5.1.1 Servidor IMAP/IMAPS

Instalação de um servidor email com suporte para protocolo IMAPS.

root@server:~# aptitude install dovecot-imapd

Toda a configuração é guardada no ficheiro /etc/dovecot/dovecot.conf.

Após a instalação do dovecot, é necessário indicar quais os protocolos que se pretendem activar no ficheiro de configuração. Neste caso, os protocolos IMAP e IMAPS:

/etc/dovecot/dovecot.conf

# [...]

# Protocols we want to be serving: imap imaps pop3 pop3s managesieve
# If you only want to use dovecot-auth, you can set this to "none".
#protocols = imap imaps
protocols = imap imaps

# [...]

O servidor de email dovecot só aceita ligações encriptadas via TLS (Transport Layer Security) ou SSL (Secure Sockets Layer). Ambos necessitam de certificados digitais.

Os certificados SSL para o dovecot são gerados automaticamente durante a instalação. No entanto, podemos utilizar os nosso próprios Certificados Ssl Auto-Assinados previamente gerados:

/etc/dovecot/dovecot.conf

# [...]

##
## SSL settings
##

# IP or host address where to listen in for SSL connections. Remember to also
# add imaps and/or pop3s to protocols setting. Defaults to same as "listen"
# setting if not specified.
#ssl_listen =

# SSL/TLS support: yes, no, required. </usr/share/doc/dovecot-common/wiki/SSL.txt>
#ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root.
#ssl_cert_file = /etc/ssl/certs/dovecot.pem
#ssl_key_file = /etc/ssl/private/dovecot.pem

ssl_cert_file = /etc/ssl/certs/server.crt
ssl_key_file = /etc/ssl/private/server.key.insecure

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using !include_try <path>.
#ssl_key_password =

# [...]

A localização das caixas de correio também deve ser indicada, para evitar ambiguidades. Neste caso estão numa sub-directoria na directoria home de cada utilizador chamada “Maildir”:

/etc/dovecot/dovecot.conf

# [...]

##
## Mailbox locations and namespaces
##

# Location for users' mailboxes. This is the same as the old default_mail_env
# setting. The default is empty, which means that Dovecot tries to find the
# mailboxes automatically. This won't work if the user doesn't have any mail
# yet, so you should explicitly tell Dovecot the full location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
#
# See </usr/share/doc/dovecot-common/wiki/Variables.txt> for full list.
# Some examples:
#
#   mail_location = maildir:~/Maildir
#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# </usr/share/doc/dovecot-common/wiki/MailLocation.txt>
#
#mail_location =
mail_location = maildir:~/Maildir

# [...]

A arborescência Maildir deverá ser criada sob a home de cada utilizador. Para isso deve ser usado o comando maildirmake.dovecot por cada utilizador já criado.

O comando abaixo muda a identidade do utilizador corrente para um utilizador “fribeiro” e cria a arborescência Maildir na home desse utilizador. Este comando deve ser repetido para cada utilizador já existente:

root@server:~# su - fribeiro -c 'maildirmake.dovecot ~/Maildir'

Esta arborescência deve também ser criada sob a directoria /etc/skel. O conteúdo de /etc/skel é utilizado como modelo para a directoria home dos utilizadores a serem criados futuramente. Assim, quando forem criados novos utilizadores, a arborescência Maildir será criada automaticamente:

root@server:~# maildirmake.dovecot /etc/skel/Maildir

Finalmente, reiniciar o servidor:

root@server:~# /etc/init.d/dovecot restart

Verificar o serviço imap para endereços locais:

root@server:~# telnet 127.0.0.1 imap
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
  * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN] Dovecot ready.
a001 login fribeiro password
a001 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
a002 examine inbox
  * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
  * OK [PERMANENTFLAGS ()] Read-only mailbox.
  * 0 EXISTS
  * 0 RECENT
  * OK [UIDVALIDITY 1291979249] UIDs valid
  * OK [UIDNEXT 1] Predicted next UID
  * OK [HIGHESTMODSEQ 1] Highest
a002 OK [READ-ONLY] Select completed.
a003 logout
  * BYE Logging out
a003 OK Logout completed.
Connection closed by foreign host.

A partir de outro sistema, verificar que são recusadas as ligações IMAP simples sem TLS por serem consideradas inseguras, uma vez que enviam as passwords em texto simples:

fribeiro@laptop:~$ telnet 192.168.1.100 imap
Trying 192.168.1.100...
Connected to 192.168.1.100.
Escape character is '^]'.
  * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS LOGINDISABLED] Dovecot ready.
a001 login fribeiro password
  * BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed.
a001 NO [CLIENTBUG] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
a002 logout
  * BYE Logging out
a002 OK Logout completed.
Connection closed by foreign host.

