Project:Infrastructure/Developer E-Mail

From Gentoo Wiki
Jump to: navigation, search

This document describes what you, as a Gentoo Developer, can expect from our e-mail system, and provides configuration details you require.

Gentoo Developer E-mail Possibilities

Introduction

This document describes the various options for checking your gentoo.org email address. You can opt for having the e-mails forwarded to a specific e-mail address, or let them stay on the dev.gentoo.org server to which you can connect using your favorite e-mail client with POP3S or IMAPS (the secure implementations of POP3 and IMAP respectively).

Forwarding E-mails

If you want to have your e-mails forwarded to another e-mail address, you should log on to dev.gentoo.org and put the e-mail address in ~/.forward . Logging on to dev.gentoo.org is similar to cvs.gentoo.org: you'll be using the same keys.

CodeForwarding e-mails to another e-mail address

$ ssh  username@dev.gentoo.org
username@woodpecker username $ echo new.e-mail@address.com > ~/.forward
username@woodpecker username $ exit

If you at some point want to change the e-mail address to which the e-mails should be forwarded, change the content of the ~/.forward file to the new e-mail address.

Note
If you use a forward please make sure that it is reliable. If the queue on dev.gentoo.org starts to grow due to bouncing e-mail Infra will be forced to remove you forward. All e-mail will then be delivered locally until you fix it.

Using the mailbox on dev.gentoo.org

If you want to use the mailbox on dev.gentoo.org, you must make sure that there is no .forward in your home directory. Doing this requires access to dev.gentoo.org (duh). Accessing dev.gentoo.org is no different than accessing cvs.gentoo.org: you'll be using the same keys.

CodeRemoving ~/.forward

$ ssh -l username dev.gentoo.org 'rm ~/.forward'

There are some things you must know about your mailbox on dev.gentoo.org:

  • You can only access it using POP3S or IMAPS (see the following chapter).
  • There are some local e-mail clients installed on dev.gentoo.org ( mutt and alpine to be exact). Only use those if you know how to use them :)
  • The password to access the mailbox is the same password you can set on dev.gentoo.org using passwd.

Using dev.gentoo.org for your e-mails

Note
2014/04/12 onwards, we use DigiCert as the Certificate Authority for all of the following SSL certificates.
Note
2009/06/29-2014/04/12, we used CACert as the Certificate Authority for all of the following SSL certificates.
Note
Prior to 2011/12/, Gentoo Infrastructure only supported the pure SSL variants of the protocols, which provided a complete SSL wrapper around the POP3 or IMAP protocols. While POP3S and IMAPS is still supported, we encourage users to migrate to using STARTTLS instead, as it is easier to debug by being able to see the initial plaintext on tcpdump. Users behind aggressive firewalls that conduct deep-packet inspection to block based on plaintext headers should still use the pure SSL variants.

Accessing dev.gentoo.org using POP3 & STARTTLS or POP3S

POP3 is a pull-protocol, meaning that e-mails are pulled from the server to your local disk.

To set up your favorite e-mail client for POP3 & STARTTLS or POP3S, use the following settings:

  • POP3 server : dev.gentoo.org
  • Use SSL : yes
  • Account : your username
  • Password : your dev.gentoo.org password
Warning
POP3 without SSL/TLS is not supported! It is insecure because it transmits the password in plain text, which is a Bad Thing (TM).

For instance, if you are using fetchmail to fetch your e-mails, your .fetchmailrc should read something like this:

Codefetchmailrc

poll dev.gentoo.org proto pop3 
    user username 
	pass password 
	nokeep sslcertck
	sslfingerprint "8B:13:D4:2E:74:08:47:F5:BC:BD:AD:6E:A1:54:AD:E7" # MD5
	sslcertfile /usr/share/ca-certificates/mozilla/Baltimore_CyberTrust_Root.crt
	sslproto TLS1
Note
The above will have fetchmail using POP3 with STARTTLS. If you need POP3S instead, add the keyword ssl before the sslcertck keyword.

