kgess-mirror/debian-reference
1
0
Fork 0
mirror of https://salsa.debian.org/debian/debian-reference.git synced 2026-01-11 20:07:28 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
debian-reference/rawxml/06_network_applications.rawxml
Osamu Aoki 78560b8969 Fix duplicated ssh-agent(1) 
Closes: #1100811

Signed-off-by: Osamu Aoki <osamu@debian.org>
2026-01-02 23:49:12 +09:00

1250 lines
78 KiB
XML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!-- vim: set sw=2 et sts=2 ft=xml: -->
<!-- Last content review: 2024-01-21T07:28:28 UTC -->
<!--
* modern browser security update hick-ups with some remote service
* installing 2 browsers helps but not important enough to add text here
* modern mail service migrating to OAuth2 (No easy way for commandline sendmail)
* MS is deprecating legacy support in 2023/Jan
==> Wait until some Debian package appears to support or google shout down legacy support
* references
* Official:
* https://learn.microsoft.com/ja-jp/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
* https://developers.google.com/identity/protocols/oauth2
* Current
* 2024: https://github.com/simonrob/email-oauth2-proxy (Python, *631) - good pointers to other projects -
* 2024: https://gitlab.com/muttmua/mutt/-/blob/master/contrib/mutt_oauth2.py (contrib for mutt, github*138, gitlab*438) - part of official dist
* 2023: https://github.com/tarickb/sasl-xoauth2 (C++, *61) - best for postfix
* 2023: https://mmogilvi.users.sourceforge.net/software/oauthbearer.html (good general guide, fetchmail+postfix based)
* https://mmogilvi.users.sourceforge.net/downloads/oauthbearerScripts-2023-01-01.tar.bz2
* https://github.com/moriyoshi/cyrus-sasl-xoauth2
* 2022: https://billauer.co.il/blog/2022/10/git-send-email-with-oauth2-gmail/ (msmtp based solution)
* https://github.com/billauer/oauth2-helper (msmtp auth addon, Perl, *1)
* https://github.com/pdobsan/mailctl (haskel written, mutt_oauth2.py inspired, *75)
* OLD
* 6YR: https://github.com/simplegeo/python-oauth2/
* 7YR: https://github.com/google/gmail-oauth2-tools/wiki/OAuth2DotPyRunThrough
* 11YR: https://stackoverflow.com/questions/11445523/python-smtplib-is-sending-mail-via-gmail-using-oauth2-possible
-->
<chapter id="_network_applications">
<title>Network applications</title>
<para>After establishing network connectivity (see <xref linkend="_network_setup"/>), you can run various network applications.</para>
<tip> <para>For modern Debian specific guide to the network infrastructure, read <ulink url="https://www.debian.org/doc/manuals/debian-handbook/network-infrastructure">The Debian Administrator's Handbook — Network Infrastructure</ulink>.</para> </tip>
<tip> <para>If you enabled "2-Step Verification" with some ISP, you need to obtain an application password to access POP and SMTP services from your program. You may need to approve your host IP in advance.</para> </tip>
<section id="_web_browsers">
<title>Web browsers</title>
<para>There are many <ulink url="https://en.wikipedia.org/wiki/Web_Browsers">web browser</ulink> packages to access remote contents with <ulink url="https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol">Hypertext Transfer Protocol</ulink> (HTTP).</para>
<table pgwide="0" frame="topbot" rowsep="1" colsep="1">
<title>List of web browsers</title>
<tgroup cols="5">
<colspec colwidth="103pt" align="left"/>
<colspec colwidth="76pt" align="left"/>
<colspec colwidth="70pt" align="left"/>
<colspec colwidth="48pt" align="left"/>
<colspec colwidth="445pt" align="left"/>
<thead>
<row>
<entry> package </entry>
<entry> popcon </entry>
<entry> size </entry>
<entry> type </entry>
<entry> description of web browser </entry>
</row>
</thead>
<tbody>
<row>
<entry> <literal>chromium</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> X </entry>
<entry><ulink url="https://en.wikipedia.org/wiki/Chromium_(web_browser)">Chromium</ulink>, (open-source browser from Google) </entry>
</row>
<row>
<entry> <literal>firefox</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry><ulink url="https://en.wikipedia.org/wiki/Firefox">Firefox</ulink>, (open-source browser from Mozilla, only available in Debian Unstable) </entry>
</row>
<row>
<entry> <literal>firefox-esr</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry><ulink url="https://en.wikipedia.org/wiki/Firefox#Extended_Support_Release">Firefox ESR</ulink>, (Firefox Extended Support Release) </entry>
</row>
<row>
<entry> <literal>epiphany-browser</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry><ulink url="https://en.wikipedia.org/wiki/GNOME">GNOME</ulink>, <ulink url="https://en.wikipedia.org/wiki/Human_interface_guidelines">HIG</ulink> compliant, <ulink url="https://en.wikipedia.org/wiki/Epiphany_(browser)">Epiphany</ulink> </entry>
</row>
<row>
<entry> <literal>konqueror</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry><ulink url="https://en.wikipedia.org/wiki/KDE">KDE</ulink>, <ulink url="https://en.wikipedia.org/wiki/Konqueror">Konqueror</ulink></entry>
</row>
<row>
<entry> <literal>dillo</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry><ulink url="https://en.wikipedia.org/wiki/Dillo">Dillo</ulink>, (light weight browser, <ulink url="https://en.wikipedia.org/wiki/FLTK">FLTK</ulink> based) </entry>
</row>
<row>
<entry> <literal>w3m</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> text </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/W3m">w3m</ulink> </entry>
</row>
<row>
<entry> <literal>lynx</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/Lynx_(web_browser)">Lynx</ulink> </entry>
</row>
<row>
<entry> <literal>elinks</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/ELinks">ELinks</ulink> </entry>
</row>
<row>
<entry> <literal>links</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry><ulink url="https://en.wikipedia.org/wiki/Links_(web_browser)">Links</ulink> (text only) </entry>
</row>
<row>
<entry> <literal>links2</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> graphics </entry>
<entry><ulink url="https://en.wikipedia.org/wiki/Links_(web_browser)">Links</ulink> (console graphics without X) </entry>
</row>
</tbody>
</tgroup>
</table>
<section id="_spoofing_the_user_agent_string">
<title>Spoofing the User-Agent string</title>
<para>In order to access some overly restrictive web sites, you may need to spoof the <ulink url="https://en.wikipedia.org/wiki/User_agent">User-Agent</ulink> string returned by the web browser program. See:</para>
<itemizedlist>
<listitem> <ulink url="https://developer.mozilla.org/en-US/docs/Glossary/User_agent">MDN Web Docs: userAgent</ulink> </listitem>
<listitem> <ulink url="https://developer.chrome.com/docs/devtools/device-mode/override-user-agent/">Chrome Developers: Override the user agent string</ulink> </listitem>
<listitem> <ulink url="https://www.whatismybrowser.com/guides/how-to-change-your-user-agent/">How to change your user agent</ulink> </listitem>
<listitem> <ulink url="https://geekflare.com/change-user-agent-in-browser/">How to Change User-Agent in Chrome, Firefox, Safari, and more</ulink> </listitem>
<listitem> <ulink url="https://www.howtogeek.com/113439/how-to-change-your-browsers-user-agent-without-installing-any-extensions/">How to Change Your Browsers User Agent Without Installing Any Extensions</ulink> </listitem>
<listitem> <ulink url="https://askubuntu.com/questions/472861/how-to-change-the-user-agent-in-gnome-web-epiphany">How to change the User Agent in Gnome Web (epiphany)</ulink></listitem>
</itemizedlist>
<caution> <para>Spoofed user-agent string may cause <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=83376">bad side effects with Java</ulink>.</para> </caution>
</section>
