@rplessl
Last active October 14, 2022 21:38
Configuration of Dovecot as an IMAP proxy for Zimbra (especially Zimbra MTA)

Dovecot as an IMAP Proxy for Zimbra (Zimbra - MTA)

When using Dovecot as an IMAP proxy (e.g. for handling client certificate authentication) it is important to disable IMAP pipelining with:

proxy_nopipelining=y

The nginx in the Zimbra MTA does not seem to be able to handle the 'Capability' check and the 'Login' command when they are sent together (pipelined) at the proxy login step.

Tested and debugged with Zimbra 8.0.7 Network Edition

#############################
## General
#############################
# Directory for Dovecot's runtime data.
base_dir = /var/run/dovecot/
# Serve both POP3 and IMAP (listeners are defined in the service blocks below).
protocols = pop3 imap
#############################
## Logging
#############################
# Syslog facility when logging to syslog. "mail" is the usual choice;
# local0..local7 and the other standard facilities also work.
syslog_facility = mail
# Timestamp put in front of every log line (the trailing space separates
# it from the message text).
log_timestamp = "%Y-%m-%d %H:%M:%S "
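#############################
## SSL settings
#############################
# SSL/TLS settings
# "ssl" is deliberately left at its default: TLS is offered but not
# required. The line below is kept commented out on purpose; to force
# TLS for every connection use "ssl = required" instead.
# ssl = yes
# Plaintext authentication (LOGIN and friends) stays allowed on the
# non-TLS listeners (ports 143 and 110 below). Set this to "yes" to
# advertise LOGINDISABLED until TLS has been negotiated.
disable_plaintext_auth = no
# SSL certificate ... preferred permissions: root:root 0444
ssl_cert = </etc/pki/tls/certs/dovecot.crt
# SSL certificate key ... preferred permissions: root:root 0400
ssl_key = </etc/pki/tls/private/dovecot.key
# With the settings below, a client that does not present a certificate
# signed by one of the CAs in ssl_ca is not allowed to log in.
## combined CA certificate and CRL file
ssl_ca = </etc/pki/tls/mixed_ca/mixed_ca_fusion.pem
# verify client cert
ssl_verify_client_cert = yes
# Which field from the certificate to use for the username. commonName and
# x500UniqueIdentifier are the usual choices; here the requestor's username
# is carried in the attribute with object identifier 2.5.4.5 (X.520
# serialNumber). The explanatory comment is kept on its own line so that
# no parser can mistake it for part of the value.
ssl_cert_username_field = 2.5.4.5
# Check the depth of a SSL certificate chain. The given value is the maximum
# allowed depth. Default is 9.
ssl_verify_depth = 9
# Digest used for the certificate fingerprint.
# NOTE(review): SHA-1 is considered weak for fingerprinting; prefer a
# SHA-2 digest (e.g. sha256) if this setting and whatever consumes the
# fingerprint accept it. Also verify with "doveconf -n" that
# ssl_verify_depth and ssl_cert_md_algorithm are recognised by the
# Dovecot build in use.
ssl_cert_md_algorithm = sha1
# Start from the HIGH cipher group and exclude anonymous DH, DSS, 3DES
# (plain and Kerberos), LOW, export and SSLv2 suites.
ssl_cipher_list = HIGH:!ADH-AES128-SHA:!ADH-AES256-SHA:!ADH-DES-CBC3-SHA:!DES-CBC3-MD5:!DES-CBC3-SHA:!DHE-DSS-AES128-SHA:!DHE-DSS-AES256-SHA:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-MD5:!KRB5-DES-CBC3-SHA:!LOW:!SSLv2:!EXP:!aNULL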
#############################
## Services incl. tuning
#############################
# Mailboxes are stored in Maildir format below each user's home directory
# (Maildir rather than mbox).
mail_location = maildir:~/Maildir
# Single private namespace holding the INBOX; "/" is the hierarchy
# separator. location and prefix are left empty so the defaults apply
# (location falls back to mail_location, no prefix).
namespace {
  type = private
  inbox = yes
  separator = /
  prefix =
  location =
}
####################
# anvil
####################
service anvil {
  # Must stay at exactly one anvil process.
  process_limit = 1
  client_limit = 1200
}
####################
# auth
####################
service auth {
  # Must stay at exactly one auth process.
  process_limit = 1
  client_limit = 1200
}
####################
# pop3 configuration
####################
service pop3-login {
  # Plain POP3 and POP3-over-TLS listeners, bound to one interface only.
  inet_listener pop3 {
    address = 192.168.0.246
    port = 110
  }
  inet_listener pop3s {
    address = 192.168.0.246
    port = 995
  }
  # One client connection per login process.
  service_count = 1
  # Upper bound on POP3 login processes, i.e. on concurrent POP3 connections
  # given service_count = 1.
  process_limit = 512
  # Keep this many idle login processes ready so new connections do not pay
  # a process-startup latency. Use at least the number of CPU cores so all
  # of them are busy.
  process_min_avail = 8
  # Additional processes are otherwise only spawned once an existing one
  # has reached client_limit connections.
  # NOTE(review): with service_count = 1 each process handles a single
  # connection, so this limit is unlikely to matter here - confirm.
  client_limit = 1024
  # VSZ (virtual memory size) limit per service process; mainly a safety net
  # that kills processes leaking memory. Raised above the default because
  # SSL/TLS processes otherwise run into out-of-memory errors.
  vsz_limit = 2048 M
}
protocol pop3 {
  # UIDL built from the IMAP UID and UIDVALIDITY in hex (Dovecot's default
  # format, spelled out explicitly).
  pop3_uidl_format = %08Xu%08Xv
  # Workarounds for Outlook / Outlook Express / Netscape client quirks.
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
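####################
# imap configuration
####################
service imap-login {
  # Plain IMAP listener on 143.
  # NOTE(review): the original comment here read "disable imap without
  # ssl", but the listener is active and disable_plaintext_auth = no lets
  # clients log in over it without TLS. To really disable it set
  # "port = 0" on this listener, or set disable_plaintext_auth = yes so
  # STARTTLS is required before any login.
  inet_listener imap {
    address = 192.168.0.246
    port = 143
  }
  # IMAP over TLS.
  inet_listener imaps {
    address = 192.168.0.246
    port = 993
  }
  # One client connection per login process.
  service_count = 1
  # Keep this many idle login processes ready so new connections do not pay
  # a process-startup latency. Use at least the number of CPU cores so all
  # of them are busy.
  process_min_avail = 8
  # Additional processes are otherwise only spawned once an existing one
  # has reached client_limit connections.
  # NOTE(review): with service_count = 1 each process handles a single
  # connection, so this limit is unlikely to matter here - confirm.
  client_limit = 1024
  # Upper bound on IMAP login processes, i.e. on concurrent IMAP connections
  # given service_count = 1.
  process_limit = 512
  # VSZ (virtual memory size) limit per service process; mainly a safety net
  # that kills processes leaking memory. Raised above the default because
  # SSL/TLS processes otherwise run into out-of-memory errors.
  vsz_limit = 2048 M
}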
protocol imap {
  # Client workaround list (quoted value, trailing space included as written).
  imap_client_workarounds = "delay-newmail "
}
#############################
## Authentication
#############################
# Every login is proxied to the Zimbra MTA; nopassword=y skips local
# password checking. proxy_nopipelining=y is essential: the Zimbra nginx
# cannot cope with CAPABILITY and LOGIN arriving in one batch (see the
# description above).
# NOTE(review): no ssl= / starttls= field is given, so the proxy-to-backend
# hop appears to be plain IMAP/POP3 unless the backend only offers TLS;
# consider starttls=yes (or ssl=yes) if the Zimbra side supports it.
passdb {
  driver = static
  args = proxy=y proxy_nopipelining=y host=zimbra-mta.example.com nopassword=y nodelay=y nologin=y
}
# Fixed uid/gid for every user; home=/dev/null since, presumably, nothing
# is stored locally on a pure proxy.
# NOTE(review): the leading "static" token in args looks like a leftover
# from the older "userdb static { args = ... }" syntax - driver = static
# already selects the backend. Confirm with "doveconf -n" that it is
# accepted, or drop it.
userdb {
  driver = static
  args = static uid=5000 gid=5000 home=/dev/null
}
#############################
## Debug
#############################
# Verbose troubleshooting output for auth, mail and SSL. This produces a
# lot of log volume and is meant for debugging the proxy setup, not for
# steady-state operation.
auth_debug = yes
auth_verbose = yes
mail_debug = yes
verbose_ssl = yes
# vim: ft=conf