We will see how to install the courier-mta mail server with the IMAP connector. We will also see how to secure it with SSL encryption.
root@host:~# apt-get install gamin courier-mta-ssl courier-imap-ssl courier-mta
Note: Gamin is needed to enable IMAP IDLE.
We set up the authentication type in the /etc/courier/authdaemonrc file :
authmodulelist="authuserdb"
Here the authentication data will be put inside a BerkeleyDB format file.
To avoid creating one system user account per mail user, we use a single generic user, vmail, which will own every mailbox.
root@host:~# useradd -u 7200 -m -s /bin/bash vmail
root@host:~# passwd vmail
Or :
root@host:~# useradd -u 7200 --system -s /bin/bash vmail
Now we can create a folder in which we will put the credentials of every user of our domain.
root@host:~# mkdir /etc/courier/userdb ; chmod 700 /etc/courier/userdb
root@host:~# userdb -f /etc/courier/userdb/domain1 user1@domain1 \
    set home=/home/vmail/domain1/user1 uid=7200 gid=7200
root@host:~# userdbpw -md5 | userdb -f /etc/courier/userdb/domain1 user1@domain1 set systempw
root@host:~# userdbpw -hmac-sha1 | \
    userdb -f /etc/courier/userdb/domain1 user1@domain1 set hmac-sha1pw
Now we have to create the Maildir folder for the user.
For example inside /data/vmail.
root@host:~# chown vmail:vmail /data/vmail/
Set permissions on /data/vmail/domain:
As vmail user, we create the user Maildir folder :
root@host:~# su -s /bin/bash - vmail
$ mkdir -p /data/vmail/domain1/user1 && maildirmake /data/vmail/domain1/user1/Maildir
Log in as root and define rights :
root@host:~# chmod 700 /etc/courier/userdb && chmod 600 /etc/courier/userdb/*
root@host:~# makeuserdb
We can run an authentication test:
root@host:~# /etc/init.d/courier-authdaemon restart
root@host:~# authtest user1@domain
We can set aliases by editing the /etc/courier/aliases/domain file :
virtual_address@domaine: physical_address@domaine
Once set, we build it :
root@host:~# makealiases
Or to check if everything is fine (won't build, just check) :
root@host:~# makealiases -chk
To show active aliases :
root@host:~# makealiases -dump
root@host:~# echo localhost > /etc/courier/locals
root@host:~# echo mon.serveur.domain.com >> /etc/courier/locals
root@host:~# mkdir /etc/courier/hosteddomains
root@host:~# touch /etc/courier/hosteddomains/domain.com
root@host:~# echo domain.com > /etc/courier/hosteddomains/domain.com
root@host:~# makehosteddomains
root@host:~# mkdir /etc/courier/esmtpacceptmailfor.dir/
root@host:~# echo domain.com > /etc/courier/esmtpacceptmailfor.dir/domain.com
root@host:~# makeacceptmailfor
If we have to go through an SMTP relay (for example the one of our Internet service provider), we declare it in /etc/courier/esmtproutes:
: smtp.domain.com
We can specify the TCP port:
: smtp.domaine.com,445
And if the relay requires authentication, we also edit /etc/courier/esmtpauthclient:
smtp.domain.com,445 username mdp
/etc/courier/esmtpd
PATH=/usr/bin:/bin:/usr/bin:/usr/local/bin
SHELL=/bin/bash
ULIMIT=32768
BOFHCHECKDNS=1
BOFHNOEXPN=1
BOFHNOVRFY=1
TARPIT=1
NOADDMSGID=1
NOADDDATE=0
ESMTP_LOG_DIALOG=0
AUTH_REQUIRED=0
COURIERTLS=/usr/bin/couriertls
TLS_KX_LIST=ALL
TLS_COMPRESSION=ALL
TLS_CERTS=X509
TLS_CERTFILE=/etc/courier/esmtpd.pem
TLS_TRUSTCERTS=/etc/ssl/certs
TLS_VERIFYPEER=NONE
MAILUSER=daemon
MAILGROUP=daemon
PORT=smtp
BLACKLISTS=""
ACCESSFILE=${sysconfdir}/smtpaccess
MAXDAEMONS=100
MAXPERC=10
MAXPERIP=10
PIDFILE=/var/run/courier/esmtpd.pid
TCPDOPTS="-noidentlookup -stderrlogger=/usr/sbin/courierlogger"
ESMTPAUTH="PLAIN LOGIN CRAM-MD5"
ESMTPAUTH_WEBADMIN="LOGIN CRAM-MD5 CRAM-SHA1 CRAM-SHA256"
ESMTPAUTH_TLS="PLAIN LOGIN CRAM-MD5"
ESMTPAUTH_TLS_WEBADMIN="PLAIN LOGIN CRAM-MD5 CRAM-SHA1 CRAM-SHA256"
ESMTPDSTART=YES
TLS_PROTOCOL="TLS1"
TLS_CIPHER_LIST="TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
Enable SMTP authentication
Edit /etc/courier/esmtpd
ESMTPAUTH="LOGIN"
Setting IMAP_ENHANCEDIDLE to 1 in /etc/courier/imapd enables real-time concurrent folder status updates. When real-time folder status updates are enabled, all IMAP mail clients that have the same folder open are immediately notified of any change to the folder's contents.
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"
IMAP_USELOCKS=1
IMAP_ENHANCEDIDLE=1
Edit /etc/courier/sizelimit (example for 50M) :
echo "52428800" > /etc/courier/sizelimit
A catch-all is an address that receives every mail sent to users that do not exist or have not been created. For courier-mta, the catch-all is the address alias@.
root@host:~# sudo su -s /bin/sh - vmail
$ echo "./Maildir" > domain/alias/.courier-default
Edit /etc/courier/imapd-ssl :
SSLPORT=993
SSLADDRESS=0
SSLPIDFILE=/var/run/courier/imapd-ssl.pid
SSLLOGGEROPTS="-name=imapd-ssl"
IMAPDSSLSTART=YES
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=0
COURIERTLS=/usr/bin/couriertls
TLS_KX_LIST=ALL
TLS_COMPRESSION=ALL
TLS_CERTS=X509
TLS_CERTFILE=/etc/courier/imapd.pem
TLS_TRUSTCERTS=/etc/ssl/certs
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/lib/courier/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir
TLS_PROTOCOL="TLS1"
TLS_CIPHER_LIST="TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
openssl dhparam -out dh.param 4096
cat server.key server.crt dh.param > esmtpd.pem
cp esmtpd.pem /etc/courier/
cp esmtpd.pem /etc/courier/imapd.pem
cp server.crt /etc/ssl/certs/
cp server.key /etc/ssl/private/
Once you have your Let's Encrypt certificates, you only have to concatenate the private key, the certificate and the intermediate chain:
cat privkey.pem cert.pem chain.pem > /etc/courier/esmtpd.pem
cat privkey.pem cert.pem chain.pem > /etc/courier/imapd.pem
Sending a test e-mail from the command line:
root@host:~# echo -e "To: user2@domain2\nFrom: user1@domain1" | /usr/sbin/sendmail
Authentication test from the server :
root@host:~# authtest -s imap utilisateur mdp
POP3
root@host:~# telnet x.x.x.x 110
user USERNAME
pass PASSWORD
stat
quit
IMAP
root@host:~# telnet x.x.x.x 143
a login USERNAME PASSWORD
a examine inbox
a logout
POP3 over SSL
root@host:~# openssl s_client -connect x.x.x.x:995
user USERNAME
pass PASSWORD
stat
quit
IMAP over SSL
root@host:~# openssl s_client -connect x.x.x.x:993
a login USERNAME PASSWORD
a examine inbox
a logout
With S: for server response and C: for client.
root@host:~# telnet x.x.x.x 25
S: 220 domaine.com SMTP Ready
C: EHLO domaine.com
S: 250 domaine.com
C: MAIL FROM:<test@domaine.com>
S: 250 OK
C: RCPT TO:<user1@domaine.com>
C: DATA
C: Subject: Test
C: Test
C: .
S: 250 OK
C: QUIT
S: 221 domaine.com closing transmission
To test SMTP authentication we use AUTH LOGIN, then send the base64-encoded login and password (echo -n, so that the trailing newline is not encoded into the credential):
root@host:~# echo -n user@shebangthedolphins.net | base64
dXNlckBzaGViYW5ndGhlZG9scGhpbnMubmV0
root@host:~# echo -n P@ssw0rd | base64
UEBzc3cwcmQ=
root@host:~# telnet x.x.x.x 25
S: 220 domaine.com SMTP Ready
C: EHLO domaine.com
S: 250 domaine.com
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: dXNlckBzaGViYW5ndGhlZG9scGhpbnMubmV0
S: 334 UGFzc3dvcmQ6
C: UEBzc3cwcmQ=
S: 235 2.7.0
C: MAIL FROM:<test@domaine.com>
S: 250 OK
C: RCPT TO:<user1@domaine.com>
C: DATA
C: Subject: Test
C: Test
C: .
S: 250 OK
C: QUIT
S: 221 domaine.com closing transmission
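The same AUTH LOGIN exchange as an added Python example, not code from the original page: a client that runs the EHLO / AUTH LOGIN / QUIT dialog and records the S:/C: transcript against a constructed in-process stand-in for Courier's esmtpd (the fake server, the loopback port and the sample credentials are assumptions, not Courier code).

```python
import base64
import socket
import threading
# Constructed sample credentials: the page's own example values, not a real account.
USERNAME = "user@shebangthedolphins.net"
PASSWORD = "P@ssw0rd"
def b64(text):
    # Bare value only: plain `echo | base64` also encodes the newline ("Cg==") and the login fails.
    return base64.b64encode(text.encode()).decode()
def fake_esmtpd(listener, user, password):
    # Constructed stand-in for Courier's esmtpd, speaking the dialog shown on the page.
    conn, _ = listener.accept(); f = conn.makefile("rwb", buffering=0)
    say = lambda code, text: f.write(f"{code} {text}\r\n".encode())
    say(220, "domaine.com SMTP Ready")
    while True:
        line = f.readline().decode().strip().upper()
        if line.startswith("EHLO"):
            say(250, "domaine.com")
        elif line == "AUTH LOGIN":
            say(334, b64("Username:"))  # VXNlcm5hbWU6
            got_user = base64.b64decode(f.readline().strip()).decode()
            say(334, b64("Password:"))  # UGFzc3dvcmQ6
            got_pw = base64.b64decode(f.readline().strip()).decode()
            ok = (got_user, got_pw) == (user, password)
            say(235, "2.7.0 Authentication successful") if ok else say(535, "5.7.8 Authentication failed")
        elif line in ("QUIT", ""):  # "" means the client hung up
            say(221, "domaine.com closing transmission"); break
    conn.close()

def auth_login_test(host, port, user, password):
    # Client side: returns the S:/C: transcript and the reply code to the password.
    transcript = []
    with socket.create_connection((host, port)) as s:
        f = s.makefile("rwb", buffering=0)
        def chat(cmd):  # send one line, record it and the single-line reply
            f.write((cmd + "\r\n").encode())
            reply = f.readline().decode().rstrip("\r\n")
            transcript.extend(["C: " + cmd, "S: " + reply])
            return reply[:3]
        transcript.append("S: " + f.readline().decode().rstrip("\r\n"))  # 220 greeting
        chat("EHLO domaine.com"); chat("AUTH LOGIN"); chat(b64(user))
        code = chat(b64(password)); chat("QUIT")  # 235 on success, 535 on a bad credential
    return transcript, code

def run_demo(user=USERNAME, password=PASSWORD):
    listener = socket.create_server(("127.0.0.1", 0))  # fake server on a loopback port
    t = threading.Thread(target=fake_esmtpd, args=(listener, USERNAME, PASSWORD)); t.start()
    result = auth_login_test("127.0.0.1", listener.getsockname()[1], user, password)
    t.join(); listener.close()
    return result
```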
We can enable mail relaying by editing the following file (the separator is a tab):
root@host:~# cat /etc/courier/smtpaccess/domain
IP_allowed<tab>allow,RELAYCLIENT
Then we launch the following command :
root@host:~# makesmtpaccess
root@host:~# /etc/init.d/courier-mta restart
root@host:~# /etc/init.d/courier-mta-ssl restart
Here is the command that I use to move emails by date, for example to move 2012 sent mails to the .Sent.2012 folder.
for i in $(grep -l "Date:.*2012" *); do mv "$i" ../../.Sent.2012/cur/; echo "$i"; done
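A more robust version of that date-based move, as an added Python example rather than the author's command: it reads the Date: header properly instead of grepping for the year anywhere in the file, skips messages with a missing or unparseable Date, and creates the Maildir++ target folder. The sample Maildir tree it builds is constructed.

```python
import os
import tempfile
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

def message_year(path):
    # Parse only the headers; grep "Date:.*2012" also matches quoted headers in the body.
    with open(path, "rb") as fh:
        msg = BytesParser().parse(fh, headersonly=True)
    try:
        return parsedate_to_datetime(msg["Date"]).year
    except (TypeError, ValueError):
        return None  # missing or unparseable Date: leave the message where it is

def move_by_year(root, src_folder, year, dest_folder):
    """Move messages dated `year` from root/src_folder/{cur,new} to root/dest_folder/cur.
    Folders are Maildir++ siblings under root (e.g. ".Sent" -> ".Sent.2012")."""
    dest = os.path.join(root, dest_folder)
    for sub in ("cur", "new", "tmp"):
        os.makedirs(os.path.join(dest, sub), exist_ok=True)
    open(os.path.join(dest, "maildirfolder"), "a").close()  # marks a Maildir++ subfolder
    moved = []
    for sub in ("cur", "new"):
        src = os.path.join(root, src_folder, sub)
        if not os.path.isdir(src):
            continue
        for name in sorted(os.listdir(src)):
            path = os.path.join(src, name)
            if message_year(path) == year:
                os.replace(path, os.path.join(dest, "cur", name))  # atomic on the same filesystem
                moved.append(name)
    return moved

def build_sample_maildir():
    """Constructed sample Maildir++ tree with three messages in .Sent/cur (not real mail)."""
    root = tempfile.mkdtemp()
    cur = os.path.join(root, ".Sent", "cur")
    os.makedirs(cur)
    samples = {
        "1.host,S=1:2,S": b"Date: Mon, 03 Sep 2012 10:00:00 +0200\nSubject: a\n\nbody\n",
        "2.host,S=1:2,S": b"Date: Tue, 05 Feb 2013 10:00:00 +0100\nSubject: b\n\n> Date: 2012\n",
        "3.host,S=1:2,S": b"Subject: no date header\n\nbody\n",
    }
    for name, body in samples.items():
        with open(os.path.join(cur, name), "wb") as fh:
            fh.write(body)
    return root
```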
CORRUPTED MESSAGE
This is the Courier Mail Server 0.68 on mailserver. I received the following message for delivery to your address. This message contains several internal formatting errors. This is often caused by viruses that attempt to infect remote systems. Instead of blocking this message, I converted it to a safe, text-only attachment that can be safely read with a text editor. This sometimes also happens when the sender's mail software has a bug that creates improperly-formatted messages. Although these kinds of formatting errors may often be ignored by other mail servers, this server detects and intercepts improperly-coded messages in order to prevent viruses from taking advantage of bugs in E-mail programs:
-----------------------------------------------------------------------------
This message contains improperly-formatted binary content, or attachment. See <URL:ftp://ftp.isi.edu/in-notes/rfc2045.txt> for more information.
-----------------------------------------------------------------------------
Resolution: create the /etc/courier/bofh file and add:
opt BOFHBADMIME=accept
touch /etc/courier/locallowercase
If a mailbox is not correctly created (Maildir folder missing, wrong uid/gid, maildrop errors, etc.), courier will not deliver mail to the account for some time: the address is blacklisted as backscatter protection (see man courier).
The errors "456 Address temporarily unavailable" and "502 ESMTP command error" are returned to the sender and appear in the log file.
To list blocked addresses :
root@host:~# courier show all
To unlock an address :
root@host:~# courier clear user@domain.com
To unlock every addresses :
root@host:~# courier clear all
courieresmtp: id=00000000008002CF.0000000050C99F63.00003ECE,from=<>,addr=<adresse@domaine> No route to host
It means that the default gateway refuses to route SMTP traffic. We have to specify the SMTP relay manually in the /etc/courier/esmtproutes file, for example with Orange:
: smtp.orange.fr
Then we restart service :
root@host:~# /etc/init.d/courier-mta restart
In /etc/courier/imapd:
MAXDAEMONS=300
MAXPERIP=60
root@host:~# mkdir /etc/courier/esmtpacceptmailfor.dir/
root@host:~# echo domain1 > /etc/courier/esmtpacceptmailfor.dir/domain1
root@host:~# makeacceptmailfor
We edit the following line in the /etc/courier/esmtpd file:
TCPDOPTS="-nodnslookup -noidentlookup"
root@host:~# mailq
root@host:~# ls -Rhl /var/lib/courier/msgs/
root@host:~# cancelmsg msgid
root@host:~# cancelmsg $(mailq | grep 00 | tr -s " " | awk '{ print $2 }')