Universal E-Mail Access

Last Modified: Mon, 03/05/2007 - 18:20

Introduction

The purpose of this document is to provide detailed, easy-to-follow instructions for setting up a uniform, secure, and universally accessible e-mail system.  To accomplish this, we'll use the IMAP protocol to keep our e-mail folder structure on the server, and set up a secure webmail client to allow easy off-site access.

Prerequisites

Applications

*optional - may be required to encrypt POP3 and IMAP connections
**optional - provides console e-mail access on the server

Installation and Configuration

Where possible, I strongly recommend installing prepackaged binaries for your distribution.

  • For Gentoo, emerge the uw-imap, squirrelmail, and stunnel packages.
  • For Red Hat and Debian, install the appropriate RPM or DEB packages.
  • See below for configuration details.  I've also included information about building from source, in case that's necessary on your server.

UW-IMAP

Build and Install

$ make lnp SSLTYPE=unix SSLDIR=<openssl_basedir>
$ cp ipopd/ipop3d /usr/sbin/
$ cp imapd/imapd /usr/sbin/

Generate and Install your Certificates

$ openssl req -new -x509 -nodes -out imapd.pem -keyout imapd.pem -days 3650
$ openssl req -new -x509 -nodes -out ipop3d.pem -keyout ipop3d.pem -days 3650

Copy the certificates to your SSL certs directory (e.g., /usr/ssl/certs/).
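As an added example (not from the original page), the following script produces the same combined key-and-certificate file as the openssl commands above, but non-interactively, with owner-only permissions (since -nodes leaves the private key unencrypted) and with checks on the result. The host name mail.example.org and the file names are assumptions; it needs the openssl CLI installed.

```shell
#!/bin/sh
# Added example, not part of the original page: build the combined
# key+certificate PEM that UW-IMAP reads, non-interactively (-subj replaces
# the prompts of the openssl command above), keep it owner-only, and check it.
# Assumes the openssl CLI is installed; the host name is a constructed example.

# usage: make_combined_pem /path/imapd.pem mail.example.org
# Key and cert are written separately, then concatenated; -nodes leaves the
# key unencrypted, so the subshell umask keeps every file owner-readable only.
make_combined_pem() {
    out="$1"; host="$2"
    (
        umask 077
        openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
            -subj "/CN=$host" -keyout "$out.key" -out "$out.crt" 2>/dev/null &&
        cat "$out.key" "$out.crt" > "$out" &&
        rm -f "$out.key" "$out.crt" &&
        chmod 600 "$out"
    )
}

# Return 0 if the file holds exactly one private key and one certificate,
# which is what the daemon expects from a single PEM.
pem_is_complete() {
    [ "$(grep -c 'BEGIN .*PRIVATE KEY' "$1")" -eq 1 ] &&
    [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -eq 1 ]
}

# Return 0 if the file is readable by its owner only (mode 600 or 400).
pem_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Print subject and expiry so the CN can be compared with the name clients
# use, and renewal can be planned before notAfter.
pem_cert_summary() {
    openssl x509 -in "$1" -noout -subject -enddate
}

# Stand-alone run against a temporary file (skipped if openssl is absent).
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_combined_pem "$tmp/imapd.pem" mail.example.org
    pem_is_complete "$tmp/imapd.pem" && pem_is_private "$tmp/imapd.pem" &&
        pem_cert_summary "$tmp/imapd.pem"
    rm -rf "$tmp"
fi
```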

Enable Mail Services

Make sure the following entries are present in /etc/services:

pop3   110/tcp
imap   143/tcp
imaps  993/tcp
pop3s  995/tcp

Configure xinetd

/etc/xinetd.d/imap:
service imap2
{
   socket_type = stream
   wait = no
   user = root
   server = /usr/sbin/imapd
   log_on_success += DURATION HOST
   log_on_failure += HOST
   disable = yes  #SET TO NO TO ENABLE UNENCRYPTED IMAP
}
/etc/xinetd.d/imaps:
service imaps
{
   <same as above>
   disable = no    #SET TO YES TO DISABLE ENCRYPTED IMAP
}
/etc/xinetd.d/ipop3:
service pop3
{
   socket_type = stream
   wait = no
   user = root
   server = /usr/sbin/ipop3d
   log_on_success += USERID
   log_on_failure += USERID
   disable = yes  #SET TO NO TO ENABLE UNENCRYPTED POP3
}
/etc/xinetd.d/ipop3s:
service pop3s
{
   <same as above>
   disable = no  #SET TO YES TO DISABLE ENCRYPTED POP3
}

Restart xinetd.

imapd and ipop3d should now be accepting secure connections.  If either is not working correctly, see the stunnel section below.  Also try running imapd and ipop3d without SSL.  If that doesn't work either, then there's a problem with your UW-IMAP install.
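To confirm that only the encrypted services ended up enabled, here is an added example (not from the original page) that parses the /etc/xinetd.d stanza format shown above and fails if a plaintext imap, imap2 or pop3 service is enabled. The sample directory it builds is constructed from the stanzas above; point it at the real /etc/xinetd.d to audit a server.

```shell
#!/bin/sh
# Added example, not from the original page: audit a directory of xinetd
# stanzas (the /etc/xinetd.d/* layout shown above) and confirm that only the
# SSL-wrapped mail services are enabled. Assumes stanzas of the form
# "service NAME { ... disable = yes|no ... }" with "#" comments.

# Print "NAME enabled|disabled" for every stanza in the given directory.
# xinetd treats a missing "disable" line as enabled, so that is the default.
xinetd_service_states() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        sed 's/#.*//' "$f" | awk '
            $1 == "service" { name = $2; state = "enabled" }
            /^[[:space:]]*disable[[:space:]]*=/ {
                v = $0; sub(/^[[:space:]]*disable[[:space:]]*=[[:space:]]*/, "", v)
                state = (v ~ /^yes/) ? "disabled" : "enabled"
            }
            $1 == "}" { if (name != "") print name, state; name = "" }
        '
    done
}

# Exit 0 when no plaintext mail service (imap, imap2, pop3) is enabled,
# exit 1 otherwise, so it can gate a deployment script.
plaintext_mail_disabled() {
    xinetd_service_states "$1" | awk '
        ($1 == "imap" || $1 == "imap2" || $1 == "pop3") && $2 == "enabled" { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample input: the four stanzas from this page, reduced to the
# lines that matter, written to a temporary directory. Prints its path.
make_sample_xinetd_dir() {
    d=$(mktemp -d)
    printf 'service imap2\n{\n   server = /usr/sbin/imapd\n   disable = yes  #SET TO NO TO ENABLE UNENCRYPTED IMAP\n}\n' > "$d/imap"
    printf 'service imaps\n{\n   server = /usr/sbin/imapd\n   disable = no\n}\n' > "$d/imaps"
    printf 'service pop3\n{\n   server = /usr/sbin/ipop3d\n   disable = yes\n}\n' > "$d/ipop3"
    printf 'service pop3s\n{\n   server = /usr/sbin/stunnel\n   disable = no\n}\n' > "$d/ipop3s"
    echo "$d"
}

# Stand-alone run: list the sample services and give a verdict.
sample=$(make_sample_xinetd_dir)
xinetd_service_states "$sample"
if plaintext_mail_disabled "$sample"; then
    echo "OK: only encrypted mail services are enabled"
else
    echo "WARNING: a plaintext mail service is enabled"
fi
rm -rf "$sample"
```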

Squirrelmail

Install and Configure

  • Extract archive into a directory under your htdocs folder
  • Rename the directory to something appropriate (e.g., squirrelmail/, webmail/, etc.) and cd to it
  • chown -R <apache_UID>:<apache_GID> data
    • apache UID and GID can be found in your httpd.conf file
Tip:  Squirrelmail Plugins

Be sure to check out the available Squirrelmail Plugins.  Plugins can greatly enhance the functionality of Squirrelmail.  If there's a particular feature that you wish Squirrelmail had, chances are a plugin has been written to do it.

Run ./configure to customize Squirrelmail to your needs.  Be sure to set:

  • 2 - IMAP Server - localhost, port 143
  • 2 - SMTP Server - probably localhost, port 25
  • 2 - Server - uw
  • 3 - Default Server Prefix - mail/
  • 3 - Trash Folder - Trash
  • 3 - Sent Folder - Sent
  • 3 - Drafts Folder - Drafts

To login, browse to http://server/<squirrelmail>/, where <squirrelmail> is the name of the folder you extracted it to.

Due to the personal nature of e-mail, I'd also highly recommend that you restrict access to SSL connections only.  To do this, add the following to your httpd.conf file and restart apache:

<Directory /home/httpd/htdocs/squirrelmail>
   SSLRequireSSL
   SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Directory>
RewriteEngine on
RewriteRule  ^/(.*):SSL$  https://%{SERVER_NAME}/$1 [R,L]
RewriteRule  ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1  [R,L]

Change the <Directory> entry to your Squirrelmail directory.  Note that this requires at least 128-bit SSL connections.  Some older browsers (read: IE) may not support this, so depending on your needs you may need to lower it.  Once this has been added to your httpd.conf file, all unencrypted connections (or those not meeting the key-length requirement) will be given a Forbidden error.

stunnel

If you have problems getting either imaps or ipop3s to work correctly, you may need to wrap it with stunnel.  I had to wrap ipop3s on my computer, although imaps worked fine as it was.

To install, extract archive and build with:

$ ./configure
$ make
$ make install

To wrap your daemon, edit its xinetd entry as follows:

/etc/xinetd.d/ipop3s:
service pop3s
{
   socket_type = stream
   protocol = tcp
   wait = no
   user = root
   server = /usr/sbin/stunnel
   server_args = -p /usr/ssl/certs/ipop3d.pem -l /usr/sbin/ipop3d -- ipop3d
   log_on_success += USERID
   log_on_failure += USERID
   disable = no
}

Configure imaps the same way.

Console mail client

If you'd like to be able to read your e-mail while logged in on the server console (whether locally, through SSH, etc.), you'll also need to install a console mail client.  I use mutt, and it works fine in conjunction with Mozilla on my desktop and Squirrelmail through the web.  Install it as normal, but make one modification to your .muttrc file:

set record="~/mail/Sent"

Squirrelmail, Mozilla, etc. will store sent messages in Sent.  This option will force mutt to do the same.

pine and other clients should also work fine, but may require some additional configuration.

Finished!

If all went well, you should be done.  Fire up your preferred mail client, add a new IMAP account, and point it at your server.  It should automatically pick up your existing folder structure, any mail already there, and so on.  Squirrelmail and pine/mutt should automatically do the same the first time you start them.

Enjoy!
