This documentation is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2 of the
License, or (at your option) any later version.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Street #330, Boston, MA 02111-1307, USA.

=========================================================================

Welcome to Binc IMAP! This is the documentation for v1.2.13final.

Here is a quick guide on how to setup IMAP on your system.

Note that this is not the full documentation for Binc IMAP. You will
find more about the server by viewing the man pages and reading
through the bundled documentation under /usr/local/share/doc.

You can also check out the project home page's FAQ and the Life With
Binc IMAP community documentation site:

http://www.lifewithbincimap.org/

For hints on how to set up different clients with Binc, please visit
the following page:

http://www.lifewithbincimap.org/index.php/Main/IMAPClientsWithBinc

+=======================================================================+
|                                                                       |
|   The following library is required for Binc IMAP to support SSL:     |
|                                                                       |
|                 OpenSSL  - http://www.openssl.org/                    |
|                                                                       |
+=======================================================================+

For instructions on compiling from the tarball, please scroll down.

If you do not plan to modify the original source code, it will suffice
to grab one of the precompiled binary RPM packages from:

http://www.bincimap.org/dl/RPMS

NOTE: These are RedHat/SuSe packages. There are packages available for
Mandrake, Debian and FreeBSD among other distributions. Search for
"Binc IMAP" or "bincimap" on the respective distributions' web sites
to learn more.

If you can't find a precompiled binary that matches your system, you
can grab a source RPM from here:

http://www.bincimap.org/dl/SRPMS

To create RPM packages for your system, you can run the following
command as root:

rpmbuild --rebuild bincimap-a.b.c-d.src.rpm

At the end of the input, you will see where your binary package has
been generated. If the rebuild fails, the package is easy to
build from the tarball.

=========================================================================

Here's how to set up the service when building from the tarball.  Note
that if you experience any problems in this section, do not hesitate
to post your problems to the Binc IMAP mailing list.

----------------------
1) Compile the service
----------------------

./configure
make
make install    # Note: You may need to use "sudo make install"

        Add --enable-static to ./configure to build a static binary
        (a binary that does not depend on the shared libraries on
        the machine it's built on).

        If you want to place the binaries and configuration files in
        a different place from what's default, use the --prefix and
        --sysconfdir arguments to configure.

        To set the location of the log directories (with multilog),
        set --localstatedir. This will also be the location of the
	run scripts (daemontools & xinetd).

        If you want smaller binaries, run "make install-strip" instead
        of "make install".

        To create a self signed SSL certificate, run "make testcert". Read
        more on SSL certificates in README.SSL.

        "make install" will create the following files:

        /usr/local/bin/bincimap-up
        /usr/local/bin/bincimapd
        /usr/local/bin/checkpassword.pl
        /usr/local/bin/tomaildir++
        /usr/local/bin/toimapdir

        /usr/local/share/doc/bincimap-manual.dvi
        /usr/local/share/doc/bincimap-manual.ps

        /usr/local/etc/bincimap.conf
        /usr/local/etc/xinetd/imap
        /usr/local/etc/xinetd/imaps

        /usr/local/var/service/imap/run
        /usr/local/var/service/imap/log/run
        /usr/local/var/service/imaps/run
        /usr/local/var/service/imaps/log/run

        /usr/local/var/log/bincimap
        /usr/local/var/log/bincimap-ssl

--------------------------------
2) Apply necessary configuration
--------------------------------

        Edit the destination bincimap.conf file, which by default is
        installed under /usr/local/etc/bincimap.conf. Check each
        individual setting.

         * Note the location of your server's SSL PEM-encoded
           certificate. If you do not have one, you can run "make testcert"
           to create a test certificate.
         * Note the default path to users' mail depot, relative to the
           users' home directories. If the depot directory is ~/Maildir,
           set path = "Maildir". If the depot is the current directory,
           set path = ".". Remember that if you're using
           IMAPdir, the depot needs to have a mailbox called INBOX.
         * Use the man pages bundled with the distribution, under
           the man/ directory.

        You can read more about this in the bundled FAQ under the
        doc/ directory.

        If using daemontools' supervise, tcpserver and multilog,
        create multilog directores.

mkdir -p /usr/local/var/log/bincimap{,-ssl}
chown nobody.nobody /usr/local/var/log/bincimap{,-ssl}

        xinetd users will be more familiar with using syslog.

----------------------------
3) Install the service files
----------------------------

        With xinetd:

        Edit /usr/local/etc/xinetd/bincimap and
        /usr/local/etc/xinetd/bincimaps and check that the locations
        of configuration files and binaries are correct.

