Managing remote e-mail delivery (211.3)

Candidates should be able to install and configure POP and IMAP daemons.

Key Knowledge Areas

Courier IMAP and Courier POP configuration

Dovecot configuration

Terms and Utilities:

  • /etc/courier/

  • dovecot.conf

Courier IMAP and POP configuration

The Courier mail transfer agent (MTA) is an integrated mail/groupware server based on open commodity protocols, such as ESMTP, IMAP, POP3, LDAP, SSL, and HTTP. Courier provides ESMTP, IMAP, POP3, webmail, and mailing list services within a single, consistent framework. Individual components can be enabled or disabled at will. The Courier mail server now implements basic web-based calendaring and scheduling services integrated in the webmail module.

The Courier mail server uses maildirs as its native mail storage format, but it can also deliver mail to legacy mailbox files as well. By default /etc/courier is the sysconfdir. All courier configuration files are stored here. The mail queue can be found at /var/spool/mqueue.

Information about the configuration for Courier can be found at: Courier installation.

Installation

The Courier IMAP source is available at http://www.courier-mta.org/imap/download.html but for most populair linux distributions, a RPM or binary package is available. Courier IMAP requires the Courier Authentication Library (courier-authlib) which is a separate library for authenticating users and the creation of mailboxes.

Note

When compiling from source, keep in mind to do so as a regular user, not as root.

Configuration

After installation the configuration files are default located in /usr/lib/courier-imap/etc, where we find the imapd, imapd-ssl, pop3d and pop3d-ssl configuration files.

The default configuration files are well commented and should be self-explanatory. Read these default files when preparing for the exam.

System aliases

Since Courier doesn't deliver mail to root (for security reasons) we need to create system aliases. Courier comes with /usr/lib/courier/sbin/makealiases to create the required /usr/lib/courier/etc/aliases.dat. First create, e.g., by using vi, a file /usr/lib/courier/etc/aliases/system.

An example of /usr/lib/courier/etc/aliases/system:

	root         : postmaster
	mailer-daemon: postmaster
	MAILER-DAEMON: postmaster
	uucp         : postmaster
	postmaster   : admin
				

In this example the user admin gets all the mail from mailer-daemon, MAILER-DAEMON, uucp and postmaster.

Dovecot

Dovecot is an open source IMAP and POP3 email server for Linux/UNIX-like systems, written with security primarily in mind. Dovecot claims that it is an excellent choice for both small and large installations.

The configuration of Dovecot can be found in /etc/dovecot.conf and we need to configure several parameters: authentication, mailbox location, SSL settings and the configuration as POP3 server.

Authentication

Dovecot is capable of using several password database backends like: PAM, BDSAuth, LDAP, passwd, and SQL databases like MySQL, PostgreSQL and SQLite. The most common way is PAM authentication. The PAM configuration is usually located in /etc/pam.d. By default Dovecot uses dovecot as PAM service name.

Here is an example of /etc/pam.d/dovecot:

	auth    required        pam_unix.so nullok
	account required        pam_unix.so
				

The method used by clients to send the login credentials to the server, is configured via the mechanisms parameter. The simplest authentication mechanism is PLAIN. The client simply sends the password unencrypted to Dovecot. All clients support the PLAIN mechanism, but obviously there's the problem that anyone listening on the network can steal the password. For that reason (and some others) other mechanisms were implemented.

SSL/TLS encryption can be used to secure the PLAIN authentication mechanism, since the password is sent over an encrypted stream. Non-plaintext mechanisms have been designed to be safe to use even without SSL/TLS encryption. Because of how they have been designed, they require access to the plaintext password or their own special hashed version of it. This means that it's impossible to use non-plaintext mechanisms with commonly used DES or MD5 password hashes. With success/failure password databases (e.g. PAM) it's not possible to use non-plaintext mechanisms at all, because they only support verifying a known plaintext password.

Dovecot supports the following non-plaintext mechanisms: CRAM-MD5, DIGEST-MD5, APOP, NTLM, GSS-SPNEGO, GSSAPI, RPA, ANONYMOUS, OTP and SKEY, EXTERNAL. By default only the PLAIN mechanism is enabled. You can change this by modifying /etc/dovecot.conf:

	auth default {
		mechanisms = plain login cram-md5
		# ..
	}
				

Mailbox location

Using the mail_location parameter in /etc/dovecot.conf we can configure which mailbox location we want to use:

	mail_location = maildir:~/Maildir
				

or

	mail_location = mbox:~/mail:INBOX=/var/mail/%u
				

In this case email is stored in /var/mail/%u where %u is converted into the username.

SSL

Before Dovecot can use SSL, the SSL certificates need to be created and Dovecot must be configured to use them.

Dovecot includes a script mkcert.sh to create self-signed SSL certificates:

	#!/bin/sh

	# Generates a self-signed certificate.
	# Edit dovecot-openssl.cnf before running this.

	OPENSSL=${OPENSSL-openssl}
	SSLDIR=${SSLDIR-/etc/ssl}
	OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}

	CERTDIR=$SSLDIR/certs
	KEYDIR=$SSLDIR/private

	CERTFILE=$CERTDIR/dovecot.pem
	KEYFILE=$KEYDIR/dovecot.pem

	if [ ! -d $CERTDIR ]; then
	  echo "$SSLDIR/certs directory doesn't exist"
	  exit 1
	fi

	if [ ! -d $KEYDIR ]; then
	  echo "$SSLDIR/private directory doesn't exist"
	  exit 1
	fi

	if [ -f $CERTFILE ]; then
	  echo "$CERTFILE already exists, won't overwrite"
	  exit 1
	fi

	if [ -f $KEYFILE ]; then
	  echo "$KEYFILE already exists, won't overwrite"
	  exit 1
	fi

	$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
	chmod 0600 $KEYFILE
	echo 
	$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2
				

POP3 server

Although Dovecot is primarily designed as IMAP server, it works fine as POP3 server but it isn't optimized for being that. The POP3 specification requires that sizes are reported exactly and using Maildir the linefeeds are stored as plain LF characters. Simply getting the file size therefore returns a wrong POP3 message size.

When using mbox instead of Maildir, the index files are updated when a POP3 starts and includes all messages. After the user has deleted all mails, the index files again get updated to contain zero mails. When using Dovecot as a POP3 server, you might want to consider disabling or limiting the use of the index files using the mbox_min_index_size setting.

Copyright Snow B.V. The Netherlands