Tabela de Conteúdos
Página desactualizada Esta página contém uma versão anterior deste guia que pode estar desatualizada. Para a consultar a versão mais recente clique aqui.
5.1.1 Servidor IMAP/IMAPS
Objectivo
Instalação de um servidor email com suporte para protocolo IMAPS.
Instalação
server:~# apt-get install dovecot-imapd
Configuração
Toda a configuração é guardada no ficheiro /etc/dovecot/dovecot.conf.
A instalação do dovecot, por omissão, não define qualquer serviço. É necessário indicar quais os protocolos que se pretendem activar no ficheiro de configuração:
# [...] # Protocols we want to be serving: imap imaps pop3 pop3s # If you only want to use dovecot-auth, you can set this to "none". #protocols = imap imaps protocols = imap imaps # [...]
O servidor de email dovecot só aceita ligações encriptadas via TLS (Transport Layer Security) ou SSL (Secure Sockets Layer). ambos necessitam de certificados digitais.
Os certificados SSL para o dovecot são gerados automaticamente durante a instalação. No entanto, podemos utilizar os nosso próprios 3.5.1 Certificados Ssl Auto-Assinados, gerados previamente:
# [...] ## ## SSL settings ## # IP or host address where to listen in for SSL connections. Defaults # to above if not specified. #ssl_listen = ssl_listen = * # Disable SSL/TLS support. #ssl_disable = no # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. #ssl_cert_file = /etc/ssl/certs/dovecot.pem #ssl_key_file = /etc/ssl/private/dovecot.pem ssl_cert_file = /etc/ssl/certs/server.crt ssl_key_file = /etc/ssl/private/server.key.insecure # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. #ssl_key_password = # [...]
A localização das caixas de correio também deve ser indicada, para evitar ambiguidades. Neste caso estão numa sub-directoria na directoria home de cada utilizador chamada “Maildir”:
# [...] ## ## Mailbox locations and namespaces ## # Location for users' mailboxes. This is the same as the old default_mail_env # setting. The default is empty, which means that Dovecot tries to find the # mailboxes automatically. This won't work if the user doesn't have any mail # yet, so you should explicitly tell Dovecot the full location. # # If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u) # isn't enough. You'll also need to tell Dovecot where the other mailboxes are # and where Dovecot can place its index files. This is called the "root mail # directory", and it must be the first path given in the mail_location setting. # # There are a few special variables you can use, eg.: # # %u - username # %n - user part in user@domain, same as %u if there's no domain # %d - domain part in user@domain, empty if there's no domain # %h - home directory # # See /usr/share/doc/dovecot-common/variables.txt for full list. Some examples: # # mail_location = maildir:~/Maildir # mail_location = mbox:~/mail:INBOX=/var/mail/%u # mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n # # http://wiki.dovecot.org/MailLocation # #mail_location = mail_location = maildir:~/Maildir # [...]
A arborescência Maildir deverá ser criada sob a home de cada utilizador. Para isso deve ser usado o comando maildirmake.dovecot por cada utilizador já criado.
O comando abaixo muda a identidade do utilizador corrente para um utilizador “fribeiro” e cria a arborescência Maildir na home desse utilizador. Este comando deve ser repetido para cada utilizador já existente:
server:~# su - fribeiro -c 'maildirmake.dovecot ~/Maildir'
Esta arborescência deve também ser criada sob a directoria /etc/skel. O conteúdo de /etc/skel é utilizado como modelo para a directoria home dos utilizadores a serem criados futuramente. Assim, quando forem criados novos utilizadores, a arborescência Maildir será criada automaticamente:
server:~# maildirmake.dovecot /etc/skel/Maildir
Finalmente, reiniciar o servidor:
server:~# /etc/init.d/dovecot restart
Verificação
Verificar o serviço imap para endereços locais:
server:~# telnet 127.0.0.1 imap Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. * OK Dovecot ready. a001 login fribeiro password a001 OK Logged in. a002 examine inbox * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) * OK [PERMANENTFLAGS ()] Read-only mailbox. * 0 EXISTS * 0 RECENT * OK [UIDVALIDITY 1177572334] UIDs valid * OK [UIDNEXT 1] Predicted next UID a002 OK [READ-ONLY] Select completed. a003 logout * BYE Logging out a003 OK Logout completed. Connection closed by foreign host.
A partir de outro sistema, verificar que são recusadas as ligações IMAP sem TLS (inseguras):
C:\> telnet 192.168.1.100 imap * OK Dovecot ready. 001 login fribeiro password * BAD [ALERT] Plaintext authentication is disabled, but your client sent password in plaintext anyway. If anyone was listening, the password was exposed. 001 NO Plaintext authentication disabled.
