Courier IMAP

We chose Courier IMAP as our mail access agent (MAA) because it is easy to configure and maintain. It supports the IMAP4 and POP3 protocols, allowing mail user agents (MUAs) to get their email from the mail server. As the name suggests, IMAP is the primary protocol. IMAP has many advantages over POP; chief among them is support for folders, and keeping the emails on the server.

We (Jeff Muse and Craig Buchek mainly) chose Courier IMAP, as it's much easier to configure and maintain than Cyrus. Plus, there's good documentation on setting it up to work with Postfix at http://workaround.org/articles/ispmail-sarge and other sites.

(See this article for a description of all the pieces involved in email delivery.)

Installation

We need to install several pieces of the Courier email system. First, some pre-requisites:

apt-get install libfam0c102 courier-base courier-ssl courier-authdaemon

When asked if you want to use configuration directories, answer Yes.

Install the IMAP pieces, and the POP pieces:

apt-get install courier-imap courier-imap-ssl
apt-get install courier-pop courier-pop-ssl

Install the recommended packages and documentation:

apt-get install courier-doc

Security

The Courier installation creates a rather sparse certificate that identifies itself as localhost. It's OK as a start for a default installation, but the certificate should be updated to contain the correct values. Here is how to do this:

First we need to get a good set of values into imapd.cnf. This assumes that /etc/ssl/openssl.cnf has already been modified to contain the default SLUUG values; if not, see http://wiki.sluug.org/build/security#ssl

mv /etc/courier/imapd.cnf /etc/courier/imapd.cnf.ORIG
cp /etc/ssl/openssl.cnf /etc/courier/imapd.cnf

Next we should extend the time for the certificates for 10 years. The default is one year, which means a new certificate has to be created every year. I'm too lazy for that. To do this, edit the certificate creation script.

vi /usr/sbin/mkimapdcert

Look for the value 365 and add a zero to the end so it becomes 3650 (ten years).

As a safety measure, the mkimapdcert script checks whether a certificate already exists and exits if it finds one, so we need to move the old certificate aside. If that file is just a link to /etc/courier/imapd.pem, moving it is not necessary; delete the link instead.

mv /usr/lib/courier/imapd.pem /usr/lib/courier/imapd.ORIG

At this point everything should be in place to create a new cert, so run the script. If openssl.cnf was modified earlier, you can just hit Enter all the way through to accept the defaults.

/usr/lib/courier/mkimapdcert

Now we have a shiny new certificate that has all the correct values such as bud.sluug.org instead of localhost. Put the cert in place.

mv /etc/courier/imapd.pem /etc/courier/imapd.pem.ORIG
ln -s /usr/lib/courier/imapd.pem /etc/courier/

Courier only reads the certificate at start up, so we need to bump it.

/etc/init.d/courier-imap-ssl reload

The certificate should be ready to go now. Fire up a mail client, connect to bud.sluug.org, and check that the certificate offered has the correct values, i.e. bud.sluug.org instead of localhost.

Here is the same thing for pop3d:

vi /usr/lib/courier/mkpop3dcert                          # Change 365 to 3650
mv /etc/courier/pop3d.cnf /etc/courier/pop3d.cnf.ORIG    # Save the old file, in case
cp /etc/ssl/openssl.cnf /etc/courier/pop3d.cnf           # Get the SLUUG defaults
ls -l /usr/lib/courier/pop3d.pem                         # See if it is a link
rm /usr/lib/courier/pop3d.pem                            # Script won't run if this file exists
/usr/lib/courier/mkpop3dcert                             # Run the cert script
mv /etc/courier/pop3d.pem /etc/courier/pop3d.pem.ORIG    # Save the old cert, in case
ln -s /usr/lib/courier/pop3d.pem /etc/courier/           # Create the link
ls -l /etc/courier/                                      # Make sure it looks OK
/etc/init.d/courier-pop-ssl restart                      # Reload the cert
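As an added example (not from the SLUUG wiki and not part of Courier), here is a small POSIX shell script that does the "check the certificate that is offered" step from above without a mail client: it verifies that a Courier imapd.pem or pop3d.pem, or the certificate the live IMAPS/POP3S listener actually presents, carries the expected subject CN and still has the ten years of validity the regenerated cert was given. It assumes the openssl CLI is installed and that the hostname (bud.sluug.org in the text) is passed as the first argument.

```shell
# Added example, not part of the SLUUG wiki page. Checks a Courier cert file
# (imapd.pem / pop3d.pem) or the cert a running service offers for the
# expected subject CN and a minimum remaining validity. Assumes the openssl
# CLI; the hostname (bud.sluug.org on the page) is passed in by the caller.

# Print the subject CN of the first certificate in a PEM file.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# check_cert FILE EXPECTED_CN MIN_DAYS: returns 0 when the CN matches and the
# cert stays valid for MIN_DAYS more days, else 1 with a reason on stderr.
check_cert() {
    file=$1; want_cn=$2; min_days=$3
    [ -r "$file" ] || { echo "$file: not readable" >&2; return 1; }
    cn=$(cert_cn "$file")
    if [ "$cn" != "$want_cn" ]; then
        echo "$file: subject CN is '$cn', expected '$want_cn'" >&2
        return 1
    fi
    # -checkend exits non-zero if the cert expires within N seconds
    if ! openssl x509 -in "$file" -noout -checkend $((min_days * 86400)); then
        echo "$file: certificate expires within $min_days days" >&2
        return 1
    fi
}

# check_served_cert HOST PORT MIN_DAYS
# Fetches what the live IMAPS (993) or POP3S (995) listener actually
# presents, so a cert replaced on disk but never reloaded is caught too.
check_served_cert() {
    host=$1; port=$2; min_days=$3
    tmp=$(mktemp) || return 1
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$tmp" 2>/dev/null
    check_cert "$tmp" "$host" "$min_days"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh check-courier-cert.sh bud.sluug.org
if [ $# -gt 0 ]; then
    for f in /etc/courier/imapd.pem /etc/courier/pod3d.pem; do
        check_cert "$f" "$1" 365 && echo "$f: OK"
    done
    check_served_cert "$1" 993 365 && echo "imaps: OK"
    check_served_cert "$1" 995 365 && echo "pop3s: OK"
fi
```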

Configuration

TODO.

Startup

TODO.

Testing

TODO.

TODO

  • Document configuration details. Certificates were made using the ssl-cert package's make-ssl-cert script. We had to edit /usr/sbin/make-ssl-cert and add -days 3650 to the openssl command that actually creates the certificate; otherwise it defaults to 30 days (have not yet figured this one out).
  • Make sure IMAP isn't filling up the log files again.

Alternative IMAP Servers

  • BINC IMAP - looks simple yet robust; recommended by Matthew Porter
  • Dovecot - new, but in active development; concentrates on security, simplicity, speed, low memory use
  • UW-IMAP - the original Open Source implementation
build/imap.txt · Last modified: 2008/04/06 23:20 by 24.217.108.17