You will be installing and configuring Postfix as a mail transfer agent (MTA) on your machine, with SSL-enforced reading of email via IMAP with Dovecot. You will also configure your server to allow people to send email through the server after they have properly authenticated with a username and password.
Since we will once again be using SSL to communicate between a client and server, you will be configuring both Postfix and Dovecot to use the same certificate and private key you used in the Apache lab. You will also get mild exposure to a Perl script that I created to demonstrate what you can do with aliases. And when I say mild, all you do is download it and place it on your filesystem to be used, but hopefully some of you will be curious enough about how it works to dig into it a little bit.
All of the information in this lab was built from the following websites (mainly the first two):
http://www.postfix.org/SASL_README.html
http://www.postfix.org/postconf.5.html
http://adomas.org/2006/08/postfix-dovecot/
http://alma.ch/perl/Mail-Sendmail-FAQ.html (for Perl Stuff)
This lab is due at 9:30am, Tuesday April 15th, 2008.
You must complete all the following tasks for this lab.
1. Install the 'postfix' and 'dovecot-imapd' packages. Select 'Internet Site' when the Postfix installation asks, and enter your fully qualified '<machine>.cs.colorado.edu' name when prompted. The main Postfix configuration file is /etc/postfix/main.cf. The main Dovecot configuration file is /etc/dovecot/dovecot.conf. You must complete all of these steps before your server will work.
2. Set the TLS parameters (smtpd_tls_cert_file and smtpd_tls_key_file) in the Postfix configuration to point to your SSL certificate and private key. On coolname.cs.colorado.edu I copied my cert and private key into directories under /etc/ssl (the private key into /etc/ssl/private).
3. In the smtpd_recipient_restrictions parameter, be sure to include reject_unauth_destination in addition to the two other parameters (permit_mynetworks and permit_sasl_authenticated), otherwise your server will not work!
4. Add 'smtpd_tls_auth_only=yes' to your Postfix configuration.
5. Enable the 'imaps' protocol in Dovecot. Look for the line that begins with 'protocols = ' and edit accordingly.
6. Set the Dovecot SSL parameters (ssl_cert_file and ssl_key_file) to point to the same files you configured above for Postfix.
7. Configure the SASL authentication socket that Postfix will use in the Dovecot section beginning with 'auth default {'.
8. Start Dovecot with 'sudo /etc/init.d/dovecot start'.
9. Aliases are configured in /etc/aliases. Once you edit this file, you must rebuild the hash file for the alias file by running 'sudo newaliases' as root.
10. Download the report.pl script and place it in the /usr/local/bin directory.
11. Make the script executable: 'sudo chmod +rx /usr/local/bin/report.pl'.
12. Install the 'libmail-sendmail-perl' package.
13. Add an alias in /etc/aliases whose target is "|/usr/local/bin/report.pl" (and run 'sudo newaliases' again).
14. Send mail to 'emailreport@<machinename>.cs.colorado.edu' and see what you get back.
As always, we have to test our mail server to see if it's working. However, the campus security group has implemented a firewall that blocks all incoming connections to port 25 except to registered servers on campus. Your servers will not be on that registered list, so that means you have to test email while on campus. All of the CSEL machines have mail programs installed (such as Evolution) that you can configure to talk to your server via SMTP and IMAP. See the clarifications below to check on the details.
Once you have a mail server configured, try to send mail through your server somewhere and you should see email show up at the destination from 'user@[host].cs.colorado.edu'. You should also try to receive mail by sending mail from your campus account (such as CULink) to your server email address.
Logs! Always check your logs. You will notice a couple of them under /var/log that deal with mail:
chris@coolname:~$ ls -l /var/log/mail*
-rw-r--r-- 1 root root  83747 2007-04-04 03:29 /var/log/mail.err
-rw-r--r-- 1 root root 128548 2007-04-05 00:12 /var/log/mail.info
-rw-r--r-- 1 root root 153233 2007-04-05 00:12 /var/log/mail.log
-rw-r--r-- 1 root root 115291 2007-04-04 03:30 /var/log/mail.warn
The first one I always check is mail.log.
You have successfully created an alias which sends an email to STDIN of a program (in this case, a Perl script). This script will receive an email and will send back the output of the 'w' command to the person who sent the email. Try emailing this new alias at your machine: emailreport@<machinename>.cs.colorado.edu. You should get an email back, and if not, the alias isn't working. Check your logs for any errors!
Logwatch is a nice utility which scans your logs once a night and creates a report for you. The 'root' user receives these logwatch emails, and since you set up the 'root' alias to point to your user, YOU are now receiving email for root.
'TLS', or Transport Layer Security, is just another version of SSL (at least as far as I've seen or read). To test if you have it enabled, telnet to port 25 on your machine and send the 'ehlo' command:
chris@coolname:~$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 coolname ESMTP Postfix (Ubuntu)
ehlo localhost
250-coolname
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
If you do NOT see '250-STARTTLS', then you haven't done it properly. If you DO see 'AUTH PLAIN LOGIN' or a variant, you have NOT disabled plain-text password authentication!
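The two checks above (STARTTLS offered, no AUTH before the channel is encrypted) can be automated. This is an added example, not part of the lab or of Postfix; analyze_ehlo() classifies a raw EHLO reply such as the telnet capture above, and check_server() repeats the check live against an assumed host and port, re-reading the extension list after STARTTLS as SMTP requires.

```python
"""Verify smtpd_tls_auth_only behaviour: STARTTLS present, AUTH hidden until
after STARTTLS.  Added example; host/port in check_server are assumptions."""
import smtplib
import ssl


def analyze_ehlo(reply):
    """Classify a raw EHLO reply ('250-EXT' lines, '250 EXT' for the last).

    Returns {'starttls': bool, 'auth_before_tls': bool}.  The first 250 line
    is the server's greeting name, not an extension, so it is skipped.
    """
    lines = [ln.strip() for ln in reply.splitlines()]
    exts = [ln[4:].strip().upper() for ln in lines
            if ln.startswith("250-") or ln.startswith("250 ")]
    exts = exts[1:]                      # drop the greeting line
    return {
        "starttls": "STARTTLS" in exts,
        "auth_before_tls": any(e == "AUTH" or e.startswith("AUTH ") for e in exts),
    }


def check_server(host, port=25, helo_name="localhost"):
    """Live check (assumed host/port). Returns (ok, list_of_findings)."""
    findings = []
    smtp = smtplib.SMTP(host, port, timeout=10)
    try:
        smtp.ehlo(helo_name)
        if not smtp.has_extn("starttls"):
            return False, ["no STARTTLS offered"]
        if smtp.has_extn("auth"):
            findings.append("AUTH advertised before STARTTLS: plaintext passwords possible")
        try:
            # Default context verifies the certificate, so a self-signed lab
            # cert is reported as a finding rather than silently accepted.
            smtp.starttls(context=ssl.create_default_context())
        except ssl.SSLError as exc:
            findings.append(f"STARTTLS handshake failed (untrusted cert?): {exc}")
            return False, findings
        smtp.ehlo(helo_name)             # extension list must be re-read after STARTTLS
        if not smtp.has_extn("auth"):
            findings.append("AUTH not offered after STARTTLS: SASL socket not wired up?")
    finally:
        smtp.close()
    return not findings, findings


# Constructed sample: the EHLO reply captured from the lab's own telnet session.
EHLO_OK = ("250-coolname\n250-PIPELINING\n250-SIZE 10240000\n250-VRFY\n250-ETRN\n"
           "250-STARTTLS\n250-ENHANCEDSTATUSCODES\n250-8BITMIME\n250 DSN")
# Constructed sample of a misconfigured server advertising AUTH in the clear.
EHLO_BAD = "250-coolname\n250-AUTH PLAIN LOGIN\n250-8BITMIME\n250 DSN"
```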
The transaction basics are as follows: say hello, say who the envelope sender is, say who the recipients are (may be more than one), and send the data.
chris@coolname:~$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 coolname ESMTP Postfix (Ubuntu)
helo localhost
250 coolname
mail from: schenkc@cs.colorado.edu
250 2.1.0 Ok
rcpt to: schenkc@colorado.edu
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
From: "Yo momma" <blahblah@blah.com>
To: "Rupert" <cartman@southpark.com>
Subject: Hi mom!

I'm sending email as only a geek can, with TELNET!
.
250 2.0.0 Ok: queued as 240E5B9B1F
smtpd_recipient_restrictions parameter
Turns out the order in which you put these restrictions in place actually matters, and operates on a first-match-wins basis. Let's take a look at the default line for this option:
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
With this setting in this way, I can telnet to localhost and send email like the test in the lab describes. Now, if I reverse the order:
smtpd_recipient_restrictions = reject_unauth_destination, permit_mynetworks
I can no longer send email through localhost to other places! Make sure you put 'permit_mynetworks' and 'permit_sasl_authenticated' BEFORE 'reject_unauth_destination', or you will never be able to send mail through your server!
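A small lint for main.cf that encodes the first-match-wins rule above, plus the two other checks the lab requires (reject_unauth_destination present, smtpd_tls_auth_only=yes). This is an added example, not part of the lab or of Postfix; the sample configurations are the two lines shown above.

```python
"""Lint the relaying rules in a Postfix main.cf.  Added example, not Postfix code."""
import re

REQUIRED_PERMITS = ("permit_mynetworks", "permit_sasl_authenticated")
RELAY_GUARD = "reject_unauth_destination"


def parse_main_cf(text):
    """Return {parameter: value}; lines starting with whitespace continue
    the previous value, as in Postfix's own file format."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key:
            params[key] += " " + raw.strip()
            continue
        m = re.match(r"^\s*([\w.]+)\s*=\s*(.*)$", raw)
        if m:
            key = m.group(1)
            params[key] = m.group(2).strip()
    return params


def lint_restrictions(text):
    """Return a list of problems (empty when the relaying rules are sane).

    Restrictions are evaluated first-match-wins, so a permit_* placed after
    reject_unauth_destination never fires for your own users, and leaving
    reject_unauth_destination out entirely makes the server an open relay.
    """
    params = parse_main_cf(text)
    rules = [r for r in re.split(r"[,\s]+", params.get("smtpd_recipient_restrictions", "")) if r]
    problems = []
    if RELAY_GUARD not in rules:
        return [f"{RELAY_GUARD} missing: server would relay for anyone"]
    guard_at = rules.index(RELAY_GUARD)
    for permit in REQUIRED_PERMITS:
        if permit not in rules:
            problems.append(f"{permit} missing: that class of senders cannot relay")
        elif rules.index(permit) > guard_at:
            problems.append(f"{permit} listed after {RELAY_GUARD}: it never matches")
    if params.get("smtpd_tls_auth_only", "no").lower() != "yes":
        problems.append("smtpd_tls_auth_only is not 'yes': AUTH allowed over plaintext")
    return problems


# Constructed samples: the correct ordering and the reversed one discussed above.
GOOD_CF = ("smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,\n"
           "    reject_unauth_destination\nsmtpd_tls_auth_only = yes\n")
BAD_CF = "smtpd_recipient_restrictions = reject_unauth_destination, permit_mynetworks\n"
```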
You may see this in the logs:
Apr  4 03:27:56 coolname postfix/smtpd[20267]: warning: SASL: Connect to private/auth failed: No such file or directory
Apr  4 03:27:56 coolname postfix/smtpd[20267]: fatal: no SASL authentication mechanisms
Apr  4 03:27:57 coolname postfix/master[16563]: warning: process /usr/lib/postfix/smtpd pid 20267 exit status 1
Apr  4 03:27:57 coolname postfix/master[16563]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
This is most likely because you have configured Postfix to authenticate with SASL but have not actually started the Dovecot daemon. Start the daemon with 'sudo /etc/init.d/dovecot start'. If you still see the same Postfix errors above, then you have not properly configured Dovecot to create its Unix domain socket (file type 's' in an 'ls -l' listing, the same as /dev/log; take a look). Dovecot creates this socket under /var/spool/postfix/private/auth so Postfix can reference it (as you can see it trying to do in the log entries above).
If you have properly set up your DNS, firewall, Postfix and Dovecot, then you should be able to set up an email program (such as Thunderbird or Outlook) with the following settings:
Once you have the above configured, you should be able to send mail to '<username>@<machinename>.cs.colorado.edu' and have it show up in your inbox, after being prompted to accept the SSL certificate you configured in the previous Apache lab. You should also be able to send outgoing mail THROUGH the server to your real CU account. Check the 'Received:' headers to see what path everything takes!
ITS has an external firewall set up that blocks incoming port 25 connections to all but specific registered email servers on campus. You will have to test your configuration on the campus networks, 128.138.0.0/16 or 172.21.0.0/12.