Contents
The IMAP Server imap.ifh.de
At the Zeuthen site mail for users is stored on the IMAP server imap.ifh.de. There are no other IMAP servers on site. IMAP is the protocol for accessing the mail stored on that server.
For sending and receiving mail another protocol, SMTP, is used. Consequently we have chosen the name smtp.ifh.de for the SMTP server, which is also known as outgoing mail server. Until February 2010 the SMTP server was on a different machine mail.ifh.de, which is now an alias for smtp.ifh.de.
The name mail.ifh.de should however not be used for the SMTP server, as the SSL certificate for the SMTP server is issued for smtp.ifh.de and not mail.ifh.de. This is important for delivering mail using TLS or SMTP Auth.
Information on that topic is contained in the talks on email given on Oct. 6 2009: deutsche and english version
Quick links
Installing certificates for alpine/pine/mulberry on Linux computers
Configuring Thunderbird (similar procedures for other graphical mail clients)
Mail filtering using the manage.pl or squirrelmail web interfaces
Further information concerning Email in Zeuthen (some info is outdated)
Main characteristics of the IMAP server
The IMAP server is based on a recent release of dovecot (1.2.10 as of January 26, 2010). It has been built with support for the sieve language (new implementation of the language for dovecot, version 0.1.15) and also implements the managesieve protocol as a dovecot addon (version 0.11.11). The following features are compiled in and are configured respectively:
- Authentication using GSSAPI (Kerberos5) or Username/Password in combination with TLS/SSL
INBOXes are stored in the /var/spool/mail/<username> directories using the Maildir format
- An additional hidden namespace #mbox is available to store mails in mbox format
- readonly gzipped mail folders in mbox format are possible (needs currently admin support to use it)
- Maildir Quota is activated
Mail folders on the server can only be accessed using IMAP, there is no AFS access possible.
- Mail is received only from within the ifh.de domain using postfix
- Mail is delivered by default to the INBOXes using dovecot's deliver program
- deliver is using sieve filters (RFC 5228) to influence the mail transfer. A default filter is active.
- The managesieve protocol has been integrated into dovecot to remotely create modify and delete sieve scripts
Using the imap.ifh.de IMAP server
The following sections describe the use of imap.ifh.de as the primary IMAP mail server. Users reading their mail elsewhere are not affected.
The mail stores
INBOX By default mail is delivered to the INBOX on imap.ifh.de. The folder format used currently is 'Maildir' which stores individual mails into separate files. That guarantees a much faster delivery and access of mails and does not have the locking problem in conjunction with using AFS. The INBOX is stored on a local file system on imap.ifh.de and is only accessible by IMAP clients.
Local folders When mail is saved somewhere, all mail clients offer to store mail into local folders. That is typically a subdirectory of the home directory such as ~/mail or ~/Mail. The folder format is the traditional mbox format, which means one file per mail folder. The advantage is local access to the mails, but working with mbox folders is slow and the locking problem exists, if the local folders are in AFS space.
Folders on the mail server Besides the INBOX users can keep other mail folders on the mail server. Depending on the purpose the mail folders get classified into so called namespaces which are configured by the administrator of the server. There is always a default namespace and currently another (hidden) one named #mbox. How to store mails into folders of the appropriate name space works as follows:
Default Namespace The client needs to tell to the mail server only the folder name, then mail is stored in the default name space in the folder with the given name. We have configured the default namespace to use the Maildir format as with INBOX. By using folders on the server mails in there are accessible from all mail clients that support IMAP, i.e. basically world wide access after successful authentication.
mbox Namespace If mails are stored into the #mbox namespace the traditional mbox format is used. Access is faster than for local mbox folders as additional indexing information is stored. One advantage is that these folders can be gzipped and then take less space on the mail server. Another benefit is that concurrent access is possible again without locking problems. Gzipped mbox folders are for obvious reasons read only. To store mails into such folders the folder name has to be prefixed with #mbox/
Authentication
The recommended way of authenticating is using Kerberos5 by presenting a valid ticket from the IFH.DE or DESY.DE realm. If a computer outside DESY is used then a Kerberos 5 ticket should be obtained before starting your mail reader.
