IMAP Installation, Configuration & Security
HARICHARAN PADMANABAN hari20@siu.edu
What is IMAP?
- IMAP – Internet Message Access Protocol or Internet Mail Access Protocol
- Allows the user to perform certain operations on messages remotely
- Uses port 143
Features
- Ability to manipulate remote folders other than INBOX
- Remote folder management (list/create/delete/rename)
- Support for folder hierarchies
- Ability to set standard and user-defined message status flags
- Suitable for accessing non-email data, e.g. NetNews, documents
- Server-based searching and selection to minimize data transfer
IMAP vs POP
- POP – Only new unread messages are stored unless specified; IMAP – All messages are stored until they are deleted
- POP – Messages stored locally; IMAP – Messages stored remotely
- POP – Best choice if only one account; IMAP – Efficient if multiple accounts
- POP – Easy to configure; IMAP – A bit complicated to set up
- POP – Offers ‘offline’ access too; IMAP – Offers ‘online’ and ‘disconnected’ access
maildir vs mbox
maildir
- Stores each message in a separate file
- Message flags are stored in the file name
- Very unlikely to get corrupted in any way
- Opening files: slow; updating files: quick
mbox
- A single file to which all messages are appended
- Flags are stored in message headers
- Deleting messages is slow
- Good for read-only mailboxes
Authentication Methods
- sasldb – Stores usernames and passwords in a file called sasldb
- LDAP – Lightweight Directory Access Protocol
- PAM – Pluggable Authentication Modules: a mechanism to integrate multiple low-level authentication schemes into a high-level API
- Kerberos – A trusted third party is relied upon to perform authentication
Installation from binary sources
Download the gzipped archives from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/
    tar -zxvf cyrus-sasl-X.X.X.tar.gz
    cd cyrus-sasl-X.X.X
    ./configure
    make
    make install
Download and extract cyrus-imapd-X.X.X.tar.gz. Cyrus needs a user named ‘cyrus’ in the group ‘mail’:
    useradd -g mail cyrus
Specify the default authentication method with
    ./configure --with-pwcheck_method=METHOD
where METHOD is one of PAM, kerberos_v4, passwd, shadow or sasldb. Then build and install:
    make depend
    make all CFLAGS=-O
    make install
Software used
- Fedora Core 4
- Cyrus IMAP: cyrus-imapd-2.2.12.tar.gz
- Cyrus SASL: cyrus-sasl-2.1.20.tar.gz
- Berkeley DB: db-4.2.52.NC.tar.gz
- Basic compiler: gcc
- Email client: Mozilla Thunderbird 1.0.6
Configuration
Edit /etc/syslog.conf and add the following lines at the bottom:
    local6.debug    /var/adm/imapd.log
    auth.debug      /var/adm/auth.log
Create a new file /etc/imapd.conf with the contents:
    configdirectory: /var/imap
    partition-default: /var/spool/imap
    admins: cyrus root
    srvtab: /var/imap/srvtab
    allowanonymouslogin: no
    sasl_passwd_check: sasldb
Create necessary directories
    mkdir /var/adm
    touch /var/adm/imapd.log /var/adm/auth.log
    mkdir /var/imap /var/spool/imap /var/imap/srvtab
    chown cyrus /var/imap /var/spool/imap /var/imap/srvtab
    chgrp mail /var/imap /var/spool/imap /var/imap/srvtab
    chmod 750 /var/imap /var/spool/imap /var/imap/srvtab
    su cyrus
Check /etc/services for the following lines. If they don't exist, add them:
    imap    143/tcp
    pop3    110/tcp
Configuration (contd.)
Create /etc/xinetd.d/imap and add the following lines
    #
    # imap - Plaintext IMAP mail daemon
    #
    service imap
    {
        socket_type     = stream
        wait            = no
        user            = root
        server          = /etc/rc.d/init.d/imapd
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
        disable         = no
    }
Edit /etc/group and add the user daemon to the mail group. Set up mailboxes for the various users as user ‘cyrus’ with the commands
    cyradm localhost
    cm user.<username>
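As an added example (not part of the original slides), a small POSIX shell audit for an imapd.conf like the one created above: it reads the `key: value` lines and reports the settings that let credentials cross the wire unprotected. `allowanonymouslogin` is the key from the slides; `allowplaintext` is a real Cyrus imapd.conf option the slides do not mention; the two sample configuration files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original slides: audit a Cyrus imapd.conf
# for settings that weaken authentication. Option names are Cyrus keys;
# the two sample configuration files are constructed for this demo.

# get_conf_value FILE KEY: print the value of "KEY: value" (comment lines are
# skipped, the last occurrence wins, output is empty when the key is absent).
get_conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, key ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); val = $0 }
        END { print val }
    ' "$1"
}

# is_true VALUE: Cyrus treats 1, t, true, yes and on as boolean true.
is_true() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|t|true|yes|on) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_imapd_conf FILE: print one finding per line; prints nothing when clean.
audit_imapd_conf() {
    conf="$1"
    if is_true "$(get_conf_value "$conf" allowanonymouslogin)"; then
        echo "allowanonymouslogin is enabled: clients can log in without any credentials"
    fi
    # allowplaintext governs whether the plain LOGIN command is accepted on a
    # session that has no SSL/TLS layer; only an explicit "no" turns it off.
    plain=$(get_conf_value "$conf" allowplaintext)
    if [ -z "$plain" ] || is_true "$plain"; then
        echo "allowplaintext is not disabled: LOGIN passwords cross the wire in the clear unless the session is wrapped in SSL/TLS or an SSH tunnel"
    fi
    return 0
}

# Constructed sample 1: the slides' configuration with anonymous login switched on.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# constructed sample, not a real server's file
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: cyrus root
srvtab: /var/imap/srvtab
allowanonymouslogin: yes
sasl_passwd_check: sasldb
EOF

# Constructed sample 2: the same file with both weak settings corrected.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: cyrus root
srvtab: /var/imap/srvtab
allowanonymouslogin: no
allowplaintext: no
sasl_passwd_check: sasldb
EOF

echo "== weak =="
audit_imapd_conf "$WEAK_CONF"
echo "== hardened =="
audit_imapd_conf "$HARDENED_CONF"
```

Run it as the cyrus user against /etc/imapd.conf after editing; the weak sample yields two findings, the hardened one none. Disabling `allowplaintext` is only safe once the SSL (stunnel) or SSH setup from the later slides is in place, otherwise clients can no longer log in at all.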
Security
Security can be enhanced by implementing one of the following techniques:
- Using SSL (Secure Sockets Layer) for the connection between the remote mail server and the client, since the connection is otherwise not encrypted
- Using SSH to forward the IMAP connection
SSL
- Mail reader must be configured to connect using SSL
- SSL/TLS provides both Authentication and Encryption
- stunnel can be used to provide the SSL connection
- Generate SSL certificates for stunnel and imapd
- Start imapd with stunnel using
/usr/sbin/stunnel -d 993 -l /usr/sbin/imapd imapd
Security (contd.)
[Diagram: the mail reader sends LOGIN <username> <password> to the IMAP server over an unsecured connection, so the password is exposed]
- SSH for authentication and encryption
- SSH must be installed on the mail server and must be running
Security (contd.)
Use
    ssh -q -L 3000:localhost:143 Imap_Server.domain.com
to forward the IMAP connection over SSH.
[Diagram "IMAP on SSH": mail reader -> SSH client -> SSH server -> IMAP server; the LOGIN <username> <password> exchange travels inside the SSH tunnel]
- -L: the given port on the local host is forwarded to the given host and port on the remote side
- -q: quiet mode
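As an added example (not part of the original slides), a POSIX shell scan of the imapd log that the /etc/syslog.conf entries above send to /var/adm/imapd.log: it lists successful logins that reached the server without an SSL/TLS layer, which is exactly the exposed LOGIN exchange in the diagram, and clients with repeated failures. The log lines are constructed in the style of Cyrus imapd's "login:" / "badlogin:" messages behind a standard syslog prefix; the exact wording on a given Cyrus version, and hence the awk field numbers, is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original slides: scan an imapd syslog file
# for (1) logins that arrived without an SSL/TLS layer and (2) clients with
# repeated failures. The lines below are constructed in the style of Cyrus
# imapd's "login:" / "badlogin:" messages; the exact format on a given
# version is an assumption, so adjust the awk field numbers if yours differs.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 mail imapd[2231]: login: ws1.example.com [192.0.2.10] alice plaintext User logged in
Mar  3 10:01:40 mail imapd[2232]: login: ws2.example.com [192.0.2.11] bob plaintext+TLS User logged in
Mar  3 10:02:05 mail imapd[2233]: badlogin: ws3.example.com [198.51.100.7] plaintext carol SASL(-13): authentication failure: checkpass failed
Mar  3 10:02:09 mail imapd[2233]: badlogin: ws3.example.com [198.51.100.7] plaintext carol SASL(-13): authentication failure: checkpass failed
Mar  3 10:02:14 mail imapd[2233]: badlogin: ws3.example.com [198.51.100.7] plaintext carol SASL(-13): authentication failure: checkpass failed
Mar  3 10:03:30 mail imapd[2240]: login: localhost [127.0.0.1] dave plaintext User logged in
EOF

# unencrypted_logins LOG: successful logins whose mechanism is bare "plaintext"
# (Cyrus logs "plaintext+TLS" once a TLS layer is active). Connections from
# 127.0.0.1 are skipped because the SSH forwarding in the slides delivers
# them to the server from localhost, already inside the encrypted tunnel.
# Fields: $6 = "login:", $8 = "[client-ip]", $9 = user, $10 = mechanism.
unencrypted_logins() {
    awk '$6 == "login:" && $10 == "plaintext" && $8 != "[127.0.0.1]" {
            ip = $8; gsub(/\[|\]/, "", ip); print $9, ip
         }' "$1"
}

# failed_logins_over LOG N: client addresses with at least N "badlogin:" entries.
failed_logins_over() {
    awk -v limit="$2" '
        $6 == "badlogin:" { ip = $8; gsub(/\[|\]/, "", ip); n[ip]++ }
        END { for (ip in n) if (n[ip] >= limit) print ip, n[ip] }
    ' "$1"
}

echo "== logins without SSL/TLS =="
unencrypted_logins "$SAMPLE_LOG"
echo "== clients with 3 or more failed logins =="
failed_logins_over "$SAMPLE_LOG" 3
```

Point both functions at /var/adm/imapd.log on the server; a non-empty first list means some mail readers are still configured for port 143 without stunnel or the SSH tunnel, and the second list is the input for whatever lockout or alerting policy the site uses.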
Conclusion
- IMAP is far superior to POP3
- Installation and configuration are complex
- The server must be properly maintained