Complete Virtual Mail Server/Courier-IMAP and Authentication Services

Introduction
Courier-IMAP will be used to provide both IMAP and POP3 services. To start with, only basic services will be supplied, after which they will be extended with SSL and SMTP authentication. Many will be interested mainly in IMAP, as POP3 is not used as much anymore. This is quite understandable, as IMAP has great advantages.

The major difference between POP3 and IMAP is that IMAP keeps messages on the server, whereas with POP3 the client retrieves the messages and they are then gone from the server. Keeping the messages on the server allows several clients to actively work with the same mailbox from different locations. The most basic example is webmail and a desktop client both accessing the same mailbox at the same time. Also, webmail clients in general strongly favor IMAP. The price this comes with is primarily disk space and processing power on the server. With disk space being as cheap as it is these days, 32Gb set aside purely for e-mail offers a lot of room for mail for hardly any cost. And if processing power is an issue, server-side searches, which generally account for most of it, can be disabled.

This chapter will mainly focus on IMAP, but includes POP3 for completeness' sake. Some research into the two protocols may be required if the choice is not yet certain.

Basic Installation
Both and  should have been pulled in already from the postfix emerge earlier. If for whatever reason this was not the case, emerge them both.

Configuration
Since there is no basic way to test courier-imap, changing the configuration to get credentials from the database is required first. Courier-imap cannot authenticate users by itself; its only purpose is to serve mail to a client from a maildir, just as postfix's only purpose is to deliver and relay mail. This is where courier-authlib comes in. It allows courier-imap to talk to other authentication systems, two of them being PostgreSQL and MySQL.

This is all about teaching authlib how to get the information from our backend database, whether it is PostgreSQL or MySQL.

Using PostgreSQL
Since courier-imap will be running on the same server as the database, a local unix socket will be used. Using a unix socket means omitting the PGSQL_HOST variable. Thus, if a remote database server is used, fill it in here.

If logins are done as user@domain.com instead of user, the value of PGSQL_LOGIN_FIELD needs to be changed from local_part to username.

For a more advanced authentication SQL statement, PGSQL_SELECT_CLAUSE can be used. Courier-authlib will then ignore the field parameters for the SELECT statement, but still uses them for counting the number of accounts and for changing passwords, so when a password is changed the username field is still used. If authentication is done against username, remember that usernames need to be unique.

Courier-authlib now needs to be linked to the postgres authentication module using the authmodulelist parameter in. Only authpgsql should be tried and used.

Using MySQL
Courier-authlib now needs to be linked to the mysql authentication module using the authmodulelist parameter in. Only authmysql should be tried and used.

File permissions
Finally, permissions must be set correctly, as the files contain sensitive password information.
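The sections above describe what the authlib rc file must contain and that it must be protected because it holds the database password. The script below, an added example and not part of the original page or of courier-authlib, is a pre-flight check of such a file: it verifies owner-only permissions, that the fields this setup relies on are set, that passwords are stored crypted rather than in a clear field, and reports which login form (user or user@domain) the PGSQL_LOGIN_FIELD value implies. The key names are the real courier-authlib ones; the sample authpgsqlrc written by demo_authrc is constructed, with placeholder values. It goes a little beyond the text: passing MYSQL instead of PGSQL checks an authmysqlrc the same way, since the field suffixes are identical.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight check for an
# authpgsqlrc / authmysqlrc file before authdaemond is started with it.

# rc_value FILE KEY : first whitespace-separated token after KEY (rc files use
# "KEY value" lines, '#' comments), empty if the key is absent
rc_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# check_authrc FILE PREFIX  (PREFIX is PGSQL or MYSQL)
# Prints every problem found and returns their number (0 = clean).
check_authrc() {
    rc=$1; p=$2; problems=0
    # 1. the file holds a database password: no group/other permission bits
    mode=$(ls -l "$rc" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "$rc: group/other permissions set ($mode); chmod 600 it"
        problems=$((problems + 1))
    fi
    # 2. fields this setup relies on (host is omitted on purpose: a local
    #    unix socket is used when PGSQL_HOST / MYSQL_SERVER is absent)
    for suffix in USERNAME DATABASE USER_TABLE LOGIN_FIELD HOME_FIELD UID_FIELD GID_FIELD; do
        if [ -z "$(rc_value "$rc" "${p}_$suffix")" ]; then
            echo "$rc: ${p}_$suffix is not set"
            problems=$((problems + 1))
        fi
    done
    # 3. password column: a crypt field is expected, a clear field is flagged
    if [ -n "$(rc_value "$rc" "${p}_CLEAR_PWFIELD")" ]; then
        echo "$rc: ${p}_CLEAR_PWFIELD is set: passwords would be stored in clear text"
        problems=$((problems + 1))
    elif [ -z "$(rc_value "$rc" "${p}_CRYPT_PWFIELD")" ]; then
        echo "$rc: neither ${p}_CRYPT_PWFIELD nor ${p}_CLEAR_PWFIELD is set"
        problems=$((problems + 1))
    fi
    # 4. the login field decides how clients have to log in
    case $(rc_value "$rc" "${p}_LOGIN_FIELD") in
        local_part) echo "note: clients log in with the bare user name" ;;
        username)   echo "note: clients log in as user@domain" ;;
    esac
    return $problems
}

# demo_authrc : writes a constructed authpgsqlrc into a temp dir and checks it
demo_authrc() {
    d=$(mktemp -d); f=$d/authpgsqlrc
    ( umask 077; cat > "$f" <<'EOF'
# constructed sample; local unix socket, so PGSQL_HOST is omitted
PGSQL_USERNAME      postfix
PGSQL_PASSWORD      placeholder-db-password
PGSQL_DATABASE      postfix
PGSQL_USER_TABLE    mailbox
PGSQL_CRYPT_PWFIELD password
PGSQL_UID_FIELD     '1000'
PGSQL_GID_FIELD     '1000'
PGSQL_LOGIN_FIELD   local_part
PGSQL_HOME_FIELD    '/home/vmail'
PGSQL_MAILDIR_FIELD maildir
EOF
    )
    check_authrc "$f" PGSQL
    status=$?
    rm -rf "$d"
    return $status
}
```

Run it as `check_authrc /etc/courier/authlib/authpgsqlrc PGSQL` (path assumed) before starting courier-authlib; a non-zero return means something in the list above needs fixing. The permission check insists on mode 600 because authdaemond reads the file itself and nothing else needs to.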

Starting courier-authlib
To test courier-authlib it must be running.

You may also consider adding courier-authlib to the default run-level.

Testing courier-authlib
Courier-authlib includes a simple testing utility. At minimum it requires a valid username as parameter. Don't hesitate to for details. The man page is short but concise.

Then perform several tests. The better the testing at this stage, the fewer hard-to-track-down problems further down the line.

Secure authentication
Thunderbird, amongst other mail clients, offers the option Use secure authentication. This allows the mail client to authenticate using CRAM-MD5 or Kerberos. Since all communication happens over an SSL/TLS encrypted connection, sending plain text passwords isn't an issue whatsoever. It could however be an alternative or addition, especially if no encryption is being used between the client and the host. Note that a challenge-response method such as CRAM-MD5 requires the server side to have the clear-text password available, so the database would then have to store passwords in clear text instead of crypted.

Configuration
POP3 and IMAP configuration files are separate, and both need to be edited. If POP3 should never be started, not even by accident, leave this set to NO. Otherwise a user could remove all messages that were supposed to stay on the server for IMAP use, by incorrectly configuring his mail client and purging the server of his mailbox that way.

Make sure that advanced features such as SORT, QUOTA and IDLE are enabled in the IMAP_CAPABILITY variable.

Testing
To test anything, courier-imap and courier-pop3d should be started.

Once started, telnet should be used to identify initial problems. Once logging in with telnet works, a mail client can be used.
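What the telnet session exchanges is not spelled out above, so here is the exchange scripted, as an added example that is not part of the original page: the *_script functions print the client side of an IMAP and a POP3 login (CRLF-terminated, as both protocols require), and the *_status functions read the server's replies and report how the login went. The sample transcript is constructed to have the shape of a courier-imap session (the real banner lists the full capability set) so the parsing can be exercised offline. This is for the plain ports on localhost only, as in the text: the password travels in clear text.

```shell
#!/bin/sh
# Added example, not from the original page: the telnet test as a repeatable
# script. Client side is generated, server side is checked.

# imap_login_script LOGIN PASSWORD : client lines for a login/list/logout
# (IMAP quoted strings: a password containing " or \ needs those escaped)
imap_login_script() {
    printf 'a1 LOGIN "%s" "%s"\r\n' "$1" "$2"
    printf 'a2 LIST "" "*"\r\n'      # listing folders proves the maildir is found
    printf 'a3 LOGOUT\r\n'
}

# imap_tag_status TAG : reads the server transcript on stdin and prints the
# status (OK, NO or BAD) of the reply carrying TAG, or NONE if it never came
imap_tag_status() {
    tr -d '\r' | awk -v tag="$1" '$1 == tag { print $2; found = 1 } END { if (!found) print "NONE" }'
}

# pop3_login_script USER PASSWORD : client lines for a POP3 login
pop3_login_script() {
    printf 'USER %s\r\n' "$1"
    printf 'PASS %s\r\n' "$2"
    printf 'STAT\r\n'                # message count and size, proves the maildir is readable
    printf 'QUIT\r\n'
}

# pop3_login_status : the reply to PASS is the third server line
# (greeting, reply to USER, reply to PASS); prints +OK or -ERR
pop3_login_status() {
    tr -d '\r' | awk 'NR == 3 { print $1; exit }'
}

# Constructed transcript of a successful courier-imap login, used offline.
sample_imap_transcript() {
    printf '%s\r\n' \
        '* OK [CAPABILITY IMAP4rev1 SORT QUOTA IDLE] Courier-IMAP ready.' \
        'a1 OK LOGIN Ok.' \
        '* LIST (\HasNoChildren) "." "INBOX"' \
        'a2 OK LIST completed' \
        '* BYE Courier-IMAP server shutting down' \
        'a3 OK LOGOUT completed'
}
```

Against a live server the pieces chain as `imap_login_script alice secret | nc localhost 143 | imap_tag_status a1`, and likewise `pop3_login_script alice secret | nc localhost 110 | pop3_login_status`. Some nc builds close the connection as soon as stdin ends; if the replies are cut off, give nc a short -q or -w delay. A NO on a1 (or -ERR on PASS) with a working authtest points at the authdaemon socket or the home/maildir fields rather than at the credentials.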

Now that imap and pop3 are working properly, change the DEBUG_LOGIN level to 0 in.

After initial testing has completed, shut down courier-imap and courier-pop3.

If webmail is being offered on the same host, courier-imap should be added to the startup runlevels. Webmail, as mentioned earlier, strongly favors imap, and when offered locally the speed penalty of using ssl secured imap is not worth it, as passwords only travel internally through the system. If webmail is being offered on a remote host, use imap-ssl only, unless the network in between is really trusted, which it almost never is.

If SSL services are not required on either pop3 or imap, skip to Generating Passwords; otherwise continue on how to add SSL certificates to the imap and pop3 server.

SSL Support
Offering IMAP over SSL is a really good idea. Using a CACert.org certificate is an even better idea. Even though the CACert.org root certificates are not yet included with thunderbird and firefox, it can make life a lot easier by only having to import that one root certificate into the users' browsers and mail clients. Otherwise the pop3, imap, https etc. certificates each need to be imported separately. Skipping over the Self signed section is recommended.

Self signed
Courier-IMAP comes with two easy scripts to generate self-signed SSL certificates, and. These scripts parse and respectively. It may be an idea to first use self-signed certificates and then swap those out for signed certificates, as it can make testing a little bit easier. If self-signed certificates are a must, edit the aforementioned files; otherwise the defaults will suffice.

Note that the two generated certificates are named and. If self-signed certificates are insisted upon, do not change the default paths in the config files pointing to these files in the next section, configuring courier-imap.

CACert.org signed
CACert.org offers a simple script to assist with generating SSL certificates. The csr script should be downloaded and executed. In this example, the mail server will be called imap but will have aliases configured in dns for mail, pop, pop3, pop3s, imaps and foo. More can be added as seen fit. Note that foo was added because that is the name of the system offering the imap service, not because the postfix, web or any other server is named foo.

The certificate request needs to be entered into the CACert website. Under Server Certificates is a New link which opens an edit box for the above certificate request. Make sure that the radio button is set to Sign by class 3 root certificate. Copy and paste the certificate signing request into the memo field and hit submit. The generated certificate will come up and will also be mailed to the email address bound to the cacert.org account.

Then, as stated by the script, copy and paste the key into the recommended file.

To get courier-imap-ssl to work with the certificate created, the pieces all need to be concatenated, with some glue at the bottom. The final file will be named. Firstly the file needs to contain the RSA private key from.

Then the certificate needs to be added.

And lastly DH parameters need to be added.

This should yield a file looking somewhat like this.
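The steps above build one PEM file in a fixed order: private key, then certificate, then DH parameters. The script below, an added example and not part of the original page or of courier-imap, does the concatenation with the file created unreadable to anyone but its owner (it contains the private key) and then checks the result before the config is pointed at it: exactly one private key, at least one certificate block, one DH parameter block, in that order. The file names are placeholders; in the demo the three inputs are constructed placeholder blocks with the right PEM headers, not real key material.

```shell
#!/bin/sh
# Added example, not from the original page: assemble and sanity-check the
# combined PEM file that courier's imapd-ssl / pop3d-ssl read.
#
# Real inputs would be the key and certificate from the CSR step above and
# DH parameters generated with, for instance:  openssl dhparam -out dh.pem 2048

# assemble_courier_pem KEYFILE CERTFILE DHFILE OUTFILE
# Concatenates in the order courier expects; the umask in the subshell makes
# the output 0600 from the moment it is created, not only after a later chmod.
assemble_courier_pem() {
    ( umask 077; cat "$1" "$2" "$3" > "$4" )
}

# check_courier_pem FILE
# Returns 0 when FILE holds one private key, then certificate block(s), then
# one DH parameter block; prints what is wrong and returns 1 otherwise.
check_courier_pem() {
    awk '
        /^-----BEGIN (RSA |EC )?PRIVATE KEY-----$/ { keys++;  order = order "K" }
        /^-----BEGIN CERTIFICATE-----$/            { certs++; order = order "C" }
        /^-----BEGIN DH PARAMETERS-----$/          { dhs++;   order = order "D" }
        END {
            if (keys != 1)  { print "expected one private key block, found " keys + 0; exit 1 }
            if (certs < 1)  { print "no certificate block";                          exit 1 }
            if (dhs != 1)   { print "expected one DH parameter block, found " dhs + 0; exit 1 }
            if (order !~ /^KC+D$/) { print "blocks out of order: " order;           exit 1 }
            exit 0
        }' "$1"
}

# write_placeholder_block FILE LABEL : constructed stand-in for a PEM block
# (correct headers, dummy body) so the demo runs without real key material
write_placeholder_block() {
    printf '%s\n' "-----BEGIN $2-----" "PLACEHOLDER-NOT-REAL-KEY-MATERIAL" "-----END $2-----" > "$1"
}

# demo_courier_pem : builds the combined file from placeholders and checks it
demo_courier_pem() {
    d=$(mktemp -d)
    write_placeholder_block "$d/key.pem"  "RSA PRIVATE KEY"
    write_placeholder_block "$d/cert.pem" "CERTIFICATE"
    write_placeholder_block "$d/dh.pem"   "DH PARAMETERS"
    assemble_courier_pem "$d/key.pem" "$d/cert.pem" "$d/dh.pem" "$d/imapd.pem" &&
        check_courier_pem "$d/imapd.pem"
    status=$?
    rm -rf "$d"
    return $status
}
```

The order check matters because courier reads the key and certificate from the same file: a file that is merely a superset of the right blocks, or has them in another order, fails at service start with an error that is easy to misread as a certificate problem.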

Configuring certificates
The final step is to tell courier-imap to use these certificates. In this example both pop3d-ssl and imapd-ssl use the same certificate. This is not required, and if imapd-ssl and pop3d-ssl were run on different servers it would be possible but not desirable.

Lastly restart the services and continue to testing to verify everything still works.

If everything works as desired add courier-imap-ssl to the startup scripts. Optionally if really desired add pop3d and pop3d-ssl.

Testing SSL
Testing becomes more difficult, as telnet cannot be used anymore (openssl s_client -connect host:993 does give a telnet-like session over SSL if one is needed). The best option is to start up a mail client such as thunderbird, configure a normal connection first to verify everything works, which it should as telnet worked properly before, and then enable the SSL option for the account and see that it still works. The default imap-ssl port is 993.

Generating Passwords
As the stored passwords are crypted, some way to encrypt them is required. One way of doing this is to use the postfixadmin front end for it. However, since there are situations where postfixadmin is not desirable or available, a simple snippet of php code can suffice. Unfortunately, even though courier-authlib supports functionality to change the user's password, this cannot be used through IMAP, and thus passwords have to be kept up to date manually. The quickest solution is to have a simple webform which will generate passwords for the user.

Save this file somewhere on a webserver where php scripts can be executed.
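Where no webserver is at hand, the same crypted password can be produced from the shell. The functions below are an added example, not the page's php snippet and not part of courier-authlib; they use openssl's passwd command, whose output is crypt(3)-compatible and therefore accepted in a crypt password column (PGSQL_CRYPT_PWFIELD / MYSQL_CRYPT_PWFIELD). The password is fed over stdin rather than as an argument so it does not show up in the process list. SHA-512 crypt ($6$) is used when the local openssl supports it (1.1.1 and later), with MD5 crypt ($1$) as the fallback for older builds. The verify function does what courier-authlib does on login: recompute with the stored salt and compare.

```shell
#!/bin/sh
# Added example, not from the original page: crypt-style password hashes for
# the mailbox table, plus the matching verification.

# courier_crypt_password PASSWORD [SALT]
# Prints a $6$ (SHA-512 crypt) hash, or a $1$ (MD5 crypt) hash if this openssl
# lacks -6. SALT is random when not given; passing one is only for tests.
courier_crypt_password() {
    pw=$1
    salt=${2:-$(openssl rand -hex 8)}                 # 16 chars, fine for $6$
    hash=$(printf '%s\n' "$pw" | openssl passwd -6 -salt "$salt" -stdin 2>/dev/null) &&
        [ -n "$hash" ] ||
        hash=$(printf '%s\n' "$pw" | openssl passwd -1 -salt "$(printf '%.8s' "$salt")" -stdin)
    printf '%s\n' "$hash"
}

# courier_check_password HASH PASSWORD
# Returns 0 when PASSWORD matches HASH: the salt and algorithm id are taken
# from the stored hash, the candidate is hashed the same way and compared.
courier_check_password() {
    stored=$1; pw=$2
    id=$(printf '%s' "$stored" | cut -d'$' -f2)       # 6 or 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    case $id in
        6) candidate=$(printf '%s\n' "$pw" | openssl passwd -6 -salt "$salt" -stdin) ;;
        1) candidate=$(printf '%s\n' "$pw" | openssl passwd -1 -salt "$salt" -stdin) ;;
        *) return 2 ;;                                # not a hash format we produce
    esac
    [ "$candidate" = "$stored" ]
}

# sql_update_password LOGIN HASH : prints the statement to store HASH for LOGIN
# in a postfixadmin-style mailbox table (table and column names assumed)
sql_update_password() {
    printf "UPDATE mailbox SET password = '%s' WHERE username = '%s';\n" "$2" "$1"
}
```

A typical run is `h=$(courier_crypt_password "$pw")` with the password read via `read -r pw` or `stty -echo`, followed by `sql_update_password alice@example.com "$h"` piped into psql or mysql. When a stored hash is a $1$ one, re-hashing it with $6$ on the user's next password change is worthwhile, as MD5 crypt is fast to brute-force by today's standards.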