2023-03-15
As you may know, there are two kinds of email systems: Outlook and everything else. The non-Outlook-based email world consists mainly of three kinds of software: MDAs, MUAs, and anti-spam/antivirus. Dovecot is the glue between your MDA and your MUA.
MDAs are the mail delivery agents, such as SendMail, PostFix, OpenSMTPD, and more. An MDA usually speaks SMTP (the "Simple Mail Transfer Protocol") and is in charge of sending mail out to the internet, receiving incoming emails from other MDAs elsewhere on the internet, and saving incoming messages to disk or otherwise making them available so you can read them.
MUAs are the Mail User Agents, which usually run on end-user systems (desktops, mobile) and use either IMAP ("Internet Mail Access Protocol") or the older Post Office Protocol (POP) to download messages from a server where the MDA has stored them, to the desktop or mobile device where you read them. MUAs also handle composing emails and sending them up to the mail server. Well-known desktop MUAs include Thunderbird and Apple Mail; on Android, Gmail and K9 Mail. Web-based MUAs - such as SquirrelMail - provide, or run in, a web server, usually on the same machine as the MDA. The original GMail works this way, and Outlook also has a web face.
The third group, anti-spam and antivirus software, is similar to desktop antivirus software but aimed at cooperating with the MUAs, MDAs, or both. These aim to prevent malicious messages from wasting your time and computing resources.
Sys Admin Make Mail Move
For the typical case of mail clients, if you're the server administrator, you need to support IMAP and maybe POP. Some MDAs have IMAP/POP support built in. However, many developers (myself included) consider that doing so makes the MDA too big and complicated. Any software directly accessible from the internet ought to be small enough that one programmer can audit the source code for security errors. Hence the need for a separate download (IMAP) server.
I run a small server for our use, with half a dozen users. The operating system is OpenBSD, but Unix or Linux could run the same software. OpenBSD ships with its own MDA, opensmtpd. OpenSMTPD fits our "small enough for one developer to code review" rather better than the larger sendmail and postfix packages. For some years, I ran various POP and IMAP servers to support various MUA mail clients. After a while, I consolidated a bit: the last POP user switched to IMAP. Most non-sysadmin users won't care what you use as long as it works. Concentrating on one protocol simplifies things.
I had installed two IMAP packages, Courier-Imap and UW-Imap, though obviously, only one was used at a time. Both suffer from over-engineering, complex configuration, multiple packages needed for authentication/encryption, and strange messages.
One of those strange messages got me to look around for other software.
Feb 21 21:07:16 darwinsys imapd[1810]: Autologout user=david@androidcookbook.com host=static-ip-cr18163255231.cable.net.co [181.63.255.231]
Was I hacked? No
I run several websites on the same server machine, including androidcookbook.com, the support and contribution site for O'Reilly's Android Cookbook. The web server there is written using the Java Enterprise tools that we cover in Learning Tree course 936, {course:936}.
And there is no user named david.
So perhaps hackers had found a way to log in to my IMAP server (unlikely). Or, the server was reporting "logout" for people that had started but not completed a login (more likely). At that point, late at night, I didn't care which. So I shut down all IMAP support for the night, posted a message to anyone using the system (nobody was), and went to bed.
Dovecot
A Google search on "Courier UW-Imap" led me to a three-way comparison that included Dovecot, and the chase was on! Somehow I had previously assumed that Dovecot was an MUA instead of an IMAP server. So I installed Dovecot on my backup server and started configuring it. All this installation takes on OpenBSD is a command like sudo pkg_add dovecot. The configuration is actually relatively simple, though you have to tailor things a bit. The configuration consists of a dozen small files in a subdirectory (/etc/dovecot/conf.d). You can include or exclude these into the "main" control file, /etc/dovecot/dovecot.conf. There's even a tool that reminds you of all the changes you've made, doveconf.
About an hour in, I had a working configuration, so I cloned that onto the production server, installed the dovecot package there, too, started it up, and kept an eye on the logs. Like most IMAP servers, Dovecot normally listens on both TCP port 143 for non-SSL-encrypted connections and port 993 for SSL'd IMAP. The only minor hitch is that I didn't yet find a way to stop it listening on the non-SSL port, but that's easy to block with the pf firewall. Sure enough, users downloaded mail via IMAP without changing their desktop or mobile configuration. And, now I was getting decent "rejection" messages for the hackers who try to log in, such as this one:
Feb 22 13:37:45 darwinsys dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<office@androidcookbook.com>, method=PLAIN, rip=83.218.109.4, lip=69.172.254.175, TLS, session=<yLopeOSCL4dT2m0E>
There's no "office" account here either, but at least now I get the correct messages.
And I have a more straightforward configuration. There's only one installed package (Dovecot) to update to keep my IMAP software simple, sane and secure. Since the system I use has good package management tools, that part's easy too. And that's why Dovecot is my new best friend of email software.
This piece was originally posted on Nov 12, 2019, and has been refreshed with updated styling.