project: d.r.e.a.m

This documentation is no longer maintained. It may be out of date, or simply wrong. I will leave it online, as long as it think it may still be useful.

In most of my installations, courier imap has been replaced by bincimap. Thus, this document is no longer maintained. This document was valid when used with courier-imap 1.7.1, and should work with newer versions.

courier & daemontools mini HOWTO

Thanks to Reto Schuettel, he showed me that newer versions of courier-imap need a file called AUTHUSER in the ./env/ directory with the content "/tmp" to run correctly.

The courier-imap package (made by inter7) is one of the most popular IMAP4 / POP3 Servers that support Maildir-style Mailspools. It supports more than one authentication method's ( enables you to use system & virtualusers on the same POP3/IMAP4 Service ). Altough, their startup system was far to complicated for me. I wanted to run this service under daemontools, using tcpserver and not couriertcpd. Plain POP3 and IMAP4 worked with some minimal runscripts, but SSL was far more difficult.

Requirements for this setup:

recent version of daemontools
recent version of ucspi-tcp
recent version of courier-imap
a perl interpreter (SSL, only during installation)

plain pop3 and imap4

I won't go into details about installing any of the required software above.
Setting up plain pop3 and imap4 is pretty simple, because you don't need to generate ssl certificates.

Create needed directories:

# mkdir -p /var/qmail/supervise/courier-{imap,pop3}/log

Create the following runfiles:

/var/qmail/supervise/courier-imap/run

# cat <<'EOF' >/var/qmail/supervise/courier-imap/run
#!/bin/sh
exec envdir ./env/ 
tcpserver -v -R -H -l `hostname --fqdn` 0 143 \
/usr/sbin/imaplogin \
/usr/lib/courier-imap/authlib/authdaemon \
/usr/sbin/courier-imapd Maildir 2>&1
EOF
# mkdir /var/qmail/supervise/courier-imap/env/
# echo /tmp > /var/qmail/supervise/courier-imap/env/AUTHUSER

/var/qmail/supervise/courier-imap/log/run

# cat <<'EOF' >/var/qmail/supervise/courier-imap/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill multilog t s10000000 /var/log/qmail/imap
EOF

/var/qmail/supervise/courier-pop3/run

# cat <<'EOF' >/var/qmail/supervise/courier-pop3/run
#!/bin/sh
exec tcpserver -v -R -H -l `hostname --fqdn` 0 110 \
/usr/sbin/pop3login \
/usr/lib/courier-imap/authlib/authdaemon \
/usr/sbin/courier-pop3d Maildir 2>&1
EOF

/var/qmail/supervise/courier-pop3/log/run

# cat <<'EOF' >/var/qmail/supervise/courier-pop3/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill multilog t s10000000 /var/log/qmail/pop3
EOF

finally, symlink /etc/courier-{imap,pop3} to /service
Please note, that you need authdaemon running, to authenticate system users.
I found no way running it under daemontools, so please start it as you did before.
I just put /usr/lib/courier-imap/authlib/authdaemond start in /etc/conf.d/local.start (Your OS surely has a similar file)

Test your Installation

$ telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Hello there.
user valid-user
+OK Password required.
pass valid-password
+OK logged in.

SSL secured pop3 and imap4

This one needed a bit more of work, because couriertls expected some enviroment variables to be set

Get envconv and install it to /usr/local/sbin, chmod 755 it.

Create needed directories:

# mkdir -p /var/qmail/supervise/courier-{imaps,pop3s}/{env,log}

create OpenSSL certificate

you need to create a certificate for courier-imap, we will use CA.pl from the OpenSSL package

create CA-nodes.pl, to create non-encrypted keys, which you need because nobody could get asked for the password

