= Email Servers = You may not be aware of it as an user, but email is a very <u>complex</u> system to administer. In fact, the more modern e-mail systems (eg. web-based mail applications, etc) are more technically involved than the other archaic, hard-to-configure, and sometimes inter-operable mail systems. We are going to spread the remaining email labs over a few weeks, so that by the end of this topic, you will have a sufficient understanding of what services are involved in sending, filtering, and reading email. You will also have the skills to configure a basic mail setup using the default services provided for your Centos7 Linux distribution.[[Category:OPS335]][[Category:OPS335 Labs]]

==LAB RESOURCESOVERVIEW=={{Admon/important|Warning|Your lab 4a must be complete before you can start this lab.}}

That setup has some major drawbacks::* [http://wiki.dovecot.org/MailServerOverview Here's It required an overview] SMTP server (common mail server terms'''MTA''')to be configured on each machine.:* [https://inside.senecacollege.ca/its/services/email/email_clients/imap.html Seneca Client Settings] The Message Store (Seneca Server settings for mail client '''MS''') would also be unique to each machine - Thunderbird) what a user received on one server would not exist on any other.

In factFinally, the above diagram does not include reading mail messagesyou will set up an '''IMAP''' server called '''Dovecot''' on your '''vm3''' machine, but this acts so you can read your email from an MUA such as ''Thunderbird'' or a starting point in order to run a basic email server''Webmail'' application. Although You will be learning to administer the mail services set up a webmail application called '''Roundcube''' in the diagram above, we will not required you to go into tremendous depth (just the minimum requirementsa later lab). For example, we will not go over every aspect of the Postfix MTA service, but you should know what it represents and what is its main purpose, as opposed to the following: [https://en.wikipedia.org/wiki/Postfix_%28software%29#Architecture complex diagram 1] , [https://www.credativ.de/blog/postfix-architecture-overview complex diagram 2].

=== Learning About the Services involved Involved in email delivery an Email Delivery ===

In reality, the terms '''MTA''', '''MDA''', '''MUA''', '''LDA''' can actually be considered misleading since some of those services can be combined together to form a single entity (application), while other applications may operate as separate entities. There may be overlap, so if you don't find those acronyms helpful, don't worry too much about them. On the other hand, when referred to in diagrams, they can help to visualize those processes when try trying to understand how an e-mail system works.

[http://wiki.dovecot.org/MailServerOverview Here's is an overview] of those terms (from the Dovecot wiki). It is worth viewing this link.

* A '''userUser Account'''. That's the person The individual who wants to send an emailor receive mail messages.* An '''MUA''' (email client). This is the application that the user individual uses to send an emailor receive mail messages. It can be a '''native application ''' or a '''web application'''. We'll set up You will learn how to setup and use both typesof these applications throughout the remainder of this course.* Two '''MTAsMTA'''servers. These are the servers responsible for getting your emails to the <u>destination</u> server.

* The '''LDA/MDA''' Server. This server will receive the email from the MTA, and will store it on disk in some format. '''MailDir''' and '''MBOX''' are the most popular mailbox formats.* '''IMAP/POP3''' server(s). When sending an email, you send it to the destination using your MTA, but you also want to save it in your '''"Sent"''' folder for yourself. This is accomplished by a separate connection to either your '''IMAP''' or '''POP3''' server.

* Note that a '''DNS''' Server. A DNS server is also involved - it is needed to retrieve the address of the email server responsible for email for a particular domain. This is done with the '''MX ''' records we looked at in the DNS labs.

=== Install Thunderbird Application and Setup a Reference Client Online References===

Eventually * [https://help.ubuntu.com/community/Dovecot Dovecot Community Documentation]* [http://wiki.dovecot.org/LDA Dovecot-lda]* [http://wiki.dovecot.org/LDA/Postfix Configuring dovecot-lda with postfix] == INVESTIGATION 1: INSTALL THUNDERBIRD (MUA) and SETUP A REFERENCE CLIENT== Unlike the '''mailx''' (MUA) application you installed and used in Lab 4a, this lab will be using the '''Thunderbird''' (MUA) application instead which is a graphical application that uses a '''centralized Message Store''' (MS) to retrieve and read mail messages.  Although wewill be eventually setting up the Thunderbird application to perform all the mail operations discussed above, you need to learn to '''"walk before you can run"'re ''. Eventually, you are going to set up all those mail services, but to begin with, we you will set up an email client to connect to a (hopefully) an already working server - which is the '''Seneca email server'''. This will be a good exercise with an Once we learn how to do this for our Seneca email clientaccount, then we can use it for our mail servers for our VM2 and VM3.

