= Do not use Edit(GUI) button. =

[[TableOfContents(4)]]

Copyright 2007, 2008  Osamu Aoki GPL, (Please agree to GPL, GPL2, and any version of GPL which is compatible with DSFG if you update any part of wiki page)

Generated HTML is at "[http://people.debian.org/~osamu/pub/getwiki/html/ch07.en.html Debian Reference: Chapter 7. Network applications]".

I welcome your contributions to update this wiki page. You must follow these rules:
 * Do not use Edit(GUI) button of MoinMoin.
 * You can update anytime for:
  * grammar errors
  * spelling errors
  * moved URL location
  * package name transition adjustment (emacs23 etc.)
  * clearly broken script.
 * Before updating this wiki content:
  * Read "[http://wiki.debian.org/DebianReference/Test Guide for contributing to Debian Reference]".

= Network applications =

== Web browsers ==

There are many [http://en.wikipedia.org/wiki/Web_Browsers web browser] packages to access remote contents with [http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol Hypertext Transfer Protocol] (HTTP).

|| List of web browsers. || 1 || 2 || 3 ||
|| '''package''' || '''popcon''' || '''size''' || '''description''' ||
|| {{{iceweasel}}} || 17848 || - || Web browser (X) (unbranded Firefox) ||
|| {{{iceape-browser}}} || 1804 || - || Web browser (X) (unbranded Mozilla browser) ||
|| {{{epiphany-browser}}} || 9841 || - || Web browser (X) (Gnome HIG compliant browser) ||
|| {{{galeon}}} || 985 || - || Web browser (X) (Gnome browser) ||
|| {{{konqueror}}} || 5651 || - || Web browser (X) (KDE browser) ||
|| {{{w3m}}} || 6313 || - || Web browser (text) ||
|| {{{lynx}}} || 4662 || - || , , ||
|| {{{elinks}}} || 1343 || - || , , ||
|| {{{links}}} || 1148 || - || , , ||
|| {{{links2}}} || 598 || - || , , ||

=== Browser configuration ===

You may be able to use following special URL strings for some browsers to confirm their settings.

 * "{{{about:}}}"
 * "{{{about:config}}}"
 * "{{{about:plugins}}}"

Debian offers many free browser plugin packages in the main component which can handle not only [http://en.wikipedia.org/wiki/Java_(software_platform) Java (software platform)] and [http://en.wikipedia.org/wiki/Adobe_Flash Flash] but also [http://en.wikipedia.org/wiki/MPEG-1 MPEG], [http://en.wikipedia.org/wiki/MPEG-2 MPEG2], [http://en.wikipedia.org/wiki/MPEG-4 MPEG4], [http://en.wikipedia.org/wiki/DivX DivX], [http://en.wikipedia.org/wiki/Windows_Media_Video Windows Media Video (.wmv)], [http://en.wikipedia.org/wiki/QuickTime QuickTime (.mov)], [http://en.wikipedia.org/wiki/MP3 MP3 (.mp3)], [http://en.wikipedia.org/wiki/Vorbis Ogg/Vorbis] files, DVDs, VCDs, etc.  Debian also offers helper programs to install non-free browser plugin packages as contrib or non-free components.

|| List of browser plugin packages. || 1 || 2 || 3 || ||
|| '''package''' || '''popcon''' || '''size''' || '''component''' || '''description''' ||
|| {{{icedtea-gcjwebplugin}}} || - || - || main || Java plugin using Hotspot JIT ||
|| {{{java-gcj-compat-plugin}}} || - || - || main || Java plugin using the gij runtime ||
|| {{{sun-java5-plugin}}} || - || - || non-free || Java plugin for Sun's Java SE 5.0 (i386 only) ||
|| {{{sun-java6-plugin}}} || - || - || non-free || Java plugin for Sun's Java SE 6 (i386 only) ||
|| {{{swfdec-mozilla}}} || - || - || main || Flash plugin based on libswfdec ||
|| {{{mozilla-plugin-gnash}}} || - || - || main || Flash plugin based on Gnash ||
|| {{{flashplugin-nonfree}}} || - || - || contrib || Flash plugin helper to install Adobe Flash Player (i386, amd64 only) ||
|| {{{mozilla-bonobo}}} || - || - || main || Mozilla plugin support for Gnome Bonobo components ||
|| {{{mozilla-plugin-vlc}}} || - || - || main || Multimedia plugin based on [http://en.wikipedia.org/wiki/VLC_media_player VLC media player] ||
|| {{{totem-mozilla}}} || - || - || main || Multimedia plugin based on [http://en.wikipedia.org/wiki/Totem_(media_player) Gnome's Totem media player] ||
|| {{{gecko-mediaplayer}}} || - || - || main || Multimedia plugin based on (GNOME) [http://en.wikipedia.org/wiki/MPlayer MPlayer] ||
|| {{{nspluginwrapper}}} || - || - || contrib || A wrapper to run i386 Netscape plugins on amd64 architecture ||

## JAVA: FREE: 1.4 CONTRIB: 1.6 NONFREE >>1.6
## FLASH: YOUTUBE=YES, GOOGLE STREET VIEW: only NON=FREE
## GRAPHICS: in order of formats.

## RC buggy and about to be removed.
## || {{{libflash-mozplugin}}} || - || - || main || Flash plugin based on libflash ||
## removed
##|| {{{gcjwebplugin}}} || - || - || main || Java plugin using Free Java Virtual Machine ||


{i} Although use of above Debian packages are much easier, browser plugins can be still manually enabled by installing "*.so" into plugin directories (e.g., {{{/usr/lib/iceweasel/plugins/}}}) and restarting browsers.  

