Exim4 with Courier IMAP using Maildirs
Install Exim4
To install
apt-get install exim4
When you run the install you will be presented with some configuration screens. If you already have the current version of exim installed, you will not be presented with these screens; in that case run
dpkg-reconfigure exim4-config
Here are the answers we are assuming:
Do you want to split up the configuration file ==> Yes
General type of mail configuration ==> Internet site
System mail name ==> fqdn
IP-addresses to listen on ==> 127.0.0.1:your ip
Other destinations ==> domain name TLD
Domains to relay for ==>
Machines to relay for ==> your network e.g. 194.22.232.0/24
Keep number of DNS-queries minimal ==> No
Configuring Exim4 for Maildir Delivery
Edit /etc/exim4/update-exim4.conf.conf and add the option dc_localdelivery=maildir_home to the end of the file.
Now restart Exim4
/etc/init.d/exim4 reload
Now to test send yourself a message
echo "Test" | mail -s "Test Message" youremailaddress
This does two things: it tests that exim is configured properly and it also creates the Maildir directory in your home directory. To verify that it works:
tail /var/log/exim4/mainlog
2006-09-12 14:23:05 1GNCuX-0000UZ-I3 <= root@somehost.someplace.net U=root P=local S=838
2006-09-12 14:23:05 1GNCuX-0000UZ-I3 => /var/mail/mail R=local_user T=address_file
2006-09-12 14:23:05 1GNCuX-0000UZ-I3 Completed
It Works!
Configuring New Mail Notification
If you'd like to continue to receive the notification "You have new mail.", you need to modify several files.
First, /etc/login.defs. You will want to locate the QMAIL_DIR and MAIL_FILE environment variables and uncomment them. Then, comment out the MAIL_DIR environment variable. The value of MAIL_FILE will be appended to the user's home directory, such that the MAIL environment variable becomes defined as MAIL=$HOME/$MAIL_FILE, which is what you want. An example follows.
QMAIL_DIR Maildir/
#MAIL_DIR /var/mail
MAIL_FILE Maildir/
Second, modify your /etc/pam.d/login to receive new mail notifications when you log in on the console. Your /etc/pam.d/login with the correct options for pam_mail.so should look like the example below.
session optional pam_mail.so standard noenv dir=~/Maildir
Last, you need to make a similar modification to /etc/pam.d/ssh so you receive new mail notifications when you log in via ssh. In order for the MAIL environment variable to be set correctly, you must ensure that the noenv option is not passed to pam_mail.so.
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard dir=~/Maildir # [1]
Now you can enjoy mail notifications whenever you login to your mail server.
Configuring TLS and Authentication
Exim4 supports TLS for verifying the authenticity of host and client, encryption of the whole SMTP transaction, and a variety of user authentication schemes. The two most common scenarios are discussed here: authentication on the server, so that users can initiate a session from a remote network with TLS as the transport, and authenticating with a smarthost over TLS. Many, many other possibilities exist.
Using TLS and Authentication Tokens on the Server
While not strictly necessary for authentication, I consider using TLS a prerequisite for enabling the usage of authentication tokens, the classic user login and password in this instance. Thus, let's configure TLS support for Exim4 first, then configure an authentication scheme.
To enable TLS, we will need an X.509 certificate. If you already have a paid-for certificate, simply copy the appropriate files to /etc/exim4/exim.crt and /etc/exim4/exim.key respectively. Otherwise, let's make a pair now.
The hostname ought to match your mail host's fully qualified hostname, but need not. It's only fatal if you bail on a certificate verification failure, which is not the default.
/usr/share/doc/exim4-base/examples/exim-gencert
Next, let Exim4 know about your new certificate. Edit (create) /etc/exim4/conf.d/main/00_local_settings and include the line:
MAIN_TLS_ENABLE = true
Now update the exim4 config and restart exim
update-exim4.conf;/etc/init.d/exim4 restart
To verify TLS has been successfully configured, let's install an excellent diagnostic tool named swaks. With swaks, you can interrogate your mail server in ways you never imagined!
apt-get install swaks libnet-ssleay-perl
It's easy to verify whether TLS is working or not.
swaks -a -tls -q HELO -s localhost -au emailname -ap '<>'
=== Trying localhost:25...
=== Connected to localhost.
<- 220 somehost.somehost.net ESMTP Exim 4.50 Wed, 13 Sep 2006 10:56:06 -0400
-> EHLO somehost.somehost.net
<- 250-somehost.somehost.net Hello localhost [127.0.0.1]
<- 250-SIZE 52428800
<- 250-PIPELINING
<- 250-STARTTLS
<- 250 HELP
-> STARTTLS
<- 220 TLS go ahead
=== TLS started w/ cipher DHE-RSA-AES256-SHA
~> EHLO somehost.somehost.net
<~ 250-somehost.somehost.net Hello localhost [127.0.0.1]
<~ 250-SIZE 52428800
<~ 250-PIPELINING
<~ 250-AUTH PLAIN
<~ 250 HELP
~> QUIT
<~ 221 somehost.somehost.net closing connection
Above, we connect to our Exim4 daemon locally, start an authentication session, and force TLS. A username and an empty password are supplied to avoid any command line prompts from swaks. The result, above, shows initiating TLS succeeded. Next, we'll add support for an authentication scheme.
With Exim4 you can use a variety of authentication schemes and token backing stores. For a few users with shell access, and thus an entry in /etc/passwd, the easiest to configure is SASL. Once installed, it will use PAM to handle password authentication.
apt-get install sasl2-bin
To allow the saslauthd daemon to run at start, we need to edit /etc/default/saslauthd and uncomment START.
Now, let's start the daemon.
/etc/init.d/saslauthd start
With SASL's daemon running, now we can uncomment the configuration stanza in /etc/exim4/conf.d/auth/30_exim4-config_examples listed below that enables support for authentication via saslauthd using the PLAIN authentication scheme. Not all clients necessarily support LOGIN, though you may wish to uncomment LOGIN, too. Most mail clients consider authentication schemes in the order they're presented to the client.
# Authenticate against local passwords using sasl2-bin
# Requires exim_uid to be a member of sasl group, see README.SMTP-AUTH
plain_saslauthd_server:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
  server_set_id = $2
  server_prompts = :
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif
As indicated above, once you've uncommented the plain_saslauthd_server, it's necessary to add the user that Exim4 runs as to the sasl group so it can speak with saslauthd.
adduser Debian-exim sasl
Adding user `Debian-exim' to group `sasl'... Done.
Now update the exim4 config and restart exim
update-exim4.conf;/etc/init.d/exim4 restart
Let's test our new server configuration again with swaks, actually performing authentication by specifying a valid username and password before closing the connection after successful authentication.
swaks -a -tls -q AUTH -s localhost -au username
Password: passwd
=== Trying localhost:25...
=== Connected to localhost.
<- 220 somehost.somenetwork.net ESMTP Exim 4.50 Wed, 13 Sep 2006 11:02:00 -0400
-> EHLO somehost.somenetwork.net
<- 250-somehost.somenetwork.net Hello localhost [127.0.0.1]
<- 250-SIZE 52428800
<- 250-PIPELINING
<- 250-STARTTLS
<- 250 HELP
-> STARTTLS
<- 220 TLS go ahead
=== TLS started w/ cipher DHE-RSA-AES256-SHA
~> EHLO somehost.somenetwork.net
<~ 250-somehost.somenetwork.net Hello localhost [127.0.0.1]
<~ 250-SIZE 52428800
<~ 250-PIPELINING
<~ 250-AUTH PLAIN
<~ 250 HELP
~> AUTH PLAIN AHRvbXcAdGlnMzM3
<~ 235 Authentication succeeded
~> QUIT
<~ 221 somehost.somenetwork.net closing connection
If everything has been configured correctly, as demonstrated above with swaks, we notice AUTH PLAIN is available and selected. Further, the password prompted for on the command line is used to successfully authenticate with Exim4. Now relaying will be permitted for any user after successful authentication and the exchange will take place over TLS.
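The property that the server_advertise_condition stanza is meant to enforce is visible in a swaks transcript: AUTH must appear only in the EHLO response received after STARTTLS, never in the one received in the clear. The script below, an added example that is not part of this howto, checks that property over three constructed transcripts (a correct server, one that advertises AUTH before TLS, and one with no authenticator enabled). The hostnames and transcripts are made up for the example; on a real server feed it the captured output of the swaks command shown above.

```sh
#!/bin/sh
# Added example, not part of the original howto: check a swaks transcript for
# the property the server_advertise_condition above is meant to enforce, namely
# that AUTH is offered only after STARTTLS. In swaks output "<-" marks server
# lines received in the clear and "<~" marks server lines received inside TLS.
# The three transcripts below are constructed for this example.

# A correctly configured server: AUTH PLAIN appears only in the second EHLO.
GOOD_TRANSCRIPT='=== Connected to localhost.
<- 220 somehost.example.net ESMTP Exim 4.50
-> EHLO somehost.example.net
<- 250-somehost.example.net Hello localhost [127.0.0.1]
<- 250-STARTTLS
<- 250 HELP
-> STARTTLS
<- 220 TLS go ahead
~> EHLO somehost.example.net
<~ 250-somehost.example.net Hello localhost [127.0.0.1]
<~ 250-AUTH PLAIN
<~ 250 HELP'

# A server that advertises AUTH before TLS, so a password could travel in clear.
BAD_TRANSCRIPT='=== Connected to localhost.
<- 220 somehost.example.net ESMTP Exim 4.50
-> EHLO somehost.example.net
<- 250-somehost.example.net Hello localhost [127.0.0.1]
<- 250-AUTH PLAIN LOGIN
<- 250-STARTTLS
<- 250 HELP
-> STARTTLS
<- 220 TLS go ahead
~> EHLO somehost.example.net
<~ 250-AUTH PLAIN LOGIN
<~ 250 HELP'

# A server with no authenticator enabled at all (stanza still commented out).
NOAUTH_TRANSCRIPT='=== Connected to localhost.
<- 250-STARTTLS
<- 220 TLS go ahead
<~ 250-somehost.example.net Hello localhost [127.0.0.1]
<~ 250 HELP'

# Returns 0 when AUTH is advertised only on encrypted server lines,
# 1 when it is advertised in the clear, 2 when it is never advertised.
auth_only_after_tls() {
    printf '%s\n' "$1" | awk '
        /^<-[ ]+250[- ]AUTH/ { clear = 1 }
        /^<~[ ]+250[- ]AUTH/ { tls = 1 }
        END {
            if (clear) exit 1
            if (!tls) exit 2
            exit 0
        }'
}

# Print a verdict without letting a failing check abort the script.
report() {
    rc=0
    auth_only_after_tls "$2" || rc=$?
    case $rc in
        0) echo "$1: ok, AUTH advertised only inside TLS" ;;
        1) echo "$1: WEAK, AUTH advertised before STARTTLS (check AUTH_SERVER_ALLOW_NOTLS_PASSWORDS)" ;;
        *) echo "$1: no AUTH advertised at all, authenticator not enabled?" ;;
    esac
}

report good   "$GOOD_TRANSCRIPT"
report bad    "$BAD_TRANSCRIPT"
report noauth "$NOAUTH_TRANSCRIPT"
```

On the server itself, auth_only_after_tls "$(swaks -a -tls -q HELO -s localhost -au emailname -ap '<>' 2>&1)" runs the same check against the live daemon; a return code of 1 means passwords can be sent before the session is encrypted.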
Configuring Exim4 to authenticate itself using SMTP authentication is quite easy. You merely need to populate /etc/exim4/passwd.client with a hostname, username, password triplet. The password is specified in plain text, so ensure the file is not world readable.
### CONFDIR/passwd.client
#
# Format:
#targetmailserver.example:login:password
#
# default entry:
### *:bar:foo
someplace.net:username:passwd
As indicated above, someplace.net is the hostname of the SMTP server we wish to authenticate with over TLS using the LOGIN, PLAIN, or CRAM-MD5 authentication mechanism. The username and password follow, all separated by colons.
By default on Debian GNU/Linux Sarge, Exim4 will disallow SMTP-AUTH via either LOGIN or PLAIN if TLS has not been successfully negotiated. You can disable this behavior by setting AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS in /etc/exim4/exim4.conf.template, but don't do that.
Sending a test message and looking in /var/log/exim4/mainlog should indicate successful authentication and sending of the message.
echo "test" | mail -s "test" someuser@someplace.net;tail -f /var/log/exim4/mainlog
2006-09-13 11:07:54 1GNWLC-0004rG-9c <= root@somehost.somenetwork.net U=root P=local S=320
2006-09-13 11:07:54 1GNWLC-0004rG-9c => someuser@someplace.net R=dnslookup T=remote_smtp H=mail.someplace.net [122.13.36.34] X=TLS-1.0:RSA_AES_256_CBC_SHA:32
2006-09-13 11:07:54 1GNWLC-0004rG-9c Completed
...
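Because passwd.client holds a plaintext password, two things are worth checking after editing it: that nobody but root and the Exim user can read it, and that the commented-out "*" entry was not accidentally enabled, since a wildcard host field sends the same credentials to whichever server Exim happens to authenticate to. The script below is an added example, not part of this howto; it builds a good and a bad copy of the file in a temporary directory and audits both. The file name, mode 0640 and owner root:Debian-exim are the Debian package's conventions; everything else is constructed.

```sh
#!/bin/sh
# Added example, not from the original howto: check that a passwd.client file
# keeps its plaintext credentials away from other local users and carries no
# live wildcard entry. The two sample files are constructed under a temporary
# directory; on a real server the file is /etc/exim4/passwd.client.

# Returns 0 when the "other" permission bits are all clear (the package ships
# the file as root:Debian-exim mode 0640), 1 when anyone on the host can read
# or write it, 2 when the file does not exist.
passwd_client_private() {
    [ -f "$1" ] || return 2
    others=$(ls -ld "$1" | cut -c8-10)
    [ "$others" = "---" ]
}

# Print live (uncommented) entries whose host field is "*". Such an entry
# hands the same login and password to every server Exim authenticates to,
# not only the smarthost it was meant for.
passwd_client_wildcards() {
    grep -v '^[[:space:]]*#' "$1" | awk -F: '$1 == "*" { print }'
}

# Run both checks and print a verdict; returns 1 if anything is wrong.
audit_passwd_client() {
    file=$1; rc=0
    if ! passwd_client_private "$file"; then
        echo "$file: WEAK, readable by other users (expected mode 0640, owner root:Debian-exim)"
        rc=1
    fi
    wild=$(passwd_client_wildcards "$file")
    if [ -n "$wild" ]; then
        echo "$file: WEAK, wildcard entry sends credentials to any host: $wild"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$file: ok"
    return "$rc"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# As documented above: the default "*" entry left commented out, mode 0640.
cat > "$workdir/passwd.client.good" <<'EOF'
# *:bar:foo
someplace.net:username:passwd
EOF
chmod 640 "$workdir/passwd.client.good"

# World-readable and with the wildcard entry switched on.
cat > "$workdir/passwd.client.bad" <<'EOF'
*:bar:foo
someplace.net:username:passwd
EOF
chmod 644 "$workdir/passwd.client.bad"

for f in good bad; do
    audit_passwd_client "$workdir/passwd.client.$f" || :
done
```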
Installing and Configuring Courier IMAP
Install the following packages via apt-get. Pulling down courier-imap and courier-imap-ssl should fetch courier-base and the other related files for you.
apt-get install courier-imap courier-imap-ssl
During installation, debconf will prompt you to answer some questions regarding the initial configuration of Courier IMAP. For the remainder of this guide, it is assumed you have chosen not to "Create directories for web-based administration". You will also be asked "Path to user's Maildir directory". The default of Maildir is correct.
Configuring Courier IMAP
There is not much you need to change. In fact, you probably do not need to change anything at all. There are a few options you may wish to toy with in /etc/courier/imapd.
You may wish to enable IMAP_CHECK_ALL_FOLDERS if you filter new mail into folders other than your regular inbox. You can enable the IMAP_ENHANCEDIDLE option. Enhanced idle mode notifies all clients immediately when any changes to a folder occur. Ordinarily, a client may not be aware of a change to a folder until it is refreshed. You must install the fam package for it to work, as it relies on the File Access Monitor daemon. You can install the package via the usual method:
apt-get install fam
If you choose not to install fam, you can still use IMAP_ENHANCEDIDLE, but instead Courier IMAP will poll for changes every 60 seconds for folders opened by IMAP clients.
Testing your Courier IMAP setup
Before going through the process of configuring IMAP clients, let's verify that your setup does indeed work. The default Courier-IMAP configuration should work right out of the box. Telnet to your IMAP server as shown below, issue the commands shown, and verify the server's response. (imap2 is port 143, if you're curious.)
telnet 127.0.0.1 imap2
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.
AB LOGIN "user" "secret"
AB OK LOGIN Ok.
BC SELECT "Inbox"
* FLAGS (\Draft \Answered ... \Recent)
* OK [PERMANENTFLAGS (\* \Draft \Answered ... \Seen)] Limited
* 13 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1026858715] Ok
* OK [MYRIGHTS "acdilrsw"] ACL
BC OK [READ-WRITE] Ok
ZZZZ LOGOUT
* BYE Courier-IMAP server shutting down
ZZZZ OK LOGOUT completed
Connection closed by foreign host.
Make sure you substitute your username and password for the dummy values above, and note that the AB, BC, et al. are part of the IMAP protocol and are required, though any sequence of letters will do. (Also, be amused that the actual logout command is indeed ZZZZ LOGOUT -- Someone had a sense of humor.)
Creating an X.509 Certificate for TLS Connections
The SSL package for Courier IMAP will generate a generic X.509 certificate for you using the mkimapdcert command. If you are going to use a key signed by a certificate authority (CA), such as Thawte Consulting or Verisign, you can safely replace the generated certificate with your own. In either case, you must have a fully qualified domain name assigned to the IP address Courier IMAP will listen on for TLS/SSL to function correctly.
The certificate generated by mkimapdcert is /etc/courier/imapd.pem, owned by the root user and the root group and readable only by said user. The configuration file used to generate the X.509 certificate is /etc/courier/imapd.cnf, which is the file you will want to edit to generate a personalized, in-house certificate if you do not require one signed by a certificate authority.
RANDFILE = /usr/lib/courier/imapd.rand

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=US
ST=NY
L=New York
O=Courier Mail Server
OU=Automatically-generated IMAP SSL key
CN=localhost
emailAddress=postmaster@example.com

[ cert_type ]
nsCertType = server
The default imapd.cnf is, in fact, a standard OpenSSL configuration for generating a self signed certificate. Full details are available in the OpenSSL man pages, specifically req(1).
You must change the common name (CN) to that of the fully qualified hostname assigned to the IP address Courier IMAP will be listening on, or you will receive a certificate mismatch error when connecting with an IMAP and SSL compatible mail client. The remaining fields, Country (C), State (ST), Location (L), Organization (O), Organizational Unit (OU), and emailAddress are self explanatory and need not be specific values.
When you are happy with the values you have chosen, run mkimapdcert as root to generate a new X.509 certificate. This will create a certificate (imapd.pem) in /usr/lib/courier/. You have to remove the existing imapd.pem first, or no new certificate will be created.
rm /usr/lib/courier/imapd.pem
mkimapdcert
Generating a 2048 bit RSA private key
...
subject= /C=US/ST=GA/L=Gainesville/O=The Vortex/OU=Automatically-generated IMAP SSL key/CN=host.example.com/emailAddress=user@example.com
notBefore=Sep 27 23:35:31 2004 GMT
notAfter=Sep 27 23:35:31 2005 GMT
MD5 Fingerprint=FA:09:9D:04:A7:04:4A:E9:23:91:09:2A:A7:6C:DF:20
You will notice that the generated certificate will expire in one year. If you need more time, you can modify /usr/sbin/mkimapdcert directly, as it is just a shell script. You can increase the number of days to a value you find more reasonable.
#! /bin/sh
...
# -days controls the certificate lifetime; the continuation backslashes are required
/usr/bin/openssl req -new -x509 -days 365 -nodes \
    -config /etc/courier/imapd.cnf -out /usr/lib/courier/imapd.pem \
    -keyout /usr/lib/courier/imapd.pem || cleanup
...
If a year is not enough, select an appropriate value and generate your X.509 certificate.
Preventing Unencrypted Communications
If you do not wish to allow clients to communicate with Courier IMAP without using encryption, you can require Transport Layer Security (TLS). Edit /etc/courier/imapd-ssl and change IMAP_TLS_REQUIRED to 1. Additionally, if all your clients support TLS, you can disable listening on port 993 and not use SSL.
# Ok, the following settings are new to imapd-ssl:
#
# Whether or not to start IMAP over SSL on simap port:
IMAPDSSLSTART=NO
##NAME: IMAPDSTARTTLS:0
#
# Whether or not to implement IMAP STARTTLS extension instead:
IMAPDSTARTTLS=YES
##NAME: IMAP_TLS_REQUIRED:1
#
# Set IMAP_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone.
# (this option advertises the LOGINDISABLED IMAP capability, until STARTTLS
# is issued).
IMAP_TLS_REQUIRED=1
The configuration above disables access to port 993 entirely and requires encryption or clients cannot connect to port 143.
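Two things can be checked mechanically here: that the imapd-ssl file really carries IMAPDSTARTTLS=YES and IMAP_TLS_REQUIRED=1 (the last assignment in the file wins, and the "##NAME:" annotation lines must not be mistaken for settings), and that the server's greeting now lists LOGINDISABLED next to STARTTLS, which is the effect the comment above promises. The script below is an added example, not part of this howto or of Courier: it writes a package-default and a hardened imapd-ssl fragment to a temporary directory, audits both, and classifies two constructed greeting lines. The file contents and greetings are made up for the example; on a real host point courier_setting at /etc/courier/imapd-ssl and paste in the first line telnet prints.

```sh
#!/bin/sh
# Added example, not from the original howto: audit an imapd-ssl style file for
# the "encryption required" settings above, and check an IMAP greeting for the
# LOGINDISABLED capability those settings are supposed to produce. The two
# sample files and the two greetings are constructed for this example.

# Print the effective value of $2 from shell-style KEY=VALUE file $1: comment
# lines (including Courier's "##NAME:" annotations) are ignored and the last
# assignment wins, which is how the file behaves when it is sourced.
courier_setting() {
    sed -n "s/^[[:space:]]*$2=\(.*\)/\1/p" "$1" |
        sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/' | tail -n 1
}

# Returns 0 when plaintext LOGIN on port 143 is refused: STARTTLS is
# implemented and required. Returns 1 for the package default.
imap_requires_tls() {
    [ "$(courier_setting "$1" IMAPDSTARTTLS)" = "YES" ] &&
    [ "$(courier_setting "$1" IMAP_TLS_REQUIRED)" = "1" ]
}

# Returns 0 when token $2 appears in the space-separated capability list $1.
has_capability() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# Returns 0 when an IMAP greeting line advertises both STARTTLS and
# LOGINDISABLED, i.e. the server will not accept LOGIN until TLS is up.
greeting_requires_tls() {
    caps=$(printf '%s\n' "$1" | sed -n 's/^\* OK \[CAPABILITY \([^]]*\)].*/\1/p')
    has_capability "$caps" STARTTLS && has_capability "$caps" LOGINDISABLED
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Package default: SSL on 993 plus optional STARTTLS on 143, plaintext LOGIN allowed.
cat > "$workdir/imapd-ssl.default" <<'EOF'
##NAME: IMAPDSSLSTART:0
IMAPDSSLSTART=YES
##NAME: IMAPDSTARTTLS:0
IMAPDSTARTTLS=YES
##NAME: IMAP_TLS_REQUIRED:1
# Set IMAP_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone.
IMAP_TLS_REQUIRED=0
EOF

# Hardened version from the text: no port 993, STARTTLS mandatory on 143.
cat > "$workdir/imapd-ssl.hardened" <<'EOF'
IMAPDSSLSTART=NO
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
EOF

# Greeting shapes without and with IMAP_TLS_REQUIRED=1 (constructed).
GREETING_OPEN='* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE IDLE STARTTLS] Courier-IMAP ready.'
GREETING_TLS_ONLY='* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE IDLE STARTTLS LOGINDISABLED] Courier-IMAP ready.'

for f in default hardened; do
    if imap_requires_tls "$workdir/imapd-ssl.$f"; then
        echo "imapd-ssl.$f: ok, plaintext LOGIN refused until STARTTLS"
    else
        echo "imapd-ssl.$f: WEAK, plaintext LOGIN accepted on port 143"
    fi
done
for g in "$GREETING_OPEN" "$GREETING_TLS_ONLY"; do
    if greeting_requires_tls "$g"; then
        echo "greeting advertises LOGINDISABLED: TLS required"
    else
        echo "greeting lacks LOGINDISABLED: TLS optional"
    fi
done
```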
Restart courier and exim4
/etc/init.d/courier-authdaemon restart
/etc/init.d/courier-imap restart
/etc/init.d/courier-imap-ssl restart
/etc/init.d/exim4 restart
Now there is only one issue left -- each user must have a Maildir created in their home directory. This can be accomplished by sending each one an email or by running maildirmake on each home directory. You can also add the Maildir to the new user skeleton by running
maildirmake /etc/skel/Maildir
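For the accounts that already exist, the script below, an added example that is not part of this howto, walks a passwd file and creates a Maildir (cur, new and tmp, mode 0700 so other local users cannot read the spool) for every real account that has a home directory but no Maildir yet, exactly what maildirmake would do per directory. It works on a constructed passwd file and temporary home directories so it can be run anywhere; the uid cut-off of 1000 and the sample accounts are assumptions.

```sh
#!/bin/sh
# Added example, not from the original howto: give every real account a
# Maildir the way maildirmake would (cur/new/tmp, mode 0700 so other local
# users cannot read the spool), skipping accounts that already have one.
# A constructed passwd file under a temporary directory stands in for
# /etc/passwd so the script runs anywhere; MIN_UID is an assumption.

MIN_UID=1000

# Create HOME/Maildir with cur, new and tmp. $1 = home directory, $2 = owner.
# Returns 0 when the Maildir exists afterwards, 1 when the home is missing
# or a directory could not be created.
make_maildir() {
    home=$1; owner=$2
    [ -d "$home" ] || return 1
    for d in "" /cur /new /tmp; do
        [ -d "$home/Maildir$d" ] || mkdir -m 700 "$home/Maildir$d" || return 1
    done
    # Hand the directories to the account when run as root for a real user;
    # otherwise (as in this example) they stay owned by whoever ran the script.
    if [ "$(id -u)" = 0 ] && id "$owner" >/dev/null 2>&1; then
        chown -R "$owner" "$home/Maildir" || return 1
    fi
    return 0
}

# Print "user:home" for each account in passwd-format file $1 with uid >= MIN_UID
# whose home directory exists but holds no Maildir yet.
accounts_missing_maildir() {
    awk -F: -v min="$MIN_UID" '$3 >= min && $6 != "" { print $1 ":" $6 }' "$1" |
    while IFS=: read -r user home; do
        if [ -d "$home" ] && [ ! -d "$home/Maildir/new" ]; then
            echo "$user:$home"
        fi
    done
    return 0
}

# Provision a Maildir for every account reported by accounts_missing_maildir.
provision_maildirs() {
    accounts_missing_maildir "$1" | while IFS=: read -r user home; do
        if make_maildir "$home" "$user"; then
            echo "created Maildir for $user in $home"
        else
            echo "could not create Maildir for $user in $home" >&2
        fi
    done
}

# Constructed sample environment: two homes, one of which already has a Maildir,
# plus an account whose home directory does not exist (it is left alone).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
mkdir "$workdir/alice" "$workdir/bob"
mkdir -p "$workdir/bob/Maildir/cur" "$workdir/bob/Maildir/new" "$workdir/bob/Maildir/tmp"
cat > "$workdir/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
Debian-exim:x:102:102::/var/spool/exim4:/bin/false
alice:x:1000:1000:Alice:$workdir/alice:/bin/bash
bob:x:1001:1001:Bob:$workdir/bob:/bin/bash
carol:x:1002:1002:Carol:$workdir/carol:/bin/bash
EOF

provision_maildirs "$workdir/passwd"
```

On a real host, provision_maildirs /etc/passwd as root does the same for every existing user, and make_maildir /etc/skel root seeds the skeleton so future accounts start with one.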
That should do it.