#When you see first launch the Thunderbird application, a configuration dialog box, configure it in a similar way (''using your own information'') should appear as shown in the diagram below:

<br>::[[Image:Seneca-student-thunderbird-email-setup.png|600px]]<br><ol><li value="3">Use the data in the table below to configure the Thunderbird settings dialog box for YOUR Seneca e-mail account:</li></ol>

{| class="wikitable" border="1" style="margin-left:40px;"! Setting !! '''Incoming: IMAP''' !! '''Outgoing:Notice that there are <u>unencrypted</u> options available to connect to your SMTP'''|-| '''Username'''|| yoursenecauserid@myseneca.ca || yoursenecauserid@myseneca.ca|-| '''servername''' || outlook.office365.com || outlook.office365.com|-| '''port''' || 993 || 587|-| '''security''' || SSL/IMAP servers but those are rarely used these days TLS || STARTTLS|- the potential for abuse is too great| '''References''' | colspan="2" | [1] [https://employees.senecacollege. On a free wifi network, the operator would be able to not only read your email, but also obtain your password without any passwordca/spaces/77/encryption cracking tools. In fact, even on a private wired network, it is not uncommon for an employer to use a packet sniffer utility to monitor all the traffic going over their network (Packet Sniffing applications were actually found to be legally acceptable practices if used by the management of organizations).-services/wiki/view/2394/other-email-clients ITS - Configuring other Email Clients]|}

::The specific security settings depend on how Note that your servers were configured. '''The settings for the seneca servers are [https://inside.senecacollegeusername is your full email address(<em>yourid@myseneca.ca</itsem>) and not just <em>yourid</services/email/email_clients/imap.html published here]'''em>.

The main objective of this section was to learn how to setup '''Record steps, commands, and your Thunderbird application to read your Seneca email, so observations in INVESTIGATION 1 in the next section you can use the exact type of setup for your own email server.OPS335 lab log-book'''

== INVESTIGATION 12: SETUP MAIL TRANSFER AGENT (MTA) FOR SENDING (NO ENCRYPTION) A CENTRALIZED MESSAGE STORE ==

We be using the '''Postfix''' application as the '''=== Setup Your MTA''', and we will be setting it up on your '''vm2''' machine. This will act as the email server for your internal network. You will be able to send email out of your network, and receive email from within your network, but you will '''<u>not</u>''' receive email from outside of your network due to the following reasons:* Individuals outside of your domain will never find the MX records because there are no '''.org''' servers pointing to your DNS server (i.e. you haven't paid for it).* Even if they the individuals could read your MX records, your local network is using IP addresses on a '''private subnet''', which is not routeable on the Internet, so it cannot be reached from outside of your system.Use Correct Domain===

=== Verify In Lab 4a, both of your email servers were sending mail messages addressed from users of the Postfix Service Status ===actual machines themselves. This would be confusing for the receiver who might get emails from the same user @vm1, vm2, and vm3. Which would they respond to? To avoid this problem from occurring, we can make all servers make the sent mail appear to come from a central location (usually the '''domain'''), and make incoming email sent to that address to be accessible from machines within our network.

#The Issue the '''mail''' command to view the email messages you sent between your '''vm2''' and '''postfixvm3''' application should be installed by defaultin your lab 4a. If it isn't, install Notice that each is addressed from root on whichever machine sent it.#Install also On both machines (vm2 and vm3), edit the '''netstat/etc/postfix/main.cf''' application (tip: use yum search file to find the package name) and also install change the '''telnetmyorigin''' parameter from '''$myhostname''' to '''$mydomain''' command.#Postfix will work with the default configuration, so start and enable this service, and verify that Restart the '''postfix ''' service is running.#Look for Now, send emails messages (via the running postfix service in the list '''mail''' command) between both of listening ports by issuing the following command:<br><source lang="bash">netstat -atnp</source>#Which service is postfix running? Locate the port used by SMTPyour vm2 and vm3 machines, and look for connctions with view the state LISTEN (imail messages by issuing '''mail''' in each vm.e The sender address should now read that the received mail messages came from '''root@yourdomain. currently listening).#Write your observations in your lab logbookops'''.

