出售域名

Chapter 6. Network applications

Table of Contents

6.1. Web browsers
6.1.1. Browser configuration
6.2. The mail system
6.2.1. Email basics
6.2.2. Modern mail service basics
6.2.3. The mail configuration strategy for workstation
6.3. Mail transport agent (MTA)
6.3.1. The configuration of exim4
6.3.2. The configuration of postfix with SASL
6.3.3. The mail address configuration
6.3.4. Basic MTA operations
6.4. Mail user agent (MUA)
6.4.1. Basic MUA — Mutt
6.5. The remote mail retrieval and forward utility
6.5.1. getmail configuration
6.5.2. fetchmail configuration
6.6. Mail delivery agent (MDA) with filter
6.6.1. maildrop configuration
6.6.2. procmail configuration
6.6.3. Redeliver mbox contents
6.7. POP3/IMAP4 server
6.8. The print server and utilities
6.9. The remote access server and utilities (SSH)
6.9.1. Basics of SSH
6.9.2. Port forwarding for SMTP/POP3 tunneling
6.9.3. Connecting without remote passwords
6.9.4. Dealing with alien SSH clients
6.9.5. Setting up ssh-agent
6.9.6. How to shutdown the remote system on SSH
6.9.7. Troubleshooting SSH
6.10. Other network application servers
6.11. Other network application clients
6.12. The diagnosis of the system daemons

After establishing network connectivity (see Chapter 5, Network setup), you can run various network applications.

[Tip] Tip

For modern Debian specific guide to the network infrastructure, read The Debian Administrator's Handbook — Network Infrastructure.

[Warning] Warning

This chapter is getting outdated since this is based on Debian 7.0 (Wheezy) released in 2013.

There are many web browser packages to access remote contents with Hypertext Transfer Protocol (HTTP).


You may be able to use following special URL strings for some browsers to confirm their settings.

  • "about:"

  • "about:config"

  • "about:plugins"

Debian offers many free browser plugin packages in the main archive area which can handle not only Java (software platform) and Flash but also MPEG, MPEG2, MPEG4, DivX, Windows Media Video (.wmv), QuickTime (.mov), MP3 (.mp3), Ogg/Vorbis files, DVDs, VCDs, etc. Debian also offers helper programs to install non-free browser plugin packages as contrib or non-free archive area.


[Tip] Tip

Although use of above Debian packages are much easier, browser plugins can be still manually enabled by installing "*.so" into plugin directories (e.g., "/usr/lib/iceweasel/plugins/") and restarting browsers.

Some web sites refuse to be connected based on the user-agent string of your browser. You can work around this situation by spoofing the user-agent string. For example, you can do this by adding following line into user configuration files such as "~/.gnome2/epiphany/mozilla/epiphany/user.js" or "~/.mozilla/firefox/*.default/user.js".

user_pref{"general.useragent.override","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"};

Alternatively, you can add and reset this variable by typing "about:config" into URL and right clicking its display contents.

[Caution] Caution

Spoofed user-agent string may cause bad side effects with Java.

[Caution] Caution

If you are to set up the mail server to exchange mail directly with the Internet, you should be better than reading this elementary document.

The mail system involves many server programs and many client programs running on multiple hosts. From the functionarity, there are 3 types of mail agent programs:

[Note] Note

The following configuration examples are only valid for the typical mobile workstation on consumer grade Internet connections.

An email message consists of three components, the message envelope, the message header, and the message body.

The "To" and "From" information in the message envelope is used by the SMTP to deliver the email. (The "From" information in the message envelope is also called bounce address, From_, etc.).

The "To" and "From" information in the message header is displayed by the email client. (While it is most common for these to be the same as ones in the message envelope, such is not always the case.)

The email client (MUA) needs to interpret the message header and body data using Multipurpose Internet Mail Extensions (MIME) to deal the content data type and encoding.

In order to minimize exposure to the spam (unwanted and unsolicited email) problems, many ISPs which provide consumer grade Internet connections are implementing counter measures.

When configuring your mail system or resolving mail delivery problems, you must consider these new limitations.

In light of these hostile Internet situation and limitations, some independent Internet mail ISPs such as Yahoo.com and Gmail.com offer the secure mail service which can be connected from anywhere on the Internet using Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL).