<section id="_browser_extension">
<title>Browser extension</title>
<para>All modern GUI browsers support source code based <ulink url="https://en.wikipedia.org/wiki/Browser_extension">browser extension</ulink> and it is becoming standardized as <ulink url="https://github.com/w3c/webextensions/blob/main/charter.md#webextensions">web extensions</ulink>.</para>
</section>
</section>
<section id="_the_mail_system">
<title>The mail system</title>
<para>This section focuses on typical mobile workstations on consumer grade Internet connections.</para>
<caution> <para>If you are to set up the mail server to exchange mail directly with the Internet, you should be better than reading this elementary document.</para> </caution>
<section id="_email_basics">
<title>Email basics</title>
<para>An <ulink url="https://en.wikipedia.org/wiki/Email">email</ulink> message consists of three components, the message envelope, the message header, and the message body.</para>
<itemizedlist>
<listitem> <para>The "To" and "From" information in the message envelope is used by the <ulink url="https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol">SMTP</ulink> to deliver the email. (The "From" information in the message envelope is also called <ulink url="https://en.wikipedia.org/wiki/Bounce_address">bounce address</ulink>, From_, etc.).</para> </listitem>
<listitem> <para>The "To" and "From" information in the message header is displayed by the <ulink url="https://en.wikipedia.org/wiki/Email_client">email client</ulink>. (While it is most common for these to be the same as ones in the message envelope, such is not always the case.)</para> </listitem>
<listitem> <para>The email message format covering header and body data is extended by <ulink url="https://en.wikipedia.org/wiki/MIME">Multipurpose Internet Mail Extensions (MIME)</ulink> from the plain ASCII text to other character encodings, as well as attachments of audio, video, images, and application programs.</para> </listitem>
</itemizedlist>
<para>Full featured GUI based <ulink url="https://en.wikipedia.org/wiki/Email_client">email clients</ulink> offer all the following functions using the GUI based intuitive configuration.</para>
<itemizedlist>
<listitem> <para>It creates and interprets the message header and body data using <ulink url="https://en.wikipedia.org/wiki/MIME">Multipurpose Internet Mail Extensions (MIME)</ulink> to deal the content data type and encoding.</para> </listitem>
<listitem> <para>It authenticates itself to the ISP's SMTP and IMAP servers using the legacy <ulink url="https://en.wikipedia.org/wiki/Basic_access_authentication">basic access authentication</ulink> or modern <ulink url="https://en.wikipedia.org/wiki/OAuth">OAuth 2.0</ulink>. (For <ulink url="https://en.wikipedia.org/wiki/OAuth">OAuth 2.0</ulink>, set it via Desktop environment settings. E.g., "Settings" -> "Online Accounts".) </para> </listitem>
<listitem> <para>It sends the message to the ISP's smarthost SMTP server listening to the message submission port (587).</para> </listitem>
<listitem> <para>It receives the stored message on the ISP's server from the TLS/IMAP4 port (993).</para> </listitem>
<listitem> <para>It can filter mails by their attributes.</para> </listitem>
<listitem> <para>It may offer additional functionalities: Contacts, Calendar, Tasks, Memos.</para> </listitem>
</itemizedlist>
<table pgwide="0" frame="topbot" rowsep="1" colsep="1">
<title>List of mail user agent (MUA)</title>
<tgroup cols="4">
<colspec colwidth="70pt" align="left"/>
<colspec colwidth="76pt" align="left"/>
<colspec colwidth="70pt" align="left"/>
<colspec colwidth="537pt" align="left"/>
<thead>
<row>
<entry> package </entry>
<entry> popcon </entry>
<entry> size </entry>
<entry> type </entry>
</row>
</thead>
<tbody>
<row>
<entry> <literal>evolution</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> X GUI program (GNOME3, groupware suite) </entry>
</row>
<row>
<entry> <literal>thunderbird</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> X GUI program (GTK, <ulink url="https://en.wikipedia.org/wiki/Mozilla_Thunderbird">Mozilla Thunderbird</ulink>) </entry>
</row>
<row>
<entry> <literal>kmail</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> X GUI program (KDE) </entry>
</row>
<row>
<entry> <literal>mutt</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> character terminal program probably used with <literal>vim</literal> </entry>
</row>
<row>
<entry> <literal>mew</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> character terminal program under <literal>(x)emacs</literal> </entry>
</row>
</tbody>
</tgroup>
</table>
</section>
<section id="_modern_mail_service_limitation">
<title>Modern mail service limitation</title>
<para>Modern mail service are under some limitations in order to minimize exposure to the spam (unwanted and unsolicited email) problems.</para>
<itemizedlist>
<listitem> <para>It is not realistic to run SMTP server on the consumer grade network to send mail directly to the remote host reliably.</para> </listitem>
<listitem> <para>A mail may be rejected by any host en route to the destination quietly unless it appears as authentic as possible.</para> </listitem>
<listitem> <para>It is not realistic to expect a single smarthost to send mails of unrelated source mail addresses to the remote host reliably.</para> </listitem>
</itemizedlist>
<para>This is because:</para>
<itemizedlist>
<listitem> <para>The SMTP port (25) connections from hosts serviced by the consumer grade network to the Internet are blocked.</para> </listitem>
<listitem> <para>The SMTP port (25) connections to hosts serviced by the consumer grade network from the Internet are blocked.</para> </listitem>
<listitem> <para>The outgoing messages from hosts serviced by the consumer grade network to the Internet can only be sent via the message submission port (587).</para> </listitem>
<listitem> <para><ulink url="https://en.wikipedia.org/wiki/Anti-spam_techniques">Anti-spam techniques</ulink> such as <ulink url="https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail">DomainKeys Identified Mail (DKIM)</ulink>, <ulink url="https://en.wikipedia.org/wiki/Sender_Policy_Framework">Sender_Policy_Framework (SPF)</ulink>, and <ulink url="https://en.wikipedia.org/wiki/DMARC">Domain-based Message Authentication, Reporting and Conformance (DMARC)</ulink> are widely used for the <ulink url="https://en.wikipedia.org/wiki/Email_filtering">email filtering</ulink>.</para> </listitem>
<listitem> <para>The <ulink url="https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail">DomainKeys Identified Mail</ulink> service may be provided for your mail sent through the smarthost.</para> </listitem>
<listitem> <para>The smarthost may rewrite the source mail address in the message header to your mail account on the smarthost to prevent email address spoofing.</para> </listitem>
</itemizedlist>
</section>
<section id="_historic_mail_service_expectation">
<title>Historic mail service expectation</title>
<para>Some programs on Debian expect to access the <literal>/usr/sbin/sendmail</literal> command to send emails as their default or customized setting since the mail service on a UNIX system functioned historically as:</para>
<itemizedlist>
<listitem> <para>An email is created as a text file.</para> </listitem>
<listitem> <para>The email is handed to the <literal>/usr/sbin/sendmail</literal> command.</para> </listitem>
<listitem>
<para>For the destination address on the same host, the <literal>/usr/sbin/sendmail</literal> command makes local delivery of the email by appending it to the <literal>/var/mail/$username</literal> file.</para>
<itemizedlist>
