Sunday, December 26, 2010

Installing and configuring mod_security-Ubuntu 9.04


This how-to is reported to work in Ubuntu 8.04-10.10 as well.

What is mod_security you ask ?


Mod Security can significantly increase the security of your Apache installation.
 
What Is ModSecurity?

ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

It is also an open source project that aims to make the web application firewall technology available to everyone.

Do not think you need this ? Follow along with the examples and decide for yourself (This tutorial assumes you already have Apache and php5 installed).
First, let us look at the default Apache behavior. I will use “ubuntuVPS” as the server of interest.

“Insecure” Example 1 – curl

Use curl to obtain information on the server (bodhi@home is a remote machine connecting to “ubutnuVPS”. You can test all this with any browser if you wish, simply use your server’s home page).
bodhi@home# curl -i ubuntuVPS
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:06:21 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch
Last-Modified: Tue, 28 Apr 2009 21:39:54 GMT
ETag: "50d4a-2d-468a44dadbe80"
Accept-Ranges: bytes
Content-Length: 45
Vary: Accept-Encoding
Content-Type: text/html
< html>< body>< h1>It works!< /h1>< /body>< /html>

Looks like this in your browser (the famous It works! page)

See how with a single command we already know the server is Ubuntu running Apache 2.2.11 and PHP 5.2.6 ?

“Insecure” Example 2 – bad .php

For this I will ask you to create a file “/var/www/insecure.php”
Put the following code in the file :
# vim /var/www/insecure.php
< ? $secret_file = $_GET['secret_file'];
include ( $secret_file); ? >;

Note: I had to put a space at the front of the php tag “<; ?”, remove it.

Now what ? Open a browser and enter http://ubuntuVPS/insecure.php?secret_file=/etc/passwd

I shall use curl in this example:
bodhi@home# curl -i "http://ubuntuVPS/insecure.php?secret_file=/etc/passwd"
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:24:11 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-3ubuntu4.1
Vary: Accept-Encoding
Content-Length: 860
Content-Type: text/html
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
postfix:x:104:107::/var/spool/postfix:/bin/false

YIKES !!!

Install and configure mod_secure

There was a time when installing mod_security was a bit difficult, now it is as easy as :
sudo apt-get -y install libapache-mod-security
The “hard part” is that we need to configure mod_security and obtain a few rules.

Configure mod_security

Using any editor, make a file “/etc/apache2/conf.d/modsecurity2.conf” and put the following contents in the file.
#vim /etc/apache2/conf.d/modsecurity2.conf
< ifmodule mod_security2.c>
Include conf.d/modsecurity/*.conf
< /ifmodule>

Note: I had to add a space at the front of the tag “< ifmodule mod_security2.c>” and “< /ifmodule>”, remove them.

By default, mod_security logs to /etc/apache2/logs, the following commands will put the log in /var/log/apache2/mod_security and create a symbolic link back to /etc/apache2/logs

sudo mkdir /var/log/apache2/mod_security
sudo ln -s /var/log/apache2/mod_security/ /etc/apache2/logs
Download and install rules
Download rules from here

As of this writing, the rule set was “modsecurity-core-rules_2.5-1.6.1.tar.gz”, you may need to adjust accordingly as new rules are released.
sudo mkdir /etc/apache2/conf.d/modsecurity
cd /etc/apache2/conf.d/modsecurity
sudo wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
sudo tar xzvf modsecurity-core-rules_2.5-1.6.1.tar.gz
sudo rm CHANGELOG LICENSE README modsecurity-core-rules_2.5-1.6.1.tar.gz


Enable mod_security:

sudo a2enmod mod-security
Now restart Apache
That’s it :)

Testing mod_security

“Secure” Example 1 – curl
bodhi@home# curl -i http://ubuntuVPS
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:44:42 GMT
Server: Apache/2.2.0 (Fedora)
Last-Modified: Tue, 28 Apr 2009 21:39:54 GMT
ETag: "50d4a-2d-468a44dadbe80"
Accept-Ranges: bytes
Content-Length: 45
Vary: Accept-Encoding
Content-Type: text/html
< html>< body>< h1>It works!< /h1>< /body>< /html>

Look no more server or php information (Fedora apache 2.2.0 , LOL !!! )

“Secure” Example 2 – bad .php
bodhi@home# curl -i "http://ubuntuVPS/insecure.php?secret_file=/etc/passwd"
HTTP/1.1 501 Method Not Implemented
Date: Tue, 28 Apr 2009 22:47:38 GMT
Server: Apache/2.2.0 (Fedora)
Allow: TRACE
Vary: Accept-Encoding
Content-Length: 291
Connection: close
Content-Type: text/html; charset=iso-8859-1
< !DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
< html>< head>
< title>501 Method Not Implemented< /title>
< /head>< body>
< h1>Method Not Implemented< /h1>
< p>GET to /insecure.php not supported.< br />
< /p>
< hr>
< address>Apache/2.2.0 (Fedora) Server at ubuntuvps Port 80< /address>
< /body>< /html>

Looks like this in your browser:
"501 Method Not Implemented
Method Not Implemented"
GET to /insecure.php not supported.Apache/2.2.0 (Fedora) Server at ubuntuvps Port 80
Ah 501 Error looks much better then the contents of /etc/passwd :)
Where to go from here ?

1. Monitor your logs :
tail /var/log/apache2/mod_security/modsec_audit.log
 
2. Learn / edit your mod_security rules : ModSecurity Reference Manual

3. Delete bad.php, LOL
sudo rm -rf /var/www/insecure.php

I hope you enjoyed and learned from this tutorial :)

Reference:
"This is just a copy cat of the post from http://blog.bodhizazen.net/linux/how-to-mod_security-ubuntu-904/
All credit should go to the respective author. I tried the method in Ubuntu 10.10 and it works fine."

Note:-
Some of the rules may deny the access to you applications (eg: phpmyadmin/drupal etc). Test the rules well before you implement.

Thursday, July 22, 2010

HowTo: 10 Steps to Configure tftpboot Server in UNIX / Linux (For installing Linux from Network using PXE)


In this article, let us discuss about how to setup tftpboot, including installation of necessary packages, and tftpboot configurations.

TFTP boot service is primarily used to perform OS installation on a remote machine for which you don’t have the physical access. In order to perform the OS installation successfully, there should be a way to reboot the remote server — either using wakeonlan or someone manually rebooting it or some other ways.

In those scenarios, you can setup the tftpboot services accordingly and the OS installation can be done remotely (you need to have the autoyast configuration file to automate the OS installation steps).

Step by step procedure is presented in this article for the SLES10-SP3 in 64bit architecture. However, these steps are pretty much similar to any other Linux distributions.

