Linux e-Mail Retrieval Software:
POP:
- Dovecot IMAP/POP: Comes with Fedora Core, Red Hat Enterprise 4, CentOS 4.
- ipop3d: University of Washington - Stock Red Hat 6-9 POP server (part of the IMAP software release). There is no formal documentation; download the Red Hat source RPM (part of the imap-2000 source RPM) and review the code for more information.
- Cyrus: Included with imapd.
- cucipop - Very configurable. Better for controlling load and access.
- qpopper - Qualcomm's POP server.
- PWSERVE - Servers for Eudora's Change Password command.
- GNU pop3d
- POPular - Uses a proxy architecture to distribute load among many servers and thus scale to handle a large number of users.
- TeaPOP - RFC 1939 and RFC 2449 compliant POP3 server with virtual domain support.
IMAP:
- imap4 - University of Washington
- Cyrus - CMU IMAP server which does not require system user accounts.
Prerequisites:
It is assumed that the system has:
- Networking requirements configured: IP address, routing, internet connectivity, etc. See the YoLinux networking tutorial for more information.
- DNS MX records defining the mail server. See the YoLinux DNS/bind configuration tutorial.
- An appropriate MTA mail server installed, such as sendmail. See the YoLinux Mail Transfer Agent (MTA) server software and sendmail configuration tutorial.
Older Red Hat systems came with the University of Washington (WU) release of POP and IMAP. Current Fedora Core, Red Hat Enterprise Linux (4) and CentOS (4) distributions ship with Dovecot IMAP and POP. Both configurations are covered here:
Dovecot POP server configuration:
Required Packages:
- RPM packages (Red Hat, Fedora, CentOS): dovecot, postgresql-libs
See YoLinux Systems Administration tutorial on RPM and YUM package management.
- Debian/Ubuntu: apt-get install dovecot-pop3d
Dovecot configuration file examples:
- Red Hat / Fedora: /etc/dovecot.conf
- Ubuntu 8.04: /etc/dovecot/dovecot.conf
These examples are for POP retrieval of e-mail using clear text authentication. Authentication in these examples is against the user logins in /etc/passwd.
Advanced configurations are possible, authenticating against a SQL database, LDAP or Dovecot's own authentication backends.
Dovecot can also be configured to use chroot, SSL encryption, limit simultaneous connections, set mailbox and file locations and log formats, set custom greetings, etc.
Red Hat EL5 / CentOS 5: (dovecot 1.0.7)
protocols = pop3                 # Add imap imaps pop3 pop3s to support other protocols
protocol imap {
}
protocol pop3 {
}
auth default {
  mechanisms = plain
  passdb pam {                   # Uses PAM configuration in /etc/pam.d/dovecot
  }
  userdb passwd {                # Uses local login/password file /etc/passwd
  }
  user = root                    # required for PAM based authentication
}
dict {
}
plugin {
}
Ubuntu 8.04: (dovecot 1.0.10)
protocols = pop3
listen = *
ssl_disable = yes                # Set to "no" to use SSL/TLS; this requires a certificate and private key
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
# Grant access to these extra groups for mail processes. Typical use would be
# to give "mail" group write access to /var/mail to be able to create dotlocks.
# deprecated: mail_extra_groups = mail
mail_privileged_group = mail
protocol imap {
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv  # Dovecot's default. Can be set to mimic other POP servers
}
auth default {
  mechanisms = plain
  passdb pam {
  }
  userdb passwd {                # Uses local login/password file /etc/passwd
  }
  user = root                    # required for PAM based authentication
}
plugin {
}
Fedora 3: (dovecot 0.99.13)
protocols = pop3                 # Change only this line. Rest of file stays as default (FC3)
imap_listen = [::]               # IPv6 interfaces
pop3_listen = [::]
imaps_listen = [::]
pop3s_listen = [::]
ssl_cert_file = /usr/share/ssl/certs/dovecot.pem
ssl_key_file = /usr/share/ssl/private/dovecot.pem
login_dir = /var/run/dovecot-login
login = pop3
mbox_locks = fcntl
auth = default
auth_mechanisms = plain
auth_userdb = passwd
auth_passdb = pam
auth_user = root
...
This configuration uses system logins to authenticate POP.
It allows users to retrieve mail from the default mail repository on the mail server: /var/mail/user-id
[Potential Pitfall]: On a Dovecot upgrade, the directive mail_extra_groups = mail is deprecated. Substitute: mail_privileged_group = mail
[Potential Pitfall]: If using NFS to share mail files, use Dovecot v1.1 or later.
Dovecot was written by a security guru with the goal of being impenetrable to hackers.
Dovecot supports both Unix mbox and Maildir formats.
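The examples above deliberately allow clear text logins: ssl_disable = yes together with disable_plaintext_auth = no means a POP client's password crosses the network unencrypted. As an added example (not part of this tutorial and not Dovecot project code), the following Python script parses configuration written in the same "key = value" and "section name { }" shape as the excerpts above and reports that combination, with a second, hardened configuration beside the weak one for comparison. Both embedded configurations are constructed for the example; the certificate and key paths in the hardened one are placeholders, and the values it assumes when a key is absent (ssl_disable = no, disable_plaintext_auth = yes) are the Dovecot 1.x defaults.

```python
"""Audit Dovecot 1.x settings for clear-text POP/IMAP authentication.

Added example, not from the YoLinux tutorial or the Dovecot project.  It parses
the flat "key = value" and "section name { ... }" syntax of dovecot.conf and
reports the combination of settings that sends passwords in clear text.
Both sample configurations are constructed; certificate paths are placeholders.
"""
import re
from typing import Dict, List

# Constructed sample: the clear-text POP setup used in the tutorial's examples.
WEAK_CONF = """\
protocols = pop3
listen = *
ssl_disable = yes
disable_plaintext_auth = no
auth default {
  mechanisms = plain
  passdb pam {
  }
  userdb passwd {
  }
  user = root
}
"""

# Constructed sample: the same server with SSL/TLS enabled and plain logins
# refused on unencrypted connections.  The .pem paths are placeholders.
HARDENED_CONF = """\
protocols = pop3 pop3s
listen = *
ssl_disable = no
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem     # placeholder
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem    # placeholder
disable_plaintext_auth = yes
auth default {
  mechanisms = plain
  passdb pam {
  }
  userdb passwd {
  }
  user = root
}
"""

SETTING = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_dovecot_conf(text: str) -> Dict[str, str]:
    """Flatten the file into {"section path/key": value}.

    Section names are joined with "/", so `mechanisms` inside `auth default`
    becomes "auth default/mechanisms".  Blank lines and '#' comments are
    dropped, including a trailing comment after a value.
    """
    settings: Dict[str, str] = {}
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            m = SETTING.match(line)
            if not m:
                raise ValueError(f"cannot parse: {raw!r}")
            settings["/".join(stack + [m.group(1)])] = m.group(2).strip()
    if stack:
        raise ValueError("unterminated section: " + "/".join(stack))
    return settings


def is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit(settings: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means no clear-text password exposure.

    Assumed Dovecot 1.x defaults when a key is absent:
    ssl_disable = no, disable_plaintext_auth = yes.
    """
    findings: List[str] = []
    ssl_off = is_yes(settings.get("ssl_disable", "no"))
    plaintext_allowed = not is_yes(settings.get("disable_plaintext_auth", "yes"))
    if ssl_off and plaintext_allowed:
        findings.append("passwords cross the network in clear text: "
                        "ssl_disable = yes and disable_plaintext_auth = no")
    if not ssl_off:
        # SSL is on, so the server needs a certificate and key to offer it.
        for key in ("ssl_cert_file", "ssl_key_file"):
            if key not in settings:
                findings.append(f"SSL/TLS enabled but {key} is not set")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(parse_dovecot_conf(conf)) or ['no findings']}")
```

Run against a real file with parse_dovecot_conf(open("/etc/dovecot.conf").read()). The parser is deliberately simple: it handles the nesting shown in the excerpts above but treats any "#" as the start of a comment, so a value that legitimately contains "#" would need special handling.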
Start "dovecot" service:
- Red Hat/Fedora/CentOS: service dovecot start
- Debian/Ubuntu: /etc/init.d/dovecot start
See YoLinux tutorial on Linux services and system init process to configure dovecot to start upon system boot.
WU-POP server configuration:
This POP configuration tutorial is specific to the ipopd/imap
University of Washington release which ships with Red Hat 6-9.
Typically POP is controlled by the xinetd (Red Hat 7.x) or inet (Red Hat 5.x,6.x) daemon. To activate
the POP system, the service must be available as follows:
- The network port must be defined for POP in the /etc/services file:
  pop3 110/tcp pop-3 # POP version 3
  pop3 110/udp pop-3
  Note that some of the other POP servers require that the service be named pop3 and NOT pop-3 as used here by the U of Washington pop3d server. Both names are defined here.
- inet/xinetd configuration:
  - xinetd (Red Hat 7.x): The service is defined by the file /etc/xinetd.d/ipop3. To turn the service on, either edit the file and change the service's line from its default (disabled) value to the enabled value, or execute the command: chkconfig ipop3 on
    This command also restarts the xinetd process.
  - inetd (Red Hat 6.x and older): The service must be defined in the /etc/inetd.conf file:
    pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
    By default, the Red Hat installation may have a "#" at the beginning of the line to comment out the definition. Remove the "#" to define the service.
- Restart the inet daemon to re-read the configuration file and enable the service.
To authenticate, ipop3d requires a system login.
See the YoLinux system admin tutorial covering the creation of user accounts.
If the accounts are e-mail only and you wish to refuse logins,
change the assigned shell in the /etc/passwd file to
/bin/false or see the
YoLinux web server configuration tutorial coverage of basic user security and disabling logins.
By default the POP user login and password are the same as the system login and password. This configuration is generally a bad idea, as all the text is transferred over the network in clear text (not encrypted). The idea gets even worse when you consider that this basic configuration uses system logins and passwords which match the POP3 login and password. The login (mailtest) and password (supersecret) are clearly visible in the tcp stream captured below:
Alternate Authentication - APOP: Using a CRAM-MD5 data file.
This method is much better and I highly recommend it.
Take the following steps to create the CRAM-MD5 authentication database file:
- touch /etc/cram-md5.pwd
- chmod 0600 /etc/cram-md5.pwd : Passwords are held in the file as plain ASCII text, so protect the file from unauthorized viewers.
- Add to the file a user entry of the form: user-id <TAB> password
  Lines beginning with the character '#' are considered comments.
For each user in the /etc/cram-md5.pwd file, there must also be an entry in the /etc/passwd file. The password used by ipop3d will be the password held in this CRAM-MD5 data file and not the system login password. While they can be the same, I recommend that the user have no system login password assigned but be given an ipop3 password in the file /etc/cram-md5.pwd.
Also note the following Ethereal packet sniffing session listening in on the exchange between Netscape Messenger and ipop3d (U Washington). The login and password authentication is NOT clear text!
Notes:
- A system user must still be added for every e-mail user. (Use the useradd command.)
- The mere presence of the file /etc/cram-md5.pwd and its contents
turns on this APOP authentication feature.
Nothing else needs to be configured for ipop3d to enter this mode.
- No browser settings in Netscape Communicator/Messenger
are required to invoke CRAM-MD5 authentication. It is strictly a server
configuration which is negotiated with the client.
- Once in this authentication mode the browser will assume encryption.
I ran a test where I deleted the /etc/cram-md5.pwd file and packet
sniffed the tcp stream for a regular system user. The login/password
exchange was still encrypted!
I then pointed my browser to my ISP which uses
clear text and the authentication scheme reverted to clear text and
stayed in this mode when going back to the regular user on my server.
The only way to get the system to invoke the encryption mode was to revert
back to using CRAM-MD5 authentication.
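What the packet capture above shows is a challenge-response login: the server sends a one-time challenge, the client returns an MD5-based digest of the challenge and the shared password, and the server recomputes the digest from the password it holds in /etc/cram-md5.pwd. The password itself never appears on the wire, which is why the USER/PASS exchange exposes it and APOP/CRAM-MD5 do not. The following Python script is an added example (not code from this tutorial or from the UW IMAP distribution): it parses a file in the user-id <TAB> password shape described above, computes the APOP digest from RFC 1939 and the CRAM-MD5 response from RFC 2195, verifies a response the way a server would, and prints both login transcripts side by side. The password file content, the challenge and the banner timestamp are constructed for the example; the mailtest / supersecret credentials are the ones quoted in this tutorial. Two points follow from the code: the server must hold the clear text secret to verify a digest, which is the reason for the chmod 0600 step, and the exchange is hashed rather than encrypted, so the mail itself still travels in clear text.

```python
"""APOP and CRAM-MD5 challenge-response logins against a cram-md5.pwd style file.

Added example; not code from the YoLinux tutorial or the UW IMAP distribution.
The password file content, the CRAM-MD5 challenge and the APOP banner used
here are constructed for the example.
"""
import base64
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed sample in the shape the tutorial describes for /etc/cram-md5.pwd:
# one "user-id <TAB> password" entry per line; lines starting with '#' are comments.
SAMPLE_PWD_FILE = (
    "# user-id <TAB> password\n"
    "mailtest\tsupersecret\n"
    "\n"
    "alice\tcorrect horse battery\n"
)

# Constructed server challenge for the CRAM-MD5 walk-through.
SAMPLE_CHALLENGE_B64 = base64.b64encode(b"<12345.1234567890@mail.example>").decode()


def parse_cram_md5_pwd(text: str) -> Dict[str, str]:
    """Return {user: password}; blank and '#' comment lines are skipped.
    Everything after the first tab is the password, so it may contain spaces."""
    users: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        if "\t" not in line:
            raise ValueError(f"line {lineno}: expected 'user-id<TAB>password'")
        user, password = line.split("\t", 1)
        users[user] = password
    return users


def apop_digest(banner_timestamp: str, password: str) -> str:
    """APOP (RFC 1939 section 7): hex MD5 of the server's <timestamp> banner
    concatenated with the shared secret; the client sends it instead of PASS."""
    return hashlib.md5((banner_timestamp + password).encode()).hexdigest()


def cram_md5_digest(password: str, challenge_b64: str) -> str:
    """CRAM-MD5 (RFC 2195): hex HMAC-MD5 keyed with the secret over the decoded challenge."""
    challenge = base64.b64decode(challenge_b64)
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def cram_md5_response(user: str, password: str, challenge_b64: str) -> str:
    """Client step: base64 of "user <digest>"."""
    return base64.b64encode(f"{user} {cram_md5_digest(password, challenge_b64)}".encode()).decode()


def verify_cram_md5(users: Dict[str, str], challenge_b64: str, response_b64: str) -> Optional[str]:
    """Server step: recompute the digest from the stored clear-text secret
    (hence the 0600 mode on the file).  Returns the authenticated user or None."""
    try:
        user, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    except ValueError:  # bad base64, bad UTF-8 or no space separator
        return None
    password = users.get(user)
    if password is None:
        return None
    expected = cram_md5_digest(password, challenge_b64)
    return user if hmac.compare_digest(expected, digest) else None


def login_transcripts(user: str, password: str, users: Dict[str, str],
                      challenge_b64: str) -> Dict[str, object]:
    """Client/server lines for a USER/PASS login and a CRAM-MD5 login, plus a
    flag per mechanism saying whether the password itself appears on the wire."""
    plain: List[str] = [
        f"C: USER {user}",
        f"C: PASS {password}",
        "S: +OK" if users.get(user) == password else "S: -ERR",
    ]
    response = cram_md5_response(user, password, challenge_b64)
    cram: List[str] = [
        "C: AUTH CRAM-MD5",
        f"S: + {challenge_b64}",
        f"C: {response}",
        "S: +OK" if verify_cram_md5(users, challenge_b64, response) else "S: -ERR",
    ]
    return {
        "plain": plain,
        "cram_md5": cram,
        "password_visible_plain": password in "\n".join(plain),
        "password_visible_cram_md5": password in "\n".join(cram),
    }


if __name__ == "__main__":
    users = parse_cram_md5_pwd(SAMPLE_PWD_FILE)
    result = login_transcripts("mailtest", "supersecret", users, SAMPLE_CHALLENGE_B64)
    for name in ("plain", "cram_md5"):
        print(f"--- {name} ---")
        print("\n".join(result[name]))
        print("password visible on the wire:", result[f"password_visible_{name}"])
```

A fresh challenge per connection is what stops a recorded CRAM-MD5 response from being replayed; what the mechanism does not change is that the server-side file holds clear text secrets, so the file permissions above are part of the security of the scheme, not an afterthought.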
WU-IMAP configuration: (Red Hat 6-9)
Typically IMAP is controlled by the inet daemon. To activate the IMAP system, the service must be available as follows:
- The network port must be defined in the /etc/services file:
  imap2 143/tcp imap # Interim Mail Access Proto v2
  imap2 143/udp imap
- inet / xinetd configuration:
  - xinetd (Red Hat 7.x): The service is defined by the file /etc/xinetd.d/imap. To turn the service on, edit the file and change the service's line from its default (disabled) value to the enabled value.
  - inetd (Red Hat 6.x and older): The service must be defined in the /etc/inetd.conf file:
    imap stream tcp nowait root /usr/sbin/tcpd imapd
    By default, the Red Hat installation may have a "#" at the beginning of the line to comment out the definition. Remove the "#" to define the service.
- Restart the inet daemon to re-read the configuration file and enable the service.
The Red Hat 7.1 installation will place documentation in the directory /usr/share/doc/imap-2000/.
- Mail received by the MTA sendmail is held in the directory/file: /var/spool/mail/system-user-id
All mail is held in a single file in "Mail Box" format.
- RSA private key and certificate: /usr/share/ssl/certs/imapd.pem
- RFC 1939 - POP V3 - Post Office Protocol
- RFC 2449 - POP3 Extension Mechanism
- RFC 1957 - POP3 - Observations on Implementations
- RFC 3501 - IMAP - Internet Message Access Protocol - Version 4rev1
- RFC 1733 - Distributed Electronic Mail Models in IMAP4
- RFC 2180 - IMAP4 Multi-Accessed Mailbox Practice.
Books:
"IMAP" by Dianna Mullet, Kevin Mullet
ISBN 059600012X, O'Reilly & Associates