Linux Mail

Email message transfer uses a client/server topology. A message is created with a mail client program, which hands it to a mail server using the SMTP protocol. That server forwards the message to the recipient's SMTP server, where it is stored in the recipient's mailbox until the recipient's mail client retrieves it using the POP or IMAP protocols.
SMTP (Simple Mail Transfer Protocol) is the set of rules used by mail transfer agents (MTAs) to transport email messages from the source where the message is created to the recipient's server. Like many Internet services, SMTP depends on DNS resolution and IP routing to deliver a message to the recipient's SMTP server. Once the message has reached that server it is stored in the recipient's mailbox, from which the user's mail client retrieves it using the POP or IMAP protocols.
SMTP Server
As said before, the purpose of an SMTP server is to transfer email between mail servers. To send email, the client submits the message to an outgoing mail server, which in turn contacts the destination mail server for delivery.
The SMTP protocol itself does not require authentication: anyone on the Internet can connect to a mail server and submit a message to anyone else, or to large groups of people. Relay restrictions limit which clients may use your SMTP server to send email on to other servers on the Internet. A server that does not impose such restrictions is called an open relay and quickly ends up on spam blocklists.
On RHEL6 the default SMTP server is Postfix, installed by the postfix rpm. The postfix service listens on TCP port 25, is configured through the files in the /etc/postfix directory (mainly /etc/postfix/main.cf) and logs to /var/log/maillog. Note that the stock RHEL6 configuration only listens on the loopback interface (inet_interfaces = localhost) until it is changed.
# yum install postfix
/etc/postfix/main.cf
The main Postfix configuration file is /etc/postfix/main.cf (the file name is main.cf, not main.conf). The following are the main directives to configure.
# cat /etc/postfix/main.cf
... # The domain this Postfix server acts as SMTP server for.
mydomain = info.net
... # Domain appended to unqualified addresses in locally submitted mail. For example user 'john' -> 'john@info.net'.
myorigin = $mydomain
# Interfaces on which the SMTP server listens on TCP port 25. The RHEL6 default is 'localhost' (loopback only); 'all' exposes the service on every interface, so from this point on the relay restrictions and the firewall matter.
inet_interfaces = all
... # The mydestination parameter specifies the list of domains that this machine considers itself the final destination for.
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, server.$mydomain, mail.$mydomain
...
# The mynetworks parameter specifies the list of "trusted" SMTP clients that have more privileges than "strangers"; in particular they may relay mail to any destination, so keep this list to the networks you control.
mynetworks = 192.168.1.0/24, 127.0.0.0/8
... # The home_mailbox parameter specifies the pathname of a mailbox file or directory relative to the user's home directory. A trailing slash selects Maildir format (~/Maildir/ here) instead of the default mbox file under /var/spool/mail.
home_mailbox = Maildir/
...
Once configured, (re)start the postfix service and make sure it is started at boot.
# /etc/init.d/postfix restart
# chkconfig postfix on
SMTP Server Security
Firewall
As said before, the SMTP server listens on TCP port 25. SMTP is a TCP-only protocol (there is no UDP port 25 traffic to allow), so a single rule is enough to let the service through the firewall:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
SElinux
The SELinux setting relevant to Postfix is the boolean that allows the postfix service to write to /var/spool/mail, the directory where mail for local users is stored in mbox format. It is enabled by default; if it has been turned off, set it persistently with:
# setsebool -P allow_postfix_local_write_mail_spool 1
Host Based Restrictions
Using the following parameter in /etc/postfix/main.cf together with entries in /etc/postfix/access, it is possible to restrict access to the SMTP server by client host/IP address.
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access --> /etc/postfix/main.cf
# echo "192.168.2 OK" >> /etc/postfix/access
# echo "192.168.2.10 REJECT" >> /etc/postfix/access
# postmap /etc/postfix/access
# /etc/init.d/postfix reload
With this configuration the SMTP server accepts connections from clients on the 192.168.2.0/24 LAN except from 192.168.2.10. Note the key format: a hash: table does not understand CIDR notation (a key of 192.168.2.0/24 would never match anything), so the network is written as its leading octets, 192.168.2. Postfix looks up the full client address first and then progressively shorter prefixes (192.168.2.10, then 192.168.2, 192.168, 192), which is why the more specific REJECT entry wins over the network entry. Use a cidr: table instead of hash: if CIDR notation is needed; remember to run postmap and reload after every change.
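The lookup order behind those access entries, as an added Python example (not part of the original post or of Postfix itself): it emulates how check_client_access walks a hash: table for an IPv4 client, shows that a CIDR-style key in a hash: table never matches, and contrasts it with a cidr: table, where rule order decides. The table contents are constructed for the example.

```python
import ipaddress

# Constructed access(5) table, as it would be written to /etc/postfix/access
# before "postmap" turns it into access.db.
ACCESS_TABLE = """
# a hash: table has no CIDR support; this key can never match a client
192.168.2.0/24   OK
# the right way to write the /24 in a hash: table: leading octets only
192.168.2        OK
192.168.2.10     REJECT
"""


def parse_access(text):
    """Parse access(5)-style 'key action' lines into a dict."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key] = action.strip()
    return table


def hash_lookup(table, client_ip):
    """Emulate check_client_access on a hash: table for an IPv4 client.

    Postfix tries the full address first, then progressively shorter
    dotted prefixes (192.168.2.10, 192.168.2, 192.168, 192). The first hit
    wins, so a host entry overrides the network entry that contains it.
    Returns (matched_key, action), or None when nothing matches.
    """
    octets = client_ip.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return key, table[key]
    return None


# Constructed cidr: table equivalent. A cidr: table is scanned in file order
# with first match wins, so the host exception must come before the network.
CIDR_RULES = [("192.168.2.10/32", "REJECT"), ("192.168.2.0/24", "OK")]


def cidr_lookup(rules, client_ip):
    """Emulate check_client_access on a cidr: table: first matching rule wins."""
    ip = ipaddress.ip_address(client_ip)
    for network, action in rules:
        if ip in ipaddress.ip_network(network, strict=False):
            return network, action
    return None


if __name__ == "__main__":
    table = parse_access(ACCESS_TABLE)
    for client in ("192.168.2.10", "192.168.2.5", "192.168.2.0", "10.0.0.1"):
        print(client, "hash:", hash_lookup(table, client), "cidr:", cidr_lookup(CIDR_RULES, client))
```

A client that matches no entry falls through to the next restriction in smtpd_client_restrictions (and is accepted if there is none), so an access map on its own is an allow/deny list only for the addresses it names.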
Email Domain Forwarding
Sometimes it is necessary to forward all incoming email for a secondary domain, which our SMTP server accepts as a virtual alias domain, to an account on another SMTP server.
virtual_alias_domains = example.net --> /etc/postfix/main.cf
virtual_alias_maps = hash:/etc/postfix/virtual --> /etc/postfix/main.cf
# echo "@example.net infonetaccount@example.com" >> /etc/postfix/virtual
# postmap /etc/postfix/virtual
# /etc/init.d/postfix reload
With this configuration any incoming email addressed to '@example.net' is forwarded to the 'infonetaccount@example.com' account on the example.com SMTP server. Note that a catch-all entry such as '@example.net' makes the server accept mail for every address in that domain, including addresses that never existed, so the forwarding destination also receives all the spam sent to them.
Email Forwarding : /etc/aliases
For one-to-one email forwarding it is much easier to use the /etc/aliases file.
# echo "root: john" >> /etc/aliases
# echo "sales: charles,john,mike" >> /etc/aliases
# echo "charles: charles@gmail.com" >> /etc/aliases
# newaliases
With this configuration any email arriving for root@info.net is delivered to john@info.net without leaving our info.net SMTP server. We have also created the group address sales@info.net: any email sent to it is delivered to john, charles and mike. Finally, any email for charles@info.net is forwarded to charles@gmail.com on the gmail.com SMTP server. Aliases are expanded recursively, so because charles is itself aliased to an external address, a copy of every message to sales also leaves the server. newaliases must be run after every change, since Postfix reads the compiled /etc/aliases.db, not the text file.
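The alias expansion described above, as an added Python example (not part of the original post or of Postfix): it parses the three entries, expands them recursively the way local delivery does after newaliases, stops on an alias loop instead of recursing forever, and reports which final recipients are outside the local domain, i.e. which mail leaves the server. The alias text is constructed from the entries above and 'mydomain' is info.net as in the configuration; an alias target that already contains '@' is treated as final here, a simplification of Postfix, which would re-inject it into the queue.

```python
# Constructed /etc/aliases content matching the entries added above.
ALIASES_TEXT = """
# comments and blank lines are ignored, as in aliases(5)
root: john
sales: charles,john,mike
charles: charles@gmail.com
"""


def parse_aliases(text):
    """Parse aliases(5)-style 'name: target,target' lines into a dict."""
    aliases = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, targets = line.split(":", 1)
        aliases[name.strip().lower()] = [t.strip() for t in targets.split(",") if t.strip()]
    return aliases


def expand(aliases, local_part, mydomain, path=()):
    """Resolve a local address to the set of addresses it finally delivers to.

    Aliases expand recursively. 'path' holds the aliases already being
    expanded on this branch, so a loop (a: b / b: a) yields no recipients
    instead of infinite recursion. Targets containing '@' are final here.
    """
    name = local_part.lower()
    if name in path:
        return set()  # alias loop detected
    if name not in aliases:
        return {"%s@%s" % (name, mydomain)}  # a real local user
    result = set()
    for target in aliases[name]:
        if "@" in target:
            result.add(target.lower())
        else:
            result |= expand(aliases, target, mydomain, path + (name,))
    return result


def leaves_server(addresses, mydomain):
    """Final recipients outside mydomain: mail to them is relayed out."""
    return sorted(a for a in addresses if not a.endswith("@" + mydomain))


if __name__ == "__main__":
    aliases = parse_aliases(ALIASES_TEXT)
    for local in ("root", "sales", "charles", "mike"):
        final = expand(aliases, local, "info.net")
        print("%s@info.net -> %s  (leaves server: %s)"
              % (local, sorted(final), leaves_server(final, "info.net")))
```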
SMTP and DNS
When an SMTP server has to send an email to an external SMTP server it relies on DNS name resolution to find the IP address of the correct SMTP server. For example, if our info.net SMTP server has to send a message to the charles@gmail.com account, it looks up the MX record of the gmail.com domain using the DNS servers configured in /etc/resolv.conf, as described in the DNS lesson.
# dig gmail.com mx
...
gmail.com. 345 IN MX 10 alt1.gmail-smtp-in.l.google.com.
...
So the email to charles@gmail.com is sent by our SMTP server to alt1.gmail-smtp-in.l.google.com on TCP port 25, where a gmail.com SMTP server is listening. A domain usually publishes several MX records; the one with the lowest preference value (10 here) is tried first and the others are fallbacks.
Given this strong relation between SMTP and DNS, to make your SMTP server public on the Internet and receive email from other servers, your domain's DNS zone must contain an MX record pointing to the SMTP server's hostname, which in turn must resolve to the server's IP address. Of course your DNS zone must also be served to the Internet.
When name resolution is not working, Postfix does not know where to send outbound email. Messages whose lookup fails temporarily are kept in the mail queue and delivery is retried at regular intervals; when DNS reports that the destination domain does not exist at all, the message is bounced instead. Lines like the following (a permanent 5.x.x error for a domain that could not be resolved) are written to /var/log/maillog:
550 5.1.2 mike@gmail.com ... Host unknown
All mail queued on the SMTP server can be displayed with the mailq command, together with the reason why each message is still queued.
# mailq
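A Python example added here (not from the original post) that turns a dig answer section like the one above into the order in which an MTA such as Postfix tries the hosts: lowest MX preference first, equal preferences in random order, and, when a domain publishes no MX record at all, a fall-back to the domain name itself (its A record) as RFC 5321 requires. The answer lines are constructed for the example (the real gmail.com answer varies); a real MTA queries DNS instead of parsing dig output.

```python
import random
import re

# Constructed answer section in the shape printed by "dig gmail.com mx".
DIG_ANSWER = """
gmail.com.  345 IN MX 10 alt1.gmail-smtp-in.l.google.com.
gmail.com.  345 IN MX 5  gmail-smtp-in.l.google.com.
gmail.com.  345 IN MX 20 alt2.gmail-smtp-in.l.google.com.
gmail.com.  345 IN MX 10 alt3.gmail-smtp-in.l.google.com.
"""

# owner  ttl  IN  MX  preference  exchange
MX_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$")


def parse_mx(text):
    """Return (preference, exchange_host) pairs from dig-style MX answer lines."""
    records = []
    for line in text.splitlines():
        m = MX_RE.match(line.strip())
        if m:
            records.append((int(m.group(2)), m.group(3).rstrip(".")))
    return records


def delivery_order(domain, mx_records, rng=random):
    """Hosts in the order an MTA tries them for mail to 'domain'.

    RFC 5321 section 5.1: lowest preference value first; records with the
    same preference in random order (crude load balancing); no MX record at
    all means deliver to the domain name itself via its A record.
    """
    if not mx_records:
        return [domain]
    by_pref = {}
    for pref, host in mx_records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


if __name__ == "__main__":
    records = parse_mx(DIG_ANSWER)
    print("MX records:", records)
    print("delivery order:", delivery_order("gmail.com", records))
    print("no MX published:", delivery_order("example.org", []))
```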
SMTP Open Relay
An Open Relay SMTP server is one that accepts a mail message from any client on the Internet (Open) even when neither the sender nor the recipient is a local user (Relay). Spammers use open relays to send spam anywhere on the Internet, which gets the server listed on spam blocklists, after which all email coming from it is treated as spam.
By default the Postfix SMTP server on RHEL6 systems is NOT configured as an Open Relay. It only allows relaying from clients on the internal networks listed in the 'mynetworks' parameter of /etc/postfix/main.cf; from any other client it accepts only mail for the domains listed in mydestination and rejects everything else with "Relay access denied". Be careful with what goes into mynetworks: adding a public range, or 0.0.0.0/0, turns the server into an open relay.
mynetworks = 192.168.1.0/24, 127.0.0.0/8
*** On Lab1 can be seen the procedure to test if a SMTP server is configured as Open Relay. ***
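A Python example added here (not part of the original post or of Postfix) showing both sides of the open relay question. relay_allowed emulates the default Postfix recipient policy (permit_mynetworks followed by reject_unauth_destination) for a given client address and recipient, using the mynetworks and mydestination values from the configuration above; probe_open_relay is the Lab1-style check: from a host outside mynetworks it opens an SMTP session, issues MAIL FROM and RCPT TO with an envelope in which neither address is local, and resets the transaction without sending anything. The hostnames and addresses are placeholders, and $myhostname is assumed to be mail.info.net; run the probe only against servers you are responsible for.

```python
import ipaddress
import smtplib


def relay_allowed(client_ip, rcpt, mynetworks, mydestination):
    """Emulate Postfix's default recipient policy
    (smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination).

    RCPT TO is accepted when the client address lies in mynetworks, or when the
    recipient domain is one this server is final destination for. Anything
    else is an unauthorised relay attempt and is rejected.
    """
    ip = ipaddress.ip_address(client_ip)
    for net in mynetworks:
        if ip in ipaddress.ip_network(net.strip(), strict=False):
            return True
    domain = rcpt.rsplit("@", 1)[-1].lower()
    return domain in {d.lower() for d in mydestination}


def classify_rcpt_reply(code, message):
    """Interpret the server's reply to RCPT TO during a relay probe."""
    if code == 250:
        return "OPEN RELAY: foreign recipient accepted"
    if code in (550, 554) and b"relay" in message.lower():
        return "relay denied (expected)"
    return "rejected for another reason (%d %s)" % (code, message.decode(errors="replace"))


def probe_open_relay(host, port=25, timeout=10,
                     sender="probe@external.example",   # placeholder, not local
                     rcpt="victim@another.example"):    # placeholder, not local
    """Lab1-style open relay check against host:port from the probing host.

    Returns (is_open, verdict). RSET is sent after RCPT TO and no DATA is ever
    issued, so nothing is queued on the server under test.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, message = smtp.mail(sender)
        if code != 250:
            return False, "MAIL FROM refused: %d %s" % (code, message.decode(errors="replace"))
        code, message = smtp.rcpt(rcpt)
        smtp.rset()
    return code == 250, classify_rcpt_reply(code, message)


# Values from the main.cf shown above; mynetworks kept as the string written there.
MYNETWORKS = "192.168.1.0/24, 127.0.0.0/8".split(",")
MYDESTINATION = ["mail.info.net", "localhost.info.net", "localhost", "info.net",
                 "server.info.net"]  # $myhostname assumed to be mail.info.net

if __name__ == "__main__":
    # Offline demonstration of the policy; no network access needed.
    cases = [
        ("192.168.1.20", "someone@gmail.com", MYNETWORKS),    # trusted LAN client relaying out
        ("203.0.113.5", "john@info.net", MYNETWORKS),         # stranger delivering to us
        ("203.0.113.5", "someone@gmail.com", MYNETWORKS),     # stranger trying to relay
        ("203.0.113.5", "someone@gmail.com", ["0.0.0.0/0"]),  # mynetworks misconfigured
    ]
    for client, rcpt, nets in cases:
        verdict = "relay" if relay_allowed(client, rcpt, nets, MYDESTINATION) else "Relay access denied"
        print("%s -> %s: %s" % (client, rcpt, verdict))
```

The last case is the misconfiguration the section warns about: with 0.0.0.0/0 in mynetworks every client on the Internet counts as trusted and the server relays for anyone.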
POP/IMAP Server
POP (Post Office Protocol) and IMAP (Internet Message Access Protocol) are two protocols used by email client applications to retrieve email from mail servers. While POP downloads all email to the client, an IMAP server keeps the messages on the server. IMAP is commonly used by businesses whose users log in from different locations, and it is the usual access protocol behind web-based mail services.
On RHEL6 systems both protocols are handled by the 'dovecot' service, installed by the dovecot rpm.
# yum install dovecot
Dovecot is configured in /etc/dovecot/dovecot.conf, which on RHEL6 (Dovecot 2.x) also includes the files under /etc/dovecot/conf.d/. It serves POP3 (port 110/TCP), IMAP (port 143/TCP) and their TLS-wrapped versions POP3S (port 995/TCP) and IMAPS (port 993/TCP); all four are TCP only. The plaintext ports carry user passwords in the clear unless STARTTLS is negotiated, so outside a trusted LAN prefer 993/995.
# cat /etc/dovecot/dovecot.conf
...
protocols = imap pop3
...
mail_location = maildir:~/Maildir
...
The stock package keeps mail_location in /etc/dovecot/conf.d/10-mail.conf, which dovecot.conf includes; either place works as long as the setting is defined only once. Its value must match where Postfix delivers: maildir:~/Maildir corresponds to the home_mailbox = Maildir/ setting in /etc/postfix/main.cf.
# /etc/init.d/dovecot restart
# chkconfig dovecot on
Firewall
Open the corresponding TCP ports on the firewall to allow the POP/IMAP dovecot services through the system firewall. None of these protocols uses UDP, and POP3 is port 110 (port 111 is the RPC portmapper, not POP).
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
Email clients
To send and receive email through the SMTP server, the 'evolution' GUI email client can be used, installed by the evolution rpm.
# yum install evolution
The email client must be configured to use the SMTP server for outgoing mail and dovecot (POP/IMAP) to retrieve mail from the server. It is also possible to use command line clients such as the 'mail' command, installed by default on a RHEL6 server by the 'mailx' rpm.
# echo "Test message" | mail -s "Test subject" root@info.net
It hands the message to the local Postfix for delivery. Typing 'mail' on its own reads mail: it opens the local mailbox of the user who ran the command. Note that 'mail' reads the mbox spool /var/spool/mail/<user> by default; with home_mailbox = Maildir/ configured in Postfix, new mail lands in ~/Maildir instead, and Dovecot (or another Maildir-aware client) is the way to read it.