Server configuration: Courier
The Courier mail transfer agent (MTA) is an integrated mail/groupware server based on open commodity protocols, such as ESMTP, IMAP, POP3, LDAP, SSL, and HTTP. It is modular: its individual components, such as SMTP, POP3 or IMAP servers, can be installed and used independently from each other. In fact, this very manual was written with Courier IMAP only in mind, so it might be incomplete (but you are very welcome to improve it in that case, or to remove this note otherwise!).
If Courier is your server of choice, make sure to install it with MySQL and SSL/TLS support. For example, on Debian and Ubuntu systems, the following command will install Courier with support for IMAP and POP3 protocols, MySQL authentication and SSL/TLS encryption:
apt-get install courier-imap-ssl courier-pop-ssl courier-authlib-mysql courier-authdaemon
Once Courier is installed, you have to edit some of its configuration files. On Debian and Ubuntu these files reside in /etc/courier, but your distribution maintainers might put them elsewhere.
First, open the authdaemonrc file for editing. Make sure the authmodulelist setting is set to "authmysql" as follows:
authmodulelist="authmysql"
Next, open the file called authmysqlrc and update the following settings. This file holds the database password in clear text, so make sure it is readable only by root and the user authdaemon runs as, never world-readable:
MYSQL_SERVER localhost
MYSQL_USERNAME vexim
MYSQL_PASSWORD **CHANGE**
MYSQL_SOCKET /tmp/mysql.sock
# Debian: /var/run/mysqld/mysqld.sock
MYSQL_PORT 3306
MYSQL_OPT 0
MYSQL_DATABASE vexim
MYSQL_USER_TABLE users
MYSQL_CRYPT_PWFIELD crypt
MYSQL_UID_FIELD uid
MYSQL_GID_FIELD gid
MYSQL_LOGIN_FIELD username
MYSQL_HOME_FIELD pop
MYSQL_NAME_FIELD realname
# The following are optional
MYSQL_CHARACTER_SET utf8
MYSQL_MAILDIR_FIELD smtp
MYSQL_QUOTA_FIELD CONCAT(quota*1024*1024,"S")
Now restart all Courier daemons so that the authentication daemon picks up the new settings. For example, on Debian with sysvinit scripts (on systemd hosts restart the corresponding courier-* units instead):
for i in /etc/init.d/courier-*; do $i restart; done
It is highly recommended to use an encrypted connection to retrieve mail. You can use a self-signed certificate, which clients will have to trust on first use, or obtain one from a public CA. We assume you have your private key in example.com.key and your (public) certificate in example.com.crt. Courier expects the key and the certificate in one PEM file, imapd.pem; if your CA issued an intermediate certificate, append it after your own certificate so that clients can build the chain. Write the file fresh rather than appending to it (on Debian a self-signed imapd.pem is usually generated at install time, and appending would leave two keys in the file), and run the steps as root with a restrictive umask so the key is never world-readable, even briefly:
cat /etc/ssl.key/example.com.key /etc/ssl.crt/example.com.crt > /etc/courier/imapd.pem
Make sure that the file is accessible to root only, since it contains the private key:
chown root:root /etc/courier/imapd.pem
chmod 400 /etc/courier/imapd.pem
Make sure that the line TLS_CERTFILE=/etc/courier/imapd.pem is uncommented in /etc/courier/imapd-ssl. It is worth checking the other parameters in this file too. If the Diffie-Hellman parameter file referenced by TLS_DHPARAMS is 1024 bits or smaller, generate a new one of at least 2048 bits and point TLS_DHPARAMS at it:
openssl dhparam -out dhparams.pem 2048
To refuse logins over unencrypted connections (clients must either connect to the IMAPS port or issue STARTTLS before authenticating), set:
IMAP_TLS_REQUIRED=1
For POP3 the procedure is the same, using /etc/courier/pop3d-ssl with TLS_CERTFILE=/etc/courier/pop3d.pem and POP3_TLS_REQUIRED=1 in place of the IMAP settings. The contents of pop3d.pem are identical to imapd.pem, so you may point both config files at the same file.
Now disable the insecure SSLv2 and SSLv3 protocols. Edit /etc/courier/imapd-ssl and /etc/courier/pop3d-ssl:
TLS_PROTOCOL="TLS1_1:TLS1"
TLS_STARTTLS_PROTOCOL="TLS1_1:TLS1"
The colon-separated list is the syntax of builds linked against GnuTLS, as the Debian packages are; check the comments in your own imapd-ssl for the values your build accepts. Note that these values only remove SSLv2/SSLv3: TLS 1.0 and 1.1 are themselves deprecated (RFC 8996), so on a current Courier build prefer TLS1_2 (and TLS1_3 where supported) and list the older versions only if you still have clients that need them.
After making changes, don't forget to restart courier-*.
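As an added example (not part of the vexim wiki or of Courier itself), the following POSIX shell script audits an imapd-ssl or pop3d-ssl file and the certfile it references for the settings described above: TLS_CERTFILE uncommented, the *_TLS_REQUIRED flag set to 1, no SSL2 or SSL3 in TLS_PROTOCOL or TLS_STARTTLS_PROTOCOL, and a root-owned certfile with mode 400 or 600. The function names are this example's own, and it assumes GNU or busybox stat; the sample files in the usage below are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not part of the vexim wiki or of Courier: audit the TLS
# settings this page recommends in a Courier imapd-ssl / pop3d-ssl file and
# check the permissions of the certfile it points at. Function names are
# this example's own; it relies on POSIX sh, sed and GNU/busybox stat.

# Print the value of KEY in FILE (last uncommented KEY=VALUE wins, surrounding
# double quotes stripped). Prints nothing when the key is absent or commented out.
courier_setting() {
    file=$1 key=$2
    sed -n "s/^[[:space:]]*${key}=\(.*\)/\1/p" "$file" | tail -n 1 |
        sed 's/^"\(.*\)"$/\1/'
}

# Audit one *-ssl file. $1 = file, $2 = name of the "TLS required" flag
# (IMAP_TLS_REQUIRED in imapd-ssl, POP3_TLS_REQUIRED in pop3d-ssl).
# Prints one line per finding and returns the number of findings (0 = clean).
audit_courier_ssl() {
    conf=$1 reqflag=$2 fails=0

    if [ -z "$(courier_setting "$conf" TLS_CERTFILE)" ]; then
        echo "$conf: TLS_CERTFILE is unset or commented out"
        fails=$((fails + 1))
    fi

    if [ "$(courier_setting "$conf" "$reqflag")" != 1 ]; then
        echo "$conf: $reqflag is not 1, logins are accepted without STARTTLS"
        fails=$((fails + 1))
    fi

    # The implicit-TLS port and STARTTLS each have their own protocol list.
    for key in TLS_PROTOCOL TLS_STARTTLS_PROTOCOL; do
        proto=$(courier_setting "$conf" "$key")
        case ":$proto:" in
            ::)
                echo "$conf: $key is unset, the build default applies"
                fails=$((fails + 1)) ;;
            *:SSL2:*|*:SSL3:*)
                echo "$conf: $key still allows SSLv2/SSLv3 ($proto)"
                fails=$((fails + 1)) ;;
        esac
    done
    return "$fails"
}

# The certfile holds the private key. $1 = file, $2 = expected owner (root
# unless overridden). Returns 0 only if owned by $2 and mode 400 or 600.
audit_certfile_perms() {
    pem=$1 owner=${2:-root}
    mode=$(stat -c '%a' "$pem" 2>/dev/null) || {
        echo "$pem: cannot stat"; return 1; }
    actual_owner=$(stat -c '%U' "$pem")
    if [ "$actual_owner" != "$owner" ]; then
        echo "$pem: owned by $actual_owner, expected $owner"; return 1
    fi
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$pem: mode $mode, expected 400 or 600"; return 1 ;;
    esac
}

# On a real host, audit both services; skipped silently where the files are absent.
for svc in imapd:IMAP_TLS_REQUIRED pop3d:POP3_TLS_REQUIRED; do
    conf=/etc/courier/${svc%%:*}-ssl
    [ -f "$conf" ] || continue
    audit_courier_ssl "$conf" "${svc##*:}"
    pem=$(courier_setting "$conf" TLS_CERTFILE)
    [ -n "$pem" ] && audit_certfile_perms "$pem"
done
```

Run it as root after editing the files and again after every restart of courier-*; a clean run prints nothing. The protocol check only flags SSL2/SSL3, matching the scope of this page, so extend the case pattern if you also want to treat TLS1 and TLS1_1 as findings.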