        Note the location of your checkpassword authenticator in
        particular, and use the man pages to find what options you need
        to pass.

        You may also want to symlink them to /etc/xinetd.d instead
        of copying the files.

ln -s /usr/local/etc/xinetd/bincimap /etc/xinetd.d/imap
ln -s /usr/local/etc/xinetd/bincimaps /etc/xinetd.d/imaps
service xinetd restart

        With daemontools' supervise:

        Edit /usr/local/etc/service/bincimap/run,
        /usr/local/etc/service/bincimap/log/run,
        /usr/local/etc/service/bincimaps/run and
        /usr/local/etc/service/bincimaps/log/run and
        check that the locations are correct.
        Note the location of your authenticator in particular.

        Then copy or symlink the service files in place.

ln -s /usr/local/etc/service/bincimap /service/imap
ln -s /usr/local/etc/service/bincimaps /service/imaps

----------------------------
4) Securing your service
----------------------------

        - It's a good thing to not allow users to pass their passwords
          over a plain text connection. Require that your users enable
          SSL by setting this option in your Authentication section
          in bincimap.conf:

            allow plain auth in non ssl = "no"

        - Binc IMAP allows users to retry a login if the password they
          submit is wrong. To make it harder for malicious users to
          brute force passwords, Binc IMAP allows you to make it sleep
          for a certain number of seconds after a failed password. You
          can set this to 0, for no penalty, but this is a recommended
          value:

            auth penalty = 4

        - The bincimap-up stub channels input to and output from the
          main IMAP server. It does this in what we call a "chroot
          jail". Make sure you set the path to an empty directory on
          your server, preferable one in which a certain unprivileged
          user has no rights:

            Security {
                jail path = "/usr/local/bin",
                jail user = "nobody",
                jail group = "nobody"
            }

Happy IMAPing! With these settings your copy of Binc IMAP should be
operational.  For more information, please check out the man pages and
FAQ.
                                                   Andy :-)

=========================================================================
Tell us what you think about this server! Post any problems, remarks
or comments to:

The Binc IMAP mailing list <binc@bincimap.org>
The Binc IMAP Developers' mailing list <binc-dev@bincimap.org>

Author: Andreas Aardal Hanssen <andreas-binc@bincimap.org>

This documentation is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2 of the
License, or (at your option) any later version.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Street #330, Boston, MA 02111-1307, USA.

=========================================================================

Quick guide to SSL certificates with Binc IMAP.

Table of contents:

0. Introduction
1. To generate a private key and certificate request
2. To generate a private key and self-signed certificate
3. To generate a private key and CA signed certificate, acting as
   one's own CA.

For more information, check out the project home page's FAQ and
the Life With Binc IMAP community documentation site:

http://www.lifewithbincimap.org/

=========================================================================

0. Introduction
---------------

The are two ways to enable SSL on Binc IMAP. One is to use an SSL
tunnel (http://www.stunnel.org/), the other is to use Binc IMAP's
native SSL support. If you compiled Binc with SSL support, the latter
is much easier to set up.

To use SSL with Binc IMAP, you need a private key and a certificate.

A private key is a random string of bits that is secret to your host.
If this key is compromised, your SSL server will no longer provide
significant security for your users.

The certificate is among the first things the server sends to a
client. The client uses this certificate to make certain that it is
communicating with the correct host. To do this, it needs to check the
certificate with a trusted third party certificate, known as a CA
certificate.

There are in general two types of certificates:

- CA signed certificates
- Self signed certificates

CAs, or Certificate Authorities, are used by clients to verify the
authenticity of a certificate. If you want an official CA to verify
your certificate, you need to send a "certificate request".  Usually
for a certain price, a signed certificate is returned to you. If you
do not wish to use an official CA, you can act as your own CA and
create your own CA signed certificates.

A certificate is not valid unless it is signed. If it is self signed,
the clients can not verify its identity. In that sense, a self signed
certificate is only useful in a test environment. The client can not
identify the server if the server uses a self-signed certificate.

The general idea is:

* If you are testing an SSL enabled server, generate a self-signed
test certificate.

* If you want to provide an SSL enabled service on a closed network,
create a CA certificate and a signed host certificate, then install
the CA certificate on all clients on the network.

* If you want to provide an SSL enabled service on an open network
such as the Internet, use an official CA to sign your certificate.

1. To generate a private key and certificate request
----------------------------------------------------

Quick hit: "make cert".

