Assignment 3: The core II (IMAP)

Installation and configuration of a secure delivery/receipt mail service (IMAP) [MDA]: Dovecot

Continuing with the development of our secure email service on server-05, it’s now mandatory to develop the mail delivery services through the IMAP protocol, which will allow us to transfer mail from the MTA to the client (MUA). This mail system component is called MDA (Mail Delivery Agent).

More details in references [3][9][10][11]

1. Installation of the IMAP server using Dovecot implementation:

   • Install the Dovecot mail service on server-05

   For mail delivery from server-05 to clients (MUAs), we will use the well-known IMAP protocol. Using IMAP4, mail clients such as Webmail, Outlook, Thunderbird or Evolution could access user mail through mailboxes and deliver it. Also, that protocol can work over SSL, so that the communications can be encrypted between the MUA and MTA.

   We will use the IMAP’s Dovecot implementation. There are others like Courier, etc.

2. Initial configuration: The service’s configuration relies on several files in /etc/dovecot/conf.d. One of the most important ones for the service is /etc/dovecot/10-master.conf, which establishes important aspects concerning the service run instances.\

   • Disable temporally the secure instance for IMAP (imaps), which is enabled by default.

   • Configure Dovecot and Postfix to manage the user mail through Maildir directories, instead of Mailbox files. Maildir is a spool format to store and manage the user’s mail using different files with unique names. The key is to have a file for each user. Inside the Maildir structure, there are 3 directories: tmp, new, and cur, each one with a different role. That directory (Maildir) will be automatically created when users receive the first mail. Note: Remember, postfix could be configured as a MDA using the app procmail to deliver user's mail from the MTA to the user’s maildrop.

3. IMAP checking:

   • Make sure that the mail service is working properly, without errors or warnings. Take a look at the log files and the active network sockets.

   • Use the simple client mail mutt (command line) to read user1’s mail. (1)

     • As root, send to user1 a test mail using mail command.

     • Now_,_ login as user1 on server-05 ($ su -)

     • In $HOME, create a file called .muttrc and add the following lines:\

       set mbox_type=Maildir
       # LOCAL
       set folder="~/Maildir"
       set spoolfile="~/Maildir"
       set mbox="Maildir/"
       set mask="!^\\.[^.]"

     • After that, run mutt

     • You can use the tmux utility. It will make it easier.

4. Security setting for IMAP Dovecot:

   • LDAP user authentication:

     • Now, we want delegate user authentication to the LDAP active directory on server-01 instead of /etc/passwd. This way, only LDAP users will be able to access their mail. Required data:

       1. Authentication method: ldap

       2. URIs: ldaps://server-01.localdomain

       3. dn: cn=admin,dc=localdomain

       4. dnpass: ldap

       5. tls_ca_cert_file: /etc/ssl/certs/CA_server-01.localdomain.cert

       6. tls_require_cert: demand

       7. ldap_version: 3

       8. base: ou=people,dc=localdomain

       9. user_attrs:homeDirectory=home,uidNumber=uid,gidNumber=gid,=mail=maildir:~/Maildir

       10. pass_attrs: uid=user,userPassword=password

       11. default_pass_scheme: SSHA

     • Verifications:

       1. $ telnet server-05 143 (Ctr^D)

       2. $ netstat ...

• SSL communications:

  • Now, we want to secure communications between the MTA and the MUA, using SSL/TLS certificates. Specifically, the goal is to encrypt all mail delivery communications (IMAP). First, we must create the corresponding IMAP service SSL (TLS) certificate, as we did for other services:

    1. Use the CA (self-signed) certificate already created in Lab1 (2)

    2. Generate the IMAP service certificate that you will sign using the CA certificate (private key

       • Generate a IMAP certificate private key:

         1. File name: imaps_server-05.localdomain.key (3)

         2. Key generated by default

       • Generate the IMAP service certificate and sign it using the CA certificate and its private key. Save it as imaps_server-05.localdomain.cert (2)

         1. Sign mode: signed by a CA

         2. Other data (4):

            • Certificate type: X.509 (default)

            • Expiration days: 365 days

            • Country of the subject: ES

            • State: Cantabria

            • Locality: Santander

            • Organization: UC

            • Unit: CSDA

            • "Common name": server-05.localdomain (5)

            • e-mail: sistemas@localdomain

         3. IMPORTANT!!!!: Do not use the next parameters (mutt's bug):

            • tls_www_server

            • encyiption_key

  • After that, configure Dovecot to enable secure IMAP instance (imaps).

  • Verifications:

  • 1. $ telnet server-05 993 (Ctr^D)

    2. $ netstat ...

    3. $ openssl s_client -connect server-05.localdomain:imaps

(1) mutt is a small but very powerful text-based program for reading and sending electronic mail under unix operating systems, including support for color terminals, MIME, OpenPGP, and a threaded sorting mode.

(2) PATH /etc/ssl/certs

(3) PATH /etc/ssl/private. Make sure that the IMAP service user (dovecot) is allowed to read (UNIX permissions) the IMAP certificate private key file.

(4) You can use a template as we used in Lab1: imaps_server-05.localdomain.info

(5) It is very important to use the FQDN and not its IP or another value.