Difference between revisions of "OPS335 Lab 4b"

OVERVIEW & PREPARATION

Last week, we configured and ran the Postfix application (MTA a.k.a. SMTP server) on our vm2 and vm3 machines. This setup had a drawback, in that it required an SMTP server to be configured on each machine. The Message Store (MS) would also be unique to each machine: what a user received on one server would not exist on any other. In this lab we will centralize some of this information, so that a user can send email from any machine in the network, and always be able to access all of their mail.

The a diagram below (duplicate to lab 4a) shows your basic setup of your email system:

We will begin by modifying the existing Postfix servers to make mail they send come from your domain, instead of each machine. Then we will add a record to your DNS server to allow mail to be sent to the domain itself, instead of the machines. Next we will add a Local Delivery Agent (LDA) to your vm3 by installing dovecot-lda, configure it, and test it to make sure that is is working correctly.

Finally, we will set up an IMAP server (Dovecot) on VM3, so you can read your email from an MUA such as Thunderbird or a Webmail (we will set up a webmail application in a later lab).

Services involved in email delivery

In reality, the terms MTA, MDA, MUA, LDA can actually be considered misleading since some of those services can be combined together to form a single entity (application), while other applications may operate as separate entities. There may be overlap, so if you don't find those acronyms helpful, don't worry too much about them. On the other hand, when referred to in diagrams, they can help to visualize those processes when try to understand how an e-mail system works.

Here's an overview of those terms (from the Dovecot wiki). It is worth viewing this link.

In the diagram displayed above, the elements include:

• A user. That's the person who wants to send an email.
• An MUA (email client). This is the application the user uses to send an email. It can be a native application or a web application. We'll set up both types.
• Two MTAs. These are the servers responsible for getting your emails to the destination server.
  • They are similar to routers (which route packets) but work on the application layer rather than the network layer.
  • In our example, there are only two MTAs - but there can be several.
  • You connect to your MTA over a secure connection, so your emails can't be read by the operators of the network you're connected to.
  • The mail message then travels the rest of the way to the destination MTA unencrypted, so anyone with access to the routers in-between can read all your emails. That is why many organizations will refuse to send you confidential information over email.
• The LDA/MDA will receive the email from the MTA, and will store it on disk in some format. MailDir and MBOX are the most popular mailbox formats.
• When sending an email, you send it to the destination using your MTA, but you also want to save it in your "Sent" folder for yourself. This is accomplished by a separate connection to your IMAP or POP3 server.
  • Thus, a situation can occur that although you sent your email successfully, it may never make it to your "Sent" folder - the second connection to your IMAP server is quite unrelated to the first connection to the SMTP server.
• Note that a DNS server is also involved - it is needed to retrieve the address of the email server responsible for email for a particular domain. This is done with MX records.

Online References

• Seneca Client Settings (Seneca Server settings for mail client - Thunderbird)
• Dovecot Community Documentation
• Setting up an IMAP Server with Dovecot

Install Thunderbird Application and Setup a Reference Client

Eventually we're going to set up all those mail services, but to begin with, we will set up an email client to connect to a (hopefully) working server - the Seneca email server. This will be a good exercise with an email client.

Perform the following steps:

1. Switch to your host machine, and install the Thunderbird email application.
2. When you see the configuration dialog box, configure it in a similar way (using your own information) as shown in the diagram below:

Notice that there are unencrypted options available to connect to your SMTP/IMAP servers but those are rarely used these days - the potential for abuse is too great. On a free wifi network, the operator would be able to not only read your email, but also obtain your password without any password/encryption cracking tools. In fact, even on a private wired network, it is not uncommon for an employer to use a packet sniffer utility to monitor all the traffic going over their network (Packet Sniffing applications were actually found to be legally acceptable practices if used by the management of organizations).

The specific security settings depend on how your servers were configured. The settings for the seneca servers are published here.

3. After you create your Thunderbird account, you should be able to read your existing email and send new email within the Thunderbird application.
4. Take time to view your Account Settings and Preferences to get a feel for what settings exist. For example:
   • How often will Thunderbird check for new messages?
   • Will the messages you write be in HTML or plain text?
   • How do you change your SMTP server settings? Why are they in a different section?

The main objective of this section was to learn how to setup your Thunderbird application to read your Seneca email, so in the next section you can use the exact type of setup for your own email server.

