E-MailRelay Reference
=====================

Introduction
------------
This is the E-MailRelay reference guide. It contains material which is
supplementary to the user guide.

Command line usage
------------------
The "emailrelay" program supports the following command-line usage:

	emailrelay [<switch> [<switch> ...]]

where <switch> is:

# --admin (-a)
  Enables the administration interface and specifies its listening port number.

# --as-client (-q)
  Equivalent to "--log --no-syslog --no-daemon --dont-serve --forward --forward-to".

# --as-proxy (-y)
  Equivalent to "--log --close-stderr --immediate --forward-to".

# --as-server (-d)
  Equivalent to "--log --close-stderr".

# --client-auth (-C)
  Enables authentication with remote server, using the given secrets file.

# --close-stderr (-e)
  Closes the standard error stream after start-up.

# --connection-timeout (-U)
  Sets the client-side connection timeout in seconds (default is 40).

# --dont-serve (-x)
  Stops the process acting as a server (usually used with --forward).

# --filter (-z)
  Defines a mail pre-processor (disallowed if running as root).

# --forward (-f)
  Forwards stored mail on startup (requires --forward-to).

# --forward-to (-o)
  Specifies the remote smtp server (required by --forward and --admin).

# --help (-h)
  Displays help text and exits.

# --immediate (-m)
  Forwards each message as soon as it is received (requires --forward-to).

# --log (-l)
  Writes log information on standard error (if open) and syslog (if not disabled).

# --no-daemon (-t)
  Does not detach from the terminal.

# --no-syslog (-n)
  Disables syslog output.

# --pid-file (-i)
  Records the daemon process-id in the given file.

# --port (-p)
  Specifies the smtp listening port number.

# --remote-clients (-r)
  Allows remote clients to connect.

# --response-timeout (-T)
  Sets the client-side response timeout in seconds (default is 1800).

# --server-auth (-S)
  Enables authentication of remote clients, using the given secrets file.

# --spool-dir (-s)
  Specifies the spool directory (default is "/usr/local/var/spool/emailrelay").

# --verbose (-v)
  Generates more verbose logging (if compiled-in and logging enabled and stderr open).

# --version (-V)
  Displays version information and exits.

If no command-line switches are supplied at all then the default
behaviour is:
* to run as a daemon, detached from the terminal
* listen on the standard SMTP port (25)
* store e-mail messages in "/usr/local/var/spool/emailrelay"
* reject connections from remote clients
* disable the administration interface
* generate no logging or diagnostic messages

To foward spooled messages to the ISP the command-line switch "--as-client"
is provided to run the program...
* in foreground, exiting when all spooled mail has been processed
* forwarding spooled mail from "/usr/local/var/spool/emailrelay"
* without listening on any port
* with error, warning and information messages sent to stderr
* without using syslog

The "--as-server" switch makes sure that logging is enabled and that
the standard error stream is closed.

Note that the test for allowing remote clients only takes account of the local
machine's canonical IP address: the connection is regarded as local if the
remote IP address matches the IP address of the local machine's canonical
hostname (ie. not any DNS aliases).

Message store
-------------
Mail messages are stored as text files in the configured spool directory. Each
message is represented as an envelope file and a content file. The envelope
file contains parameters relevant to the SMTP dialogue, and the content file
contains the RFC822 headers and body text. Note that the content is largely
ignored by the SMTP protocol.

The filenames used in the message store have a prefix of "emailrelay", followed
by a process-id and sequence number, followed by "envelope" or "content". The
envelope files then have an additional suffix to implement a simple locking
scheme.

The envelope suffixes are:
* ".new" -- while the envelope is first being written
* <none> -- while the message is spooled
* ".busy" -- while the message is being forwarded
* ".bad" -- if the message cannot be forwarded
* ".local" -- for copies of the envelope file for delivery to local recipeints

Copies of the content file for delivery to local recipeints will also have
a "local" suffix.

If a message cannot be forwarded the envelope file is given a "bad" suffix,
and the failure reason is written into the file.

SMTP issues
-----------
# Authentication:

  The AUTH extension is supported in V0.9.6, but only with the unofficial LOGIN
  mechanism.

