Differences between revisions 47 and 48
Revision 47 as of 2012-11-13 08:47:03
Size: 20366
Comment:
Revision 48 as of 2012-11-20 17:39:56
Size: 20408
Editor: GötzWaschk
Comment: thunderbird offline aussschalten
Line 4: Line 4:
Line 7: Line 6:
Line 10: Line 8:
Line 13: Line 10:

Information on that topic is contained in the talks on email given on Oct. 6 2009 and is still mostly valid: [[http://www-zeuthen.desy.de/technisches_seminar/texte/mail2_okt09.pdf|deutsche]] and
[[http://www-zeuthen.desy.de/technisches_seminar/texte/mail4_okt09.pdf|english]] version
Information on that topic is contained in the talks on email given on Oct. 6 2009 and is still mostly valid: [[http://www-zeuthen.desy.de/technisches_seminar/texte/mail2_okt09.pdf|deutsche]] and [[http://www-zeuthen.desy.de/technisches_seminar/texte/mail4_okt09.pdf|english]] version
Line 28: Line 23:
Line 41: Line 35:
Line 45: Line 38:
Line 57: Line 49:
Line 60: Line 51:
Under Linux/Unix this can be achieved with the command {{{ Under Linux/Unix this can be achieved with the command

{{{
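Review bot: putting the opening `{{{` on its own line after a blank line is the right fix here; a `{{{` that shares a line with prose can be parsed by MoinMoin as an inline code span rather than as a preformatted block, so the kinit command that follows was not reliably set off as its own block. The same change is applied in the later hunks of this revision, so one note covers them.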
Line 62: Line 55:
}}}  }}}
Line 70: Line 63:
Line 71: Line 65:

The IMAP server does have an integrated filter called '''sieve''' that is engaged whenever new mail is delivered to the INBOX on imap.ifh.de. The filter language is described in [[http://www.ietf.org/rfc/rfc5228.txt]].
The IMAP server does have an integrated filter called '''sieve''' that is engaged whenever new mail is delivered to the INBOX on imap.ifh.de. The filter language is described in http://www.ietf.org/rfc/rfc5228.txt.
Line 76: Line 69:
Alternatively the [[https://imap.ifh.de/webmail|squirrelmail]] web mail interface can be used to create filter rules. After login go to the "Filters" page. Also squirrelmail is only accessible within DESY.  Alternatively the [[https://imap.ifh.de/webmail|squirrelmail]] web mail interface can be used to create filter rules. After login go to the "Filters" page. Also squirrelmail is only accessible within DESY.
Line 80: Line 73:
Line 82: Line 74:
Line 93: Line 86:
Line 94: Line 88:
Line 100: Line 93:
Currently there is a global mail quota limit of 1000 MB configured. This is existing for safety reasons only and can be increased for individual users on request. The mail quota setting and its current usage can be displayed using the command {{{ Currently there is a global mail quota limit of 1000 MB configured. This is existing for safety reasons only and can be increased for individual users on request. The mail quota setting and its current usage can be displayed using the command

{{{
Line 103: Line 98:
The displayed usage does not precisely reflect the summed up individual mail sizes on disk.
If the mail quota for a user has been changed, the mail client has to be restarted, otherwise the changed quota does not become effective.
The displayed usage does not precisely reflect the summed up individual mail sizes on disk. If the mail quota for a user has been changed, the mail client has to be restarted, otherwise the changed quota does not become effective.
Line 109: Line 103:
Line 111: Line 104:
Line 113: Line 107:
Line 114: Line 109:
Line 116: Line 110:
||<style="background-color: #CCFFFF;"> <!> '''Notice!'''<<BR>>The following procedure needs to be followed if you get warnings concerning certificates || ||<#CCFFFF> <!> '''Notice!'''<<BR>>The following procedure needs to be followed if you get warnings concerning certificates ||



Line 123: Line 121:
Then change into the directory containing the certs directory, i.e. /etc/ssl, /usr/lib/ssl and /etc/pki/tls respectively. If there is already a file or a symlink with the name cert.pem then remove it or move it out of the way.
You have to create a symlink cert.pem-> certs/chain.txt by executing {{{
Then change into the directory containing the certs directory, i.e. /etc/ssl, /usr/lib/ssl and /etc/pki/tls respectively. If there is already a file or a symlink with the name cert.pem then remove it or move it out of the way. You have to create a symlink cert.pem-> certs/chain.txt by executing

{{{
Line 127: Line 126:
Line 129: Line 127:
Line 132: Line 131:
For each of the downloaded files the following commands have to be issued (make sure you are in the certs directory), otherwise the certificates will not be found: {{{ For each of the downloaded files the following commands have to be issued (make sure you are in the certs directory), otherwise the certificates will not be found:

{{{
Line 136: Line 137:
Line 138: Line 138:
Line 144: Line 143:
inbox-path={imap.ifh.de/tls}inbox
# the folders on the server (maildir format) and the local folders (mbox format) 
inbox-path={
}inbox
# the folders on the server (maildir format) and the local folders (mbox format)
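Review bot: the new version of the inbox-path line shows up as `inbox-path={` and `}inbox` on two lines with the server part missing, whereas the old line was the single `inbox-path={imap.ifh.de/tls}inbox`. Whatever split it (the next hunk turns the same path into a wiki link), a user copying this into .pinerc needs the complete line; keep it verbatim inside the `{{{ ... }}}` block.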
Line 158: Line 158:
 * Search the keyword "Inbox Path" and set the field to {imap.ifh.de/tls}inbox  * Search the keyword "Inbox Path" and set the field to {[[http://imap.ifh.de/tls|imap.ifh.de/tls]]}inbox
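Review bot: `{[[http://imap.ifh.de/tls|imap.ifh.de/tls]]}inbox` turns the alpine inbox path into a hyperlink to http://imap.ifh.de/tls, but this is an IMAP mailbox specification, not a web address; it will render as a clickable link and a reader copying it gets the wrong text. Keep the old plain `{imap.ifh.de/tls}inbox`, wrapped in a `{{{ }}}` span if the wiki would otherwise auto-link it.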
Line 163: Line 163:
Line 164: Line 165:
Line 169: Line 171:
Line 175: Line 178:
Line 176: Line 180:
Line 178: Line 181:

||<style="background-color: #CCFFFF;"> <!> '''Notice!'''<<BR>>The following procedure needs to be followed to avoid certificate warnings||
||<#CCFFFF> <!> '''Notice!'''<<BR>>The following procedure needs to be followed to avoid certificate warnings ||



Line 181: Line 187:
Line 185: Line 192:
Line 187: Line 195:
When the server configuration has been automatically found, please then change the email address to your officiall address firstname.lastname@desy.de. If you entered the desy.de address in the first place then proceed as follows:
When the server configuration has been automatically found, please then change the email address to your officiall address firstname.lastname@desy.de . If you entered the desy.de address in the first place then proceed as follows:
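Review bot: "officiall" is misspelled in both the old and the new line (should be "official"), and the new line inserts a space before the full stop after firstname.lastname@desy.de; if the space is there to keep the wiki from absorbing the period into the address link, a `{{{ }}}` span around the address achieves that without the odd spacing.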
Line 191: Line 201:
 * the same name can be entered for the outgoing server (authenticated SMTP) or left blank   * the same name can be entered for the outgoing server (authenticated SMTP) or left blank
Line 193: Line 203:
Line 194: Line 205:
Line 199: Line 211:
Line 200: Line 213:
Line 204: Line 218:
 * Make sure that you '''do not enter a value for "IMAP server directory"'''. That field is in Edit->Account Settings->Server Settings->Advanced. The value of that field on mail.ifh.de was usually set to "mail".   * Make sure that you '''do not enter a value for "IMAP server directory"'''. That field is in Edit->Account Settings->Server Settings->Advanced. The value of that field on mail.ifh.de was usually set to "mail".
Line 206: Line 221:
 * Open the Config Editor in "Edit" - "Preferences" - "Advanced" - "General" 
* Open the Config Editor in "Edit" - "Preferences" - "Advanced" - "General"
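Review bot: the new line drops the leading space before `*`; MoinMoin only recognises list items that are indented by at least one space, so `* Open the Config Editor ...` will render as a paragraph starting with a literal asterisk instead of the bullet it was. Restore the leading space.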
Line 208: Line 224:

Please disable the offline storage of emails in the AFS home directory:

 * Go to "Edit" - "Account Settings" - "Synchronization & Storage" and uncheck "Keep messages for this account on this computer"
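Review bot: the added paragraph says what to uncheck but not why; since the page elsewhere notes that mail folders in AFS space are slow and have locking problems, one sentence to that effect here would let users judge whether the setting applies to them (e.g. on a laptop whose home directory is not in AFS).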
Line 209: Line 230:
Line 211: Line 233:
Line 216: Line 239:
Line 219: Line 243:
On Linux computers not maintained by DESY certificates have to be downloaded to the certs directory ([[#certificates|see above]]) and made available to openssl. This requires root access. Then a symlink to the certs directory has to be installed. This can be achieved by the commands: {{{ On Linux computers not maintained by DESY certificates have to be downloaded to the certs directory ([[#certificates|see above]]) and made available to openssl. This requires root access. Then a symlink to the certs directory has to be installed. This can be achieved by the commands:

{{{
Line 222: Line 248:
wget https://pki.pca.dfn.de/desy-ca/pub/cacert/g_intermediatecacert.crt
wget https://pki.pca.dfn.de/desy-ca/pub/cacert/g_cacert.crt
wget
wget
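Review bot: the two wget lines lose their arguments in the new version and are shown as bare `wget`; make sure the URLs https://pki.pca.dfn.de/desy-ca/pub/cacert/g_intermediatecacert.crt and https://pki.pca.dfn.de/desy-ca/pub/cacert/g_cacert.crt survive inside the code block, because the openssl and ln commands that follow depend on exactly those two files being present.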
Line 230: Line 256:
Line 232: Line 257:
Line 233: Line 259:
The instructions here do not belong to the IMAP server information, an SMTP server is responsible for sending mail. On DESY computers everything is already configured. On other computers within the DESY network the '''smtp.ifh.de''' server can be configured as outgoing mail server. If the computer is not in the DESY network, then smtp.ifh.de can only be used together with '''authenticated SMTP'''. 

If you followed the instructions concerning certificates the infrastructure to use that should already be in place. You have to configure your mail client to use smtp.ifh.de as the outgoing mail server, use your (UNIX) username (and password) for authentication and use an encrypted connection ('''TLS''', not SSL) on '''port 25'''. For thunderbird that is done on config screens, for pine/alpine the line {{{
smtp.ifh.de/user=your_account_name

}}}
enables authenticated smtp. 
The instructions here do not belong to the IMAP server information, an SMTP server is responsible for sending mail. On DESY computers everything is already configured. On other computers within the DESY network the '''smtp.ifh.de''' server can be configured as outgoing mail server. If the computer is not in the DESY network, then smtp.ifh.de can only be used together with '''authenticated SMTP'''.

If you followed the instructions concerning certificates the infrastructure to use that should already be in place. You have to configure your mail client to use smtp.ifh.de as the outgoing mail server, use your (UNIX) username (and password) for authentication and use an encrypted connection ('''TLS''', not SSL) on '''port 25'''. For thunderbird that is done on config screens, for pine/alpine the line

{{{
}}}
enables authenticated smtp.
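Review bot: the new `{{{ }}}` block is empty; the line `smtp.ifh.de/user=your_account_name` from the old version is missing, so "the line ... enables authenticated smtp" now refers to nothing. Put the line back inside the block.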

The IMAP Server imap.ifh.de

At the Zeuthen site mail for users is stored on the IMAP server imap.ifh.de. There are no other IMAP servers on site. IMAP is the protocol for accessing the mail stored on that server.

For sending and receiving mail another protocol, SMTP, is used. Consequently we have chosen the name smtp.ifh.de for the SMTP server, which is also known as outgoing mail server. The name mail.ifh.de is an alias for smtp.ifh.de.

The name mail.ifh.de should however not be used for the SMTP server, as the SSL certificate for the SMTP server is issued for smtp.ifh.de and not mail.ifh.de. This is important for delivering mail using TLS or SMTP Auth.

Information on that topic is contained in the talks on email given on Oct. 6 2009 and is still mostly valid; a German and an English version are available.

Main characteristics of the IMAP server

The IMAP server is based on a recent release of dovecot (2.1.10 as of November 13, 2012). It has been built with support for the sieve language (mail filtering for dovecot, version 0.3.3) and also implements the managesieve protocol to manipulate sieve scripts (see below). The following features are compiled in and configured accordingly:

  • Authentication using GSSAPI (Kerberos5) or username/password in combination with TLS/SSL
  • INBOXes are stored in the /var/spool/mail/<username> directories using the mdbox format
  • An additional hidden namespace #mbox is available to store mails in mbox format
  • Read-only gzipped mail folders in mbox format are possible (currently needs admin support to use)
  • Mail quota is activated
  • Mail folders on the server can only be accessed using IMAP; there is no AFS access.
  • Mail is delivered by default to the INBOXes using dovecot's deliver program
  • deliver uses sieve filters (RFC 5228) to influence the mail delivery. A default filter is active.

Using the imap.ifh.de IMAP server

The following sections describe the use of imap.ifh.de as the primary IMAP mail server. Users reading their mail elsewhere are not affected.

The mail stores

  • INBOX: By default mail is delivered to the INBOX on imap.ifh.de. The folder format used currently is 'mdbox', which guarantees fast access to mails and efficient storage of the mail contents. The INBOX is stored on a local file system on imap.ifh.de and is only accessible by IMAP clients.

  • Local folders: When mail is saved somewhere, all mail clients offer to store mail in local folders. That is typically a subdirectory of the home directory such as ~/mail or ~/Mail. The folder format is the traditional mbox format, which means one file per mail folder. The advantage is local access to the mails, but working with mbox folders is slow, and locking problems exist if the local folders are in AFS space.

  • Folders on the mail server: Besides the INBOX, users can keep other mail folders on the mail server. Depending on the purpose, the mail folders are classified into so-called namespaces, which are configured by the administrator of the server. There is always a default namespace and currently another (hidden) one named #mbox. Storing mail into folders of a particular namespace works as follows:

  • Default namespace: The client needs to tell the mail server only the folder name; mail is then stored in the default namespace in the folder with the given name. We have configured the default namespace to use the mdbox format as with the INBOX. Mails in folders on the server are accessible from all mail clients that support IMAP, i.e. basically worldwide access after successful authentication.

  • mbox namespace: If mails are stored in the #mbox namespace, the traditional mbox format is used. Access is faster than for local mbox folders as additional indexing information is stored. One advantage is that these folders can be gzipped and then take less space on the mail server. Another benefit is that concurrent access is possible without locking problems. Gzipped mbox folders are for obvious reasons read-only. To store mails into such folders the folder name has to be prefixed with #mbox/

Authentication

The recommended way of authenticating is using Kerberos5 by presenting a valid ticket from the IFH.DE or DESY.DE realm. If a computer outside DESY is used then a Kerberos 5 ticket should be obtained before starting your mail reader.

Under Linux/Unix this can be achieved with the command

kinit <username>@IFH.DE

On Windows systems the Network Identity Manager from MIT Kerberos for Windows has to be used (do not request Kerberos4 tickets). Some clients need additional configuration options before K5 authentication works (see below).

Access to the IMAP server is always encrypted. This means the TLS or SSL protocol must be used. This also means that on the client side (the computer from where you start the mail reader) the CA certificates have to be installed so that the client can verify the server's certificate. Please see the mail reader specific sections for details on how to do that.

Authentication using username and password is possible as well. Both authentication methods have successfully been tested with alpine, thunderbird and many more mail clients. In Outlook Kerberos5 authentication is not working yet.

Mail Filtering

The IMAP server does have an integrated filter called sieve that is engaged whenever new mail is delivered to the INBOX on imap.ifh.de. The filter language is described in http://www.ietf.org/rfc/rfc5228.txt.

Filters can be created or modified only from computers belonging to the DESY (Zeuthen) domain. An interface to manage mail filters is the manage.pl web interface. Filters get installed on imap.ifh.de in the location /var/spool/sieve/<username>.sieve and are not directly accessible to users.

Alternatively the squirrelmail web mail interface can be used to create filter rules. After login go to the "Filters" page. Also squirrelmail is only accessible within DESY.

When creating a sieve filter with one of the graphical interfaces meta data are generated to allow further manipulation of the filter rules. These meta data are not compatible between the two web interfaces. Therefore creating a rule with one interface and changing it with another one is not possible.

If there is no user defined filter then the global filter default.sieve is engaged:

require "fileinto";
if header :contains "X-Spam-Level" "*****" {
  fileinto "junk";
}

It filters all spam mails into the folder junk on the mail server, i.e. it is not a local folder. More sophisticated mail filters can be created by using the web interface. Using the basic mode (the default) guarantees that syntactically correct filters get created without knowing the sieve language syntax. Advanced users can write their own sieve script. If there is no syntax error a (compiled) .svbin file is generated, otherwise a .sieve.err file is written that contains the error message. As it resides on the mail server, only administrators get access to these files. Therefore usage of the advanced mode is not recommended.
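To make the effect of the default filter above tangible, here is an added example (not part of this wiki page and not dovecot's sieve implementation) that re-implements the decision of default.sieve in POSIX shell with awk. It shows two properties of the sieve header test that matter when writing own rules: only the header section of a message is examined, and :contains is a substring match, so any X-Spam-Level of five or more stars is filed into junk. The function name and the sample messages are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the DESY wiki page: a small re-implementation of
# the decision made by the page's default.sieve, so that the rule
#     if header :contains "X-Spam-Level" "*****" { fileinto "junk"; }
# can be tried on sample messages without a sieve interpreter.

# spam_target_folder  (reads one RFC 5322 message on stdin)
# Prints "junk" when the default filter would file the message there,
# otherwise "INBOX".
spam_target_folder() {
    awk '
        # the header section ends at the first empty line; the body is
        # never looked at, exactly as the sieve "header" test behaves
        /^$/ { exit }
        # header names are matched case-insensitively
        tolower($0) ~ /^x-spam-level:/ {
            value = substr($0, index($0, ":") + 1)
            # :contains is a substring match: five or more stars match
            if (index(value, "*****") > 0) { found = 1; exit }
        }
        END { print (found ? "junk" : "INBOX") }
    '
}

# Constructed sample messages (not real mail)
SAMPLE_SPAM='From: someone@example.org
X-Spam-Level: ******
Subject: test

body text'

SAMPLE_HAM='From: someone@example.org
X-Spam-Level: **
Subject: five stars in the body do not count

***** not a header'

printf '%s\n' "$SAMPLE_SPAM" | spam_target_folder   # junk
printf '%s\n' "$SAMPLE_HAM" | spam_target_folder    # INBOX
```

Because the sieve test is a plain substring match, a message tagged with six or more stars is caught as well, while stars that only appear in the body leave the message in the INBOX.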

Creation of own filter rules should be simple as the web interfaces are fairly intuitive. The complete removal of own filter scripts using the manage.pl web interface is somewhat tricky. It can be achieved by selecting "Advanced options", then writing "default" into the "Delete script name" field, selecting the "No" button beneath "Activate Script?" and then clicking on "Save changes".

See also mail filter.

Vacation/Absence message

This is most conveniently done using the squirrelmail web mail interface discussed above. After logging in and having clicked the Filters menu you can add new mail filter rules. It is important to define a first rule to filter away spam in order not to generate vacation messages for spam mails. This is done by having a Condition Message Header X-Spam-Level contains ***** AND an action Move to Folder junk. Save the rule by pressing the 'Add new Rule' button. Then create another rule with the condition 'Always' or, if you want to be more specific, e.g. with a condition Message Header 'From' or Message Body contains <some string> and an Action Vacation/Autoresponder. Please make sure to fill in all addresses for which you receive mail (separated by commas) in the action field.

After having saved this rule you can disable it until you really need it or in order to store it for later use. Please note that the order of rules is important and that the spam filter should always be the first rule.

Quota

Currently there is a global mail quota limit of 1000 MB configured. It exists for safety reasons only and can be increased for individual users on request. The mail quota setting and its current usage can be displayed using the command

  check_inbox -h imap.ifh.de

The displayed usage does not precisely reflect the summed up individual mail sizes on disk. If the mail quota for a user has been changed, the mail client has to be restarted, otherwise the changed quota does not become effective.

Delivery to the INBOX takes place even if the quota is exceeded (up to a total size of 2000 MB), but saving to folders is then not possible. When the quota limit is exceeded and the INBOX size is above 1 GB, mail delivery is temporarily suspended until the INBOX is cleaned up. If that does not happen within 5 days, mail is bounced back as undeliverable. When the user is over quota, moving mails around is no longer possible; only deleting is still possible.

Mail client specific information

Alpine

On Linux: Installing the certificates (requires root access)

This step is already done on DESY computers

<!> Notice!
The following procedure needs to be followed if you get warnings concerning certificates

Download chain.txt from the DFN Public Key Infrastructure server and copy the file to

  • /etc/ssl/certs (SuSE) or
  • /usr/lib/ssl/certs (Debian, Ubuntu) or
  • /etc/pki/tls/certs (RedHat, Fedora, Scientific Linux, CentOS)

Then change into the directory containing the certs directory, i.e. /etc/ssl, /usr/lib/ssl and /etc/pki/tls respectively. If there is already a file or a symlink with the name cert.pem then remove it or move it out of the way. You have to create a symlink cert.pem -> certs/chain.txt by executing

ln -s certs/chain.txt cert.pem

If the file cert.pem already exists and does not point to a file containing all the certificates required for verification of the mail server certificate, the certs directory is searched for the individual required certificates, which can be downloaded from

For each of the downloaded files the following commands have to be issued (make sure you are in the certs directory), otherwise the certificates will not be found:

openssl x509 -inform der -in downloaded_file.crt -out downloaded_file.pem
ln -s downloaded_file.pem `openssl x509 -noout -hash -in downloaded_file.pem`.0

Configuring alpine by editing .pinerc

(this has been done already on DESY Zeuthen computers running SL5/6)

add or modify the following lines in .pinerc:

inbox-path={imap.ifh.de/tls}inbox
# the folders on the server (maildir format) and the local folders (mbox format)
folder-collections=Folders on imap.ifh.de {imap.ifh.de}[], mail/[]

# immediate startup (for non DESY computers required)
rsh-open-timeout=0

# the next lines are optional...
# pressing <TAB> at the last mail in the INBOX checks and opens the next INBOX
feature-list=...,tab-checks-recent

Configuring alpine by using the configure screen of alpine

The configure screen can be accessed from the main menu by selecting the setup menu and then select the "(C) Config" screen.

  • Search the keyword "Inbox Path" and set the field to {imap.ifh.de/tls}inbox

  • Search the option "Tab Checks for Recent Messages" and activate it
  • Exit the setup screen by committing the changes, then reenter the setup screen, select "(L) collectionLists"
  • Add a new collection (a) and set Nickname to "Folders on imap.ifh.de", Server to "imap.ifh.de"
  • Exit the screen and commit the changes

To set rsh-open-timeout=0 you may have to

  • Search the option "Expose Hidden Config" and activate it, then leave the configure screen (commit changes)
  • Reenter the configuration screen, search "Rsh Open Timeout", change its value to 0, then leave the configure screen by committing this change.

Using alpine

To move or copy local folders or folders from another IMAP server to the imap.ifh.de server do the following

  • select all messages in the original folder by pressing ; a

  • copy all messages in the folder to a new destination a s {imap.ifh.de} <foldername>

  • remove the delete mark if you want to copy instead of moving the folder a u

  • unselect all messages ; a

Thunderbird

(please also have a look at the talk given in the Technical Seminar ("Vortrag im technischen Seminar") if you have a German version of thunderbird)

<!> Notice!
The following procedure needs to be followed to avoid certificate warnings

Download the following certificates to your home directory:

Start thunderbird and create a new mail account:

  • Select in the Edit menu "Account Settings" and add a new (email) account
  • Enter your Name and an arbitrary Email address ending with @ifh.de in the appropriate place. This guarantees that thunderbird will automatically configure the imap and smtp servers to be used properly.

When the server configuration has been automatically found, please then change the email address to your official address firstname.lastname@desy.de. If you entered the desy.de address in the first place then proceed as follows:

  • in the next screen select "IMAP " as server type and enter imap.ifh.de as the incoming server name,

  • enter smtp.ifh.de as the outgoing server name (SMTP)

  • enter your user name in the field "Incoming User Name"
  • the same name can be entered for the outgoing server (authenticated SMTP) or left blank
  • define an arbitrary account name and press the Finish button

Then in the newly created account change some settings:

  • in the "Server Settings" select TLS

  • If you want to authenticate using Kerberos (you can obtain a ticket using kinit (Linux) or the network identity manager (Windows)) the option Use secure authentication has to be selected

  • On windows clients open the Config Editor in "Edit" - "Preferences" - "Advanced" - "General" and set network.auth-use-sspi to "false".

  • Otherwise you have to deselect Use secure authentication

  • click on "Advanced..." and unselect "Show only subscribed folders"

To avoid security warnings about certificates that cannot be verified:

  • In the Edit Menu select "Preferences" and there go to "Advanced"
  • In the "Certificates" Menu select "View Certificates" then "Authorities" and click on "Import"
  • Select the three downloaded certificates in the order given above (open it) and check all checkboxes
  • Make sure that you do not enter a value for "IMAP server directory". That field is in Edit->Account Settings->Server Settings->Advanced. The value of that field on mail.ifh.de was usually set to "mail".

To have thunderbird look in all folders for new mail:

  • Open the Config Editor in "Edit" - "Preferences" - "Advanced" - "General"
  • search for the preference mail.check_all_imap_folders_for_new, and change its value to true

Please disable the offline storage of emails in the AFS home directory:

  • Go to "Edit" - "Account Settings" - "Synchronization & Storage" and uncheck "Keep messages for this account on this computer"

MacOSX Mail

The configuration is similar to what is described under Thunderbird above. Kerberos authentication may work depending on the software installed. Make sure that

  • certificates are being downloaded to avoid security warnings (visiting the links using a web browser should be sufficient)
  • IMAP is configured using TLS (SSL) and port 143, not 993
  • the field for the mail directory on the server remains empty (home directory on the server is used)

Certificates

On Windows and MacOSX it seems to be sufficient to download once the two certificates (see above) using a web browser and accept the certificates (select the check boxes that will appear when downloading).

On Linux computers not maintained by DESY certificates have to be downloaded to the certs directory (see above) and made available to openssl. This requires root access. Then a symlink to the certs directory has to be installed. This can be achieved by the commands:

su - root # become root
cd /etc/pki/tls/certs # for SuSE and Debian use /etc/ssl/certs
wget https://pki.pca.dfn.de/desy-ca/pub/cacert/g_intermediatecacert.crt
wget https://pki.pca.dfn.de/desy-ca/pub/cacert/g_cacert.crt
openssl x509 -inform der -in g_intermediatecacert.crt -out g_intermediatecacert.pem
ln -s g_intermediatecacert.pem `openssl x509 -noout -hash -in g_intermediatecacert.pem`.0
openssl x509 -inform der -in g_cacert.crt -out g_cacert.pem
ln -s g_cacert.pem `openssl x509 -noout -hash -in g_cacert.pem`.0
exit # become ordinary user
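The commands above, and the equivalent ones in the Alpine section, are wrapped here into two reusable POSIX shell functions as an added example that is not part of this wiki page: install_ca_cert converts a downloaded CA certificate from DER to PEM and creates the <hash>.N symlink that openssl's -CApath lookup needs, and verify_server_cert checks a server certificate against that directory including the host name. The function names, the hypothetical file names and the self-signed test CA used in the check are assumptions of this example; the host name check is also the reason why the page insists on smtp.ifh.de rather than mail.ifh.de, since a certificate issued for smtp.ifh.de does not verify for mail.ifh.de.

```shell
#!/bin/sh
# Added example, not part of the DESY wiki page: the certificate installation
# commands of the page as two reusable POSIX shell functions.
# Assumed usage (file and directory names are examples):
#   install_ca_cert g_cacert.crt /etc/pki/tls/certs
#   verify_server_cert server.pem /etc/pki/tls/certs smtp.ifh.de && echo ok

# install_ca_cert <certificate (DER or PEM)> <certs directory>
# Converts the certificate to PEM (the page's "openssl x509 -inform der" step),
# then creates the <subject hash>.N symlink that openssl's -CApath lookup uses.
# Prints the path of the symlink.
install_ca_cert() {
    src=$1
    dir=$2
    base=$(basename "$src")
    base=${base%.*}
    pem=$dir/$base.pem
    # Accept either encoding: try PEM first, fall back to DER (the page's case).
    if ! openssl x509 -inform pem -in "$src" -out "$pem" 2>/dev/null &&
       ! openssl x509 -inform der -in "$src" -out "$pem" 2>/dev/null; then
        rm -f "$pem"
        echo "cannot read certificate: $src" >&2
        return 1
    fi
    hash=$(openssl x509 -noout -hash -in "$pem")
    # Different CAs can share a hash; openssl then expects <hash>.0, <hash>.1, ...
    # so pick the first free suffix instead of overwriting an unrelated link.
    n=0
    while [ -e "$dir/$hash.$n" ] && ! cmp -s "$dir/$hash.$n" "$pem"; do
        n=$((n + 1))
    done
    ln -sf "$base.pem" "$dir/$hash.$n"
    echo "$dir/$hash.$n"
}

# verify_server_cert <server certificate PEM> <certs directory> <host name>
# Succeeds only if a chain builds from the CA directory AND the certificate is
# issued for the given host name, which is what a mail client checks when it
# connects with TLS. A certificate for smtp.ifh.de therefore fails for
# mail.ifh.de even though both names point to the same machine.
verify_server_cert() {
    openssl verify -CApath "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}
```

Running install_ca_cert a second time for the same certificate reuses the existing symlink, so the function is safe to repeat after a certificate has been re-downloaded.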

Sending mail

The instructions here do not belong to the IMAP server information, an SMTP server is responsible for sending mail. On DESY computers everything is already configured. On other computers within the DESY network the smtp.ifh.de server can be configured as outgoing mail server. If the computer is not in the DESY network, then smtp.ifh.de can only be used together with authenticated SMTP.

If you followed the instructions concerning certificates, the infrastructure to use that should already be in place. You have to configure your mail client to use smtp.ifh.de as the outgoing mail server, use your (UNIX) username (and password) for authentication and use an encrypted connection (TLS, not SSL) on port 25. For thunderbird that is done on config screens; for pine/alpine the line

smtp.ifh.de/user=your_account_name

enables authenticated smtp.

Some ISPs block outgoing traffic on port 25, and sending mail using that port will then fail. Therefore on smtp.ifh.de port 587 is open as well for mail submission (service "submission"). Older clients require the use of port 465 when using TLS with SMTP; this port can also be used on smtp.ifh.de.

IMAPServer (last edited 2017-08-18 14:26:58 by GötzWaschk)