Under Linux/Unix this can be achieved with the command
kinit <username>@IFH.DE
On Windows systems the Network identity manager from MIT Kerberos for Windows has to be used (do not request Keberos4 tickets). Some Clients do need additional configuration options before K5 Auth is working (see below).
Access to the imap server is always encrypted. This means the TLS or SSL protocol must be used. This also means on the client side (the computer from where you start the mail reader) certificates have to be installed to be able to decrypt the server responses. Please see the mail reader specific sections for details how to do that.
Authentication using username and password is possible as well. Both authentication methods have successfully been tested with alpine, thunderbird and many more mail clients. In Outlook Kerberos5 authentication is not working yet.
Mail Filtering
The IMAP server does have an integrated filter called sieve that is engaged whenever new mail is delivered to the INBOX on imap.ifh.de. The filter language is described in http://www.ietf.org/rfc/rfc5228.txt.
Filters can be created or modified only from computers belonging to the DESY (Zeuthen) domain. An interface to manage mail filters is the manage.pl web interface. Filters get installed on imap.ifh.de in the location /var/spool/sieve/<username>.sieve and are not directly accessible to users.
Alternatively the squirrelmail web mail interface can be used to create filter rules. After login go to the "Filters" page. Also squirrelmail is only accessible within DESY.
When creating a sieve filter with one of the graphical interfaces meta data are generated to allow further manipulation of the filter rules. These meta data are not compatible between the two web interfaces. Therefore creating a rule with one interface and changing it with another one is not possible.
If there is no user defined filter then the global filter default.sieve is engaged:
require "fileinto";
if header :contains "X-Spam-Level" "*****" {
fileinto "junk";
}It filters all spam mails into the folder junk on the mail server, i.e.it is not a local folder. More sophisticated mail filters can be created by using the web interface. Using the basic mode (the default) guarantees that syntactically correct filters get created without knowing the sieve language syntax. Advanced users can write their own sieve script. If there is no syntax error a (compiled) .svbin file is generated, otherwise a .sieve.err file is written that contains the error message. As it resides on the mail server, only administrators get access to these files. Therefore usage of the advanced mode is not recommended.
Creation of own filter rules should be simple as the web interfaces are fairly intuitive. The complete removal of own filter scripts using the manage.pl web interface is somewhat tricky. It can be achieved selecting "Advanced options", then writing "default" into the "Delete script name" field, selecting the "No" button beneath "Activate Script?" and then click on "Save changes"
A separate page discussing the mail filter is under construction.
Quota
Currently there is a global mail quota limit of 1000 MB configured. That holds true for each user as long as the attribute mailquota (size in Megabytes) in the vamos account information is not set. The mail quota setting and its current usage can be displayed using the command
check_inbox -h imap.ifh.de
The displayed usage does not precisely reflect the summed up individual mail sizes on disk. If the mail quota for a user has been changed, the mail client has to be restarted, otherwise the changed quota does not become effective.
Delivery to the INBOX takes place even if quota is exceeded (up to a total size of 2000 MB) but saving to folders would then not be possible. When the quota limit is exceeded and the INBOX size is above 1GB then mail delivery is temporarily suspended until the INBOX is cleaned up. If that does not take place for 5 days, mail is bounced back as undeliverable. When the user is over quota, moving mails around is no longer possible, only deleting is still possible.
