<?xml version="1.0" encoding="UTF-8"?>
<chapter version="5.0" xml:id="sdiMail" xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         xmlns:svg="http://www.w3.org/2000/svg"
         xmlns:m="http://www.w3.org/1998/Math/MathML"
         xmlns:html="http://www.w3.org/1999/xhtml"
         xmlns:db="http://docbook.org/ns/docbook">
  <title>Mail</title>

  <section xml:id="sdiMailPrepare">
    <title>Recommended Preparations</title>

    <itemizedlist>
      <listitem>
        <para>Good starting point and installation guide (in German), though
        written for CentOS: <link
        xlink:href="http://dokuwiki.nausch.org/doku.php/centos:mailserver:grundinstallation_von_postfix">dokuwiki.nausch.org</link>.</para>
      </listitem>

      <listitem>
        <para><link xlink:href="https://wiki.debian.org/Postfix">Installation
        guide on Debian</link></para>
      </listitem>

      <listitem>
        <para><link
        xlink:href="http://www.postfix.org/documentation.html">Postfix
        documentation</link></para>
      </listitem>

      <listitem>
        <para xml:lang="de">Das Postfix-Buch: Sichere Mailserver mit Linux,
        by Peer Heinlein (book, in German)</para>
      </listitem>

      <listitem>
        <para xml:lang="de"><link
        xlink:href="http://www.admin-magazin.de/Das-Heft/2012/02/Eigener-Mailserver-mit-Postfix-und-Dovecot">Eigener
        Mailserver mit Postfix und Dovecot</link> (in German)</para>
      </listitem>

      <listitem>
        <para xml:lang="de"><link xlink:href="???">Postfix einrichten und
        absichern</link> (in German)</para>
      </listitem>

      <listitem>
        <para><orgname>Wikipedia</orgname>: <link
        xlink:href="https://de.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol">SMTP</link>,
        mail server, <acronym>IMAP</acronym>,
        <acronym>Maildir</acronym></para>
      </listitem>
    </itemizedlist>

    <para>The following questions might arise when starting practical
    work:</para>

    <itemizedlist>
      <listitem>
        <para>What are:<itemizedlist>
            <listitem>
              <para><acronym>MTA</acronym></para>
            </listitem>

            <listitem>
              <para><acronym>MDA</acronym></para>
            </listitem>

            <listitem>
              <para><acronym>MUA</acronym></para>
            </listitem>
          </itemizedlist></para>
      </listitem>

      <listitem>
        <para>The difference between <acronym>MBOX</acronym> and
        <acronym>Maildir</acronym></para>
      </listitem>

      <listitem>
        <para>What is <acronym>SASL</acronym> and where do we use it?</para>
      </listitem>

      <listitem>
        <para>What advantages and disadvantages should be considered when
        running Postfix in a <command
        xlink:href="http://linux.die.net/man/1/chroot">chroot</command>
        environment?</para>
      </listitem>

      <listitem>
        <para>What purposes do the configuration files
        <filename>master.cf</filename> and
        <filename>main.cf</filename> serve?</para>
      </listitem>

      <listitem>
        <para>What are local and virtual domains?</para>
      </listitem>

      <listitem>
        <para>What are the smtpd_*_restrictions used for?</para>
      </listitem>

      <listitem>
        <para>What is an open relay?</para>
      </listitem>
    </itemizedlist>
  </section>

  <section xml:id="sdiMailExercises">
    <title>Exercises</title>

    <para>Our aim is to install and configure the <acronym>MTA</acronym>
    Postfix. Sending, delivering and receiving an email works as shown in
    the following figure:</para>

    <informalfigure>
      <mediaobject>
        <imageobject>
          <imagedata fileref="Ref/Fig/E-mail.svg"/>
        </imageobject>
      </mediaobject>
    </informalfigure>

    <section xml:id="sdiMailInstallSendLocalUsers">
      <title>Install and send to local Users</title>

      <para>Install Postfix. If asked, choose "No Configuration". Additional
      postfix-* packages may need to be installed later.</para>

      <programlisting language="none">apt-get install postfix</programlisting>

      <itemizedlist>
        <listitem>
          <para>check that postfix is running; try to connect via telnet
          (telnet localhost 25)</para>
        </listitem>

        <listitem>
          <para>add a local <productname>Linux</productname> user (<command
          xlink:href="http://linux.die.net/man/8/useradd">useradd</command> is
          your friend!)</para>
        </listitem>

        <listitem>
          <para>send an email via telnet to that user</para>

          <itemizedlist>
            <listitem>
              <para>emails will be stored in
              <filename>/var/mail/username</filename></para>
            </listitem>
          </itemizedlist>
        </listitem>

        <listitem>
          <para>add an alias to <filename>/etc/aliases</filename> and try to
          send an email to this newly defined alias</para>
        </listitem>

        <listitem>
          <para>add <acronym>mx</acronym> records on both VMs to your <xref
          linkend="glo_DNS"/> Setup</para>
        </listitem>

        <listitem>
          <para>try to send an email via your second host (sdiXb) to the user
          being defined on your first host (sdXa).</para>

          <itemizedlist>
            <listitem>
              <para>that is, use telnet from your local host system (the PC
              in front of you, not a VM) to connect to sdiXb and send a mail
              to a user on sdXa</para>
            </listitem>

            <listitem>
              <para>why does that fail?</para>
            </listitem>
          </itemizedlist>
        </listitem>
      </itemizedlist>
    </section>

    <section xml:id="sdiSectAuthenticationSetupVirtualUsers">
      <title>Authentication Setup and Virtual Users</title>

      <itemizedlist>
        <listitem>
          <para>add authentication to your setup</para>
        </listitem>

        <listitem>
          <para>install a <acronym>sasl</acronym> implementation
          (<command>cyrus</command> or <command>dovecot</command>)</para>

          <itemizedlist>
            <listitem>
              <para>first use your already added local users</para>
            </listitem>

            <listitem>
              <para>then bind your <acronym>sasl</acronym> authentication to
              your existing <xref linkend="glo_LDAP"/> (optional)</para>
            </listitem>
          </itemizedlist>
        </listitem>
      </itemizedlist>

      <itemizedlist>
        <listitem>
          <para>try again sending an email via your second host to a user on
          the first host using authentication</para>
        </listitem>

        <listitem>
          <para>use an email client (<acronym>MUA</acronym>) like
          <productname>thunderbird</productname> for sending emails</para>
        </listitem>

        <listitem>
          <para>add a fantasy domain (e.g. supertollermistudent.de) to your
          <xref linkend="glo_DNS"/> Setup and let its <acronym>mx</acronym>
          record point to your mail server</para>
        </listitem>

        <listitem>
          <para>add that domain to your mail setup</para>
        </listitem>

        <listitem>
          <para>now configure email addresses within this domain</para>

          <itemizedlist>
            <listitem>
              <para>define these virtual email addresses in
              <filename>/etc/postfix/virtual</filename></para>
            </listitem>

            <listitem>
              <para>configure a virtual email address pointing to your local
              user</para>
            </listitem>

            <listitem>
              <para>configure a virtual email address pointing to your own
              <orgname>HdM</orgname> mail account.</para>

              <tip>
                <para>Read about <command
                xlink:href="http://linux.die.net/man/1/postmap">postmap</command>
                and set your local resolver (resolv.conf) to your own
                DNS</para>
              </tip>
            </listitem>
          </itemizedlist>
        </listitem>
      </itemizedlist>
    </section>

    <section xml:id="sdiSectTls">
      <title><xref linkend="glo_TLS"/></title>

      <para>You already have a CA in place. Use your CA to generate a new
      certificate for your mail server. Add that certificate and your Root CA
      to your mail server setup.</para>

      <itemizedlist>
        <listitem>
          <para>Use <command>openssl</command> <option>s_client</option> to
          connect to your mail server</para>
        </listitem>

        <listitem>
          <para>verify that the certificate is used for both incoming and
          outgoing connections</para>

          <itemizedlist>
            <listitem>
              <para>send an email with <command>starttls</command> using a
              <acronym>MUA</acronym>.</para>
            </listitem>

            <listitem>
              <para>Use a <acronym>MUA</acronym> to send an email to your HdM
              Account using your mail server system as a relay.</para>
            </listitem>
          </itemizedlist>
        </listitem>

        <listitem>
          <para>both connections should be secured via <xref
          linkend="glo_TLS"/>. Look in your mail.log to verify this.</para>
        </listitem>
      </itemizedlist>
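      <para>Added example (not part of the original exercise sheet): a small
      Python audit of the TLS lines Postfix writes to mail.log. It tells the
      incoming (smtpd) session apart from the outgoing (smtp) one and flags
      old protocol versions and outgoing sessions whose remote certificate
      Postfix could not trust. The log excerpt is constructed; hostnames and
      addresses are made up.</para>

```python
import re

# Constructed mail.log excerpt (hostnames and addresses are made up).
LOG = """\
Mar  3 10:12:01 sdiXa postfix/smtpd[1201]: Anonymous TLS connection established from sdiXb.example[10.0.0.11]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  3 10:12:02 sdiXa postfix/smtpd[1201]: 7F2A1B: client=sdiXb.example[10.0.0.11]
Mar  3 10:13:40 sdiXa postfix/smtp[1210]: Untrusted TLS connection established to mx.example.invalid[192.0.2.25]:25: TLSv1.0 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar  3 10:14:05 sdiXa postfix/smtpd[1203]: 8C1D2E: client=laptop.example[10.0.0.50]
"""

# smtpd logs incoming sessions (we are the server), smtp logs outgoing ones
# (we are the client). The first word says how the peer's certificate was
# treated: Anonymous (none presented), Untrusted (presented, but it does not
# chain to a CA we trust), Trusted (chains to a trusted CA), Verified (and
# the name matches as well).
TLS_RE = re.compile(
    r"postfix/(smtpd|smtp)\[\d+\]: (Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established (?:from|to) (\S+): (TLSv[\d.]+) with cipher (\S+)"
)
WEAK_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1")


def parse_tls(line):
    """Describe one Postfix TLS log line as a dict; None for other lines."""
    m = TLS_RE.search(line)
    if m is None:
        return None
    proc, trust, peer, proto, cipher = m.groups()
    return {"direction": "incoming" if proc == "smtpd" else "outgoing",
            "trust": trust, "peer": peer, "proto": proto, "cipher": cipher}


def audit(log_text):
    """Return (sessions, warnings). Warnings cover old protocol versions and
    outgoing sessions where the remote certificate was not trusted. An
    Anonymous incoming session is normal: MUAs rarely present a certificate."""
    sessions, warnings = [], []
    for line in log_text.splitlines():
        info = parse_tls(line)
        if info is None:
            continue
        sessions.append(info)
        if info["proto"] in WEAK_PROTOCOLS:
            warnings.append("%s: weak protocol %s" % (info["peer"], info["proto"]))
        if info["direction"] == "outgoing" and info["trust"] not in ("Trusted", "Verified"):
            warnings.append("%s: remote certificate %s" % (info["peer"], info["trust"].lower()))
    return sessions, warnings
```

      <para>Run <code>audit(open("/var/log/mail.log").read())</code> on your
      own log after the exercise; a session that never appears in the list was
      not protected by TLS at all.</para>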
    </section>

    <section xml:id="sdiSectSpamVirusDefense">
      <title>Spam and Virus defense (optional)</title>

      <para><itemizedlist>
          <listitem>
            <para>Because we do not have enough time, this part is optional.
            If you want to run your own mail server some day, you should do
            all of these things.</para>
          </listitem>

          <listitem>
            <para>Now we will use the smtpd_*_restrictions in the
            <filename>main.cf</filename>. They are a key element in making
            your mail server block spam and other unwanted mails.</para>
          </listitem>
        </itemizedlist></para>

      <section xml:id="sdiSectBlackGreyListing">
        <title>blacklisting and greylisting</title>

        <itemizedlist>
          <listitem>
            <para>install the <code>postgrey</code> package and add it to
            smtpd_recipient_restrictions</para>

            <itemizedlist>
              <listitem>
                <para>test sending emails using telnet or a
                <acronym>MUA</acronym> to your virtual email address</para>

                <tip>
                  <para>this needs to be done without authentication</para>
                </tip>
              </listitem>

              <listitem>
                <para>see how messages get blocked</para>
              </listitem>

              <listitem>
                <para>try again in 10 min</para>
              </listitem>

              <listitem>
                <para>send an email via your second mail server to an email
                account on your first system and watch the logs. Your mail
                server will retry until the mail is delivered to the intended
                mail account</para>
              </listitem>

              <listitem>
                <para>Use either of <command>postfix</command>
                <option>restart</option>, <command>postfix</command>
                <option>flush</option> or <command>postsuper</command>
                <option>-r QUEUEID</option> to force resending</para>
              </listitem>
            </itemizedlist>
          </listitem>

          <listitem>
            <para>add some blacklists to your
            <code>smtpd_recipient_restrictions</code></para>

            <itemizedlist>
              <listitem>
                <para>this can't be tested very well except by building your
                own blacklist server (beyond the scope of this exercise)</para>
              </listitem>

              <listitem>
                <para>Supply some common blacklist entries and pretend these
                will work.</para>
              </listitem>
            </itemizedlist>
          </listitem>
        </itemizedlist>
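        <para>Added example (not from the original exercise sheet): a main.cf
        fragment that combines the smtpd_recipient_restrictions elements
        discussed above, greylisting via postgrey and a DNS blacklist. It
        assumes postgrey listens on the Debian default port 10023 and names
        one public blacklist as a placeholder for the entries you choose; the
        commented-out variant shows the ordering mistake that turns the
        server into an open relay.</para>

```text
# /etc/postfix/main.cf (excerpt)
# Postfix evaluates the list left to right and stops at the first permit or
# reject. The two permit_* entries only whitelist our own networks and
# authenticated users; reject_unauth_destination must follow them so that
# everybody else can only deliver to domains we accept mail for. Only then
# do the more expensive checks (DNS blacklist, greylisting) run.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service inet:127.0.0.1:10023

# WRONG: an unconditional permit before reject_unauth_destination accepts
# mail for any destination from anyone, i.e. an open relay.
# smtpd_recipient_restrictions = permit, reject_unauth_destination
```

        <para>Postfix 2.10 and later additionally evaluate
        smtpd_relay_restrictions, whose default already refuses unauthorized
        relaying, but keeping reject_unauth_destination in the recipient
        restrictions costs nothing and protects older installations.</para>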
      </section>

      <section xml:id="sdiSectAmavisClamavSpamassassin">
        <title><productname>Amavis</productname>,
        <productname>ClamAV</productname> and
        <productname>SpamAssassin</productname></title>

        <itemizedlist>
          <listitem>
            <para>Install amavis, clamav and spamassassin.</para>
          </listitem>

          <listitem>
            <para>configure amavis to use virus checking through clamav and
            spam checking through spamassassin</para>
          </listitem>
        </itemizedlist>

        <itemizedlist>
          <listitem>
            <para>Configure postfix to use amavis. Add amavis to
            <filename>main.cf</filename> as content_filter. You also need to
            edit the <filename>master.cf</filename>.</para>
          </listitem>

          <listitem>
            <para>send an <filename>EICAR-TEST-FILE</filename> to check that
            virus checking via amavis and clamav is working correctly.</para>
          </listitem>

          <listitem>
            <para>try to send a Spam Test Mail</para>
          </listitem>

          <listitem>
            <para>reconfigure the <filename>main.cf</filename> to use amavis
            as smtpd_proxy_filter instead of content_filter</para>

            <itemizedlist>
              <listitem>
                <para>what is the difference?</para>
              </listitem>
            </itemizedlist>
          </listitem>
        </itemizedlist>
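        <para>Added example (not from the original exercise sheet) of the
        content_filter wiring between Postfix and amavis. The ports are the
        amavisd-new defaults, assumed here: amavis listens on 10024 and hands
        scanned mail back to Postfix on 10025.</para>

```text
# /etc/postfix/main.cf: pass every accepted message to amavis
content_filter = smtp-amavis:[127.0.0.1]:10024

# /etc/postfix/master.cf: the transport named in content_filter ...
smtp-amavis unix  -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes

# ... and the re-injection listener amavis delivers the scanned message to.
# content_filter is cleared here so the message is not scanned a second
# time, and only localhost may use this port.
127.0.0.1:10025 inet  n       -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
```

        <para>After <command>postfix</command> <option>reload</option>, the
        mail.log should show each message twice: once on arrival and once
        when it is re-injected on port 10025.</para>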
      </section>

      <section xml:id="sdiSectSpf">
        <title><acronym>SPF</acronym></title>

        <para>There are plenty of spam prevention techniques such as
        <acronym>DMARC</acronym>, <acronym>DKIM</acronym>,
        <acronym>DANE</acronym>, Postscreen and other policy daemons (e.g.
        <link xlink:href="???">policyd-weight</link>). Good providers use most
        of them. We can't test all of them in SDI. They help to detect spam,
        but not scams: if spammers use meine-dt-bank.de to obtain your
        PIN/TAN by a scam, these mails could also use SPF or DKIM for their
        domain, so these techniques won't help there. The user is still
        responsible for detecting such scams.</para>


        <itemizedlist>
          <listitem>
            <para>Add an SPF (Sender Policy Framework) record matching mx and
            a to your DNS for your fantasy domain</para>
          </listitem>

          <listitem>
            <para>it's a little bit hard to test this. If you want, you could
            try to configure amavis to check SPF and set it to debug, so that
            you can see in the mail.log what amavis does</para>
          </listitem>

          <listitem>
            <para>then send a mail from a mail address in your fantasy domain
            to an email address on your server. Your mail server must use
            your own DNS</para>
          </listitem>
        </itemizedlist>
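        <para>Added example (not part of the original exercise sheet): a
        minimal SPF evaluator in Python that shows what the receiving side
        does with the record from the exercise. DNS is replaced by a
        constructed zone for supertollermistudent.de (addresses are made up),
        so it runs offline; the mechanisms covered are mx, a, ip4/ip6 and
        all.</para>

```python
import ipaddress

# Constructed DNS data for the fantasy domain of the exercise (example
# values, not real DNS). The TXT record is the SPF policy "mx and a".
ZONE = {
    "supertollermistudent.de": {
        "TXT": ["v=spf1 mx a -all"],
        "MX": ["mail.supertollermistudent.de"],
        "A": ["10.0.0.10"],
    },
    "mail.supertollermistudent.de": {"A": ["10.0.0.25"]},
    "example.test": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query, answered from the constructed zone."""
    return ZONE.get(name, {}).get(rtype, [])


def check_spf(domain, sender_ip):
    """Evaluate domain's SPF record for the IP that connected to us, the way
    a receiving MTA (or amavis) does. Mechanisms are tried left to right; the
    first match decides, using its qualifier (+ - ~ ?, default +)."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if len(records) != 1:
        return "none"                   # no (or ambiguous) policy published
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain          # a/mx without argument mean the domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(target, "A")
        elif mech == "mx":
            matched = any(str(ip) in lookup(mx, "A") for mx in lookup(target, "MX"))
        else:
            continue                    # include, exists, ptr: not implemented
        if matched:
            return RESULT[qualifier]
    return "neutral"                    # nothing matched and no "all" term
```

        <para>A mail from 192.0.2.5 claiming to come from the fantasy domain
        hits "-all" and fails, which is exactly what the debug output of amavis
        should report in the exercise.</para>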
      </section>
    </section>
  </section>
</chapter>