Required Packages

The following packages needs to be installed for the tftpboot setup.
dhcp services packages: dhcp-3.0.7-7.5.20.x86_64.rpm and dhcp-server-3.0.7-7.5.20.x86_64.rpm
tftpboot package: tftp-0.48-1.6.x86_64.rpm
pxeboot package: syslinux-3.11-20.14.26.x86_64.rpm

Package Installation
Install the packages for the dhcp server services:
$ rpm -ivh dhcp-3.0.7-7.5.20.x86_64.rpm
$ rpm -ivh dhcp-server-3.0.7-7.5.20.x86_64.rpm
$ rpm -ivh tftp-0.48-1.6.x86_64.rpm
$ rpm -ivh syslinux-3.11-20.14.26.x86_64.rpm

After installing the syslinux package, pxelinux.0 file will be created under /usr/share/pxelinux/ directory. This is required to load install kernel and initrd images on the client machine.

Verify that the packages are successfully installed.
$ rpm -qa | grep dhcp $ rpm -qa | grep tftp

Download the appropriate tftpserver from the repository of your respective Linux distribution.
 
Steps to setup tftpboot
Step 1: Create /tftpboot directory
Create the tftpboot directory under root directory ( / ) as shown below.
# mkdir /tftpboot/
Step 2: Copy the pxelinux image
PXE Linux image will be available once you installed the syslinux package. Copy this to /tftpboot path as shown below.
# cp /usr/share/syslinux/pxelinux.0 /tftpboot
Step 3: Create the mount point for ISO and mount the ISO image
Let us assume that we are going to install the SLES10 SP3 Linux distribution on a remote server. If you have the SUSE10-SP3 DVD insert it in the drive or mount the ISO image which you have. Here, the iso image has been mounted as follows:
# mkdir /tftpboot/sles10_sp3
# mount -o loop SLES-10-SP3-DVD-x86_64.iso /tftpboot/sles10_sp3
Refer to our earlier article on How to mount and view ISO files.

Step 4: Copy the vmlinuz and initrd images into /tftpboot
Copy the initrd to the tftpboot directory as shown below.
# cd /tftpboot/sles10_sp3/boot/x86_64/loader 
# cp initrd linux /tftpboot/
Step 5: Create pxelinux.cfg Directory
Create the directory pxelinux.cfg under /tftpboot and define the pxe boot definitions for the client.
# mkdir /tftpboot/pxelinux.cfg 
# cat >/tftpboot/pxelinux.cfg/default 
default linux 
label linux 
kernel linux 
append initrd=initrd showopts instmode=nfs install=nfs://192.168.1.101/tftpboot/sles10_sp3/
The following options are used for,
kernel – specifies where to find the Linux install kernel on the TFTP server.
install – specifies boot arguments to pass to the install kernel.

As per the entries above, the nfs install mode is used for serving install RPMs and configuration files. So, have the nfs setup in this machine with the /tftpboot directory in the exported list. You can add the “autoyast” option with the autoyast configuration file to automate the OS installation steps otherwise you need to do run through the installation steps manually.

Step 6: Change the owner and permission for /tftpboot directory
Assign nobody:nobody to /tftpboot directory.
# chown nobody:nobody /tftpboot 
# chmod 777 /tftpboot
Step 7: Modify /etc/dhcpd.conf
Modify the /etc/dhcpd.conf as shown below.
# cat /etc/dhcpd.conf 
ddns-update-style none; 
default-lease-time 14400; 
filename "pxelinux.0"; 
# IP address of the dhcp server nothing but this machine. 
next-server 192.168.1.101; 
subnet 192.168.1.0 netmask 255.255.255.0 { 
# ip distribution range between 192.168.1.1 to 192.168.1.100 
range 192.168.1.1 192.168.1.100; 
default-lease-time 10; 
max-lease-time 10; 
}
Specify the interface in /etc/syslinux/dhcpd to listen dhcp requests coming from clients.
# cat /etc/syslinux/dhcpd | grep DHCPD_INTERFACE DHCPD_INTERFACE=”eth1”;
Here, this machine has the ip address of 192.168.1.101 on the eth1 device. So, specify eth1 for the DHCPD_INTERFACE as shown above.

On a related note, refer to our earlier article about 7 examples to configure network interface using ifconfig.

Step 8: Modify /etc/xinetd.d/tftpModify the /etc/xinetd.d/tftp file to reflect the following. By default the value for disable parameter is “yes”, please make sure you modify it to “no” and you need to change the server_args entry to -s /tftpboot.
# cat /etc/xinetd.d/tftp 
service tftp { 
     socket_type = dgram 
     protocol = udp 
     wait = yes 
     user = root 
     server = /usr/sbin/in.tftpd 
     server_args = -s /tftpboot 
     disable = no 
                  }
Step 9: No changes in /etc/xinetd.conf
There is no need to modify the etc/xinetd.conf file. Use the default values specified in the xinetd.conf file.

Step 10: Restart xinetd, dhcpd and nfs services
Restart these services as shown below.
# /etc/init.d/xinetd restart 
# /etc/init.d/dhcpd restart 
# /etc/init.d/nfsserver restart
After restarting the nfs services, you can view the exported directory list(/tftpboot) by the following command,
# showmount -e
Finally, the tftpboot setup is ready and now the client machine can be booted after changing the first boot device as “network” in the BIOS settings.
If you encounter any tftp error, you can do the troubleshooting by retrieving some files through tftpd service.

Retrieve some file from the tftpserver to make sure tftp service is working properly using the tftp client. Let us that assume that sample.txt file is present under /tftpboot directory.
$ tftp -v 192.168.1.101 -c get sample.txt

Reference:
This article is a copy of http://www.thegeekstuff.com/2010/07/tftpboot-server/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed:+TheGeekStuff+(The+Geek+Stuff).

Monday, March 15, 2010

12. Postfix Installing and configuring Courier-Auth Libs, Courier-IMAP and POP3


    The Courier mail transfer agent (MTA) is an integrated mail/groupware server based on open commodity protocols, such as ESMTP, IMAP, POP3, LDAP, SSL, and HTTP. Courier provides ESMTP, IMAP, POP3, webmail, and mailing list services within a single, consistent, framework. Individual components can be enabled or disabled at will. The Courier mail server now implements basic web-based calendaring and scheduling services integrated in the webmail module.
Installing Courier Auth Lib:
    The Courier Authentication Library is a generic authentication API that encapsulates the process of validating account passwords. In addition to reading the traditional account passwords from /etc/passwd, the account information can alternatively be obtained from an LDAP directory; a MySQL or a PostgreSQL database; or a GDBM or a DB file. The Courier authentication library must be installed before building any Courier packages that needs direct access to mailboxes (in other words, all packages except for courier-sox  and courier-analog).
    Here we will download compile and install the courier-authlib source code for authentication daemon. This will provides the backend authentication that is required by both POP3 and IMAP. The source code can be  downloaded from http://www.courier-mta.org/. The courier can be used with Sendmail, Qmail or Postfix. The courier-mta supports the retrieval of mail from Maildir format and it doesn't support the old MBOX format. Authentication mechanism using courier authlib:
    MUA sends the authentication to IMAP/POP3. The IMPA/POP3 hands over the request to courier-auth libs. Now the courier auth libs quires the user database (/etc/passwd, LDAP, MySQL)
MUA -> IMPA/POP3 -> Courier authlib -> userdb
Installing courier auth libs
    Here we are interested in installing the courier IMAP and POP3 servers. to accomplish this initially we have to install the courier-auth libraries.
So download the authlib seperately and install it.
# wget http://sourceforge.net/projects/courier/files/authlib/0.63.0/courier-authlib-0.63.0.tar.bz2/download
# tar -jxvf courier-authlib-0.63.0.tar.bz2
# cd courier-authlib
# su user
$ ./configure
$ make
$ su root
# make install
# make install-configure
    The entire process installs the binaries and configuration files. Binary named "authdaemond" under "/usr/local/sbin" directory is executing as the authlib daemon. This consults the /usr/local/etc/authlib/authdaemonrc configuration file.
Starting the authlib daemon
# /usr/local/sbin/authdaemond start
# ps -ef |grep authdaemond
    Auth daemon is not bounded to any tcp or udp ports. But it is ready to accept any of authentication requests from IMAP or POP3. "If the auth daemon is not running the authentication process in IMAP and POP3 will not work".
Installing courier imap (Installs the IMAP and POP3 service)
    Both the pop3 and imap service is installed with the package courier-imap. 
Download the package from http://www.courier-mta.org/download.php#imap and install the package
# wget https://sourceforge.net/projects/courier/files/imap/4.7.0/courier-imap-4.7.0.tar.bz2/download
# tar -jxvf courier-imap-4.7.0.tar.bz2
# cd courier-imap
# su user
If we need to have the SSL support, we need to have installed the openssl and openssl-devel packages installed.