Some web sites refuse to be connected based on the user-agent string of your browser.  You can work around this situation by [http://www.mozilla.org/unix/customizing.html#prefs spoofing the user-agent string].  For exaple, you can do this by adding:
{{{
user_pref{"general.useragent.override","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"};
}}}
into user configuration files such as {{{~/.gnome2/epiphany/mozilla/epiphany/user.js}}} or {{{~/.mozilla/firefox/*.default/user.js}}}. Alternatively, you can add and reset this variable by typing "{{{about:config}}}" into URL and right clicking its display contents. 

<!> Spoofed user-agent string may cause [https://bugzilla.mozilla.org/show_bug.cgi?id=83376 bad side effects with Java].

## In order to keep it short and stable, I chose not to include these:
## Other method works varying degree.  
## about:config seems edittable for firefox/iceweasel while ephiphany is just for reset and add.
## * For running X based browsers such as, {{{iceweasel}}}, you can add this variable by typing "{{{about:config}}}" into URL.
## * For running X based mail agents such as {{{icedove}}}, you can add this variable by clicking "Edit" -> "Preferences" -> "Advanced" -> "General" -> "Config Editor".
## * For permanent fix, add "{{{user_pref{"general.useragent.override","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0)"};}}}" into configuration files such as {{{~/.gnome2/epiphany/mozilla/epiphany/prefs.js}}} or {{{~/.mozilla/firefox/*.default/prefs.js}}}.

## For more information, see http://www.mozilla.org/unix/customizing.html#prefs .


== The mail system ==

<!> If you are to set up the mail server to exchange mail directly with the Internet, you should be better than reading this elementary document.

=== Modern mail service basics ===

In order to contain spam (unwanted and unsolicited e-mail) problems, many ISPs which provide consumer grade Internet connection are implementing counter measures:
 * The smarthost service for their customers to send message uses the message submission port (587) specified in [http://tools.ietf.org/html/rfc4409 rfc4409] with the password (SMTP AUTH service) specified in [http://tools.ietf.org/html/rfc4954 rfc4954].
 * The [http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol SMTP] port (25) connection from their internal network hosts (except ISP's own outgoing mail server) to the Internet are blocked.
 * The [http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol SMTP] port (25) connection to the ISP's incoming mail server from some suspicious external network hosts are blocked.  (The connection from hosts on the dynamic IP address range used by the dial-up and other consumer grade Internet connections are the first ones to be blocked.)

When configuring your mail system or resolving mail delivery problems, you must consider these new limitations.

In light of these hostile Internet situation and limitations, some independent Internet mail ISPs such as Yahoo.com and Gmail.com offer the secure mail service which can be connected from anywhere on the Internet using [http://en.wikipedia.org/wiki/Transport_Layer_Security Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL)] :
 * The smarthost service for their customers to send message uses the SMTP/SSL port (465) or the message submission port (587) with the password (SMTP AUTH service).
 * The incoming mail is accessible at the TLS/POP3 port (995) with [http://en.wikipedia.org/wiki/Post_Office_Protocol POP3].

<!> It is not realistic to run SMTP server on consumer grade network to send mail directly to the remote host reliably.  They are very likely to be rejected.  You must use some smarthost services offered by your connection ISP or independent mail ISPs.  For the simplicity, I will assume that the smarthost is located at "{{{smtp.hostname.dom}}}", requires SMTP AUTH, and uses the message submission port 587 in the following text.

=== Basic mail software choice ===

|| List of popular mail system for workstation. || 1 || 2 || 3 ||
|| '''package''' || '''popcon''' || '''size''' || '''function''' ||
|| {{{exim4-daemon-light}}} ||  || 909k || Exim4 mail transport agent (MTA: Debian etch default) ||
|| {{{exim4-base}}} ||  ||  || Exim4 documentation (text) and common files ||
|| {{{exim4-doc-html}}} ||  ||  || Exim4 documentation (html) ||
|| {{{exim4-doc-info}}} ||  ||  || Exim4 documentation (info) ||
|| {{{postfix}}} ||  ||  || Postfix mail transport agent (MTA: alternative) ||
|| {{{postfix-doc}}} ||  ||  || Postfix documentation (html+text) ||
|| {{{sasl2-bin}}} ||  ||  || Cyrus SASL API implementation (supplement postfix for SMTP-AUTH) ||
|| {{{cyrus-sasl2-doc}}} || || || Cyrus SASL - documentation ||
|| {{{fetchmail}}} || 1969 || 1843k || Remote mail retrieval and forwarding utility ||
|| {{{procmail}}} || 8677 || 369k || Mail filter utility ||
|| {{{mutt}}} || 6979 with all:15655 || 5124k with 1630k || Mail user agent (MUA) to read/write the mail usually used with {{{vim}}} ||

The choice between {{{exim4-*}}} and {{{postfix}}} packages is really up to you.  

Although the popcon vote count of exim4 looks several times popular than that of postfix, this does not mean postfix is not popular with Debian developers.  The Debian server system uses both exim4 and postfix.  The [http://wiki.debian.org/DefaultMTA mail header analysis] of mailing list postings from prominent Debian developers also indicate both of these MTAs are as popular.

The {{{exim4-*}}} are known to have very small memory consumption and very flexible for its configuration.  The {{{postfix}}} is known to be compact, fast, simple, and secure.  Both come with ample documentation and are as good in quality and license.  

=== The mail configuration strategy for workstation ===

The most simple mail configuration is that the mail is sent to the ISP's smarthost and received from ISP's POP3 server by the MUA itself. This type of configuration is popular with full featured GUI based mail user agent (MUA) such as {{{icedove}}}, {{{evolution}}}, etc.. If you need to filter mail by their types, you use MUA's filtering function. For this case, the local mail transport agent (MTA) need to do local delivery only.

