This article outlines the steps necessary to build a production-ready installation of the Courier Mailserver Suite. Courier provides services for the following protocols used in everyday email communication:
Courier is already available in the Debian package repositories, so I will not go into detail on how to build the binaries from source. Further, I will only cover authentication against LDAP, because the whole installation should fit into a SingleSignOn environment. That implies that each user who will have access to a mailbox is also a POSIX user on the server. If this is not what you want, then you should not continue reading this article!
Installation
To set up a basic installation of Courier under Debian a minimum set of packages has to be installed.
aptitude install courier-base courier-imap courier-ldap courier-maildrop courier-mta courier-authdaemon courier-authlib courier-authlib-ldap courier-authlib-userdb courier-imap-ssl courier-mta-ssl
This will place the configuration for Courier under /etc/courier/.
Authentication
I've chosen PAM as my primary mechanism of authentication. Please see SingleSignOn for instructions on how to configure PAM for LDAP authentication.
Courier uses a separate realm for each of its services. Both esmtp and imap contain only include statements which refer to the common realms.
/etc/pam.d/esmtp
Open /etc/pam.d/esmtp in the editor of your choice and modify it so that it looks like this:
# PAM configuration file for Courier SMTP daemon
@include common-auth
@include common-account
@include common-password
@include common-session
/etc/pam.d/imap
Open /etc/pam.d/imap in the editor of your choice and modify it so that it looks like this:
# PAM configuration file for Courier IMAP daemon
@include common-auth
@include common-account
@include common-password
@include common-session
Courier Authentication Daemon
Now PAM can be set as the authentication mechanism for the Courier authentication daemon, which handles all authentication on behalf of the Courier services.
In /etc/courier/authdaemonrc some settings have to be modified:
authmodulelist="authpam"
authmodulelistorig="authpam"
Courier Daemon
/etc/courier/courierd

| Key | Value | Description |
|---|---|---|
| DSNTOAUTHADDR | 0 | |
| DYNAMICDELIVERIES | 1 | |
| DEFAULTDELIVERY | "\| /usr/bin/maildrop" | |
| MAILDROPDEFAULT | ./Maildir | |
| ESMTP_CORK | 1 | |
| ESMTP_BLOCKBACKSCATTER | smtp/dsn | |
| ESMTP_USE_STARTTLS | 1 | |
| ESMTP_TLS_VERIFY_DOMAIN | 0 | |
| TLS_PROTOCOL | SSL23 | |
| TLS_TRUSTCERTS | /etc/ssl/certs | |
| TLS_VERIFYPEER | NONE | |
Maildrop
SMTP
Almost the entire configuration for the SMTP service is found in the file /etc/courier/esmtpd. Open it with your editor to set some necessary options. The syntax is always <Key>=<Value>.
| Option | Value | Description |
|---|---|---|
| BOFHCHECKDNS | 1 | Enable checks for bad return addresses (e.g. a domain with no MX record). |
| BOFHNOEXPN | 1 | Do not perform server-side expansion of mailing lists; this could be abused by spammers. |
| BOFHNOVRFY | 1 | No server-side verification of addresses without an actual email. |
| NOADDMSGID | 0 | Automatically add message IDs if they are missing. |
| NOADDDATE | 0 | Automatically add the message date if it's missing. |
| TLS_PROTOCOL | TLS1 | Set this to TLS1 to prevent OpenSSL from dropping connections when STARTTLS is used on remote SMTP servers. |
| ESMTPAUTH | LOGIN | Only try authentication with weak password obfuscation, because LDAP will need this for its bind. Use TLS to prevent the passwords from being sniffed by an attacker! |
| ESMTPAUTH_TLS | "PLAIN LOGIN" | Allow plaintext login with TLS active. |
| ESMTPDSTART | YES | |
Leave all the other options untouched unless there is a specific need to change them.
There are some other files that affect the behavior of SMTP handling. One of them is /etc/courier/esmtpgreeting, which contains the message sent to the client on initial connect. For me this is set to:
uni.fladi.at ESMTP - Courier Mail Server
IMAP
Similar to the SMTP configuration, IMAP is configured through the file /etc/courier/imapd. Open it with your editor to set some necessary options. The syntax is always <Key>=<Value>.
| Option | Value | Description |
|---|---|---|
| ADDRESS | 0 | Bind this service to every interface on this server. |
| PORT | 143 | Use the standard IMAP port for TCP traffic. |
| IMAP_KEYWORDS | 1 | Enable custom keywords for IMAP. |
| IMAP_ACL | 1 | Enable ACLs for IMAP. |
| IMAP_DISABLETHREADSORT | 0 | Don't disable server-side thread sorting. This can cost some performance, so it's also safe to turn it off when in doubt. |
| IMAP_CHECK_ALL_FOLDERS | 1 | Since new mail will get sorted into various folders, it's useful to check all folders of a mailbox. |
| IMAP_USELOCKS | 1 | Use locks, as they make life easier when using shared folders in IMAP. |
| IMAP_ENHANCEDIDLE | 1 | Debian packages are compiled with FAM/Gamin, so use this feature (requires IMAP_USELOCKS=1). |
| IMAP_TRASHFOLDERNAME | Trash | This is already the default setting, but it can be changed to another value. |
| IMAP_MOVE_EXPUNGE_TO_TRASH | 1 | Enables server-side move to trash on deletion. |
| IMAPDSTART | YES | The Sys-V-Init script uses this value to determine whether the IMAP service should be started or not. |
| MAILDIRPATH | Maildir | Set the default maildir path, which will be used by maildrop later on when delivering local mail. |
BOFH
/etc/courier/bofh
opt BOFHBADMIME=accept
opt BOFHCHECKHELO=0
opt BOFHSPFHELO=pass,none,softfail,neutral,unknown,error
opt BOFHSPFMAILFROM=pass,none,softfail,neutral,unknown
opt BOFHSPFFROM=all
opt BOFHSPFHARDERROR=fail,softfail
opt BOFHSPFTRUSTME=1