Build a Secure Webmail Service Supporting IMAP and SSL

An excerpt from the book Multitool Linux explaining how to implement effective and easy-to-use webmail.

Editors' Note: The following is a chapter from the book Multitool Linux, written by Michael Schwarz, Jeremy Anderson, Peter Curtis and Steven Murphy. The chapter presented here was written by their collaborator, Jose Nazario. Book coauthor Michael Schwarz would like to note, "Jose Nazario wrote this chapter for our book back in late 2000. I'm sure he would want readers to know substantially newer versions of all the software mentioned herein are now available. Feel free to contact the book authors if you have questions. Consult the book's web site for links, updates and errata."

This article describes how you can set up your Linux computer to be a web-based e-mail system for yourself or a group of friends. It will work best, of course, if you are on a dedicated internet connection, like a cable modem or a DSL line at home. This will provide you with a secure method to check your e-mail from remote locations without having to add insecure connection methods that could be used by an attacker. While your friends and coworkers complain about their free web-based e-mail system being inaccessible, yours will be humming along.

The combination of software we are using is Apache with mod_ssl and PHP4, and the webmail package we describe below is Aeromail. We chose this combination because it is under active development (as of this writing), easy to install and quite feature rich. We also describe some additional webmail packages at the end of the article and provide several resources for more information.

We assume you haven't installed a web server or the SSL libraries on your system, which we will cover here. While it may seem like a lot of different components, it's really quite simple. Furthermore, your secure web server can be used for other things you may wish to try.

First, we need to install the basic connectivity for the mail server, the IMAP server, and secure it to accept only local connections. Second, we'll build a powerful web server, one that supports Secure Sockets Layer (SSL) connections and the PHP scripting language. After that, the actual software used to display your mail on a web page is quite simple to install.

To begin with, these are the files we have downloaded and their versions:

-rw-r--r--   1 jose  jose    22841 Nov 19 15:18 aeromail-1.40.tar.gz
-rw-r--r--   1 jose  jose  2847497 Oct 25 19:14 apache_1.3.14.tar.Z
-rw-r--r--   1 jose  jose  1866035 Oct 25 13:27 imap.tar.Z
-rw-r--r--   1 jose  jose   748253 Oct 25 19:15 mod_ssl-2.7.1-1.3.14.tar.gz
-rw-r--r--   1 jose  jose  2086131 Sep 24 11:46 openssl-0.9.6.tar.gz
-rw-r--r--   1 jose  jose  2225976 Nov  5 13:31 php-4.0.3pl1.tar.gz

The versions were chosen because they provide the most features and stability, plus they contain the latest security patches as of this writing. You're definitely encouraged to use at least these versions. The IMAP server we're using is the latest version available.

Now that you've obtained the pieces needed, we'll get to work. Building things shouldn't take too long, approximately one hour on a 300MHz system. The longest waits are, of course, during the compilations. For reference, we will keep all of the archives in one directory, webmail/, as we build them. We install to the default apache directory, /usr/local/apache/htdocs/.

System Preparation

We need to install one package for the computer to handle listening services, one that's not normally installed by a workstation Linux installation. This is the inetd server, which listens on behalf of several daemons. On Red Hat 6.2 installations, this is in the RPM inetd-0.16-4.i386.rpm. In earlier Red Hat systems, such as 6.0 or 6.1, this was in the netkit-base-0.10 RPM. On Red Hat 6.2, these steps will install and turn on the inetd daemon:

# rpm -ivh inetd-0.16-4.i386.rpm
# /usr/sbin/inetd
# /sbin/chkconfig inetd on

Building the IMAP Server

IMAP, or the Internet Message Access Protocol, provides a way for a person to access their mail or Usenet newsgroups from a variety of computers. It works by storing the messages on a central server and allowing you to view copies of them. Then, when you delete a message locally, you can synchronize your mailboxes at your local workstation and the server. Also, you can have folders for your mail and full access to them, unlike with POP3.

First, having downloaded and verified the archive, you should unpack it:

$ tar -zxvf imap.tar.Z

Now, we're going to enter the newly formed directory and proceed to build the IMAP server. Because we're using Linux, the process is quite simple:

$ cd imap-2000
$ make slx
 (make output omitted)

Installing the new IMAP server also is quite easy; we simply drop it in place and it's almost ready to go:

# cd imapd
# cp imapd /usr/sbin/imapd

Now we have to tell the computer how to listen for imapd connections and how to handle them. First, we edit the inetd configuration file inetd.conf:

# vi /etc/inetd.conf

Change the line that normally reads:

#imap stream tcp nowait root /usr/sbin/tcpd imapd

to instead read:

imap stream tcp nowait root /usr/sbin/tcpd imapd

By removing the leading pound sign (#), the line becomes a directive to inetd and not a comment. Now we have to tell inetd to reread its configuration. We do this by sending the inetd process the HUP signal. First we get the process ID of the inetd process:

# ps -ax | grep inetd
         7699 ?        S      0:00 inetd

Here 7699 is the process ID of the inetd process. Your process ID will most certainly be different. Now we tell inetd to reread the configuration file:

# kill -HUP 7699

Lastly, we secure our inetd installation against unwanted connections. Unfortunately, the imapd service is a popular way for attackers to break in. We will therefore limit connections to this server to the local machine itself, which means that only our local web server can connect to it. We do this using the TCP wrappers program already installed on your system. We edit two files: first the file that defines who cannot connect, and then the file that lists the exceptions to that rule.

# vi /etc/hosts.deny

and add a line for the IMAP daemon:

imapd: ALL

Now we will edit the file that lists who is allowed to connect:

# vi /etc/hosts.allow

and add at the end of the file the line:

imapd: 127.0.0.1

That's it, the first piece of installation is done!
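
An added example (not from the original chapter): a shell audit of the three edits above. It checks that the imap line in inetd.conf is active and wrapped by tcpd, then evaluates hosts.allow and hosts.deny in the order TCP wrappers consults them. Assumptions: the function names are hypothetical, only ALL and literal IPv4 client entries are parsed, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit the inetd and TCP wrappers edits made above.
# Simplification: only "ALL" and literal IPv4 addresses are understood.

imap_enabled_via_tcpd() {  # INETD_CONF; true if an active imap line runs imapd via tcpd
    awk '$1 == "imap" && $3 == "tcp" { if ($6 ~ /\/tcpd$/ && $7 == "imapd") ok = 1; else bad = 1 }
         END { exit ((ok && !bad) ? 0 : 1) }' "$1"
}

rule_matches() {  # FILE DAEMON CLIENT; true if any rule in FILE covers the pair
    [ -r "$1" ] || return 1
    awk -F: -v d="$2" -v c="$3" '
        /^[ \t]*(#|$)/ { next }
        { nd = split($1, ds, /[ \t,]+/); nc = split($2, cs, /[ \t,]+/); dm = cm = 0
          for (i = 1; i <= nd; i++) if (ds[i] == d || ds[i] == "ALL") dm = 1
          for (i = 1; i <= nc; i++) if (cs[i] == c || cs[i] == "ALL") cm = 1
          if (dm && cm) { found = 1; exit } }
        END { exit (found ? 0 : 1) }' "$1"
}

# hosts.allow is consulted first, then hosts.deny; no match at all means allow.
wrappers_decision() {  # DAEMON CLIENT ALLOW_FILE DENY_FILE
    if rule_matches "$3" "$1" "$2"; then echo allow
    elif rule_matches "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

audit_imapd() {  # INETD_CONF ALLOW_FILE DENY_FILE
    rc=0
    imap_enabled_via_tcpd "$1" || { echo "FAIL: imap not enabled through tcpd"; rc=1; }
    [ "$(wrappers_decision imapd 127.0.0.1 "$2" "$3")" = allow ] ||
        { echo "FAIL: 127.0.0.1 cannot reach imapd"; rc=1; }
    # 192.0.2.10 is a documentation address standing in for any remote client.
    [ "$(wrappers_decision imapd 192.0.2.10 "$2" "$3")" = deny ] ||
        { echo "FAIL: remote clients are not denied"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: imapd is wrapped and limited to 127.0.0.1"
    return "$rc"
}

# Constructed sample files mirroring the article's edits (not real system files).
demo=$(mktemp -d)
printf '%s\n' '#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd' \
    'imap stream tcp nowait root /usr/sbin/tcpd imapd' > "$demo/inetd.conf"
echo 'imapd: ALL' > "$demo/hosts.deny"
echo 'imapd: 127.0.0.1' > "$demo/hosts.allow"
audit_imapd "$demo/inetd.conf" "$demo/hosts.allow" "$demo/hosts.deny"
```

On a real system, call audit_imapd with /etc/inetd.conf, /etc/hosts.allow and /etc/hosts.deny in place of the constructed files.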

______________________

Comments


Re: Build a Secure Webmail Service Supporting IMAP and SSL

Anonymous's picture

To anyone who uses it: DO NOT use Apache 1.3.14, PHP 4.0.3pl1, mod_ssl 2.7.1 and OpenSSL 0.9.6 like it says! They are insecure! Use these versions:

Apache 1.3.27

PHP 4.0.6 + file_uploads patch (http://www.php.net/get_download.php?df=rfc1867.c.diff-4.0.6.gz)

mod_ssl 2.8.12

OpenSSL 0.9.6g

Re: Build a Secure Webmail Service Supporting IMAP and SSL

jnazario's picture

obviously this was written in late 2000. a lot of things have changed since then: php4, new apache and mod_ssl versions, new aeromail. these instructions will definitely require some modifications to accommodate those changes. furthermore, redhat (and some others) have moved to xinetd from inetd. you'll have to learn how to adjust the entry for imapd for xinetd, but that's fairly easy.

good luck, and i am glad so many of you have found this useful. like mike said, we're really happy with the book. it's one of those great things that just says, "well, now what? i have a linux box. what can i do with it?" it was fun to write, and gives us a tremendous sense of satisfaction. we hope you enjoy the rest of the material.

Re: Build a Secure Webmail Service Supporting IMAP and SSL

Anonymous's picture

Excellent Article.

A few friends and I have been maintaining a Linux Mail FAQ that might be of interest to people who found this article informative.

I'll go ahead and link this article in there. Mail systems are too much fun not to share info on. :)

Re: Build a Secure Webmail Service Supporting IMAP and SSL

Anonymous's picture

i need some more tutorials on this

and i also have one problem: i am unable to get a proper installation of redhat linux 8 from the cd's.

mail me at arpan_iiit@yahoo.com

Re: Build a Secure Webmail Service Supporting IMAP and SSL

Anonymous's picture

btw, you can check some other installation toasters, e.g. Bill's Toaster based on qmail http://www.shupp.org/toaster/

Here's a list of features you'll get:

Qmail SMTP Mail Server with SMTP-AUTH (Plain, CRAM-MD5), TLS (SSL) support, and optional Virus Scanner.

POP3 Server with APOP and SSL support

IMAP Server with TLS (SSL) support

WebMail Server

Quota Support (usage viewable by webmail)

Autoresponder

Mailing Lists

Web-Based Email Administration

Shameless self-promotion

evilpenguin's picture

Hi. I'm one of the co-authors of the book this article came from. If you like what you see here, may I humbly suggest you check out our book, Multitool Linux, from Addison-Wesley? This chapter is fairly representative of the kind of things we cover in our book. Linux Journal will be publishing a couple more chapters of our book in the coming weeks. I hope you will find them all useful and informative. I also hope you will consider buying our book, but if not, at least the articles were of use to you!

We thank you all for your kind comments!

Re: Build a Secure Webmail Service Supporting IMAP and SSL

Anonymous's picture

Great Stuff!!!!!!

Re: Build a Secure Webmail Service Supporting IMAP and SSL

Anonymous's picture

Just my luck. This article is put up just 5 days after I implement SquirrelMail over SSL to check my home server mail from work. But still great article guys!

Re: Build a Secure Webmail Service Supporting IMAP and SSL

Anonymous's picture

Bravo!

I've been looking for clean and simple webmail software for a long time. Not only did the software mentioned here completely meet my requirements, the installation steps presented worked 100%.

Thank you, Linux Journal!

Another great mail package...

Anonymous's picture

is Courier Mail:

http://www.courier-mta.org/

I've been running it for half a year now for our small company, and it's rock solid. A great thing about Courier is that it's one package containing all the components (the MTA, POP3, IMAP, Webmail etc.), which takes away the hassle of getting separate packages to work together.

/Anders
