Categories
Exim exim4 IMAP ldap Linux ssl Uncategorized

Hooking WP7 to exim4 and dovecot with SSL

Okay, so I go this new phone which allows me to access my gmail and hotmail accounts – I have a lot of e-mails. Part of the problem with my frazzled brain is that I setup a lot of different e-mails

Setting up Dovecot

Dovecot was remarkably simple to setup and get the authentication working. A quick follow of these instructions got the SSL connection to my phone working. I was even able to reuse my self-signed certificate which I use for other services on the same CNAME.

Setting up Exim SSL

Exim has two levels here. One is TLS/SSL setup and other is authentication. I first started with SSL to encrypt the content and authentication information. Seems obvious doesn’t it?

My system is a Ubuntu(Debian) system using the single file configuration. I find this far easier to manage.

This is where I ran into my first issue. A follow of these instructions did not fully enable the  connection with the phone.  The Exim log indicated repeated problems with the TLS connection. Not so easy after all.

Reasearch indicates that some e-mail clients are unable to use the new STARTTLS syntax and instead used a immediate jump into SSL. I would be miffed if that was the case with the Windows Phone client. I set about trying it anyway.

Exim has the setting

 tls_on_connect_ports = 465 

This initiates the SSL connection from the start. This did not work either giving other errors. It appeared that my SSL certificates were not compatible with Exim – even though they worked fine with dovecot. (see above)

However even after I used the certificate generation tool

 exim-gencert 

I still received the same errors. This was beyond my meagre skills. So I moved on, perhaps another day I will find the answer.

Setting up Exim Auth

This part of the setup was very much easier, but sorting out the Debian single file setup was a bit of fun. Not really.

As I use LDAP for authentication and mapping of the virtual e-mail addresses the basic Exim – Debian setup was required to be changed. Below is what I used and is pretty self explanatory.

plain: 
 driver = plaintext
 public_name = PLAIN
 server_condition = ${if ldapauth{user="uid=${quote_ldap_dn:$2},PEOPLE_BASEDN" pass=${quote:$3} \
 ldap://localhost/} {yes}{no}}
 server_set_id = $2

login:
 driver = plaintext
 public_name = LOGIN
 server_prompts = Username:: : Password::
 server_condition = ${if and{ {!eq{}{$1} }\
 {ldapauth{user="uid=${quote_ldap_dn:$1},PEOPLE_BASEDN" pass=${quote:$2} \
 ldap://localhost/} }} \
 {yes}{no}}
 server_set_id = $1 

Note that the PLAIN authenticator does not have prompts and that the userid is $2, because $1 is and unique ID passed through, but often not used. As well there is no empty check for userid – like there is with the LOGIN. This seemed to cause errors.

Summary

I can now read and send e-mails from my phone which is great. While the send cannot use SSL for now, this is something I hope to find an answer for.

One last issue is that the phone client likes to store outgoing e-mails in the Sent Items folder and trash in Deleted Items. This is not the standard setup that Outlook and client use so I will show you how to fix that in my next post.

Categories
dovecot e-mail errors file permissions IMAP shared folders

Finally think I’ve got Dovecot sorted (I think!)

In the last blog I wrote on – at some length I might add – about setting up public shared folders in Dovecot and about just how hard that is! There are some annoyances with Dovecot, but that’s the evolution of something free (the old “you get what you pay for” line). I haven’t tried Dovecot 2.0 yet. Perhaps in 18 months when the next LTS of Ubuntu is available I’ll get there.

After getting the basics of the configuration working I set out to start using and testing the setup. What I found initially is that Dovecot will use the root folder permissions as the permissions for manipulating files. This is particularily problematic when sharing folders as typically you need to enable group permissions. Eg:


rwx----- user mail .
rwxrwx-- user Pubmail .

In the dovecot error log, or just in mail.err, you’ll see plenty of informative error messages about fchown, dotlock etc.. and in there will be information about the group being used Eg:


dovecot: IMAP(infocss): fchown(/home/infocss/Mail/subscriptions.lock, -1, 8(mail)) failed: Operation not permitted (egid=513(Domain Users), group based on /home/infocss/Mail)

In this case you can see that it used the permissions of the group to perform the operation and this failed. That group doesn’t have the permissions – from Dovecot – to perform that operation.

The only way I have found to “fix” this is to allow additional groups to have privileged permissions within Dovecot. This is in addition to the group permissions you need on the files – though I must add that I haven’t tried reducing the file permissions. I’m afraid of breaking something that works!

To do this you need to modify a line in the config file, as described in the Dovecot Wiki.


...
mail_access_groups = Group1,Group2
...

The wiki, while telling you that you can have multiple groups here, doesn’t tell you whether the line is comma delimiter or space delimited. It is comma delimited.

That should get your public shared boxes working. Though I still wonder how this setup will work with use shared boxes. I still had tremendous problems with that.

In the last post I pondered about the ACL and how group will work there. Dovecot only really recognises a user’s primary group but not supplementary ones. The “workaround” to this, and to get ACLs really working is to use Post Login Scripting. This is thankfully explained here.

