[SWLUG] Personal IMAP Server
Dave Cridland
dave at cridland.net
Sun Apr 2 19:33:16 UTC 2006
On Fri Mar 31 12:55:24 2006, Julian Hall wrote:
> Dave Cridland wrote:
>
> > If anyone actually wants to know how to setup their mail with a
> > little personal IMAP server, let me know and I'll post something
> to
> > the list about it.
> >
> > Dave.
>
> I'd like to know please Dave :)
Damn. :-)
Okay... One violent whistle-stop tour of setting up a personal IMAP
server.
Prerequisites:
1) You need to know how your email gets to you now, as well as what
your options are. In a perfect world, you're looking at being able to
accept an SMTP feed, but for personal mail that's probably overkill.
POP3, on the other hand, is technically less good, but it's cheap,
available everywhere, and solves the problem of you having to keep a
box running 24/7. It's possible, and sometimes sensible, to use IMAP
in this role too, picking up mail from IMAP and redelivering it to
IMAP.
2) You need to know how to find reasonable packages of software for
your Linux distribution, how to edit files, run commands, switch
users, etc. In other words, you need basic administrator survival
skills.
Overview:
1) Decide on how your mail can and should get to you. In general, I'd
use POP3 for a single user, and go to SMTP for a domain. Since this
is for a personal IMAP server, I'll assume a single POP3, and skip
this step.
2) Setup authentication - that means SASL. All mail protocols (as
well as others) conveniently use SASL, which is a kind of PAM for
protocols. Like PAM, there's a single de-facto standard in the
open-source world, Cyrus SASL.
3) Setup an MSA - that's the thing that's replaced the "outgoing mail
server". An MSA runs Submission, which is a variant on ESMTP with
different options. I'm going to use Postfix here, because it's pretty
easy to configure, fast enough and light enough to run on cheap
hardware, and the skills are useful enough to scale to, well, fairly
huge.
4) Setup IMAP itself. I'm going to recommend Cyrus IMAP, for a number
of reasons. Firstly, it's the second fastest IMAP server in the
world, which is useful in massive sites, but also useful on cheap
hardware. (Look for the Isode benchmarks for more comparisons). Cyrus
IMAP is also easy to configure, contrary to popular belief.
5) Get mail into IMAP. For this, we'll use Fetchmail.
In depth:
2) Install the Cyrus SASL package. For some distributions, the
library, tools, and mechanisms are all in separate packages - you
want the plain and MD5 based mechanisms.
Don't bother with any saslauthd package, if there is one, we won't be
using that. Cyrus SASL can integrate with almost any pre-existing
authentication system you have, including Kerberos and PAM, but it
can also provide its own authentication credential store (ie,
password list), which, whilst less secure if your machine is hacked,
also allows you to use a different password for mail-like activity.
Given that mail clients are generally fairly poor with keeping your
password a secret, this is a useful property. It's also useful if
you're an ISP, and don't want to give "real" system accounts out to
customers.
Instead, create two users - one will be administrative to the IMAP
server, one will be day-to-day. These do need to be different,
because the IMAP server will behave differently for administrative
users, ignoring certain settings and potentially breaking some IMAP
clients.
Do this by using "saslpasswd -c <username>". Do not choose "root", or
"cyrus", as either name, if possible.
3) Install Postfix. You may need to install a TLS and SASL enabled
package if your distribution has different packages for these -
"stock" postfix didn't support either for some time, and I believe
doesn't support both now. (Debian has a postfix-tls, for instance).
Edit the file /etc/postfix/master.cf
Add the lines:
submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
I put them under the smtp line. There is *usually* a commented out
submission line, but this technically doesn't do submission.
My line does:
Run an ESMTP process on port 587. Reject any ETRN commands, and accept
mail only from authenticated clients.
Edit /etc/postfix/main.cf
Add the lines:
smtpd_tls_cert_file = /etc/ssl/certs/turner.pem
smtpd_tls_key_file = /etc/ssl/private/turner.key
smtpd_tls_loglevel = 2
smtpd_use_tls = yes
# Above does server-side TLS on both MTA and MSA ports, via the STARTTLS method.
# You'll need to create the certificates; follow HOWTOs elsewhere for this.
# If you don't want to for now, leave out those four lines, or comment them out with #
smtp_tls_loglevel = 2
smtp_use_tls = yes
# Client side TLS, so relayed messages are TLS protected if possible.
smtpd_sasl_auth_enable = yes
# Enable SASL.
inet_protocols = ipv4 ipv6
# Enable IPv6.
Also add these lines - you may find existing definitions, comment out
any you find:
local_recipient_maps =
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
# Deliver to Cyrus.
The last line includes a path to a UNIX socket - we'll only know if
that's right later.
Reload postfix (postfix reload, or /etc/init.d/postfix reload),
which'll restart processes that need it, etc.
You'll note that we haven't configured SASL at all here. That's
because the default Cyrus SASL behaviour is to look *everywhere* for
a password. You ought to double-check that we really are doing this,
though - delete any files within /usr/lib/sasl/ that look related to
mail. (Like postfix.conf, smtp.conf, usually).
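A small lint for the two Postfix files edited above, so you can see whether the submission service really is locked down to authenticated clients and whether main.cf still matches the recipe. This is an added example, not part of Dave's mail; the master.cf and main.cf fragments embedded below are constructed samples (the turner.pem / turner.key names are placeholders copied from the post), and the parsers only handle the key = value and service-line forms shown here.

```python
"""Lint a Postfix master.cf / main.cf pair against the personal-MSA recipe."""

# Constructed sample master.cf: the stock commented-out submission line
# (which does nothing) plus the real one with the three -o overrides.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    fifo  n       -       n       60      1       pickup
"""

# Constructed sample of a stock master.cf where submission is still commented out.
STOCK_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
"""

# Constructed sample main.cf with the lines the post adds (paths are placeholders).
MAIN_CF = """\
smtpd_tls_cert_file = /etc/ssl/certs/turner.pem
smtpd_tls_key_file = /etc/ssl/private/turner.key
smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
local_recipient_maps =
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
"""


def parse_master_cf(text):
    """Return {service: {"type", "command", "options"}} for active services.

    Comment lines are skipped, so '#submission' does not count as a service.
    Indented '-o key=value' lines attach to the service line above them.
    """
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = raw.split()
        if raw[0].isspace():
            if current and len(fields) == 2 and fields[0] == "-o" and "=" in fields[1]:
                key, value = fields[1].split("=", 1)
                services[current]["options"][key] = value
            continue
        if len(fields) < 8:          # service type private unpriv chroot wakeup maxproc command
            continue
        current = fields[0]
        services[current] = {"type": fields[1], "command": fields[7], "options": {}}
    return services


def parse_main_cf(text):
    """Return {key: value} from 'key = value' lines; indented lines continue the previous value."""
    conf, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            conf[key] = (conf[key] + " " + raw.strip()).strip()
            continue
        if "=" in raw:
            key, _, value = raw.partition("=")
            key = key.strip()
            conf[key] = value.strip()
    return conf


def lint(master_text, main_text):
    """Return a list of findings; an empty list means the files match the recipe."""
    findings = []
    sub = parse_master_cf(master_text).get("submission")
    if sub is None:
        findings.append("no active submission service (is the line still commented out?)")
    else:
        if sub["command"] != "smtpd":
            findings.append("submission service does not run smtpd")
        want = "permit_sasl_authenticated,reject"
        for key in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
            if sub["options"].get(key) != want:
                findings.append("submission: %s should be %s, got %r" % (key, want, sub["options"].get(key)))
        if sub["options"].get("smtpd_etrn_restrictions") != "reject":
            findings.append("submission: ETRN is not rejected")
    main = parse_main_cf(main_text)
    if main.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("smtpd_sasl_auth_enable is not 'yes'; AUTH on 587 can never succeed")
    if main.get("smtpd_use_tls") == "yes":
        for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
            if not main.get(key):
                findings.append("smtpd_use_tls=yes but %s is unset" % key)
    else:
        findings.append("smtpd_use_tls is not 'yes': mail passwords would cross the wire in clear")
    if not main.get("mailbox_transport", "").startswith("lmtp:unix:"):
        findings.append("mailbox_transport does not deliver to a Cyrus LMTP unix socket")
    if "local_recipient_maps" not in main:
        findings.append("local_recipient_maps not set (should be empty so Postfix stops checking /etc/passwd)")
    return findings


if __name__ == "__main__":
    for name, master in (("recipe", MASTER_CF), ("stock", STOCK_MASTER_CF)):
        print(name, lint(master, MAIN_CF) or "ok")
```

On a real box, replace the embedded strings with `open("/etc/postfix/master.cf").read()` and the main.cf equivalent; the checker reads files only, it never talks to Postfix, so it is safe to run before the reload.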
4) Install Cyrus IMAP. Typically as a package, although packages for
Cyrus are always out of date. Newer versions are faster, but with one
user you won't notice this, and they support lots more extensions,
but unless you have a client that takes advantage of them - and there
is currently only one I know of - that makes no difference either. So
packages are fine.
After installation, remove any lines beginning "sasl_" from
/etc/imapd.conf
Add (or change) the following:
altnamespace: yes
# This can make certain really poor clients work better, in particular some Microsoft IMAP clients.
admins: xxx
# You picked an administrative user earlier. Put it instead of xxx.
Restart Cyrus IMAP (and different distributions call the init script
in different ways).
Now you need to provision each account - assuming a username of "foo"
that will be receiving mail, and a username of "admin" which is the
administrative user, do the following (comments after the # on each
line):
telnet localhost 143 # Connect locally to the IMAP server. Doing this remotely is NOT secure.
. LOGIN admin adminpassword # This'll say OK at you. Replace admin and adminpassword.
. CREATE user.foo # This'll say OK too. Change foo here.
. LOGOUT # This'll say BYE, then OK, then close the connection.
There's a cyradm tool for doing this which is safe remotely, but it's
essentially a lightweight skin over IMAP, with a help facility. It
can, however, do TLS and secure authentication.
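The same LOGIN / CREATE / LOGOUT exchange as a script, using Python's imaplib instead of telnet so the admin password goes over STARTTLS when the server offers it. This is an added example, not part of the original mail or of Cyrus; it assumes Cyrus listening on localhost:143, an admin account made with saslpasswd, and the "admin"/"foo" names are placeholders. The FakeCyrus class is a constructed stand-in so the provisioning step can be dry-run without a server.

```python
"""Provision a Cyrus mailbox (LOGIN as admin, CREATE user.<name>, LOGOUT) over imaplib."""
import imaplib
import ssl

RESERVED = {"root", "cyrus"}   # the post says not to use these as SASL usernames


def connect(host="localhost", port=143, cafile=None):
    """Open a plain IMAP connection and upgrade it with STARTTLS if advertised.

    cafile: path of the CA (or self-signed server cert) to trust; assumption,
    needed because a self-signed Cyrus cert will not verify otherwise.
    """
    conn = imaplib.IMAP4(host, port)
    _typ, caps = conn.capability()
    if b"STARTTLS" in caps[0].upper():
        ctx = ssl.create_default_context(cafile=cafile)
        conn.starttls(ctx)
    return conn


def provision_mailbox(conn, admin, admin_password, user):
    """Create the day-to-day user's mailbox as the admin user.

    `conn` is anything with imaplib.IMAP4's login/create/logout methods.
    Returns [(command, status), ...] so the caller sees what the server said.
    Name checks run before anything is sent.
    """
    if admin in RESERVED or user in RESERVED:
        raise ValueError("do not use root or cyrus as mail usernames")
    if admin == user:
        raise ValueError("admin and day-to-day user must be different accounts")
    if not user or "." in user:
        # '.' is Cyrus's default hierarchy separator: user.j.smith would be a
        # sub-folder of user.j, not a mailbox for j.smith.
        raise ValueError("username must be non-empty and must not contain '.'")

    log = []
    typ, _data = conn.login(admin, admin_password)     # imaplib raises on NO
    log.append(("LOGIN", typ))
    typ, _data = conn.create("user." + user)           # ('NO', ...) if it exists
    log.append(("CREATE", typ))
    typ, _data = conn.logout()                         # server answers BYE
    log.append(("LOGOUT", typ))
    return log


class FakeCyrus:
    """Constructed stand-in for an IMAP4 connection: records calls, no network."""

    def __init__(self, existing=()):
        self.existing = set(existing)
        self.calls = []

    def login(self, user, password):
        self.calls.append(("LOGIN", user))
        return "OK", [b"User logged in"]

    def create(self, mailbox):
        self.calls.append(("CREATE", mailbox))
        if mailbox in self.existing:
            return "NO", [b"Mailbox already exists"]
        self.existing.add(mailbox)
        return "OK", [b"Completed"]

    def logout(self):
        self.calls.append(("LOGOUT",))
        return "BYE", [b"LOGOUT received"]


if __name__ == "__main__":
    # Dry run against the fake; swap in connect() for a real server.
    print(provision_mailbox(FakeCyrus(), "admin", "adminpassword", "foo"))
```

Any status other than OK on CREATE is returned rather than raised, so an already-existing mailbox shows up as ("CREATE", "NO") in the log instead of aborting the script.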
5) Getting email.
First, install fetchmail, and any additional package as may exist to
make things happen in daemon mode.
If your upstream account is POP3, then figure out which the master
fetchmailrc is. Optionally, use /root/.fetchmailrc if there doesn't
appear to be one (usually /etc/fetchmailrc).
Example options are:
set no bouncemail
set no spambounce
set properties ""
set daemon 90
poll mail.btinternet.com with proto POP3 and options uidl
  user 'davecridland at btinternet.com' there with password 'froob' is 'dwd' here options flush lmtp fetchall and smtphost /var/run/cyrus/socket/lmtp
This'll pick up email every 90 seconds. Add "keep" to the options
(the ones including flush) to test. This is delivering email via LMTP
direct into Cyrus - it's not touching postfix for this at all.
6) And finally:
Let me know if some of this is a bit vague. It probably is, it's the
first time I've written it down. There's also probably wrong bits.
There's certainly missing detail. Feel free to stick it on a Wiki
page somewhere, and refine it, but stick my name to it somewhere.
Dave.
--
You see things; and you say "Why?"
But I dream things that never were; and I say "Why not?"
- George Bernard Shaw