Chapter 14. Mail Servers
14.1. Email Protocols
14.1.1. Mail Transport Protocols
14.1.2. Mail Access Protocols
yum install dovecot
POPserver, email messages are downloaded by email client applications. By default, most
POPemail clients are automatically configured to delete the message on the email server after it has been successfully transferred, however this setting usually can be changed.
POPis fully compatible with important Internet messaging standards, such as Multipurpose Internet Mail Extensions (MIME), which allow for email attachments.
POPworks best for users who have one system on which to read email. It also works well for users who do not have a persistent connection to the Internet or the network containing the mail server. Unfortunately for those with slow network connections,
POPrequires client programs upon authentication to download the entire content of each message. This can take a long time if any messages have large attachments.
- APOP —
MD5authentication. An encoded hash of the user's password is sent from the email client to the server rather than sending an unencrypted password.
- KPOP —
POP3with Kerberos authentication.
- RPOP —
RPOPauthentication. This uses a per-user ID, similar to a password, to authenticate POP requests. However, this ID is not encrypted, so
RPOPis no more secure than standard
pop3sservice, or by using the
stunnelapplication. For more information on securing email communication, see Section 14.5.1, “Securing Communication”.
IMAPserver under Red Hat Enterprise Linux is Dovecot and is provided by the dovecot package. See Section 18.104.22.168, “POP” for information on how to install Dovecot.
IMAPmail server, email messages remain on the server where users can read or delete them.
IMAPalso allows client applications to create, rename, or delete mail directories on the server to organize and store email.
IMAPis particularly useful for users who access their email using multiple machines. The protocol is also convenient for users connecting to the mail server via a slow connection, because only the email header information is downloaded for messages until opened, saving bandwidth. The user also has the ability to delete messages without viewing or downloading them.
IMAPclient applications are capable of caching copies of messages locally, so the user can browse previously read messages when not directly connected to the
POP, is fully compatible with important Internet messaging standards, such as MIME, which allow for email attachments.
SSLencryption for client authentication and data transfer sessions. This can be enabled by using the
imapsservice, or by using the
stunnelprogram. For more information on securing email communication, see Section 14.5.1, “Securing Communication”.
pop3-loginprocesses which implement the
POP3protocols are spawned by the master
dovecotdaemon included in the dovecot package. The use of
POPis configured through the
/etc/dovecot/dovecot.confconfiguration file; by default
POP3together with their secure versions using
SSL. To configure
POP, complete the following steps:
- Edit the
/etc/dovecot/dovecot.confconfiguration file to make sure the
protocolsvariable is uncommented (remove the hash sign (
#) at the beginning of the line) and contains the
pop3argument. For example:
protocols = imap pop3 lmtpWhen the
protocolsvariable is left commented out,
dovecotwill use the default values as described above.
- Make the change operational for the current session by running the following command as
systemctl restart dovecot
- Make the change operational after the next reboot by running the command:
systemctl enable dovecotCreated symlink from /etc/systemd/system/multi-user.target.wants/dovecot.service to /usr/lib/systemd/system/dovecot.service.
NotePlease note that
dovecotonly reports that it started the
IMAPserver, but also starts the
POP3require connecting clients to authenticate using a user name and password. By default, passwords for both protocols are passed over the network unencrypted.
- Edit the
/etc/dovecot/conf.d/10-ssl.confconfiguration to make sure the
ssl_protocolsvariable is uncommented and contains the
ssl_protocols = !SSLv2 !SSLv3These values ensure that
dovecotavoids SSL versions 2 and also 3, which are both known to be insecure. This is due to the vulnerability described in POODLE: SSLv3 vulnerability (CVE-2014-3566). See Resolution for POODLE SSL 3.0 vulnerability (CVE-2014-3566) in Postfix and Dovecot for details.
- Edit the
/etc/pki/dovecot/dovecot-openssl.cnfconfiguration file as you prefer. However, in a typical installation, this file does not require modification.
- Rename, move or delete the files
- Execute the
/usr/libexec/dovecot/mkcert.shscript which creates the
dovecotself signed certificates. These certificates are copied in the
/etc/pki/dovecot/privatedirectories. To implement the changes, restart
dovecotby issuing the following command as
systemctl restart dovecot
dovecotcan be found online at http://www.dovecot.org.