Univention has integrated Dovecot as the new default IMAP/POP3 mail server in UCS. This article gives a first overview of this integration.

Why Dovecot as default IMAP/POP3 server in UCS?
Dovecot focuses on security, stability and performance while complying with established standards. Similarly to Postfix, Dovecot starts a number of separate processes for different tasks. These processes run under different user and group IDs, so that the compromise of one process has a limited impact.

Dovecot supports several backend storage formats: mbox, Maildir and dbox. In each case it uses indices to speed up access. Its self-healing and self-optimizing features reduce the need for tedious administrative intervention and simplify backups.

One of Dovecot’s design paradigms is that multiple processes may want to access the same mailbox at the same time. Accordingly it is well prepared to deal with mailboxes on network storage. It is also well suited for larger projects and possible future extensions of the UCS integration: Dovecot offers, for example, a load balancer for clustered setups, which helps administrators scale the service horizontally as well as vertically.

Speaking of scaling: Dovecot scales impressively. It saves resources in small setups, but also sizes up to serve enterprises with several million users.

Dovecot is one of the few fully standards-compliant IMAP servers. That said, its behavior can be adjusted to be compatible with non-standard IMAP clients.

UCS Integration of Dovecot

Univention integrates Dovecot version 2.2.13 in UCS 4.0. From now on, new installations of UCS 4.0-2 will run Dovecot instead of Cyrus. Existing UCS systems with Cyrus are not affected.
Installing Dovecot in UCS is as simple as opening the Univention App Center and choosing the UCS “Mailserver” app for installation. If Cyrus is preferred, please see the instructions in the specific section below. If emails need to be collected from external mail servers, installing the “Fetchmail” app may be useful as well.

Administration of Dovecot via Univention Management Console

Administrators use the familiar web interface of the Univention Management Console (UMC) to add, modify or delete users, domains, groups and global IMAP folders. After installing the “Mailserver” app, open the UMC module “Mail” and configure the desired mail domains in the section “Domain”. These can of course differ from the name of the UCS domain.

A mail account is created by assigning a primary email address to a user. Additional addresses (aliases) may be added in the advanced settings of the user object. Mail quota and the mail home server can be configured there as well.

So, what is this mail home server about? If there are several IMAP servers in the UCS domain, users can be assigned to specific “home servers”. The user’s emails are stored on that server only. Any UCS mail server can accept email for that user, though; it is then delivered internally to the home server.
Home servers can be used to achieve a simple form of load balancing, or, in spatially distributed organizations, to store the mails close to the user.

Email addresses can also be assigned to user groups via the advanced settings of the UMC group module. An email sent to such an address is delivered to all members of the group. This is useful for teams and saves the error-prone maintenance of address lists.

Dovecot also supports global IMAP folders (shared folders) with access control lists (ACLs). Optionally an email address can be assigned to them as well. The global IMAP folders are configured in the UMC module “Mail” as well.

Details about the administration of Dovecot in UCS

Dovecot is ready to use directly after installation. The services for email retrieval via IMAP (ports 143, 993) and POP3 (ports 110, 995) are running, as is the service for managing Sieve filter scripts (ManageSieve, port 4190). Plaintext authentication over unencrypted connections is disabled on all ports, so clients have to use TLS (either STARTTLS on the standard ports or the dedicated SSL ports) before they can log in.

Three additional services are running for Postfix: First, the Dovecot implementation of SASL listens for authentication requests. Second, a socket receives new emails via LMTP for storage in the Dovecot backend. And finally, the service for checking mail quota accepts requests on localhost (port 12340), so Postfix can check the quota during an SMTP session before accepting new email.

Dovecot’s default storage format is Maildir++. It is a backward- and forward-compatible extension of the Maildir standard that supports quota and subfolders. The format is well suited for fast backups and storage on NFS, and promises excellent performance on small to medium installations.

UCS stores user mailboxes below /var/spool/dovecot/private//. In Dovecot terminology this corresponds to the “mail home”. The “mail directory”, or “mail_location” setting, refers to the directory “Maildir” below the “mail home”; this is where the Maildir directory tree starts. Below the “mail home” there is an additional directory called “sieve”. It contains the Sieve filter scripts that have been uploaded by UCS or by the user; a symbolic link in the “mail home” points to the script that is currently active.

Creating and Subscribing Special-Use-Folders

Dovecot is very efficient at its data management. When creating an email account, Dovecot doesn’t create any folder structures for it by default.

Dovecot creates folders automatically on first access if they don’t exist yet in the file system. The access happens via IMAP by the user’s email client or via LMTP during delivery of new email by Postfix. During delivery the active Sieve script is executed automatically.

Since a Sieve filter script against spam is generated automatically on UCS mail servers, Dovecot creates at least the root folder of the folder structure for each new user mailbox. Many users expect to find a couple of typical folders in a new account. For these to show up in email clients, the user must already be subscribed to them. For that purpose there is a family of UCR variables mail/dovecot/mailboxes/auto/NAME=VALUE, which configure automatic creation and subscription of folders. A VALUE of create causes automatic creation of folder NAME. A VALUE of subscribe additionally causes automatic subscription. Setting VALUE to no disables any default action (surprise...).

E.g. automatic creation and subscription of a Trash folder can be configured like this:
# ucr set mail/dovecot/mailboxes/auto/Trash=subscribe
# doveadm reload

Additionally, folders can be marked with a “special-use” attribute according to RFC 6154. This attribute signals the purpose of a folder to mail clients. Valid values are: "\All", "\Archive", "\Drafts", "\Flagged", "\Junk", "\Sent" and "\Trash". These values can be configured for each mail folder via UCR. After installation of Dovecot these variables are already set to default values for the usual folders (Drafts, Junk, Spam, Sent, Trash). The folder “Sent” may have a different name, e.g. depending on the local language. In that case a differently named folder can be marked as such:
# ucr set "mail/dovecot/mailboxes/special/Gesendete Objekte=\Sent"

And for automatic subscription of the folder:
# ucr set "mail/dovecot/mailboxes/auto/Gesendete Objekte=subscribe"

To activate the changes the Dovecot configuration needs to be reloaded:
# doveadm reload

Set and monitor Quota for Dovecot

Email quota limits enforced by Dovecot can be configured per user. The advanced settings of a user object in UMC specify the email quota in MB. Changes take effect immediately. UMC’s multi-edit mode is useful for adjusting the setting for several users at once.

Mailbox sizes of an individual user (pass the user name after -u) or of all users can be displayed with the following commands:
# doveadm quota get -u
# doveadm quota get -A
To avoid users getting surprised by sudden quota limit enforcement, warning messages can be sent at certain levels of mailbox size. The threshold value which triggers a message can be configured along with an email subject and message body.

UCS defaults are configured such that a warning message is sent at 80% and 95%:
mail/dovecot/quota/warning/subject="Quota-Warning"
mail/dovecot/quota/warning/text/80="Your mailbox has filled up to over $PERCENT%."
mail/dovecot/quota/warning/text/95="Attention: Your mailbox has already filled up to over $PERCENT%."

The string $PERCENT gets replaced by the exceeded value in the email.

E.g. you can configure the following German equivalents:
# ucr set "mail/dovecot/quota/warning/subject=Quota Warnung" \
"mail/dovecot/quota/warning/text/80=Ihr Postfach ist zu über $PERCENT% gefüllt." \
"mail/dovecot/quota/warning/text/95=Achtung: Ihr Postfach ist bereits zu über $PERCENT% gefüllt. Bitte löschen Sie einige Nachrichten oder wenden Sie sich an den Administrator."

Dovecot Backend

Messages for users who have already exceeded their quota would, if accepted, bounce later on and cause backscatter or clog up the mail server’s queues. That is why mail addressed to full mailboxes should be refused directly during reception, i.e. while the sending server is still connected and responsible for the message. Backscatter generated later could negatively impact the reputation of the mail server.

Postfix and Dovecot are configured on UCS servers such that Postfix asks Dovecot directly during the SMTP session whether there is a reason to reject the incoming email. That is why Dovecot runs the “service for checking mail quota” mentioned above (the “quota-status service”). By default it only answers queries on the loopback interface, so it can only be reached by services like Postfix running locally on the same system.
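The following is an added example, not code from the Univention article or from Dovecot or Postfix itself. It re-enacts the Postfix policy-delegation exchange that check_policy_service uses to ask the quota-status service whether a recipient can still accept a message of the announced size, with both sides of the conversation in one file. The quota table, recipients and message sizes are constructed test data, the accounting rule (reject if used + size would exceed the limit) is a simplification of what Dovecot does, and the service runs as a plain function instead of listening on 127.0.0.1:12340. The three reply strings are Dovecot’s defaults for quota_status_success, quota_status_nouser and quota_status_overquota.

```python
# Added example, not code from the Univention article or from Dovecot/Postfix:
# the Postfix policy-delegation protocol as spoken between smtpd (client) and
# Dovecot's quota-status service (server). Quota table and messages are
# constructed test data; the "service" is an in-process function.

# Dovecot defaults for the settings quota_status_success, quota_status_nouser
# and quota_status_overquota. DUNNO leaves the decision to later restrictions.
ACTION_SUCCESS = "DUNNO"
ACTION_NOUSER = "DUNNO"
ACTION_OVERQUOTA = "552 5.2.2 Mailbox is full"

# Constructed quota table: recipient -> (bytes currently used, limit in bytes).
MIB = 1024 * 1024
MAILBOXES = {
    "alice@example.org": (40 * MIB, 50 * MIB),
    "bob@example.org": (49 * MIB, 50 * MIB),
}


def encode_policy_request(attrs):
    """Serialise a request the way Postfix sends it: one name=value line per
    attribute, terminated by an empty line."""
    return "".join(f"{name}={value}\n" for name, value in attrs.items()) + "\n"


def parse_policy_request(raw):
    """Parse the wire format back into a dict; the empty line ends the request.
    Values may themselves contain '=', so split on the first one only."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def quota_status(raw_request):
    """Answer like the quota-status service (simplified accounting: the message
    counts against the quota if used + size exceeds the limit). Returns the wire
    response, an 'action=' attribute followed by an empty line."""
    req = parse_policy_request(raw_request)
    recipient = req.get("recipient", "")
    # Postfix only knows the size at RCPT time if the client used SIZE in MAIL FROM;
    # otherwise it sends 0, which makes this a pure "is the mailbox full" check.
    size = int(req.get("size") or 0)
    entry = MAILBOXES.get(recipient)
    if entry is None:
        action = ACTION_NOUSER
    else:
        used, limit = entry
        action = ACTION_OVERQUOTA if used + size > limit else ACTION_SUCCESS
    return f"action={action}\n\n"


def parse_policy_response(raw):
    """Extract the action Postfix will apply from the service's reply."""
    return parse_policy_request(raw).get("action", "DUNNO")


def smtpd_decision(sender, recipient, size):
    """Run the full exchange as smtpd would during RCPT TO and return the action
    Postfix applies before it takes responsibility for the message."""
    request = encode_policy_request({
        "request": "smtpd_access_policy",
        "protocol_state": "RCPT",
        "sender": sender,
        "recipient": recipient,
        "size": size,
    })
    return parse_policy_response(quota_status(request))


if __name__ == "__main__":
    for rcpt, size in [("alice@example.org", 1 * MIB),
                       ("bob@example.org", 2 * MIB),
                       ("nobody@example.org", 1 * MIB)]:
        print(f"{rcpt} ({size} bytes): {smtpd_decision('ext@example.com', rcpt, size)}")
```

The "552 5.2.2" answer is what the sending server sees as the SMTP reply to RCPT TO, so the message never enters the queue and no bounce has to be generated later. Because the real service speaks this protocol without any authentication, exposing port 12340 beyond the loopback interface hands every reachable host a free oracle for which mailboxes exist and which are full.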

If a Postfix instance running on an external system is to use the quota-status service, the service needs to bind to an external interface as well and the firewall rules need to be adjusted. Note that the quota-status service performs no authentication of its own, so where possible use the address of the remote Postfix host in place of all in the packet filter variable instead of opening the port to everyone:
# ucr set mail/dovecot/quota-status/ip=0.0.0.0 \
mail/dovecot/quota-status/port=12340 \
security/packetfilter/package/univention-mail-dovecot/tcp/12340/all="ACCEPT" \
security/packetfilter/package/univention-mail-dovecot/tcp/12340/all/en="quota-status"
# /etc/init.d/univention-firewall restart
# doveadm reload

Activating Configuration Changes

After changing configuration files Dovecot needs to be asked to reload them:
# doveadm reload

Users currently logged in usually are not affected by configuration changes, since only the master process picks up the new configuration. Established connections are handled by separate processes, so they remain unaffected. The following command may be run to check which users currently are logged in and which processes serve them:
# doveadm who
To terminate established user connections the following command may be used:
# doveadm kick
Wildcards like '?' and '*' can be used here, e.g. »doveadm kick '*@example.org'«.
This usually has no negative impact on IMAP clients. They simply reconnect after some time.

Certain configuration changes only take effect after a restart of all Dovecot server processes, e.g. changes to the caching of authentication data. In such cases the Dovecot service can be restarted using the UMC module “System services” or by running
# /etc/init.d/dovecot restart

Migration from Cyrus to Dovecot

Automatic migration from Cyrus to Dovecot is not supported by the UCS mail stack. A forthcoming article in the Univention Support Database (SDB) will outline the procedure for some scenarios.

Installation of the Mailserver App with Cyrus
Even though Dovecot has been integrated as the standard IMAP server for UCS, the previous default IMAP server Cyrus has not been deprecated yet. Cyrus continues to be available and installable to provide IMAP and POP3 services.
The following command may be used to install the Univention mail server with Cyrus:
# univention-install univention-mail-server univention-mail-cyrus
More information about the Cyrus installation and integration can be found in the documentation of the Cyrus mail server.

Microsoft Outlook with Dovecot and UCS

The UCS default configuration supports standard compliant POP3 and IMAP clients like Mozilla Thunderbird, K9-Mail, Horde and OX App Suite. UCS also automatically activates workarounds required for the POP3 implementation of Microsoft Outlook.

Since Microsoft Outlook does not support STARTTLS, it is necessary to activate “SSL” in the advanced settings of that mail account in Microsoft Outlook (for IMAP that is port 993, for POP3 port 995). Alternatively, the mandatory transport encryption can be disabled on the Dovecot server by setting mail/dovecot/ssl/disable_plaintext_auth=no in UCR. Please note that this is strongly discouraged for security reasons, since passwords are then transferred in plain text.

Performance / Scaling

UCS pre-configures Dovecot for a maximum of 400 simultaneous IMAP and POP3 connections each. As with other IMAP servers, this translates into a considerably lower number of simultaneous users, depending on the behavior of the mail clients: some mobile clients, for example, do not close unused connections correctly, and some webmail clients open multiple connections per user.
The primary purpose of the connection limits is to counter denial-of-service attacks that would otherwise create excessive numbers of processes or network connections.

In case the limit is reached, Dovecot logs a message into /var/log/dovecot.info:
master: Warning: service(imap-login): process_limit (400) reached, client connections are being dropped

The command doveadm who may be used at any time to check the number of connections per user and source IP. The option "-1" prints each connection on a separate line. This can be used to count the number of open connections (the output includes a header line, so subtract one from the result):
# doveadm who -1 | wc -l

To change the limit, the UCR variables prefixed with mail/dovecot/limits/* can be adjusted. Due to the complex interaction of these variables the adjustment process is only semi-automatic. The purpose of those variables is described in the Dovecot documentation in the section “Service configuration“. E.g. to raise the maximum number of simultaneous POP3 and IMAP connections to 3000, the following command may be used:
# ucr set mail/dovecot/limits/default_client_limit=3000 \
mail/dovecot/limits/default_process_limit=3000
# doveadm reload

The aforementioned complex interaction of different limits in Dovecot can cause warning messages indicating possible inconsistencies. These will be logged to /var/log/dovecot.info:
config: Warning: service auth { client_limit=2000 } is lower than required under max. load (15000)
config: Warning: service anvil { client_limit=1603 } is lower than required under max. load (12003)

After each adjustment this log file should be checked for these or similar messages to be able to adjust the limits to achieve the desired effect.
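As an added example (not code from the article or from Dovecot), the following script does what the two checks above ask an administrator to do by hand: it parses the one-line-per-connection output of doveadm who -1 into counts per user and per source IP, flags clients that hold an unusual number of sessions, and recognises the process_limit and client_limit warnings from /var/log/dovecot.info so that they can be compared with the configured limits. Both the doveadm output and the log lines below are constructed samples in the format shown in the article; the column layout of doveadm who -1 (username, proto, pid, ip, preceded by a header line) is assumed.

```python
# Added example, not code from the Univention article or from Dovecot:
# connection accounting from "doveadm who -1" output and detection of the
# limit-related warnings Dovecot writes to /var/log/dovecot.info.
# All sample data below is constructed.
import re
from collections import Counter

# Constructed "doveadm who -1" output; the first line is the column header,
# which is why a plain "| wc -l" counts one line too many.
SAMPLE_WHO = """\
username          proto pid   ip
alice@example.org imap  18152 192.168.10.1
alice@example.org imap  18153 192.168.10.1
alice@example.org imap  18160 10.0.0.7
bob@example.org   pop3  18201 192.168.10.2
carol@example.org imap  18210 203.0.113.5
carol@example.org imap  18211 203.0.113.5
carol@example.org imap  18212 203.0.113.5
carol@example.org imap  18213 203.0.113.5
"""

# Constructed dovecot.info lines in the form quoted in the article.
SAMPLE_LOG = [
    "master: Warning: service(imap-login): process_limit (400) reached, "
    "client connections are being dropped",
    "config: Warning: service auth { client_limit=2000 } is lower than "
    "required under max. load (15000)",
    "imap-login: Info: Login: user=<alice@example.org>, method=PLAIN, rip=192.168.10.1",
]

PROCESS_LIMIT_RE = re.compile(
    r"service\((?P<service>[^)]+)\): process_limit \((?P<limit>\d+)\) reached")
CLIENT_LIMIT_RE = re.compile(
    r"service (?P<service>\S+) \{ client_limit=(?P<have>\d+) \} is lower than "
    r"required under max\. load \((?P<need>\d+)\)")


def parse_who(text):
    """One dict per connection; the header line and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "username":
            continue
        rows.append({"user": parts[0], "proto": parts[1],
                     "pid": int(parts[2]), "ip": parts[3]})
    return rows


def connection_summary(rows):
    """Total connections plus counts per user, per source IP and per protocol,
    i.e. the numbers to hold against process_limit/client_limit."""
    return {
        "total": len(rows),
        "per_user": Counter(r["user"] for r in rows),
        "per_ip": Counter(r["ip"] for r in rows),
        "per_proto": Counter(r["proto"] for r in rows),
    }


def heavy_clients(rows, threshold):
    """Users and source IPs holding at least `threshold` connections: typical
    for clients that never close idle sessions, and candidates for doveadm kick."""
    summary = connection_summary(rows)
    return {
        "users": sorted((u, n) for u, n in summary["per_user"].items() if n >= threshold),
        "ips": sorted((ip, n) for ip, n in summary["per_ip"].items() if n >= threshold),
    }


def limit_findings(lines):
    """Extract limit warnings as (kind, service, have, need) tuples; `need` is
    None for the 'process_limit reached' message, which names only the limit."""
    findings = []
    for line in lines:
        m = PROCESS_LIMIT_RE.search(line)
        if m:
            findings.append(("process_limit_reached", m["service"], int(m["limit"]), None))
            continue
        m = CLIENT_LIMIT_RE.search(line)
        if m:
            findings.append(("client_limit_too_low", m["service"],
                             int(m["have"]), int(m["need"])))
    return findings


if __name__ == "__main__":
    rows = parse_who(SAMPLE_WHO)
    print(connection_summary(rows))
    print(heavy_clients(rows, 3))
    for finding in limit_findings(SAMPLE_LOG):
        print(finding)
```

On a live system the input would come from `doveadm who -1` and from the log file instead of the constructed strings; a finding of kind process_limit_reached is the signal that legitimate users are being dropped, and the per-user and per-IP counts show whether a few misbehaving clients, rather than the user count, are what exhausted the limit.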

Please note that an adjusted value of the Linux kernel ulimit for the maximum number of open files and connections per process is only applied after a restart of the Dovecot service, which may be initiated by running:
# /etc/init.d/dovecot restart

High-Performance Mode

The UCS default configuration runs Dovecot in “High-security mode”. Each connection is served by a separate login process. Login processes are responsible for authentication and serve as SSL proxy between user and IMAP process. In case the security of an individual login process gets compromised (e.g. due to a security issue in Dovecot or OpenSSL), the impact is limited to the password and emails of the user served by this process.
This security comes at the price of running at least two processes per user and connection.

Installations with tens of thousands of users may thus hit resource limits. In this case Dovecot can be run in “High-performance mode”, which allows login processes to serve more than one connection. This is configured by setting mail/dovecot/limits/imap-login/service_count=0 in UCR.
In this mode, an example setting of client_limit=1000 and process_limit=100 would start only 100 login processes, but each of these serves up to 1000 connections, i.e. up to 100,000 connections in total.
The price: if a login process gets compromised, an attacker might access the login credentials and email of all users currently served by that process.

To distribute the load of login processes evenly over all CPU cores, the UCR variable mail/dovecot/limits/imap-login/process_min_avail should be set to the number of CPU cores available to the system.

Relevant Dovecot documentation:

http://wiki2.dovecot.org/PerformanceTuning
http://wiki2.dovecot.org/LoginProcess
http://wiki2.dovecot.org/Services

Auth caching

Authenticating users against LDAP is expensive. To reduce the load on the LDAP server and speed up logins, authentication data is cached.

The lifetime of positive and negative cache entries and the size of the cache can be adjusted via the UCR variables mail/dovecot/auth/cache_*.

Statistics about cache efficiency may be obtained by sending a signal to the main authentication process:
# kill -s SIGUSR2
It is important to send this signal only to the correct process, to avoid accidentally terminating the whole IMAP server. The relevant process is called "dovecot/auth" without a trailing "-w".

A cache can have an unwanted effect, e.g. in case the password of a user is changed and should be in effect immediately. In this case Dovecot can be told to flush caches immediately:
# doveadm auth cache flush

Logging

Dovecot writes log files for monitoring. By default messages get sent to syslog which sorts them according to the log level: /var/log/dovecot.err, dovecot.warn or dovecot.info. /var/log/dovecot.log contains all messages regardless of the log level, including “debug” and the file dovecot.lmtp contains only messages from the LMTP service.

The UCR variables affecting logging are mail/dovecot/logging/*. They control where and what is logged above the error level.

Changes to the configuration of logging targets (log_path, info_log_path, debug_log_path, syslog_facility) can be checked for effectiveness with the “doveadm log” commands:
# doveadm log test
# doveadm log find


Daniel Tröder is Open Source Software Engineer. Currently, he is intensively taking care of the further development of the UCS mail stack.
