Using the Courier-IMAP server

If you are in need of a Linux IMAP server, never fear! Courier-IMAP server is a simple to use, stable, and scalable mail server. Come on in and let Vincent Danen show you how Linux and IMAP can work together.

If you need to migrate to an IMAP mail setup and you want to use Linux as your server’s OS, never fear. Linux has a number of options available. In this Daily Drill Down, I will show you how to install, configure, and use the Courier-IMAP server.

IMAP vs. POP3
Most people on the Internet use the Post Office Protocol 3 (POP3) for receiving e-mail messages. POP3 is a means of fetching your e-mail messages from a remote server by downloading them into your particular e-mail client. After doing so, you may read, reply, delete, or further manipulate your e-mail messages.

For most people, POP3 works extremely well. It's simple to use, is supported by virtually every mail server out there, and every e-mail client can use it. However, for some people, POP3 is a less than desirable solution to reading e-mail messages.

Imagine for a moment that you have your company e-mail address, which you typically read from the office. With this, you can use POP3 quite nicely if you only read mail from the office. If, however, you do work from home or on the road, you are unable to read your messages until you return to the office, regardless of whether or not you have access to the Internet at home or on the road.

You could, of course, download your e-mail at home and leave the messages on the server so you can also retrieve the messages at work. This is probably a likely scenario for many people. The drawback here is that you will end up looking at messages at least twice, if not more. It also increases the amount of space used on both your work and home systems by forcing you to download two copies of each message. In the long run, this can become confusing.

There is another protocol for reading e-mail messages that is quite popular. This protocol is IMAP, or Interactive Mail Access Protocol. IMAP works quite differently from POP3 in that it allows you to log in to the remote server and remain on the remote server to read your messages. Where POP3 forces you to download messages to your local client, with IMAP you read messages on the server itself. When you read a message on an IMAP server, it is marked read; when you delete a message, it is deleted. To the user who accesses mail from work and home, this means you only need access to the IMAP server from either location. You’ll also need to use a mail client that supports IMAP.

Because of this feature, IMAP is quickly gaining popularity. It makes managing e-mail from various locations much easier—at home, work, or on the road.

There are a few popular open source IMAP servers, but in this Daily Drill Down, I will take a look at the Courier-IMAP server by Double Precision Inc. It is one of the few IMAP servers that was written with Qmail in mind. It natively supports the Qmail Maildir method of mail storage. This means if you want to use Qmail, you can take advantage of the speed and reliability found in the Maildir storage format. Some IMAP servers that do not support the Qmail Maildir format require you to use an inferior mail server or force Qmail to deliver to traditional UNIX mail spool files (which removes one of the benefits of using Qmail in the first place).

Installing Courier-IMAP
To download the Courier-IMAP package, visit the Courier-IMAP download page. The current version of Courier-IMAP (as of this writing) is 1.3.7, so the file you will be downloading is courier-imap-1.3.7.tar.gz. Save this file to your /usr/local/src directory.

One thing that makes Courier-IMAP interesting to build and configure is that you cannot perform the actual compilation as the root user. You will have to do this as an unprivileged user. So, let's assume for a moment that your username is joe. As root, you would execute the following:
cd /usr/local/src
tar xvzf courier-imap-1.3.7.tar.gz
chown -R joe:joe courier-imap-1.3.7


This unarchives the courier-imap-1.3.7.tar.gz file. The created subdirectory, courier-imap-1.3.7/, must be owned by the user who will be doing the compilation; in this instance, the user joe. If you unarchive the package as root and do not change the ownership of the files and directories, the user will not be able to complete the configuration or build process.

As the user joe, you would then perform the following steps to configure and compile Courier-IMAP:
su - joe
cd /usr/local/src/courier-imap-1.3.7
./configure --prefix=/usr/local
make
make check


The first command su'd you to the user joe. Then, you run the configure script in the courier-imap-1.3.7/ directory. In this instance, you tell Courier-IMAP to use the /usr/local directory tree and to keep it separate from the rest of the system. If you want to integrate Courier-IMAP into the system like the rest of the programs installed, you can use the --prefix=/usr switch instead. Finally, you compile Courier-IMAP, and then run some tests to make sure it is built correctly.

The next step is to exit the su session to become root again. You must install Courier-IMAP into the directory tree specified with the --prefix option you passed to configure. Type exit at the command line to exit the su session, and then execute the following commands as root:
make install
make install-configure


The first command installs all of the required binaries. The second command installs all of the configuration programs. If you use SysV-style initscripts, you can copy the file courier-imap.sysvinit from the source directory to your /etc/rc.d/init.d directory. The command below will allow you to start and stop Courier-IMAP as you boot or shut down the system.
install -m755 courier-imap.sysvinit /etc/rc.d/init.d/courier-imap

On a Red Hat, Linux-Mandrake, or other Linux distribution that uses the chkconfig tool, you can enable Courier-IMAP to start on boot by executing:
chkconfig --level 345 courier-imap on

After doing so, Courier-IMAP is installed and ready to be configured.

Configuring Courier-IMAP
The first thing you need to do is decide whether or not Courier-IMAP will also handle your POP3 duties. Because Qmail also comes with a POP3 server, you can take your pick as to which POP3 server to use. Courier-IMAP, unlike Qmail, can do POP3 over SSL natively. If you want to use Qmail's POP3 server, simply do not enable Courier-IMAP's POP3 server. If you want to use Courier-IMAP's POP3 server, then you need to disable Qmail's POP3 server.

To disable the POP3 server that comes with Qmail, change to your service directory for Qmail, which will typically be done with the command cd /var/qmail/supervise. You should have a few subdirectories here, like qmail-pop3d/, qmail-smtpd/, qmail-send/, and possibly qmail-qmqpd/. The first thing you need to do is stop Qmail. If you have the SysV initscript for Qmail, you can do so by executing:
/etc/rc.d/init.d/qmail stop

Then, perform the following commands as root:
cd /var/qmail/supervise
mv qmail-pop3d .qmail-pop3d
chmod -t .qmail-pop3d


By moving qmail-pop3d/ to .qmail-pop3d/, you are effectively hiding the POP3 configuration information from supervise, the daemon that runs the Qmail servers. This allows you to disable the POP3 server without removing the configuration information, in case you want to switch back to it later. You can start Qmail again by using this command:
/etc/rc.d/init.d/qmail start

You're now ready to configure Courier-IMAP. Change to the /usr/local/etc directory with the command cd /usr/local/etc, which is where you will find the Courier-IMAP configuration files. In this directory, you will see a number of files. The ones you will need right now are: imapd, imapd-ssl, pop3d, and pop3d-ssl. These files determine what parameters each server (IMAP, IMAP-SSL, POP3, and POP3-SSL, respectively) will have. If you wish to use the SSL-enabled services, you must have OpenSSL installed with the development libraries. For most RPM-based distributions, this means you will need the openssl and openssl-devel RPMs installed.

Each of these four files also determines whether or not a given service will be started. At the end of the imapd and pop3d files are keywords that tell the Courier-IMAP starting script whether or not to initiate the service. In the imapd file, at the very end, is a line that looks like this:
IMAPDSTART=NO

If you wish to enable the IMAP service, you must change the NO to YES. Likewise for the pop3d file, except the keyword is POP3DSTART instead. The SSL-enabled services have similar keywords, but they are not found at the end of the file. For imapd-ssl, the keyword is IMAPDSSLSTART and for pop3d-ssl, the keyword is POP3DSSLSTART. Change these to YES if you wish to start the services.

Before you can start Courier-IMAP, however, you will have to perform one more step. Because Courier-IMAP can use more than simple PAM authentication, you must ensure that it uses the proper form of authentication. One fault in Courier-IMAP is that if you have the MySQL development files installed, it will assume you use MySQL for authentication. The same goes for OpenLDAP. If you use normal PAM authentication (which I will assume you do), you will need to correct this assumption. For example, on my Linux-Mandrake 8.0 system (on which I run MySQL but not OpenLDAP), the Courier-IMAP installer assumes I will authenticate against MySQL, which is not what I want it to do.

To fix this, you must change to /usr/local/libexec/authlib. This is where the authentication files for Courier-IMAP reside. In this directory, you will find a few files: authdaemon, authdaemond, authdaemond.plain, and possibly authdaemond.mysql and authdaemond.ldap, as well. By default, MySQL authentication has the highest priority, then LDAP authentication, and finally PAM (or plain) authentication. Since you want to use PAM authentication, you must delete the authdaemond files corresponding to MySQL and LDAP by issuing:
rm authdaemond.{mysql,ldap}

This will remove both files from the system. After doing so, when you start Courier-IMAP, it will use basic PAM authentication, which Qmail also uses, unless you have applied the MySQL or LDAP authentication patches. In that case, you will want to remove the authentication files that correspond to the authentication types you do not want to use.

Now, you can start Courier-IMAP. If you installed the SysV initscript (as described above), you can do so using:
/etc/rc.d/init.d/courier-imap start

You will see it echo to the screen the components that started. If you do not use SysV initscripts, you will need to start Courier-IMAP by using the /usr/local/libexec/authlib/authdaemond script. To start Courier-IMAP this way, use this command:
/usr/local/libexec/authlib/authdaemond start

To stop Courier-IMAP this way, use this command:
/usr/local/libexec/authlib/authdaemond stop

If you do not use SysV initscripts, add the start command above to /etc/rc.d/rc.local or a similar file so that Courier-IMAP starts on each boot.

There are other options that you can set in the configuration files found in /usr/local/etc that allow you to fine-tune your server. If you use all services, the four files you’ll need are imapd, imapd-ssl, pop3d, and pop3d-ssl. Go through each configuration file and change the options to suit your needs.

To view a few of the options that you might consider changing, open the imapd file with your favorite text editor. There are a few keywords that you may want to change. (I'll briefly explain a few of the more common ones, but there are others that you can change as well.) These keywords are also present in the other configuration files.
ADDRESS=0

This tells the server to bind to all IP addresses. You can specify particular addresses that the server will listen to here. For the SSL-enabled servers, this keyword is SSLADDRESS.
MAXDAEMONS=40

This tells the server the maximum number of servers that can be started. In this case, once 40 concurrent connections are established, all others will be rejected until a server is freed.
MAXPERIP=4

This tells the server the maximum number of connections that are allowed from a single IP address. By setting this to four, a single person can open four IMAP or POP3 connections, but if they attempt to open a fifth they will be rejected.

The MAXDAEMONS and MAXPERIP options can only be configured for the non-SSL server, as the SSL-enabled server will also use the values found in the non-SSL configurations. This means you cannot define one value for SSL-enabled IMAP and another for unencrypted IMAP.

All of the other configuration options do not necessarily need to be changed, as they work quite well using the default values. The configuration files are heavily commented, so they should be pretty straightforward to configure.
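The script below is an added example, not part of the original article or of Courier-IMAP: it reviews the start switches, bind addresses, and connection limits described above and reports where an unencrypted service runs without its SSL counterpart or where MAXPERIP gives one address every daemon slot. The function names and the sample files are constructed for illustration; point audit_courier at /usr/local/etc to check a real installation.

```shell
#!/bin/sh
# Added example, not from the article: review Courier-IMAP start switches and limits.

# get_kw FILE KEY: value of the last KEY=VALUE line, quotes stripped.
get_kw() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

is_yes() { case $1 in [yY][eE][sS]) return 0 ;; *) return 1 ;; esac; }

# check_pair DIR PLAINFILE PLAINKEY SSLFILE SSLKEY
check_pair() {
    p=$(get_kw "$1/$2" "$3"); s=$(get_kw "$1/$4" "$5")
    if is_yes "$p"; then
        is_yes "$s" || echo "$2: unencrypted service on, $5 is not YES"
        [ "$(get_kw "$1/$2" ADDRESS)" != 0 ] || echo "$2: ADDRESS=0 binds every address"
    fi
    if is_yes "$s"; then
        [ "$(get_kw "$1/$4" SSLADDRESS)" != 0 ] || echo "$4: SSLADDRESS=0 binds every address"
    fi
    is_yes "$p" || is_yes "$s" || return 0
    # The SSL servers reuse the limits from the non-SSL file, so read them there.
    max=$(get_kw "$1/$2" MAXDAEMONS); per=$(get_kw "$1/$2" MAXPERIP)
    case "$max:$per" in
        :*|*:|*[!0-9:]*) echo "$2: MAXDAEMONS or MAXPERIP missing or not numeric" ;;
        *) if [ "$per" -ge "$max" ]; then
               echo "$2: MAXPERIP=$per lets one address hold all $max daemons"
           fi ;;
    esac
}

# audit_courier CONFDIR: one finding per line, nothing when all checks pass.
audit_courier() {
    check_pair "$1" imapd IMAPDSTART imapd-ssl IMAPDSSLSTART
    check_pair "$1" pop3d POP3DSTART pop3d-ssl POP3DSSLSTART
}

# Constructed sample files (illustrative values, not a real server's settings).
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'ADDRESS=0\nMAXDAEMONS=40\nMAXPERIP=40\nIMAPDSTART=YES\n' > "$d/imapd"
    printf 'IMAPDSSLSTART=NO\n' > "$d/imapd-ssl"
    printf 'ADDRESS=192.0.2.10\nMAXDAEMONS=40\nMAXPERIP=4\nPOP3DSTART=YES\n' > "$d/pop3d"
    printf 'POP3DSSLSTART=YES\n' > "$d/pop3d-ssl"
    echo "$d"
}

sample=$(make_sample) && audit_courier "$sample"; rm -rf "$sample"
```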

Generating the SSL certificates
If you plan to use IMAP over SSL or POP3 over SSL, you will need to generate SSL certificates for either service. If you use the SysV initscript, Courier-IMAP will do this automatically the first time you start the service. If you do not use the initscript, you will have to do this manually by executing:
/usr/local/share/mkimapdcert

This generates a file called imapd.pem in the /usr/local/share directory. Likewise, you would do the same for POP3 over SSL by executing mkpop3dcert, which creates the certificate file pop3d.pem.

To modify the information placed into the certificate, edit the /usr/local/etc/imapd.cnf and pop3d.cnf files. (This is the information placed into the IMAP and POP3 SSL certificates.) The layout is fairly straightforward, but there is a section worth explaining—the req_dn section. The following is a snippet of the default imapd.cnf file:
[ req_dn ]
C=US
ST=NY
L=New York
O=Courier Mail Server
OU=Automatically-generated IMAP SSL key
CN=localhost
emailAddress=postmaster@example.com


The keywords have specific meaning to the SSL certificate. The C keyword stands for country. ST refers to your state, while L is for your location (or city). The O keyword is for your organization name, and OU is for the organization's unit name (or department). The CN keyword defines your common name, which is usually the domain name to which the certificate belongs. The emailAddress keyword is for the administrator's e-mail address. So, you might use the following as an example:
[ req_dn ]
C=CA
ST=AB
L=Edmonton
O=Fictional Company Inc.
OU=Education Dept.
CN=mail.mydomain.com
emailAddress=admin@mydomain.com


If you already generated or had generated for you an SSL certificate prior to changing these defaults, then you can remove the .pem files in /usr/local/share and rerun the certificate creation commands.
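A certificate generated from an unedited imapd.cnf carries CN=localhost, which does not match the host name mail clients connect to. The following added example (not from the original article) reads only the req_dn section of a .cnf file and reports fields still at the defaults shown above, plus a CN that differs from the expected server name; the function names, the [ req ] header lines, and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: flag req_dn defaults before generating a cert.

# req_dn_value FILE KEY: value of KEY inside the [ req_dn ] section only.
req_dn_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_dn = (s == "[req_dn]"); next }
        in_dn && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# lint_req_dn FILE EXPECTED_HOST: one finding per line, nothing when clean.
lint_req_dn() {
    cn=$(req_dn_value "$1" CN)
    [ "$cn" = "$2" ] || echo "CN=$cn does not match server name $2"
    while IFS='|' read -r key dflt; do
        [ "$(req_dn_value "$1" "$key")" != "$dflt" ] || echo "$key still default: $dflt"
    done <<'EOF'
O|Courier Mail Server
OU|Automatically-generated IMAP SSL key
emailAddress|postmaster@example.com
EOF
}

# make_cnf default|custom: path of a constructed sample .cnf (illustrative only).
make_cnf() {
    f=$(mktemp) || return 1
    printf '[ req ]\ndistinguished_name=req_dn\nprompt=no\n\n[ req_dn ]\n' > "$f"
    if [ "$1" = default ]; then
        printf 'C=US\nST=NY\nL=New York\nO=Courier Mail Server\n' >> "$f"
        printf 'OU=Automatically-generated IMAP SSL key\nCN=localhost\n' >> "$f"
        printf 'emailAddress=postmaster@example.com\n' >> "$f"
    else
        printf 'C=CA\nST=AB\nL=Edmonton\nO=Fictional Company Inc.\n' >> "$f"
        printf 'OU=Education Dept.\nCN=mail.mydomain.com\n' >> "$f"
        printf 'emailAddress=admin@mydomain.com\n' >> "$f"
    fi
    echo "$f"
}

f=$(make_cnf default) && lint_req_dn "$f" mail.mydomain.com; rm -f "$f"
```

The defaults checked are the ones the article shows for imapd.cnf; the OU default in pop3d.cnf is not shown on this page, so that check applies to imapd.cnf only.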

Conclusion
Because of the increasing popularity of the IMAP protocol, and because of the ease of use it provides, having an IMAP server alongside your POP3 and SMTP servers can have a definite impact on how business is conducted by your employees. E-mail has become an integral part of the Internet and the lives of those using it. For most, POP3 works well, but for others, IMAP is a definite time-saver and is simply too convenient to pass up.

As you can see, setting up an IMAP server to work in conjunction with your existing mail servers is simple. While Courier-IMAP is not the only open source IMAP server available for the Linux platform, it is simple to use and simple to set up. It's also one of the few that works out of the box with the Qmail MTA.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.
