[PLUG] Roundcube as an alternative...
Brian P. Martin
plugng3 at martinconsulting.com
Tue Apr 11 16:37:21 UTC 2017
On 04/11/2017 07:21 AM, plug-request at lists.pdxlinux.org wrote:
> Frustrated with Horde Webmail, I switched to RoundCube. Unfortunately,
> I am using in the clear port 25 smtp and in the clear port 143 imap.
> Can't figure out how to configure postfix and dovecot otherwise. Horde
> will probably work with in the clear imap and in the clear smtp, but
> this isn't acceptable if I access email remotely over the Internet.
You can certainly configure Postfix and RoundCube to use secure ports.
You probably need to leave port 25 open for inbound mail from other
organizations (unless this is a send-only mail server), but you don't
need to use port 25 to accept submission of outbound mail from you,
even if you're on the road at the time. Most sites configure port 587
for "submission" of outbound e-mail, and it's configured to require
encryption and a login. This is done in Postfix, as Dovecot doesn't get
involved in outbound mail except possibly for authentication. There's
more than one way to do it, but here's one implementation. I don't do
these all that often, but I think the basics are all here. Others can
chime in to correct anything I've missed.
1) Add the following to master.cf

submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_reject_unlisted_sender=yes
  -o smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

2) Add the following to main.cf

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot

3) Make any necessary adjustments to your firewall for port 587.
4) Add the necessary pieces to Dovecot to allow Postfix to authenticate
through it. See below. Or, use some other authentication mechanism to
check passwords.
That will take care of the sending side of things. You can also
configure Dovecot to accept encrypted IMAP (aka IMAP/S) connections,
typically on port 993, so you can pick up your mail securely. I find
the following items in my Dovecot configuration that are relevant.
Different distributions structure Dovecot configuration files
differently (some have everything in one file, others break things out
into separate files in various ways), but as long as all the pieces are
accounted for you should be fine. Again, others are encouraged to
correct me on anything I missed.

service imap-login {
}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

service imap-login {
  inet_listener imap {
    port = 0
  }
}

ssl = yes
ssl_cert = </usr/local/etc/ssl/mail.example.com/mail.example.com.crt # Insert your path and file name here
ssl_key = </usr/local/etc/ssl/mail.example.com/mail.example.com.key # Ditto
ssl_ca = </usr/local/etc/ssl/ca-cert # Ditto
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

protocol imap {
}

Interestingly, as I review this, I don't see references to 993. The
imap-login port = 0 turns off 143, so apparently 993 is on by default
(possibly because SSL is present).
You'll need to update RoundCube to connect using the new 587 and 993
ports once they're available, and you'll want SSL to access RoundCube to
protect your login credentials for RoundCube.
That should get you started. Let me know if you have problems or need
more detail. We can take this off-list if you think that's appropriate.
-B.
--
--------------------
Brian P. Martin, Chief Consultant
Martin Consulting Services, Inc.
Phone: 503-617-4500
E-mail: Brian at MartinConsulting.com
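
Added example, not part of the message above and not Postfix code: a small Python check that reads master.cf text the way Postfix does (a line starting with whitespace continues the previous one) and reports whether the submission entry from step 1 makes TLS and login mandatory. The sample entries are constructed from the message, and only the plain `-o name=value` form is assumed.

```python
import re

# Constructed samples: the entry from the message (abridged) and a weak variant.
GOOD = """\
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""
WEAK = """\
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated
"""

def logical_lines(text):
    """Join continuation lines: master.cf continues a line that starts with whitespace."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def submission_overrides(text):
    """Return the -o name=value overrides on 'submission inet', or None if absent."""
    for line in logical_lines(text):
        if line.split()[:2] == ["submission", "inet"]:
            return dict(m.groups() for m in re.finditer(r"-o\s+(\w+)=(\S*)", line))
    return None

def audit(text):
    """Findings for the submission entry; only master.cf overrides are consulted."""
    o = submission_overrides(text)
    if o is None:
        return ["no 'submission inet' service defined"]
    findings = []
    if o.get("smtpd_tls_security_level") != "encrypt":
        findings.append("TLS is not mandatory on submission")
    if o.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("SASL login is not enabled on submission")
    relay = o.get("smtpd_relay_restrictions", "").split(",")
    if "permit_sasl_authenticated" not in relay or relay[-1] != "reject":
        findings.append("relay restrictions do not end in reject")
    return findings
```

If the `-o` lines lose their leading whitespace, they no longer belong to the submission entry and `audit` reports all three findings. On a live system, `postconf -M submission/inet` prints the entry as Postfix itself parsed it.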