########################################################################
#
# Presentation about the new ppsw
# Wednesday 2004-05-19
#
# $Cambridge: hermes/doc/talks/2004-05-techlinks/talk.mgp,v 1.1 2004/05/19 14:02:47 fanf2 Exp $
#
########################################################################
#
%deffont "standard" tfont "standard.ttf", size 5
%deffont "thick" tfont "thick.ttf"
%deffont "typewriter" tfont "typewriter.ttf"
#
%default 1 area 90 90, leftfill, size 2, fore "black", back "white", font "thick"
%default 2 size 7, vgap 10, prefix " "
%default 3 size 2, bar "gray70", vgap 10
%default 4 fore "black", vgap 30, prefix " ", font "standard", size 5
#
%tab 1 prefix " ", icon box "gray30" 50
#
########################################################################
%page
%nodefault, center, fore "black", back "white", font "thick", size 8
The new ppsw
%size 6
TechLinks 2004-05-19
%font "standard", size 5
Tony Finch
Mail Support
University of Cambridge Computing Service
#
# General plan of talk:
# Progress on New Hermes
# New smtp.hermes features and configuration advice
# departmental email server configuration stability
# technical details of the new ppsw
#
########################################################################
%page
Progress on Hermes
%center
%newimage -zoom 90 "progress.jpg"
#
# This is the Russian Progress unmanned resupply vehicle.
#
########################################################################
%page
New Hermes architecture
%center
%newimage -xscrzoom 90 "hermes-new-old.eps"
#
# shaded boxes are still running on the old system
#
# webmail less so
# -- it has been upgraded a little during construction of the new system
#
########################################################################
%page
Migration status
32800 users on new Cyrus message store
17 users on old UW-IMAP message store
5.6 TB total storage
1.3 TB used (23%)
11 GB left on NetApps
New Hermes telnet/ssh service in construction
2 x 3GHz CPU, 3 GB RAM, 350 GB disk
Replacement admin server under construction
Exim open development server to be set up
#
# new login service rather overpowered for its purpose
# will probably also run webmail
#
########################################################################
%page
New Hermes architecture
%center
%newimage -xscrzoom 90 "hermes-new-ppsw.eps"
#
# Rest of this talk is about ppsw.
#
########################################################################
%page
Rollout problems
%center
%newimage -zoom 100 "dunce.png"
#
# TLS client certificate verification breaks some clients
# Kernel limits in Linux 2.4 cause problems
# with 1700 concurrent processes and fast-forking POP
#
########################################################################
%page
New features
%center
%newimage -zoom 100 "businessman.jpg"
#
# New features for users
# Especially helpful for people who roam or work from home.
#
########################################################################
%page
Remote message submission
Server: smtp.hermes.cam.ac.uk
Port: 587 (message submission)
Options: STARTTLS + SMTP AUTH
less-good alternatives:
Port 465 (smtps)
for clients that can't do STARTTLS
however TLS-on-connect is deprecated
Port 25 (smtp)
may be blocked by ISPs
might cause email to disappear
#
# SSL on port 465 is an old feature but it was limited to the CUDN
# because we couldn't restrict relaying properly
# and it didn't support SMTP AUTH
#
########################################################################
%page
Remote message retrieval
Server: imap.hermes.cam.ac.uk
Port: 143 (STARTTLS) 993 (TLS-on-connect)
Server: pop.hermes.cam.ac.uk
Port: 110 (STARTTLS) 995 (TLS-on-connect)
#
# just a reminder, not new
#
########################################################################
%page
Configuration stability
%center
%newimage -yscrzoom 80 "balanced.jpg"
