Lab 9 mnjk: Difference between revisions
Revision as of 22:50, 6 February 2021
Introduction
- In this lab you will perform the following tasks:
- Install a basic email server
- Install Courier MDA software
- Learn how to allow remote users to send mail
- You will use the following commands:
- This lab assumes that you have completed the Bind DNS and have created a MX record
- The MTA to be installed is Postfix. MTA software listens for incoming connections from other MTA servers on port 25 and accepts mail on behalf of users on the system. Once the mail is received it is stored locally for users to retrieve. The two most common message stores are an .mbox file, where all messages are kept in a single file, and a Maildir, a directory in which each message is stored as a separate file. The MTA also listens for connections from client software (MUA), accepts outbound messages from it and forwards them on to the destination domain's mail server. Advanced configuration of MTA software can allow anti-spam filtering, mailing list support or other programs to intercept and manipulate mail as it passes through the server.
- Local users accessing their mailbox with MUA software can read and write the .mbox file or Maildir directly. If a user who is not locally logged on to the system wants to access their mailbox, the server runs MDA software, which typically uses the POP3 or IMAP protocol to give remote access to the .mbox file or Maildir.
Lab Procedure
Prerequisites
- Open an SSH console to your Linux system using the PuTTY software, login with your standard user account
- Make sure that webmin is installed on your system.
- Get the username and domain name of someone else's system in the class who you can send mail to
- This lab requires that you have appropriate domain name records (at least a correct A and MX record) for your system working from the DNS lab before things will work.
Install the Postfix MTA
Video tutorial - Install Postfix MTA
-  Use a package manager to install the postfix package.
- During the installation process select Internet Site as the type of mail server and set the domain name to *.itc2480.campus.ihitc.net where * is the hostname letter of your system.
 
-  Use Telnet to connect to the Postfix SMTP server on port 25: telnet localhost 25
- Type quit and press enter after verifying Postfix is running.
 
- Because the Courier IMAP and POP3 server software only supports Maildir-style message stores and Postfix stores mail in mbox files by default, you must edit the /etc/postfix/main.cf file to change this. Add the line home_mailbox = Maildir/ and edit the mailbox_command parameter so that nothing follows the equals sign (delete the portion of the line referencing procmail if it exists). The line should look like: mailbox_command =
- Restart the postfix service to apply your change. Postfix is now saving new incoming messages into the Maildir folder inside each user's home directory. This folder is automatically created by Postfix the first time a new message comes in for a user.
- Set your shell to recognize the maildir as your mail location
- Edit the /etc/login.defs file and comment out the MAIL_DIR /var/mail line (place a # in front of the line) and add a line setting MAIL_FILE like this:
#MAIL_DIR /var/mail
MAIL_FILE Maildir/
- Edit the /etc/pam.d/login file, find and comment out the session optional pam_mail.so standard line (place a # in front of the line) and add a line like this immediately below it:
#session optional pam_mail.so standard
session optional pam_mail.so dir=~/Maildir standard
- Edit the /etc/pam.d/su file, find and comment out the session optional pam_mail.so nopen line (place a # in front of the line) and add a line like this immediately below it:
#session optional pam_mail.so nopen
session optional pam_mail.so dir=~/Maildir nopen
- Edit the /etc/pam.d/sshd file, find and comment out the session optional pam_mail.so standard noenv line (place a # in front of the line) and add a line like this immediately below it:
#session optional pam_mail.so standard noenv
session optional pam_mail.so dir=~/Maildir standard
-  Edit the /etc/profile file and at the end of the file add the line: export MAIL=~/Maildir 
-  Test sending and receiving mail as a locally logged on user.
- Install the mailutils package.
-  Try sending a message (replace username with your username): echo "This is my message" | mail -s "Email Subject" username@localhost 
- Log out of your SSH session and open a new SSH session to apply the changes to the /etc/profile and /etc/login.defs files.
- Check to see if the message was received using the mail command, press q to return to the command line.
- You should also be able to see the message in ~/Maildir/ in either the new/ or cur/ directory depending on whether you have viewed the message list yet or not. In either case the message will appear as a text file with a random looking name. It's just a text file so you can use cat or less to view it.
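As an added example that is not part of the lab, the following Python script (standard mailbox module only) builds the two message stores described above, an mbox file and a Maildir, in a temporary directory with constructed messages, then emulates a mail reader's first view so the files move from new/ to cur/ and gain the Seen flag in their names.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage

def make_message(subject, body):
    msg = EmailMessage()                  # constructed demo message, alice -> bob
    msg["From"], msg["To"], msg["Subject"] = "alice@localhost", "bob@localhost", subject
    msg.set_content(body)
    return msg

def deliver(root, messages):
    """Store the same messages as root/bob.mbox and under root/Maildir."""
    mbox_path, maildir_path = os.path.join(root, "bob.mbox"), os.path.join(root, "Maildir")
    mb = mailbox.mbox(mbox_path)          # one file that will hold every message
    md = mailbox.Maildir(maildir_path)    # creates tmp/, new/ and cur/
    for m in messages:
        mb.add(m)
        md.add(m)                         # unread delivery: one file in new/
    mb.close()
    md.close()
    return mbox_path, maildir_path

def layout(mbox_path, maildir_path):
    """Per-store counts, the equivalent of the lab's look into ~/Maildir."""
    mb = mailbox.mbox(mbox_path)
    counts = {"mbox_messages": len(mb)}
    mb.close()
    for sub in ("new", "cur"):
        counts["maildir_" + sub] = len(os.listdir(os.path.join(maildir_path, sub)))
    return counts

def mark_all_read(maildir_path):
    """What mail(1) does on the first view: move new/ -> cur/ and add the Seen flag."""
    md = mailbox.Maildir(maildir_path)
    for key in list(md.keys()):
        m = md[key]                       # MaildirMessage carrying subdir and flags
        m.set_subdir("cur")
        m.add_flag("S")                   # file name gains the ':2,S' suffix
        md[key] = m                       # rewritten under cur/
    md.close()
    return sorted(os.listdir(os.path.join(maildir_path, "cur")))

def demo():
    """Deliver two messages, then read them; returns (before, after, cur/ names)."""
    root = tempfile.mkdtemp()
    mbox_path, maildir_path = deliver(root, [make_message("first", "hello"),
                                             make_message("second", "again")])
    before = layout(mbox_path, maildir_path)
    cur_files = mark_all_read(maildir_path)
    return before, layout(mbox_path, maildir_path), cur_files
```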
 
- Create an "alias" for sysadmin that forwards mail sent to sysadmin@localhost to your username, and also send a copy of all mail for the root account to your username, by editing the /etc/aliases file and then running the newaliases program.
- It might be a good time to try logging on to Webmin again, re-scanning for modules and then taking a look at the Postfix module in the Servers section.
- Take a look at your /var/log/mail.info log to see Postfix sending and receiving messages for users.
Install Courier MDA
Video tutorial - Install Courier MDA
- Most users prefer to retrieve mail from a mail server using an MDA protocol like POP3 or IMAP which can be provided by the Courier programs. Install the courier-pop, courier-imap, and fam packages.
- Do not create the directories for web-based administration as they are unneeded for our setup
 
- Install an email client (MUA) on your host system such as Mozilla Thunderbird
- Set up two user accounts in your MUA; the usernames and passwords should be the same as those of users on your system. Use IMAP as the protocol for retrieving mail. The email address for each should be username@*.itc2480.campus.ihitc.net where the * is replaced by the host letter of your system. You can verify the IMAP and SMTP settings that are detected; both server addresses should be *.itc2480.campus.ihitc.net where the * is replaced by the host letter of your system.
- NOTE: The first time you check messages and the first time you send messages to your server from Thunderbird you will need to accept an invalid security certificate in the Thunderbird window.
- NOTE: To see the Tools menu with the Account Settings window in recent versions of Thunderbird (where you can add more accounts) you need to press ALT-F and then the menu bar will temporarily appear.
 
- Try sending a message from one user to the other by addressing it to the other account, like username@localhost. Verify that you can receive and read the messages.
- Note: If a user has not yet received any mail Postfix has not created a Maildir for the user and the Courier software will send an error to the client software. Use the mail program explained above to send some mail to the user, see that the ~/Maildir is then created and try retrieving the messages again with your MUA.
 
Allow Remote Users to Send Mail
Video tutorial - Allow Remote Users to Send Mail
- Try setting up your MUA software to send mail by creating an SMTP server entry and sending an email to anotheruser@localhost. This should work because localhost is your own server, but if you try sending email to someuser@somedomain.com, like root@ben.itc2480.campus.ihitc.net, it will fail.
- The problem is that you don't want just anyone to send mail through your mail server (this was allowed in the olden days), because a spammer could then use your server to send mail worldwide and it would all trace back to the IP address of your server. Servers set up like this are called "open relays" because they relay mail for anyone; they are generally considered very bad practice and can get your mail server placed on blocklists whose users ignore all messages from it. There are a number of ways to solve this. By default Postfix only allows mail relaying from computers on the same network (based on IP address), as set in the mynetworks parameter in /etc/postfix/main.cf, but this is inconvenient for remote users because you would need to know the remote IP address they are connecting from. SASL allows users to authenticate with a username and password before sending mail, and relay messages are then accepted from authenticated users.
- See if you can follow these instructions for setting up SASL with Postfix.
- Note: You do NOT need to setup TLS to support SASL (more on that in the additional considerations section below)
 
- Now modify your MUA to use a username and password when connecting to your SMTP server and try sending mail to someone else's system from your MUA using a destination address like root@*.itc2480.campus.ihitc.net where the * is replaced by the host letter of your system.
- NOTE: You MUST actually exchange messages with someone else in the class (both sending to them and receiving from them). It is not possible to test using an outside email account of your own (you will not be able to send a message back to your server because it is behind a firewall). It is not enough to just be able to send a message to another system. It is not enough to just be able to receive a message from another user.
 
- Troubleshoot as needed using the mail log files on your system.
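As an added example (not from the lab or from the Postfix project), this Python script triages a constructed mail.log excerpt written in Postfix's smtpd/qmgr log format, separating clients that were refused relaying or failed SASL authentication from authenticated submissions; the host names, IP addresses and queue id are made up.

```python
import re
from collections import defaultdict

# Constructed mail.log excerpt in Postfix's smtpd/qmgr format (hosts, IPs and
# queue id made up): one relay refusal and two SASL failures from one client,
# one authenticated submission from another.
SAMPLE_LOG = """\
Feb  6 22:51:03 mailhost postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <root@ben.itc2480.campus.ihitc.net>: Relay access denied; from=<someone@example.net> to=<root@ben.itc2480.campus.ihitc.net> proto=ESMTP helo=<example.net>
Feb  6 22:52:10 mailhost postfix/smtpd[2215]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  6 22:52:14 mailhost postfix/smtpd[2215]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  6 22:53:44 mailhost postfix/smtpd[2219]: 3F2A1C0D: client=unknown[198.51.100.4], sasl_method=PLAIN, sasl_username=alice
Feb  6 22:53:45 mailhost postfix/qmgr[1010]: 3F2A1C0D: from=<alice@ben.itc2480.campus.ihitc.net>, size=512, nrcpt=1 (queue active)
"""

CLIENT_RE = re.compile(r"\S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
SASL_OK_RE = re.compile(r"sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+)")

def triage(log_text):
    """Per client IP: how often relaying was refused, how often SASL login
    failed, how often it succeeded, and which usernames authenticated."""
    stats = defaultdict(lambda: {"relay_denied": 0, "sasl_failed": 0,
                                 "sasl_ok": 0, "users": set()})
    for line in log_text.splitlines():
        if "postfix/smtpd[" not in line:   # only smtpd logs client connections
            continue
        client = CLIENT_RE.search(line)
        if not client:
            continue
        entry = stats[client.group("ip")]
        if "Relay access denied" in line:
            entry["relay_denied"] += 1
        elif "SASL" in line and "authentication failed" in line:
            entry["sasl_failed"] += 1
        else:
            ok = SASL_OK_RE.search(line)
            if ok:
                entry["sasl_ok"] += 1
                entry["users"].add(ok.group("user"))
    return dict(stats)

def suspicious_clients(stats, fail_threshold=2):
    """IPs refused relaying or repeatedly failing SASL: compare them with
    mynetworks and consider blocking them at the firewall."""
    return sorted(ip for ip, e in stats.items()
                  if e["relay_denied"] or e["sasl_failed"] >= fail_threshold)

if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    for ip, e in sorted(s.items()):
        print(ip, e["relay_denied"], e["sasl_failed"], e["sasl_ok"], sorted(e["users"]))
    print("suspicious:", suspicious_clients(s))
```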
Additional Considerations
Running a mail server is tricky business. The basic server we have set up does not use valid certificates for encrypting connections, meaning usernames, passwords and mail contents are all being sent to an unverified server. This is very undesirable from a security standpoint, and it is recommended to support SSL/TLS encryption for both the MTA and MDA portions with a valid certificate purchased from a certificate authority (CA) or obtained from a free CA like Let's Encrypt. In addition, you will almost certainly want spam filtering at the server. More complicated setups also use database tables for users, passwords and domains so that you can host multiple domains on a single server and have mailboxes for people who do not have local logins on the system.