Managing remote e-mail delivery

The knowledge areas are Courier IMAP and Courier POP configuration and also Dovecot configuration. The following is a partial list of the files, terms and utilities used:

/etc/courier/*
dovecot.conf

Courier IMAP and POP configuration

The Courier mail transfer agent (MTA) is an integrated mail/groupware server based on open commodity protocols, such as ESMTP, IMAP, POP3, LDAP, SSL, and HTTP. Courier provides ESMTP, IMAP, POP3, webmail, and mailing list services within a single, consistent framework. Individual components can be enabled or disabled at will. The Courier mail server now implements basic web-based calendaring and scheduling services integrated in the webmail module.

installation

The Courier IMAP source is available at http://www.courier-mta.org/imap/download.html, but for most popular Linux distributions an RPM package is available. Courier IMAP requires the Courier Authentication Library (courier-authlib), which is a separate library for authenticating users and for the creation of mailboxes.

Note

When compiling from source, keep in mind to do so as a regular user, not as root.

configuration

After installation the configuration files are located by default in /usr/lib/courier-imap/etc, where we find the imapd, imapd-ssl, pop3d and pop3d-ssl configuration files.

The default configuration files are well commented and should be self-explanatory. Read these default files when preparing for the exam.

system aliases

Since Courier doesn't deliver mail to root (for security reasons) we need to create system aliases. Courier comes with /usr/lib/courier/sbin/makealiases to create the required /usr/lib/courier/etc/aliases.dat. First create, e.g. using vi, the file /usr/lib/courier/etc/aliases/system.

An example of /usr/lib/courier/etc/aliases/system:

root         : postmaster
mailer-daemon: postmaster
MAILER-DAEMON: postmaster
uucp         : postmaster
postmaster   : admin

In this example the user admin gets all the mail addressed to root, mailer-daemon, MAILER-DAEMON, uucp and postmaster, because root, mailer-daemon, MAILER-DAEMON and uucp are aliased to postmaster, which in turn is aliased to admin.
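To make the chain visible, here is an added illustration (not Courier's makealiases) that parses the aliases/system example above in the 'alias: target' form shown and follows each alias to its final recipient; the loop detection is an extra the text does not discuss, since a chain like a -> b -> a would otherwise never terminate.

```python
# Constructed copy of the /usr/lib/courier/etc/aliases/system example above.
ALIASES_SYSTEM = """\
root         : postmaster
mailer-daemon: postmaster
MAILER-DAEMON: postmaster
uucp         : postmaster
postmaster   : admin
"""


def parse_aliases(text: str) -> dict:
    """One 'alias: target[, target...]' per line; blank lines and # comments are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, targets = line.partition(":")
        if not sep:
            raise ValueError(f"malformed alias line: {line!r}")
        table[name.strip()] = [t.strip() for t in targets.split(",") if t.strip()]
    return table


def resolve(table: dict, name: str, _path: tuple = ()) -> list:
    """Follow an alias chain to the names mail is finally delivered to.
    A name that is not itself an alias is a final recipient; a loop raises
    instead of recursing forever."""
    if name in _path:
        raise ValueError("alias loop: " + " -> ".join(_path + (name,)))
    if name not in table:
        return [name]
    final = []
    for target in table[name]:
        final.extend(resolve(table, target, _path + (name,)))
    return final


def who_reaches(table: dict, recipient: str) -> list:
    """Every alias whose mail ends up in recipient's mailbox, sorted."""
    return sorted(a for a in table if recipient in resolve(table, a))


if __name__ == "__main__":
    table = parse_aliases(ALIASES_SYSTEM)
    for alias in table:
        print(f"{alias:14s} -> {', '.join(resolve(table, alias))}")
    print("admin receives mail for:", ", ".join(who_reaches(table, "admin")))
```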

Dovecot

Dovecot is an open source IMAP and POP3 email server for Linux/UNIX-like systems, written with security primarily in mind. Dovecot claims that it is an excellent choice for both small and large installations.

The configuration of Dovecot can be found in /etc/dovecot.conf and we need to configure several parameters: authentication, mailbox location, SSL settings and the configuration as POP3 server.

authentication

Dovecot is capable of using several password database backends, such as PAM, BSDAuth, LDAP, passwd, and SQL databases like MySQL, PostgreSQL and SQLite. The most common is PAM authentication. The PAM configuration is usually in /etc/pam.d; by default Dovecot uses dovecot as the PAM service name. Here is an example of /etc/pam.d/dovecot:

auth    required        pam_unix.so nullok
account required        pam_unix.so

The method used by clients to send the login credentials to the server is configured via the mechanisms parameter. The simplest authentication mechanism is PLAIN: the client simply sends the password unencrypted to Dovecot. All clients support the PLAIN mechanism, but obviously there's the problem that anyone listening on the network can steal the password. For that reason (and some others) other mechanisms were implemented. SSL/TLS encryption can be used to secure the PLAIN authentication mechanism, since the password is then sent over an encrypted stream.

Non-plaintext mechanisms have been designed to be safe to use even without SSL/TLS encryption. Because of how they are designed, they require access to the plaintext password or to their own special hashed version of it. This means that it's impossible to use non-plaintext mechanisms with the commonly used DES or MD5 password hashes. With success/failure password databases (e.g. PAM) it's not possible to use non-plaintext mechanisms at all, because such databases only support verifying a known plaintext password. Dovecot supports the following non-plaintext mechanisms: CRAM-MD5, DIGEST-MD5, APOP, NTLM, GSS-SPNEGO, GSSAPI, RPA, ANONYMOUS, OTP, SKEY and EXTERNAL. By default only the PLAIN mechanism is enabled. You can change this by modifying dovecot.conf:

auth default {
  mechanisms = plain login cram-md5
  # ..
}
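The difference between PLAIN and a non-plaintext mechanism, and why the latter needs the plaintext password on the server side, is easiest to see by working one exchange through. The following is an added example (not Dovecot's code) that implements CRAM-MD5 (RFC 2195) on both sides with a constructed user/password pair; the passdb dict and the host name in the challenge are assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credentials, not a real account.
USER, PASSWORD = "alice", "s3cret-pass"

def plain_response(user: str, password: str) -> bytes:
    """PLAIN (RFC 4616): base64 of NUL user NUL password; the password is in the clear."""
    return base64.b64encode(f"\0{user}\0{password}".encode())

def cram_md5_challenge(host: str = "mail.example.test") -> bytes:
    """Server side of CRAM-MD5 (RFC 2195): a fresh, unique challenge string."""
    return f"<{secrets.randbits(32)}.{secrets.randbits(32)}@{host}>".encode()

def cram_md5_response(user: str, password: str, challenge: bytes) -> bytes:
    """Client side: base64 of 'user hex(HMAC-MD5(key=password, msg=challenge))'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def cram_md5_verify(response: bytes, challenge: bytes, passdb: dict) -> bool:
    """Server side: recompute the HMAC with whatever secret the password database stores.
    This only works when that secret is the plaintext password; a one-way hash of the
    password (DES/MD5 crypt style) cannot be turned back into the HMAC key."""
    user, _, digest = base64.b64decode(response).decode().partition(" ")
    secret = passdb.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def md5_hash_only(password: str) -> str:
    """What a passdb that keeps only an MD5 hash of the password holds."""
    return hashlib.md5(password.encode()).hexdigest()

def password_on_wire(wire: bytes, password: str) -> bool:
    """An observer's check on a captured, base64-decoded message: is the password in it?"""
    return password.encode() in base64.b64decode(wire)

if __name__ == "__main__":
    chal = cram_md5_challenge()
    resp = cram_md5_response(USER, PASSWORD, chal)
    print("PLAIN exposes password:   ", password_on_wire(plain_response(USER, PASSWORD), PASSWORD))
    print("CRAM-MD5 exposes password:", password_on_wire(resp, PASSWORD))
    print("verify, plaintext passdb: ", cram_md5_verify(resp, chal, {USER: PASSWORD}))
    print("verify, md5-hash passdb:  ", cram_md5_verify(resp, chal, {USER: md5_hash_only(PASSWORD)}))
```

The last two lines are the point of the text above: the same response verifies against a plaintext passdb and fails against one that stores only a hash, which is why CRAM-MD5 cannot be combined with PAM or with DES/MD5 password hashes.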

mailbox location

Using the mail_location parameter in /etc/dovecot.conf we can configure which mailbox location we want to use.

mail_location = maildir:~/Maildir

or

mail_location = mbox:~/mail:INBOX=/var/mail/%u

In the second case the INBOX is stored in /var/mail/%u, where %u is replaced by the username.

SSL

Before Dovecot can use SSL, the SSL certificates need to be created and Dovecot must be configured to use them.

Dovecot includes a script in doc/mkcert.sh to create self-signed SSL certificates:

#!/bin/sh

# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.

OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/ssl}
OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}

CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private

CERTFILE=$CERTDIR/dovecot.pem
KEYFILE=$KEYDIR/dovecot.pem

if [ ! -d $CERTDIR ]; then
  echo "$SSLDIR/certs directory doesn't exist"
  exit 1
fi

if [ ! -d $KEYDIR ]; then
  echo "$SSLDIR/private directory doesn't exist"
  exit 1
fi

if [ -f $CERTFILE ]; then
  echo "$CERTFILE already exists, won't overwrite"
  exit 1
fi

if [ -f $KEYFILE ]; then
  echo "$KEYFILE already exists, won't overwrite"
  exit 1
fi

$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
chmod 0600 $KEYFILE
echo 
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2

POP3 server

Although Dovecot is primarily designed as an IMAP server, it works fine as a POP3 server, but it isn't optimized for that. The POP3 specification requires that message sizes are reported exactly as the message is sent, with CRLF line endings, whereas Maildir stores linefeeds as plain LF characters. Simply getting the file size therefore returns a wrong POP3 message size.
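As an added illustration of that size problem (not Dovecot's code), the following computes the size POP3 has to report for a constructed Maildir message and compares it with the raw file size. It also reads the ',W=<n>' field that Dovecot can put in Maildir filenames to cache this CRLF size; that field is a Dovecot convention assumed here, not something the text above mentions.

```python
import os
import re
import tempfile

# Constructed sample message exactly as a Maildir file stores it: bare LF line endings.
SAMPLE = (b"From: alice@example.test\n"
          b"To: bob@example.test\n"
          b"Subject: sizes\n"
          b"\n"
          b"first line\n"
          b"second line\n")

_VSIZE = re.compile(r",W=(\d+)")


def pop3_size(raw: bytes) -> int:
    """Octets of the message as POP3 sends it (RFC 1939): every line ends in CRLF.
    Lines that already end in CRLF are not counted twice."""
    normalized = raw.replace(b"\r\n", b"\n")
    return len(normalized) + normalized.count(b"\n")


def vsize_from_filename(name: str):
    """Cached CRLF size from a Dovecot-style ',W=<n>' filename field, or None if absent."""
    m = _VSIZE.search(name)
    return int(m.group(1)) if m else None


def maildir_sizes(path: str) -> dict:
    """Naive file size versus the size POP3 has to report for one Maildir message file,
    using the cached W= value when the filename carries one and scanning the file otherwise."""
    cached = vsize_from_filename(os.path.basename(path))
    if cached is None:
        with open(path, "rb") as f:
            cached = pop3_size(f.read())
    return {"file_size": os.path.getsize(path), "pop3_size": cached}


def demo() -> dict:
    """Write the sample into a temporary Maildir-style cur/ file (no W= field) and compare."""
    with tempfile.TemporaryDirectory() as d:
        cur = os.path.join(d, "cur")
        os.mkdir(cur)
        path = os.path.join(cur, "1700000000.M1P2.host,S=%d:2,S" % len(SAMPLE))
        with open(path, "wb") as f:
            f.write(SAMPLE)
        return maildir_sizes(path)


if __name__ == "__main__":
    print(demo())  # pop3_size exceeds file_size by exactly one byte per line
```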

When using mbox instead of Maildir, the index files are updated when a POP3 session starts and then include all messages; after the user has deleted all mail, they are updated again to contain zero messages. When using Dovecot as a POP3 server you might want to consider disabling or limiting the use of the index files with the mbox_min_index_size setting.

Copyright Snow B.V. The Netherlands