# Local delivery:

  E-MailRelay will reject all local recipients, with the exception of
  "postmaster". This is in line with its intended purpose as a simple mail
  relay, rather than a fully-fledged routing MTA. Any addressee (except
  "postmaster") without an "at" sign (@) will be rejected at the time the
  message is submitted by the e-mail front-end.

  Delivery of mail to a local "postmaster" is a feature of E-MailRelay which is
  provided for completeness and for comformance to the SMTP specification. It is
  only relevant if you are in the habit of sending mail to yourself as
  "postmaster"; mail to "postmaster" from an external source is not processed
  by E-MailRelay and should be delivered normally.

  Note that E-MailRelay daemon does not actually deliver mail to the postmaster
  mailbox.  All it does is create an envelope and content file in the spool
  directory with a ".local" suffix. Some external system, such as a shell
  script run from cron calling "procmail", should be used to process the
  ".local" files. An example script is provided.

# Timeouts:

  A simple client-side timeout is implemented which will abort the transaction
  if the server fails to respond to any of the client's SMTP commands within the
  given time period.

# Message loops:

  Message loops are not detected.

# Eight bit messages:

  The 8BITMIME SMTP extension is supported, however no attempt is made to
  re-encode 8-bit messages into 7-bit messages if the downstream server
  does not.

Administration interface
------------------------
If enabled, the server will provide a network interface for performing
administration tasks. This is a simple command-line interface which is
compatible with "telnet".

Currently the only supported command is "flush", which tries to forward spooled
mail to the configured dowstream SMTP server. The downstream server address
must have been defined on the "emailrelay" command line at start-up using the
"--forward-to" switch; it cannot be specified through the administration
interface.

The "flush" command allows you to run a single process which combines the
functionality of storage daemon and forwarding client. This might be useful
in systems which are low on memory: the memory footprint of "telnet" or
"emailrelay-poke" will be much smaller than "emailrelay --as-client".

Mail pre-processing
-------------------
The "--filter" command-line switch allows you to specify a pre-processor program
which operates on mail messages as they pass through the E-MailRelay system. The
pre-processor program is run as soon as the mail message has been stored in the
spool directory, with the full path of the content file specified on the command
line.

This can be combined with the "--immediate" (or "--as-proxy") switch to implement
personal mail pre-processing, without replacing or reconfiguring the system's
default MTA.

For example, the following command will start a proxy server on port 10025
which pre-processes mail using the specified filter program, and then
forwards the mail on to the system's default MTA (on port 25):

	emailrelay --as-proxy localhost:smtp --port 10025 --no-syslog \
	  --filter ${HOME}/.emailrelay/filter \
	  --spool-dir ${HOME}/.emailrelay/spool

The pre-processor program should terminate with an exit code of zero to indicate
success. An exit code of 100 can be used to cancel all further processing of the
message, and any other non-zero exit code is used to indicate an error.

For example, the following pre-processor shell script examines the client's
IP address and conditionally dumps the message into "sendmail" (using the
sendmail command-line interface rather than SMTP):

	#!/bin/sh
	#
	content="${1}"
	envelope="`echo \"${content}\" | sed 's/content/envelope/'`"
	ip="`awk '/MailRelay-Client:/ {print $2;exit}' \"${envelope}\"`"
	if test "${ip}" = "192.168.0.2"
	then
		cat "${content}" | /usr/sbin/sendmail -t
		rm -f "${envelope}" "${content}"
		exit 100 # <= cancel further processing by emailrelay
	fi
	exit 0

An example pre-processor script which does simple rot-13 masking of messages is
also provided in the distribution ("share/emailrelay/emailrelay-process.sh").
This could be used as a template for a more sophisticated message encryption
system.

Security issues
---------------
A major security concern is the use of an external mail pre-processor (using the
"--filter" switch). In this release this feature is simply disabled if the
process is running as root (effective userid is zero). The pre-processor will
run as the same userid as the E-MailRelay program, but with an almost empty set
of environment variables, and no open file descriptors other than
"stdin"/"stdout"/"stderr" open onto "/dev/null". The pre-processor filename has
to be configured using a full path, so there is no dependence on the current
working directory or the PATH variable.

Security issues which relate to the SMTP protocol itself are beyond the scope of
this document, but RFC2821 makes the following observation: "SMTP mail is
inherently insecure in that it is feasible for even [..] casual users to [..]
create messages that will trick a [..] recipient into believing that they came
from somewhere else. [..] Real [..] security lies [..] in end-to-end methods [..]
such as those which use digital signatures."

