== Network applications

// vim: set sts=2 expandtab:
// Use ":set nowrap" to edit table

After establishing network connectivity (see <<_network_setup>>), you can run various network applications.

TIP: For modern Debian specific guide to the network infrastructure, read https://www.debian.org/doc/manuals/debian-handbook/network-infrastructure[The Debian Administrator's Handbook -- Network Infrastructure].

WARNING: This chapter is getting outdated since this is based on Debian 7.0 (`Wheezy`) released in 2013.

=== Web browsers

There are many http://en.wikipedia.org/wiki/Web_Browsers[web browser] packages to access remote contents with http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol[Hypertext Transfer Protocol] (HTTP).

.List of web browsers
[grid="all"]
`------------------`-------------`------------`--------`---------------------------------------------------------------------------------
package            popcon        size         type     description of web browser
-----------------------------------------------------------------------------------------------------------------------------------------
`chromium`         @-@popcon1@-@ @-@psize1@-@ X        http://en.wikipedia.org/wiki/Chromium_(web_browser)[Chromium], (open-source browser from Google)
`iceweasel`        @-@popcon1@-@ @-@psize1@-@ , ,      http://en.wikipedia.org/wiki/Mozilla_Corporation_software_rebranded_by_the_Debian_project[unbranded] http://en.wikipedia.org/wiki/Mozilla_Firefox[Mozilla Firefox]
`iceape-browser`   N/A           N/A          , ,      http://en.wikipedia.org/wiki/Mozilla_Corporation_software_rebranded_by_the_Debian_project[unbranded] http://en.wikipedia.org/wiki/Mozilla[Mozilla], removed due to security concerns http://bugs.debian.org/505565[bug#505565]
`epiphany-browser` @-@popcon1@-@ @-@psize1@-@ , ,      http://en.wikipedia.org/wiki/GNOME[GNOME], http://en.wikipedia.org/wiki/Human_interface_guidelines[HIG] compliant, http://en.wikipedia.org/wiki/Epiphany_(browser)[Epiphany]
`konqueror`        @-@popcon1@-@ @-@psize1@-@ , ,      http://en.wikipedia.org/wiki/KDE[KDE], http://en.wikipedia.org/wiki/Konqueror[Konqueror]
`dillo`            @-@popcon1@-@ @-@psize1@-@ , ,      http://en.wikipedia.org/wiki/Dillo[Dillo], (light weight browser, http://en.wikipedia.org/wiki/FLTK[FLTK] based)
`w3m`              @-@popcon1@-@ @-@psize1@-@ text     http://en.wikipedia.org/wiki/W3m[w3m]
`lynx`             @-@popcon1@-@ @-@psize1@-@ , ,      http://en.wikipedia.org/wiki/Lynx_(web_browser)[Lynx]
`elinks`           @-@popcon1@-@ @-@psize1@-@ , ,      http://en.wikipedia.org/wiki/ELinks[ELinks]
`links`            @-@popcon1@-@ @-@psize1@-@ , ,      http://en.wikipedia.org/wiki/Links_(web_browser)[Links] (text only)
`links2`           @-@popcon1@-@ @-@psize1@-@ graphics http://en.wikipedia.org/wiki/Links_(web_browser)[Links] (console graphics without X)
-----------------------------------------------------------------------------------------------------------------------------------------

// Although I tend to drop reference to removed packages, I keep mozilla as an exception !

==== Browser configuration

You may be able to use the following special URL strings in some browsers to confirm their settings.

- "`about:`"
- "`about:config`"
- "`about:plugins`"

Debian offers many free browser plugin packages in the main archive area which can handle not only http://en.wikipedia.org/wiki/Java_(software_platform)[Java (software platform)] and http://en.wikipedia.org/wiki/Adobe_Flash[Flash] but also http://en.wikipedia.org/wiki/MPEG-1[MPEG], http://en.wikipedia.org/wiki/MPEG-2[MPEG2], http://en.wikipedia.org/wiki/MPEG-4[MPEG4], http://en.wikipedia.org/wiki/DivX[DivX], http://en.wikipedia.org/wiki/Windows_Media_Video[Windows Media Video (.wmv)], http://en.wikipedia.org/wiki/QuickTime[QuickTime (.mov)], http://en.wikipedia.org/wiki/MP3[MP3 (.mp3)], http://en.wikipedia.org/wiki/Vorbis[Ogg/Vorbis] files, DVDs, VCDs, etc.  Debian also offers helper programs to install non-free browser plugin packages from the contrib or non-free archive areas.

.List of browser plugin packages
[grid="all"]
`------------------------`-------------`------------`---------`---------------------------------------------------------------------------
package                  popcon        size         area      description
------------------------------------------------------------------------------------------------------------------------------------------
`icedtea-plugin`         @-@popcon1@-@ @-@psize1@-@ main      Java plugin based on OpenJDK and IcedTea
`mozilla-plugin-gnash`   @-@popcon1@-@ @-@psize1@-@ main      Flash plugin based on Gnash
`flashplugin-nonfree`    @-@popcon1@-@ @-@psize1@-@ contrib   Flash plugin helper to install Adobe Flash Player (i386, amd64 only)
`browser-plugin-vlc`     @-@popcon1@-@ @-@psize1@-@ main      Multimedia plugin based on http://en.wikipedia.org/wiki/VLC_media_player[VLC media player]
------------------------------------------------------------------------------------------------------------------------------------------

TIP: Although using the above Debian packages is much easier, browser plugins can still be enabled manually by installing "\*.so" files into plugin directories (e.g., "`/usr/lib/iceweasel/plugins/`") and restarting the browser.

Some web sites refuse connections based on the user-agent string of your browser.  You can work around this situation by http://www.mozilla.org/unix/customizing.html#prefs[spoofing the user-agent string].  For example, you can do this by adding the following line to a user configuration file such as "`\~/.gnome2/epiphany/mozilla/epiphany/user.js`" or "`\~/.mozilla/firefox/\*.default/user.js`".

--------------------
user_pref("general.useragent.override", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)");
--------------------

Alternatively, you can add and reset this variable by typing "`about:config`" into the URL bar and right-clicking the displayed contents.

CAUTION: Spoofed user-agent string may cause https://bugzilla.mozilla.org/show_bug.cgi?id=83376[bad side effects with Java].

=== The mail system

CAUTION: If you are going to set up a mail server to exchange mail directly with the Internet, you should read something better than this elementary document.

The mail system involves many server programs and many client programs running on multiple hosts.  Functionally, there are 3 types of mail agent programs:

* The mail transport agent (http://en.wikipedia.org/wiki/Message_transfer_agent[MTA], see <<_mail_transport_agent_mta>>) is a program for transferring mails between different hosts.
* The mail delivery agent (http://en.wikipedia.org/wiki/Mail_delivery_agent[MDA], see <<_mail_delivery_agent_mda_with_filter>>) is a program for delivering messages to the users' mailboxes within a host.
* The mail user agent (MUA, also known as http://en.wikipedia.org/wiki/Email_client[email client], see <<_mail_user_agent_mua>>) is the program to generate messages and to access delivered messages.

NOTE: The following configuration examples are only valid for the typical mobile workstation on consumer grade Internet connections.

==== Email basics

An http://en.wikipedia.org/wiki/Email[email] message consists of three components, the message envelope, the message header, and the message body.

The "To" and "From" information in the message envelope is used by the http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol[SMTP] to deliver the email. (The "From" information in the message envelope is also called http://en.wikipedia.org/wiki/Bounce_address[bounce address], From_, etc.).

The "To" and "From" information in the message header is displayed by the http://en.wikipedia.org/wiki/Email_client[email client]. (While it is most common for these to be the same as ones in the message envelope, such is not always the case.)

The http://en.wikipedia.org/wiki/Email_client[email client] (MUA) needs to interpret the message header and body data using http://en.wikipedia.org/wiki/MIME[Multipurpose Internet Mail Extensions (MIME)] to handle the content data type and encoding.
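As an added example (not from the Debian Reference), the following Python parses a constructed message to show the envelope sender recorded in "Return-Path" next to the header "From", and does the MIME decoding an MUA has to perform before it can display or filter the body.  The message, its addresses and the IP address in it are all constructed for illustration.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample message (not real mail): the receiving MDA recorded the
# envelope sender (bounce address) in Return-Path; the MUA shows the header From.
RAW_MESSAGE = b"""\
Return-Path: <bounce-42@lists.example.net>
Received: from smtp99.hostname.dom ([123.234.123.89]) by mx.example.com
 for <recipient@example.com>; Mon, 1 Jul 2013 10:00:00 +0000
From: Name Surname <username@hostname.dom>
To: recipient@example.com
Subject: =?utf-8?q?Caf=C3=A9_menu?=
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Caf=C3=A9 menu attached.
--b1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

PGI+Q2Fmw6kgbWVudTwvYj4=
--b1--
"""


def parse_message(raw: bytes):
    """Parse raw RFC 5322 bytes with the modern policy (RFC 2047 headers decoded)."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def envelope_and_header_sender(msg):
    """Return (envelope sender taken from Return-Path, header From address)."""
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1]
    header = parseaddr(str(msg.get("From", "")))[1]
    return envelope, header


def sender_domains_differ(msg) -> bool:
    """True when the bounce-address domain and the header From domain disagree.

    This is legitimate for mailing lists and forwarders, but it is also the
    shape of a spoofed From header, so a MUA or filter should surface it
    rather than trust the displayed From alone.
    """
    def domain(addr: str) -> str:
        return addr.rpartition("@")[2].lower()

    envelope, header = envelope_and_header_sender(msg)
    return domain(envelope) != domain(header)


def describe_parts(msg):
    """List (content type, transfer encoding, decoded text) for each leaf part.

    get_content() undoes the Content-Transfer-Encoding (quoted-printable,
    base64) and the declared charset, which is the MIME work the MUA must do.
    """
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).lower()
        parts.append((part.get_content_type(), cte, part.get_content()))
    return parts


if __name__ == "__main__":
    m = parse_message(RAW_MESSAGE)
    print("envelope / header sender:", envelope_and_header_sender(m))
    print("sender domains differ:", sender_domains_differ(m))
    for ctype, cte, text in describe_parts(m):
        print(ctype, cte, repr(text))
```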

==== Modern mail service basics

In order to minimize exposure to spam (unwanted and unsolicited email), many ISPs which provide consumer grade Internet connections are implementing countermeasures.

- The smarthost service for their customers to send messages uses the message submission port (587) specified in http://tools.ietf.org/html/rfc4409[rfc4409] with a password (http://en.wikipedia.org/wiki/SMTP-AUTH[SMTP AUTH] service) specified in http://tools.ietf.org/html/rfc4954[rfc4954].
- http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol[SMTP] port (25) connections from their internal network hosts (except the ISP@@@sq@@@s own outgoing mail server) to the Internet are blocked.
- http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol[SMTP] port (25) connections to the ISP@@@sq@@@s incoming mail server from some suspicious external network hosts are blocked.  (Connections from hosts in the dynamic IP address ranges used by dial-up and other consumer grade Internet connections are the first ones to be blocked.)
- http://en.wikipedia.org/wiki/Anti-spam_techniques[Anti-spam techniques] such as http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail[DomainKeys Identified Mail (DKIM)] and http://en.wikipedia.org/wiki/Sender_Policy_Framework[Sender_Policy_Framework (SPF)] are widely used for the http://en.wikipedia.org/wiki/Email_filtering[email filtering].
- The http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail[DomainKeys Identified Mail] service may be provided for your mail sent through the smarthost.

When configuring your mail system or resolving mail delivery problems, you must consider these new limitations.

In light of this hostile Internet situation and these limitations, some independent Internet mail ISPs such as Yahoo.com and Gmail.com offer a secure mail service which can be connected to from anywhere on the Internet using http://en.wikipedia.org/wiki/Transport_Layer_Security[Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL)].

- The smarthost service on port 465 with the deprecated SMTP over SSL (http://en.wikipedia.org/wiki/SMTPS[SMTPS] protocol).
- The smarthost service on port 587 with the http://en.wikipedia.org/wiki/STARTTLS[STARTTLS].
- The incoming mail is accessible at the TLS/POP3 port (995) with http://en.wikipedia.org/wiki/Post_Office_Protocol[POP3].

CAUTION: It is not realistic to run an SMTP server on a consumer grade network to send mail directly to remote hosts reliably.  Such mail is very likely to be rejected.  You must use a smarthost service offered by your connection ISP or an independent mail ISP.

For simplicity, I assume in the following text that the smarthost is located at "`smtp.hostname.dom`", requires http://en.wikipedia.org/wiki/SMTP_Authentication[SMTP Authentication], and uses the message submission port (587) with http://en.wikipedia.org/wiki/STARTTLS[STARTTLS].

==== The mail configuration strategy for workstation

The simplest mail configuration is that mail is sent to the ISP@@@sq@@@s smarthost and received from the ISP@@@sq@@@s POP3 server by the MUA (see <<_mail_user_agent_mua>>) itself. This type of configuration is popular with full featured GUI based MUAs such as `icedove`(1), `evolution`(1), etc. If you need to filter mail by type, you use the MUA@@@sq@@@s filtering function. In this case, the local MTA (see <<_mail_transport_agent_mta>>) needs to do local delivery only (when sender and receiver are on the same host).

Please note that the Debian system is a multiuser system.  Even if you are the only user, there are many programs running as root and they may send you mail.

The alternative mail configuration is that mail is sent via the local MTA to the ISP@@@sq@@@s smarthost and received from the ISP@@@sq@@@s POP3 server by the mail retriever (see <<_the_remote_mail_retrieval_and_forward_utility>>) into the local mailbox.  If you need to filter mail by type, you use an MDA with filter (see <<_mail_delivery_agent_mda_with_filter>>) to sort mail into separate mailboxes.  This type of configuration is popular with simple console based MUAs such as `mutt`(1), `mew`(1), etc., although it is possible with any MUA (see <<_mail_user_agent_mua>>). In this case, the local MTA (see <<_mail_transport_agent_mta>>) needs to do both smarthost delivery and local delivery.  Since a mobile workstation does not have a valid FQDN, you must configure the local MTA to hide and spoof the real local mail name in outgoing mail to avoid mail delivery errors (see <<_the_mail_address_configuration>>).

TIP: You may wish to configure MUA/MDA to use http://en.wikipedia.org/wiki/Maildir[Maildir] for storing email messages somewhere under your home directory.

=== Mail transport agent (MTA)

For a normal workstation, the popular choice of mail transport agent (MTA) is either the `exim4-\*` or the `postfix` packages.  It is really up to you.

.List of basic mail transport agent related packages for workstation
[grid="all"]
`--------------------`-------------`------------`--------------------------------------------------------------------
package              popcon        size         description
---------------------------------------------------------------------------------------------------------------------
`exim4-daemon-light` @-@popcon1@-@ @-@psize1@-@ Exim4 mail transport agent (MTA: Debian default)
`exim4-base`         @-@popcon1@-@ @-@psize1@-@ Exim4 documentation (text) and common files
`exim4-doc-html`     @-@popcon1@-@ @-@psize1@-@ Exim4 documentation (html)
`exim4-doc-info`     @-@popcon1@-@ @-@psize1@-@ Exim4 documentation (info)
`postfix`            @-@popcon1@-@ @-@psize1@-@ Postfix mail transport agent (MTA: alternative)
`postfix-doc`        @-@popcon1@-@ @-@psize1@-@ Postfix documentation (html+text)
`sasl2-bin`          @-@popcon1@-@ @-@psize1@-@ Cyrus SASL API implementation (supplement postfix for SMTP AUTH)
`cyrus-sasl2-doc`    @-@popcon1@-@ @-@psize1@-@ Cyrus SASL - documentation
---------------------------------------------------------------------------------------------------------------------

Although the popcon vote count of `exim4-\*` looks several times higher than that of `postfix`, this does not mean `postfix` is unpopular with Debian developers.  The Debian server system uses both `exim4` and `postfix`.  The http://wiki.debian.org/DefaultMTA[mail header analysis] of mailing list postings from prominent Debian developers also indicates that both of these MTAs are equally popular.

The `exim4-\*` packages are known for very small memory consumption and very flexible configuration.  The `postfix` package is known to be compact, fast, simple, and secure.  Both come with ample documentation and are equally good in quality and license.

There are many choices of mail transport agent (MTA) packages with different capabilities and focus in the Debian archive.

.List of choices for mail transport agent (MTA) packages in Debian archive
[grid="all"]
`--------------------`-------------`------------`---------------------------------------------------
package              popcon        size         capability and focus
----------------------------------------------------------------------------------------------------
`exim4-daemon-light` @-@popcon1@-@ @-@psize1@-@ full
`postfix`            @-@popcon1@-@ @-@psize1@-@ full (security)
`exim4-daemon-heavy` @-@popcon1@-@ @-@psize1@-@ full (flexible)
`sendmail-bin`       @-@popcon1@-@ @-@psize1@-@ full (only if you are already familiar)
`nullmailer`         @-@popcon1@-@ @-@psize1@-@ stripped down, no local mail
`ssmtp`              @-@popcon1@-@ @-@psize1@-@ stripped down, no local mail
`courier-mta`        @-@popcon1@-@ @-@psize1@-@ very full (web interface etc.)
`masqmail`           @-@popcon1@-@ @-@psize1@-@ light
`esmtp`              @-@popcon1@-@ @-@psize1@-@ light
`esmtp-run`          @-@popcon1@-@ @-@psize1@-@ light (sendmail compatibility extension to `esmtp`)
`msmtp`              @-@popcon1@-@ @-@psize1@-@ light
`msmtp-mta`          @-@popcon1@-@ @-@psize1@-@ light (sendmail compatibility extension to `msmtp`)
----------------------------------------------------------------------------------------------------

==== The configuration of exim4

For Internet mail via a smarthost, you (re)configure the `exim4-\*` packages as follows.

--------------------
$ sudo /etc/init.d/exim4 stop
$ sudo dpkg-reconfigure exim4-config
--------------------

Select "mail sent by smarthost; received via SMTP or fetchmail" for "General type of mail configuration".

Set "System mail name:" to its default as the FQDN (see <<_the_hostname_resolution>>).

Set "IP-addresses to listen on for incoming SMTP connections:" to its default as "127.0.0.1 ; ::1".

Unset contents of "Other destinations for which mail is accepted:".

Unset contents of "Machines to relay mail for:".

Set "IP address or host name of the outgoing smarthost:" to "smtp.hostname.dom:587".

Select "<No>" for "Hide local mail name in outgoing mail?". (Use "`/etc/email-addresses`" as in <<_the_mail_address_configuration>>, instead.)

Reply to "Keep number of DNS-queries minimal (Dial-on-Demand)?" as one of the following.

- "No" if the system is connected to the Internet while booting.
- "Yes" if the system is **not** connected to the Internet while booting.

Set "Delivery method for local mail:" to "mbox format in /var/mail/".

Select "<Yes>" for "Split configuration into small files?:".

Create password entries for the smarthost by editing "`/etc/exim4/passwd.client`".

--------------------
$ sudo vim /etc/exim4/passwd.client
 ...
$ cat /etc/exim4/passwd.client
^smtp.*\.hostname\.dom:username@hostname.dom:password
--------------------

Start `exim4` by the following.

--------------------
$ sudo /etc/init.d/exim4 start
--------------------

The host name in "`/etc/exim4/passwd.client`" should not be an alias.  You can check the real host name with the following.

--------------------
$ host smtp.hostname.dom
smtp.hostname.dom is an alias for smtp99.hostname.dom.
smtp99.hostname.dom has address 123.234.123.89
--------------------

I use a regex in "`/etc/exim4/passwd.client`" to work around the alias issue.  SMTP AUTH probably works even if the ISP moves the host pointed to by the alias.

You can manually update `exim4` configuration by the following:

- Update `exim4` configuration files in "`/etc/exim4/`".
 * creating "`/etc/exim4/exim4.conf.localmacros`" to set MACROs and editing "`/etc/exim4/exim4.conf.template`". (non-split configuration)
 * creating new files or editing existing files in the "`/etc/exim4/exim4.conf.d`" subdirectories. (split configuration)
- Run "`invoke-rc.d exim4 reload`".

Please read the official guide at: "`/usr/share/doc/exim4-base/README.Debian.gz`" and `update-exim4.conf`(8).

CAUTION: Starting `exim4` takes long time if "No" (default value) was chosen for the debconf query of "Keep number of DNS-queries minimal (Dial-on-Demand)?" and the system is **not** connected to the Internet while booting.

WARNING: It is insecure to use plain text password without encryption even if your ISP allows it.

TIP: Although use of http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol[SMTP] with http://en.wikipedia.org/wiki/STARTTLS[STARTTLS] on port 587 is recommended, some ISPs still use deprecated http://en.wikipedia.org/wiki/SMTPS[SMTPS] (SSL on port 465).  Exim4 after 4.77 supports this deprecated SMTPS protocol for both as client and as server.

TIP: If you are looking for a light weight MTA that respects "`/etc/aliases`" for your laptop PC, you should consider configuring `exim4`(8) with "`QUEUERUNNER=@@@sq@@@queueonly@@@sq@@@`", "`QUEUERUNNER=@@@sq@@@nodaemon@@@sq@@@`", etc. in "`/etc/default/exim4`".

==== The configuration of postfix with SASL

For the Internet mail via smarthost, you should first read http://www.postfix.org/documentation.html[postfix documentation] and key manual pages.

.List of important postfix manual pages
[grid="all"]
`--------------`----------------------------------
command        function
--------------------------------------------------
`postfix`(1)   Postfix control program
`postconf`(1)  Postfix configuration utility
`postconf`(5)  Postfix configuration parameters
`postmap`(1)   Postfix lookup table maintenance
`postalias`(1) Postfix alias database maintenance
--------------------------------------------------

You (re)configure `postfix` and `sasl2-bin` packages as follows.

--------------------
$ sudo /etc/init.d/postfix stop
$ sudo dpkg-reconfigure postfix
--------------------

Choose "Internet with smarthost".

Set "SMTP relay host (blank for none):" to "`[smtp.hostname.dom]:587`" and configure it by the following.

--------------------
$ sudo postconf -e 'smtp_sender_dependent_authentication = yes'
$ sudo postconf -e 'smtp_sasl_auth_enable = yes'
$ sudo postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'
$ sudo postconf -e 'smtp_sasl_type = cyrus'
$ sudo vim /etc/postfix/sasl_passwd
--------------------

Create password entries for the smarthost.

--------------------
$ cat /etc/postfix/sasl_passwd
[smtp.hostname.dom]:587     username:password
$ sudo postmap hash:/etc/postfix/sasl_passwd
--------------------

Start `postfix` by the following.

--------------------
$ sudo /etc/init.d/postfix start
--------------------

Here the use of "`[`" and "`]`" in the `dpkg-reconfigure` dialog and in "`/etc/postfix/sasl_passwd`" ensures that the MX record is not checked and the exact host name specified is used directly.  See "Enabling SASL authentication in the Postfix SMTP client" in "`/usr/share/doc/postfix/html/SASL_README.html`".
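As an added example, not part of the Debian Reference or of either MTA, the following Python emulates how the two credential tables above are matched: exim4's "`passwd.client`" against the name of the smarthost actually connected to (which is why the regex survives the alias), and Postfix's "`sasl_passwd`" against the literal relayhost string (which is why the brackets and port must be written identically in both places).  The table contents are constructed, and the key semantics (a leading "`^`" is a regex, "`*`" a wildcard, matching case-insensitive, as in exim's nwildlsearch) are assumed and simplified.

```python
import fnmatch
import re

# Constructed sample of /etc/exim4/passwd.client (format from the exim4 section):
# host-pattern:login:password, matched against the host exim actually connected to.
EXIM_PASSWD_CLIENT = r"""
^smtp.*\.hostname\.dom:username@hostname.dom:password
"""

# Same entry with a literal host name instead of a regex (constructed).
EXIM_PASSWD_CLIENT_LITERAL = r"""
smtp.hostname.dom:username@hostname.dom:password
"""

# Same regex anchored at the end, so it cannot match a longer, unrelated name.
# The "n" in nwildlsearch means keys are not expanded, so "$" is assumed safe.
EXIM_PASSWD_CLIENT_ANCHORED = r"""
^smtp.*\.hostname\.dom$:username@hostname.dom:password
"""

# Constructed sample of /etc/postfix/sasl_passwd: the key is the relayhost
# string exactly as configured, brackets and port included.
POSTFIX_SASL_PASSWD = """
[smtp.hostname.dom]:587     username:password
"""


def _entries(table: str):
    """Yield the non-empty, non-comment lines of a lookup table."""
    for line in table.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def exim_client_credentials(resolved_host: str, table: str = EXIM_PASSWD_CLIENT):
    """Return (login, password) for the smarthost exim connected to, or None.

    Emulates nwildlsearch (assumed): "^..." keys are case-insensitive regexes,
    other keys are shell-style wildcards or literals.  Because exim looks up
    the resolved name (smtp99.hostname.dom behind the alias smtp.hostname.dom),
    a literal key naming the alias never matches.
    """
    for line in _entries(table):
        key, login, password = line.split(":", 2)  # assumes no ":" in the key
        if key.startswith("^"):
            matched = re.match(key, resolved_host, re.IGNORECASE) is not None
        else:
            matched = fnmatch.fnmatchcase(resolved_host.lower(), key.lower())
        if matched:
            return login, password
    return None


def postfix_client_credentials(relayhost: str, table: str = POSTFIX_SASL_PASSWD):
    """Return (login, password) keyed on the exact relayhost string, or None.

    Simplified: real Postfix has further fallback lookups, but the first key
    tried is the next-hop exactly as written in relayhost.
    """
    for line in _entries(table):
        key, _, creds = line.partition(" ")
        if key == relayhost:
            login, _, password = creds.strip().partition(":")
            return login, password
    return None


if __name__ == "__main__":
    print("exim, resolved host:", exim_client_credentials("smtp99.hostname.dom"))
    print("exim, literal key:  ", exim_client_credentials("smtp99.hostname.dom",
                                                          EXIM_PASSWD_CLIENT_LITERAL))
    print("postfix, relayhost: ", postfix_client_credentials("[smtp.hostname.dom]:587"))
```

Note that the unanchored regex from the text also matches a longer name such as "smtp99.hostname.domain.example"; adding "`$`" restricts it to the intended domain.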

==== The mail address configuration

There are a few http://www.debian.org/doc/debian-policy/ch-customized-programs#s-mail-transport-agents[mail address configuration files for mail transport, delivery and user agents].

.List of mail address related configuration files
[grid="all"]
`----------------------`-------------------------------------`----------------------------------------------------------------------
file                   function                              application
------------------------------------------------------------------------------------------------------------------------------------
`/etc/mailname`        default host name for (outgoing) mail Debian specific, `mailname`(5)
`/etc/email-addresses` host name spoofing for outgoing mail  `exim`(8) specific, `exim4-config_files`(5)
`/etc/postfix/generic` host name spoofing for outgoing mail  `postfix`(1) specific, activated after `postmap`(1) command execution.
`/etc/aliases`         account name alias for incoming mail  general, activated after `newaliases`(1) command execution.
------------------------------------------------------------------------------------------------------------------------------------

The **mailname** in the "`/etc/mailname`" file is usually a fully qualified domain name (FQDN) that resolves to one of the host@@@sq@@@s IP addresses.  For the mobile workstation which does not have a hostname with a resolvable IP address, set this **mailname** to the value of "`hostname -f`". (This is a safe choice and works for both `exim4-\*` and `postfix`.)

TIP: The contents of "`/etc/mailname`" are used by many non-MTA programs for their default behavior. For `mutt`, set the "`hostname`" and "`from`" variables in the `\~/.muttrc` file to override the **mailname** value.  For programs in the `devscripts` package, such as `bts`(1) and `dch`(1), export the environment variables "`$DEBFULLNAME`" and "`$DEBEMAIL`" to override it.

TIP: The `popularity-contest` package normally sends mail from the root account with the FQDN.  You need to set `MAILFROM` in `/etc/popularity-contest.conf` as described in the `/usr/share/popularity-contest/default.conf` file.  Otherwise, your mail will be rejected by the smarthost SMTP server. Although this is tedious, this approach is safer than rewriting the source address of all mail from root in the MTA and should be used for other daemons and cron scripts too.

When setting the **mailname** to "`hostname -f`", the spoofing of the source mail address via MTA can be realized by the following.

- "`/etc/email-addresses`" file for `exim4`(8) as explained in the `exim4-config_files`(5)
- "`/etc/postfix/generic`" file for `postfix`(1) as explained in the `generic`(5)

For `postfix`, the following extra steps are needed.

--------------------
# postmap hash:/etc/postfix/generic
# postconf -e 'smtp_generic_maps = hash:/etc/postfix/generic'
# postfix reload
--------------------

You can test mail address configuration using the following.

- `exim`(8) with `-brw, -bf, -bF, -bV, ...` options
- `postmap`(1) with `-q` option.

TIP: Exim comes with several utility programs such as `exiqgrep`(8) and `exipick`(8).  See "`dpkg -L exim4-base|grep man8/`" for available commands.

==== Basic MTA operations

There are several basic MTA operations.  Some may be performed via the `sendmail`(1) compatibility interface.

.List of basic MTA operation
[grid="all"]
`---------------------`-----------------------------------------`---------------------------------------------------------------
exim command          postfix command                           description
--------------------------------------------------------------------------------------------------------------------------------
`sendmail`            `sendmail`                                read mails from standard input and arrange for delivery (`-bm`)
`mailq`               `mailq`                                   list the mail queue with status and queue ID (`-bp`)
`newaliases`          `newaliases`                              initialize alias database (`-I`)
`exim4 -q`            `postqueue -f`                            flush waiting mails (`-q`)
`exim4 -qf`           `postsuper -r ALL deferred; postqueue -f` flush all mails
`exim4 -qff`          `postsuper -r ALL; postqueue -f`          flush even frozen mails
`exim4 -Mg queue_id`  `postsuper -h queue_id`                   freeze one message by its queue ID
`exim4 -Mrm queue_id` `postsuper -d queue_id`                   remove one message by its queue ID
 N/A                  `postsuper -d ALL`                        remove all messages
--------------------------------------------------------------------------------------------------------------------------------

TIP: It may be a good idea to flush all mails by a script in "`/etc/ppp/ip-up.d/*`".

=== Mail user agent (MUA)

If you subscribe to Debian related mailing lists, it may be a good idea to use such MUAs as `mutt` and `mew`, which are the de facto standard among participants and known to behave as expected.

.List of mail user agent (MUA)
[grid="all"]
`------------`-------------`------------`--------------------------------------------------------------------------------------------------
package      popcon        size         type
-------------------------------------------------------------------------------------------------------------------------------------------
`evolution`  @-@popcon1@-@ @-@psize1@-@ X GUI program (GNOME3, groupware suite)
`icedove`    @-@popcon1@-@ @-@psize1@-@ X GUI program (GNOME2, http://en.wikipedia.org/wiki/Mozilla_Corporation_software_rebranded_by_the_Debian_project[unbranded] http://en.wikipedia.org/wiki/Mozilla_Thunderbird[Mozilla Thunderbird])
`kmail`      @-@popcon1@-@ @-@psize1@-@ X GUI program (KDE)
`mutt`       @-@popcon1@-@ @-@psize1@-@ character terminal program probably used with `vim`
`mew`        @-@popcon1@-@ @-@psize1@-@ character terminal program under `(x)emacs`
-------------------------------------------------------------------------------------------------------------------------------------------

==== Basic MUA — Mutt

Customize "`\~/.muttrc`" as follows to use `mutt` as the mail user agent (MUA) in combination with `vim`.

--------------------
#
# User configuration file to override /etc/Muttrc
#
# spoof source mail address
set use_from
set hostname=example.dom
set from="Name Surname <username@example.dom>"
set signature="~/.signature"

# vim: "gq" to reformat quotes
set editor="vim -c 'set tw=72 et ft=mail'"

# "mutt" goes to Inbox, while "mutt -y" lists mailboxes
set mbox_type=Maildir           # use qmail Maildir format for creating mbox
set mbox=~/Mail                 # keep all mail boxes in $HOME/Mail/
set spoolfile=+Inbox            # mail delivered to $HOME/Mail/Inbox
set record=+Outbox              # save fcc mail to $HOME/Mail/Outbox
set postponed=+Postponed        # keep postponed in $HOME/Mail/Postponed
set move=no                     # do not move Inbox items to mbox
set quit=ask-yes                # do not quit by "q" only
set delete=yes                  # always delete w/o asking while exiting
set fcc_clear                   # store fcc as non encrypted

# Mailboxes in Maildir (automatic update)
mailboxes `cd ~/Mail; /bin/ls -1|sed -e 's/^/+/' | tr "\n" " "`
unmailboxes Maillog *.ev-summary

## Default
#set index_format="%4C %Z %{%b %d} %-15.15L (%4l) %s"
## Thread index with senders (collapse)
set index_format="%4C %Z %{%b %d} %-15.15n %?M?(#%03M)&(%4l)? %s"

## Default
#set folder_format="%2C %t %N %F %2l %-8.8u %-8.8g %8s %d %f"
## just folder names
set folder_format="%2C %t %N %f"
--------------------

Add the following to "`/etc/mailcap`" or "`\~/.mailcap`" to display HTML mail and MS Word attachments inline.

--------------------
text/html; lynx -force_html %s; needsterminal;
application/msword; /usr/bin/antiword '%s'; copiousoutput; description="Microsoft Word Text"; nametemplate=%s.doc
--------------------

TIP: Mutt can be used as the http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol[IMAP] client and the mailbox format converter.  You can tag messages with "`t`", "`T`", etc.  These tagged messages can be copied with "`;C`" between different mailboxes and deleted with "`;d`" in one action.

=== The remote mail retrieval and forward utility

Instead of running an MUA to access remote mail and to process it manually, you may wish to automate such a process to have all the mail delivered to the local host.  The remote mail retrieval and forward utility is the tool for you.

Although `fetchmail`(1) has been the de facto standard for remote mail retrieval on GNU/Linux, the author likes `getmail`(1) now.  If you want to reject mail before downloading it to save bandwidth, `mailfilter` or `mpop` may be useful.  Whichever mail retriever utility is used, it is a good idea to configure the system to deliver retrieved mail to an MDA, such as `maildrop`, via a pipe.

.List of remote mail retrieval and forward utilities
[grid="all"]
`------------`-------------`------------`-------------------------------------------------------------------
package      popcon        size         description
-------------------------------------------------------------------------------------------------------------
`fetchmail`  @-@popcon1@-@ @-@psize1@-@ mail retriever (POP3, APOP, IMAP) (old)
`getmail4`   @-@popcon1@-@ @-@psize1@-@ mail retriever (POP3, IMAP4, and SDPS) (simple, secure, and reliable)
`mailfilter` @-@popcon1@-@ @-@psize1@-@ mail retriever (POP3) with regex filtering capability
`mpop`       @-@popcon1@-@ @-@psize1@-@ mail retriever (POP3) and MDA with filtering capability
-------------------------------------------------------------------------------------------------------------

==== getmail configuration

`getmail`(1) configuration is described in http://pyropus.ca/software/getmail/documentation.html[getmail documentation]. Here is my setup to access multiple POP3 accounts as a user.

Create "`/usr/local/bin/getmails`" as follows.

--------------------
#!/bin/sh
# Run getmail once for every rc file in $HOME/.getmail/config/,
# refusing to start while a previous run is still marked as running.
set -e
if [ -f "$HOME/.getmail/running" ]; then
  echo "getmail is already running ... (if not, remove $HOME/.getmail/running)" >&2
  pgrep -l "getmai[l]"
  exit 1
else
  echo "getmail has not been running ... " >&2
fi
# Touch $HOME/.getmail/stop to suspend retrieval without editing cron
if [ -f "$HOME/.getmail/stop" ]; then
  echo "do not run getmail ... (if not, remove $HOME/.getmail/stop)" >&2
  exit
fi
if [ "x$1" = "x-l" ]; then
  exit
fi
# Build one getmail command line with an --rcfile option per account
rcfiles="/usr/bin/getmail"
for file in "$HOME"/.getmail/config/* ; do
  rcfiles="$rcfiles --rcfile $file"
done
# The marker file is only removed on success (set -e), so a failed run
# leaves it behind and the next run reports it instead of starting
date -u > "$HOME/.getmail/running"
eval "$rcfiles $@"
rm "$HOME/.getmail/running"
--------------------

Configure it as the following.

--------------------
$ sudo chmod 755 /usr/local/bin/getmails
$ mkdir -m 0700 $HOME/.getmail
$ mkdir -m 0700 $HOME/.getmail/config
$ mkdir -m 0700 $HOME/.getmail/log
--------------------

Create a configuration file "`$HOME/.getmail/config/pop3_name`" for each POP3 account as the following.

--------------------
[retriever]
type = SimplePOP3SSLRetriever
server = pop.example.com
username = pop3_name@example.com
password = <your-password>

[destination]
type = MDA_external
path = /usr/bin/maildrop
unixfrom = True

[options]
verbose = 0
delete = True
delivered_to = False
message_log = ~/.getmail/log/pop3_name.log
--------------------

Configure it as the following.

--------------------
$ chmod 0600 $HOME/.getmail/config/*
--------------------

Schedule "`/usr/local/bin/getmails`" to run every 15 minutes with `cron`(8) by executing "`sudo crontab -e -u <user_name>`" and adding the following to the user's cron entry.

--------------------
5,20,35,50 * * * * /usr/local/bin/getmails --quiet
--------------------

TIP: Problems with POP3 access may not come from `getmail`. Some popular free POP3 services may be violating the POP3 protocol, and their SPAM filters may not be perfect.  For example, they may delete messages right after receiving the RETR command, before receiving the DELE command, and they may quarantine messages into a Spam mailbox.  You should minimize the damage by configuring them to archive accessed messages rather than delete them. See also http://mail.google.com/support/bin/answer.py?answer=13291&topic=1555["Some mail was not downloaded"].

==== fetchmail configuration

`fetchmail`(1) configuration is set by "`/etc/default/fetchmail`", "`/etc/fetchmailrc`" and "`$HOME/.fetchmailrc`".  See its example in "`/usr/share/doc/fetchmail/examples/fetchmailrc.example`".

=== Mail delivery agent (MDA) with filter

Most MTA programs, such as `postfix` and `exim4`, function as an MDA (mail delivery agent). There are also specialized MDAs with filtering capabilities.

Although `procmail`(1) has been the de facto standard MDA with filter on GNU/Linux, the author likes `maildrop`(1) now.  Whichever filtering utility is used, it is a good idea to configure the system to deliver filtered mails to a http://en.wikipedia.org/wiki/Maildir[qmail-style Maildir].

.List of MDA with filter
[grid="all"]
`-----------`-------------`------------`--------------------------------------
package     popcon        size         description
------------------------------------------------------------------------------
`procmail`  @-@popcon1@-@ @-@psize1@-@ MDA with filter (old)
`mailagent` @-@popcon1@-@ @-@psize1@-@ MDA with Perl filter
`maildrop`  @-@popcon1@-@ @-@psize1@-@ MDA with structured filtering language
------------------------------------------------------------------------------

==== maildrop configuration

`maildrop`(1) configuration is described in http://www.courier-mta.org/maildrop/maildropfilter.html[maildropfilter documentation].  Here is a configuration example for "`$HOME/.mailfilter`".

--------------------
# Local configuration
MAILROOT="$HOME/Mail"
# set this to /etc/mailname contents
MAILHOST="example.dom"
logfile $HOME/.maildroplog

# rules are made to override the earlier value by the later one.

# mailing list mails ?
if (     /^Precedence:.*list/:h || /^Precedence:.*bulk/:h )
{
    # rules for mailing list mails
    # default mailbox for mails from mailing list
    MAILBOX="Inbox-list"
    # default mailbox for mails from debian.org
    if ( /^(Sender|Resent-From|Resent-Sender): .*debian.org/:h )
    {
        MAILBOX="service.debian.org"
    }
    # default mailbox for mails from bugs.debian.org (BTS)
    if ( /^(Sender|Resent-From|Resent-sender): .*@bugs.debian.org/:h )
    {
        MAILBOX="bugs.debian.org"
    }
    # mailbox for each properly maintained mailing list with "List-Id: foo" or "List-Id: ...<foo.bar>"
    if ( /^List-Id: ([^<]*<)?([^<>]*)>?/:h )
    {
        MAILBOX="$MATCH2"
    }
}
else
{
    # rules for non-mailing list mails
    # default incoming box
    MAILBOX="Inbox-unusual"
    # local mails
    if ( /Envelope-to: .*@$MAILHOST/:h )
    {
        MAILBOX="Inbox-local"
    }
    # html mails (99% spams)
    if ( /DOCTYPE html/:b ||\
         /^Content-Type: text\/html/ )
    {
        MAILBOX="Inbox-html"
    }
    # blacklist rule for spams
    if ( /^X-Advertisement/:h ||\
         /^Subject:.*BUSINESS PROPOSAL/:h ||\
         /^Subject:.*URGENT.*ASISSTANCE/:h ||\
         /^Subject: *I NEED YOUR ASSISTANCE/:h )
    {
        MAILBOX="Inbox-trash"
    }
    # whitelist rule for normal mails
    if ( /^From: .*@debian.org/:h ||\
         /^(Sender|Resent-From|Resent-Sender): .*debian.org/:h ||\
         /^Subject: .*(debian|bug|PATCH)/:h )
    {
        MAILBOX="Inbox"
    }
    # whitelist rule for BTS related mails
    if ( /^Subject: .*Bug#.*/:h ||\
         /^(To|Cc): .*@bugs.debian.org/:h )
    {
        MAILBOX="bugs.debian.org"
    }
    # whitelist rule for getmails cron mails
    if ( /^Subject: Cron .*getmails/:h )
    {
        MAILBOX="Inbox-getmails"
    }
}

# check existence of $MAILBOX
`test -d $MAILROOT/$MAILBOX`
if ( $RETURNCODE == 1 )
{
    # create maildir mailbox for $MAILBOX
    `maildirmake $MAILROOT/$MAILBOX`
}
# deliver to maildir $MAILBOX
to "$MAILROOT/$MAILBOX/"
exit
--------------------

WARNING: Unlike `procmail`, `maildrop` does not create missing maildir directories automatically.  You must create them manually using `maildirmake`(1) in advance as in the example "`$HOME/.mailfilter`".

==== procmail configuration

Here is a similar configuration with "`$HOME/.procmailrc`" for `procmail`(1).

--------------------
MAILDIR=$HOME/Maildir
DEFAULT=$MAILDIR/Inbox/
LOGFILE=$MAILDIR/Maillog
# clearly bad looking mails: drop them into X-trash and exit
:0
* 1^0 ^X-Advertisement
* 1^0 ^Subject:.*BUSINESS PROPOSAL
* 1^0 ^Subject:.*URGENT.*ASISSTANCE
* 1^0 ^Subject: *I NEED YOUR ASSISTANCE
X-trash/

# Delivering mailing list messages
:0
* 1^0 ^Precedence:.*list
* 1^0 ^Precedence:.*bulk
* 1^0 ^List-
* 1^0 ^X-Distribution:.*bulk
{
:0
* 1^0 ^Return-path:.*debian-devel-admin@debian.or.jp
jp-debian-devel/

:0
* ^Resent-Sender.*debian-user-request@lists.debian.org
debian-user/

:0
* ^Resent-Sender.*debian-devel-request@lists.debian.org
debian-devel/

:0
* ^Resent-Sender.*debian-announce-request@lists.debian.org
debian-announce/

:0
mailing-list/
}

:0
Inbox/
--------------------

==== Redeliver mbox contents

You need to manually deliver mails from "`/var/mail/<username>`" to the sorted mailboxes in your home directory if your home directory became full and `procmail`(1) failed.  After freeing disk space in the home directory, run the following.

--------------------
# /etc/init.d/${MAILDAEMON} stop
# formail -s procmail </var/mail/<username>
# /etc/init.d/${MAILDAEMON} start
--------------------

=== POP3/IMAP4 server

If you run a private server on a LAN, you may consider running a http://en.wikipedia.org/wiki/Post_Office_Protocol[POP3] / http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol[IMAP4] server to deliver mail to LAN clients.

.List of POP3/IMAP4 servers
[grid="all"]
`-----------------`-------------`------------`----`----------------------------------------------------------
package           popcon        size         type description
-------------------------------------------------------------------------------------------------------------
`courier-pop`     @-@popcon1@-@ @-@psize1@-@ POP3 Courier mail server - POP3 server (maildir format only)
`cyrus-pop3d`     @-@popcon1@-@ @-@psize1@-@ POP3 Cyrus mail system (POP3 support)
`courier-imap`    @-@popcon1@-@ @-@psize1@-@ IMAP Courier mail server - IMAP server (maildir format only)
`cyrus-imapd`     @-@popcon1@-@ @-@psize1@-@ IMAP Cyrus mail system (IMAP support)
-------------------------------------------------------------------------------------------------------------

=== The print server and utilities

On older Unix-like systems, the BSD http://en.wikipedia.org/wiki/Line_Printer_Daemon_protocol[Line printer daemon] was the standard.  Since the standard print output format of free software on Unix-like systems is PostScript, a filter system was used together with http://en.wikipedia.org/wiki/Ghostscript[Ghostscript] to enable printing on non-PostScript printers.

Recently, the http://en.wikipedia.org/wiki/Common_Unix_Printing_System[Common UNIX Printing System] (CUPS) has become the new de facto standard.  CUPS uses the http://en.wikipedia.org/wiki/Internet_Printing_Protocol[Internet Printing Protocol] (IPP). IPP is now supported by other OSs such as Windows XP and Mac OS X and has become the new cross-platform de facto standard for remote printing with bi-directional communication capability.

The standard printable data format for applications on the Debian system is http://en.wikipedia.org/wiki/PostScript[PostScript (PS)], which is a page description language.  The data in PS format is fed into the Ghostscript PostScript interpreter to produce the printable data specific to the printer.  See <<_ghostscript>>.

Thanks to the file format dependent auto-conversion feature of the CUPS system, simply feeding any data to the `lpr` command should generate the expected print output. (In CUPS, `lpr` can be enabled by installing the `cups-bsd` package.)

The Debian system has some notable packages for the print servers and utilities.

.List of print servers and utilities
[grid="all"]
`---------------------------`-------------`------------`--------------`----------------------------------------------------------------------
package                     popcon        size         port           description
------------------------------------------------------------------------------------------------------------------------------------------
`lpr`                       @-@popcon1@-@ @-@psize1@-@ printer (515)  BSD lpr/lpd (http://en.wikipedia.org/wiki/Line_Printer_Daemon_protocol[Line printer daemon])
`lprng`                     @-@popcon1@-@ @-@psize1@-@ , ,            , , (Enhanced)
`cups`                      @-@popcon1@-@ @-@psize1@-@ IPP (631)      Internet Printing CUPS server
`cups-client`               @-@popcon1@-@ @-@psize1@-@ , ,            http://en.wikipedia.org/wiki/System_V_printing_system[System V printer commands] for CUPS: `lp`(1), `lpstat`(1), `lpoptions`(1), `cancel`(1), `lpmove`(8), `lpinfo`(8), `lpadmin`(8), ...
`cups-bsd`                  @-@popcon1@-@ @-@psize1@-@ , ,            http://en.wikipedia.org/wiki/Line_Printer_Daemon_protocol[BSD printer commands] for CUPS: `lpr`(1), `lpq`(1), `lprm`(1), `lpc`(8)
`printer-driver-gutenprint` @-@popcon1@-@ @-@psize1@-@ Not applicable printer drivers for CUPS
------------------------------------------------------------------------------------------------------------------------------------------

TIP: You can configure CUPS system by pointing your web browser to "http://localhost:631/[http://localhost:631/]" .

=== The remote access server and utilities (SSH)

The http://en.wikipedia.org/wiki/Secure_Shell[Secure SHell] (SSH) is the **secure** way to connect over the Internet.  A free version of SSH called http://www.openssh.org/[OpenSSH] is available as the `openssh-client` and `openssh-server` packages in Debian.

.List of remote access server and utilities
[grid="all"]
`------------------------`-------------`------------`---------------------------`-------------------------------------------------
package                  popcon        size         tool                        description
----------------------------------------------------------------------------------------------------------------------------------
`openssh-client`         @-@popcon1@-@ @-@psize1@-@ `ssh`(1)                    Secure shell client
`openssh-server`         @-@popcon1@-@ @-@psize1@-@ `sshd`(8)                   Secure shell server
`ssh-askpass-fullscreen` @-@popcon1@-@ @-@psize1@-@ `ssh-askpass-fullscreen`(1) asks user for a pass phrase for ssh-add (GNOME2)
`ssh-askpass`            @-@popcon1@-@ @-@psize1@-@ `ssh-askpass`(1)            asks user for a pass phrase for ssh-add (plain X)
----------------------------------------------------------------------------------------------------------------------------------

CAUTION: See <<_extra_security_measures_for_the_internet>> if your SSH is accessible from the Internet.

TIP: Use the `screen`(1) program so that a remote shell process survives an interrupted connection (see <<_the_screen_program>>).

==== Basics of SSH

WARNING: "`/etc/ssh/sshd_not_to_be_run`" must not be present if one wishes to run the OpenSSH server.

SSH has two protocol versions, each with its own set of authentication methods.

.List of SSH authentication protocols and methods
[grid="all"]
`------------`-----------------------------------`----------------------------------------------------------------------------------------
SSH protocol SSH method                          description
------------------------------------------------------------------------------------------------------------------------------------------
SSH-1        "`RSAAuthentication`"               RSA identity key based user authentication
, ,          "`RhostsAuthentication`"            "`.rhosts`" based host authentication (insecure, disabled)
, ,          "`RhostsRSAAuthentication`"         "`.rhosts`" based host authentication combined with RSA host key (disabled)
, ,          "`ChallengeResponseAuthentication`" RSA challenge-response authentication
, ,          "`PasswordAuthentication`"          password based authentication
SSH-2        "`PubkeyAuthentication`"            public key based user authentication
, ,          "`HostbasedAuthentication`"         "`\~/.rhosts`" or "`/etc/hosts.equiv`" based host authentication combined with public key client host authentication (disabled)
, ,          "`ChallengeResponseAuthentication`" challenge-response authentication
, ,          "`PasswordAuthentication`"          password based authentication
------------------------------------------------------------------------------------------------------------------------------------------

CAUTION: Be careful about these differences if you are using a non-Debian system.

See "`/usr/share/doc/ssh/README.Debian.gz`", `ssh`(1), `sshd`(8), `ssh-agent`(1), and `ssh-keygen`(1) for details.

The key configuration files are the following.

.List of SSH configuration files
[grid="all"]
`-------------------------`--------------------------------------------------------------------------------------------------
configuration file        description of configuration file
-----------------------------------------------------------------------------------------------------------------------------
`/etc/ssh/ssh_config`     SSH client defaults, see `ssh_config`(5)
`/etc/ssh/sshd_config`    SSH server defaults, see `sshd_config`(5)
`\~/.ssh/authorized_keys` default public SSH keys that clients use to connect to this account on this SSH server
`\~/.ssh/identity`        secret SSH-1 RSA key of the user
`\~/.ssh/id_rsa`          secret SSH-2 RSA key of the user
`\~/.ssh/id_dsa`          secret SSH-2 DSA key of the user
-----------------------------------------------------------------------------------------------------------------------------

TIP: See `ssh-keygen`(1), `ssh-add`(1) and `ssh-agent`(1) for how to use public and secret SSH keys.

TIP: Make sure to verify settings by testing the connection.  In case of any problem, use "`ssh -v`".

TIP: You can change the pass phrase to encrypt local secret SSH keys later with "`ssh-keygen -p`".

TIP: You can add options to the entries in "`\~/.ssh/authorized_keys`" to limit hosts and to run specific commands.  See `sshd`(8) for details.

The following starts an `ssh`(1) connection from a client.

.List of SSH client startup examples
[grid="all"]
`--------------------------------------------------------------------------`-------------------------------------------------
command                                                                    description
-----------------------------------------------------------------------------------------------------------------------------
`ssh username@hostname.domain.ext`                                         connect with default mode
`ssh -v username@hostname.domain.ext`                                      connect with default mode with debugging messages
`ssh -1 username@hostname.domain.ext`                                      force to connect with SSH version 1
`ssh -1 -o RSAAuthentication=no -l username hostname.domain.ext`           force to use password with SSH version 1
`ssh -o PreferredAuthentications=password -l username hostname.domain.ext` force to use password with SSH version 2
-----------------------------------------------------------------------------------------------------------------------------

If you use the same user name on the local and the remote host, you can omit typing "`username@`".  Even if you use a different user name on the local and the remote host, you can omit it by using "`\~/.ssh/config`".  For the http://alioth.debian.org/[Debian Alioth service] with account name "`foo-guest`", you set "`\~/.ssh/config`" to contain the following.

--------------------
Host alioth.debian.org svn.debian.org git.debian.org
    User foo-guest
--------------------

For the user, `ssh`(1) functions as a smarter and more secure `telnet`(1).  Unlike the `telnet` command, the `ssh` command does not stop on the `telnet` escape character (initial default CTRL-]).

==== Port forwarding for SMTP/POP3 tunneling

To establish a pipe to port 25 of `remote-server` from port 4025 of `localhost`, and to port 110 of `remote-server` from port 4110 of `localhost`, through `ssh`, execute the following on the local host.

--------------------
# ssh -q -L 4025:remote-server:25 -L 4110:remote-server:110 username@remote-server
--------------------

This is a secure way to make connections to SMTP/POP3 servers over the Internet.  Set the "`AllowTcpForwarding`" entry to "`yes`" in "`/etc/ssh/sshd_config`" of the remote host.

==== Connecting without remote passwords

One can avoid having to remember passwords for remote systems by using "`RSAAuthentication`" (SSH-1 protocol) or "`PubkeyAuthentication`" (SSH-2 protocol).

On the remote system, set the respective entries, "`RSAAuthentication yes`" or "`PubkeyAuthentication yes`", in "`/etc/ssh/sshd_config`".

Generate authentication keys locally and install the public key on the remote system by the following.

- "`RSAAuthentication`": RSA key for SSH-1 (deprecated because it has been superseded)

--------------------
$ ssh-keygen
$ cat .ssh/identity.pub | ssh user1@remote "cat - >>.ssh/authorized_keys"
--------------------

- "`PubkeyAuthentication`": RSA key for SSH-2

--------------------
$ ssh-keygen -t rsa
$ cat .ssh/id_rsa.pub | ssh user1@remote "cat - >>.ssh/authorized_keys"
--------------------

- "`PubkeyAuthentication`": DSA key for SSH-2 (deprecated because it is slow)

--------------------
$ ssh-keygen -t dsa
$ cat .ssh/id_dsa.pub | ssh user1@remote "cat - >>.ssh/authorized_keys"
--------------------

TIP: Use of a DSA key for SSH-2 is deprecated because the key is smaller and slower. There is no longer any reason to work around the RSA patent by using DSA, since that patent has expired.  DSA stands for http://en.wikipedia.org/wiki/Digital_Signature_Algorithm[Digital Signature Algorithm]. Also see http://www.debian.org/security/2008/dsa-1571[DSA-1571-1].

NOTE: For "`HostbasedAuthentication`" to work in SSH-2, you must adjust the settings of "`HostbasedAuthentication`" to "`yes`" in both "`/etc/ssh/sshd_config`" on the server host and "`/etc/ssh/ssh_config`" or "`\~/.ssh/config`" on the client host.
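
Each key installed above becomes one line of "`\~/.ssh/authorized_keys`", and the options mentioned in the earlier TIP are what limit its use.  The following Python script is an added example, not part of the Debian Reference, that parses such lines (options, key type, key size decoded from the base64 blob) and reports entries that are DSA, short RSA keys, or carry no restricting option; the 2048-bit RSA threshold and the list of restricting options are the example's own assumptions.

```python
import base64
import re
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# Options from sshd(8) "AUTHORIZED_KEYS FILE FORMAT" that narrow what a key may do
# ("restrict" needs OpenSSH 7.2 or later).
RESTRICTING_OPTIONS = {"from", "command", "permitopen", "no-pty", "no-port-forwarding",
                       "no-agent-forwarding", "no-x11-forwarding", "restrict"}
MIN_RSA_BITS = 2048   # policy threshold assumed by this example, not a value from the page

# One option: bare characters, or a double-quoted string that may hold spaces and commas.
_OPT = r'(?:[^\s,"]|"(?:[^"\\]|\\.)*")+'
# Line layout: [options] key-type base64-blob [comment]
_LINE = re.compile(r'^(?:(?P<opts>%s(?:,%s)*)\s+)?(?P<type>%s)\s+(?P<blob>\S+)(?:\s+(?P<comment>.*))?$'
                   % (_OPT, _OPT, "|".join(KEY_TYPES)))


def ssh_strings(blob):
    """Decode the SSH public key wire format: a sequence of (uint32 length, bytes) fields."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated string")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields


def key_bits(keytype, fields):
    """Key size in bits from the decoded fields (RSA: modulus n, DSA: prime p)."""
    if keytype == "ssh-rsa":            # fields: "ssh-rsa", e, n
        return int.from_bytes(fields[2], "big").bit_length()
    if keytype == "ssh-dss":            # fields: "ssh-dss", p, q, g, y
        return int.from_bytes(fields[1], "big").bit_length()
    if keytype == "ssh-ed25519":
        return 256
    return int(keytype[-3:])            # ecdsa-sha2-nistpNNN


def audit_line(line):
    """Audit one authorized_keys line; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _LINE.match(line)
    if not m:
        raise ValueError("unparsable authorized_keys line")
    keytype, options = m.group("type"), re.findall(_OPT, m.group("opts") or "")
    names = {o.split("=", 1)[0].lower() for o in options}
    fields = ssh_strings(base64.b64decode(m.group("blob"), validate=True))
    bits = key_bits(keytype, fields)
    findings = []
    if fields[0] != keytype.encode("ascii"):
        findings.append("key blob type %r differs from the declared type" % fields[0])
    if keytype == "ssh-dss":
        findings.append("DSA key: deprecated (small and slow)")
    if keytype == "ssh-rsa" and bits < MIN_RSA_BITS:
        findings.append("RSA key is only %d bits" % bits)
    if not names & RESTRICTING_OPTIONS:
        findings.append("no restricting option (consider from= and/or command=)")
    return {"type": keytype, "bits": bits, "comment": m.group("comment") or "",
            "options": options, "findings": findings}


def audit_file(path):
    """Audit every key line of an authorized_keys file, e.g. ~/.ssh/authorized_keys."""
    with open(path) as f:
        return [r for r in map(audit_line, f) if r is not None]


def encode_rsa_pubkey(e, n):
    """Inverse of ssh_strings for RSA: the base64 blob found in id_rsa.pub (used to build test keys)."""
    def mpint(x):   # big-endian, with a leading zero byte when needed to keep the value positive
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")
        return struct.pack(">I", len(b)) + b
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return base64.b64encode(blob).decode("ascii")
```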

==== Dealing with alien SSH clients

There are some free http://en.wikipedia.org/wiki/Secure_Shell[SSH] clients available for other platforms.

.List of free SSH clients for other platforms
[grid="all"]
`-----------------`-----------------------------------------------------------------
environment       free SSH program
------------------------------------------------------------------------------------
Windows           PuTTY (http://www.chiark.greenend.org.uk/\~sgtatham/putty/) (GPL)
Windows (cygwin)  SSH in cygwin (http://www.cygwin.com/) (GPL)
Macintosh Classic macSSH (http://www.macssh.com/) (GPL)
Mac OS X          OpenSSH; use `ssh` in the Terminal application (GPL)
------------------------------------------------------------------------------------

==== Setting up ssh-agent

It is safer to protect your SSH authentication secret keys with a pass phrase.  If a pass phrase was not set, use "`ssh-keygen -p`" to set it.

Place your public SSH key (e.g.  "`\~/.ssh/id_rsa.pub`") into "`\~/.ssh/authorized_keys`" on a remote host using a password-based connection to the remote host as described above.

--------------------
$ ssh-agent bash
$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/<username>/.ssh/id_rsa:
Identity added: /home/<username>/.ssh/id_rsa (/home/<username>/.ssh/id_rsa)
--------------------

From here on, no remote password is needed, for example for the following command.

--------------------
$ scp foo <username>@remote.host:foo
--------------------

Press \^D to terminate the ssh-agent session.

For the X server, the normal Debian startup script executes `ssh-agent` as the parent process.  So you only need to execute `ssh-add` once. For more, read `ssh-agent`(1) and `ssh-add`(1).

==== How to shutdown the remote system on SSH

You need to protect the process executing "`shutdown -h now`" (see <<_how_to_shutdown_the_system>>) from being killed when the SSH session terminates, by submitting it through the `at`(1) command (see <<_scheduling_tasks_once>>) as follows.

--------------------
# echo "shutdown -h now" | at now
--------------------

Running "`shutdown -h now`" in `screen`(1) (see <<_the_screen_program>>) session is another way to do the same.

==== Troubleshooting SSH

If you have problems, check the permissions of configuration files and run `ssh` with the "`-v`" option.

Use the "`-p`" option if you are root and have trouble with a firewall; this avoids the use of server ports 1 -- 1023.

If `ssh` connections to a remote site suddenly stop working, it may be the result of tinkering by the sysadmin, most likely a change of the "`host_key`" during system maintenance.  After making sure this is the case and that nobody is trying to impersonate the remote host by some clever hack, you can regain the connection by removing the "`host_key`" entry from "`\~/.ssh/known_hosts`" on the local host.

=== Other network application servers

Here are other network application servers.

.List of other network application servers
[grid="all"]
`---------------------`-------------`------------`----------------------------------------------------------------------`--------------------------------------------------------------------------------------------------------------------------
package               popcon        size         protocol                                                               description
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
`telnetd`             @-@popcon1@-@ @-@psize1@-@ http://en.wikipedia.org/wiki/TELNET[TELNET]                            TELNET server
`telnetd-ssl`         @-@popcon1@-@ @-@psize1@-@ , ,                                                                    , , (SSL support)
`nfs-kernel-server`   @-@popcon1@-@ @-@psize1@-@ http://en.wikipedia.org/wiki/Network_File_System_(protocol)[NFS]       Unix file sharing
`samba`               @-@popcon1@-@ @-@psize1@-@ http://en.wikipedia.org/wiki/Server_Message_Block[SMB]                 Windows file and printer sharing
`netatalk`            @-@popcon1@-@ @-@psize1@-@ http://en.wikipedia.org/wiki/AppleTalk[ATP]                            Apple/Mac file and printer sharing (AppleTalk)
`proftpd-basic`       @-@popcon1@-@ @-@psize1@-@ http://en.wikipedia.org/wiki/File_Transfer_Protocol[FTP]               General file download
`apache2`             @-@popcon1@-@ @-@psize1@-@ http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol[HTTP]         General web server
`squid`               @-@popcon1@-@ @-@psize1@-@ , ,                                                                    General web http://en.wikipedia.org/wiki/Proxy_server[proxy server]
`squid3`              @-@popcon1@-@ @-@psize1@-@ , ,                                                                    , ,
`slpd`                @-@popcon1@-@ @-@psize1@-@ http://en.wikipedia.org/wiki/Service_Location_Protocol[SLP]            http://www.openslp.org/[OpenSLP] Server as http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol[LDAP] server
`bind9`               @-@popcon1@-@ @-@psize1@-@ http://en.wikipedia.org/wiki/Domain_Name_System[DNS]                   IP address for other hosts
`isc-dhcp-server`     @-@popcon1@-@ @-@psize1@-@ http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol[DHCP] IP address of client itself
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Common Internet File System Protocol (CIFS) is the same protocol as http://en.wikipedia.org/wiki/Server_Message_Block[Server Message Block (SMB)] and is used widely by Microsoft Windows.

TIP: See <<_the_modern_centralized_system_management>> for integration of server systems.

TIP: The hostname resolution is usually provided by the http://en.wikipedia.org/wiki/Domain_Name_System[DNS] server.  For the host IP address dynamically assigned by http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol[DHCP], http://en.wikipedia.org/wiki/Dynamic_DNS[Dynamic DNS] can be set up for the hostname resolution using `bind9` and `isc-dhcp-server` as described in the http://wiki.debian.org/DDNS[DDNS page on the Debian wiki].

TIP: Using a proxy server such as `squid` is far more efficient at saving bandwidth than running a local mirror server with the full Debian archive contents.

=== Other network application clients

Here are other network application clients.

.List of network application clients
[grid="all"]
`-----------------`-------------`------------`---------------------------------------------------------------------------------------------------------------------------`----------------------
package           popcon        size         protocol                                                                                                                    description
------------------------------------------------------------------------------------------------------------------------------------------
`netcat`          @-@popcon1@-@ @-@psize1@-@ http://en.wikipedia.org/wiki/TCP/IP[TCP/IP]                                                                                 TCP/IP swiss army knife
`openssl`         @-@popcon1@-@ @-@psize1@-@ http://en.wikipedia.org/wiki/Transport_Layer_Security[SSL]                                                                  Secure Socket Layer (SSL) binary and related cryptographic tools
`stunnel4`        @-@popcon1@-@ @-@psize1@-@ , ,                                                                                                                         universal SSL Wrapper
`telnet`          @-@popcon1@-@ @-@psize1@-@ http://en.wikipedia.org/wiki/TELNET[TELNET]                                                                                 TELNET client
`telnet-ssl`      @-@popcon1@-@ @-@psize1@-@ , ,                                                                                                                         , , (SSL support)
`nfs-common`      @-@popcon1@-@ @-@psize1@-@ http://en.wikipedia.org/wiki/Network_File_System_(protocol)[NFS]                                                            Unix file sharing
`smbclient`       @-@popcon1@-@ @-@psize1@-@ http://en.wikipedia.org/wiki/Server_Message_Block[SMB]                                                                      MS Windows file and printer sharing client
`cifs-utils`      @-@popcon1@-@ @-@psize1@-@ , ,                                                                                                                         mount and umount commands for remote MS Windows file
`ftp`             @-@popcon1@-@ @-@psize1@-@ http://en.wikipedia.org/wiki/File_Transfer_Protocol[FTP]                                                                    FTP client
`lftp`            @-@popcon1@-@ @-@psize1@-@ , ,                                                                                                                         , ,
`ncftp`           @-@popcon1@-@ @-@psize1@-@ , ,                                                                                                                         full screen FTP client
`wget`            @-@popcon1@-@ @-@psize1@-@ http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol[HTTP] and http://en.wikipedia.org/wiki/File_Transfer_Protocol[FTP] web downloader
`curl`            @-@popcon1@-@ @-@psize1@-@ , ,                                                                                                                         , ,
`axel`            @-@popcon1@-@ @-@psize1@-@ , ,                                                                                                                         accelerated downloader
`aria2`           @-@popcon1@-@ @-@psize1@-@ , ,                                                                                                                         accelerated downloader with http://en.wikipedia.org/wiki/BitTorrent_(protocol)[BitTorrent] and http://en.wikipedia.org/wiki/Metalink[Metalink] supports
`bind9-host`      @-@popcon1@-@ @-@psize1@-@ http://en.wikipedia.org/wiki/Domain_Name_System[DNS]                                                                        `host`(1) from bind9, "`Priority: standard`"
`dnsutils`        @-@popcon1@-@ @-@psize1@-@ , ,                                                                                                                         `dig`(1) from bind, "`Priority: standard`"
`isc-dhcp-client` @-@popcon1@-@ @-@psize1@-@ http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol[DHCP]                                                      obtain IP address
`ldap-utils`      @-@popcon1@-@ @-@psize1@-@ http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol[LDAP]                                                    obtain data from LDAP server
------------------------------------------------------------------------------------------------------------------------------------------

=== The diagnosis of the system daemons

The `telnet` program lets you connect to system daemons by hand and diagnose them.

For testing a plain http://en.wikipedia.org/wiki/Post_Office_Protocol[POP3] service, try the following.

--------------------
$ telnet mail.ispname.net pop3
--------------------

For testing the http://en.wikipedia.org/wiki/Transport_Layer_Security[TLS]/SSL enabled http://en.wikipedia.org/wiki/Post_Office_Protocol[POP3] service offered by some ISPs, you need a TLS/SSL enabled client from the `telnet-ssl` or `openssl` packages.

--------------------
$ telnet -z ssl pop.gmail.com 995
--------------------

--------------------
$ openssl s_client -connect pop.gmail.com:995
--------------------
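
Typing the POP3 dialogue into `telnet` or `openssl s_client` by hand is error-prone.  The following Python script is an added example, not part of the Debian Reference, that performs the same greeting, CAPA and QUIT exchange over a certificate-verified TLS connection (or in plaintext on port 110 with `use_tls=False`), parses the +OK/-ERR and multi-line responses as RFC 1939 and RFC 2449 describe them, and reports whether the daemon advertises STLS and plaintext USER/PASS login; the transcript-replay helper and the default host are the example's own.

```python
import io
import socket
import ssl


def read_line(rfile):
    """Read one CRLF-terminated POP3 line; the server closing mid-dialogue is an error."""
    raw = rfile.readline()
    if not raw:
        raise ConnectionError("server closed the connection")
    return raw.rstrip(b"\r\n").decode("utf-8", "replace")


def read_multiline(rfile):
    """Read a multi-line response body up to the lone '.' terminator (RFC 1939, section 3)."""
    lines = []
    while True:
        line = read_line(rfile)
        if line == ".":
            return lines
        if line.startswith(".."):   # undo the byte-stuffing of lines that begin with '.'
            line = line[1:]
        lines.append(line)


def send_command(rfile, wfile, cmd, multiline=False):
    """Send one command; return (status line, body lines or None for -ERR / single-line replies)."""
    wfile.write((cmd + "\r\n").encode("ascii"))
    wfile.flush()
    status = read_line(rfile)
    if not status.startswith("+OK"):
        return status, None             # "-ERR ...": refused or not implemented
    return status, (read_multiline(rfile) if multiline else None)


def probe_pop3(rfile, wfile):
    """Run the greeting / CAPA / QUIT dialogue one would type into telnet and summarise it."""
    greeting = read_line(rfile)
    if not greeting.startswith("+OK"):
        raise ValueError("unexpected greeting: " + greeting)
    status, caps = send_command(rfile, wfile, "CAPA", multiline=True)
    # each CAPA line is "NAME [arguments]"; keep the name only
    capabilities = [c.split()[0].upper() for c in caps if c.strip()] if caps is not None else []
    send_command(rfile, wfile, "QUIT")
    return {
        "greeting": greeting,
        "capa_supported": caps is not None,           # CAPA (RFC 2449) is optional
        "capabilities": capabilities,
        "offers_stls": "STLS" in capabilities,        # plaintext session upgradable to TLS?
        "allows_user_pass": "USER" in capabilities,   # plaintext USER/PASS login advertised?
    }


def open_pop3(host, port=995, use_tls=True, timeout=10.0):
    """Connect to a POP3 server (certificate verified when use_tls) and return (rfile, wfile)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    return sock.makefile("rb"), sock.makefile("wb")


def probe_transcript(server_bytes):
    """Replay a captured or constructed server transcript offline; returns (summary, bytes sent)."""
    client = io.BytesIO()
    summary = probe_pop3(io.BytesIO(server_bytes), client)
    return summary, client.getvalue()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "pop.gmail.com"   # the page's example server
    print(probe_pop3(*open_pop3(host)))
```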

The following http://www.ietf.org/rfc.html[RFCs] provide the background knowledge required for each system daemon.

.List of popular RFCs
[grid="all"]
`-------------------------------------------------------------------------------------------`---------------------------------------------
RFC                                                                                         description
------------------------------------------------------------------------------------------------------------------------------------------
http://tools.ietf.org/html/rfc1939[rfc1939] and http://tools.ietf.org/html/rfc2449[rfc2449] http://en.wikipedia.org/wiki/Post_Office_Protocol[POP3] service
http://tools.ietf.org/html/rfc3501[rfc3501]                                                 http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol[IMAP4] service
http://tools.ietf.org/html/rfc2821[rfc2821] (http://tools.ietf.org/html/rfc821[rfc821])     http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol[SMTP] service
http://tools.ietf.org/html/rfc2822[rfc2822] (http://tools.ietf.org/html/rfc822[rfc822])     Mail file format
http://tools.ietf.org/html/rfc2045[rfc2045]                                                 http://en.wikipedia.org/wiki/MIME[Multipurpose Internet Mail Extensions (MIME)]
http://tools.ietf.org/html/rfc819[rfc819]                                                   http://en.wikipedia.org/wiki/Domain_Name_System[DNS] service
http://tools.ietf.org/html/rfc2616[rfc2616]                                                 http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol[HTTP] service
http://tools.ietf.org/html/rfc2396[rfc2396]                                                 http://en.wikipedia.org/wiki/Uniform_Resource_Identifier[URI] definition
------------------------------------------------------------------------------------------------------------------------------------------

The port usage is described in "`/etc/services`".