INVESTIGATION 1: SETTING UP MTA FOR RECEIVING EMAIL

Specifying Which Domains are Used to Send Mail Messages

As of last lab, both of your email servers are sending mail addressed from users of the machines themselves. This would be confusing for the receiver who might get emails from the same user @vm1, vm2, and vm3. Which would they respond to? To avoid this, we can make all servers make the sent mail appear to come from a common location (usually the domain).

Look at the email messages you sent between your vm2 and vm3 in lab 4a. Notice that each is addressed from root on whichever machine sent it.

On both machines, edit /etc/postfix/main.cf and change the myorigin parameter from $myhostname to $mydomain. Restart postfix and send emails between the machines again. The sender address should now read root@yourdomain.org.

Specifying Which Domains are Used to Deliver the "Received" Mail Messages

The next step is to configure what addrssess the server will receive email for. This is done using postfix by setting the mydestination parameter (configuration variable) to include $mydomain (this is assuming you've set up mydomain, myorigin , and inet_interfaces properly).

Perform the following steps on both vm2 and vm3:

1. Edit the /etc/postfix/main.cf file.
2. Scroll down to the line containing: mydestination and change line to the text shown below:

mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost

Note: Even though your machine's name is vm2.yoursenecaid.org, your postfix MTA will also receive emails addressed to the domain called: yoursenecaid.org

In order for this to work, we need to add a DNS record that will point mail sent to the domain towards one of the SMTP servers configured to accept it.

Add an MX record to the forward lookup zone on vm1 so that all incoming mail addressed to the domain is sent to your vm3. Restart the service and use dig to confirm that it works.

Send an email from your vm2 to root@yourdomain.org. Confirm that it arrives on vm3.

All mail is now being delivered to a centralized location (and also appears to be coming from that same location), but a user would still have to access that server to retrieve it.

Installing and Configuring the Local Delivery Agent (LDA)

Postfix is capable of performing the function of an LDA, but its LDA capabilities are limited, thus postfix is generally not used for that purpose. Currently, the most popular LDA is LMTP, but we will be installing, configuring, and using an LDA called Dovecot since it is also popular and we will later be setting up Dovecot as an IMAP server. Using both Postfix and Dovecot will actually increase the performance of our IMAP server.

Perform the following steps:

1. Dovecot is not installed when you installed your Virtual machines in previous labs.
2. Install the Dovecot application by issuing the following command:
   yum install dovecot
3. Edit your /etc/postfix/main.cf file and scroll down to (or search for) mailbox_command. Add the following line:

mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"

NOTE: Do not replace any variables, those are set automatically by Postfix when it runs the LDA. If you are interested in learning more about the Dovecot application, you can read about dovecot-lda here and here (i.e. optional reading for interest only).

4. Finally, edit the /etc/dovecot/conf.d/10-mail.conf file and indicated where you want your mail delivered by including the following line

mail_location = maildir:~/Maildir

5. Restart your postfix service.

While the emails are still stored only on VM3, they will now be easier for other machines/services to access.

INVESTIGATION 2: SETUP THUNDERBIRD MAIL USER AGENT (MUA) FOR YOUR VIRTUAL NETWORK (vm2, vm3)

Perform the following steps:

1. On your host machine, return to the Mail Account Setup dialog box (eg. near top of lab).
2. Set up the account settings to connect to your vm2 for SMTP and vm3 for IMAP. Use no encryption, and use normal password authentication for IMAP (we don't have an IMAP server running yet, but that's ok). Refer to the diagram below for reference:

NOTE: Thunderbird won't let you proceed with the "Done" button because you will fail to connect to IMAP.

3. Use the "Advanced config" button to bypass that check.
4. Use the Thunderbird application to send an email to your myseneca address. If you've done everything right, it will send the message successfully, but it will fail to save it in the Sent folder since that's done with IMAP and you don't have an IMAP server yet.
5. Verify that your message has been sent. Check your myseneca email and look at /var/log/maillog on vm2 (your email server).

Sending a Mail Message from VM2 (Using Thunderbird)

Sent messages will not be saved to the sent folder
During this step the messages you send will not be saved to the sent folder and Thunderbird will permanently hang with a message that it is saving the message. It will never succeed, as we have not yet configured the imap server to accept the connection necessary for that to work.

Perform the following steps:

1. Use the ss and nc commands (like you did in lab 4b) to confirm your service is listening on the correct ports/interfaces. You will probably have to open the appropriate firewall port on vm3 to allow incoming SMTP connections.
   