To generate a private key and a certificate request, the following
openssl command can be used:

openssl req -newkey rsa:1024 -keyout bincimap.key -nodes -days 365 -out bincimap.crq

Inside bincimap.crq is a certificate request in PEM encoding, which
basically means the certificate is base64 encoded and enclosed in a
start string that says "BEGIN CERTIFICATE REQUEST" and an end string
that says "END CERTIFICATE REQUEST".

Submit this request file to a CA such as Thawte
(http://www.thawte.com/) or Verisign (http://www.verisign.com/). When
you receive the signed certificate from them, store this in a file
called bincimap.crt.

The file contains the PEM encoded certificate, and it is enclosed in
a start string that says "BEGIN CERTIFICATE" and an end string that
says "END CERTIFICATE".

Copy the contents of both these files into a file called
"bincimap.pem" and place this file at a location that is read-only for
the bincimap-up process (typically root).

Then edit bincimap.conf, go to the SSL section and set the path of
this file in the "pem file" option.

You're now ready to use Binc IMAP with SSL.

2. To generate a private key and self-signed certificate
--------------------------------------------------------

Quick hit: "make testcert".

To generate a private key and a self-signed certificate, the following
openssl command can be used:

openssl req -newkey rsa:1024 -keyout bincimap.key -x509 -nodes -days 365 -out bincimap.crt

Copy the contents of the generated bincimap.key and bincimap.crt files
into a file called "bincimap.pem" and place this file at a location
that is read-only for the bincimap-up process (typically root).

Then edit bincimap.conf, go to the SSL section and set the path of
this file in the "pem file" option.

You're now ready to test Binc IMAP with SSL.

3. To generate a private key and CA signed certificate, acting as
   one's own CA.
------------------------------------------------------------------

Look up the guides on LifeWithBincIMAP.org:

http://lifewithbincimap.org/index.php/Main/DoItYourselfCertificateAuthority
http://lifewithbincimap.org/index.php/Main/SettingUpYourOwnSSLCertificationAuthority

You're now ready to use Binc IMAP with SSL.

Happy IMAPing!
                                                   Andy :-)

=========================================================================
Tell us what you think about this server! Post any problems, remarks
or comments to:

The Binc IMAP mailing list <lists-bincimap@infeline.org>

Author: Andreas Aardal Hanssen <andreas-binc at bincimap.org>

This documentation is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2 of the
License, or (at your option) any later version.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Street #330, Boston, MA 02111-1307, USA.

=========================================================================

Welcome to Binc IMAP! This is the documentation for v@VERSION@.

Here is a quick guide on how to setup IMAP on your system.

Note that this is not the full documentation for Binc IMAP. You will
find more about the server by viewing the man pages and reading
through the bundled documentation under @datadir@/doc.

You can also check out the project home page's FAQ and the Life With
Binc IMAP community documentation site:

http://www.lifewithbincimap.org/

For hints on how to set up different clients with Binc, please visit
the following page:

http://www.lifewithbincimap.org/index.php/Main/IMAPClientsWithBinc

+=======================================================================+
|                                                                       |
|   The following library is required for Binc IMAP to support SSL:     |
|                                                                       |
|                 OpenSSL  - http://www.openssl.org/                    |
|                                                                       |
+=======================================================================+

For instructions on compiling from the tarball, please scroll down.

If you do not plan to modify the original source code, it will suffice
to grab one of the precompiled binary RPM packages from:

http://www.bincimap.org/dl/RPMS

NOTE: These are RedHat/SuSe packages. There are packages available for
Mandrake, Debian and FreeBSD among other distributions. Search for
"Binc IMAP" or "bincimap" on the respective distributions' web sites
to learn more.

If you can't find a precompiled binary that matches your system, you
can grab a source RPM from here:

http://www.bincimap.org/dl/SRPMS

To create RPM packages for your system, you can run the following
command as root:

rpmbuild --rebuild bincimap-a.b.c-d.src.rpm

At the end of the input, you will see where your binary package has
been generated. If the rebuild fails, the package is easy to
build from the tarball.

=========================================================================

Here's how to set up the service when building from the tarball.  Note
that if you experience any problems in this section, do not hesitate
to post your problems to the Binc IMAP mailing list.

----------------------
1) Compile the service
----------------------

./configure
make
make install    # Note: You may need to use "sudo make install"

        Add --enable-static to ./configure to build a static binary
        (a binary that does not depend on the shared libraries on
        the machine it's built on).

        If you want to place the binaries and configuration files in
        a different place from what's default, use the --prefix and
        --sysconfdir arguments to configure.

