Quickstart Guide - Red Hat 9 POP3 Server
Do you need to run a POP3 server on a Red Hat Linux host? Red Hat Linux includes the UW-IMAP server package, which includes the ipop3d server. This package is well supported and enjoys continuing development. Unfortunately, the POP3 server portion of the UW-IMAP server is not well documented. It is easy to set up, though. This setup would probably be suitable for small to medium-sized organizations. You would probably want to look at a different POP3 server for ISP or large enterprise use.
The UW ipop3d server runs from xinetd. Xinetd can be used to provide access control and limits on the POP3 service. The default installation supports the following:
There are two different authentication sources: the /etc/cram-md5.pwd file and PAM. PAM can be used to authenticate from many different sources, including /etc/passwd and /etc/shadow.
For this Quickstart Guide, we are only going to address using PAM, TLS/SSL, and plaintext passwords to authenticate. TLS/SSL is mandatory. In this case, we will only run POP3 over the alternate port, TCP 995. This is also known as the pop3s service. This will support the widest variety of POP3 e-mail clients without exposing usernames and passwords over the network.
The goal of this guide is to get you quickly started with the UW IMAP POP3 server. You can then start testing and modifying the configuration to meet your specific needs. For production use, you would need to consider the following:
Make sure you have the UW-IMAP package installed:
[root@zip root]# rpm -qa | grep imap-20
imap-2001a-18
If it is not installed, obtain the package and install it like this:
[root@zip RPM]# rpm -Uvh imap-2001a-18.i386.rpm
Preparing...                ########################################### [100%]
   1:imap                   ########################################### [100%]
The following command will give you details about the package and where files will be placed on your system:
[root@zip RPM]# rpm -qil imap-2001a-18
Name        : imap                         Relocations: (not relocateable)
Version     : 2001a                             Vendor: Red Hat, Inc.
Release     : 18                            Build Date: Sat 25 Jan 2003 02:02:53 PM CST
Install Date: Thu 18 Mar 2004 12:32:46 AM CST      Build Host: porky.devel.redhat.com
Group       : System Environment/Daemons   Source RPM: imap-2001a-18.src.rpm
Size        : 2384948                          License: University of Washington Free-Fork License
Signature   : DSA/SHA1, Mon 24 Feb 2003 02:26:01 PM CST, Key ID 219180cddb42a60e
Packager    : Red Hat, Inc.
URL         : http://www.washington.edu/imap/
Summary     : Server daemons for IMAP and POP network mail protocols.
Description :
The imap package provides server daemons for both the IMAP (Internet Message
Access Protocol) and POP (Post Office Protocol) mail access protocols. The POP
protocol uses a "post office" machine to collect mail for users and allows
users to download their mail to their local machine for reading. The IMAP
protocol allows a user to read mail on a remote machine without downloading it
to their local machine.

Install the imap package if you need a server to support the IMAP or the POP
mail access protocols.
/etc/pam.d/imap
/etc/pam.d/pop
/etc/xinetd.d/imap
/etc/xinetd.d/imaps
/etc/xinetd.d/ipop2
/etc/xinetd.d/ipop3
/etc/xinetd.d/pop3s
/usr/sbin/imapd
/usr/sbin/ipop2d
/usr/sbin/ipop3d
/usr/share/doc/imap-2001a
/usr/share/doc/imap-2001a/CONFIG
/usr/share/doc/imap-2001a/CPYRIGHT
/usr/share/doc/imap-2001a/README
/usr/share/doc/imap-2001a/README.IMAPS
/usr/share/doc/imap-2001a/RELNOTES
/usr/share/doc/imap-2001a/SSLBUILD
/usr/share/doc/imap-2001a/WARNING
/usr/share/doc/imap-2001a/bugs.txt
/usr/share/doc/imap-2001a/calendar.txt
/usr/share/doc/imap-2001a/commndmt.txt
/usr/share/doc/imap-2001a/drivers.txt
/usr/share/doc/imap-2001a/formats.txt
/usr/share/doc/imap-2001a/imaprc.txt
/usr/share/doc/imap-2001a/internal.txt
/usr/share/doc/imap-2001a/locking.txt
/usr/share/doc/imap-2001a/md5.txt
/usr/share/doc/imap-2001a/naming.txt
/usr/share/man/man8/imapd.8c.gz
/usr/share/man/man8/ipopd.8c.gz
Now read the documentation. Much of it is located in /usr/share/doc/imap-2001a. Additional resources are located here:
Since we are setting up a TLS-enabled POP3 server, we need to make crypto keys and certificates. Without them, TLS/SSL will not work.
For this step, you will have to make a decision. You can get a "real" X.509 certificate signed by a Certificate Authority (CA), or you can create your own enterprise-wide CA and sign it yourself. If you are an ISP, you should buy a "real" certificate. If the POP3 server is only for use by your organization, a private (free) certificate may be good enough.
If you want to create your own CA and sign the POP3 server certificate yourself, follow these directions.
We will now generate the private ipop3d key. The key cannot be password protected, so you must immediately change its permissions to a restrictive mode.
[root@zip root]# cd /root/CA
[root@zip CA]# openssl genrsa -out ipop3d.pem 1024
Generating RSA private key, 1024 bit long modulus
...++++++
...............................................++++++
e is 65537 (0x10001)
[root@zip CA]# chmod 0400 ipop3d.pem
Now we can generate our Certificate Signing Request:
[root@zip CA]# openssl req -new -key ipop3d.pem -out ipop3d.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taipei County
Locality Name (eg, city) [Newbury]:Nankang
Organization Name (eg, company) [My Company Ltd]:VanEmery.Com
Organizational Unit Name (eg, section) []:Messaging Division
Common Name (eg, your name or your server's hostname) []:zip.vanemery.com   <== This MUST be your real FQDN!
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note: You need to use your server's fully qualified domain name (FQDN) in the Common Name field. If you do not do this, you will have many problems.
Now, you will need to send your Certificate Signing Request (ipop3d.csr) to a CA like Verisign, or you can sign it yourself with your own CA key. If you are going to do it yourself, then follow these steps:
[root@zip CA]# openssl x509 -req -in ipop3d.csr -out ipop3d-cert.pem -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650
Signature ok
subject=/C=TW/ST=Taipei County/L=Nankang/O=VanEmery.Com/OU=Messaging Division/CN=zip.vanemery.com/
Getting CA Private Key
Enter pass phrase for my-ca.key:
[root@zip CA]# chmod 0400 ipop3*
[root@zip CA]# ls -l ipop3*
-r--------    1 root     root         1229 Mar 13 01:12 ipop3d-cert.pem
-r--------    1 root     root          757 Mar 13 01:06 ipop3d.csr
-r--------    1 root     root          887 Mar 13 01:04 ipop3d.pem
To view the completed certificate:
[root@zip CA]# openssl x509 -in ipop3d-cert.pem -text -noout
Now, we have to combine the new POP3 server certificate (wherever it came from) with the POP3 server private key that you generated earlier. You will also need to move it to the proper location:
[root@zip CA]# cat ipop3d-cert.pem >> ipop3d.pem
[root@zip CA]# cp -v ipop3d.pem /usr/share/ssl/certs
`ipop3d.pem' -> `/usr/share/ssl/certs/ipop3d.pem'
You should check the permissions one last time. The file should be owned by root:root with mode 0400.
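The same key, CSR, signing, combining and lock-down steps as one non-interactive script, added here as an example rather than taken from the guide. It assumes my-ca.crt and my-ca.key are in the current directory (as above), uses placeholder subject fields other than the CN, and departs from the session above in two places that a current deployment needs: a 2048-bit key and a subjectAltName carrying the FQDN.

```shell
#!/bin/sh
# Non-interactive version of the key, CSR, self-sign, combine and lock-down
# steps (added example, not from the guide).  Assumes my-ca.crt and my-ca.key
# in the current directory; subject fields other than CN are placeholders.
set -eu

# make_pop3s_cert <fqdn> <outdir>: writes <outdir>/ipop3d.pem (key + cert,
# mode 0400), ready to be copied to /usr/share/ssl/certs/ipop3d.pem.
make_pop3s_cert() {
    fqdn=$1; dir=$2
    case "$fqdn" in
        *.*) ;;   # a bare hostname in CN is the mistake the guide warns about
        *) echo "error: '$fqdn' is not a fully qualified domain name" >&2; return 1 ;;
    esac
    (
        umask 077   # key material is never readable by others, not even briefly
        # 2048-bit key rather than the guide's 1024 (today's floor for RSA)
        openssl genrsa -out "$dir/ipop3d.pem" 2048 2>/dev/null
        # CSR with the FQDN as Common Name, answered from the command line
        openssl req -new -key "$dir/ipop3d.pem" -out "$dir/ipop3d.csr" \
            -subj "/C=XX/O=Example Org/OU=Messaging/CN=$fqdn"
        # Also carry the FQDN in subjectAltName; current clients match SAN, not CN
        printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/ipop3d.ext"
        openssl x509 -req -in "$dir/ipop3d.csr" -out "$dir/ipop3d-cert.pem" \
            -sha256 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650 \
            -extfile "$dir/ipop3d.ext" 2>/dev/null
        # ipop3d expects key and certificate together in one file
        cat "$dir/ipop3d-cert.pem" >> "$dir/ipop3d.pem"
        chmod 0400 "$dir/ipop3d.pem" "$dir/ipop3d-cert.pem" "$dir/ipop3d.csr"
        # Prove the chain verifies against the CA before copying anything into place
        openssl verify -CAfile my-ca.crt "$dir/ipop3d-cert.pem" >/dev/null
    )
}

# check_bundle <file>: the "check the permissions one last time" step, plus
# a check that the certificate in the bundle really belongs to the key.
check_bundle() {
    f=$1
    [ "$(ls -l "$f" | cut -c1-10)" = "-r--------" ] || return 1
    grep -q 'BEGIN.*PRIVATE KEY' "$f" || return 1
    grep -q 'BEGIN CERTIFICATE' "$f" || return 1
    key_mod=$(openssl rsa -in "$f" -noout -modulus 2>/dev/null)
    cert_mod=$(openssl x509 -in "$f" -noout -modulus 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}
```

Run check_bundle against /usr/share/ssl/certs/ipop3d.pem after the copy; it fails on a world-readable file or on a bundle whose certificate and key do not match.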
Caution!
Now that you are finished, you need to make backups of all the certificates and keys. CDs and floppies are good for this purpose. You may want to make paper copies, too. The certs and keys should then be locked up in a safe place.
Since the POP3 server runs from xinetd, you will need to make some configuration changes and then restart/start xinetd. First, we will need to edit the pop3s configuration file:
[root@zip root]# cd /etc/xinetd.d
[root@zip xinetd.d]# ls -l *pop3*
-rw-r--r--    1 root     root          359 Jan 25  2003 ipop3
-rw-r--r--    1 root     root          335 Jan 25  2003 pop3s
[root@zip xinetd.d]# vi pop3s
Edit the /etc/xinetd.d/pop3s config file until it looks like this:
# default: off
# description: The POP3S service allows remote users to access their mail \
# using an POP3 client with SSL support such as fetchmail.
service pop3s
{
socket_type = stream
wait = no
user = root
server = /usr/sbin/ipop3d
log_on_success += HOST DURATION
log_on_failure += HOST
instances = 150
cps = 70 30
disable = no
}
The extra settings for "instances" and "cps" are performance limits. I raised them from the defaults, but these can be tweaked as you see fit. See man xinetd.conf for details. Defaults are located in the /etc/xinetd.conf config file.
Now start (or restart) xinetd:
[root@zip xinetd.d]# /etc/init.d/xinetd restart
Stopping xinetd:                                           [FAILED]
Starting xinetd:                                           [  OK  ]
If you want xinetd to start automatically after system boot, use the chkconfig utility like this:
[root@zip xinetd.d]# chkconfig xinetd off
[root@zip xinetd.d]# chkconfig --level 345 xinetd on
[root@zip xinetd.d]# chkconfig --list xinetd
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
Make sure that your server is listening on TCP port 995 (pop3s):
[root@zip xinetd.d]# netstat -tnap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      14483/xinetd
Add a Linux account for a test user. For this example, I added an account with username="perry" and password="mason21". If this user does not need shell access, you can give the account the /sbin/nologin shell. It may also be a good idea to keep POP3-only user accounts in a specific range of UIDs and GIDs, like 2000-2999.
Now, use the openssl s_client utility to test the server. Once you connect, you can issue POP3 commands and view the responses:
[root@zip root]# openssl s_client -connect zip.vanemery.com:995
CONNECTED(00000003)
---
No client certificate CA names sent
---
SSL handshake has read 1026 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Start Time: 1079677170
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
+OK POP3 zip.vanemery.com v2001.78rh server ready
CAPA
+OK Capability list follows:
TOP
LOGIN-DELAY 180
UIDL
USER
SASL PLAIN LOGIN
.
USER perry
+OK User name accepted, password please
PASS mason21
+OK Mailbox open, 15 messages
STAT
+OK 15 13537
NOOP
+OK No-op to you too!
QUIT
+OK Sayonara
read:errno=0
You will now want to test your TLS-enabled POP3 server from another host on your network. Make an account with the proper username, password, and server hostname/IP address. Then you will need to configure the mail client for TLS/SSL connections to port 995 and the USER, AUTH LOGIN, or AUTH PLAIN authentication methods. All three of these methods normally pass the password in the clear, but in this case the traffic will be encrypted. While you are testing, you will also probably want to configure the mail client to leave the messages on the server.
When your client connects for the first time, you may get a warning if you signed your own certificates. This can usually be handled by viewing the certificate and then clicking a button that causes the e-mail client to trust the certificate. Now, you should be able to view your e-mail.
If you need to perform any debugging, running s_client and issuing the commands manually is a good method. Another good method is configuring and using fetchmail with the -vv option, which gives you a detailed account of what is happening during POP3 sessions.
When testing, you will also want to look at your logs. Relevant logfiles are located here:
Enjoy!
Caution!
With the default UW-IMAP package, port 110 (the pop3 service) will allow both STLS (encrypted) and plaintext authentication with the same username/password combination. Even though most of your users may configure their e-mail clients to use STLS, other users may misconfigure their clients and use plaintext without TLS. This could result in a user's shell account being compromised. It also gives a false sense of security. Either run all encrypted passwords, or no encrypted passwords...but not both! One solution to this problem (if you want to offer both STLS on port 110 and TLS on port 995) is to compile and install the UW-IMAP package from source and use the appropriate configure options. There are options to disallow plaintext authentication methods if the connection is not encrypted.
If you have to run unencrypted passwords, I suggest that you use the /etc/cram-md5.pwd file and disallow shell access for your POP3 users.
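A check that covers both the /etc/xinetd.d/pop3s settings above and this closing caution, added here as an example and not part of the guide: it reads the xinetd service files, confirms that pop3s is enabled with ipop3d and its instances/cps limits set, and reports any of ipop2, ipop3 or imap still enabled (the plaintext ipop3 service is the case the caution describes; the other two are included because they accept logins without TLS on the same terms). The directory and file names are assumed to be the Red Hat ones listed earlier.

```shell
#!/bin/sh
# xinetd mail-service audit (added example, not part of the guide): reads the
# Red Hat xinetd.d service files named in the guide and flags any plaintext
# mail service that is still enabled next to pop3s.
set -eu

# xinetd_attr <file> <attribute>: print the value of "attr = value" (or
# "attr += value") from an xinetd service file; prints nothing if absent.
xinetd_attr() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                        # comment lines
        /^[ \t]*[A-Za-z_]+[ \t]*[+]?=/ {
            split($0, kv, /[+]?=/)
            key = kv[1]; gsub(/[ \t]/, "", key)
            if (key == want) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val
            }
        }' "$1"
}

# service_enabled <file>: xinetd runs a service unless it says "disable = yes"
service_enabled() {
    [ "$(xinetd_attr "$1" disable)" != "yes" ]
}

# plaintext_mail_enabled <xinetd.d dir>: succeeds (and names the offenders) if
# any service that takes passwords without TLS is switched on.
plaintext_mail_enabled() {
    found=1
    for svc in ipop2 ipop3 imap; do
        f="$1/$svc"
        [ -f "$f" ] || continue
        if service_enabled "$f"; then
            echo "WARNING: $svc is enabled in $f: it accepts logins without TLS"
            found=0
        fi
    done
    return $found
}

# pop3s_ready <xinetd.d dir>: pop3s enabled, pointing at ipop3d, with the
# instances and cps limits from the guide's config actually set.
pop3s_ready() {
    f="$1/pop3s"
    [ -f "$f" ] && service_enabled "$f" &&
        [ "$(xinetd_attr "$f" server)" = "/usr/sbin/ipop3d" ] &&
        [ -n "$(xinetd_attr "$f" instances)" ] &&
        [ -n "$(xinetd_attr "$f" cps)" ]
}
```

Run pop3s_ready /etc/xinetd.d and plaintext_mail_enabled /etc/xinetd.d after editing and restarting xinetd; a non-empty WARNING list means the mixed plaintext/TLS situation the caution describes is in effect.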