The alternative mail configuration is that the mail is sent via local MTA to the ISP's smarthost and received from ISP's POP3 by {{{fetchmail}}}(1) to the local mailbox.  If you need to filter mail by their types, you use {{{procmail}}}(1) to filter mail into separate mailboxes.  This type of configuration is popular with simple console based MUA such as {{{mutt}}}, {{{gnus}}}, etc., although this is possible with any MUAs. For this case, the local MTA need to do both smarthost delivery and local delivery.

==== The configuration of exim4 ====

For Internet via smarthost, you (re)configure {{{exim4-*}}} packages as follows:

{{{
$ sudo /etc/init.d/exim4 stop
$ sudo dpkg-reconfigure exim4-conf
}}}
 * Chose "mail sent by smarthost; received via SMTP or fetchmail".
 * Set "IP address or host name of the outgoing smarthost:" to "smtp.hostname.dom:587".
{{{
$ sudo vim /etc/exim4/passwd.client
}}}
 * Create password entries for the smarthost.
{{{
$ cat /etc/exim4/passwd.client
^smtp.*\.hostname\.dom:username@hostname.dom:password
$ sudo /etc/init.d/exim4 start
}}}

The host name in {{{/etc/exim4/passwd.client}}} should not be the alias.  You check the real host name with:
{{{
$ host smtp.hostname.dom
smtp.hostname.dom is an alias for smtp99.hostname.dom.
smtp99.hostname.dom has address 123.234.123.89
}}}
I use regex in {{{/etc/exim4/passwd.client}}} to work around the alias issue so even if the ISP moves host pointed by the alias, SMTP AUTH will likely be working.

{i} Local customization file {{{/etc/exim4/exim4.conf.localmacros}}} may be created to set MACROs.  For example, Yahoo's mail service is said to require "{{{MAIN_TLS_ENABLE = true}}}" and "{{{AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS=yes}}}" in it.

(!) Please read the official guide at: {{{/usr/share/doc/exim4-base/README.Debian.gz}}} and {{{update-exim4.conf}}}(8).

<!> You should execute {{{update-exim4.conf}}}(8) after updating exim4 configuration files in {{{/etc/exim4}}}. 

==== The configuration of postfix with SASL ====

For Internet via smarthost, you should first read [http://www.postfix.org/documentation.html postfix documentation] and key manual pages:

|| List of important postfix manual pages || ||
|| '''command''' || '''function''' ||
|| {{{postfix}}}(1) ||   Postfix control program ||
|| {{{postconf}}}(1) ||  Postfix configuration utility ||
|| {{{postconf}}}(5) ||  Postfix configuration parameters ||
|| {{{postmap}}}(1) ||  Postfix lookup table maintenance ||
|| {{{postalias}}}(1) ||  Postfix alias database maintenance ||

You (re)configure {{{postfix}}} and {{{sasl2-bin}}} packages as follows:
{{{
$ sudo /etc/init.d/postfix stop
$ sudo dpkg-reconfigure postfix
}}}
 * Chose "Internet with smarthost"
 * Set "SMTP relay host (blank for none):" to "{{{[smtp.hostname.dom]:587}}}"
{{{
$ sudo postconf -e 'smtp_sender_dependent_authentication = yes'
$ sudo postconf -e 'smtp_sasl_auth_enable = yes'
$ sudo postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'
$ sudo postconf -e 'smtp_sasl_type = cyrus'
$ sudo vim /etc/postfix/sasl_passwd
}}}
 * Create password entries for the smarthost.
{{{
$ cat /etc/postfix/sasl_passwd
[smtp.hostname.dom]:587     username:password
$ sudo postmap hush:/etc/postfix/sasl_passwd
$ sudo /etc/init.d/postfix start
}}}

Here the use of {{{[ ]}}} in the dpkg-reconfigure dialogue and {{{/etc/postfix/sasl_passwd}}} ensures not to check MX record but directly use exact hostname specified.  Read more for "Enabling SASL authentication in the Postfix SMTP client" in {{{usr/share/doc/postfix/html/SASL_README.html}}}.

==== The mail address configuration ====

There are a few [http://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-mail-transport-agents mail address configuration files for mail transport, delivery and user agents].

|| List of mail address related configuration files. || || ||
|| '''file''' || '''function''' || '''application''' ||
|| {{{/etc/mailname}}} || default host name for (outgoing) mail || Debian specific, {{{mailname}}}(5) ||
|| {{{/etc/email-addresses}}} || host name spoofing for outgoing mail || {{{exim}}}(8) specific, {{{exim4-config_files}}}(5) ||
|| {{{/etc/postfix/generic}}} || host name spoofing for outgoing mail || {{{postfix}}}(1) specific, activated after {{{postmap}}}(1) command execution. ||
|| {{{/etc/aliases}}} || account name alias for incoming mail || general, activated after {{{newaliases}}}(1) command execution. ||

The '''mailname''' in the {{{/etc/mailname}}} file is usually a fully qualified domain name (FQDN) that resolves to one of the host's IP addresses.  The mobile workstation which does not have a hostname with resolvable IP address, set this '''mailname''' to the value of "{{{hostname -f}}}". (This is safe choice and works for both {{{exim4-*}}} and {{{postfix}}}.)

{i} The contents of {{{/etc/mailname}}} is used by many non-MTA programs for their default behavior. For {{{mutt}}}, set "{{{hostname}}}" and "{{{from}}}" variables in {{{~/muttrc}}} file to override the '''mailname''' value.  For {{{devscripts}}} package programs such as {{{bts}}} and {{{dch}}}, export environment variables "{{{DEBFULLNAME}}}" and "{{{DEBEMAIL}}}" to override it.