$ ./configure
$ make
$ su root
# make install
# make install-configure
    These steps finishes courier-imap installaion. "/usr/lib/courier-imap" is the directory location of the courier-imap installation. "/usr/lib/courier-imap" contains binaries, libraries, shared libraries and configuration files.
    Note: The default facility in syslog used by courier-imap is "mail". This can be chaged while compiling the binary

Configuring and Running Courier-POP3
    Now we will configure the Courier-pop3 for retrieval of mail.
Inside "/usr/lib/courier-imap/libexec" directory has the startup script named pop3.rc and pop3-ssl.rc to start  the pop3 and  pop3 ssl services respectively.
Starting the pop3 service
# cd /usr/lib/courier-imap/libexec
# ./pop3.rc start
    This will start the pop3 service and bind to 110. Now check the service runs by the following command
# netstat -ntlp | grep 110
    Now test the retrieval of msg using any MUA from outside using the pop3 protocol. By default courier will retrieve the msgs from user mailbox (Maildir). Usually pop3 retrieves the mails from the "new" directory of Maildir struchure.

Implementing pop3-ssl
    Normal pop3 transmits the msg in clear text format over the wire.In order to implemented the secured transfer of mails (encrypted) we have to run pop3-ssl.To Inorder to accomplish this we have to generate the self  signed certificate or purchase a signed certificate from a trusted certificate authority that our email client trust.

Generating own self signed certificate:
    Courier-mta includes the scripts to generate self signed certificate using openssl.
# cd /usr/lib/courier-imap/etc
    In this directory we have a file called pop3d.cnf which contains the answers to the questions usually asked while attempt to generate the self signed certificate using the script inbuilt in courier-mta
# vim pop3d.cnf
    Change the parameters to suite our enviornment. eg:- Locality, organization, organization unit, host, email address etc Save the file and navigate to the folder which contains the script to generate the certificate.
# cd ../share
# ./mkpop3dcert

# ls pop3.pem
    This will generate the certificate with respect to the pop3d.cnf created before in current location.
Now navigate to libexec folder and start the pop3d-ssl script to start pop3 in secure mode. This will bind the port 995
# cd /usr/lib/courier-imap/libexec
# ./pop3d-ssl.rc start
# netstat -tulpn |grep 995
    Now we can see that the pop3s server started and running on port 995.
Test it in MUA by changing the incoming mail pop3 to use a secure connection (ssl).Now send and receive mails by accepting the certificate.

Making the pop3 and pop3s service available at startup
Make a symbolic link to /etc/init.d.
# ln -s /usr/lib/courier-imap/libexec/pop3d.rc    /etc/init.d/
# ln -s /usr/lib/courier-imap/libexec/pop3d-ssl.rc    /etc/init.d/
# cd /etc/init.d
Now point to the runlevel where to start the script. To start in runlevel 3
# cd /etc/init.d/rc3.d
# ln -s ../pop3d.rc S20pop3d
# ln -s ../pop3d-ssl.rc S20pop3-ssld
    This will create a startup script for the given runlevel. Make sure that we will create a Kill script in same method to kill/stop the service when system changes its runlevel.

Configuring and running Courier-imap service
    The Courier-imap service startup script reside at the same location, where courier-pop3 locates
Starting the imap service
# cd /usr/lib/courier-imap/libexec
# ./impad.rc start
# netstat -ntlp | grep 143
    This will show the imap service running and listening to the port 143
Configuring Courier-imap
    The configuration file is located at "/usr/lib/courier-imap/etc" named "imapd"
# vim /usr/lib/courier-imap/etc/imapd
    All derivatives are self explanatory. This file used to configure the listening address, port and number of daemons to start upon the binary starts etc.
    Test the mail retrievel by configuring the MUA with IMAP. The credentials given is matched by the server with the /etc/passwd by default. And /etc/passwd is the file that tells where the Maildir resides (Courier checks the mails in the  Maildir of users mail directory). IMAP communicates with clear text format by default.

Configuring Courier-imaps
    This enables the communication by encryption with the help of SSL.
# vim /usr/lib/courier-imap/etc/imapd.cnf
    Edit the above file for generate the certificate properly. Change the Country, State, Locality, Organization unit, Common name email address etc. Now generate the certificate
# ./usr/lib/courier-imap/share/mkimapdcert
    This will create a certificate named imapd.pem.
Now start the imapd-ssl service
# ./usr/lib/courier-imap/libexec/imap-ssl.rc start
# netstat -ntlp |grep 993
    Most client that support Imap with ssl will connect default to the port 993. This port is configurable in "courier-imap/etc/imapd-ssl" . Test the configuration by changing the Incoming mail server as imap with ssl. Restart the application and this will prompt to accept the certification for further communication.

Wednesday, March 10, 2010

11. Postfix MailBox


Postfix supports 2 types of Mail Box formats
1. MBOX Format
2. MailDir Format

MBOX (/var/spool/mail/$user)
    MBOX is the default storage method used in the Postfix. This is also the traditional Unix format to store the msgs. This appends the mails to a single file in sequential fashion. This file needs to be locked by any application for writing into it. In a high utilized servers there may be issues of locking and performance if you are using the MBOX format. Because only one application at a time is able to read and write the file same time. By default postfix delivers mail to the file object in the spool directory. (For Eg: For user root the  MBOX file is /var/spool/mail/root). Most of the mail retrieving technologies such as imap and pop3 base servers are following this directory structure by default.
Spooling mails in same MBOX format to users home directory.
    This will results the mail delivery in users home directory. There is a MAIL variable in users shell that defines the default location of the mails for the MUA. The following command shows the mail variable.
# echo $MAIL
# set |grep -i mail
Moving the MBOX to users home
# vim  /etc/postfix/main.cf
home_mailbox = Mailbox
# postfix reload
    The default behavior of postfix is to spool the mail to the /var/spool/mail directory. By defining the home_mailbox postfix will delivers the mail to the users home directory. The file named "Mailbox" will be created by the Postfix daemon.
Now change the mail variable for the user(recommended when localy installed MUA such as mutt, mail etc used).
# export MAIL=~/Mailbox
Make it permanent (following shows for bash shell)
# vim /etc/bashrc
export MAIL=~/Mailbox
Now source the file and check the mail variable
# .   /etc/bashrc
# echo $MAIL
    Now the MUA will be able to get the mail from exact location.

