15.1. IMAP: An Introduction
IMAP, fully
documented in RFC 3501, was designed to provide a robust, mobile mail
delivery and access mechanism. For more detail on the protocol and
how it functions on the network layer, or for additional information
on the numerous specification options, please consult the RFC
documentation.
15.1.1. IMAP and POP
POP and
IMAP tend to be grouped together or compared, which is a bit unfair
since they are dissimilar in many ways. POP was created as a simple
mail delivery vehicle, which it does very well. Users connect to the
server and obtain their messages, which are then, ideally, deleted
from the server. IMAP takes an entirely different approach. It acts
as the keeper of the messages and provides a framework in which the
users can efficiently manipulate the stored messages. While
administrators and users can configure POP to store the messages on
the server, it can quickly become inefficient since a POP client will
download all old messages each time the mail is queried. This can get
messy quickly, if the user is receiving any quantity of email. For
users who do not need any kind of portability, or receive little
email, POP is probably an acceptable choice, but those seeking
greater functionality will want to use IMAP.
15.1.2. Which IMAP to Choose?
Once you've decided that
IMAP is for you, there are two primary options. The two main flavors
are Cyrus IMAP and the University of Washington IMAP server. Both
follow the RFC specification for IMAP and have their advantages and
disadvantages. They also use different mailbox formats and therefore
cannot be mixed. One key difference between the two is found in Cyrus
IMAP. It does not use /etc/passwd for its mail
account database, so the administrator does not have to specially add
mail users to the system password file. This is a more secure option
for system administrators, because creating accounts on systems can
be construed as a security risk. However, the ease of configuration
and installation of UW IMAP often makes it more appealing. In this
chapter, we'll primarily focus on the two most
common IMAP servers: UW IMAP, because of its popularity and ease of
installation, and Cyrus IMAP, because of its additional security
features.
15.1.2.1 Getting an IMAP client
The UW IMAP, as its name suggests, can be
found at the University of Washington. Their web site, http://www.washington.edu/imap/, contains
various documentation and implementation suggestions, as well as the
link to their software repository FTP site. There are a number of
different versions available in various forms. For simplicity, the UW
IMAP team offers a direct link to the most current version:
15.1.2.2 Installing UW-IMAP
Once the server software has been
downloaded and decompressed, it can be installed. However, because of
UW-IMAP's large portability database, it does not
support GNU automake, meaning that there isn't a
configure script. Instead, a
Makefile that relies on user-specified
parameters is used. There are many supported operating systems,
including a number of Linux distributions. Here's a
list of a few of the supported Linux distributions:

# ldb Debian Linux
# lnx Linux with traditional passwords and crypt( ) in the C library
# (see lnp, sl4, sl5, and slx)
# lnp Linux with Pluggable Authentication Modules (PAM)
# lrh RedHat Linux 7.2
# lsu SuSE Linux
# sl4 Linux using -lshadow to get the crypt( ) function
# sl5 Linux with shadow passwords, no extra libraries
# slx Linux using -lcrypt to get the crypt( ) function

The lrh version will probably work on newer Red Hat versions as well.
If your distribution isn't listed, try one of the matching generic
options. lnp is a good guess for most modern versions of Linux.
If you don't have OpenSSL installed, you will need
to edit a part of the Makefile. Find the section where SSL is being
configured, and look for the following line:
SSLTYPE=nopwd

The nopwd option needs to be set to none in order to tell IMAP that
you aren't using OpenSSL. If you have OpenSSL installed but the
installer is still failing, the cause is most likely that it is
looking for OpenSSL in the wrong place. By default, the
Makefile searches a predefined path based on
your build selection at the beginning of the process. For example, if
you have used the lnp option to build IMAP, it is
looking for SSL in the /usr/ssl directory. But
if you're using Gentoo Linux, your SSL directory is
/usr and you will need to search for the SSLPATH
option in the Makefile and correct the path. The same process will
need to be followed for the SSLCERTS option, which should be in the
same area of the Makefile. Having successfully compiled the IMAP
server, you should install it in your inetd.conf
file (or use xinetd, if appropriate). To use
inetd.conf, you need to add the following line:

imap stream tcp nowait root /path/to/imapd imapd

Note that you will need to change the actual path to reflect the
location where you installed your imapd binary. Most modern Linux
systems have a fairly complete /etc/services file, but you should
verify that IMAP is present by searching for, or if necessary adding,
the following lines:
imap 143/tcp
imaps 993/tcp

When these steps have been completed, the installation can be tested
with netstat. If your installation is successful, you will see a
listener on TCP port 143.

vlager# netstat -aunt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN

As with any service, it may also be necessary to make adjustments to
the firewall to allow the new connections.
15.1.2.3 IMAP configuration
One of the great joys of UW IMAP is that
once it is installed, it is almost always fully functional. The
default options, including the use of standard
/etc/passwd authentication and the Unix mailbox
format, are considered acceptable by most administrators. If you need
more flexibility or features, UW IMAP offers extended configuration
options such as anonymous logins, IMAP alert messages, alternate
mailbox formats, and the possibility of shared mailboxes, which
we'll take a look at in the next section.
15.1.2.4 Advanced UW IMAP configuration options
There are a number of additional
options that can be added to a UW IMAP server, based on your
requirements. One feature that may be useful is the potential to
allow anonymous logins. This can be used as a way to provide
information to users without creating specific accounts for them.
This has been used at universities as a method of distributing
information, or providing read-only access to discussion lists. To
enable this functionality, the only step required is to place a file
in your /etc directory called
anonymous.newsgroups. Once this has been
completed, anonymous users will have access to commonly shared
mailboxes. Another potentially useful feature is the
ability to create an alert message for IMAP users. When enabled, this
feature will generate an alert message for any user logging in to
check their mail. As the message is displayed every time a user
checks their mail, it should be used only in emergency situations. It
would not be a good place to put a banner or disclaimer. To create
the alert message, you need to create a file called
imapd.alert. The contents consist of your
message.
15.1.2.5 Using alternate mailbox formats
The default mailbox format configured
by UW IMAP was selected because it provides the greatest flexibility
and compatibility. While these are two definite advantages, they come
at a cost of performance. The mbx format supported by UW IMAP
provides better capabilities for shared mailboxes, since it supports
simultaneous reading and writing.
15.1.2.6 Configuring IMAP to use OpenSSL
IMAP provides many useful conveniences
required by users when dealing with their email, but lacks one very
important feature: encryption. For this reason, IMAP-SSL was
developed. When it is installed, an IMAP user with compatible client
software can enjoy all the functions of IMAP without worrying about
eavesdropping. In order to install IMAP with SSL support, you will
first need to make sure that your IMAP server is properly installed
and functioning. You will also need a functional OpenSSL
installation. Most Linux distributions are shipped with OpenSSL, but
if for some reason your distribution does not have it, please consult
the Apache chapter in this book for more information on building
OpenSSL. To begin the configuration process, create
digital certificates for your IMAP server to use. This can be done
with the OpenSSL command-line utility. A sample certificate can be
created as follows:
vlager# cd /path/to/ssl/certs
vlager# openssl req -new -x509 -nodes -out imapd.pem -keyout imapd.pem -days 365
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
..............++++++
..................................................++++++
writing new private key to 'imapd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
.
.
Common Name (eg, YOUR name) [ ]: mail.virtualbrewery.com
Email Address [ ]:
vlager # ls -l
total 4
-rw-r--r-- 1 root root 1925 Nov 17 19:08 imapd.pem
vlager #

When creating this certificate, make sure
that you've entered the domain name of your mail
server in the common name field. If this is not set, or is set
improperly, you will at best get error messages when clients try to
connect, and at worst have a broken server.
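As an added example (not part of the original chapter or of UW-IMAP), the following shell functions perform the certificate step above without the interactive prompts and then check the two things a practitioner wants to confirm before handing imapd.pem to the server: that the Common Name is the mail server's host name, and that the file, which also holds the private key, is not readable by other users. The host name mail.virtualbrewery.com comes from the transcript above; the function names, the work directory and the mode 600 requirement are assumptions.

```shell
#!/bin/sh
# Added example: non-interactive version of the certificate step, plus a
# check of the Common Name and of the key file's permissions. Function
# names and the 600 mode requirement are assumptions.
set -eu

# Create imapd.pem in directory $1 for host name $2. The CN is supplied
# with -subj, so no prompts appear. Key and certificate are written to
# separate files and then concatenated, giving the same one-file layout
# the chapter's single -out/-keyout command produces.
make_imapd_cert() {
    dir=$1; host=$2
    openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$host" -keyout "$dir/imapd.key" \
        -out "$dir/imapd.crt" 2>/dev/null
    # imapd.pem contains the private key: create it owner-only.
    ( umask 077; cat "$dir/imapd.key" "$dir/imapd.crt" > "$dir/imapd.pem" )
    rm -f "$dir/imapd.key" "$dir/imapd.crt"
    chmod 600 "$dir/imapd.pem"
}

# Print the Common Name of the certificate in PEM file $1.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Return 0 when the CN of $1 equals host name $2, the certificate stays
# valid for at least one more day, and the file mode is exactly 600.
check_imapd_cert() {
    pem=$1; host=$2
    [ "$(cert_cn "$pem")" = "$host" ] ||
        { echo "CN '$(cert_cn "$pem")' does not match $host" >&2; return 1; }
    openssl x509 -in "$pem" -noout -checkend 86400 >/dev/null ||
        { echo "certificate expires within a day" >&2; return 1; }
    [ -n "$(find "$pem" -perm 600)" ] ||
        { echo "$pem is readable by other users" >&2; return 1; }
    echo "ok: $pem is a valid certificate for $host"
}
```

A CN mismatch or a world-readable key file makes the check return 1 with the reason on stderr, so it can be run from an installation script before the inetd or xinetd entry is enabled.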
There is a good chance
that your IMAP server will need to be recompiled and configured to
use OpenSSL. Fortunately, this is a fairly easy process. If you are
using Red Hat, SuSE, or any of the other mentioned distributions,
substitute them in the command line; otherwise, the following
command-line options will work for most other Linux distributions:
vlager# make lnp PASSWDTYPE=pam SSLTYPE=nopwd

If you receive errors regarding OpenSSL, you may need to adjust the path
settings. You can do this by making changes to the
SSLDIR, SSLLIB, and
SSLINCLUDE path options found in the
Makefile. For most users, this will not be
necessary. After compiling the new IMAP server, copy
it from the build directory to the location on your system where your
other daemon files are located. Since IMAP-SSL uses a different port
from the standard IMAP, you will need to make a change to your
inetd.conf file.
imaps stream tcp nowait root /path/to/imapd imapd

If you're using xinetd, you will
need to create a file in your /etc/xinetd.d
directory, which looks like this:

service imaps
{
    socket_type = stream
    wait = no
    user = root
    server = /path/to/imapd
    log_on_success += DURATION USERID
    log_on_failure += USERID
    disable = no
}

It is also important, at this point, to make certain that you have an
imaps entry in your
/etc/services file.

vlager # cat /etc/services |grep imaps
imaps 993/tcp # IMAP over SSL
imaps 993/udp # IMAP over SSL
vlager #

You can now test your server from any
number of clients. Make certain that you've
specified in the client configuration that you will be using SSL. In
a number of clients, upon connection, you will receive a message
asking you if you wish to trust the certificate. This message will
appear only if you've generated your own
certificate, as we did in the above example. Some administrators,
especially if the server is being used for production use, will
likely want to purchase a certificate to avoid this.