When setting the '''mailname''' to "{{{hostname -f}}}", the spoofing of the source mail address via MTA can be realized by:
 * {{{/etc/email-addresses}}} file for {{{exim4}}}(8) as explained in the {{{exim4-config_files}}}(5), and
 * {{{/etc/postfix/generic}}} file for {{{postfix}}}(1) as explained in the {{{generic}}}(5).

For {{{postfix}}}, the following extra steps are needed:
{{{
# postmap hash:/etc/postfix/generic
# postconf -e 'smtp_generic_maps = hash:/etc/postfix/generic'
# postfix reload
}}}

You check filters using:
 * {{{exim}}}(8) with {{{-brw, -bf, -bF, -bV, ...}}} options.
 * {{{postmap}}}(1) with {{{-q}}} option.

{i} Exim comes with several utility programs such as {{{exiqgrep}}}(8) and {{{exipick}}}(8).  See "{{{dpkg -L exim4-base|grep man8/}}}" for available commands.

=== Tips for managing the mail ===

==== Basic MTA operations ====

There are several basic MTA operations.  Some may be performed via {{{sendmail}}}(1) compatibility interface.

|| List of basic MTA operation. || || ||
|| '''exim command''' ||  '''postfix command''' || '''description''' ||
|| {{{sendmail}}} || {{{sendmail}}} || Read mail from standard input and arrange for delivery. ({{{-bm}}}) ||
|| {{{mailq}}} || {{{mailq}}} || List the mail queue with status and queue ID. ({{{-bp}}}) ||
|| {{{newaliases}}} || {{{newaliases}}} || Initialize alias database. ({{{-I}}}) ||
|| {{{exim4 -q}}}   || {{{postqueue -f}}} || flush waiting mail ({{{-q}}})||
|| {{{exim4 -qf}}}  || {{{postsuper -r ALL deferred; postqueue -f}}}  || flush all mail ||
|| {{{exim4 -qff}}} || {{{postsuper -r ALL; postqueue -f}}} || flush even frozen mail ||
|| {{{exim4 -Mg queue_id}}} || {{{postsuper -h queue_id}}} || freeze one message by its queue ID ||
|| {{{exim4 -Mrm queue_id}}} || {{{postsuper -d queue_id}}} || remove one message by its queue ID ||
|| --- || {{{postsuper -d ALL}}} || remove all messages ||

For the script in {{{/etc/ppp/ip-up.d/*}}}, "flush all mail" may be good idea.

==== Basic MUA  -- Mutt ====

Use {{{mutt}}} as the mail user agent (MUA) in combination with {{{vim}}}. Customize with {{{~/.muttrc}}}; for example:

{{{
# use visual mode and "gq" to reformat quotes
set editor="vim -c 'set tw=72 et ft=mail'"
#
# header weeding taken from the manual (Sven's Draconian header weeding)
#
ignore *
unignore from: date subject to cc
unignore user-agent x-mailer
hdr_order from subject to cc date user-agent x-mailer
set hostname=spoof.example.org
set from="First Last <username@example.org>"
....
}}}

Add the following to {{{/etc/mailcap}}} or {{{$HOME/.mailcap}}} to display HTML mail and MS Word attachments inline:

{{{
text/html; lynx -force_html %s; needsterminal;
application/msword; /usr/bin/antiword '%s'; copiousoutput; description="Microsoft Word Text"; nametemplate=%s.doc
}}}


==== Redeliver mbox contents ====

You need to manually deliver mails to the sorted mailboxes in your home directory from {{{/var/mail/<username>}}} if your home directory became full and {{{procmail}}} failed.  After making disk space in the home directory, run:
{{{
# /etc/init.d/${MAILDAEMON} stop
# formail -s procmail </var/mail/<username>
# /etc/init.d/${MAILDAEMON} start
}}}


=== Choices of software for the mail ===

For mail system programs, there are many alternatives developed with different priority.  Here is the overview.

==== MTA ====

|| List of MTA. || 1 || 2 || 3 ||
|| '''package''' || '''popcon''' || '''size''' || '''capability''' ||
|| {{{exim4-daemon-light}}} || 26123 || 913 || full ||
|| {{{postfix}}} || 5607 || 2822 || full (security) ||
|| {{{exim4-daemon-heavy}}} || 953 || 1032 || full (flexible) ||
|| {{{sendmail-bin}}} || 591 || 2068 || full (only if you are already familiar) ||
|| {{{nullmailer}}} || 285 || 442 || strip down, no local mail ||
|| {{{ssmtp}}} || 373 || 8 (?) || strip down, no local mail ||
|| {{{nbsmtp}}} || 172 || 123 || ? ||
|| {{{courier-mta}}} || 130 || 4030 || very full (web interface etc.)||
|| {{{xmail}}} || 52 || 795 || light ||
|| {{{masqmail}}} || 39 || 537 || light ||
|| {{{esmtp}}} || 37, 48 || 8+156 || light ||
|| {{{esmtp-run}}} || 37, 48 || 8+156 || light (sendmail compatibility extension to {{{esmtp}}}) ||
|| {{{msmtp}}} || 19 || 49+250 || light ||
|| {{{msmtp-mta}}} || 114 || 49+250 || light (sendmail compatibility extension to {{{msmtp}}}) ||

##|| {{{smail}}} || 25 || 1769 || full (old) ||

==== MUA ====

If you subscribe to Debian related mailing list, it may be a good idea to use such MUA as {{{mutt}}} and {{{gnus}}} which are the de facto standard for the participant and known to behave as expected.

|| List of MUA. || 1 || 2 || 3 ||
|| '''package''' || '''popcon''' || '''size''' || '''type''' ||
|| {{{iceweasel}}} || 17848 || 29400 || X GUI (unbranded Firefox) ||
|| {{{evolution}}} || 7103 || 8704 || X GUI (part of a groupware suite) ||
|| {{{icedove}}} ||4997 || 38800 || X GUI (unbranded Thunderbird) ||
|| {{{mutt}}} || 6979 with all:15655 || 5325 || character terminal probably with {{{vim}}}||
|| {{{gnus}}} || (*:673) with (all:4841+945) || 6423 || character terminal under {{{(x)emacs}}}||