Maildir
    This is newer Unix standard to route the mail to a directory struchure. Maildir provides the superior scaling as well as "no locking issues".
Implementing Maildir
# vim /etc/postfix/main.cf
home_mailbox = Maildir/
# postfix reload
     The above process will create a sub-directory in each users home directory called Maildir. Beneath this directory contains the structure that contains the msgs. Maildir is introduced by Qmail and recognized and supported by almost all the MUAs. Test sending a mail to any user in the system and trace the newly created directory inside the home.
# ls ~/Maildir
cur
new
tmp
    These are the three sub directories created by postfix. When a msg is spooled typically copied in to the "tmp" directory. "new" directory contains the unread mails. The mails containing in the directory "new"  has a typical nomenclature for the identification of the msgs.
Eg:- 2214525412.v80osui654.destinedhost.
    In the above file name the initial prefix (2214525412) is the unique identified that corresponds to the time after the epoc time 1970 (command "date +%s" shows the current epoc time). "v80osui654" is the identified added by postfix and followed by the destination host name of the mailbox."cur" (current) directory contains the read mails
The MAILDIR variable has to be set and MAIL variable has to be unset
# unset MAIL
# export MAILDIR=~/Maildir
    The variable change need to be specified globally. if we are using any MUAs depends upon this variable, else the mails wont be able to process by MUAs.
Set the variables globally
# vim /etc/bashrc
unset MAIL
export MAILDIR=~/Maildir
# . /etc/bashrc

Monday, March 8, 2010

10. Postfix Virtual Domains


    By default postfix has setup to handle few domains, defined by $mydestination. The idea of the virtual domain is to  map the multiple domains to the same server. " hostname -f " shows the FQDN also known as canonical domain used by Postfix.
Note: The IP address also considers as domain. For eg:- A message To: user@[10.0.0.1] (The "[]" is must). So in this case the IP address is also considered as the domain. This domain is also considered as a part of the canonical domain.

Basic Virtual Domain Configuration

# vim /etc/postfix/main.cf
mydestination = $myhostname, localhost, $mydomain, anewdomain.com, someotherdomain.com
relay_domains = $mydestination
# postfix reload
    Now the messages that destined to the domains listed in the $mydestination will be handled by the server. So messages send to a user at domain that defined at $mydestination will be delivered locally.
For Eg:- Mail send to kiran@anewdomain.com and kiran@someotherdomain.com will get deliver to the same user in the host. In other words the list of domains that defined in the $mydestination will be considered to be local and delivers the mail locally.

Virtual Domains Using Maps For Single Domain
    This scenario is used ideally in a Linux mail server where the local users need to share the different domains, (used in ISP environment).
Splitting Local users in to separate domains
    To do so we have to setup the virtual aliases maps
# vim /etc/postfix/main.cf
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual
     virtual_alias_domains tells what domains are needed to be supported by virtaul alias maps
# vim /etc/postfix/virtual
userdd@example.com    kiran
dduser@example.com    jam
# postmap /etc/postfix/virtual
   The format is as same as in the transport table. In the Left Hand Side we mention the address that need to be mapped and in Right Hand Side we mention the local or remote user mail address to which mail has to be delivered.
# postfix reload
Reload the postfix service

# postconf  | grep virtual_alias_
    Now test the setting by composing the msg to the user userdd@example.com and dduser@example.com. The msg will be delivered to the local user kiran and jam respectively.

Virtual Domains Using catch all features.
    In a virtual alias map environment if mail is send to a non-existing Local user in a postfix server the mail will be rejected with the error "recipient address rejected" in log file. This situation could be overcome by defining the catchall address for the domain. But these feature will be subjected to catch all the mails that coming to the domain and obviously the server will be filled up with spam mails. So it is not at all considered to be used at production environment.
Defining the catch all
# vim /etc/postfix/main.cf
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual
 # vim /etc/postfix/virtual
@example.com    kiran
# postmap /etc/postfix/virtual
    Here all the mails that comes to the domain example.com will be routed to user kiran.

The following virtual map file will send the all mails coming to the domain example.com to multiple recipients.
# vim /etc/postfix/virtual
@example.com    kiran, user1, user2, user3

The following virtual map will send the mails coming to user kiran@example.com to remote domain kiran@secureserver.com.
# vim /etc/postfix/virtual
kiran@example.com        kiran@secureserver.com
   
Virtual alias Maps For Multiple Domains
    The following example shows the configuration of the multiple domains
# vim  /etc/postfix/main.cf
virtual_alias_domains = firstdomain.com, seconddomain.net, thirddomain.org, fourthdomain.com
virtual_alias_maps = hash:/etc/postfix/virtual


# vim /etc/postfix/virtual
sales@firstdomain.com             kiran
hr@seconddomain.net               jam
finance@thirddomain.org        jeo
project@fourthdomain.com      paul
abuse@seconddomain.net        abuse

# postmap /etc/postfix/virtual
    This finishes the configuration of the Virtual alias maps
#postmap -q abuse@seconddomain.net /etc/postfix/virtual
    The above command will query the virtual map file for the mapped address.
# postfix reload
    Test the settings by sending mails to each and every users in the new domains.
While testing this configuration make sure that the proper DNS entry in place.

Thursday, March 4, 2010

9. Postfix SmartHost and NullClient


SmartHost
    SmartHost forwards all the mails that are not destined to the same server. Ideally this feature is used to forward mails to the SmartHost Mail server which can masquerade and relay mails to outer world.
Mail Flow example:
Local Server -> SmartHost Server -> Outer World
    In Local server we defines the SmartHost server. So all the mails that are not destined to the Local server will be forwarded to SmartHost Server. Then SmartHost server forwards the msgs to the outer world.

Defining SmartHost
Initially check that what domains the postfix will accept the mails for.
# postconf |grep mydestination
    The output shows the list of the domains that postfix accepts mails for. After defining the SmartHost postfix will forward all the mails to the SmartHost server which are not destined to $mydestination.
# vim /etc/postfix/main.cf
relayhost = smarthost.server.com
    In this scenario postfix forwards all the mails that are not destined local to smarthost.server.com.
Note: In this case the postfix will perform DNS MX record query to the domain smarthost.server.com. Adding square brackets "[]" will skip the MX record query and delivers the msgs directly.
eg: relay_host = [mail1.smarthost.server.com]
# postconf |grep relayhost
# postfix reload
Verify the configuration and reload the postfix service
    Test the configuration by sending mails to outside using this Local Server.Examine the Logs in the Local server as well as in the SmartHost server.