  • The smarthost service on port 465 with the deprecated SMTP over SSL (SMTPS protocol).

  • The smarthost service on port 587 with the STARTTLS.

  • The incoming mail is accessible at the TLS/POP3 port (995) with POP3.

[Caution] Caution

It is not realistic to run SMTP server on consumer grade network to send mail directly to the remote host reliably. They are very likely to be rejected. You must use some smarthost services offered by your connection ISP or independent mail ISPs.

For the simplicity, I assume that the smarthost is located at "smtp.hostname.dom", requires SMTP Authentication, and uses the message submission port (587) with the STARTTLS in the following text.

The most simple mail configuration is that the mail is sent to the ISP's smarthost and received from ISP's POP3 server by the MUA (see Section 6.4, “Mail user agent (MUA)”) itself. This type of configuration is popular with full featured GUI based MUA such as icedove(1), evolution(1), etc. If you need to filter mail by their types, you use MUA's filtering function. For this case, the local MTA (see Section 6.3, “Mail transport agent (MTA)”) need to do local delivery only (when sender and receiver are on the same host).

Please note that the Debian system is the multiuser system. Even if you are the only user, there are many programs running as root and they may send you a mail.

The alternative mail configuration is that the mail is sent via local MTA to the ISP's smarthost and received from ISP's POP3 by the mail retriever (see Section 6.5, “The remote mail retrieval and forward utility”) to the local mailbox. If you need to filter mail by their types, you use MDA with filter (see Section 6.6, “Mail delivery agent (MDA) with filter”) to filter mail into separate mailboxes. This type of configuration is popular with simple console based MUA such as mutt(1), mew(1), etc., although this is possible with any MUAs (see Section 6.4, “Mail user agent (MUA)”). For this case, the local MTA (see Section 6.3, “Mail transport agent (MTA)”) need to do both smarthost delivery and local delivery. Since mobile workstation does not have valid FQDN, you must configure the local MTA to hide and spoof the real local mail name in outgoing mail to avoid mail delivery errors (see Section 6.3.3, “The mail address configuration”).

[Tip] Tip

You may wish to configure MUA/MDA to use Maildir for storing email messages somewhere under your home directory.

For normal workstation, the popular choice for Mail transport agent (MTA) is either exim4-* or postfix packages. It is really up to you.


Although the popcon vote count of exim4-* looks several times popular than that of postfix, this does not mean postfix is not popular with Debian developers. The Debian server system uses both exim4 and postfix. The mail header analysis of mailing list postings from prominent Debian developers also indicate both of these MTAs are as popular.

The exim4-* packages are known to have very small memory consumption and very flexible for its configuration. The postfix package is known to be compact, fast, simple, and secure. Both come with ample documentation and are as good in quality and license.

There are many choices for mail transport agent (MTA) packages with different capability and focus in Debian archive.


For the Internet mail via smarthost, you (re)configure exim4-* packages as the following.

$ sudo /etc/init.d/exim4 stop
$ sudo dpkg-reconfigure exim4-config

Select "mail sent by smarthost; received via SMTP or fetchmail" for "General type of mail configuration".

Set "System mail name:" to its default as the FQDN (see Section 5.1.1, “The hostname resolution”).

Set "IP-addresses to listen on for incoming SMTP connections:" to its default as "127.0.0.1 ; ::1".

Unset contents of "Other destinations for which mail is accepted:".

Unset contents of "Machines to relay mail for:".

Set "IP address or host name of the outgoing smarthost:" to "smtp.hostname.dom:587".

Select "<No>" for "Hide local mail name in outgoing mail?". (Use "/etc/email-addresses" as in Section 6.3.3, “The mail address configuration”, instead.)

Reply to "Keep number of DNS-queries minimal (Dial-on-Demand)?" as one of the following.

  • "No" if the system is connected to the Internet while booting.

  • "Yes" if the system is not connected to the Internet while booting.

Set "Delivery method for local mail:" to "mbox format in /var/mail/".

Select "<Yes>" for "Split configuration into small files?:".

Create password entries for the smarthost by editing "/etc/exim4/passwd.client".

$ sudo vim /etc/exim4/passwd.client
 ...
$ cat /etc/exim4/passwd.client
^smtp.*\.hostname\.dom:[email protected]:password

Start exim4 by the following.

