Guide updated on 29th of February 2016

Configure courier and courier-authlib


Adapt automatically generated SSL certificate

During package installation, all the needed courier packages have been installed.

Nevertheless, the generated SSL certificates probably do not match your needs. We'll simply regenerate them.

Edit the files /etc/courier/imapd.cnf and /etc/courier/pop3d.cnf to match your settings:

[ req ]
default_bits = 4096
...
[ req_dn ]
C=BE
ST=Brussels
L=Brussels
O=Courier Mail Server
OU=POP3/IMAP SSL key
CN=Your FQDN server
emailAddress=Your e-mail address

Regenerate the certificates with the correct information and a validity period of 10 years:

rm -f /usr/lib/courier/*.pem
rm -f /etc/courier/*.pem

sed -i 's/-days 365/-days 3650/' /usr/lib/courier/mkimapdcert
sed -i 's/-days 365/-days 3650/' /usr/lib/courier/mkpop3dcert

dpkg-reconfigure courier-imap-ssl
dpkg-reconfigure courier-pop-ssl

OPTIONAL: If you want to use an official certificate (e.g. signed by the free service https://www.startssl.com/)

Start by generating your private key and your certificate request:

SERVERNAME=`hostname`
cd /etc/courier
openssl req -new -nodes -config /etc/courier/imapd.cnf -keyout $SERVERNAME.key -out $SERVERNAME.csr

Submit your certificate request file /etc/courier/YOUR_SERVER_NAME.csr to your chosen authority.

When your certificate has been signed by your chosen authority, copy the signed certificate into the file /etc/courier/YOUR_SERVER_NAME.crt, then build the combined PEM file:

cd /etc/courier
dd if=/dev/urandom of=/usr/lib/courier/imapd.rand count=1 2>/dev/null
# dhparam replaces the obsolete gendh command
/usr/bin/openssl dhparam -rand /usr/lib/courier/imapd.rand 2048 > $SERVERNAME.dh
# create the bundle with owner-only permissions from the start (it contains the private key)
(umask 077; cat $SERVERNAME.key $SERVERNAME.crt $SERVERNAME.dh > $SERVERNAME.pem)
rm -f /usr/lib/courier/imapd.rand
chmod 600 $SERVERNAME.pem

cp imapd.pem imapd-orig.pem
cp $SERVERNAME.pem imapd.pem
systemctl restart courier-authdaemon
systemctl restart courier-imap-ssl

cp pop3d.pem pop3d-orig.pem
cp $SERVERNAME.pem pop3d.pem
systemctl restart courier-pop-ssl
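
A pre-install check for the bundle built above, as an added example that is not part of the original guide: it verifies that $SERVERNAME.pem is owner-only, that the private key and the signed certificate form a pair, and that the certificate is not about to expire. The function names check_courier_pem and make_sample_bundle are hypothetical; GNU stat and the openssl command-line tool are assumed.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes GNU stat (Debian)
# and the openssl command-line tool. Function names are hypothetical.

# check_courier_pem FILE [MIN_DAYS]: returns 0 only if every check passes.
check_courier_pem() {
    pem=$1; min_days=${2:-30}; rc=0
    [ -r "$pem" ] || { echo "FAIL: cannot read $pem"; return 1; }

    # The bundle contains the private key: owner-only access.
    mode=$(stat -c '%a' "$pem")
    case $mode in
        600|400) echo "ok:   mode $mode" ;;
        *)       echo "FAIL: mode $mode (expected 600)"; rc=1 ;;
    esac

    # Key and certificate must be a pair: derive the public key from each
    # and compare. A certificate stored next to the wrong key fails here.
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || key_pub=
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || crt_pub=
    if [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]; then
        echo "ok:   private key matches certificate"
    else
        echo "FAIL: key or certificate missing, or not a matching pair"; rc=1
    fi

    # Reject a certificate that is expired or expires within MIN_DAYS days.
    if openssl x509 -in "$pem" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "ok:   certificate valid for more than $min_days days"
    else
        echo "FAIL: certificate expires within $min_days days"; rc=1
    fi

    # The guide appends DH parameters; their absence is only reported.
    grep -q 'BEGIN DH PARAMETERS' "$pem" || echo "warn: no DH parameters"
    return $rc
}

# Constructed sample input: throwaway self-signed bundle for a dry run.
# make_sample_bundle OUTFILE DAYS
make_sample_bundle() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -days "$2" -keyout "$d/k" -out "$d/c" 2>/dev/null &&
        cat "$d/k" "$d/c" > "$1" && chmod 600 "$1"
    st=$?; rm -rf "$d"; return $st
}
```

Run check_courier_pem /etc/courier/$SERVERNAME.pem before copying the bundle over imapd.pem and pop3d.pem; make_sample_bundle only builds a constructed, self-signed bundle for trying the check out.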

OPTIONAL 2: As we have an official certificate, we can also use it for STARTTLS.

This is not needed and could cause problems (especially if your certificate expires).

cp /var/qmail/control/servercert.pem /var/qmail/control/servercert-orig.pem
chown vpopmail:vchkpw /var/qmail/control/servercert-orig.pem
cp /var/qmail/control/clientcert.pem /var/qmail/control/clientcert-orig.pem
chown root:qmail /var/qmail/control/clientcert-orig.pem
cat /etc/courier/$SERVERNAME.key /etc/courier/$SERVERNAME.crt > /var/qmail/control/clientcert.pem
chown root:qmail /var/qmail/control/clientcert.pem
cat /etc/courier/$SERVERNAME.key /etc/courier/$SERVERNAME.crt > /var/qmail/control/servercert.pem
chown vpopmail:vchkpw /var/qmail/control/servercert.pem

Configure courier-authlib

Courier-authlib is the authentication library used by all the courier components.

We'll use the MySQL database used by vpopmail (which already contains the authentication info) instead of the vchkpw method used in the previous QMR guide (because it has no longer been implemented/supported since version 0.60).

Please remember the settings used in step 4; you'll need them again.

As courier-authlib and courier-authlib-mysql have been installed with Debian packages, we only have to configure them.

Edit /etc/courier/authdaemonrc and change line 27 to match the following:

authmodulelist="authmysql"

Edit /etc/courier/authmysqlrc and adapt the variables to match the following (put in the password chosen in step 4):

MYSQL_SERVER        localhost
MYSQL_USERNAME      vpopmailuser
MYSQL_PASSWORD      VPOPMAIL_PASSWORD
MYSQL_DATABASE      vpopmail

MYSQL_SELECT_CLAUSE SELECT CONCAT(pw_name, '@', pw_domain) AS username, \
            pw_passwd AS cryptpw,                                       \
            pw_clear_passwd AS clearpw,                                 \
            '89' AS uid,                                                \
            '89' AS gid,                                                \
            pw_dir AS home,                                             \
            '' AS maildir,                                              \
            pw_shell AS quota,                                          \
            pw_gecos AS fullname,                                       \
            'disablewebmail=0,disablepop3=0,disableimap=0' AS options   \
            FROM vpopmail                                               \
            WHERE                                                       \
            pw_name = '$(local_part)'                                   \
            AND                                                         \
            pw_domain = '$(domain)';

If applicable, replace 89 with the alternate UID:GID chosen in Part 1.

MYSQL_CHPASS_CLAUSE UPDATE vpopmail SET pw_clear_passwd='$(newpass)',pw_passwd='$(newpass_crypt)' WHERE pw_name='$(local_part)' AND pw_domain='$(domain)';

Restart the service to take these modifications into account:

systemctl restart courier-authdaemon
