Monday, 18 November 2013

Tugging at the chains 'twixt myself and The Cloud

[Otherwise, less poetically-entitled: Screw you, NSAGoogle. I'll make my own damn webmail, with blackjack and hookers. Thing is, I actually -want- the webmail too. Really.]

2013-11-18: experiments setting up my own webmail server with IMAP and (eventually) OSS webmail client access

Part I: The MTA and IMAP service (dovecot), plus Thunderbird client access [DONE]
Part II: Webmail client for easy access anywhere (TODO)
Part III: End-to-end encryption using clients in (I) and (II), for anyone (TODO.. and non-trivial, I know)

1. Exim4:
   * just install using debian defaults
   * edit /etc/exim4/update-exim4.conf.conf to point at your smarthost
     (a smarthost is an SMTP server that will relay mail for you, usually
      smtp.<your_isp>. Note that many ISPs these days don't allow any outgoing
      email even from their own customers' IP blocks. Complain bitterly to them
      that they're breaking the internet, not that it will do any good other
      than some cathartic anger on your part. Then go find another provider,
      if you can.)

2. Get an IMAP server:
  apt-get install dovecot-imapd dovecot-sqlite dovecot-pop3d

   * Nice! Top of /etc/dovecot/dovecot.conf:
     "If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration"

2.1. Configuring dovecot
  2.1.1 Authentication
   * [Further research here is required. I ended up using the default 'passwd-file'
      accounts rather than 'passwd' auth, which would use PAM to match against
      the system user accounts. 'passwd-file' is the safer choice anyway, since it
      means users' email accounts are not tied to their shell accounts.]

  2.1.2 Mailbox setup/privileges
   * My deb system appears to use the 'mail' group for /var/mail, so in
     /etc/dovecot/conf.d/10-mail.conf I set:
       mail_privileged_group = mail
       #! mbox_very_dirty_syncs = yes
       #! maildir_very_dirty_syncs = yes

  2.1.3 IMAP Compatibility Options
   * Since I like Thunderbird, enable the following IMAP workarounds
     in 20-imap.conf:
     imap_client_workarounds = tb-extra-mailbox-sep tb-lsub-flags

  2.1.4 SSL setup
   * Once things are going, consider enabling SSL. Generate a self-signed cert
     using Dovecot's doc/mkcert.sh script (see the SSL link in step i below).
   ** NOTE: SSL is required by default; unless you enable it you have to set
      disable_plaintext_auth = no, which lets passwords cross the wire unencrypted!

    i) Go to http://wiki2.dovecot.org/SSL/CertificateCreation
    ii) Download the two files doc/mkcert.sh (or find in the downloaded dist files),
        and doc/dovecot-openssl.cnf
    iii) Edit dovecot-openssl.cnf to match your site install; also edit mkcert.sh
         itself if you want to lengthen/shorten cert expiry and/or the name of the
         generated cert (default: /etc/ssl/private/dovecot.pem)

  2.1.5 IMAP account (server-side): see http://wiki2.dovecot.org/AuthDatabase/Passwd
    The default appears to be 'passwd-file', which keeps a separate username/password
    DB for IMAP access. One could set 'driver = passwd' to use the server's local user
    accounts, but that would (usually) also grant shell access. If you're setting up a
    public server, it's probably a good idea to stick with the default.

    i) edit /etc/dovecot/conf.d/auth-passwdfile.conf.ext
       Set scheme=SHA512-CRYPT
    ii) $ doveadm pw -s SHA512-CRYPT -u <username>
    iii) cut and paste the resulting string into /etc/dovecot/users
    iv) edit /etc/dovecot/conf.d/10-auth.conf
        auth_mechanisms = plain login  (? Not required apparently)
        (default install only has 'plain')
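
A quick way to check that the Dovecot settings from 2.1.x ended up the way you want. This is an added example, not code from the post or from Dovecot: it greps a Debian-layout config tree (dovecot.conf plus conf.d/*.conf and *.conf.ext, an assumed layout) for plaintext auth without TLS, ssl not required, the PAM-backed 'passwd' driver, and a weak passwd-file scheme, and builds two constructed sample trees to run against.

```shell
# Added example (not from the post or Dovecot): audit a Debian-layout Dovecot tree
# for the settings the post touches: plaintext auth without TLS, ssl off, the PAM
# 'passwd' driver, and a weak passwd-file password scheme.
conf_value() {   # last uncommented "key = value" across the given files, or empty
    key="$1"; shift
    cat "$@" 2>/dev/null | sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" | sed 's/[[:space:]]*$//' | tail -n 1
}

audit_dovecot() {   # WARN lines on stderr, finding count on stdout
    dir="$1"; n=0
    set -- "$dir"/dovecot.conf "$dir"/conf.d/*.conf "$dir"/conf.d/*.conf.ext
    if [ "$(conf_value disable_plaintext_auth "$@")" = no ]; then
        echo "WARN: disable_plaintext_auth = no: passwords may cross the wire in clear" >&2; n=$((n + 1))
    fi
    case "$(conf_value ssl "$@")" in
        required) ;;
        *) echo "WARN: ssl is not 'required': IMAP/POP3 reachable without TLS" >&2; n=$((n + 1)) ;;
    esac
    # driver = passwd (system accounts via PAM) ties mail logins to shell logins
    if cat "$@" 2>/dev/null | grep -Eq '^[[:space:]]*driver[[:space:]]*=[[:space:]]*passwd[[:space:]]*$'; then
        echo "WARN: driver = passwd: mail and shell accounts share credentials" >&2; n=$((n + 1))
    fi
    # scheme=... sits inside the passwd-file 'args =' line (Debian default: CRYPT)
    scheme=$(cat "$@" 2>/dev/null | grep -E '^[[:space:]]*args[[:space:]]*=' \
        | sed -n 's/.*scheme=\([A-Za-z0-9-]*\).*/\1/p' | tail -n 1)
    case "$scheme" in
        SHA512-CRYPT|SHA256-CRYPT|BLF-CRYPT|ARGON2I|ARGON2ID) ;;
        *) echo "WARN: passwd-file scheme '${scheme:-unset}': use SHA512-CRYPT" >&2; n=$((n + 1)) ;;
    esac
    echo "$n"
}

# Constructed sample trees in the Debian layout: $1 = dir, $2 = weak | hardened
write_sample_tree() {
    mkdir -p "$1/conf.d"
    if [ "$2" = weak ]; then
        printf 'disable_plaintext_auth = no\n' > "$1/conf.d/10-auth.conf"
        printf 'ssl = no\n' > "$1/conf.d/10-ssl.conf"
        printf 'passdb {\n  driver = passwd\n}\n' > "$1/conf.d/auth-system.conf.ext"
        s=CRYPT
    else
        printf '#disable_plaintext_auth = no\ndisable_plaintext_auth = yes\n' > "$1/conf.d/10-auth.conf"
        printf 'ssl = required\nssl_cert = </etc/ssl/private/dovecot.pem\n' > "$1/conf.d/10-ssl.conf"
        s=SHA512-CRYPT
    fi
    printf 'passdb {\n  driver = passwd-file\n  args = scheme=%s username_format=%%u /etc/dovecot/users\n}\n' \
        "$s" > "$1/conf.d/auth-passwdfile.conf.ext"
}

d=$(mktemp -d); write_sample_tree "$d" weak; echo "weak tree: $(audit_dovecot "$d") finding(s)"
```

Point audit_dovecot at /etc/dovecot on the real box once the 2.1.x edits are in; the weak sample tree yields 4 findings and the hardened one 0.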

3. Get a desktop or web-based mail client. I went through a few here:
  x IlohaMail - obsolete, the whole domain is gone, even though it's still a package in
    Debian repos and written in PHP4. So, no docs. Doesn't support POP-over-SSL or other
    encrypted auth schemes due to its age; too bad, it was easy to install. -REJECTED-
  x <lots of other webmail clients, too complicated to get going> -REJECTED-
  x <RoundCube? Still need to evaluate>
  x <MailPile? Looks promising, actively developed but very incomplete. They are working
     on integrated PGP/GPG support, perhaps a post-Snowden emphasis on e2e-crypto? Hope!>
  x .. or a desktop mail client such as Thunderbird.
      Thunderbird Account Settings:
        Server Settings: Server Type: IMAP Mail Server
                         Server Name: <server hostname>
                         User Name: <username> (without @domain.tld)
                         Security Settings: Connection security: SSL/TLS
                         Authentication method: Normal password (?)
        Outgoing Server (SMTP): Description: (your choice)
                                Server Name: <smtp smarthost server hostname>
                                Port: 25 (** NOTE default is 587, won't work!)
                                Security and Authentication:
                                  Connection security: None
                                  Authentication method: No authentication
