Instalação de um servidor email com suporte para protocolo IMAPS.

server:~# aptitude install dovecot-imapd

Toda a configuração é guardada no ficheiro /etc/dovecot/dovecot.conf.

Após a instalação do dovecot, é necessário indicar quais os protocolos que se pretendem activar no ficheiro de configuração. Neste caso, os protocolos IMAP e IMAPS:

# [...]
# 
# Protocols we want to be serving: imap imaps pop3 pop3s managesieve
# If you only want to use dovecot-auth, you can set this to "none".
#protocols = imap imaps
protocols = imap imaps

# [...]

O servidor de email dovecot só aceita ligações encriptadas via TLS (Transport Layer Security) ou SSL (Secure Sockets Layer). Ambos necessitam de certificados digitais.

Os certificados SSL para o dovecot são gerados automaticamente durante a instalação. No entanto, podemos utilizar os nosso próprios 3.5.1 Certificados Ssl Auto-Assinados previamente gerados:

# [...]
# 
##
## SSL settings
##

# IP or host address where to listen in for SSL connections. Defaults
# to above if not specified.
#ssl_listen =

# Disable SSL/TLS support.
#ssl_disable = no

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root.
#ssl_cert_file = /etc/ssl/certs/dovecot.pem
#ssl_key_file = /etc/ssl/private/dovecot.pem

ssl_cert_file = /etc/ssl/certs/server.crt
ssl_key_file = /etc/ssl/private/server.key.insecure

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter.
#ssl_key_password =

# [...]

A localização das caixas de correio também deve ser indicada, para evitar ambiguidades. Neste caso estão numa sub-directoria na directoria home de cada utilizador chamada “Maildir”:

# [...]
# 
##
## Mailbox locations and namespaces
##

# Location for users' mailboxes. This is the same as the old default_mail_env
# setting. The default is empty, which means that Dovecot tries to find the
# mailboxes automatically. This won't work if the user doesn't have any mail
# yet, so you should explicitly tell Dovecot the full location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
#
# See /usr/share/doc/dovecot-common/wiki/Variables.txt for full list. Some
# examples:
#
#   mail_location = maildir:~/Maildir
#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
#mail_location =
mail_location = maildir:~/Maildir

# [...]

A arborescência Maildir deverá ser criada sob a home de cada utilizador. Para isso deve ser usado o comando maildirmake.dovecot por cada utilizador já criado.

O comando abaixo muda a identidade do utilizador corrente para um utilizador “fribeiro” e cria a arborescência Maildir na home desse utilizador. Este comando deve ser repetido para cada utilizador já existente:

server:~# su - fribeiro -c 'maildirmake.dovecot ~/Maildir'

Esta arborescência deve também ser criada sob a directoria /etc/skel. O conteúdo de /etc/skel é utilizado como modelo para a directoria home dos utilizadores a serem criados futuramente. Assim, quando forem criados novos utilizadores, a arborescência Maildir será criada automaticamente:

server:~# maildirmake.dovecot /etc/skel/Maildir

Finalmente, reiniciar o servidor:

server:~# /etc/init.d/dovecot restart

Verificar o serviço imap para endereços locais:

server:~# telnet 127.0.0.1 imap
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
  * OK Dovecot ready.
a001 login fribeiro password
a001 OK Logged in.
a002 examine inbox
  * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
  * OK [PERMANENTFLAGS ()] Read-only mailbox.
  * 0 EXISTS
  * 0 RECENT
  * OK [UIDVALIDITY 1229984951] UIDs valid
  * OK [UIDNEXT 1] Predicted next UID
a002 OK [READ-ONLY] Select completed.
a003 logout
  * BYE Logging out
a003 OK Logout completed.
Connection closed by foreign host.

A partir de outro sistema, verificar que são recusadas as ligações IMAP simples sem TLS por serem consideradas inseguras, uma vez que enviam as passwords em texto simples:

C:\> telnet 192.168.1.100 imap
  * OK Dovecot ready.
001 login fribeiro password
  * BAD [ALERT] Plaintext authentication is disabled, but your client sent password in plaintext anyway. If anyone was listening, the password was exposed.
001 NO Plaintext authentication disabled.

