KNOW HOW MAIL PROTOCOL
Multiple Personalities
IMAP
IMAP
IMAP
MIKE BRODBELT
I ve been using electronic mail for some years now, and, like many other Linux users, I have more
than one email address. Currently, I have about six accounts that I actively use, and several dozen
other addresses that deliver to me. I used to use my email to manage my work  these days
managing my email has become my work, along with managing mail for my network.
For anyone who has a requirement to access required is to configure a new IMAP client with the
multiple separate mail accounts that reside on IMAP account details.
different machines, access to email becomes An IMAP client can easily be configured to view
problematic. Many mail systems use the tried and multiple mailboxes in physically separate servers.
tested POP3 protocol. POP3 client applications Multiple IMAP clients can be used by each user.
download the mail from the server, and store it on This makes implementing a Web mail solution for
the client computer. Most clients store mail in their roaming users a simple task.
own format, making it inaccessible to other mail IMAP maintains message status flags on the
programs, and most machines which run POP3 server for read, answered, etc.
clients are desktops, which are rarely on 24/7, IMAP allows shared folders. This makes it easier
further reducing access to the mail once it has been to implement generic email accounts for an
downloaded. organisation, and then allow multiple users to
The IMAP protocol attempts to remedy some of access those accounts.
these problems. The strength of IMAP (Internet Many implementations also allow server side
Message Access Protocol) lies in online and filtering of mail. This can be an extremely useful
disconnected operation. Unlike POP3, mail is not feature when users are accessing their mailboxes
copied from the server and then deleted. Instead, through different email clients.
IMAP clients manipulate the mail on the server, and
permit access to remote, server hosted mailboxes as
Software
though they were local resources.
An IMAP mail system has a number of There are a number of IMAP servers available,
immediate advantages for users: but this discussion is limited to those which fall
As all mail is stored on the server, changing mail under some sort of open-source license. IMAP offers
client becomes the work of seconds. All that is a number of extensions to the basic protocol, and
different servers implement different subsets of this
functionality.
As of this writing, the IMAP capabilities defined are:
Detailed information about any of these can be
gleaned from the appropriate RFC, but those likely
ACL [RFC2086]
to be of most interest are ACL (access control list)
IDLE [RFC2177]
support, which offers fine grained control over user
LITERAL+ [RFC2088]
access to mailboxes, QUOTA support, which permits
LOGIN-REFERRALS [RFC2221]
mailbox level quotas independent of any disk quota
MAILBOX-REFERRALS [RFC2193]
scheme in use, and STARTTLS, which allows IMAP
NAMESPACE [RFC2342]
over SSL secured connections.
QUOTA [RFC2087]
The three main open-source IMAP servers in use
UIDPLUS [RFC2359]
are:
STARTTLS [RFC2595]
Courier IMAP
LOGINDISABLED [RFC2595]
(http://www.inter7.com/courierimap/), University of
ID [RFC2971]
Washington (UW) IMAP
68 LINUX MAGAZINE 10 · 2001
MAIL PROTOCOL KNOW HOW
(http://www.washington.edu/imap/), and Cyrus authentication multiplexer  it can be compiled to
(http://asg.web.cmu.edu/cyrus/imapd/). These use a number of authentication methods, and it
servers all offer slightly different feature sets, and hides the details of these authentication methods
which is best will depend entirely on the demands from the application using them. A site may have a
of the user base it is expected to serve. number of applications that use SASL, and these
The choice of IMAP server may well be dictated applications need only be written to authenticate
by the MTA (Mail Transfer Agent) in use, as both the via SASL. The SASL library can be built to BOX 1
MTA and the IMAP server must understand a authenticate via Kerberos, GSSAPI, CRAM-MD5,
common mailbox format. The UW server offers no DIGEST-MD5, and others. SASL provides the option configdirectory:
support for maildir, and has no plans to do so at the of storing authentication information within a /var/imap
time of writing. The Courier server was specifically Berkeley database on disk, for those who do not partition-default:
written to allow IMAP access to maildir format have a Kerberos or similar infrastructure in place. If /var/spool/imap
mailboxes, and so users of Qmail (which uses maildir) this is to be used, it is important that the SASL admins: cyrus
will find Courier to be their only choice of IMAP library and the applications using SASL be compiled sendmail:
server at this time. The Cyrus server supports only its with the same version of libdb. SASL will happily /usr/sbin/sendmail
own format, but provides with the distribution a local compile with the version included with glibc on
delivery agent that can understand this format, so most systems, but Cyrus IMAP will not, and requires
integrating it into most MTA s should be possible. The Berkeley DB.