==== The remote mail retrieval and forward utility ====

|| List of remote mail retrieval and forward utilities. || 1 || 2 || 3 ||
|| '''package''' || '''popcon''' || '''size''' || '''capability''' ||
|| {{{fetchmail}}} || 1969 || 1851 || mail retriever (POP3, APOP, IMAP) (de facto) ||
|| {{{getmail4}}} || 154 || 631 || mail retriever (POP3, IMAP4, and SDPS) ||
|| {{{mailfilter}}} || 28 || 561 || mail retriever (POP3) with with regex filtering capability ||
|| {{{mpop}}} || 14 || 442 || mail retriever (POP3) and MDA with filtering capability ||

The {{{fetchmail}}} is the current de facto standard for the remote mail retrieval utility. The SysV init script in {{{/etc/init.d/fetchmail}}} will start a {{{fetchmail}}} daemon running as the user {{{fetchmail}}} to fetch mail from multiple POP3 accounts on multiple ISPs, if the configuration file {{{/etc/fetchmailrc}}} is present in the system. If the configuration file is not present, nothing is started.

(!) If your email headers are contaminated by ^M due to your ISP's mailer, add "stripcr" to your options in  {{{$HOME/.fetchmailrc}}}:
{{{
options fetchall no keep stripcr
}}}

==== MDA ====

|| List of MDA. || 1 || 2 || 3 ||
|| '''package''' || '''popcon''' || '''size''' || '''description''' ||
|| {{{procmail}}} || 8677 || 369 || MDA with filter (de facto) ||
|| {{{mailagent}}} || 314 || 1630 || MDA with perl filter ||
|| {{{maildrop}}} || 250 || 1028 || MDA with structured filtering language ||

The {{{procmail}}} is the current de facto standard for the mail filter utility. One needs to create {{{$HOME/.procmailrc}}} for each account that uses it.  For example:

{{{
# All delivery to Qmail style Maildir.  i.e. followed by /
# No lock needed
MAILDIR=$HOME/Mail
DEFAULT=$MAILDIR/Inbox/
LOGFILE=$MAILDIR/Maillog

:0
* ^Resent-Sender.*debian-devel-request@lists.debian.org
debian-devel/

:0
Inbox/
}}}

==== POP3/IMAP4 server ====

If you are to run a private server on LAN, you may consider to run [http://en.wikipedia.org/wiki/Post_Office_Protocol POP3] / [http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol IMAP4] server for delivering mail to LAN clients.

|| List of POP3/IMAP4 servers. || 1 || 2 || 3 ||
|| '''package''' || '''popcon''' || '''size''' || '''type''' || '''description''' ||
|| {{{qpopper}}} || 730 || 676 || POP3 || Qualcomm enhanced version ||
|| {{{courier-pop}}} || 411  || 229 || POP3 || support only the maildir format ||
|| {{{ipopd}}} || 126  || 209 || POP3 || formerly part of the University of Washington IMAP package ||
|| {{{cyrus-pop3d-2.2}}} || 56 || 868 || POP3 || part of the Cyrus IMAPd suite ||
|| {{{xmail}}} || 52 || 795 || POP3 || ESMTP/POP3 mail server ||
|| {{{courier-imap}}} || 1536 || 1614 || IMAP || This provides access to email stored in Maildirs ||
|| {{{uw-imapd}}} || 666 || 262 || IMAP || the University of Washington IMAP ||
|| {{{cyrus-imapd-2.2}}} || 151 || 2707 || IMAP || part of the Cyrus IMAPd suite ||


== The print server and utility ==

In the old Unix-like system, the BSD [http://en.wikipedia.org/wiki/Line_Printer_Daemon_protocol Line printer daemon] was the standard.  Since the standard print out format of the free software is PostScript on the Unix like system, some filter system was used along with [http://en.wikipedia.org/wiki/Ghostscript Ghostscript] to enable printing to the non-PostScript printer.

Recently, [http://en.wikipedia.org/wiki/Common_Unix_Printing_System Common UNIX Printing System] (CUPS) is the new de facto standard.  The CUPS uses [http://en.wikipedia.org/wiki/Internet_Printing_Protocol Internet Printing Protocol] (IPP). The IPP is now supported by other OSs such as Windows XP and Mac OS X and has became new cross-platform de facto standard for remote printing with bi-directional communication capability.

The standard printable data format for the application on the Debian system is the [http://en.wikipedia.org/wiki/PostScript PostScript (PS)] which is a page description language.  The data in PS format is fed into the Ghostscript PostScript interpreter to produce the printable data specific to the printer.  See: @{@theghostscript@}@ .

Thanks to the file format dependent auto-conversion feature of the CUPS system, simply feeding any data to the {{{lpr}}} command should generate the expected print output. (In CUPS, {{{lpr}}} can be enabled by installing the {{{cups-bsd}}} package.)

