POP3/IMAP

UNIX ADMINISTRATION WORKSHOP

Objectives
1. Definitions of IMAP, POP3, Exim, Courierauthlib, etc 2. Reconfigure Exim for Maildir delivery 3. Install Courier-authlib 4. Configure and start courier-authlib 5. Test courier-authlib

Objectives
6. Install courier-imap 7. Configure and start courier-imap Test POP3 and IMAP 8. POP3 and IMAP over SSL

IMAP
IMAP is an Internet Message Access Protocol. It is a method of accessing electronic mail messages that are kept on a possibly shared mail server. In other words, it permits a "client" email program to access remote message stores as if they were local. For example, email stored on an IMAP server can be manipulated from a desktop computer at home, a workstation at the office, and a notebook computer while travelling, without the need to transfer messages or files back and forth between these computers. IMAP uses TCP/IP port 143.

POP
Short for Post Office Protocol, a protocol used to retrieve e-mail from a mail server. Most e-mail applications (sometimes called an e-mail client) use the POP protocol, although some can use the newer IMAP (Internet Message Access Protocol). There are two versions of POP. The first, called POP2, became a standard in the mid-80's and requires SMTP to send messages. The newer version, POP3, can be used with or without SMTP. POP3 uses TCP/IP port 110.

POP3 vs IMAP
With IMAP, all your mail stays on the server in multiple folders, some of which you have created. This enables you to connect to any computer and see all your mail and mail folders. In general, IMAP is great if you have a dedicated connection to the Internet or you like to check your mail from various locations. With POP3 you only have one folder, the Inbox folder. When you open your mailbox, new mail is moved from the host server and saved on your computer. If you want to be able to see your old mail messages, you have to go back to the computer where you last opened your mail. With POP3 "leave mail on server" only your email messages are on the server, but with IMAP your email folders are also on the server.

Exim
Exim is an open source mail transfer agent (MTA), which is a program responsible for receiving, routing, and delivering e-mail messages (this type of program is sometimes referred to as an Internet mailer, or a mail server program). MTAs receive e-mail messages and recipient addresses from local users and remote hosts, perform alias creation and forwarding functions, and deliver the messages to their destinations. Exim was developed at the University of Cambridge for the use of Unix systems connected over the Internet. The software can be installed in place of sendmail, the most common MTA for UNIX and Linux systems. In comparison to sendmail, Exim is said to feature more straightforward configuration and task management.

Courier-authlib
Courier is a mail system which includes a number of packages. It has its own MTA. We are interested in only the following components IMAP/POP3 servers and sqwebmail The courier packages now share a single authentication library, courier-authlib. This package is responsible for looking up usernames and passwords

Secure Sockets Layer (SSL)

Secure Sockets Layer - The leading security protocol on the Internet. Developed by Netscape, SSL is widely used to do two things: 1. to validate the identity of a Web site 2. and to create an encrypted connection for sending credit card and other personal data. Look for a lock icon at the bottom of your browser when you order merchandise on the Web. If the lock is closed, you are on a secure SSL.

Maildir
Maildir is a widely-used format for storing e-mail that does not require application-level file locking to maintain message integrity as messages are added, moved and deleted. Each message is kept in a separate file with a unique name. All changes are made using atomic filesystem operations so that the filesystem handles file locking concurrency issues. A Maildir is a directory (often named Maildir) with three subdirectories named tmp, new, and cur.

Reconfigure Exim for mail delivery

We will configure Exim to deliver all local in Maildir format. /home/Maildir/new/cur/tmp Messages are written into tmp, moved to new when delivery is complete and moved to cur when read. Messages have a unique filename based on the hostname and time of day

Reconfigure Exim for mail delivery

Edit /usr/local/etc/exim/configure Find the local_delivery transport and modify it as follows: local_delivery: driver = appendfile directory = $home/Maildir maildir_format maildir_use_size_file #file = /var/mail/$local_part delivery_date_add envelope_to_add return_path_add group = mail #user = $local_part mode = 0660 no_mode_fail_narrower

Reconfigure Exim for mail delivery ..

Optionally you could add further parameters to this transport which let you impose quotas on your users, for example to limit all users to 10 megabytes of storage each: maildir_tag = ,S=$message_size quota_size_regex = ,S=(\d+) quota = 10M quota_warn_threshold = 90%

Install Courier-authlib
# cd /usr/ports/security/courier-authlib/ # make When prompted for options on the screen, press the down arrow to highlight the option: [X] AUTH_USERDB Userdb support Press <TAB> to highlight OK, and then <ENTER> to continue. # make install # make clean (optional step - deletes temporary files in 'work' subdir) Total compile time on your machines will be between 10 and 15 minutes.

Configure and start courier-authlib

Remember to HUP your exim daemon. Now test out your new configuration by delivering to some local account on your machine: $ /usr/local/sbin/exim -bt localuser [email protected] router = localuser, transport = local_delivery $ /usr/local/sbin/exim localuser

Configure and start courier-authlib

Here is a test . $ cd /home/localuser/Maildir $ ls cur new tmp $ ls new 102078119.7969. PCN.ws.linuxchix.or.ke,S=426 $ cat new/* Return-path: <root@ PCN.ws.linuxchix.or.ke > ... Here is a test

Test courier-authlib
courier-authlib runs a pool of authentication daemons which perform the actual work; courier-imap and sqwebmail communicate with these daemons via a socket. So the next thing we need to do is to start the daemons. First you need to edit /etc/rc.conf: # vi /etc/rc.conf add the following line: courier_authdaemond_enable="YES" Courier-authlib itself has a single configuration file, /usr/local/etc/authlib/authdaemonrc. For the purposes of this exercise, we will turn on authentication debugging. # cd /usr/local/etc/authlib # vi authdaemonrc change this line: DEBUG_LOGIN=0 to: DEBUG_LOGIN=1

Test courier-authlib
To save resources, you can also configure the authdaemond process not to try any authentication mechanisms which you know you don't need. For example, if all your authentication is only via PAM for Unix system passwords, then you can remove all the others. Save the original line so that your changes look like this: #authmodulelist="authuserdb authvckpw authpam authldap authmysql authpgsql" authmodulelist="authpam" Now we are ready to start the authentication daemons: # /usr/local/etc/rc.d/courier-authdaemond start
Starting courier_authdaemond. # ps auxwww | grep authdaemond ps shows one courierlogger process, and six authdaemond processes (one master, five workers). If you didn't see "Starting courier_authdaemond" then you made a typing error.

