
Mail Server Training

Today I ran a hands-on training session on configuring an MTA with Postfix and Dovecot for LUV. I gave each student a virtual machine running Debian/Jessie with full Internet access and instructions on how to configure it as a basic mail server. Here is a slightly modified set of instructions that anyone can do on their own system.

Today I learned that documentation that includes passwords on a command-line should have quotes around the password: one student used a semi-colon character in his password, which caused some confusion (it’s the command separator character in BASH). I also discovered that trying to just tell users which virtual server to login to is prone to errors; in future I’ll print out a list of user-names and passwords for virtual servers and tear off one for each student so there’s no possibility of 2 users logging in to the same system.

I gave each student a sub-domain of unixapropos.com (a zone that I use for various random sysadmin type things). I have changed the instructions to use example.com, which is the official address for testing things (or you could use any zone that you use). The test VMs that I set up had a user named “auser”; the documentation assumes this account name. You could change “auser” to something else if you wish.

Below are all the instructions for anyone who wants to try it at home or set up virtual machines and run their own training session.

Table of Contents

Basic MTA Configuration
Basic Pop/IMAP Configuration
POP/IMAP Over SSL
Postfix SSL
SASL
Configuring a MUA

Basic MTA Configuration

Run “apt-get install postfix” to install Postfix, select “Internet Site” for the type of mail configuration and enter the domain name you selected for the mail name. The main Postfix configuration file is /etc/postfix/main.cf. Change the myhostname setting to the fully qualified name of the system, something like mta.example.com.

You can edit /etc/postfix/main.cf with vi (or any other editor) or use the postconf command to change it, eg “postconf -e myhostname=mta.example.com”. Add “home_mailbox=Maildir/” to the Postfix configuration to make it deliver to a Maildir spool in the user’s home directory. Restart Postfix to apply the changes.

Run “apt-get install swaks libnet-ssleay-perl” to install swaks (an SMTP test tool). Test delivery by running the command “swaks -f auser@example.com -t auser@example.com -s localhost”. Note that swaks displays the whole SMTP dialogue so you can see exactly what happens, and if something goes wrong you will see everything about the error. Inspect /var/log/mail.log to see the messages about the delivery. View the message, which is in ~auser/Maildir/new.

When other students get to this stage run the same swaks command but with the -t changed to the address in their domain, check the mail.log to see that the messages were transferred, and view the mail with less to see the Received lines. If you do this on your own specify a recipient address that’s a regular email address of yours (EG a Gmail account).

Basic Pop/IMAP Configuration

Run “apt-get install dovecot-pop3d dovecot-imapd” to install the Dovecot POP and IMAP servers.

Run “netstat -tln” to see the ports that have daemons listening on them, and observe that ports 110 and 143 are in use. Edit /etc/dovecot/conf.d/10-mail.conf and change mail_location to “maildir:~/Maildir”. Then restart Dovecot. Run the command “nc localhost 110” to connect to POP, then run the following commands to get capabilities, login, and retrieve mail:

user auser

pass WHATEVERYOUMADEIT

capa

list

retr 1

quit

Run the command “nc localhost 143” to connect to IMAP, then run the following commands to list capabilities, login, and logout:

a capability

b login auser WHATEVERYOUMADEIT

c logout

For the above commands make note of the capabilities; we will refer to them later. Now you have a basically functional mail server on the Internet!

POP/IMAP Over SSL

To avoid password sniffing we need to use SSL. To do it properly requires obtaining a signed certificate for a DNS name, but we can do the technical work with the “snakeoil” certificate that is generated by Debian. Edit /etc/dovecot/conf.d/10-ssl.conf and change “ssl = no” to “ssl = required”. Then add the following 2 lines:

ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem

ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key

Run “netstat -tln” and note that ports 993 and 995 are not in use. Edit /etc/dovecot/conf.d/10-master.conf and uncomment the following lines:

port = 993

ssl = yes

port = 995

ssl = yes

Restart Dovecot, run “netstat -tln” and note that ports 993 and 995 are now in use. Run “nc localhost 110” and “nc localhost 143” as before, and note that the capabilities have changed to include STLS and STARTTLS respectively. Run “gnutls-cli --tofu 127.0.0.1 -p 993” to connect to the server via IMAPS and “gnutls-cli --tofu 127.0.0.1 -p 995” to connect via POP3S. The --tofu option means “Trust On First Use”: it stores the public key in ~/.gnutls and checks it the next time you connect. This allows you to safely use a “snakeoil” certificate if all apps can securely get a copy of the key.

Postfix SSL

Edit /etc/postfix/main.cf and add the following 4 lines:

smtpd_tls_received_header = yes

smtpd_tls_loglevel = 1

smtp_tls_loglevel = 1

smtp_tls_security_level = may

Then restart Postfix. This makes Postfix log TLS summary messages to syslog and record the TLS details in the Received header. It also permits Postfix to send with TLS. Run “nc localhost 25” to connect to your SMTP port and then enter the following commands:

ehlo test

quit

Note that the response to the EHLO command includes 250-STARTTLS; this is because Postfix was configured with the snakeoil certificate by default. Run “gnutls-cli --tofu 127.0.0.1 -p 25 -s” and enter the following commands:

ehlo test

starttls

^D

After the CTRL-D gnutls-cli will establish an SSL connection. Run “swaks -tls -f auser@example.com -t auser@example.com -s localhost” to send a message with SSL encryption. Note that swaks doesn’t verify the key.

Try using swaks to send messages to other servers with SSL encryption. Gmail is one example of a mail server that supports SSL which can be used: run “swaks -tls -f auser@example.com -t YOURADDRESS@gmail.com” to send TLS (encapsulated SSL) mail to Gmail via swaks. Also run “swaks -tls -f auser@example.com -t YOURADDRESS@gmail.com -s localhost” to send via your new mail server (which should log that it was a TLS connection from swaks and a TLS connection to Gmail).

SASL

SASL is the system of SMTP authentication for mail relaying. It is needed to permit devices without fixed IP addresses to send mail through a server. The easiest way of configuring Postfix SASL is to have Dovecot provide its authentication data to Postfix. Among other things, if you change Dovecot to authenticate in another way you won’t need to make any matching changes to Postfix.

Run “mkdir -p /var/spool/postfix/var/spool” and “ln -s ../.. /var/spool/postfix/var/spool/postfix”; this allows parts of Postfix to work with the same configuration regardless of whether they are running in a chroot. Add the following to /etc/postfix/main.cf and restart Postfix:

smtpd_sasl_auth_enable = yes

smtpd_sasl_type = dovecot

smtpd_sasl_path = /var/spool/postfix/private/auth

broken_sasl_auth_clients = yes

smtpd_sasl_authenticated_header = yes

Edit /etc/dovecot/conf.d/10-master.conf, uncomment the following lines, and then restart Dovecot:

unix_listener /var/spool/postfix/private/auth {

mode = 0666

}

Edit /etc/postfix/master.cf, uncomment the line for the submission service, and restart Postfix. This makes Postfix listen on port 587, which is allowed through most firewalls. From another system (IE not the virtual machine you are working on) run “swaks -tls -f auser@example.com -t YOURADDRESS@gmail.com -s YOURSERVER” and note that the message is rejected with “Relay access denied”. Now run “swaks -tls --auth-user auser --auth-password WHATEVER -f auser@example.com -t YOURREALADDRESS -s YOURSERVER” and observe that the mail is delivered (subject to anti-spam measures at the recipient).

Configuring a MUA

If every part of the previous 3 sections is complete then you should be able to set up your favourite MUA. Use “auser” as the user-name for SMTP and IMAP and mail.example.com for the SMTP/IMAP server, and it should just work! Of course you need to use the same DNS server for your MUA to have this just work. But another possibility for testing is to have the MUA talk to the server by IP address rather than by name.
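The MTA section says to check mail.log and the Received lines, and the Postfix SSL section says the server "should log that it was a TLS connection from swaks and a TLS connection to Gmail". The script below, an added example that is not part of the original post, does those checks over a log file: it lists every TLS handshake Postfix logged at loglevel 1, counts inbound smtpd sessions that never negotiated TLS, and reads the "(using TLSv...)" clause that smtpd_tls_received_header = yes adds to a Received header. The log lines, Received header, host names and the 192.0.2.25 address are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): inspect what Postfix logged about
# TLS once smtpd_tls_loglevel = 1, smtp_tls_loglevel = 1 and
# smtpd_tls_received_header = yes are set. All sample data here is constructed.

# Constructed /var/log/mail.log excerpt: one plaintext inbound session (the first
# swaks test), one TLS inbound session (swaks -tls) and one TLS outbound
# delivery. Host names and 192.0.2.25 are placeholders.
SAMPLE_LOG='Sep 12 10:01:02 mta postfix/smtpd[2001]: connect from localhost[127.0.0.1]
Sep 12 10:01:02 mta postfix/smtpd[2001]: 1A2B3C: client=localhost[127.0.0.1]
Sep 12 10:01:03 mta postfix/smtpd[2001]: disconnect from localhost[127.0.0.1]
Sep 12 10:05:10 mta postfix/smtpd[2002]: connect from localhost[127.0.0.1]
Sep 12 10:05:10 mta postfix/smtpd[2002]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 12 10:05:11 mta postfix/smtpd[2002]: 4D5E6F: client=localhost[127.0.0.1]
Sep 12 10:05:12 mta postfix/smtp[2003]: Untrusted TLS connection established to mx.remote.example[192.0.2.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 12 10:05:13 mta postfix/smtp[2003]: 4D5E6F: to=<someone@remote.example>, relay=mx.remote.example[192.0.2.25]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Sep 12 10:05:13 mta postfix/smtpd[2002]: disconnect from localhost[127.0.0.1]'

# Constructed Received header of the kind Postfix writes when
# smtpd_tls_received_header = yes; the "(using ...)" line only appears for TLS hops.
SAMPLE_RECEIVED='Received: from localhost (localhost [127.0.0.1])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mta.example.com (Postfix) with ESMTPS id 4D5E6F
    for <auser@example.com>; Sat, 12 Sep 2020 10:05:11 +1000 (AEST)'

# Write the constructed sample to a temp file and print its path.
write_sample_log() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "$f"
}

# One line per TLS handshake: direction, trust level, peer, protocol, cipher.
# "Anonymous" = no certificate was checked; "Untrusted" = the peer sent a
# certificate that does not chain to a trusted CA, which is what
# smtp_tls_security_level = may gives you (encryption without verification).
tls_sessions() {
    awk '/TLS connection established/ {
        if (match($0, /(Anonymous|Untrusted|Trusted|Verified) TLS connection established (from|to) /)) {
            split(substr($0, RSTART, RLENGTH), h, " ")
            trust = h[1]
            dir = (h[5] == "from") ? "in" : "out"
            rest = substr($0, RSTART + RLENGTH)     # "peer: TLSv1.2 with cipher X (bits)"
            n = index(rest, ": ")
            peer = substr(rest, 1, n - 1)
            split(substr(rest, n + 2), t, " ")
            printf "%s %s %s %s %s\n", dir, trust, peer, t[1], t[4]
        }
    }' "$1"
}

# Count inbound smtpd sessions that never negotiated TLS. A session is tracked by
# the smtpd process id between its "connect from" and "disconnect from" lines.
plaintext_inbound_sessions() {
    awk '
        match($0, /postfix\/smtpd\[[0-9]+\]/) {
            pid = substr($0, RSTART, RLENGTH)
            if ($0 ~ /: connect from /)                      tls[pid] = 0
            else if ($0 ~ /TLS connection established from/) tls[pid] = 1
            else if ($0 ~ /: disconnect from /)              { if (!tls[pid]) n++; delete tls[pid] }
        }
        END { print n + 0 }
    ' "$1"
}

# Print the TLS protocol recorded in a Received header, or "plaintext" if the
# hop carried no "(using ...)" clause.
received_hop_tls() {
    printf '%s\n' "$1" | awk '
        match($0, /\(using TLSv[0-9.]+ with cipher /) { found = 1; split(substr($0, RSTART + 7), w, " "); print w[1] }
        END { if (!found) print "plaintext" }
    '
}

# Stand-alone run: "sh tls_log_check.sh /var/log/mail.log", or no argument to
# analyse the constructed sample.
LOG=${1:-}
[ -r "$LOG" ] || LOG=$(write_sample_log)
echo "TLS handshakes logged in $LOG:"
tls_sessions "$LOG"
echo "Inbound sessions that stayed plaintext: $(plaintext_inbound_sessions "$LOG")"
echo "Sample Received header hop: $(received_hop_tls "$SAMPLE_RECEIVED")"
[ -n "${1:-}" ] || rm -f "$LOG"
```

On the sample the outbound hop shows as "Untrusted", which is exactly what the post's "smtp_tls_security_level = may" produces: the session is encrypted but the remote certificate is not verified, so the log line tells you about eavesdropping protection only, not about who you talked to.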
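The "POP/IMAP Over SSL", "Postfix SSL" and "SASL" sections each ask for a handful of settings, and a missed one shows up only as a confusing swaks or nc result. The script below, an added example that is not part of the original post, audits "key = value" listings of the kind "postconf -n" and "doveconf -n" print against the settings those three sections require, and separately flags one setting the post does not mention (smtpd_tls_auth_only, a standard Postfix parameter) as a recommendation of mine. The two configuration samples are constructed and deliberately leave one Dovecot setting wrong and one Postfix setting out; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): check Postfix and Dovecot settings
# from the SSL and SASL sections. Feed it "postconf -n" and "doveconf -n" output;
# the samples written by write_sample_configs are constructed.

# Settings the post's "Postfix SSL" and "SASL" sections add to main.cf.
POSTFIX_REQUIRED='smtpd_tls_received_header=yes
smtpd_tls_loglevel=1
smtp_tls_loglevel=1
smtp_tls_security_level=may
smtpd_sasl_auth_enable=yes
smtpd_sasl_type=dovecot
smtpd_sasl_path=/var/spool/postfix/private/auth
broken_sasl_auth_clients=yes
smtpd_sasl_authenticated_header=yes'

# Beyond the post (my recommendation): only offer AUTH after STARTTLS so SASL
# passwords never cross the wire in clear. smtpd_tls_auth_only is a standard
# Postfix parameter, default "no".
POSTFIX_RECOMMENDED='smtpd_tls_auth_only=yes'

# Settings the post's Dovecot sections put in 10-mail.conf and 10-ssl.conf.
DOVECOT_REQUIRED='ssl=required
ssl_cert=</etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key=</etc/ssl/private/ssl-cert-snakeoil.key
mail_location=maildir:~/Maildir'

# Last uncommented value of KEY in FILE ("key = value" lines), empty if absent.
get_setting() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            if (key == k) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v }
        }
        END { print val }' "$1"
}

# Compare FILE against a "key=value" list; one OK/MISSING/WRONG line per key.
audit_file() {
    printf '%s\n' "$2" | while IFS='=' read -r key want; do
        have=$(get_setting "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (want: $want)"
        elif [ "$have" != "$want" ]; then
            echo "WRONG   $key = $have (want: $want)"
        else
            echo "OK      $key = $have"
        fi
    done
}

# Number of keys that are missing or wrong.
audit_problems() {
    audit_file "$1" "$2" | grep -v '^OK' | awk 'END { print NR }'
}

# Constructed samples: main.cf lacks smtpd_sasl_authenticated_header, and the
# merged Dovecot listing still has the default "ssl = no". Prints the directory.
write_sample_configs() {
    d=$(mktemp -d)
    cat > "$d/main.cf" <<'EOF'
# constructed "postconf -n" output after the Postfix SSL and SASL steps
myhostname = mta.example.com
home_mailbox = Maildir/
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/spool/postfix/private/auth
broken_sasl_auth_clients = yes
EOF
    cat > "$d/dovecot.conf" <<'EOF'
# constructed merge of 10-mail.conf and 10-ssl.conf; "ssl = no" was left unchanged
mail_location = maildir:~/Maildir
ssl = no
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
EOF
    echo "$d"
}

# Stand-alone: "sh audit.sh main.cf dovecot.conf" with files produced by
# "postconf -n" and "doveconf -n", or no arguments to audit the samples.
if [ -r "${1:-}" ] && [ -r "${2:-}" ]; then
    MAINCF=$1; DOVECF=$2; DIR=
else
    DIR=$(write_sample_configs); MAINCF=$DIR/main.cf; DOVECF=$DIR/dovecot.conf
fi
echo "== Postfix, required by the post"; audit_file "$MAINCF" "$POSTFIX_REQUIRED"
echo "== Postfix, recommended";          audit_file "$MAINCF" "$POSTFIX_RECOMMENDED"
echo "== Dovecot, required by the post"; audit_file "$DOVECF" "$DOVECOT_REQUIRED"
[ -z "$DIR" ] || rm -rf "$DIR"
```

The parser only understands flat "key = value" lines, so nested blocks in doveconf output (such as the unix_listener stanza from the SASL section) are ignored rather than checked; confirm that one by hand with the ls of /var/spool/postfix/private/auth that the post's swaks relay test implicitly exercises.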