Dovecot Cheat Sheet

Just a collection of often-used commands for the IMAP server Dovecot that will grow over time. It is not a complete Dovecot set-up guide.

Dovecot Add Users

This works only when using the Dovecot-internal user database. In my case, this is the file /etc/dovecot/users. Add the following helper script and save it as /usr/local/bin/dovecot_add_user.sh. Change the variable DOVECOT_PWD_FILE or the password hashing scheme SHA512-CRYPT if required. It needs to match the configuration in /etc/dovecot/conf.d/auth-passwdfile.conf.ext.

#!/bin/bash
# Helper script to add new users to the Dovecot internal user database.
DOVECOT_PWD_FILE="/etc/dovecot/users"

# Require the username as the first argument. -gt is the numeric comparison;
# a bare > inside [ ] would be parsed as an output redirection.
[ "$#" -gt 0 ] || { echo "usage: $0 user@example.com" >&2; exit 1; }

# doveadm pw prompts for the password twice and prints {SHA512-CRYPT}$6$...
# Abort if it fails, so no entry with an empty hash is appended.
HASH=$(doveadm pw -s SHA512-CRYPT) || exit 1

# Append the user:hash line to the passwd-file and echo it for confirmation.
echo "$1:$HASH" | tee -a "$DOVECOT_PWD_FILE"

Set the executable bit:

chmod 755 /usr/local/bin/dovecot_add_user.sh

Add a new user like this:

dovecot_add_user.sh newuser@example.com
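An added check for the file the script above appends to (example code written for this cheat sheet, not part of the original or of Dovecot): it parses the passwd-file format, flags entries whose scheme differs from the one expected for the passdb, entries without a {SCHEME} prefix (which silently fall back to the configured default scheme), duplicate usernames and malformed lines. The users-file content is constructed; the hashes are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample in /etc/dovecot/users format (user:password:uid:gid:gecos:home:shell:extra).
# Line 2 uses a weak scheme, line 5 duplicates alice, line 6 is malformed,
# line 7 has a crypt hash without the {SCHEME} prefix.
SAMPLE_USERS_FILE = """\
alice@example.com:{SHA512-CRYPT}$6$8w3vZp1Q$placeholderhashvalue
bob@example.com:{PLAIN}secret
# comment line
carol@example.com:{SHA512-CRYPT}$6$abc$xyz:1000:1000::/var/mail/carol::
alice@example.com:{SHA512-CRYPT}$6$dup$dup
broken line without colon
dave@example.com:$6$nop$nop
"""

# Password field as written by "doveadm pw": {SCHEME} followed by the hash.
ENTRY_RE = re.compile(r"^\{(?P<scheme>[A-Z0-9.-]+)\}(?P<hash>.+)$")


def audit_passwd_file(text: str, expected_scheme: str = "SHA512-CRYPT") -> Dict[str, List[str]]:
    """Return findings keyed by category; all-empty lists mean the file is clean."""
    findings: Dict[str, List[str]] = {"malformed": [], "wrong_scheme": [], "duplicate": []}
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            findings["malformed"].append(f"line {lineno}")
            continue
        user, password = fields[0], fields[1]
        if user in seen:
            # A second entry for the same user is almost always an accidental re-run.
            findings["duplicate"].append(user)
        seen.add(user)
        m = ENTRY_RE.match(password)
        if m is None:
            findings["wrong_scheme"].append(f"{user} has no {{SCHEME}} prefix")
        elif m.group("scheme") != expected_scheme:
            findings["wrong_scheme"].append(f"{user} uses {m.group('scheme')}")
    return findings


if __name__ == "__main__":
    for category, items in audit_passwd_file(SAMPLE_USERS_FILE).items():
        print(category, items)
```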

Allow Access to Shared Folder

Any steps to initially set up shared folders (in the shared/user@example.com/ namespace) are omitted.

The example below uses the following users and mailbox:

  • owner@example.com – This user has permissions to grant access to the mailbox.
  • assistant@example.com – This user is granted access to the mailbox.
  • shared/user@example.com/INBOX – The mailbox that the assistant is granted access to.

doveadm acl set -u owner@example.com shared/user@example.com/INBOX user=assistant@example.com lookup read write write-seen insert

With the permissions above, the assistant cannot delete mails, but can mark them as seen and answered. See man doveadm-acl for details.

Display Access to Shared Folder

This displays the access granted for a particular mailbox.

doveadm acl rights -u owner@example.com shared/user@example.com/INBOX

Revoke Access to Shared Folder

This deletes an ACL on a particular mailbox. Afterwards the user assistant@example.com no longer has access to the specified mailbox.

doveadm acl delete -u owner@example.com shared/user@example.com/INBOX assistant@example.com

Remove Corrupted Message File

With sdbox mailbox format, if the logs indicate that a certain file is corrupted and cannot be read, here is how to get rid of this message:

doveadm expunge -u user@example.com MAILBOX INBOX UID 35835

35835 in the example above is the UID of the corrupted message as seen in the logs, where the file name carries a u. prefix, e.g. u.35835.

Linux: Restrict User/Group to Access the Internet only via VPN using Pyroman

On Linux, if you need a user, or an application running under a dedicated user, to access the internet only while a VPN connection is active, you can do that with a few firewall rules. One way is to use plain iptables statements. On Ubuntu, I'm using an iptables wrapper called Pyroman.

sudo apt-get install pyroman

In the example below, I am assuming that the system currently does not have any iptables rules in place. So, we are allowing any inbound and outbound traffic and are only restricting what matches the rule. In the file /etc/pyroman/00_iptables-defaults.py we therefore comment out the DROP defaults and replace them with ACCEPT lines.

# /etc/pyroman/00_iptables-defaults.py
# add_chain("INPUT",                     default="DROP")
add_chain("INPUT",                     default="ACCEPT")
# add_chain("OUTPUT",                    default="DROP")
add_chain("OUTPUT",                    default="ACCEPT")

Then connect to your VPN and see what network device it uses.

ip link

Also find out the user or group name you wish to restrict. Then create a file in the /etc/pyroman/ directory with a name that makes sense to you. In my example, I call it 05_deluge.py.

# /etc/pyroman/05_deluge.py
iptables(Firewall.output, "-p tcp -m owner --gid-owner debian-deluged ! -o tun0 -j %s" % Firewall.reject)
iptables(Firewall.output, "-p udp -m owner --gid-owner debian-deluged ! -o tun0 -j %s" % Firewall.reject)

In the example above, I am applying the rule on the group with the name debian-deluged. Change it to your use case. Also change the device from tun0 to whatever device your VPN creates.

Here is another example using NordVPN: its client creates a device called nordlynx, so the rules above would use ! -o nordlynx instead of ! -o tun0. The owner match supports either of these options:

  • --uid-owner – Match a user ID.
  • --gid-owner – Match a group ID.

Now just make sure Pyroman is enabled at every system boot:

sudo systemctl enable pyroman

Test it before relying on it! If you are using deluged, the same service as in my example, note that it needs a restart whenever the VPN connection is established:

sudo systemctl restart deluged.service

This could be automated at some point, I guess.