Penn Computing

POP and IMAP Service (Secured with SSL) Installation Instructions

This document describes how to install POP and IMAP service on Penn UNIX servers using the University of Washington's popular, open-source IMAP server software, with the connection secured by Secure Sockets Layer (SSL) encryption.

Prerequisites

  1. Install the latest version of OpenSSL from http://www.openssl.org/. Consider whether to build it with the "no-mdc-2 no-idea no-rc5" options, because these ciphers are still patented.

Obtain and unpack the software

  1. Download the most current imap source distribution, to which this URL always points:

    ftp://ftp.cac.washington.edu/mail/imap.tar.Z

  2. Unpack the imap distribution and move to the directory it creates. The directory name will be "imap-", the release year, a letter if a minor revision, and a distribution status:

    zcat imap.tar.Z | tar xvf -
    cd imap-2002.RC2

Compile and install the software

  1. Before compiling the software, look at the file 'Makefile' to determine the 3-letter code for your platform type. Use this code with 'make' in step 2. For example, in the case of FreeBSD the code is 'bsf'.

  2. Compile the software with the 3-letter code for your platform. Using the previous example, you would issue this command to allow only Kerberized authentication:

    make bsf EXTRADRIVERS= EXTRAAUTHENTICATORS=gss PASSWDTYPE=nul

    To allow traditional authentication in addition to Kerberized authentication, use the following "make" command instead:

    make bsf EXTRADRIVERS= EXTRAAUTHENTICATORS=gss
    

  3. To enable SSL protection, either in conjunction with Kerberos or alone, see docs/SSLBUILD in the distribution and compile with SSL support. One point there is important: before compiling and installing the IMAP/POP package with SSL/TLS, you must first:

    • Install OpenSSL;

    • Obtain and install a host certificate from a certificate authority such as Thawte (with whom Penn may have a purchasing agreement -- still TBD) and

    • Install the certificate authority certificates found in the SSL distribution directory after building OpenSSL.

    An example of a command to compile with SSL (in this case also allowing Kerberos authentication) is:

    make bsf EXTRADRIVERS= EXTRAAUTHENTICATORS=gss SSLTYPE=nopwd
                  

  4. Install the binaries and manual pages according to the install instructions and local standards. For example:

    cp imapd/imapd /usr/local/sbin/imapd
    cp src/imapd/imapd.8c /usr/local/man/man8/imapd.8
    cp ipopd/ipop3d /usr/local/sbin/ipop3d
    cp src/ipopd/ipopd.8c /usr/local/man/man8/ipop3d.8

    (If also supporting Kerberos authentication, create principals and keytabs for POP and IMAP at this point.)

  5. Make sure /etc/services has the following entries for POP and IMAP service:

    imap 143/tcp
    pop3 110/tcp

  6. Insert entries for the servers into /etc/inetd.conf for POP and IMAP:

    imap stream tcp nowait root /usr/local/sbin/imapd imapd
    pop3 stream tcp nowait root /usr/local/sbin/ipop3d ipop3d

    Note:

    The service name (the first word in each inetd.conf line) must match the service names specified in the /etc/services file in step 5.

    If your system uses xinetd (http://www.xinetd.org) instead of inetd, consult your documentation for configuration particulars.

    If you use firewalls, tcp-wrappers or other restrictions on access, be sure to modify firewall or tcp-wrappers rules to allow the new services.

  7. Restart 'inetd' using the appropriate procedure for the system. (On most machines, send a SIGHUP signal to the inetd process.)
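
The note under step 6 requires the service names in inetd.conf to match those in /etc/services. As an added example (not part of the original instructions), the shell function below reports inetd.conf entries that have no matching definition; the function name missing_services and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original instructions.
# missing_services SERVICES_FILE INETD_FILE
# Prints "name/proto" for each inetd.conf entry that has no matching entry
# in the services file; returns 0 when every entry matches, 1 otherwise.
missing_services() {
    awk '
        { sub(/#.*/, "") }                 # drop comments in both files
        NR == FNR {                        # first file: services
            if (NF >= 2) {
                split($2, pp, "/")         # pp[1] = port, pp[2] = protocol
                known[$1 "/" pp[2]] = 1
                for (i = 3; i <= NF; i++)  # aliases are valid names too
                    known[$i "/" pp[2]] = 1
            }
            next
        }
        NF >= 6 {                          # second file: inetd.conf
            proto = $3
            sub(/[46]+$/, "", proto)       # tcp4/tcp6/tcp46 -> tcp
            key = $1 "/" proto
            if (!(key in known)) { print key; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample files (not real system files) for a quick run.
demo_dir=$(mktemp -d)
cat > "$demo_dir/services" <<'EOF'
pop3    110/tcp   pop-3     # Post Office Protocol v3
imap    143/tcp   imap2     # Interactive Mail Access Protocol
EOF
cat > "$demo_dir/inetd.conf" <<'EOF'
# "imap4" is not defined above, so inetd would not start that service
imap4 stream tcp nowait root /usr/local/sbin/imapd  imapd
pop3  stream tcp nowait root /usr/local/sbin/ipop3d ipop3d
EOF
missing=$(missing_services "$demo_dir/services" "$demo_dir/inetd.conf") || true
echo "inetd entries without a services definition: ${missing:-none}"
```

On a real host, call it as missing_services /etc/services /etc/inetd.conf before restarting inetd in step 7.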


Information Systems and Computing
University of Pennsylvania