Differences

This shows you the differences between two versions of the page.

--- build:imap [2006/03/18 16:03]
206.80.70.194 Removed obsolete Cyrus stuff. (CMB)
+++ build:imap [2008/04/06 23:20] (current)
24.217.108.17
@@ Line 6: / Line 6: @@
 (See [[http://www.xman.org/imap/pieces.shtml | this article]] for a description of all the pieces involved in email delivery.)
 ===== Installation =====
@@ Line 26: / Line 28: @@
 </code>
-TODO: Don't forget to create /etc/courier/pop3d.pem and /etc/courier/imapd.pem SSL certificates.
-TODO: Need to install on Budlight.
-TODO: Hook Postfix to deliver to Maildirs where Courier can pick it up.
-TODO: Test.
+==== Security ====
+The courier installation creates a rather sparse certificate that identifies itself as localhost. It's OK as a start for a default installation but the certificate should be updated to contain the correct values. Here is how to do this:
+First we need to get a good set of values into the imapd.cnf. This assumes that /etc/ssl/openssl.cnf has been modified to contain the default SLUUG values already, if not see [[http://wiki.sluug.org/build/security#ssl ]]
+<code>
+mv /etc/courier/imapd.cnf /etc/courier/imapd.cnf.ORIG
+cp /etc/ssl/openssl.cnf /etc/courier/imapd.cnf
+</code>
+Next we should extend the time for the certificates for 10 years. The default is one year, which means a new certificate has to be created every year. I'm too lazy for that. To do this, edit the certificate creation script.
+<code>
+vi /usr/sbin/mkimapdcert
+</code>
+Look for the values 365 and add a zero to the end so it is 3650 (ten years)
+As a safety measure, the mkimapdcert script checks to see if a certificate already exists and will exit if it finds one. So we need to move the old certificate to the side. This is not necessary if that file is a link to /etc/courier/imapd.pem just delete the link.
+<code>
+mv /usr/lib/courier/imapd.pem /usr/lib/courier/imapd.ORIG
+</code>
+At this point everything should be in place to create a new cert, so run the script, if the openssl.cnf has been previously modified you can just hit enter all the way through to accept the defaults.
+<code>
+/usr/lib/courier/mkimapdcert
+</code>
+Now we have a shiny new certificate that has all the correct values such as bud.sluug.org instead of localhost. Put the cert in place.
+<code>
+mv /etc/courier/imapd.pem /etc/courier/imapd.pem.ORIG
+ln -s /usr/lib/courier/imapd.pem /etc/courier/
+</code>
+Courier only reads the certificate at start up, so we need to bump it.
+<code>
+/etc/init.d/courier-imap-ssl reload
+</code>
+The certificate should be ready to go now. Fire up a mail client and connect to bud.sluug.org and check the certificate that is offered for the correct values, ie bud.sluug.org instead of localhost.
+Here is the same thing for pop3d
+<code>
+vi /usr/lib/courier/mkpop3dcert                          # Change 365 to 3650
+mv /etc/courier/pop3d.cnf /etc/courier/pop3d.cnf.ORIG    # Save the old stuff, in case
+cp /etc/ssl/openssl.cnf /etc/courier/pop3d.cnf           # Get SLUUG default
+ls -l /usr/lib/courier/pop3d.pem                         # See if is a link
+rm /usr/lib/courier/pop3d.pem                            # Script won't run if this file exists
+/usr/lib/courier/mkpop3dcert                             # Run the cert script
+mv /etc/courier/pop3d.pem /etc/courier/pop3d.pem.ORIG    # Save the old stuff, in case
+ln -s /usr/lib/courier/pop3d.pem /etc/courier/           # Create link
+ls -l /etc/courier/                                      # Make sure is OK
+/etc/init.d/courier-pop-ssl restart                      # Reload the cert
+</code>
 ===== Configuration =====
-===== TODO =====
+TODO.
-  * Document configuration details.
+===== Startup =====
-  * Make sure IMAP isn't filling up the log files again. It was giving us errors like this, because OpenSSL wasn't configured correctly:
-  Mar  6 15:08:58 budlight cyrus/imapd[8947]: Fatal error: imaps: required OpenSSL options not present
-  Mar  6 15:08:59 budlight cyrus/pop3d[8950]: pop3s: required OpenSSL options not present
-  Mar  6 15:09:01 budlight cyrus/imapd[8951]: imaps: required OpenSSL options not present
-  Mar  6 15:09:02 budlight cyrus/imapd[8951]: Fatal error: imaps: required OpenSSL options not present
-  Mar  6 15:09:04 budlight cyrus/imapd[8954]: imaps: required OpenSSL options not present
-  * Document why we chose Cyrus over Courier IMAP and UW-IMAP.
+TODO.
-  * Review cyrus at <del>thornhill</del> library (do not delete)
-  * Install/configure mailadmin (or just use the command-line cyradm) and smartsieve packages.
-Certificates were made using the ssl-cert packages make-ssl-cert script.  We had to edit the /usr/sbin/make-ssl-cert script and add the -days 3650 to the openssl command that actually creates the certificate, otherwise it defaults to 30 days (have not yet figured this one out).
+===== Testing =====
+TODO.
+===== TODO =====
+  * Document configuration details. Certificates were made using the ssl-cert packages make-ssl-cert script. We had to edit the /usr/sbin/make-ssl-cert script and add the -days 3650 to the openssl command that actually creates the certificate, otherwise it defaults to 30 days (have not yet figured this one out).
+  * Make sure IMAP isn't filling up the log files again.
 ====== Alternative IMAP Servers ======
   * [[http://www.bincimap.org/ | BINC IMAP]] - looks simple yet robust; recommended by Matthew Porter
-  * [[http://www.courier-mta.org/imap/ | Courier IMAP]]
+  * [[http://www.dovecot.org/ | Dovecot]] - new, but in active development; concentrates on security, simplicity, speed, low memory use
   * [[http://www.washington.edu/imap/ | UW-IMAP]] - the original Open Source implementation
+  * [[http://asg.web.cmu.edu/cyrus/imapd/ | Cyrus IMAP]]

SLUUG Wiki

User Tools

Site Tools

Differences

Page Tools