[Otherwise, less poetically-entitled:
Screw you, NSAGoogle. I'll make my own damn webmail, with blackjack and hookers. Thing is, I actually -want- the webmail too. Really.]
2013-11-18: experiments setting up my own webmail server with IMAP and (eventually) OSS webmail client access
Part I: The MTA (exim4) and IMAP service (dovecot), plus Thunderbird client access [DONE]
Part II: Webmail client for easy access anywhere (TODO)
Part III: End-to-end encryption using clients in (I) and (II), for anyone (TODO.. and non-trivial, I know)
1. Exim4:
* just install using debian defaults (Exim then listens on loopback only and
delivers local mail into /var/mail; it does not accept mail from the internet,
which is all these notes need)
* edit /etc/exim4/update-exim4.conf.conf for your smarthost, then run
update-exim4.conf (or dpkg-reconfigure exim4-config) and restart exim4
(a smarthost is an SMTP server that will relay mail for you; usually
smtp.<your_isp>. Note many ISPs these days block outgoing port 25 entirely,
even from their own customers' IP blocks, so the relay may only be reachable
on the submission port, 587, with a login. Complain bitterly to them that they're
breaking the internet, not that it will do any good... other than some cathartic
anger on your part. Then go find another provider, if you can.)
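The smarthost step above as a concrete update-exim4.conf.conf. This is an added example, not the author's file: the hostnames are assumed, and the point is which settings keep the box from relaying for anyone else while still handing its own mail to the ISP.

```conf
# /etc/exim4/update-exim4.conf.conf (Debian's input for generating the real
# Exim config). After editing: update-exim4.conf && service exim4 restart
# Hostnames below are assumed for the example.

# Deliver local mail here, hand everything else to the smarthost.
dc_eximconfig_configtype='smarthost'
dc_other_hostnames='mybox.example.org'

# Keep the Debian default: listen on loopback only, so the box does not
# become a public SMTP server (this setup receives no mail from the internet).
dc_local_interfaces='127.0.0.1 ; ::1'

# Relay for nobody: empty means no foreign domains and no other networks.
dc_relay_domains=''
dc_relay_nets=''

# host::port of the relay (note the double colon before the port). Port 25
# is where an ISP relay accepts mail from its own address range without
# credentials. If the ISP blocks 25, point at the submission port instead:
#   dc_smarthost='smtp.example.net::587'
# and give Exim a login with one line of the form
#   smtp.example.net:login:password
# in /etc/exim4/passwd.client, readable only by root and the Debian-exim group.
dc_smarthost='smtp.example.net::25'
```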
2. Get an IMAP server:
apt-get install dovecot-imapd dovecot-sqlite dovecot-pop3d
(dovecot-pop3d and dovecot-sqlite are not used anywhere below; every extra
service is another listener, so leave them out unless you actually want POP3
or an SQL passdb.)
* Nice! Top of /etc/dovecot/dovecot.conf:
"If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration"
2.1. Configuring dovecot
2.1.1 Authentication
* [Further research here is required. I ended up using the default 'passwd-file'
accounts rather than 'passwd' account auth, which would use PAM to match against
the system user accounts. It's safer to use 'passwd-file' anyway, since that
means users' email accounts don't have to use their shell accounts.]
2.1.2 Mailbox setup/privileges
* My deb system appears to use the 'mail' group for /var/mail (Dovecot needs to
be able to drop into that group to create its dotlock files next to the mbox
files there), so I set
mail_privileged_group = mail,
#! mbox_very_dirty_syncs = yes
#! maildir_very_dirty_syncs = yes
.. in /etc/dovecot/conf.d/10-mail.conf
(the two *_very_dirty_syncs options are performance shortcuts that skip part of
Dovecot's mailbox sync; maildir_very_dirty_syncs in particular assumes nothing
but Dovecot ever touches the Maildir. Neither is needed for a one-person server.)
2.1.3 IMAP Compatibility Options
* Since I like Thunderbird, enable the following IMAP workarounds
in 20-imap.conf:
imap_client_workarounds = tb-extra-mailbox-sep tb-lsub-flags
2.1.4 SSL setup
* Consider, after getting things going, enabling SSL. Generate a self-signed cert
using Dovecot's doc/mkcert.sh script (see the SSL link in step i below).
** NOTE: by default Dovecot refuses the plaintext password mechanisms (PLAIN,
LOGIN) on a connection that is not TLS (disable_plaintext_auth = yes; connections
from the server itself count as secure). Until the cert is in place the only way
to log in from another machine is to set disable_plaintext_auth = no, which sends
the password in the clear. Treat that as a temporary test setting and switch it
back once SSL works. (The option is spelled disable_plaintext_auth.)
i) Go to http://wiki2.dovecot.org/SSL/CertificateCreation
ii) Download the two files doc/mkcert.sh (or find them in the downloaded dist files)
and doc/dovecot-openssl.cnf
iii) Edit dovecot-openssl.cnf to match your site install (the CN must be the
hostname clients will connect to); also edit mkcert.sh itself if you want to
lengthen/shorten cert expiry and/or change the names of the generated files
(defaults: cert in /etc/ssl/certs/dovecot.pem, key in /etc/ssl/private/dovecot.pem;
keep the key readable by root only). Because the cert is self-signed, every
client has to accept it explicitly the first time (Thunderbird shows a security
exception dialog); compare the fingerprint it displays with the server's copy
instead of just clicking through.
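The authentication settings from 2.1.1, the SSL settings above, and the passwd-file backend that 2.1.5 below uses, gathered into one set of config fragments. This is an added example, not copied from the notes or from Dovecot's shipped files: the certificate paths are the ones doc/mkcert.sh writes by default, the users-file entry (uid, gid, home and the hash) is constructed, and the commented-out last setting is the weak alternative the note above warns about.

```conf
# --- /etc/dovecot/conf.d/10-ssl.conf ---
# Require TLS for every IMAP session. Paths are the defaults doc/mkcert.sh
# writes (certificate under /etc/ssl/certs, key under /etc/ssl/private);
# Debian's stock file points at its own snakeoil cert, so replace both lines.
ssl = required
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem

# --- /etc/dovecot/conf.d/10-auth.conf ---
# Keep the default: PLAIN/LOGIN are refused on a session that is not TLS.
disable_plaintext_auth = yes
# PLAIN is what Thunderbird uses; add "login" only for old clients without it.
auth_mechanisms = plain
# Exactly one passdb backend should be active: the file backend, not
# PAM/system accounts. Check which !include line is uncommented.
!include auth-passwdfile.conf.ext
#!include auth-system.conf.ext

# --- /etc/dovecot/conf.d/auth-passwdfile.conf.ext ---
passdb {
  driver = passwd-file
  # scheme= only applies to users-file entries that have no {SCHEME} prefix
  # (Debian ships scheme=CRYPT here); doveadm pw output carries its own prefix.
  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/users
}
userdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/users
}

# --- /etc/dovecot/users ---
# Not world-readable, but the auth process (see 'user' under service auth in
# 10-master.conf) must still be able to read it. uid/gid/home and the hash
# below are constructed for the example.
# user:password:uid:gid:gecos:home:shell:extra_fields
alice:{SHA512-CRYPT}$6$kQ2wZ8Hn$c0nstructedHashValue:1001:1001::/home/alice

# --- the weak alternative, only while testing before the cert exists ---
# Lets a client send its password over an unencrypted session; undo it once
# TLS works.
#disable_plaintext_auth = no
```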
2.1.5 IMAP account (server-side): see http://wiki2.dovecot.org/AuthDatabase/Passwd
Default appears to be 'passwd-file', which sets up a separate username/pass DB for
IMAP access (check which '!include auth-*.conf.ext' line in
/etc/dovecot/conf.d/10-auth.conf is the uncommented one: auth-system.conf.ext is
the PAM/system-accounts backend, auth-passwdfile.conf.ext the file backend). One
could set up 'driver = passwd' to use the server's local user accounts, but then
every mail user needs a system account and the IMAP password is that account's
login password (usually with shell access). For a public server use the default
'passwd-file', so that a leaked mail password is not a leaked shell password.
i) edit /etc/dovecot/conf.d/auth-passwdfile.conf.ext
Set scheme=SHA512-CRYPT in the passdb args. This is only the default scheme for
entries in the users file that lack a {SCHEME} prefix; entries pasted from
doveadm pw carry their own prefix, so this mainly stops an unprefixed entry from
being read with Debian's shipped default, scheme=CRYPT.
ii) $ doveadm pw -s SHA512-CRYPT
(-u <username> is only needed for the DIGEST-MD5 scheme; harmless here.)
It prompts for the password twice and prints a string of the form
{SHA512-CRYPT}$6$<salt>$<hash>
iii) add a line to /etc/dovecot/users of the form
<username>:{SHA512-CRYPT}$6$<salt>$<hash>:<uid>:<gid>::<home>
(the format is user:password:uid:gid:gecos:home:shell:extra_fields; the hash
alone is not a valid line, and the file should not be readable by ordinary users)
iv) edit /etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain
('login' is only needed for old clients, e.g. old Outlook versions, that can't do
PLAIN; Thunderbird uses PLAIN, so the default install's 'plain' alone is enough)
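Once the users file has a few entries it is worth checking that nothing weaker than SHA512-CRYPT crept in, for instance a line pasted without its {SCHEME} prefix, which is then read with whatever scheme= the passdb args say. The following is an added example, not code from the notes or from Dovecot: a small audit of the passwd-file format documented at the AuthDatabase/Passwd link above. The sample file embedded in it is constructed and its hashes are not real.

```python
"""Audit a Dovecot passwd-file (/etc/dovecot/users) for weak password schemes.

Added example, not part of the original notes or of Dovecot. Format per
http://wiki2.dovecot.org/AuthDatabase/Passwd: one entry per line,
user:password:uid:gid:gecos:home:shell:extra_fields, where password is
{SCHEME}hash, or a bare hash read with the scheme= from the passdb args.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of /etc/dovecot/users; none of these are real credentials.
SAMPLE_USERS_FILE = """\
# constructed sample, not real hashes
alice:{SHA512-CRYPT}$6$kQ2wZ8Hn$c0nstructedHashValueAlice:1001:1001::/home/alice
bob:{PLAIN}hunter2:1002:1002::/home/bob
carol:$6$mT4xR1Lp$c0nstructedHashValueCarol:1003:1003::/home/carol
dave:{CRYPT}abJnggxhB/yWI:1004:1004::/home/dave
erin:{MD5-CRYPT}$1$deadbeef$c0nstructedHashErin:1005:1005::/home/erin
alice:{SHA512-CRYPT}$6$vB7cN3Qa$c0nstructedHashValueAlice2:1001:1001::/home/alice
frank:{SHA512-CRYPT}$1$wrongprefix$c0nstructedHashFrank:1006:1006::/home/frank
"""

# Dovecot scheme names. Cleartext and non-iterated digests are what a
# public-facing passdb should not contain; the *-CRYPT family, bcrypt and
# the memory-hard schemes are fine.
CLEARTEXT = {"PLAIN", "CLEARTEXT", "PLAIN-TRUNC"}
FAST = {"MD5", "PLAIN-MD5", "LDAP-MD5", "SMD5", "MD5-CRYPT", "SHA", "SHA1",
        "SHA256", "SHA512", "SSHA", "SSHA256", "SSHA512", "NTLM", "LANMAN",
        "CRAM-MD5", "DIGEST-MD5", "HMAC-MD5", "PLAIN-MD4", "OTP", "SKEY", "RPA"}
STRONG = {"SHA512-CRYPT", "SHA256-CRYPT", "BLF-CRYPT", "ARGON2I", "ARGON2ID", "PBKDF2"}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9.-]+)\}(.*)$")

Finding = Tuple[int, str, str, str]   # (line number, user, severity, reason)


@dataclass
class Entry:
    lineno: int
    user: str
    scheme: Optional[str]   # None for a malformed line
    digest: str
    explicit: bool          # True if the entry carried its own {SCHEME} prefix
    fields: List[str]


def classify(scheme: str, digest: str) -> Tuple[str, str]:
    """Rate one scheme/hash pair: ('ok'|'warn'|'fail', reason)."""
    base = scheme.upper().split(".")[0]       # drop .HEX / .B64 encoding suffixes
    if base in CLEARTEXT:
        return "fail", f"{base}: password stored in cleartext"
    if base in FAST:
        return "fail", f"{base}: unsalted or single-iteration digest, cheap to brute-force"
    if base == "CRYPT":
        # CRYPT defers to the system crypt(3); the $id$ prefix selects the algorithm.
        if digest.startswith(("$6$", "$5$", "$2a$", "$2b$", "$2y$")):
            return "ok", "CRYPT with a modern $id$ prefix"
        if digest.startswith("$1$"):
            return "fail", "CRYPT with $1$ (MD5-crypt)"
        return "fail", "CRYPT without $id$ prefix: traditional DES crypt, 8-character passwords"
    if base == "SHA512-CRYPT" and not digest.startswith("$6$"):
        return "fail", "SHA512-CRYPT entry whose hash does not start with $6$ (not doveadm pw output)"
    if base in STRONG:
        return "ok", base
    return "warn", f"{base}: unrecognised scheme, review manually"


def parse_users_file(text: str, default_scheme: str) -> List[Entry]:
    """Parse passwd-file text; blank lines and '#' comments are skipped as Dovecot does."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            entries.append(Entry(lineno, fields[0], None, "", False, fields))
            continue
        m = SCHEME_RE.match(fields[1])
        if m:
            entries.append(Entry(lineno, fields[0], m.group(1), m.group(2), True, fields))
        else:
            entries.append(Entry(lineno, fields[0], default_scheme, fields[1], False, fields))
    return entries


def audit(text: str, default_scheme: str = "CRYPT") -> List[Finding]:
    """Findings for a users file. default_scheme is the scheme= from the passdb
    args (Debian ships scheme=CRYPT; the notes change it to SHA512-CRYPT)."""
    findings: List[Finding] = []
    first_seen = {}
    for e in parse_users_file(text, default_scheme):
        if e.scheme is None:
            findings.append((e.lineno, e.user, "fail",
                             "malformed line, expected user:password[:uid:gid:gecos:home:shell:extra]"))
            continue
        if e.user in first_seen:
            findings.append((e.lineno, e.user, "warn",
                             f"duplicate user, first defined on line {first_seen[e.user]}"))
        first_seen.setdefault(e.user, e.lineno)
        severity, reason = classify(e.scheme, e.digest)
        if not e.explicit:
            # Strength then depends on the config, not the entry: flag even if currently fine.
            severity = "warn" if severity == "ok" else severity
            reason = f"no {{SCHEME}} prefix, read as scheme={default_scheme} from passdb args; {reason}"
        if severity != "ok":
            findings.append((e.lineno, e.user, severity, reason))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Group affected users by severity, e.g. {'fail': ['bob', ...], 'warn': [...]}."""
    out = {}
    for _, user, severity, _ in findings:
        out.setdefault(severity, set()).add(user)
    return {severity: sorted(users) for severity, users in out.items()}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_USERS_FILE
    for lineno, user, severity, reason in audit(text, "SHA512-CRYPT"):
        print(f"line {lineno} ({user}): {severity.upper()}: {reason}")
```

Run it as root with the real file path (`python3 audit_users.py /etc/dovecot/users`), passing the scheme= from your passdb args as the second argument to `audit()` if it differs from SHA512-CRYPT. Entries without a prefix are reported as warnings even when the current default is strong, because their strength changes silently if someone later edits the args line.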
3. Get a desktop or web-based mail client. I went through a few here:
x IlohaMail - obsolete, the whole domain is gone, even though it's still a package in
Debian repos and written in PHP4. So, no docs. Doesn't support POP-over-SSL or other
encrypted auth schemes due to its age; too bad, it was easy to install. -REJECTED-
x <lots of other webmail clients, too complicated to get going> -REJECTED-
x <RoundCube? Still need to evaluate>
x <MailPile? Looks promising, actively developed but very incomplete. They are working
on integrated PGP/GPG support, perhaps a post-Snowden emphasis on e2e-crypto? Hope!>
x .. or a desktop mail client such as Thunderbird.
Thunderbird Account Settings:
  Server Settings:
    Server Type: IMAP Mail Server
    Server Name: <server hostname> (must match the CN in the cert you generated)
    Port: 993 (Thunderbird selects this itself once Connection security is SSL/TLS)
    User Name: <username> (without @domain.tld; this is the first field of the
      /etc/dovecot/users line)
    Security Settings:
      Connection security: SSL/TLS
      Authentication method: Normal password
        (this is the PLAIN mechanism, sent inside the TLS session, which is why it is
        fine here and why Dovecot refuses it without TLS by default)
  Outgoing Server (SMTP):
    Description: (your choice)
    Server Name: <smtp smarthost server hostname>
    Port: 25 (** NOTE Thunderbird defaults to 587, the submission port meant for
      authenticated clients; this smarthost relays on 25, so 587 won't work!)
    Security and Authentication:
      Connection security: None
      Authentication method: No authentication
      (with these two settings mail leaves your machine in the clear and the relay
      is trusting nothing but your IP address; if the smarthost advertises STARTTLS,
      pick STARTTLS instead.)
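Before hard-coding "Connection security: None", it is worth seeing what the smarthost actually offers on 25 versus 587. The following added script (not from the notes; smtp.example.net is a stand-in for your ISP's relay) reads the EHLO reply and maps it onto the Thunderbird choices above. The EHLO reply used to exercise the parser is constructed.

```python
"""Probe an SMTP relay and suggest Thunderbird outgoing-server settings.

Added example, not from the original notes. A relay that accepts mail from
its own customers' address range typically advertises neither STARTTLS nor
AUTH on port 25; the submission port (587) normally advertises both.
"""
import smtplib
import ssl
from typing import Dict, List, Optional, Tuple


def parse_ehlo(msg: bytes) -> Dict[str, List[str]]:
    """Turn smtplib's EHLO reply (one keyword per line after the server's own
    name line) into {KEYWORD: [parameters]}."""
    features: Dict[str, List[str]] = {}
    for line in msg.decode("utf-8", "replace").splitlines()[1:]:
        parts = line.split()
        if parts:
            features[parts[0].upper()] = parts[1:]
    return features


def suggest_settings(features: Dict[str, List[str]]) -> dict:
    """Map advertised features onto Thunderbird's Connection security and
    Authentication method choices."""
    mechs = [m.upper() for m in features.get("AUTH", [])]
    if "STARTTLS" in features:
        security = "STARTTLS"
    else:
        security = "None (mail to the relay travels in cleartext)"
    if not mechs:
        auth = "No authentication"
    elif "PLAIN" in mechs or "LOGIN" in mechs:
        auth = "Normal password"
        if "STARTTLS" not in features:
            auth += " (only on a trusted link: the password is sent in the clear)"
    elif "CRAM-MD5" in mechs:
        auth = "Encrypted password"
    else:
        auth = "unsupported mechanisms: " + " ".join(mechs)
    return {"connection_security": security, "authentication": auth, "auth_mechanisms": mechs}


def probe(host: str, port: int, timeout: float = 10) -> Tuple[dict, Optional[dict]]:
    """Connect, EHLO, and if STARTTLS is offered upgrade and EHLO again
    (AUTH is usually only advertised after STARTTLS). Needs network access."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        _, msg = s.ehlo()
        before = parse_ehlo(msg)
        after = None
        if "STARTTLS" in before:
            # Verifies the relay's certificate against the system CA store; a
            # relay with a self-signed cert fails here, which is worth knowing.
            s.starttls(context=ssl.create_default_context())
            _, msg = s.ehlo()
            after = parse_ehlo(msg)
        return before, after


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "smtp.example.net"  # assumed relay name
    for port in (25, 587):
        try:
            before, after = probe(host, port)
        except (OSError, smtplib.SMTPException) as exc:
            print(f"{host}:{port}: {exc}")
            continue
        print(f"{host}:{port}: {suggest_settings(after or before)}")
```

A connection refused or timed out on 25 together with a working 587 is the "ISP blocks port 25" case from section 1; in that case the Exim smarthost line wants the `::587` port and credentials, and Thunderbird wants STARTTLS plus Normal password rather than the settings listed above.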