March 10, 2009
At times it may seem like overkill to have your own webmail set-up. But if you are uncomfortable with others peering at your mail and then thrusting ads in front of your face, this is the way to go.
Of course, one can always argue, if you have nothing to hide, why are you bothered about others reading your mail? To that I would answer, I like my privacy.
Setting up SquirrelMail is not difficult: you have standards-compliant, world-class software for every single step. Most of what I have written below is taken from this guide.
I used Postfix, a mail transfer agent written by well-known free software hacker Wietse Venema. It is not the default on Debian but can be easily installed.
Other software used: Dovecot is a POP3 and IMAP server; SquirrelMail is a webmail package; and SASL is used for secure authentication.
On Debian, you can install software pretty easily:
apt-get install postfix postfix-tls libsasl2 sasl2-bin libsasl2-modules
Answer the installation questions for Postfix and remember that you can always add more options manually. The main configuration file for Postfix is /etc/postfix/main.cf, and all you have to do after adding options is reload the service:
postfix reload
Next install dovecot:
apt-get install dovecot-imapd dovecot-pop3d dovecot-common
Edit the Dovecot configuration file (/etc/dovecot/dovecot.conf):
# specify protocols = imap imaps pop3 pop3s
protocols = pop3 imap
# uncomment this and change to no (this allows plaintext logins on connections without SSL/TLS)
disable_plaintext_auth = no
pop3_uidl_format = %08Xu%08Xv
Now, create a user to test the POP3 mail with Outlook:
# adduser user_name
Restart Dovecot using the following command:
# /etc/init.d/dovecot restart
Test mail from the command line as follows (the SMTP commands HELO, MAIL, RCPT, DATA, the message text and QUIT are what I typed; the rest are responses from the server):
sam@zizyphus:~$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 zizyphus.gnubies.com ESMTP Exim 4.69 Thu, 11 Dec 2008 23:12:45 +1100
HELO zizyphus.gnubies.com
250 zizyphus.gnubies.com Hello sam at localhost [127.0.0.1]
MAIL From:xxx@gnubies.com
250 OK
RCPT To:xxx@gnubies.com
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Hello there. This is a test message
.
250 OK id=1LAkQT-0000sj-8v
QUIT
221 zizyphus.gnubies.com closing connection
Connection closed by foreign host
SASL + TLS (Simple Authentication and Security Layer with Transport Layer Security) is used mainly to authenticate users before they send email to an external server, thus restricting access. If you allow everyone to relay, your server becomes a prime candidate for spam senders.
SMTP authentication is set up using Postfix and Dovecot.
Edit the Postfix configuration file /etc/postfix/main.cf and enter the following lines to enable authentication of users:
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = yourdomain.com
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous
Postfix runs in a chroot jail, so it can't reach the saslauthd socket in /var/run/saslauthd. Move the socket directory inside the chroot and link it back:
# rm -r /var/run/saslauthd/
# mkdir -p /var/spool/postfix/var/run/saslauthd
# ln -s /var/spool/postfix/var/run/saslauthd /var/run
# chgrp sasl /var/spool/postfix/var/run/saslauthd
# adduser postfix sasl
On the Dovecot side, one has to specify the Dovecot authentication daemon socket.
Edit /etc/dovecot/dovecot.conf.
Look for the line that starts with auth default; before that, insert the lines below:
auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
Restart components of the mail server:
# /etc/init.d/saslauthd restart
# /etc/init.d/postfix restart
# /etc/init.d/dovecot restart
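A small audit of the main.cf settings above, as an added example that is not part of the original post: it parses main.cf text and reports a relay rule that a bare permit would bypass, anonymous SASL, and AUTH offered outside TLS. Both sample configs are constructed; smtpd_tls_auth_only is a real Postfix parameter that the post does not set, and only smtpd_recipient_restrictions (the parameter the post uses) is examined.

```python
import re

# Constructed input 1: exactly the four main.cf lines shown in the post.
PAGE_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = yourdomain.com
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous
"""
# Constructed input 2: a hypothetical bad edit (bare "permit", anonymous SASL allowed).
BAD_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit,
    reject_unauth_destination
smtpd_sasl_security_options = noplaintext
smtpd_tls_auth_only = yes
"""

def parse_main_cf(text):
    """Return {name: value}; skips '#' comments, joins indented continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name is not None:
            params[name] = (params[name] + " " + line.strip()).strip()
        elif "=" in line:
            name, value = (s.strip() for s in line.split("=", 1))
            params[name] = value
    return params

def audit(text):
    """Return finding codes for the relay and SASL settings in main.cf text."""
    p, findings = parse_main_cf(text), []
    rules = [r for r in re.split(r"[,\s]+", p.get("smtpd_recipient_restrictions", "")) if r]
    # First match wins, so a bare "permit" ahead of reject_unauth_destination relays for anyone.
    cutoff = rules.index("reject_unauth_destination") if "reject_unauth_destination" in rules else len(rules)
    if cutoff == len(rules) or "permit" in rules[:cutoff]:
        findings.append("relay-not-restricted")
    if p.get("smtpd_sasl_auth_enable") == "yes":
        opts = p.get("smtpd_sasl_security_options", "noanonymous")  # Postfix default
        if "noanonymous" not in re.split(r"[,\s]+", opts):
            findings.append("anonymous-sasl")
        # plain/login carry the password unencrypted unless AUTH is TLS-only.
        if p.get("smtpd_tls_auth_only", "no") != "yes":
            findings.append("auth-without-tls")
    return findings
```

Run against the post's own four lines, audit() reports auth-without-tls: with mechanisms = plain login, passwords cross the network unencrypted unless AUTH is restricted to TLS sessions.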
First install apache2 with PHP support, then SquirrelMail:
# apt-get install apache2
# apt-get install libapache2-mod-php5 php5-cli php5-common php5-cgi
# apt-get install squirrelmail
The SquirrelMail configuration file is located in /etc/squirrelmail/.
# /usr/sbin/squirrelmail-configure
Edit the Apache configuration file /etc/apache2/apache2.conf and insert the following line:
Include /etc/squirrelmail/apache.conf
Restart the web server using the following command:
# /etc/init.d/apache2 restart
Access your webmail using the following link:
https://<yourdomain or server ip>/squirrelmail
You need to generate a certificate and a key:
mod-ssl-makecert
Add the following to the apache.conf file for SquirrelMail:
vim /etc/squirrelmail/apache.conf
Add the following:
<VirtualHost ex.ter.nal.ip:443>
  <IfModule mod_ssl.c>
    DocumentRoot /usr/share/squirrelmail
    ServerName <your_fqdn>
    SSLEngine on
    SSLCertificateFile /etc/apache/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache/ssl.key/server.key
  </IfModule>
</VirtualHost>
You need to add the following in the Apache ports.conf file:
Listen ex.ter.nal.ip:80
Listen ex.ter.nal.ip:443
Restart apache:
# /etc/init.d/apache2 restart
Then test and see if apache is listening on port 443:
netstat -na | less
Or you can use this command:
openssl s_client -connect <your_server_ip:443>
You can log into your SquirrelMail by going to https://your.fqdn/squirrelmail