It has been a while since the last big update of my email server configuration. For years it has been running solid as a rock, based on Exim/Dovecot with an LDAP-backed configuration.
You may ask: Why change a running system?
One of the things that bugged me for months was the fact that I am using self-signed certificates on that server. That means that all email clients have been set to accept ANY SSL certificate without further checks (at least manual pinning or something similar would be great). So any evil hacker in a public WiFi network could use SSL interception to get my username and password. To eliminate this risk, replacing the self-signed certificates with ones signed by a well-known CA (I’d never call them trustworthy!) would probably be enough, but who really wants such a simple solution?
So in addition to replacing the self-signed certificates, I decided to add some extra security by implementing application-specific passwords. Google users may already know how they work; for all others, here comes a little introduction: application-specific passwords allow users to create a unique password for each application that interacts with the email server. That means that regular user passwords, which are often used for other services as well, need neither be stored in email clients nor ever be transmitted via SMTP, IMAP or POP3. The whole setup could be hardened even more by creating a whole new username-password combination for each application, but that seems a little over the top to me.
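As an added illustration (not code from this post or from its Roundcube plugin), here is a minimal Python model of the scheme: a hypothetical per-account store of hashed application-specific passwords, an authenticator for the mail protocols that accepts only those passwords, and per-client revocation. The data classes, the 16-letter password format and PBKDF2 with 200,000 rounds are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AppPassword:
    label: str      # which client this password was issued to, e.g. "phone"
    salt: bytes
    digest: bytes   # only the hash is stored, never the cleartext


@dataclass
class Account:
    username: str
    # Hypothetical store: one entry per application, keyed by its label.
    # The regular (webmail) password deliberately lives elsewhere, so the
    # mail-protocol authenticator below cannot accept it at all.
    app_passwords: Dict[str, AppPassword] = field(default_factory=dict)


def generate_app_password(account: Account, label: str) -> str:
    """Issue a random password for one client; return the cleartext exactly once."""
    if label in account.app_passwords:
        raise ValueError(f"label {label!r} already in use")
    # 16 random lowercase letters (~75 bits): strong, yet easy to type into a client
    cleartext = "".join(secrets.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(16))
    salt = secrets.token_bytes(16)
    account.app_passwords[label] = AppPassword(label, salt, _hash(cleartext, salt))
    return cleartext


def authenticate_mail_client(account: Account, candidate: str) -> Optional[str]:
    """SMTP/IMAP/POP3 login: accept only app-specific passwords; return the matching label."""
    for ap in account.app_passwords.values():
        if hmac.compare_digest(_hash(candidate, ap.salt), ap.digest):
            return ap.label   # the label also tells you which device just logged in
    return None


def revoke_app_password(account: Account, label: str) -> bool:
    """Lock out one lost or compromised client without touching the others."""
    return account.app_passwords.pop(label, None) is not None
```

Because each client has its own credential, a stolen phone password can be revoked on its own, and the label returned on login tells you which device authenticated.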
As I also wanted to easily support multiple email domains in the future, I completely moved away from the LDAP backend, which was a partial replica of the LDAP database I use at home to authenticate my family's accounts, to a MySQL-backed setup. To reduce complexity and be more flexible in the future, I also made Dovecot my MDA (LMTP) and authentication service (SASL).
One thing I also had to solve was that no tool exists that lets users manage their application-specific passwords. As I have been using Roundcube Webmail for years now and am still more than happy with it, I decided to make Roundcube the one and only tool I provide users for managing their email settings, including the application-specific passwords. I therefore developed a corresponding plugin, which has meanwhile been published on GitHub. Access to Roundcube is possible only with the normal user password BUT additionally requires a one-time password created with Google Authenticator (or a compatible app).
Now you know what I did and why I did it. I know that you now want to know how I actually implemented that setup, but unfortunately you must be patient. I’ll reproduce the setup in a brand new LXC container in order to provide a series of blog posts with precise instructions on how to set this up yourself within the next two weeks. So stay tuned!