|
Size: 12424
Comment:
|
Size: 9781
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 40: | Line 40: |
| is not required but it can be used. It has to be used if mail from a remote host (e.g. from a notebook on a conference) needs to be sent via our mail server to a recipient outside DESY. This is called relaying and normally not allowed. Make sure to use the host name '''smtp.ifh.de''' and have the required [[#certificates|certificates]] installed. | is not required but it can be used. It has to be used if mail from a remote host (e.g. from a notebook on a conference) needs to be sent via our mail server to a recipient outside DESY. This is called relaying and normally not allowed. Make sure to use the host name '''smtp.ifh.de''' and have the required [[#certificates|Telekom CA certificate]] installed. For recent operating systems that should have been done already. |
| Line 47: | Line 47: |
If you followed the instructions concerning certificates the infrastructure to use that should already be in place. You have to configure your mail client to use smtp.ifh.de as the outgoing mail server, use your (UNIX) username (and password) for authentication and use an encrypted connection ('''TLS''', not SSL) on '''port 25'''. For thunderbird that is done on config screens, for pine/alpine the line |
You have to configure your mail client to use smtp.ifh.de as the outgoing mail server, use your (UNIX) username (and password) for authentication and use an encrypted connection ('''TLS''', not SSL) on '''port 25'''. For thunderbird that is done on config screens, for pine/alpine the line |
| Line 77: | Line 76: |
| ===== On Linux: Installing the certificates (requires root access) ===== This step is '''already done on DESY computers''' ||<#CCFFFF> <!> '''Notice!'''<<BR>>The following procedure needs to be followed if you get warnings concerning certificates || |
===== On Linux: (only if a self signed certificate has been reported) ===== This step is '''usually not required''' ||<#CCFFFF> <!> '''Notice!'''<<BR>>The following procedure needs to be followed only if you get warnings concerning certificates || |
| Line 81: | Line 80: |
Download [[https://pki.pca.dfn.de/desy-ca/pub/cacert/chain.txt|chain.txt]] from the DFN Public Key Infrasrtucture server and copy the file to |
Download [[http://www.telesec.de/downloads/DT-Root-CA-2.cer|the Telekom root CA]] and copy the file to |
| Line 90: | Line 86: |
| Then change into the directory containing the certs directory, i.e. /etc/ssl, /usr/lib/ssl and /etc/pki/tls respectively. If there is already a file or a symlink with the name cert.pem then remove it or move it out of the way. You have to create a symlink cert.pem-> certs/chain.txt by executing | For the downloaded file the following command has to be issued (make sure you are in the certs directory), otherwise the certificate will not be found: |
| Line 93: | Line 89: |
| ln -s certs/chain.txt cert.pem }}} If the file cert.pem is already existing and does not point to a file containing all the certificates required for verification of the mail server certificate the certs directory is searched for the individual required certificates which can be downloaded from * [[https://pki.pca.dfn.de/desy-ca/pub/cacert/g_intermediatecacert.crt|DFN PCA certificate]] * [[https://pki.pca.dfn.de/desy-ca/pub/cacert/g_cacert.crt|DESY CA certificate]] For each of the downloaded files the following commands have to be issued (make sure you are in the certs directory), otherwise the certificates will not be found: {{{ openssl x509 -inform der -in downloaded_file.crt -out downloaded_file.pem ln -s downloaded_file.pem `openssl x509 -noout -hash -in downloaded_file.pem`.0 |
ln -s downloaded_file `openssl x509 -noout -hash -in downloaded_file`.0 |
| Line 150: | Line 135: |
| ||<#CCFFFF> <!> '''Notice!'''<<BR>>The following procedure needs to be followed to avoid certificate warnings || Download the following certificates to your home directory: * [[https://pki.pca.dfn.de/desy-ca/pub/cacert/g_intermediatecacert.crt|DFN PCA certificate]] * [[https://pki.pca.dfn.de/desy-ca/pub/cacert/g_cacert.crt|DESY CA certificate]] |
||<#CCFFFF> <!> '''Notice!'''<<BR>>In case of certificate warnings please consult the section on certificates above (under topic alpine)|| |
| Line 178: | Line 155: |
To '''avoid security warnings''' about certificates that cannot be verified: * In the Edit Menu select "Preferences" and there go to "Advanced" * In the "Certificates" Menu select "View Certificates" then "Authorities" and click on "Import" * Select the three downloaded certificates in the order given above (open it) and check all checkboxes |
* Do not select password encryption, we are encrypting the connection to the server, which also ensures that the password information is transferred safely. |