The Debian system has few notable packages for the print servers and utilities:

|| List of print servers and utilities. || 1 || 2 || 3 || ||
|| '''package''' || '''popcon''' || '''size''' || '''function''' || '''port''' ||
|| {{{lpr}}} || 5839 || - || BSD lpr/lpd ([http://en.wikipedia.org/wiki/Line_Printer_Daemon_protocol Line printer daemon]) || printer (515) ||
|| {{{lprng}}} || 740 || - || , , (Enhanced) || , , ||
|| {{{cups}}} || 20998 || - || Internet Printing CUPS server || IPP (631) ||
|| {{{cups-client}}} || 8248 || - || [http://en.wikipedia.org/wiki/System_V_printing_system System V printer commands] for CUPS: {{{lp}}}(1), {{{lpstat}}}(1), {{{lpoptions}}}(1), {{{cancel}}}(1), {{{lpmove}}}(8), {{{lpinfo}}}(8), {{{lpadmin}}}(8), ... || , , ||
|| {{{cups-bsd}}} || 6639 || - || [http://en.wikipedia.org/wiki/Line_Printer_Daemon_protocol BSD printer commands] for CUPS: {{{lpr}}}(1), {{{lpq}}}(1), {{{lprm}}}(1), {{{lpc}}}(8) || , , ||
|| {{{cups-driver-gutenprint}}} || 3210 || - || printer drivers for CUPS || Not applicable ||

{i} You can configure CUPS system by pointing your web browser to "{{{http://localhost:631/}}}" .

== The remote access server and utility (SSH) ==

The [http://en.wikipedia.org/wiki/Secure_Shell Secure SHell] (SSH) is the '''secure''' way to connect over the Internet.  A free version of SSH called [http://www.openssh.org/ OpenSSH] is available as the {{{ssh}}} package in Debian.

|| List of remote access server and utilities. || 1 || 2 || 3 || ||
|| '''package''' || '''popcon''' || '''size''' || '''tool''' || '''comment''' ||
|| {{{openssh-client}}}  || 29037 || - || ssh || Secure shell client ||
|| {{{openssh-server}}} || 22918 || - || sshd || Secure shell server ||
|| {{{ssh-askpass-fullscreen}}} || 140 || - || ssh-askpass-fullscreen || asks user for a pass phrase for ssh-add (GNOME2) ||
|| {{{ssh-askpass}}} || 58 || - || ssh-askpass || asks user for a pass phrase for ssh-add (plain X) ||

{i} Please use the {{{screen}}}(1) program to enable remote shell process to survive the interrupted connection (see @{@thescreenprogram@}@).

<!> See @{@extrasecuritymeasuresfortheinternet@}@ if your SSH is accessible from Internet.

=== Basics of SSH ===

{{{/etc/ssh/sshd_not_to_be_run}}} must not be present if one wishes to run the OpenSSH server.

SSH has two authentication protocols:

|| List of SSH authentication protocols and methods. || || ||
|| '''SSH protocol''' || '''SSH method''' || '''description''' ||
|| SSH-1 || RSAAuthentication || RSA identity key based user authentication ||
|| , , || RhostsAuthentication || {{{.rhosts}}} based host authentication (insecure, disabled) ||
|| , , || RhostsRSAAuthentication || {{{.rhosts}}} authentication combined with RSA host key (disabled) ||
|| , , || ChallengeResponseAuthentication || RSA challenge-response authentication ||
|| , , || PasswordAuthentication || password based authentication ||
|| SSH-2 || PubkeyAuthentication || public key based user authentication ||
|| , , || HostbasedAuthentication || {{{.rhosts}}} or {{{/etc/hosts.equiv}}} authentication combined with public key client host authentication (disabled) ||
|| , , || ChallengeResponseAuthentication || challenge-response authentication ||
|| , , || PasswordAuthentication || password based authentication ||

Be careful about these differences if you are using a non-Debian system.

See {{{/usr/share/doc/ssh/README.Debian.gz}}}, {{{ssh}}}(1), {{{sshd}}}(8), {{{ssh-agent}}}(1), and {{{ssh-keygen}}}(1) for details.

Following are the key configuration files:

|| List of SSH configuration files. || ||
|| '''configuration file''' || '''function''' ||
|| {{{/etc/ssh/ssh_config}}} || SSH client defaults.  See {{{ssh_config}}}(5). ||
|| {{{/etc/ssh/sshd_config}}} || SSH server defaults.  See {{{sshd_config}}}(5). ||
|| {{{$HOME/.ssh/authorized_keys}}} || the lists of the default public SSH keys that clients use to connect to this account on this host. ||
|| {{{$HOME/.ssh/identity}}} || secret SSH-1 RSA key of the user. ||
|| {{{$HOME/.ssh/id_rsa}}} || secret SSH-2 RSA key of the user. ||
|| {{{$HOME/.ssh/id_dsa}}} || secret SSH-2 DSA key of the user. ||

{i} See {{{ssh-keygen}}}(1), {{{ssh-add}}}(1) and {{{ssh-agent}}}(1) for how to use public and secret SSH keys.

The following will start an {{{ssh}}}(1) connection from a client.

|| List of SSH client startup examples. || ||
|| '''command''' || '''description''' ||
|| {{{ssh username@hostname.domain.ext}}} || connect with default mode ||
|| {{{ssh -v username@hostname.domain.ext}}} || connect with default mode with debugging messages ||
|| {{{ssh -1 username@hostname.domain.ext}}} || force to connect with SSH version 1 ||
|| {{{ssh -1 -o RSAAuthentication=no -l username hostname.domain.ext}}} || force to use password with SSH version 1 ||
|| {{{ssh -o PreferredAuthentications=password -l username hostname.domain.ext}}} || force to use password with SSH version 2 ||

If you use the same user name on the local and the remote host, you can eliminate typing "{{{username@}}}".  Even if you use different user name on the local and the remote host, you can eliminate it using "{{{~/.ssh/config}}}".  For [http://alioth.debian.org/ Debian Alioth service] with account name "{{{foo-guest}}}", you set "{{{~/.ssh/config}}}" to contain:
{{{
Host alioth.debian.org svn.debian.org git.debian.org
    User foo-guest
}}}


For the user, {{{ssh}}}(1) functions as a smarter and more secure {{{telnet}}}(1).  Unlike {{{telnet}}} command, {{{ssh}}} command does not bomb on the {{{telnet}}} escape character (initial default CTRL-]).