We will be demonstrating the use of the telnet application ::The next step is to test configure what addresses that the server will receive email for. This is done using postfix service by setting the '''mydestination''' parameter (configuration variable) to include '''$mydomain''' (this is running. assuming you've set up '''mydomain''', '''myorigin''' , and '''Perform the following steps:inet_interfaces'''properly).

<ol><li value="4">Edit the '''/etc/postfix/main.cf''' file for '''vm3 ONLY''', scroll down to the line containing:'''mydestination''' and change line to the text shown below:<br><source>mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost</source>'''NOTENote:''' If it workedEven though your machine's name is ''vm3.yoursenecaid.ops'', your postfix MTA will also receive emails addressed to the domain called: yoursenecaid.ops</li></ol><br>::In order for this indicates to work, we need to add a DNS record that will point mail sent to the postfix service is running and listening and responding domain towards one of the SMTP servers configured to connectionsaccept it.

<ol><li value="45">LetAdd an '''MX's see if it works from other machines. Telnet '' record to vm2 from the forward lookup zone on '''host (connect ''' so that all incoming mail addressed to the SMTP port) and see if it works. If domain is sent to your firewall is set up properly, the telnet command should not permit a connectionvm3.</li><li>Issue an iptables rule to allow incoming connections to Restart the service and use the '''TCP port 25dig'''command to confirm that it works.</li><li>Once you open the port in the firewall, retry the Send an email from your '''vm2'''telnetto ''' commandroot@yourdomain. You should get a different error this time. This time the problem is ops'''</li><li>Confirm that it arrives on your service isn't listening on the outside interface, it's currently configured to listen only on the loopback (lo) interface.'vm3''' machine</li></ol>

=== Listening on all interfaces Relay Email Through Another Server===

Our first editing change to When email is sent from either vm, it is addressed from the domain, but receiving MTAs might query why mail sent from vm2 doesn't match the Postfix configuration will be to make address of the service "listen" MX record for incoming connections on the external interface domain. This would be a red-flag for potential spam. To avoid this, we can relay all mail sent from vm2 (i.e '''eth0''' or any other machine in our network) through vm3 so that it properly appears to come from the VMs point of view)mail server that matches the MX record for the domain.

# Launch in Move to your vm2 machine.# Direct your '''vm2''' MTA to relay mail through vm3, by making the following editing session change for the postfix configuration file called: '''/etc/postfix/main.cf'''file:<br><source>relayhost = vm3.<yourdomain>.ops</source># Change Restart the value of '''postfix''' service.# Next, you must instruct your '''vm3''' machine to allow your vm2 machine to pass email through it by making the following parameter editing change to what is displayed belowthe '''/etc/postfix/main.cf''' file:<br><source>mynetworks = 192.168.X.0/24</source>NOTE:Substitute in your '''own network''' for X<br><br> inet_interfaces = all# Restart the '''postfix''' service.

<ol><li value="3">We should also set the string that will end up in the '''From:''' header in messages sent by this server. Change '''mydomain''' All mail is now being delivered to your domain name a centralized location (and '''myorigin''' also appears to '''$mydomain'''.</li><li>Restart the postfix service and confirm (using netstatbe coming from that same location) , but a user would still have to access that the service is now listening on <u>all</u> interfaces (not just loopback)</li><li>Test by connecting server to retrieve it (using telnet) from your '''host''' machine.</li></ol>

=== DNS Server used by Install and Configure the host Local Delivery Agent (LDA/MDA) ===

So farPostfix is capable of performing the function of an LDA, you but its LDA capabilities are limited, thus postfix is generally not used for that purpose. Currently, the most popular LDA is ''LMTP'', but we will be installing, configuring, and using vm1 as the DNS server for your an LDA called '''hostDovecot''' machine. We since it is also popular and we will need to change the DNS configuration in order for the email server to operate correctly. Normally you don't need an entire DNS server for running an email server, you can simply add setting up Dovecot as an '''MXIMAP''' record server later in your registrar's web interface, but we haven't paid for this lab. Using both Postfix and Dovecot will actually increase the performance of our domains; therefore, we don't have a registrar with a web interfaceIMAP server.

