IMAP:
- imap4 - University of Washington
- Cyrus - CMU IMAP server which does not require system user accounts.
Prerequisites:
It is assumed that the system has:
- Networking requirements configured: IP address, routing, internet connectivity, etc. See the YoLinux networking tutorial for more information.
- DNS MX records defining the mail server. See the YoLinux DNS/bind configuration tutorial.
- An appropriate MTA mail server installed such as sendmail. See the YoLinux Mail Transfer Agent (MTA) server software and sendmail configuration tutorial.
Older Red Hat systems came with the University of Washington (WU) release of POP and IMAP. Current Fedora Core, Red Hat Enterprise Linux (4) and CentOS (4) Linux distributions are shipped with Dovecot IMAP and POP. Both configurations are covered here:
Dovecot POP server configuration:
Required RPM packages: dovecot, postgresql-libs
See YoLinux Systems Administration tutorial on RPM and YUM package management.
Dovecot configuration file: /etc/dovecot.conf
Change only the protocols line. The rest of the file stays at its default (FC3):

    protocols = pop3
    imap_listen = [::]
    pop3_listen = [::]
    imaps_listen = [::]
    pop3s_listen = [::]
    ssl_cert_file = /usr/share/ssl/certs/dovecot.pem
    ssl_key_file = /usr/share/ssl/private/dovecot.pem
    login_dir = /var/run/dovecot-login
    login = pop3
    mbox_locks = fcntl
    auth = default
    auth_mechanisms = plain
    auth_userdb = passwd
    auth_passdb = pam
    auth_user = root
This configuration will use system logins to authenticate POP.
It will allow one to retrieve mail from the default mail repository on the mail server: /var/mail/user-id
[Potential Pitfall]: After a Dovecot upgrade the directive mail_extra_groups = mail is deprecated. Substitute: mail_privileged_group = mail
Dovecot was written by a security guru to be impenetrable to hackers.
Dovecot supports both Unix mbox and Maildir formats.
Start "dovecot" service: service dovecot start
See YoLinux tutorial on Linux services and system init process to configure dovecot to start upon system boot.
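The configuration above accepts PLAIN logins on the unencrypted port 110. The fragment below is an added example, not part of the tutorial, showing that weak setting beside a hardened alternative; it assumes the FC3-era Dovecot directive names used in the tutorial's dovecot.conf (disable_plaintext_auth is the one directive not shown on this page) and reuses the certificate paths listed above.

```ini
# Added example (not from the tutorial). Two alternative fragments for
# /etc/dovecot.conf; use one or the other, not both.

# WEAK (as listed above): POP3 on port 110 only, PLAIN mechanism, so the
# system password crosses the network readable by any packet sniffer.
protocols = pop3
auth_mechanisms = plain

# HARDENED: also serve POP3 over SSL on port 995 (pop3s) with the
# certificate paths from the tutorial, and refuse plaintext mechanisms
# on the unencrypted port. Clients must then use SSL/TLS to log in.
# (disable_plaintext_auth: assumed FC3-era directive name, not on this page.)
protocols = pop3 pop3s
ssl_cert_file = /usr/share/ssl/certs/dovecot.pem
ssl_key_file = /usr/share/ssl/private/dovecot.pem
disable_plaintext_auth = yes
auth_mechanisms = plain
```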
WU-POP server configuration:
This POP configuration tutorial is specific to the ipopd/imap
University of Washington release which ships with Red Hat 6-9.
Typically POP is controlled by the xinetd (Red Hat 7.x) or inet (Red Hat 5.x,6.x) daemon. To activate
the POP system, the service must be available as follows:
- The network port must be defined for POP in the /etc/services file:

    pop3    110/tcp    pop-3    # POP version 3
    pop3    110/udp    pop-3

Note that some of the other POP servers require that the service be named pop3 and NOT pop-3 as used here by the U of Washington pop3d server. Both names are defined here.
- inet/xinetd configuration:
- xinetd (Red Hat 7.x): The service is defined by the file: /etc/xinetd.d/ipop3.
To turn the service on:
- Edit the line and change from the default:
-
TO:
-
OR
- Execute the command: chkconfig ipop3 on
This command also restarts the xinetd process.
- inetd (Red Hat 6.x and older): The service must be defined in the /etc/inetd.conf file:

    pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d

By default, the RedHat installation may have a "#" at the beginning of the
line to comment out the definition. Remove the "#" to define the service.
- Restart the inet daemon to re-read the configuration file and enable the service.
To authenticate, ipop3d requires a system login.
See the YoLinux system admin tutorial covering the creation of user accounts.
If the accounts are e-mail only and you wish to refuse logins,
change the assigned shell in the /etc/passwd file to
/bin/false or see the
YoLinux web site configuration tutorial coverage of basic user security and disabling logins.
By default the user login and password are the same as the system login and password. This configuration is generally a bad idea, as all the text is transferred over the network in clear text (not encrypted). The idea gets even worse when you consider that this basic configuration uses system logins and passwords which match the pop3 login and password. The login (mailtest) and password (supersecret) are clearly visible. Check out the tcp stream captured below:
Alternate Authentication - APOP: Using a CRAM-MD5 data file.
This method is much better and I highly recommend it.
Take the following steps to create the CRAM-MD5 authentication database file:
- touch /etc/cram-md5.pwd
- chmod 0600 /etc/cram-md5.pwd : Passwords are held in the file as plain ASCII text, so protect the file from unauthorized viewers.
- Add to the file a user entry of the form: user-id <TAB> password
Lines beginning with the character '#' are considered comments.
For each user in the /etc/cram-md5.pwd file, there must also be an
entry in the /etc/passwd file.
The password used by ipop3d will be the password held in this CRAM-MD5 data
file and not the system login password.
While they can be the same I recommend that the user have no system login
password assigned but assign an ipop3 password in the file
/etc/cram-md5.pwd.
Also note the following Ethereal packet sniffing session listening in on the exchange between Netscape Messenger and ipop3d (U Washington). The login and password authentication is NOT clear text!!
Notes:
- A system user must still be added for every e-mail user. (Use the useradd command.)
- The mere presence of the file /etc/cram-md5.pwd and its contents
turns on this APOP authentication feature.
Nothing else needs to be configured for ipop3d to enter this mode.
- No browser settings in Netscape Communicator/Messenger
are required to invoke CRAM-MD5 authentication. It is strictly a server
configuration which is negotiated with the client.
- Once in this authentication mode the browser will assume encryption.
I ran a test where I deleted the /etc/cram-md5.pwd file and packet
sniffed the tcp stream for a regular system user. The login/password
exchange was still encrypted!
I then pointed my browser to my ISP which uses
clear text and the authentication scheme reverted to clear text and
stayed in this mode when going back to the regular user on my server.
The only way to get the system to invoke the encryption mode was to revert
back to using CRAM-MD5 authentication.
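To make concrete what the two captures above show (the clear-text USER/PASS stream, and the CRAM-MD5 exchange driven by /etc/cram-md5.pwd), here is an added Python example that is not part of the tutorial: it parses the password-file format described above, computes and verifies an RFC 2195 CRAM-MD5 response, shows what a sniffer decodes from that response, and flags USER/PASS commands in a captured client stream. The password file contents, the server challenge and the captured session are constructed sample data; mailtest/supersecret are the credentials the tutorial's own capture names.

```python
import base64
import hashlib
import hmac

# Constructed sample in the /etc/cram-md5.pwd format described above
# (user-id <TAB> password). Path is the tutorial's; contents are made up.
CRAM_MD5_PWD = "# user-id\tpassword\nmailtest\tsupersecret\n"
# Constructed server challenge (RFC 2195 form), base64 on the wire.
CHALLENGE_B64 = base64.b64encode(b"<1896.697170952@mail.example.com>").decode()
# Constructed clear-text client stream, as the sniffed session above shows it.
CLEARTEXT_SESSION = "USER mailtest\r\nPASS supersecret\r\nSTAT\r\nQUIT\r\n"

def load_cram_md5_pwd(text):
    """Parse user<TAB>password lines; lines beginning with '#' are comments."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, password = line.partition("\t")
        users[user] = password
    return users

def cram_md5_response(user, password, challenge_b64):
    """Client side: base64(user + ' ' + hex(HMAC-MD5(key=password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def cram_md5_verify(response_b64, challenge_b64, users):
    """Server side: recompute from the stored password and compare in constant time."""
    user = base64.b64decode(response_b64).decode().partition(" ")[0]
    if user not in users:
        return False
    expected = cram_md5_response(user, users[user], challenge_b64)
    return hmac.compare_digest(expected, response_b64)

def on_the_wire(response_b64):
    """What a sniffer decodes from the response: user and digest, never the password."""
    return base64.b64decode(response_b64).decode()

def cleartext_credentials(session):
    """Flag USER/PASS commands in a captured client stream: a simple detection check."""
    found = []
    for line in session.splitlines():
        cmd, _, arg = line.strip().partition(" ")
        if cmd.upper() in ("USER", "PASS"):
            found.append((cmd.upper(), arg))
    return found
```

Note that the challenge-response keeps the password off the wire but the server still needs it in plain form, which is why the tutorial insists on mode 0600 for /etc/cram-md5.pwd.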
WU-IMAP configuration: (Red Hat 6-9)
Typically IMAP is controlled by the inet daemon. To activate the IMAP system, the service must be available as follows:
- The network port must be defined in the /etc/services file:

    imap2   143/tcp    imap    # Interim Mail Access Proto v2
    imap2   143/udp    imap

- inet / xinetd configuration:
- xinetd (Red Hat 7.x): The service is defined by the file: /etc/xinetd.d/imap. To turn the service on, edit the line and change from the default:
-
TO:
-
- inetd (Red Hat 6.x and older): The service must be defined in the /etc/inetd.conf file:

    imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd

By default, the RedHat installation may have a "#" at the beginning of the
line to comment out the definition. Remove the "#" to define the service.
- Restart the inet daemon to re-read the configuration file and enable the service.
The Red Hat 7.1 installation will place documentation in the directory /usr/share/doc/imap-2000/.
- Mail received by the MTA sendmail is held in the directory/file: /var/spool/mail/system-user-id
All mail is held in a single file in "Mail Box" (mbox) format.
- RSA private key and certificate: /usr/share/ssl/certs/imapd.pem
- RFC 1939 - POP V3 - Post Office Protocol
- RFC 2449 - POP3 Extension Mechanism
- RFC 1957 - POP3 - Observations on Implementations
- RFC 2060 - IMAP - Internet Message Access Protocol - Version 4rev1
- RFC 1733 - Distributed Electronic Mail Models in IMAP4
- RFC 2180 - IMAP4 Multi-Accessed Mailbox Practice.
Books:
- "IMAP" by Dianna Mullet, Kevin Mullet; ISBN #059600012X, O'Reilly & Associates