Introduction:

Do you need to run a POP3 server on a Red Hat Linux host? Red Hat Linux includes the UW-IMAP server package, which includes the ipop3d server. This package is well supported, and enjoys continuing development. Unfortunately, the POP3 server portion of the UW-IMAP server is not well documented. It is easy to set up, though. This setup would probably be suitable for small to medium-sized organizations. You would probably want to look at a different POP3 server for ISP or large enterprise use.

The UW ipop3d server runs from xinetd. Xinetd can be used to provide access control and limits on the POP3 service. The default installation supports the following:

There are two different authentication sources:  the /etc/cram-md5.pwd file and PAM. PAM can be used to authenticate from many different sources, including /etc/passwd and /etc/shadow.

For this Quickstart Guide, we are only going to address using PAM, TLS/SSL, and plaintext passwords to authenticate. TLS/SSL is mandatory. In this case, we will only run POP3 over the alternate port, TCP 995. This is also known as the pop3s service. This will support the widest variety of POP3 e-mail clients without exposing usernames and passwords over the network.

Caveats:

The goal of this guide is to get you quickly started with the UW IMAP POP3 server. You can then start testing and modifying the configuration to meet your specific needs. For production use, you would need to consider the following:

Assumptions:



Step 1:  Installing the Software

Make sure you have the UW-IMAP package installed:

[root@zip root]# rpm -qa | grep imap-20
imap-2001a-18

If it is not installed, obtain the package and install it like this:

[root@zip RPM]# rpm -Uvh imap-2001a-18.i386.rpm
Preparing...                ########################################### [100%]
   1:imap                   ########################################### [100%]

The following command will give you details about the package and where files will be placed on your system:

[root@zip RPM]# rpm -qil imap-2001a-18
Name        : imap                         Relocations: (not relocateable)
Version     : 2001a                             Vendor: Red Hat, Inc.
Release     : 18                            Build Date: Sat 25 Jan 2003 02:02:53 PM CST
Install Date: Thu 18 Mar 2004 12:32:46 AM CST      Build Host: porky.devel.redhat.com
Group       : System Environment/Daemons    Source RPM: imap-2001a-18.src.rpm
Size        : 2384948                          License: University of Washington Free-Fork License
Signature   : DSA/SHA1, Mon 24 Feb 2003 02:26:01 PM CST, Key ID 219180cddb42a60e
Packager    : Red Hat, Inc.
URL         : http://www.washington.edu/imap/
Summary     : Server daemons for IMAP and POP network mail protocols.
Description :
The imap package provides server daemons for both the IMAP (Internet
Message Access Protocol) and POP (Post Office Protocol) mail access
protocols. The POP protocol uses a "post office" machine to collect
mail for users and allows users to download their mail to their local
machine for reading. The IMAP protocol allows a user to read mail on a
remote machine without downloading it to their local machine.
 
Install the imap package if you need a server to support the IMAP or
the POP mail access protocols.
/etc/pam.d/imap
/etc/pam.d/pop
/etc/xinetd.d/imap
/etc/xinetd.d/imaps
/etc/xinetd.d/ipop2
/etc/xinetd.d/ipop3
/etc/xinetd.d/pop3s
/usr/sbin/imapd
/usr/sbin/ipop2d
/usr/sbin/ipop3d
/usr/share/doc/imap-2001a
/usr/share/doc/imap-2001a/CONFIG
/usr/share/doc/imap-2001a/CPYRIGHT
/usr/share/doc/imap-2001a/README
/usr/share/doc/imap-2001a/README.IMAPS
/usr/share/doc/imap-2001a/RELNOTES
/usr/share/doc/imap-2001a/SSLBUILD
/usr/share/doc/imap-2001a/WARNING
/usr/share/doc/imap-2001a/bugs.txt
/usr/share/doc/imap-2001a/calendar.txt
/usr/share/doc/imap-2001a/commndmt.txt
/usr/share/doc/imap-2001a/drivers.txt
/usr/share/doc/imap-2001a/formats.txt
/usr/share/doc/imap-2001a/imaprc.txt
/usr/share/doc/imap-2001a/internal.txt
/usr/share/doc/imap-2001a/locking.txt
/usr/share/doc/imap-2001a/md5.txt
/usr/share/doc/imap-2001a/naming.txt
/usr/share/man/man8/imapd.8c.gz
/usr/share/man/man8/ipopd.8c.gz

Now read the documentation. Much of it is located in /usr/share/doc/imap-2001a. Additional resources are located here:


Step 2:  TLS Keys and Certificates

Since we are setting up a TLS-enabled POP3 server, we need to make crypto keys and certificates. Without them, TLS/SSL will not work.

For this step, you will have to make a decision. You can get a "real" X.509 certificate signed by a Certificate Authority (CA), or you can create your own enterprise-wide CA and sign it yourself. If you are an ISP, you should buy a "real" certificate. If the POP3 server is only for use by your organization, a private (free) certificate may be good enough.

If you want to create your own CA and sign the POP3 server certificate yourself, follow these directions.

We will now generate the private ipop3d key. The key cannot be password protected, so you must immediately change its permissions to a restrictive mode.

[root@zip root]# cd /root/CA
[root@zip CA]# openssl genrsa -out ipop3d.pem 1024
Generating RSA private key, 1024 bit long modulus
...++++++
...............................................++++++
e is 65537 (0x10001)
[root@zip CA]# chmod 0400 ipop3d.pem

Now we can generate our Certificate Signing Request:

[root@zip CA]# openssl req -new -key ipop3d.pem -out ipop3d.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taipei County
Locality Name (eg, city) [Newbury]:Nankang
Organization Name (eg, company) [My Company Ltd]:VanEmery.Com
Organizational Unit Name (eg, section) []:Messaging Division
Common Name (eg, your name or your server's hostname) []:zip.vanemery.com <== This MUST be your real FQDN!
Email Address []:certmaster@vanemery.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note:  You need to use your server's fully qualified domain name (FQDN) in the Common Name field. If you do not do this, you will have many problems.

Now, you will need to send your Certificate Signing Request (ipop3d.csr) to a CA like Verisign, or you can sign it yourself with your own CA key. If you are going to do it yourself, then follow these steps:

[CA]# openssl x509 -req -in ipop3d.csr -out ipop3d-cert.pem -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650
Signature ok
subject=/C=TW/ST=Taipei County/L=Nankang/O=VanEmery.Com/OU=Messaging Division/CN=zip.vanemery.com/
Getting CA Private Key
Enter pass phrase for my-ca.key:

[root@zip CA]# chmod 0400 ipop3*
[root@zip CA]# ls -l ipop3*
-r--------    1 root     root         1229 Mar 13 01:12 ipop3d-cert.pem
-r--------    1 root     root          757 Mar 13 01:06 ipop3d.csr
-r--------    1 root     root          887 Mar 13 01:04 ipop3d.pem

To view the completed certificate:

[root@zip CA]# openssl x509 -in ipop3d-cert.pem -text -noout

Now, we have to combine the new POP3 server certificate (wherever it came from) with the POP3 server private key that you generated earlier. You will also need to move it to the proper location:

[root@zip CA]# cat ipop3d-cert.pem >> ipop3d.pem

[root@zip CA]# cp -v ipop3d.pem /usr/share/ssl/certs
`ipop3d.pem' -> `/usr/share/ssl/certs/ipop3d.pem'

You should check the permissions one last time. The file should be owned by root:root with mode 0400.

Caution!

Now that you are finished, you need to make backups of all the certificates and keys. CDs and floppies are good for this purpose. You may want to make paper copies, too. The certs and keys should then be locked up in a safe place.


Step 3:  Configure Xinetd

Since the POP3 server runs from xinetd, you will need to make some configuration changes and then restart/start xinetd. First, we will need to edit the pop3s configuration file:

[root@zip root]# cd /etc/xinetd.d
[root@zip xinetd.d]# ls -l *pop3*
-rw-r--r--    1 root     root          359 Jan 25  2003 ipop3
-rw-r--r--    1 root     root          335 Jan 25  2003 pop3s

[root@zip xinetd.d]# vi pop3s

Edit the /etc/xinetd.d/pop3s config file until it looks like this:


# default: off
# description: The POP3S service allows remote users to access their mail \
#              using an POP3 client with SSL support such as fetchmail.
service pop3s
{
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/ipop3d
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
        instances               = 150
        cps                     = 70 30
        disable                 = no
}

The extra settings for "instances" and "cps" are performance limits. I raised them from the defaults, but these can be tweaked as you see fit. See man xinetd.conf for details. Defaults are located in the /etc/xinetd.conf config file.

Now start (or restart) xinetd:

[root@zip xinetd.d]# /etc/init.d/xinetd restart
Stopping xinetd:                                           [FAILED]
Starting xinetd:                                           [  OK  ]


Step 4:  Configure Xinetd to Start Automatically

If you want xinetd to start automatically after system boot, use the chkconfig utility like this:

[root@zip xinetd.d]# chkconfig xinetd off
[root@zip xinetd.d]# chkconfig --level 345 xinetd on
[root@zip xinetd.d]# chkconfig --list xinetd
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off


Step 5:  Test POP3 Server Functionality

Make sure that your server is listening on TCP port 995 (pop3s):

[root@zip xinetd.d]# netstat -tnap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      14483/xinetd

Add a Linux account for a test user. For this example, I added an account with username="perry" and password="mason21". If this user does not need shell access, you can give the account the /sbin/nologin shell. It may also be a good idea to keep POP3-only user accounts in a specific range of UIDs and GIDs, like 2000-2999.

Now, use the openssl s_client utility to test the server. Once you connect, you can issue POP3 commands and view the responses:

[root@zip root]# openssl s_client -connect zip.vanemery.com:995
CONNECTED(00000003)

---
No client certificate CA names sent
---
SSL handshake has read 1026 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Start Time: 1079677170
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
+OK POP3 zip.vanemery.com v2001.78rh server ready
CAPA
+OK Capability list follows:
TOP
LOGIN-DELAY 180
UIDL
USER
SASL PLAIN LOGIN
.
USER perry
+OK User name accepted, password please
PASS mason21
+OK Mailbox open, 15 messages
STAT
+OK 15 13537
NOOP
+OK No-op to you too!
QUIT
+OK Sayonara
read:errno=0

You will now want to test your TLS-enabled POP3 server from another host on your network. Make an account with the proper username, password, and server hostname/IP address. Then you will need to configure the mail client for TLS/SSL connections to port 995 and the USER, AUTH LOGIN, or AUTH PLAIN authentication methods. All three of these methods normally pass the password in the clear, but in this case the traffic will be encrypted. While you are testing, you will also probably want to configure the mail client to leave the messages on the server.

When your client connects for the first time, you may get a warning if you signed your own certificates. This can usually be handled by viewing the certificate and then clicking a button that causes the e-mail client to trust the certificate. Now, you should be able to view your e-mail.

If you need to perform any debugging, running s_client and issuing the commands manually is a good method. Another good method is configuring and using fetchmail with the -vv option, which gives you a detailed account of what is happening during POP3 sessions.

Log Files

When testing, you will also want to look at your logs. Relevant logfiles are located here:


Step 6:  Use the POP3 Server

Enjoy!





Notes:

  1. Quotas - In order to control the size of user mail spools, the mail spools should be in a separate partition of your filesystem. Quotas should be enabled, and each POP3 user should have a quota entry. Also, the MTA (Postfix, in my case) should be configured with a limit for inbound e-mail size. The quota only affects new mail being dumped into the spool. If there isn't enough space left in the spool, the sender will get an error message from the MTA stating that the mail could not be delivered due to the disk quota being exceeded.
  2. Logging - Most mail-related log entries go into the /var/log/maillog logfile, which is automatically rotated.
  3. Permissions - As an added precaution, I changed the mode of the POP3 server executables so that only root can run them. This can be done with chmod 0750 /usr/sbin/ipop*. Of course, the permissions on the config files are also important.
  4. POP3 user accounts with the /sbin/nologin shell assigned to them will be able to retrieve their mail, but will not be able to login to the server and use a command shell. Just make sure that the account has not expired, and it is not locked.
  5. PAM config - Since PAM is used in this setup, the PAM config can be modified by editing the /etc/pam.d/pop and/or /etc/pam.d/system-auth files. PAM is very flexible. You could configure your TLS-POP3 clients to authenticate via Kerberos 5, MySQL, or RADIUS with the appropriate PAM configuration and modules. I have successfully tested this method with Kerberos 5.
  6. Client Configuration - If you roll this out as a production server, you will definitely want to publish a "POP3 Client Configuration Guide" that shows your users the proper configuration settings.

Caution!

With the default UW-IMAP package, port 110 (pop3) will allow both STLS (encrypted) and plaintext authentication with the same username/password combination. Even though most of your users may configure their e-mail clients to use STLS, other users may misconfigure their clients and use plaintext without TLS. This could result in a user's shell account being compromised. It also gives a false sense of security. Either run all encrypted passwords, or no encrypted passwords...but not both! One solution to this problem (if you want to run STLS on port 110 and TLS on port 995 simultaneously) is to compile and install the UW-IMAP package from source and use the appropriate configure options. There are options to disallow plaintext authentication methods if the connection is not encrypted.
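To check a server you administer for this condition, here is an added example (not part of the original guide) that connects to the cleartext POP3 port, issues CAPA before any STLS, and reports which password-carrying login methods the server advertises. It uses only the Python standard library; the hostname you pass in is your own server, and a result of None (nothing listening on port 110) is the desired state for the pop3s-only setup above.

```python
import poplib

# SASL PLAIN and LOGIN carry the reusable password itself (base64 is not
# encryption); the USER capability means USER/PASS is accepted.
CLEARTEXT_SASL_MECHS = {"PLAIN", "LOGIN"}


def parse_capa(lines):
    """Turn raw CAPA response lines (bytes or str, '.' terminator optional)
    into a dict shaped like poplib.POP3.capa(): {'SASL': ['PLAIN', ...]}."""
    caps = {}
    for raw in lines:
        line = raw.decode("ascii") if isinstance(raw, bytes) else raw
        line = line.strip()
        if not line or line == ".":
            continue
        name, *args = line.split()
        caps[name.upper()] = [a.upper() for a in args]
    return caps


def cleartext_password_exposure(caps):
    """List the password-carrying login methods advertised in CAPA.
    Seen before STLS, anything listed is the problem the Caution above
    describes; an empty list is the goal."""
    exposed = []
    if "USER" in caps:
        exposed.append("USER/PASS")
    for mech in caps.get("SASL", []):
        if mech in CLEARTEXT_SASL_MECHS:
            exposed.append("AUTH " + mech)
    return exposed


def audit_cleartext_port(host, port=110, timeout=5.0):
    """Connect to the plain POP3 port and run CAPA *before* STLS.
    Returns None when nothing answers on the port."""
    try:
        conn = poplib.POP3(host, port, timeout=timeout)
    except OSError:  # refused, unreachable or timed out
        return None
    try:
        caps = conn.capa()  # e.g. {'SASL': ['PLAIN', 'LOGIN'], 'USER': []}
    except poplib.error_proto:  # no CAPA support: assume USER/PASS only
        caps = {"USER": []}
    finally:
        conn.quit()
    return {"stls_offered": "STLS" in caps,
            "cleartext_password_methods": cleartext_password_exposure(caps)}
```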

If you have to run unencrypted passwords, I suggest that you use the /etc/cram-md5.pwd file and disallow shell access for your POP3 users.
