Wiley Publishing: SUSE Linux 9 Bible, part 8 (pptx)

Chapter 17 ✦ Mail Servers — Postfix, Qpopper, and Cyrus

Dial-up server configuration

This scenario is unlikely to be used these days, as most mail clients hold off from sending mail when you are offline, but the configuration is still relevant to other situations. When you do not have a constant connection to the Internet, it is a good idea to stop Postfix from attempting to send mail when it is not connected. To do this, you defer the sending to a later time by telling Postfix that it should defer sending mail via SMTP, using the defer_transports parameter:

    defer_transports = smtp

When the machine is connected to the Internet, you then need to tell Postfix to send the mail it has queued. The sendmail command can be used to process the queued mails, as follows:

    sendmail -q

When the command has completed, use the mailq command to query whether your mails have been sent. The mailq command also tells you if any mails are stuck in the queue for any reason. Common problems are that Postfix cannot communicate with another mail server because of connectivity problems, or that local mail cannot be delivered because a user is over quota.

To stop your machine from unnecessarily trying to look up host names when processing mail in the queue, turn off address lookups via DNS by changing the default disable_dns_lookups parameter as follows:

    disable_dns_lookups = yes

Usually, if you are on a dial-up, you will pass all of your mail to another, dedicated mail server for further handling, in which case you need to configure a relay host using the relayhost parameter:

    relayhost = mail.palmcoder.net

Now, any mail that is not local to your mail server will be sent via SMTP to the machine mail.palmcoder.net. The relayhost parameter is also used in larger sites, where departmental mail servers propagate mail through an organization via a central mail hub.
Stopping spam

Spam, or UCE (unsolicited commercial email), is the bane of any Internet user's life, and an administrator is more than aware of how much mail is worthless junk. To combat this, you can use Postfix's UCE controls to limit the amount of spam that travels through your systems. We have already touched upon the restriction of relaying through your mail server, which is part of the spam problem.

Another way to stop spam is by making sure that connections to the mail server are true to the RFC SMTP standard. With this comes an increased risk of false positives. False positives happen when Postfix sees that a non-standard connection is taking place and rejects the mail. This can happen when the sending mail server does not properly conform to the RFC, not because it is malicious, but because it relies on the legacy of mail servers being understanding when it comes to slight errors in the way an SMTP transaction takes place.

26_577395 ch17.qxd 12/15/04 12:39 AM Page 403
Part IV ✦ Implementing Network Services in SUSE Linux

To be more stringent with what data a connecting machine sends to Postfix, you can restrict its access and the format that data is in with the smtpd_sender_restrictions parameter. Consider the following example:

    smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, permit

This rejects any mail from a user whose domain does not exist in the Internet domain name system. This stops spammers from using a fictitious domain component in their MAIL FROM: clause. The reject_non_fqdn_sender restriction rejects any mail where the format of the MAIL FROM: does not include a fully qualified domain name (of the form domain.tld). A TLD, or top-level domain, encapsulates the .com, .org, .net, .co.uk, and so on domains and is the defined and controlled domain format for the Internet. An Internet fully qualified domain name (FQDN) is always composed of a domain and a TLD. For example, palmcoder.net is an FQDN.
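The order of the restrictions matters, so here is an added example (not code from the book or from Postfix itself) that models how Postfix walks the smtpd_sender_restrictions list above and the smtpd_client_restrictions list the chapter gives next: left to right, and the first restriction that answers PERMIT or REJECT decides. DNS, the RBL zone and $mynetworks are replaced by constructed tables so that it runs offline; every address and domain in those tables is an assumption.

```python
import ipaddress
import re

# Constructed stand-ins for the lookups Postfix would really perform.
KNOWN_DOMAINS = {"palmcoder.net", "bible.suse.com", "wileybible.com"}  # resolve in "DNS"
RBL_LISTED = {"192.0.2.99"}                         # client IPs listed by the RBL zone
CLIENT_PTR = {"10.0.0.5": "laptop.bible.suse.com",  # client IP -> reverse name
              "198.51.100.7": "mx.wileybible.com"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),  # a typical $mynetworks
              ipaddress.ip_network("10.0.0.0/8")]

# domain.tld: one or more host labels followed by an alphabetic TLD label
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def is_fqdn(domain):
    """True for palmcoder.net or mail.co.uk, False for localhost."""
    return FQDN_RE.match(domain) is not None


def sender_domain(mail_from):
    """Domain of a MAIL FROM: address. None for the null sender <> (bounces);
    '' when there is no @ at all (a simplification of Postfix's rewriting)."""
    addr = mail_from.strip().strip("<>")
    if not addr:
        return None
    return addr.rpartition("@")[2] if "@" in addr else ""


# Each restriction returns "PERMIT", "REJECT" or None (Postfix's DUNNO:
# no opinion, so the next restriction in the list is consulted).
def reject_unknown_sender_domain(ctx, arg=None):
    dom = sender_domain(ctx["sender"])
    return "REJECT" if dom and dom.lower() not in KNOWN_DOMAINS else None


def reject_non_fqdn_sender(ctx, arg=None):
    dom = sender_domain(ctx["sender"])
    return "REJECT" if dom is not None and not is_fqdn(dom) else None


def permit_mynetworks(ctx, arg=None):
    ip = ipaddress.ip_address(ctx["client_ip"])
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else None


def reject_rbl_client(ctx, arg=None):
    # arg is the zone name (relays.ordb.org in the chapter); the DNS query for
    # <reversed-ip>.<zone> is replaced by the RBL_LISTED table above
    return "REJECT" if ctx["client_ip"] in RBL_LISTED else None


def reject_unknown_client(ctx, arg=None):
    return "REJECT" if ctx["client_ip"] not in CLIENT_PTR else None


def permit(ctx, arg=None):
    return "PERMIT"


RESTRICTIONS = {f.__name__: f for f in (
    reject_unknown_sender_domain, reject_non_fqdn_sender, permit_mynetworks,
    reject_rbl_client, reject_unknown_client, permit)}


def evaluate(restriction_list, ctx):
    """Walk a main.cf restriction list left to right; first PERMIT/REJECT wins.
    Returns (decision, name of the deciding restriction). Running off the end
    means nothing objected, which Postfix treats as permission."""
    for item in restriction_list.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, arg = item.partition(" ")
        if name not in RESTRICTIONS:
            raise ValueError(f"restriction not modelled here: {name}")
        verdict = RESTRICTIONS[name](ctx, arg.strip() or None)
        if verdict is not None:
            return verdict, name
    return "PERMIT", "end of list"


SENDER_LIST = "reject_unknown_sender_domain, reject_non_fqdn_sender, permit"
CLIENT_LIST = "permit_mynetworks, reject_rbl_client relays.ordb.org, reject_unknown_client"

if __name__ == "__main__":
    for sender in ("<justin@palmcoder.net>", "<spam@bogus-domain.invalid>", "<>"):
        print(sender, evaluate(SENDER_LIST, {"sender": sender, "client_ip": "198.51.100.7"}))
    for ip in ("10.0.0.5", "192.0.2.99", "203.0.113.1", "198.51.100.7"):
        print(ip, evaluate(CLIENT_LIST, {"sender": "<>", "client_ip": ip}))
```

Note that with the chapter's sender list, reject_unknown_sender_domain fires before reject_non_fqdn_sender ever sees a non-FQDN sender, which is why the null sender used for bounces must be left alone by both.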
Restricting client connections to a mail server is always tricky, because you do not want to produce false positives, as they drastically affect what mail you receive. To help with this, RBL (Real-time Black Hole) servers are in place that list known spammers' addresses in real time, allowing you to rely on them when rejecting mail connections. This is an extremely useful idea that takes away a large proportion of your spam catching and gives it to a trusted, free service. To enable RBL server lookups, you need to use the reject_rbl_client parameter in the smtpd_client_restrictions:

    smtpd_client_restrictions = permit_mynetworks, reject_rbl_client relays.ordb.org, reject_unknown_client

This allows connections from mynetworks, rejects mail from spam artists listed in the ordb database, and also rejects mail from unknown clients (clients that do not have an entry in the Internet DNS).

This just scratches the surface of what can be done with Postfix, but gives you enough to get started configuring your own mail server. The Postfix documentation is some of the best out there and can be found at the Postfix site at www.postfix.org.

Qpopper

When your MTA is configured, you need to be able to access your mail using a mail client by connecting to an MDA. You have three ways of remotely accessing your mail:

✦ By logging into the server and accessing the mail spool directly
✦ Via Internet Message Access Protocol (IMAP)
✦ Via Post Office Protocol (POP3)

We will talk about POP3 and IMAP in this section of the chapter, starting with POP3. POP3 enables you to receive your mail from a server and store it on your local disk. When the mail has been received from the server, it is then deleted from the server. POP3 is a good mail storage option for laptop users, as your mail is always local to your machine.
IMAP takes a different approach by always storing your mail messages on the server. This gives you the added benefit of being able to access all of your mail (including subfolders) wherever you are. If you use POP3, you are able to see all of the mail you have downloaded only if you have with you the laptop or desktop machine that you use to download your POP3 mail.

One of the best POP3 servers is Qpopper. In addition to being the standard for POP3 retrieval, it is actively maintained and also supports extended authentication methods beyond the standard cleartext username and password. When you have installed Qpopper, you need to enable POP3 access in /etc/inetd.conf. Open /etc/inetd.conf and uncomment the popper line relating to POP3 (see Listing 17-3).

Listing 17-3: Enabling Qpopper in inetd

    # Pop et al
    #
    # pop2   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop2d
    # pop3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
    # pop3s  stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
    pop3     stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/popper -s
    #

The network process inetd accepts connections on standard ports and passes control over to a specific application. Whereas Postfix listens on port 25 in daemon mode, Qpopper relies on inetd to provide its listening services. Once enabled, start inetd to enable POP3 access to your mail.

    bible:~ # rcinetd start
    Starting inetd                                             done

Once started, you can test connectivity with Telnet, as we discuss in more detail in Chapter 15. Listing 17-4 shows an example.

Listing 17-4: Testing the POP3 Server with Telnet

    bible:~ # telnet localhost 110
    Trying 127.0.0.1
    Connected to localhost.
    Escape character is '^]'.
    +OK ready <2282.1088970620@bible>
    user justin
    +OK Password required for justin.
    pass password
    +OK justin has 1 visible message (0 hidden) in 544 octets.
As you can see, the user justin has one unread mail that is 544 octets in length.

You can pass other parameters to Qpopper to extend its functionality. For example, if you want to allow your users to enter their usernames in uppercase or mixed case, you can add -c to the Qpopper command line in inetd.conf to enable this. Another common parameter is -R, to disable reverse name lookups (so that the host name and not the IP address is stored in the system log). If you want to store your Qpopper options in a configuration file instead of specifying them on the command line through inetd.conf, you need to call Qpopper with the -f parameter (to set the configuration file):

    # Pop et al
    #
    # pop2   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop2d
    # pop3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
    # pop3s  stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
    pop3     stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/popper -f /etc/qpopper.conf
    #

If you want to set the parameters discussed previously in the qpopper.conf configuration file, you have to use the full text representation of the parameters:

    set statistics
    set downcase-user
    set reverse-lookup=false

Qpopper has many options that you can enable on the command line in /etc/inetd.conf or by specifying on the command line a configuration file containing the parameters. For more information on what you can do with Qpopper, take a look at the popper(8) man page.

Fetchmail

In certain situations, you may need to "pull" your email from a POP or IMAP server to your local mail server. The fetchmail program was designed to contact an MDA, fetch the mail, and then pass it through your local SMTP server for delivery. For fetchmail to run successfully, you need to know the address of your MDA server, the username, the password, and the protocol to use (POP3/IMAP).
The fetchmail program then connects to the MUA and transports the messages to your SMTP server for further processing. When you run fetchmail with the required options, it delivers mail to the user you are running the command as.

    justin@bible:~> fetchmail mail.bible.suse.com -p pop3
    Enter password for justin@mail.bible.suse.com:
    1 message for justin at mail.bible.suse.com (720 octets).
    reading message justin@mail.bible.suse.com:1 of 1 (720 octets) flushed

In the example, the user is currently logged in as justin, so the mail will be delivered via SMTP to the user justin@localhost.

In the fetchmail run in the previous example, we told fetchmail the server (mail.bible.suse.com) and the protocol (-p pop3). The fetchmail program is clever enough to know that we also need a password, so it asks us for it. When a message has been "flushed," it has been delivered through SMTP.

If you are using a dial-up Postfix configuration, you can use fetchmail to automatically download your POP mail through SMTP to your mail server. Some Internet service providers (ISPs) routinely poll a static IP address that you have been assigned and automatically have your mail delivered through SMTP, but these services usually cost more money and are few and far between.

Cyrus IMAPD

POP3 is a good mail delivery agent for most situations, but if you like your mail controlled from a central server, with access to all your mail and folders from a remote site regardless of whether your mail is stored locally, then IMAP is the answer. IMAP is a connection-based protocol, which means that you need a connection to the server to read your mail. Some MUAs allow you to take your mail "offline" locally for reading while not connected, but at the end of the day, the server holds the up-to-date representation of your mail.
There are two main contenders in the Unix IMAP server space: the University of Washington IMAP server and Cyrus IMAPD. Both IMAP servers are extremely good at what they do, and we have chosen Cyrus as our focus because it is the IMAP server of choice for SUSE (it is the IMAP server used in OpenExchange). The Cyrus IMAP server is extremely scalable and is capable of handling thousands of mail accounts. If more scalability is needed, you can use a Murder of Cyrus (a cluster of Cyrus servers) to provide a distributed IMAP server farm.

To use Cyrus, you need to add a system user (in our case, we will use justin) to the Cyrus database. All authentication is still handled through the user's system password, but the Cyrus database needs to provide a namespace for the user, including folders and access control lists.

Configuring the Cyrus user

When Cyrus has been installed through YaST, a few administrative tasks need to take place before you can log in as a user. First, we need to talk about how Cyrus works and interacts with the system. The Cyrus IMAP process is controlled by the user cyrus. With most daemon processes, the user that "owns" the process is usually a placeholder to run the daemon and nothing else. In the case of Cyrus, the cyrus system user plays an important part by not only running the IMAPD process, but also being the user under which IMAP administration is conducted. With this in mind, you need to set a password for the cyrus user. To do this, as root, run the passwd command for the cyrus user:

    bible:~ # passwd cyrus
    Changing password for cyrus.
    New password:
    Re-enter new password:
    Password changed

Once set, you need to start the cyrus and saslauthd services. The saslauthd service is the Cyrus SASL authentication daemon. SASL is a general-purpose authentication mechanism that can be used in both client and server environments.
Cyrus IMAP relies on the SASL library to provide authentication services.

Adding users to Cyrus

When those services are started, you need to add users to the Cyrus database to provide mail services for them. We will take the user justin (who must exist in the system) as an example. To add a user to the Cyrus system, become the cyrus user and connect to the Cyrus IMAP server with the cyradm command (Cyrus administration tool):

    bible:~ # su - cyrus
    cyrus@bible:~> cyradm localhost
    IMAP Password:
    localhost>

Once connected, you can use the cm (create mailbox) command to create the user justin's inbox:

    localhost> cm user.justin
    localhost> lm
    user.justin (\HasNoChildren)
    localhost>

Here you have told Cyrus to create the mailbox user.justin. This may seem odd, but it is the standard way to configure Cyrus for user mailboxes. Cyrus works on a hierarchical mailbox structure, not only for the users, but also for system mailboxes. These system mailboxes could be mailboxes that are shared between many users, for bulletins, for example.

Creating a shared mailbox

If you want to create a mailbox that is shared between certain users, use the cm command to create the mailbox and also set the access control list (ACL) for users on the mailbox. For example, if you have three users, justin, roger, and aimee, on the system, and you want them to be able to store and view messages in this folder, but not to be able to delete any, you can look up the access control codes in Table 17-1 and set the ACL on that folder using the sam command (set ACL on mailbox). If you ever need to find out what Cyrus commands you can use, type help in the Cyrus command shell.
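To make the shared-mailbox rights concrete, here is an added example (not code from the book or from the Cyrus project) that parses the lam output of Listing 17-5 and answers "may this user do X on the folder?" using the letter codes of Table 17-1. It assumes Cyrus's documented rule that a user's effective rights are the union of the rights of every identifier that matches (the user's own entry plus anyone) minus any negative entry (-user); the user mallory is a constructed name, included to show that the default "anyone lrs" entry lets users who are never named in the ACL read the folder.

```python
# Constructed copy of the `lam share` output shown in Listing 17-5.
LAM_OUTPUT = """\
roger lrswip
justin lrswip
anyone lrs
aimee lrswip
"""

# Rights letters and their meaning, from Table 17-1.
RIGHTS = {
    "l": "list", "r": "read", "s": "seen", "w": "write", "i": "insert",
    "p": "post", "c": "create", "d": "delete", "a": "admin",
}
LETTER_FOR = {meaning: letter for letter, meaning in RIGHTS.items()}


def parse_lam(text):
    """Turn lam-style 'identifier rights' lines into {identifier: set(letters)}."""
    acl = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank lines or a prompt
        ident, letters = parts
        unknown = set(letters) - set(RIGHTS)
        if unknown:
            raise ValueError(f"unknown ACL letter(s) {sorted(unknown)} for {ident}")
        acl[ident] = set(letters)
    return acl


def sam(acl, ident, letters):
    """Model cyradm's sam: replace ident's rights; 'none' drops the entry.
    An identifier starting with '-' (for example -justin) is a negative entry."""
    if letters == "none":
        acl.pop(ident, None)
    else:
        acl[ident] = set(letters)
    return acl


def effective_rights(acl, user):
    """Assumed Cyrus rule: union of all matching positive entries (the user's
    own name and 'anyone') minus the union of matching negative entries."""
    granted = acl.get(user, set()) | acl.get("anyone", set())
    denied = acl.get("-" + user, set()) | acl.get("-anyone", set())
    return granted - denied


def can(acl, user, action):
    """action is a Table 17-1 meaning such as 'delete' or 'post'."""
    return LETTER_FOR[action] in effective_rights(acl, user)


def who_can(acl, action):
    """Named users (not 'anyone', not negative entries) allowed to do action."""
    users = {i for i in acl if i != "anyone" and not i.startswith("-")}
    return sorted(u for u in users if can(acl, u, action))


if __name__ == "__main__":
    acl = parse_lam(LAM_OUTPUT)
    print("can post:  ", who_can(acl, "post"))      # aimee, justin, roger
    print("can delete:", who_can(acl, "delete"))    # nobody, as the chapter intends
    # anyone lrs: a user never mentioned in the ACL can still list and read
    print("mallory reads:", can(acl, "mallory", "read"))
    sam(acl, "anyone", "none")                      # close the folder to everyone else
    print("mallory reads:", can(acl, "mallory", "read"))
```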
Table 17-1: Cyrus ACL Settings

    ACL Code   Description
    l          List the folder, that is, be able to view the folder in a folder list
    r          Read contents of the folder
    s          Set the seen flag on a message in the folder
    w          Write to the folder, that is, store a message in the folder
    i          Insert or append a message to the folder
    p          Send a mail to the folder
    c          Create (subfolder) or delete the folder
    d          Delete a message in the folder
    a          Administrative rights on the folder, set ACLs

To set an ACL on the folder, you need three pieces of information: the user you wish to set the ACL for, the mailbox, and the ACL settings themselves. Consider the example in Listing 17-5.

Listing 17-5: Setting ACLs on a Shared Mailbox

    localhost> sam share aimee lrwsip
    localhost> sam share roger lrwsip
    localhost> sam share justin lrwsip
    localhost> lam share
    roger lrswip
    justin lrswip
    anyone lrs
    aimee lrswip

Here, we have allowed the users justin, roger, and aimee to list the folder, read the contents of the folder, set the seen flag on a message, store a message in the folder, and also send a message directly to the folder. We have not allowed them to delete any messages in the folder, so all is as we originally wanted.

Once set, the ACLs come into effect immediately. Copying mails to the shared folder will work, but deleting them will not. This allows you as the administrator to set up a non-volatile, non-destructive mail store for a group of users with fine-grained access controls.

Integrating Cyrus and Postfix

So now that you know how Cyrus works, you need to set up Postfix to use Cyrus to store the users' mail. In /etc/postfix/main.cf, we need to set the mailbox_transport to use the service cyrus. The service cyrus is preconfigured in /etc/postfix/master.cf.
This file contains definitions for SMTP services as well as any user-defined services that can be used in parameters such as mailbox_transport. So you edit /etc/postfix/main.cf and change the mailbox_transport as follows:

    mailbox_transport = cyrus

When /etc/postfix/main.cf has been edited, restart Postfix with rcpostfix.

Tip: To make sure Postfix or any other service (such as inetd, or cyrus in this chapter) starts when you boot the system, use chkconfig -a servicename.

Any mail sent to users will now be delivered to their mailboxes using the cyrus service. The cyrus service calls the Cyrus deliver command to take the mail message and deliver it to the defined user's IMAP mailbox for his or her retrieval, instead of to the local mail spool.

Setting an alias for root's mail in Cyrus

One thing that you need to consider when using Cyrus in this type of environment is that any mail to a user that is not in the Cyrus database will be rejected by Cyrus. This is especially true for the root user. It is not a good idea to store the root user's mail in Cyrus, so most people configure an alias for root's mail to be delivered to a non-administrative user. Here we configure root's mail to be delivered to the user justin:

1. Open the file /etc/aliases and add an entry for the root user:

       root: justin

   This tells Postfix that any mail for root should actually be delivered to the user justin.

2. When /etc/aliases has been edited, run the postalias command:

       bible:~ # postalias /etc/aliases

3. You then need to reload Postfix's databases to commit the new alias.

Choosing a Mail Client

When your mail server is configured, you need to be able to read your email. You will find many mail clients available, the most popular being mutt, pine, kmail, and evolution. We briefly describe the benefits of all of these and where they are most commonly used.
The command-line clients

If you have only command-line access to your mail, you will probably want to use mail or mutt.

mail

The mail command is the most basic mail client of all and is used to send and receive mail from the command line. If you want to send mail with the mail command, just enter mail and the address of the person you wish to send mail to:

    bible:~ # mail justin@wileybible.com
    Subject: Hello there
    This is a test
    .
    EOT

Here, we have been asked for the subject of the mail, and we are then ready to type our mail message. Notice that at no point during this transaction are we given guidance on what to do. This is stereotypical Unix commands at their best!

When the message has been entered, you then need to enter a period on a line by itself and press Enter/Return. This will then send the mail to the recipient specified.

To read mail with the mail command, just enter mail at the command line and press Enter/Return. You are then presented with a list of mails in your mailbox that you can read. To read a message, just enter the number of the mail you wish to read:

    bible:~ # mail
    mailx version nail 10.6 11/15/03.  Type ? for help.
    "/var/mail/justin": 1 message 1 new
    >N  1 justin@wileybible.com  Thu Sep 30 11:30   14/452   "Hello there"
    &

Pressing 1 and Return will then show you the mail message you just sent. mail is installed by default on most Unix systems and can be used as a last resort to read your mail. It is also good because you can use the mail command to send mail through a shell script if you have a list of email addresses you need to send something to (but not for spam).

mutt

mutt is a more feature-filled command-line mail client that can display your mail in a formatted list and also employs mail message threading. It is a lot more interactive than mail, and can be used on the command line as your daily mail client.
If you wish to use mutt, install it through the YaST package manager.

The graphical mail clients

For Linux users, the choice of mail client usually boils down to the desktop product they use. KDE comes with the kmail client, whereas Gnome comes with the Evolution mail client. Both are quite different beasts.

kmail

kmail is a very nice, well-rounded mail client that can connect to POP, IMAP, and also local mail spools to read your mail. You can set up mail rules to send mail to specific folders based on certain parameters, and can also connect to mail servers over SSL.

Evolution

Evolution is more of an "Outlook for Linux" application, in that it incorporates not only mail, but calendaring, address book, and tasks under the same roof. Whereas with kmail you use separate applications for this functionality, Evolution has them built in. Recently, Ximian open sourced their Connector product, which also allows you to connect your Ximian Evolution client to a Microsoft Exchange 2000/2003 server and access your calendars and so on.

Mail Systems on Linux

Mail on Linux is a funny thing; there are many ways to provide mail services on any Unix in general, from using sendmail or Postfix as an MTA, to Qpopper or Cyrus as an MDA, all the way to choosing from among numerous MUAs for reading your mail. At the end of the day, it is up to you how you want to configure mail on your system. We've given you enough information to proceed, and you will quickly find that the variety of choices available will allow you to implement a solution that fits your situation.

✦✦✦

Posted: 24/07/2014, 02:20
