932
edits
Changes
m
smtpd_tls_auth_only = nosmtpd_tls_key_file = /etc/ssl/private/vm2.andrewsmith.org.keysmtpd_tls_cert_file = /etc/ssl/certs/vm2.andrewsmith.org.crt
:'''NOTE:''' Your message may look slightly different (This author, that created the diagram above, made a little mistake when generating the certificate).
Let's start by generating a new certificate for Dovecot on vm3''Perform the following steps:'''
The ::'''NOTE:''' This process is identical to what you've done for the vm2 certificate. In fact if your IMAP and SMTP servers are on the same machine - (i.e. you can share the certificate between them). In our case , they're are not on the same machine.
Now <ol><li value="2">Next, we need to configure Dovecot to use this for encrypted connections and not allow any kind of plain text connections. Edit the '''dovecot.cont''', '''10-auth.conf ''', <u>and </u> '''10-ssl.conf to ''' files and change the following settings:</li></ol>
* <source lang="bash">ssl = required* ssl_cert = <path_to_your_crt_file* ssl_key = <path_to_your_key_file* disable_plaintext_auth = yes* protocols = imaps (instead of imap)</source>
==INVESTIGATION 2: OTHER EMAIL CONSIDERATIONS If you got to this point and everything worked (NOT COVERED IN THIS LABand you understand what you've done)==: congratulations, you have set up a working email server and you can now have an intelligent conversation with an employer about this hugely important system.
If you got to this point and everything worked (and you understand what you've done) On the other hand, even though we spent three weeks on e- congratulationsmail server configuration, you we have set up a working email server and you can now only performed the simplest possible setup. In the rest of the section, we will only list other commonly-needed services/tools/concepts that we just don't have an intelligent conversation with an employer about time for this hugely important systemsemester.
But be aware that even though we spent three weeks on Although you are <u>not</u> required to perform any of the operations below, it - we've only done is recommended to note and understand the simplest possible setup. In the rest of the section we'll list other commonlyfollowing elements to compliment a fully-needed services/tools/concepts that we just don't have time for this semesterfunctioning email system.
# *Restrict your "sending" SMTP server to only work on your network. ISPs commonly do this. This doesn't work very well if you have mobile clients (laptops, phones) which are not always connected to your ISPs network.# *Use SASL or some other means of checking that the person trying to use the SMTP server has a valid user on the system. This way only your users will be able to use your server to relay email.
One '''DomainKeys Identified Mail (DKIM)''' is one of several popular spam-prevention measure measures that uses use encryption to sign messages originating from your server so that receiving servers can verify that the messages really did come from your server (the keys are published in DNS).
It's a neat idea DKIM is considered to be an interesting method, but the strength of the encryption using DKIM is pretty patheticnot high. So it's DKIM is a good deterrent against mass amounts of spam, but it doesn't really guarantee anythingother types of attacks on your email server.
Removing a duplicate paramter.
Online References:
* [ Course Notes ]* [https://en.wikipedia.org/wiki/Transport_Layer_Security TSL, SSL Definition]* [https://www.e-rave.nl/create-a-self-signed-ssl-key-for-postfix Create a self signed SSL key for Postfix]* [http://wiki2.dovecot.org/SSL/DovecotConfiguration Dovecot SSL configuration]
According to Wikipedia (https://en.wikipedia.org/wiki/Transport_Layer_Security), '''Transport Layer Security''' (TLS) and its predecessor, '''Secure Sockets Layer''' (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols designed to provide communications security over a computer network.
Normally (in production), you would need to pay a "certificate authority" to issue a '''certificate''' for you. That is essentially '''a "signed" public key''' that will tell strangers on the internet that your server is really yours (i.e. the certificate authority says so). There is an obvious problem with the previous statemen,t statement but that is mainlyy mainly how public key encryption works on the Internet today.
We will be generating our own public keys, mainly in order to avoid paying for a certificate. We will not have enough time to get into the details of what all the following commands do in this section. They are from [https://www.e-rave.nl/create-a-self-signed-ssl-key-for-postfix this blog post]. If you don't understand what the blog post refers to but would like to understand in more details, a good recommended book for interest, called Crypto by Steven Levy, provides a more in-depth discussion of encryption and security.
#Let's start with the "sending" SMTP server we have on VM2. Run the following, replacing <u>andrewsmith.org</u> with '''<u>your</u> domain name''':
<source lang="bash">mkdir -p /root/postfix-keys /etc/ssl/{private,certs}cd /root/postfix-keys
openssl genrsa -des3 -out vm2.andrewsmith.org.key 2048
chmod 600 vm2.andrewsmith.org.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 vm2.andrewsmith.org.key cakey.pem
cp vm2.andrewsmith.org.key cakey.pem /etc/ssl/private/cp vm2.andrewsmith.org.crt cacert.pem /etc/ssl/certs/</source>
::'''NOTE:''' Those commands will create a certificate, a certificate signing request, a certificate authority, and a sign your certificate with your certificate authority. Same <br>This would be the same as in the real world except there you would contact a real CA, here you're making up your own.
<ol><li value="2">Now, configure Postfix to use the generated certificate, by adding the following to your '''main.cf''' file:</li></ol>
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
tls_random_source = dev:/dev/urandom
'''Perform the following steps:'''
#Currently your Thunderbird is set up to use '''vm2.yoursenecaid.org''' for an SMTP server, with <u>no</u> security. Change that to use '''STARTTLS''' instead (you can change it under '''account settings --> Outgoing Server'''). # We haven't set up any user authentication, just an encrypted channel;therefore, leave the '''authentication method''' at the value: '''none'''.