Test courier-authlib
You can test the authentication system by itself; the "authtest" command sends requests down the authentication socket, and displays the responses which come back. Test using any Unix login account which already exists on your system. # authtest brian -- find an account called 'brian' # authtest brian foo -- check 'brian' has password 'foo' # authenumerate -- list all accounts Try it also with a non-existent username, and with both the right password and a wrong password for an account, to confirm that passwords are being validated properly. Because we enabled login debugging, you should find that each authentication request generates detailled information in /var/log/debug.log showing how the request is passed to each module in turn. Have a look in this file to confirm: # less /var/log/debug.log

Install courier-imap
Using ports, building courier-imap is straightforward: # cd /usr/ports/mail/courier-imap # make [When prompted for options on the screen, press <TAB> to highlight OK, and then <ENTER> to continue.] # make install # make clean (optional step) Compilation will take 10 to 15 minutes on your machines.

Configure and start courier-imap

You can choose to run POP3, IMAP, or both. There is a configuration file for each one: /usr/local/etc/courier-imap/pop3d /usr/local/etc/courier-imap/imapd The default configuration is acceptable in most cases. However for a large server you may wish to increase the maximum number of concurrent connections from the default of 40, if you have fairly powerful hardware: # cd /usr/local/etc/courier-imap # vi pop3d ... MAXDAEMONS=300 ... # vi imapd ... MAXDAEMONS=300

Configure and start courier-imap

Then, you need to enable the daemon(s) which you wish to run in /etc/rc.conf # vi /etc/rc.conf add the following line(s): courier_imap_pop3d_enable="YES" courier_imap_imapd_enable="YES" And then run the startup script(s): # /usr/local/etc/rc.d/courier-imap-pop3d.sh start Starting courier_imap_pop3d. # /usr/local/etc/rc.d/courier-imap-imapd.sh start Starting courier_imap_imapd.

Test POP3 and IMAP

Test using telnet: POP3 and IMAP are both text-based layer 7 protocols and you can drive them by hand. # telnet localhost 110 Connected to localhost.ws.afnog.org Escape character is '^]'. +OK Hello there. user username +OK Password required. pass password +OK logged in. stat +OK 26 49857 retr 1 +OK 1073 octets follow. ... message . quit +OK Bye-bye. Connection closed by foreign host.

Test POP3 and IMAP ..

# telnet localhost 143 Connected to localhost.ws.afnog.org. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc. See COPYING for distribution information. a login username password a OK LOGIN Ok. a examine inbox * FLAGS (\Answered \Flagged \Deleted \Seen \Recent) * OK [PERMANENTFLAGS ()] No permanent flags permitted * 26 EXISTS * 0 RECENT * OK [UIDVALIDITY 989061119] Ok * OK [READ-ONLY] Ok a logout * BYE Courier-IMAP server shutting down a OK LOGOUT completed Connection closed by foreign host.

Test POP3 and IMAP ..

NOTE: The daemons will fail to login if the mail directory does not exist, although current versions do now provide an error message. Hence you need to have delivered at least one message to the user, to create their mailbox, before they can login (or use the 'maildirmake' command to create it). Look for logging messages in /var/log/maillog and /var/log/debug.log.

POP3 and IMAP over SSL

If you wish, you can choose to allow pop3 over SSL (port 995) and imap over SSL (port 993). The advantage is that, for clients which support it, the traffic is encrypted. The disadvantage is higher CPU load on your server for the encryption of data. To run SSL you will need a certificate. For testing purposes you can use a 'selfsigned' certificate. The pop3d.cnf and imapd.cnf files contain the parameters for the Snakeoil certificate. You may edit this for you environment, but note that it is not proper certificate signed by a recognised CA. Run the following scripts which will generate them for you: # cd /usr/local/etc/courier-imap # cp pop3d.cnf.dist pop3d.cnf # cp imapd.cnf.dist imapd.cnf # mkpop3dcert # mkimapdcert Next, enable the SSL daemons in /etc/rc.conf: # vi /etc/rc.conf courier_imap_pop3d_ssl_enable="YES" # pop3 over ssl, port 995 courier_imap_imapd_ssl_enable="YES" # imap over ssl, port 993

POP3 and IMAP over SSL

Then you start the servers: # /usr/local/etc/rc.d/courier-imap-pop3d-ssl.sh start Starting courier_imap_pop3d_ssl. # /usr/local/etc/rc.d/courier-imap-imapd-ssl.sh start Starting courier_imap_imapd_ssl. You can't use a regular telnet to test it, because all your communication needs to be encrypted, but openssl has an SSL client you can use to make an encrypted connection for testing: # openssl s_client -connect localhost:993 # openssl s_client -connect localhost:995 See the previous exercise for the commands to use with each connection. If you were running the service commercially you might want to consider a certificate signed by a recognised CA, rather than using a self-signed certificate.