$ sudo /etc/init.d/exim4 start

The host name in "/etc/exim4/passwd.client" should not be the alias. You check the real host name with the following.

$ host smtp.hostname.dom
smtp.hostname.dom is an alias for smtp99.hostname.dom.
smtp99.hostname.dom has address 123.234.123.89

I use regex in "/etc/exim4/passwd.client" to work around the alias issue. SMTP AUTH probably works even if the ISP moves host pointed by the alias.

You can manually update exim4 configuration by the following:

  • Update exim4 configuration files in "/etc/exim4/".

    • creating "/etc/exim4/exim4.conf.localmacros" to set MACROs and editing "/etc/exim4/exim4.conf.template". (non-split configuration)

    • creating new files or editing existing files in the "/etc/exim4/exim4.conf.d" subdirectories. (split configuration)

  • Run "invoke-rc.d exim4 reload".

Please read the official guide at: "/usr/share/doc/exim4-base/README.Debian.gz" and update-exim4.conf(8).

[Caution] Caution

Starting exim4 takes long time if "No" (default value) was chosen for the debconf query of "Keep number of DNS-queries minimal (Dial-on-Demand)?" and the system is not connected to the Internet while booting.

[Warning] Warning

It is insecure to use plain text password without encryption even if your ISP allows it.

[Tip] Tip

Although use of SMTP with STARTTLS on port 587 is recommended, some ISPs still use deprecated SMTPS (SSL on port 465). Exim4 after 4.77 supports this deprecated SMTPS protocol for both as client and as server.

[Tip] Tip

If you are looking for a light weight MTA that respects "/etc/aliases" for your laptop PC, you should consider to configure exim4(8) with "QUEUERUNNER='queueonly'", "QUEUERUNNER='nodaemon'", etc. in "/etc/default/exim4".

There are a few mail address configuration files for mail transport, delivery and user agents.


The mailname in the "/etc/mailname" file is usually a fully qualified domain name (FQDN) that resolves to one of the host's IP addresses. For the mobile workstation which does not have a hostname with resolvable IP address, set this mailname to the value of "hostname -f". (This is safe choice and works for both exim4-* and postfix.)

[Tip] Tip

The contents of "/etc/mailname" is used by many non-MTA programs for their default behavior. For mutt, set "hostname" and "from" variables in ~/muttrc file to override the mailname value. For programs in the devscripts package, such as bts(1) and dch(1), export environment variables "$DEBFULLNAME" and "$DEBEMAIL" to override it.

[Tip] Tip

The popularity-contest package normally send mail from root account with FQDN. You need to set MAILFROM in /etc/popularity-contest.conf as described in the /usr/share/popularity-contest/default.conf file. Otherwise, your mail will be rejected by the smarthost SMTP server. Although this is tedious, this approach is safer than rewriting the source address for all mails from root by MTA and should be used for other daemons and cron scripts.

When setting the mailname to "hostname -f", the spoofing of the source mail address via MTA can be realized by the following.

  • "/etc/email-addresses" file for exim4(8) as explained in the exim4-config_files(5)

  • "/etc/postfix/generic" file for postfix(1) as explained in the generic(5)

For postfix, the following extra steps are needed.

# postmap hash:/etc/postfix/generic
# postconf -e 'smtp_generic_maps = hash:/etc/postfix/generic'
# postfix reload

You can test mail address configuration using the following.

  • exim(8) with -brw, -bf, -bF, -bV, … options

  • postmap(1) with -q option.

[Tip] Tip

Exim comes with several utility programs such as exiqgrep(8) and exipick(8). See "dpkg -L exim4-base|grep man8/" for available commands.

If you subscribe to Debian related mailing list, it may be a good idea to use such MUA as mutt and mew which are the de facto standard for the participant and known to behave as expected.


Customize "~/.muttrc" as the following to use mutt as the mail user agent (MUA) in combination with vim.

