Build a Secure Webmail Service Supporting IMAP and SSL
Editors' Note: The following is a chapter from the book Multitool Linux, written by Michael Schwarz, Jeremy Anderson, Peter Curtis and Steven Murphy. The chapter presented here was written by their collaborator, Jose Nazario. Book coauthor Michael Schwarz would like to note, "Jose Nazario wrote this chapter for our book back in late 2000. I'm sure he would want readers to know substantially newer versions of all the software mentioned herein are now available. Feel free to contact the book authors if you have questions. Consult the book's web site for links, updates and errata."
This article describes how you can set up your Linux computer to be a web-based e-mail system for yourself or a group of friends. It will work best, of course, if you are on a dedicated internet connection, like a cable modem or a DSL line at home. This gives you a secure way to check your e-mail from remote locations without exposing additional, insecure connection methods (such as unencrypted mail protocols open to the internet) that an attacker could use. While your friends and coworkers complain about their free web-based e-mail system being inaccessible, yours will be humming along.
The combination of software we are using is Apache with mod_ssl and PHP4, and the webmail package we describe below is Aeromail. We chose this combination because it is under active development (as of this writing), easy to install and quite feature rich. We also describe some additional webmail packages at the end of the article and provide several resources for more information.
We assume you haven't installed a web server or the SSL libraries on your system, which we will cover here. While it may seem like a lot of different components, it's really quite simple. Furthermore, your secure web server can be used for other things you may wish to try.
First we need to install the IMAP server, which gives the web front end access to your mail, and secure it so that it accepts only local connections. Secondly, we'll build a powerful web server, one that supports Secure Sockets Layer (SSL) connections and the PHP scripting language. After that, the actual software used to display your mail on a web page is quite simple to install.
To begin with, these are the files we have downloaded and their versions:
-rw-r--r-- 1 jose jose 22841 Nov 19 15:18 aeromail-1.40.tar.gz
-rw-r--r-- 1 jose jose 2847497 Oct 25 19:14 apache_1.3.14.tar.Z
-rw-r--r-- 1 jose jose 1866035 Oct 25 13:27 imap.tar.Z
-rw-r--r-- 1 jose jose 748253 Oct 25 19:15 mod_ssl-2.7.1-1.3.14.tar.gz
-rw-r--r-- 1 jose jose 2086131 Sep 24 11:46 openssl-0.9.6.tar.gz
-rw-r--r-- 1 jose jose 2225976 Nov 5 13:31 php-4.0.3pl1.tar.gz
The versions were chosen because they provide the most features and stability, plus they contain the latest security patches as of this writing. You're definitely encouraged to use at least these versions. The IMAP server we're using is the latest version available.
Now that you've obtained the pieces needed, we'll get to work. Building things shouldn't take too long, approximately one hour on a 300MHz system. The longest waits are, of course, during the compilations. For reference, we will keep all of the archives in one directory, webmail/, as we build them. We install the web content to Apache's default document root, /usr/local/apache/htdocs/.
We need to install one package for the computer to handle listening services, one that's not normally installed by a workstation Linux installation. This is the inetd server, which listens on the network on behalf of several daemons and starts the appropriate one when a connection arrives. On Red Hat 6.2 installations, this is in the RPM inetd-0.16-4.i386.rpm. In earlier Red Hat systems, such as 6.0 or 6.1, this was in the netkit-base-0.10 RPM. On Red Hat 6.2, these steps will install and turn on the inetd daemon:
# rpm -ivh inetd-0.16-4.i386.rpm
# /usr/sbin/inetd
# /sbin/chkconfig inetd on
IMAP, or the Internet Message Access Protocol, provides a way for a person to access their mail or Usenet newsgroups from a variety of computers. It works by storing the messages on a central server and allowing you to view copies of them. Then, when you delete a message locally, you can synchronize your mailboxes at your local workstation and the server. Also, you can have folders for your mail and full access to them, unlike with POP3.
First, having downloaded and verified the archive, you should unpack it:
$ tar -zxvf imap.tar.Z
Now, we're going to enter the newly formed directory and proceed to build the IMAP server. Because we're using Linux, the process is quite simple:
$ cd imap-2000
$ make slx
(make output omitted)
Installing the new IMAP server also is quite easy; we simply drop it in place and it's almost ready to go:
# cd imapd
# cp imapd /usr/sbin/imapd
Now we have to tell the computer how to listen for imapd connections and how to handle them. First, we edit the inetd configuration file inetd.conf:
# vi /etc/inetd.conf
Change the line that normally reads:
#imap stream tcp nowait root /usr/sbin/tcpd imapd
to instead read:
imap stream tcp nowait root /usr/sbin/tcpd imapd
By removing the leading pound sign (#), the line is now a directive to inetd rather than a comment. Now we have to tell inetd to reread its configuration. We do this by sending the inetd process the HUP signal. First we get the process ID of the inetd process:
# ps -ax | grep inetd
7699 ? S 0:00 inetd
Here 7699 is the process ID of the inetd process. Your process ID will most certainly be different. Now we tell inetd to reread the configuration file:
# kill -HUP 7699
Lastly, we secure our inetd installation against unwanted connections. Unfortunately, imapd has historically been a popular target for attackers trying to break into a machine over the network. We will therefore limit connections to this server to the local machine itself, which means that only processes on this host, such as our local web server, can connect to it. We do this using the TCP wrappers program already installed on your system; it applies here because the inetd.conf line above starts imapd through /usr/sbin/tcpd rather than directly. TCP wrappers consults /etc/hosts.allow first, and a match there grants access; it then consults /etc/hosts.deny, and a match there refuses access; a client matching neither file is allowed. So we edit two files, first the file that defines who cannot connect and then the file that lists the exceptions to that rule.
# vi /etc/hosts.deny
and add a line for the IMAP daemon:
Now we will edit the file that lists who is allowed to connect:
# vi /etc/hosts.allow
and add at the end of the file the line:
That's it, the first piece of installation is done!
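The whole lock-down step above, from uncommenting the inetd.conf line to reloading inetd and checking the wrapper rules, collected into one script. This is an added example, not code from the chapter or from the book's authors; the exact rule text used in the book is not reproduced in this copy, so the rules assumed here are "imapd: ALL" in hosts.deny and "imapd: 127.0.0.1" in hosts.allow (hosts_access(5) syntax), and the script assumes pidof and tcpdmatch (part of the tcp_wrappers package) are installed. The file paths are parameters so each step can be tried on scratch copies before touching /etc.

```shell
#!/bin/sh
# Added example, not code from the chapter: enable imapd in inetd.conf, restrict
# it with TCP wrappers to the loopback address, and make inetd reload.
# Assumptions (not stated in the chapter): the wrapper rules are
# "imapd: ALL" in hosts.deny and "imapd: 127.0.0.1" in hosts.allow
# (hosts_access(5) syntax), and pidof/tcpdmatch are available.

# Step 1: uncomment the imap line. Prints how many active imap lines remain
# (expect 1). Only a commented "imap stream tcp" line is touched, so an
# "imaps" entry or other services are left alone.
enable_imap() {
    conf="$1"
    tmp="$conf.tmp.$$"
    sed 's/^#\(imap[[:space:]][[:space:]]*stream[[:space:]][[:space:]]*tcp\)/\1/' "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
    grep -c '^imap[[:space:]][[:space:]]*stream' "$conf"
}

# Step 2 check: TCP wrappers only see the connection if inetd starts imapd
# through tcpd (or imapd is linked with libwrap). Succeeds when the active
# imap line hands off to tcpd.
imap_uses_tcpd() {
    grep '^imap[[:space:]]' "$1" | grep -q '/tcpd[[:space:]]'
}

# Step 3: deny imapd to everyone, then allow only the loopback address.
# hosts.allow is consulted first and a match there wins, so the allow rule is
# the exception to the deny rule. The daemon name is the argv[0] tcpd runs: imapd.
write_wrapper_rules() {
    allow="$1"
    deny="$2"
    printf 'imapd: 127.0.0.1\n' >> "$allow"
    printf 'imapd: ALL\n' >> "$deny"
}

# Step 4: tell inetd to re-read inetd.conf (the same kill -HUP done by hand above).
reload_inetd() {
    pid=$(pidof inetd) || { echo "inetd is not running" >&2; return 1; }
    kill -HUP $pid
}

# Step 5: dry-run the rules with tcpdmatch rather than trusting them blindly:
# the first call should print "access: granted", the second "access: denied".
# 192.0.2.10 is a documentation address standing in for some remote client.
verify_rules() {
    tcpdmatch imapd 127.0.0.1
    tcpdmatch imapd 192.0.2.10
}

# Run as root with "apply" to do it for real; without arguments only the
# functions are defined, so they can be exercised on scratch copies first.
if [ "${1:-}" = "apply" ]; then
    enable_imap /etc/inetd.conf > /dev/null
    imap_uses_tcpd /etc/inetd.conf \
        || { echo "imap line does not go through tcpd; wrappers would not apply" >&2; exit 1; }
    write_wrapper_rules /etc/hosts.allow /etc/hosts.deny
    reload_inetd
    verify_rules
fi
```

Run it as root with the argument apply once imapd is in /usr/sbin. The tcpdmatch step is worth keeping: a typo in the daemon name (the rules must name imapd, the program tcpd executes, not imap, the service name) silently leaves the server open to everyone, and tcpdmatch shows that before any remote host does.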