Categories
Exim exim4 IMAP ldap Linux ssl Uncategorized

Hooking WP7 to exim4 and dovecot with SSL

Okay, so I go this new phone which allows me to access my gmail and hotmail accounts – I have a lot of e-mails. Part of the problem with my frazzled brain is that I setup a lot of different e-mails

Setting up Dovecot

Dovecot was remarkably simple to setup and get the authentication working. A quick follow of these instructions got the SSL connection to my phone working. I was even able to reuse my self-signed certificate which I use for other services on the same CNAME.

Setting up Exim SSL

Exim has two levels here. One is TLS/SSL setup and other is authentication. I first started with SSL to encrypt the content and authentication information. Seems obvious doesn’t it?

My system is a Ubuntu(Debian) system using the single file configuration. I find this far easier to manage.

This is where I ran into my first issue. A follow of these instructions did not fully enable the  connection with the phone.  The Exim log indicated repeated problems with the TLS connection. Not so easy after all.

Reasearch indicates that some e-mail clients are unable to use the new STARTTLS syntax and instead used a immediate jump into SSL. I would be miffed if that was the case with the Windows Phone client. I set about trying it anyway.

Exim has the setting

 tls_on_connect_ports = 465 

This initiates the SSL connection from the start. This did not work either giving other errors. It appeared that my SSL certificates were not compatible with Exim – even though they worked fine with dovecot. (see above)

However even after I used the certificate generation tool

 exim-gencert 

I still received the same errors. This was beyond my meagre skills. So I moved on, perhaps another day I will find the answer.

Setting up Exim Auth

This part of the setup was very much easier, but sorting out the Debian single file setup was a bit of fun. Not really.

As I use LDAP for authentication and mapping of the virtual e-mail addresses the basic Exim – Debian setup was required to be changed. Below is what I used and is pretty self explanatory.

plain: 
 driver = plaintext
 public_name = PLAIN
 server_condition = ${if ldapauth{user="uid=${quote_ldap_dn:$2},PEOPLE_BASEDN" pass=${quote:$3} \
 ldap://localhost/} {yes}{no}}
 server_set_id = $2

login:
 driver = plaintext
 public_name = LOGIN
 server_prompts = Username:: : Password::
 server_condition = ${if and{ {!eq{}{$1} }\
 {ldapauth{user="uid=${quote_ldap_dn:$1},PEOPLE_BASEDN" pass=${quote:$2} \
 ldap://localhost/} }} \
 {yes}{no}}
 server_set_id = $1 

Note that the PLAIN authenticator does not have prompts and that the userid is $2, because $1 is and unique ID passed through, but often not used. As well there is no empty check for userid – like there is with the LOGIN. This seemed to cause errors.

Summary

I can now read and send e-mails from my phone which is great. While the send cannot use SSL for now, this is something I hope to find an answer for.

One last issue is that the phone client likes to store outgoing e-mails in the Sent Items folder and trash in Deleted Items. This is not the standard setup that Outlook and client use so I will show you how to fix that in my next post.

Categories
domains exim4 email ldap

How to refuse users to send mail

In certain circumstances I have found the need to prevent certain user’s from sending e-mail outside my domain.

These user’s are mainly my kids. Who enjoy sending people e-mail – with addresses they can’t replay to (more later).

The way I have my e-mail setup is that I have a host which collects my e-mails at my domain addresses. And I have a fetchmail process which collects this e-mail and drops it into the appropriate folders

But sending e-mail I chose to go with exim4, I found it the easiest to understand. Which you can take anyway you like!

As I said I’m running a local domain, and one the way out the e-mail addresses are rewritten for the company domain, otherwise the reciever couldn’t reply. This I have setup using LDAP in the schema. I am using the mailRoutingAddress field. Perhaps not what it is intended for, but as I am the admin I can do what I like.
On the way out a e-mail has its from:, reply-to: etc.. fields re-written with this address. I haven’t bothered to rewrite on the way back in, leave that for another project.

Now my kids’s e-mail accounts are just for fun. They don’t have a routing address setup in their accounts. But they still sent e-mails out to people. And when that person received the e-mail, they could not reply as the appropriate fields had not been re-written. So I needed a way to stop the e-mails going out.

They way I looked at it in exim4 is that I needed to write a special router to perform a couple of checks and to fail and produce a message if a user’s mailRoutingAddress could not be found.

This is how I modified the


local_only:
   debug_print = "R: local only for $local_part@$domain"
   driver = redirect
   allow_fail
   domains = !+local_domains
   condition = ${if match_domain{$sender_address_domain}{+local_domains}{yes}{no}}
   data = "${lookup ldap {ldap://localhost/uid=$sender_address_local_part,\
     ou=People,dc=my,dc=domain?mailRoutingAddress}\
    {$local_part@$domain}\
    {:fail: Your account is not allowed to send mail outside of the local network}}"
   redirect_router = next_router
This router is only enabled where the outgoing domain is not one I am looking for. The condition like is perhaps optional here, but it keeps the router from failing if I use a purely virtual e-mail address (I think). It then performs a lookup into LDAP checking for the mailRoutingAddress. If it has a value then the router will redirect to another – a time saving measure as I don’t want to loop through this router again. Or it fails and produces a suitable message.
And that’s it.
Categories
ldap MS ssl webdav windows 7

Windows 7, WebDav and basic authentication

In a recent post I gave some tips and experience on setting up a WebDAV server on lighttpd. Now one thing you noticed is that the authentication was basic. This means that the password is sent clear to the server from the client. Unfortunately most web servers which use LDAP as the authentication and authorization back end can only do so using basic authentication.

This is fine using Windows XP. Its WebDAV client doesn’t care. In Vista it will work with basic as long as the connection is encrypted. In Windows 7 it will only work with digest authentication whether or not the connection is encrypted. Well that is my expereince. If someone has a way to get the Win7 WebDAV client to work over a SSL link to a WebDAV server which uses basic authentication please tell us.

As it is we must now use 3rd party WebDAV clients. Typically you have to pay in order to get one that is at least as good as the Windows supplied client.

Microsoft please sort this issue out and take it back to the Vista functionality.