Rootless Installation

It’s possible to make Dovecot run under a single system user without requiring root privileges at any point. This shouldn’t be thought of as a security feature, but instead simply as a way for non-admins to run Dovecot in their favorite mail server. It’s also useful if you just wish to test Dovecot without messing up your system.

If you think of this as a good way to achieve security, ask yourself which is worse:

  • A very small possibility to get root privileges through Dovecot.

  • A small possibility without logging in, to get into system as a non-privileged dovecot user, chrooted into an empty directory.

  • A small possibility to get user’s privileges after logging in, but no possibility to read others’ mails since they’re saved with different UIDs (plus you might also be chrooted to your own mailbox).

  • Absolutely zero possibility to get root privileges through Dovecot.

  • A small possibility to get into system as a mail user, possibly even without logging in, and being able to read everyone’s mail (and finally gaining roots by exploiting some just discovered local vulnerability, unless you bothered to set up a special chrooted environment).

Installation

Install somewhere under home directory:

./configure --prefix=$HOME/dovecot
make
make install

Dovecot is then started by running ~/dovecot/sbin/dovecot. The example configuration file exists in ~/dovecot/share/doc/dovecot/example-config/ and needs to be copied to ~/dovecot/etc/dovecot/.

Add capabilities

Modern linux systems support capabilities which allows you to permit selective rights to processes. This allows you to run dovecot rootless without losing chroot and privileged ports.

Use following commands to enable this

setcap cap_net_bind_service+ep ~/dovecot/sbin/dovecot
setcap cap_sys_chroot+ep ~/dovecot/libexec/dovecot/script-login
setcap cap_sys_chroot+ep ~/dovecot/libexec/dovecot/imap-urlauth-login
setcap cap_sys_chroot+ep ~/dovecot/libexec/dovecot/submission-login
setcap cap_sys_chroot+ep ~/dovecot/libexec/dovecot/managesieve-login
setcap cap_sys_chroot+ep ~/dovecot/libexec/dovecot/pop3-login
setcap cap_sys_chroot+ep ~/dovecot/libexec/dovecot/imap-login
setcap cap_sys_chroot+ep ~/dovecot/libexec/dovecot/lmtp
setcap cap_sys_chroot+ep ~/dovecot/libexec/dovecot/anvil

# if you have installed managesieve
setcap cap_sys_chroot+ep ~/dovecot/libexec/dovecot/managesieve-login

Configuration

The important settings to change for rootless installation are:

  • Set usernames and group to the user which dovecot will be run under:

    default_internal_user = user
    default_login_user = user
    default_internal_group = group
    
  • Remove default chrooting from all services, this is optional if you want to use Linux capabilities instead.

    service anvil {
      chroot =
    }
    service imap-login {
      chroot =
    }
    service pop3-login {
      chroot =
    }
    
  • Change listener ports, this is optional if you want to use Linux capabilities instead

    service imap-login {
      inet_listener imap {
        port = 10143
      }
      inet_listener imaps {
        port = 10993
      }
    }
    service pop3-login {
      inet_listener pop3 {
        port = 10110
      }
      inet_listener pop3s {
        port = 10995
      }
    }
    
  • Change logging destination:

    log_path = /home/user/dovecot.log
    
  • Instead of PAM use for example passwd-file:

    passdb {
      driver = passwd-file
      args = /home/user/dovecot/etc/passwd
    }
    userdb {
      driver = passwd
    }
    

    Where the passwd file contains the username and password for your login user:

    user:{PLAIN}pass