<listitem> <para>Commands expecting this feature: <literal>apt-listchanges</literal>, <literal>cron</literal>, <literal>at</literal>, ...</para> </listitem>
</itemizedlist>
</listitem>
<listitem>
<para>For the destination address on the remote host, the <literal>/usr/sbin/sendmail</literal> command makes remote transfer of the email to the destination host found by the DNS MX record using SMTP.</para>
<itemizedlist>
<listitem> <para>Commands expecting this feature: <literal>popcon</literal>, <literal>reportbug</literal>, <literal>bts</literal>, ...</para> </listitem>
</itemizedlist>
</listitem>
</itemizedlist>
</section>
<section id="_mail_transport_agent_mta">
<title>Mail transport agent (MTA)</title>
<para>Debian mobile workstations can be configured just with full featured GUI based <ulink url="https://en.wikipedia.org/wiki/Email_client">email clients</ulink> without <ulink url="https://en.wikipedia.org/wiki/Message_transfer_agent">mail transfer agent (MTA)</ulink> program after Debian 12 Bookworm. </para>
<para>Debian traditionally installed some MTA program to support programs expecting the <literal>/usr/sbin/sendmail</literal> command. Such MTA on mobile workstations must cope with <xref linkend="_modern_mail_service_limitation"/> and <xref linkend="_historic_mail_service_expectation"/>.</para>
<para>For mobile workstations, the typical choice of MTA is either <literal>exim4-daemon-light</literal> or <literal>postfix</literal> with its installation option such as "Mail sent by smarthost; received via SMTP or fetchmail" selected. These are light weight MTAs that respect "<literal>/etc/aliases</literal>".</para>
<tip> <para>Configuring <literal>exim4</literal> to send the Internet mail via multiple corresponding smarthosts for multiple source email addresses is non-trivial. If you need such capability for some programs, set them up to use <literal>msmtp</literal> which is easy to set up for multiple source email addresses. Then leave main MTA only for a single email address. </para> </tip>
<table pgwide="0" frame="topbot" rowsep="1" colsep="1">
<title>List of basic mail transport agent related packages</title>
<tgroup cols="4">
<colspec colwidth="114pt" align="left"/>
<colspec colwidth="76pt" align="left"/>
<colspec colwidth="70pt" align="left"/>
<colspec colwidth="374pt" align="left"/>
<thead>
<row>
<entry> package </entry>
<entry> popcon </entry>
<entry> size </entry>
<entry> description </entry>
</row>
</thead>
<tbody>
<row>
<entry> <literal>exim4-daemon-light</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> Exim4 mail transport agent (MTA: Debian default) </entry>
</row>
<row>
<entry> <literal>exim4-daemon-heavy</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> Exim4 mail transport agent (MTA: flexible alternative) </entry>
</row>
<row>
<entry> <literal>exim4-base</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> Exim4 documentation (text) and common files </entry>
</row>
<row>
<entry> <literal>exim4-doc-html</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> Exim4 documentation (html) </entry>
</row>
<row>
<entry> <literal>exim4-doc-info</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> Exim4 documentation (info) </entry>
</row>
<row>
<entry> <literal>postfix</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> Postfix mail transport agent (MTA: secure alternative) </entry>
</row>
<row>
<entry> <literal>postfix-doc</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> Postfix documentation (html+text) </entry>
</row>
<row>
<entry> <literal>sasl2-bin</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> Cyrus SASL API implementation (supplement postfix for SMTP AUTH) </entry>
</row>
<row>
<entry> <literal>cyrus-sasl2-doc</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> Cyrus SASL - documentation </entry>
</row>
<row>
<entry> <literal>msmtp</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> Light weight MTA </entry>
</row>
<row>
<entry> <literal>msmtp-mta</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> Light weight MTA (sendmail compatibility extension to <literal>msmtp</literal>) </entry>
</row>
<row>
<entry> <literal>esmtp</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> Light weight MTA </entry>
</row>
<row>
<entry> <literal>esmtp-run</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> Light weight MTA (sendmail compatibility extension to <literal>esmtp</literal>) </entry>
</row>
<row>
<entry> <literal>nullmailer</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> Strip down MTA, no local mail </entry>
</row>
<row>
<entry> <literal>ssmtp</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> Strip down MTA, no local mail </entry>
</row>
<row>
<entry> <literal>sendmail-bin</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> Full featured MTA (only if you are already familiar) </entry>
</row>
<row>
<entry> <literal>courier-mta</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> Full featured MTA (web interface etc.) </entry>
</row>
<row>
<entry> <literal>git-email</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> <literal>git-send-email</literal>(1) program for sending series of patch emails </entry>
</row>
</tbody>
</tgroup>
</table>
<section id="_the_configuration_of_exim4">
<title>The configuration of exim4</title>
<para>For the Internet mail via smarthost, you (re)configure <literal>exim4-*</literal> packages as the following.</para>
<screen>$ sudo systemctl stop exim4
$ sudo dpkg-reconfigure exim4-config</screen>
<para>Select "mail sent by smarthost; received via SMTP or fetchmail" for "General type of mail configuration".</para>
<para>Set "System mail name:" to its default as the FQDN (see <xref linkend="_the_hostname_resolution"/>).</para>
<para>Set "IP-addresses to listen on for incoming SMTP connections:" to its default as "127.0.0.1 ; ::1".</para>
<para>Unset contents of "Other destinations for which mail is accepted:".</para>
<para>Unset contents of "Machines to relay mail for:".</para>
<para>Set "IP address or host name of the outgoing smarthost:" to "smtp.hostname.dom:587".</para>
<para>Select "No" for "Hide local mail name in outgoing mail?". (Use "<literal>/etc/email-addresses</literal>" as in <xref linkend="_the_mail_address_configuration"/>, instead.)</para>
<para>Reply to "Keep number of DNS-queries minimal (Dial-on-Demand)?" as one of the following.</para>
<itemizedlist>
<listitem> <para> "No" if the system is connected to the Internet while booting. </para> </listitem>
<listitem> <para> "Yes" if the system is <emphasis role="strong">not</emphasis> connected to the Internet while booting. </para> </listitem>
</itemizedlist>
<para>Set "Delivery method for local mail:" to "mbox format in /var/mail/".</para>
<para>Select "Yes" for "Split configuration into small files?:".</para>
<para>Create password entries for the smarthost by editing "<literal>/etc/exim4/passwd.client</literal>".</para>
<screen>$ sudo vim /etc/exim4/passwd.client
...
$ cat /etc/exim4/passwd.client
^smtp.*\.hostname\.dom:username@hostname.dom:password</screen>
<para>Configure <literal>exim4</literal>(8) with "<literal>QUEUERUNNER='queueonly'</literal>", "<literal>QUEUERUNNER='nodaemon'</literal>", etc. in "<literal>/etc/default/exim4</literal>" to minimize system resource usages. (optional)</para>
<para>Start <literal>exim4</literal> by the following.</para>
<screen>$ sudo systemctl start exim4</screen>
<para>The host name in "<literal>/etc/exim4/passwd.client</literal>" should not be the alias. You check the real host name with the following.</para>
<screen>$ host smtp.hostname.dom
smtp.hostname.dom is an alias for smtp99.hostname.dom.
