As you may know, there are two kinds of email systems: Outlook, and everything else. The non-Outlook-based email world consists mainly of three kinds of software: MDAs, MUAs, and anti-spam/antivirus. Dovecot is the glue between your MDA and your MUA.[gview file=”https://blog.learningtree.com/wp-content/uploads/pdf/dovecot-email-flow.pdf”]
MDAs are the mail delivery agents, such as SendMail, PostFix, OpenSMTPD, and more. An MDA normally speaks SMTP (the “Simple Mail Transfer Protocol”) and is in charge of sending mail out to the internet, receiving incoming emails from other MDAs elsewhere on the internet, and saving incoming messages to disk or otherwise making them available so you can read them.
MUAs are the Mail User Agents, which usually run on end-user systems (desktops, mobile) and use either IMAP (“Internet Mail Access Protocol”) or the older Post Office Protocol (POP) to download messages, from a server where the MDA has stored them, to the desktop or mobile device where you read them. MUAs also handle composing emails and sending them up to the mail server. Well-known desktop MUAs include Thunderbird and Apple Mail; on Android, GMail and K9 Mail. Web-based MUAs – such as SquirrelMail – either provide, or run in, a web server, usually on the same machine as the MDA. The original GMail works this way, and Outlook has a web face as well.
The third group, anti-spam and anti-virus software, is similar to desktop anti-virus software, but aimed at cooperating with the MUAs or MDAs, or both. These aim to prevent malicious messages from wasting your time and computing resources.
For the common case of mail clients, if you’re the server administrator, you need to support IMAP and maybe POP. Some MDAs have IMAP/POP support built in. However many developers (myself included) consider that doing so makes the MDA too big and complicated. Any piece of software that is directly accessible from the internet ought to be small enough that one programmer can audit the source code for security errors. Hence the need for a separate download (IMAP) server.
I run a small server for our own use, with half a dozen users. The operating system is OpenBSD, but any Unix or Linux could run the same software. OpenBSD ships with its own MDA, opensmtpd. OpenSMTPD fits our “small enough for one developer to code review” rather better than the larger sendmail and postfix packages. For some years I ran a variety of POP and IMAP servers to support various MUA mail clients. After a while I consolidated a bit: the last POP user switched over to IMAP. Most non-sysadmin users won’t care what you use as long as it works. Concentrating on one protocol simplifies things.
At the time I had installed two IMAP packages, Courier-Imap and UW-Imap, though obviously only one was in use at a time. Both suffer from over-engineering, complex configuration, multiple packages needed for authentication/encryption, and strange messages.
It was one of those strange messages that got me to look around for other software.
Feb 21 21:07:16 darwinsys imapd: Autologout email@example.com host=static-ip-cr18163255231.cable.net.co [188.8.131.52]
On the same server machine I run several websites, including androidcookbook.com, the support and contribution site for O’Reilly’s Android Cookbook. The web server there is written using the Java Enterprise tools that we cover in Learning Tree Course 936.
And there is no user named david.
So perhaps hackers had found a way to login to my IMAP server (unlikely). Or, the server was reporting “logout” for people that had started but not completed a login (more likely). At that point, late at night, I didn’t care which. I shut down all IMAP support for the night, posted a message to anyone using the system (nobody was), and went to bed.
A Google search on “Courier UW-Imap” led me to a three-way comparison that included Dovecot, and the chase was on! Somehow I had previously gotten the impression that Dovecot was a MUA instead of an IMAP server. I installed Dovecot on my backup server, and started configuring it. All that this installation takes on OpenBSD is a command like sudo pkg_add dovecot. The configuration is actually fairly simple, though you have to tailor things a bit. The configuration consists of a dozen small files in a subdirectory (/etc/dovecot/conf.d). You can include into or exclude these into the “main” control file, /etc/dovecot/dovecot.conf. There’s even a tool that reminds you of all the changes you’ve made, doveconf.
About an hour in I had a working configuration, so I cloned that onto the production server, installed the dovecot package there too, started it up, and kept an eye on the logs. Like most IMAP servers, Dovecot normally listens on both TCP port 143 for non-SSL-encrypted connections, and port 993 for SSL’d IMAP. The only minor hitch is that I didn’t yet find a way to stop it listening on the non-SSL port, but that’s easy to block with the pf firewall. Sure enough, users were downloading mail via IMAP with no change to their desktop or mobile configuration. And, now I was getting decent “rejection” messages for the hackers who try to login, such as this one:
Feb 22 13:37:45 darwinsys dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<firstname.lastname@example.org>, method=PLAIN, rip=184.108.40.206, lip=220.127.116.11, TLS, session=<yLopeOSCL4dT2m0E>
There’s no “office” account here either, but at least now I get correct messages.
And I have a simpler configuration. There’s only one installed package (dovecot) to update to keep my IMAP software simple, sane and secure. Since the system I use has good package management tools, that part’s easy too. And that’s why Dovecot is my new best friend of email software.