#Thunderbird will warn you about the self-signed certificate. You obviously know it's your certificate so you can tell Thunderbird to trust it:
[[Image:SMTP-certificate-warning.png]]
::'''NOTE:''' Your message may look slightly different (This author, that created the diagram above, made a little mistake when generating the certificate). <ol><li value="34">After you confirm that security exception, send another email to yourself and make sure you receive it.</li><li> Notice that from the user's point of view nothing is different. But if you were an evildoer trying to steal an identity (the difference is huge). Before it was trivial and now it's computationally prohibitive.</li></ol>
=== Encryption Dovecot with Secure Socket layer (SSL) ===
Now we'll will ensure that our '''Dovecot ''' connection is secure, and we'll enforce thatpolicy. With SMTP , you will need to allow plain text connections because since that's is the only way method to pass email from server-to-server. With IMAP , there is no server-to-serverinteraction, but rather only client-to-serverinteraction. The only reason to have an unencrypted IMAP connection would be if your '''IMAP server ''' and '''IMAP client ''' were the <u>same </u> machine (this would be the case with situation when using webmail).
# Let's start by generating a new certificate for Dovecot on your vm3 machine by issuing the following commands:<source lang="bash">mkdir /etc/ssl/{private,certs}openssl genrsa -des3 -out vm3.andrewsmith.org.key 2048
chmod 600 vm3.andrewsmith.org.key
openssl req -new -key vm3.andrewsmith.org.key -out vm3.andrewsmith.org.csr
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 vm3.andrewsmith.org.key cakey.pem
cp vm3.andrewsmith.org.key cakey.pem /etc/ssl/private/cp vm3.andrewsmith.org.crt cacert.pem /etc/ssl/certs/</source>
<ol><li value="3">Your key/certificate dondoesn't have a '''.pem ''' extension but they are PEM-encoded files. You can confirm that using the '''file''' command. If you're interested - here's some , learning more about configuring Dovecot for SSL, refer to the following documentation about : [http://wiki2.dovecot.org/SSL/DovecotConfiguration Dovecot SSL configuration].</li></ol>
=== Verifying that Mail Messages are Encrypted===
'''Perform the following steps:''' #Use the '''netstat ''' command to confirm you're only listening on the '''imaps ''' port, and not the plain imap port. Then #Next, reconfigure your account settings in Thunderbird to use the '''SSL/TLS ''' connection security with your IMAP server. ::'''NOTE:''' You'll will get a warning because you're using a self-signed certificate, authorise in that case, make certain to authorize the exception.
'''Record steps, commands, and your observations in INVESTIGATION 1 in your OPS335 lab log-book'''
==INVESTIGATION 2: OTHER EMAIL CONSIDERATIONS (NOT COVERED IN THIS LAB)==
=== Open Relays ===
Your SMTP servers are open relays. That means if they were accessible on the internet - Internet, anyone could use them in order to send spam. This would very quickly get your server blacklisted and you'd have a very hard time getting yourself off that blacklist.
There are two common solutions for that:
=== Sender Policy Framework (SPF ) ===
'''Sender Policy Framework (SPF )''' uses DNS to publish a list of server IP addresses that are allowed to send email for your domain. That In this way , a receiving server can check whether the sending server is authorized (i.e. message is likely not spam) or not (i.e. message is probably spam).
SPF is a pretty cool system, but it's not perfect. It works very well for single servers but if you send mail for your domain from multiple servers (and perhaps a varying number of them) - , you have are required to put in wildcards use wild-cards which lower reduce the effectiveness of this system.
=== DomainKeys Identified Mail (DKIM ) ===
=== Address Books ===
An address book has nothing to do with email, even though you might think they are related systems. Typically , an address book is a completely separate system - using either a '''CardDav ''' server (one easy to set up comes with OwnCloud) or an LDAP server. Even tightly integrated services like Microsoft's Active Directory keep the address book separate from the email.
=== Vacation Responders ===
If you think about it - , it's is not really clear what service should be responsible for sending out vacation messages. Your receiving SMTP server? Do you really want your users to be able to control that? The client? It's is probably not running.
It's usually yet another is most likely a separate service. Even though the settings to enable vacation response will usually be next to your other email settings - , they will be controlling a separate system that's hooked into your MTA.
=== Other Stuff Email Features ===
There are countless other features and extensions for email. Not to mention propietary proprietary ones like '''Gmail''', '''Yahoo mail''', '''Office 365''', etc. But having Having mastered the email portion of this course - , on the other hand, allows you will be qualified to evaluate capabilities, design integrated systems, and customise customize the email service for you organization like no regular email user can even attempt to comprehend or understand.
'''Note important considerations not covered in this INVESTIGATION into your OPS335 lab log-book'''
==EXPLORATION QUESTIONS==
#Briefly define the term '''TSL'''.#Briefly define the term '''SSL'''.#List the steps to setup Encryption for Postfix with TLS.#List the steps to setup Encryption for Dovecot with SSL.#List the steps to setup Encryption for the Thunderbird application.#Provide a brief description of the following terms as they relate to mail servers:#*'''Open Relay'''#*'''SPF'''#*'''DKIM'''