Project:Infrastructure/Developer E-Mail
This document describes what Gentoo Developers can expect from the Infrastructure's e-mail system and provides configuration details as required.
Gentoo developer e-mail possibilities
Introduction
This document describes the various options for checking your gentoo.org email address. You can opt for having the e-mails forwarded to a specific e-mail address, or let them stay on the dev.gentoo.org server to which you can connect using your favorite e-mail client with POP3S or IMAPS (the secure implementations of POP3 and IMAP respectively).
Logging on to dev.gentoo.org is performed using the ssh keys you have generated and submitted to your mentor with your quiz (or that you have updated in LDAP if your previous key reached expiration).
For convenience, export your username to a USERNAME variable. This will enable you to copy and paste the relevant commands that follow. The example below uses a value of larry
as an example, be sure to substitute larry
with your proper username:
user $
export USERNAME="larry"
Forwarding e-mails
Please note that the current implementation of forwarding causes SPF failures. If you wish to forward your mail outside gentoo.org, please either disable SPF on your MTA, or whitelist gentoo.org mail servers. If you fail to do so, users will be unable to mail your @gentoo.org address. For more information, see bug #627840.
If you want to have your e-mails forwarded to another e-mail address, you should log on to dev.gentoo.org and put the e-mail address in a ~/.forward file. Simply:
user $
ssh ${USERNAME}@dev.gentoo.org
If a connection cannot be made be sure to verify the ssh key being used to login to dev.gentoo.org is the same key submitted with your quiz.
Once connected:
user@woodpecker $
echo "new.e-mail@address.com" > ~/.forward
user@woodpecker $
exit
If you at some point want to change the e-mail address to which the e-mails should be forwarded, change the content of the ~/.forward file to the new e-mail address.
If you use a forward please make sure that it is reliable. If the queue on dev.gentoo.org starts to grow due to bouncing e-mail Infra will be forced to remove your forward. All e-mail will then be delivered locally until you fix it.
Using the mailbox on dev.gentoo.org
If you want to use the mailbox on dev.gentoo.org, you must make sure that there is no .forward in your home directory. Doing this requires access to dev.gentoo.org (duh). As noted in the Introduction section above, accessing dev.gentoo.org requires an ssh key. Be sure the correct ssh key is being used when connecting.
Remove the ~/.forward file (if it exists):
user $
ssh -l ${USERNAME} dev.gentoo.org 'rm ~/.forward'
There are some things you must know about your mailbox on dev.gentoo.org:
- You can only access it using POP3S or IMAPS (see the following chapter).
- There are some local e-mail clients installed on dev.gentoo.org (mutt and alpine to be exact). Only use those if you know how to use them :)
- The password to access the mailbox is the same password you can set on dev.gentoo.org using the passwd command.
Using dev.gentoo.org for your e-mails
2017/07/11 onwards, we moved to Let's Encrypt as the Certificate Authority for all of the following SSL certificates.
2014/04/12 onwards, we use DigiCert as the Certificate Authority for all of the following SSL certificates.
2009/06/29-2014/04/12, we used CACert as the Certificate Authority for all of the following SSL certificates.
Prior to 2011/12/, Gentoo Infrastructure only supported the pure SSL variants of the protocols, which provided a complete SSL wrapper around the POP3 or IMAP protocols. While POP3S and IMAPS is still supported, we encourage users to migrate to using STARTTLS instead, as it is easier to debug by being able to see the initial plaintext on tcpdump. Users behind aggressive firewalls that conduct deep-packet inspection to block based on plaintext headers should still use the pure SSL variants.
Accessing dev.gentoo.org using POP3 and STARTTLS or POP3S
POP3 is a pull-protocol, meaning that e-mails are pulled from the server to your local disk.
To set up your favorite e-mail client for POP3 and STARTTLS or POP3S, use the following settings:
- POP3 server : dev.gentoo.org
- Use SSL : yes
- Account : your username
- Password : your dev.gentoo.org password
POP3 without SSL/TLS is not supported! It is insecure because it transmits the password in plain text, which is a Bad Thing (TM).
For instance, if you are using fetchmail to fetch your e-mails, your .fetchmailrc should read something like this:
poll dev.gentoo.org proto pop3
user username
pass password
nokeep sslcertck
# This is the issuer for Let's Encrypt Authority X3.
sslcertfile /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
sslproto TLS1.2+
# sslfingerprint "..." # This option is no longer recommended, due to regular key rotation practices.
The above will have fetchmail using POP3 with STARTTLS. If you need POP3S instead, add the
ssl
keyword before the sslcertck
keyword.If you are using sylpheed for your e-mails, create a new account and make sure that the Receive tab uses POP3 and the SSL tab has the Use SSL for POP3 connection selected.
