What is this?
This is a short HOWTO on installing webmail and IMAP server packages that
work with QMail's maildir format.
Why the need for this document? Because there is scattered information
across the net on how to do this, but nothing really from the beginning to
the end, and that includes installing Apache, getting SSL to work, checking
IMAP, and checking the web server portion.
Sections
Other websites
Quick gotchas
Installing Apache and SSL
Courier IMAP
SqWebmail
Other websites
- Apache and the Apache2 docs, in particular the SSL FAQ
- The SQWebMail info and download page
- The Courier IMAP info and download page
Quick gotchas
- I would install a completely new instance of Apache from source, or an
RPM if you're comfortable with that. RPMs give me the heebie-jeebies when
I know I'm going to muck around with it later on. Don't try and mess
around with installing Apache2 over Apache1.x or a newer version of
SQWebmail over an older. You'll pay the price in debugging a
half-put-together system, like I've done.
- sqwebmail and IMAP should use the same authdaemond to authenticate,
except that they don't share the same socket file. I've used just the
IMAP one and then linked the SQWebmail one back to it. Do a "find /usr
-type s" to show you where they both are under a /var/authdaemond
directory.
- Use the openssl debugging tools to show you that the certificate and
key files that you have match and that you're really connecting to an
encrypted SSL port.
- Up the MAXDAEMONS in the IMAP config or else you'll wonder why it
worked in the morning and then doesn't when 30 people are in the
office.
- Use Perl's Mail::IMAPClient and links / wget to quickly test out
connectivity.
Installing Apache and SSL
The docs for this are pretty straightforward, but here's a walkthrough:
- Make sure your openssl libraries are up to date, especially after the
Slapper worm outbreak.
- Delete / move all existing files in /usr/local/apache. Save them for
later if you want.
- Create a www user in group www.
- Get the latest Apache source from a mirror. Get the
httpd-2.0.40.tar.gz file in this case.
- Unpack it with a "tar -xvzf httpd-2.0.40.tar.gz" and cd into the new
directory.
- Configure your compile like this:
"./configure --enable-ssl --prefix=/usr/local/apache"
- Wait several minutes for it to make the Makefile. Then type "make" and
wait some more. Then "make install" to install it.
- During the waiting periods, make the certificate and server key for
your site: go into some directory like "/usr/lib/openssl", make a
directory "certs", and follow the instructions on the SSL FAQ page,
repeated here for convenience:
| Do this | To get this |
| "openssl genrsa -des3 -out server.key 1024" | RSA private key |
| "openssl rsa -in server.key -out server.key.unsecure" | unencrypted version (avoid keystrokes) |
| "openssl req -new -key server.key -out server.csr" | generate certificate request |
| "openssl genrsa -des3 -out ca.key 1024" | RSA private key |
| "openssl req -new -x509 -days 365 -key ca.key -out ca.crt" | self signed CA cert |
| "./sign.sh server.csr" (get that here) | sign your request, gives you server.crt |
| "openssl x509 -noout -modulus -in server.crt | openssl md5" | check these two match |
| "openssl rsa -noout -modulus -in server.key | openssl md5" | hash should be the same |
Finally we're done with that portion. The two files you want to keep are
those last two, the server.crt and server.key. The server.key.unsecure one
is handy if you don't want to do some tricks to get https to start up
automatically, but it is dangerous: anyone who gets hold of it could
impersonate your faked identity with it.
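The two checks this section relies on, as an added example that is not part of the original HOWTO: that the certificate and key really belong together, and that the key file is not readable by other users. Function names and the throwaway demo files are made up for illustration, and the moduli are compared directly instead of being piped through md5.

```shell
#!/bin/sh
# Added example (not from the original HOWTO); function names are illustrative.

# True when certificate $1 and RSA key $2 carry the same modulus. The key must
# load without a passphrase (as server.key.unsecure does); an encrypted or
# unreadable key returns 2 instead of prompting.
pair_matches() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2" -passin pass: 2>/dev/null) || return 2
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# True when key file $1 grants no access to group or other (0600 or 0400).
key_is_private() {
    [ -f "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report on a cert/key pair; returns non-zero if any check fails.
check_pair() {
    rc=0
    pair_matches "$1" "$2" || { echo "FAIL: $1 does not match $2"; rc=1; }
    key_is_private "$2"    || { echo "FAIL: $2 is readable by group/other"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 / $2"
    return "$rc"
}

# Constructed sample data: two throwaway keys and a self-signed cert for the first.
make_demo_pair() {
    openssl genrsa -out "$1/a.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 1 -subj "/CN=webmail.example" \
        -key "$1/a.key" -out "$1/a.crt" 2>/dev/null &&
    chmod 600 "$1/a.key" && chmod 644 "$1/b.key"
}

demo_dir=$(mktemp -d)
make_demo_pair "$demo_dir"
check_pair "$demo_dir/a.crt" "$demo_dir/a.key" || true   # matching pair, private key file
check_pair "$demo_dir/a.crt" "$demo_dir/b.key" || true   # wrong key, world-readable
rm -rf "$demo_dir"
```

Against the real files, run check_pair on server.crt and server.key.unsecure before pointing Apache at them. The throwaway keys here are 2048-bit; 1024-bit RSA, as in the table, is too short by current standards.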
With Apache installed in /usr/local/apache, now we're going to set up
httpd.conf and ssl.conf and place the two keys where they should go.
Edit the httpd.conf and look for @@DIRECTIVE@@ labels. The main ones you
want to change are:
"ServerName myservername.com", "DocumentRoot /usr/local/apache" and the
"" directives. Samples to come.
Put the server.key.unsecure file in the ./conf/ssl.key directory and the
server.crt in the ./conf/ssl.crt directory. Reference those in the ssl.conf
file like so:
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key.unsecure
That's it! Now try and start with "/usr/local/apache/bin/apachectl startssl".
Do a "lsof -n -i:80,443" to see if anything started up. If you see something
on port 443, debug it with an
"openssl s_client -connect 192.168.0.10:443 -state -debug". If you see "
Now that Apache is done let's move on to IMAP:
How to install Courier IMAP
This is pretty easy: download the source and do a "./configure
--without-authpgsql" to just go against the /etc/passwd file. "make ; make
install" will install it for you. Oh, you have to do the configure and the
first make as a non-root user.
Take the imapd.rc file and put it in /etc/rc.d/init.d. Edit it and look for
the MAXDAEMONS line; it comes from the /usr/lib/courier-imap/etc/imapd file.
Up that quite a bit, as 40 connections go quickly, especially if you spawn
more than one process per connection.
Start up the program with a "./imapd.rc start" and do a "lsof -n -i:imap" to
see if it is running. If it is, then take this
program, edit it to put in your IMAP server, username, and password.
SqWebmail
Now for the final part: download and untar SqWebmail. Do a "./configure
--prefix=/usr/local/apache --enable-ssl --without-authpgsql" and then a
"make". Next see if everything is kosher with a "mkdir /tmp/sqwebmail ; make
install DESTDIR=/tmp/sqwebmail" and you'll see the directory structure in
that directory. If it looks fine, do a "make install".
Now for the tricky part of making the authdaemon socket connection be the
same between both programs. Do a "find /usr -type s" to find both of them.
cd to the directory above on the sqwebmail side. Remove the authdaemon
directory and create a symlink to the Courier IMAP one.
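The symlink step above as a script, added here as an example that is not part of the original HOWTO. It renames the SqWebmail authdaemon directory instead of deleting it, so the change can be undone. The function name and the demo directory layout are made up; find the real paths with "find /usr -type s".

```shell
#!/bin/sh
# Added example (not from the original HOWTO). Paths passed in are assumptions;
# locate the real ones with: find /usr -type s

# Point SqWebmail's authdaemon directory ($1) at Courier IMAP's ($2).
# The old directory is renamed to <name>.orig rather than removed.
link_authdaemon() {
    sq=$1
    courier=$2
    [ -d "$courier" ] || { echo "no such directory: $courier" >&2; return 1; }
    if [ -L "$sq" ]; then
        # Already a symlink: fine only if it points at the Courier directory.
        [ "$(readlink "$sq")" = "$courier" ] && return 0
        echo "$sq links elsewhere: $(readlink "$sq")" >&2
        return 1
    fi
    if [ -e "$sq" ]; then
        # Without this move, ln would create the link inside the old directory.
        [ -e "$sq.orig" ] && { echo "$sq.orig already exists" >&2; return 1; }
        mv "$sq" "$sq.orig" || return 1
    fi
    ln -s "$courier" "$sq"
}

# Constructed demo tree standing in for the two installs.
demo=$(mktemp -d)
mkdir -p "$demo/courier-imap/authdaemon" "$demo/sqwebmail/authdaemon"
link_authdaemon "$demo/sqwebmail/authdaemon" "$demo/courier-imap/authdaemon"
ls -l "$demo/sqwebmail"
rm -rf "$demo"
```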
Now go to "https://192.168.0.10" and see if you get the "click on this link"
that goes to the cgi-bin.