Configuration of Mail Readers for the DESY Mail Servers in Zeuthen

General Remarks

The centrally installed mail clients on Linux/UNIX and Windows are usually preconfigured to use the correct settings. As users can override these settings and recommended settings may change it is a good advice to check whether your personal mail settings are in agreement with the values given below

Incoming Mail

Incoming mail is accessed using the

• IMAP protocol on the server (see also a detailed description)

  imap.ifh.de on port 143 (or in conjunction with SSL port 993)

Authentication can be done using

• GSSAPI (Kerberos5) or by

  Plain authentication giving the (AFS) username and password

Outgoing Mail

All outgoing mail is sent to a mail server using the SMTP protocol. The

• smtp.ifh.de (mail.ifh.de, mailz2.desy.de) mail server can be used from within the DESY network without further authentication. Sending mail over this server from outside DESY is only possible using authenticated SMTP.

• For DESY internal traffic there is a second SMTP server mail1.ifh.de (mailz.desy.de).

SMTP Authentication

• is not required but it can be used. It has to be used if mail from a remote host (e.g. from a notebook on a conference) needs to be sent via our mail server to a recipient outside DESY. This is called relaying and normally not allowed. Make sure to use the host name smtp.ifh.de and have the required certificates installed. The authentication can be done using

  GSSAPI (Kerberos5) or by

  Plain authentication giving the (AFS) username and password

If you followed the instructions concerning certificates the infrastructure to use that should already be in place. You have to configure your mail client to use smtp.ifh.de as the outgoing mail server, use your (UNIX) username (and password) for authentication and use an encrypted connection (TLS, not SSL) on port 25. For thunderbird that is done on config screens, for pine/alpine the line

 smtp-server=smtp.ifh.de/user=<accountname>

enables authenticated smtp.

If password authentication is chosen,

• TLS (on port 25) and not SSL must be used. That uses SSL encryption.

Several sites do block outgouig traffic on port 25 and sending mail using that port will fail. In this case sending mail using DESY Zeuthen mail servers would not be possible even when using authenticated SMTP. Therefore on smtp.ifh.de port 587 is open as well for mail submission (service "submission"). Older clients require the use of port 465 when using TLS with SMTP, this port can also be used on smtp.ifh.de.

Address Books

The centrally managed address books are using the LDAP protocol. To use it the name of a server and at least the search base have to be given. The following address books are useful (access is limited to DESY and to some High Energy Physics Institutes):

For backward compatibility the search base o=DESY Zeuthen on ldap.ifh.de is also a mirror of the official address book on ldap.desy.de.

Your Mail Address

In all mails the preferred email address Firstname.Lastname@desy.de should be used.

Please note that the default on some unmaintained systems is accountname@hostname.ifh.de which does not work. Mail clients allow you to override that default From: address to use the form given above.

Mail client specific information

Alpine

On Linux: Installing the certificates (requires root access)

This step is already done on DESY computers

Download chain.txt from the DFN Public Key Infrasrtucture server and copy the file to

• /etc/ssl/certs (SuSE) or
• /usr/lib/ssl/certs (Debian, Ubuntu) or

• /etc/pki/tls/certs (RedHat, Fedora, Scientific Linux, CentOS)

Then change into the directory containing the certs directory, i.e. /etc/ssl, /usr/lib/ssl and /etc/pki/tls respectively. If there is already a file or a symlink with the name cert.pem then remove it or move it out of the way. You have to create a symlink cert.pem-> certs/chain.txt by executing

ln -s certs/chain.txt cert.pem

If the file cert.pem is already existing and does not point to a file containing all the certificates required for verification of the mail server certificate the certs directory is searched for the individual required certificates which can be downloaded from

• DFN PCA certificate

• DESY CA certificate

For each of the downloaded files the following commands have to be issued (make sure you are in the certs directory), otherwise the certificates will not be found:

openssl x509 -inform der -in downloaded_file.crt -out downloaded_file.pem
ln -s downloaded_file.pem `openssl x509 -noout -hash -in downloaded_file.pem`.0

Configuring alpine by editing .pinerc

(this has been done already on DESY Zeuthen computers running SL5/6)

add or modify the following lines in .pinerc:

inbox-path={
}inbox
# the folders on the server (mdbox format) and the local folders (mbox format)
folder-collections=Folders on imap.ifh.de {imap.ifh.de}[], mail/[]

# immediate startup (for non DESY computers required)
rsh-open-timeout=0

# the next lines are optional...
# pressing <TAB> at the last mail in the INBOX checks and opens the next INBOX
feature-list=...,tab-checks-recent

Configuring alpine by using the configure screen of alpine

The configure screen can be accessed from the main menu by selecting the setup menu and then select the "(C) Config" screen.

