Configuring a POP3 Server with Qpopper


You can take your POP3 server configuration to several different levels. You can simply install the server and let everyone use it; you can run it in standalone mode, which avoids having to run inetd if you don't want to; you can enable "server mode," which enhances performance, depending on your circumstances; and you can enable encrypted sessions through TLS/SSL. These latter options are not mutually exclusive. We'll be looking at each of them in turn.

Basic Qpopper Installation and Configuration

Getting the POP3 service up and running without concerning yourself too much about performance or security is a simple matter. Go to the qpopper directory in the ports collection (/usr/ports/mail/qpopper) and then build and install it from there, as described in Chapter 16. Alternatively, you can install the qpopper package using Sysinstall or the package tools.

Next, you need to enable the POP3 service in the inetd super-server. You do that by adding a line to /etc/inetd.conf. Open up the inetd.conf file in a text editor and find the lines regarding POP3, as shown. Add or uncomment the pop3 service using the following syntax:

# example entry for the optional pop3 server
#
#pop3   stream  tcp     nowait  root   /usr/local/libexec/popper     popper
pop3    stream  tcp     nowait  root   /usr/local/libexec/qpopper    qpopper -s


Note

For legacy purposes, there's also a port that's simply called popper. It is actually Qpopper in an earlier form, and it's generally deprecated by this point. The one you want to use is qpopper.


Now, restart inetd by using the /etc/rc.d/inetd script:

# killall -HUP inetd


You can check to see whether the POP3 service is available now by connecting to port 110 on your machine via Telnet (type QUIT to exit the session):

# telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Qpopper (version 4.0.2) at stripes.example.com starting. <4763.990313780@stripes.example.com>
QUIT
+OK Pop server at stripes.example.com signing off.
Connection closed by foreign host.


If you get this response from the server, congratulations: you have a working POP3 server.

Enabling Standalone Mode

Certain security and configuration settings turn off the inetd super-server; for instance, if you chose not to enable inetd during your system installation, the following line would have been added to your /etc/rc.conf, thus preventing inetd from being run at all:

inetd_enable="NO"


On a security-conscious system, you don't want to have to reenable inetd just so you can run POP3 services. This is what Qpopper's standalone mode is for. It isn't an option available by default, but a quick tweak to the makefile makes it pretty easy.

In /usr/ports/mail/qpopper, edit Makefile and alter CONFIGURE_ARGS to add the --enable-standalone option:

CONFIGURE_ARGS= --enable-apop=${PREFIX}/etc/qpopper/pop.auth \
                --enable-nonauth-file=/etc/ftpusers \
                --with-apopuid=pop --without-gdbm \
                --enable-keep-temp-drop \
                --enable-standalone


Now, run make and make install to build a version of Qpopper that runs in standalone mode. It will still be installed in /usr/local/libexec, though. Don't move it from this location because this will make deinstallation more difficult later.

You'll need to start up the standalone Qpopper process from a script during system boot; this can be done by creating a startup script in /usr/local/etc/rc.d called, for example, qpopper.sh, as you saw in Chapter 14, "System Configuration and Startup Scripts." Make sure that Qpopper isn't enabled in inetd if you do this!

Enabling Server Mode

If your system has only users who access their mailboxes through POP3, where none of the users have shell access or run shell-based, server-side mail programs, you might choose to enable server mode for Qpopper.

Server mode allows Qpopper to run in a streamlined fashion. Instead of copying the mail spool file to a temporary duplicate, locking it, making changes, keeping track of mail that arrives during the session, and merging the locked session spool back to its original location, the server can work directly from the mailbox file itself. Be aware, however, that server mode can be dangerous, particularly if you have users who access their mail spool files through other methods, such as shell-based mail clients or mail programs using IMAP. For that reason, you should use server mode only if your system serves mail exclusively to remote users through POP3, and if it's under enough load for you to consider this performance-boosting measure to be necessary.

You can enable server mode in a number of ways. The easiest is to use the -S switch on the command invocation line, whether in inetd.conf or on the command line if you're using standalone mode:

pop3 stream tcp nowait root /usr/local/libexec/qpopper qpopper -s -S


This will put Qpopper into server mode for all users at all times. You can do it per user, though, or per group, if you prefer. Group control is best done through a configuration file. To make Qpopper use a config file, create one in /usr/local/etc/qpopper (calling it, for example, qpopper.conf) and then indicate it on the command line in inetd.conf with the -f option:

pop3 stream tcp nowait root /usr/local/libexec/qpopper qpopper -s -S -f /usr/local/etc/qpopper/qpopper.conf


Now, in the qpopper.conf file, specify the name of a group to include or exclude from server mode using the group-server-mode or group-no-server-mode keywords. The following example turns server mode on for members of group1 and group2, and off for members of group3:

set group-server-mode=group1
set group-server-mode=group2
set group-no-server-mode=group3


You can also use this technique on a per-user basis. You may choose to configure Qpopper this way if different users on your system want to interact with Qpopper differently: if some want to use it in server mode and others don't. To do so, you need to add the -u switch to the command invocation line (to enable per-user configuration files). Then, each user to whom the mode should apply needs to have a file in his or her home directory called .qpopper.options, which contains the line set server-mode. Alternatively, if you don't want each user to be able to modify his or her .qpopper.options file, use the -U switch instead of -u, and place a corresponding per-user file in /var/mail called .user.qpopper.options (where user is the username in question). This allows you to turn on server mode on an individual basis. Don't use the -S global server mode switch if you do it this way! This will only confuse the program as to whether you mean it to set server mode globally or per user.
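The warning about mixing -S with -u or -U is easy to check mechanically. The following added example (not from the book) parses inetd.conf text, picks out the entries that run qpopper, and reports that conflict along with a dangling -f; the two sample inetd.conf fragments are constructed for the demonstration.

```python
"""Lint qpopper entries in inetd.conf for the switch conflict the text warns about.

Added example, not from the book.  The global -S server-mode switch must not be
combined with per-user configuration (-u or -U); this parses inetd.conf text and
reports that conflict, plus an -f switch with no config file path after it.
"""
import shlex

# Constructed sample entries: the server-mode line from the text, and a bad variant.
GOOD_INETD_CONF = """\
# example entry for the optional pop3 server
#pop3   stream  tcp     nowait  root   /usr/local/libexec/popper     popper
pop3    stream  tcp     nowait  root   /usr/local/libexec/qpopper    qpopper -s -S -f /usr/local/etc/qpopper/qpopper.conf
"""
BAD_INETD_CONF = """\
pop3    stream  tcp     nowait  root   /usr/local/libexec/qpopper    qpopper -s -S -u
"""


def qpopper_entries(text):
    """Yield (service, argv) for each active inetd.conf line whose program is qpopper."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # inetd.conf fields: service socktype proto wait user program [argv0 args...]
        fields = shlex.split(line)
        if len(fields) >= 7 and fields[5].endswith("/qpopper"):
            yield fields[0], fields[6:]


def lint_qpopper_args(argv):
    """Return a list of problems found in one qpopper argument vector."""
    problems = []
    flags = {a for a in argv if a.startswith("-")}
    if "-S" in flags and flags & {"-u", "-U"}:
        problems.append("-S (global server mode) combined with per-user -u/-U")
    if "-f" in argv and argv.index("-f") == len(argv) - 1:
        problems.append("-f given without a config file path")
    return problems


def lint_inetd_conf(text):
    """Map each qpopper service name in inetd.conf text to its list of problems."""
    return {svc: lint_qpopper_args(argv) for svc, argv in qpopper_entries(text)}


if __name__ == "__main__":
    for name, conf in (("good", GOOD_INETD_CONF), ("bad", BAD_INETD_CONF)):
        print(name, lint_inetd_conf(conf))
```

To check a live system, pass the contents of /etc/inetd.conf to lint_inetd_conf() instead of the constructed samples.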

Enabling SSL Encryption

The Secure Sockets Layer (SSL), implemented in FreeBSD by the included OpenSSL libraries, encrypts the traffic of a given service so that even if the packets carrying that service's traffic are captured by an eavesdropper, they can't be descrambled without the proper encryption keys. SSL is most frequently used on web traffic, as you'll see in Chapter 30; however, its use is not limited to HTTP and can be very beneficial on services such as POP3.

By default, Qpopper will build with implicit TLS/SSL support. However, to take advantage of it, you need to create and install security certificates using the OpenSSL library built into FreeBSD. First, create a directory for your certificates:

# mkdir -p -m665 /etc/mail/certs
# chown root:mail /etc/mail/certs
# chmod 660 /etc/mail/certs


Next, use the openssl command to generate a certificate request. This will require you to enter several accurate pieces of information about your organization. (In the example shown here, "..." represents the long interactive session that results in a certificate request file.) Afterward, make sure the permissions on the private key file (cert.pem) only allow root to view it:

# openssl req -new -nodes -out req.pem -keyout /etc/mail/certs/cert.pem
...
# chmod 600 /etc/mail/certs/cert.pem
# chown root:0 /etc/mail/certs/cert.pem


After this is done, you'll need to register the certificate with a Certifying Authority (CA), such as VeriSign, and submit the certificate request in req.pem to the CA. Then you'll get back a signed certificate. Concatenate this onto the end of cert.pem:

# cat signed_req.pem >> /etc/mail/certs/cert.pem


Alternatively, simply replace the old cert.pem with the new signed_req.pem.

Now, add TLS/SSL support to the config file at /usr/local/etc/qpopper/qpopper.conf, restart the server (if it's running in standalone mode), and SSL encryption is yours. Any client that supports SSL will now be able to negotiate a secure connection if configured to do so.

The following lines are what should be added to the qpopper.conf file:

set tls-support = stls
set tls-server-cert-file = /etc/mail/certs/cert.pem
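Once the server is restarted you will want to confirm that it really advertises STLS and that the TLS upgrade succeeds, rather than trusting the config file. The following added example (not from the book) parses the Qpopper greeting shown in the telnet test above and a CAPA reply, and check_server() performs the same checks against a live host; the hostname argument is an assumption.

```python
"""Verify a POP3 server greets like the telnet test above and offers STLS.

Added example, not from the book.  parse_banner() and has_stls() work offline on
captured text; check_server() talks to a live server (host is an assumption) and
upgrades the session with STLS so a misconfigured tls-support setting shows up.
"""
import re
import ssl
import poplib

# Greeting format from the page:
#   +OK Qpopper (version 4.0.2) at stripes.example.com starting. <4763.990313780@stripes.example.com>
# The trailing <...> token is the APOP challenge; a server without APOP omits it.
BANNER_RE = re.compile(
    r"^\+OK Qpopper \(version (?P<version>[0-9.]+)\) at (?P<host>\S+) starting\."
    r"\s*(?P<apop><[^>]+>)?"
)


def parse_banner(banner):
    """Return version, host and APOP challenge (None if absent) from the greeting."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("not a Qpopper greeting: %r" % banner)
    return {"version": m.group("version"), "host": m.group("host"),
            "apop_challenge": m.group("apop")}


def has_stls(capabilities):
    """True if a CAPA response (RFC 2449 capability names) advertises STLS."""
    return any(c.strip().upper() == "STLS" for c in capabilities)


def check_server(host, port=110, timeout=10, cafile=None):
    """Connect, parse the greeting, require STLS, upgrade to TLS and report it.

    Network function, not exercised by the tests.  For the self-signed test
    certificate described in the text, pass cafile="ca.crt" so the CA you created
    is trusted; with a real CA-signed certificate the system store suffices.
    """
    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        info = parse_banner(conn.welcome.decode("ascii", "replace"))
        caps = conn.capa()                        # dict: capability name -> arguments
        if not has_stls(caps):
            raise RuntimeError("server does not advertise STLS; check tls-support")
        ctx = ssl.create_default_context(cafile=cafile)
        conn.stls(context=ctx)                    # fails on an untrusted certificate
        info["tls_version"] = conn.sock.version()
        return info
    finally:
        conn.quit()
```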


Sometimes registering a certificate with a third-party authority is not feasible. If you want, you can emulate a Certifying Authority yourself to create a self-signed certificate that you can use to make sure the system works. However, SSL-enabled clients won't trust this certificate and will require the user to manually approve it before continuing.

First, create the test CA's private key (making sure to remember the passphrase you enter) and then create the CA certificate:

# openssl genrsa -des3 -out ca.key 1024
...
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt


Now, you can self-sign the certificate request you created earlier (req.pem):

# openssl x509 -req -CA ca.crt -CAkey ca.key -days 365 -in req.pem -out signed_req.pem -CAcreateserial


This should allow you to run an SSL-enabled Qpopper server so as to test its functionality. Make sure to get the real CA-signed certificate at some point!

For More Information

Although Qpopper is no longer supported by Qualcomm, its official website is still available at http://www.eudora.com/products/unsupported/qpopper/. It has a lot of useful information, including a PDF document (in the Documentation section) that definitively describes all the possible configuration options of Qpopper. It's written from a Linux viewpoint, so many of the pathnames quoted in the documentation are slightly different from your installation.

Even more information, particularly on the use of configuration files, can be found in the man qpopper page.




FreeBSD 6 Unleashed
ISBN: 0672328755
Year: 2006
Pages: 355
Authors: Brian Tiemann
