:: Setting up University of Washington's IMAP server with SSL on RedHat 9.0 ::


Setting up University of Washington's IMAP server with SSL on RedHat 9.0
  • RedHat 9.0 ships with UW's IMAP server already installed. If you are not sure, run rpm -qil imap and check whether it prints output like the following:
    papers@mia:~/public_html/WWW> rpm -qil imap
    Name        : imap                         Relocations: (not relocateable)
    Version     : 2001a                             Vendor: Red Hat, Inc.
    Release     : 18                            Build Date: Sat 25 Jan 2003 12:02:53 AM CST
    Install Date: Mon 28 Apr 2003 03:52:16 PM CDT      Build Host: porky.devel.redhat.com
    Group       : System Environment/Daemons    Source RPM: imap-2001a-18.src.rpm
    Size        : 2384948                          License: University of Washington Free-Fork License
    Signature   : DSA/SHA1, Mon 24 Feb 2003 12:26:01 AM CST, Key ID 219180cddb42a60e
    Packager    : Red Hat, Inc. 
    URL         : http://www.washington.edu/imap/
    Summary     : Server daemons for IMAP and POP network mail protocols.
    Description :
    --SNIP--
    
  • If you don't get the above output, compile it from source, which can be downloaded from the UW-IMAP website. I followed the following steps:
    1. Edit the Makefile (imap-2004b/Makefile) so that "SSLTYPE=unix". This builds SSL support but still allows plaintext authentication on the unencrypted port 143. The stricter setting is "SSLTYPE=nopwd", which refuses plaintext passwords unless SSL/TLS is in effect; use it if nothing on your network needs to log in over port 143 in the clear.
    2. make lrh (the Makefile target for RedHat Linux).
    3. cp imap-2004b/imapd/imapd /usr/sbin
    4. put the following lines in /etc/pam.d/imap
    #%PAM-1.0
    auth       required     pam_stack.so service=system-auth
    account    required     pam_stack.so service=system-auth
    
    5. put the following lines in /etc/xinetd.d/imaps
    # default: off
    # description: The IMAPS service allows remote users to access their mail \
    #              using an IMAP client with SSL support such as Netscape \
    #              Communicator or fetchmail.
    service imaps
    {
            disable = no
            socket_type             = stream
            wait                    = no
            user                    = root
            server                  = /usr/sbin/imapd
            log_on_success  += HOST DURATION
            log_on_failure  += HOST
    }
    
    6. service xinetd restart
    
    
  • For this to work, you need a certificate signed by a Certification Authority that your mail clients trust. Steps to create your own CA are given here, along with the steps for generating your own certificate and getting it signed by that CA.
    From here onwards, I am assuming that you have generated your private key (testkey.pem) and received a signed certificate from the CA (testcert.cert).

    Remember that your private key must not be encrypted with a passphrase: imapd is started by xinetd and has no way to prompt for one. File permissions are therefore the only protection the key has, which is why the permissions step below matters.
  • Rename testkey.pem to imapd.pem and append the contents of testcert.cert to imapd.pem, so that the file holds the private key first and the certificate after it. The following commands can be used for this.
    #>mv testkey.pem imapd.pem
    #>cat testcert.cert >> imapd.pem
    
    The imapd.pem file should look like this.
    [papers@mia certs]# cat imapd.pem 
    -----BEGIN RSA PRIVATE KEY-----
    MIICXAIBAAKBgQDDOuybkZS3rWC/q+xHv3NSM5aa6b19Ce5VMuMWjV5N/upA9nsE
    uUk3lRoe41CjzmA18e2ViqFz+0ZEqPcR6vuwU8IFEDhR4U9lVWB2W6aN6qcwm7hb
    --SNIP--
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIDJDCCAgygAwIBAgIBDTANBgkqhkiG9w0BAQQFADCBqzE9MDsGA1UEAxM0Q2Vy
    dGlmaWNhdGUgQXV0aG9yaXR5IENyZWF0ZWQgYnkgU2hhc2hhbmsgS2hhbnZpbGth
    cjERMA8GA1UECBMISWxsaW5vaXMxCzAJBgNVBAYTAlVTMSMwIQYJKoZIhvcNAQkB
    FhRzaGFzaGFua0BldmwudWljLmVkdTElMCMGA1UEChMcUm9vdCBDZXJ0aWZpY2F0
    aW9uIEF1dGhvcml0eTAeFw0wMzA3MTQyMTUwNTFaFw0wNTA2MTMyMTUwNTFaMHQx
    --SNIP--
    -----END CERTIFICATE-----
    
  • Now copy the imapd.pem file to /usr/share/ssl/certs. Initially I did not know the location of this file, but then I tried telnetting to the imaps port and checked the error message in /var/log/messages. To find the port use:
    papers@mia:~/public_html/WWW> egrep "imap" /etc/services
    imap            143/tcp         imap2           # Interim Mail Access Proto v2
    imap            143/udp         imap2
    imap3           220/tcp                         # Interactive Mail Access
    imap3           220/udp                         # Protocol v3
    imaps           993/tcp                         # IMAP over SSL
    imaps           993/udp                         # IMAP over SSL
    
  • Make sure that imapd.pem has the right permissions, as below. It contains the unencrypted private key, so it must be owned by root (xinetd starts imapd as root) and readable by nobody else:
    [papers@mia certs]# ls -al
    total 524
    -rw-------    1 root     root         2038 Jul 14 17:18 imapd.pem
    lrwxrwxrwx    1 root     root            9 Jul 14 17:54 ipop3d.pem -> imapd.pem
    
    NOTE how I have created a link for ipop3d.pem. This is what enables the secure POP3 service: ipop3d reads ipop3d.pem from the same directory, so both daemons use the one key and certificate.
  • Now update the server information in Outlook Express. For this, follow these steps: That's it! Now refresh your mail and it will be fetched over an encrypted connection. The client has to be pointed at port 993 with SSL enabled, and it must trust the CA that signed the certificate, otherwise it will warn about the certificate on every connection.
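The PEM assembly and permission steps above, as an added shell example that is not part of the original page: it refuses a passphrase-protected key, confirms that the certificate was actually issued for that key by comparing the RSA moduli, writes the key-then-certificate file closed to everyone but its owner, creates the ipop3d.pem link, and adds a check_imaps function that verifies the running service against your CA instead of just telnetting to the port. It assumes a POSIX sh and the openssl command-line tool; the working directory, the host name mia.example.test, the cacert.pem name in the usage comment, and all key material are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page: assemble and check the imapd.pem
# that UW imapd reads from its certs directory. Assumes a POSIX sh and the
# openssl command-line tool; file names and test material are constructed.
set -eu

# assemble_imapd_pem KEY CERT OUT
# Writes OUT as private key followed by certificate, the order the page shows.
# Returns 1 if KEY is passphrase-protected, 2 if CERT was not issued for KEY.
assemble_imapd_pem() {
    key=$1; cert=$2; out=$3
    # imapd is started by xinetd and cannot prompt for a passphrase. Both the
    # PKCS#1 ("Proc-Type: 4,ENCRYPTED" header) and PKCS#8 ("BEGIN ENCRYPTED
    # PRIVATE KEY") forms of an encrypted key contain this word.
    if grep -q ENCRYPTED "$key"; then
        echo "refusing $key: private key is passphrase-protected" >&2
        return 1
    fi
    # A certificate issued for some other key only fails at handshake time;
    # compare the RSA moduli before anything is installed.
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || kmod=""
    cmod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || cmod=""
    if [ -z "$kmod" ] || [ "$kmod" != "$cmod" ]; then
        echo "refusing $cert: not issued for the key in $key" >&2
        return 2
    fi
    # The key is unencrypted, so create the file already closed to others
    # (umask in a subshell so the caller's umask is untouched).
    ( umask 077; cat "$key" "$cert" > "$out" )
    chmod 600 "$out"
    # xinetd starts imapd as root, so root owns the file (only when run as root).
    [ "$(id -u)" -eq 0 ] && chown root:root "$out"
    # ipop3d looks for ipop3d.pem in the same directory; share the one file.
    ln -sf "$(basename "$out")" "$(dirname "$out")/ipop3d.pem"
}

# pem_blocks FILE: the BEGIN labels in FILE, in order, on one line.
pem_blocks() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | paste -s -d ' ' -
}

# check_imaps HOST CAFILE: unlike telnet to port 993, this confirms that the
# running service presents a certificate that validates against your CA.
check_imaps() {
    openssl s_client -connect "$1:993" -CAfile "$2" </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}

# Constructed test material standing in for testkey.pem and the CA-signed
# testcert.cert: a throwaway key with a self-signed certificate, plus a
# passphrase-protected key and an unrelated key for the two refusal paths.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=mia.example.test \
    -keyout "$WORK/testkey.pem" -out "$WORK/testcert.cert" >/dev/null 2>&1
openssl genrsa -aes256 -passout pass:secret -out "$WORK/enckey.pem" 2048 >/dev/null 2>&1
openssl genrsa -out "$WORK/otherkey.pem" 2048 >/dev/null 2>&1

assemble_imapd_pem "$WORK/testkey.pem" "$WORK/testcert.cert" "$WORK/imapd.pem"
echo "installed $WORK/imapd.pem ($(pem_blocks "$WORK/imapd.pem"))"
# On the real server: cp "$WORK/imapd.pem" /usr/share/ssl/certs/ and then
#   check_imaps mia cacert.pem
```

The modulus comparison is the check the author's telnet test cannot give you: a key and certificate that do not belong together still produce a well-formed imapd.pem, and the failure only appears when a client connects. check_imaps is meant to be run once the service is up; it exits 0 only when s_client validates the chain against the CA file you pass in.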