NullClient
    NullClient forwards all the mails including locally generated to the defined server. NullClient never receives any mails.
Mail Flow Example:
internet -> Mail Server exposed Internet -> Internel Mail Server
    From any internet Box the Mail server Exposed to Internet will accept the mails and Using the NullCLient configuration all the mails will be forwarded to Internal Mail Server.

Configuring the NullClient
In the above mail flow diagram the configuration come at the Mail server exposed to Internet
# vim /etc/postfix/main.cf
mydestination =
local_transport = error:Local Mailing is Disabled
relayhost = smarthost.domain.com
mydestination = "nothing" This tells the postfix that we are not handling mails for any domains
local_transport = error:Local Mailing is Disabled  tells that postfix is not handling any of the local mails too.
relayhost tells postfix now to forward all the mails destined local or remote to the SmartHost server defined. Make sure that the SmartHost server has configured to receive the mails for.
Note:
It is "not mandatory" that in a Null Client configuration there should be a "relayhost". If we are not mentioning any smarthost Postfix will attempt to resolve the MX of the destination of the mail and sends the mail directly.
Update master.cf
# vim master.cf
# local     unix        n    n    -    -    local
Comment the above derivative to disable the "local" transport feature of Postfix (local mailing).
# postfix reload
    Reload the postfix configuration. Now the postfix server will act as Null Client and all the mails that generates will be forwarded to the smarthost defined. Test the configuration by sending the mail "from" and "to" to the NullClient host and check the logs.

Wednesday, March 3, 2010

8. Postfix Transport Table - SMTP Routing


    This feature allows to route messages to additional domains according to the Map defined. Here Postfix accepts the message and rather than consulting the DNS for MX record it routes the mail by checking the transport map. In sendmail this feature is called mailertable

Transport Map
The map format is as follows
Left Handside                    Right Hand Side
user@domain.com                 transport:nexthope       
domain.com                       transport:nexthope
host1.domain.com                 transport:nexthope
   In the above format the Right Hand side defines the list of the domains that Postfix accepts the messages and routes. In Left Hand Side defines the transport mechanism that used and the destination of the mails.

Setting up the Transport Mechanism to Route the messages:
Check the derivative that supports transport map
# postconf |grep transport_maps
    transport_maps is the derivative that enables the transport map. By default the derivative will be undefined. The types of transport that supported by the Postfix can be determined by examining the "/etc/postfix/master.cf" file. smtp, local, error etc are the types of the transport defined.
Create the transport map file
# vim /etc/postfix/transport
sales.domain.com           smtp:[internalhost1.domain.com]
tax.domain.com              smtp:[internalhost2.domain.com]
finance.domain.com       smtp:newdomain.com
    The Left hand side we have mentioned the "mails coming from domains" which has to be routed (sales.domain.com) and in the Right hand side we have mentioned the transported which has to be use (smtp) and the destination machine (internalhost1.domain.com).
Note: "While using the transport table, when mails subjected to route, to disable the MX lookup by postfix for the destination domains we have to add the recieving domains inside the square bracket ("[]"). This will tell Postfix to "not perform" the MX lookup of the destined domains.
# postmap /etc/postfix/transport
   Now we have generated the transport map file named transport.db
Enable the transport map feature in the postfix
# vim  /etc/postfix/main.cf
transport_maps = hash:/etc/postfix/transport
# postfix reload
    Now we have integrated the transport map with the postfix.

Testing the configuration
# postconf |grep transport_maps
    Check the maps are defined correctly.
Make sure that the MX record for all the domains that needs to route the mail to another server points to the Mail Routing Server. Now try sending mails destined to domains sales.domain.com, tax.domain.com, finance.domain.com. According to the map defined the Mail Routing server will route the mails to respective host. It is understood that the receiving host has configured to accept the mails from the Mail Router.

Tuesday, March 2, 2010

7. Postfix Relay Domains


      This is an another way of enabling relaying in postfix. By default Postfix will relay mails for the domains that specified in the "mydestination" derivatives (Postfix considers the mail that are originated locally). If we need to add more domains to be relayed through the same server we can user "relay_domains" as well as "mydestination" derivatives.
By default "relay_domains" will be configured with mydestination.
i.e,
relay_domains = $mydestination
By using "relay_domains" derivative postfix is configured to relay mail from domains defined.
For example:
# vim main.cf
relay_domains = $mydestination, new1domain.com, new2nd.domain.com
# smtpd_client_restrictions =
Comment out the above derivative.The smtpd_client_restrictions parameter restricts what clients this system accepts SMTP connections from. By default, this restriction is applied when the client sends the RCPT TO command, the RCPT TO error in the log file points this error.
# postfix reload
# ps -ef |grep master
The above change will allow postfix to relay the mails from new1domain.com & new2nd.domain.com domains."smtpd_client_restrictions" makes the policy to reject the relay from other domains by default.
Note: All the subdomains will be relayed if a domain is specified in "relay_domains". For eg:- if newdomain.com is specified then postfix server will allow relaying all the subdomains like host1.newdomain.com, host2.newdomain.com etc.

Relay Domains with Maps
      Enabling the maps makes MTA to query the data from a database machanism. If a server is hosting many domains and practically entering each domain name in the configuration file is not possible, then we can use database maps for fast query and easier management.

Defining Rlay_domains Maps
# rpm -qa |grep db
Initially check for the Berkley DB packages are installed. These packages will be used by the postfix for database support.
# vim /etc/postfix/main.cf
relay_domains = $mydestination, hash:/etc/postfix/relaydomains
  Now postfix will refer the db file  "/etc/postfix/relaydomains.db" for relaying.
# vim /etc/postfix/relaydomains
domain1.com
domain2.com
domain3.com
domain4.com
domain5.com
# postmap /etc/postfix/relaydomains
"postmap" generates the db file with respect to /etc/postfix/relaydomains.
Note: The postmap utility will show error while running. It is because postmap expects the keys and values. The map file consist of keys and values separated with a white space. In our case we have only mentioned the keys. In a db map file Postmap expects the values for each key at right hand side. In this case the error is ignorable because this is the rare case that postfix will not read the "values" in the right hand side. Even if it shows the error the db file will be created.
# postfix reload
#ps -ef |grep master
  Now we will be able to relay mails from all the domains defined in the "relaydomains" file. After initializing Postfix a new entry to the file along with the postmap command is sufficient for postfix to relay to the newly added domain without restarting the service.

Monday, March 1, 2010

6. Postfix Basic Relay and SMTP-AUTH


Introduction
         Most important feature of the MTA's are the ability to control the relay. Most of the MTA's denies the relay from domains that are consider to be not local or hosts that are considered to be not in same subnet.

