Running a Confidant Mail server is easier than running an SMTP server. You will need:
- A machine running Windows, Linux, or other Unix variant
- Python, wxPython, GnuPG, twisted framework, openssl
- A public IP address with a TCP port and a UDP port available. You can use port forwarding from a firewall. The machine does not have to have a public address of its own.
- Either a fixed IP address or a dynamic DNS service
- Enough free storage for your users' mail
- Familiarity with command-line operation, networking, and text file editing
Confidant Mail supports two-way replication. If you want to run a business network or a commercial service provider, you should have two machines which do not share any common power or network infrastructure. One can be an internal server and the other a virtual machine from a cloud-hosting provider.
Even if you only intend to set up a single server now, you should configure two DNS A records pointing to the same IP address. If you later want to convert to a replicated configuration, you can do so just by changing one of the A records, without any client-side changes. If you only configure a single A record, you will have to reconfigure all of your clients when you want to set up replication.
- Install prerequisites.
- Install NTP (Network Time Protocol) to avoid clock skew between servers.
- If you are using Linux, install the telnet client. If you are using Windows, install PuTTY, available at [ http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html ]. This allows you to connect interactively to your TCP port.
- Create a home directory and a user for your server. The software should not run as root/administrator. In this example the server is installed under /home/confmail/server.
$ mkdir /home/confmail/server
- Install the python code:
$ cd /home/confmail
$ unzip Confidant Mail-x.x.zip
$ cd server
- Create your SSL private key and self-signed certificate. You can use a paid-for SSL certificate here if you want to, and someday there may be advantages to doing so, but for now a self-signed certificate works fine. You must also create a set of Diffie-Hellman parameters for ephemeral keying.
$ mkdir ssl
$ cd ssl
$ openssl dhparam -2 -out dhparams.pem 2048
$ openssl genrsa -out server.key 2048
$ openssl req -new -key server.key -out server.csr
Fill out your certificate information, which clients will be able to see.
$ openssl x509 -req -days 9999 -in server.csr -signkey server.key -out server.crt
- Create your server configuration file /home/confmail/server/config.txt using the server configuration guide. Single-server example:
- Create your auth.txt file with administrator and replication accounts. The password is at least eight characters, letters and numbers only. With the exception of these special accounts, the auth strings are hex values. The replication line is not required on a single server. Example:
- Your server home directory should now have:
ssl/server.csr (not required)
- Open another window or a "screen" session, and run your server.
$ cd /home/confmail
$ python server.py -homedir /home/confmail/server
On Unix it is possible to run as a daemon; see the server configuration guide.
- Server administration is done via the server's port. Connect to your server. On Unix, do:
$ telnet localhost 8081
> putty -raw -P 8081 localhost
You should get the server greeting:
CONFIDANT MAIL SERVER PROTOCOL 1 READY
- Create a user. On a replicated configuration, user creation is automatically sent to the peer. Type:
LOGIN administrator myadminpass
(server responds) DONE
(server responds with a 40-character hex string and then EndBlock)
Save the hex string and then type:
- The hex string is a user authentication string (password) which can be pasted into the Auth Key field of a client. You can create multiple users at once by changing the 1 to a larger number.
- You can delete a user account by entering:
- Map the TCP and UDP ports (sport and eport) through your firewall to the internal address of the server. Test the TCP port from outside your network.
- Assign DNS A records to your server(s).
- Run the client and create a new key. Paste the authkey you previously generated into the Auth Key field of the Network tab in the Configuration dialog. Enter your server information and click [Save and Open].
- Send yourself a message and verify that you receive it.
- See the storage utility documentation for information on freeing up and measuring server storage.
To add a replication peer to an existing single server:
- Edit the config.txt on the existing server. Add replpeer, repl_authkey, and knode pointing to the new server, which should not be up yet.
- Restart the existing server. Replication records will accumulate in sendqueue until the new server is up.
- Copy the auth.txt, config.txt, and localstore directory from the existing to the new server. This can be done using rsync on Linux, or xcopy on Windows.
- Edit config.txt on the new server to change the replpeer and knode lines to point to the old server.
- Change one of the DNS A records to point to the new server.
- Start the server.py or confserv.exe process on the new server.
- After DNS has propagated and you can see the new A record, send some messages and make sure they get replicated. Check sendqueue on the sending side. It should empty out as the messages are replicated.
- If you have problems, the -logtraffic and -debug command line options can be used to troubleshoot.