Gentoo E-mail System for developers

Gentoo E-mail System for developers Sven Vermeulen Kurt Lieber Lance Albertson Daniel Ostrow Mike Doty Ned Ludd Robin H. Johnson This document describes what you, as a Gentoo Developer, can expect from our e-mail system, and provides configuration details you require. 1.12 2011-12-03 Gentoo Developer E-mail Possibilities

Introduction

This document describes the various options for checking your gentoo.org email address. You can opt for having the e-mails forwarded to a specific e-mail address, or let them stay on the dev.gentoo.org server to which you can connect using your favorite e-mail client with POP3S or IMAPS (the secure implementations of POP3 and IMAP respectively).

Forwarding E-mails

If you want to have your e-mails forwarded to another e-mail address, you should log on to dev.gentoo.org and put the e-mail address in ~/.forward. Logging on to dev.gentoo.org is similar to cvs.gentoo.org: you'll be using the same keys.

$ ssh  username@dev.gentoo.org
username@woodpecker username $ echo new.e-mail@address.com > ~/.forward
username@woodpecker username $ exit

If you at some point want to change the e-mail address to which the e-mails should be forwarded, change the content of the ~/.forward file to the new e-mail address.

If you use a forward please make sure that it is reliable. If the queue on dev.gentoo.org starts to grow due to bouncing e-mail Infra will be forced to remove you forward. All e-mail will then be delivered locally until you fix it.

Using the mailbox on dev.gentoo.org

If you want to use the mailbox on dev.gentoo.org, you must make sure that there is no .forward in your home directory. Doing this requires access to dev.gentoo.org (duh). Accessing dev.gentoo.org is no different than accessing cvs.gentoo.org: you'll be using the same keys.

$ ssh -l username dev.gentoo.org 'rm ~/.forward'

There are some things you must know about your mailbox on dev.gentoo.org:

You can only access it using POP3S or IMAPS (see the following chapter).
There are some local e-mail clients installed on dev.gentoo.org (mutt and pine to be exact). Only use those if you know how to use them :)
The password to access the mailbox is the same password you can set on dev.gentoo.org using passwd.

Using dev.gentoo.org for your e-mails

As of 2009/06/29, we use CACert as the Certificate Authority for all of the following SSL certificates. Prior to 2011/12/, Gentoo Infrastructure only supported the pure SSL variants of the protocols, which provided a complete SSL wrapper around the POP3 or IMAP protocols. While POP3S and IMAPS is still supported, we encourage users to migrate to using STARTTLS instead, as it is easier to debug by being able to see the initial plaintext on tcpdump. Users behind aggressive firewalls that conduct deep-packet inspection to block based on plaintext headers should still use the pure SSL variants.

Accessing dev.gentoo.org using POP3 & STARTTLS or POP3S

POP3 is a pull-protocol, meaning that e-mails are pulled from the server to your local disk.

To set up your favorite e-mail client for POP3 & STARTTLS or POP3S, use the following settings:

POP3 server: dev.gentoo.org
Use SSL: yes
Account: your username
Password: your dev.gentoo.org password

POP3 without SSL/TLS is not supported! It is insecure because it transmits the password in plain text, which is a Bad Thing (TM).

For instance, if you are using fetchmail to fetch your e-mails, your .fetchmailrc should read something like this:

poll dev.gentoo.org proto pop3 
    user username 
	pass password 
	nokeep sslcertck
	sslfingerprint "34:D0:1D:0D:08:0A:39:D1:A7:46:E4:E9:4F:33:FF:58"
	sslcertfile /usr/share/ca-certificates/cacert.org/cacert.org.crt
	sslproto TLS1

The above will have fetchmail using POP3 with STARTTLS. If you need POP3S instead, add the keyword ssl before the sslcertck keyword.

If you are using sylpheed for your e-mails, create a new account and make sure that the Receive tab uses POP3 and the SSL tab has the Use SSL for POP3 connection selected.

If you are using mutt, you're smart enough to figure this one out yourself.

MD5    = 34:D0:1D:0D:08:0A:39:D1:A7:46:E4:E9:4F:33:FF:58
SHA1   = C7:79:6B:C9:D5:C8:02:D6:D4:72:EA:7C:DB:F3:BD:29:A3:F5:FF:72
SHA256 = F2:7E:E0:B7:D4:CE:43:6A:BF:42:12:51:5B:95:84:7E:0E:10:70:AD:F6:11:90:B6:72:9C:3E:59:BB:1B:FA:A4

Accessing dev.gentoo.org using IMAP & STARTTLS or IMAPS

IMAP is a push-protocol, meaning that e-mails stay on the remote server and you can manage seperate mailboxes on that server.