UW server supports several mailbox formats, so if The Berkeley DB package can be downloaded
access to mail via Elm or any other mail client that from http://www.sleepycat.com. I installed it
reads the mailbox directly is required, then UW will be in /usr/local/BerkeleyDB.3.2/ and then configured
the server of choice. SASL to use it:
If the choice of server has not already been
# export LIBRARY_PATH=/usr/local/BerkeleyDBU
made by the above paragraph, other features may
.3.2/lib/
be important. The Cyrus server allows you to run it
# export C_INCLUDE_PATH=/usr/local/BerkeleyU
as a black-box system. Cyrus users need neither
DB.3.2/include/
shell access to the IMAP server, nor an account in # export LDFLAGS=-R/usr/local/BerkeleyDBU
.3.2/lib/
/etc/passwd. Users of UW or Courier servers need
# ./configure --prefix=/usr --disable-gssapiU
accounts in /etc/passwd to receive mail. Cyrus
--disable-krb-4U
implements the IMAP ACL and QUOTA extensions,
--with-pam=yes --with-dblib=berkeley --with-U
UW relies on OS level disk quotas, and thus can
rc4=/usr/local/ssl/
generate hard bounces for over-quota situations.
For my purposes, I chose to use the Cyrus server. This configuration was for a test system with no
Cyrus is a feature rich server, and supports several Kerberos or GSSAPI authentication, with OpenSSL
features, which I consider important. It implements 0.9.6. OpenSSL should be compiled to generate a
the IMAP ACL and QUOTA extensions, which give it shared library. This compiles a SASL library with
great administrative flexibility. It has full support for support for anonymous, CRAM-MD5, DIGEST-MD5,
several encrypted authentication methods, via the and PLAIN authentication methods. Any application
Cyrus-SASL library (see below), and it supports compiled against the SASL library will now be able to IMAP client IMP
IMAP over SSL.
Compiling and installing the
Cyrus server
There are binary distributions of Cyrus available
in rpm or deb format, and installing one of these
may well represent the simplest way to get the
Cyrus server installed. Nevertheless, I chose to
compile the server from source as this provides far
more flexibility that a precompiled distribution, and,
with a package as complex and powerful as Cyrus,
the time invested in customising the setup for your
needs is time well spent.
While Cyrus is an excellent package, the
documentation left much to be desired. The first
problem to be faced in attempting to compile Cyrus
was the Cyrus SASL (Simple Authentication and
Security Layer) library.
Recent versions of Cyrus (version 2 or greater)
require the Cyrus SASL authentication library to be
installed before the IMAP server. SASL is an
10 · 2001 LINUX MAGAZINE 69
KNOW HOW MAIL PROTOCOL
offer any of these authentication methods Finally, the master process must be configured.
to client applications. This can provide The Cyrus distribution comes with a number of
significant additional security  PINE and sample configurations in the master/conf directory.
Mutt both support CRAM-MD5 Choose the appropriate one, and copy it to
authentication, which obviated the need to /etc/cyrus.conf, and uncomment the entries required.
send authentication credentials in the clear. To test connections to the IMAP server, start the
The SASL architecture allows more master process and try to telnet to the server on the
authentication methods to be plugged-in to IMAP port:
SASL as they are developed.
$ telnet bifrost 143
Once the SASL library is installed, Cyrus
Trying 192.168.1.4...
can be compiled relatively easily, though it
Connected to bifrost.altair.nexus.
Mutt as the client is important to remember to add a user account for Escape character is  ^] .
* OK bifrost.altair.nexus Cyrus IMAP4U
Cyrus to run under to /etc/passwd before compiling
v2.0.11 server ready
the server. The version I used was 2.0.11, and it was
configured as follows:
If you see a greeting message like that above,
# ./configure --prefix=/usr --sysconfdir=/etc U
your server is running. Add a user and password to
--localstatedir=/var U
your SASL secrets file using the saslpasswd utility
--with-openssl=/usr/local/ssl/ --with-sasl=/U
usr/lib/sasl/ U (this won t be necessary if you already have an
--without-krb --with-dbdir=/usr/local/BerkeleyU
authentication framework like Kerberos in place).
DB.3.2/
You can then test connections for this user with the
imtest script from the Cyrus distribution:
To make Cyrus compile correctly, I had to make
# /usr/bin/imtest -m login -a imapuser bifrost
two small alterations. I added a symbolic link from
C: C01 CAPABILITY
/share to /usr/share (without this the compile_et
S: * OK bifrost.altair.nexus Cyrus IMAP4U
program caused the compile to fail), and I also had v2.0.11 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTAU
to copy the ssl shared libraries from /usr/local/ssl/lib
LITERAL+ NAMESPACE UIDPLUS IDU
to /usr/lib before the compilation found them.
NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORTU
THREAD=ORDER
EDSUBJECT THREAD=REFERENCES IDLE AUTH=DIGESTU
Configuring and testing the
-MD5 AUTH=CRAM-MD5
Cyrus server
S: C01 OK Completed
Password:
C: L01 LOGIN imapuser {9}
After installation, there are several steps
+ go ahead
necessary to get you new IMAP server up and
C:
running. First, create your /etc/imapd.conf file. This L01 OK User logged in
Authenticated.
is a simple configuration file, and a basic setup
Security strength factor: 0
should look something like the file in Box 1. For a
. logout
full description of the fields in this file, see the
* BYE LOGOUT received
imapd.conf(5) man page.