If you are using mutt, you're smart enough to figure this one out yourself.
Manually specifying the SSL key fingerprints is no longer recommended, due to regular rotation of keys. If possible, clients with DNSSEC can verify the certificate via TLSA.
MD5 Fingerprint=2C:78:E9:43:B5:03:1E:E2:14:9E:FA:79:AD:E4:D5:E3
SHA1 Fingerprint=40:F3:63:7C:68:56:5E:D2:B2:2F:8E:EC:4B:0B:1A:C3:D8:04:EA:D8
MDC2 Fingerprint=CB:E6:6F:70:3F:58:A7:F0:37:82:F5:7A:38:9B:60:83
SHA256 Fingerprint=9F:DF:AB:E2:E6:EB:37:3C:88:58:E6:07:DC:3C:EF:83:EE:FB:62:0C:45:B0:BF:9B:5B:21:B8:4F:27:56:05:7E
SHA512 Fingerprint=51:D6:B7:C9:05:73:E2:74:F7:45:1F:B5:A3:BC:42:BD:DC:6E:FC:87:3E:49:58:22:9A:A6:AA:51:86:A9:D3:0E:C9:99:F2:BD:88:C5:B1:EA:D5:C1:A5:80:4E:B8:01:97:72:F5:98:5A:41:72:9D:AD:C5:01:34:F9:23:DC:FF:88
Accessing dev.gentoo.org using IMAP and STARTTLS or IMAPS
IMAP is a push-protocol, meaning that e-mails stay on the remote server and you can manage separate mailboxes on that server.
To set up your favorite e-mail client for IMAP and STARTTLS or IMAPS, use the following settings:
- IMAP server : dev.gentoo.org
- Use SSL : yes
- Account : your username
- Password : your dev.gentoo.org password
IMAP without SSL/TLS is not supported! It is insecure because it uses static authentication, which is a Bad Thing (TM).
Your *.gentoo.org LDAP password is the same as the one used on all Gentoo infrastructure you have access to. If you don't know your password anymore, ask infra to reset your password.
For instance, if you are using fetchmail
to fetch your e-mails, your .fetchmailrc should read something like this:
poll dev.gentoo.org proto imap
user username
pass password
nokeep sslcertck
# This is the issuer for Let's Encrypt Authority X3.
sslcertfile /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
sslproto TLS1.2+
# sslfingerprint "..." # This option is no longer recommended, due to regular key rotation practices.
The above will have fetchmail using IMAP with STARTTLS. If you need IMAPS instead, add the keyword
ssl
before the sslcertck
keyword.If you are using mutt, you're smart enough to figure this one out yourself.
Manually specifying the SSL key fingerprints is no longer recommended, due to regular rotation of keys. If possible, clients with DNSSEC can verify the certificate via TLSA.
MD5 Fingerprint=2C:78:E9:43:B5:03:1E:E2:14:9E:FA:79:AD:E4:D5:E3
SHA1 Fingerprint=40:F3:63:7C:68:56:5E:D2:B2:2F:8E:EC:4B:0B:1A:C3:D8:04:EA:D8
MDC2 Fingerprint=CB:E6:6F:70:3F:58:A7:F0:37:82:F5:7A:38:9B:60:83
SHA256 Fingerprint=9F:DF:AB:E2:E6:EB:37:3C:88:58:E6:07:DC:3C:EF:83:EE:FB:62:0C:45:B0:BF:9B:5B:21:B8:4F:27:56:05:7E
SHA512 Fingerprint=51:D6:B7:C9:05:73:E2:74:F7:45:1F:B5:A3:BC:42:BD:DC:6E:FC:87:3E:49:58:22:9A:A6:AA:51:86:A9:D3:0E:C9:99:F2:BD:88:C5:B1:EA:D5:C1:A5:80:4E:B8:01:97:72:F5:98:5A:41:72:9D:AD:C5:01:34:F9:23:DC:FF:88
Using dev.gentoo.org as a mail relay server
If you would like to reduce the SRF spam scoring against your email, or do not wish to use your ISP's relay, you may relay your email through dev.gentoo.org.
Multiple ports are provided, because some ISPs block outbound connections from their networks on certain ports, to reduce spam.
- Port 25: you must enable STARTTLS
- Port 587: You must enable STARTTLS
- Port 465: Implicit TLS required.
Now setup your e-mail client to use dev.gentoo.org as the SMTP server:
- Select yes when asked if the server uses authentication.
