MAIL MANAGEMENT
********************************************

Sections:
  Intro
  Postfix
    Essential Details
    Aliases
    Relaying
    Logging
    Notes
  Imap
    Intro
    Essential Details
    SSL Nonsense
    Client Config
    Notes
  References
********************************************

Intro -

We use postfix as our mail agent. Postfix talks by the SMTP protocol to receive and send any email sent to the computer, bigbro.biophys.cornell.edu. Postfix runs as a family of related daemons that are constantly listening to the SMTP port.

IMAP is a protocol for remotely reading and modifying mailboxes. We use the UW IMAP daemon via SSL to allow users to read and write to their mail boxes. There are a wide variety of client programs for talking to an IMAP server. IMAP only reads!!! Sending is usually a postfix problem.

***************************
Postfix Essential Details -
*********************************

Installing    - YaST2, NETWORK/DAEMON section.
Documentation - /usr/share/doc/packages/postfix

Daemon fired up by /etc/rc.d/rc5.d/S11postfix
  works independently of inetd.conf
  can be given commands like "reload" to get it to re-read its config.
  should be running at all times.

Config - /etc/postfix
  main.cf   --> almost everything.
  master.cf --> tells the postfix daemon family how to get on. Try not to touch.

Whenever you change the settings files get postfix to reload with
  /etc/rc.d/postfix reload

Aliases and Forwarding -
*******************************************

Aliases and Forwarding are used to direct mail from one email address to others.
  Example 1. - Direct mail for postmaster@bigbro to a real person.
  Example 2. - Direct mail for user lois to her new mail server.

Two ways to do it.
  1. Alias File
  2. Forwarding from user directory.

1. Alias File

Located in /etc/aliases. The format is just lines like
  nobody: root
  adam: finnefro@sas.upenn.edu
Each line does a redirect. Once you've finished editing aliases compile with
  /usr/bin/newaliases
This compiles the file /etc/aliases.db. Type man aliases for more info.
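Alias entries chain (postmaster -> root -> adam -> an outside address), and a chain that circles back on itself is the classic way to break local delivery. As an added example, not from the original notes, here is a small sh/awk script that expands a name through an /etc/aliases-style file the way local delivery walks it after newaliases, one target per line, and reports a loop instead of recursing forever. The alias file content is constructed for the demo; the real /etc/aliases is never touched.

```shell
#!/bin/sh
# Added example, not from the original notes: expand an address through an
# /etc/aliases-style file, following alias -> alias chains and refusing to
# loop. POSIX sh + awk only, so it runs offline; the alias file below is a
# constructed sample, not the real /etc/aliases.

ALIASES_SAMPLE='# constructed sample of /etc/aliases (not the real file)
postmaster: root
abuse: postmaster
root: adam
adam: finnefro@sas.upenn.edu
nobody: root
lois: lois@newmail.example.edu
staff: adam, lois
loop-a: loop-b
loop-b: loop-a
'

# resolve_alias FILE NAME
# Prints the final delivery targets for NAME, one per line. A name with no
# alias entry is a terminal target (a local user or an external address).
# An alias chain that cycles prints "LOOP:<name>" instead of recursing forever.
resolve_alias() {
    awk -v start="$2" '
        # Skip comments and blank lines; parse "name: target1, target2".
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/#.*/, "", line)
            n = index(line, ":")
            if (n == 0) next
            name = substr(line, 1, n - 1); gsub(/[ \t]/, "", name)
            rhs  = substr(line, n + 1);    gsub(/[ \t]/, "", rhs)
            map[name] = rhs
        }
        # Depth-first expansion; "seen" holds the names on the current path.
        function expand(name,    k, parts, i) {
            if (name in seen)   { print "LOOP:" name; return }
            if (!(name in map)) { print name; return }
            seen[name] = 1
            k = split(map[name], parts, ",")
            for (i = 1; i <= k; i++) expand(parts[i])
            delete seen[name]
        }
        END { expand(start) }
    ' "$1"
}

# resolve_sample NAME: the same walk against the constructed sample above.
resolve_sample() {
    tmp=$(mktemp)
    printf '%s' "$ALIASES_SAMPLE" > "$tmp"
    resolve_alias "$tmp" "$1"
    rm -f "$tmp"
}

# Demo: postmaster and abuse both end up at adam's outside address,
# staff fans out to two targets, loop-a is reported as a loop.
for who in postmaster abuse staff lois loop-a; do
    echo "$who -> $(resolve_sample "$who" | xargs)"
done
```

To check the live file, call resolve_alias /etc/aliases postmaster (or any name) before running newaliases; a LOOP: line means the edit should not be compiled.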
2. Forwarding from user directory

Can also use a .forward file in user accounts.

If you get fancier than this go for Masquerading, the Relocated Table or the Virtual Table.

Relaying -
******************************************

Relaying allows users from computers other than BIGBRO to forward their mail through bigbro. Only authenticated users should be able to relay mail. Otherwise anyone can make their mail appear to originate from BIGBRO. Thus, there are two problems.
  1. Authenticate users wanting to relay mail.
  2. Set general mail handling rules to relay properly for both authenticated users and others just sending mail to bigbro.

1. Authenticated SMTP -

Look at the document smtp_secure1.txt. Should be able to do it so each user just authenticates with the same password as they have in /etc/shadow. However, unable to get that to go with the present version. Therefore use the SASL authentication scheme. It's painful but it works.

Steps.
  1. Edit /usr/lib/sasl/smtpd.conf to read
       pwcheck_method: sasldb
  2. Modify postfix to allow SASL users. This is the change to /etc/postfix/main.cf
       smtpd_sasl_auth_enable = yes
       smtpd_sasl_security_options = noanonymous, noplaintext
       smtpd_recipient_restrictions = permit_mynetworks,
           permit_sasl_authenticated, check_relay_domains
  3. Generate sasl users. Passwords are stored in /etc/sasldb.
     List users with
       /usr/sbin/sasldblistusers
     Create a new user with
       saslpasswd -c -u twd.biophys.cornell.edu "username"
     You'll be prompted for the password. Note the "-u" option that sets the "domain" (realm). This must match the domain set for postfix in /etc/postfix/main.cf, usually $myhostname.
     If you list a user it should look like,
       user: toombes realm: twd.biophys.cornell.edu mech: DIGEST-MD5
       user: toombes realm: twd.biophys.cornell.edu mech: PLAIN
       user: toombes realm: twd.biophys.cornell.edu mech: CRAM-MD5
     There's more info in /etc/postfix/sample-auth.conf

2. Sensible relay rules

Preventing spamming is known as UCE control. Check the UCE section of the postfix docs.
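Whatever restrictions end up in main.cf, the evidence of whether they actually work is in the mail log (see Logging below): relay refusals, SASL logins, and sessions accepted with no login at all. As an added example, not from the original notes, here is a sh script that pulls those three things out of Postfix smtpd log lines. The log lines are constructed for the demo; their shape follows Postfix's smtpd logging ("reject: RCPT from host[ip]: ... Relay access denied", "client=host[ip], sasl_method=..., sasl_username=..."), and the file path is whatever you pass in, /var/log/mail on this box.

```shell
#!/bin/sh
# Added example, not from the original notes: pull the relaying picture out
# of Postfix smtpd log lines (on this box they land in /var/log/mail).
# Three questions an admin asks after changing smtpd_recipient_restrictions:
#   1. which clients were refused with "Relay access denied", and how often
#   2. who relayed after SASL authentication (sasl_username=...)
#   3. which sessions were accepted without SASL (should only be $mynetworks)
# The log lines below are constructed for the demo.

LOG_SAMPLE='Mar  3 10:15:01 bigbro postfix/smtpd[2104]: connect from unknown[10.1.2.3]
Mar  3 10:15:02 bigbro postfix/smtpd[2104]: reject: RCPT from unknown[10.1.2.3]: 554 <victim@example.org>: Relay access denied; from=<spam@example.net> to=<victim@example.org>
Mar  3 10:15:02 bigbro postfix/smtpd[2104]: reject: RCPT from unknown[10.1.2.3]: 554 <other@example.org>: Relay access denied; from=<spam@example.net> to=<other@example.org>
Mar  3 10:16:00 bigbro postfix/smtpd[2110]: 1A2B3C4D5E: client=dialup.example.com[192.0.2.7], sasl_method=CRAM-MD5, sasl_username=toombes
Mar  3 10:16:01 bigbro postfix/smtpd[2110]: disconnect from dialup.example.com[192.0.2.7]
Mar  3 10:20:13 bigbro postfix/smtpd[2130]: 9F8E7D6C5B: client=localhost[127.0.0.1]
Mar  3 10:21:45 bigbro postfix/smtpd[2142]: reject: RCPT from unknown[198.51.100.9]: 554 <x@example.org>: Relay access denied; from=<a@example.net> to=<x@example.org>
'

# relay_denials LOGFILE -> "count client", busiest client first
relay_denials() {
    grep 'Relay access denied' "$1" \
      | sed -n 's/.*RCPT from \([^:]*\):.*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# sasl_relays LOGFILE -> "user client" for every SASL-authenticated session
sasl_relays() {
    sed -n 's/.*client=\([^,]*\),.*sasl_username=\([^, ]*\).*/\2 \1/p' "$1"
}

# unauth_accepts LOGFILE -> clients whose mail was accepted with no SASL login;
# anything here that is not in $mynetworks means the restrictions are too loose
unauth_accepts() {
    grep 'client=' "$1" | grep -v 'sasl_username=' \
      | sed -n 's/.*client=\([^,]*\).*/\1/p'
}

# relay_report LOGFILE: the three answers, in order
relay_report() {
    echo "== relay denials (count client) =="; relay_denials "$1"
    echo "== SASL-authenticated relays (user client) =="; sasl_relays "$1"
    echo "== accepted without SASL (expect only \$mynetworks) =="; unauth_accepts "$1"
}

# Demo against the constructed sample; on the server: relay_report /var/log/mail
sample=$(mktemp)
printf '%s' "$LOG_SAMPLE" > "$sample"
relay_report "$sample"
rm -f "$sample"
```

The third list is the one worth watching: with mynetworks set to just our machine and localhost, every entry there should read localhost[127.0.0.1] or 128.253.36.43; any other address means an unauthenticated client got through.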
The line
  smtpd_recipient_restrictions = permit_mynetworks,
      permit_sasl_authenticated, check_relay_domains
means:
  permit_mynetworks         --> accept mail from the IP numbers in $mynetworks. Set the network as,
                                  mynetworks = 128.253.36.43/32, 127.0.0.0/8
                                so just our machine and localhost.
  permit_sasl_authenticated --> accept mail from anyone authenticated by SASL.
  relay_domains             --> a list of IP numbers we trust, set in main.cf.

Logging -
*********************************

Logging seems to go to /var/log/mail mostly. Usually fairly informative. Logs all relaying and messages sent.

Notes -
**********************************

Check FILTER_README, LINUX_README, basic.html.

Starting Postfix on a system that did have sendmail running can be messy. A reboot is not a bad idea.

Postfix calls the C library routines gethostbyname() and gethostbyaddr() in order to find out the SMTP client hostname. These library routines use several system configuration files in order to satisfy the request. They may in fact end up calling the DNS for reasons that are not under control by Postfix. Depending on your system, these controlling files can be named /etc/nsswitch.conf, /etc/svcorder, /etc/host.conf or otherwise. Those files specify whether the C library routines will use local /etc/hosts before or after DNS.

*************************
Imap Intro -

IMAP is just a protocol, like POP, that allows you to access email remotely. IMAP differs from POP in that it allows you to delete and move messages in multiple mail folders. A server running IMAP has a daemon listening to TCP port 143 (port 993 for SSL IMAP). External users connect to the daemon and authenticate a session. Then they may read mail, delete mail, copy mail or make new mailboxes.

(NB. IMAP only works on the mailbox. It does not SEND mail. That's postfix/sendmail's job. Also, IMAP isn't great with mailer-specific files.)

There are two flavours of IMAP - Cyrus and UW.

Cyrus IMAP keeps everyone's mail within a single database.
The IMAP daemon runs as user Cyrus and external users connect to it to access the database. Only Cyrus may read the database. It's very secure, but requires all mail be put into the database and then left to Cyrus.

UW IMAP functions much more like the old POP daemons used to (indeed, you get a free POP daemon with UW IMAP). Mail is still kept in whatever format you like (mailbox, mbox, etc.) and can be accessed by multiple means. The UW IMAP server listens to port 143, authenticates you and then allows you to read/create/edit your email willy-nilly. It isn't very secure, and it isn't very efficient, but it's commonly used as a good way to transfer to cyrus.

We're running UW IMAP via STUNNEL for security. STUNNEL acts like a pipe, sending decrypted info to IMAP and encrypted info out.

Essential details -

We're running the UW IMAP server as SuSE supplies it - imap-2000c-110.rpm. There are no config files. If you want to change the configuration you compile it in.
  Daemon        - /usr/sbin/imapd
  Documentation - /usr/src/packages/SOURCES/imap-2000c

IMAP is piped through STUNNEL to allow SSL capability. We use version openssl-0.9.6b-34 and stunnel-3.14-94. The certificate for STUNNEL is in /etc/stunnel/stunnel.pem; see the SSL Nonsense section for how to make a new certificate.
  Daemon        - /usr/sbin/stunnel
  Documentation - /usr/share/doc/packages/stunnel
  Certificate   - /etc/stunnel/stunnel.pem

You can run IMAP stand-alone or via tcp-wrappers. The former is recommended, but I can't get IMAP to listen to the files /etc/hosts.allow and /etc/hosts.deny. Instead, IMAP runs through tcp-wrappers with the line,
  imaps stream tcp nowait root /usr/sbin/tcpd /usr/sbin/stunnel -l /usr/sbin/imapd imapd
in /etc/inetd.conf. That is, IMAP is on port imaps (993) via tcp-wrappers using STUNNEL to pipe the SSL through to imapd.
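The stunnel certificate at /etc/stunnel/stunnel.pem is the piece that most often goes wrong: the common name has to be the server name the clients are configured with, the file has to hold both the key and the certificate, and it has to be mode 600. As an added example, not from the original notes, here is a sh script that builds such a certificate non-interactively and checks those three things before anything is installed. It differs from the interactive openssl command in the SSL Nonsense section in that -subj supplies the subject, the key and certificate are written to separate files and then joined, and -newkey rsa:2048 is given explicitly; the CN, the output path and the 999-day lifetime are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original notes: make a self-signed certificate
# for stunnel with the common name set to the server clients are told to use
# (Eudora insists they match), then check the result before installing it
# as /etc/stunnel/stunnel.pem. Requires the openssl command-line tool.
# Paths and the CN are assumptions for the demo; run as root to install
# under /etc/stunnel.

# make_stunnel_pem CN OUTFILE [DAYS]
make_stunnel_pem() {
    cn=$1; out=$2; days=${3:-999}
    work=$(mktemp -d)
    (
        umask 077   # key material is never world-readable, even briefly
        openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
            -subj "/CN=$cn" \
            -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
        # stunnel reads both the key and the certificate from the one PEM file
        cat "$work/key.pem" "$work/cert.pem" > "$out"
    )
    rm -rf "$work"
    chmod 600 "$out"
}

# cert_cn PEMFILE -> the common name inside the certificate
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
      | sed 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/'
}

# check_stunnel_pem PEMFILE EXPECTED_CN -> 0 if usable by stunnel, 1 otherwise
check_stunnel_pem() {
    pem=$1; want=$2
    [ "$(find "$pem" -prune -perm 600)" = "$pem" ] \
        || { echo "bad mode on $pem (want 600)"; return 1; }
    grep -q 'BEGIN .*PRIVATE KEY' "$pem" \
        || { echo "no private key in $pem"; return 1; }
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null \
        || { echo "certificate expired or unreadable"; return 1; }
    [ "$(cert_cn "$pem")" = "$want" ] \
        || { echo "CN is '$(cert_cn "$pem")', clients expect '$want'"; return 1; }
    echo "$pem ok: CN=$want"
}

# Demo: build a cert for the server address the clients are configured with.
# For real use, write to /etc/stunnel/stunnel.pem instead of a temp file.
demo=$(mktemp)
make_stunnel_pem 128.253.36.43 "$demo"
check_stunnel_pem "$demo" 128.253.36.43
rm -f "$demo"
```

Run check_stunnel_pem /etc/stunnel/stunnel.pem 128.253.36.43 after any cert change; a CN mismatch there is exactly the condition that makes Eudora reject the connection.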
If you want a non-SSL IMAP there's a commented-out line for plain imap,
  #imap stream tcp nowait root /usr/sbin/tcpd /usr/sbin/imapd

Thus, access to IMAP is regulated by the files /etc/hosts.allow and /etc/hosts.deny. The service is known as imapd for tcp-wrappers.

Files -
  /etc/inetd.conf
  /etc/hosts.allow
  /etc/hosts.deny

Logging -
  Log info for imapd appears in /var/log/mail.
  Log info for stunnel appears in /var/log/secure.

SSL Nonsense -

Because we're running one daemon through another things can get complicated. You can run imapd without stunnel to check the imapd part is working. Can run imapd in the foreground. Let's assume you've got that part working.

Stunnel is best studied in the foreground running from the command line. Remove all references to imap and stunnel from inetd first.
  stunnel -f -d 993 -D 7 -l /usr/sbin/imapd -- imapd
The -d 993 tells it to listen to the imaps port.
The -f option keeps stunnel in the foreground.
The -D 7 tells it to give maximum debugging info.

A critical thing with stunnel is the SSL certificate. Generate the certificate with the command,
  /usr/bin/openssl req -new -x509 -nodes -days 999 -out stemp.pem -keyout stemp.pem
This will prompt you for various details to generate an SSL certificate. The critical one, for Eudora at least, is to set the "common name" = domain server. Thus, if your email config is to the server 128.254.46.43 you must make this your common name. Otherwise Eudora will throw a fit and that's that. Other mail programs don't seem to be as picky.

Anyway, once you've made a valid cert, rename it as /etc/stunnel/stunnel.pem and do a chmod 600 as root. The main thing is to read error messages carefully. There's lots of helpful advice on the web.

Clients -
**************************

Unix Pine as a Client

Get a moderately modern version of pine in rpm form.
(4.30 fine). Edit /home/USERNAME/.pinerc
  smtp-server = 128.253.36.43/user=toombes
  inbox-path = {128.253.36.43/user=toombes/ssl/novalidate-cert}INBOX
  folder-collections = {128.253.36.43/user=toombes/ssl/novalidate-cert}mail/[]

This is for the IP 128.253.36.43, using the username toombes both for IMAP and for sending via SMTP. Don't have to do that.
  ssl                forces it to use the Secure Socket Layer rather than the newer Transport Layer Security (TLS).
  novalidate-cert    gets it calm about us not doing SSL properly.
  inbox              is the INBOX
  folder-collections are your MAIL FOLDERS

****************************************
PC Pine as a Client.

Downloaded pnk444.zip from the UW PINE webpage. Good info within PC-PINE itself for config. Just edit .pinerc. Edited and changed:

  # Over-rides your full name from Unix password file. Required for PC-Pine.
  personal-name=Gil Toombes

  # Your login/e-mail user name
  user-id=toombes

  # Sets domain part of From: and local addresses in outgoing mail.
  user-domain=twd.biophys.cornell.edu

  # List of SMTP servers for sending mail. If blank: Unix Pine uses sendmail.
  smtp-server=128.253.36.43

  # NNTP server for posting news. Also sets news-collections for news reading.
  nntp-server=

  # Path of (local or remote) INBOX, e.g. ={mail.somewhere.edu}inbox
  # Normal Unix default is the local INBOX (usually /usr/spool/mail/$USER).
  inbox-path={128.253.36.43/user=toombes/ssl/novalidate-cert}INBOX

  # List of directories where saved-message folders may be. First one is
  # the default for Saves. Example: Main {host1}mail/[], Desktop mail\[]
  # Syntax: optnl-label {optnl-imap-hostname}optnl-directory-path[]
  folder-collections="Mail on 128.253.36.43" {128.253.36.43/user=toombes/ssl/novalidate-cert}mail/[]

****************************************
Eudora

Got files using BEAR ACCESS at Cornell. Using version 5.1 of Eudora. Supposed to have some stability problems.
Setup is all via windows junk. Using the left-most window pick out "Personalities". Set dominant as what you want. Right click to edit properties of the dominant personality.

Generic Properties
  Login Name                    : Your Name
  SMTP Server                   : IP Number of Server
  Default Domain                : twd.biophys.cornell.edu
  Secure Sockets When Sending   : Never
  Incoming Mail Server          : 128.253.36.43
  Config                        : IMAP
  IMAP Prefix                   : /home/toombes/mail
  Authentication Style          : Cram-MD5
  Secure Sockets When Receiving : Required, Alternate Port

Note: very picky about Certificates. When you first try to connect it will reject the self-signed certificate. This is when you must go to the "last SSL session" on the personality and approve the Cert.

************************************
Outlook

Easy. But, you need plain text authentication allowed for SMTP.

************************************
Notes -

Do we want to bind stunnel IPs so it doesn't look like localhost is logging in all the time to imapd?
Can we do something about address folders so they're transportable?

*************************
References

"Managing IMAP"                 - O'Reilly Press and Cornell Library.
/etc/postfix                    --> has example config files for different scenarios.
smtp_secure1.txt                --> good description of secure SMTP.
Configuring_PC_Pine.html        --> University of Oxford notes on how to set up PC PINE.
Mail_Admin.pdf                  --> Linux mail administrator HOWTO.
ssl_imap1.html, ssl_imap2.html  --> directions for how to implement SSL and IMAP including creating a certificate.