IPv6 only IMAP server

Because why not.

I have an IPv6 only virtual machine hosted at Mythic Beasts. Sadly, I don’t have much time to play with it these days, so I’m retiring it next month. Meanwhile, I’ve got something working which I thought ought to be possible but failed at the last time I tried…

I participate in the minority sport of hosting my own e-mail. That means I run an IMAP server which mail clients can view and search messages using. For myself, I have native IPv6 on my home internet connection, but when I’m out and about, my mobile phone is still IPv4 only, and most of my relatives who I host mail for are v4 only too. Mythic and others have blogged at length on hosting websites behind their IPv4-to-IPv6 reverse proxy, but can it handle IMAP?

$ nc -vv proxy.mythic-beasts.com 993                                 (01/04 17:06)
DNS fwd/rev mismatch: proxy.mythic-beasts.com != rproxy46-hex-a.mythic-beasts.com
DNS fwd/rev mismatch: proxy.mythic-beasts.com != rproxy46-sov-a.mythic-beasts.com
proxy.mythic-beasts.com [46.235.225.189] 993 (imaps) open

The fact that they’ve got it listening on the standard port for IMAP over SSL is encouraging. Let’s give it a go…

Prerequisites

In addition to your IPv6 only VM, you’ll need a domain and you’ll need to point some DNS. The examples below assume you’ve CNAMEd imap6.example.com to proxy.mythic-beasts.com.

Part 1: Install and configure Dovecot

Couldn’t be easier if we’re using Debian:

# apt-get install dovecot-imapd

Configuring Dovecot to properly store mail is beyond the scope of this article, so we’ll just do some minimal setup.

Part 2: SSL

It’s 2017, and SSL certificates are free. So let’s get some.

# apt-get install dehydrated apache2 dehydrated-apache2

The Apache server is only necessary because I’m taking the path of least resistance to getting SSL certificates from letsencrypt, which involves them verifying control over the domains using HTTP based challenges. You could set up Mythic’s DNS API to eliminate the need for this.

Once you’ve done this, edit /etc/dehydrated/domains.txt to include your domain (e.g. imap6.example.com) and add /etc/dehydrated/conf.d/config.sh containing CONTACT_EMAIL=”you@example.com”.

Having done this, you can run “dehydrated -c”. I’d recommend not running it as root, which means fixing the directory permissions when it falls over the first time. All that sorted, we should now have a directory /var/lib/dehydrated/certs/imap6.example.com/. That means we can go ahead and edit /etc/dovecot/conf.d/11-ssl.conf to read:

ssl = required
ssl_cert = </var/lib/dehydrated/certs/imap6.example.com/fullchain.pem
ssl_key = </var/lib/dehydrated/certs/imap6.example.com/privkey.pem

While you’re there, you should set port=0 on the non-SSL IMAP listener in 10-master.conf, to stop it listening on non-SSL ports.

All that sorted, we can restart Dovecot:

# service dovecot restart

And now we can jump over to a client machine and try it out:

$ ncat --ssl -v imap6.example.com 993
Ncat: Version 6.47 ( http://nmap.org/ncat )
Ncat: SSL connection to 2a00:1098:0:82:1000:3b:1:1:993.
Ncat: SHA-1 fingerprint: 2FB3 9166 A7B7 6552 6215 963C 43D0 824E A02F 9FB3
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.

Assuming all is well, you’ll see the OK response from Dovecot, and when you hit Ctrl-C, you’ll get a line logged in /var/log/syslog on the server complaining about how your client hung up.

At this point, you should be able to try it with a real mail client, e.g. Thunderbird. And you’ll notice that everything in the garden is lovely, except that the logs show all connections coming from Mythic’s proxy, rather than their true source IPs.

Part 3: Proper IP addresses in the logs

Mythic’s proxy supports the PROXY protocol to enable this, but does Dovecot? As it turns out, they added support in 2.2.19, but Debian stable has 2.2.13. Backports to the rescue:

# apt-get install -t jessie-backports dovecot-imapd

Now we need to turn on PROXY support for imap6.example.com using the Mythic control panel. Having done that, I was very impressed with Dovecot – the logging in /var/log/syslog walked me through fixing each mistake I made, starting with needing to configure Dovecot for PROXY:

Edit /etc/dovecot/conf.d/10-master.conf and add haproxy = yes to the imaps listener. The defaults are sensibly secure: to avoid clients spoofing IP addresses, you must provide a whitelist of clients allowed to speak to listeners with haproxy support turned on. That means setting haproxy_trusted_networks in the same file. You can find the necessary IPv6 addresses to space-separate on this page.

Having done that and restarted Dovecot, I moved my laptop over to my guest wifi network (where there is no IPv6), and restarted Thunderbird…

$ grep dovecot /var/log/syslog
Apr  1 17:17:55 test-box dovecot: imap-login: Login: user=<david>, method=PLAIN, rip=192.0.2.1, lip=93.93.129.174, mpid=1234, TLS, session=<...>

Result! The IP quoted as “rip” (remote IP) is the IPv4 one I’m running Thunderbird on. Interestingly, Dovecot has chosen to log the IPv4 of Mythic’s proxy as the local IP (lip).