- Enable STARTTLS if you are using port 25 or 587.
- If you get the choice, select plain as the hash-method. Use your username and your LDAP password for authentication.
Manually specifying the SSL key fingerprints is no longer recommended, due to regular rotation of keys. If possible, clients with DNSSEC can verify the certificate via TLSA.
MD5=63:51:09:C6:8A:0C:B0:C5:F7:4E:65:0E:BA:6D:0D:72
SHA1=65:39:B0:33:75:C8:AE:F4:BF:8A:34:F9:35:9E:C0:1F:20:64:D1:C0
MDC2=B8:C3:DE:E2:4C:9F:04:34:DE:36:91:F1:A9:A6:75:51
SHA256=A6:56:5E:9D:4D:99:11:97:AD:27:41:30:EF:53:F9:39:B4:2A:89:00:34:E5:0C:1D:97:8B:31:C9:7D:4B:92:27
SHA512=39:42:D4:52:08:33:54:CF:AF:DC:64:EC:16:A8:05:B6:4B:5D:DA:AA:F0:5D:ED:32:B7:B9:23:ED:4A:24:26:78:81:3D:D1:27:8B:6D:DF:04:73:03:86:44:4C:45:A4:47:F3:44:6C:2E:89:4C:0A:FF:8D:C6:B7:B0:8B:8E:C0:57
Setting up procmail rules for Spam Checking
All email coming into dev.gentoo.org is scanned for spam and viruses. Viruses are automatically deleted so there is no need to check for them yourself. To check for spam use something like the following procmail recipe.
:0:
* ^X-Spam-Status: Yes
.maildir/.spam/
If you wish to check your spam based on spam level a recipe like the following can be used (adjust the number of '\*' to the level that fits you best, the more stars the greater the possibility that what you are filtering is spam).
:0:
* ^X-Spam-Level: \*\*\*
.maildir/.spam/
Mail placed into ~/.maildir/.spam is auto cleaned every 14 days. If you wish to save your potential spam for an extended period of time please place it in another directory. The usage of ~/.maildir/.spam is strongly encouraged.
I am getting a lot of spam
Try taking a spam email and piping it into spamassassin.
spamassassin --test < /path/to/the/email
Often it takes a while for RBLs to learn about spam campaigns, and so we may get short peaks of spam until the RBLs learn about the spammy senders and we start tagging email. Compare the spamassassin -test output to the X-SPAM tags you see when you originally saw the mail.
Setting up procmail for Reply-To handling
This section is written on request of many Gentoo developers to cover how to modify the Reply-To header in an email for consistency across all of the Gentoo mailing lists. For reasons not mentioned here, there is an inconsistency between the gentoo-core
private mailing list, and the rest of the Gentoo mailing lists.
Removing Reply-To
Users who have a MUA that supports a Reply-To-List function will likely want to remove the munged Reply-To headers. This allows them to use their mail client how it was intended, with the Reply button replying to the Author. If your mail client has a Reply-To-List function, you can use the following recipe snippet in your .procmailrc file to remove the Reply-To headers.
# This removes those Reply-To: headers
:0 fhw
* ^List-Id:.*gentoo.org.
| formail -I "Reply-To:"
This scans the message headers for any Gentoo list and removes any Reply-To header that it finds.
Adding Reply-To
Some of the most popular mail clients in use do not support a Reply-To-List function. This causes problems for the users of these clients and has resulted in Reply-To munging being used to reduce complexity for these users. Since only the gentoo-core
mailing list does not use Reply-To munging, the following rule only touches that list.
# This adds a Reply-To: header
:0 fhw
* ^List-Id:.*gentoo-core\.gentoo\.org
|formail -I "Reply-To: gentoo-core@lists.gentoo.org"
This scans for the gentoo-core
list and adds a Reply-To header pointing to the list.
Sender Policy Framework
Gentoo uses the Sender Policy Framework, or SPF, to filter forged @gentoo.org email, so it's important to configure your mail client or server correctly so it doesn't get filtered. The most important thing is that MAIL FROM:
and your body From:
needs to match and that you can't forge return-path. If you obey these rules you shouldn't have problems with SPF filtering your emails.
Below are some configurations for a few common clients and mailers.
