Installing Courier IMAP under Debian GNU/Linux is a simple procedure.
Install the following packages via apt-get. Pulling down courier-imap and courier-imap-ssl should fetch courier-base and the other related files for you.
    jasonb@nebula:~$ su -
    nebula:~# apt-get update
    nebula:~# apt-get install courier-imap courier-imap-ssl
During installation, debconf will prompt you to answer some questions regarding the initial configuration of Courier IMAP. For the remainder of this guide, it is assumed you have chosen not to "Create directories for web-based administration". You will also be asked "Path to user's Maildir directory". The default of Maildir is correct.
There is not much you need to change. In fact, you probably do not need to change anything at all. There are a few options you may wish to toy with in /etc/courier/imapd.
You may wish to enable IMAP_CHECK_ALL_FOLDERS if you filter new mail into folders other than your regular inbox. You can enable the IMAP_ENHANCEDIDLE option. Enhanced idle mode notifies all clients immediately when any changes to a folder occur. Ordinarily, a client may not be aware of a change to a folder until it is refreshed. You must install the fam package for it to work, as it relies on the File Access Monitor daemon. You can install the package via the usual method:
    nebula:/etc/courier# apt-get install fam
If you choose not to install fam, you can still use IMAP_ENHANCEDIDLE, but instead Courier IMAP will poll for changes every 60 seconds for folders opened by IMAP clients.
Before going through the process of configuring IMAP clients, let's verify that your setup does indeed work. The default Courier-IMAP configuration should work right out of the box. Telnet to your IMAP server as shown below, issue the commands shown, and verify the server's responses. (imap2 is port 143 if you're curious.)
    jasonb@nebula:~$ telnet 127.0.0.1 imap2
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.

    AB LOGIN "user" "secret"
    AB OK LOGIN Ok.

    BC SELECT "Inbox"
    * FLAGS (\Draft \Answered ... \Recent)
    * OK [PERMANENTFLAGS (\* \Draft \Answered ... \Seen)] Limited
    * 13 EXISTS
    * 0 RECENT
    * OK [UIDVALIDITY 1026858715] Ok
    * OK [MYRIGHTS "acdilrsw"] ACL
    BC OK [READ-WRITE] Ok

    ZZZZ LOGOUT
    * BYE Courier-IMAP server shutting down
    ZZZZ OK LOGOUT completed
    Connection closed by foreign host.
I separated each command and server response portion by a couple hard returns to make things more clear. Make sure you substitute your username and password for the dummy values above, and note that the AB, BC, et al. are part of the IMAP protocol and are required, though any sequence of letters will do. (Also, be amused that the actual logout command is indeed ZZZZ LOGOUT -- Someone had a sense of humor.)
The SSL package for Courier IMAP will generate a generic X.509 certificate for you using the mkimapdcert command. If you are going to use a certificate signed by a certificate authority (CA), such as Thawte Consulting or Verisign, you can safely replace the generated certificate with your own. In either case, you must have a fully qualified domain name assigned to the IP address Courier IMAP will listen on for TLS/SSL to function correctly.
The certificate generated by mkimapdcert is /etc/courier/imapd.pem, owned by the root user and the root group and readable only by said user. The configuration file used to generate the X.509 certificate is /etc/courier/imapd.cnf, which is the file you will want to edit to generate a personalized, in-house certificate if you do not require one signed by a certificate authority.
    nebula:/etc/courier# cat imapd.cnf
    RANDFILE = /usr/lib/courier/imapd.rand

    [ req ]
    default_bits = 1024
    encrypt_key = yes
    distinguished_name = req_dn
    x509_extensions = cert_type
    prompt = no

    [ req_dn ]
    C=US
    ST=NY
    L=New York
    O=Courier Mail Server
    OU=Automatically-generated IMAP SSL key
    CN=localhost
    emailAddress=postmaster@example.com

    [ cert_type ]
    nsCertType = server
The default imapd.cnf is, in fact, a standard OpenSSL configuration for generating a self-signed certificate. Full details are available in the OpenSSL man pages, specifically req(1).
You must change the common name (CN) to that of the fully qualified hostname assigned to the IP address Courier IMAP will be listening on, or you will receive a certificate mismatch error when connecting with an IMAP and SSL compatible mail client. The remaining fields, Country (C), State (ST), Location (L), Organization (O), Organizational Unit (OU), and emailAddress are self-explanatory and need not be specific values.
When you are happy with the values you have chosen, run mkimapdcert as root to generate a new X.509 certificate. Make sure you remove the existing imapd.pem first, or no new certificate will be created.
    nebula:/etc/courier# mkimapdcert
    Generating a 2048 bit RSA private key
    ...
    subject= /C=US/ST=GA/L=Gainesville/
      O=The Vortex/OU=Automatically-generated IMAP SSL key/
      CN=host.example.com/emailAddress=user@example.com
    notBefore=Sep 27 23:35:31 2004 GMT
    notAfter=Sep 27 23:35:31 2005 GMT
    MD5 Fingerprint=FA:09:9D:04:A7:04:4A:E9:23:91:09:2A:A7:6C:DF:20
You will notice that the generated certificate will expire in one year. If you need more time, you can modify /usr/sbin/mkimapdcert directly, as it is just a shell script. You can increase the number of days to a value you find more reasonable.
    nebula:/etc/courier# cat /usr/sbin/mkimapdcert
    #! /bin/sh
    ...
    /usr/bin/openssl req -new -x509 -days 365 -nodes \
        -config /etc/courier/imapd.cnf -out /usr/lib/courier/imapd.pem \
        -keyout /usr/lib/courier/imapd.pem || cleanup
    ...
If a year is not enough, select an appropriate value and generate your X.509 certificate.
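
Before running mkimapdcert, the imapd.cnf values discussed above can be checked mechanically. The following is an added example, not part of the original guide or of Courier: the function names are hypothetical, and the 2048-bit minimum for default_bits is this example's assumption rather than a Courier default.

```sh
#!/bin/sh
# Added example: lint an OpenSSL req config such as /etc/courier/imapd.cnf
# before running mkimapdcert. Function names and the 2048-bit floor are
# assumptions of this example, not Courier defaults.

# Print the value of KEY inside [ SECTION ], tolerating spaces around "=".
cnf_get() {   # usage: cnf_get FILE SECTION KEY
    awk -v want="$2" -v key="$3" '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]|\[|\]/, "", s); insec = (s == want); next }
        insec && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            sub(/[ \t]*#.*/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Return 0 if the certificate will carry CN=FQDN and a key of >= 2048 bits;
# otherwise print each problem and return 1.
lint_imapd_cnf() {   # usage: lint_imapd_cnf FILE FQDN
    rc=0
    dn=$(cnf_get "$1" req distinguished_name)   # e.g. req_dn
    cn=$(cnf_get "$1" "$dn" CN)
    bits=$(cnf_get "$1" req default_bits)
    [ "$cn" = "$2" ] || { echo "CN=$cn does not match $2"; rc=1; }
    [ "${bits:-0}" -ge 2048 ] 2>/dev/null ||
        { echo "default_bits=$bits is below 2048"; rc=1; }
    return "$rc"
}

# The [ req ] and [ req_dn ] values from the default imapd.cnf shown above.
sample_default_cnf() {
    printf '%s\n' '[ req ]' 'default_bits = 1024' 'distinguished_name = req_dn' \
        'prompt = no' '' '[ req_dn ]' 'C=US' 'CN=localhost' \
        'emailAddress=postmaster@example.com'
}

tmp=$(mktemp) && sample_default_cnf > "$tmp"
lint_imapd_cnf "$tmp" host.example.com || true   # reports both problems
rm -f "$tmp"
```

On a real system, call lint_imapd_cnf with /etc/courier/imapd.cnf and the server's fully qualified hostname.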
If you do not wish to allow clients to communicate with Courier IMAP without using encryption, you can require Transport Layer Security (TLS). Edit /etc/courier/imapd-ssl and change IMAP_TLS_REQUIRED to 1. Additionally, if all your clients support TLS, you can disable the dedicated IMAP-over-SSL listener on port 993.
    # Ok, the following settings are new to imapd-ssl:
    #
    # Whether or not to start IMAP over SSL on simap port:

    IMAPDSSLSTART=NO

    ##NAME: IMAPDSTARTTLS:0
    #
    # Whether or not to implement IMAP STARTTLS extension instead:

    IMAPDSTARTTLS=YES

    ##NAME: IMAP_TLS_REQUIRED:1
    #
    # Set IMAP_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone.
    # (this option advertises the LOGINDISABLED IMAP capability, until STARTTLS
    # is issued).

    IMAP_TLS_REQUIRED=1
The configuration above disables access to port 993 entirely and requires clients on port 143 to negotiate encryption with STARTTLS before they can log in.
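
To confirm that the settings above took effect, check both the file and what the server advertises on port 143. The following is an added example, not part of the original guide or of Courier: the function names are hypothetical, the second greeting is constructed, and accepting any IMAPDSTARTTLS value that starts with y or Y is an assumption about how Courier reads the setting.

```sh
#!/bin/sh
# Added example: check that STARTTLS is really enforced, from the config
# file and from the server greeting. Function names are hypothetical.

# Print the value of the last real KEY=VALUE assignment in FILE. Lines such
# as "##NAME: IMAP_TLS_REQUIRED:1" name the key but are comments, so a plain
# grep for the key would match them and mislead.
conf_value() {   # usage: conf_value KEY FILE
    sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$2" |
        tail -n 1
}

# Return 0 only if STARTTLS is offered and required; print problems otherwise.
audit_imapd_ssl() {   # usage: audit_imapd_ssl FILE
    rc=0
    case "$(conf_value IMAPDSTARTTLS "$1")" in
        [yY]*) ;;   # assumption: any value starting with y/Y enables it
        *) echo "IMAPDSTARTTLS is not YES: STARTTLS is not offered"; rc=1 ;;
    esac
    [ "$(conf_value IMAP_TLS_REQUIRED "$1")" = "1" ] ||
        { echo "IMAP_TLS_REQUIRED is not 1: LOGIN works without TLS"; rc=1; }
    return "$rc"
}

# Return 0 if a port-143 greeting advertises both STARTTLS and LOGINDISABLED,
# which is what a client sees before STARTTLS when TLS is required.
greeting_enforces_tls() {   # usage: greeting_enforces_tls "GREETING LINE"
    caps=$(printf '%s\n' "$1" | sed -n 's/.*\[CAPABILITY \([^]]*\)].*/\1/p')
    case " $caps " in *" STARTTLS "*) ;; *) return 1 ;; esac
    case " $caps " in *" LOGINDISABLED "*) return 0 ;; *) return 1 ;; esac
}

# Greeting from the telnet session above (shortened), then a constructed one.
GREETING_DEFAULT='* OK [CAPABILITY IMAP4rev1 UIDPLUS IDLE STARTTLS] Courier-IMAP ready.'
GREETING_REQUIRED='* OK [CAPABILITY IMAP4rev1 IDLE STARTTLS LOGINDISABLED] Courier-IMAP ready.'

for g in "$GREETING_DEFAULT" "$GREETING_REQUIRED"; do
    if greeting_enforces_tls "$g"; then echo "TLS enforced"
    else echo "plaintext LOGIN possible"; fi
done
```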
If you intend to use a Webmail client with your Courier IMAP configuration, such as SquirrelMail, you may wish to install up-imapproxy. up-imapproxy caches connections between a stateless Webmail client and an IMAP server, so the Webmail client does not actually go through the overhead of logging into the IMAP server for every single transaction. On high volume deployments, it can speed things up a lot. For single user and small deployments, it isn't really necessary.
You can install up-imapproxy via apt-get.
    jasonb@nebula:~$ su -
    nebula:~# apt-get install imapproxy
You will be asked which host to connect to for access to your real IMAP server. The default of localhost is likely acceptable. Thereafter you will want to edit /etc/imapproxy.conf. You may wish to edit listen_port and listen_address to suit your configuration. You should update your Webmail configuration to reflect the port and host you just configured up-imapproxy to use. Restart up-imapproxy and enjoy.