# cd /usr/lib/ssl/misc/
# cp CA.pl CA-nodes.pl
# cat <<'EOF' | patch -p0
*** CA-nodes.pl	Wed May 22 19:15:42 2002
--- CA-nodes.pl	Wed May 22 19:13:58 2002
***************
*** 58,69 ****
  	    exit 0;
  	} elsif (/^-newcert$/) {
  	    # create a certificate
! 	    system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
  	    $RET=$?;
  	    print "Certificate (and private key) is in newreq.pem\n"
  	} elsif (/^-newreq$/) {
  	    # create a certificate request
! 	    system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
  	    $RET=$?;
  	    print "Request (and private key) is in newreq.pem\n";
  	} elsif (/^-newca$/) {
--- 58,69 ----
  	    exit 0;
  	} elsif (/^-newcert$/) {
  	    # create a certificate
! 	    system ("$REQ -nodes -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
  	    $RET=$?;
  	    print "Certificate (and private key) is in newreq.pem\n"
  	} elsif (/^-newreq$/) {
  	    # create a certificate request
! 	    system ("$REQ -nodes -new -keyout newreq.pem -out newreq.pem $DAYS");
  	    $RET=$?;
  	    print "Request (and private key) is in newreq.pem\n";
  	} elsif (/^-newca$/) {
EOF

run ./CA.pl -newca, to create a new CA, if you don't already have one
run ./CA-nodes.pl -newreq, to create a new certificate request.
The "Common Name" Field should be your Servers Hostname
run ./CA.pl -sign to sign and verify the certificate request created above
merge the two newly created files, using the following commands:
```
# cat newreq.pem newcert.pem >> courier.pem
```
Open courier.pem using $EDITOR, and delete from
-----BEGIN CERTIFICATE REQUEST-----
just before
-----BEGIN CERTIFICATE-----
and make sure that there's exactly one empty line between
-----END RSA PRIVATE KEY-----
and
-----BEGIN CERTIFICATE-----

copy courier.pem to /etc/courier-imap/, and give it secure permissions

# cp courier.pem /etc/courier-imap/
# chown root.root /etc/courier-imap/courier.pem
# chmod 400 /etc/courier-imap/courier.pem

Create the following runfiles:

/var/qmail/supervise/courier-imaps/run

# cat <<'EOF' >/var/qmail/supervise/courier-imaps/run
#!/bin/sh
exec /command/envdir ./env \
tcpserver -v -R -H -l `hostname --fqdn` 0 993 \
/usr/sbin/couriertls -server -tcpd \
/usr/sbin/imaplogin \
/usr/lib/courier-imap/authlib/authdaemon \
/usr/sbin/courier-imapd Maildir 2>&1
EOF
# chmod 755 /var/qmail/supervise/courier-imap/run

/var/qmail/supervise/courier-imaps/log/run

# cat <<'EOF' >/var/qmail/supervise/courier-imaps/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill multilog t s10000000 /var/log/qmail/imaps
# chmod 755 /var/qmail/supervise/courier-imaps/log/run

/var/qmail/supervise/courier-pop3s/run

# cat <<'EOF' >/var/qmail/supervise/courier-pop3s/run
#!/bin/sh
exec /command/envdir ./env/ \
tcpserver -v -R -H -l `hostname --fqdn` 0 995 \
/usr/sbin/couriertls -server -tcpd \
/usr/sbin/pop3login \
/usr/lib/courier-imap/authlib/authdaemon \
/usr/sbin/courier-pop3d Maildir 2>&1
EOF
# chmod 755 /var/qmail/supervise/courier-pop3s/run

/var/qmail/supervise/courier-pop3s/log/run

# cat <<'EOF' >/var/qmail/supervise/courier-pop3s/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill multilog t s10000000 /var/log/qmail/pop3s
EOF
# chmod 755 /var/qmail/supervise/courier-pop3s/log/run

Create the Configuration:

# cd /var/qmail/supervise/courier-imaps/env/ 
# /usr/local/sbin/envconv < /etc/courier-imap/imapd-ssl
# echo /etc/courier-imap/courier.pem > TLS_CERTFILE
# cd /var/qmail/supervise/courier-pop3s/env/
# /usr/local/sbin/envconv < /etc/courier-imap/pop3d-ssl
# echo /etc/courier-imap/courier.pem > TLS_CERTFILE
# echo /tmp > AUTHUSER

finally, symlink /etc/courier-{imaps,pop3s} to /service

test if everything works:

# stunnel -c -f -r localhost:995
+OK Hello there.
user valid-user
+OK Password required.
pass valid-password
+OK logged in.

If you have any questions or suggestions don't hesitate to contact me.

This document public domain.