OPS535-online-L5
Draft - This lab is still under construction.
Contents
Overview
Postfix is a complete MTA (Mail Transport Agent) package which replaced Sendmail. Postfix uses several different programs to implement the MTA functionality. Postfix is considered to be more secure than Sendmail as it requires a separate user ID for running each module. Postfix uses plain text parameters and value names in its configuration files. The Postfix program plays a variety of roles:
- Listens to the network for incoming mail
- Transports mail messages to other machines
- Performs local mail delivery or hands local mail over to a local program for delivery
- Appends mail to files, Pipes mail through other programs
- Queues mail for later delivery
- Understands the aliasing of one recipient name to another
Understanding how Postfix handles the tasks listed above is essential in keeping the email service running properly for your users.
Pre-requisites
- Must complete assignment 1 on ops535 virtual lab and ensure that
- all your four VMs have network connectivity to each other via the ens224 network interfaces.
- your VMs have the proper FQDN which can be resolved by your authoritative DNS server(s).
- Install the nmap-ncat package on your host (optinally, install it on your other VMs as well).
- Install postfix it it is not already installed.
Investigation 1: SMTP
Perform the following steps on your VM2 (pri-dns)
- login to your VM2 as the student user.
- Find out the version of the postfix rpm installed on the system with one of the following commands and keep a record of it.
rpm -q postfix yum info postifx
- SMTP servers use one of the well-known ports, you can find out the port number used by the smtp protocol with the following command:
grep -w smtp /etc/services
- Make sure that the postfix.service is running on VM2, if not, start the postfix.service and confirm that it is running properly.
- Beside the systemctl command, there are two more places (or commands) you can use to confirm whether there is a SMTP server running on your system: the "ss -at" and "ps -ef" command:
- Try the following command pipe line and look for the SMTP port number under the "Local Address" column and record the line(s) for future reference.
ss -at | grep smtp ss -atn | grep [smtp port number]
- Note that if the Local Address shown is 127.0.0.1 only, your SMTP server will not be reachable by other machines.
- Run the following command pipe line and study the output carefully:
[instructor@pri-dns ~]$ ps -ef | grep -v grep | grep postfix root 122055 1 0 18:53 ? 00:00:00 /usr/libexec/postfix/master -w postfix 122057 122055 0 18:53 ? 00:00:00 qmgr -l -t unix -u postfix 122105 122055 0 18:54 ? 00:00:00 tlsmgr -l -t unix -u postfix 122216 122055 0 20:33 ? 00:00:00 pickup -l -t unix -u
- Look up the man page for "qmgr", "tlsmgr", and "pickup", and find out the purpose of those processes.
The SMTP Protocol: clear text commands/responses
- As a regular user on VM2, execute the commands given in the "Command" column and record the output in the corresponding "Response" column for future reference. Do not proceed if the first command does not establish a connection to the SMTP port on the local host.
| - - - Command - - - | - - - - - - - - - - - - Response - - - - - - - - - - - - |
|---|---|
| nc localhost 25 | 220 pri-dns.gbecker.ops ESMTP Postfix |
| HELO seneca.ops | |
| ELHO seneca.ops | |
| NOOP | |
| RSET | |
| VERB | |
| EXPN ops535m | |
| VRFY root | |
| VRFY nobody | |
| HELP | |
| QUIT |
postfix main configuration file: /etc/postfix/main.cf
- Login to your VM1, and run the following nc command to try to connect to the SMTP server on your VM2:
nc 192.168.x.2 25 (replace x with your network number)
- You may get one of the following responses:
[instructor@router ~]$ nc 192.168.2.2 25 Ncat: No route to host.
or
[instructor@router ~]$ nc 192.168.2.2 25 Ncat: Connection refused.
- The 1st problem is due to the firewalld configuration on your VM2. You need to enable the smtp service.
- The 2nd problem is due to the configuration of postfix, its default configuration is just bind to the loop back interface.
- Switch back to VM2, backup the file /etc/postfix/main.cf to /etc/postfix/main.cf.org as root or by sudo.
- Study the contents of the file /etc/postfix/main.cf. (Look for the parameters you learned about in OPS335)
- Edit the file "/etc/postfix/main.cf" with the following changes:
comment out the line "inet_interfaces = localhost" uncomment the line "inet_interfaces = all"
- Save the changes, and run the "diff" command on /etc/postfix/main.cf and /etc/postfix/main.cf.org and make sure you get something similar to the following:
[instructor@pri-dns ~]$ diff /etc/postfix/main.cf.org /etc/postfix/main.cf 132c132 < #inet_interfaces = all --- > inet_interfaces = all 135c135 < inet_interfaces = localhost --- > #inet_interfaces = localhost
- 132c132 means line 132 in /etc/postfix/main.cf.org has been changed to line 132 in /etc/postfix/main.cf and 135c135 means similarly.
