Configure courier and courier-authlib
Adapt automatically generated SSL certificate
During package installation, all the needed courier packages have been installed.
Nevertheless, the generated SSL certificates probably do not match your needs, so we'll simply regenerate them.
Edit the files /etc/courier/imapd.cnf and /etc/courier/pop3d.cnf to match your settings:
default_bits = 4096
...
[ req_dn ]
C=BE
ST=Brussels
L=Brussels
O=Courier Mail Server
OU=POP3/IMAP SSL key
CN=Your FQDN server
emailAddress=Your e-mail address
Regenerate the certificates with the correct information and a validity period of 10 years:
rm -f /etc/courier/*.pem
sed -i 's/-days 365/-days 3650/' /usr/lib/courier/mkimapdcert
sed -i 's/-days 365/-days 3650/' /usr/lib/courier/mkpop3dcert
dpkg-reconfigure courier-imap-ssl
dpkg-reconfigure courier-pop-ssl
OPTIONAL: If you want to use an official certificate (e.g. signed by the free service https://www.startssl.com/)
Start by generating your private key and your certificate request:
cd /etc/courier
# SERVERNAME must hold your server name (YOUR_SERVER_NAME in the file names below)
SERVERNAME=YOUR_SERVER_NAME
openssl req -new -nodes -config /etc/courier/imapd.cnf -keyout $SERVERNAME.key -out $SERVERNAME.csr
Submit your certificate request file /etc/courier/YOUR_SERVER_NAME.csr to your chosen authority.
When your certificate has been signed by your chosen authority, copy the signed certificate into the file /etc/courier/YOUR_SERVER_NAME.crt
dd if=/dev/urandom of=/usr/lib/courier/imapd.rand count=1 2>/dev/null
/usr/bin/openssl gendh -rand /usr/lib/courier/imapd.rand 2048 > $SERVERNAME.dh
cat $SERVERNAME.key $SERVERNAME.crt $SERVERNAME.dh > $SERVERNAME.pem
rm -f /usr/lib/courier/imapd.rand
chmod 600 $SERVERNAME.pem
cp imapd.pem imapd-orig.pem
cp $SERVERNAME.pem imapd.pem
systemctl restart courier-authdaemon
systemctl restart courier-imap-ssl
cp pop3d.pem pop3d-orig.pem
cp $SERVERNAME.pem pop3d.pem
systemctl restart courier-pop-ssl
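Before the assembled $SERVERNAME.pem replaces imapd.pem and pop3d.pem, it is worth confirming that the signed certificate belongs to the private key, that it is not close to expiry, and that the file is not readable by other users. The shell function below is an added example, not part of the original guide; the name check_bundle and the default 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check a combined Courier
# PEM file (private key + certificate, optionally DH parameters) before it
# replaces imapd.pem or pop3d.pem.
# Usage: check_bundle FILE [MIN_DAYS]   (the default of 30 days is an assumption)
check_bundle() {
    pem=$1
    min_days=${2:-30}

    [ -r "$pem" ] || { echo "FAIL: cannot read $pem"; return 1; }

    # The file contains the private key, so group and other must have no
    # access at all (the guide sets mode 600).
    perms=$(ls -ld "$pem" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "FAIL: $pem is accessible to group/other"; return 1; }

    # Public key derived from the private key stored in the bundle.
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) ||
        { echo "FAIL: no usable private key in $pem"; return 1; }

    # Public key embedded in the certificate stored in the bundle.
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: no usable certificate in $pem"; return 1; }

    # A certificate placed next to the wrong key makes every TLS handshake fail.
    [ "$key_pub" = "$crt_pub" ] ||
        { echo "FAIL: certificate does not match private key"; return 1; }

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 ||
        { echo "FAIL: certificate expires within $min_days days"; return 1; }

    # The guide appends DH parameters; report (without failing) if they are absent.
    grep -q 'BEGIN DH PARAMETERS' "$pem" || echo "NOTE: no DH parameters in $pem"

    echo "OK: $pem ($(openssl x509 -in "$pem" -noout -enddate))"
}
```

Run it as check_bundle /etc/courier/$SERVERNAME.pem before the cp steps, and again periodically to catch an approaching expiry date.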
OPTIONAL 2: As we have an official certificate, we can also use it for STARTTLS.
This is not needed and could cause problems (especially if your certificate expires).
cp /var/qmail/control/servercert.pem /var/qmail/control/servercert-orig.pem
chown vpopmail:vchkpw /var/qmail/control/servercert-orig.pem
cp /var/qmail/control/clientcert.pem /var/qmail/control/clientcert-orig.pem
chown root:qmail /var/qmail/control/clientcert-orig.pem
cat /etc/courier/$SERVERNAME.key /etc/courier/$SERVERNAME.crt > /var/qmail/control/clientcert.pem
chown root:qmail /var/qmail/control/clientcert.pem
cat /etc/courier/$SERVERNAME.key /etc/courier/$SERVERNAME.crt > /var/qmail/control/servercert.pem
chown vpopmail:vchkpw /var/qmail/control/servercert.pem
Configure courier-authlib
Courier-authlib is the authentication library used by all the courier components.
We'll use the MySQL database used by vpopmail (which already contains the authentication info) instead of the vchkpw method used in the previous QMR guide (because it has no longer been implemented/supported since version 0.60).
Please remember the settings used in step 4; you'll need to use them again.
As courier-authlib and courier-authlib-mysql have been installed from Debian packages, we only have to configure them.
Edit /etc/courier/authdaemonrc and change line 27 to match the following:
Edit /etc/courier/authmysqlrc and adapt the variables to match the following (use the password chosen in step 4):
MYSQL_SERVER localhost
MYSQL_USERNAME vpopmailuser
MYSQL_PASSWORD VPOPMAIL_PASSWORD
MYSQL_DATABASE vpopmail
MYSQL_SELECT_CLAUSE SELECT CONCAT(pw_name, '@', pw_domain) AS username, \
pw_passwd AS cryptpw, \
pw_clear_passwd AS clearpw, \
'89' AS uid, \
'89' AS gid, \
pw_dir AS home, \
'' AS maildir, \
pw_shell AS quota, \
pw_gecos AS fullname, \
'disablewebmail=0,disablepop3=0,disableimap=0' AS options \
FROM vpopmail \
WHERE \
pw_name = '$(local_part)' \
AND \
pw_domain = '$(domain)';
If necessary, replace 89 with the alternate UID:GID chosen in Part 1.
MYSQL_CHPASS_CLAUSE UPDATE vpopmail SET pw_clear_passwd='$(newpass)',pw_passwd='$(newpass_crypt)' WHERE pw_name='$(local_part)' AND pw_domain='$(domain)';
Restart the service to take those modifications into account.