Differences between revisions 7 and 8
Revision 7 as of 2012-05-02 14:09:46
Size: 3520
Comment:
Revision 8 as of 2013-01-17 13:53:38
Size: 11952
Comment:
Line 13: Line 13:
=== Incoming Mail === ==== Incoming Mail ====
Line 27: Line 27:
=== Outgoing Mail === ==== Outgoing Mail ====
Line 51: Line 51:
=== Address Books === ==== Address Books ====
Line 61: Line 61:
=== Your Mail Address === ==== Your Mail Address ====
Line 67: Line 67:

=== Mail client specific information ===
<<Anchor(alpine)>>

==== Alpine ====
<<Anchor(certificates)>>

===== On Linux: Installing the certificates (requires root access) =====
This step is '''already done on DESY computers'''
||<#CCFFFF> <!> '''Notice!'''<<BR>>The following procedure needs to be followed if you get warnings concerning certificates ||




Download [[https://pki.pca.dfn.de/desy-ca/pub/cacert/chain.txt|chain.txt]] from the DFN Public Key Infrasrtucture server and copy the file to

 * /etc/ssl/certs (SuSE) or
 * /usr/lib/ssl/certs (Debian, Ubuntu) or
 * /etc/pki/tls/certs (RedHat, Fedora, Scientific Linux, CentOS)

Then change into the directory containing the certs directory, i.e. /etc/ssl, /usr/lib/ssl and /etc/pki/tls respectively. If there is already a file or a symlink with the name cert.pem then remove it or move it out of the way. You have to create a symlink cert.pem-> certs/chain.txt by executing

{{{
ln -s certs/chain.txt cert.pem
}}}
If the file cert.pem is already existing and does not point to a file containing all the certificates required for verification of the mail server certificate the certs directory is searched for the individual required certificates which can be downloaded from

 * [[https://pki.pca.dfn.de/desy-ca/pub/cacert/g_intermediatecacert.crt|DFN PCA certificate]]
 * [[https://pki.pca.dfn.de/desy-ca/pub/cacert/g_cacert.crt|DESY CA certificate]]

For each of the downloaded files the following commands have to be issued (make sure you are in the certs directory), otherwise the certificates will not be found:

{{{
openssl x509 -inform der -in downloaded_file.crt -out downloaded_file.pem
ln -s downloaded_file.pem `openssl x509 -noout -hash -in downloaded_file.pem`.0
}}}
===== Configuring alpine by editing .pinerc =====
(this has been done already on DESY Zeuthen computers running SL5/6)

add or modify the following lines in .pinerc:

{{{
inbox-path={
}inbox
# the folders on the server (mdbox format) and the local folders (mbox format)
folder-collections=Folders on imap.ifh.de {imap.ifh.de}[], mail/[]

# immediate startup (for non DESY computers required)
rsh-open-timeout=0

# the next lines are optional...
# pressing <TAB> at the last mail in the INBOX checks and opens the next INBOX
feature-list=...,tab-checks-recent
}}}
===== Configuring alpine by using the configure screen of alpine =====
The configure screen can be accessed from the main menu by selecting the setup menu and then select the "(C) Config" screen.

 * Search the keyword "Inbox Path" and set the field to {[[http://imap.ifh.de/tls|imap.ifh.de/tls]]}inbox
 * Search the option "Tab Checks for Recent Messages" and activate it
 * Exit the setup screen by committing the changes, then reenter the setup screen, select "(L) collectionLists"
 * Add a new collection (a) and set Nickname to "Folders on imap.ifh.de", Server to "imap.ifh.de"
 * Exit the screen and commit the changes

To set rsh-open-timeout=0 you may have to

 * Search the option "Expose Hidden Config" and activate it, then leave the configure screen (commit changes)
 * Reenter the configuration screen, search "Rsh Open Timeout", change its value to 0, then leave the configure screen by committing this change.

===== Using alpine =====
To move or copy local folders or folders from another IMAP server to the imap.ifh.de server do the following

 * select all messages in the original folder by pressing '''; a'''
 * copy all messages in the folder to a new destination '''a s {imap.ifh.de}''' ''<foldername>''
 * remove the delete mark if you want to copy instead of moving the folder '''a u'''
 * unselect all messages '''; a'''

<<Anchor(thunderbird)>>

==== Thunderbird ====
(please do also have a look into the [[http://www-zeuthen.desy.de/technisches_seminar/texte/mail2_okt09.pdf|Vortrag im technischen Seminar]] if you have a german version of thunderbird)
||<#CCFFFF> <!> '''Notice!'''<<BR>>The following procedure needs to be followed to avoid certificate warnings ||




Download the following certificates to your home directory:

 * [[https://pki.pca.dfn.de/desy-ca/pub/cacert/g_intermediatecacert.crt|DFN PCA certificate]]
 * [[https://pki.pca.dfn.de/desy-ca/pub/cacert/g_cacert.crt|DESY CA certificate]]

Start thunderbird and create a new mail account:

 * Select in the Edit menu "Account Settings" and add a new (email) account
 * Enter your Name '''and an arbitrary Email address ending with @ifh.de''' in the appropriate place. This guarantees that thunderbird will automatically configure the imap and smtp servers to be used properly.

When the server configuration has been automatically found, please change the email address to your officiall address firstname.lastname@desy.de . If you entered the desy.de address in the first place then proceed as follows:

 * in the next screen select "IMAP " as server type and enter '''imap.ifh.de''' as the incoming server name,
 * enter '''smtp.ifh.de''' as the outgoing server name (SMTP)
 * enter your user name in the field "Incoming User Name"
 * the same name can be entered for the outgoing server (authenticated SMTP) or left blank
 * define an arbitrary account name and press the Finish button

Then in the newly created account change some settings:

 * in the "Server Settings" select '''TLS'''
 * If you want to authenticate using Kerberos (you can obtain a ticket using kinit (Linux) or the network identity manager (Windows)) the option '''Use secure authentication''' has to be selected
 * On windows clients open the Config Editor in "Edit" - "Preferences" - "Advanced" - "General" and '''set network.auth-use-sspi to "false"'''.
 * Otherwise you have to deselect '''Use secure authentication'''
 * click on "Advanced..." and unselect "Show only subscribed folders"

To '''avoid security warnings''' about certificates that cannot be verified:

 * In the Edit Menu select "Preferences" and there go to "Advanced"
 * In the "Certificates" Menu select "View Certificates" then "Authorities" and click on "Import"
 * Select the three downloaded certificates in the order given above (open it) and check all checkboxes

 * Make sure that you '''do not enter a value for "IMAP server directory"'''. That field is in Edit->Account Settings->Server Settings->Advanced. The value of that field on mail.ifh.de was usually set to "mail".

To have thunderbird look in all folders for new mail:

 * Open the Config Editor in "Edit" - "Preferences" - "Advanced" - "General"
 * search for the preference {{{mail.check_all_imap_folders_for_new}}}, and change its value to {{{true}}}

Please disable the offline storage of emails in the AFS home directory:

 * Go to "Edit" - "Account Settings" - "Synchronization & Storage" and uncheck "Keep messages for this account on this computer"

<<Anchor(macmail)>>

==== MacOSX Mail ====
The configuration is similar to what is described under [[#thunderbird|Thunderbird]] above. Kerberos authentication may work depending on the software installed. Make sure that

 * certificates are being downloaded to avoid security warnings (visiting the links using a web browser should be sufficient)
 * IMAP is configured using TLS (SSL) and port 143, not 993
 * the field for the mail directory on the server remains empty (home directory on the server is used)

<<Anchor(cert)>>

==== Certificates ====
On Windows and MacOSX it seems to be sufficient to download once the two certificates ([[#certificates|see above]]) using a web browser and accept the certificates (select the check boxes that will appear when downloading).

On Linux computers not maintained by DESY certificates have to be downloaded to the certs directory ([[#certificates|see above]]) and made available to openssl. This requires root access. Then a symlink to the certs directory has to be installed. This can be achieved by the commands:

{{{
su - root # become root
cd /etc/pki/tls/certs # for SuSE and Debian use /etc/ssl/certs
wget
wget
openssl x509 -inform der -in g_intermediatecacert.crt -out g_intermediatecacert.pem
ln -s g_intermediatecacert.pem `openssl x509 -noout -hash -in g_intermediatecacert.pem`.0
openssl x509 -inform der -in g_cacert.crt -out g_cacert.pem
ln -s g_cacert.pem `openssl x509 -noout -hash -in g_cacert.pem`.0
exit # become ordinary user
}}}
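Review bot: In the final command block under "Certificates", both `wget` lines have no URL, so the sequence stops there and the `openssl x509 -inform der` calls that follow have no g_intermediatecacert.crt or g_cacert.crt to read; put the two pki.pca.dfn.de certificate URLs from the link lists earlier in this section on those lines. The .pinerc block has the same kind of damage: `inbox-path={` followed by `}inbox` on the next line has lost its server spec and should match the `{imap.ifh.de/tls}inbox` value given for the configure screen. The Thunderbird import step says "three downloaded certificates" while only two are listed for download, so either the count or the list needs correcting. Since root installs these files as trust anchors, consider publishing their fingerprints on this page so readers can compare them with `openssl x509 -noout -fingerprint` before creating the hash links. Typos to fix while here: "Infrasrtucture", "officiall".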

Configuration of Mail Readers for the DESY Mail Servers in Zeuthen

General Remarks

The centrally installed mail clients on Linux/UNIX and Windows are usually preconfigured to use the correct settings. As users can override these settings and recommended settings may change, it is advisable to check whether your personal mail settings agree with the values given below.

Incoming Mail

Incoming mail is accessed using the IMAP protocol on the server imap.ifh.de on port 143 (or in conjunction with SSL port 993).

Authentication can be done using

  • GSSAPI (Kerberos5) or by
  • Plain authentication giving the (AFS) username and password

If password authentication is chosen, TLS (on port 143) or SSL (on port 993) must be used.

Outgoing Mail

All outgoing mail is sent using the SMTP protocol and one of the mail servers

  • smtp.ifh.de (mail.ifh.de, mailz2.desy.de) or
  • mail1.ifh.de (mailz.desy.de)

Port 25 must be used as all other outgoing mail traffic (e.g. sent from a notebook to a remote provider) is blocked. The use of smtp.ifh.de is preferred, as mail1.ifh.de is seen only from inside DESY and cannot be used to send mail from outside.

SMTP Authentication is not required but it can be used. It has to be used if mail from a remote host (e.g. from a notebook on a conference) needs to be sent via our mail server to a recipient outside DESY. This is called relaying and normally not allowed. Make sure to use the host name smtp.ifh.de and have the required certificates installed (described on the page Mail Server imap.ifh.de). The authentication can be done using

  • GSSAPI (Kerberos5) or by
  • Plain authentication giving the (AFS) username and password

If password authentication is chosen, TLS (on port 25) must be used. That uses SSL encryption.

Several sites block outgoing traffic on port 25, so even with authenticated SMTP, sending mail through the DESY Zeuthen mail servers would not be possible from there. We therefore provide two additional ports for sending mail: port 587 (submission) and port 465 (smtps). If port 25 is not working at external sites, you can give these ports a try.

Address Books

The centrally managed address books are using the LDAP protocol. To use it the name of a server and at least the search base have to be given. The following address books are useful (access is limited to DESY and to some High Energy Physics Institutes):

server name     search base     remarks
ldap.desy.de    o=DESY,c=de     the official address book
ldap.ifh.de     o=DESY,c=de     mirror of ldap.desy.de
ldap.cern.ch    o=CERN,c=ch     the CERN address book

For backward compatibility the search base o=DESY Zeuthen on ldap.ifh.de is also a mirror of the official address book on ldap.desy.de.

Your Mail Address

In all mails the preferred email address Firstname.Lastname@desy.de should be used.

Please note that the default on some unmaintained systems is accountname@hostname.ifh.de which does not work. Mail clients allow you to override that default From: address to use the form given above.

Mail client specific information

Alpine

On Linux: Installing the certificates (requires root access)

This step is already done on DESY computers.

Notice!
The following procedure needs to be followed if you get warnings concerning certificates.

Download chain.txt (https://pki.pca.dfn.de/desy-ca/pub/cacert/chain.txt) from the DFN Public Key Infrastructure server and copy the file to

  • /etc/ssl/certs (SuSE) or
  • /usr/lib/ssl/certs (Debian, Ubuntu) or
  • /etc/pki/tls/certs (RedHat, Fedora, Scientific Linux, CentOS)

Then change into the directory containing the certs directory, i.e. /etc/ssl, /usr/lib/ssl or /etc/pki/tls respectively. If there is already a file or a symlink with the name cert.pem, then remove it or move it out of the way. You have to create a symlink cert.pem -> certs/chain.txt by executing

ln -s certs/chain.txt cert.pem

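If the file cert.pem already exists and does not point to a file containing all the certificates required for verification of the mail server certificate, the certs directory is searched for the individual required certificates, which can be downloaded from

  • DFN PCA certificate: https://pki.pca.dfn.de/desy-ca/pub/cacert/g_intermediatecacert.crt
  • DESY CA certificate: https://pki.pca.dfn.de/desy-ca/pub/cacert/g_cacert.crt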

For each of the downloaded files the following commands have to be issued (make sure you are in the certs directory), otherwise the certificates will not be found:

openssl x509 -inform der -in downloaded_file.crt -out downloaded_file.pem
ln -s downloaded_file.pem `openssl x509 -noout -hash -in downloaded_file.pem`.0

Configuring alpine by editing .pinerc

(this has been done already on DESY Zeuthen computers running SL5/6)

Add or modify the following lines in .pinerc:

inbox-path={imap.ifh.de/tls}inbox
# the folders on the server (mdbox format) and the local folders (mbox format)
folder-collections=Folders on imap.ifh.de {imap.ifh.de}[], mail/[]

# immediate startup (for non DESY computers required)
rsh-open-timeout=0

# the next lines are optional...
# pressing <TAB> at the last mail in the INBOX checks and opens the next INBOX
feature-list=...,tab-checks-recent

Configuring alpine by using the configure screen of alpine

The configure screen can be accessed from the main menu by selecting the setup menu and then selecting the "(C) Config" screen.

  • Search the keyword "Inbox Path" and set the field to {imap.ifh.de/tls}inbox

  • Search the option "Tab Checks for Recent Messages" and activate it
  • Exit the setup screen by committing the changes, then reenter the setup screen, select "(L) collectionLists"
  • Add a new collection (a) and set Nickname to "Folders on imap.ifh.de", Server to "imap.ifh.de"
  • Exit the screen and commit the changes

To set rsh-open-timeout=0 you may have to

  • Search the option "Expose Hidden Config" and activate it, then leave the configure screen (commit changes)
  • Reenter the configuration screen, search "Rsh Open Timeout", change its value to 0, then leave the configure screen by committing this change.

Using alpine

To move or copy local folders or folders from another IMAP server to the imap.ifh.de server do the following

  • select all messages in the original folder by pressing ; a

  • copy all messages in the folder to a new destination a s {imap.ifh.de} <foldername>

  • remove the delete mark if you want to copy instead of moving the folder a u

  • unselect all messages ; a

Thunderbird

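(please also have a look at the Vortrag im technischen Seminar (talk in the technical seminar), http://www-zeuthen.desy.de/technisches_seminar/texte/mail2_okt09.pdf, if you have a German version of Thunderbird)

Notice!
The following procedure needs to be followed to avoid certificate warnings.

Download the following certificates to your home directory:

  • DFN PCA certificate: https://pki.pca.dfn.de/desy-ca/pub/cacert/g_intermediatecacert.crt
  • DESY CA certificate: https://pki.pca.dfn.de/desy-ca/pub/cacert/g_cacert.crt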

Start thunderbird and create a new mail account:

  • Select in the Edit menu "Account Settings" and add a new (email) account
  • Enter your Name and an arbitrary Email address ending with @ifh.de in the appropriate place. This guarantees that thunderbird will automatically configure the imap and smtp servers to be used properly.

When the server configuration has been automatically found, please change the email address to your official address firstname.lastname@desy.de. If you entered the desy.de address in the first place then proceed as follows:

  • in the next screen select "IMAP" as server type and enter imap.ifh.de as the incoming server name,

  • enter smtp.ifh.de as the outgoing server name (SMTP)

  • enter your user name in the field "Incoming User Name"
  • the same name can be entered for the outgoing server (authenticated SMTP) or left blank
  • define an arbitrary account name and press the Finish button

Then in the newly created account change some settings:

  • in the "Server Settings" select TLS

  • If you want to authenticate using Kerberos (you can obtain a ticket using kinit (Linux) or the network identity manager (Windows)) the option Use secure authentication has to be selected

  • On Windows clients open the Config Editor in "Edit" - "Preferences" - "Advanced" - "General" and set network.auth-use-sspi to "false".

  • Otherwise you have to deselect Use secure authentication

  • click on "Advanced..." and unselect "Show only subscribed folders"

To avoid security warnings about certificates that cannot be verified:

  • In the Edit Menu select "Preferences" and there go to "Advanced"
  • In the "Certificates" Menu select "View Certificates" then "Authorities" and click on "Import"
  • Select the three downloaded certificates in the order given above (open them) and check all checkboxes
  • Make sure that you do not enter a value for "IMAP server directory". That field is in Edit->Account Settings->Server Settings->Advanced. The value of that field on mail.ifh.de was usually set to "mail".

To have thunderbird look in all folders for new mail:

  • Open the Config Editor in "Edit" - "Preferences" - "Advanced" - "General"
  • search for the preference mail.check_all_imap_folders_for_new, and change its value to true

Please disable the offline storage of emails in the AFS home directory:

  • Go to "Edit" - "Account Settings" - "Synchronization & Storage" and uncheck "Keep messages for this account on this computer"

MacOSX Mail

The configuration is similar to what is described under Thunderbird above. Kerberos authentication may work depending on the software installed. Make sure that

  • certificates are being downloaded to avoid security warnings (visiting the links using a web browser should be sufficient)
  • IMAP is configured using TLS (SSL) and port 143, not 993
  • the field for the mail directory on the server remains empty (home directory on the server is used)

Certificates

On Windows and MacOSX it seems to be sufficient to download the two certificates (see above) once using a web browser and accept the certificates (select the check boxes that will appear when downloading).

On Linux computers not maintained by DESY, certificates have to be downloaded to the certs directory (see above) and made available to openssl. This requires root access. Then a symlink to the certs directory has to be installed. This can be achieved by the commands:

su - root # become root
cd /etc/pki/tls/certs # for SuSE and Debian use /etc/ssl/certs
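wget https://pki.pca.dfn.de/desy-ca/pub/cacert/g_intermediatecacert.crt
wget https://pki.pca.dfn.de/desy-ca/pub/cacert/g_cacert.crt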
openssl x509 -inform der -in g_intermediatecacert.crt -out g_intermediatecacert.pem
ln -s g_intermediatecacert.pem `openssl x509 -noout -hash -in g_intermediatecacert.pem`.0
openssl x509 -inform der -in g_cacert.crt -out g_cacert.pem
ln -s g_cacert.pem `openssl x509 -noout -hash -in g_cacert.pem`.0
exit # become ordinary user
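
The effect of the `<hash>.0` symlink step can be checked offline before touching a system certs directory. The following is an added example, not part of the original page: it builds a throwaway CA and server certificate in a scratch directory, applies the page's two commands there, and reports whether `openssl verify -CApath` finds the issuer before and after the link exists. The function names and the subjects "Example Test CA" and "imap.example.test" are constructed for the test.

```shell
#!/bin/sh
# Added example: everything happens in a scratch directory with a constructed
# throwaway CA; names such as "Example Test CA" are made up for the test.

make_test_pki() {   # $1 = work dir: writes certs/ca.crt (DER) and server.pem
    d=$1
    mkdir -p "$d/certs" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl x509 -in "$d/ca.pem" -outform der -out "$d/certs/ca.crt" || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=imap.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}

install_ca() {      # $1 = certs dir, $2 = DER file in it (the page's two commands)
    ( cd "$1" || exit 1
      pem="${2%.crt}.pem"
      openssl x509 -inform der -in "$2" -out "$pem" || exit 1
      ln -sf "$pem" "$(openssl x509 -noout -hash -in "$pem").0" )
}

verifies() {        # $1 = certs dir, $2 = certificate; true if the issuer is found
    openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo() {
    work=$(mktemp -d) || return 1
    make_test_pki "$work" || { rm -rf "$work"; return 1; }
    # A PEM file alone is not enough: -CApath lookups go through <hash>.0 names.
    openssl x509 -inform der -in "$work/certs/ca.crt" -out "$work/certs/ca.pem"
    if verifies "$work/certs" "$work/server.pem"; then before=found; else before=missing; fi
    install_ca "$work/certs" ca.crt
    if verifies "$work/certs" "$work/server.pem"; then after=found; else after=missing; fi
    rm -rf "$work"
    echo "before link: $before, after link: $after"
}

demo
```

On a real machine, `verifies` can be pointed at the actual certs directory and a saved copy of the mail server certificate to confirm the installation without starting a mail client.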

MailReaderConfiguration (last edited 2017-08-24 11:02:55 by SimoneWassberg)