I haven’t tried this. Presumably the script can be put in an appropriate place – /usr/local/bin ??

The guys at Chameeya now have full access to the info e-mail box to answer and respond to customer enquiries.

Categories
dovecot e-mail IMAP Linux permissions shared folders

Shared folders in dovecot (aka how to hide useful information)

Along with the installation of squirrelmail in the office it became inconvenient for people to monitor the public e-mail addresses of the business. You know the info@companyname.com and support@companyname.com through the web interface. The user would have to log out and then in with the shared account – annoying.

In most IMAP systems where is a way to implement shared folders so user’s can stored documents or monitor public e-mail accounts. For example you have a public support or sales account and you’d like the entire team or company access to these e-mails.

I use dovecot IMAP server v 1.2.9 which came with Ubuntu 10.04. The latest version is 2.0 but Ubuntu 10.04 is not using it yet. These instructions may apply to 1.2+ but you’d be best going to the dovecot wiki instead. As well I tried the shared folders setup but I had all sorts of permissions issues and one issue with the shared dict file which I could not resolve so I gave up. I assume it is a bug.

Firstly I am sharing a user’s account e-mail and as stated above. This would have been the right way to do this, but I could not get it work.

First make a backup of the dovecot.conf file



cd /etc/dovecot
cp dovecot.conf dovecot.conf.bak

Then open the dovecot.conf file using your favorite editor and scroll down to find the following section



# REMEMBER: If you add any namespaces, the default namespace must be added
# explicitly, ie. mail_location does nothing unless you have a namespace
# without a location setting. Default namespace is simply done by having a
# namespace with empty prefix.
#namespace private {
# Hierarchy separator to use. You should use the same separator for all
# namespaces or some clients get confused. '/' is usually a good one.
# The default however depends on the underlying mail storage format.
#separator =

This is the default in dovecot, there is no namespaces at all. To implement a public (or shared) namespace, you will NEED to implement the private namespace. To do this uncomment the appropriate lines so that the following are set:



namespace private {
separator = /
prefix =
inbox = yes
subscriptions = yes
}

Don’t worry about the commented lines. Leave them in there, these are the only lines you need to change.

Now you need to add in the public namespace for the public folders to sit underneath. Note that I couldn’t get this work directly to a e-mail folder. I’ll get into what I did below along with the messy filesystem permissions and ACLs.



namespace public {
separator = /
prefix = Public/
location = maildir:/var/mail/Public
subscriptions = no
hidden = no
list = children
}

So this is a public namespace, the choices are private, shared and public. The separator, for subscriptions and e-mail clients is ‘/’ which is the most common. In the subscriptions list the prefix for this mail boxes is ‘Public’. The public folder is located at /var/mail/Public. The subscriptions are handled by the ‘parent’ namespace ie: the user’s subscription list. This is probably what you want. And the Public folder is only listed if there are folders underneath being shared. Note that the actual path /var/mail/Public is just a container for the maildir folders underneath. The wiki for dovecot give more information on your choices here.

Then you’ll need to add in two more lines to enable the ACL which will allow you to restrict/enable access to the shared mailboxes to the specific users you want.



protocol imap {
...
mail_plugins = acl imap_acl
}
...
plugin {
...
acl = vfile
}

Now things are setup in the imap server, but don’t restart it yet! Now we need to get the filesystem and acl files right.

I then create the folder and shared subfolders.



cd /var/mail
mkdir Public
chgrp mail Public
touch dovecot-acl

I then symlink in the maildir folder I want users to have access to. I did this because the account already existed and I didn’t want to effect any symlinks in the system pointing (and delivering e-mail) to this folder.



ln -s infobox ./Public/.info

Now I need to give users access the Public folder – but not yet the subfolders. The wiki misses some important points here. Firstly you need to allow users to read/list the public folder. I do this by editing the dovecot-acl file and allowing anyone read access



cd Public
nano dovecot-acl

add the following line



anyone lr

You need the put the same file in the maildir folders (not the cur/new/tmp folders) and any subfolders you want users to access. The wiki gives good explanation of what goes in the acl mine looked like



user=me keilrswtx
owner akxeilprwts

I could not get the group option working. Though I think if you read this then usage of the mail_access_groups flag may fix it. I haven’t tried it.

Now the last bit is to give the correct file permissions for access. I did this with file system acl (using setfacl and getfacl). I won’t get into the details here as they are well documented in many places.

This is what I did.



cd /var/mail/Public
chmod o+rx .
setfacl -dm g:GRP:rwx .info
cd .info
setfacl -dm g:GRP:rwx cur
setfacl -dm g:GRP:rwx new
setfacl -dm g:GRP:rwx tmp
setfacl -m g:GRP:rw cur/*
setfacl -m g:GRP:rw new/*
setfacl -m g:GRP:rw tmp/*

Now I can restart the dovecot server



service dovecot restart

Using my e-mail client I can see and subscribe to the public folders and read the e-mails.

Job done!