#Modify Move to your '''vm3''' machine.#Dovecot is not installed when you installed your Virtual machines in previous labs.<br>Install the Dovecot application by issuing the following command:<br><source>yum install dovecot</source>#Edit your '''/etc/resolvpostfix/main.confcf''' file and scroll down to (or search for) '''mailbox_command''' on your . Add the following line:<br><source>mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"</source> ::NOTE: Do <u>'''hostnot''' machine to use your </u> replace any variables, those are set automatically by Postfix when it runs the LDA. If you are interested in learning more about the Dovecot application, you can read about dovecot-lda [http://wiki.dovecot.org/LDA/Postfix here] and [http://wiki.dovecot.org/LDA here].<br><ol><li value="4">Finally, edit the '''vm1/etc/dovecot/conf.d/10-mail.conf''' machine as file and indicate where you want your mail delivered by including the name serverfollowing line:<source>mail_location = maildir:~/Maildir</source></li><li>Restart your postfix service. This will not be a permanent change</li><li>While the emails are still stored only on VM3, since it they will only now be required easier for our email labsother machines/services to access.</li># We <li>Due to permissions on the directories where mail will now be stored, root will have to remember no longer receive mail. Check the logs for an indication as to do this every time you reboot your hostwhy.</li></ol>

If your regular (internet) DNS lookups slow down significantly, you can update the DNS server configuration on '''vm1Record steps, commands, and your observations in INVESTIGATION 2 in your OPS335 lab log-book''' to forward requests to the Google nameserver (8.8.8.8) instead of your host machine.

==INVESTIGATION 3: USING THUNDERBIRD (MUA) FOR VM2 and VM3 MACHINES == === Accessing Received Mail Messages on VM3 VIA IMAP === First, we will set up the IMAP server so we can read email. The current way we have configured our mail server on our VM3 machine should allow all the email for anyaccount@yoursenecaid.ops should be delivered to our '''Record steps, commands, and your observations in INVESTIGATION 1 in your OPS335 lab log-bookvm3'''machine. We will set up Dovecot with IMAP to get easy access to that email.

==INVESTIGATION 2: SETUP THUNDERBIRD MAIL USER AGENT #The configuration file for the Dovecot service (MUAwhich is not the same thing as dovecot-lda) FOR YOUR VIRTUAL NETWORK (vm2is: '''/etc/dovecot/dovecot.conf'''. Modify the '''protocols''' option so that Dovecot will work with IMAP connections, no POP3 or LMTP.# Start the dovecot service, and ensure it will always start automatically when the machine boots.# Use the '''ss''' command to confirm the service is listening, and use '''nc''' on the '''host''' to confirm you can connect to it.# You'll probably fail, so using the information gathered from '''ss''', modify the firewall on vm3) ==to allow IMAP connections from your local network and try '''nc''' again. Once it works, do not forget to save this change so it will still be there the next time you reboot.#If you can connect - it's now time to do something wrong, that is allow connections to our IMAP server over an unencrypted connection.# Edit the '''/etc/dovecot/conf.d/10-auth.conf''' file and set '''disable_plaintext_auth''' to '''no'''.# Then edit the '''/etc/dovecot/conf.d/10-ssl.conf''' file and set '''ssl''' to '''yes'''.<br><br>'''Note:''' This combination of parameters will allow your username and password to be sent over the internet in plain text, for anyone interested to look at. In a later lab we'll set up secure SMTP and IMAP connections, for now this is all we have time for.<br><br># Restart dovecot so the changes take effect.