If you are using sylpheed for your e-mails, create a new account and make sure that the Receive tab uses POP3 and the SSL tab has the Use SSL for POP3 connection selected.

If you are using mutt , you're smart enough to figure this one out yourself.

Codedev.gentoo.org POP3 SSL fingerprints

MD5 = 8B:13:D4:2E:74:08:47:F5:BC:BD:AD:6E:A1:54:AD:E7
SHA1 = F3:BB:77:8E:31:45:C7:EF:7F:F9:A9:7C:F6:68:B9:00:FC:E4:75:4C
MDC2 = CC:A5:F1:89:8D:E8:20:47:FE:46:BB:CC:08:C4:2E:B5
SHA256 = EC:E4:98:55:8B:04:FA:74:28:3F:C3:0F:33:F3:FD:DB:E3:22:CD:2C:14:D3:85:8A:66:80:81:DC:9C:68:19:A4
SHA512 = 7F:37:E9:6E:A8:CF:C9:CE:93:47:EC:3C:3D:29:87:C4:9A:9C:F5:F7:41:0A:E9:B4:89:C7:EF:D5:F4:97:CB:AF:5A:28:C4:32:00:8C:26:8E:44:AB:F8:94:81:2A:A4:83:98:3E:AC:BF:5B:D6:68:26:06:FA:14:83:E7:56:2B:A4

Accessing dev.gentoo.org using IMAP & STARTTLS or IMAPS

IMAP is a push-protocol, meaning that e-mails stay on the remote server and you can manage seperate mailboxes on that server.

To set up your favorite e-mail client for IMAP & STARTTLS or IMAPS, use the following settings:

  • IMAP server : dev.gentoo.org
  • Use SSL : yes
  • Account : your username
  • Password : your dev.gentoo.org password
Warning
IMAP without SSL/TLS is not supported! It is insecure because it uses static authentication, which is a Bad Thing (TM).
Note
Your *.gentoo.org LDAP password is the same as the one used on all Gentoo infrastructure you have access to. If you don't know your password anymore, ask infra to reset your password.

For instance, if you are using fetchmail to fetch your e-mails, your .fetchmailrc should read something like this:

Codefetchmailrc

poll dev.gentoo.org proto imap
    user username
	pass password
	nokeep sslcertck
	sslfingerprint "8B:13:D4:2E:74:08:47:F5:BC:BD:AD:6E:A1:54:AD:E7" # MD5
	sslcertfile /usr/share/ca-certificates/mozilla/Baltimore_CyberTrust_Root.crt
	sslproto TLS1
Note
The above will have fetchmail using IMAP with STARTTLS. If you need IMAPS instead, add the keyword ssl before the sslcertck keyword.

If you are using mutt , you're smart enough to figure this one out yourself.

Codedev.gentoo.org IMAP SSL fingerprints

MD5 = 8B:13:D4:2E:74:08:47:F5:BC:BD:AD:6E:A1:54:AD:E7
SHA1 = F3:BB:77:8E:31:45:C7:EF:7F:F9:A9:7C:F6:68:B9:00:FC:E4:75:4C
MDC2 = CC:A5:F1:89:8D:E8:20:47:FE:46:BB:CC:08:C4:2E:B5
SHA256 = EC:E4:98:55:8B:04:FA:74:28:3F:C3:0F:33:F3:FD:DB:E3:22:CD:2C:14:D3:85:8A:66:80:81:DC:9C:68:19:A4
SHA512 = 7F:37:E9:6E:A8:CF:C9:CE:93:47:EC:3C:3D:29:87:C4:9A:9C:F5:F7:41:0A:E9:B4:89:C7:EF:D5:F4:97:CB:AF:5A:28:C4:32:00:8C:26:8E:44:AB:F8:94:81:2A:A4:83:98:3E:AC:BF:5B:D6:68:26:06:FA:14:83:E7:56:2B:A4

Using dev.gentoo.org as a mail relay server

If you would like to reduce the SRF spam scoring against your email, or do not wish to use your ISP's relay, you may relay your email through dev.gentoo.org.