#
# New features for technical staff
#
########################################################################
%page
Configuration stability
Fixed address range
131.111.8.128 ... 131.111.8.159
Email will only come from these addresses
For those who like strict access controls
Virtual IP address
131.111.8.129
For those whose software can't do DNS correctly
#
# We will be able to install and remove machines without liaising with
# other departments or colleges, which can delay things by weeks and
# cause email to bounce.
#
########################################################################
%page
New features
%center
%newimage -zoom 100 "happy-baby.jpg"
########################################################################
%page
Technical details
%center
%newimage -zoom 80 "hawking.jpg"
#
########################################################################
%page
Technical details
%size 6
Naming and addressing scheme
already mentioned on ucam-itsupport@lists
http://www.cus.cam.ac.uk/
~fanf2/hermes/doc/misc/ppsw.txt
The service has a different personality
depending on how you address it
#
# If you call it names it'll be nasty.
#
########################################################################
%page
Name-calling
%center
%newimage "ppsw-m-invalid-helo.png"
########################################################################
%page
Multiple personalities
%center
%newimage -zoom 50 "janus.png"
#
# You might remember the old IP-X.25 gateway called Janus.
#
# This picture is Janus Bifrons, with two faces looking in opposite directions.
# In some places he was Janus Quadrifrons (the four-faced).
# ppsw is sort-of Trifrons.
#
########################################################################
%page
Trifrons - three faces
mx.cam.ac.uk
incoming email from the Internet
strict checking
ppsw.cam.ac.uk
email smarthost for servers on the CUDN
smtp.hermes.cam.ac.uk
message submission server for users
supports roaming
#
# I'll show you some demos
# all talking to the same machine
# from different places
#
########################################################################
%page
mx.cam.ac.uk - check sending server
%center
%newimage "ppsw-m-invalid-helo.png"
#
# note the machine stating its role in the banner
#
# strict checking of HELO names can't be done for MUAs
# but is appropriate for the Internet
#
# we do the rejection relatively late in the protocol
# so that we can find out about failed attempts later on
# if we get asked about problems sending email
#
########################################################################
%page
mx.cam.ac.uk - recipient checking
%center
%newimage "ppsw-m-invalid-rcpt.png"
#
# Important for reducing collateral spam
#
# may reduce amount of email that disappears without trace
#
########################################################################
%page
ppsw.cam.ac.uk - recipient checking
%center
%newimage "ppsw-invalid-rcpt.png"
#
# ppsw and smtp.hermes have more relaxed recipient checking
# bounce instead of reject
#
# bounces have better semantics if only some of the recipients fail
# and you are operating as a submission server
#
########################################################################
%page
ppsw - local sender checking
%center
%newimage "ppsw-invalid-cam.png"
#
# we are strict about valid senders
#
# this has been the case for a while
#
########################################################################
%page
ppsw - remote sender checking
%center
%newimage "ppsw-invalid-chiark.png"
#
# we now check remote addresses too
#
########################################################################
%page
ppsw.cam.ac.uk - incorrect roaming
%center
%newimage "ppsw-unauth.png"
########################################################################
%page
smtp.hermes - correct roaming
%center
%newimage "ppsw-h-tls-1.png"
#
# note STARTTLS advertisement
#
# however I can't use telnet to demo this
#
########################################################################
%page
smtp.hermes - demo problem!
%center
%newimage "ppsw-h-tls-2.png"
########################################################################
%page
smtp.hermes - correct roaming
%center
%newimage "ppsw-h-tls-chiark.png"
#
# this is a demo of port 465
# only available on smtp.hermes (it's the only one that does TLS)
#
# using smtp.hermes as an authenticated relay from an external site
#
########################################################################
%page
Enough!
%center
%newimage -zoom 100 "yawn.jpg"
#
# questions?
#
########################################################################
%page
Future work
%center
%newimage -zoom 150 "enterprise.jpg"
#
# SpamAssassin 3.0 when it is released
# SMTP-time rejection of messages
# New lists system
#
########################################################################
%page
That's all, folks
%center
%newimage -zoom 100 "Postman-Pat.jpg"
http://www.cus.cam.ac.uk/~fanf2/
mail-support@ucs.cam.ac.uk
#
########################################################################