No entanto, as ligações IMAPS deverão ser aceites a partir de qualquer sistema:

fribeiro@laptop:~# openssl s_client -connect 192.168.1.100:imaps
CONNECTED(00000003)
depth=0 /C=PT/ST=Portugal/O=Home Lan/CN=*.home.lan
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=PT/ST=Portugal/O=Home Lan/CN=*.home.lan
verify return:1
---
Certificate chain
 0 s:/C=PT/ST=Portugal/O=Home Lan/CN=*.home.lan
   i:/C=PT/ST=Portugal/O=Home Lan/CN=*.home.lan
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICBzCCAXACCQCBpikwVIulPjANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJQ
VDERMA8GA1UECBMIUG9ydHVnYWwxETAPBgNVBAoTCEhvbWUgTGFuMRMwEQYDVQQD
FAoqLmhvbWUubGFuMB4XDTEwMTEwNTEyMDkxNFoXDTExMTEwNTEyMDkxNFowSDEL
MAkGA1UEBhMCUFQxETAPBgNVBAgTCFBvcnR1Z2FsMREwDwYDVQQKEwhIb21lIExh
bjETMBEGA1UEAxQKKi5ob21lLmxhbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAwvRP1cWKzoUPPtSUVK+G/HFgaoToc50Ir3gmBbhlycXPJvRbVwfF2+wBXdoS
pNzJdmi6iA0cwaiy2BiUpH4WCk+nZGrGyJDUafxOdaUt8G/64lmSeUedBf3sSoQ6
9iR+fq85uTCJkbe2ZXgkfYZ/djnnkX9BnA7fD7szWbv6StMCAwEAATANBgkqhkiG
9w0BAQUFAAOBgQCLnbmCLs8jwnwG8zL1a8BWxarjitmLbqwXgo+qXtzu0qeFrZJ2
f42bk9M3I83SeQUKTGvK9Mj7CXmorKEsDv18F6rzQO9x2UInrwXYN9BcMVg5YHsf
HQkwhzgWXZNWJT0drFgNKsugvug7dE1UWVFJgafXwACQIFOaLkqpLdznDw==
-----END CERTIFICATE-----
subject=/C=PT/ST=Portugal/O=Home Lan/CN=*.home.lan
issuer=/C=PT/ST=Portugal/O=Home Lan/CN=*.home.lan
---
No client certificate CA names sent
---
SSL handshake has read 1094 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: CF0CD4E5B509B27A41516D693EE5C8BF874FD19444FF2D28F5EAB078A5038324
    Session-ID-ctx:
    Master-Key: 98478963F48B5C45438DE5312A266B9C3E23BF0FC1E75CEF7FC633B363CE131266BAB17513E1357AB3074900F5D057CC
    Key-Arg   : None
    Start Time: 1291980431
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
  * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
a001 login fribeiro password
a001 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
a002 examine inbox
  * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
  * OK [PERMANENTFLAGS ()] Read-only mailbox.
  * 0 EXISTS
  * 0 RECENT
  * OK [UIDVALIDITY 1291979249] UIDs valid
  * OK [UIDNEXT 1] Predicted next UID
  * OK [HIGHESTMODSEQ 1] Highest
a002 OK [READ-ONLY] Select completed.
a003 logout
  * BYE Logging out
a003 OK Logout completed.
closed

Como verificação final poderá ser criada uma conta num cliente email, como o Thunderbird: deverá ser seleccionado protocolo IMAP, a ligação requer TLS (porta 143) ou SSL (porta 993) e o endereço será o do servidor (192.168.1.100 ou mail.home.lan, se tiver sido configurado um Servidor DNS para a rede local).

Se for configurado o acesso sem TLS ou SSL, o acesso será negado:

Dado que os certificados são auto-assinados, os clientes email alertarão para o facto de não conhecerem a autoridade de certificação.

Uma verificação deverá indicar que o certificado utilizado é realmente o que pretendemos:

Uma vez verificadoo certificado, este poderá ser acrescentado à lista de excepções de segurança.

• Dovecot (http://www.dovecot.org/)
• Wikipedia: Imap (http://pt.wikipedia.org/wiki/Imap)
• Wikipedia: Imap (http://en.wikipedia.org/wiki/Imap)
• OpenSSL (http://www.openssl.org/)
• Wikipedia: OpenSSL (http://pt.wikipedia.org/wiki/Openssl)
• Wikipedia: TLS (http://pt.wikipedia.org/wiki/Tls)
• Wikipedia: TLS (http://en.wikipedia.org/wiki/Transport_Layer_Security)
• Securing Debian Manual, 5.6 Securing the mail service (http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s5.6)