. OK Completed
Next, create the  configdirectory specified in Connection closed.
the imapd.conf file. Ensure this is owned by the Cyrus
BOX 2
user and group (by default, cyrus:mail), and change At this stage, you have a working IMAP server
its permissions to 750. Do the same for the installed. You now need to add user mailboxes. This
pop3 110/tcp
 partition-default directory. Then, run the is done with a Perl program called Cyradm, which is
imap 143/tcp
tools/mkimap script from the Cyrus distribution, as installed as part of the Cyrus distribution. This
imsp 406/tcp
the Cyrus user - this will create the Cyrus directories should be run as the Cyrus user, and allows a
acap 674/tcp
under those you just created. On Linux file systems number of administrative operations:
imaps 993/tcp
(ext2 - this does not apply to ReiserFS, XFS, or similar),
pop3s 995/tcp
$ cyradm bifrost.altair.nexus
it s important to use the  chattr +S command to set
kpop 1109/tcp
Please enter your password:
these directories and their contents for synchronous
sieve 2000/tcp bifrost.altair.nexus> ?
authenticate, login, auth authenticateU
updates. The ext2 filesystem can be prone to mailbox
lmtp 2003/tcp
to server
corruption under certain circumstances without this
fud 4201/udp
chdir, cd change currentU
attribute set. Using synchronous updates forces the
directory
operating system to flush changes to these
createmailbox, cm, create create mailbox
deleteaclmailbox, dam,U
directories to the disk immediately, and generates a
deleteacl remove ACLsU
performance overhead. For a large system, it may be
from mailbox
preferable to use a journaling filesystem to obviate
deletemailbox, delete, dm delete mailbox
the need for this.
disconnect, disc disconnectU
from current server
Ensure that your /etc/services file contains all the
exit, quit exit cyradm
entries in Box 2.
70 LINUX MAGAZINE 10 · 2001
MAIL PROTOCOL KNOW HOW
system. Installing and configuring it correctly is not
help, ? show commands
listacl, lam, listaclmailbox list ACLs onU a simple process, but once set up, it provides a
mailbox
vastly superior alternative to the traditional POP3
listmailbox, lm list mailboxes
mailbox setup. Most mail clients can be configured
listquota, lq list quotasU
to use multiple IMAP accounts, so for users with
on specified root
many mailboxes IMAP simplifies mail handling
listquotaroot, lqr, lqm show quotaU
roots and quotas for mailbox immensely. All your mail accounts can be handled
renamemailbox, rename, renm rename (andU
from anywhere with an IMAP client. Several IMAP
optionally relocate) mailbox
Web mail clients exist, these can vastly simplify life
server, servername, connect show currentU
for roaming users, who can then access their mail
server or connect to server
from anywhere with an Internet connection.
setaclmailbox, setacl, sam set ACLs onU
mailbox Examples of these are Squirrel Mail
setquota, sq set quota onU
(http://www.squirrelmail.org) and IMP
mailbox or resource
(http://www.horde.org/imp/2.2).
version, ver, info displayU
Both of these require additional configuration
version info of current server
work, as they are PHP based. Squirrel Mail uses its
Each user should have a mailbox created. For own implementation of the IMAP protocol, and,
the imapuser test user, create a mailbox called for this reason is probably easier to set up than
user.imapuser through Cyradm. This will become IMP, which requires an external library distributed
the INBOX for that user. All other mailboxes will be with the UW IMAP server. The screenshots show
subordinate to this one, and are best created via a three IMAP clients in use  Netscape, Mutt, and
mail client. IMP. All three are using different forms of BOX 3
To complete the installation, you need to encrypted authentication, and are viewing the
IMAP over SSL
arrange for the Cyrus master process to start when same mailbox.
the system boots, and also configure your MTA to
Enabling SSL support in
$ openssl req -new -x509 -nodes -out /var/U
deliver mail into the Cyrus mailstore. Cyrus provides
Cyrus can be simply
imap/server.pem U
a local delivery agent and the MTA must be
achieved by creating a
-keyout /var/imap/server.pem -days 365
configured to call for local mail. The Cyrus
self signed X509
documentation provides information on how to Then, uncomment the imaps service definition
certificate and private
achieve this with sendmail. For other MTA s, in /etc/cyrus.conf, and add the following lines to
key pair with OpenSSL:
different procedures will be required. /etc/imapd.conf:
tls_cert_file: /var/imap/server.pem
Conclusion tls_key_file: /var/imap/server.pem
It should be clear from the above that a Cyrus After restarting the imap server, SSL support will
installation provides a powerful and flexible mail be enabled. %
Mail server settings for Netscape
10 · 2001 LINUX MAGAZINE 71


Wyszukiwarka

Podobne podstrony:
2001 07 Gimp Workshop Photograph Reprocessing
2001 07 Apple Ibook and Powerbook with Linux
function imap mail copy
function imap mail compose
function imap mail
function imap mail compose
function imap mail move
function imap mail move
function imap mail copy
function imap mail
function imap mail move
function imap mail copy
2001 07 Szkoła konstruktorów klasa II
2001 07 Burn
2001 07 Procmail Email Delivery

więcej podobnych podstron