=== Port forwarding for SMTP/POP3 tunneling ===

To establish a pipe to connect to port 25 of remote-server from port 4025 of localhost, and to port 110 of remote-server from port 4110 of localhost through {{{ssh}}}, execute on the local machine:

{{{
# ssh -q -L 4025:remote-server:25 4110:remote-server:110 username@remote-server
}}}

This is a secure way to make connections to SMTP/POP3 servers over the Internet.  Set the {{{AllowTcpForwarding}}} entry to {{{yes}}} in {{{/etc/ssh/sshd_config}}} of the remote host.

=== Connecting with fewer passwords -- RSA ===

One can avoid having to remember a password for each remote system by using RSAAuthentication (SSH-1 protocol) or PubkeyAuthentication (SSH-2 protocol).

On the remote system, set the respective entries, "RSAAuthentication yes" or "PubkeyAuthentication yes", in {{{/etc/ssh/sshd_config}}}.

Then generate authentication keys locally and install the public key on the remote system:

 * RSAAuthentication: RSA1 key for SSH-1 (deprecated because superseded.)
{{{
$ ssh-keygen
$ cat .ssh/identity.pub | ssh user1@remote "cat - >>.ssh/authorized_keys"
}}}
 * PubkeyAuthentication: RSA key for SSH-2
{{{
$ ssh-keygen -t rsa
$ cat .ssh/id_rsa.pub | ssh user1@remote "cat - >>.ssh/authorized_keys"
}}}
 * PubkeyAuthentication: DSA key for SSH-2 (deprecated because key is smaller and slow.  Also see [http://www.debian.org/security/2008/dsa-1571 DSA-1571-1].)
{{{
$ ssh-keygen -t dsa
$ cat .ssh/id_dsa.pub | ssh user1@remote "cat - >>.ssh/authorized_keys"
}}}

(!) There are no more reasons to work around RSA patent using DSA since it has been expired.  DSA stands for [http://en.wikipedia.org/wiki/Digital_Signature_Algorithm Digital Signature Algorithm] and slow.

One can change the pass phrase later with "{{{ssh-keygen -p}}}".  Make sure to verify settings by testing the connection.  In case of any problem, use "{{{ssh -v}}}".

You can add options to the entries in {{{authorized_keys}}} to limit hosts and to run specific commands.  See {{{sshd}}}(8) for details.

Note that SSH-2 has {{{HostbasedAuthentication}}}.  For this to work, you must adjust the settings of {{{HostbasedAuthentication}}} to {{{yes}}} in both {{{/etc/ssh/sshd_config}}} on the server machine and {{{/etc/ssh/ssh_config}}} or {{{$HOME/.ssh/config}}} on the client machine.


=== Dealing with alien SSH clients ===

There are a few free [http://en.wikipedia.org/wiki/Secure_Shell SSH] clients available for other platforms.

|| List of free SSH clients for other platforms. || ||
|| '''environment''' || '''free SSH program''' ||
|| Windows || puTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/) (GPL) ||
|| Windows (cygwin) || SSH in cygwin (http://www.cygwin.com/) (GPL) ||
|| Macintosh Classic || macSSH (http://www.macssh.com/) (GPL) ||
|| Mac OS X || OpenSSH; use {{{ssh}}} in the Terminal application (GPL) ||

=== Setting up ssh-agent ===

It is safer to protect your SSH authentication key with a pass phrase.  If it was not set, use {{{ssh-keygen -p}}} to set it.

Place your public key (e.g.  {{{~/.ssh/id_rsa.pub}}}) into {{{~/.ssh/authorized_keys}}} on a remote host using a password-based connection to the remote host as described above.

{{{
$ ssh-agent bash
$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/osamu/.ssh/id_rsa:
Identity added: /home/osamu/.ssh/id_rsa (/home/osamu/.ssh/id_rsa)
}}}
 * No passphrase needed from here on, e.g.:
{{{
$ scp foo user@remote.host:foo
}}}
 * No password requested.
 * Press ^D to terminating ssh-agent session.

For the X server, the normal Debian startup script executes {{{ssh-agent}}} as the parent process.  So you only need to execute {{{ssh-add}}} once. For more, read {{{ssh-agent}}}(1)and {{{ssh-add}}}(1).

=== Troubleshooting SSH ===

If you have problems, check the permissions of configuration files and run {{{ssh}}} with the "{{{-v}}}" option.

Use the "{{{-P}}}" option if you are root and have trouble with a firewall; this avoids the use of server ports 1--1023.

If {{{ssh}}} connections to a remote site suddenly stop working, it may be the result of tinkering by the sysadmin, most likely a change in {{{host_key}}} during system maintenance.  After making sure this is the case and nobody is trying to fake the remote host by some clever hack, one can regain a
connection by removing the {{{host_key}}} entry from {{{$HOME/.ssh/known_hosts}}} on the local machine.

