IMAP Installation, Configuration & Security HARICHARAN - PowerPoint PPT Presentation

IMAP Installation, Configuration & Security HARICHARAN PADMANABAN hari20@siu.edu

What is IMAP? IMAP – Internet Message Access Protocol or Internet Mail Access Protocol Allows user to perform certain operations on the messages remotely Uses Port 143

Features Ability to manipulate remote folders other than INBOX. Remote folder management (list/create/delete/rename). Support for folder hierarchies. Ability to set standard and user-defined message status flags. Suitable for accessing non-email data; e.g., NetNews, documents. Server-based searching and selection to minimize data transfer.

IMAP vs POP POP – Only new unread messages are stored unless specified IMAP – All messages are stored until they are deleted POP – Messages stored locally IMAP – Messages stored remotely POP – Best choice if only one account IMAP – Efficient if multiple accounts POP – Easy to configure IMAP – A bit complicated to setup POP – Offers ‘offline’ access too IMAP – Offers ‘online’ and ‘disconnected’ access

maildir vs mbox mailbox - Stores each message into a separate file Message flags are stored into file name Very unlikely to get corrupted in any way Opening files - slow Updating files – quick mbox – single file where all messages are appended Flags stored in message headers Deleting messages are slow Good for read-only mailboxes

Authentication Methods ● sasldb – Stores usernames and passwords in file called sasldb. ● LDAP – Lightweight Directory Access Protocol ● PAM – Pluggable authentication module - mechanism to integrate multiple low-level authentication schemes into a high-level API ● Kerberos – A trusted third party is relied upon to perform authentication

Installation from binary sources Download gzipped archives from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ tar -zxvf cyrus-sasl-X.X.X.tar.gz cd cyrus-sasl-X.X.X ./configure make make install Download and extract cyrus-imapd-X.X.X.tar.gz useradd -g mail cyrus Cyrus needs a user named ‘cyrus’ and group ‘mail’ Specify the default authentication with ./configure –with-pwcheck_method= PAM | kerberos_v4 | passwd | shadow | sasldb make depend make all CFLAGS=-O make install

Software used Fedora Core 4 Cyrus imapd Cyrus IMAP cyrus-imapd-2.2.12.tar.gz Cyrus SASL cyrus-sasl-2.1.20.tar.gz Berkeley DB db-4.2.52.NC.tar.gz Basic compiler Gcc Email client Mozilla Thunderbird 1.0.6

Configuration Edit /etc/syslog.conf and add the following lines at the bottom: local6.debug /var/adm/imapd.log auth.debug /var/adm/auth.log Create a new file /etc/imapd.conf and write in the contents configdirectory: /var/imap partition-default: /var/spool/imap admins: cyrus root srvtab: /var/imap/srvtab allowanonymouslogin: no sasl_passwd_check: sasldb

Configuration (contd.) Create necessary directories mkdir /var/adm touch /var/adm/imapd.log /var/adm/auth.log mkdir /var/imap /var/spool/imap /var/imap/srvtab chown cyrus /var/imap /var/spool/imap /var/imap/srvtab chgrp mail /var/imap /var/spool/imap /var/imap/srvtab chmod 750 /var/imap /var/spool/imap /var/imap/srvtab su cyrus Check /etc/services for the following line. If doesn’t exist add this line imap 143/tcp pop3 110/tcp

Configuration (contd.) Create /etc/xinetd.d/imap and add the following lines # # imap - Plaintext IMAP mail daemon # service imap { socket_type = stream wait = no user = root server = /etc/rc.d/init.d/imapd log_on_success += HOST DURATION log_on_failure += HOST disable = no } Edit /etc/group and add the user daemon to the mail group. Setup mailboxes for various users as user ‘cyrus’ with commands cyradm localhost cm user.<username>

Security Security can enhanced by implementing one of the following techniques ● Using SSL(Secure Sockets Layer) to connect between the remote mail server and the client unless the connected is encrypted ● Using SSH to forward IMAP connection SSL ● Mail reader must be configured to connect using SSL ● SSL/TLS provides both Authentication and Encryption stunnel can be used to provide SSL connection ● ● Generate SSL certificates for stunnel and imapd ● Start imapd with stunnel using /usr/sbin/stunnel -d 993 -l /usr/sbin/imapd imapd

Security (contd.) SSH for authentication and encryption SSH must be installed on the mail server and must be running UNSECURED CONNECTION MAIL IMAP LOGIN <username> Password READER SERVER exposed!

Security (contd.) Use ssh -q -L 3000:localhost:143 Imap_Server.domain.com to use SSH for forwarding IMAP connection -L --> Given port on host to be forwarded to given host and port on the remote side -q --> Do in quiet mode MAIL IMAP READER SERVER IMAP ON SSH SSH SSH LOGIN <username> Password CLIENT SERVER

Conclusion ● IMAP is far more superior than POP3 ● Installation and configuration is complex ● Proper maintainence of server should be done – eg. Compressing and archiving old messages