The "Authentication" section below also relates to security.

Some other points are:
* The program runs with a "umask" of 177 so files are created with "-rw-------" permissions.
* Strings are dynamically allocated, so buffer overflow/truncation issues are avoided.
* By default connections to the SMTP and administrative ports will be rejected if they come from remote machines.
* No configuration parameters can be changed through the administrative interface.
* No exec(), system() or popen() calls are used other than execve() to spawn the mail pre-processor.

Authentication
--------------
E-MailRelay has some support for the ESMTP "AUTH" extension, as defined in
RFC2554, on both the server-side and client-side. The only authentication
mechanism currently provided is the non-standard (but widely used) "LOGIN"
mechanism, using plaintext passwords. A future release may add "CRAM-MD5"
(RFC2195).

Authentication is enabled with the "--auth-client" and "--auth-server"
command-line switches. The switch parameter is the name of a "secrets" file,
containing (in the current release) plaintext passwords.

The secrets file has a line-based format: blank lines are ignored and the hash
character (#) is used for comments. Lines have four white-space delimited
fields: "mechanism", "client-or-server", "userid", and "secret". The "mechanism"
field must be "login" (case-insensitive); the "client-or-server" field must be
"client" or "server"; the "userid" field is xtext-encoded user identifier; and
the "secret" field is the xtext-encoded plaintext password. (The "xtext"
encoding scheme is defined in RFC1891.) A client-side secrets file should
contain at least one "login client" entry, and a server-side secrets file should
contains zero or more "login server" entries. The same secrets file may be
specified for both "--auth-client" and "--auth-server" switches.

For example, the following secrets file defines "jsmith" as the username to be
used when E-MailRelay authenticates with a downstream server, and defines two
usernames ("user1" and "user2") which can be used by clients when they
authenticate with the E-MailRelay server:

	#
	# emailrelay secrets file
	#
	login client jsmith my+20password
	login server user1 secret
	login server user2 ignorance+3Ddeath

Clearly storing plaintext passwords in a file and then sending them unencypted
over a network is a bad thing. You should at least make sure that the secrets
file has tight permissions, and that the passwords in it are not also used for
anything important (such as root access).

On the server side authentication is advertised in the response to the SMTP
"EHLO" command, but authentication by the client is optional. If the client does
authenticate then the authenticated user-id is stored with the message and
then passed on to a downstream server using an "AUTH=userid" parameter on the
SMTP "MAIL FROM" command. If the client chooses not to authenticate then the
submitted messages will be forwarded using "AUTH=<>" on the "MAIL FROM"
command. Note that any "AUTH=userid" information on incoming submitted messages
is ignored and discarded: it is the authorised userid from the AUTH command
which is propogated, not the userid from the incoming "MAIL FROM" command's
"AUTH=" parameter.

On the client side authentication is performed when the client has connected to
a server which supports the AUTH extension with the LOGIN mechanism. If client
authentication is enabled (with the "--auth-client" switch) but the server does not
support the AUTH extension, or does not support the LOGIN mechanism, then the
client will fail the first message and terminate with an error message.

Note that some ISPs require separate POP/IMAP authentication before SMTP access
from a particular IP address is allowed. This type of POP-before-SMTP
authentication can be done outside the E-MailRelay system by POP/IMAP utilities
such as "fetchmail".

Files
-----
By default "make install" installs files in the following locations:
* /usr/local/libexec/emailrelay-poke
* /usr/local/libexec/emailrelay.sh
* /usr/local/sbin/emailrelay
* /usr/local/var/spool/emailrelay/empty_file
* /usr/local/share/emailrelay/emailrelay-notify.sh
* /usr/local/share/emailrelay/emailrelay-deliver.sh
* /usr/local/share/emailrelay/emailrelay-process.sh
* /usr/local/share/emailrelay/*.html
* /usr/local/share/emailrelay/graphics/bullet.gif
* /usr/local/man/man1/emailrelay.1
* /usr/local/man/man1/emailrelay-poke.1

This directory structure is constrained by the GNU/"autoconf" conventions rather
than the Filesystem Hierarchy Standard.



Copyright (C) 2001 Graeme Walker <graeme_walker@users.sourceforge.net>. All rights reserved.