Note
For devs unable to use port 25 to send mail, dev.gentoo.org also accepts inbound SMTP connections on TCP port 587.

Now setup your e-mail client to use dev.gentoo.org as the SMTP server. Select yes when asked if the server uses authentication. Also enable STARTTLS . If you get the choice, select plain as the hash-method. Use your username and your LDAP password for authentication. The certificate is also signed by DigiCert as of 2014/04/12.

Codedev.gentoo.org SMTP SSL fingerprints

MD5 = AC:63:3E:C1:82:A4:D1:3B:D6:1E:70:15:26:B7:E5:55
SHA1 = 32:27:1E:2D:BE:26:4F:AD:F1:7A:97:F4:BF:B7:FE:D1:EB:29:5E:63
MDC2 = 9A:8E:15:B7:21:48:A2:E3:E7:72:4D:08:3A:BE:88:01
SHA256 = 68:5C:89:F6:86:72:E9:16:B4:CD:73:6B:1E:72:9B:F3:98:D8:A5:EB:25:74:48:7F:64:EA:FE:1D:3E:8C:00:B0
SHA512 = C2:A2:46:C4:2C:46:DB:B2:BE:92:A9:A7:4F:41:CA:C9:7B:7E:78:D4:20:5F:A3:5E:A2:79:24:30:21:56:76:05:C9:B6:9A:F0:BA:39:37:90:79:4A:E0:06:04:56:67:61:90:14:51:04:C6:02:03:75:85:82:EA:E8:D0:78:12:57

Setting up procmail rules for Spam Checking

All email coming into dev.gentoo.org is scanned for spam and viruses. Viruses are automatically deleted so there is no need to check for them yourself. To check for spam use something like the following procmail recipe.

Code~/.procmailrc

 :0:
 * ^X-Spam-Status: Yes
 .maildir/.spam/

If you wish to check your spam based on spam level a recipe like the following can be used (adjust the number of '\*' to the level that fits you best, the more stars the greater the possibilty that what you are filtering is spam).

Code~/.procmailrc

 :0:
 * ^X-Spam-Level: \*\*\*
 .maildir/.spam/
Note
Mail placed into ~/.maildir/.spam is auto cleaned every 14 days. If you wish to save your potential spam for an extended period of time please place it in another directory. The usage of ~/.maildir/.spam is strongly encouraged.

Setting up procmail for Reply-To handling

This section is written on request of many Gentoo developers to cover how to modify the Reply-To header in an email for consistency across all of the Gentoo mailing lists. For reasons not mentioned here, there is an inconsistency between the gentoo-core private mailing list, and the rest of the Gentoo mailing lists.

Removing Reply-To

Users who have a MUA that supports a Reply-To-List function will likely want to remove the munged Reply-To headers. This allows them to use their mail client how it was intended, with the Reply button replying to the Author. If your mail client has a Reply-To-List function, you can use the following recipe snippet in your .procmailrc file to remove the Reply-To headers.

CodeRemove Reply-To header

# This removes those Reply-To: headers
:0 fhw
* ^List-Id:.*gentoo.org.
| formail -I "Reply-To:"

This scans the message headers for any Gentoo list and removes any Reply-To header that it finds.

Adding Reply-To

Some of the most popular mail clients in use do not support a Reply-To-List function. This causes problems for the users of these clients and has resulted in Reply-To munging being used to reduce complexity for these users. Since only the gentoo-core mailing list does not use Reply-To munging, the following rule only touches that list.

CodeAdd Reply-To header

# This adds a Reply-To: header
:0 fhw
* ^List-Id:.*gentoo-core\.gentoo\.org
|formail -I "Reply-To: gentoo-core@lists.gentoo.org"

This scans for the gentoo-core list and adds a Reply-To header pointing to the list.

Sender Policy Framework

Gentoo uses the Sender Policy Framework, or SPF, to filter forged @gentoo.org email, so it's important to configure your mail client or server correctly so it doesn't get filtered. The most important thing is that MAIL FROM: and your body From: needs to match and that you can't forge return-path. If you obey these rules you shouldn't have problems with SPF filtering your emails.

