Mail Configuration D1398603839 Astevie # #READING MAIL # #To read mail on Plan 9, you currently need a Plan 9 system that runs #an SMTP server and spools your messages; attempting to read messages #from a mounted Unix or NFS file system will not work, as Plan 9 uses #different mechanisms to lock mailboxes. # #There are a few ways around this, though; upas/fs (see upasfs(4)) #can present POP3 and IMAP4 accounts as well as normal mail files. To #use it, start upas/fs with the -f option specifying the "virtual" #mail file to use. For example, # #! upas/fs -f/pop/your.host # #Other access methods (instead of "pop") include apop, poptls, and #apoptls, imap, and imaps. If you use POP via SSL on port 995, you #should use "pops" instead of "poptls". # #The appropriate Factotum key to be used is for example: # #! ; auth/factotum -g 'proto=pass dom=pop.gmx.de service=pop user=$your_username !password?' # #for POP3. # #To use the TLS-enabled access methods to a Plan 9 mail server #(poptls, apoptls, and imaps) you need to generate a certificate and #key for your mail server and tell the factotum of the server about #that key: # #You can also use the [using ssl] page, for detailed instructions. #! Login to a unix box with openssl installed (or install /n/sources/contrib/fgb/openssl.tgz) and generate the cert: #! unix$ openssl req -x509 -nodes -newkey rsa:1024 -keyout key.pem -out cert.pem #! #! Logout and copy the files back to your mail server #! ; cp /n/unix/.../cert.pem /sys/lib/tls/imap.pem #! ; cp /n/unix/.../key.pem /sys/lib/tls/key.pem #! #(I think the plan9 tools do a much better job with this, e.g. for #tlssrv, what is needed: #! auth/rsagen -t 'service=tls role=client owner=*' > /sys/lib/tls/key #! auth/rsa2x509 'C=FR CN=*.fakedom.dom' key | auth/pemencode CERTIFICATE > /sys/lib/tls/cert #where FR is a two digit country code, and fakedom.dom is the fully #qualified domainname.) #! #! Tell your factotum about the new key... #! ; ramfs #! ; cd /tmp #! ; auth/secstore -g factotum #! ; auth/secretpem /sys/lib/tls/key.pem >> factotum #! ; auth/secstore -p factotum #! You may also write factotum to /mnt/factotum/ctl #! Exit this shell to destory the /tmp ramfs that has your keys in. #! # #Then you must add your mail server's fingerprint to #/sys/lib/tls/mail. # #If you are connecting to a third party mail server which is already #set up for TLS authentication, you only need to teach Plan 9 about #the fingerprint of its certificate. # #The easiest way to get the fingerprint is to run # #! ; upas/fs -f /imaps/your.host # #(instead of imaps you may be using poptls or apoptls) and look at #the error message, something like # #! upas/fs pop3: server certificate 22471E10D5C1E41768048EF5567B27F532F33 not recognized #! upas/fs: opening mailbox: bad server certificate # #To add this certificate type: # #! ; echo 'x509 sha1=22471E10D5C1E41768048EF5567B27F532F33' > /sys/lib/tls/mail # #If you are going to run an SMTP server, you should edit the files #/mail/lib/smtpd.conf and /mail/lib/blocked to configure it. In #addition, you should ensure that /mail/tmp exists and is world #writeable (0777) if you want to receive emails larger than 64k. # #Looking in the other direction, Plan 9 comes with POP3 and IMAP4 #servers. # #SENDING MAIL # #To send mail from Plan 9, you need to configure the outgoing mailer; #its main configuration file is /mail/lib/rewrite, which is supplied #as an empty file. The manual rewrite(6) is worth reading. You'll #want to start by copying either rewrite.gateway or rewrite.direct #from the same directory and editing it to suit. Setting the smtp= #attribute in your network database (file /lib/ndb/local) is all that #is necessary to use rewrite.gateway, which sends all mail containing #an @ sign to your local mail gateway. Mail to unqualified names #(names without @somewhere) will still be delivered to local #mailboxes. If you would like all mail to unqualified names to have a #default domain added, start with rewrite.direct and edit to suit. # #The last rule in the rewrite files calls /mail/lib/qmail, which both #queues the message and starts a daemon to try to deliver the #messages currently in the queue (see qer(8) for more details). On #systems not always connected to the internet, you may wish to use #/mail/lib/justqmail instead, which only queues the message, and does #not start a delivery daemon. When you are connected to the internet #or your mail gateway, you can run /mail/lib/kickqueue to have the #daemon try to send mail. # #If things aren't going right, look in /sys/log (mail smtp smtp.fail #runq) are of interest. # #/mail/lib/remotemail, which actually delivers mail via SMTP, #contains a default domain name used for unqualified outgoing mail; #you will want to change it from yourdomain.dom to something more #appropriate. If your SMTP-Server uses SMTP-AUTH to authenticate, add #the "-a" flag to the upas/smtp-command (see smtp(8)). Also, note #that you need to add your login information to factotum(4): # #! ; auth/factotum -g 'proto=pass service=smtp user=$your_username server=$the_addr_of_your_smtpserver !password?' # #Each local user has a mail directory /mail/box/$user; among other #things, it usually contains a mailbox and a headers file #/mail/box/$user/headers; the contents of the latter are included in #all outgoing messages from that user. To add a ``full name'' field #to your outgoing mail, add # #! From: "Glenda" # #If you wish to dynamically change your source domain (eg for #laptops) the upasname environment variable can be set before #executing the mail command; This ignores From: names set in #/mail/box/$user/headers. EG # #! upasname=janet@machine.dom mail fred@machine.edu # #SMTP TLS AUTH # #Like the situation described above, you need to get the servers #certificate fingerprint and add it to the list of authorised #fingerprints, for smtp this time. # #Try to send email to the server: # #! ;upas/smtp -d -a -h mymachine.dom net!smtp.myserver.dom account-on-server dest-user@sest-system.dom # #this will probably fail with: # #! 220 2.0.0 Ready to start TLS #! Wed Dec 1 13:52:01 GMT 2004 connect to net!smtp.server.dom: #! 220 2.0.0 Ready to start TLS #! errors Permanent Failure #! QUIT #! exits Permanent Failure # #now check /sys/log/smtp for the fingerprint # #! ; tail -1 /sys/log/smtp #! felix Dec 1 14:17:56 remote cert. has bad thumbprint: x509 sha1=CE3C0D3BDA4B44A353C59EA665B7F8C109714341 server=smtp.server.dom # #and install this fingerprint for smtp # #! echo 'x509 sha1=CE3C0D3BDA4B44A353C59EA665B7F8C109714341' >> /sys/lib/tls/smtp # #PROBLEMS # #Some SMTP servers refuse to accept mail from clients that don't #supply fully qualified domain names when authenticating (HELO or #EHLO messages) - an anti-spam measure. # #This name is generated from either the site enviroment var, or if #that is not set, by appending the sending machines domain to its #system name. The domain is picked up from the dom= attribute from #/lib/ndb/local. # #SEE ALSO # #[Upas - A Simpler Approach to Network Mail by David L. Presotto | #http://doc.cat-v.org/bell_labs/upas_mail_system/] - The original #paper describing Upas. # #/n/sources/contrib/maht/rc/warlock_mail - "Mail Warlock", an #interactive script for configuring your outgoing email. See [sources #repository] for connecting to sources, or #[http://plan9.bell-labs.com/sources/contrib/maht/rc/warlock_mail]. #