
ID: 3782025 • Letter: P

Question

Purpose:

The purpose of this assignment is to familiarize the student with the working of an internet email system. A working email system is critical for any Linux/UNIX system. Many times you will need to set up the email coming from a local system to relay to a master email server.

This assignment should teach you how to set up the email to relay properly, with some authentication, to another email server. In this case, you will be using one of your public email addresses and its email server, and you will probably use username/password authentication. You may have to change the port on which "sendmail" is run because some ISPs block this information.

Tasks:
*On the Ubuntu system that you created, you are to configure the server to have the capability to send email to the internet. You may need to relay email through a valid email server using username/password authentication.
*You need to install postfix on the system [apt-get install postfix (hint)]
*You need to install Mail (mailx) on the system
*You also need to set up root's email as follows
**A copy should remain local on the machine
**A copy should be sent to one of your public email addresses
***Don't do that step until you get the public email working

Grading criteria:
*A complete copy of an email sent from the server to one of your public email accounts
**The copy should include all of the email headers
*A copy of all of the mail configuration files that you setup
*A display of the local mailbox for root

Explanation / Answer

A message transfer agent or mail transfer agent (MTA) or mail relay is software that transfers electronic mail messages from one computer to another using a client-server application architecture.

Postfix is a free and open-source mail transfer agent (MTA). Postfix routes and delivers electronic mail.

The elements stated above are the basic elements of a complete web e-mail server. However, we also have to take care of security. The authentication mechanism is a client/server protocol.

In the description given above, you need to install Postfix on your server and create a host for your email domain.

Here, assume you are about to create the host cosmolinux.

Below are the steps:

1. Installation and Configuration of Postfix

We imagine from now on that the name of the server is cosmolinux.no-ip.org and the e-mail address will be something like dan@cosmolinux.no-ip.org. In that case the hostname of our computer should be cosmolinux. Then edit the file /etc/hostname

sudo gedit /etc/hostname

and change the hostname. We have to edit also the file /etc/hosts. Change the file so we have something like this:

127.0.0.1 localhost
127.0.1.1 cosmolinux.no-ip.org cosmolinux

192.168.1.10 cosmolinux.no-ip.org

where 192.168.1.10 should be the internal IP of your server. To make all these changes take full effect, the easiest thing to do is to restart the computer. After restarting, open a terminal and type

sudo hostname --fqdn

and you should get cosmolinux.no-ip.org. Now we are ready to start the real party. Open a terminal and type:

aptitude install postfix postfix-tls libsasl2-2 sasl2-bin libsasl2-modules nmap popa3d

During installation, postfix will ask a few questions that you have to answer:

Simply accept the defaults for any other questions. Let us edit now the configuration file:

sudo gedit /etc/postfix/main.cf

Add the following:

# Add the following lines to enable SASL authentication of our users
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = cosmolinux.no-ip.org
smtpd_sasl_security_options = noanonymous

# Add the following 10 lines ONLY IF YOU NEED GOOGLE'S SMTP RELAY
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Secure channel TLS with exact nexthop name match.
smtp_tls_security_level = secure
smtp_tls_mandatory_protocols = TLSv1
smtp_tls_mandatory_ciphers = high
smtp_tls_secure_cert_match = nexthop
smtp_tls_CAfile = /usr/share/ncat/ca-bundle.crt
relayhost = smtp.mail.com:587

#Add the following Security Restrictions

# HELO restrictions (continuation lines must start with whitespace):
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit

# Sender restrictions:
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    permit

# Recipient restrictions:
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    permit

smtpd_data_restrictions = reject_unauth_pipelining

Please check the location of the file ca-bundle.crt (notice the line starting with smtp_tls_CAfile) on your system with the command: sudo find / -name 'ca-bundle.crt'. Check whether it is the same as the one in the configuration file. If your file is in a different folder you have to change that line.

Add the following two lines:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

The full configuration file follows. Please check everything:

----------------------------------------------

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = cosmolinux.no-ip.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = cosmolinux.no-ip.org, cosmolinux.home, localhost.home, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

# Add this to enable authentication of our users using SASL-TLS
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = cosmolinux.no-ip.org
smtpd_sasl_security_options = noanonymous

# Add this if you need Google's SMTP relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Secure channel TLS with exact nexthop name match.
smtp_tls_security_level = secure
smtp_tls_mandatory_protocols = TLSv1
smtp_tls_mandatory_ciphers = high
smtp_tls_secure_cert_match = nexthop
smtp_tls_CAfile = /usr/share/ncat/ca-bundle.crt
relayhost = smtp.mail.com:587

#Add the following Security Restrictions if you want a secure mail server

# HELO restrictions:
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit

# Sender restrictions:
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    permit

# Recipient restrictions:
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    permit

smtpd_data_restrictions = reject_unauth_pipelining

------------------------------------------------------
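The order of the restriction lists matters: Postfix evaluates smtpd_recipient_restrictions left to right and the first matching rule decides, so reject_unauth_destination must appear before the final bare permit or the server relays mail for anyone. As an added example, not part of the original answer, the following POSIX sh check reads a main.cf (joining indented continuation lines the way Postfix does) and reports whether that guard is in place; the two sample files are constructed.

```shell
# Added example, not part of the original answer: checks that a main.cf's
# smtpd_recipient_restrictions lists reject_unauth_destination before the
# final bare "permit". Needs only POSIX sh and awk, not a Postfix install.

# Print one main.cf parameter with its continuation lines (lines that
# start with whitespace, as Postfix reads them) joined into one line.
main_cf_get() {
    awk -v key="$1" '
        /^[ \t]/ { if (found) val = val " " $0; next }
        found { exit }
        $0 ~ ("^" key "[ \t]*=") {
            found = 1; sub(/^[^=]*=[ \t]*/, ""); val = $0
        }
        END { gsub(/[ \t]+/, " ", val); print val }' "$2"
}

# 0 if reject_unauth_destination precedes the first bare "permit" (or no
# bare permit exists); 1 if unauthenticated clients could relay.
relay_guard_ok() {
    guard=0
    for r in $(main_cf_get smtpd_recipient_restrictions "$1" | tr -d ','); do
        case "$r" in
            reject_unauth_destination) guard=1 ;;
            permit) [ "$guard" -eq 1 ] && return 0; return 1 ;;
        esac
    done
    [ "$guard" -eq 1 ]
}

# Constructed sample files: the list from the answer above, and the same
# list with the relay guard left out.
good_cf=$(mktemp); bad_cf=$(mktemp)
cat > "$good_cf" <<'EOF'
myhostname = cosmolinux.no-ip.org
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    permit
EOF
cat > "$bad_cf" <<'EOF'
smtpd_recipient_restrictions =
    permit_mynetworks, permit_sasl_authenticated,
    permit
EOF

relay_guard_ok "$good_cf" && echo "good: only mynetworks and SASL users may relay"
relay_guard_ok "$bad_cf"  || echo "bad: open relay for unauthenticated clients"
```

On a live server, `postconf smtpd_recipient_restrictions > /tmp/rr.cf` gives the effective value in the same one-line form the function can read.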

We need to create the file /etc/postfix/sender_access, where we whitelist or blacklist senders, with the following content:

-----------------------------------------------------

####################################################
#
# Black/Whitelist for senders matching the 'MAIL FROM' field. Examples:
#

myfriend@example.com OK
junk@spam.com REJECT
marketing@ REJECT
theboss@ OK
deals.marketing.com REJECT
somedomain.com OK

-----------------------------------------------------

When you are finished, then execute:

postmap /etc/postfix/sender_access

You should do that every time you change the list.

Postfix runs chrooted, so it cannot reach saslauthd's default socket. Do the following so the socket lives inside the Postfix chroot:

rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
chgrp sasl /var/spool/postfix/var/run/saslauthd
adduser postfix sasl

By default Postfix will use mbox for the mailbox format. This means that the mail will go to the file /var/mail/username. This file is called INBOX in the IMAP world. We shall take this into account in the configuration of Dovecot.

To use Google's SMTP relay it is also necessary to create a password file so that Postfix can authenticate to the relay's servers. You do this by creating a file named sasl_passwd in /etc/postfix. Replace smtp_user and smtp_passwd with their respective values (the username and password of your mail account) in the following command:

echo "smtp.mail.com smtp_user:smtp_passwd" > /etc/postfix/sasl_passwd

You then run postmap on that file so that Postfix can look it up as a hash table. This command will create a file named sasl_passwd.db in the /etc/postfix/ directory:

postmap hash:/etc/postfix/sasl_passwd
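The bare echo redirect above creates the file under the shell's default umask (usually 022, giving mode 0644), and the .db copy that postmap writes still holds the password in clear text, so both files should be readable by root only. As an added example, not part of the original answer, these POSIX sh functions write sasl_passwd with mode 0600 from the start and verify the result; the directory and credentials in the demo are constructed placeholders, and postmap is only run when it is installed.

```shell
# Added example, not part of the original answer: create the sasl_passwd
# file with owner-only permissions from the start and verify it. Assumes
# POSIX sh with umask, chmod, find, grep and wc; postmap runs only when
# it is installed, and its .db copy gets the same mode.

# $1 = target directory (normally /etc/postfix), $2 = relay host,
# $3 = relay username, $4 = relay password
write_sasl_passwd() {
    f="$1/sasl_passwd"
    # umask 077 makes the file 0600 at creation, so the password is
    # never readable by other local users, even briefly.
    (umask 077 && printf '%s %s:%s\n' "$2" "$3" "$4" > "$f")
    chmod 600 "$f"            # also covers a pre-existing file
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$f" && chmod 600 "$f.db"
    fi
}

# 0 if sasl_passwd exists with mode 0600 and holds exactly one
# "host user:password" entry, 1 otherwise.
sasl_passwd_ok() {
    f="$1/sasl_passwd"
    [ -f "$f" ] || return 1
    [ -n "$(find "$f" -perm 600)" ] || return 1
    [ "$(wc -l < "$f" | tr -d ' ')" -eq 1 ] || return 1
    grep -q '^[^ ]* [^ ]*:.' "$f"
}

# Constructed demo: a temporary directory and placeholder credentials.
demo_dir=$(mktemp -d)
write_sasl_passwd "$demo_dir" smtp.mail.com smtp_user smtp_passwd
sasl_passwd_ok "$demo_dir" && echo "sasl_passwd written with mode 0600"
```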

And that's all for Postfix for now... Oh no! wait, it is a good idea to limit the maximum size that e-mails may have. The default is about 10 MB. If you want to change this and have a maximum size of 30 MB, add the following to the configuration file /etc/postfix/main.cf

message_size_limit = 30000000

Last step for postfix is to create an SSL certificate. To create a certificate to be used by Postfix use:

sudo openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/postfix.pem -keyout /etc/ssl/private/postfix.pem

What you enter in the fields is entirely your choice. The only notable exception is the "Common Name" which has to be exactly the name of your server in the way that users will access it. So if you tell your users to access your mail server at "cosmolinux.no-ip.org" then this has to be entered here. This certificate will be valid for 10 years (10 times 365 days).

You will have to tell Postfix where to find your certificate and private key because by default it will look for a dummy certificate file called "ssl-cert-snakeoil":

sudo postconf -e smtpd_tls_cert_file=/etc/ssl/certs/postfix.pem
sudo postconf -e smtpd_tls_key_file=/etc/ssl/private/postfix.pem

This is for postfix.

2. Installation and Configuration of Dovecot

First we download and install the following:

sudo aptitude install dovecot-imapd dovecot-pop3d dovecot-common

The Dovecot configuration file is located at /etc/dovecot/dovecot.conf. We edit this file:

sudo gedit /etc/dovecot/dovecot.conf

Double-check that the following entries in the file have the proper values.

# specify protocols = imap imaps pop3 pop3s
protocols = pop3 imap

# uncomment this and change to no.
disable_plaintext_auth = no
pop3_uidl_format = %08Xu%08Xv

#In the section Mailbox locations and namespaces use the following
mail_location = mbox:~/mail:INBOX=/var/mail/%u

We need to specify the Dovecot authentication daemon socket. Look for the line that starts with auth default and insert the lines below before it.

auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

Now, rename previous auth default to auth default2.

Last step is to create an SSL certificate for Dovecot. Here comes the command to create a Dovecot certificate:

sudo openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/dovecot.pem -keyout /etc/ssl/private/dovecot.pem

What you enter in the fields is again entirely your choice. And again the "Common Name" has to be exactly the name of your server in the way that users will access it. So if you tell your users to access your mail server at "cosmolinux.no-ip.org" then this has to be entered here. This certificate will also be valid for 10 years (10 times 365 days).

So much for Dovecot.

3. Installation and Configuration of SquirrelMail

Together with SquirrelMail, we need to install apache2 with PHP support (since we will access SquirrelMail through the Apache web server):

sudo aptitude install apache2 libapache2-mod-php5 php5-cli php5-common php5-cgi squirrelmail squirrelmail-decode squirrelmail-compatibility squirrelmail-spam-buttons

The SquirrelMail configuration files are located in the /etc/squirrelmail/ folder. By default all settings are preloaded. Run the SquirrelMail configuration utility:

sudo /usr/sbin/squirrelmail-configure

We have to tell SquirrelMail that we are using Dovecot and the domain name of our mail server. Go to "2. Server Settings" and take care of the following:

Then go to "A. update IMAP Settings" and enter the following:

Go to "B. SMTP settings" and check the following:

Later on you can check other options like plugins. Basic configuration is over.

Now we have to tell the Apache web server about the SquirrelMail configuration. Edit the Apache configuration file /etc/apache2/apache2.conf and insert the following lines at the end of the file

# Squirrel configuration
Include /etc/squirrelmail/apache.conf

Restart everything....

sudo /etc/init.d/apache2 restart
sudo /etc/init.d/saslauthd restart
sudo /etc/init.d/postfix restart
sudo /etc/init.d/dovecot restart

Now you can access your webmail using the following link

http://yourdomain_or_server_ip/squirrelmail

You may log in with your system username and password. If you have problems with your reverse DNS (remember what we said in the introduction) you still need to take one last step.

The installation process for these plugins is very similar and very simple. All plugins should be located at /usr/share/squirrelmail/plugin. There are instructions in every package. Read them to install them properly.

4. Google's SMTP relay

You need to log in to your user account in mail. Then go to Settings --> Accounts. In the section "Add another e-mail address", enter the e-mail address on your server. Then, after it is accepted, make it the default e-mail address. And that's all. Now everything should work and you should be able to both send and receive e-mails.

You may be interested in forwarding all the mail that you get in your mail account, including spam. Among other reasons, it can be a good way to test your setup. To forward spam e-mail, you have to follow a curious procedure. You have to define a filter. In the field "Has the words" you enter is:spam. Then you click on the link below all the fields, "Create filter with this search". You have to activate the option "Never send it to spam" and then "Create filter". And you are done.

5. Maildir

Maildir has some advantages over mbox format. It keeps emails in separate files, allows for multiple applications to read mail, etc.

To use the Maildir format, which creates a separate file for each email, run the following commands:

postconf -e "home_mailbox = Maildir/"
postconf -e "mailbox_command ="

Then edit the configuration file of dovecot

sudo gedit /etc/dovecot/dovecot.conf

and change from

mail_location = mbox:~/mail:INBOX=/var/mail/%u

to

mail_location = maildir:~/Maildir

and restart both Postfix and Dovecot

sudo /etc/init.d/postfix restart
sudo /etc/init.d/dovecot restart

Thank you.
