LESSON 10

Date: 4/9/2009
Email Basics
Linux for Engineering and IT applications


Practical Exercises


Postfix installation, configuration and testing

Your desktop machine, say desktop18, is going to be an e-mail client; your node host, say node18, should be configured as a Postfix e-mail server. You need to change the host names in the configurations below for those of your machines.
Download file hosts and copy it into /etc/hosts on both your desktop and the node.

On the node, install Postfix
apt-get install postfix
During the installation a configurator starts; choose "No configuration".
Create a new file, /etc/postfix/main.cf, with the following content:
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

myhostname = node18.linux.class
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = node18, node18.linux.class, localhost.linux.class, localhost
mynetworks = 127.0.0.0/8

Generate the aliases database by running:
newaliases
Restart the server:
/etc/init.d/postfix stop 
/etc/init.d/postfix start 

Test the server by telnetting to it from the desktop, say desktop18:
telnet node18 25

Trying 192.168.5.38...
Connected to node18.linux.class.
Escape character is '^]'.
220 node18.linux.class ESMTP Postfix (Debian/GNU)

EHLO desktop18

250-node18.linux.class
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250 8BITMIME

mail from: root@desktop18
250 Ok
rcpt to: root@node18.linux.class
250 Ok

data
354 End data with <CR><LF>.<CR><LF>

Subject: test mail
Hi root.
.


press ENTER

250 Ok: queued as 1D0B8140F3

quit
Check for the e-mail in the file /var/mail/root on node18.

Set up aliases to redirect e-mail for root to yourself on the server. Modify /etc/aliases:
root:          jonny 
postmaster:    root
Run the command:
newaliases
Try to e-mail something to root@node18 again.
Install UW-IMAP server on node18:
apt-get install uw-imapd
Choose "Yes" for "Allow insecure authentication using plaintext passwords".
Choose "Yes" for "Continue installing libc-client without Maildir support".
Select "imap2" and "imaps".
Check if there are entries in /etc/inetd.conf for IMAP and IMAPS:
#:MAIL: Mail, news and uucp services.
imap2   stream  tcp     nowait  root    /usr/sbin/tcpd /usr/sbin/imapd
imaps   stream  tcp     nowait  root    /usr/sbin/tcpd /usr/sbin/imapd
Generate new self-signed SSL certificates for imap:
cd /usr/lib/ssl/certs
openssl req -new -x509 -nodes -out imapd.pem -keyout imapd.pem -days 365
Restart inetd and verify that the IMAP and IMAPS ports (tcp/143 and tcp/993) are open:
/etc/init.d/openbsd-inetd restart
netstat -nalp | grep inetd

On your desktop, configure an e-mail program: either Mozilla or alpine. You can install alpine with apt:
apt-get install alpine
In the configuration, specify the domain name, the outgoing SMTP server, and the Inbox IMAP server, for example:
user-domain=node18.linux.class

smtp-server=node18.linux.class

inbox-path="{node18.linux.class:143/novalidate-cert}inbox"

Install ntpdate on both the desktop and the node in order to synchronize the clocks. Otherwise, e-mail time stamps would be inconsistent.
apt-get install ntpdate
ntpdate -su 128.6.224.114

Run pine or Mozilla to send and receive emails at node18.linux.class.

  • Sending e-mail to remote hosts.
    Modify mynetworks in /etc/postfix/main.cf and also add disable_dns_lookups as follows:
    mynetworks = 127.0.0.0/8  192.168.5.0/24
    disable_dns_lookups = yes
    
    Reload postfix:
    /etc/init.d/postfix reload
    

  • Send e-mail to the other people in the class (to their e-mail servers). You can use either their user name or the aliased root on their nodes as the recipient address, such as root@node01.linux.class, root@node02.linux.class, etc. Check whether they receive your e-mails.
  • Try to e-mail yourself at any remote host outside our private subnet.
    The e-mail should bounce back to you with an error like the one below:
     5.1.8 ... Domain of sender address
     jonny@node18.linux.class does not exist (in reply to MAIL FROM command)
    
    Modify /etc/postfix/main.cf by adding line
    smtp_generic_maps = hash:/etc/postfix/canonical
    
    Create a new file, /etc/postfix/canonical with the following content:
    @node18.linux.class    @capone.rutgers.edu
    @desktop18.linux.class  @capone.rutgers.edu
    
    Rebuild canonical maps and reload the server:
    postmap /etc/postfix/canonical
    /etc/init.d/postfix reload
    

    If you send e-mail again, it should be delivered and appear as coming from User_Name@capone.rutgers.edu. Don't try to respond to it, as the reply won't be delivered into the private network.
    Afterwards, comment out the line in /etc/postfix/main.cf:
    #smtp_generic_maps = hash:/etc/postfix/canonical
    
    otherwise, e-mail for local destinations will end up at capone. Reload the Postfix server again.

  • Header Filtering.
    Modify /etc/postfix/main.cf file by including an extra line with
    header_checks = regexp:/etc/postfix/bad_headers
    
    Reload the postfix as you always do after modifying /etc/postfix/main.cf:
    /etc/init.d/postfix reload
    
    Create a new file, /etc/postfix/bad_headers with the following content:
    /^Subject:(.*)Mortgage Low Rates/                                       REJECT Mortgage Rates
    /^Subject:(.*)[Vv]iagra/                                                REJECT Viagra
    /^Subject:(.*)[Ss]ildenalfil/                                           REJECT You meant the v-word.
    /^Subject:(.*)[Cc]itrate/                                               REJECT You meant the v-word.
    /^Subject:(.*)[Cc]ialis/                                                REJECT c_ialis.
    /^Subject:(.*)[Ee]nzyte/                                                REJECT e_nzyte.
    /^Content\-Transfer\-Encoding:(.*)base64$/                              REJECT base_64
    
    
    Try to send e-mails to yourself at the node with the subjects 'Viagra', 'Mortgage Low Rates' and 'Cialis', and notice how they are rejected.

  • Body content filtering
    Modify /etc/postfix/main.cf file by including an extra line with
    body_checks =  regexp:/etc/postfix/bad_content
    
    Reload the postfix as you always do after modifying /etc/postfix/main.cf:
    /etc/init.d/postfix reload
    
    Create a new file, /etc/postfix/bad_content with the following content:
    /Nude Celebrities/                                              REJECT  Nude celebrities
    /FREE MEMBERSHIP/                                               REJECT  Free membership
    
    Try to send e-mails to yourself containing 'Nude Celebrities' and 'FREE MEMBERSHIP' in the text and watch for the error messages.
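
As an added illustration (not part of the lesson), the following Python script emulates how Postfix applies the two tables above: the table text is parsed into ordered rules, each header line (field name included) is tried against header_checks and each body line against body_checks, and the first matching rule wins. Postfix regexp tables match case-insensitively by default, so the [Vv]iagra brackets are redundant and 'MORTGAGE LOW RATES' is caught too; since mime_header_checks defaults to $header_checks, the base64 rule also rejects any message carrying a base64-encoded attachment. The table contents are constructed copies of the lesson's rules.

```python
import re
from email import message_from_string

# Constructed copies of the lesson's header_checks and body_checks tables.
BAD_HEADERS = r"""
/^Subject:(.*)Mortgage Low Rates/             REJECT Mortgage Rates
/^Subject:(.*)[Vv]iagra/                      REJECT Viagra
/^Content\-Transfer\-Encoding:(.*)base64$/    REJECT base_64
"""
BAD_CONTENT = r"""
/Nude Celebrities/    REJECT  Nude celebrities
/FREE MEMBERSHIP/     REJECT  Free membership
"""

# One table line: /pattern/ <whitespace> ACTION [optional reason text]
RULE_RE = re.compile(r"^/(.*)/\s+(\S+)(?:\s+(.*))?$")

def parse_table(text):
    """Turn a regexp: table into an ordered list of (regex, action, reason)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # blanks and comments are ignored
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("malformed rule: " + line)
        pattern, action, reason = m.groups()
        # Postfix regexp tables are case-insensitive unless the 'i' flag is toggled off.
        rules.append((re.compile(pattern, re.IGNORECASE), action, reason or ""))
    return rules

def first_match(lines, rules):
    """Apply the table to each line in turn; the first matching rule wins."""
    for line in lines:
        for regex, action, reason in rules:
            if regex.search(line):
                return action, reason
    return None

def check_message(raw, header_rules, body_rules):
    """Return the (action, reason) Postfix would apply, or None to accept."""
    msg = message_from_string(raw)
    # header_checks see the whole logical header line, field name included.
    hit = first_match([f"{k}: {v}" for k, v in msg.items()], header_rules)
    if hit:
        return hit
    # body_checks are applied to every body line (non-multipart sample here).
    return first_match(msg.get_payload().splitlines(), body_rules)
```

Feed it a raw message such as "Subject: MORTGAGE LOW RATES\n\nHi root.\n" to see the REJECT the server would log; a message with a plain subject and an innocuous body returns None.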

  • Reject email from hosts with unresolvable names.
    Modify /etc/postfix/main.cf by adding the following two lines:
    smtpd_helo_required = yes
    smtpd_helo_restrictions = reject_unknown_hostname
    
    Reload Postfix. E-mail yourself at the node machine. You should get a bounce error similar to the following:
    [Mail not sent: : Helo command rejected: Host not found] 
    
    Since we don't have a local DNS, your desktop machine's name is unresolvable. Comment out these lines in /etc/postfix/main.cf, otherwise you won't be able to send e-mail from your desktop.

    Setting up SMTP AUTH
    Install Simple Authentication and Security Layer (SASL) libraries:
    apt-get install libsasl2 libsasl2-modules sasl2-bin
    

    Edit /etc/default/saslauthd and set the following parameters:
    START=yes
    
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
    
    Start SASL
    /etc/init.d/saslauthd start
    

    Create file /etc/postfix/sasl/smtpd.conf with the following entry
      pwcheck_method: saslauthd
      mech_list: PLAIN LOGIN
    

    Add the user postfix to the group sasl (-a appends to its existing supplementary groups):
    usermod -a -G sasl postfix
    

    Set permissions on the SASL working directory:
    chown -R root:sasl /var/spool/postfix/var/run/saslauthd/
    chmod 750 /var/spool/postfix/var/run/saslauthd/
    

    Edit the postfix configuration file /etc/postfix/main.cf and enable SASL authentication by adding the following entries:
     smtpd_sasl_auth_enable = yes
     smtpd_sasl_path = smtpd
     smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, 
      reject_unauth_destination
    
    Reload postfix
    postfix reload
    

    To test the server side, connect to the Postfix SMTP port with telnet; you should be able to have a conversation like the one below. The lines you type as the client are ehlo desktop18, AUTH PLAIN AHJvb3QAY2FpcDE= and quit; all other lines are the server's responses.
    telnet node18.linux.class 25
    Trying 192.168.5.28...
    Connected to node18.linux.class.
    Escape character is '^]'.
    220 node18.linux.class ESMTP Postfix (Ubuntu/GNU)
    ehlo desktop18
    250-node18.linux.class
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-AUTH LOGIN PLAIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    AUTH PLAIN AHJvb3QAY2FpcDE=
    235 2.7.0 Authentication successful
    quit
    221 2.0.0 Bye
    

    Instead of AHJvb3QAY2FpcDE=, send the base64 encoding of \0username\0password (each \0 is a null byte); the example above authenticates as the user root. To generate the string for user root with password testpass, run:
    perl -MMIME::Base64 -e 'print encode_base64("\0root\0testpass");'
    

    Setting up TLS
    Generate certificates in directory /usr/lib/ssl/misc
    cd /usr/lib/ssl/misc
    ./CA.pl -newca
    
    The entries can be arbitrary, except the 'Common Name' where you should use the name of the server, for example, node18.linux.class.
    Then, create the server certificate request
    ./CA.pl -newreq-nodes
    
    Finally, sign the certificate request with the new CA.
    ./CA.pl -sign
    
    Make the certificates available to Postfix:
    mkdir /etc/postfix/ssl
    cp newkey.pem /etc/postfix/ssl
    cp newcert.pem /etc/postfix/ssl
    cp demoCA/cacert.pem /etc/postfix/ssl
    chown postfix:postfix /etc/postfix/ssl/*
    chmod 600 /etc/postfix/ssl/*
    

    Add TLS in the postfix configuration by editing file /etc/postfix/main.cf:
    smtpd_tls_security_level = may
    smtpd_tls_auth_only = yes
    smtpd_tls_key_file = /etc/postfix/ssl/newkey.pem
    smtpd_tls_cert_file = /etc/postfix/ssl/newcert.pem
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    
    Reload postfix
    postfix reload
    

    Check that STARTTLS is now offered in the handshake with the SMTP server and that AUTH PLAIN is refused before encryption:
    telnet node18 25
    Trying 192.168.5.28...
    Connected to node18.linux.class.
    Escape character is '^]'.
    220 node18.linux.class ESMTP Postfix (Ubuntu/GNU)
    ehlo desktop18
    250-node18.linux.class
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    AUTH PLAIN
    504 5.5.4 Encryption required for requested authentication mechanism
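
As an added example (not from the lesson), this Python script builds the AUTH PLAIN string used in the SMTP AUTH section above and runs the STARTTLS check this section performs by hand: with smtpd_tls_auth_only = yes it should report no AUTH before STARTTLS and LOGIN PLAIN after it. The host name defaults to node18.linux.class, and trusting the self-signed certificate mirrors the lesson's novalidate-cert setting for the private lab network.

```python
import base64
import smtplib
import ssl
import sys

def plain_token(authcid, password, authzid=""):
    """SASL PLAIN initial response: authzid NUL authcid NUL password, base64-encoded.
    The lesson's token leaves authzid empty, hence the leading NUL."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain(token):
    """Inverse of plain_token; PLAIN is only base64, which is why the lesson
    requires TLS before AUTH (smtpd_tls_auth_only = yes)."""
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN response must have exactly two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password

def auth_exposure(host, port=25, timeout=10):
    """Report which AUTH mechanisms Postfix advertises before and after STARTTLS.
    Anything listed before STARTTLS would be sent across the wire unencrypted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # lab CA is self-signed; same effect as
    ctx.verify_mode = ssl.CERT_NONE     # alpine's novalidate-cert in the lesson
    report = {"starttls": False, "auth_before_tls": None, "auth_after_tls": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        report["starttls"] = smtp.has_extn("starttls")
        report["auth_before_tls"] = smtp.esmtp_features.get("auth")
        if report["starttls"]:
            smtp.starttls(context=ctx)
            smtp.ehlo()                 # capabilities change after STARTTLS
            report["auth_after_tls"] = smtp.esmtp_features.get("auth")
    return report

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "node18.linux.class"
    print(auth_exposure(host))
```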
    

    Enable TLS on the client (desktop). Edit .pinerc in your home directory on the desktop and modify the smtp-server entry:
    smtp-server=node18.linux.class/tls/novalidate-cert/user=$USER
    
    Try sending e-mail from the client.

    Setting up Maildir
    By default, Postfix delivers e-mail into an Inbox file. We are going to replace the Inbox with Maildir on the server.
    Edit file /etc/postfix/main.cf and add the Maildir configuration:
    home_mailbox = Maildir/
    
    Reload postfix:
    postfix reload
    

    Install the Dovecot IMAP server, which supports both Maildir and Inbox types of mail storage:
    apt-get install dovecot-imapd
    
    Edit the configuration file /etc/dovecot/dovecot.conf and set the mail location to Maildir:
    mail_location = maildir:~/Maildir
    

    Set path to the SSL certificates in the configuration file:
    ssl_cert_file = /etc/postfix/ssl/newcert.pem
    ssl_key_file =  /etc/postfix/ssl/newkey.pem
    

    Restart dovecot IMAP server:
    /etc/init.d/dovecot restart
    

    Run the e-mail program on the desktop and try sending and receiving e-mail on the node. Check the Maildir directory in the user's home directory on the server.