== Other network application servers ==

|| List of other network application servers. || 1 || 2 || 3 || ||
|| '''package''' || '''popcon''' || '''size''' || '''protocol''' || '''focus''' ||
|| {{{telnetd}}} || - || - || [http://en.wikipedia.org/wiki/TELNET TELNET] || TELNET server ||
|| {{{telnetd-ssl}}} || - || - || , , || , , (SSL support) ||
|| {{{nfs-kernel-server}}} || 6327 || - || [http://en.wikipedia.org/wiki/Network_File_System_(protocol) NFS] || Unix file sharing ||
|| {{{nfs-user-server}}} || 451 || - || , , || , , ||
|| {{{samba}}} || 9764 || - || [http://en.wikipedia.org/wiki/Server_Message_Block SMB] || windows file and printer sharing ||
|| {{{netatalk}}} || 3023 || - || [http://en.wikipedia.org/wiki/AppleTalk ATP] || apple/mac file and printer sharing (AppleTalk) ||
|| {{{proftpd}}} || 2646 || - || [http://en.wikipedia.org/wiki/FTP FTP] || general file download ||
|| {{{wu-ftpd}}} || 307 || - || , , || , , ||
|| {{{apache2-mpm-prefork}}} || 13107 || - || [http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] || general web server ||
|| {{{apache2-mpm-worker}}} || 1834 || - || , , || , , ||
|| {{{squid}}} || - || - || , , || general web [http://en.wikipedia.org/wiki/Proxy_server proxy server] ||
|| {{{squid3}}} || - || - || , , || , , ||
|| {{{slpd}}} || 212 || - || [http://en.wikipedia.org/wiki/Service_Location_Protocol SLP] || [http://www.openslp.org/ OpenSLP] Server as [http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] server ||
|| {{{bind9}}} || 4308 || - || [http://en.wikipedia.org/wiki/Domain_name_system DNS] || IP address for other hosts ||
|| {{{dhcp3-server}}} || 1851 || - || [http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP] || IP address of client itself ||

Common Internet File System Protocol (CIFS) is the same protocol as Server Message Block (SMB).

{i} Use of proxy server such as {{{squid}}} is much more efficient for saving bandwidth than use of local mirror server with the full Debian archive contents.

== Other network application clients ==

|| List of network application clients. || 1 || 2 || 3 || ||
|| '''package''' || '''popcon''' || '''size''' || '''protocol''' || '''focus''' ||
|| {{{netcat}}} || - || - || [http://en.wikipedia.org/wiki/TCP/IP TCP/IP] || TCP/IP swiss army knife ||
|| {{{stunnel4}}} || - || - || [http://en.wikipedia.org/wiki/Transport_Layer_Security SSL] || Universal SSL Wrapper ||
|| {{{telnet}}} || - || - || [http://en.wikipedia.org/wiki/TELNET TELNET] || TELNET client ||
|| {{{telnet-ssl}}} || - || - || , , || , , (SSL support) ||
|| {{{nfs-common}}} || 23629 || - || [http://en.wikipedia.org/wiki/Network_File_System_(protocol) NFS] || Unix file sharing ||
|| {{{smbclient}}} || 4412 || - || [http://en.wikipedia.org/wiki/Server_Message_Block SMB] || MS windows file and printer sharing client ||
|| {{{smbfs}}} || - || - || , , || Mount and umount commands for remote MS windows file ||
|| {{{ftp}}} || 7253 || - || [http://en.wikipedia.org/wiki/FTP FTP] || FTP client ||
|| {{{lftp}}} || 1015 || - || , , || , , ||
|| {{{ncftp}}} || 1322 || - || , , || Full screen FTP client ||
|| {{{wget}}} || - || - || [http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] and [http://en.wikipedia.org/wiki/FTP FTP] || Web downloader ||
|| {{{curl}}} || - || - || , , || , , ||
|| {{{dog}}} || - || - || [http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] || Web uploader ({{{cat}}} with URL support) ||
|| {{{bind9-host}}} || 21432 || - || [http://en.wikipedia.org/wiki/Domain_name_system DNS] || The {{{host}}} command from bind9, priority standard ||
|| {{{dnsutils}}} || 8541 || - || , , || The {{{dig}}} command from bind, priority standard ||
|| {{{host}}} || 1319 || - || , , || The {{{host}}} command from dnsutils, priority extra ||
|| {{{dhcp3-client}}} || 20532 || - || [http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP] || Obtain IP address ||
|| {{{ldap-utils}}} || 908 || - || [http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP] || Obtain data from LDAP server ||

## removed
## || {{{cftp}}} || 23 || - || , , || , , ||

== The diagnosis of the system daemons ==

The {{{telnet}}} program enables manual connection and diagnosis of the system daemons.  E.g.:
{{{
$ telnet mail.ispname.net pop3
}}}

The following [http://www.ietf.org/rfc.html RFCs] provide required knowledge to text each system daemon.

|| List of popular RFCs. || ||
|| '''RFC''' || '''description''' ||
|| [http://tools.ietf.org/html/rfc1939 rfc1939] and [http://tools.ietf.org/html/rfc2449 rfc2449] || [http://en.wikipedia.org/wiki/Post_Office_Protocol POP3] service ||
|| [http://tools.ietf.org/html/rfc3501 rfc3501] || [http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol IMAP4] service ||
|| [http://tools.ietf.org/html/rfc2821 rfc2821] ([http://tools.ietf.org/html/rfc821 rfc821]) || [http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol SMTP] service ||
|| [http://tools.ietf.org/html/rfc2822 rfc2822] ([http://tools.ietf.org/html/rfc822 rfc822]) || Mail file format ||
|| [http://tools.ietf.org/html/rfc2045 rfc2045] || [http://en.wikipedia.org/wiki/MIME Multipurpose Internet Mail Extensions (MIME)] ||
|| [http://tools.ietf.org/html/rfc819 rfc819] || [http://en.wikipedia.org/wiki/Domain_name_system DNS] service ||
|| [http://tools.ietf.org/html/rfc2616 rfc2616] || [http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol HTTP] service ||
|| [http://tools.ietf.org/html/rfc2396 rfc2396] || [http://en.wikipedia.org/wiki/Uniform_Resource_Identifier URI] definition ||

The port usage is described in {{{/etc/services}}}.

(!) For testing [http://en.wikipedia.org/wiki/Transport_Layer_Security TLS]/SSL services such as [http://en.wikipedia.org/wiki/Https HTTPS], you need TLS/SSL enabled {{{telnet}}} program.