Chapter 19. Mail Servers
Red Hat Enterprise Linux offers many advanced applications to serve and access email. This chapter describes modern email protocols in use today, and some of the programs designed to send and receive email.
19.1. Email Protocols
Today, email is delivered using a client/server architecture. An email message is created using a mail client program. This program then sends the message to a server. The server then forwards the message to the recipient's email server, where the message is then supplied to the recipient's email client.
To enable this process, a variety of standard network protocols allow different machines, often running different operating systems and using different email programs, to send and receive email.
The following protocols discussed are the most commonly used in the transfer of email.
19.1.1. Mail Transport Protocols
Mail delivery from a client application to the server, and from an originating server to the destination server, is handled by the Simple Mail Transfer Protocol (SMTP).
19.1.1.1. SMTP
The primary purpose of SMTP is to transfer email between mail servers. However, it is critical for email clients as well. To send email, the client sends the message to an outgoing mail server, which in turn contacts the destination mail server for delivery. For this reason, it is necessary to specify an SMTP server when configuring an email client.
Under Red Hat Enterprise Linux, a user can configure an SMTP server on the local machine to handle mail delivery. However, it is also possible to configure remote SMTP servers for outgoing mail.
One important point to make about the SMTP protocol is that it does not require authentication. This allows anyone on the Internet to send email to anyone else or even to large groups of people. It is this characteristic of SMTP that makes junk email or spam possible. Imposing relay restrictions limits random users on the Internet from sending email through your SMTP server, to other servers on the internet. Servers that do not impose such restrictions are called open relay servers.
Red Hat Enterprise Linux provides the Postfix and Sendmail SMTP programs.
19.1.2. Mail Access Protocols
There are two primary protocols used by email client applications to retrieve email from mail servers: the Post Office Protocol (POP) and the Internet Message Access Protocol (IMAP).
19.1.2.1. POP
The default POP server under Red Hat Enterprise Linux is Dovecot and is provided by the dovecot package.
Note
In order to use Dovecot, first ensure the dovecot package is installed on your system by running, as
root
:
~]# yum install dovecot
For more information on installing packages with Yum, see Section 8.2.4, “Installing Packages”.
When using a
POP
server, email messages are downloaded by email client applications. By default, most POP
email clients are automatically configured to delete the message on the email server after it has been successfully transferred, however this setting usually can be changed.
POP
is fully compatible with important Internet messaging standards, such as Multipurpose Internet Mail Extensions (MIME), which allow for email attachments.
POP
works best for users who have one system on which to read email. It also works well for users who do not have a persistent connection to the Internet or the network containing the mail server. Unfortunately for those with slow network connections, POP
requires client programs upon authentication to download the entire content of each message. This can take a long time if any messages have large attachments.
The most current version of the standard
POP
protocol is POP3
.
There are, however, a variety of lesser-used
POP
protocol variants:
- APOP —
POP3
withMD5
authentication. An encoded hash of the user's password is sent from the email client to the server rather than sending an unencrypted password. - KPOP —
POP3
with Kerberos authentication. - RPOP —
POP3
withRPOP
authentication. This uses a per-user ID, similar to a password, to authenticate POP requests. However, this ID is not encrypted, soRPOP
is no more secure than standardPOP
.
For added security, it is possible to use Secure Socket Layer (SSL) encryption for client authentication and data transfer sessions. This can be enabled by using the
pop3s
service, or by using the stunnel
application. For more information on securing email communication, see Section 19.5.1, “Securing Communication”.
19.1.2.2. IMAP
The default
IMAP
server under Red Hat Enterprise Linux is Dovecot and is provided by the dovecot package. See Section 19.1.2.1, “POP” for information on how to install Dovecot.
When using an
IMAP
mail server, email messages remain on the server where users can read or delete them. IMAP
also allows client applications to create, rename, or delete mail directories on the server to organize and store email.
IMAP
is particularly useful for users who access their email using multiple machines. The protocol is also convenient for users connecting to the mail server via a slow connection, because only the email header information is downloaded for messages until opened, saving bandwidth. The user also has the ability to delete messages without viewing or downloading them.
For convenience,
IMAP
client applications are capable of caching copies of messages locally, so the user can browse previously read messages when not directly connected to the IMAP
server.
IMAP
, like POP
, is fully compatible with important Internet messaging standards, such as MIME, which allow for email attachments.
For added security, it is possible to use
SSL
encryption for client authentication and data transfer sessions. This can be enabled by using the imaps
service, or by using the stunnel
program. For more information on securing email communication, see Section 19.5.1, “Securing Communication”.
Other free, as well as commercial, IMAP clients and servers are available, many of which extend the IMAP protocol and provide additional functionality.
19.1.2.3. Dovecot
The
imap-login
and pop3-login
processes which implement the IMAP
and POP3
protocols are spawned by the master dovecot
daemon included in the dovecot package. The use of IMAP
and POP
is configured through the /etc/dovecot/dovecot.conf
configuration file; by default dovecot
runs IMAP
and POP3
together with their secure versions using SSL
. To configure dovecot
to use POP
, complete the following steps:
- Edit the
/etc/dovecot/dovecot.conf
configuration file to make sure theprotocols
variable is uncommented (remove the hash sign (#
) at the beginning of the line) and contains thepop3
argument. For example:protocols = imap pop3 lmtp
When theprotocols
variable is left commented out,dovecot
will use the default values as described above. - Make the change operational for the current session by running the following command:
~]#
service dovecot restart
- Make the change operational after the next reboot by running the command:
~]#
chkconfig dovecot on
Note
Please note thatdovecot
only reports that it started theIMAP
server, but also starts thePOP3
server.
Unlike
SMTP
, both IMAP
and POP3
require connecting clients to authenticate using a user name and password. By default, passwords for both protocols are passed over the network unencrypted.
To configure
SSL
on dovecot
:
- Edit the
/etc/dovecot/conf.d/10-ssl.conf
configuration to make sure thessl_cipher_list
variable is uncommented, and append:!SSLv3
:ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!SSLv3
These values ensure thatdovecot
avoids SSL versions 2 and also 3, which are both known to be insecure. This is due to the vulnerability described in POODLE: SSLv3 vulnerability (CVE-2014-3566). See Resolution for POODLE SSL 3.0 vulnerability (CVE-2014-3566) in Postfix and Dovecot for details. - Edit the
/etc/pki/dovecot/dovecot-openssl.cnf
configuration file as you prefer. However, in a typical installation, this file does not require modification. - Rename, move or delete the files
/etc/pki/dovecot/certs/dovecot.pem
and/etc/pki/dovecot/private/dovecot.pem
. - Execute the
/usr/libexec/dovecot/mkcert.sh
script which creates thedovecot
self signed certificates. These certificates are copied in the/etc/pki/dovecot/certs
and/etc/pki/dovecot/private
directories. To implement the changes, restartdovecot
:~]#
service dovecot restart
More details on
dovecot
can be found online at http://www.dovecot.org.