        To set the location of the log directories (with multilog),
        set --localstatedir. This will also be the location of the
	run scripts (daemontools & xinetd).

        If you want smaller binaries, run "make install-strip" instead
        of "make install".

        To create a self signed SSL certificate, run "make testcert". Read
        more on SSL certificates in README.SSL.

        "make install" will create the following files:

        @bindir@/bincimap-up
        @bindir@/bincimapd
        @bindir@/checkpassword.pl
        @bindir@/tomaildir++
        @bindir@/toimapdir

        @datadir@/doc/bincimap-manual.dvi
        @datadir@/doc/bincimap-manual.ps

        @sysconfdir@/bincimap.conf
        @sysconfdir@/xinetd/imap
        @sysconfdir@/xinetd/imaps

        @localstatedir@/service/imap/run
        @localstatedir@/service/imap/log/run
        @localstatedir@/service/imaps/run
        @localstatedir@/service/imaps/log/run

        @localstatedir@/log/bincimap
        @localstatedir@/log/bincimap-ssl

--------------------------------
2) Apply necessary configuration
--------------------------------

        Edit the destination bincimap.conf file, which by default is
        installed under @sysconfdir@/bincimap.conf. Check each
        individual setting.

         * Note the location of your server's SSL PEM-encoded
           certificate. If you do not have one, you can run "make testcert"
           to create a test certificate.
         * Note the default path to users' mail depot, relative to the
           users' home directories. If the depot directory is ~/Maildir,
           set path = "Maildir". If the depot is the current directory,
           set path = ".". Remember that if you're using
           IMAPdir, the depot needs to have a mailbox called INBOX.
         * Use the man pages bundled with the distribution, under
           the man/ directory.

        You can read more about this in the bundled FAQ under the
        doc/ directory.

        If using daemontools' supervise, tcpserver and multilog,
        create multilog directores.

mkdir -p @localstatedir@/log/bincimap{,-ssl}
chown nobody.nobody @localstatedir@/log/bincimap{,-ssl}

        xinetd users will be more familiar with using syslog.

----------------------------
3) Install the service files
----------------------------

        With xinetd:

        Edit @sysconfdir@/xinetd/bincimap and
        @sysconfdir@/xinetd/bincimaps and check that the locations
        of configuration files and binaries are correct.

        Note the location of your checkpassword authenticator in
        particular, and use the man pages to find what options you need
        to pass.

        You may also want to symlink them to /etc/xinetd.d instead
        of copying the files.

ln -s @sysconfdir@/xinetd/bincimap /etc/xinetd.d/imap
ln -s @sysconfdir@/xinetd/bincimaps /etc/xinetd.d/imaps
service xinetd restart

        With daemontools' supervise:

        Edit @sysconfdir@/service/bincimap/run,
        @sysconfdir@/service/bincimap/log/run,
        @sysconfdir@/service/bincimaps/run and
        @sysconfdir@/service/bincimaps/log/run and
        check that the locations are correct.
        Note the location of your authenticator in particular.

        Then copy or symlink the service files in place.

ln -s @sysconfdir@/service/bincimap /service/imap
ln -s @sysconfdir@/service/bincimaps /service/imaps

----------------------------
4) Securing your service
----------------------------

        - It's a good thing to not allow users to pass their passwords
          over a plain text connection. Require that your users enable
          SSL by setting this option in your Authentication section
          in bincimap.conf:

            allow plain auth in non ssl = "no"

        - Binc IMAP allows users to retry a login if the password they
          submit is wrong. To make it harder for malicious users to
          brute force passwords, Binc IMAP allows you to make it sleep
          for a certain number of seconds after a failed password. You
          can set this to 0, for no penalty, but this is a recommended
          value:

            auth penalty = 4

        - The bincimap-up stub channels input to and output from the
          main IMAP server. It does this in what we call a "chroot
          jail". Make sure you set the path to an empty directory on
          your server, preferable one in which a certain unprivileged
          user has no rights:

            Security {
                jail path = "@bindir@",
                jail user = "nobody",
                jail group = "nobody"
            }

Happy IMAPing! With these settings your copy of Binc IMAP should be
operational.  For more information, please check out the man pages and
FAQ.
                                                   Andy :-)

=========================================================================
Tell us what you think about this server! Post any problems, remarks
or comments to:

The Binc IMAP mailing list <binc@bincimap.org>
The Binc IMAP Developers' mailing list <binc-dev@bincimap.org>

Author: Andreas Aardal Hanssen <andreas-binc@bincimap.org>