Installation Details


Hypermail provides a web interface to OpenVMS mail index files and list archives by reading the index directly and generating HTML on the fly. It interacts as a DECnet task with the OSU DECthreads web server and is accessed and controlled via URLs.

Installation:

Place this program and its include file in your webserver account's SCRIPT_CODE directory (e.g. [http_server.script_code]) and compile it.

Example:

$ FORTRAN/EXTEND_SOURCE HYPERMAIL
$ LINK HYPERMAIL !/NOTRACEBACK

If no errors are encountered, place the executable in the webserver account's script BIN directory (e.g. [http_server.bin]). You're done.

The /NOTRACEBACK qualifier (commented out with "!" in the example above) is necessary if you wish to install Hypermail with SYSNAM privilege.

Customizing the Hypermail Banner

By default, Hypermail presents a standard banner on every page composed of two HTML headers, H1 and H2. Either or both of these default headers can be changed by defining the process logical names HYPERMAIL$H1 and HYPERMAIL$H2. Notice that these logicals, if defined, are sent unescaped to the browser. This allows any valid markup to be injected into the header, including inlined graphics.

Example:

$ define hypermail$h1 "JB's Moldering Email Archive"
$ define hypermail$h2 "<img src=""/graphics/hellsgate.gif"" alt=""Abandon all hope, ye who enter here!"">"

These logical definitions would cause Hypermail to place a large level 1 header, "JB's Moldering Email Archive", on every page, and beneath it a GIF, in this case "hellsgate.gif". Don't forget to double your double-quotes.

Banner customization is most suitable for the website administrator to present corporate logos and global website introductory remarks or navigation links. In addition, Hypermail presentation can be further customized with headers and footers specific to the archive being served. The latter capability is intended for the archive administrator to introduce his archive, provide mailto links to the list itself, or explain how readers can subscribe or unsubscribe.

Security Note 1

The OpenVMS callable mail interface is insufficiently flexible in the sense that it will not open mail index files without RW privileges. This makes it hard for owners of email archives to allow others (such as the Hypermail webserver) to read their mail.

There are several workarounds:

  1. Give ownership of all mail archives to the webserver account
  2. Patch a local copy of MAILSHR such that it will open files READONLY
  3. Set up ACLs for all mail archives and grant RW access from webserver
  4. Install the Hypermail image with privilege
  5. Give the webserver account elevated privilege
  6. Open up mail archive for RW to group which includes webserver

The author has gone with #2 since it's easy, works well, is trivial to manage, and most importantly does not give write access to important mail archives from a possibly hacked or otherwise compromised Hypermail server script.

Security Note 2

The OpenVMS callable mail interface accesses both SYSUAF.DAT and VMSMAIL_PROFILE.DATA in order to employ the ~username syntax. The user's default directory, and his/her default mail subdirectory, must both be found in order to determine where the default mail index is located. Since full access to VMSMAIL_PROFILE gives others a user's Personal Name and can therefore suggest passwords, Digital regards this as a potential breach of security (despite the fact that this information is typically mailed all over the world!) and disallows most access to VMSMAIL_PROFILE without privilege. SYSNAM is therefore required to use the ~username syntax with Hypermail.

You can give Hypermail SYSNAM privilege either by:

  1. Giving the webserver account SYSNAM privilege, or
  2. Installing Hypermail with SYSNAM privilege, or
  3. Other alternatives. (If you have any, please email jsb@NewTrumpet.org immediately!)

The author has gone with the second option since exploitation of SYSNAM (e.g. resetting the SYSUAF logical) while accessing Hypermail is very nearly an incredible threat.
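
The second option (installing the image with SYSNAM) as a DCL sequence. This is an added example, not part of the original page or the Hypermail distribution; the device name DISK$WWW is a placeholder, and the directories are the example paths used earlier on this page.

```dcl
$! Added example, not from the original page.
$! DISK$WWW is a placeholder device; substitute your own.
$! Running INSTALL requires CMKRNL privilege on the installing account.
$!
$! 1. Build without traceback, which the page states is required for a
$!    privileged install, and put the image in the script BIN directory.
$ SET DEFAULT DISK$WWW:[HTTP_SERVER.SCRIPT_CODE]
$ FORTRAN/EXTEND_SOURCE HYPERMAIL
$ LINK/NOTRACEBACK HYPERMAIL
$ COPY HYPERMAIL.EXE DISK$WWW:[HTTP_SERVER.BIN]
$!
$! 2. Check owner, protection and ACL on the image before installing it.
$!    A privileged image that untrusted accounts can overwrite hands them
$!    its privilege, so only trusted accounts should have write access.
$ DIRECTORY/SECURITY DISK$WWW:[HTTP_SERVER.BIN]HYPERMAIL.EXE
$!
$! 3. Install with SYSNAM and nothing else. The webserver account keeps
$!    its normal privileges; only this image runs with SYSNAM.
$ INSTALL ADD DISK$WWW:[HTTP_SERVER.BIN]HYPERMAIL.EXE /PRIVILEGED=(SYSNAM)
$!
$! 4. Confirm the entry and that SYSNAM is the only privilege listed.
$ INSTALL LIST/FULL DISK$WWW:[HTTP_SERVER.BIN]HYPERMAIL.EXE
$!
$! 5. After any later rebuild, refresh the known-image entry so the
$!    new version is the one that is activated.
$ INSTALL REPLACE DISK$WWW:[HTTP_SERVER.BIN]HYPERMAIL.EXE
```

Known-image entries do not survive a reboot, so the INSTALL ADD line also belongs in the site startup procedure.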



Last updated July 23, 1997,
Jonathan Boswell, jsb@NewTrumpet.org