Introduction
The purpose of this document is to provide detailed, easy-to-follow instructions for setting up a uniform, secure, and universally accessible e-mail system. To accomplish this, we'll use the IMAP protocol to maintain our e-mail folder structure on the server, and set up a secure webmail client to allow easy off-site access.
Prerequisites
- SMTP server (such as postfix or sendmail)
- PHP
- OpenSSL
- web server (preferably Apache) configured with SSL and PHP support
- xinetd (required for IMAP and POP3 connections)
Applications
- UW-IMAP - University of Washington IMAP and POP3 server: http://www.washington.edu/imap/
- Squirrelmail - webmail client: http://www.squirrelmail.org/
- *stunnel - TLS/SSL port wrapper: http://www.stunnel.org/
- **console mail client, such as mutt
*optional - may be required to encrypt POP3 and IMAP connections
**optional - provides console e-mail access on the server
Installation and Configuration
Where possible, I strongly recommend installing prepackaged binaries for your distribution.
- For Gentoo, emerge the uw-imap, squirrelmail, and stunnel packages.
- For Red Hat and Debian, install the appropriate RPM or DEB packages.
- See below for configuration details. I've also included information about building from source, in case that's necessary on your server.
UW-IMAP
Build and Install
$ make lnp SSLTYPE=unix SSLDIR=<openssl_basedir>
$ cp ipopd/ipop3d /usr/sbin/
$ cp imapd/imapd /usr/sbin/
Generate and Install your Certificates
$ openssl req -new -x509 -nodes -out imapd.pem -keyout imapd.pem -days 3650
$ openssl req -new -x509 -nodes -out ipop3d.pem -keyout ipop3d.pem -days 3650
Copy certificates to your ssl certs directory (eg., /usr/ssl/certs/)
Enable Mail Services
Make sure the following entries are present in /etc/services:
pop3 110/tcp
imap 143/tcp
imaps 993/tcp
pop3s 995/tcp
Configure xinetd
/etc/xinetd.d/imap:
service imap2
{
socket_type = stream
wait = no
user = root
server = /usr/sbin/imapd
log_on_success += DURATION HOST
log_on_failure += HOST
disable = yes #SET TO NO TO ENABLE UNENCRYPTED IMAP
}
/etc/xinetd.d/imaps:
service imaps
{
<same as above>
disable = no #SET TO YES TO DISABLE ENCRYPTED IMAP
}
/etc/xinetd.d/ipop3:
service pop3
{
socket_type = stream
wait = no
user = root
server = /usr/sbin/ipop3d
log_on_success += USERID
log_on_failure += USERID
disable = yes #SET TO NO TO ENABLE UNENCRYPTED POP3
}
/etc/xinetd.d/ipop3s:
service pop3s
{
<same as above>
disable = no #SET TO YES TO DISABLE ENCRYPTED POP3
}
Restart xinetd.
imapd and ipop3d should now be accepting secure connections. If either is not working correctly, see the stunnel section below. Also try running imapd and ipop3d without SSL; if that doesn't work either, there's a problem with your UW-IMAP install.
Squirrelmail
Install and Configure
- Extract archive into a directory under your htdocs folder
- Rename directory to something appropriate (eg., squirrelmail/, webmail/, etc.) and cd to it
- Make the data directory writable by the web server: chown -R <apache_UID>.<apache_GID> data (the Apache UID and GID can be found in your httpd.conf file)
Be sure to check out the available Squirrelmail Plugins. Plugins can greatly enhance the functionality of Squirrelmail. If there's a particular feature that you wish Squirrelmail had, chances are a plugin has been written to do it.
Run ./configure to customize Squirrelmail to your needs. Be sure to set:
- 2 - IMAP Server - localhost, port 143
- 2 - SMTP Server - probably localhost, port 25
- 2 - Server - uw
- 3 - Default Server Prefix - mail/
- 3 - Trash Folder - Trash
- 3 - Sent Folder - Sent
- 3 - Drafts Folder - Drafts
To login, browse to http://server/<squirrelmail>/, where <squirrelmail> is the name of the folder you extracted it to.
Due to the personal nature of e-mail, I'd also highly recommend that you restrict access to SSL connections only. To do this, add the following to your httpd.conf file and restart apache:
<Directory /home/httpd/htdocs/squirrelmail>
SSLRequireSSL
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Directory>
RewriteEngine on
RewriteRule ^/(.*):SSL$ https://%{SERVER_NAME}/$1 [R,L]
RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [R,L]
Change the <Directory> entry to your Squirrelmail directory. Note that this requires at least 128-bit SSL connections. Some older browsers (read IE) may not support this, so depending on your needs you may need to lower it. After this has been added to your httpd.conf file, all unencrypted connections (or those not meeting the key length requirement) will be given a Forbidden error.
stunnel
If you have problems getting either imaps or ipop3s to work correctly, you may need to wrap it with stunnel. I had to wrap ipop3s on my computer, although imaps worked fine as it was.
To install, extract archive and build with:
$ ./configure
$ make
$ make install
To wrap your daemon, edit your xinetd entry like the following:
/etc/xinetd.d/ipop3s:
service pop3s
{
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/sbin/stunnel
server_args = -p /usr/ssl/certs/ipop3d.pem -l /usr/sbin/ipop3d -- ipop3d
log_on_success += USERID
log_on_failure += USERID
disable = no
}
Configure imaps the same way.
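As an added check that is not part of the original guide, the following Python script parses xinetd service blocks like the ones in the UW-IMAP and stunnel sections and reports a plaintext imap/pop3 service left enabled, an imaps/pop3s service disabled, or a stunnel-wrapped service whose server_args lacks the -p certificate. The sample configuration is constructed, with pop3 deliberately left enabled.

```python
import re

# Plaintext services that should stay disabled, and their TLS counterparts.
PLAINTEXT = {"imap", "imap2", "pop3"}
ENCRYPTED = {"imaps", "pop3s"}

BLOCK_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r"^\s*(\w+)\s*(?:\+=|=)\s*(.*?)\s*$", re.M)


def parse_xinetd(text):
    """Return {service: {attribute: value}}; inline '#' comments are dropped."""
    services = {}
    for name, body in BLOCK_RE.findall(text):
        services[name] = {k: v.split("#", 1)[0].strip() for k, v in ATTR_RE.findall(body)}
    return services


def audit(services):
    """Findings against the intended state: plaintext off, TLS on, stunnel given a cert."""
    findings = []
    for name, attrs in services.items():
        enabled = attrs.get("disable", "no").lower() != "yes"  # xinetd default is enabled
        wrapped = attrs.get("server", "").endswith("stunnel")
        if name in PLAINTEXT and enabled:
            findings.append(f"{name}: unencrypted service is enabled")
        elif name in ENCRYPTED and not enabled:
            findings.append(f"{name}: encrypted service is disabled")
        elif name in ENCRYPTED and wrapped and "-p " not in attrs.get("server_args", ""):
            findings.append(f"{name}: stunnel wrapper has no -p <cert.pem>")
    return findings


# Constructed sample (three of the guide's files concatenated); pop3 was left enabled.
SAMPLE = """
service imap2
{
    server = /usr/sbin/imapd
    log_on_success += DURATION HOST
    disable = yes #SET TO NO TO ENABLE UNENCRYPTED IMAP
}
service pop3
{
    server = /usr/sbin/ipop3d
    disable = no
}
service pop3s
{
    server = /usr/sbin/stunnel
    server_args = -p /usr/ssl/certs/ipop3d.pem -l /usr/sbin/ipop3d -- ipop3d
    disable = no
}
"""
```

Run audit(parse_xinetd(text)) over the concatenated contents of /etc/xinetd.d/* before restarting xinetd; an empty list means the files match the intended state.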
Console mail client
If you'd like to be able to read your e-mail while logged in on the server console (whether locally, through SSH, etc.), you'll also need to install a console mail client. I use mutt, and it works fine in conjunction with Mozilla on my desktop and Squirrelmail through the web. Install like normal, but make one modification to your .muttrc file:
set record="~/mail/Sent"
Squirrelmail, Mozilla, etc. will store sent messages in Sent. This option will force mutt to do the same.
pine and other clients should also work fine, but may require some additional configuration.
Finished!
If all went well, you should be done. Fire up your preferred mail client, add a new IMAP account, and point it to your server. It should automatically read in your existing folder structure, any mail already there, etc. Squirrelmail and pine/mutt should automatically do the same the first time you start them.
Enjoy!