Below are some configurations for a few common clients and mailers.

SSMTP

To forward all mail through mail.gentoo.org configure /etc/ssmtp/ssmtp.conf as follows:

CodeEditing ssmtp.conf

mailhub=mail.gentoo.org:25
AuthUser=username (Replace with your username)
AuthPass=password (Replace with your ~/.asmtp password)
AuthMethod=CRAM-MD5
UseTLS=YES
useSTARTTLS=YES

Mutt

You can set your envelope from address in ~/muttrc as follows:

CodeEditing muttrc

envelope_from_address who@example.com
use_envelope_from true

Qmail

You can forward all your email through mail.gentoo.org using the /var/qmail/control/smtproutes file:

CodeEditing smtproutes

:mail.gentoo.org USERNAME PASSWORD (Replace with your username/password)

MSMTP

You can do per-account forwarding using msmtp . Configure ~/.msmtp as follows:

CodeEditing .msmtp

account default
host mail.yourisp.com
user johnsmith (Replace with your username)
password spork (Replace with your password)
tls

Next, configure your mail user agent to use msmtp for sending email. A sample mutt configuration follows:

CodeUsing msmtp with mutt

send2-hook . 'set sendmail="/path/to/msmtp"'
send2-hook '~f gmx' 'set sendmail="/path/to/msmtp -a gmx"'
macro index ,g '<enter-command>set sendmail="/path/to/msmtp -a gmx"<enter>' 'choose gmx smtp profile'

Other user agents

For Thunderbird, Evolution and other MUAs (mail user agents), you can use ssmtp or another mail transfer agent (MTA) as described above to forward your mail through mail.gentoo.org.

Frequently Asked and/or Anticipated Questions

What happens when dev.gentoo.org goes down?

When dev.gentoo.org goes down, e-mails will stay in the mailqueue on mail.gentoo.org and will be delivered whenever dev.gentoo.org is up again.

Can I use procmail on dev.gentoo.org?

Yes you can. You need to create a ~/.forward file thought with the following content:

Code~/.forward for procmail usage

| /usr/bin/procmail

Can I use sieve/managesieve on dev.gentoo.org?

You need to create a ~/.forward file thought with the following content:

Code~/.forward for sieve/managesieve usage

| "/usr/libexec/dovecot/deliver"
		
Note
Using the dovecot LDA also improves the performance/speed for IMAP and POP3.

Can I use SpamAssassin on dev.gentoo.org?

Spam is automatically marked for you. There is no need to run your mail through any additional filters just check for the appropriate headers.

Why don't you set up a system-wide (spam|virus) filter?

Due to the rapid spread of e-mail bourne viruses we have had to filter all of these despite the risk of loosing legitimate e-mail. Spam filtering is not 100% accurate so although we tag all e-mail with Spam level headers we do not filter it. We leave that option to the developers to do so if they choose.

How can I exempt myself from Sender Address Verification?

By default all @gentoo.org users get Sender Address Verification enabled for them for free. We recognize that there are times when this is less than ideal and put a system in place for you to exempt yourself from it. You can simply touch ~/.permissive and wait about an hour for the recipient_filtering to be rechecked. Note however that when you opt for permissive mode that no spam or virus filtering is done for your account.

Are my e-mails or the contents of my home directory backed up regularly?

No, it's the responsibility of the individual to back up their own important files and mail.

How can I copy over files from/to dev.gentoo.org?

Use scp.

Acknowledgements

We would like to thank the following authors and editors for their contributions to this guide:

  • Sven Vermeulen
  • Kurt Lieber
  • Lance Albertson
  • Daniel Ostrow
  • Mike Doty
  • Ned Ludd
  • Robin H. Johnson
  • Bryan Østergaard
  • Joshua Saddler
  • Chris Gianelloni

We would like to thank CACert and DigiCert for their continued support of open source projects by providing SSL certificates.