Re: [Nmh-workers] Need some general advice

2016-09-16 Thread Ralph Corderoy
Hi rfg,

I have a SMTP server on the Internet that accepts the email and holds
it, ready for fetchmail(1) to run at home and pull it down to hand to a
local SMTP server that plonks it in a spool file for nmh's inc(1) to
read.  You could probably cut out some of those parts with nmh's more
recent features, but I also like to send email between home users
without it leaving the machine, and use mail(1) occasionally too.

Some packages/programs to look out for in your research apart from the
normal postfix are

https://en.wikipedia.org/wiki/Amavis
https://en.wikipedia.org/wiki/Spamassassin
https://en.wikipedia.org/wiki/Clam_AntiVirus
https://postgrey.schweikert.ch/

They'll mention other things, like Pyzor.

-- 
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy

___
Nmh-workers mailing list
Nmh-workers@nongnu.org
https://lists.nongnu.org/mailman/listinfo/nmh-workers


Re: [Nmh-workers] Need some general advice

2016-09-14 Thread Paul Fox
robert wrote:
 > That is, I simply use ssh (including ssh IP tunnels) to handle all the
 > security issues - I assume that anyone who needs can have an account

i use ssh tunnels in similar ways, though in my case it's to traverse
the bi-directional link between my home server, whose address can
change (and which can't serve SMTP directly), and my colo (which is my
actual MX host).  (i don't really have a "receive mail remotely"
solution -- i simply ssh into the home server and read it "locally"
there.  it serves my purposes.)  all of robert's points about the
flexibility of running your own server are spot on.  for instance, i
deliver copies of all my mail to a Maildir on the colo itself, just
in case i'm away from home for an extended time and the home server or
ISP connection fails.  i can still log into the colo and read the last
month's worth of mail using mutt.  (i could install MH, but it's
really just for emergency use.)

 > The tunnels are maintained by a "while true; do ssh ...; done" script
 > that simply runs on my laptop from when I start it ...

i also wanted to mention that the "while true" loop can be handled by
"autossh".  i like it because i actually use ssh tunnels for quite a
few things, and having a standard one-liner to maintain them is quite
convenient.  http://www.harding.motd.ca/autossh/

paul
=--
 paul fox, p...@foxharp.boston.ma.us (arlington, ma, where it's 78.6 degrees)



Re: [Nmh-workers] Need some general advice

2016-09-14 Thread Robert Elz
Date:        Tue, 13 Sep 2016 20:29:41 -0700
From:        "Ronald F. Guilmette"
Message-ID:  <69684.1473823...@segfault.tristatelogic.com>

  | I'll be trying to figure out how I'm gonna handle all this in the
  | very near future.  I may be back soon with more questions.

If it helps, and based upon the assumption that the server is under
your control, you could also perhaps use a setup more like what I do.

That is, I simply use ssh (including ssh IP tunnels) to handle all the
security issues - I assume that anyone who needs can have an account
on the server that they can use for this purpose.   On the client, I
have an MTA setup, that delivers all mail to a magic port on localhost.
That port connects to a ssh tunnel that connects to the SMTP server at
the server.  MH (nmh) simply connects to the localhost (laptop or whatever)
MTA as normal.

If you look at the Received headers of this message you'll see that in
action - andromeda (first hop) is my laptop, which is buried behind an
(IPv4 & NAT only unfortunately) ADSL link with an address that changes daily.
munnari is the server - you'll see on its Received header that it also
receives the mail from "localhost" (IPv6 localhost but that's irrelevant) -
that's the effect of the incoming SMTP connection via the ssh tunnel.
After that it is SMTP as normal.   The server only needs to permit mail
submission from localhost, not the whole internet, so there's no possibility
of being used as a spam relay, and it needs no SMTP authentication (though
you could use it if desired), so works whatever MTA you choose to run with
no special config.

Multiple users (whatever domain name their email address appears as)
should be no problem, each just needs some (server local) unique login
name that they can use to ssh as (which doesn't need to be any way
similar to their e-mail addresses.)

The tunnels are maintained by a "while true; do ssh ...; done" script
that simply runs on my laptop from when I start it (more correctly, from
when the encrypted filesys that holds the ssh key files becomes available)
until it shuts down, the loop handles the connection breakage that occurs
when the ISP decides an IP addr change is needed (and other random network
outages), and running a local MTA deals with queueing so I can send e-mail
any time, and if that happens to be when something is preventing the tunnel
from working, I know the mail will get transmitted eventually, when all
is good again.)

For incoming mail I just scp the mailbox file from the server (a little
more complicated than that, as it needs protection against mail arriving
while the copy is in progress - so I just move the mailbox file first,
in a way that guarantees messages will either be complete in the old mailbox
or go into a new one) - after it arrives on my laptop I use procmail to
spread it around my MH folders, but inc would work as well (this scheme has
the advantage that I keep the mailbox copy files on both my laptop and
the server for a while, so if anything goes wrong I can always just unpack
one, or more, again.)   They could also be unpacked on the server as well,
if I needed that - I don't, I have used my laptop (exclusively) for all
e-mail for decades now (not the same laptop of course...) which is why
I had nothing to contribute on the "Sharing MH files..." thread of earlier
in the month.

The point of this message isn't really to suggest that you should duplicate
my setup, rather that if you have the ability at the server end, you can
come up with innovative solutions that do exactly what you need, which is
a luxury denied to those who are forced to deal with ISP (or corporate)
provided servers and can only use the methods that also work on windows...

For example, since you are running an HTTP server anyway (you said) you
could create a magic https:// URL that would download mail for you (and
access it using wget or curl or whatever) and another that would allow you
to post mail (would need more work on the local end to make work) - which
would have the advantage of keeping e-mail access working even if you get
stuck in a location where there's a firewall that allows nothing but http
(even intermediate proxy servers should do no harm.)   Note I have never
tried this (munnari has no HTTP server) so I don't know how easy it would
be - particularly dealing with user authentication safely - (or even if it
really is possible.)

Any of this means that you don't need to deal with the limitations of POP,
nor to attempt to dream about how MH and IMAP might one day be integrated,
where none of the imagined solutions actually looks very much as if what
you would end up with is nearly as nice as MH is supposed to be (and is.)

kre
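
The tunnel loop described in the message above, as an added example that is not part of the original post and is not kre's actual script. The host name, login name and local port are constructed placeholders; the keepalive and `ExitOnForwardFailure` options are an assumption about what makes a bare `while true; do ssh ...; done` loop notice a dead link and avoid sitting in a session that has no forward.

```shell
#!/bin/sh
# Added example: keep an SSH local forward to the server's SMTP port alive.
# Placeholders constructed for illustration (not from the thread):
TUNNEL_HOST="${TUNNEL_HOST:-mail.example.org}"  # server running the real MTA
TUNNEL_USER="${TUNNEL_USER:-mailtunnel}"        # server-local login for the tunnel
LOCAL_PORT="${LOCAL_PORT:-2525}"                # the "magic port" on localhost
MAX_DELAY=300                                   # cap on reconnect delay, seconds

# Bind the listener to loopback only: the server sees every connection through
# the tunnel as coming from its own localhost, so anything that can reach this
# port can submit mail as a trusted local client.
forward_spec() {
    echo "127.0.0.1:${LOCAL_PORT}:localhost:25"
}

# Double the delay after each failure, up to MAX_DELAY.
next_delay() {
    d=$(( $1 * 2 ))
    if [ "$d" -gt "$MAX_DELAY" ]; then d=$MAX_DELAY; fi
    echo "$d"
}

open_tunnel() {
    # BatchMode: never prompt (key-based login only).
    # ExitOnForwardFailure: exit if the local port cannot be bound.
    # ServerAlive*: give up on a silently dead link after about 90 seconds.
    ssh -N \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -L "$(forward_spec)" \
        "${TUNNEL_USER}@${TUNNEL_HOST}"
}

maintain_tunnel() {
    delay=1
    while true; do
        start=$(date +%s)
        open_tunnel || true
        # A session that stayed up for a minute resets the backoff.
        if [ $(( $(date +%s) - start )) -ge 60 ]; then delay=1; fi
        sleep "$delay"
        delay=$(next_delay "$delay")
    done
}

# Server side (assumed hardening, OpenSSH 7.2 or later): limit the key in
# authorized_keys to forwarding only, e.g.
#   restrict,port-forwarding,permitopen="localhost:25" ssh-ed25519 AAAA...
if [ "${1:-}" = "run" ]; then maintain_tunnel; fi
```

Invoke the script with the argument `run` to start the loop; the local MTA then relays to `127.0.0.1:2525` and queues mail while the tunnel is down.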




Re: [Nmh-workers] Need some general advice

2016-09-13 Thread Ronald F. Guilmette


I just wanted to thank you guys who responded to my request for
advice.

I think that I'm going to have to think about this all some more.
When I posted, I neglected to mention that getting all my mail
to flow the way I want it may perhaps be complicated by the fact
that I have multiple domains, and also multiple mail users within
each domain.

I'll be trying to figure out how I'm gonna handle all this in the
very near future.  I may be back soon with more questions.


Regards,
rfg



Re: [Nmh-workers] Need some general advice

2016-09-12 Thread David Levine
Ron wrote:

> Before answering, keep in mind that I will likely need to configure the
> SMTP server on the remote VM (postfix) in such a way that my home machine
> will be able to authenticate to it, you know, in order to send outbound
> mail.  (The last time I tried something like this I think I gave up in
> the end because it seemed like too much of a pain in the ass to get the
> authentication all working.  But now I have no choice, and have to make
> it work this time.)

Support for authentication in nmh 1.6 is better than it used to
be.  See "credentials" in the mh-profile (5) man page.  Support
for XOAUTH2 will be in the next release, and is currently on the
main trunk.

David



Re: [Nmh-workers] Need some general advice

2016-09-12 Thread Ken Hornstein
>1)  I can try to arrange things so that mail from the remote VM will
>be sent down to either an SMTP server or something else which
>runs on my home machine, all via (somehow authenticated) SMTP.
>Perhaps I can use the SMTP TURN command for this.

I am unsure if modern SMTP servers still support TURN (or ETRN).  I think
you're going to be on the fringe there, because most people do this:

>2)  I can set things up so that the remote VM will run a POP3 server
>which I can then (periodically) have something on my home machine
>authenticate to and then suck pending messages out of in such a way
>that the NMH "inc" command will be able to get them.

Personally, that's what I do.  Works great.  Except that I don't run my
own POP server; someone else does that.  I suppose you could arrange for
mail to get delivered to your client box, but personally I don't see
the point.  But I suppose it's all what you want to do.

>Before answering, keep in mind that I will likely need to configure the
>SMTP server on the remote VM (postfix) in such a way that my home machine
>will be able to authenticate to it, you know, in order to send outbound
>mail.  (The last time I tried something like this I think I gave up in
>the end because it seemed like too much of a pain in the ass to get the
>authentication all working.  But now I have no choice, and have to make
>it work this time.)

FWIW, nmh supports the client-side of SMTP authentication; you just need to
get it working on the server side.  It looks like Joel gave you some hints
there.

--Ken



Re: [Nmh-workers] Need some general advice

2016-09-12 Thread Joel Uckelman
Thus spake "Ronald F. Guilmette":
> 
> Before answering, keep in mind that I will likely need to configure the
> SMTP server on the remote VM (postfix) in such a way that my home machine
> will be able to authenticate to it, you know, in order to send outbound
> mail.  (The last time I tried something like this I think I gave up in
> the end because it seemed like too much of a pain in the ass to get the
> authentication all working.  But now I have no choice, and have to make
> it work this time.)

This part isn't too hard if you're using Postfix.

Configuration locally, in main.cf:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous

Configuration remotely, in main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

smtpd_recipient_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 ... lots of spam checks here ...
 permit

And you need to set up one of the supported SASL authenticators. I
happen to be using dovecot for that.

See http://www.postfix.org/SASL_README.html for more details.

-- 
J.
