Getting a Home Mail Server to Work with Verizon

It was only a matter of time and I finally decided to take the plunge. I didn’t get a smartphone for the today, but I did get a phone that allows me to check email. As phones go, well, it’s pretty basic as it’s just an LG Octane. To be honest, I can barely type on the damn thing because the keyboard keys are so small and my fingers aren’t. But the next step up is a smartphone and Verizon requires one of their expensive data plans with those.

Enough of that. The point of this post is that I had to modify my home mail server in order to get the crappy limited little email client that Verizon offers to retrieve and send mail with it. Following are the mods I made.

First, my home server has a dovecot server configured for IMAP and exim4 configured as my sendmail program via a Debian setup. Also, my home server is protected by a Netgear firewall/router.

The easiest thing to configure is dovecot, which as long as it’s configured for IMAP, should pretty much be good to go. The default configuration listens on port 993 for SSL connections, which is important for security reasons. There are plenty of other guides out there for getting dovecot working.

Exim, it turns out, is a little more difficult to configure. There are two things it must be set up to handle: SMTP over SSL (ssmtp) on port 465 and relaying from the Verizon servers.

Setting up ssmtp is not difficult, but it’s also non-trivial. First, a signed certificate is required. A while back, I set up my own certificate authority for just such a situation. I followed these instructions to set up the CA (that was a while ago) and I followed the portion about requests and signing tonight to set up my new certificates for exim and SMTP over SSL. Alternatively, exim has files to generate the certificate and key file.

The two files should be named exim.crt and exim.key and placed in the /etc/exim4/ directory. Change the permissions as follows:

$ chown root:Debian-exim exim.crt exim.key
$ chmod 640 exim.crt exim.key

That will lock them down so only exim and root can access the files.

Next, I added the following settings to my exim4.conf.template file (I put them near the beginning of the file):

tls_on_connect_ports = 465
MAIN_TLS_ENABLE = true

Save that and exit. The first line will make exim listen on port 465 for SSL connections. The second line enables other configuration settings needed by exim to make SSL work. The nice thing here is, if exim was configured to listen on the local network on port 25, operation there will be unaffected. So there’s no need to go running around reconfiguring other clients.

Next up, the update-exim4.conf.conf file must be modified. The Verizon client requires a working SMTP server. In order for the server to be considered “working” it has to act as a relay for the email host Verizon uses. The only way I could figure out the host name was to attempt to set up the account and then check the exim logs to see what host tried to connect. In my case, the hostname was sjc002-egress-a.seven.com. This hostname (it may end up being different on other setups) must be added as a relay net. Open up the update-exim4.conf.conf and add it as a semicolon-separated entry (if there are other entries) to the dc_relay_nets parameter. Every host listed in dc_relay_nets may relay mail through the server without authenticating, so keep the list as short as possible.

To finish the exim modifications, modify the SMTPLISTENEROPTIONS entry in /etc/default/exim4 as follows:

SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'

Finally, enter the following commands as root:

$ update-exim4.conf
$ /etc/init.d/exim4 restart

Actually, only use those commands if you’ve got a Debian setup. Basically, the first command regenerates the live configuration file located in /var/lib/exim4/config.autogenerated. The second one restarts the exim daemons. Perform whatever the equivalent is for your system accordingly.
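
The checks below are an added example, not part of the original post: a read-only shell audit of the files edited in the steps above. It assumes GNU stat and the Debian default locations /etc/exim4/exim4.conf.template and /etc/exim4/update-exim4.conf.conf, which the post does not spell out; the function names are made up for this example.

```shell
# Added example: read-only checks for the files this post edits (GNU stat assumed).

# Succeeds if FILE exists and grants no access to "other" (mode 640, 600, ...).
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in *0) return 0 ;; *) return 1 ;; esac
}

# Prints each dc_relay_nets entry from update-exim4.conf.conf, one per line.
relay_nets() {
    sed -n "s/^dc_relay_nets=['\"]\{0,1\}\([^'\"]*\)['\"]\{0,1\}[[:space:]]*\$/\1/p" "$1" |
        tr ';' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Succeeds (a finding) if an entry matches every host: that is an open relay.
relay_nets_open() {
    relay_nets "$1" | grep -q -x -e '\*' -e '0\.0\.0\.0/0' -e '::/0'
}

# Prints entries that are host names rather than IP ranges. Exim resolves
# these through DNS, so each one deserves a review.
relay_hostnames() {
    relay_nets "$1" | grep '[A-Za-z]' | grep -v ':'
}

# Succeeds if the template turns on TLS-on-connect for port 465.
tls_465_enabled() {
    grep -Eq '^[[:space:]]*tls_on_connect_ports[[:space:]]*=(.*[^0-9])?465([^0-9]|$)' "$1" &&
        grep -Eq '^[[:space:]]*MAIN_TLS_ENABLE[[:space:]]*=' "$1"
}

# Succeeds if SMTPLISTENEROPTIONS lists port 465 in its -oX port list.
listener_has_465() {
    grep -Eq "^SMTPLISTENEROPTIONS=.*-oX[[:space:]]+([0-9]+:)*465(:|[[:space:]]|'|\"|\$)" "$1"
}

# Runs every check against the Debian paths (assumed defaults, see lead-in).
audit_exim() {
    d=/etc/exim4
    for f in "$d/exim.crt" "$d/exim.key"; do
        key_perms_ok "$f" || echo "WARN: $f missing or accessible to other users"
    done
    tls_465_enabled "$d/exim4.conf.template" || echo "WARN: TLS on port 465 not enabled"
    listener_has_465 /etc/default/exim4 || echo "WARN: exim is not listening on 465"
    relay_nets_open "$d/update-exim4.conf.conf" && echo "WARN: dc_relay_nets allows any host"
    relay_hostnames "$d/update-exim4.conf.conf" | sed 's/^/REVIEW relay host: /'
}

if [ "${1:-}" = "--audit" ]; then audit_exim; fi
```

Saved to a file and run as root with the --audit argument, it prints a WARN line for each failed check and a REVIEW line for every host name allowed to relay.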

Last, set up port forwarding on the router. This consists of telling the router to listen for connections on certain ports and then forward those requests to a specific IP address for processing. This has to be done for port 993 for IMAPS and port 465 for SSMTP. Chances are you’ll be using a web utility on your router. If you’re more security conscious, I suppose you could configure special ports on the router side that forward to the appropriate ports on the LAN side to make it less obvious to interlopers what’s going on.

Once all that’s done, the server should be good to go. Once I had everything set up properly, my phone was able to “activate” my account without any special settings on the phone.
