ONLamp.com

Secure Batch Email with UUCP and SSH

Client UUCP Configuration

To set up the UUCP client, you need to create several files in /etc/uucp. Start by creating a file called /etc/uucp/sys, containing:

###### this is the 'sys' file for Taylor UUCP ######
system server
alias server-ssh
call-login *
call-password *
time any
address server.domain.tld
port ssh
protocol t
remote-send /var/spool/uucppublic
remote-receive /var/spool/uucppublic

Next, create a file called /etc/uucp/port, containing:

###### this is the 'port' file for Taylor UUCP ######
port ssh
type pipe
command /usr/bin/ssh -x -o batchmode=yes server.domain.tld

Create a file called /etc/uucp/call, containing:

###### this is the 'call' file for Taylor UUCP ######
server login password

Finally, set the permissions on these files appropriately. SSH is very paranoid about file permissions. The commands are:

% cd /var/spool/ && chmod go-w uucp
% cd /etc/uucp && chown root:uucp * && chmod 550 *

Client SSH Configuration

Now it's time to configure SSH on the client to use UUCP. Run vipw uucp as root to change the uucp user's home directory from

uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico

to

uucp:*:66:66:UUCP pseudo-user:/var/spool/uucp:/usr/libexec/uucp/uucico

Next, generate SSH keys for the client:

% su -m uucp
$ export HOME=/var/spool/uucp
$ cd /var/spool/uucp
$ ssh-keygen -t dsa

The final command will prompt you for a passphrase. Don't type one; just press the Return key. Though this seems like a big security hole, it's not as bad as it looks; the uucp user does not have a password in /etc/passwd, so anyone who can run programs as that user must already have an account on the client with fairly good permissions.

This step generates an SSH v2 DSA key set; the id_dsa.pub public key file will come in handy later.

Congratulations! You have finished the client side of the configuration.

Server Setup

The server needs Postfix, UUCP, and SSH configured and running correctly.

Postfix Configuration

I take for granted that because this is the main mail server, you already know how to configure Postfix in order for it to be able to send and receive emails from and to the Internet.

Postfix must know to transport all email originating from the client through the UUCP transport, with no exceptions. To do this, create a file called /usr/local/etc/postfix/transport, containing:

####### this is POSTFIX 'transport' file #########
hosted-domain.tld uucp:client

Postfix also needs to accept relaying to your domains. Create a file called /usr/local/etc/postfix/relay_domains, containing:

####### this is POSTFIX 'relay_domains' file #########
hosted-domain.tld OK
hosted-domain.tld OK

Then tell Postfix about the changes:

% postmap transport relay_domains && postfix reload

The same Postfix rebuilding file above can be just as useful here.

Server UUCP Configuration

In /etc/passwd, use vipw uucp as root to change

uucp:*:66:66:UUCP pseudo-user:/var/spool/uucp:/usr/libexec/uucp/uucico

to

uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucp:/bin/sh

Next, create a file called /etc/uucp/sys, containing:

###### this is the UUCP 'sys' file for Taylor UUCP #######
# client
system client
time any
port tcp
protocol t
remote-send /var/spool/uucppublic
remote-receive /var/spool/uucppublic
# other clients use the same lines

Out of paranoia, I recommend telling UUCP that the directory for remote-send and remote-receive is /var/spool/uucppublic.

Create a file called /etc/uucp/passwd, containing:

###### this is the UUCP 'passwd' file for Taylor UUCP #######
yourlogin yourpassword

That's all of the server-side UUCP configuration.

Server SSH Configuration

The final server step is its SSH configuration. Switch to the UUCP user by doing su -m uucp, then create the authorized_keys file:

$ touch /var/spool/uucp/.ssh/authorized_keys

Copy the content of the client's id_dsa.pub file (located in /var/spool/uucp/.ssh/) into /var/spool/uucp/.ssh/authorized_keys on the server. To assuage SSH's paranoid permissions check, perform the following command:

$ chmod go-rwx /var/spool/uucp/.ssh/authorized_keys && chown uucp:uucp /var/spool/uucp/.ssh/authorized_keys

Edit the authorized_keys file with the editor of your choice and insert this before its content:

command="/usr/libexec/uucp/uucico -l"

The file should now read something like:

command="/usr/libexec/uucp/uucico -l" ssh-dss AAAAB3NzaC1kc3MAAACBA...

Be aware that the DSA key should all fit on one long line; there must be no carriage return.

Once you have done the above, do cd /var/spool/ && chmod go-w uucp. This should make SSH less paranoid about these file permissions.
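
The steps above can be checked mechanically. The script below is an added example, not part of the original article: it verifies that authorized_keys is not writable by group or others, that no key has been split across lines, and that every key begins with the forced uucico command, which is the only restriction on a key generated without a passphrase. The function name audit_authorized_keys, the temporary directory and the sample keys are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the article. FORCED is the prefix the article
# installs; the sample keys further down are constructed.
FORCED='command="/usr/libexec/uucp/uucico -l"'

# Prints one finding per problem; returns non-zero if there were any.
audit_authorized_keys() {
    file=$1
    findings=0
    [ -r "$file" ] || { echo "$file: not readable"; return 2; }
    # sshd's StrictModes check rejects key files writable by group or others.
    case $(ls -ld "$file" | cut -c1-10) in
        ?????w*|????????w*)
            echo "$file: writable by group or others"
            findings=$((findings + 1)) ;;
    esac
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;                  # blank line or comment
        esac
        case $line in
            *ssh-dss\ *|*ssh-rsa\ *|*ssh-ed25519\ *|*ecdsa-sha2-*) ;;
            *)  # no key type here: a key blob wrapped onto its own line
                echo "line $n: no key type (key split across lines?)"
                findings=$((findings + 1))
                continue ;;
        esac
        case $line in
            "$FORCED "*|"$FORCED",*) ;;           # restricted to uucico -l
            *)  echo "line $n: key is not restricted to uucico -l"
                findings=$((findings + 1)) ;;
        esac
    done < "$file"
    [ "$findings" -eq 0 ]
}

# Constructed sample: a correct entry, an unrestricted key, a wrapped key.
demo_dir=$(mktemp -d)
cat > "$demo_dir/authorized_keys" <<'EOF'
command="/usr/libexec/uucp/uucico -l" ssh-dss AAAAB3NzaC1kc3MAAACBAconstructed uucp@client
ssh-dss AAAAB3NzaC1kc3MAAACBAconstructed uucp@other
command="/usr/libexec/uucp/uucico -l" ssh-dss AAAAB3NzaC1kc3MAAACBA
constructedREMAINDERofKEY uucp@third
EOF
chmod 600 "$demo_dir/authorized_keys"
audit_authorized_keys "$demo_dir/authorized_keys" || echo "fix the entries above"
rm -rf "$demo_dir"
```

On the server, run it as audit_authorized_keys /var/spool/uucp/.ssh/authorized_keys; it prints nothing and returns 0 when every entry is restricted.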

Congratulations. You have finished the server configuration.

Final Tweaks and Testing

The end is in sight. Now register the server's DSA host key in the client's SSH known-hosts file, /var/spool/uucp/.ssh/known_hosts. You only need to do this once.

Switch to the UUCP user (su -m uucp), then connect to the server with ssh -v uucp@server.domain.tld. Answer "yes" when SSH asks you if you want to add the DSA public key of the server to your list of known and trusted hosts.

At this point, all incoming mail destined for hosted-domain.tld will end up spooled and stored in the /var/spool/uucp/client directory of the server. UUCP will gladly send it to the client whenever it calls in through the SSH tunnel.

If this does not work for you, then you forgot something along the way. Check your Postfix and UUCP configuration again on the client, the server, or both.

Going Live

You can now test your setup from the client.

Dial up your Internet provider using PPP if you need to. Skip this step if you have a permanent link to the Internet.

Do su -m uucp followed by /usr/libexec/uucp/uucico -f -sserver. To see mail flowing in, type uulog -f -sserver. If you need to watch what happens to the email after Postfix receives it, check the Postfix log file with tail -f /var/log/maillog.

Now fire up your email client (Mozilla mail, Thunderbird, sylpheed, nmh, emacs, etc.) and send some mail. You should now also see it being spooled in the UUCP queue (uustat -sserver) and waiting to be sent out to the server next time you launch uucico.

Note that you can use uustat -k <jobid> on the client or the server to kill any job(s) listed by uustat -s <system>. You'll see something like:

server.NI8whUuAALf1 server uucp 10-06 10:35 Executing rmail \
	user@domain.tld (sending 1452 bytes)

Type uustat -k server.NI8whUuAALf1 to remove this job from the UUCP queue before it is sent out.

I encourage anyone who wants to have a deeper understanding of all of the possibilities of UUCP to read the info file info UUCP or the PDF file for Taylor UUCP, which is an invaluable source of information.

Now the final touch: if you want to launch this automatically and you have a permanent Internet connection, add a cron job to /var/cron/tabs/uucp. As root, do crontab -u uucp -e and insert the content below, modifying the parameters as you wish. This example polls the UUCP server every five minutes:

# This is Taylor UUCP crontab file
PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin:/usr/libexec/uucp 
0-55/5 *       *       *       *       /usr/libexec/uucp/uucico -f -sserver

Final Words

I hope you enjoyed this little tutorial and that you can put UUCP to work for your own usage. I would like to find out how many people in the world are using UUCP, so please send me email if you are, so that I can compile a list of countries and a number of users.

(I based this article on Fabien Penso's "UUCP+SSH: La Maniére Idéale de Récuperer vos Mails!")

Christophe Prévotaux is the founder of Origami Systems Sarl, a French telco/ISP and custom solutions provider.

