Candidates should be able to install and configure POP and IMAP daemons.
The Courier mail transfer agent (MTA) is an integrated mail/groupware server based on open commodity protocols, such as ESMTP, IMAP, POP3, LDAP, SSL, and HTTP. Courier provides ESMTP, IMAP, POP3, webmail, and mailing list services within a single, consistent, framework. Individual components can be enabled or disabled at will. The Courier mail server now implements basic web-based calendaring and scheduling services integrated in the webmail module.
The Courier mail server uses maildirs as its native mail storage format, but it can also deliver mail to legacy mailbox files as well. Default /etc/courier is the sysconfdir. All courier configuration files are stored here. The mail queue can be found at /var/spool/mqueue.
Information about the configuration for courier can be found at: Courier installation.
The Courier IMAP source is available at http://www.courier-mta.org/imap/download.html but for most populair linux distributions, a RPM package is available. Courier IMAP requires the Courier Authentication Library (courier-authlib) which is a seperate library for authenticating users and the creation of mailboxes.
When compiling from source, keep in mind to do so as a regular user, not as root.
After installation the configuration files are default located in
/usr/lib/courier-imap/etc, where we find the
imapd, imapd-ssl, pop3d
and pop3d-ssl configuration files.
The default configuration files are well commented and should be self-explanatory. Read these default files when preparing for the exam.
Since Courier doesn't deliver mail to root (for security) we need to create system aliases.
Courier comes with /usr/lib/courier/sbin/makealiases to create the
required /usr/lib/courier/etc/aliases.dat. First create, eg. using
vi a file /usr/lib/courier/etc/aliases/system .
An example of /usr/lib/courier/etc/aliases/system :
root : postmaster mailer-daemon: postmaster MAILER-DAEMON: postmaster uucp : postmaster postmaster : admin
In this example the user admin gets all the mail from mailer-daemon
, MAILER-DAEMON, uucp and postmaster.
Dovecot is an open source IMAP and POP3 email server for Linux/UNIX-like systems, written with security primarily in mind. Dovecot claims that it is an excellent choice for both small and large installations.
The configuration of Dovecot can be found in /etc/dovecot.conf and
we need to configure several paramaters: authentication, mailbox location, SSL settings
and the configuration as POP3 server.
Dovecot is capable of using several password databases backends like: PAM, BDSAuth, LDAP, passwd,
and SQL databases like MySQL, PostgreSQL and SQLite. The most common way is PAM authentication.
The PAM configuration is usually in /etc/pam.d, default Dovecot uses
dovecot as PAM service name. Here is an example of /etc/pam.d/dovecot:
auth required pam_unix.so nullok account required pam_unix.so
The method used by clients to send the login credentials to the server, is configured via the mechanisms parameter. The simplest authentication mechanism is PLAIN. The client simply sends the password unencrypted to Dovecot. All clients support the PLAIN mechanism, but obviously there's the problem that anyone listening on the network can steal the password. For that reason (and some others) other mechanisms were implemented. SSL/TLS encryption can be used to secure the PLAIN authentication mechanism, since the password is sent over an encrypted stream. Non-plaintext mechanisms have been designed to be safe to use even without SSL/TLS encryption. Because of how they have been designed, they require access to the plaintext password or their own special hashed version of it. This means that it's impossible to use non-plaintext mechanisms with commonly used DES or MD5 password hashes. With success/failure password databases (e.g. PAM) it's not possible to use non-plaintext mechanisms at all, because they only support verifying a known plaintext password. Dovecot supports the following non-plaintext mechanisms: CRAM-MD5, DIGEST-MD5, APOP, NTLM, GSS-SPNEGO, GSSAPI, RPA, ANONYMOUS, OTP and SKEY, EXTERNAL. By default only PLAIN mechanism is enabled. You can change this by modifying dovecot.conf:
auth default {
mechanisms = plain login cram-md5
# ..
}
Using the mail_location parameter in /etc/dovecot.conf
we can configure which mailbox location we want to use.
mail_location = maildir:~/Maildir
or
mail_location = mbox:~/mail:INBOX=/var/mail/%u
In this case email is stored in /var/mail/%u where %u is
converted into the username.
Before Dovecot can use SSL, the SSL certificates need to be created and Dovecot must be configured to use them.
Dovecot includes a script in doc/mkcert.sh to create self-signed SSL certificates:
#!/bin/sh
# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.
OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/ssl}
OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}
CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private
CERTFILE=$CERTDIR/dovecot.pem
KEYFILE=$KEYDIR/dovecot.pem
if [ ! -d $CERTDIR ]; then
echo "$SSLDIR/certs directory doesn't exist"
exit 1
fi
if [ ! -d $KEYDIR ]; then
echo "$SSLDIR/private directory doesn't exist"
exit 1
fi
if [ -f $CERTFILE ]; then
echo "$CERTFILE already exists, won't overwrite"
exit 1
fi
if [ -f $KEYFILE ]; then
echo "$KEYFILE already exists, won't overwrite"
exit 1
fi
$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
chmod 0600 $KEYFILE
echo
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2
Although Dovecot is primarily designed as IMAP server, it works fine as POP3 server. But it isn't optimized for being that. The POP3 specification requires that sizes are reported exactly and using Maildir the linefeeds are stored as plain LF characters. Simply getting the file size, returns a wrong POP3 message size.
When using MBOX instead of Maildir the index files are updated when a POP3 starts and includes all messages and after the user had deleted all mails, they again get updated to contain zero mails. When using Dovecot as a POP3 server you might want to consider disabling or limiting the use of the index files using the mbox_min_index_size setting.