| Line 201: | Line 173: |
| * certificates are being downloaded to avoid security warnings (visiting the links using a web browser should be sufficient) | |
| Line 204: | Line 175: |
<<Anchor(cert)>> ==== Certificates ==== On Windows and MacOSX it seems to be sufficient to download once the two certificates ([[#certificates|see above]]) using a web browser and accept the certificates (select the check boxes that will appear when downloading). On Linux computers not maintained by DESY certificates have to be downloaded to the certs directory ([[#certificates|see above]]) and made available to openssl. This requires root access. Then a symlink to the certs directory has to be installed. This can be achieved by the commands: {{{ su - root # become root cd /etc/pki/tls/certs # for SuSE and Debian use /etc/ssl/certs wget https://pki.pca.dfn.de/desy-ca/pub/cacert/g_intermediatecacert.crt wget https://pki.pca.dfn.de/desy-ca/pub/cacert/g_cacert.crt openssl x509 -inform der -in g_intermediatecacert.crt -out g_intermediatecacert.pem ln -s g_intermediatecacert.pem `openssl x509 -noout -hash -in g_intermediatecacert.pem`.0 openssl x509 -inform der -in g_cacert.crt -out g_cacert.pem ln -s g_cacert.pem `openssl x509 -noout -hash -in g_cacert.pem`.0 exit # become ordinary user }}} |
Contents
Configuration of Mail Readers for the DESY Mail Servers in Zeuthen
General Remarks
The centrally installed mail clients on Linux/UNIX and Windows are usually preconfigured to use the correct settings. As users can override these settings and recommended settings may change it is a good advice to check whether your personal mail settings are in agreement with the values given below
Your Mail Address
In all mails the preferred email address Firstname.Lastname@desy.de should be used.
Please note that the default on some unmaintained systems is accountname@hostname.ifh.de which does not work. Mail clients allow you to override that default From: address to use the form given above.
Incoming Mail
Incoming mail is accessed using the
IMAP protocol on the server (see also a detailed description)
imap.ifh.de on port 143 (or in conjunction with SSL port 993)
Authentication can be done using
GSSAPI (Kerberos5) or by
Plain authentication giving the (AFS) username and password
Outgoing Mail
All outgoing mail is sent to a mail server using the SMTP protocol. The
smtp.ifh.de (mail.ifh.de, mailz2.desy.de) mail server can be used from within the DESY network without further authentication. Sending mail over this server from outside DESY is only possible using authenticated SMTP.
For DESY internal traffic there is a second SMTP server mail1.ifh.de (mailz.desy.de).
SMTP Authentication
is not required but it can be used. It has to be used if mail from a remote host (e.g. from a notebook on a conference) needs to be sent via our mail server to a recipient outside DESY. This is called relaying and normally not allowed. Make sure to use the host name smtp.ifh.de and have the required Telekom CA certificate installed. For recent operating systems that should have been done already. The authentication can be done using
GSSAPI (Kerberos5) or by
Plain authentication giving the (AFS) username and password
You have to configure your mail client to use smtp.ifh.de as the outgoing mail server, use your (UNIX) username (and password) for authentication and use an encrypted connection (TLS, not SSL) on port 25. For thunderbird that is done on config screens, for pine/alpine the line
smtp-server=smtp.ifh.de/user=<accountname>
enables authenticated smtp.
If password authentication is chosen,
TLS (on port 25) and not SSL must be used. That uses SSL encryption.
Several sites do block outgouig traffic on port 25 and sending mail using that port will fail. In this case sending mail using DESY Zeuthen mail servers would not be possible even when using authenticated SMTP. Therefore on smtp.ifh.de port 587 is open as well for mail submission (service "submission"). Older clients require the use of port 465 when using TLS with SMTP, this port can also be used on smtp.ifh.de.
Address Books
The centrally managed address books are using the LDAP protocol. To use it the name of a server and at least the search base have to be given. The following address books are useful (access is limited to DESY and to some High Energy Physics Institutes):
server name |
search base |
remarks |
ldap.desy.de |
o=DESY,c=de |
the official address book |
ldap.ifh.de |
o=DESY,c=de |
mirror of ldap.desy.de |
ldap.cern.ch |
o=CERN,c=ch |
the CERN address book |
For backward compatibility the search base o=DESY Zeuthen on ldap.ifh.de is also a mirror of the official address book on ldap.desy.de.
