E-mail configuration for a testing workstation

Configuring MTA and MUA on our example Debian testing workstation/desktop machine

Author: Francesco Poli
Contact: invernomuto@paranoici.org
Version: 0.57
Copyright: Expat license
Notice:

Copyright (c) 2007-2023 Francesco Poli

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

About this document

  Web form:          HyperText Markup Language
  Source form:       reStructuredText
  Web stylesheet:    Cascading StyleSheets
  Build directives:  Makefile

Summary of previous episodes

In another document (HTML, reST) you saw how to install and tune some network tools on our example Debian testing workstation/desktop box. Now it's time to configure e-mail handling.

Mail transfer agent

An MTA has already been installed and configured to handle local mail only (see the document on initial configuration: HTML, reST). It's time to reconfigure it so that it can handle outgoing mail through an external SMTP server, as well:

# dpkg-reconfigure exim4-config

You'll be asked to choose the general type of mail configuration: select "mail sent by smarthost; received via SMTP or fetchmail". The next dialog asks you to specify a mail name and proposes the hostname: you can safely accept the proposed name. The next setting matters for security: the IP addresses to listen on for incoming SMTP connections. Enter "127.0.0.1 ; ::1" and nothing else, so that the MTA accepts connections only from programs running on this machine and is not reachable from the network at all. The following question is "other destinations for which mail is accepted": enter the hostname, followed by " ; localhost". One further question is "machines to relay mail for": leave the list blank, otherwise the workstation would forward mail on behalf of those networks and could be abused as a relay.

Now, you have to specify the smarthost: enter the name (or IP address) of the remote SMTP server which will relay mail for you (if the smarthost only accepts connections on a TCP port different from 25, you can append two colons and the port number, as in smtp.example.net::587); you can also specify more than one smarthost in a semicolon separated list (each of them is tried in the order specified).

After that, you are asked whether you want to hide local mail name in outgoing mail (you can answer "No") and whether you want to keep number of DNS-queries minimal (again, you can answer "No", unless you have a dial-on-demand Internet connection). Then you have to select the delivery method for local mail: choose "mbox format in /var/mail/". Finally, you'll be asked whether you want to split the configuration into small files: answer "No", unless you have special needs.

The MTA should automatically be stopped and restarted.

If SMTP authentication is to be used on the smarthost, put the credentials in the file named /etc/exim4/passwd.client, one line per server in the form target.mail.server.example:login:password (the target must match the smarthost name as Exim sees it, or be a * wildcard). That file holds a cleartext password, so it must stay owned by root:Debian-exim and not be world-readable (mode 0640, as the package installs it).

If the smarthost requires an encrypted TLS connection (as it should!), create the following file, which makes Exim refuse to hand mail to the smarthost over an unencrypted connection (note that this requires encryption, but does not by itself make delivery fail when the server's certificate cannot be verified; certificate verification is governed by Exim's tls_verify_hosts option):

# cat /etc/exim4/exim4.conf.localmacros
REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *

Then regenerate the configuration:

# update-exim4.conf
# service exim4 restart

Add a line for your regular user in the file named /etc/email-addresses, specifying your primary e-mail address: that way outgoing mail will get that address in the headers. Add other lines, one for each additional user of the system (if any), and remember to update the file whenever you add or delete a user. One line should be added for the root user as well, specifying the administrator's (that is to say, your!) primary e-mail address.
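As an added check (example code, not part of the original document or of the exim4 package): the answers given to dpkg-reconfigure end up in /etc/exim4/update-exim4.conf.conf as dc_* variables, and the TLS macro in /etc/exim4/exim4.conf.localmacros; the script below audits both for the settings that matter here (smarthost mode, loopback-only listening, nobody relayed for, TLS required). The two configuration files it creates are constructed samples (the hostname workstation and smtp.example.net are placeholders), so it runs offline; on the real machine point audit_exim_conf and audit_exim_tls at the files under /etc/exim4/ instead.

```shell
#!/bin/sh
# Added example, not from the original page or from exim4: audit the
# debconf answers stored in update-exim4.conf.conf and the TLS macro file.
# The files written below are constructed samples.

# Print the value of one dc_* setting without sourcing the file
# (sourcing would execute anything that had been written into it).
exim_dc_get() {   # exim_dc_get FILE KEY
    sed -n "s/^$2='\(.*\)'[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Return 0 if CONF describes a loopback-only smarthost setup,
# 1 (with the reasons printed) otherwise.
audit_exim_conf() {   # audit_exim_conf CONF
    conf=$1 rc=0
    cfgtype=$(exim_dc_get "$conf" dc_eximconfig_configtype)
    ifaces=$(exim_dc_get "$conf" dc_local_interfaces)
    relay=$(exim_dc_get "$conf" dc_relay_nets)
    [ "$cfgtype" = smarthost ] ||
        { echo "configtype is '$cfgtype', expected smarthost"; rc=1; }
    [ -n "$ifaces" ] ||
        { echo "dc_local_interfaces is empty: not restricted to loopback"; rc=1; }
    # every listed address must be a loopback address
    for a in $(printf '%s' "$ifaces" | tr ';' ' '); do
        case $a in
            127.0.0.1|::1) ;;
            *) echo "listens on non-loopback address $a"; rc=1 ;;
        esac
    done
    [ -z "$relay" ] ||
        { echo "relays mail for '$relay': open-relay risk"; rc=1; }
    return $rc
}

# Return 0 if the local macros file forces TLS towards the smarthost.
audit_exim_tls() {   # audit_exim_tls MACROFILE
    grep -Eq '^[[:space:]]*REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS[[:space:]]*=[[:space:]]*\*' "$1"
}

# --- constructed samples (not real files from any system) ----------------
good_conf=$(mktemp); bad_conf=$(mktemp); macros=$(mktemp)
trap 'rm -f "$good_conf" "$bad_conf" "$macros"' EXIT
cat >"$good_conf" <<'EOF'
dc_eximconfig_configtype='smarthost'
dc_other_hostnames='workstation ; localhost'
dc_local_interfaces='127.0.0.1 ; ::1'
dc_relay_nets=''
dc_smarthost='smtp.example.net::587'
EOF
cat >"$bad_conf" <<'EOF'
dc_eximconfig_configtype='smarthost'
dc_other_hostnames='workstation ; localhost'
dc_local_interfaces='0.0.0.0 ; ::1'
dc_relay_nets='192.168.1.0/24'
dc_smarthost='smtp.example.net::587'
EOF
echo 'REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *' >"$macros"

if audit_exim_conf "$good_conf"; then echo "good sample: OK"; fi
if audit_exim_conf "$bad_conf"; then :; else echo "bad sample: rejected"; fi
if audit_exim_tls "$macros"; then echo "TLS towards the smarthost is required"; fi
```

Requiring TLS is not the same as verifying the server's certificate: hosts_require_tls only refuses cleartext delivery. To see what the generated transport actually enforces, run exim4 -bP transport remote_smtp_smarthost as root on the live system and look at the tls_* options it prints.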

Encryption for e-mail and beyond

Privacy is important: use and spread e-mail encryption!

Configuring GnuPG

You should have the gnupg package already installed (apt verifies repository signatures with gpgv, which is part of GnuPG, and the full gnupg package is normally pulled in as well; check anyway):

$ aptitude search gnupg | grep '^i *gnupg'
i  gnupg - GNU privacy guard - a free PGP replacement

You should also have the pinentry-gtk2 package already installed:

$ aptitude search pinentry | grep ^i
i A pinentry-gtk2 - GTK+-2-based PIN or pass-phrase entry dialog for GnuPG

You may wish to install a text-only alternative:

# aptitude install pinentry-tty

Another useful package is gpgsm:

# aptitude install gpgsm

First off, create a default ~/.gnupg/ directory for your regular user, if you do not yet have one:

$ gpg --list-keys

Add the following lines at the end of the GnuPG configuration file:

$ tail -n 12 ~/.gnupg/gpg.conf

# prefer strong algorithms
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

# prefer long key ids
keyid-format 0xlong

# also display fingerprints
with-fingerprint

This way, GnuPG will prefer using stronger digest algorithms than the default ones and will always display long key ids and fingerprints.

You can then proceed to generate a key pair for your regular user:

$ gpg --full-generate-key

(With GnuPG 2.1 and later, plain gpg --gen-key only asks for a name and an address and silently uses the built-in defaults; --full-generate-key gives the complete dialog described here.) You'll be asked to select what kind of key you want: choose "RSA and RSA" (option number 1; newer versions propose ECC keys as the default, but the rest of this document assumes RSA); then, you have to set the keysize: the recommended choice is 4096 bit; finally, you must set the expiration date: choose a suitable validity period (say 2 years) rather than a key that never expires (that is the default answer, 0, but it is recommended against). After your confirmation, you'll be asked for your real name, e-mail address, and a comment: insert them and confirm again. You'll have to choose a passphrase: think of a very good one (among other things, it should be different from any password you use) and type it twice, as requested.

Once your new key pair has been generated, you may want to add other identities to it:

$ gpg --edit-key $MYKEYID

where $MYKEYID should be substituted with your key identifier (the recommended key identifier is 0x followed by the fingerprint with no blank characters). You can issue the adduid command and enter real name, e-mail address, and comment for the second identity. After adding all your other identities, if any, you may select the main one (with the command uid 1, for instance) and mark it as primary (with the command primary). Finally, you may save and exit (command save).

Now, generate a revocation certificate for the newly created key pair:

$ gpg --output revoke-my-key.asc --gen-revoke $MYKEYID

You have to confirm that you really want to generate the certificate and specify a reason ("1 = Key has been compromised" is the recommended choice). You are also asked for an optional description, but you usually do not need to insert one: just press [Enter]. After confirming again, you must enter your passphrase.

Copy this certificate, possibly along with a backup of your secret key, to a medium (floppy disk, CD-ROM, ...) that you can hide in a safe. GnuPG 2.1 and later no longer keep secret keys in a secring.gpg file but in ~/.gnupg/private-keys-v1.d/, so back them up with gpg --export-secret-keys --armor $MYKEYID rather than by copying a keyring. You can also print the certificate on paper (your media could become unreadable!) and, of course, hide the paper in the safe. Note that GnuPG 2.1 and later already write a revocation certificate for every newly generated key into ~/.gnupg/openpgp-revocs.d/: that file deserves the same care as the one you just created.

Make sure you securely delete any intermediate copy of the secret key and of the revocation certificate: those files must not become available to anyone else but you! Bear in mind that overwriting a file in place (which is what wipe does) is not reliable on SSDs, on journaling or copy-on-write filesystems, or on anything that keeps snapshots; on such systems it is safer to create these files on a tmpfs or on an encrypted volume in the first place. A tool for secure file deletion is:

# aptitude install wipe

After all this, you can further customize the behavior of GnuPG by editing its configuration file so that:

$ grep greeting ~/.gnupg/gpg.conf
no-greeting
$ grep default-key ~/.gnupg/gpg.conf
default-key $MYKEYID
$ grep ^encrypt-to ~/.gnupg/gpg.conf
encrypt-to $MYKEYID
$ grep ^keyserver ~/.gnupg/gpg.conf
keyserver hkps://pgp.surf.nl
keyserver-options auto-key-retrieve
keyserver-options no-honor-keyserver-url
$ grep ^photo-viewer ~/.gnupg/gpg.conf
photo-viewer "feh %i"

Two of these options deserve a moment's thought. auto-key-retrieve makes gpg contact the keyserver whenever it verifies a signature made by a key it does not have yet, so the keyserver learns which keys you are checking and your keyring fills up with keys you never asked for; leave it out if either bothers you. encrypt-to $MYKEYID adds your own key as a recipient of every message you encrypt, which lets you read your own sent mail later, but also means that a compromise of your key exposes everything you ever sent, not only what you received. (With GnuPG 2.1 and later the keyserver setting really belongs to dirmngr, whose configuration file is ~/.gnupg/dirmngr.conf; a keyserver line in gpg.conf is still honored and passed on to it.)

Finally, you can send your public key to the keyserver network, so that your correspondents can retrieve it:

$ gpg --send-keys $MYKEYID

In order to speed up the signature verification performed by gpgsm, you can create the following configuration file; be aware of what it costs you: gpgsm will no longer fetch certificate revocation lists, so a revoked X.509 (S/MIME) certificate will still verify as good. Only do this if you accept that risk, or if a machine without network access would otherwise hang on every verification:

$ cat ~/.gnupg/gpgsm.conf
disable-crl-checks

Managing your public keyring

When you need to get the public key of one of your correspondents, you can retrieve it from the keyserver network with the following command:

$ gpg --recv-keys $OTHERKEYID

where $OTHERKEYID should be substituted with your correspondent's key identifier. Please note that this is superfluous, if the key has already been automatically retrieved (e.g.: when checking a signature made by your correspondent).

Sometimes, it may happen that the directory manager (dirmngr, the daemon used by GnuPG to access keyservers) becomes unable to resolve host names, for instance after the network configuration has changed. If you need to stop it, for this or whatever other reason, you may do so by issuing the following command:

$ gpgconf --kill dirmngr

After being stopped, the directory manager will be automatically restarted by GnuPG.

You should often update your public keyring: a useful script is Refresh-pubring: you may place it in your regular user's ~/bin directory. Since it is fetched over plain HTTP, with no integrity protection, read it through before making it executable and running it:

$ mkdir -p ~/bin
$ cd ~/bin
$ wget http://www.inventati.org/frx/progs/scripts/refresh-pubring
$ chmod u+x refresh-pubring

Preparing for key signing parties

Install a useful package to prepare for key signing activities (in key signing parties, or, more generally, whenever you meet another OpenPGP user):

# aptitude install signing-party

You should then configure caff for your regular user:

$ caff

This first run will generate a default configuration file ~/.caffrc which you should edit, setting at least your name, e-mail address, keyid(s) to be kept while pruning the signed keys, local-user(s) to be used for signing other people's keys. Then set things up so that caff will use your regular GnuPG configuration, unless you have something troublesome in it:

$ mkdir -p ~/.caff/gnupghome/
$ chmod go-rwx ~/.caff/gnupghome/
$ cd ~/.caff/gnupghome/ && ln -s ../../.gnupg/gpg.conf

Then you can use it to sign other people's keys (after meeting them personally and checking their key fingerprint and photo ID document, of course!):

$ caff --keys-from-gnupg first_keyid second_keyid third_keyid

Extending the expiration date for your key

If you set an expiration date for your OpenPGP key, you need to remember to extend this date before the key expires (but please note that, if needed, this can also be done after the key has expired, as long as you still have the secret key...).

When the key and the subkey are about to expire, you may want to extend both expiration dates by, say, 2 years and a little margin. The following command will generate the date in a suitable format:

$ date -I -d 'now + 2 years 15 days'

let $NEWDATE be the output of the command.

After that, you may edit your key:

$ gpg --edit-key $MYKEYID
gpg> expire
Key is valid for? (0) $NEWDATE
Is this correct? (y/N) y
gpg> key 1
gpg> expire
Key is valid for? (0) $NEWDATE
Is this correct? (y/N) y
gpg> save

Finally, you can send your public key to the keyserver network, so that your correspondents can retrieve it with the updated expiration date:

$ gpg --send-keys $MYKEYID
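To know when the procedure above is due, you can check the machine-readable listing of your keys, where field 7 of every pub and sub record is the expiration time in seconds since the epoch (empty when the key never expires). The following shell snippet is an added example, not part of the original document or of GnuPG: it reports every key or subkey expiring within a given window. The listing it parses is a constructed sample with two fictitious keys (Alice and Bob Example, placeholder key IDs, no fpr records), so it runs without a keyring; on a real system feed it the output of gpg --with-colons --list-keys instead.

```shell
#!/bin/sh
# Added example, not from the original page or from GnuPG: find keys and
# subkeys that expire within WINDOW seconds of NOW in --with-colons output.

# expiring_keys WINDOW_SECONDS NOW_EPOCH < colons-output
# Prints "TYPE KEYID EXPIRY-EPOCH" for each pub/sub record whose expiry
# is at most WINDOW_SECONDS away (already expired keys are included, since
# their difference is negative).  NOW is a parameter so the result is
# reproducible; use "$(date +%s)" for the real thing.
expiring_keys() {
    awk -F: -v win="$1" -v now="$2" '
        $1 == "pub" || $1 == "sub" {
            # field 5 = key ID, field 7 = expiration (epoch, empty = never)
            if ($7 != "" && $7 - now <= win) print $1, $5, $7
        }'
}

# Constructed sample of "gpg --with-colons --list-keys" output: Alice's key
# and encryption subkey expire at 1765000000, Bob's key much later and his
# subkey never.
SAMPLE='tru::1:1700000000:1800000000:3:1:5
pub:u:4096:1:0123456789ABCDEF:1600000000:1765000000::u:::scESC::::::23::0:
uid:u::::1600000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Alice Example <alice@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1600000000:1765000000:::::e::::::23:
pub:u:4096:1:1111222233334444:1650000000:1900000000::u:::scESC::::::23::0:
uid:u::::1650000000::1111222233334444111122223333444411112222::Bob Example <bob@example.org>::::::::::0:
sub:u:4096:1:5555666677778888:1650000000::::::e::::::23:'

# Report everything expiring within 90 days of a constructed "now"
# (1760000000): only Alice's key and subkey qualify.
NOW=1760000000
NINETY_DAYS=$((90 * 86400))
printf '%s\n' "$SAMPLE" | expiring_keys "$NINETY_DAYS" "$NOW"
```

On the live system, gpg --with-colons --list-keys | expiring_keys "$((90*86400))" "$(date +%s)" gives you the list, and date -I -d @EPOCH turns the third column into a readable date; run it from cron or from the same script that refreshes your keyring and you will not be caught by an expired key.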

Address book

In order to manage your address book, you may install the following package:

# aptitude install rolo

Your regular user's address book will be saved (in vCard version 3.0 format) to ~/.rolo/contacts.vcf.

Mail user agents

At least one mail user agent must be installed in order to let users handle their e-mail.

For some programs it is useful to have the following environment variable set to specify your public e-mail address; add the following lines to your regular user's ~/.bashrc:

# set e-mail address
export EMAIL="address@example.org"

where you should put your actual e-mail address.

Sylpheed

Install the package:

# aptitude install sylpheed

The aspell spell-checker has already been installed automatically, along with its English language dictionary. Make sure you have the appropriate dictionaries for the languages you write in (English, Italian and German, in my case):

# aptitude install aspell-en aspell-it aspell-de

Configure Sylpheed for your regular user:

$ sylpheed

First of all, you have to specify the location of your mailbox: the default value ("Mail") is fine, so just click on the OK button. After that, you will be asked to configure your first mail account.

For a typical POP3 account, you can do as follows.

In the "Basic" tab, set an arbitrarily chosen name, set the account as default, insert your full name, your mail address, your organization if any, set POP3 protocol, the POP3 server domain name as "Server for receiving", the SMTP server domain name as "SMTP server (send)" and the correct username as "User ID"; you can leave the "Password" field blank, so that you'll be asked to type the password in every time you start Sylpheed and download mail from this account for the first time (this is the recommended method, as it avoids writing your password in cleartext to a configuration file stored in your home directory); otherwise you can insert your password in the "Password" field and avoid typing it when you use Sylpheed (at the price of less security).

In the "Receive" tab, uncheck "Use secure authentication (APOP)", check "Remove messages on server when received" (but please note that you can leave this temporarily unchecked while you are doing tests), set "Remove after" 0 days, uncheck "Download all messages (including already received) on server" and "Receive size limit", check "Filter messages on receiving" and set inbox as "Default inbox"; check "Get all checks for new messages on this account".

In the "Send" tab, check "Add Date header field" and "Generate Message-ID", uncheck "Add user-defined header", "SMTP Authentication (SMTP AUTH)", and "Authenticate with POP3 before sending".

In the "Compose" tab, select File as "Signature", accepting the default value (that should be the file .signature in your home directory, remember to create a short and nice one!); usually there's no need to automatically set addresses.

In the "Privacy" tab, check "Sign message by default", "Encrypt message by default", and "Encrypt when replying to encrypted message"; uncheck "Use ASCII-armored format for encryption" and "Use clear text signature"; select "Use default GnuPG key".

In the "SSL" tab, select "Use SSL for POP3 connection" if your POP3 server supports POP3s, or otherwise select "Don't use SSL" (and complain about this with your e-mail account provider: without SSL, and with APOP disabled, your password crosses the network in cleartext!); select "Don't use SSL" for SMTP and also check "Use non-blocking SSL". The SMTP settings of this dialog are not actually used once Sylpheed is told, as described below in the Common preferences, to hand outgoing mail to the local MTA through /usr/sbin/sendmail: the encrypted connection to the smarthost is then Exim's job. You won't probably need to set anything in the "Advanced" tab, so click on the OK button.

Now you're left in the "Edit accounts" dialog window: you may close it with the Close button (you'll be able to reopen it whenever you need it, by selecting Edit accounts... from the Configuration menu) or use it to add other accounts by clicking on the Add button.

Please note that, if your e-mail account provider uses a self-signed SSL certificate, or one that is signed by an unknown authority, you'll have to explicitly accept the certificate the first time you download your mail from that account. This is a trust-on-first-use decision: compare the fingerprint Sylpheed shows with one your provider published through another channel before accepting, since a certificate presented by someone sitting between you and the server would look just as unknown. Choosing "Always accept" causes Sylpheed to store the certificate in ~/.sylpheed-2.0/trust.crt. If you want to get detailed information on one of the accepted certificates you can do as follows:

$ grep -n CERTIFICATE ~/.sylpheed-2.0/trust.crt
1:-----BEGIN CERTIFICATE-----
21:-----END CERTIFICATE-----
22:-----BEGIN CERTIFICATE-----
48:-----END CERTIFICATE-----
49:-----BEGIN CERTIFICATE-----
91:-----END CERTIFICATE-----

Certificates are stored in reverse chronological order (the first one is the most recently accepted); let's see details about the second one:

$ sed '22,48!d' < ~/.sylpheed-2.0/trust.crt | openssl \
  x509 -fingerprint -sha1 -text

which will show anything you have ever wanted to know about this certificate!
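Counting line numbers by hand gets tedious once trust.crt holds more than a few certificates. The following shell functions are an added example, not part of the original document or of Sylpheed: they split a PEM bundle by certificate position and hand one certificate to openssl. The bundle they create is a constructed sample whose bodies are placeholder base64 strings rather than real certificates, so pem_show is only meaningful when run against the real ~/.sylpheed-2.0/trust.crt.

```shell
#!/bin/sh
# Added example, not from the original page or from Sylpheed: address the
# certificates in a PEM bundle by position instead of by line numbers.

# pem_count FILE  -> number of certificates in the bundle
pem_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# pem_nth FILE N  -> the N-th certificate, BEGIN and END lines included
# (N = 1 is the first in the file, i.e. the most recently accepted one in
# Sylpheed's trust.crt)
pem_nth() {
    awk -v n="$2" '
        /^-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /^-----END CERTIFICATE-----/ && i == n { exit }
    ' "$1"
}

# pem_show FILE N -> subject, issuer, validity and SHA-256 fingerprint of
# the N-th certificate, for comparison with what the provider publishes
pem_show() {
    pem_nth "$1" "$2" |
        openssl x509 -noout -subject -issuer -dates -fingerprint -sha256
}

# --- constructed sample bundle: placeholder bodies, not real certificates --
bundle=$(mktemp); trap 'rm -f "$bundle"' EXIT
cat >"$bundle" <<'EOF'
-----BEGIN CERTIFICATE-----
Q0VSVC1PTkUtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q0VSVC1UV08tUExBQ0VIT0xERVI=
Q0VSVC1UV08tTElORS1UV08=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q0VSVC1USFJFRS1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
EOF

echo "certificates in bundle: $(pem_count "$bundle")"
echo "second certificate:"
pem_nth "$bundle" 2
```

On the real file, a loop such as for n in $(seq "$(pem_count ~/.sylpheed-2.0/trust.crt)"); do pem_show ~/.sylpheed-2.0/trust.crt "$n"; done lists every accepted certificate with its SHA-256 fingerprint and validity period, which is what you want to review periodically: anything you no longer recognize should be removed from the bundle.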

After creating your accounts, it's time to tweak Sylpheed general configuration: select Common preferences... from the Configuration menu.

In the "Receive" tab, uncheck "Auto-check new mail", "Check new mail on startup", "Update all local folders after incorporation" and "Execute command when new messages arrived". Check "Incorporate from local spool" and "Filter on incorporation" and set "Spool path" to /var/mail.

In the "Send" tab, there are some subtabs. In the "General" subtab, check "Save sent messages to outbox" and "Apply filter rules to sent messages", uncheck "Automatically add recipients to address book", and "Notify for missing attachments when the following strings (comma-separated) are found in the message body", check "Confirm recipients before sending", leaving "Excluded addresses/domains (comma-separated)" blank. In the "Encoding" subtab, select Automatic "Transfer encoding" and RFC 2231 "MIME filename encoding".

In the "Compose" tab, "General" subtab, set "--" as "Signature separator", check "Insert automatically", "Automatically select account for replies", "Quote message when replying", "Reply to mailing list by Reply button", and "Inherit recipients on reply to self messages", uncheck "Set only mail address of recipients when replying". In the "Editor" subtab, uncheck "Automatically launch the external editor", set "Undo level" to 50 and "Wrap messages at" 72 characters; uncheck "Wrap quotation", "Wrap on input", and "Auto-save to draft". In the "Format" subtab, configure the "Reply format" by setting "> " as "Quotation mark", and by inserting:

On %d %N wrote:

%Q

then, configure the "Forward format" by setting "> " as "Quotation mark", and by inserting:

[first two lines are blank]

Begin forwarded message:
On %d %N wrote:

%Q

In the "Spell checking" subtab, check "Enable Spell checking" with your "Default language" of choice ("en_US", in my case, since I tend to write more e-mail messages in English than in Italian, and need spell checking in English more than in Italian, being an Italian native speaker!). In the "Display" tab, "General" subtab, click on "Text font" selector and choose a good font (e.g.: Monospace 11), then check "Display unread number next to folder name" and Display message number columns in the folder view "New", "Unread", and "Total", and set "Abbreviate newsgroups longer than" 16 letters; check "Display recipient on `From' column if sender is yourself", uncheck "Expand threads" and set:

%y-%m-%d (%a) %H:%M

as "Date format"; click on the "Set display item of summary" button and set all the items as displayed (except for To), in the following order: Number, Mark, Unread, Attachment, Subject, From, Date, Size. In the "Message" subtab, check "Enable coloration of message" and edit the colors according to the following table:

Color                        Red  Green  Blue
Quoted Text - First Level      0      0   130
Quoted Text - Second Level     0      0   153
Quoted Text - Third Level      0      0   179
URI link                       0    127     0

Also uncheck "Recycle quote colors". Check "Display header pane above message view" and "Display short headers on message view", and edit displayed headers, in this order: From, To, Cc, Reply-To, Newsgroups, Followup-To, Subject, Date, Sender, Organization, X-Mailer, X-Newsreader, User-Agent. Remember to uncheck "Show all unspecified headers". Check "Render HTML messages as text" (Sylpheed has no HTML engine, so the markup is simply turned into text and no remote content is ever fetched), uncheck "Treat HTML only messages as attachment", and set "Line space" 2 pixel(s). Uncheck "Half page" and "Smooth scroll", check "Resize attached large images to fit in the window" and "Display images as inline". You won't probably have to set anything in the "Color label" subtab. In the "Encoding" subtab, select Automatic "Default character encoding" and Unicode (UTF-8) "Outgoing character encoding".

In the "Junk mail" tab, uncheck "Enable Junk mail control" (since no anti-junk system has been installed so far).

In the "Privacy" tab, check "Automatically check signatures" and "Show signature check result in a popup window", uncheck "Store passphrase in memory temporarily" and "Grab input while entering a passphrase", and check "Display warning on startup if GnuPG doesn't work".

In the "Details" tab, "Interface" subtab, uncheck "Always open messages in summary when selected", "Open first unread message when a folder is opened", and check "Remember last selected message"; uncheck "Only mark message as read when opened in new window", "Open inbox after receiving new mail", "Open inbox on startup", and check "Execute immediately when moving or deleting messages", "Make the order of buttons comply with GNOME HIG", "Display tray icon"; uncheck "Minimize to tray icon", "Toggle window on trayicon click" and click the "Set key bindings..." button to select Default key bindings. In the "Other" subtab, select "Show receive dialog" Always, uncheck "Don't popup error dialog on receive error", and check "Close receive dialog when finished"; uncheck "Add address to destination when double-clicked", check "Enable address auto-completion", uncheck "Confirm on exit", and check "Empty trash on exit", while unchecking "Ask before emptying"; check "Warn if there are queued messages".

In the "External commands" subtab, insert:

sensible-browser '%s'

as "Web browser" and:

uxterm -geometry 72x36 -e vim -n -i NONE %s

as "Editor"; uncheck "Use external program for printing" and "Use external program for incorporation"; check "Use external program for sending" and accept the default command:

/usr/sbin/sendmail -t -i

In the "Update" subtab, uncheck "Enable auto update check" and "Use HTTP proxy". In the "Advanced" subtab, uncheck "Enable strict checking of the integrity of summary caches" and set "Socket I/O timeout" to 60 seconds.

Finally, click on the OK button to exit from the Common preferences dialog window. You can now adjust the widths and heights of the three user interface panes in the main window; other visual parameters to adjust are column widths. After that, you can select each folder and select by date from the View/Sort submenu, making sure that Thread view from the View menu is checked.

Some useful operations can be programmed as actions: select Actions... from the Configuration menu and add actions according to the following table:

Menu name                    Command line
GnuPG/Decrypt ASCII Armored  *gpg --no-tty --command-fd 0 --passphrase-fd 0 --decrypt %p|
GnuPG/Import Key From Mail   gpg --import %p
GnuPG/Insert Public Key      >gpg --export -a `cat`>
GnuPG/Receive Selected Key   |gpg --recv-key `cat`
GnuPG/Verify Clear Signed    |gpg --no-tty --verify

Now, create the folders you need (for mailing lists you are subscribed to, for special kinds of e-mail messages, for newsletters, ..., you name it!): in the folder pane, select "Mailbox (MH)" and click on it with the right mouse button; choose Create new folder... from the popup menu and insert an appropriate name. If you have some MH folders on another machine that you want to import, you can just copy the corresponding directories to ~/Mail/ and then select Rebuild folder tree from the File/Mailbox submenu.

With many folders, you probably want to set up some filters in order to have each message automatically moved to the appropriate folder as soon as it arrives. Select Filter setting... from the Configuration menu. In the Filter setting dialog window, click on the Add button: the Filter rule dialog window opens up. Enter an appropriate name for the rule, and define the condition and list of actions to be performed; for instance, select "If any of the following condition matches", and specify "List-Id" "contains", while entering a string that is always included in the List-Id header of the messages coming from one mailing list that you want to be stored in a folder you have previously created; then specify "Move to" and the above mentioned folder as action to be performed. Clicking on the OK button registers the rule in the filter list. By repeating this procedure you can define as many filters as you like.

In order to fetch e-mail addresses from your address book whenever you are composing a message, you can tell Sylpheed where your vCard address book is located: select Address book from the Tools menu. Select "vCard" from the left pane of the Address book dialog window, and choose New vCard from the File menu. Enter an appropriate name (e.g.: MyContacts) and /home/$REGULARUSER/.rolo/contacts.vcf as file (substitute $REGULARUSER with your username). After clicking on the OK button, click on the Close button to exit the Address book dialog window. Now you can autocomplete names and e-mail addresses in any recipient field (To:, Cc:, Bcc:) when you compose a new message (or a reply/forward, for that matter) by simply hitting [Tab].

If you want Sylpheed to be your default mail user agent, add the following lines to your regular user's ~/.bashrc:

# set a default mailer
export MAILER="sylpheed --compose"

and issue the following command:

$ xdg-mime default sylpheed.desktop \
   message/rfc822 x-scheme-handler/mailto

Remember that the .desktop files of the applications that can be set as default with this command live in /usr/share/applications/, while MIME types are listed in /etc/mime.types and in the .desktop files themselves. The defaults chosen this way are saved to ~/.config/mimeapps.list.

Mutt

Install the package:

# aptitude install mutt

Conclusions

Now you can handle your e-mail. Next step is installing and configuring some web browsers. More details in a separate document (HTML, reST).