Differences

This shows you the differences between two versions of the page.

--- build:imap [2005/11/04 18:53]
10.42.69.101
+++ build:imap [2008/04/06 23:20] (current)
24.217.108.17
@@ Line 3: / Line 3: @@
 We chose [[http://www.courier-mta.org/imap/ | Courier IMAP]] as our mail access agent (MAA) because it is easy to configure and maintain. It supports the IMAP4 and POP3 protocols, allowing mail user agents (MUAs) to get their email from the mail server. As the name suggests, IMAP is the primary protocol. IMAP has many advantages over POP; chief among them is support for folders, and keeping the emails on the server.
-TODO: Jeff Muse and Craig Buchek think we should move to Courier IMAP, as it's much easier to configure and maintain. Plus, there's good documentation on setting it up to work with Postfix at [[http://workaround.org/articles/ispmail-sarge]].
+We (Jeff Muse and Craig Buchek mainly) chose Courier IMAP, as it's much easier to configure and maintain than Cyrus. Plus, there's good documentation on setting it up to work with Postfix at [[http://workaround.org/articles/ispmail-sarge]] and other sites.
 (See [[http://www.xman.org/imap/pieces.shtml | this article]] for a description of all the pieces involved in email delivery.)
 ===== Installation =====
@@ Line 26: / Line 28: @@
 </code>
-TODO: Don't forget to create /etc/courier/pop3d.pem and /etc/courier/imapd.pem SSL certificates.
-TODO: Need to install on Budlight.
-TODO: Hook Postfix to deliver to Maildirs where Courier can pick it up.
-TODO: Test.
-====== Cyrus IMAP (OLD) ======
-We chose [[http://asg.web.cmu.edu/cyrus/imapd/ | Cyrus IMAP]] as our mail access agent (MAA). It supports the IMAP4, POP3, and KPOP protocols, allowing mail user agents (MUAs) to get their email from the mail server. As the name suggests, IMAP is the primary protocol. IMAP has many advantages over POP; chief among them is support for folders, and keeping the emails on the server.
-TODO: Jeff Muse and Craig Buchek think we should move to Courier IMAP, as it's much easier to configure and maintain. Plus, there's good documentation on setting it up to work with Postfix at [[http://workaround.org/articles/ispmail-sarge]].
-(See [[http://www.xman.org/imap/pieces.shtml | this article]] for a description of all the pieces involved in email delivery.)
-===== Installation =====
-We are using Cyrus IMAP version 2.1.17, thus you need to install the following packages:
+==== Security ====
+The courier installation creates a rather sparse certificate that identifies itself as localhost. It's OK as a start for a default installation but the certificate should be updated to contain the correct values. Here is how to do this:
-  * cyrus21-imapd
+First we need to get a good set of values into the imapd.cnf. This assumes that /etc/ssl/openssl.cnf has been modified to contain the default SLUUG values already, if not see [[http://wiki.sluug.org/build/security#ssl ]]
-  * cyrus21-pop3d
+<code>
-  * cyrus21-admin
+mv /etc/courier/imapd.cnf /etc/courier/imapd.cnf.ORIG
-  * cyrus21-client
+cp /etc/ssl/openssl.cnf /etc/courier/imapd.cnf
-  * cyrus21-common
+</code>
-  * cyrus21-doc (optional, but highly recommended)
-To manage user accounts, install the mailadmin package (you can get the Debianized version from the Sudora private repository, or download the tarball and manually install from the [[http://mailadmin.sf.net/ | mailadmin site]]).  This program requires PostgreSQL, PHP (php4-imap with register_global on in /etc/php4/apache/php.ini) and apache-ssl (highly recommended for security purposes).
+Next we should extend the time for the certificates for 10 years. The default is one year, which means a new certificate has to be created every year. I'm too lazy for that. To do this, edit the certificate creation script.
+<code>
+vi /usr/sbin/mkimapdcert
+</code>
-Certificates were made using the ssl-cert packages make-ssl-cert script.  We had to edit the /usr/sbin/make-ssl-cert script and add the -days 3650 to the openssl command that actually creates the certificate, otherwise it defaults to 30 days (have not yet figured this one out).
+Look for the values 365 and add a zero to the end so it is 3650 (ten years)