Although We are far from having a working email server, at this point we still have configured enough === Connecting to be able to test the running mail service (postfix) with the '''Thunderbird''' application.This process is a little challenging, since IMAP Servers Using Thunderbird tries really hard to prevent you from connecting to a server that doesn't work (and ours mostly doesn't work at this point).===

#On your '''host ''' machine, return to the Mail Account Setup dialog box (eg. near top of lab).# Set up the a '''new email account'''. You will be using account settings to connect to your '''vm2''' for '''SMTP''' and '''vm3''' for '''IMAP'''. Use <u>no</u> encryption, and use normal password authentication for IMAP (we don't have an IMAP server running yet, but that's ok). Refer to the diagram below for reference:

::<ol><li value="3">Try to connect to your IMAP server with Thunderbird by clicking on your '''NOTE:Inbox''' .</li><li>If nothing happens, then check the Thunderbird wonActivity Manager for any errors. If the connection is successful, you should see the '''Trash'''t let box <u>appear</u> below Inbox.</li><li>Use the Thunderbird application to send an email to your myseneca address. If you proceed with 've done everything right, it will send the message successfully</li><li>Verify that your message has been sent. Check your myseneca email and look at '''/var/log/maillog''' on vm2 (your email server).</li></ol> === Sending a Mail Message from VM2 (Using Thunderbird)=== '''Perform the following steps:''' #Use the "Done" button because '''ss''' and '''nc''' commands (like you did in lab 4a) to confirm your service is listening on the correct ports/interfaces. You will fail probably have to open the appropriate firewall port on '''vm3''' to allow incoming '''SMTP''' connections.<br><br>'''Note:''' You should be able to send email to connect any regular user <u>on</u> '''vm3''' using the email address '''yourusername@yoursenecaid.ops''' using the Thunderbird application on your host machine (which is configured to IMAPuse the account on your vm2).<br><br>

<ol><li value="32"> Use the Create a new account on your '''vm3''' machine using only your <u>first</u> name. We will use this account as a one-time "Advanced configtest" button to bypass that checkif the mail message has been received on your VM3 machine (from your VM2 machine).</libr><libr>Use the Thunderbird application to send an email to your myseneca address. If you've done everything right, it will send the message successfully, but it will fail to save it in the Sent folder since that's done with IMAP and you don't have an IMAP server yet.Note:''' It is </liu>'''important'''<li/u>Verify that your message has been sent. Check your myseneca email and look at you '''<u>don't</var/log/maillogu>''' create this same account name on your vm2 (your email server)machine, since you want to easily identify the difference between the sending and receiving SMTP servers.<br /><br /></li></ol>

{{Admon/important |Encountering error messages when sending email|If you cannot properly receive sent e-mail messages, check the '''/var/log/syslog''' file for errors.<br><br> If you locate an error message in that file such as: '''Fatal: Error reading configuration: Invalid settings...'''Record steps, commandsthen add the following <u>parameter</u> in '''/etc/dovecot/dovecot.conf''':<br />'''postmaster_address <nowiki>=</nowiki> DOMAIN''' (where DOMAIN is actually <u>your</u> domain).<br /><br />After you have saved those changes, and then '''restart''' your dovecot service. This problem can also be resolved by properly setting the hostname of your machine to include the domain.}} {{Admon/important |Backup your VMs!|You MUST perform a '''full backup''' of ALL of your VMs whenever you complete your observations in INVESTIGATION 2 in '''OPS335 labs''' or when working on your '''OPS335 lab log-bookassignments'''. You should be using the dump or rsync command, and you should use the Bash shell script that you were adviced to create in order to backup all of your VMs.}}

Students should be prepared with ===Online Submission===Follow the instructions for lab 4b on blackboard.<!--===Andrew's sections=== You may choose to:* Submit screenshots of your work on Blackboard, in which case you don''all required commands (system information) displayed in a terminal (or multiple terminals) prior t need to come to the lab.* Or come to calling the instructor for signoff''lab, show me your work, and talk to me about it. I want to hear what you've learned and answer any questions you have.

You'''Arrange evidence (command output) for each ll get the same grade regardless of these items on how you choose to submit your screen, then ask your instructor to review them and sign off on the lab's completion:'''work.

# List the steps to configure your DNS to temporarily allow your Thunderbird application to connect to your mail server.# What is the purpose of the '''Dovecot''' package?# What is the purpose of the '''mydestination''' parameter contained in the '''/etc/postfix/main.cf''' file?# Why are '''IMAP''' and '''POP''' email servers placed on separate machines (vms)?# What is the purpose of the '''mail_location''' parameter contained in the '''/etc/dovecot/conf.d/10-mail.conf''' file?# Why is root not able to receive mail with the changed mail location? What could you change to allow mail to be sent to root again?