
Configuring E-mail over OCMP

This document outlines the installation and configuration of an e-mail service over the opportunistic connection management protocol (OCMP). The e-mail service described in this document utilizes the following open source applications:

  • sendmail (compiled with milter support)
  • procmail
  • uw-imap

It is assumed that these applications are correctly set up and configured. Be careful to remove all entries from the /etc/resolv.conf file on the kiosk controller and terminal. Sendmail and Procmail commonly make DNS lookups if DNS servers are specified. Additional configurations are necessary for sendmail. These configurations are described later in this document.

Over a connected network, the above applications would be sufficient to provide e-mail service, but we require an additional application to bridge the gap between traditional e-mail services and OCMP. omail (Opportunistic Mail) has been designed to satisfy this need. omail consists of the following 3 components:

omail_client_notifier

The omail_client_notifier accepts notifications from OCMP on the client side. The notifier is invoked with the name of the OCMP user and the name of the received file. The notifier decompresses the received file and concatenates it with the local mail file. For example:

./omail_client_notifier eaoliver /var/ocmp/client/eaoliver/mail/download/file

will decompress the downloaded OCMP file and concatenate it with /var/mail/eaoliver. The contents of the file can then be read by the user’s email client. Once the file is concatenated with the user’s mail file it is deleted from the OCMP directory.

omail_proxy_notifier

The omail_proxy_notifier accepts notifications from OCMP on the proxy side. The notifier is invoked with the name of the received file. The notifier decompresses the file and pipes it to sendmail for delivery. For example:

./omail_proxy_notifier /var/ocmp/proxy/eaoliver/mail/download/file

will decompress the downloaded OCMP file and pipe it to sendmail for delivery over the Internet. Once the file is sent, the notifier deletes it from the OCMP directory.

omaild

The omail daemon is used on both the client and proxy sides of an OCMP deployment.

On the proxy side, the omail daemon periodically checks users’ mail files within the /var/mail/ directory. When the daemon detects a modified file it will compress the mail file and write it to the user’s OCMP mail/upload directory. The mail file is then truncated. It is therefore the responsibility of OCMP to guarantee reliable transport and delivery of the mail message once omaild has processed it.

On the proxy side, omaild is invoked with the following command:

./omaild proxy

The client side component of omaild is implemented as a sendmail mail filter or “milter”. The behaviour of omaild is similar to other email filters such as spamassassin. On each incoming email, sendmail connects to the filter and tells it the header of the incoming email, the sender, the recipient, data, etc. The filter may alter or store the data from sendmail and accept, reject or ignore the data.

On startup, omaild connects to a special sendmail port. When a client email application connects to sendmail and begins an SMTP session, sendmail forwards the data to omaild for processing. omaild collects the data, formats it such that it can be piped to sendmail on the proxy side, and writes the formatted data to an OCMP mail/upload directory. Once omaild has received all of the email data, it notifies sendmail to abort the message and send a success message back to the user. Aborting the message will tell sendmail not to store the message in its outbound message queue for later delivery.

On the client side, omaild is invoked with the following command:

./omaild client

Compiling Sendmail

The sendmail binary on the client side must be compiled with milter support. From the root of the sendmail source tree, add the following line to devtools/Site/config.site.m4:

APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER')

For more information on compiling sendmail with milter support, please refer to the following website:

http://www.sendmail.org/documentation

Configuring Sendmail

After installing sendmail, some changes to sendmail’s configurations on both the proxy and client side of the OCMP deployment will be necessary. The following changes should be made within /etc/mail/sendmail.mc. mc files provide a human readable means to modify sendmail configurations. The mc files are never directly read by sendmail. They must first be converted into a highly cryptic format, which sendmail has been designed to parse efficiently.

When the following configuration changes have been made, execute the command:

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

and restart the sendmail daemon. If you encounter problems configuring sendmail, sendmail.org has many useful reference documents.

Client

For security reasons, the default sendmail configuration only accepts SMTP connections from a loopback address. You will need to delete the “Addr=127.0.0.1,” part of the following line to enable connections from addresses other than 127.0.0.1. The default configuration line is:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

It should be changed to:

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

It may also be useful to allow sendmail to listen to port 587 for mail from mail user agents that authenticate. This can be enabled by uncommenting the following line from sendmail.mc:

DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

While a sender’s domain is not relevant to mail transport, sendmail typically resolves the sender’s domain to protect from spam. On the client side, it is not possible to perform immediate DNS lookups, so sendmail cannot validate a sender’s domain. On the client side, the following line must therefore be present in sendmail.mc:

FEATURE(`accept_unresolvable_domains')dnl

The following lines must also be added to allow the omaild milter to connect to sendmail:

INPUT_MAIL_FILTER(`omaildFilter', `S=inet:9801@localhost, T=S:10s;R:10s;E:5m')dnl
define(`confINPUT_MAIL_FILTERS', `omaildFilter')dnl

In the above example, the port may be substituted for a different number. The port that omaild uses to connect to sendmail is specified in omail.conf. By default the milter port is 9801.

Sendmail must also be configured to relay e-mail to other domains. By default sendmail does not relay email to other domains since it would allow spammers to proxy their e-mail. However, the client side is assumed to be disconnected and therefore safe from Internet spammers. The following line must be added to sendmail.mc to allow clients to send email through sendmail to any host:

FEATURE(promiscuous_relay)

Please note: you will get the following warning from m4 when translating sendmail.mc:

*** WARNING: FEATURE(`promiscuous_relay') configures your system as open relay. Do NOT use it on a server that is connected to the Internet!

This message is okay because this end of the OCMP deployment is not on the Internet.

We also found it necessary to disable DNS service for sendmail by modifying the file /etc/mail/service.switch as follows:

passwd files
#hosts files dns
hosts files
aliases files

Proxy

On the proxy side, we must also accept mail from non-loopback addresses. We must again remove the “Addr=127.0.0.1,” string from:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

to produce:

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

Since the proxy is on the Internet, it is able to resolve senders’ domains. Therefore the following line of sendmail.mc:

FEATURE(`accept_unresolvable_domains')dnl

should be changed to:

dnl #FEATURE(`accept_unresolvable_domains')dnl

If omail is running in milter mode, then, like on the client, the following lines must also be added to allow the omaild milter to connect to sendmail:

INPUT_MAIL_FILTER(`omaildFilter', `S=inet:9801@localhost, T=S:10s;R:10s;E:5m')dnl
define(`confINPUT_MAIL_FILTERS', `omaildFilter')dnl

In the above example, the port may be substituted for a different number. The port that omaild uses to connect to sendmail is specified in omail.conf. By default the milter port is 9801.

To allow sendmail to forward mail to domains managed by the OCMP proxy, you will need to add the domains to:

/etc/mail/relay-domains

For example, if the proxy is managing mail for regions under: uw.kiosknet.org, add uw.kiosknet.org to the relay-domains file.

In some versions of sendmail, we found that in the file /usr/share/sendmail/cf/domain/debian-mta.m4 it was necessary to change the line:

defn(`confDONT_BLAME_SENDMAIL')`,GroupWritableIncludeFile,GroupReadableaDefaultAuthInfoFile')dnl

to:

defn(`confDONT_BLAME_SENDMAIL')`,GroupWritableIncludeFile')dnl

Spamassassin should also be configured on the proxy; however, the configuration of spamassassin is outside the scope of this document.
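
The client and proxy sendmail.mc settings above differ in ways that matter for exposure: the relay and unresolvable-domain features belong only on the disconnected client. The following check is an added example, not part of omail or sendmail; the function names and the sample files are constructed for illustration, and it assumes disabled lines start with dnl or #.

```sh
#!/bin/sh
# Added example (not omail or sendmail code): role-aware audit of sendmail.mc.
BQ='`'   # m4 opening quote, kept in a variable to avoid command substitution

# active_lines FILE: lines m4 will process (skips lines starting with dnl or #).
active_lines() {
    grep -Ev '^[[:space:]]*(dnl([[:space:]]|$)|#)' "$1"
}

# has_feature FILE NAME: succeeds if FEATURE(NAME) is active, quoted or not.
has_feature() {
    active_lines "$1" | grep -Eq "FEATURE\\(${BQ}?$2'?[,)]"
}

# audit_mc ROLE FILE: prints findings; returns 0 only if FILE suits ROLE.
audit_mc() {
    role=$1; mc=$2; rc=0
    for f in promiscuous_relay accept_unresolvable_domains; do
        if has_feature "$mc" "$f"; then
            if [ "$role" = proxy ]; then echo "FAIL: $f active on Internet-facing proxy"; rc=1; fi
        elif [ "$role" = client ]; then
            echo "FAIL: $f missing on disconnected client"; rc=1
        fi
    done
    # m4's dnl discards the rest of its line, so a macro written after it is lost.
    if active_lines "$mc" | grep -Eq '\)dnl[[:space:]]+[^[:space:]]'; then
        echo "FAIL: text after dnl on the same line is discarded by m4"; rc=1
    fi
    return $rc
}

# Constructed sample files (not taken from a real host).
tmp=$(mktemp -d)
cat > "$tmp/client.mc" <<'EOF'
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
FEATURE(`accept_unresolvable_domains')dnl
FEATURE(promiscuous_relay)
INPUT_MAIL_FILTER(`omaildFilter', `S=inet:9801@localhost, T=S:10s;R:10s;E:5m')dnl
define(`confINPUT_MAIL_FILTERS', `omaildFilter')dnl
EOF
# Client settings copied onto the proxy, with the two milter macros run together.
cat > "$tmp/bad_proxy.mc" <<'EOF'
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
FEATURE(`accept_unresolvable_domains')dnl
FEATURE(promiscuous_relay)
INPUT_MAIL_FILTER(`omaildFilter', `S=inet:9801@localhost, T=S:10s;R:10s;E:5m')dnl define(`confINPUT_MAIL_FILTERS', `omaildFilter')dnl
EOF
audit_mc client "$tmp/client.mc" && echo "client.mc: ok"
audit_mc proxy "$tmp/bad_proxy.mc" || echo "bad_proxy.mc: rejected"
```

Run audit_mc against /etc/mail/sendmail.mc with the role of the host before regenerating sendmail.cf with m4.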

Common problems with Sendmail

Sendmail is highly sensitive to the permissions of the directories that it uses. The following are the required permissions for /var/mail/ and /var/spool:

kiosk:/var/mail# ls -al

drwxrwxrwx 4 root root 4096 Jun 26 13:39 .
drwxr-xr-x 19 root root 4096 Jun 25 21:14 ..
drwxrwxr-- 2 root root 4096 Jun 3 08:50 mqueue
drwxrwxr-x 2 smmsp smmsp 4096 Jun 3 08:50 mqueue-client

kiosk:/var/spool# ls -al

drwxr-xr-x 5 root root 4096 Oct 7 2007 .
drwxr-xr-x 19 root root 4096 Jun 25 21:14 ..
lrwxrwxrwx 1 root root 7 Jun 20 16:38 mail -> ../mail
drwx------ 2 root smmsp 4096 Jun 26 13:42 mqueue
drwxrwxr-- 2 smmsp smmsp 4096 Jun 26 13:40 mqueue-client

Compiling and installing omail

omail is compiled with the command:

make

and installed with the command:

make install

Applications are installed within the /usr/bin directory. The omail.conf configuration file will be copied to the /etc/ directory. logrotate and init.d will also be added to support omail. The installation scripts are based upon omail’s default configurations. Changing directory path configurations within omail.conf will require manually changing logrotate’s configurations.

Configuring omail

The following configurations may be changed within omail.conf.

Common settings

OCMP_DIRECTORY_PATH – The path to the OCMP directory API
MAIL_DIRECTORY_PATH – The user mail folder
WRITE_TO_SECURE - Flag indicating if omail should write to the OCMP secure directory API.

Notifier settings

OMAIL_NOTIFIER_LOG – The log file for notifier error reporting

Daemon settings

OMAILD_LOG – The log file for daemon error reporting
POLL_INTERVAL – The number of seconds between mail folder checks
READ_BUFFER_SIZE – The size of the daemon’s internal read buffer in bytes
CREATE_OCMP_USER_DIR – This option governs the detection of new mail files
MILTER_PORT – The port that omaild uses to connect to sendmail
CLIENT_USER - The end point ID of the OCMP machine. By default this value is set to: __CLIENT_USER_UPLOAD__. It is changed to <kiosk_name>.<region_name>.<organization>.kiosknet.org during a KioskNet installation
PROXY_SCAN_MAIL - Flag indicating if the proxy should scan the mail directory for new mail or behave as a milter.

Configuring OCMP

The following lines must be added to the OCMP directory API configuration file, dirapi.conf, on both the client and proxy side of an OCMP deployment:

Application: mail
ProxyCommand: omail_proxy_notifier $FILE
ClientCommand: omail_client_notifier $USER $FILE

Problems

If you experience problems using omail, please contact Earl Oliver (http://blizzard.cs.uwaterloo.ca/eaoliver/)

Retrieved from "http://blizzard.cs.uwaterloo.ca/tetherless/index.php/Deploying_omail"

This page has been accessed 1630 times. This page was last modified 19:32, 7 Aug 2008.