Mail client specific information
Alpine
On Linux: (only if a self signed certificate has been reported)
This step is usually not required
|
Download the Telekom root CA and copy the file to
- /etc/ssl/certs (SuSE) or
- /usr/lib/ssl/certs (Debian, Ubuntu) or
/etc/pki/tls/certs (RedHat, Fedora, Scientific Linux, CentOS)
For the downloaded file the following command has to be issued (make sure you are in the certs directory), otherwise the certificate will not be found:
ln -s downloaded_file `openssl x509 -noout -hash -in downloaded_file`.0
Configuring alpine by editing .pinerc
(this has been done already on DESY Zeuthen computers running SL5/6)
add or modify the following lines in .pinerc:
inbox-path={
}inbox
# the folders on the server (mdbox format) and the local folders (mbox format)
folder-collections=Folders on imap.ifh.de {imap.ifh.de}[], mail/[]
# immediate startup (for non DESY computers required)
rsh-open-timeout=0
# the next lines are optional...
# pressing <TAB> at the last mail in the INBOX checks and opens the next INBOX
feature-list=...,tab-checks-recent
Configuring alpine by using the configure screen of alpine
The configure screen can be accessed from the main menu by selecting the setup menu and then select the "(C) Config" screen.
Search the keyword "Inbox Path" and set the field to {imap.ifh.de/tls}inbox
- Search the option "Tab Checks for Recent Messages" and activate it
- Exit the setup screen by committing the changes, then reenter the setup screen, select "(L) collectionLists"
- Add a new collection (a) and set Nickname to "Folders on imap.ifh.de", Server to "imap.ifh.de"
- Exit the screen and commit the changes
To set rsh-open-timeout=0 you may have to
- Search the option "Expose Hidden Config" and activate it, then leave the configure screen (commit changes)
- Reenter the configuration screen, search "Rsh Open Timeout", change its value to 0, then leave the configure screen by committing this change.
Using alpine
To move or copy local folders or folders from another IMAP server to the imap.ifh.de server do the following
select all messages in the original folder by pressing ; a
copy all messages in the folder to a new destination a s {imap.ifh.de} <foldername>
remove the delete mark if you want to copy instead of moving the folder a u
unselect all messages ; a
Thunderbird
(please do also have a look into the Vortrag im technischen Seminar if you have a german version of thunderbird)
|
Start thunderbird and create a new mail account:
- Select in the Edit menu "Account Settings" and add a new (email) account
Enter your Name and an arbitrary Email address ending with @ifh.de in the appropriate place. This guarantees that thunderbird will automatically configure the imap and smtp servers to be used properly.
When the server configuration has been automatically found, please change the email address to your officiall address firstname.lastname@desy.de . If you entered the desy.de address in the first place then proceed as follows:
in the next screen select "IMAP " as server type and enter imap.ifh.de as the incoming server name,
enter smtp.ifh.de as the outgoing server name (SMTP)
enter your Linux/Windows account name in the field "Incoming User Name"
- the same name can be entered for the outgoing server (authenticated SMTP) or left blank
- Enter a name for the thunderbird account and press the Finish button
Then in the newly created account change some settings:
in the "Server Settings" menu select STARTTLS (or TLS/SSL)
If you want to authenticate using Kerberos the option Kerberos/GSSAPI has to be selected. In addition on Windows open the Config Editor in "Edit" - "Preferences" - "Advanced" - "General" and set network.auth-use-sspi to "false".
- click on "Advanced..." and unselect "Show only subscribed folders"
- Do not select password encryption, we are encrypting the connection to the server, which also ensures that the password information is transferred safely.
Make sure that you do not enter a value for "IMAP server directory". That field is in Edit->Account Settings->Server Settings->Advanced. The value of that field on mail.ifh.de was usually set to "mail".
To have thunderbird look in all folders for new mail:
- Open the Config Editor in "Edit" - "Preferences" - "Advanced" - "General"
search for the preference mail.check_all_imap_folders_for_new, and change its value to true
Please disable the offline storage of emails in the AFS home directory:
Go to "Edit" - "Account Settings" - "Synchronization & Storage" and uncheck "Keep messages for this account on this computer"
MacOSX Mail
The configuration is similar to what is described under Thunderbird above. Kerberos authentication may work depending on the software installed. Make sure that
- IMAP is configured using TLS (SSL) and port 143, not 993
- the field for the mail directory on the server remains empty (home directory on the server is used)