smtp99.hostname.dom has address 123.234.123.89</screen>
<para>I use regex in "<literal>/etc/exim4/passwd.client</literal>" to work around the alias issue. SMTP AUTH probably works even if the ISP moves host pointed by the alias.</para>
<para>You can manually update <literal>exim4</literal> configuration by the following:</para>
<itemizedlist>
<listitem>
<para> Update <literal>exim4</literal> configuration files in "<literal>/etc/exim4/</literal>". </para>
<itemizedlist>
<listitem> <para> creating "<literal>/etc/exim4/exim4.conf.localmacros</literal>" to set MACROs and editing "<literal>/etc/exim4/exim4.conf.template</literal>". (non-split configuration) </para> </listitem>
<listitem> <para> creating new files or editing existing files in the "<literal>/etc/exim4/exim4.conf.d</literal>" subdirectories. (split configuration) </para> </listitem>
</itemizedlist>
</listitem>
<listitem> <para> Run "<literal>systemctl reload exim4</literal>". </para> </listitem>
</itemizedlist>
<caution> <para>Starting <literal>exim4</literal> takes long time if "No" (default value) was chosen for the debconf query of "Keep number of DNS-queries minimal (Dial-on-Demand)?" and the system is <emphasis role="strong">not</emphasis> connected to the Internet while booting.</para> </caution>
<para></para>
<para>Please read the official guide at: "<literal>/usr/share/doc/exim4-base/README.Debian.gz</literal>" and <literal>update-exim4.conf</literal>(8).</para>
<warning> <para>For all practical consideration, use <ulink url="https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol">SMTP</ulink> with <ulink url="https://en.wikipedia.org/wiki/STARTTLS">STARTTLS</ulink> on port 587 or <ulink url="https://en.wikipedia.org/wiki/SMTPS">SMTPS</ulink> (SMTP over SSL) on port 465, instead of plain SMTP on port 25.</para> </warning>
</section>
<section id="_the_configuration_of_postfix_with_sasl">
<title>The configuration of postfix with SASL</title>
<para>For the Internet mail via smarthost, you should first read <ulink url="https://www.postfix.org/documentation.html">postfix documentation</ulink> and key manual pages.</para>
<table pgwide="0" frame="topbot" rowsep="1" colsep="1">
<title>List of important postfix manual pages</title>
<tgroup cols="2">
<colspec colwidth="81pt" align="left"/>
<colspec colwidth="190pt" align="left"/>
<thead>
<row>
<entry> command </entry>
<entry> function </entry>
</row>
</thead>
<tbody>
<row> <entry><literal>postfix</literal>(1) </entry>
<entry> Postfix control program </entry>
</row>
<row>
<entry><literal>postconf</literal>(1) </entry>
<entry> Postfix configuration utility </entry>
</row>
<row>
<entry><literal>postconf</literal>(5) </entry>
<entry> Postfix configuration parameters </entry>
</row>
<row>
<entry><literal>postmap</literal>(1) </entry>
<entry> Postfix lookup table maintenance </entry>
</row>
<row>
<entry><literal>postalias</literal>(1) </entry>
<entry> Postfix alias database maintenance </entry>
</row>
</tbody>
</tgroup>
</table>
<para>You (re)configure <literal>postfix</literal> and <literal>sasl2-bin</literal> packages as follows.</para>
<screen>$ sudo systemctl stop postfix
$ sudo dpkg-reconfigure postfix</screen>
<para>Chose "Internet with smarthost".</para>
<para>Set "SMTP relay host (blank for none):" to "<literal>[smtp.hostname.dom]:587</literal>" and configure it by the following.</para>
<screen>$ sudo postconf -e 'smtp_sender_dependent_authentication = yes'
$ sudo postconf -e 'smtp_sasl_auth_enable = yes'
$ sudo postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'
$ sudo postconf -e 'smtp_sasl_type = cyrus'
$ sudo vim /etc/postfix/sasl_passwd</screen>
<para>Create password entries for the smarthost.</para>
<screen>$ cat /etc/postfix/sasl_passwd
[smtp.hostname.dom]:587 username:password
$ sudo postmap hush:/etc/postfix/sasl_passwd</screen>
<para>Start the <literal>postfix</literal> by the following.</para>
<screen>$ sudo systemctl start postfix</screen>
<para>Here the use of "<literal>[</literal>" and "<literal>]</literal>" in the <literal>dpkg-reconfigure</literal> dialog and "<literal>/etc/postfix/sasl_passwd</literal>" ensures not to check MX record but directly use exact hostname specified. See "Enabling SASL authentication in the Postfix SMTP client" in "<literal>/usr/share/doc/postfix/html/SASL_README.html</literal>".</para>
</section>
<section id="_the_mail_address_configuration">
<title>The mail address configuration</title>
<para>There are a few <ulink url="https://www.debian.org/doc/debian-policy/ch-customized-programs#s-mail-transport-agents">mail address configuration files for mail transport, delivery and user agents</ulink>.</para>
<table pgwide="0" frame="topbot" rowsep="1" colsep="1">
<title>List of mail address related configuration files</title>
<tgroup cols="3">
<colspec colwidth="124pt" align="left"/>
<colspec colwidth="206pt" align="left"/>
<colspec colwidth="385pt" align="left"/>
<thead>
<row>
<entry> file </entry>
<entry> function </entry>
<entry> application </entry>
</row>
</thead>
<tbody>
<row>
<entry> <literal>/etc/mailname</literal> </entry>
<entry> default host name for (outgoing) mail </entry>
<entry> Debian specific, <literal>mailname</literal>(5) </entry>
</row>
<row>
<entry> <literal>/etc/email-addresses</literal> </entry>
<entry> host name spoofing for outgoing mail </entry>
<entry><literal>exim</literal>(8) specific, <literal>exim4-config_files</literal>(5) </entry>
</row>
<row>
<entry> <literal>/etc/postfix/generic</literal> </entry>
<entry> host name spoofing for outgoing mail </entry>
<entry><literal>postfix</literal>(1) specific, activated after <literal>postmap</literal>(1) command execution. </entry>
</row>
<row>
<entry> <literal>/etc/aliases</literal> </entry>
<entry> account name alias for incoming mail </entry>
<entry> general, activated after <literal>newaliases</literal>(1) command execution. </entry>
</row>
</tbody>
</tgroup>
</table>
<para>The <emphasis role="strong">mailname</emphasis> in the "<literal>/etc/mailname</literal>" file is usually a fully qualified domain name (FQDN) that resolves to one of the host's IP addresses. For the mobile workstation which does not have a hostname with resolvable IP address, set this <emphasis role="strong">mailname</emphasis> to the value of "<literal>hostname -f</literal>". (This is safe choice and works for both <literal>exim4-*</literal> and <literal>postfix</literal>.)</para>
<tip> <para>The contents of "<literal>/etc/mailname</literal>" is used by many non-MTA programs for their default behavior. For <literal>mutt</literal>, set "<literal>hostname</literal>" and "<literal>from</literal>" variables in <literal>~/muttrc</literal> file to override the <emphasis role="strong">mailname</emphasis> value. For programs in the <literal>devscripts</literal> package, such as <literal>bts</literal>(1) and <literal>dch</literal>(1), export environment variables "<literal>$DEBFULLNAME</literal>" and "<literal>$DEBEMAIL</literal>" to override it.</para> </tip>
<tip> <para>The <literal>popularity-contest</literal> package normally send mail from root account with FQDN. You need to set <literal>MAILFROM</literal> in <literal>/etc/popularity-contest.conf</literal> as described in the <literal>/usr/share/popularity-contest/default.conf</literal> file. Otherwise, your mail will be rejected by the smarthost SMTP server. Although this is tedious, this approach is safer than rewriting the source address for all mails from root by MTA and should be used for other daemons and cron scripts.</para> </tip>
<para>When setting the <emphasis role="strong">mailname</emphasis> to "<literal>hostname -f</literal>", the spoofing of the source mail address via MTA can be realized by the following.</para>