#
# User configuration file to override /etc/Muttrc
#
# spoof source mail address
set use_from
set hostname=example.dom
set from="Name Surname <[email protected]>"
set signature="~/.signature"

# vim: "gq" to reformat quotes
set editor="vim -c 'set tw=72 et ft=mail'"

# "mutt" goes to Inbox, while "mutt -y" lists mailboxes
set mbox_type=Maildir           # use qmail Maildir format for creating mbox
set mbox=~/Mail                 # keep all mail boxes in $HOME/Mail/
set spoolfile=+Inbox            # mail delivered to $HOME/Mail/Inbox
set record=+Outbox              # save fcc mail to $HOME/Mail/Outbox
set postponed=+Postponed        # keep postponed in $HOME/Mail/postponed
set move=no                     # do not move Inbox items to mbox
set quit=ask-yes                # do not quit by "q" only
set delete=yes                  # always delete w/o asking while exiting
set fcc_clear                   # store fcc as non encrypted

# Mailboxes in Maildir (automatic update)
mailboxes `cd ~/Mail; /bin/ls -1|sed -e 's/^/+/' | tr "\n" " "`
unmailboxes Maillog *.ev-summary

## Default
#set index_format="%4C %Z %{%b %d} %-15.15L (%4l) %s"
## Thread index with senders (collapse)
set index_format="%4C %Z %{%b %d} %-15.15n %?M?(#%03M)&(%4l)? %s"

## Default
#set folder_format="%2C %t %N %F %2l %-8.8u %-8.8g %8s %d %f"
## just folder names
set folder_format="%2C %t %N %f"

Add the following to "/etc/mailcap" or "~/.mailcap" to display HTML mail and MS Word attachments inline.

text/html; lynx -force_html %s; needsterminal;
application/msword; /usr/bin/antiword '%s'; copiousoutput; description="Microsoft Word Text"; nametemplate=%s.doc
[Tip] Tip

Mutt can be used as the IMAP client and the mailbox format converter. You can tag messages with "t", "T", etc. These tagged messages can be copied with ";C" between different mailboxes and deleted with ";d" in one action.

Instead of running a MUA to access remote mails and to process them manually, you may wish to automate such process to have all the mails delivered to the local host. The remote mail retrieval and forward utility is the tool for you.

Although fetchmail(1) has been de facto standard for the remote mail retrieval on GNU/Linux, the author likes getmail(1) now. If you want to reject mail before downloading to save bandwidth, mailfilter or mpop may be useful. Whichever mail retriever utilities are used, it is a good idea to configure system to deliver retrieved mails to MDA, such as maildrop, via pipe.


getmail(1) configuration is described in getmail documentation. Here is my set up to access multiple POP3 accounts as user.

Create "/usr/local/bin/getmails" as the following.

#!/bin/sh
set -e
if [ -f $HOME/.getmail/running ]; then
  echo "getmail is already running ... (if not, remove $HOME/.getmail/running)" >&2
  pgrep -l "getmai[l]"
  exit 1
else
  echo "getmail has not been running ... " >&2
fi
if [ -f $HOME/.getmail/stop ]; then
  echo "do not run getmail ... (if not, remove $HOME/.getmail/stop)" >&2
  exit
fi
if [ "x$1" = "x-l" ]; then
  exit
fi
rcfiles="/usr/bin/getmail"
for file in $HOME/.getmail/config/* ; do
  rcfiles="$rcfiles --rcfile $file"
done
date -u > $HOME/.getmail/running
eval "$rcfiles $@"
rm $HOME/.getmail/running

Configure it as the following.

$ sudo chmod 755 /usr/local/bin/getmails
$ mkdir -m 0700 $HOME/.getmail
$ mkdir -m 0700 $HOME/.getmail/config
$ mkdir -m 0700 $HOME/.getmail/log

Create configuration files "$HOME/.getmail/config/pop3_name" for each POP3 accounts as the following.

[retriever]
type = SimplePOP3SSLRetriever
server = pop.example.com
username =  [email protected]
password = <your-password>

[destination]
type = MDA_external
path = /usr/bin/maildrop
unixfrom = True

[options]
verbose = 0
delete = True
delivered_to = False
message_log = ~/.getmail/log/pop3_name.log

Configure it as the following.

$ chmod 0600 $HOME/.getmail/config/*

Schedule "/usr/local/bin/getmails" to run every 15 minutes with cron(8) by executing "sudo crontab -e -u <user_name>" and adding following to user's cron entry.

