Monday, August 28, 2006

Secure IMAP with Dovecot and SSL

In common with many other older protocols, IMAP traffic is sent in clear text, so anyone on the network path can eavesdrop on mail or steal passwords. Like other modern IMAP servers, Dovecot provides ways to improve this: you can either use a secure authentication method such as CRAM-MD5 (which protects only the password, not the mail itself) or encrypt the whole session using SSL. I've configured my Fedora Core 5 server to use SSL.

By default on FC5 Dovecot allows the following protocols:

imap imaps pop3 pop3s

To only allow imaps we must set:

protocols = imaps

in /etc/dovecot.conf

The server also ships with a dummy "localhost.localdomain" X.509 certificate in /etc/pki/dovecot, which should be replaced with your own self-signed certificate (or, even better, one signed by a CA). A script is provided ( /usr/share/doc/dovecot-1.0/examples/mkcert.sh ) to automate the process, but two files must be modified first. Since mkcert.sh has not been written specifically for FC5, we must change the locations in the script so that they look like:

#!/bin/sh

# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.

OPENSSL=${OPENSSL-openssl}
# FC5 keeps Dovecot's certificate material under /etc/pki/dovecot, not /etc/ssl
#SSLDIR=${SSLDIR-/etc/ssl}
SSLDIR=${SSLDIR-/etc/pki/dovecot}
OPENSSLCONFIG=${OPENSSLCONFIG-/etc/pki/dovecot/dovecot-openssl.cnf}

# These paths must match the SSL certificate and key settings in /etc/dovecot.conf
CERTFILE=$SSLDIR/certs/dovecot.pem
KEYFILE=$SSLDIR/private/dovecot.pem


Of course, these values should match what is in /etc/dovecot.conf, but the above is good for a default install. Next, update /etc/pki/dovecot/dovecot-openssl.cnf to reflect the local country code, organisation and common name (something other than localhost.localdomain!). All that is then required is to run "mkcert.sh" followed by "service dovecot restart", after which any mail clients will need to be configured for SSL.
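As an added example (not part of the original post), here is a small Python checker that applies the two points above to a server's files: it flags any clear-text protocol left in the protocols line, and it expands the ${VAR-default} and $VAR assignments in mkcert.sh to confirm that CERTFILE and KEYFILE agree with dovecot.conf. It assumes the Dovecot 1.0 directive names ssl_cert_file and ssl_key_file, and the two inputs are constructed excerpts rather than real files.

```python
import re

# Constructed sample inputs (not taken from the original post).
DOVECOT_CONF = """\
# /etc/dovecot.conf, constructed excerpt
protocols = imap imaps
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
"""
MKCERT_SH = """\
#SSLDIR=${SSLDIR-/etc/ssl}
SSLDIR=${SSLDIR-/etc/pki/dovecot}
CERTFILE=$SSLDIR/certs/dovecot.pem
KEYFILE=$SSLDIR/private/dovecot.pem
"""
CLEARTEXT = {"imap", "pop3"}  # protocols that carry passwords unencrypted

def parse_conf(text):
    """Return {key: value} for 'key = value' lines, ignoring comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_mkcert(text):
    """Evaluate VAR=... lines, expanding ${VAR-default} and $VAR references."""
    env = {}
    for line in text.splitlines():
        match = re.match(r"^\s*([A-Z_]+)=(.*)$", line)
        if not match:  # also skips commented-out lines such as '#SSLDIR=...'
            continue
        name, raw = match.groups()
        raw = re.sub(r"\$\{(\w+)-([^}]*)\}", lambda m: env.get(m.group(1), m.group(2)), raw)
        raw = re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), ""), raw)
        env[name] = raw
    return env

def audit(conf_text, mkcert_text):
    """Return findings; an empty list means the setup follows the post's advice."""
    conf, env = parse_conf(conf_text), parse_mkcert(mkcert_text)
    findings = []
    clear = sorted(set(conf.get("protocols", "").split()) & CLEARTEXT)
    if clear:
        findings.append("clear-text protocols enabled: " + " ".join(clear))
    for conf_key, sh_var in (("ssl_cert_file", "CERTFILE"), ("ssl_key_file", "KEYFILE")):
        if conf.get(conf_key) != env.get(sh_var):
            findings.append(f"{conf_key} does not match mkcert.sh {sh_var}")
    return findings
```

Run audit() against the real /etc/dovecot.conf and the edited mkcert.sh; once the protocols line reads "imaps" only and the paths agree, it returns no findings.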

Friday, August 11, 2006

CUPS Browsing

The CUPS print software ships with the browse support (or rather the broadcast component of the server) disabled. Once enabled, all clients should be able to detect and browse all printers on the server. There are basically three possible configurations (in /etc/cups/cupsd.conf) for broadcast:

BrowseAddress aaa.bbb.ccc.ddd
BrowseAddress @LOCAL
BrowseAddress @IF(name)

The first specifies a broadcast address such as 192.168.0.255. The second broadcasts to all local networks, ignoring point-to-point links (dial-up) and the like. The last limits broadcasts to a single interface, so "BrowseAddress @IF(eth0)" only broadcasts on device eth0.

By default the server will accept incoming browse packets from any address, so if you wish to restrict access you can use the "BrowseAllow" or "BrowseDeny" directives, as in:

BrowseDeny badhost.example.net (requires "HostNameLookups On")
BrowseDeny 192.168.1.10
BrowseDeny @IF(eth1)

Friday, August 04, 2006

Solaris and man page troubles

After a fresh install of Solaris I was unable to use "man -k" as I was getting:

/usr/share/man/windex: No such file or directory

The solution is to run "catman -w" and all is well.