<itemizedlist>
<listitem> <para> "<literal>/etc/email-addresses</literal>" file for <literal>exim4</literal>(8) as explained in the <literal>exim4-config_files</literal>(5) </para> </listitem>
<listitem> <para> "<literal>/etc/postfix/generic</literal>" file for <literal>postfix</literal>(1) as explained in the <literal>generic</literal>(5) </para> </listitem>
</itemizedlist>
<para>For <literal>postfix</literal>, the following extra steps are needed.</para>
<screen># postmap hash:/etc/postfix/generic
# postconf -e 'smtp_generic_maps = hash:/etc/postfix/generic'
# postfix reload</screen>
<para>You can test mail address configuration using the following.</para>
<itemizedlist>
<listitem> <para><literal>exim</literal>(8) with <literal>-brw, -bf, -bF, -bV, …</literal> options </para> </listitem>
<listitem> <para><literal>postmap</literal>(1) with <literal>-q</literal> option. </para> </listitem>
</itemizedlist>
<tip> <para>Exim comes with several utility programs such as <literal>exiqgrep</literal>(8) and <literal>exipick</literal>(8). See "<literal>dpkg -L exim4-base|grep man8/</literal>" for available commands.</para> </tip>
</section>
<section id="_basic_mta_operations">
<title>Basic MTA operations</title>
<para>There are several basic MTA operations. Some may be performed via <literal>sendmail</literal>(1) compatibility interface.</para>
<table pgwide="0" frame="topbot" rowsep="1" colsep="1">
<title>List of basic MTA operation</title>
<tgroup cols="3">
<colspec colwidth="119pt" align="left"/>
<colspec colwidth="228pt" align="left"/>
<colspec colwidth="347pt" align="left"/>
<thead>
<row>
<entry> exim command </entry>
<entry> postfix command </entry>
<entry> description </entry>
</row>
</thead>
<tbody>
<row>
<entry> <literal>sendmail</literal> </entry>
<entry> <literal>sendmail</literal> </entry>
<entry> read mails from standard input and arrange for delivery (<literal>-bm</literal>) </entry>
</row>
<row>
<entry> <literal>mailq</literal> </entry>
<entry> <literal>mailq</literal> </entry>
<entry> list the mail queue with status and queue ID (<literal>-bp</literal>) </entry>
</row>
<row>
<entry> <literal>newaliases</literal> </entry>
<entry> <literal>newaliases</literal> </entry>
<entry> initialize alias database (<literal>-I</literal>) </entry>
</row>
<row>
<entry> <literal>exim4 -q</literal> </entry>
<entry> <literal>postqueue -f</literal> </entry>
<entry> flush waiting mails (<literal>-q</literal>) </entry>
</row>
<row>
<entry> <literal>exim4 -qf</literal> </entry>
<entry> <literal>postsuper -r ALL deferred; postqueue -f</literal> </entry>
<entry> flush all mails </entry>
</row>
<row>
<entry> <literal>exim4 -qff</literal> </entry>
<entry> <literal>postsuper -r ALL; postqueue -f</literal> </entry>
<entry> flush even frozen mails </entry>
</row>
<row>
<entry> <literal>exim4 -Mg queue_id</literal> </entry>
<entry> <literal>postsuper -h queue_id</literal> </entry>
<entry> freeze one message by its queue ID </entry>
</row>
<row>
<entry> <literal>exim4 -Mrm queue_id</literal> </entry>
<entry> <literal>postsuper -d queue_id</literal> </entry>
<entry> remove one message by its queue ID </entry>
</row>
<row>
<entry> N/A </entry>
<entry> <literal>postsuper -d ALL</literal> </entry>
<entry> remove all messages </entry>
</row>
</tbody>
</tgroup>
</table>
<tip> <para>It may be a good idea to flush all mails by a script in "<literal>/etc/ppp/ip-up.d/*</literal>".</para> </tip>
</section>
</section>
</section>
<section id="_the_remote_access_server_and_utilities_ssh">
<title>The remote access server and utilities (SSH)</title>
<para>The <ulink url="https://en.wikipedia.org/wiki/Secure_Shell">Secure SHell</ulink> (SSH) is the <emphasis role="strong">secure</emphasis> way to connect over the Internet. A free version of SSH called <ulink url="https://www.openssh.org/">OpenSSH</ulink> is available as <literal>openssh-client</literal> and <literal>openssh-server</literal> packages in Debian.</para>
<para>For the user, <literal>ssh</literal>(1) functions as a smarter and more secure <literal>telnet</literal>(1). Unlike <literal>telnet</literal> command, <literal>ssh</literal> command does not stop on the <literal>telnet</literal> escape character (initial default CTRL-]).</para>
<table pgwide="0" frame="topbot" rowsep="1" colsep="1">
<title>List of remote access server and utilities</title>
<tgroup cols="5">
<colspec colwidth="135pt" align="left"/>
<colspec colwidth="76pt" align="left"/>
<colspec colwidth="70pt" align="left"/>
<colspec colwidth="152pt" align="left"/>
<colspec colwidth="271pt" align="left"/>
<thead>
<row>
<entry> package </entry>
<entry> popcon </entry>
<entry> size </entry>
<entry> tool </entry>
<entry> description </entry>
</row>
</thead>
<tbody>
<row>
<entry> <literal>openssh-client</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry><literal>ssh</literal>(1) </entry>
<entry> Secure shell client </entry>
</row>
<row>
<entry> <literal>openssh-server</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry><literal>sshd</literal>(8) </entry>
<entry> Secure shell server </entry>
</row>
<row>
<entry> <literal>ssh-askpass</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry><literal>ssh-askpass</literal>(1) </entry>
<entry> asks user for a pass phrase for ssh-add (plain X) </entry>
</row>
<row>
<entry> <literal>ssh-askpass-gnome</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry><literal>ssh-askpass-gnome</literal>(1) </entry>
<entry> asks user for a pass phrase for ssh-add (GNOME) </entry>
</row>
<row>
<entry> <literal>ssh-askpass-fullscreen</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry><literal>ssh-askpass-fullscreen</literal>(1) </entry>
<entry> asks user for a pass phrase for ssh-add (GNOME) with extra eye candy </entry>
</row>
<row>
<entry> <literal>shellinabox</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry><literal>shellinaboxd</literal>(1) </entry>
<entry> web server for <ulink url="https://github.com/shellinabox/shellinabox">browser accessible VT100 terminal emulator</ulink> </entry>
</row>
</tbody>
</tgroup>
</table>
<para> Although <literal>shellinabox</literal> is not a SSH program, it is listed here as an interesting alternative for the remote terminal access.</para>
<para> See also <xref linkend="_x_server_connection"/> for connecting to remote X client programs.</para>
<caution> <para>See <xref linkend="_extra_security_measures_for_the_internet"/> if your SSH is accessible from the Internet.</para> </caution>
<tip> <para>Please use the <literal>screen</literal>(1) program to enable remote shell process to survive the interrupted connection (see <xref linkend="_the_screen_program"/>).</para> </tip>
<section id="_basics_of_ssh">
<title>Basics of SSH</title>
<para>The OpenSSH SSH daemon supports SSH protocol 2 only.</para>
<para>Please read "<literal>/usr/share/doc/openssh-client/README.Debian.gz</literal>", <literal>ssh</literal>(1), <literal>sshd</literal>(8), <literal>ssh-keygen</literal>(1), <literal>ssh-add</literal>(1) and <literal>ssh-agent</literal>(1).</para>
<warning>
<para>"<literal>/etc/ssh/sshd_not_to_be_run</literal>" must not be present if one wishes to run the OpenSSH server.</para>
<para>Don't enable rhost based authentication (<literal>HostbasedAuthentication</literal> in <literal>/etc/ssh/sshd_config</literal>). </para>
</warning>
<table pgwide="0" frame="topbot" rowsep="1" colsep="1">
<title>List of SSH configuration files</title>
<tgroup cols="2">
<colspec colwidth="141pt" align="left"/>
<colspec colwidth="537pt" align="left"/>
<thead>
<row>
<entry> configuration file </entry>
<entry> description of configuration file </entry>
</row>
</thead>
<tbody>
<row>
<entry> <literal>/etc/ssh/ssh_config</literal> </entry>