-Sieve is a server side mail filtering capability (similiar to procmail) that Cyrus implements.  The smartsieve package will need to be installed to allow the user to manage their sieve rules via a web interface.  Sieve is only usable when you retrieve your e-mail via IMAP, since POP3 does not support sub-folders.
+As a safety measure, the mkimapdcert script checks to see if a certificate already exists and will exit if it finds one. So we need to move the old certificate to the side. This is not necessary if that file is a link to /etc/courier/imapd.pem just delete the link.
+<code>
+mv /usr/lib/courier/imapd.pem /usr/lib/courier/imapd.ORIG
+</code>
+At this point everything should be in place to create a new cert, so run the script, if the openssl.cnf has been previously modified you can just hit enter all the way through to accept the defaults.
+<code>
+/usr/lib/courier/mkimapdcert
+</code>
+Now we have a shiny new certificate that has all the correct values such as bud.sluug.org instead of localhost. Put the cert in place.
+<code>
+mv /etc/courier/imapd.pem /etc/courier/imapd.pem.ORIG
+ln -s /usr/lib/courier/imapd.pem /etc/courier/
+</code>
+Courier only reads the certificate at start up, so we need to bump it.
+<code>
+/etc/init.d/courier-imap-ssl reload
+</code>
+The certificate should be ready to go now. Fire up a mail client and connect to bud.sluug.org and check the certificate that is offered for the correct values, ie bud.sluug.org instead of localhost.
+Here is the same thing for pop3d
+<code>
+vi /usr/lib/courier/mkpop3dcert                          # Change 365 to 3650
+mv /etc/courier/pop3d.cnf /etc/courier/pop3d.cnf.ORIG    # Save the old stuff, in case
+cp /etc/ssl/openssl.cnf /etc/courier/pop3d.cnf           # Get SLUUG default
+ls -l /usr/lib/courier/pop3d.pem                         # See if is a link
+rm /usr/lib/courier/pop3d.pem                            # Script won't run if this file exists
+/usr/lib/courier/mkpop3dcert                             # Run the cert script
+mv /etc/courier/pop3d.pem /etc/courier/pop3d.pem.ORIG    # Save the old stuff, in case
+ln -s /usr/lib/courier/pop3d.pem /etc/courier/           # Create link
+ls -l /etc/courier/                                      # Make sure is OK
+/etc/init.d/courier-pop-ssl restart                      # Reload the cert
+</code>
 ===== Configuration =====
-===== TODO =====
+TODO.
-  * Document configuration details.
+===== Startup =====
-  * Make sure IMAP isn't filling up the log files again. It was giving us errors like this, because OpenSSL wasn't configured correctly:
-  Mar  6 15:08:58 budlight cyrus/imapd[8947]: Fatal error: imaps: required OpenSSL options not present
-  Mar  6 15:08:59 budlight cyrus/pop3d[8950]: pop3s: required OpenSSL options not present
-  Mar  6 15:09:01 budlight cyrus/imapd[8951]: imaps: required OpenSSL options not present
-  Mar  6 15:09:02 budlight cyrus/imapd[8951]: Fatal error: imaps: required OpenSSL options not present
-  Mar  6 15:09:04 budlight cyrus/imapd[8954]: imaps: required OpenSSL options not present
-  * Document why we chose Cyrus over Courier IMAP and UW-IMAP.
+TODO.
-  * Review cyrus at <del>thornhill</del> library (do not delete)
-  * Install/configure mailadmin (or just use the command-line cyradm) and smartsieve packages.
+===== Testing =====
+TODO.
+===== TODO =====
+  * Document configuration details. Certificates were made using the ssl-cert packages make-ssl-cert script. We had to edit the /usr/sbin/make-ssl-cert script and add the -days 3650 to the openssl command that actually creates the certificate, otherwise it defaults to 30 days (have not yet figured this one out).
+  * Make sure IMAP isn't filling up the log files again.
 ====== Alternative IMAP Servers ======
   * [[http://www.bincimap.org/ | BINC IMAP]] - looks simple yet robust; recommended by Matthew Porter
-  * [[http://www.courier-mta.org/imap/ | Courier IMAP]]
+  * [[http://www.dovecot.org/ | Dovecot]] - new, but in active development; concentrates on security, simplicity, speed, low memory use
   * [[http://www.washington.edu/imap/ | UW-IMAP]] - the original Open Source implementation
+  * [[http://asg.web.cmu.edu/cyrus/imapd/ | Cyrus IMAP]]

SLUUG Wiki

User Tools

Site Tools

Differences

Page Tools