I have for some time wanted to get hold of my private emails through my Nokia E90's embedded email client. I used to use the web interface, but that sucks on an E90. Instead I wanted to find a way to use the actual email client on the phone. The email client supports POP3 and IMAP, which are fine if you're not traversing a public network (aka The Internet). Both protocols transmit the username and password in cleartext, and whatever email you read will also be moved to the phone in cleartext. I don't want that!!
As a happy OpenVPN user I would have loved to see a Symbian client, which would have made it very easy for me, but that doesn't exist.
Luckily the two protocols also have SSL/TLS-wrapped implementations (IMAPS and POP3S), which accomplish the privacy part of my wishes. The only catch is that this requires certificates. Personally I like certificates very much; they offer a lot of security (correctly implemented, of course) and can be used in so many places. That view is not shared by many other people though, so I'll try to make it as easy a ride as possible.
Word of caution: Don't use this as an enterprise solution, only for your private mail. If you lose your device, all material on it will be accessible and in cleartext!!
I've chosen to use Dovecot as IMAP server and Postfix as my MTA. I'll get back to the Postfix part later.
You could choose any other IMAP server; only the configuration would be different. Dovecot also has a SASL interface which Postfix can utilize, making sending mail even easier.
First let's start out by creating a self-signed certificate for Dovecot:
openssl req -x509 -days 3650 -newkey rsa:1024 -keyout dovecot.key -nodes -out dovecot.crt
This command creates a self-signed certificate valid for 10 years. The private key (unencrypted) is in the file “dovecot.key” and the certificate is in “dovecot.crt”.
Now for the certificates for Postfix:
openssl genrsa 1024 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
This creates a certificate for Postfix and a CA certificate, again lasting 10 years.
For all the certificates it is vital that the common name (CN) is the name of the server you're connecting to: if you connect by DNS name, that name is the CN; if you connect by IP address, the IP address is the CN.
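As an added example that is not from the original post, here is a small Python helper that does the certificate step non-interactively and then checks the CN rule above against the resulting file. It shells out to the same openssl tool the post uses; mail.example.org is a placeholder for your real server name, and the 2048-bit key size is my choice rather than the post's (1024-bit RSA is no longer considered adequate).

```python
"""Create the self-signed Dovecot certificate and verify its common name.
Added example, not part of the original post.  Requires the openssl binary;
mail.example.org is a placeholder for the name the phone will connect to."""
import re
import subprocess
import tempfile
from pathlib import Path


def make_cert(server_name, prefix, days=3650, bits=2048):
    """Write prefix.key (unencrypted) and prefix.crt, self-signed and valid for
    `days` days.  Same shape as the post's openssl req command, but -subj fills
    in the CN without prompting, and 2048-bit RSA replaces the post's 1024."""
    subprocess.run(
        ["openssl", "req", "-x509", "-days", str(days), "-newkey", f"rsa:{bits}",
         "-nodes", "-keyout", f"{prefix}.key", "-out", f"{prefix}.crt",
         "-subj", f"/CN={server_name}"],
        check=True, capture_output=True)
    return Path(f"{prefix}.crt")


def cert_cn(cert_path):
    """Return the CN from the certificate subject.  With -nameopt RFC2253 the
    output is 'subject=CN=mail.example.org' (OpenSSL 1.0 adds a space)."""
    out = subprocess.run(
        ["openssl", "x509", "-in", str(cert_path), "-noout", "-subject",
         "-nameopt", "RFC2253"],
        check=True, capture_output=True, text=True).stdout
    match = re.search(r"CN=([^,\n]+)", out)
    return match.group(1).strip() if match else None


def cn_matches(cert_path, server_name):
    """True if a client connecting to server_name will see a matching CN."""
    return cert_cn(cert_path) == server_name


def expires_within(cert_path, seconds):
    """True if the certificate expires within `seconds`.  openssl -checkend
    exits 0 when the certificate is still valid after that period, 1 otherwise."""
    result = subprocess.run(
        ["openssl", "x509", "-in", str(cert_path), "-noout", "-checkend", str(seconds)],
        capture_output=True)
    return result.returncode != 0


def self_check(server_name="mail.example.org"):
    """Build a throw-away certificate in a scratch directory and return
    (cn, cn matches server_name, cn matches a wrong name, expires within a year)."""
    with tempfile.TemporaryDirectory() as work:
        crt = make_cert(server_name, f"{work}/dovecot")
        return (cert_cn(crt),
                cn_matches(crt, server_name),
                cn_matches(crt, "192.0.2.10"),   # constructed wrong name
                expires_within(crt, 365 * 24 * 3600))


if __name__ == "__main__":
    cn, ok, wrong, expiring = self_check()
    print(f"CN={cn} matches={ok} matches_wrong_name={wrong} expires_within_a_year={expiring}")
```

Run it once with the name the phone will actually use; if `cn_matches` is false, the phone will keep warning about the certificate no matter how often you accept it.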
Now edit dovecot.conf and insert the following to use your newly created certificates:
ssl_cert_file = /etc/dovecot/ssl/dovecot.crt
ssl_key_file = /etc/dovecot/ssl/dovecot.key
I've found out that my 3G provider doesn't allow 993/tcp through, so I cannot get access from my phone. You can change the port with this setting:
ssl_listen = *:5011
As we want to use SASL through Dovecot you need to insert this:
socket listen {
  client {
    path = /var/spool/postfix/private/auth
    mode = 0660
    user = postfix
    group = postfix
  }
}
This will enable a SASL interface for Postfix. We need SASL to be able to send mail from the phone. We only allow the Postfix user/daemon to access this interface, but if you like you can remove that restriction and allow other programs access. By using Dovecot as the authenticator we can reuse our IMAP user credentials.
Now just restart Dovecot:
sudo invoke-rc.d dovecot restart
First we need to TLS-enable Postfix. Insert the following in main.cf:
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
We want to be able to relay mail externally but not become an open relay (oooh no, too many of them already!!). The problem is that the phone is not coming from a known network (mynetworks), so we have to authenticate against Postfix before allowing relaying.
This is accomplished by inserting “permit_sasl_authenticated” into “smtpd_recipient_restrictions”:
smtpd_recipient_restrictions =
    ...
    ...
    permit_sasl_authenticated
    permit_mynetworks
    ....
To finish up the TLS configuration insert these lines:
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
And the final part, to get Postfix to look into dovecot as an SASL authenticator:
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
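As an added example that is not from the original post, here is a small Python linter for the Postfix settings in this section. It parses the main.cf `key = value` format, including indented continuation lines, and reports the settings that would let the phone's password cross the network in cleartext or turn the server into an open relay: `smtpd_tls_auth_only` must be `yes`, `noanonymous` must be set, and the restriction list (the part elided with “...” above) must end with `reject_unauth_destination` or equivalent after the permits. The two sample configurations are constructed for this example.

```python
"""Lint the Postfix main.cf settings the post relies on.  Added example, not
part of the original post; the sample configurations below are constructed."""
import re

# Restrictions that stop relaying for unauthenticated, non-local clients.
RELAY_STOPS = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_main_cf(text):
    """Parse main.cf text into a dict.  A line that starts with whitespace
    continues the previous parameter's value; '#' lines are comments."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter assignment; skip it
        current = key.strip()
        params[current] = value.strip()
    return params


def tokens(value):
    """Split a restriction or option list into lowercase tokens; Postfix
    accepts both commas and whitespace as separators."""
    return [t for t in re.split(r"[\s,]+", value.lower()) if t]


def audit(params):
    """Return a list of findings (empty when the configuration is sound)."""
    findings = []
    if params.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes: the phone cannot authenticate")
    if params.get("smtpd_tls_auth_only", "no").lower() != "yes":
        findings.append("smtpd_tls_auth_only is not yes: AUTH is offered before STARTTLS, "
                        "so the password can cross the network in cleartext")
    if "noanonymous" not in tokens(params.get("smtpd_sasl_security_options", "")):
        findings.append("smtpd_sasl_security_options lacks noanonymous: "
                        "anonymous SASL logins would count as authenticated")

    recipient = tokens(params.get("smtpd_recipient_restrictions", ""))
    relay = tokens(params.get("smtpd_relay_restrictions", ""))  # Postfix 2.10+
    if "permit_sasl_authenticated" not in recipient + relay:
        findings.append("permit_sasl_authenticated missing: the authenticated phone cannot relay")
    # Without an explicit reject/defer_unauth_destination after the permits,
    # anyone who reaches port 25 can relay through the server.
    if not any(t in RELAY_STOPS for t in recipient + relay):
        findings.append("no reject_unauth_destination or defer_unauth_destination: open relay")
    # Restrictions are evaluated in order and the first permit/reject wins, so
    # permit_sasl_authenticated listed after the reject never takes effect.
    for name, lst in (("smtpd_recipient_restrictions", recipient),
                      ("smtpd_relay_restrictions", relay)):
        stops = [i for i, t in enumerate(lst) if t in RELAY_STOPS]
        if stops and "permit_sasl_authenticated" in lst \
                and lst.index("permit_sasl_authenticated") > stops[0]:
            findings.append(f"{name}: permit_sasl_authenticated comes after the reject "
                            "and never applies")
    return findings


# Constructed sample: the post's settings with the elided restrictions filled in.
GOOD_CF = """
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
"""

# Constructed sample: AUTH allowed before STARTTLS and no reject at the end.
BAD_CF = """
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
"""

if __name__ == "__main__":
    for label, cf in (("good", GOOD_CF), ("bad", BAD_CF)):
        print(label, audit(parse_main_cf(cf)) or ["no findings"])
```

Feed it your real main.cf with `audit(parse_main_cf(open("/etc/postfix/main.cf").read()))`; `noplaintext` is deliberately not demanded, because the phone uses PLAIN/LOGIN and `smtpd_tls_auth_only = yes` is what keeps those mechanisms inside the TLS session.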
To get it all working bounce Postfix:
sudo invoke-rc.d postfix restart
Now all you need to do is point the mail client to your mail server with IMAPS (IMAP with SSL/TLS) and login.
For outgoing mail you point the phone again to the same server and enable authentication. Login is the same as the incoming mail configuration.
The first time you connect, the phone complains that the certificate is not trusted. Check the info in the certificate, make sure it corresponds to the info you put in when you created it, and accept permanently.
Now you should be able to send and receive mail from your phone.