Differences between revisions 18 and 19
Revision 18 as of 2009-04-16 14:10:18
Size: 12825
Comment: Mail directory on IMAP sever
Revision 19 as of 2009-04-17 13:57:45
Size: 12834
Comment:
Line 154: Line 154:
 * in the "Server Settings" select '''TLS''' and '''Use secure authentication'''  * in the "Server Settings" select '''TLS''' and deselect '''Use secure authentication'''
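Review bot: the changed bullet on line 154 reverses the instruction for '''Use secure authentication''' from select to deselect, but the revision comment is empty, so the history gives no reason for the reversal. Record the reason in the comment or next to the bullet, and state there that with this option off the login depends on '''TLS''' staying selected.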

The IMAP Server imap.ifh.de

There is a new IMAP server imap.ifh.de which is now in a testing phase. It provides all the features that the old IMAP servers on mail.ifh.de and mail1.ifh.de had. According to limited testing by a few users, the server seems to be fully operational.

Main characteristics of the IMAP server

The IMAP server is based on the most recent release of dovecot (1.2beta4 as of March 31, 2009). It has been built with support for the sieve language (new implementation of the language for dovecot, version 0.1.4) and also implements the managesieve protocol as a dovecot addon (version 0.11.3). The following features are compiled in and configured:

  • Authentication using GSSAPI (Kerberos5) or Username/Password in combination with TLS/SSL
  • INBOXes are stored in the /var/spool/mail/<username> directories using the Maildir format

  • An additional namespace #mbox is available to store mails in mbox format
  • Read-only gzipped mail folders in mbox format are possible (using them currently needs admin support)
  • Maildir Quota is activated
  • Mail folders on the server can only be accessed using IMAP, there is no NFS or AFS access possible.
  • Mail is received only from within the ifh.de domain using postfix
  • Mail is delivered by default to the INBOXes using dovecot's deliver program
  • deliver can use so-called sieve filters (RFC 5228) to influence the mail transfer
  • The managesieve protocol has been integrated into dovecot to remotely create, modify and delete sieve scripts

Using the new IMAP server

To use the new server, the mail routing information on our central mail server mail.ifh.de is changed from the current maildrop (typically <username>@mail.ifh.de) to <username>@imap.ifh.de.

/!\ This can only be done by an administrator by changing the information in the file /var/forward/<username>

The following sections describe the use of imap.ifh.de as the primary IMAP mail server

The mail stores

  • INBOX: By default, mail is delivered to the INBOX on imap.ifh.de. The folder format currently used is 'Maildir', which stores individual mails in separate files. That guarantees much faster delivery of and access to mails and avoids the locking problem that occurs in conjunction with AFS. The INBOX is stored on a local file system on imap.ifh.de and is only accessible by IMAP clients.

  • Local folders: When mail is saved somewhere, all mail clients offer to store mail in local folders. That is typically a subdirectory of the home directory such as ~/mail or ~/Mail. The folder format is the traditional mbox format, which means one file per mail folder. The advantage is local access to the mails, but working with mbox folders is slow and the locking problem exists.

  • Folders on the mail server: Besides the INBOX, users can keep other mail folders on the mail server. Depending on their purpose, the mail folders are classified into so-called namespaces, which are configured by the administrator of the server. There is always a default namespace and optionally others such as #shared, #public, #news or #mbox. Storing mails in folders of the appropriate namespace works as follows:

      • Default Namespace: The client only needs to tell the mail server the folder name; mail is then stored in the default namespace in the folder with the given name. We have configured the default namespace to use the Maildir format, as with INBOX. Mails in folders on the server are accessible from all mail clients that support IMAP, i.e. basically worldwide access after successful authentication.

      • mbox Namespace: If mails are stored in the #mbox namespace, the traditional mbox format is used. Access is faster than for local mbox folders as additional indexing information is stored. The only advantage is that these folders can be gzipped and then take less space on the mail server. Gzipped mbox folders are for obvious reasons read-only. To store mails in such folders, the folder name has to be prefixed with #mbox/

      • public Namespace: This does not exist yet, but it will become a place where mails are stored that can be accessed by all authenticated users. Use cases are archives of mailing lists of general interest.

      • shared Namespace: This will be available in the future to allow a group of users to share mails. Use cases are archives of dedicated mailing lists.

Authentication

The recommended way of authenticating is using Kerberos5 by presenting a valid ticket from the DESY.DE or IFH.DE realm. If a computer outside DESY is used then a Kerberos 5 ticket should be obtained before starting your mail reader.

This can be achieved with the command

kinit <username>@DESY.DE or
kinit <username>@IFH.DE

Access to the IMAP server is always encrypted. This means the TLS or SSL protocol must be used. This also means that on the client side (the computer from which you start the mail reader) certificates have to be installed to be able to decrypt the server responses. Please see the mail reader specific sections for details on how to do that.

Authentication using username and password is possible as well. Both authentication methods have successfully been tested with alpine and thunderbird, while in Outlook Kerberos5 authentication is not working yet.
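
A client-side check for the username/password path described above, as an added example that is not part of the original page: it refuses to send the password unless STARTTLS succeeded with certificate and host name verification. The function names and the sample capability lists are constructed for illustration; the imaplib and ssl calls are from the Python standard library.

```python
import imaplib
import ssl

# Constructed sample CAPABILITY lists (not captured from imap.ifh.de).
PRE_TLS = ("IMAP4REV1", "STARTTLS", "LOGINDISABLED", "AUTH=GSSAPI")
POST_TLS = ("IMAP4REV1", "AUTH=GSSAPI", "AUTH=PLAIN")


def tls_context(capath=None):
    """TLS context that verifies the certificate chain and the host name."""
    ctx = ssl.create_default_context(capath=capath)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def next_step(capabilities, tls_active):
    """Return 'starttls', 'login' or 'abort' for a password login."""
    caps = {c.upper() for c in capabilities}
    if not tls_active:
        # Never send the password in clear text: upgrade first or give up.
        return "starttls" if "STARTTLS" in caps else "abort"
    # RFC 3501: LOGINDISABLED means the server rejects the LOGIN command.
    return "abort" if "LOGINDISABLED" in caps else "login"


def password_login(host, user, password, capath=None):
    """Log in on port 143 with STARTTLS; raises before any password is sent
    if the upgrade or the certificate verification fails."""
    conn = imaplib.IMAP4(host)
    try:
        if next_step(conn.capabilities, tls_active=False) != "starttls":
            raise RuntimeError("server does not offer STARTTLS")
        conn.starttls(ssl_context=tls_context(capath))  # verifies the chain
        if next_step(conn.capabilities, tls_active=True) != "login":
            raise RuntimeError("LOGIN still disabled after STARTTLS")
        conn.login(user, password)
        return conn
    except Exception:
        conn.shutdown()  # close the socket without sending anything further
        raise
```

Pass the certificate directory from the mail client sections (for example /etc/ssl/certs) as capath when the DFN chain is not in the system default store.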

Mail Filtering

The IMAP server has an integrated filter called sieve that is engaged whenever new mail is delivered to the INBOX on imap.ifh.de. The filter language is described in http://www.ietf.org/rfc/rfc5228.txt.

Filters can be created using a web interface and get installed on imap.ifh.de in the location /var/spool/sieve/<username>.sieve. If there is no user defined filter then the global filter default.sieve is engaged:

require "fileinto";
if header :contains "X-Spam-Level" "*****" {
  fileinto "junk";
}

It filters all spam mails into the folder junk on the mail server, i.e. it is not a local folder. More sophisticated mail filters can be created using the web interface. Using the basic mode (the default) guarantees that syntactically correct filters are created without knowledge of the sieve language syntax. Advanced users can write their own sieve script. If there is no syntax error, a (compiled) .svbin file is generated; otherwise a .sieve.err file is written that contains the error message. As it resides on the mail server, only administrators get access to these files. Therefore usage of the advanced mode is not recommended.

Creating your own filter rules should be simple, as the web interface is fairly intuitive. Only the complete removal of your own filter scripts is somewhat tricky. It can be achieved by selecting "Advanced options", then writing "default" into the "Delete script name" field, selecting the "No" button beneath "Activate Script?" and then clicking on "Save changes".
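
What default.sieve does with a given message, as an added example that is not part of the original page: a small Python model of the Sieve header test, applied to constructed messages. It assumes the X-Spam-Level header carries one * per point of spam score (the SpamAssassin convention; the page does not name the scanner), so :contains "*****" acts as a threshold of five or more; all function names are hypothetical.

```python
from email import message_from_string


def header_test(msg, match_type, names, keys):
    """Sieve 'header' test (RFC 5228) with :is or :contains.

    Header names are case-insensitive, every occurrence of a header is
    checked, and values compare case-insensitively (lower() stands in for
    the default i;ascii-casemap comparator)."""
    for name in names:
        for value in msg.get_all(name, []):
            value = value.strip().lower()
            for key in keys:
                key = key.lower()
                if match_type == "contains" and key in value:
                    return True
                if match_type == "is" and key == value:
                    return True
    return False


def default_sieve(raw_message):
    """Folder chosen by default.sieve; no match means implicit keep (INBOX)."""
    msg = message_from_string(raw_message)
    if header_test(msg, "contains", ["X-Spam-Level"], ["*****"]):
        return "junk"
    return "INBOX"


def sample(*extra_headers):
    """Build a constructed test message with the given extra header lines."""
    lines = ["From: sender@example.org", "Subject: test", *extra_headers]
    return "\n".join(lines) + "\n\nbody\n"
```

With :is instead of :contains, only a score of exactly five stars would match, which is why the default rule uses the substring form.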

Quota

Currently there is a global mail quota limit of 1000 MB configured. That holds true for each user as long as the attribute mailquota (size in Megabytes) in the vamos account information is not set. The mail quota setting and its current usage can be displayed using the command

  check_inbox -h imap.ifh.de

The displayed usage does not precisely reflect the summed up individual mail sizes on disk. If the mail quota for a user has been changed, the mail client has to be restarted, otherwise the changed quota does not become effective.

Delivery to the INBOX takes place even if the quota is exceeded (up to a total size of 2000 MB). When usage is above that limit, mail delivery is temporarily suspended until the INBOX is cleaned up. If that does not take place for 5 days, mail is bounced back as undeliverable. When the user is over quota, moving mails around is no longer possible; only deleting is still possible.

Mail client specific information

Alpine

Installing the certificates (requires root access)

This step is already done on DESY computers

<!> Notice!
The following procedure needs to be followed if you get warnings concerning certificates

Download chain.txt from the DFN Public Key Infrastructure server and copy the file to

  • /etc/ssl/certs (SuSE, Debian) or
  • /etc/pki/tls/certs (RedHat, Fedora, Scientific Linux, CentOS)

Then change into that directory and issue the command

ln -s chain.txt `openssl x509 -noout -hash -in chain.txt`.0

Configuring alpine by editing .pinerc

Add or modify the following lines in .pinerc:

inbox-path={imap.ifh.de/tls}inbox
# the next line is optional and provides access to the junk folder to train the spam filter
junkmail {mail.ifh.de}#shared/junk
# the local folders (mbox format) and the folders on the server (maildir format)
folder-collections=mail/[],Folders on imap.ifh.de {imap.ifh.de}[]
# pressing <TAB> at the last mail in the INBOX checks and opens the next INBOX
feature-list=...,tab-checks-recent
# immediate startup (for non DESY computers required)
rsh-open-timeout=0

Configuring alpine by using the configure screen of alpine

The configure screen can be accessed from the main menu by selecting the setup menu and then selecting the "(C) Config" screen.

  • Search the keyword "Inbox Path" and set the field to {imap.ifh.de/tls}inbox
  • Search the option "Tab Checks for Recent Messages" and activate it
  • Exit the setup screen by committing the changes, then reenter the setup screen, select "(L) collectionLists"
  • Add a new collection (a) and set Nickname to "Folders on imap.ifh.de", Server to "imap.ifh.de"
  • Exit the screen and commit the changes

To set rsh-open-timeout=0 you may have to

  • Search the option "Expose Hidden Config" and activate it, then leave the configure screen (commit changes)
  • Reenter the configuration screen, search "Rsh Open Timeout", change its value to 0, then leave the configure screen by committing this change.

Using alpine

To move or copy local folders or folders from an old IMAP server to the imap.ifh.de server, do the following:

  • select all messages in the old folder by pressing ; a

  • copy all messages in the folder to a new destination a s {imap.ifh.de} <foldername>

  • remove the delete mark if you want to copy instead of moving the folder a u

  • unselect all messages ; a

Thunderbird

<!> Notice!
The following procedure needs to be followed to avoid certificate warnings

Download the following certificates to your home directory:

Start thunderbird and create a new mail account:

  • Select in the Edit menu "Account Settings" and add a new (email) account
  • Enter your Name and Email address in the appropriate place
  • in the next screen select "IMAP" as server type and enter imap.ifh.de as the incoming server name

  • enter mail.ifh.de as the outgoing server name (SMTP)

  • enter your user name in the field "Incoming User Name"
  • the same name can be entered for the outgoing server (authenticated SMTP) or left blank
  • define an arbitrary account name and press the Finish button

Then in the newly created account change some settings:

  • in the "Server Settings" select TLS and deselect Use secure authentication

  • click on "Advanced..." and unselect "Show only subscribed folders"

To avoid security warnings about certificates that cannot be verified:

  • In the Edit Menu select "Preferences" and there go to "Advanced"
  • In the "Certificates" Menu select "View Certificates" then "Authorities" and click on "Import"
  • Select the three downloaded certificates in the order given above (open it) and check all checkboxes
  • Make sure that you do not enter a value for "IMAP server directory". That field is in Edit->Account Settings->Server Settings->Advanced. The value of that field on mail.ifh.de was usually set to "mail".

To have thunderbird look in all folders for new mail:

  • Open the Config Editor in "Edit" - "Preferences" - "Advanced" - "General"
  • search for the preference mail.check_all_imap_folders_for_new, and change its value to true

IMAPServer (last edited 2017-08-18 14:26:58 by GötzWaschk)