<?xml version="1.0" encoding="UTF-8"?> <chapter version="5.0" xml:id="sdiMail" xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:svg="http://www.w3.org/2000/svg" xmlns:m="http://www.w3.org/1998/Math/MathML" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:db="http://docbook.org/ns/docbook"> <title>Mail</title> <section xml:id="sdiMailPrepare"> <title>Recommended Preparations</title> <itemizedlist> <listitem> <para>A good starting point and install guide (in German), although written for CentOS: <link xlink:href="http://dokuwiki.nausch.org/doku.php/centos:mailserver:grundinstallation_von_postfix">dokuwiki.nausch.org</link>.</para> </listitem> <listitem> <para><link xlink:href="https://wiki.debian.org/Postfix">Install guide on Debian</link></para> </listitem> <listitem> <para><link xlink:href="???">Postfix documentation</link></para> </listitem> <listitem> <para xml:lang="de">Das Postfix-Buch: sichere Mailserver mit Linux, by Peer Heinlein</para> </listitem> <listitem> <para xml:lang="de"><link xlink:href="http://www.admin-magazin.de/Das-Heft/2012/02/Eigener-Mailserver-mit-Postfix-und-Dovecot">Eigener Mailserver mit Postfix und Dovecot</link></para> </listitem> <listitem> <para xml:lang="de"><link xlink:href="???">Postfix einrichten und absichern</link></para> </listitem> <listitem> <para><orgname>Wikipedia</orgname>: <link xlink:href="https://de.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol">SMTP</link>, mail server, <acronym>IMAP</acronym>, <acronym>Maildir</acronym></para> </listitem> </itemizedlist> <para>The following questions might arise when starting practical work:</para> <itemizedlist> <listitem> <para>What are:<itemizedlist> <listitem> <para><acronym>MTA</acronym></para> </listitem> <listitem> <para><acronym>MDA</acronym></para> </listitem> <listitem> <para><acronym>MUA</acronym></para> </listitem> </itemizedlist></para> </listitem> <listitem> <para>The difference between
<acronym>MBOX</acronym> and <acronym>Maildir</acronym></para> </listitem> <listitem> <para>What is <acronym>SASL</acronym> and where do we use it?</para> </listitem> <listitem> <para>What advantages and disadvantages have to be considered when running Postfix in a <command xlink:href="http://linux.die.net/man/1/chroot">chroot</command> environment?</para> </listitem> <listitem> <para>Which purposes do the configuration files <filename>master.cf</filename> and <filename>main.cf</filename> serve?</para> </listitem> <listitem> <para>What are local and virtual domains?</para> </listitem> <listitem> <para>What are the smtpd_*_restrictions responsible for?</para> </listitem> <listitem> <para>What is an open relay?</para> </listitem> </itemizedlist> </section> <section xml:id="sdiMailExercises"> <title>Exercises</title> <para>Our aim is to install and configure the <acronym>MTA</acronym> Postfix with many of the features used in production today.</para> <section xml:id="sdiMailInstallSendLocalUsers"> <title>Install and send to local Users</title> <para>Install postfix. If asked, choose "No Configuration".
Later you may need to install extra postfix-* packages.</para> <programlisting language="none">apt-get install postfix</programlisting> <itemizedlist> <listitem> <para>check that postfix is running; try to connect via telnet</para> </listitem> <listitem> <para>add a local <productname>Linux</productname> user (<command xlink:href="http://linux.die.net/man/8/useradd">useradd</command> is your friend!)</para> </listitem> <listitem> <para>send an email via telnet to that user</para> <itemizedlist> <listitem> <para>emails will be stored in <filename>/var/mail/username</filename></para> </listitem> </itemizedlist> </listitem> <listitem> <para>add an alias to <filename>/etc/aliases</filename> and try to send an email to this newly defined alias</para> </listitem> <listitem> <para>add <acronym>MX</acronym> records on both VMs to your <xref linkend="glo_DNS"/> setup</para> </listitem> <listitem> <para>try to send an email via your second host (sdiXb) to the user defined on your first host (sdiXa).</para> <itemizedlist> <listitem> <para>that is, use telnet from your local host system to sdiXb and send a mail to a user on sdiXa</para> </listitem> <listitem> <para>why does that fail?</para> </listitem> </itemizedlist> </listitem> </itemizedlist> </section> <section xml:id="sdiSectAuthenticationSetupVirtualUsers"> <title>Authentication Setup and Virtual Users</title> <itemizedlist> <listitem> <para>add authentication to your setup</para> </listitem> <listitem> <para>install a <acronym>SASL</acronym> implementation (<command>cyrus</command> or <command>dovecot</command>)</para> <itemizedlist> <listitem> <para>first use your already added local users</para> </listitem> <listitem> <para>then bind your <acronym>SASL</acronym> authentication to your existing <xref linkend="glo_LDAP"/>.</para> </listitem> </itemizedlist> </listitem> </itemizedlist> <itemizedlist> <listitem> <para>try again sending an email via your second host to a user on the first host using
authentication</para> </listitem> <listitem> <para>use an email client (<acronym>MUA</acronym>) like <productname>Thunderbird</productname> for sending emails</para> </listitem> <listitem> <para>add a fictitious domain to your <xref linkend="glo_DNS"/> setup and let its <acronym>MX</acronym> record point to your mail server</para> </listitem> <listitem> <para>add that domain to your mail setup</para> </listitem> <listitem> <para>now configure email addresses within this domain</para> <itemizedlist> <listitem> <para>define these virtual email addresses in <filename>/etc/postfix/virtual</filename></para> </listitem> <listitem> <para>configure a virtual email address pointing to your local user</para> </listitem> <listitem> <para>configure a virtual email address pointing to your own <orgname>HdM</orgname> mail account.</para> <tip> <para>Read about <command xlink:href="http://linux.die.net/man/1/postmap">postmap</command> and set your local resolver to your own DNS</para> </tip> </listitem> </itemizedlist> </listitem> </itemizedlist> </section> <section xml:id="sdiSectTls"> <title><xref linkend="glo_TLS"/></title> <para>You already have a CA in place. Use your CA to generate a new certificate for your mail server.
Add that certificate and your root CA to your mail server setup.</para> <itemizedlist> <listitem> <para>Use <command>openssl</command> <option>s_client</option> to connect to your mail server</para> </listitem> <listitem> <para>verify that you have set the certificate for incoming and outgoing connections</para> <itemizedlist> <listitem> <para>send an email with <command>starttls</command> using a <acronym>MUA</acronym>.</para> </listitem> <listitem> <para>Use a <acronym>MUA</acronym> to send an email to your HdM account using your mail server system as a relay.</para> </listitem> </itemizedlist> </listitem> <listitem> <para>both connections should be secured via <xref linkend="glo_TLS"/>.</para> </listitem> </itemizedlist> </section> <section xml:id="sdiSectSpamVirusDefense"> <title>Spam and Virus defense</title> <para><itemizedlist> <listitem> <para>Now we will use the smtpd_*_restrictions in the <filename>main.cf</filename>. They are one of the key elements that make your mail server block spam and other unwanted mail.</para> </listitem> </itemizedlist></para> <section xml:id="sdiSectBlackGreyListing"> <title>blacklisting and greylisting</title> <itemizedlist> <listitem> <para>install the <code>postgrey</code> package and add it to smtpd_recipient_restrictions</para> <itemizedlist> <listitem> <para>test sending emails using telnet or a <acronym>MUA</acronym> to your virtual email address</para> <tip> <para>this needs to be done without authentication</para> </tip> </listitem> <listitem> <para>see how messages get blocked</para> </listitem> <listitem> <para>try again in 10 min</para> </listitem> <listitem> <para>send an email via your second mail server to an email account on your first system and watch the logs.
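As an added check (example code written for this page, not part of the course material or of Postfix), the following script answers the open-relay question from the preparations for a given main.cf: it parses the file, takes the two restriction lists Postfix evaluates at RCPT TO, and reports whether reject_unauth_destination (or defer_unauth_destination) is reached before any permit that would let an unauthenticated client relay. The two main.cf samples are constructed, and the Postfix 2.10+ default for smtpd_relay_restrictions and postgrey's port 10023 are assumptions. <programlisting language="python">
```python
import re

# Assumed Postfix 2.10+ default for smtpd_relay_restrictions; older releases have no default.
RELAY_DEFAULT = "permit_mynetworks permit_sasl_authenticated defer_unauth_destination"
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}
# Permits that may precede the guard without letting unauthenticated strangers relay.
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated", "permit_auth_destination"}

def parse_main_cf(text):
    """Parse main.cf into a dict; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key:
            params[key] += " " + raw.strip()
        elif "=" in raw:
            key, _, value = raw.partition("=")
            key, params[key] = key.strip(), value.strip()
    return params

def list_protects_relay(rules):
    """True if reject/defer_unauth_destination is reached before any unsafe permit."""
    for rule in rules:
        if rule in RELAY_GUARDS:
            return True
        if rule.startswith("permit") and rule not in SAFE_PERMITS:
            return False  # e.g. a bare "permit": strangers relay before the guard is reached
    return False  # the list ends without ever checking the destination

def audit_relay(main_cf_text):
    """Return (protected, findings); a guard in either list suffices, Postfix evaluates both."""
    params = parse_main_cf(main_cf_text)
    protected, findings = False, []
    for name, default in (("smtpd_relay_restrictions", RELAY_DEFAULT),
                          ("smtpd_recipient_restrictions", "")):
        rules = [r for r in re.split(r"[\s,]+", params.get(name, default)) if r]
        ok = list_protects_relay(rules)
        findings.append(f"{name}: {'guards relay' if ok else 'NO relay guard'}: {' '.join(rules) or '(empty)'}")
        protected = protected or ok
    return protected, findings

# Constructed samples: a bare "permit" ahead of the guard makes an open relay; the corrected
# order consults postgrey (assumed default port 10023) only after the destination check.
OPEN_RELAY_CF = "smtpd_relay_restrictions = permit\nsmtpd_recipient_restrictions = permit_mynetworks,\n    permit\n"
HARDENED_CF = """\
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, check_policy_service inet:127.0.0.1:10023
"""
```
</programlisting> Run audit_relay over the contents of /etc/postfix/main.cf after each change to the restriction lists; postconf -n prints the non-default settings if you prefer to audit the effective values.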
Your mail server will try again until the mail is sent to the intended mail account</para> </listitem> <listitem> <para>Use <command>postfix</command> <option>restart</option>, <command>postfix</command> <option>flush</option> or <command>postsuper</command> <option>-r QUEUEID</option> to force a resend</para> </listitem> </itemizedlist> </listitem> <listitem> <para>add some blacklists to your <code>smtpd_recipient_restrictions</code></para> <itemizedlist> <listitem> <para>this can't be tested very well except by building your own blacklist server (beyond the scope of the current exercise)</para> </listitem> <listitem> <para>Supply some common blacklist entries and assume that these will work.</para> </listitem> </itemizedlist> </listitem> </itemizedlist> </section> <section xml:id="sdiSectAmavisClamavSpamassassin"> <title><productname>Amavis</productname>, <productname>ClamAV</productname> and <productname>SpamAssassin</productname></title> <itemizedlist> <listitem> <para>send an <filename>EICAR-TEST-FILE.txt</filename></para> </listitem> </itemizedlist> </section> <section xml:id="sdiSectSpf"> <title><acronym>SPF</acronym> (optional)</title> <para>Further spam prevention techniques, such as <acronym>DMARC</acronym>, <acronym>DKIM</acronym> and <acronym>DANE</acronym>.</para> </section> </section> </section> </chapter>