Lab 9 mnjk: Difference between revisions
Revision as of 20:18, 12 February 2021
Introduction
In this lab you will perform the following tasks:
- Install a basic email server
- Install Courier MDA software
- Learn how to allow remote users to send mail
You will use the following commands:
This lab assumes that you know the IP address of your Linux system and are connected to the ITCnet VPN network. Additionally, this lab assumes that you have completed the Bind DNS lab and have created an MX record that directs mail to your mail server.
Lab Procedure
Prerequisites
- Open an SSH console to your Linux system using the PuTTY software and log in with your standard user account
- Make sure that webmin is installed on your system.
- Get the username and domain name of someone else's system in the class who you can send mail to
- This lab requires that you have appropriate domain name records (at least a correct A and MX record) for your system working from the DNS lab before things will work.
Install the Postfix MTA
Video Tutorial - Install Postfix MTA
- Use a package manager to install the postfix package.
- During the installation process select Internet Site as the type of mail server and set the domain name to *.itc2480.campus.ihitc.net where * is the hostname letter of your system.
- MTA software listens for incoming connections from other MTA servers on port 25 and accepts mail on behalf of users on the system. Once the mail is received it is stored locally for users to retrieve. The most common methods for storing messages are an .mbox file, where all messages are stored in a single file, or a Maildir, which is a directory where each message is stored in a separate file. The MTA also listens for connections from client software (MUA), accepts outbound messages from them and forwards them on to the destination domain's mail server. Advanced configuration of MTA software can allow for anti-spam filtering, mailing list support or other programs to intercept and manipulate mail as it passes through the server.
 
- Test the connection and verify the port is open
- Use Telnet to connect to the Postfix SMTP server on port 25: telnet localhost 25
- Type quit and press enter after verifying Postfix is running.
 
- Because the Courier IMAP and POP3 server software only supports Maildir style message stores and Postfix stores in mbox files by default, you must edit the /etc/postfix/main.cf file to fix this. Add the line home_mailbox = Maildir/ and edit the mailbox_command parameter so there is nothing on the line after the equals sign (delete the portion of the line referencing procmail if it exists). The line should look like: mailbox_command =
- Restart the postfix service to apply your change. Postfix is now saving new incoming messages into the Maildir folder inside each user's home directory. This folder is automatically created by Postfix the first time a new message comes in for a user.
- Set your shell to recognize the Maildir as your mail location
- Edit the /etc/login.defs file and comment out the MAIL_DIR /var/mail line (place a # in front of the line) and add a line setting MAIL_FILE like this:

#MAIL_DIR /var/mail
MAIL_FILE Maildir/

- Edit the /etc/pam.d/login file, find and comment out the session optional pam_mail.so standard line (place a # in front of the line) and add a line like this immediately below it:

#session optional pam_mail.so standard
session optional pam_mail.so dir=~/Maildir standard

- Edit the /etc/pam.d/su file, find and comment out the session optional pam_mail.so nopen line (place a # in front of the line) and add a line like this immediately below it:

#session optional pam_mail.so nopen
session optional pam_mail.so dir=~/Maildir nopen

- Edit the /etc/pam.d/sshd file, find and comment out the session optional pam_mail.so standard noenv line (place a # in front of the line) and add a line like this immediately below it:

#session optional pam_mail.so standard noenv
session optional pam_mail.so dir=~/Maildir standard

- Edit the /etc/profile file and at the end of the file add the line: export MAIL=~/Maildir

- Test sending and receiving mail as a locally logged on user.
- Install the mailutils package.
- Try sending a message (replace username with your username): echo "This is my message" | mail -s "Email Subject" username@localhost
- Log out of your SSH session and open a new SSH session to apply the changes to the /etc/profile and /etc/login.defs files.
- Check to see if the message was received using the mail command; press q to return to the command line.
- You should also be able to see the message in ~/Maildir/ in either the new/ or cur/ directory depending on whether you have viewed the message list yet or not. In either case the message will appear as a text file with a random looking name. It's just a text file so you can use cat or less to view it.
- Create Aliases
- You can create aliases and forward mail between users by editing the /etc/aliases file and then running the newaliases program.
- Create an "alias" for sysadmin which forwards mail sent to sysadmin@localhost to your username
- Send a copy of all mail to the root account to your username
- Now would be a good time to try logging on to Webmin again, re-scanning for modules and then taking a look at the Postfix module in the Servers section.
- Explore the mail log file
- Take a look at your /var/log/mail.info log to see Postfix sending and receiving messages for users.
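The Maildir switch above touches five files by hand, and a mistake in a PAM file can lock you out of SSH. The script below is an added example (not part of the lab or of Postfix/Courier) that makes the same edits on copies of the files first, so you can diff the result before applying it to /etc. It assumes the stock Debian contents of login.defs and the three PAM files shown in the lab; the main.cf change is done with postconf, which is equivalent to editing the file, and is skipped when Postfix is not installed. Unlike the lab's literal sshd line, the script keeps every option that followed pam_mail.so (so sshd ends with "standard noenv").

```shell
#!/bin/sh
# Added example (not from the lab page): apply the lab's Maildir changes to
# copies of login.defs, the PAM files and profile, so the edits can be
# checked before touching /etc. Every path is an argument; nothing here
# writes to /etc unless you pass those paths. Functions are safe to re-run.
set -eu

# Comment out "MAIL_DIR /var/mail" and append "MAIL_FILE Maildir/".
set_login_defs() {
  f="$1"
  grep -Eq '^MAIL_FILE[[:space:]]+Maildir/' "$f" && return 0
  awk '/^MAIL_DIR[ \t]/ { print "#" $0; next } { print }' "$f" > "$f.tmp"
  printf 'MAIL_FILE\tMaildir/\n' >> "$f.tmp"
  mv "$f.tmp" "$f"
}

# Comment out each "session optional pam_mail.so ..." line and insert the
# same line with dir=~/Maildir directly below it (pam.d/login, su, sshd).
set_pam_maildir() {
  f="$1"
  grep -Eq 'pam_mail\.so[[:space:]]+dir=~/Maildir' "$f" && return 0
  awk '
    /^session[ \t]+optional[ \t]+pam_mail\.so/ {
      print "#" $0
      sub(/pam_mail\.so/, "pam_mail.so dir=~/Maildir")
      print
      next
    }
    { print }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Append "export MAIL=~/Maildir" to a profile file once.
set_profile_mail() {
  f="$1"
  grep -q '^export MAIL=~/Maildir$' "$f" && return 0
  printf 'export MAIL=~/Maildir\n' >> "$f"
}

# Same change as editing main.cf in the lab (home_mailbox set, mailbox_command
# emptied), done through postconf. Only runs where Postfix is installed.
set_postfix_maildir() {
  command -v postconf >/dev/null 2>&1 || { echo "postconf not found; skipping main.cf" >&2; return 0; }
  postconf -e 'home_mailbox = Maildir/' 'mailbox_command ='
}

# Constructed copies of the stock Debian lines, edited in a temp directory.
demo() {
  d=$(mktemp -d)
  printf 'MAIL_DIR        /var/mail\n#MAIL_FILE      .mail\n' > "$d/login.defs"
  printf 'session    optional   pam_mail.so standard\n' > "$d/login"
  printf 'session    optional   pam_mail.so nopen\n' > "$d/su"
  printf 'session    optional   pam_mail.so standard noenv\n' > "$d/sshd"
  printf '# /etc/profile: system-wide .profile file\n' > "$d/profile"
  set_login_defs "$d/login.defs"
  for p in login su sshd; do set_pam_maildir "$d/$p"; done
  set_profile_mail "$d/profile"
  echo "$d"
}

d=$(demo)
grep -E 'MAIL_(DIR|FILE)|pam_mail|MAIL=' "$d"/*
```

Run it once to see the edited copies, then apply the same functions to the real files (for example set_pam_maildir /etc/pam.d/sshd) only after you are satisfied with the output, keeping a second SSH session open while you do so.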
Install Courier MDA
Video Tutorial - Install Courier MDA
- Install required courier packages
- Most users prefer to retrieve mail from a mail server using an MDA protocol like POP3 or IMAP which can be provided by the Courier programs. Install the courier-pop, courier-imap, and fam packages.
- Local users accessing their mailbox with MUA software can read and write to the .mbox file or Maildir directly. If a user not locally logged on to the system wants to access their mailbox the server runs MDA software which typically uses the POP3 or IMAP protocol for accessing the .mbox file or Maildir remotely.
- Do not create the directories for web-based administration as they are unneeded for our setup
 
- Install MUA Client on remote system
- Install an email client (MUA) on your host (home) system such as Mozilla Thunderbird
- Setup two user accounts in your MUA, the usernames and passwords should be the same as users and their passwords on your system. Use IMAP as the protocol for retrieving mail. The email address for each should be username@*.itc2480.campus.ihitc.net where the * is replaced by the host letter of your system. You can verify the IMAP and SMTP settings that are detected, both server addresses should be *.itc2480.campus.ihitc.net where the * is replaced by the host letter of your system.
 
- NOTE: The first time you check messages and the first time you send messages to your server from Thunderbird you will need to accept an invalid security certificate in the Thunderbird window.
- NOTE: To see the Tools menu with the Account Settings window in recent versions of Thunderbird (where you can add more accounts) you need to press ALT-F and then the menu bar will temporarily appear.
- Send mail between local users
- Try sending a message from one user to the other user by sending a message to the other account like username@localhost. Verify that you can receive and read the messages.
- Note: If a user has not yet received any mail Postfix has not created a Maildir for the user and the Courier software will send an error to the client software. Use the mail program explained above to send some mail to the user, see that the ~/Maildir is then created and try retrieving the messages again with your MUA.
 
Allow Remote Users to Send Mail
Video tutorial - Allow Remote Users to Send Mail
- Testing SMTP mail to another domain
- Try setting up your MUA software to send mail by creating an SMTP server entry and sending an email to anotheruser@localhost. This should work because localhost is your own server, but if you try sending email to someuser@somedomain.com like root@ben.itc2480.campus.ihitc.net that will fail.
 
- The problem is that you do not want just anyone to send mail through your mail server (this was allowed in the olden days), because a spammer could then use your server to send mail worldwide and it would all trace back to the IP of your server. Servers set up like this are called "open relays" because they relay mail for anyone; they are generally considered very bad practice and can get your mail server onto lists of servers whose messages are ignored entirely. There are a number of ways to solve this. By default Postfix only allows mail relaying from computers on the same network (based on IP) as set by the mynetworks parameter in /etc/postfix/main.cf, but this is inconvenient for remote users because you would need to know the remote IP address they are connecting from. The SASL protocol allows users to authenticate with a username and password before sending mail, and relayed messages are then accepted from them.
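The two main.cf settings that decide whether the server is an open relay are mynetworks and smtpd_relay_restrictions. The script below is an added example, not part of the lab or of Postfix, that reads a main.cf-style file and reports the settings that would relay for anyone, and also warns when SASL is enabled but authenticated users are not permitted to relay (the usual reason an otherwise working SASL setup still answers "Relay access denied"). The two sample configs it writes are constructed for the demo; the first is deliberately misconfigured, the second uses the Postfix default restrictions with SASL added.

```shell
#!/bin/sh
# Added example (not part of the lab page): check a Postfix main.cf for
# open-relay settings and for a SASL setup that never permits relaying.
# Findings are printed one per line; exit status is 1 if any was found.
set -eu

# Print the value of one main.cf parameter (empty if it is not set).
cf_get() {
  awk -v key="$2" -F= '{
      k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v }
    }' "$1"
}

relay_check() {
  cf="$1"
  bad=0
  nets=$(cf_get "$cf" mynetworks)
  case " $nets " in
    *" 0.0.0.0/0 "*|*" ::/0 "*)
      echo "mynetworks trusts every client address: $nets"; bad=1 ;;
  esac
  relay=$(cf_get "$cf" smtpd_relay_restrictions)
  if [ -n "$relay" ]; then
    case "$relay" in
      *reject_unauth_destination*|*defer_unauth_destination*) ;;
      *) echo "smtpd_relay_restrictions never rejects foreign destinations: $relay"; bad=1 ;;
    esac
    if [ "$(cf_get "$cf" smtpd_sasl_auth_enable)" = yes ]; then
      case "$relay" in
        *permit_sasl_authenticated*) ;;
        *) echo "SASL is enabled but authenticated users are not permitted to relay"; bad=1 ;;
      esac
    fi
  fi
  return $bad
}

# Constructed sample configs: an open relay and a hardened SASL setup.
write_samples() {
  d=$(mktemp -d)
  cat > "$d/open-relay.cf" <<'EOF'
myhostname = ben.itc2480.campus.ihitc.net
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks permit
EOF
  cat > "$d/hardened.cf" <<'EOF'
myhostname = ben.itc2480.campus.ihitc.net
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
EOF
  echo "$d"
}

main() {
  d=$(write_samples)
  for f in open-relay hardened; do
    echo "== $f.cf"
    relay_check "$d/$f.cf" && echo "no relay problems found"
  done
}
main
```

To check a live server, run relay_check /etc/postfix/main.cf; if a parameter is left at its default it is absent from the file and the check stays quiet, so compare against postconf -n for the effective values.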
- Configure Simple Authentication and Security Layer - SASL
- See if you can follow these instructions (https://wiki.debian.org/PostfixAndSASL) for setting up SASL with Postfix.
 
- Note: You do NOT need to set up TLS to support SASL (more on that in the additional considerations section below)
- Test and troubleshoot SASL
- Modify your MUA to use a username and password when connecting to your SMTP server and try sending mail to someone else's system from your MUA using a destination address like root@*.itc2480.campus.ihitc.net where the * is replaced by the host letter of your system.
 
- NOTE: You MUST actually exchange messages with someone else in the class (both sending to them and receiving from them). It is not possible to test using an outside email account of your own (you will not be able to send a message back to your server because it is behind a firewall). It is not enough to just be able to send a message to another system. It is not enough to just be able to receive a message from another user.
- Troubleshoot as needed using the mail log files on your system.
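When SASL sending fails, /var/log/mail.info tells you which of three things happened: the message was relayed (status=sent), the client was turned away at RCPT with "Relay access denied" (it never authenticated, or authenticated users are not permitted to relay), or the login itself failed ("SASL ... authentication failed"). The script below is an added example, not part of the lab, that pulls those counts out of a log; the same failure counter is what an administrator watches for password guessing against the submission port. The log lines are constructed to look like Postfix output, with documentation addresses and the ben.itc2480.campus.ihitc.net host from the lab text.

```shell
#!/bin/sh
# Added example (not part of the lab page): summarise a Postfix log such as
# /var/log/mail.info into sent/bounced counts, relay rejections, successful
# SASL logins and SASL failures per client address. Sample lines are
# constructed; addresses come from the documentation ranges.
set -eu

write_sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Feb 12 20:01:03 mail postfix/smtpd[2231]: connect from unknown[203.0.113.45]
Feb 12 20:01:04 mail postfix/smtpd[2231]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Feb 12 20:01:05 mail postfix/smtpd[2231]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Feb 12 20:01:09 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 454 4.7.1 <root@ben.itc2480.campus.ihitc.net>: Relay access denied; from=<someone@example.com> to=<root@ben.itc2480.campus.ihitc.net> proto=ESMTP helo=<client>
Feb 12 20:05:10 mail postfix/smtpd[2240]: 3F2A1C0A1B: client=laptop.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Feb 12 20:05:11 mail postfix/smtp[2245]: 3F2A1C0A1B: to=<root@ben.itc2480.campus.ihitc.net>, relay=ben.itc2480.campus.ihitc.net[192.0.2.10]:25, delay=0.4, delays=0.1/0/0.2/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9A8B7C)
Feb 12 20:06:00 mail postfix/local[2250]: 5D1E2C0B2C: to=<alice@mail.example>, relay=local, delay=0.1, delays=0.05/0/0/0.05, dsn=2.0.0, status=sent (delivered to maildir)
Feb 12 20:07:30 mail postfix/smtp[2252]: 6E2F3D0C3D: to=<nobody@example.invalid>, relay=none, delay=0.2, delays=0.1/0/0.1/0, dsn=5.4.4, status=bounced (Host or domain name not found)
EOF
  echo "$f"
}

# Number of deliveries with the given status (sent, bounced, deferred).
count_status() { grep -c "status=$2" "$1" || true; }

# Clients rejected because they tried to relay without a permitted login.
count_relay_denied() { grep -c 'Relay access denied' "$1" || true; }

# SASL failures per client address, most frequent first, as "count ip".
sasl_failures_by_ip() {
  grep 'SASL [A-Z-]* authentication failed' "$1" \
    | sed -n 's/.*: [^[]*\[\([^]]*\)\]: SASL.*/\1/p' \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Usernames that authenticated successfully (one per client= line).
sasl_logins() {
  sed -n 's/.*sasl_username=\([^, ]*\).*/\1/p' "$1"
}

main() {
  log=$(write_sample_log)
  echo "sent: $(count_status "$log" sent)  bounced: $(count_status "$log" bounced)"
  echo "relay denied: $(count_relay_denied "$log")"
  echo "authenticated users: $(sasl_logins "$log" | sort -u | tr '\n' ' ')"
  echo "SASL failures by client:"
  sasl_failures_by_ip "$log"
  rm -f "$log"
}
main
```

Point the functions at the real file (for example sasl_failures_by_ip /var/log/mail.info) to see who is failing to log in; a client that shows up only under "Relay access denied" with no failure line never attempted SASL, which usually means the MUA's outgoing-server authentication setting is still off.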
 
Additional Considerations
Running a mail server is tricky business. The basic server we have set up does not use valid certificates for encrypting connections, meaning usernames, passwords, and mail contents are all being sent to an unverified server. This is very undesirable from a security standpoint, and it is recommended to support SSL/TLS encryption for both the MTA and MDA portions with a valid certificate purchased from a certificate authority (CA) or obtained from a free CA like Let's Encrypt. In addition, you will almost certainly want spam filtering at the server. More complicated setups also use database tables for users, passwords and domains so that you can host multiple domains on a single server and have mailboxes for people who do not have local logins on the system.