We chose Courier IMAP as our mail access agent (MAA) because it is easy to configure and maintain. It supports the IMAP4 and POP3 protocols, allowing mail user agents (MUAs) to get their email from the mail server. As the name suggests, IMAP is the primary protocol. IMAP has many advantages over POP; chief among them are support for folders and keeping email on the server.
We (Jeff Muse and Craig Buchek mainly) chose Courier IMAP, as it's much easier to configure and maintain than Cyrus. Plus, there's good documentation on setting it up to work with Postfix at http://workaround.org/articles/ispmail-sarge and other sites.
(See this article for a description of all the pieces involved in email delivery.)
We need to install several pieces of the Courier email system. First, some pre-requisites:
apt-get install libfam0c102 courier-base courier-ssl courier-authdaemon
When asked if you want to use configuration directories, answer Yes.
Install the IMAP pieces, and the POP pieces:
apt-get install courier-imap courier-imap-ssl
apt-get install courier-pop courier-pop-ssl
Install the recommended packages and documentation:
apt-get install courier-doc
The Courier installation creates a rather sparse certificate that identifies itself as localhost. It's OK as a start for a default installation, but the certificate should be updated to contain the correct values. Here is how to do this:
First we need to get a good set of values into imapd.cnf. This assumes that /etc/ssl/openssl.cnf has already been modified to contain the default SLUUG values; if not, see http://wiki.sluug.org/build/security#ssl
mv /etc/courier/imapd.cnf /etc/courier/imapd.cnf.ORIG
cp /etc/ssl/openssl.cnf /etc/courier/imapd.cnf
Next we should extend the lifetime of the certificates to 10 years. The default is one year, which means a new certificate has to be created every year. I'm too lazy for that. To do this, edit the certificate creation script.
Look for the value 365 and add a zero to the end so it is 3650 (ten years).
As a safety measure, the mkimapdcert script checks to see if a certificate already exists and will exit if it finds one. So we need to move the old certificate to the side. This is not necessary if that file is a link to /etc/courier/imapd.pem; in that case, just delete the link.
mv /usr/lib/courier/imapd.pem /usr/lib/courier/imapd.ORIG
At this point everything should be in place to create a new cert, so run the script. If openssl.cnf has been previously modified, you can just hit Enter all the way through to accept the defaults.
Now we have a shiny new certificate that has all the correct values such as bud.sluug.org instead of localhost. Put the cert in place.
mv /etc/courier/imapd.pem /etc/courier/imapd.pem.ORIG
ln -s /usr/lib/courier/imapd.pem /etc/courier/
Courier only reads the certificate at start up, so we need to bump it.
The certificate should be ready to go now. Fire up a mail client, connect to bud.sluug.org, and check that the certificate offered has the correct values, i.e. bud.sluug.org instead of localhost.
Here is the same thing for pop3d:
vi /usr/lib/courier/mkpop3dcert # Change 365 to 3650
mv /etc/courier/pop3d.cnf /etc/courier/pop3d.cnf.ORIG # Save the old stuff, just in case
cp /etc/ssl/openssl.cnf /etc/courier/pop3d.cnf # Get SLUUG default
ls -l /usr/lib/courier/pop3d.pem # See if it is a link
rm /usr/lib/courier/pop3d.pem # Script won't run if this file exists
/usr/lib/courier/mkpop3dcert # Run the cert script
mv /etc/courier/pop3d.pem /etc/courier/pop3d.pem.ORIG # Save the old stuff, just in case
ln -s /usr/lib/courier/pop3d.pem /etc/courier/ # Create link
ls -l /etc/courier/ # Make sure it is OK
/etc/init.d/courier-pop-ssl restart # Reload the cert
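The certificate check described above for imapd and pop3d can also be scripted rather than done from a mail client. This is an added example, not part of the original page: it assumes the openssl command-line tool is installed and that the services listen on the standard SSL ports 993 (IMAP) and 995 (POP3); the function names and the sample subject lines in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that a Courier SSL service presents a certificate
# whose CN is the real host name and not the default "localhost".

# subject_cn SUBJECT_LINE
# Print the CN from one line of `openssl x509 -noout -subject` output.
# Handles both layouts openssl has used (constructed samples):
#   subject= /C=US/O=SLUUG/CN=bud.sluug.org
#   subject=C = US, O = SLUUG, CN = bud.sluug.org
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/^subject=.*CN *= *\([^,/]*\).*$/\1/p'
}

# check_subject EXPECTED_HOST SUBJECT_LINE
# Returns 0 if the CN matches, 1 if it names something else, 2 if no CN found.
check_subject() {
    cn=$(subject_cn "$2")
    if [ -z "$cn" ]; then
        echo "FAIL: no CN found (no certificate received?)"
        return 2
    fi
    if [ "$cn" = "$1" ]; then
        echo "OK: CN=$cn"
        return 0
    fi
    echo "MISMATCH: certificate CN=$cn, expected $1"
    return 1
}

# check_service HOST PORT
# Fetch the certificate offered on HOST:PORT, print its expiry date,
# then check the subject CN against HOST.
check_service() {
    pem=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null) || true
    printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null
    subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject 2>/dev/null)
    check_subject "$1" "$subj"
}

# Usage after restarting the services:
#   check_service bud.sluug.org 993   # IMAP over SSL
#   check_service bud.sluug.org 995   # POP3 over SSL
```

The notAfter line printed by check_service should show a date roughly ten years out once the 3650-day change has taken effect.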