Postfix Relay
       Postfix will relay the domains that are "considered to be local by default". These are specified in the main.cf file, but in sendmail there is a local file that contains the list of domains for relay. "hostname -f" which gives the FQDN of the server, by default postfix will accept the mails destined to its domain because it considered to be local. By using the "mydestination" directive the postfix accepts the mails that coming for the domains defined there. "mynetworks" and "mynetworks_style" also controls the relaying initially. All other domains are considered to be "only relayed if the relay is specifically defined".
The Basic relay configuration is done in postfix by
  • mydestination
  • mynetworks
  • mynetworks_style
Following example configures postfix to relay only localhost. (Same method can be applied to configure any single hosts as well.) All other request for relay from other hosts will be rejected.

Configure the postfix to be used to relay only localhost
# vim /etc/postfix/main.cf
mynetworks = 127.0.0.1
mynetwork_style = host
     This means Postfix only relays mails from localhost.
# postfix reload
# postconf |grep mynetwork
    Now try sending msg from any of the hosts in the local network to out side. The relay through this server will be denied. Only the localhost will be able to relay the mails outside. Note: "The server will still be accepting mails avoid confusing the relay with this feature".

SMTP Authentication:
     SMTP auth is used to relay based on the user authentication, permitting roaming users.
We need the cyrus packages which will support the smtp authentication
Check the package availability by the following command. If not install all the cyrus packages
# rpm -qa |grep cyrus
Check the Postfix whether MTA supports the authentication
# telnet localhost 25
ehlo
(have to get the 250-auth reply from the server)
If the binary is not build with the SMPT-AUTH support have to compile and install the postfix with the smtp support. So go to postfix source directory compile and install the postfix
# cd postfix-2.7
# make makefiles CCARG="-DUSE_SASL_AUTH -I/usr/include/sasl" AUXLIBS="-L/usr/lib -lsasl2"
# postfix stop
# make install
    This will compile the binary package with smtp-auth, and the interactive menu appears for installation of the binaries.
After installation of the postfix binaries include the derivatives that supports the smtp-auth in main.cf file
# vim /etc/postfix/main.cf
smtpd_sasl_auth_enable = yes
#This enables the smtpd authentication
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# postfix reload
   "smtpd_recipient_restrictions" is a type of smtpd access policy which is used to reduce the amount of the junk messages and also used to tight the SMTP relay. By defining "smtpd_recipient_restrictions" we are instructing postfix to permit or deny relay to certain destination based on the specification in the policy. Here we have defined the "permit_mynetworks" to permit the relay for all the hosts defined in the mynetworks and "permit_sasl_authenticated" to permit the relay for all the users that have done SMTP authentication and rest all the requests will be rejected using the reject_unauth_destination policy
Confirm the SMTP_AUTH supported
# telnet localhost 25
ehlo localhost
(Check for the 250-AUTH reply)
# tail /var/log/maillog
     Check the log file for any errors
Now we have to configure the SASL to handle the SMTP authentication requests. Create the following file to invoke smtp authentication by SASL
# vim /usr/lib/sasl2/smtp.conf
pwcheck_method: saslauthd
mech_list: plain login
The mech_list is optional that defines the type of the authentication carried out.
# service saslauthd start
# service postfix restart
# ps -ef |grep saslauth
Check the service is running. Now got to the any MUA that supports the smtp authtentication and test the mail relay.

Tuesday, February 23, 2010

5. Postfix - Remote mail, Masquerading, Canonical Names & BCC Maps


Receiving Remote Mail:
 Configuring postfix to receive mail from address as "user@example.com"
    Until and unless we specify the following options the postfix server will not be able to accept the mail for the given domain.
# vim /etc/postfix/main.cf
mydomains = example.com
mydestination = $myhostname, $mydomain, localhost.localdomain
relay_domains = $mydestination
# postfix reload
    The "mydestination" derivative tells postfix that for which domains it receives the mail for. With out the domain information entry in all the three derivatives the postfix will not be able to handle the msgs destined to the domain example.com. With out this entry the postfix will bounce back the msg to the client saying the "msg loop back to my self" error.

Rewriting the Envelops and Headers In Postfix.

Masquerading
Defining outbound Envelop in postfix:
    When we compose and send a msg the envelop and header will reveal the senders FQDN to which we can reply to and the hops (IP address) information respectively.
Masquerading the msg:
# vim /etc/postfix/main.cf
mydomain = example.com
myorigin = $mydomain
    "myorigin" header sets the postfix to appear the msgs to be send from the domain example.com
Note:-
    "Sendmail calls it masquerading and postfix calls it as myorigin"

Canonical Maps:
    In addition to the "myorigin" changes or rewrites the envelop and headers, the postfix can also perform the other hosts envelop and header rewriting based on the maps defined. Before the cleanup daemon stores inbound mail into the incoming queue, it uses the canonical table to rewrite all addresses in message envelopes and in message headers, local or remote. The mapping is useful to replace login names by Firstname.Lastname style addresses, or to clean up invalid domains in mail addresses produced by legacy mail systems. In very simple words we can change the senders from address. Canonical mapping is disabled by default. To enable, edit the canonical_maps parameter in the main.cf file and specify one or more lookup tables, separated by white space or commas. These maps are defined in two columns in a file and converted in to Berkly database.

Canonical maps can be defined in 3 ways.
    1. canonical_maps - rewrites the sender and recipient address
    2. sender_canonical_maps - rewrites the sender address
    3. recipient_canonical_maps - rewrites the recipient address
1. canonical_maps
For Example:-
# vim /etc/postfix/main.cf
canonical_maps = hash:/etc/postfix/canonical
# vim /etc/postfix/canonical
# Left side                        Right Side
# address that would like to rewrite        New Address
kiran        kiranjith.tg

# postmap canonical
    Postmap will convert the canonical file into db file.
# postfix reload
    Reloads the postfix service with new configuration.
Now In order to test the settings send a mail to user kiran being the same user that defined in the canonical map file.
# su - kiran
$ sendmail -v root

Subject:Testing the canonical maps
.
Now check the log and check the mail as logging as root
# tail -f /var/log/maillog
$ mutt
    Being the user Kiran check the header of the mail now. "mutt" is a CLI based mail client in which we can verify the address. We could be able to see that the envelop, both the recipient and sender has been rewritten to the information that stored in the canonical map file. Here in this scenario the mail will appear to be generated from kiranjith.tg@example.com
Note:-
    If the user kiran tries to send the mail to himself in above example the mail envelop will be rewritten with respect to the canonical map defined. So in this case better to have the virtual aliases setup to get these kind of msgs delivered to user. Below example will tell how to have a work around for this issue.

2. sender_canonical_maps:
Rewriting the sender address using sender_canonical_map derivative.
    Sender canonical map only changes the senders address and it leaves the Recipient portion of the envelop untouched in case of user sending the mail to the same user or if a match found in the map file.
# vim /etc/postfix/main.cf
sender_canonical_maps = hash:/etc/postfix/canonical
# vim /etc/postfix/canonical
# Left side                        Right Side
# address that would like to rewrite        New Address
kiran        kiranjith.tg
    Same map file that used for above example can be used in this example also
# postmap canonical
    Creates the canonical db file.
# postfix reload
    Reload the service with new configuration.
        Now test the settings by sending the mail and check the headers. Here we could see that the recipient part is untouched

3. recipient_canonical_maps:
    As we discussed above this derivative will only change the recipient address in case of sending the mail to same or remote user and if the match is done in the canonical map file. Test this derivative by following the above example. Same map file can be used here as well.

