Scope of this article
The server I’m setting up will receive e-mail from my mail accounts at big hosting companies like gmail, yahoo, gmx and so on. Incoming mail will be stored on the server. I can read my mail online using the browser interface Squirrelmail provides, or I can connect to the server with a mail client (e.g. Thunderbird, Apple Mail) using the IMAP protocol. Outgoing mail is sent through the mail account at the big provider again. This is a handy system if you are one or just a few users who want to store all mail in a central place reachable from all your devices. It is not suitable if you want to run a proper mail server with its own domain name.
I am setting up a fetchmail server for the third time now. The first two ran on a local network; the third will run on a virtual server with a proper IP address and domain name. Again I had to admit that I had forgotten most of the configuration details.
This article is most of all a memory hook for myself, but it will probably be useful for others as well. You’re welcome to comment on this article if you wish. Please be aware that I’m lacking the capacity for extensive support with problems you run into when following these guidelines.
System requirements
- Debian GNU/Linux 6.x
- exim4
- Dovecot
- Squirrelmail
- ispell and wordlist packages for your language, in my case: iswiss and wswiss
- fetchmail
- exim4 SMTP server
Install the above using the Debian package installer (apt-get, aptitude or whatever else).
Setting up the parts of the whole system
System configuration
Set up the users you need mailboxes for with adduser.
Create a mail folder in each user’s home directory and create a .procmailrc in each home directory.
.procmailrc example:
MAILDIR=$HOME/mail/
LOGFILE=/var/log/procmail.log
VERBOSE=yes

:0
* ^TO_mythtv-users@mythtv.org
mythtv

:0
USER_NAME
The listing above contains a filter that sorts all mail with a TO address of „mythtv-users@mythtv.org“ into the folder „mythtv“. Handy for newsletter mail. The second recipe simply drops all remaining mail into the user’s mail folder.
File permissions: chown .procmailrc to the mailbox user and chmod 640 .procmailrc.
Create the dovecot user with dovecot group (should be done already by installation script).
Create mail group without any users (should be done already by installation script).
Enter login credentials for your Mail ISP in /etc/exim4/passwd.client (the template file includes a description how to do this).
Dovecot setup
Set /etc/hostname and /etc/hosts correctly. Delete existing dovecot.pem in /etc/ssl/private and /etc/ssl/certs and rerun dovecot configuration:
dpkg-reconfigure dovecot-common
Go to /etc/dovecot and edit configuration files:
cd /etc/dovecot
editor dovecot.conf
Set the following lines. The listing below only shows the changes from the default dovecot.conf:
protocols = imap imaps pop3 pop3s
ssl = yes
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
disable_plaintext_auth = yes
shutdown_clients = yes
protocol imap {
  ssl_listen = *:993
}
login_chroot = yes
login_user = dovecot
login_process_per_connection = yes
login_processes_count = 1
login_max_processes_count = 16
login_greeting = mail server ready.
mail_location = mbox:/home/%u/mail:INBOX=/home/%u/mail/inbox
auth_process_size = 256
I’m setting up a mail server for only a few users, therefore only one process listens for connections and at most 16 login processes are allowed to run simultaneously.
Squirrelmail setup
Configuration files are in /etc/squirrelmail.
apache.conf:
Set the alias; it will be the path on your web server directly after the domain name.
config.php:
Set the variables $org_name, $org_logo, $org_logo_width, $org_logo_height, $org_title, $squirrelmail_default_language, $imapPort.
In my case:
$org_name = "Gäss Mail";
$org_logo = SM_PATH . 'images/signet-gaess_web_gsp.gif';
$org_logo_width = '264';
$org_logo_height = '100';
$org_title = "Gäss Webmail";
$squirrelmail_default_language = 'de_DE';
$imapPort = 993;
Start the configuration script:
squirrelmail-configure
Set the following entries:
D. Set pre-defined settings for specific IMAP servers
   dovecot
2. Server Settings
   A. Update IMAP Settings
   7. Secure IMAP (TLS) : true
Save and quit
Exim4
Run the Debian config script for exim with:
dpkg-reconfigure exim4-config
Choose the smarthost-with-fetchmail preset and answer all questions. Important: you will have to set exim to use „Maildir in home folders“ and not „mbox in /var/mail“. This point is somewhat irritating, because our setup stores mail in mbox format, but in the users’ home folders.
You must use port 25 for sending mail to the smarthost and not e.g. port 465 as you probably would from your mail client on the desktop.
Set the address exim4 listens on for incoming SMTP to localhost (127.0.0.1). Don’t allow relaying for any address.
Fetchmail
Fetchmail fetches our mail from the mail providers out there on the web and stores it in local mailboxes.
Create /etc/fetchmailrc:
set postmaster "POSTMASTER_USER"
set bouncemail
set properties ""

poll pop.gmx.net protocol POP3 uidl
    user "MAIL_ADDRESS" password "PASSWORD" is "LOCAL_USERNAME"

poll ANOTHER_MAILSERVER proto POP3 uidl
    user "MAIL_USER_ONLY" password "PASSWORD" is "LOCAL_USERNAME"
    options ssl sslfingerprint "FINGERPRINT_HERE"
    # sslcertck sslcertpath /usr/local/fetchmail/certs
Append „keep“ to each poll section if you want to leave mail on the server. fetchmailrc contains passwords and should only be readable by fetchmail:
chown fetchmail fetchmailrc
chmod 600 fetchmailrc
Set /etc/default/fetchmail so that the fetchmail daemon runs:
START_DAEMON=yes
If a server uses a self-signed certificate, you may use the fingerprint statement as shown in my example. Getting a POP3 server’s fingerprint is quite easy, given you know what to do (and that is what I keep forgetting every time), so here’s the recipe:
Get the server’s public key (its certificate):
openssl s_client -connect SERVER_NAME:PORT
Save everything between „-----BEGIN CERTIFICATE-----“ and „-----END CERTIFICATE-----“, including these two lines, into a file. Then calculate the fingerprint:
openssl x509 -fingerprint -md5 -in PATH_TO_FILE
Please note that these actions don’t protect you from a man-in-the-middle attack, where a fake server pretends to be your partner. To be sure of a server’s identity, you would need to obtain the fingerprint in another way than over the very connection you use to reach the mail server.
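The same recipe in Python, as an added example that is not part of the original article: it extracts the BEGIN/END CERTIFICATE block, produces the colon-separated MD5 fingerprint that fetchmail’s sslfingerprint option expects, and checks a live server against a pinned value. The host name, port and pinned fingerprint are placeholders of my own; the pin itself must come from an out-of-band source, as explained above.

```python
"""Added example (not from the article): compute a mail server's certificate
fingerprint in the colon-separated MD5 form fetchmail's 'sslfingerprint'
expects, and check a live server against a pinned value. Host, port and pin
are assumptions; the pin must come from an out-of-band source."""
import base64
import hashlib
import hmac
import re
import socket
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Take the BEGIN/END CERTIFICATE block the article says to save to a file
    and decode it to DER, the bytes that 'openssl x509 -fingerprint' hashes."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def md5_fingerprint(der: bytes) -> str:
    """Same string 'openssl x509 -fingerprint -md5' prints, e.g. 'AB:CD:...'."""
    digest = hashlib.md5(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_matches(der: bytes, pinned: str) -> bool:
    """Constant-time comparison against the value pinned in fetchmailrc."""
    return hmac.compare_digest(md5_fingerprint(der), pinned.strip().upper())


def fetch_server_cert_der(host: str, port: int = 995) -> bytes:
    """Python equivalent of 'openssl s_client -connect host:port' on a POP3S or
    IMAPS port. Chain validation is off because the server is self-signed;
    the pin check is what authenticates the peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    PINNED = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"  # placeholder pin
    der = fetch_server_cert_der("pop.example.org", 995)  # assumed host
    print("server fingerprint:", md5_fingerprint(der))
    print("matches pinned value:", fingerprint_matches(der, PINNED))
```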
Apache configuration
Add a symlink to the Squirrelmail Apache config file from /etc/apache2/conf.d, like:
ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf
Exim4 SMTP server
Create the certificates for the server and store them.
The directory needs to be readable by exim. On Debian systems this means it has to belong to the group Debian-exim.
You cannot store your exim SSL keys in /etc/ssl/private. Store them e.g. in /etc/exim4, chown them to root:Debian-exim and chmod 440.
Edit /etc/exim4/conf.d/main/03_exim4-config_tlsoptions:
MAIN_TLS_CERTIFICATE = /etc/exim4/NAME.crt
MAIN_TLS_PRIVATEKEY = /etc/exim4/NAME.key
Create your local macro file /etc/exim4/conf.d/main/00_localmacros_SERVERNAME or any other name starting with 00.
Set it to:
MAIN_TLS_ENABLE = true
daemon_smtp_ports = smtp : 587
Go to /etc/exim4/conf.d/auth/30_exim4-config_examples and set:
cram_md5:
  driver = cram_md5
  public_name = CRAM-MD5
  # server behaviour when clients want to authenticate
  server_secret = ${lookup{$auth1}lsearch{/etc/exim4/FILENAME}{$value}fail}
  server_set_id = $auth1
Create the file /etc/exim4/FILENAME with the account credentials, one USERNAME:PASSWORD per line. CRAM-MD5 needs the clear-text password on the server side, so protect this file like fetchmailrc: owned by root:Debian-exim and not world-readable.
Now your server should offer CRAM-MD5 login („encrypted password“ in Thunderbird) and STARTTLS on ports 25 and 587.