<entry> SSH client defaults, see <literal>ssh_config</literal>(5) </entry>
</row>
<row>
<entry> <literal>/etc/ssh/sshd_config</literal> </entry>
<entry> SSH server defaults, see <literal>sshd_config</literal>(5) </entry>
</row>
<row>
<entry> <literal>~/.ssh/authorized_keys</literal> </entry>
<entry> default public SSH keys that clients use to connect to this account on this SSH server </entry>
</row>
<row>
<entry> <literal>~/.ssh/id_rsa</literal> </entry>
<entry> secret SSH-2 RSA key of the user </entry>
</row>
<row>
<entry> <literal>~/.ssh/id_<emphasis>key-type-name</emphasis></literal> </entry>
<entry> secret SSH-2 <emphasis>key-type-name</emphasis> key such as <literal>ecdsa</literal>, <literal>ed25519</literal>, ... of the user </entry>
</row>
</tbody>
</tgroup>
</table>
<para>The following starts an <literal>ssh</literal>(1) connection from a client.</para>
<table pgwide="0" frame="topbot" rowsep="1" colsep="1">
<title>List of SSH client startup examples</title>
<tgroup cols="2">
<colspec colwidth="407pt" align="left"/>
<colspec colwidth="271pt" align="left"/>
<thead>
<row>
<entry> command </entry>
<entry> description </entry>
</row>
</thead>
<tbody>
<row>
<entry> <literal>ssh username@hostname.domain.ext</literal> </entry>
<entry> connect with default mode </entry>
</row>
<row>
<entry> <literal>ssh -v username@hostname.domain.ext</literal> </entry>
<entry> connect with default mode with debugging messages </entry>
</row>
<row>
<entry> <literal>ssh -o PreferredAuthentications=password username@hostname.domain.ext</literal> </entry>
<entry> force to use password with SSH version 2 </entry>
</row>
<row>
<entry> <literal>ssh -t username@hostname.domain.ext passwd</literal> </entry>
<entry> run <literal>passwd</literal> program to update password on a remote host </entry>
</row>
</tbody>
</tgroup>
</table>
</section>
<section id="_user_name_on_the_remote_host">
<title>User name on the remote host</title>
<para>If you use the same user name on the local and the remote host, you can eliminate typing "<literal>username@</literal>".</para>
<para>Even if you use different user name on the local and the remote host, you can eliminate it using "<literal>~/.ssh/config</literal>". For <ulink url="https://salsa.debian.org/">Debian Salsa service</ulink> with account name "<literal>foo-guest</literal>", you set "<literal>~/.ssh/config</literal>" to contain the following.</para>
<screen>Host salsa.debian.org people.debian.org
User foo-guest</screen>
</section>
<section id="_connecting_without_remote_passwords">
<title>Connecting without remote passwords</title>
<para>One can avoid having to remember passwords for remote systems by using "<literal>PubkeyAuthentication</literal>" (SSH-2 protocol).</para>
<para>On the remote system, set the respective entries, "<literal>PubkeyAuthentication yes</literal>", in "<literal>/etc/ssh/sshd_config</literal>".</para>
<para>Generate authentication keys locally and install the public key on the remote system by the following.</para>
<screen>$ ssh-keygen -t rsa
$ cat .ssh/id_rsa.pub | ssh user1@remote "cat - &gt;&gt;.ssh/authorized_keys"</screen>
<para>You can add options to the entries in "<literal>~/.ssh/authorized_keys</literal>" to limit hosts and to run specific commands. See <literal>sshd</literal>(8) "AUTHORIZED_KEYS FILE FORMAT".</para>
</section>
<section id="_dealing_with_alien_ssh_clients">
<title>Dealing with alien SSH clients</title>
<para>There are some free <ulink url="https://en.wikipedia.org/wiki/Secure_Shell">SSH</ulink> clients available for other platforms.</para>
<table pgwide="0" frame="topbot" rowsep="1" colsep="1">
<title>List of free SSH clients for other platforms</title>
<tgroup cols="2">
<colspec colwidth="97pt" align="left"/>
<colspec colwidth="358pt" align="left"/>
<thead>
<row>
<entry> environment </entry>
<entry> free SSH program </entry>
</row>
</thead>
<tbody>
<row>
<entry> Windows </entry>
<entry> puTTY (<ulink url="https://www.chiark.greenend.org.uk/~sgtatham/putty/">PuTTY: a free SSH and Telnet client</ulink>) (GPL) </entry>
</row>
<row>
<entry> Windows (cygwin) </entry>
<entry> SSH in cygwin (<ulink url="https://www.cygwin.com/">Cygwin: Get that Linux feeling - on Windows</ulink>) (GPL) </entry>
</row>
<row>
<entry> Mac OS X </entry>
<entry> OpenSSH; use <literal>ssh</literal> in the Terminal application (GPL) </entry>
</row>
</tbody>
</tgroup>
</table>
</section>
<section id="_setting_up_ssh_agent">
<title>Setting up ssh-agent</title>
<para>It is safer to protect your SSH authentication secret keys with a pass phrase. If a pass phrase was not set, use "<literal>ssh-keygen -p</literal>" to set it.</para>
<para>Place your public SSH key (e.g. "<literal>~/.ssh/id_rsa.pub</literal>") into "<literal>~/.ssh/authorized_keys</literal>" on a remote host using a password-based connection to the remote host as described above.</para>
<screen>$ ssh-agent bash
$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/<emphasis>username</emphasis>/.ssh/id_rsa:
Identity added: /home/<emphasis>username</emphasis>/.ssh/id_rsa (/home/<emphasis>username</emphasis>/.ssh/id_rsa)</screen>
<para>No remote password needed from here on for the next command.</para>
<screen>$ scp foo <emphasis>username</emphasis>@remote.host:foo</screen>
<para>Press ^D to terminating ssh-agent session.</para>
<para>For the X server, the normal Debian startup script executes <literal>ssh-agent</literal> as the parent process. So you only need to execute <literal>ssh-add</literal> once. For more, read <literal>ssh-agent</literal>(1) and <literal>ssh-add</literal>(1).</para>
</section>
<section id="_sending_a_mail_from_a_remote_host">
<title>Sending a mail from a remote host</title>
<para>If you have an SSH shell account on a server with proper DNS settings, you can send a mail generated on your workstation as an email genuinely sent from the remote server.</para>
<screen>$ ssh username@example.org /usr/sbin/sendmail -bm -ti -f "username@example.org" &lt; mail_data.txt</screen>
</section>
<section id="_port_forwarding_for_smtp_pop3_tunneling">
<title>Port forwarding for SMTP/POP3 tunneling</title>
<para>To establish a pipe to connect to port 25 of <literal>remote-server</literal> from port 4025 of <literal>localhost</literal>, and to port 110 of <literal>remote-server</literal> from port 4110 of <literal>localhost</literal> through <literal>ssh</literal>, execute on the local host as the following.</para>
<screen># ssh -q -L 4025:remote-server:25 4110:remote-server:110 username@remote-server</screen>
<para>This is a secure way to make connections to SMTP/POP3 servers over the Internet. Set the "<literal>AllowTcpForwarding</literal>" entry to "<literal>yes</literal>" in "<literal>/etc/ssh/sshd_config</literal>" of the remote host.</para>
</section>
<section id="_how_to_shutdown_the_remote_system_on_ssh">
<title>How to shutdown the remote system on SSH</title>
<para>You need to protect the process doing "<literal>shutdown -h now</literal>" (see <xref linkend="_how_to_shutdown_the_system"/>) from the termination of SSH using the <literal>at</literal>(1) command (see <xref linkend="_scheduling_tasks_once"/>) by the following.</para>
<screen># echo "shutdown -h now" | at now</screen>
<para>Running "<literal>shutdown -h now</literal>" in <literal>screen</literal>(1) (see <xref linkend="_the_screen_program"/>) session is another way to do the same.</para>
</section>
<section id="_troubleshooting_ssh">
<title>Troubleshooting SSH</title>
<para>If you have problems, check the permissions of configuration files and run <literal>ssh</literal> with the "<literal>-v</literal>" option.</para>
<para>Use the "<literal>-p</literal>" option if you are root and have trouble with a firewall; this avoids the use of server ports 1 — 1023.</para>