Blind Carbon Copy (BCC) maps.
        This feature makes mails to be automatically BCC to defined recipients.

Using Global Method.
# vim /etc/mail/postfix
always_bcc = username
# postfix reload
# postconf  |grep always_bcc
    Now in this scenario all the mails in the system will be send as BCC to the user "username" globally. This scenario typically follows in certain corporates where all the mailing activities should be logged, such as banking industry.
"Test sending a mail by any user. and u should receive a mail BCC to the user "username"".

Using sender_bcc:
    This feature is used to always bcc the mails that comes from a perticular user(sender).
# vim /etc/mail/postfix
sender_bcc_maps = hash:/etc/postfix/sender_bcc
# vim /etc/postfix/sender_bcc
 # the sender     (tab) To whom the bcc recipient mail to go
    user                    monitoring.user
# postmap sender_bcc
Note:-
    Berkley database Library and devel packages are needed to run this postmap utility. Ensure these package are installed or download and install the latest version from the sleepycat website.
# postfix reload
# postconf |grep sender_bcc
# ps -ef |grep master
    Any mails that send by the user "user" will be automatically BCC to the user "monitoring.user"

Using recipient_bcc:
    This process is just the opposite of the sender_bcc process. Here any mails that came to the given user will be BCC to the defined used in the recipient_bcc map database.

Thursday, February 18, 2010

4. Postfix Aliases & .forward file


Aliases
    The common entries in aliases file are postmaster, abuse etc. The default aliases file is located at the /etc/aliases used by Postfix. Also postfix will install the aliases file inside the directory /etc/postfix. The text file is converted to a db file using newaliases command. Aliases file are subjected to grow very large (If it is large company they will have numerous alias entries ), as a result the MTA's will be in much advantage to place these alias entries in a database format for fast and reliable enquiry. The aliases database are by default in "Hash" format. Postfix supports Hash, DBMS etc.
# file /etc/aliases.db
Check your aliases.db file with above command.

Aliases Type
    We already have a detailed description about aliases - Refer Below URL
Refer:
Postfix aliases file has same format as sendmail server use. In fact aliases feature has been taken from sendmail.

Convert Sendmail Aliases File To Postfix
      The change that have to be made in the aliases file is adding the postfix user aliases pointing to user root Thus converting a sendmail aliases file to postfix.
#vim /etc/aliases
postfix: root
# newaliases
# postfix reload
    This is the aliases requirement for the postfix daemon according to postfix documentation. Also we can use the aliases file that created with the installation of postfix. This can be useful if we are creating a new mail server.

Forwarding(Making use of the .forward file) in Postfix
     As in Sendmail if we define a local .forward file in the users home directory Postfix similar to sendmail will attempt to process the ~/.forward file. This .forward file follows the similar syntax as the /etc/aliases file. Any msgs destined to a user can be further forwarded or redirected using .forward file. It allows the user to have control on forwarding the mails.
For Eg:-
The Vacation program is setup by using this .forward file

Setting up Vacation Program
   Go to the home directory of the user 
# cd ~
   Enter the out of office msg
# vim .vacation.msg
Hi thanks for the mail.. I will revert back once I am back
Create the .forward file
# vim .forward
\user, "|/usr/bin/vacation user"
      \user makes postfix to no further look up in the aliases.This enables the vacation program once a mail reaches the user mail box
# vacation -i
This initialise the vacation.db file. This instruct postfix to respond for all the incoming msgs.
Test the vacation program by sending mail to the "user". The user will return a mail with the contends on .vacation.msg

3. Postfix - Local Mail


Working Architecture of Postfix Local Mail
          When a msg is submitted by a local user on the system msgs are place in to "/var/spool/postfix/maildrop" directory. This process can be done by the "sendmail" binary that installed along with the Postfix installation. The msgs can be placed in to the directory with or without the "master" process (Postfix Master daemon). In other words even if the MTA is down the users can place msgs into the queue (maildrop directory) using "sendmail" binary using the process "postdrop". From this maildrop directiory the process called "/usr/libexec/postfix/pickup" which picks up the msgs. This process is spawned by the "master" program. The "pickup" process then feeds the locally submitted msgs to the "cleanup" process. The cleanup process takes care of addressing. Addressing means it fills the missing From & To address with FQDN. Then it moves the msg to the "incoming" queue directory in "/var/spool/postfix". From here the "qmgr" pickups the msgs and delivers based on the next architecture, like smtp, lmtp, local(for local mailing), virtual, pipe etc. The qmgr is responsible for delivering the msg either using local mailing or using the combination of local mailing and SMTP.


Configuring postfix to route the Local Mails
Dumping all the configuration parameters to screen
# postconf
The postconf command with no option prints all the configuration parameters of Postfix.

We need the following parameters in /etc/postfix/main.cf
# vim /etc/postfix/main.cf
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, nis:mail.aliases
Now check the aliases.db file existence
# ls -al /etc/alilases.db
If the file is not existing have to create it with the following command
# newaliases
This command will create a new aliases database with respect to /etc/aliases file. With out the aliases file the local mailing is not possible."Unlike sendmail postfix includes its own local mailer.It is able to deliver msgs locally with out the assistance of third party program such as maildrop, procmail etc". This means that the Postfix has its own local mail delivery capability.
# postfix restart
Testing Postfix Local Mailing.
Send a mail using the Postfix sendmail version binary in MSP mode to a user using the following command
# sendmail -v user
Subject: Testing postfix
Ctrl + d
Check the delivery status by following method
# mailq
This will echo any msgs are in the queue. Successful mail delivery makes this queue empty
# tail /var/log/maillog
The log shows the exact status of the mail. Now login and check the user mailbox
Note:-
MAILCHECK=60 is the shell variable that cheks the mail in users inbox.

Wednesday, February 17, 2010

2. Postfix Post Installation and Initial Configuration


Postfix has 2 key configuration files
1. master.cf
    master.cf configuration file role is to drive the master process and if necessary spawn additional daemons to manage our environment according to the configuration.
# cat /etc/postfix/master.cf
    /usr/libexec/postfix/master is the binary which was installed by the postfix, reads the master.cf file and based on the directives in the file the master binary knows which daemons has to be started.
For Eg:- Since the smtp service is mentioned in the file it starts the daemon smtpd.
The file format or header values of various columns in the file is as below:
service    type    private    unpriv    chroot    wakeup   maxproc    command    + args
service:
    This is the service name provided by the daemon. eg:- smtp, qmgr, rewrite
type:
    This defines whether the service is (inet) internet based, or unix named socket (fifo) or unix domain socket(unix) etc. inet are tcp or udp protocol based daemons
private:
    Only the local services can be configured as the private.
unpriv:
    Service can run as unprivate mode
chroot:
    This defines the daemon about running in chrooted environment.
wakeup:
    This defines the wake up intervals for each services, For eg:- qmgr has 300. pickup has interval 60 by default. This makes the flexibility of postfix installation that each and every process has been carried out by separate binaries and the properties of those binaries can be defined in master.cf file.
maxproc:
    This defines the max process that can be invoked
command  + args:
    This defines the actual command to start the daemon with any required additional arguments.
 Note:-
If a "-" (hyphen) is defined then that means use the default configuration option for the given service
The master.cf file is responsible for spawning all the binaries of postfix service.