To set up your favorite e-mail client for IMAP & STARTTLS or IMAPS, use the following settings:

IMAP server: dev.gentoo.org
Use SSL: yes
Account: your username
Password: your dev.gentoo.org password

IMAP without SSL/TLS is not supported! It is insecure because it uses static authentication, which is a Bad Thing (TM). Your *.gentoo.org LDAP password is the same as the one used on all Gentoo infrastructure you have access to. If you don't know your password anymore, ask infra to reset your password.

For instance, if you are using fetchmail to fetch your e-mails, your .fetchmailrc should read something like this:

poll dev.gentoo.org proto imap
    user username
	pass password
	nokeep sslcertck
	sslfingerprint "34:D0:1D:0D:08:0A:39:D1:A7:46:E4:E9:4F:33:FF:58"
	sslcertfile /usr/share/ca-certificates/cacert.org/cacert.org.crt
	sslproto TLS1

The above will have fetchmail using IMAP with STARTTLS. If you need IMAPS instead, add the keyword ssl before the sslcertck keyword.

If you are using mutt, you're smart enough to figure this one out yourself.

MD5    = 34:D0:1D:0D:08:0A:39:D1:A7:46:E4:E9:4F:33:FF:58
SHA1   = C7:79:6B:C9:D5:C8:02:D6:D4:72:EA:7C:DB:F3:BD:29:A3:F5:FF:72
SHA256 = F2:7E:E0:B7:D4:CE:43:6A:BF:42:12:51:5B:95:84:7E:0E:10:70:AD:F6:11:90:B6:72:9C:3E:59:BB:1B:FA:A4

Using dev.gentoo.org as a mail relay server

If you would like to reduce the SRF spam scoring against your email, or do not wish to use your ISP's relay, you may relay your email through dev.gentoo.org.

For devs unable to use port 25 to send mail, dev.gentoo.org also accepts inbound SMTP connections on TCP port 587.

Now setup your e-mail client to use dev.gentoo.org as the SMTP server. Select yes when asked if the server uses authentication. Also enable STARTTLS. If you get the choice, select plain as the hash-method. Use your username and your LDAP password for authentication. The certificate is also signed by CACert as of 2010/05/25.

MD5    = B5:E9:21:AF:8C:97:03:A3:2D:B4:73:80:19:8C:9B:82
SHA1   = E1:B3:FC:AD:DF:D3:A4:72:8B:2D:BB:3E:2F:90:91:15:49:39:61:F9
SHA256 = 2B:98:39:5D:21:D5:79:F1:87:ED:F8:9D:72:48:FB:F3:8C:BC:32:BC:B3:3A:DE:94:35:5E:74:13:13:AB:6C:98

Setting up procmail rules for Spam Checking

All email coming into dev.gentoo.org is scanned for spam and viruses. Viruses are automatically deleted so there is no need to check for them yourself. To check for spam use something like the following procmail recipie.

 :0:
 * ^X-Spam-Status: Yes
 .maildir/.spam/

If you wish to check your spam based on spam level a recipie like the following can be used (adjust the number of '\*' to the level that fits you best, the more stars the greater the possibilty that what you are filtering is spam).

 :0:
 * ^X-Spam-Level: \*\*\*
 .maildir/.spam/

Mail placed into ~/.maildir/.spam is auto cleaned every 14 days. If you wish to save your potential spam for an extended period of time please place it in another directory. The usage of ~/.maildir/.spam is strongly encouraged.

Frequently Asked and/or Anticipated Questions

What happens when dev.gentoo.org goes down?

When dev.gentoo.org goes down, e-mails will stay in the mailqueue on mail.gentoo.org and will be delivered whenever dev.gentoo.org is up again.

Can I use procmail on dev.gentoo.org?

Yes you can. You need to create a ~/.forward file thought with the following content:

| /usr/bin/procmail

Can I use sieve/managesieve on dev.gentoo.org?

You need to create a ~/.forward file thought with the following content:

| "/usr/libexec/dovecot/deliver"

Using the dovecot LDA also improves the performance/speed for IMAP and POP3.

Can I use SpamAssassin on dev.gentoo.org?

Spam is automatically marked for you. There is no need to run your mail through any additional filters just check for the appropriate headers.

Why don't you set up a system-wide (spam|virus) filter?

Due to the rapid spread of e-mail bourne viruses we have had to filter all of these despite the risk of loosing legitimate e-mail. Spam filtering is not 100% accurate so although we tag all e-mail with Spam level headers we do not filter it. We leave that option to the developers to do so if they choose.

How can I exempt myself from Sender Address Verification?

By default all @gentoo.org users get Sender Address Verification enabled for them for free. We recognize that there are times when this is less than ideal and put a system in place for you to exempt yourself from it. You can simply touch ~/.permissive and wait about an hour for the recipient_filtering to be rechecked. Note however that when you opt for permissive mode that no spam or virus filtering is done for your account.

Are my e-mails or the contents of my home directory backed up regularly?

No, it's the responsibility of the individual to back up their own important files and mail.

How can I copy over files from/to dev.gentoo.org?

Use scp.