Linux Mail Retrieval software

Internet mail is broken down into three basic parts:
  1. MTA or Mail Transfer Agents - sendmail, qmail, etc - Links/Info
  2. Mail Retrieval Software - pop3, imap, etc - Links/Info
  3. Mail User Agent (MUA): E-Mail client - Netscape, Outlook, MUTT, etc - Links/Info

This page covers the Mail Retrieval software which is available for Linux. Two open standards are well supported to transfer mail from the mail server to the client:

  1. POP - Post Office Protocol
  2. IMAP - Internet Message Access Protocol (RFC3501)

The POP3 protocol allows one to connect to a mail server and download the e-mail to the client computer. Mail can then be read, organized and generated "offline". Mail folders and the e-mail itself then reside on the client computer.

IMAP supports online, offline and disconnected modes of operation. It allows one to leave e-mail on the server and manage it there. The user's folders and organization are server based, so one can travel and use any client workstation to view and manage the e-mail. IMAP is a client-server design which requires more server resources than POP3 but offers the persistent storage and management of the server.



Linux e-Mail Retrieval Software:

  • POP:
    • Dovecot IMAP/POP: Comes with Fedora Core, Red Hat Enterprise 4, CentOS 4.
    • ipop3d: University of Washington - Stock Red Hat 6-9 POP server (part of IMAP software release)
      There is no formal documentation. Download the Red Hat source RPM (part of imap-2000 source RPM) and review the code for more info.
    • Cyrus: Included with imapd.
    • cucipop [Download] - Very configurable. Better for controlling load and access. - [RPM]
    • qpopper - Qualcomm's POP server - [Download]
    • PWSERVE - Servers for Eudora's Change Password command.
    • GNU pop3d
    • POPular - Uses a proxy architecture to distribute among many servers and thus scale to handle a large number of users.
    • TeaPOP - RFC1939 and RFC2449 compliant POP3 server with virtual domain support.
  • IMAP:

    Prerequisites:

    It is assumed that the system has:
    1. Networking requirements configured: IP address, routing, internet connectivity, etc. See the YoLinux networking tutorial for more information.
    2. DNS MX records defining the mail server. See the YoLinux DNS/bind configuration tutorial
    3. An appropriate MTA mail server installed such as sendmail. See the YoLinux Mail Transfer Agent (MTA) server software and sendmail configuration tutorial.


    POP Configuration:

    Older Red Hat systems came with the University of Washington (WU) release of POP and IMAP. Current Fedora Core, Red Hat Enterprise Linux (4), CentOS (4) Linux distributions are shipped with Dovecot IMAP and POP. Both configurations are covered here:


    Dovecot POP server configuration:
    Required Packages:
    • RPM packages (Red Hat, Fedora, CentOS): dovecot, postgresql-libs
      See YoLinux Systems Administration tutorial on RPM and YUM package management.
    • Debian/Ubuntu: apt-get install dovecot-pop3d

    Dovecot configuration file examples:

    • Red Hat / Fedora: /etc/dovecot.conf
    • Ubuntu 8.04: /etc/dovecot/dovecot.conf

    These examples are for POP retrieval of email using clear text authentication. Authentication in these examples is against the user logins in /etc/passwd. Advanced configurations are possible: authentication against a SQL database, LDAP, or Dovecot's own authentication database. Dovecot can also be configured to use chroot, SSL encryption, limit simultaneous connections, set mailbox and file locations, set log formats, set custom greetings, etc.

    Red Hat EL5 / CentOS 5: (dovecot 1.0.7)
    protocols = pop3         - Add imap imaps pop3 pop3s to support other protocols
    
    protocol imap {
    }
    protocol pop3 {
    }
    auth default {
      mechanisms = plain
      passdb pam {           - Uses PAM configuration in /etc/pam.d/dovecot
      }
      userdb passwd {        -  Uses local login/password file /etc/passwd
      }
      user = root            -  required for pam based authentication
    }
    
    dict {
    }
    plugin {
    }
        
    Ubuntu 8.04: (dovecot 1.0.10)
    protocols = pop3
    listen = *
    ssl_disable = yes         - Set to "no" to enable SSL/TLS, which requires a certificate and private key
    disable_plaintext_auth = no
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    
    # Grant access to these extra groups for mail processes. Typical use would be
    # to give "mail" group write access to /var/mail to be able to create dotlocks.
    # deprecated   mail_extra_groups = mail
    mail_privileged_group = mail
    
    protocol imap {
    }
    protocol pop3 {
      pop3_uidl_format = %08Xu%08Xv  - Dovecot's default. Can be set to mimic other POP servers
    }
    auth default {
      mechanisms = plain
      passdb pam {
      }
      userdb passwd {        -  Uses local login/password file /etc/passwd
      }
      user = root            -  required for pam based authentication
    }
    
    plugin {
    }
        

    Fedora 3: (dovecot 0.99.13)
    protocols = pop3          - Change only this line. Rest of file stays as default (FC3)
    imap_listen = [::]        - IPv6 interfaces
    pop3_listen = [::]
    imaps_listen = [::]
    pop3s_listen = [::]
    ssl_cert_file = /usr/share/ssl/certs/dovecot.pem
    ssl_key_file = /usr/share/ssl/private/dovecot.pem
    login_dir = /var/run/dovecot-login
    login = pop3
    mbox_locks = fcntl
    auth = default
    auth_mechanisms = plain
    auth_userdb = passwd
    auth_passdb = pam
    auth_user = root
    
    ...
    ...
        
    This configuration will use system logins to authenticate POP. It will allow one to retrieve mail from the default mail repository on the mail server: /var/mail/user-id

    [Potential Pitfall]: After a Dovecot upgrade the directive mail_extra_groups = mail is deprecated. Substitute: mail_privileged_group = mail

    [Potential Pitfall]: If using NFS to share mail files, use Dovecot v1.1 or later.

    Dovecot was written by a security expert with the goal of being impenetrable to attackers. Dovecot supports both Unix mbox and Maildir formats.

    Start "dovecot" service:

    • Red Hat/Fedora/CentOS: service dovecot start
    • Debian/Ubuntu: /etc/init.d/dovecot start
    See YoLinux tutorial on Linux services and system init process to configure dovecot to start upon system boot.
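    The configurations above deliberately allow clear-text POP3 logins (ssl_disable = yes together with disable_plaintext_auth = no) and one of them carries the deprecated mail_extra_groups pitfall. The following is an added example, not code from the tutorial or from the Dovecot project: a small linter that reads a dovecot.conf in the 1.x layout shown above and flags those weak settings. The two sample configurations, the function names (parse_settings, audit_dovecot) and the certificate paths in the hardened sample are constructed for the example.

```python
# Added example (not Dovecot's own tooling or the tutorial's code): lint a
# dovecot.conf for the weak settings discussed above. Sample configs are
# constructed; the function and constant names are our own.
import re
from typing import Dict, List

# Constructed sample mirroring the clear-text POP3 setup on this page, plus the
# deprecated mail_extra_groups directive from the pitfall note.
WEAK_CONF = """\
protocols = pop3
listen = *
ssl_disable = yes
disable_plaintext_auth = no
mail_extra_groups = mail
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}
auth default {
  mechanisms = plain
  passdb pam {
  }
  userdb passwd {
  }
  user = root
}
"""

# Constructed sample: the same layout with TLS required before any password is sent.
# Certificate paths are placeholders, not a distribution's defaults.
HARDENED_CONF = """\
protocols = pop3s
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
disable_plaintext_auth = yes
mail_privileged_group = mail
auth default {
  mechanisms = plain cram-md5
  passdb pam {
  }
  userdb passwd {
  }
  user = root
}
"""


def parse_settings(text: str) -> Dict[str, str]:
    """Collect 'key = value' lines, skipping comments and section braces.
    Settings inside sections (auth default { ... }) are flattened into one
    namespace, which is enough for a top-level audit of the files shown here."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def audit_dovecot(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged.
    Defaults assumed when a key is absent: ssl_disable=no and
    disable_plaintext_auth=yes (Dovecot 1.0), ssl=yes (Dovecot 1.1 and later)."""
    s = parse_settings(text)
    findings: List[str] = []
    tls_off = (s.get("ssl_disable", "no").lower() == "yes"
               or s.get("ssl", "yes").lower() == "no")
    plaintext_allowed = s.get("disable_plaintext_auth", "yes").lower() == "no"
    mechanisms = s.get("mechanisms", "").lower().split()
    challenge_response = any(m in mechanisms for m in ("cram-md5", "digest-md5"))

    if tls_off and plaintext_allowed:
        findings.append("passwords cross the network in clear text: "
                        "ssl_disable = yes together with disable_plaintext_auth = no")
    if tls_off and "plain" in mechanisms and not challenge_response:
        findings.append("only the PLAIN mechanism is offered without TLS; "
                        "enable TLS or add cram-md5 to 'mechanisms'")
    if "mail_extra_groups" in s:
        findings.append("mail_extra_groups is deprecated; use mail_privileged_group = mail")
    if not tls_off and not (s.get("ssl_cert_file") and s.get("ssl_key_file")):
        findings.append("TLS is enabled but ssl_cert_file / ssl_key_file are not set explicitly")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_dovecot(conf) or ["no findings"])
```

    Run it against a real file with audit_dovecot(open("/etc/dovecot.conf").read()); the weak sample produces three findings and the hardened one none. The flattening of sections is a simplification: a production check would keep the auth section separate, but for the files in this tutorial the keys do not collide.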


    WU-POP server configuration:

    This POP configuration tutorial is specific to the ipopd/imap University of Washington release which ships with Red Hat 6-9.

    Typically POP is controlled by the xinetd (Red Hat 7.x) or inet (Red Hat 5.x,6.x) daemon. To activate the POP system, the service must be available as follows:

    • The network port must be defined for POP in the /etc/services file:
      pop3            110/tcp         pop-3           # POP version 3
      pop3 110/udp pop-3
      Note that some of the other POP servers require that the service be named pop3 and NOT pop-3 as used here by the University of Washington pop3d server. Both names are defined here.

    • inet/xinetd configuration:
      • xinetd (Red Hat 7.x): The service is defined by the file: /etc/xinetd.d/ipop3.
        To turn the service on:
        • Edit the line and change from the default:
          disable                 = yes
          TO:
          disable                 = no
          OR
        • Execute the command: chkconfig ipop3 on
          This command also restarts the xinetd process.

      • inetd (Red Hat 6.x and older): The service must be defined in the /etc/inetd.conf file:
        pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd ipop3d
        By default, the Red Hat installation may have a "#" at the beginning of the line to comment out the definition. Remove the "#" to define the service.

    • Restart the inet daemon to re-read the configuration file and enable the service.
      • xinetd (Red Hat 7.x):
            /etc/rc.d/init.d/xinetd restart

      • inetd (Red Hat 6.x and older):
            /etc/rc.d/init.d/inet restart
    To authenticate, ipop3d requires a system login. See the YoLinux system admin tutorial covering the creation of user accounts.
    If the accounts are e-mail only and you wish to refuse logins, change the assigned shell in the /etc/passwd file to /bin/false or see the YoLinux web server configuration tutorial coverage of basic user security and disabling logins.

    By default the user login and password are the same as the system login and password. This configuration is generally a bad idea, as all the text is transferred over the network in clear text (not encrypted). It gets even worse when you consider that this basic configuration uses system logins and passwords which match the POP3 login and password. The login (mailtest) and password (supersecret) are clearly visible. Check out the TCP stream captured below:

    Alternate Authentication - APOP: Using a CRAM-MD5 data file.

    This method is much better and I highly recommend it.
    Take the following steps to create the CRAM-MD5 authentication database file:
    1. touch /etc/cram-md5.pwd
    2. chmod 0600 /etc/cram-md5.pwd : Passwords are held in the file as plain ASCII text, so protect the file from unauthorized viewers.
    3. Add to the file a user entry of the form: user-id <TAB> password
      Lines beginning with the character '#' are considered comments.

    For each user in the /etc/cram-md5.pwd file, there must also be an entry in the /etc/passwd file. The password used by ipop3d will be the password held in this CRAM-MD5 data file and not the system login password. While they can be the same, I recommend that the user have no system login password assigned but be given an ipop3 password in the file /etc/cram-md5.pwd. Also note the following Ethereal packet sniffing session listening in on the exchange between Netscape Messenger and ipop3d (U Washington). The login and password authentication is NOT clear text!!

    Notes:
    • A system user must still be added for every e-mail user. (Use the useradd command.)
    • The mere presence of the file /etc/cram-md5.pwd and its contents turns on this APOP authentication feature. Nothing else needs to be configured for ipop3d to enter this mode.
    • No browser settings in Netscape Communicator/Messenger are required to invoke CRAM-MD5 authentication. It is strictly a server configuration which is negotiated with the client.
    • Once in this authentication mode the browser will assume encryption. I ran a test where I deleted the /etc/cram-md5.pwd file and packet sniffed the TCP stream for a regular system user. The login/password exchange was still encrypted! I then pointed my browser to my ISP, which uses clear text, and the authentication scheme reverted to clear text and stayed in this mode when going back to the regular user on my server. The only way to get the system to invoke the encryption mode was to revert back to using CRAM-MD5 authentication.
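    What the sniffer sees in CRAM-MD5 mode is a challenge-response exchange rather than encryption: the server sends a one-time challenge and the client answers with an HMAC-MD5 of that challenge keyed by the password, so the password itself is never on the wire. The following added example, which is not part of this tutorial or of the University of Washington imap distribution, walks through that exchange as defined in RFC 2195, using a constructed stand-in for the /etc/cram-md5.pwd file (user-id, TAB, password, '#' comments) from the steps above. The function names are our own; the "tim" entry reuses the worked example from RFC 2195, and the host name mail.example.com is a placeholder.

```python
# Added example (not part of the tutorial or of the UW imap distribution):
# the CRAM-MD5 exchange of RFC 2195, which is what ipop3d negotiates once
# /etc/cram-md5.pwd exists. Function names and the sample password file are
# constructed; the 'tim' entry reuses the worked example from RFC 2195.
import base64
import hashlib
import hmac
import os
import time
from typing import Dict, Tuple

# Constructed stand-in for /etc/cram-md5.pwd: "user-id <TAB> password",
# lines starting with '#' are comments, as described on this page.
CRAM_PWD_FILE = (
    "# ipop3d CRAM-MD5 password file (constructed sample)\n"
    "tim\ttanstaaftanstaaf\n"
    "mailtest\tsupersecret\n"
)


def load_cram_pwd(text: str) -> Dict[str, str]:
    """Parse the user<TAB>password file; blank and '#' lines are ignored."""
    users: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        user, sep, password = raw.partition("\t")
        if sep and user and password:
            users[user.strip()] = password
    return users


def make_challenge(hostname: str, pid: int, timestamp: int) -> str:
    """RFC 2195 challenge: '<pid.time@host>', unique for every connection."""
    return "<%d.%d@%s>" % (pid, timestamp, hostname)


def fresh_challenge(hostname: str) -> str:
    return make_challenge(hostname, os.getpid(), int(time.time()))


def client_response(user: str, password: str, challenge: str) -> str:
    """Client side: HMAC-MD5 keyed with the password over the challenge.
    Only 'user hexdigest' is sent; the password itself never leaves the client."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return "%s %s" % (user, digest)


def server_verify(users: Dict[str, str], challenge: str, response: str) -> bool:
    """Server side: recompute the digest from the stored password for this
    challenge and compare in constant time. A response captured for one
    challenge does not verify against another, so replaying it fails."""
    user, _, digest = response.partition(" ")
    password = users.get(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def wire_view(challenge: str, response: str) -> Tuple[str, str]:
    """The two base64 lines a packet sniffer would actually see."""
    return (base64.b64encode(challenge.encode()).decode(),
            base64.b64encode(response.encode()).decode())


if __name__ == "__main__":
    users = load_cram_pwd(CRAM_PWD_FILE)
    ch = fresh_challenge("mail.example.com")
    resp = client_response("mailtest", "supersecret", ch)
    print("S: +", wire_view(ch, resp)[0])
    print("C:", wire_view(ch, resp)[1])
    print("accepted:", server_verify(users, ch, resp))
```

    Two points worth keeping in mind when reading the capture: the server can only verify the digest because it holds the password in clear text, which is why step 2 above restricts /etc/cram-md5.pwd to mode 0600; and a captured challenge/response pair still lets an observer test password guesses offline, so CRAM-MD5 protects the password in transit but does not replace strong passwords or TLS for the whole session.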

    IMAP Configuration:

    WU-IMAP configuration: (Red Hat 6-9)

    Typically IMAP is controlled by the inet daemon. To activate the IMAP system, the service must be available as follows:

    • The network port must be defined in the /etc/services file:
      imap2           143/tcp         imap            # Interim Mail Access Proto v2
      imap2 143/udp imap
    • inet / xinetd configuration:
      • xinetd (Red Hat 7.x): The service is defined by the file: /etc/xinetd.d/imap. To turn the service on, edit the line and change from the default:
        disable                 = yes
        TO:
        disable                 = no

      • inetd (Red Hat 6.x and older): The service must be defined in the /etc/inetd.conf file:
            imap    stream  tcp     nowait  root    /usr/sbin/tcpd imapd
        By default, the Red Hat installation may have a "#" at the beginning of the line to comment out the definition. Remove the "#" to define the service.

    • Restart the inet daemon to re-read the configuration file and enable the service.
      • xinetd (Red Hat 7.x):
            /etc/rc.d/init.d/xinetd restart

      • inetd (Red Hat 6.x and older):
            /etc/rc.d/init.d/inet restart
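    Both the WU-POP and the WU-IMAP activation procedures above edit the same three files: /etc/services, the xinetd service file (or /etc/inetd.conf), and then restart the super-server. As an added example that is not part of this tutorial, the following checks those files and reports whether the POP3 and IMAP listeners would actually be enabled. The file contents are constructed samples in the formats shown above (the xinetd file is reduced to the lines that matter), and the function names are our own.

```python
# Added example (not from the tutorial): decide from the three files edited
# above whether the POP3 and IMAP listeners are actually enabled. File contents
# are constructed samples in the formats shown on this page; function names
# are our own.
import re
from typing import Dict, Optional

# /etc/services lines as given in the POP and IMAP sections above.
SERVICES = """\
pop3            110/tcp         pop-3           # POP version 3
pop3            110/udp         pop-3
imap2           143/tcp         imap            # Interim Mail Access Proto v2
imap2           143/udp         imap
"""

# Constructed /etc/xinetd.d/ipop3 with the stock 'disable = yes'.
XINETD_IPOP3 = """\
service pop3
{
        disable                 = yes
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/ipop3d
}
"""

# Constructed /etc/inetd.conf: pop-3 still commented out, imap enabled.
INETD_CONF = """\
#pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd imapd
"""


def service_port(services_text: str, name: str, proto: str = "tcp") -> Optional[int]:
    """Port for a service name or alias ('pop3' and 'pop-3' both resolve)."""
    for raw in services_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, p = fields[1].split("/", 1)
        if p == proto and name in [fields[0]] + fields[2:]:
            return int(port)
    return None


def xinetd_enabled(text: str) -> bool:
    """xinetd service file: enabled unless 'disable = yes' appears."""
    for raw in text.splitlines():
        m = re.match(r"\s*disable\s*=\s*(\w+)", raw)
        if m:
            return m.group(1).lower() != "yes"
    return True


def inetd_enabled(text: str, service: str) -> bool:
    """inetd.conf: the service is live only if its line is not commented out."""
    for raw in text.splitlines():
        fields = raw.split()
        if fields and fields[0] == service:
            return True
    return False


def report(services_text: str, xinetd_ipop3: str, inetd_conf: str) -> Dict[str, object]:
    """Summarise listener state the way a post-install check would."""
    return {
        "pop3_port": service_port(services_text, "pop-3"),
        "imap_port": service_port(services_text, "imap"),
        "xinetd_pop3": xinetd_enabled(xinetd_ipop3),
        "inetd_pop3": inetd_enabled(inetd_conf, "pop-3"),
        "inetd_imap": inetd_enabled(inetd_conf, "imap"),
    }


if __name__ == "__main__":
    for key, value in report(SERVICES, XINETD_IPOP3, INETD_CONF).items():
        print(key, value)
```

    On a live host, pass the contents of /etc/services, /etc/xinetd.d/ipop3 and /etc/inetd.conf instead of the samples. A file check only tells you what the super-server would do after its restart; confirm the listener with netstat or by connecting to port 110/143 from the client after the restart step.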
    The Red Hat 7.1 installation will place documentation in the directory /usr/share/doc/imap-2000/.


    Notes:

    • Mail received by the MTA sendmail is held in the directory/file: /var/spool/mail/system-user-id
      All mail is held in a single file in "Mail Box" format.
    • RSA private key and certificate: /usr/share/ssl/certs/imapd.pem



    RFCs:

    • RFC 1939 - POP V3 - Post Office Protocol
    • RFC 2449 - POP3 Extension Mechanism
    • RFC 1957 - POP3 - Observations on Implementations

    • RFC 3501 - IMAP - Internet Message Access Protocol - Version 4rev1
    • RFC 1733 - Distributed Electronic Mail Models in IMAP4
    • RFC 2180 - IMAP4 Multi-Accessed Mailbox Practice.


    Books:

    "IMAP"
    by Dianna Mullet, Kevin Mullet
    ISBN #059600012X, O'Reilly & Associates

    Copyright © 2001, 2009 by Greg Ippolito