<para>If <literal>ssh</literal> connections to a remote site suddenly stop working, it may be the result of tinkering by the sysadmin, most likely a change in "<literal>host_key</literal>" during system maintenance. After making sure this is the case and nobody is trying to fake the remote host by some clever hack, one can regain a connection by removing the "<literal>host_key</literal>" entry from "<literal>~/.ssh/known_hosts</literal>" on the local host.</para>
</section>
</section>
<section id="_the_print_server_and_utilities">
<title>The print server and utilities</title>
<para>In the old Unix-like system, the BSD <ulink url="https://en.wikipedia.org/wiki/Line_Printer_Daemon_protocol">Line printer daemon (lpd)</ulink> was the standard and the standard print out format of the classic free software was <ulink url="https://en.wikipedia.org/wiki/PostScript">PostScript (PS)</ulink>. Some filter system was used along with <ulink url="https://en.wikipedia.org/wiki/Ghostscript">Ghostscript</ulink> to enable printing to the non-PostScript printer. See <xref linkend="_ghostscript"/>.</para>
<para>In the modern Debian system, the <ulink url="https://en.wikipedia.org/wiki/Common_Unix_Printing_System">Common UNIX Printing System</ulink> (CUPS) is the de facto standard and the standard print out format of the modern free software is <ulink url="https://en.wikipedia.org/wiki/PDF">Portable Document Format (PDF)</ulink>.</para>
<para>The CUPS uses <ulink url="https://en.wikipedia.org/wiki/Internet_Printing_Protocol">Internet Printing Protocol</ulink> (IPP). The IPP is now supported by other OSs such as Windows XP and Mac OS X and has became new cross-platform de facto standard for remote printing with bi-directional communication capability.</para>
<para>Thanks to the file format dependent auto-conversion feature of the CUPS system, simply feeding any data to the <literal>lpr</literal> command should generate the expected print output. (In CUPS, <literal>lpr</literal> can be enabled by installing the <literal>cups-bsd</literal> package.)</para>
<para>The Debian system has some notable packages for the print servers and utilities.</para>
<table pgwide="0" frame="topbot" rowsep="1" colsep="1">
<title>List of print servers and utilities</title>
<tgroup cols="5">
<colspec colwidth="152pt" align="left"/>
<colspec colwidth="76pt" align="left"/>
<colspec colwidth="70pt" align="left"/>
<colspec colwidth="81pt" align="left"/>
<colspec colwidth="385pt" align="left"/>
<thead>
<row>
<entry> package </entry>
<entry> popcon </entry>
<entry> size </entry>
<entry> port </entry>
<entry> description </entry>
</row>
</thead>
<tbody>
<row>
<entry> <literal>lpr</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> printer (515) </entry>
<entry> BSD lpr/lpd (<ulink url="https://en.wikipedia.org/wiki/Line_Printer_Daemon_protocol">Line printer daemon</ulink>) </entry>
</row>
<row>
<entry> <literal>lprng</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry> , , (Enhanced) </entry>
</row>
<row>
<entry> <literal>cups</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> IPP (631) </entry>
<entry> Internet Printing CUPS server </entry>
</row>
<row>
<entry> <literal>cups-client</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry><ulink url="https://en.wikipedia.org/wiki/System_V_printing_system">System V printer commands</ulink> for CUPS: <literal>lp</literal>(1), <literal>lpstat</literal>(1), <literal>lpoptions</literal>(1), <literal>cancel</literal>(1), <literal>lpmove</literal>(8), <literal>lpinfo</literal>(8), <literal>lpadmin</literal>(8), … </entry>
</row>
<row>
<entry> <literal>cups-bsd</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry><ulink url="https://en.wikipedia.org/wiki/Line_Printer_Daemon_protocol">BSD printer commands</ulink> for CUPS: <literal>lpr</literal>(1), <literal>lpq</literal>(1), <literal>lprm</literal>(1), <literal>lpc</literal>(8) </entry>
</row>
<row>
<entry> <literal>printer-driver-gutenprint</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> Not applicable </entry>
<entry> printer drivers for CUPS </entry>
</row>
</tbody>
</tgroup>
</table>
<tip> <para>You can configure CUPS system by pointing your web browser to "<ulink url="http://localhost:631/">http://localhost:631/</ulink>" .</para> </tip>
</section>
<section id="_other_network_application_servers">
<title>Other network application servers</title>
<para>Here are other network application servers.</para>
<table pgwide="0" frame="topbot" rowsep="1" colsep="1">
<title>List of other network application servers</title>
<tgroup cols="5">
<colspec colwidth="119pt" align="left"/>
<colspec colwidth="76pt" align="left"/>
<colspec colwidth="70pt" align="left"/>
<colspec colwidth="385pt" align="left"/>
<colspec colwidth="667pt" align="left"/>
<thead>
<row>
<entry> package </entry>
<entry> popcon </entry>
<entry> size </entry>
<entry> protocol </entry>
<entry> description </entry>
</row>
</thead>
<tbody>
<row>
<entry> <literal>telnetd</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/TELNET">TELNET</ulink> </entry>
<entry> TELNET server </entry>
</row>
<row>
<entry> <literal>telnetd-ssl</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry> , , (SSL support) </entry>
</row>
<row>
<entry> <literal>nfs-kernel-server</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/Network_File_System_(protocol)">NFS</ulink> </entry>
<entry> Unix file sharing </entry>
</row>
<row>
<entry> <literal>samba</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/Server_Message_Block">SMB</ulink> </entry>
<entry> Windows file and printer sharing </entry>
</row>
<row>
<entry> <literal>netatalk</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/AppleTalk">ATP</ulink> </entry>
<entry> Apple/Mac file and printer sharing (AppleTalk) </entry>
</row>
<row>
<entry> <literal>proftpd-basic</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/File_Transfer_Protocol">FTP</ulink> </entry>
<entry> General file download </entry>
</row>
<row>
<entry> <literal>apache2</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol">HTTP</ulink> </entry>
<entry> General web server </entry>
</row>
<row>
<entry> <literal>squid</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry> General web <ulink url="https://en.wikipedia.org/wiki/Proxy_server">proxy server</ulink> </entry>
</row>
<row>
<entry> <literal>bind9</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/Domain_Name_System">DNS</ulink> </entry>
<entry> IP address for other hosts </entry>
</row>
<row>
<entry> <literal>isc-dhcp-server</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol">DHCP</ulink> </entry>
<entry> IP address of client itself </entry>
</row>
</tbody>
</tgroup>
</table>
<para>Common Internet File System Protocol (CIFS) is the same protocol as <ulink url="https://en.wikipedia.org/wiki/Server_Message_Block">Server Message Block (SMB)</ulink> and is used widely by Microsoft Windows.</para>
<tip> <para>See <xref linkend="_the_modern_centralized_system_management"/> for integration of server systems.</para> </tip>
<tip> <para>The hostname resolution is usually provided by the <ulink url="https://en.wikipedia.org/wiki/Domain_Name_System">DNS</ulink> server. For the host IP address dynamically assigned by <ulink url="https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol">DHCP</ulink>, <ulink url="https://en.wikipedia.org/wiki/Dynamic_DNS">Dynamic DNS</ulink> can be set up for the hostname resolution using <literal>bind9</literal> and <literal>isc-dhcp-server</literal> as described in the <ulink url="https://wiki.debian.org/DDNS">DDNS page on the Debian wiki</ulink>.</para> </tip>