Mail client specific information
Alpine and Pine
On Linux: Installing the certificates (requires root access)
This step is already done on DESY computers
|
Notice!Download chain.txt from the DFN Public Key Infrasrtucture server and copy the file to
- /etc/ssl/certs (SuSE) or
- /usr/lib/ssl/certs (Debian, Ubuntu) or
/etc/pki/tls/certs (RedHat, Fedora, Scientific Linux, CentOS)
Then change into the directory containing the certs directory, i.e. /etc/ssl, /usr/lib/ssl and /etc/pki/tls respectively. If there is already a file or a symlink with the name cert.pem then remove it or move it out of the way. You have to create a symlink cert.pem-> certs/chain.txt by executing
ln -s certs/chain.txt cert.pem
If the file cert.pem is already existing and does not point to a file containing all the certificates required for verification of the mail server certificate the certs directory is searched for the individual required certificates which can be downloaded from
DFN root certificate (this is no longer required, WF 7/2010)
For each of the downloaded files the following commands have to be issued (make sure you are in the certs directory), otherwise the certificates will not be found:
openssl x509 -inform der -in downloaded_file.crt -out downloaded_file.pem ln -s downloaded_file.pem `openssl x509 -noout -hash -in downloaded_file.pem`.0
Configuring alpine by editing .pinerc
(this has been done already on DESY Zeuthen computers running SL5)
add or modify the following lines in .pinerc:
inbox-path={imap.ifh.de/tls}inbox
# the folders on the server (maildir format) and the local folders (mbox format)
folder-collections=Folders on imap.ifh.de {imap.ifh.de}[], mail/[]
# immediate startup (for non DESY computers required)
rsh-open-timeout=0
# the next lines are optional...
# pressing <TAB> at the last mail in the INBOX checks and opens the next INBOX
feature-list=...,tab-checks-recent
Configuring alpine by using the configure screen of alpine
The configure screen can be accessed from the main menu by selecting the setup menu and then select the "(C) Config" screen.
- Search the keyword "Inbox Path" and set the field to {imap.ifh.de/tls}inbox
- Search the option "Tab Checks for Recent Messages" and activate it
- Exit the setup screen by committing the changes, then reenter the setup screen, select "(L) collectionLists"
- Add a new collection (a) and set Nickname to "Folders on imap.ifh.de", Server to "imap.ifh.de"
- Exit the screen and commit the changes
To set rsh-open-timeout=0 you may have to
- Search the option "Expose Hidden Config" and activate it, then leave the configure screen (commit changes)
- Reenter the configuration screen, search "Rsh Open Timeout", change its value to 0, then leave the configure screen by committing this change.
Using alpine
To move or copy local folders or folders from another IMAP server to the imap.ifh.de server do the following
select all messages in the original folder by pressing ; a
copy all messages in the folder to a new destination a s {imap.ifh.de} <foldername>
remove the delete mark if you want to copy instead of moving the folder a u
unselect all messages ; a
Thunderbird
(please do also have a look into the Vortrag im technischen Seminar if you have a german version of thunderbird)
|
Download the following certificates to your home directory:
DFN root certificate (no longer required, WF 7/2010)
Start thunderbird and create a new mail account:
- Select in the Edit menu "Account Settings" and add a new (email) account
- Enter your Name and Email address in the appropriate place
in the next screen select "IMAP " as server type and enter imap.ifh.de as the incoming server name,
enter smtp.ifh.de as the outgoing server name (SMTP)
- enter your user name in the field "Incoming User Name"
- the same name can be entered for the outgoing server (authenticated SMTP) or left blank
- define an arbitrary account name and press the Finish button
Then in the newly created account change some settings:
in the "Server Settings" select TLS
If you want to authenticate using Kerberos (you can obtain a ticket using kinit (Linux) or the network identity manager (Windows)) the option Use secure authentication has to be selected
- On windows clients open the Config Editor in "Edit" - "Preferences" - "Advanced" - "General" and set network.auth-use-sspi to "false".
Otherwise you have to deselect Use secure authentication
- click on "Advanced..." and unselect "Show only subscribed folders"
To avoid security warnings about certificates that cannot be verified:
- In the Edit Menu select "Preferences" and there go to "Advanced"
- In the "Certificates" Menu select "View Certificates" then "Authorities" and click on "Import"
- Select the three downloaded certificates in the order given above (open it) and check all checkboxes
Make sure that you do not enter a value for "IMAP server directory". That field is in Edit->Account Settings->Server Settings->Advanced. The value of that field on mail.ifh.de was usually set to "mail".