No entanto, as ligações IMAPS deverão ser aceites a partir de qualquer sistema:

laptop:~# openssl s_client -connect 192.168.1.100:imaps
CONNECTED(00000003)
depth=0 /C=PT/ST=Portugal/O=Home Lan/CN=*.home.lan
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=PT/ST=Portugal/O=Home Lan/CN=*.home.lan
verify return:1
---
Certificate chain
 0 s:/C=PT/ST=Portugal/O=Home Lan/CN=*.home.lan
   i:/C=PT/ST=Portugal/O=Home Lan/CN=*.home.lan
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICBzCCAXACCQDAzUbBgnqkrjANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQGEwJQ
VDERMA8GA1UECBMIUG9ydHVnYWwxETAPBgNVBAoTCEhvbWUgTGFuMRMwEQYDVQQD
FAoqLmhvbWUubGFuMB4XDTA4MTIyMjE0MTcwNloXDTA5MTIyMjE0MTcwNlowSDEL
MAkGA1UEBhMCUFQxETAPBgNVBAgTCFBvcnR1Z2FsMREwDwYDVQQKEwhIb21lIExh
bjETMBEGA1UEAxQKKi5ob21lLmxhbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAxHWCCvncvzAZ2RWtxfplPKqvlfyn2Jt/3zIk/377n1b/gwR2At7emCaevF/p
+7wtlMhq7dg33TdUnlu5Kgrx/KpCbPcebl6zE3XKpBBeANQRbcByRDvzFx9I2r+U
xP1uz18O2nSaC4P2SiiEmL1+bKELadcRGqOqAeUqJqJVN/ECAwEAATANBgkqhkiG
9w0BAQUFAAOBgQC7pEfD5QA+xQwcPNQ23Kjj8Ml9h6uOL4havGuKNEiVOrXipwpR
jZwwOy77M1jiL3vdi08k46KdGp9CEeYH9AupGwXyZIyGGM601kyy2r5BTv9cQ5nT
PPbuzHWkdQGb9UaWA4Ptw+FbFx0LTLotGtLF2Os9ewpcjKkweVV5Whh7Ig==
-----END CERTIFICATE-----
subject=/C=PT/ST=Portugal/O=Home Lan/CN=*.home.lan
issuer=/C=PT/ST=Portugal/O=Home Lan/CN=*.home.lan
---
No client certificate CA names sent
---
SSL handshake has read 1087 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 1BEEFD13C0860123429EB05ED711962E9F43447DBBE355F57A2B85977E384182
    Session-ID-ctx:
    Master-Key: AF0F4679E33890F4E99EEDA47BD3BFE72C3DAF273C461DAA1C35DA9293E58A3D9E76902044B3331E64589E2D37170F19
    Key-Arg   : None
    Start Time: 1229986067
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
  * OK Dovecot ready.
a001 login fribeiro password
a001 OK Logged in.
a002 examine inbox
  * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
  * OK [PERMANENTFLAGS ()] Read-only mailbox.
  * 0 EXISTS
  * 0 RECENT
  * OK [UIDVALIDITY 1229984951] UIDs valid
  * OK [UIDNEXT 1] Predicted next UID
a002 OK [READ-ONLY] Select completed.
a003 logout
  * BYE Logging out
a003 OK Logout completed.
read:errno=0

Como verificação final poderá ser criada uma conta num cliente email, como o Thunderbird: deverá ser seleccionado protocolo IMAP, a ligação requer TLS (porta 143) ou SSL (porta 993) e o endereço será o do servidor (192.168.1.100 ou mail.home.lan, se tiver sido configurado um 3.1.3 Servidor DNS Local para a rede local).

Se for configurado o acesso sem TLS ou SSL, o acesso será negado:

• Dovecot (*http://www.dovecot.org/)
• Wikipedia: Imap (*http://en.wikipedia.org/wiki/Imap)
• Wikipedia: Imap (*http://pt.wikipedia.org/wiki/Imap)
• OpenSSL (*http://www.openssl.org/)
• Wikipedia: OpenSSL (*http://pt.wikipedia.org/wiki/Openssl)
• Wikipedia: TLS (http://pt.wikipedia.org/wiki/Tls)
• Wikipedia: TLS (*http://en.wikipedia.org/wiki/Transport_Layer_Security)
• Securing Debian Manual, 5.6 Securing the mail service (*http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s5.6)