<tip> <para>Use of proxy server such as <literal>squid</literal> is much more efficient for saving bandwidth than use of local mirror server with the full Debian archive contents.</para> </tip>
</section>
<section id="_other_network_application_clients">
<title>Other network application clients</title>
<para>Here are other network application clients.</para>
<table pgwide="0" frame="topbot" rowsep="1" colsep="1">
<title>List of network application clients</title>
<tgroup cols="5">
<colspec colwidth="97pt" align="left"/>
<colspec colwidth="76pt" align="left"/>
<colspec colwidth="70pt" align="left"/>
<colspec colwidth="684pt" align="left"/>
<colspec colwidth="124pt" align="left"/>
<thead>
<row>
<entry> package </entry>
<entry> popcon </entry>
<entry> size </entry>
<entry> protocol </entry>
<entry> description </entry>
</row>
</thead>
<tbody>
<row>
<entry> <literal>netcat-traditional</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/TCP/IP">TCP/IP</ulink> </entry>
<entry> TCP/IP swiss army knife </entry>
</row>
<row>
<entry> <literal>netcat-openbsd</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/TCP/IP">TCP/IP</ulink> </entry>
<entry> TCP/IP swiss army knife with support for IPv6, proxies, and Unix sockets</entry>
</row>
<row>
<entry> <literal>openssl</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/Transport_Layer_Security">SSL</ulink> </entry>
<entry> Secure Socket Layer (SSL) binary and related cryptographic tools </entry>
</row>
<row>
<entry> <literal>stunnel4</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry> universal SSL Wrapper </entry>
</row>
<row>
<entry> <literal>telnet</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/TELNET">TELNET</ulink> </entry>
<entry> TELNET client </entry>
</row>
<row>
<entry> <literal>telnet-ssl</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry> , , (SSL support) </entry>
</row>
<row>
<entry> <literal>nfs-common</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/Network_File_System_(protocol)">NFS</ulink> </entry>
<entry> Unix file sharing </entry>
</row>
<row>
<entry> <literal>smbclient</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/Server_Message_Block">SMB</ulink> </entry>
<entry> MS Windows file and printer sharing client </entry>
</row>
<row>
<entry> <literal>cifs-utils</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry> mount and umount commands for remote MS Windows file </entry>
</row>
<row>
<entry> <literal>ftp</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/File_Transfer_Protocol">FTP</ulink> </entry>
<entry> FTP client </entry>
</row>
<row>
<entry> <literal>lftp</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry> , , </entry>
</row>
<row>
<entry> <literal>ncftp</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry> full screen FTP client </entry>
</row>
<row>
<entry> <literal>wget</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry><ulink url="https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol">HTTP</ulink> and <ulink url="https://en.wikipedia.org/wiki/File_Transfer_Protocol">FTP</ulink> </entry>
<entry> web downloader </entry>
</row>
<row>
<entry> <literal>curl</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry> , , </entry>
</row>
<row>
<entry> <literal>axel</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry> accelerated downloader </entry>
</row>
<row>
<entry> <literal>aria2</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry> accelerated downloader with <ulink url="https://en.wikipedia.org/wiki/BitTorrent_(protocol)">BitTorrent</ulink> and <ulink url="https://en.wikipedia.org/wiki/Metalink">Metalink</ulink> supports </entry>
</row>
<row>
<entry> <literal>bind9-host</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/Domain_Name_System">DNS</ulink> </entry>
<entry><literal>host</literal>(1) from bind9, "<literal>Priority: standard</literal>" </entry>
</row>
<row>
<entry> <literal>dnsutils</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> , , </entry>
<entry><literal>dig</literal>(1) from bind, "<literal>Priority: standard</literal>" </entry>
</row>
<row>
<entry> <literal>isc-dhcp-client</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol">DHCP</ulink> </entry>
<entry> obtain IP address </entry>
</row>
<row>
<entry> <literal>ldap-utils</literal> </entry>
<entry> @-@popcon1@-@ </entry>
<entry> @-@psize1@-@ </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol">LDAP</ulink> </entry>
<entry> obtain data from LDAP server </entry>
</row>
</tbody>
</tgroup>
</table>
</section>
<section id="_the_diagnosis_of_the_system_daemons">
<title>The diagnosis of the system daemons</title>
<para>The <literal>telnet</literal> program enables manual connection to the system daemons and its diagnosis.</para>
<para>For testing plain <ulink url="https://en.wikipedia.org/wiki/Post_Office_Protocol">POP3</ulink> service, try the following</para>
<screen>$ telnet mail.ispname.net pop3</screen>
<para>For testing the <ulink url="https://en.wikipedia.org/wiki/Transport_Layer_Security">TLS</ulink>/SSL enabled <ulink url="https://en.wikipedia.org/wiki/Post_Office_Protocol">POP3</ulink> service by some ISPs, you need TLS/SSL enabled <literal>telnet</literal> client by the <literal>telnet-ssl</literal> or <literal>openssl</literal> packages.</para>
<screen>$ telnet -z ssl pop.gmail.com 995</screen>
<screen>$ openssl s_client -connect pop.gmail.com:995</screen>
<para>The following <ulink url="https://www.ietf.org/standards/rfcs/">RFCs</ulink> provide required knowledge to each system daemon.</para>
<table pgwide="0" frame="topbot" rowsep="1" colsep="1">
<title>List of popular RFCs</title>
<tgroup cols="2">
<colspec colwidth="499pt" align="left"/>
<colspec colwidth="249pt" align="left"/>
<thead>
<row>
<entry> RFC </entry>
<entry> description </entry>
</row>
</thead>
<tbody>
<row>
<entry><ulink url="https://datatracker.ietf.org/doc/rfc1939/">rfc1939</ulink> and <ulink url="https://datatracker.ietf.org/doc/rfc2449/">rfc2449</ulink> </entry>
<entry><ulink url="https://en.wikipedia.org/wiki/Post_Office_Protocol">POP3</ulink> service </entry>
</row>
<row>
<entry> <ulink url="https://datatracker.ietf.org/doc/rfc3501/">rfc3501</ulink> </entry>
<entry><ulink url="https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol">IMAP4</ulink> service </entry>
</row>
<row>
<entry><ulink url="https://datatracker.ietf.org/doc/rfc2821/">rfc2821</ulink> (<ulink url="https://datatracker.ietf.org/doc/rfc821/">rfc821</ulink>) </entry>
<entry><ulink url="https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol">SMTP</ulink> service </entry>
</row>
<row>
<entry><ulink url="https://datatracker.ietf.org/doc/rfc2822/">rfc2822</ulink> (<ulink url="https://datatracker.ietf.org/doc/rfc822/">rfc822</ulink>) </entry>
<entry> Mail file format </entry>
</row>
<row>
<entry> <ulink url="https://datatracker.ietf.org/doc/rfc2045/">rfc2045</ulink> </entry>
<entry> <ulink url="https://en.wikipedia.org/wiki/MIME">Multipurpose Internet Mail Extensions (MIME)</ulink> </entry>
</row>
<row>
<entry> <ulink url="https://datatracker.ietf.org/doc/rfc819/">rfc819</ulink> </entry>
<entry><ulink url="https://en.wikipedia.org/wiki/Domain_Name_System">DNS</ulink> service </entry>
</row>
<row>
<entry> <ulink url="https://datatracker.ietf.org/doc/rfc2616/">rfc2616</ulink> </entry>
<entry><ulink url="https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol">HTTP</ulink> service </entry>
</row>
<row>
<entry> <ulink url="https://datatracker.ietf.org/doc/rfc2396/">rfc2396</ulink> </entry>
<entry><ulink url="https://en.wikipedia.org/wiki/Uniform_Resource_Identifier">URI</ulink> definition </entry>
</row>
</tbody>
</tgroup>
</table>
<para>The port usage is described in "<literal>/etc/services</literal>".</para>
</section>
</chapter>
Reference in a new issue View git blame Copy permalink