Complete Virtual Mail Server/Courier-IMAP to Database
This article is part of the Complete Virtual Mail Server series, and may require previous parts to have been read or followed.
Courier-IMAP will be used to provide IMAP services.
To use POP3, which is explicitly discouraged, see Complete Virtual Mail Server/POP3.
Installing Courier-IMAP
USE flags
net-mail/courier-imap has a few USE flags that need to be examined. net-libs/courier-authlib is an important dependency as it is responsible for how users authenticate, so it's USE flags are examined as well.
USE flags for net-libs/courier-authlib Courier authentication library
berkdb
|
Add support for sys-libs/db (Berkeley DB for MySQL) |
debug
|
Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces |
gdbm
|
Add support for sys-libs/gdbm (GNU database libraries) |
ldap
|
Add LDAP support (Lightweight Directory Access Protocol) |
mysql
|
Add mySQL Database support |
pam
|
Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip |
postgres
|
Add support for the postgresql database |
sqlite
|
Add support for sqlite - embedded sql database |
static-libs
|
Build static versions of dynamic libraries as well |
Only choose the desired database backends.
libauth*sql.so may only be built if
-vpopmail is set as USE flag and the system does not have vpopmail installed. Vpopmail and libauth*sql.so do not mix.The
fam USE flag is required for the IDLE (e.g. 'push') function to work.Emerge
If the proper USE flags are set, emerging net-mail/courier-imap should pull in net-libs/courier-authlib:
root #emerge --ask net-mail/courier-imapConfiguring courier-authlib
Postgres
Courier-authlib runs as root, so access to the socket will be permitted by default.
Only fields that should be changed are listed here. There are two commented options.
PGSQL_HOST obviously as mentioned before, unix sockets will be used. PGSQL_QUOTA_FIELD is commented for now, as quotas will be enabled at a later stage. The PGSQL-UID_FIELD, PGSQL-GID_FIELD and PGSQL_HOME_FIELD (Note the trailing slash!) are set to static values, noticeable as they are quoted. Thus static values, and not values from a database are used./etc/courier/authlib/authpgsqlrcObtain access to the database##NAME: LOCATION:0
# PGSQL_HOST pgsql.example.com
PGSQL_PORT 5432
PGSQL_USERNAME postfix
PGSQL_PASSWORD $password
##NAME: PGSQL_DATABASE:0
PGSQL_DATABASE postfix
##NAME: PGSQL_USER_TABLE:0
PGSQL_USER_TABLE mailbox
##NAME: PGSQL_CRYPT_PWFIELD:0
PGSQL_CRYPT_PWFIELD password
##NAME: PGSQL_UID_FIELD:0
PGSQL_UID_FIELD '5000'
##NAME: PGSQL_GID_FIELD:0
PGSQL_GID_FIELD '5000'
##NAME: PGSQL_LOGIN_FIELD:0
PGSQL_LOGIN_FIELD local_part
##NAME: PGSQL_HOME_FIELD:0
PGSQL_HOME_FIELD '/var/vmail/'
##NAME: PGSQL_NAME_FIELD:0
PGSQL_NAME_FIELD name
##NAME: PGSQL_MAILDIR_FIELD:0
PGSQL_MAILDIR_FIELD maildir
##NAME: PGSQL_QUOTA_FIELD:0
# PGSQL_QUOTA_FIELD quota
##NAME: PGSQL_WHERE_CLAUSE:0
# Deal only with active mail accounts.
PGSQL_WHERE_CLAUSE active='1'
If logins are used in the syntax of user@domain.com instead of username, the value of PGSQL_LOGIN_FIELD needs to be changed from local_part to username.
To use more advanced authentication, SQL statements the PGSQL_SELECT_CLAUSE can be used. Courier-authlib will ignore any of the previous set parameters for SELECT statements, but will use them for counting the number of accounts or for changing the password and thus when changing the password the username field is still used. If authentication is done against username remember that usernames need to be unique:
/etc/courier/authlib/authpgsqlrcObtain custom access to the databasePGSQL_SELECT_CLAUSE SELECT local_part, password, '', '5000', '5000', \
'/var/vmail/', maildir, quota, name, '' \
FROM mailbox WHERE local_part='$(local_part)' \
AND active='1'
MySQL
Next, reconfigure the authentication to use the mailsql database in courier-imap and postfix. In all of the following examples, replace $password with the password set for the mailsql mysql user:
/etc/courier/authlib/authmysqlrcConfiguring authenticationMYSQL_SERVER localhost
MYSQL_USERNAME mailsql
MYSQL_PASSWORD $password
MYSQL_DATABASE mailsql
MYSQL_USER_TABLE users
## (Make sure the following line is commented out since we're storing plaintext.)
#MYSQL_CRYPT_PWFIELD crypt
MYSQL_CLEAR_PWFIELD clear
MYSQL_UID_FIELD uid
MYSQL_GID_FIELD gid
MYSQL_LOGIN_FIELD email
MYSQL_HOME_FIELD homedir
MYSQL_NAME_FIELD name
MYSQL_MAILDIR_FIELD maildir
Reload the necessary services:
root #rc-service courier-authlib restart
root #rc-service saslauthd restartConfiguring authdaemon
Authdaemon is actually responsible for doing the authentication. Here authdaemon is configured to use the right database backend. Portage actually does set the authmodulelist variable properly. Verify this in the configuration file. Also enable debugging here as this will help with any potential issues later.
PostgreSQL
/etc/courier/authlib/authdaemonrcVerify authentication modules##NAME: authmodulelist:2
authmodulelist="authpgsql "
##NAME: DEBUG_LOGIN:0
DEBUG_LOGIN=1
Obviously if more or other authmodules are desired, these should be listed here as well.
MySQL
/etc/courier/authlib/authdaemonrcVerify authentication modules##NAME: authmodulelist:2
authmodulelist="authmysql authpam"
##NAME: DEBUG_LOGIN:0
DEBUG_LOGIN=1
Access permissions
Permissions must be set correctly, as the files can contain sensitive password information:
root #chmod 660 /etc/courier/authlib/auth*rcroot #chown mail:mail /etc/courier/authlib/auth*rcTesting courier-authlib
Courier-authlib includes a simple testing utility. It requires a valid username as parameter. Don't hesitate to check out the authtest manual page for more information. It is short but concise.
To perform some basic tests start the authlib daemon:
root #/etc/init.d/courier-authlib startRun authtest with the testuser:
root #authtest testuserAuthentication succeeded.
Authenticated: testuser (uid 5000, gid 5000)
Home Directory: /var/vmail
Maildir: example.com/testuser/
Quota: (none)
Encrypted Password: $1$16117118$ajxN3QRilmP5zLVHjTkE31
Cleartext Password: (none)
Options: (none)
Configuring IMAP
IMAP has a few capabilities that can be enabled:
SORTto allow server side searching through messages.IDLEto allow 'push' like connections.
/etc/courier-imap/imapdEnable imapd and some options##NAME: IMAP_CAPABILITY:1
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"
##NAME: IMAP_CHECK_ALL_FOLDERS:0
IMAP_CHECK_ALL_FOLDERS=1
##NAME: IMAP_ENHANCEDIDLE:0
IMAP_ENHANCEDIDLE=1
##NAME: IMAP_EMPTYTRASH:0
IMAP_EMPTYTRASH=Trash:40,Junk:7
##NAME: IMAPDSTART:0
IMAPDSTART=YES
##NAME: MAILDIRPATH:0
MAILDIR=.maildir
MAILDIRPATH=.maildir
The
MAILDIRPATH section contains some dupes, make sure it is properly set and cleaned up.Some clients need a minimum DH parameter length of 2048 bits (such as those using >=dev-libs/nss-3.19.1). Generate one with:
root #DH_BITS=2048 mkdhparamsNext ensure Courier is using it:
/etc/courier-imap/imapd-sslEnsure Courier is using our dhparams.pemTLS_DHPARAMS=/usr/share/dhparams.pem
Testing IMAP
Courier-imapd should be started:
root #/etc/init.d/courier-imapd startOnce started, telnet could be used to identify initial problems. Once logging in with telnet works, a mail client can be used:
user $telnet foo.example.com 143Trying 127.0.0.1... Connected to foo.example.com. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc. See COPYING for distribution information. 1 LOGIN testuser secret 1 OK LOGIN Ok. 1 LOGOUT * BYE Courier-IMAP server shutting down 1 OK LOGOUT completed Connection closed by foreign host.
If testing works properly, add courier-imap to the default runlevel:
root #rc-update add courier-imapd defaultWrapping things up
Turn off debugging if this stage works properly.
/etc/courier/authlib/authdaemonrcDisable debugging##NAME: DEBUG_LOGIN:0
DEBUG_LOGIN=0