To have thunderbird look in all folders for new mail:
- Open the Config Editor in "Edit" - "Preferences" - "Advanced" - "General"
search for the preference mail.check_all_imap_folders_for_new, and change its value to true
MacOSX Mail
The configuration is similar to what is described under Thunderbird above. Kerberos authentication may work depending on the software installed. Make sure that
- certificates are being downloaded to avoid security warnings (visiting the links using a web browser should be sufficient)
- IMAP is configured using SSL and port 143, not 993
- the field for the mail directory on the server remains empty (home directory on the server is used)
Mulberry
Mulberry can be downloaded from http://www.mulberrymail.com/
On Windows and MacOSX it seems to be sufficient to download once the three certificates (see above) using a web browser and accept the certificates (select the check boxes that will appear when downloading).
On Linux computers not maintained by DESY certificates have to be downloaded to the certs directory (see above) and made available to openssl. This requires root access. Then a symlink to the certs directory has to be installed. This can be achieved by the commands:
su - root # become root cd /etc/pki/tls/certs # for SuSE and Debian use /etc/ssl/certs wget https://pki.pca.dfn.de/desy-ca/pub/cacert/g_rootcert.crt wget https://pki.pca.dfn.de/desy-ca/pub/cacert/g_intermediatecacert.crt wget https://pki.pca.dfn.de/desy-ca/pub/cacert/g_cacert.crt openssl x509 -inform der -in g_rootcert.crt -out g_rootcert.pem ln -s g_rootcert.pem `openssl x509 -noout -hash -in g_rootcert.pem`.0 openssl x509 -inform der -in g_intermediatecacert.crt -out g_intermediatecacert.pem ln -s g_intermediatecacert.pem `openssl x509 -noout -hash -in g_intermediatecacert.pem`.0 openssl x509 -inform der -in g_cacert.crt -out g_cacert.pem ln -s g_cacert.pem `openssl x509 -noout -hash -in g_cacert.pem`.0 exit # become ordinary user mv ~/.mulberry/Authorities ~/.mulberry/Authorities.orig ln -s /etc/pki/tls/certs ~/.mulberry/Authorities
The remaining configuration is again similar to what was said for Thunderbird.
- IMAP needs plain text and secure authentication using TLSv1 on imap.ifh.de
- SMTP needs plain text and secure authentication using TLSv1 on smtp.ifh.de
These settings can be reached with the radio box labeled "advanced"
It is strongly recommended to deselect the checkbox "Use tabbed display" in the menu "Window" -> "Options..." -> Email. Otherwise each visited folder stays open until the program is finished or the folder is explicitely closed. Trying to open more than 5 folders is currently not allowed (blocked by the mail server).
Sending mail
The instructions here do not belong to the IMAP server information, an SMTP server is responsible for sending mail. On DESY computers everything is already configured. On other computers within the DESY network the smtp.ifh.de server can be configured as outgoing mail server. If the computer is not in the DESY network, then smtp.ifh.de can only be used together with authenticated SMTP.
If you followed the instructions concerning certificates the infrastructure to use that should already be in place. You have to configure your mail client to use smtp.ifh.de as the outgoing mail server, use your (UNIX) username (and password) for authentication and use an encrypted connection (TLS, not SSL) on port 25. For thunderbird that is done on config screens, for pine/alpine the line
smtp.ifh.de/user=your_account_name
enables authenticated smtp.
Some ISPs do block outgouig traffic on port 25 and sending mail using that port will fail. Therefore on smtp.ifh.de port 587 is open as well for mail submission (service "submission"). Older clients require the use of port 465 when using TLS with SMTP, this port can also be used on smtp.ifh.de.