Build a Secure Webmail Service Supporting IMAP and SSL
Editors' Note: The following is a chapter from the book Multitool Linux, written by Michael Schwarz, Jeremy Anderson, Peter Curtis and Steven Murphy. The chapter presented here was written by their collaborator, Jose Nazario. Book coauthor Michael Schwarz would like to note, "Jose Nazario wrote this chapter for our book back in late 2000. I'm sure he would want readers to know substantially newer versions of all the software mentioned herein are now available. Feel free to contact the book authors if you have questions. Consult the book's web site for links, updates and errata."
This article describes how you can set up your Linux computer to be a web-based e-mail system for yourself or a group of friends. It will work best, of course, if you are on a dedicated internet connection, like a cable modem or a DSL line at home. This gives you a secure way to check your e-mail from remote locations without adding insecure connection methods that an attacker could use. While your friends and coworkers complain about their free web-based e-mail system being inaccessible, yours will be humming along.
The combination of software we are using is Apache with mod_ssl and PHP4, and the webmail package we describe below is Aeromail. We chose this combination because it is under active development (as of this writing), easy to install and quite feature rich. We also describe some additional webmail packages at the end of the article and provide several resources for more information.
We assume you haven't installed a web server or the SSL libraries on your system, which we will cover here. While it may seem like a lot of different components, it's really quite simple. Furthermore, your secure web server can be used for other things you may wish to try.
First we need to install the basic connectivity for the mail server, the IMAP server, and secure it to accept only local connections. Second, we'll build a powerful web server, one that supports Secure Sockets Layer (SSL) connections and the PHP scripting language. After that, the actual software used to display your mail on a web page is quite simple to install.
To begin with, these are the files we have downloaded and their versions:
-rw-r--r-- 1 jose jose   22841 Nov 19 15:18 aeromail-1.40.tar.gz
-rw-r--r-- 1 jose jose 2847497 Oct 25 19:14 apache_1.3.14.tar.Z
-rw-r--r-- 1 jose jose 1866035 Oct 25 13:27 imap.tar.Z
-rw-r--r-- 1 jose jose  748253 Oct 25 19:15 mod_ssl-2.7.1-1.3.14.tar.gz
-rw-r--r-- 1 jose jose 2086131 Sep 24 11:46 openssl-0.9.6.tar.gz
-rw-r--r-- 1 jose jose 2225976 Nov  5 13:31 php-4.0.3pl1.tar.gz
The versions were chosen because they provide the most features and stability, plus they contain the latest security patches as of this writing. You're definitely encouraged to use at least these versions. The IMAP server we're using is the latest version available.
Now that you've obtained the pieces needed, we'll get to work. Building things shouldn't take too long, approximately one hour on a 300MHz system. The longest waits are, of course, during the compilations. For reference, we will keep all of the archives in one directory, webmail/, as we build them. We install to the default apache directory, /usr/local/apache/htdocs/.
We need to install one package for the computer to handle listening services, one that's not normally installed by a workstation Linux installation. This is the inetd server, which listens for several daemons. On Red Hat 6.2 installations, this is in the RPM inetd-0.16-4.i386.rpm. In earlier Red Hat systems, such as 6.0 or 6.1, this was in the netkit-base-0.10 RPM. On Red Hat 6.2, these steps will install and turn on the inetd daemon:
# rpm -ivh inetd-0.16-4.i386.rpm
# /usr/sbin/inetd
# /sbin/chkconfig inetd on
IMAP, the Internet Message Access Protocol, lets a person read their mail (and, on some servers, Usenet newsgroups) from a variety of computers. It works by keeping the messages on a central server and letting clients view copies of them, so when you delete a message at one workstation you can synchronize that mailbox with the server and with every other client you use. It also gives you server-side folders for your mail, with full access to them, unlike POP3, which only downloads messages from a single inbox.
First, having downloaded and verified the archive, you should unpack it:
$ tar -zxvf imap.tar.Z
Now, we're going to enter the newly formed directory and proceed to build the IMAP server. Because we're using Linux, the process is quite simple:
$ cd imap-2000
$ make slx
(make output omitted)
Installing the new IMAP server also is quite easy; we simply drop it in place and it's almost ready to go:
# cd imapd
# cp imapd /usr/sbin/imapd
Now we have to tell the computer how to listen for imapd connections and how to handle them. First, we edit the inetd configuration file inetd.conf:
# vi /etc/inetd.conf
Change the line that normally reads:
#imap stream tcp nowait root /usr/sbin/tcpd imapd
to instead read:
imap stream tcp nowait root /usr/sbin/tcpd imapd
By removing the leading pound sign (#), the line becomes a directive to inetd rather than a comment. Now we have to tell inetd to reread its configuration. We do this by sending the inetd process the HUP signal. First we get the process ID of the inetd process:
# ps -ax | grep inetd
 7699 ?        S      0:00 inetd
Here 7699 is the process ID of the inetd process. Your process ID will most certainly be different. Now we tell inetd to reread the configuration file:
# kill -HUP 7699
Lastly, we secure our inetd installation against unwanted connections. Unfortunately, imapd has long been a favourite way for attackers to break in. We will therefore limit connections to this server to the local machine itself, which means that only our local web server can reach it; SSL is handled by the web server, and the IMAP connection itself is only ever made over the loopback interface. We do this using the TCP wrappers program (tcpd) already installed on your system. This works only because the inetd.conf line above hands the connection to /usr/sbin/tcpd rather than starting imapd directly; a service inetd starts directly is not subject to the rules below. tcpd consults /etc/hosts.allow first and /etc/hosts.deny second, and the first match wins, so an entry for the local machine in hosts.allow takes precedence over a blanket deny. We edit two files, first the file that defines who cannot connect and then the file that lists the exceptions to that rule.
# vi /etc/hosts.deny
and add a line for the IMAP daemon:
Now we will edit the file that lists who is allowed to connect:
# vi /etc/hosts.allow
and add at the end of the file the line:
That's it, the first piece of installation is done!
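As an added example (not from the chapter or from the imap-2000 distribution), here are the inetd.conf edit, the TCP wrappers rules and the inetd reload from the steps above as shell functions that take the file paths as parameters, so the change can be rehearsed on copies and checked before touching /etc. The function names and the rehearsal flow are this example's own; the imapd: ALL and imapd: 127.0.0.1 entries are the standard tcpd syntax for denying every host and then allowing only the loopback address, which is what the text calls for.

```shell
#!/bin/sh
# Added example (not from the chapter): the inetd.conf and TCP-wrappers steps
# as functions that take file paths, so they can be rehearsed on copies and
# verified before the real files under /etc are changed. Function names are
# this example's own; the file formats are inetd's and tcpd's standard ones.

# Uncomment the inetd.conf line for SERVICE (e.g. imap). Only a line whose
# service field is exactly SERVICE is touched; other commented lines stay.
enable_inetd_service() {
    conf="$1"; svc="$2"
    sed "s/^#\(${svc}[[:space:]]\)/\1/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Return 0 if SERVICE has an active (uncommented) line in CONF.
inetd_service_enabled() {
    grep -q "^$2[[:space:]]" "$1"
}

# Return 0 if the active SERVICE line hands the connection to /usr/sbin/tcpd.
# hosts.allow/hosts.deny have no effect on a service inetd starts directly,
# so this is the check to run before relying on the wrapper rules.
inetd_service_wrapped() {
    grep "^$2[[:space:]]" "$1" | grep -q "[[:space:]]/usr/sbin/tcpd[[:space:]]"
}

# Write the TCP-wrappers policy for DAEMON: deny everyone in hosts.deny,
# allow only the loopback address in hosts.allow. tcpd consults hosts.allow
# first, so the loopback entry wins over the blanket deny. Idempotent.
write_tcpwrapper_rules() {
    deny="$1"; allow="$2"; daemon="$3"
    grep -q "^${daemon}:" "$deny" 2>/dev/null || printf '%s: ALL\n' "$daemon" >> "$deny"
    grep -q "^${daemon}:" "$allow" 2>/dev/null || printf '%s: 127.0.0.1\n' "$daemon" >> "$allow"
}

# Ask the running inetd to reread its configuration (the same effect as the
# manual ps / kill -HUP sequence in the text). Not exercised by the checks.
reload_inetd() {
    pid=$(pidof inetd) && kill -HUP "$pid"
}

# Rehearsal on a copy: sh webmail-inetd.sh /etc/inetd.conf
# Review the files left in the work directory, then repeat the calls against
# /etc/inetd.conf, /etc/hosts.deny and /etc/hosts.allow and run reload_inetd.
if [ -n "$1" ]; then
    work=$(mktemp -d)
    cp "$1" "$work/inetd.conf"
    enable_inetd_service "$work/inetd.conf" imap
    write_tcpwrapper_rules "$work/hosts.deny" "$work/hosts.allow" imapd
    inetd_service_wrapped "$work/inetd.conf" imap && echo "imap line active and wrapped by tcpd"
    echo "rehearsed changes are in $work"
fi
```

The wrapped check is the one worth keeping around: if someone later "simplifies" the inetd.conf line to start /usr/sbin/imapd directly, the hosts.deny rule silently stops applying and imapd is reachable from the network again.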