2. main.cf
    main.cf contains the directives to drive postfix on our environment.
The key directives that has to be configured for running the postfix with minimal configuration is defined below
Open the file and change the key derivatives
# vim /etc/postfix/main.cf
myhostname = mail.$mydomain
# the host name can be FQDN or host.domain format or just the hostname itself
mydomain = domain.com
myorigin = $mydomain
# This option is for sending the mail.This pertains the msgs are sourced from the local machine. This tells the postfix how to present the from address in the msg header and envolop even if it sending the msg to same system. The above example will send the locally generated mail with the address user@domain.com
# myorigin = $myhostname
    This option will make postfix to send mail with the envelop with full host name(FQDN because the myhostname is defined as hostname.$mydomain), i.e user@mail.domain.com
mydestination = $myhostname, localhost, localhost.$mydomain
# This tells the postfix that which hosts and domains the postfix receives the mails for. This is the replacement of the local-host-names file.
    These are the main configuration changes that needed to start postfix with minimal configurations. Now save the file and start the postfix
# postfix start
# ps -ax |grep master
    Here now we can see that master process is running
# netstat -ntulpn | grep :25
    The port 25 is opened and listening. The master process is running now, which resembles like the inted daemon in Linux machine, because it spawns the binary when necessary.

Configuring postfix to recieve mail having the To address as user@example.com
    Until and unless we specify the following options the postfix server will not be able to accept the mail for the given domian.
# vim /etc/postfix/main.cf
mydomains = example.com
mydestination = $myhostname, $mydomain, localhost.localdomain
relay_domains = $mydestination
# postfix reload
    The "mydestination" derivative tells postfix that for which domains it recieves the mail for.
With out the domain information entry in all the three derivatives the postfix will not be able to handle the msgs destined to the example.com. With out this entry the postfix will bounce back the msg to the client saying the "msg loop back to my self".

Tuesday, February 16, 2010

1. Postfix Installation


Introduction
    In December of 1998, IBM released Secure Mailer as open source software providing a new, freely available alternative to the nearly universal Sendmail program. The program, more commonly known in open-source circles as Postfix, attempts to be fast, easy to administer, and secure. Originally written in 1997 by Wietse Venema at the IBM Thomas J. Watson Research Center and first released in December 1998, Postfix continues as of 2010 to be actively developed by its creator and a small number of contributors. The software is also known under its former names VMailer and IBM Secure Mailer. One of the primary goals of Postfix is to be widely implemented in order to make the most significant impact on the performance and security of Internet email overall. Postfix attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different.

Features of Postfix
Refer:

Download & Install Postfix
    Download the latest version of source from http://www.postfix.org. Download the PGP key and signature as well to verify the source code integrity.Postfix released versions of packages are denoted as postfix.xx.xx.xx.tgz. For example in package postfix.2.6.5.tgz the version can be defined as postfix.MajorRelease.MinorRelease.patch level.tgz.
After downloading we have to match the gpg keys before compiling and installing the package
# gpg --import wiestse.pgp
    The GPG is compatible with the PGP. The above command imports the PGP key downloaded from the Postfix website.
# gpg --list-keys
    Lists all the keys that have imported to GPG.
# gpg --verify postfix-xx.xx.xx.tgz.sig postfix-xx.xx.xx.tgz
    It gives the information about the signature. If there any critical error occurs, have to be taken care and a fresh source code package has to downloaded.

# tar -zxvf postfix-xx.xx.xx.tgz
    Extracts the postfix package and creates the new directory structure named postfix-xx.xx.xx.
Note:-
    It is better to remove all the Mailer programs in the system before installation of the source.
Inside the extracted package the "conf" directory contains the configuration files that moves to /etc/postfix directory after installation. Directory "examples" contains the advanced secured configurations of postfix which includes chroot-setup, qmail-local(how to operate with Qmail), And ways to define the smtp-policy etc. Many binaries such as Sendmail and Postfix tend to run as root. But Postfix has an exception that, Postfix primarily runs as user "postfix", but some of the components need the root privilages such as binding to port 25.
Other directory called "html" contains the documentation of postfix in HTML format so that we can brows through a web client locally. "man" folder contains the man pages that can be copied to system while installation. "src" sub directory holds all the codes for the binaries that produces as a result of the compilation process.


Compiling and Installing  Postfix
Pre-Requisites before compiling Postfix:
    1. As root have to add user & group called postfix and a separate group called "postdrop".
# groupadd postfix
# useradd -g postfix -s /bin/false postfix
    The user postfix doesn't need to have a shell access.
# groupadd postdrop
    2. Backup the binaries which will be over written by postfix installation.
        newaliases - Which generates the aliases
        mailq         - enumerates the mails in the queue
        sendmail    - the Sendmail binaries
            Now backup these binaries, just a renaming will be sufficient. Because all Linux distros ships with a Mailer agent which may contain these binaries.
Compile and install postfix
# cd postfix-2.6.5/
# make
    This makes the binaries with default options.
# make install
    This will install the binaries in to the system folders.
While executing this command, postfix will ask certain questions including the following:-
The install_root - The temp space for installation location
The default configuration directory
The daemon directory
Path of the administrative user command directory
Queue directory
The sendmail path (The postfix provides a sendmail compatible binary which accepts all the command line options that sendmail do)
newalialses path
mailq path
The mail owner
setgid group (here we defines the mail submission group, i.e, postdrop. It is equvalent to sendmail's MSP)
The html documentation location
The man page directory (install with respect to the $MANPATH variable)
Readme file access etc
    After providing the information,the Postfix installation process will start (copies the binaries into the path).

Installed binaries and files:
/usr/libexec/postfix
     This folder contains the binaries which runs as daemons in background as well some applications that are invoke upon necessary. Main binaries are qmgr, cleanup, flush, smtpd. The most important binary is the master binary, which starts while we invoke the postfix daemon (service postfix start).
/usr/sbin
    This folder will be containing postalias, postcat, postfix, sendmail, etc
/var/spool/
    This folder contains folders called Postfix. Postfix perform all of his mail handling in this "postfix" directory including.
/etc/postfix
    This folder contains the key configuration files

Initial configuration before starting the postfix at very first time
    With the default configuration, Postfix returns the warning of hostname is not fully qualified. The hostname search is done by postfix using the binary "hostname ". This returns the short hostname. The FQDN returns with the command "hostname -f". The mailing is relying upon the proper name so its vital to specify the proper FQDN in /etc/postfix/main.cf. Same way we have to define the myorigin,mydestination and mynetworks parameter in same file. /etc/aliases file should be set and the "newalialses" binary should be executed before starting the postfix service.