Directadmin With a Mail Proxy

Posted on May 22, 2025

Mail proxy setup to have a common mail.domain.tld that proxies IMAP and SMTP connections to the appropriate DA servers.

```text
mail.server.tld
 ├─da1.server.tld
 ├─da2.server.tld
 └─da3.server.tld
```

Prepare clean alma9 proxy server:

Alma9 doesn’t come with dovecot 2.4, so we take it from the dovecot repo. Instructions on how to add the repo for each distribution are described here.

We’ll focus on alma9 though.

Dovecot install

  1. For our case we create /etc/yum.repos.d/dovecot.repo with the following contents:

```ini
[dovecot-2.4-latest]
name=Dovecot 2.4 RHEL $releasever - $basearch
baseurl=http://repo.dovecot.org/ce-2.4-latest/rhel/$releasever/RPMS/$basearch
gpgkey=https://repo.dovecot.org/DOVECOT-REPO-GPG-2.4
gpgcheck=1
enabled=1
```

  2. Install the packages:

```sh
yum install dovecot dovecot-submissiond dovecot-imapd dovecot-pop3d dovecot-lmtpd
```

  3. Normalize the permissions of the *.conf files, as the repo packages ship with rather awkward ones for some reason:

```sh
chmod 644 /etc/dovecot/conf.d/*.conf
```

Configure dovecot backends

  4. Create a destination directory for the proxy passwd structure:

```sh
mkdir /etc/dovecot_proxies/
chown dovecot:dovecot /etc/dovecot_proxies/
```

  5. Modify the /etc/dovecot/conf.d/10-auth.conf file: clear out all the existing authentication methods (pam and passwd) and add the following snippet for each DirectAdmin server:

```text
passdb da1 {
  username_filter = *@*
  passwd_file_path=/etc/dovecot_proxies/da1.server.tld/%{user | domain}/passwd
  auth_username_format=%{user | username}
  passdb_default_password_scheme=crypt
  driver = passwd-file
  fields {
    starttls=any-cert
    proxy=y
    proxy_always=y
    host=da1.server.tld
  }
}
```

Note: host= can be set to the backend's IP address instead of its hostname, which removes the DNS lookup from the proxy path.

  6. Add an rsync cron job to sync the passwd files from the da1.server.tld server:

```sh
* * * * *   rsync --usermap=mail:dovecot -a --include "*/" --include="passwd" --exclude="*" --prune-empty-dirs --delete root@da1.server.tld:/etc/virtual/ /etc/dovecot_proxies/da1.server.tld/ > /dev/null 2>&1
```

  7. Repeat steps 5-6 for all the DirectAdmin backend servers that you want to have in your proxy setup.

    Note: You should not have duplicate domains between the servers. The first passdb in the dovecot config that has the domain gets the connection.
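Steps 5 and 6 are repeated per backend, and the order of the passdb blocks decides which server wins when a domain exists on more than one of them. The following POSIX shell script is an added example, not part of the original post: it prints the step 5 passdb stanza and the step 6 rsync cron line for every backend hostname passed on the command line, in that order, so the generated config order matches the intended precedence. The function names (gen_passdb, gen_cron, gen_all), the PROXY_ROOT variable and deriving the passdb name from the first DNS label (da1.server.tld becomes da1) are assumptions of mine; the stanza and cron contents are the ones from the steps above.

```sh
#!/bin/sh
# Added example, not from the original post: emit the per-backend passdb stanza
# (step 5) and rsync cron line (step 6) for every backend hostname given as an
# argument. Dovecot tries the passdb blocks in config order, so list the
# backends in the order you want domains resolved.
# Assumptions: PROXY_ROOT, the function names and deriving the passdb name from
# the first DNS label (da1.server.tld -> da1) are mine, not the post's.

PROXY_ROOT=${PROXY_ROOT:-/etc/dovecot_proxies}

# passdb block for one backend; identical to the snippet in step 5 except for
# the block name and the hostname.
gen_passdb() {
    host=$1
    name=${host%%.*}
    cat <<EOF
passdb $name {
  username_filter = *@*
  passwd_file_path=$PROXY_ROOT/$host/%{user | domain}/passwd
  auth_username_format=%{user | username}
  passdb_default_password_scheme=crypt
  driver = passwd-file
  fields {
    starttls=any-cert
    proxy=y
    proxy_always=y
    host=$host
  }
}

EOF
}

# Crontab line that mirrors only the passwd files out of /etc/virtual on the
# backend into the proxy's tree, reowned from mail to dovecot (step 6).
gen_cron() {
    host=$1
    printf '* * * * *   rsync --usermap=mail:dovecot -a --include "*/" --include="passwd" --exclude="*" --prune-empty-dirs --delete root@%s:/etc/virtual/ %s/%s/ > /dev/null 2>&1\n' \
        "$host" "$PROXY_ROOT" "$host"
}

# Print a complete 10-auth.conf fragment followed by the crontab lines.
gen_all() {
    echo "# --- passdb blocks for /etc/dovecot/conf.d/10-auth.conf ---"
    for h in "$@"; do gen_passdb "$h"; done
    echo "# --- crontab lines for root ---"
    for h in "$@"; do gen_cron "$h"; done
}

# Only generate when backend hostnames were actually given.
if [ "$#" -gt 0 ]; then
    gen_all "$@"
fi
```

Usage: sh gen_proxy_backends.sh da1.server.tld da2.server.tld da3.server.tld, then paste the first part into 10-auth.conf and the second into root's crontab. Keeping the backend list in one place makes it easy to see which server is first for a given domain when a connection lands on the wrong backend.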

Setup SSL for dovecot using letsencrypt

  8. Set up SSL for dovecot. We’ll use certbot for that:

```sh
yum install certbot
```

  9. If you do not have any web service on the proxy server, start certbot with the certonly argument:

```sh
certbot certonly
```

Answer the questions, specify the server address that you want to use for mail (it must already point to the server), and you should end up with a success message and the path to the certificates:

```text
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mail.server.tld/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/mail.server.tld/privkey.pem
```

  10. Modify the /etc/dovecot/conf.d/10-ssl.conf config file with the paths to the cert files:

```text
ssl_server {
   cert_file = /etc/letsencrypt/live/mail.server.tld/fullchain.pem
   key_file = /etc/letsencrypt/live/mail.server.tld/privkey.pem
}
```

  11. Restart dovecot:

```sh
systemctl restart dovecot
```

Setup letsencrypt renewals for the SSL

  12. Create a post-deploy hook to restart your dovecot service:

/etc/letsencrypt/renewal-hooks/deploy/dovecot_restart.sh

```sh
#!/bin/bash
systemctl restart dovecot > /dev/null 2>&1
```

Make it executable:

```sh
chmod +x /etc/letsencrypt/renewal-hooks/deploy/dovecot_restart.sh
```

  13. Start the systemd certbot timer and enable it at boot time:

```sh
systemctl enable --now certbot-renew.timer
```

Note: to verify the timers, run systemctl --no-pager -l list-timers --all

Finish

  14. Create mailboxes on the DA backends and verify the setup works.

Troubleshooting

  • Q: Failed to read config error in systemctl status dovecot:

```text
May 21 12:30:19 mail.domain.tld dovecot[458855]: doveconf: Fatal: Failed to read config: mmap((temp config file>G
```

  • A: SELinux is enforcing. Either add the appropriate rules or disable it with:

```sh
setenforce 0
sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
```

  • Q: MD5-CRYPT error

```text
May 21 19:21:13 mail-proxy01 dovecot[83119]: auth(nsc@domaint.tld,10.0.1.15,sasl:plain) <1234RKo1ATAmAxA21234123AAAAAAF>: Error: da1: Invalid password in passdb: Weak password scheme 'MD5-CRYPT' used and refused
```

  • A: MD5-CRYPT, like the other weak schemes, is disabled in dovecot 2.4.

Changing the password for that mailbox is sufficient to get a new hash.

Globally, weak schemes can be enabled with the auth_allow_weak_schemes setting in dovecot.conf:

```text
auth_allow_weak_schemes = yes
```
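Two of the problems on this page can be caught by inspecting the synced passwd tree before dovecot trips over them: a domain present under more than one backend (the note under step 7, where only the first passdb ever sees the connection) and mailboxes whose stored hash is still MD5-CRYPT (this answer, where the login fails until the password is changed). The following POSIX shell script is an added example, not from the original post. It walks /etc/dovecot_proxies/<backend>/<domain>/passwd, reports domains that appear under several backends, and lists users whose password field starts with $1$ (the md5crypt prefix) or {MD5-CRYPT}. The function names, the root-directory argument and the passwd-file line layout user:hash[:...] are assumptions about what the rsync job mirrors, not facts stated by the post.

```sh
#!/bin/sh
# Added example, not from the original post: audit the proxy's synced passwd
# tree for duplicate domains and md5crypt hashes. Assumptions (mine): the
# layout is <root>/<backend>/<domain>/passwd and each line is user:hash[:...].

PROXY_ROOT=${PROXY_ROOT:-/etc/dovecot_proxies}

# Domains that exist under more than one backend directory. Dovecot hands the
# connection to the first passdb that knows the domain, so mailboxes on the
# other backends are silently unreachable through the proxy.
find_duplicate_domains() {
    root=$1
    for d in "$root"/*/*/; do
        [ -d "$d" ] || continue
        basename "$d"
    done | sort | uniq -d
}

# Users whose stored hash is md5crypt ("$1$..." or "{MD5-CRYPT}..."), which
# dovecot 2.4 refuses unless auth_allow_weak_schemes is turned on.
# Output: <backend>/<domain>/passwd:<user>
find_weak_hashes() {
    root=$1
    for f in "$root"/*/*/passwd; do
        [ -f "$f" ] || continue
        rel=${f#"$root"/}
        awk -F: -v rel="$rel" \
            'index($2, "$1$") == 1 || index($2, "{MD5-CRYPT}") == 1 { print rel ":" $1 }' "$f"
    done
}

# Run both checks; exit status 1 when anything was found.
audit_proxies() {
    root=${1:-$PROXY_ROOT}
    status=0
    dups=$(find_duplicate_domains "$root")
    if [ -n "$dups" ]; then
        printf 'duplicate domains across backends:\n%s\n' "$dups"
        status=1
    fi
    weak=$(find_weak_hashes "$root")
    if [ -n "$weak" ]; then
        printf 'mailboxes still using MD5-CRYPT (reset their password on the DA backend):\n%s\n' "$weak"
        status=1
    fi
    return $status
}

# Only run the audit when a root directory is given on the command line.
if [ -n "${1-}" ]; then
    audit_proxies "$1"
fi
```

Run it as sh audit_proxies.sh /etc/dovecot_proxies after the rsync jobs have populated the tree; a non-zero exit makes it easy to wire into a cron job or monitoring check. Reporting the md5crypt users on the proxy side is the less disruptive option: it tells you which passwords to rotate on the backend instead of re-enabling weak schemes globally.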

  • Q: process_limit reached

```text
May 23 14:27:28 mail.domain.tld dovecot[5239]: master: Warning: service(imap-login): process_limit (100) reached, client connections are being dropped
```

  • A: Create a /etc/dovecot/conf.d/10-limits.conf file with contents:

```text
default_process_limit=4096
default_client_limit=16387
```

  • Q: Unsupported auth mechanism

```text
May 21 12:04:22 mail.domain.tld dovecot[5239]: submission-login: Login aborted: Connection closed (tried to use unsupported auth mechanism, 1 attempts in 0 secs) (invalid_mech): user=<>, method=LOGIN, rip=10.0.1.13, lip=10.0.1.15, TLS: Connection closed, session=<VaffCaaadAAAAAAAAAF>
```

  • A: To enable the LOGIN mechanism, add this to dovecot.conf:

```text
auth_mechanisms = plain login
```