SSMTP
To forward all mail through mail.gentoo.org configure /etc/ssmtp/ssmtp.conf as follows:
mailhub=mail.gentoo.org:25
AuthUser=username (Replace with your username)
AuthPass=password (Replace with your ~/.asmtp password)
AuthMethod=CRAM-MD5
UseTLS=YES
useSTARTTLS=YES
Mutt
You can set the envelope from address in ~/.muttrc as follows:
envelope_from_address who@example.com
use_envelope_from true
Qmail
You can forward all your email through mail.gentoo.org using the /var/qmail/control/smtproutes file:
:mail.gentoo.org USERNAME PASSWORD (Replace with your username/password)
MSMTP
You can do per-account forwarding using msmtp. Configure ~/.msmtp as follows:
account default
host mail.yourisp.com
user johnsmith (Replace with your username)
password spork (Replace with your password)
tls
Next, configure your mail user agent to use msmtp for sending email. A sample mutt configuration follows:
send2-hook . 'set sendmail="/path/to/msmtp"'
send2-hook '~f gmx' 'set sendmail="/path/to/msmtp -a gmx"'
macro index ,g '<enter-command>set sendmail="/path/to/msmtp -a gmx"<enter>' 'choose gmx smtp profile'
Other user agents
For Thunderbird, Evolution and other MUAs (mail user agents), you can use ssmtp
or another mail transfer agent (MTA) as described above to forward your mail through mail.gentoo.org.
Designating other servers as permitted senders
If you DO still need to send mail via another server, it is strongly recommended that you populate your per-developer SPF record in LDAP. This is contained in the gentooSPF LDAP field.
The gentooSPF LDAP field MUST contain a valid SPF policy, with additional allowance that the v=spf1 prefix is optional in LDAP (it will be included in the DNS records exactly once regardless).
If the gentooSPF LDAP field is not set for a user, the SPF policy default of ~all will be applied.
To permit mail from GMail, Gentoo, and nowhere else
This allows you to send @gentoo.org mail from Gentoo servers (per the top-level gentoo.org SPF rule), Google servers (include:_spf.google.com), and nowhere else (-all)
user@woodpecker $
perl_ldap -b user -M gentooSPF 'include:_spf.google.com -all' ${USERNAME}
To permit mail from only Gentoo and nowhere else
This allows you to send @gentoo.org mail from Gentoo servers only (e.g. if you ALWAYS relay to woodpecker).
user@woodpecker $
perl_ldap -b user -M gentooSPF '-all' ${USERNAME}
Apply some other SPF record
If you wish to deploy some other SPF policy, here is the perl_ldap commandline to do so.
user@woodpecker $
perl_ldap -b user -M gentooSPF '...my spf policy...' ${USERNAME}
Frequently asked and/or anticipated questions
What happens when dev.gentoo.org goes down?
When dev.gentoo.org goes down, e-mails will stay in the mailqueue on mail.gentoo.org and will be delivered whenever dev.gentoo.org is up again.
Can I use procmail on dev.gentoo.org?
Yes, you can. Create a ~/.forward file thought with the following content:
| /usr/bin/procmail
Can I use sieve/managesieve on dev.gentoo.org?
Create a ~/.forward file with the following content:
| "/usr/libexec/dovecot/deliver"
Then create a Sieve script like seen in this example.
Using the dovecot LDA also improves the performance/speed for IMAP and POP3.
Can I use SpamAssassin on dev.gentoo.org?
Spam is automatically marked for you. There is no need to run your mail through any additional filters just check for the appropriate headers.
Why don't you set up a system-wide (spam|virus) filter?
Due to the rapid spread of e-mail borne viruses we have had to filter all of these despite the risk of losing legitimate e-mail. Spam filtering is not 100% accurate so although we tag all e-mail with Spam level headers we do not filter it. We leave that option to the developers to do so if they choose.
How can I exempt myself from Sender Address Verification?
By default all @gentoo.org users get Sender Address Verification enabled for them for free. We recognize that there are times when this is less than ideal and put a system in place for you to exempt yourself from it. You can simply touch ~/.permissive and wait about an hour for the recipient_filtering to be rechecked. Note however that when you opt for permissive mode that no spam or virus filtering is done for your account.
Are my e-mails or the contents of my home directory backed up regularly?
No, it's the responsibility of the individual to back up their own important files and mail.
How can I copy over files from/to dev.gentoo.org?
Use scp, the Secure Copy Program.
Acknowledgements
We would like to thank CACert and DigiCert for their continued support of open source projects by providing SSL certificates.
This page is based on a document formerly found on our main website gentoo.org.
The following people contributed to the original document: Kurt Lieber, Lance Albertson, Daniel Ostrow, Mike Doty, Ned Ludd, Robin Johnson (robbat2) , Bryan Østergaard, , Chris Gianelloni
They are listed here because wiki history does not allow for any external attribution. If you edit the wiki article, please do not add yourself here; your contributions are recorded on each article's associated history page.