   Note: You should be able to send email to any regular user on vm3 using the email address yourusername@yoursenecaid.org using the Thunderbird application on your host machine (which is configured to use the account on your vm2).
   
   

2. Create a new account on your vm3 machine using only your first name. We will use this account as a one-time "test" if the mail message has been received on your VM3 machine (from your VM2 machine).
   
   Note: It is important that you don't create this same account name on your vm2 machine, since you want to easily identify the difference between the sending and receiving SMTP servers.
   
   

3. We still haven't set up IMAP (for reading email) but we can test that the message is being delivered. Use the new account in Thunderbird to send an email to firstname@yoursenecaid.org and then check the contents of /home/firstname/Maildir/new/ on your vm3 machine. There should be a file there with the contents of your email.
4. If there is no file, then check the log file /var/log/maillog to see what went wrong.
5. If you can see a file in the /home/firstname/Maildir/new/ directory, then review the procedures on how you got the email server working (since you have performed many steps and set up many services).
6. Refer to the diagram at the top of this lab. Which services have you currently set up? Record your findings in your lab Logbook.

Encountering error messages when sending email
If you cannot properly receive sent e-mail messages, check the /var/log/syslog file for errors.

If you locate an error message in that file such as: Fatal: Error reading configuration: Invalid settings..., then add the following parameter in /etc/dovecot/dovecot.conf:
postmaster_address at DOMAIN (where DOMAIN is actually your domain).

After you have saved those changes, then restart your dovecot service.

Viewing Received Mail Message on VM3 VIA IMAP (Using Thunderbird)

Finally, we will set up the IMAP server so we can read email. The current way we have configured our mail server on our VM3 machine should allow all the email for anyaccount@yoursenecaid.org should be delivered to our vm3 machine. We will set up Dovecot (with IMAP, IMAPS in the next lab) to get easy access to that email.

Perform the following steps:

1. The configuration file for the Dovecot service (which is not the same thing as dovecot-lda) is: /etc/dovecot/dovecot.conf. Modify the protocols option so that Dovecot will work with IMAP connections, no POP3 or LMTP.
2. Start the dovecot service, and ensure it will always start automatically when the machine boots.
3. Use the ss command to confirm the service is listening, and use nc on the host to confirm you can connect to it.
4. If you can connect - it's now time to do something wrong, that is connect to our IMAP server using Thunderbird over an unencrypted connection.
5. Edit the /etc/dovecot/conf.d/10-auth.conf file and set disable_plaintext_auth to no.
6. Then edit the /etc/dovecot/conf.d/10-ssl.conf file and set ssl to yes.
   
   Note: This combination of parameters will allow your username and password to be sent over the internet in plain text, for anyone interested to look at. In the following lab we'll set up secure SMTP and IMAP connections, for now this is all we have time for.
   
   
7. Restart dovecot so the changes take effect.
8. Try to connect to your IMAP server with Thunderbird by clicking on your Inbox.
9. If nothing happens, then check the Thunderbird Activity Manager for any errors. If the connection is successful, you should see the Trash box appear below Inbox.
10. Finally, send an email message from yoursenecaid@yoursenecaid.org to yoursenecaid@yoursenecaid.org using the Thunderbird application. The mail message should be sent without errors, and you should notice a Sent folder appear in the list. If all worked well, you should see your message arrive in the Inbox and you know that your configuration works correctly.

Record steps, commands, and your observations in INVESTIGATION 2 in your OPS335 lab log-book

COMPLETING THE LAB

Depending on your professor you will either be asked to submit the lab in class, or online. Follow the appropriate set of instructions below

Online Submission

Follow the instructions for lab 4b on moodle.

In Class Submission

Students should be prepared with all required commands (system information) displayed in a terminal (or multiple terminals) prior to calling the instructor for signoff.

Arrange evidence (command output) for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:

✓Status and configuration of your Postfix service on vm2.

✓Proof that you can connect to that service from the host.

✓Your Thunderbird configuration.

✓The email you sent to your myseneca account.

EXPLORATION QUESTIONS

1. What is the purpose of the Thunderbird application?
2. List the steps to configure your DNS to allow your Thunderbird application to connect to your mail server.
3. What is the purpose of the Dovecot package?
4. What is the purpose of the mydestination parameter contained in the /etc/postfix/main.cf file?
5. Why are IMAP and POP email servers placed on separate machines (vms)?
6. What is the purpose of the mail_location parameter contained in the /etc/dovecot/conf.d/10-mail.conf file?