No entanto, as ligações IMAPS deverão ser aceites a partir de qualquer sistema:
laptop:~# openssl s_client -connect 192.168.1.100:imaps CONNECTED(00000003) depth=0 /O=Dovecot mail server/OU=server./CN=server.home.lan/emailAddress=root@server.home.lan verify error:num=18:self signed certificate verify return:1 depth=0 /O=Dovecot mail server/OU=server./CN=server.home.lan/emailAddress=root@server.home.lan verify return:1 --- Certificate chain 0 s:/O=Dovecot mail server/OU=server./CN=server.home.lan/emailAddress=root@server.home.lan i:/O=Dovecot mail server/OU=server./CN=server.home.lan/emailAddress=root@server.home.lan --- Server certificate -----BEGIN CERTIFICATE----- MIIDMTCCApqgAwIBAgIJANiD/UyaohkrMA0GCSqGSIb3DQEBBQUAMG8xHDAaBgNV BAoTE0RvdmVjb3QgbWFpbCBzZXJ2ZXIxEDAOBgNVBAsTB3NlcnZlci4xGDAWBgNV BAMTD3NlcnZlci5ob21lLmxhbjEjMCEGCSqGSIb3DQEJARYUcm9vdEBzZXJ2ZXIu aG9tZS5sYW4wHhcNMDcwNDI2MDQ1NzI1WhcNMDgwNDI1MDQ1NzI1WjBvMRwwGgYD VQQKExNEb3ZlY290IG1haWwgc2VydmVyMRAwDgYDVQQLEwdzZXJ2ZXIuMRgwFgYD VQQDEw9zZXJ2ZXIuaG9tZS5sYW4xIzAhBgkqhkiG9w0BCQEWFHJvb3RAc2VydmVy LmhvbWUubGFuMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDvcRnoc3RK1Vpv 4LSmaI+0krPxFBAR7Jru6H5aljS7P9Pz7QVRn6g3dHv32HozHQeryim6gQ/JfCWY I2AHQdOpFN4fVMommvzjG4eqIBooIO/MEBjj/DB/Yh1odI/3gk1jIXDtvca4l9Li pTV2aV+7TB8mAObUz0AtNqKtzv+LMQIDAQABo4HUMIHRMB0GA1UdDgQWBBTPy29B FuAqODNb8bnKss15aSJ2FjCBoQYDVR0jBIGZMIGWgBTPy29BFuAqODNb8bnKss15 aSJ2FqFzpHEwbzEcMBoGA1UEChMTRG92ZWNvdCBtYWlsIHNlcnZlcjEQMA4GA1UE CxMHc2VydmVyLjEYMBYGA1UEAxMPc2VydmVyLmhvbWUubGFuMSMwIQYJKoZIhvcN AQkBFhRyb290QHNlcnZlci5ob21lLmxhboIJANiD/UyaohkrMAwGA1UdEwQFMAMB Af8wDQYJKoZIhvcNAQEFBQADgYEAhqdszeGBbYfdLg2vYahCS9yVb2XYNKIn0+vW 1RPk9EItpM/TSLPXfB/251eN2TZ/BH3kIUffpFrsa3ScWdmNehjtT2RfU397VID0 iN9MPLRKASJ3mTfoe6F9G8PSK7FaIsaHie1SbDElSXV4NTiAzDxX/tJeuoY04WrA ynP6ERU= -----END CERTIFICATE----- subject=/O=Dovecot mail server/OU=server./CN=server.home.lan/emailAddress=root@server.home.lan issuer=/O=Dovecot mail server/OU=server./CN=server.home.lan/emailAddress=root@server.home.lan --- No client certificate CA names sent --- SSL handshake has read 1385 bytes and written 316 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 04E9ED98CB2DC6DF5F46C3E0E2B42601DD37C8463F6D954A8F50E581822967AC Session-ID-ctx: Master-Key: 05CCEBC41F9828E38B0886586B39B27585C4C6C811BC43174031A933BFC5F75835BAB9E77BEEA2B747A34C3820CB3536 Key-Arg : None Start Time: 1177572743 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- * OK Dovecot ready. a001 login fribeiro password a001 OK Logged in. a002 examine inbox * FLAGS (\Answered \Flagged \Deleted \Seen \Draft) * OK [PERMANENTFLAGS ()] Read-only mailbox. * 0 EXISTS * 0 RECENT * OK [UIDVALIDITY 1177572334] UIDs valid * OK [UIDNEXT 1] Predicted next UID a002 OK [READ-ONLY] Select completed. a003 logout * BYE Logging out a003 OK Logout completed. read:errno=0
Configuração clientes
Como verificação final poderá ser criada uma conta num cliente email, como o Thunderbird: deverá ser seleccionado protocolo IMAP, a ligação requer TLS (porta 143) ou SSL (porta 993) e o endereço será o do servidor (192.168.1.100 ou mail.home.lan, se tiver sido configurado um 3.1.3 Servidor DNS Local para a rede local.
Se for configurado o acesso sem TLS ou SSL, o acesso será negado:
Links relacionados
- Dovecot (*http://www.dovecot.org/)
- Wikipedia: Imap (*http://en.wikipedia.org/wiki/Imap)
- Wikipedia: Imap (*http://pt.wikipedia.org/wiki/Imap)
- OpenSSL (*http://www.openssl.org/)
- Wikipedia: OpenSSL (*http://pt.wikipedia.org/wiki/Openssl)
- Wikipedia: TLS (http://pt.wikipedia.org/wiki/Tls)
- Wikipedia: TLS (*http://en.wikipedia.org/wiki/Transport_Layer_Security)
- Securing Debian Manual, 5.6 Securing the mail service (*http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s5.6)