- Restart "postfix" service on VM2.
- Check to confirm that postfix is listening on smtp port on all network interface (i.e. with local address 0.0.0.0):
[instructor@pri-dns ~]$ ss -at State Recv-Q Send-Q Local Address:Port Peer Address:Port ... LISTEN 0 100 0.0.0.0:smtp 0.0.0.0:* ... LISTEN 0 100 [::]:smtp [::]:* ...
- Switch to VM1, and login as a regular user. Execute the commands given in the "Command" column and record the output in the corresponding "Response" column for future reference. Do not proceed if the first command does not establish a connection to the SMTP port on the VM2, replace the place holder [VM2-IP-ADDR] with your VM2's actual IP address.
| - - - Command - - - | - - - - - - - - - - - - Response - - - - - - - - - - - - |
|---|---|
| nc [VM2-IP-ADDR] 25 | 220 pri-dns.gbecker.ops ESMTP Postfix |
| HELO seneca.ops | |
| ELHO seneca.ops | |
| NOOP | |
| RSET | |
| EXPN ops535m | |
| VRFY ops535m | |
| QUIT |
Investigation 2: mailing list (on postfix)
Files from the postfix rpm package
- Postfix keeps its configuration files in the /etc/postfix directory. Postfix's two main configuration files are /etc/postfix/main.cf and /etc/postfix/master.cf. On a CentOS 8.x system, you can use the "rpm -ql" command to get a list of all the files in the posftfix rpm package. You may notice that the postfix rpm package contains a few files named or partly named as "sendmail". You can get a list of those files with the following command:
rpm -ql postfix | grep sendmail
Investigate the purpose of the two files named "/usr/lib/sendmail" and "/usr/bin/sendmail".
- Postfix use an alias file to implement simple mailing list. The name and location of the alias file is configured in the main.cf file.
Try the following command:
grep "alias_[maps|database]" main.cf | grep -v "#"
and record the output for future reference.
Configure mailing list for postfix
- On your VM2. Backup the file "/etc/aliases" to /etc/aliases.org" and execute the following commands as root:
[root@pri-dns ~]# echo "ops535m: adm,ftp" >> /etc/aliases [root@pri-dns ~]# echo "smtp-lab: student,instructor" >> /etc/aliases [root@pri-dns ~]# newaliases
- Switch back to regular user and execute the command in the "Command" column and record the output in the "Response" column. Please replace the IP address place holder [IP-Addr] with the actual IP address of your VM2.
| - - - Command - - - | - - - - - - - - - - - - Response - - - - - - - - - - - - |
|---|---|
| nc [IP-Addr] 25 | 220 pri-dns.gbecker.ops ESMTP Postfix |
| HELO seneca.ops | |
| EXPN ops535m | |
| VRFY ops535m | |
| VRFY smtp-lab | |
| QUIT |
- Compare the results for "VRFY ops535m" in this investigation and the previous one and comment on their difference.
- Login using your Seneca user name <senaca_name> and execute the following command:
/usr/sbin/sendmail -bv postmater
- You should get a response similar to:
Mail Delivery Status Report will be mailed to <seneca_name>.
- Type the "mail" command and check for the "Mail Delivery Status Report" and answer the following questions:
- (a) If a message is addressed to "postmater", who will actually receive the message?
- (b) If a message is addressed to "smtp-lab", who (may be more than one) will actually receive the message?
- Study the /etc/aliases file on VM2.
- Type the "mail" command and check for the "Mail Delivery Status Report" and answer the following questions:
Investigation 3: mail queues (on postfix)
Completing the Lab
Review Questions
- 1. Why did you get “command not recognized” as the output for the EXPN command?
- 2. What does the VRFY command ask Postfix to do?
- 3. How do you add a mailing list called “helpdesk” on your Postfix VM so that all email send to the “helpdesk”mail list will be forwarded to user ldapuser1?
- 4. Would you be able to nc from your other virtual machines to the SMTP port on your VM3 and repeat the task in investigation 1 step (15)? If not, what would you need to change on your Postfix server to allow other machines to connect to the Postfix mail server?
- 5. Who is the owner of the file /tmp/ops535.mail?
- 6. Who has the read permission on the file /tmp/ops535.mail?
- 7. What is the "Return Path" indicated in the file /tmp/ps535.mail?
- 8. What command will perform the same function as "/usr/sbin/sendmail -bi" ?
- 9. What is the absolute path and access permission of the directory used by Postfix to store outgoing messages?
- 10.What command would you use to get a Mail Delivery Status Report?
- 11. What command will show you the queue ID of an outgoing email waiting for delivery in the mail queue?
- 12.How do you delete an outgoing message which is sitting in the queue directory?