• Search the keyword "Inbox Path" and set the field to {imap.ifh.de/tls}inbox

• Search the option "Tab Checks for Recent Messages" and activate it
• Exit the setup screen by committing the changes, then reenter the setup screen, select "(L) collectionLists"
• Add a new collection (a) and set Nickname to "Folders on imap.ifh.de", Server to "imap.ifh.de"
• Exit the screen and commit the changes

To set rsh-open-timeout=0 you may have to

• Search the option "Expose Hidden Config" and activate it, then leave the configure screen (commit changes)
• Reenter the configuration screen, search "Rsh Open Timeout", change its value to 0, then leave the configure screen by committing this change.

Using alpine

To move or copy local folders or folders from another IMAP server to the imap.ifh.de server do the following

• select all messages in the original folder by pressing ; a

• copy all messages in the folder to a new destination a s {imap.ifh.de} <foldername>

• remove the delete mark if you want to copy instead of moving the folder a u

• unselect all messages ; a

Thunderbird

(please do also have a look into the Vortrag im technischen Seminar if you have a german version of thunderbird)

Download the following certificates to your home directory:

• DFN PCA certificate

• DESY CA certificate

Start thunderbird and create a new mail account:

• Select in the Edit menu "Account Settings" and add a new (email) account

• Enter your Name and an arbitrary Email address ending with @ifh.de in the appropriate place. This guarantees that thunderbird will automatically configure the imap and smtp servers to be used properly.

When the server configuration has been automatically found, please change the email address to your officiall address firstname.lastname@desy.de . If you entered the desy.de address in the first place then proceed as follows:

• in the next screen select "IMAP " as server type and enter imap.ifh.de as the incoming server name,

• enter smtp.ifh.de as the outgoing server name (SMTP)

• enter your user name in the field "Incoming User Name"
• the same name can be entered for the outgoing server (authenticated SMTP) or left blank
• define an arbitrary account name and press the Finish button

Then in the newly created account change some settings:

• in the "Server Settings" select TLS

• If you want to authenticate using Kerberos (you can obtain a ticket using kinit (Linux) or the network identity manager (Windows)) the option Use secure authentication has to be selected

• On windows clients open the Config Editor in "Edit" - "Preferences" - "Advanced" - "General" and set network.auth-use-sspi to "false".

• Otherwise you have to deselect Use secure authentication

• click on "Advanced..." and unselect "Show only subscribed folders"

To avoid security warnings about certificates that cannot be verified:

• In the Edit Menu select "Preferences" and there go to "Advanced"
• In the "Certificates" Menu select "View Certificates" then "Authorities" and click on "Import"
• Select the three downloaded certificates in the order given above (open it) and check all checkboxes

• Make sure that you do not enter a value for "IMAP server directory". That field is in Edit->Account Settings->Server Settings->Advanced. The value of that field on mail.ifh.de was usually set to "mail".

To have thunderbird look in all folders for new mail:

• Open the Config Editor in "Edit" - "Preferences" - "Advanced" - "General"

• search for the preference mail.check_all_imap_folders_for_new, and change its value to true

Please disable the offline storage of emails in the AFS home directory:

• Go to "Edit" - "Account Settings" - "Synchronization & Storage" and uncheck "Keep messages for this account on this computer"

MacOSX Mail

The configuration is similar to what is described under Thunderbird above. Kerberos authentication may work depending on the software installed. Make sure that

• certificates are being downloaded to avoid security warnings (visiting the links using a web browser should be sufficient)
• IMAP is configured using TLS (SSL) and port 143, not 993
• the field for the mail directory on the server remains empty (home directory on the server is used)

Certificates

On Windows and MacOSX it seems to be sufficient to download once the two certificates (see above) using a web browser and accept the certificates (select the check boxes that will appear when downloading).

On Linux computers not maintained by DESY certificates have to be downloaded to the certs directory (see above) and made available to openssl. This requires root access. Then a symlink to the certs directory has to be installed. This can be achieved by the commands:

su - root # become root
cd /etc/pki/tls/certs # for SuSE and Debian use /etc/ssl/certs
wget
wget
openssl x509 -inform der -in g_intermediatecacert.crt -out g_intermediatecacert.pem
ln -s g_intermediatecacert.pem `openssl x509 -noout -hash -in g_intermediatecacert.pem`.0
openssl x509 -inform der -in g_cacert.crt -out g_cacert.pem
ln -s g_cacert.pem `openssl x509 -noout -hash -in g_cacert.pem`.0
exit # become ordinary user