Monday, March 15, 2010

12. Postfix Installing and configuring Courier-Auth Libs, Courier-IMAP and POP3


    The Courier mail transfer agent (MTA) is an integrated mail/groupware server based on open commodity protocols, such as ESMTP, IMAP, POP3, LDAP, SSL, and HTTP. Courier provides ESMTP, IMAP, POP3, webmail, and mailing list services within a single, consistent framework. Individual components can be enabled or disabled at will. The Courier mail server now implements basic web-based calendaring and scheduling services integrated in the webmail module.
Installing Courier Auth Lib:
    The Courier Authentication Library is a generic authentication API that encapsulates the process of validating account passwords. In addition to reading the traditional account passwords from /etc/passwd, the account information can alternatively be obtained from an LDAP directory; a MySQL or a PostgreSQL database; or a GDBM or a DB file. The Courier authentication library must be installed before building any Courier packages that need direct access to mailboxes (in other words, all packages except for courier-sox and courier-analog).
    Here we will download, compile and install the courier-authlib source code for the authentication daemon. This provides the backend authentication required by both POP3 and IMAP. The source code can be downloaded from http://www.courier-mta.org/. Courier can be used with Sendmail, Qmail or Postfix. Courier-IMAP retrieves mail from Maildir format only; it does not support the old mbox format. Authentication mechanism using courier authlib:
    The MUA sends its credentials to the IMAP/POP3 server. The IMAP/POP3 server hands the request over to courier-authlib, which then queries the user database (/etc/passwd, LDAP, MySQL).
MUA -> IMAP/POP3 -> Courier authlib -> userdb
Installing courier auth libs
    Here we are interested in installing the Courier IMAP and POP3 servers. To accomplish this we first have to install the courier-auth libraries, so download authlib separately and install it.
# wget -O courier-authlib-0.63.0.tar.bz2 http://sourceforge.net/projects/courier/files/authlib/0.63.0/courier-authlib-0.63.0.tar.bz2/download
# tar -jxvf courier-authlib-0.63.0.tar.bz2
# cd courier-authlib-0.63.0
# su user
$ ./configure
$ make
$ su root
# make install
# make install-configure
    The entire process installs the binaries and configuration files. The binary named "authdaemond" under "/usr/local/sbin" runs as the authlib daemon. It consults the /usr/local/etc/authlib/authdaemonrc configuration file.
Starting the authlib daemon
# /usr/local/sbin/authdaemond start
# ps -ef |grep authdaemond
    The auth daemon is not bound to any TCP or UDP port (it listens on a local Unix domain socket), but it is ready to accept authentication requests from IMAP or POP3. If the auth daemon is not running, authentication in IMAP and POP3 will not work.
Installing courier imap (Installs the IMAP and POP3 service)
    Both the POP3 and IMAP services are installed with the courier-imap package.
Download the package from http://www.courier-mta.org/download.php#imap and install it.
# wget -O courier-imap-4.7.0.tar.bz2 https://sourceforge.net/projects/courier/files/imap/4.7.0/courier-imap-4.7.0.tar.bz2/download
# tar -jxvf courier-imap-4.7.0.tar.bz2
# cd courier-imap-4.7.0
# su user
If we need SSL support, the openssl and openssl-devel packages must be installed before running ./configure.

$ ./configure
$ make
$ su root
# make install
# make install-configure
    These steps finish the courier-imap installation. "/usr/lib/courier-imap" is the courier-imap installation directory; it contains the binaries, libraries, shared libraries and configuration files.
    Note: The default syslog facility used by courier-imap is "mail". This can be changed while compiling the binary.

Configuring and Running Courier-POP3
    Now we will configure Courier-POP3 for retrieval of mail.
The "/usr/lib/courier-imap/libexec" directory has the startup scripts pop3d.rc and pop3d-ssl.rc, which start the POP3 and POP3-SSL services respectively.
Starting the pop3 service
# cd /usr/lib/courier-imap/libexec
# ./pop3d.rc start
    This starts the POP3 service and binds it to port 110. Check that the service is running with the following command
# netstat -ntlp | grep 110
    Now test message retrieval with any MUA from outside using the POP3 protocol. By default Courier serves messages from the user's mailbox (Maildir); POP3 usually reads them from the "new" directory of the Maildir structure.

Implementing pop3-ssl
    Normal POP3 transmits messages in clear text over the wire. To transfer mail securely (encrypted) we have to run pop3-ssl. To accomplish this we have to generate a self-signed certificate, or purchase a certificate signed by a trusted certificate authority that our email clients trust.

Generating own self signed certificate:
    Courier-IMAP includes scripts to generate a self-signed certificate using openssl.
# cd /usr/lib/courier-imap/etc
    This directory contains a file called pop3d.cnf with the answers to the questions usually asked when generating a self-signed certificate with the script built into Courier.
# vim pop3d.cnf
    Change the parameters to suit our environment, e.g. locality, organization, organizational unit, host name, email address etc. Save the file and navigate to the directory containing the certificate-generation script.
# cd ../share
# ./mkpop3dcert

# ls pop3d.pem
    This generates the certificate pop3d.pem in the current directory, using the pop3d.cnf edited above.
Now navigate to the libexec directory and run the pop3d-ssl.rc script to start POP3 in secure mode. This binds port 995.
# cd /usr/lib/courier-imap/libexec
# ./pop3d-ssl.rc start
# netstat -tulpn |grep 995
    Now we can see the pop3s server started and running on port 995.
Test it in the MUA by changing the incoming POP3 server to use a secure connection (SSL); then send and receive mail after accepting the certificate.

Making the pop3 and pop3s service available at startup
Make a symbolic link in /etc/init.d.
# ln -s /usr/lib/courier-imap/libexec/pop3d.rc    /etc/init.d/
# ln -s /usr/lib/courier-imap/libexec/pop3d-ssl.rc    /etc/init.d/
# cd /etc/init.d
Now point to the runlevel in which to start the script. To start in runlevel 3:
# cd /etc/init.d/rc3.d
# ln -s ../pop3d.rc S20pop3d
# ln -s ../pop3d-ssl.rc S20pop3-ssld
    This creates a start script for the given runlevel. Make sure to create a kill (K) script in the same way, so the service is stopped when the system changes runlevel.

Configuring and running Courier-imap service
    The Courier-IMAP service startup scripts reside in the same location as the Courier-POP3 ones.
Starting the imap service
# cd /usr/lib/courier-imap/libexec
# ./imapd.rc start
# netstat -ntlp | grep 143
    This shows the IMAP service running and listening on port 143.
Configuring Courier-imap
    The configuration file is "/usr/lib/courier-imap/etc/imapd".
# vim /usr/lib/courier-imap/etc/imapd
    All directives are self-explanatory. This file configures the listening address, port, the number of daemons started when the binary starts, etc.
    Test mail retrieval by configuring the MUA with IMAP. The credentials given are matched by the server against /etc/passwd by default, and /etc/passwd is also the file that tells Courier where the Maildir resides (Courier looks for mail in the Maildir under the user's home directory). IMAP communicates in clear text by default.

Configuring Courier-imaps
    This enables encrypted communication with the help of SSL.
# vim /usr/lib/courier-imap/etc/imapd.cnf
    Edit the above file so the certificate is generated correctly: change the country, state, locality, organizational unit, common name, email address etc. Now generate the certificate
# /usr/lib/courier-imap/share/mkimapdcert
    This will create a certificate named imapd.pem.
Now start the imapd-ssl service
# /usr/lib/courier-imap/libexec/imapd-ssl.rc start
# netstat -ntlp |grep 993
    Most clients that support IMAP over SSL connect to port 993 by default. This port is configurable in "courier-imap/etc/imapd-ssl". Test the configuration by changing the incoming mail server to IMAP with SSL. Restart the client; it will prompt to accept the certificate before continuing.
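As an added example (not part of the original post or of Courier itself), the script below parses the shell-style imapd and imapd-ssl files described above and flags the two things worth checking before exposing the host: clear-text IMAP bound to every interface, and imapd-ssl enabled without a certificate. The sample file contents are constructed; the directive names (ADDRESS, PORT, MAXDAEMONS, IMAPDSTART, SSLPORT, IMAPDSSLSTART, TLS_CERTFILE) follow courier-imap's own config files and are not taken from this post.

```python
"""Audit courier-imap's imapd / imapd-ssl settings for clear-text exposure."""
import re
from typing import Dict, List

# Constructed samples modelled on /usr/lib/courier-imap/etc/imapd and imapd-ssl.
IMAPD_SAMPLE = """\
##NAME: ADDRESS:0
# Address to listen on; 0 means every interface.
ADDRESS=0
##NAME: PORT:1
PORT=143
MAXDAEMONS=40
IMAPDSTART=YES
"""
IMAPD_SSL_SAMPLE = """\
SSLPORT=993
IMAPDSSLSTART=YES
TLS_CERTFILE="/usr/lib/courier-imap/share/imapd.pem"
"""

_DIRECTIVE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*?)\s*$")

def parse_courier_conf(text: str) -> Dict[str, str]:
    """KEY -> value; '#' lines (including the ##NAME: markers that
    make install-configure uses to merge upgrades) are skipped."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            key, value = m.groups()
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                value = value[1:-1]  # drop shell quoting around the value
            conf[key] = value
    return conf

def audit(imapd: Dict[str, str], imapd_ssl: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: List[str] = []
    if imapd.get("IMAPDSTART", "NO").upper() == "YES" and imapd.get("ADDRESS", "0") in ("", "0", "0.0.0.0"):
        findings.append("clear-text IMAP on port %s bound to all interfaces; restrict ADDRESS or use imaps only" % imapd.get("PORT", "143"))
    if imapd_ssl.get("IMAPDSSLSTART", "NO").upper() != "YES":
        findings.append("imapd-ssl is not started; clients cannot use port %s" % imapd_ssl.get("SSLPORT", "993"))
    elif not imapd_ssl.get("TLS_CERTFILE"):
        findings.append("IMAPDSSLSTART=YES but TLS_CERTFILE is empty; run mkimapdcert first")
    for name, conf, default in (("PORT", imapd, "143"), ("SSLPORT", imapd_ssl, "993")):
        if not conf.get(name, default).isdigit():
            findings.append("%s=%r is not a port number" % (name, conf.get(name)))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_courier_conf(IMAPD_SAMPLE), parse_courier_conf(IMAPD_SSL_SAMPLE)):
        print("FINDING:", finding)
```

Point the parser at the real files under /usr/lib/courier-imap/etc (and the pop3d / pop3d-ssl equivalents, which use the same format) to audit a live install.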