

localuser:
driver = accept
local_parts = lsearch;/etc/mail/accepted_local_users
check_local_user
transport = local_delivery
cannot_route_message = Unknown user

This router only routes if check_local_user succeeds and the local part is found in the accepted_local_users file. So, create the file accepted_local_users and write every username which is allowed to receive e-mails into the file, one username per line.
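To make the two preconditions concrete, here is an added example (not part of the original post) that emulates what the localuser router above does with a recipient address: an lsearch over the whitelist file plus the check_local_user lookup. The sample whitelist and the passwd stand-in are constructed; treating lines starting with # as comments and lowercasing the local part before routing are assumptions about exim's defaults.

```python
import re

# Constructed sample of /etc/mail/accepted_local_users in exim lsearch format:
# the key is the text up to the first ':' or whitespace, rest of line is data.
ACCEPTED_LOCAL_USERS = """\
# constructed sample: users allowed to receive mail
alice
bob: data after the colon is ignored by local_parts
"""

# Constructed stand-in for /etc/passwd: these are the accounts that exist.
SYSTEM_USERS = {"root", "exim", "http", "alice", "bob", "carol"}


def lsearch(key: str, text: str) -> bool:
    """Emulate exim's lsearch: a line matches when it begins with the key,
    terminated by ':' or whitespace or end of line (no partial matches).
    Assumption: blank lines and lines starting with '#' are comments."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = re.match(r"[^:\s]+", line)
        if m and m.group(0) == key:
            return True
    return False


def localuser_route(address: str, whitelist: str = ACCEPTED_LOCAL_USERS,
                    passwd=SYSTEM_USERS) -> str:
    """Return which router decision the address gets. Exim evaluates the
    local_parts precondition before check_local_user, so a non-whitelisted
    system user such as 'http' is declined on the whitelist, not on passwd."""
    local_part, _, _domain = address.partition("@")
    # Routers see the local part lowercased unless caseful_local_part is set.
    local_part = local_part.lower()
    if not lsearch(local_part, whitelist):
        return "declined: not in accepted_local_users (Unknown user)"
    if local_part not in passwd:  # check_local_user
        return "declined: no such local user"
    return "accepted: local_delivery"
```

Only the whitelisted and existing users alice and bob are delivered; exim, http and carol are declined even though they are real system users.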

That’s it… Exim with TLS done.

Let’s look at dovecot for the POP3 access. On Arch Linux the dovecot configuration is split into many files. The config files need to be copied into the /etc folder (see the Arch Linux wiki). The main config file is /etc/dovecot/dovecot.conf. There I restricted the supported protocols to pop3:

protocols = pop3

This main config file loads all config files from the conf.d subdirectory. Here I rely on the system (PAM) authentication by including auth-system.conf.ext:

!include auth-system.conf.ext

Again, as with exim, I want only whitelisted users to be able to log in and not all system users. To achieve this it is possible to use username_filter. Simply give it the usernames which are allowed to log in:

passdb {
driver = pam
username_filter = my_user my_user2
}

Of course we also want to secure the server with SSL. This is just as easy as before. Simply point dovecot to the Let’s Encrypt certificate and private key in 10-ssl.conf:

ssl_cert = </etc/letsencrypt/live/ganymede.ch/fullchain.pem
ssl_key = </etc/letsencrypt/live/ganymede.ch/privkey.pem

Since dovecot reads these files as root, we don’t have any permission issues here.

The last thing that needs to be done is to tell dovecot about the mailbox format and the mailbox locations. In the file 10-mail.conf write:

mail_location = mbox:~/mail:INBOX=/var/mail/%u

After that we are all done. You can receive e-mail for the given users and access the mails through POP3 with the system password of that user.

You can also send e-mail from your system (for instance through mail or with PHP) through exim to any e-mail address.