5,20,35,50 * * * * /usr/local/bin/getmails --quiet
[Tip] Tip

Problems of POP3 access may not come from getmail. Some popular free POP3 services may be violating the POP3 protocol and their SPAM filter may not be perfect. For example, they may delete messages just after receiving RETR command before receiving DELE command and may quarantined messages into Spam mailbox. You should minimize damages by configuring them to archive accessed messages and not to delete them. See also "Some mail was not downloaded".

Most MTA programs, such as postfix and exim4, function as MDA (mail delivery agent). There are specialized MDA with filtering capabilities.

Although procmail(1) has been de facto standard for MDA with filter on GNU/Linux, author likes maildrop(1) now. Whichever filtering utilities are used, it is a good idea to configure system to deliver filtered mails to a qmail-style Maildir.


maildrop(1) configuration is described in maildropfilter documentation. Here is a configuration example for "$HOME/.mailfilter".

# Local configuration
MAILROOT="$HOME/Mail"
# set this to /etc/mailname contents
MAILHOST="example.dom"
logfile $HOME/.maildroplog

# rules are made to override the earlier value by the later one.

# mailing list mails ?
if (     /^Precedence:.*list/:h || /^Precedence:.*bulk/:h )
{
    # rules for mailing list mails
    # default mailbox for mails from mailing list
    MAILBOX="Inbox-list"
    # default mailbox for mails from debian.org
    if ( /^(Sender|Resent-From|Resent-Sender): .*debian.org/:h )
    {
        MAILBOX="service.debian.org"
    }
    # default mailbox for mails from bugs.debian.org (BTS)
    if ( /^(Sender|Resent-From|Resent-sender): .*@bugs.debian.org/:h )
    {
        MAILBOX="bugs.debian.org"
    }
    # mailbox for each properly maintained mailing list with "List-Id: foo" or "List-Id: ...<foo.bar>"
    if ( /^List-Id: ([^<]*<)?([^<>]*)>?/:h )
    {
        MAILBOX="$MATCH2"
    }
}
else
{
    # rules for non-mailing list mails
    # default incoming box
    MAILBOX="Inbox-unusual"
    # local mails
    if ( /Envelope-to: .*@$MAILHOST/:h )
    {
        MAILBOX="Inbox-local"
    }
    # html mails (99% spams)
    if ( /DOCTYPE html/:b ||\
         /^Content-Type: text\/html/ )
    {
        MAILBOX="Inbox-html"
    }
    # blacklist rule for spams
    if ( /^X-Advertisement/:h ||\
         /^Subject:.*BUSINESS PROPOSAL/:h ||\
         /^Subject:.*URGENT.*ASISSTANCE/:h ||\
         /^Subject: *I NEED YOUR ASSISTANCE/:h )
    {
        MAILBOX="Inbox-trash"
    }
    # whitelist rule for normal mails
    if ( /^From: .*@debian.org/:h ||\
         /^(Sender|Resent-From|Resent-Sender): .*debian.org/:h ||\
         /^Subject: .*(debian|bug|PATCH)/:h )
    {
        MAILBOX="Inbox"
    }
    # whiltelist rule for BTS related mails
    if ( /^Subject: .*Bug#.*/:h ||\
         /^(To|Cc): .*@bugs.debian.org/:h )
    {
        MAILBOX="bugs.debian.org"
    }
    # whitelist rule for getmails cron mails
    if ( /^Subject: Cron .*getmails/:h )
    {
        MAILBOX="Inbox-getmails"
    }
}

# check existance of $MAILBOX
`test -d $MAILROOT/$MAILBOX`
if ( $RETURNCODE == 1 )
{
    # create maildir mailbox for $MAILBOX
    `maildirmake $MAILROOT/$MAILBOX`
}
# deliver to maildir $MAILBOX
to "$MAILROOT/$MAILBOX/"
exit
[Warning] Warning

Unlike procmail, maildrop does not create missing maildir directories automatically. You must create them manually using maildirmake(1) in advance as in the example "$HOME/.mailfilter".

If you are to run a private server on LAN, you may consider to run POP3 / IMAP4 server for delivering mail to LAN clients.


In the old Unix-like system, the BSD Line printer daemon was the standard. Since the standard print out format of the free software is PostScript on the Unix like system, some filter system was used along with Ghostscript to enable printing to the non-PostScript printer.

