Secure Batch Email with UUCP and SSH
Pages: 1, 2
Client UUCP Configuration
To set up the UUCP client, you need to create several files in /etc/uucp. Start by creating a file called /etc/uucp/sys, containing:
###### this is the 'sys' file for Taylor UUCP ###### system server alias server-ssh call-login * call-password * time any address server.domain.tld port ssh protocol t remote-send /var/spool/uucppublic remote-receive /var/spool/uucppublic
Next, create a file called /etc/uucp/port, containing:
###### this is the 'port' file for Taylor UUCP ###### port ssh type pipe command /usr/bin/ssh -x -o batchmode=yes server.domain.tld
Create a file called /etc/uucp/call, containing:
###### this is the 'call' file for Taylor UUCP ###### server login password
Finally, set the permissions on these files appropriately. SSH is very paranoid about file permissions. The commands are:
% cd /var/spool/ && chmod go-w uucp % cd /etc/uucp && chown root:uucp * && chmod 550 *
Client SSH Configuration
Now it's time to configure SSH on the client to use UUCP. Run
uucp as root to change the
uucp user's home directory
Next, generate SSH keys for the client:
% su -m uucp $ export HOME=/var/spool/uucp $ cd /var/spool/uucp $ ssh-keygen -t dsa
The final command will prompt you for a password. Don't type one. Just
press the return key. Though this seems like a big security hole, it's not as
bad as it looks; the
uucp user does not have a password in
/etc/passwd, so anyone who can run programs as that user must
already have an account on the client with fairly good permissions.
This step generates an SSH v2 DSA key set; the id_dsa.pub public key file will come in handy later.
Congratulations! You have finished the client side of the configuration.
The server needs Postfix, UUCP, and SSH configured and running correctly.
I take for granted that because this is the main mail server, you already know how to configure Postfix in order for it to be able to send and receive emails from and to the Internet.
Postfix must know to transport all email originating from the client through the UUCP transport, with no exceptions. To do this, create a file called /usr/local/etc/postfix/transport, containing:
####### this is POSTFIX 'transport' file #########
Postfix also needs to accept relaying to your domains, as well. Create a file called /usr/local/etc/postfix/relay_domains, containing:
####### this is POSTFIX 'relay_domains file ######### hosted-domain.tld OK hosted-domain.tld OK
Then tell Postfix about the changes:
% postmap transport relay_domains && postfix reload
The same Postfix rebuilding file above can be just as useful here.
Server UUCP Configuration
In /etc/passwd, use
vipw uucp as root to change
Next, create a file called /etc/uucp/sys, containing:
###### this is the UUCP 'sys' file for Taylor UUCP ####### # client system client time any port tcp protocol t remote-send /var/spool/uucppublic remote-receive /var/spool/uucppublic # other clients use the same lines
Out of paranoia, I recommend to tell UUCP that the directory for
Create a file called /etc/uucp/passwd, containing:
###### this is the UUCP 'passwd' file for Taylor UUCP #######
That's all of the server-side UUCP configuration.
Server SSH Configuration
The final server step is its SSH configuration. Switch to the UUCP user by
su -m uucp, then create the authorized_keys
$ touch /var/spool/uucp/.ssh/authorized_keys
Copy the content of the client's id_dsa.pub file (located in /var/spool/uucp/.ssh/) into /var/spool/uucp/.ssh/authorized_keys on the server. To assuage SSH's paranoid permissions check, perform the following command:
chmod go-rwx && chown uucp:uucp
Edit the authorized_keys file with the editor of your choice and insert this before its content:
The file should now read something like:
command="/usr/libexec/uucp/uucico -l" ssh-dss AAAAB3NzaC1kc3MAAACBA...
Be aware that the DSA key should all fit on one long line; there must be no carriage return.
Once you have done the above, do
cd /var/spool/ && chmod go-w
uucp. This should make SSH less paranoid about these file
Congratulations. You have finished the server configuration.
Final Tweaks and Testing
The end is in sight. Now register the DSA key from with the client's SSH /var/spool/uucp/.ssh/known_hosts file. You only need to do this once.
Switch to the UUCP user (
su -m uucp), then connect to the
ssh -v email@example.com. Answer "yes" when SSH
asks you if you want to add the DSA public key of the server to your list of
known and trusted hosts.
At this point, all incoming mail destined for hosted-domain.tld will end up
spooled and stored in the
/var/spool/uucp/client directory of the
server. UUCP will gladly send it to the client whenever it calls in through
the SSH tunnel.
If this does not work for you, then you forgot something along the way. Check again your Postfix configuration and UUCP configuration on either or both the client and the server.
You can now test your setup from the client.
Dial-up your Internet provider using PPP if you need to. Skip this step if you have a permanent link to the Internet.
su -m uucp followed by
-sserver. To see mail flowing in, type
uulog -f -sserver.
If you need to watch what happens to the email after Postfix receives it, check
the Postfix log file with
tail -f /var/lo/maillog.
Now fire up your email client (Mozilla mail, Thunderbird,
emacs, etc.) and send some mail. You should now also see it being
spooled in the UUCP queue (
uustat -sserver) and waiting to be sent
out to the server next time you launch
Note that you can use
uustat -k <jobid> on the client
or the server to kill any job(s) seen by using
<system>. You'll see something like:
server.NI8whUuAALf1 server uucp 10-06 10:35 Executing rmail \ firstname.lastname@example.org (sending 1452 bytes)
uustat -k system.NI8whUuAALf1 to remove this job from the
UUCP queue before it is sent out.
I encourage anyone who wants to have a deeper understanding of all of the
possibilities of UUCP to read the info file
info UUCP or the PDF
file for Taylor UUCP, which is an invaluable source of information.
Now the final touch: if you want to launch this automatically and you have a
permanent Internet connection, add a
cron job to /var/cron/tabs/uucp.
As root, do
crontab -u uucp -e and insert the content below,
modifying the parameters as you wish. This example polls the UUCP server every
# This is Taylor UUCP crontab file PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin:/usr/libexec/uucp 0-55/5 * * * * /usr/libexec/uucp/uucico -f -sserver
I hope you enjoyed this little tutorial and that you can put UUCP to work for your own usage. I would like to find out how many people in the world are using UUCP, so please send me email if you are, so that I can compile a list of countries and a number of users.
(I based this article on Fabien Penso's "UUCP+SSH: La Maniére Idéale de Récuperer vos Mails!")
Christophe Prévotaux is the founder of Origami Systems Sarl, a French telco/ISP and custom solutions provider.
Return to the BSD DevCenter.