Recently, Common UNIX Printing System (CUPS) is the new de facto standard. The CUPS uses Internet Printing Protocol (IPP). The IPP is now supported by other OSs such as Windows XP and Mac OS X and has became new cross-platform de facto standard for remote printing with bi-directional communication capability.

The standard printable data format for the application on the Debian system is the PostScript (PS) which is a page description language. The data in PS format is fed into the Ghostscript PostScript interpreter to produce the printable data specific to the printer. See Section 11.4.1, “Ghostscript”.

Thanks to the file format dependent auto-conversion feature of the CUPS system, simply feeding any data to the lpr command should generate the expected print output. (In CUPS, lpr can be enabled by installing the cups-bsd package.)

The Debian system has some notable packages for the print servers and utilities.


[Tip] Tip

You can configure CUPS system by pointing your web browser to "http://localhost:631/" .

The Secure SHell (SSH) is the secure way to connect over the Internet. A free version of SSH called OpenSSH is available as openssh-client and openssh-server packages in Debian.


[Caution] Caution

See Section 4.7.3, “Extra security measures for the Internet” if your SSH is accessible from the Internet.

[Tip] Tip

Please use the screen(1) program to enable remote shell process to survive the interrupted connection (see Section 9.1, “The screen program”).

[Warning] Warning

"/etc/ssh/sshd_not_to_be_run" must not be present if one wishes to run the OpenSSH server.

SSH has two authentication protocols.


[Caution] Caution

Be careful about these differences if you are using a non-Debian system.

See "/usr/share/doc/ssh/README.Debian.gz", ssh(1), sshd(8), ssh-agent(1), and ssh-keygen(1) for details.

Following are the key configuration files.


[Tip] Tip

See ssh-keygen(1), ssh-add(1) and ssh-agent(1) for how to use public and secret SSH keys.

[Tip] Tip

Make sure to verify settings by testing the connection. In case of any problem, use "ssh -v".

[Tip] Tip

You can change the pass phrase to encrypt local secret SSH keys later with "ssh-keygen -p".

[Tip] Tip

You can add options to the entries in "~/.ssh/authorized_keys" to limit hosts and to run specific commands. See sshd(8) for details.

The following starts an ssh(1) connection from a client.


If you use the same user name on the local and the remote host, you can eliminate typing "username@". Even if you use different user name on the local and the remote host, you can eliminate it using "~/.ssh/config". For Debian Alioth service with account name "foo-guest", you set "~/.ssh/config" to contain the following.

Host alioth.debian.org svn.debian.org git.debian.org
    User foo-guest

For the user, ssh(1) functions as a smarter and more secure telnet(1). Unlike telnet command, ssh command does not stop on the telnet escape character (initial default CTRL-]).

You need to protect the process doing "shutdown -h now" (see Section 1.1.8, “How to shutdown the system”) from the termination of SSH using the at(1) command (see Section 9.3.13, “Scheduling tasks once”) by the following.

# echo "shutdown -h now" | at now

Running "shutdown -h now" in screen(1) (see Section 9.1, “The screen program”) session is another way to do the same.

Here are other network application servers.


Common Internet File System Protocol (CIFS) is the same protocol as Server Message Block (SMB) and is used widely by Microsoft Windows.

[Tip] Tip

See Section 4.5.2, “The modern centralized system management” for integration of server systems.

[Tip] Tip

The hostname resolution is usually provided by the DNS server. For the host IP address dynamically assigned by DHCP, Dynamic DNS can be set up for the hostname resolution using bind9 and isc-dhcp-server as described in the DDNS page on the Debian wiki.

[Tip] Tip

Use of proxy server such as squid is much more efficient for saving bandwidth than use of local mirror server with the full Debian archive contents.

Here are other network application clients.


The telnet program enables manual connection to the system daemons and its diagnosis.

For testing plain POP3 service, try the following

$ telnet mail.ispname.net pop3

For testing the TLS/SSL enabled POP3 service by some ISPs, you need TLS/SSL enabled telnet client by the telnet-ssl or openssl packages.

$ telnet -z ssl pop.gmail.com 995
$ openssl s_client -connect pop.gmail.com:995

The following RFCs provide required knowledge to each system daemon.


The port usage is described in "/etc/services".


host by nrdoc.com  CDN