EMAIL SYSTEM
| File used | Purpose | Front end (theano, elysso) / Back end (gorgo, mirto) |
|---|---|---|
| /etc/aliases | Used only for OS users, so it is static and does not need to change | ✓ ✓ |
| /usr/local/etc/postfix/access | Universal access permissions control | ✓ |
| UCY virtual alias | UCY aliases as forwarded to us from YPS; valid for both ucy and cs | ✓ |
| CS virtual alias | CS aliases as defined by CS; valid only for <alias>@cs.ucy.ac.cy | ✓ |
| CS mailing lists | CS custom mailing lists | ✓ ✓ |
| CS mailman lists | CS mailing lists (Mailman) | ✓ ✓ |

Table 4: Summary of user groups, lists and alias definition files.

Temporary arrangements (for legacy system files): /root/sendfiles, /root/sendmailaliases. Processing on the receivers is also done by cron (see `crontab -l`). [...] to the LDAP repository.

Note 1: Some users/groups are already ONLY on LDAP (13/10/2014) [...] not receive email on [...]. Aliases, groups and lists are prepared on nireas under /etc/postfix and are transferred to the other servers via cron (see [...]). This will be changed eventually, when all names, groups, aliases and lists are cleaned up and the functionality is transferred.

Note 2: A root@in.cs.ucy.ac.cy -> root@cs.ucy.ac.cy alias is required to catch all servers [...] sending messages, since the real servers do [...].

Protecting internal mail lists (NOTE 2: policy on lists and groups). Who can send to which list (e.g. csall, eplxxx etc.)? The preferred method of protecting mailing lists is by using th
Server functionality (Table 2: Server services summary) across Theano (Relay 1), Elysso (Relay 2), Gorgo (Back end 1), Mirto (Back end 2), Thalia (Webmail) and Ariadne (Listserver, obsolete):

- SMTPD receive: Postfix MX, port 25 (on the back ends: from the relays only)
- SMTPD receive submission: Postfix, port 587
- SMTPD user verification: reject_unverified_recipient
- SMTP relay send (front end): LMTP
- SMTP relay to nireas
- IMAP front end: Dovecot director/proxy, port 143
- Managesieve proxy: port 4190
- SMTP back end receiver: LMTP
- Sieve: global sieve and users' sieve, using the Dovecot LDA
- SMTP outgoing: Postfix
- IMAP back end: Dovecot LDA, dsync
- Managesieve back end: port 4190
- AmavisD: SPAM and virus filtering
- WebMail client
- Mailing List Manager (Mailman) client

Operating System / Software Setup

The OS described here is the RedHat/CentOS line of distributions. The instructions in this guide are based largely on the CentOS 6 system. The Linux Installation guide (CS wiki) is followed for the initial OS setup. The email system assumes that there is a working Linux system available with a proper connection to the

Email System Administrator Manual 0.9.odt, Version 0.9.39, Feb 16 2015
(Storage table fragment) iSCSI, /sys/data, mail: hermes, csfs9, horpheas, csfs11, argos, artemis, netapp.

The message store is accessed by the SMTP/IMAP servers using NFS. A future change to a more involved network storage infrastructure (GFS or Gluster) is possible.

Note: Mail permissions are 757 so that the Dovecot LDA can autocreate directories.

Note 2: HERMES export: rw,sync,insecure,no_root_squash for mirto and gorgo.

Quota with Dovecot LDA. Quota is implemented using the Dovecot LDA; see the Postfix and Dovecot configuration. Temporary: over-quota checking should be implemented on the front end so that backscatter is not produced. This requires maildir and the policy service, so temporarily this is done with the overquota file on both front end and back end (reason: aliases will pass through). Migrating from maildir to mdbox. Replication: you need to specify Domain = cs.ucy.ac.cy in /etc/idmapd.conf.

E-Mail Software Setup

A large number of software modules is required to implement a properly secure and robust email system. Most of these subsystems are optional: they are not necessary to have a working email system. They are, however, necessary if we are to build a system that will be secure, fault tolerant and user friendly. Each of these modules has a large number of configuration parameters which, combined together, produce an extremely large combination list. The system depicted in Figure 2 provides a basis for a concrete target system. The system
Introduction

THIS MANUAL CONTAINS ESSENTIAL INFORMATION FOR ADMINISTRATORS TO GUIDE IN THE INSTALLATION, OPERATION AND TROUBLESHOOTING OF THE MAIL SYSTEM AT THE DEPARTMENT OF COMPUTER SCIENCE. THIS IS NOT A COMPLETE MANUAL OF EITHER MAIL SYSTEMS OR THE SOFTWARE USED. SEE THE BIBLIOGRAPHY FOR LINKS ON MORE INFORMATION ABOUT THE SYSTEMS AND SOFTWARE USED.

Email systems in the academic computing environment are unique. For one, they are in a constant state of flux: students come and go at a relatively steady rate all year round, with peaks around semester starts, and these users are not all at the same level of expertise. This manual shows how primarily Postfix, Dovecot and a group of popular Open Source Software (OSS) can be use
[...] receive email (mail LDAP attribute). Manually configured LDAP lists are useful when the number of members for the list is rather small (for example less than 10) OR the list is set up temporarily for testing purposes. These lists are defined similarly to virtual users, in the file CS mailing lists.

Note: /etc/aliases is no longer used by the mail system to resolve user or group aliases. It is only used for system-specific local aliases as defined by the OS, for example mysql -> root, i.e. the mysql user on each server is forwarded to the root user. /etc/aliases plays an important role in system monitoring; see the Linux Installation Guide.

Mailman Lists

- Mailman lists are created using the methods of the Mailman software.
- The aliases information for these lists, generated by Mailman, is placed in the file CS mailman lists.
- List memberships are taken from LDAP groups (uniqueMember). It is also possible to create lists entirely independent from LDAP; see Mailman in the Wiki.
- List message forwarding and redirection is taken from LDAP (mailForwardingAddress).

(Figure: mailman list processing, very draft. Elements: proxy/directors, back end storage, SMTP server, LMTP to thalia, listserv, files, LDAP.)

NOTE: See the section on Mailman mailing lists for how the mailing lists are created.
```
[...]42.2.0/24 194.42.34.0/24
```

SASL configuration. See the Postfix SASL Howto and Dovecot SASL. SASL (Simple Authentication and Security Layer) is an SMTP extension that enables authentication of a client to the SMTP server. This authentication is necessary to allow a remote client to gain higher privileges (e.g. to send mail to remote users). We use the Dovecot SASL implementation over a TCP connection to the back end servers that hold the user data. See also the back end server Dovecot configuration for this.

```
######################################
# SASL configuration
######################################
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = inet:gorgo.in.cs.ucy.ac.cy:12345
smtpd_sasl_security_options = noanonymous
```

SSL/TLS configuration. See (1) Postfix TLS Support and (2) the CentOS HowTo on Postfix/Dovecot TLS/SSL.

```
######################################
# TLS configuration
######################################
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/pki/tls/private/mail.cs.ucy.ac.cy.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.cs.ucy.ac.cy.cert
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
```
Install ucompress, then configure Pigeonhole with `--with-dovecot=/usr/local/lib/dovecot`; `make`; `make test`; `make install`. Copy sieve.conf, sieve-extprogs.conf and managesieve.conf from /usr/local/share/doc/dovecot/example-config/conf.d to /usr/local/etc/dovecot/conf.d. Use these files to configure Pigeonhole (managesieve and sieve).

Appendix B: Future Work

Future Storage

(Illustration: Mail Storage Phase 1; figure not recoverable.)

Illustration 5: Mail Storage Phase 2.

Appendix C: Notes and Pending Issues

1. Also solve the issue of failed mounts; check Dovecot's alternative location feature.

Illustration 6: Storage Phase 3.

2. How to solve the problem of giving the external relay access to the (internal) users DB?
   1. Check the verify(8) Postfix facility.
   2. The scenario is a classic one: (1) one or more relay SMTP servers in the DMZ; (2) one or more back end SMTP servers on the inside network; (3) there may or may not be separate designated incoming or outgoing SMTP servers. Now the desired functionality is of cours
[...] each alias points to (e.g. andreas.kasenides -> ank, or cspg -> all PG students). This is possible through both the lists maintained manually and the LDAP DB, to which they have direct access. Back end systems provide verification services to the relay servers, as described above.

Authentication

Authentication and authorization give users privileges that enable them to make use of the system in a controlled manner. They also allow administrative users to access the OS. Note that authentication exists only on back end systems; front end systems VERIFY the existence of users or proxy authentication to the back end systems. It is currently based on:

- SSSD, which is configured to make use of the central LDAP; these are the so-called system users. Home directories are available for these users.
- Setup on the SMTP back end and IMAP/POP back end (gorgo, mirto):
  - Install sssd and configure:
    - /etc/sssd/sssd.conf
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
  - LDAP authentication system: make sure that authentication works before proceeding (see the Wiki pages). Our authentication for now is based on SSSD, therefore a correct configuration of sssd, pam and ldap is a must (install sssd). With this setup users are considered system users as far as Dovecot is concerned, which means that there are home directories on the local scale (i.e. NFS mounts).
  - Mail storage: mount the mail storage area (Mail).
  - HOME storage: mount the home directories
```bash
# Continuation of the cleanup script: the remaining LEARNFROM folders and the
# retention settings. (The separator between "ank" and "test" in the first
# folder name was lost in extraction.)
LEARNFROM="$LEARNFROM george/.SPAM/cur yanos/.SPAM/cur skevos/.SPAM/cur savvasn/.SPAM/cur kekkos/.SPAM/cur ank-test/.SPAM/new antonis/.SPAM/new george/.SPAM/new yanos/.SPAM/new skevos/.SPAM/new savvasn/.SPAM/new kekkos/.SPAM/new"

# Retention in days. The listing carries three OLDSPAM assignments; in a shell
# script the last one (10) is the one that takes effect.
OLDSPAM=5
OLDSPAM=20
OLDSPAM=10
OLDVIRUS=7
OLDTRASH=10

cd /Mail || exit 1
echo "=========================================================" >> "$LOGFILE"
echo "This log is produced by /Mail/common/scripts/cleanup-Mail. See this file for details" >> "$LOGFILE"
date >> "$LOGFILE"

# Feed the users' SPAM folders to SpamAssassin's Bayes learner.
echo "Starting Spamassassin learning" >> "$LOGFILE"
for i in $LEARNFROM
do
    echo "Learning from $i" >> "$LOGFILE"
    /usr/bin/sa-learn --spam --showdots "$i" >> "$LOGFILE" 2>&1
    sleep 3
done
echo >> "$LOGFILE"

# Remove SPAM and VIRUS messages older than the retention period, logging each path.
echo "Starting cleanup of SPAM and VIRUS folders" >> "$LOGFILE"
echo "I am deleting the following files" >> "$LOGFILE"
for i in *
do
    find "$i/.SPAM/cur" -type f -mtime +"$OLDSPAM" -print -exec rm {} \; >> "$LOGFILE" 2>&1
done
for i in *
do
    find "$i/.SPAM/new" -type f -mtime +"$OLDSPAM" -print -exec rm {} \; >> "$LOGFILE" 2>&1
done
####
for i in *
do
    find "$i/.VIRUS/cur" -type f -mtime +"$OLDVIRUS" -print -exec rm {} \; >> "$LOGFILE" 2>&1
done
for i in *
do
    find "$i/.VIRUS/new" -type f -mtime +"$OLDVIRUS" -print -exec rm {} \; >> "$LOGFILE" 2>&1
done
```
[...] in Figure 2 will be presented below. Details on what is needed and how to properly configure the software modules to create the system in Fig. 2 are presented below. In order for a system to become operational it is necessary to install all its software. The complete e-mail system is based on the following suite of applications and utilities:

- Postfix (MTA)
- Dovecot
  - IMAP server
  - POP3 server
  - LMTP service
  - LDA service
  - Pigeonhole (Sieve and Managesieve plug-in)
- Amavisd-new
  - ClamAV
  - SpamAssassin
- SASL (for submission)
- OpenSSL (openssl software)
- TLS
- LDAP
- Webmail clients
  - Horde
  - Roundcube

Setting up Postfix

Postfix is compiled from sources for this set-up.

1. To compile and install Postfix, see Postfix Compile and Install in Appendix A for install and configuration details.
2. Enable logging as soon as the installation is successful on each server. Watch your logs for problems; see the Administration section.

The SMTP servers are divided into two groups: front end (relay) and back end (storage).

Front End (Relay): theano, elysso

Front end or relay SMTP servers are outward facing. They receive AND send messages to the bad Internet. They are the entry point of all incoming messages and the exit point of all outgoing messages. They are also the first line of defense of the mail system against any p
[...] is more a matter of user convenience than a system choice; other web interfaces can be used.

Fig. 3 shows the functional view of the system. Two distinct perspectives are shown on how the system works: user and server clients. The user perspective shows what happens when an email is sent or retrieved by a user, including the web mail application. The server perspective shows how the system works when a message is received or sent by the server components. For both views the hardware and software involved are shown, including the processes and how the message storage systems are accessed.

(Fig. 3: Functional Server Groups Arrangement; functional.svg, preliminary. Elements: proxy/directors, back end storage, SMTP server, mail storage, index, control, HOME.)

The system is split into two groups of services/servers: the front end servers and the back end servers.

| # | Functionality | Server | VHOST | Address | Notes |
|---|---|---|---|---|---|
| 1 | SMTP relay 1 | theano | iraklis | 194.42.17.130 | DMZ 2; Dovecot front end director 1 |
| 2 | SMTP relay 2 | elysso | danae | 194.42.17.141 | DMZ 2; Dovecot front end director 2 |
| 3 | SMTP back end 1 | gorgo | iraklis | 10.16.1.113 | Dovecot back end 1 |
| 4 | SMTP back end 2 | mirto | danae | 10.16.1.114 | Dovecot back end 2 |
| 5 | WebMail | thalia | danae | 194.42.17.136 | DMZ 2; Mailing List server; Dovecot and SMTP client |

Table 1: Server groups, general configuration.
```
[...]/etc/mailaliases/aliases/csresearch
csfaculty:     :include:/etc/mailaliases/aliases/csfaculty
csvisiting:    :include:/etc/mailaliases/aliases/csvisiting
csmsc:         :include:/etc/mailaliases/aliases/csmsc
csphd:         :include:/etc/mailaliases/aliases/csphd
csstaff:       :include:/etc/mailaliases/aliases/csstaff
support:       :include:/etc/mailaliases/aliases/support
cssupport:     :include:/etc/mailaliases/aliases/support
cstspecial:    :include:/etc/mailaliases/aliases/cstspecial
csall:         :include:/etc/mailaliases/aliases/csall
csstudents:    :include:/etc/mailaliases/aliases/undergrad, :include:/etc/mailaliases/aliases/cspg
cssecretaries: :include:/etc/mailaliases/lists/secretaries
evoting:       :include:/etc/mailaliases/lists/evoting
egee-users:    :include:/etc/mailaliases/lists/egee-users
etaps10_satellite_events: :include:/etc/mailaliases/lists/etaps10_satellite_events
graduates:     :include:/etc/mailaliases/lists/graduates
scrat-group:   :include:/etc/mailaliases/lists/scrat-group
smartp2p:      :include:/etc/mailaliases/lists/smartp2p
smartlib:      :include:/etc/mailaliases/lists/smartlib
socialelectricity: :include:/etc/mailaliases/lists/socialelectricity
smartlab:      :include:/etc/mailaliases/lists/smartlab
personaweb:    :include:/etc/mailaliases/lists/personaweb
commonsense2013: :include:/etc/mailaliases/lists/commonsense2013
reconlife:     :include:/etc/mailaliases/lists/reconlife
```

LDAP Groups

With the LDAP system, lists are configured as groups in the repository and are given the ability to
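Because the aliases file above delegates every list to an `:include:` file that is copied to the relays by cron, a missing or empty include file turns a whole list into bounced or silently dropped mail. The following check, added here as an example and not part of the manual or its scripts, parses an aliases(5) file in that layout and reports each include target that is missing, unreadable or empty; the directory tree and file contents it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the manual): verify the ":include:" targets of an
# aliases(5) file before it is pushed to the relay servers.

# check_includes ALIASES_FILE
# Prints "alias<TAB>problem<TAB>path" for every include target that would
# break delivery. Comment and blank lines are skipped; a right-hand side may
# name several comma-separated ":include:" files.
check_includes() {
    aliases_file=$1
    grep -v '^[[:space:]]*#' "$aliases_file" | grep -v '^[[:space:]]*$' |
    while IFS= read -r line; do
        name=${line%%:*}          # text before the first colon is the alias
        rhs=${line#*:}            # everything after it is the target list
        echo "$rhs" | tr ',' '\n' |
        sed -n 's/^[[:space:]]*:include:\([^[:space:]]*\).*/\1/p' |
        while IFS= read -r inc; do
            if [ ! -e "$inc" ]; then
                printf '%s\tmissing\t%s\n' "$name" "$inc"
            elif [ ! -r "$inc" ]; then
                printf '%s\tunreadable\t%s\n' "$name" "$inc"
            elif ! grep -q '[^[:space:]]' "$inc"; then
                # An include file with no addresses means nobody receives
                # mail sent to the list, so it is reported as well.
                printf '%s\tempty\t%s\n' "$name" "$inc"
            fi
        done
    done
}

# demo: build a constructed copy of the CS layout in a temporary directory
# (one valid list, one list whose include files do not exist, one empty list)
# and run the check over it.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/mailaliases/aliases" "$tmp/mailaliases/lists"
    printf 'user1@example.invalid\nuser2@example.invalid\n' \
        > "$tmp/mailaliases/aliases/csfaculty"
    : > "$tmp/mailaliases/lists/evoting"
    cat > "$tmp/aliases" <<EOF
# constructed sample in the layout of the CS aliases file
csfaculty:  :include:$tmp/mailaliases/aliases/csfaculty
csstudents: :include:$tmp/mailaliases/aliases/undergrad, :include:$tmp/mailaliases/aliases/cspg
evoting:    :include:$tmp/mailaliases/lists/evoting
EOF
    check_includes "$tmp/aliases"
    rm -rf "$tmp"
}

demo
```

On the sample tree `demo` reports the two missing csstudents include files and the empty evoting list, and nothing for csfaculty.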
  - OR `make upgrade` if installing an upgrade.
- Prevent installation of the Postfix RPM in the future: in /etc/yum.conf add
  - `exclude=postfix`
- `chown postfix:root /usr/local/var/lib/postfix`
- `chmod 700 /usr/local/var/lib/postfix`

Add Postfix to the reboot start-up procedures

CentOS 6: use the chkconfig system.

- `cp -p /root/postfix.init.d /etc/init.d/postfix`
- `chkconfig --add postfix`
- `chkconfig postfix on`
- `chkconfig --list` (check it)

CentOS 7: use the systemd system: `cp -p /root/systemd/postfix /etc/systemd/system`.

The procedures above, when successful, allow us to stop and start Postfix with the familiar

- `service postfix start` (systemctl for CentOS 7)
- `service postfix stop` etc.

We need to disable sendmail and switch to the new Postfix software. USE THE alternatives system: the following command switches to the new Postfix-related software (there is no need to do this during an upgrade). The command is cut off at the end of the page listing:

```
/usr/sbin/alternatives --install /usr/sbin/sendmail mta /usr/local/sbin/sendmail 25 \
    --slave /usr/bin/mailq mta-mailq /usr/local/bin/mailq \
    --slave /usr/bin/newaliases mta-newaliases /usr/local/bin/newaliases \
    --slave /usr/share/man/man1/mailq.1.gz mta-mailqman /usr/local/share/man/man1/mailq.1 \
    --slave /usr/share/man/man1/newaliases.1.gz mta-newaliasesman /usr/local/share/man/man1/newaliases.1 \
    --slave /usr/share/man/man8/sendmail.8.gz mta
```
Rebuilding the Postfix lookup tables (the time fields of the crontab entries did not survive extraction):

```
cd /usr/local/etc/postfix && /usr/local/sbin/postmap overquota_users
cd /usr/local/etc/postfix && /usr/local/sbin/postmap virtual_users
cd /usr/local/etc/postfix && /usr/local/sbin/postmap virtual_users_cs
cd /usr/local/etc/postfix && /usr/local/sbin/postmap CS_virtual_alias
cd /usr/local/etc/postfix && /usr/local/sbin/postmap UCY_virtual_alias
```

See `crontab -l` on nireas:

```
# Backup Directory Server every day at 2am
0  2 * * * /etc/cron.d/backupdirsrv
# Send files to theano, elysso
0  1 * * * /root/sendfile
# Send /etc/mailaliases to gorgo, mirto
05 6 * * * /root/sendmailaliases
```

Mail clean-up script

Currently on hermes:/mail/common/Mail/scripts/cleanup-Mail.

```bash
#!/bin/bash
# The purpose of this file is to maintain the e-mail system and its associated
# storage filesystem. This includes automatic spam learning and the clean-up of
# all the VIRUS, SPAM and Trash user folders in the user directories. It must be
# run from the Mail directory to have practical effect. The clean-up happens on
# messages that are older than 15 days for SPAM, 7 days for VIRUS and 20 days
# for Trash. These can be adjusted using the OLDSPAM, OLDVIRUS and OLDTRASH
# variables. This is run daily via cron on the entire Mail storage area.
######
LOGFILE=/var/log/mailcleanup.log
# Maildir folders whose contents are fed to sa-learn as spam (the separator
# between "ank" and "test" in the first name was lost in extraction; the list
# continues in the next fragment).
LEARNFROM="ank-test/.SPAM/cur antonis/.SPAM/cur"
```
[...] (storage: all).
  - Install keys/certificates. The certificates will be used both by Postfix (for TLS on SMTP submission with SASL authentication) and by Dovecot (for encrypted IMAP sessions). See the section below. Do we use the same key for DKIM?
  - Disable the authconfig application to avoid destroying the setup by accident: `chmod -x /usr/sbin/authconfig`.
  - Test authentication: `getent passwd <user>`.

It should be noted that the system does not make use of virtual users, i.e. users that exist only for the purposes of email. All CS users are defined in the LDAP repository. Also, all groups will eventually be defined in the LDAP repository.

Names and Aliases

Aliases are extensively used in mail systems. They are an easy way to receive messages at more humanly readable addresses, e.g. george.andreou@cs.ucy.ac.cy rather than gandre01@cs.ucy.ac.cy. Aliases have a one-to-one correspondence, i.e. an alias points to one user name. For the CS department each user:

- has a default user name that is identical to his/her log-in name, e.g. gandre01. This cannot be changed and corresponds to the log-in name given by the University registration system. The user can receive messages at gandre01@cs.ucy.ac.cy.
- automatically gets an alias as defined at the central University systems, i.e. andreou.george@cs.ucy.ac.cy. Note that the user also has a corresponding alias andreou.georg
[...] this every time a yum upgrade is done, and remove/move CentOS-Base.repo.
  - tcsh, with a link from /usr/bin/tcsh to /bin/tcsh.
  - Development software to compile software (postfix, dovecot etc.): gcc, make.
  - ntp. See Administration/NTP for setup.
  - cronie. NOTE PROBLEM: cronie requires sendmail, procmail and hesiod; make sure you disable sendmail when you install Postfix. See the POSTFIX install below.
  - sysstat, tcpdump, traceroute (troubleshooting software).
  - wget, vim, man, rsync.
  - logwatch.
  - syslog/rsyslog initial setup. syslog should be enabled at this early stage to get messages that help in debugging. See the Administration section for more elaborate configuration.
  - logrotate. See Administration/Logging for setup.
  - openssh-clients.
  - fail2ban, jwhois. Do `restorecon /sbin/iptables` to fix an SELinux problem. See Administration/fail2ban for setup.
  - nsswitch configuration: `aliases: files`, `automount: files`; comment out the publickey setting.
  - crypto-utils, if generating keys locally (openssl is better and does not require additional packages).
  - openldap-clients (ldapsearch), for debugging purposes only, on the back ends.
  - Arrange for OS backups (see also Administration).
  - Create a local user <x>system as described in the Linux installation: `useradd --home /home/<x>system <x>system`. Note that further user authentication i
[...] to the outside network, while back end systems are internal to the network.

- Front end systems: SMTP relays, IMAP proxies, message filters (SPAM, virus etc.)
- Back end systems: SMTP storage servers, IMAP storage servers
- Client systems: Webmail, Mailman

Functionality Summary / Set-up

For our set-up we use four virtual machines for mail services and an additional host for the Webmail and Mailman applications, which also functions as an active mail server. See Table 1 and Appendix E.

Server Functionality

This is a comprehensive high-level record of how each system is set up. In Table 3 the columns Front end (theano, elysso), Back end (gorgo, mirto) and Webmail/Mailman mark where each function runs; the marks for rows 1 to 6 and the functions of rows 7 to 12 did not survive extraction, so only the function and port columns are given here.

| # | Function | TCP/IP port |
|---|---|---|
| 1 | SMTP server | 25 |
| 2 | SMTP submission | 587 |
| 3 | SMTP over-quota check | |
| 4 | IMAP | 143 |
| 5 | SASL auth | 10001 |
| 6 | Amavisd | 10024 |
| 7 | | 12340 |
| 8 | | 12341 |
| 9 | | 12342 |
| 10 | | 12343 |
| 11 | | 12344 |
| 12 | | 12345 |

Table 3: Server Function Listing.

SMTP Relay (front end): theano and elysso sit in the DMZ. They receive mail on port 25 (MX) from other SMTP servers and on port 587 (submissions) from OUR users.

Email security:

- Before-queue filtering: reject mail from unknown (no reverse IP) hosts; reject mail destined to unknown local users (verify).
- After-queue filtering: SPAM and VIRUS detection.
- Blacklisting, greylisti
[...] network via the individual virtual hosts and proper access to the Internet. Each virtual machine is placed in its proper network as indicated in Figure 3 and detailed in Table 1. Of particular importance for any email server are the following:

- Proper network access provided to the server, especially if behind a firewall. See the Security section for the TCP/UDP ports that need to be open on the firewall, and their functionality, for proper communication between servers.
- The server has a proper DNS entry, both forward (A record) and reverse (PTR record), especially for outward-facing systems.
- Debug utilities (dig, nslookup, telnet etc.) are available.

General OS Setup and Software

Prerequisites. It is assumed that the latest CentOS is available. Follow the wiki instructions for setting it up. Below are specific software items that need to be addressed.

Setup on All Servers. The general set-up is based on the CentOS minimal install. Follow the instructions in https://wiki.cs.ucy.ac.cy/index.php/OTY_Internal/Linux_Installation_from_Minimalinstall and https://wiki.cs.ucy.ac.cy/index.php/OTY_Internal/Linux_Installation in order to install and set up the software. File systems should be changed to:

  - /var 10GB
  - /sys/data 10GB

General software to install and configure on all systems (services should be started using `chkconfig <service> on`):

  - yum repositories set up. Note: need to check
[...] Dovecot and Pigeonhole (Sieve); see Appendix A.

2. Enable logging as soon as the installation is successful (10-logging.conf). Watch your logs; see the Administration section.

The Dovecot IMAP/POP3/Sieve/ManageSieve servers are divided into two groups: front end (directors) and back end (storage).

Front End IMAP PROXY or Dovecot Director Configuration: theano, elysso. Proxy <auth config> for static proxying, in 10-auth.conf: `!include auth-static.conf.ext`.

Back end Configuration: gorgo, mirto. TLS/SSL configuration, in 10-ssl.conf:

```
ssl = yes
ssl_cert = </etc/pki/tls/certs/mail.cs.ucy.ac.cy.cert.pem
ssl_key = </etc/pki/tls/private/mail.cs.ucy.ac.cy.key.pem
```

Summary table:

| Service | Front end (theano, elysso) | Back end (gorgo, mirto) |
|---|---|---|
| IMAP | IMAP | POP3 |
| Managesieve | Managesieve | Sieve |
| Director | | |

Table 5: Dovecot services setup.

| TCP port | Usage |
|---|---|
| 110 | tcp/udp from all |
| 143 | tcp/udp from all |
| 4190 | tcp from all |
| 9090 | director communication |
| 10001 | SASL authentication (mirto only) |
| 12345 | SASL authentication (gorgo only) |
| 12340 | quota status service (mirto, gorgo) |

Table 6: Dovecot TCP port usage.

Dovecot Storage. Mail storage comes from Mail; INDEX
EMAIL SYSTEM ADMINISTRATOR MANUAL FOR EMAIL-NG (Postfix, Dovecot, Amavisd, Spamassassin, ClamAV, openLDAP). THIS MANUAL IS STILL IN DEVELOPMENT. By Andreas Kasenides (ank@cs.ucy.ac.cy).

Revision History

- 0.9: Redefined the way mailing lists are created and managed, to take Mailman into consideration. CentOS 7 considerations in several places.
- 0.8: Mailman and Webmail description. Many other description enhancements.
- 0.7: EmailNG officially launched, with mail.cs.ucy.ac.cy moved to theano (18/06/2014).
- 0.6: New generation set-up with relay virtual hosts etc. started.
- 0.5: Greatly expanded and restructured.
- 0.4: Dual server appendix started; added more material to almost every section.
- 0.3: General system description.
- 0.2: Minimal explanation of the basic concepts.
- 0.1: Started from the user manual.

Last revision: 16 Feb 2015.

A Complete and Secure E-Mail Infrastructure System
```
[...]IME
250 DSN
```

Problems with authentication:

- Check if ESMTP is spoken between client and server: `telnet <server> 25`, then `EHLO <client>`.
- You should receive a reply similar to the one above. If not, ESMTP is blocked by the firewall; then use `fixup protocol smtp` on the Cisco PIX.

Testing IMAP

```
$ telnet imap.example.com imap
Trying 192.0.2.2...
Connected to imap.example.com.
Escape character is '^]'.
* OK Dovecot ready.
a1 LOGIN MyUsername MyPassword
a1 OK Logged in.
a2 LIST "" "*"
* LIST (\HasNoChildren) "." "INBOX"
a2 OK List completed.
a3 EXAMINE INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS ()] Read-only mailbox.
* 1 EXISTS
* 1 RECENT
* OK [UNSEEN 1] First unseen.
* OK [UIDVALIDITY 1257842737] UIDs valid
* OK [UIDNEXT 2] Predicted next UID
a3 OK [READ-ONLY] Select completed.
a4 FETCH 1 BODY[]
* 1 FETCH (BODY[] {405}
Return-Path: sender@example.com
Received: from client.example.com (client.example.com [192.0.2.1])
        by mx1.example.com with ESMTP id <20040120203404.CCCC18555.mx1.example.com@client.example.com>
        for <re
```
```bash
####
####
# Finally expire the per-user tmp folders; tmpwatch removes entries untouched for 72 hours.
echo "Starting cleanup of Mail tmp folders" >> "$LOGFILE"
/usr/sbin/tmpwatch --verbose 72 /Mail/tmp/tmp >> "$LOGFILE" 2>&1
```

Appendix E: Configuration Listings

A complete listing of the systems' configuration will eventually be found on platon. Custom differences only are listed here.

Fail2ban filter, dovecot-pop3imap.conf:

```
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(proxy dest auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
```

SSHD, /etc/ssh/sshd_config:

```
####
PermitRootLogin no
####
# Live for 6 hours
ClientAliveInterval 21600
ClientAliveCountMax 5
####
```

Appendix F: References

- www.redhat.com
- www.centos.org
- www.postfix.org
- www.dovecot.org
- www.amavisd.org
- www.clamav.net
- www.spamassassin.apache.org
- www.sieve.org
- www.roundcube.org
- www.horde.org

Relevant RFC reference (obsolete RFCs in parentheses):

| RFC | Subject |
|---|---|
| 2822 | SMTP |
| 4954 (3463, 2554) | SASL authentication |
| 5230 | Sieve vacation extension |

Appendix G: Random Notes

SSL certifica
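The fail2ban filter above decides which Dovecot login lines count as failures and which `rip=` address gets banned once maxretry is reached. The check below, added as an example and not part of the manual, replays that decision offline over constructed Dovecot log lines: it rewrites the filter's alternatives as a POSIX ERE for grep, extracts the remote IP the way the `(?P<host>...)` group does, and then applies a retry threshold. `fail2ban-regex` is the real tool for this; the log lines and the hosts in them (RFC 5737 addresses) are constructed here.

```shell
#!/bin/sh
# Added example (not from the manual): offline replay of the dovecot-pop3imap
# fail2ban filter over sample log lines.

# The failregex from the filter, as a POSIX ERE (no non-capturing or named
# groups); the host is extracted separately with sed.
FAILURE_ERE='(pop3-login|imap-login): .*(Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(proxy dest auth failed).*rip=[^,]*,'

# matched_hosts: read log lines on stdin and print the rip= address of every
# line the filter matches, one per line (repeats kept: fail2ban counts hits).
matched_hosts() {
    grep -E "$FAILURE_ERE" | sed -E 's/.*rip=([^,]*),.*/\1/'
}

# hosts_over_threshold N: from the output of matched_hosts, print the hosts
# with at least N hits, i.e. those that would reach fail2ban's maxretry.
hosts_over_threshold() {
    n=$1
    sort | uniq -c | awk -v n="$n" '$1 >= n { print $2 }'
}

# Constructed sample: three failed logins from one host, one successful
# login, one proxy-destination failure, and a "no auth attempts" disconnect
# (which the filter must not count, since no credentials were tried).
sample_log() {
    cat <<'EOF'
Feb 16 10:01:02 relay1 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.2, TLS
Feb 16 10:01:05 relay1 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.2, TLS
Feb 16 10:01:09 relay1 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.2, TLS
Feb 16 10:02:00 relay1 dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.2, TLS
Feb 16 10:02:30 relay1 dovecot: pop3-login: Disconnected (proxy dest auth failed): user=<carol>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.2, TLS
Feb 16 10:03:00 relay1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.5, lip=192.0.2.2, TLS
EOF
}

# demo_hosts: every hit the filter would record for the sample.
demo_hosts() {
    sample_log | matched_hosts
}

# demo_banned: hosts the sample would get banned with maxretry = 3.
demo_banned() {
    sample_log | matched_hosts | hosts_over_threshold 3
}

echo "hits:"
demo_hosts
echo "banned with maxretry=3:"
demo_banned
```

For the sample, the hits are 198.51.100.7 three times and 203.0.113.9 once, and only 198.51.100.7 crosses the threshold; 203.0.113.5 never appears, because a successful login and a connection with no auth attempts are not failures.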
Mail messages ... 38
Nagios Monitoring ... 38
Statistics ... 39
Message cleanups ... 39
Synchronizing a Dual server configuration ... 39
Upgrades ... 40
Troubleshooting ... 40
Testing SMTP ... 40
Testing IMAP ... 40
Testing POP3 ... 40
Appendix A  Compiling and Installing from Sources ... 42
  Prerequisites ... 42
  Postfix Compile and Install ... 42
  Add Postfix to the reboot start up procedures ... 43
  Dovecot Compile/Install ... 44
  Prerequisites ... 44
  Pigeonhole Compile and Install ... 45
Appendix B  Future Work ... 46
  Future Storage ... 46
Appendix C  Notes and Pending Issues ... 48
ache
    tls_random_source = dev:/dev/urandom
    smtpd_tls_auth_only = yes

Back End (gorgo, mirto)

Back end (or storage) SMTP servers are inside the CS network. They do not interact with outside servers or services. They receive messages from the front end SMTP servers for delivery to user mailboxes. To deliver messages they use a Local Delivery Agent (Dovecot LDA).

Functions:
• keep records and have knowledge of all valid users
• keep records of banned (non-delivery) users, e.g. over quota
• use the above records to answer "ability to deliver" requests from the front end servers
• receive mail from the front end SMTP servers as the destination of a relay action
• use an LDA to deliver messages to user mailboxes

Software Setup

General access control: /etc/postfix/access
Authentication is via LDAP.
Virtual users are enabled: /etc/postfix/virtual_users
Virtual users control is enabled via /etc/postfix/virtual_users_access
Over quota users are denied access: /etc/postfix/overquota_users
Internal mailing lists and aliases are enabled with /etc/aliases. This can also be done with virtual users. Note: there is room for improvement here, in order to properly set up aliases per person, groups and small mail lists that are now created with system accounts via LDAP.

Open ports:
• 25/tcp from the front end servers

Set up:
1. edit main.cf
2. edit master.cf
3. edit transport
4. virtual users

Setting up Dovecot

1. To compile and install
and CONTROL files go in /sys/data/mail/dovecot/index and /sys/data/mail/dovecot/control, where these files are not subject to quota controls. /sys/data/mail is an NFS mounted system from csfs11 (orfeas) and exists ONLY on the back end systems.

Quota

Quota is implemented with the Dovecot Quota plug-in. See file 90-quota.conf.

Sieve Filtering and ManageSieve

Dovecot's Pigeonhole extension implements the Sieve and Managesieve protocols. Sieve filtering is installed on the back end IMAP machines to do the filtering before the Dovecot LDA/LMTP delivers each message to the user mailbox. The Managesieve protocol is enabled on both the proxy servers and the back end servers. Proxies simply work as front end machines that proxy users to the back end services, very much like IMAP proxying.

Sieve is part of Dovecot. The scripts are called by the Dovecot LDA during its message delivery process. Therefore it runs ONLY on the back end systems (gorgo, mirto) where delivery is happening.

Compile and install the dovecot-pigeonhole extension. See Appendix A.

Default script run for all users: /usr/local/var/lib/dovecot/default.sieve

    [root@gorgo dovecot]# more default.sieve
    require ["fileinto", "envelope", "editheader"];
    if header :contains "subject" "SPAM" {
        fileinto "SPAM";
    }
    if header :contains "subject" "SPAM" {
        fileinto "SPAM";
    }
    if header :contains "subject" "SPAM" {
        fileint
ates for reference. Keys are kept as above for protection.

Certificates and keys are created and signed by the Terena CA via the Cynet procedures. See the Setting up Postfix and Setting up Dovecot sections on how to install them for each one.

Mail Services Description

Generally speaking, the hardware plays only a minor role in the management of the email infrastructure. Unless we are trying to set up an extremely high volume mail system, there is no need for exotic and ultra fast hardware. Of course, the faster the systems employed, the better. Often memory availability plays a much more crucial role than the CPU speed. Also, email systems are I/O intensive and therefore good storage subsystems help greatly. Having said that, it is obvious that hardware inadequate for the job will suffer under load and produce unacceptable delays.

The software employed in the email infrastructure is characterized by spawning multiple processes to achieve its tasks. Examples of these are Postfix, Dovecot, Amavisd, ClamAV and Spamassassin. Especially during high loads the system should be capable of spawning thousands of processes and servicing them in an efficient manner. Therefore memory and I/O are quite important.

Types of Mail Servers

There are two types of servers. They are characterized by their location but also by their functionality. Front end systems are exposed
    Entity           Nagios plug-in        Type             Notes
    CPU load         check_load            Local (nrpe)     gorgo/mirto: -w 25,20,15 -c 35,30,25
    Postfix SMTP     check_smtp            Remote (triton)
    Dovecot IMAP     check_imap            Remote (triton)
    Postfix queue    check_postfix_queue   Local (nrpe)     The script was changed so that it responds to 8 characters
                                                            of queue_id instead of 10; see the script at
                                                            /usr/lib64/nagios/cs_plugins. When checking the queues on
                                                            the internal systems (gorgo, mirto) keep the values small
                                                            (-w 50 -c 100), since these systems should deliver messages
                                                            immediately; on the relays (theano, elysso) use -w 300 -c 1000.
                                                            Note: the best approach would be a time based check, i.e.
                                                            check the queue, record the values and check again a fixed
                                                            amount of time later, several times; if the queues exceed a
                                                            value and remain there or keep increasing, issue a warning.
                                                            Do the same for the critical value. This will require a
                                                            change to the check script.
    amavisd process                                         only on relays
    clamd                                                   amavisd, only on relays
    Table 7  Summary of Nagios monitoring for Mail Servers

Statistics

Message cleanup

Mail cleanup operations (cleanup scripts): see Appendix D, Helper Scripts. The script hermes:/Mail/common/Mail_scripts/cleanup_Mail cleans up mailboxes of old messages according to the following criteria:
• OLDSPAM: 10 days, from SPAM folders
• OLDVIRUS: 7 days, from Virus folders
• OLDTRASH: 10 days, from Trash folders
The script curre
cipient@example.com>; Tue, 20 Jan 2004 22:34:24 +0200
    From: sender@example.com
    Subject: Test message
    To: recipient@example.com
    Message-Id: <20040120203404.CCCC18555.mx1.example.com@client.example.com>

    This is a test message.
    )
    a4 OK Fetch completed.
    a5 LOGOUT
    * BYE Logging out
    a5 OK Logout completed.

Testing POP3

    > telnet pop.example.com pop3
    Trying 192.0.2.2...
    Connected to pop.example.com.
    Escape character is '^]'.
    +OK InterMail POP3 server ready.
    USER MyUsername
    +OK please send PASS command
    PASS MyPassword
    +OK MyUsername is welcome here
    LIST
    +OK 1 messages
    1 1801
    .
    RETR 1
    +OK 1801 octets
    Return-Path: sender@example.com
    Received: from client.example.com ([192.0.2.1])
            by mx1.example.com with ESMTP
            id <20040120203404.CCCC18555.mx1.example.com@client.example.com>
            for <recipient@example.com>; Tue, 20 Jan 2004 22:34:24 +0200
    From: sender@example.com
    Subject: Test message
    To: recipient@example.com
    Message-Id: <20040120203404.CCCC18555.mx1.example.com@client.example.com>

    This is a test message.
    .
    DELE 1
    +OK
    QUI
d to set up a fast and secure mail system. It should be noted that this is a relatively complex system and there are countless ways to install such an environment. The description here concerns the Computer Science department mail system only. The reader is expected to extract enough information from this document to understand the set up in sufficient detail, in order to be able to operate, troubleshoot and possibly customize it. The reader is expected to be at an advanced stage of Unix knowledge.

Postfix and Dovecot make up the basic nucleus of software, and Amavisd, Spamassassin, ClamAV, Sieve, the Horde/IMP web mail suite and the RoundCube Webmail application provide important facilities for a modern mail system.

The Target Environment

The target environment is a complicated multi user environment. It is complicated because users are at various expertise levels; their primary location is not well defined, as they move in and out of their primary location, are often based in remote locations such as home offices, and are on trips in far away lands for many days. They are sometimes stranded in strange lands with nothing more than a slow Internet connection and mostly a browser to work with. Users use their own favorite e-mail devices and clients, not just web mail, and use them in the strangest ways possible and on the strangest machine and OS combinations available. Welcome to the academic environment.

Objectives

The objectives of the e-mail infras
dependent.
5. Installation of the relevant RPMs is disabled in /etc/yum.conf to avoid confusion. This strategy helps in case we decide, for whatever reason, to revert back to the original CentOS packages, but also makes each machine independent.

Prerequisites
• Install gcc

Postfix Compile and Install

NOTE: Compilation of front end and back end systems is slightly different. Instructions are based on version 2.10.x.
• Install the necessary software: db4-devel, openldap-devel (only on back end systems)
• cd /root/download; get the source (see www.postfix.org) and unpack it
• In /root there is a postfix_make_<host>.sh, where <host> is the host being used to build Postfix. Each host has been optimized with its own build. Copy it to the new source directory.
• cd to the new source directory and run postfix_make_<host>.sh
  o this file customizes the compilation/installation for our purposes
  o to start from scratch, do a make clean
• Create user accounts and related groups if not available already. These user settings are the same as the CentOS defaults (UID, GID):
    /etc/passwd:  postfix:x:89:89::/var/spool/postfix:/sbin/nologin
    /etc/group:   postfix:x:89:
• Create a group postdrop
    /etc/group:   postdrop:x:90:
• Install the new postfix
  o make install; you should take the defaults on the options given, since the compilation has already determined the place of install
e:
1. relay machines receive messages from outside AND inside;
2. relays check for all the bad things (spam, viruses etc);
3. for incoming messages, relays check for valid local users and reject messages for invalid users.
Such a scenario allows all checks to be done at the entry point, allowing the back ends to function with the real, nice messages and at a much reduced load. But there is a problem. If you are a DMZ admin or a security hawk, functionality 3 above is not possible without violating the DMZ policy, especially if you are dealing with internal LDAP and DB servers, which essentially house personal information.

Have a look at verify(8) and the address_verify variables in main.cf. With this you can dynamically verify recipients on your backend SMTP servers.

Appendix D  Helper Scripts

These may change. Look at the locations indicated below for the exact configuration.

Temporary user management scripts
• See crontab -l on theano, elysso:

    [root@theano postfix]# crontab -l
    15 * * * * cp /tmp/overquota_users /usr/local/etc/postfix/overquota_users
    17 * * * * cp /tmp/virtual_users /usr/local/etc/postfix/virtual_users
    ### 18 * * * * cp /tmp/virtual_users_cs /usr/local/etc/postfix/virtual_user_cs
    19 * * * * cp /tmp/CS_virtual_alias /usr/local/etc/postfix/CS_virtual_alias
               cp /tmp/UCY_virtual_alias /usr/local/etc/postfix/UCY_virtual_alias
    20 * * * * cd /usr/local/etc
e ucy.ac.cy, which can receive messages through the central email systems. At the CS dept email system ONLY, the user can have one additional alias with a minimum of 10 characters (this is done to ensure that there is no conflict with central system names), which is only valid on the CS local systems and is user defined, provided it does not conflict with already existing aliases or user names. For example: george.andreou@cs.ucy.ac.cy. Aliases used to be in legacy text files but are now being transferred to the LDAP repository, as explained above.

Groups and Lists

For the mail system, groups and mailing lists are almost identical, since an alias (a different name) is established that is used to redirect messages to a group of people rather than a single one. There are three ways to configure mailing groups/lists:
• the legacy way: this method used plain text files (/etc/aliases) and scripts to retrieve list memberships from our user DB, either system defined or from LDAP. This method is becoming obsolete. See below for a minimal description.
• LDAP based definitions: groups/lists are defined in LDAP and the Postfix server retrieves the definitions when needed.
• Mailman lists: this method is described below.
• For our purposes there are system groups which are defined in the LDAP system, and the corresponding information is obtained from there. Example: csstaff.

The Legacy method

The following configuration exists on the back end machine
e Mailman to define them. With Mailman a list can be configured such that only members of the list can send to it. Additional senders are also possible, e.g. administrative staff.

LDAP schema

Currently we use:
• /etc/aliases
  o on the incoming servers, to resolve aliases
  o this file contains a variety of things, including aliases, groups (lists of people, actually) and lists (again, a list of people)
  o it makes use of the legacy /etc/mailaliases directory
  o both of these are copied from /Mail/common
• /usr/local/etc/postfix/virtual_users
  o contains a full list of users on cs.ucy.ac.cy and ucy.ac.cy, as before
  o note that this also has the ability (and it does) to resolve aliases
• Mailman mailing lists, which are handled by a different server for creating aliases

Eventually this will migrate to LDAP in the following way. LDAP attributes used:

    mail                    <original user name>@cs.ucy.ac.cy
    mailalternateaddress    <default alias>@cs.ucy.ac.cy
    mailalternateaddress    <additional alias>@cs.ucy.ac.cy   (user option)
    mailforwardingaddress   forward of email
    mailquota               quota of user

Mail Storage

The Mail servers use a reliable, scalable, consolidated storage based on iSCSI technology already in place.

[figure: mirto, gorgo, Mail storage, NFS]
er.pid 2>/dev/null` 2>/dev/null || true
        endscript
    }

    [root@gorgo pam.d]# more dovecot
    #%PAM-1.0
    auth       required     pam_nologin.so
    auth       include      password-auth
    account    include      password-auth
    session    include      password-auth

    [root@gorgo logrotate.d]# more dovecot
    # dovecot SIGUSR1: Re-opens the log files.
    /var/log/dovecot.log /var/log/dovecot-info.log {
        missingok
        notifempty
        delaycompress
        sharedscripts
        size 20M
        postrotate
            /bin/kill -USR1 `cat /var/run/dovecot/master.pid 2>/dev/null` 2>/dev/null || true
        endscript
    }

Advanced Dovecot Features
• dsync

A general overview of the functionality of the system is presented in the figure below.

Installing the software

The method we use in setting up the software is the top down approach. This approach starts from the top software (postfix) and builds around it the functionality required of the system. Another approach might be the bottom up approach, where we build the functionality required on top of a working operating system, testing the software at every step to verify its functionality. These methods are summarized in the table below. The top down approach is described below.

Virus and SPAM Control Setup

AMAVISD-NEW is used as the front end for VIRUS and SPAM control (http://www.ijs.si/software/amavisd/). Amavis can use a variety of software and facilities to operate. We use a
k ends

Server OS security
• Harden the OS
• Protect at the border (FW2)
• root protection
• /var protection
• sudo
• ssh permissions
• fail2ban local Intrusion Detection software
  o enables the ssh iptables jail
  o custom jail postfix-dns: bans the SMTP port for clients that have no reverse resolution of their IP and repeatedly try to send messages (possibly DOS or mis-configured SPAM servers)
• OS files (all files except mounted file systems): clamav scanning

Network Protection

The network is protected from the mail servers by having them in the DMZ. Only absolutely necessary and very directed permissions are given from the DMZ to the internal network (violation).

Server protection

Fail2ban: SSH jail, SMTP jail, Dovecot jail (IMAP, POP3)

Session security

Security MUST be looked at for every process:
1. IMAP access
2. POP3 access
3. SMTP access
4. HTTP for WebMail

    IMAP4     user to server              SSL protected session
    POP3      user to server              SSL protected session
    SMTP      user to server submission   SSL protected session
    SMTP      smtp to smtp                SSL protected session
    WebMail   user to webmail             HTTPS
    Webmail   webmail client to smtp      SSL
    Webmail   webmail to IMAP             SSL

Setting up HTTPS for encryption of web mail sessions. SASL for authentication with the SMTP AUTH method.

Port list: ports that need to be blocked/opened and are required by the software.

    Port   Actio
ke sure all services will be restarted upon reboot (chkconfig --list). The following list relates to email only, but the usual OS services should be started as well (e.g. NTP). There are differences between back end and front end servers:
• Postfix
• Dovecot
• amavisd
• clamd
• clamd.amavisd
• fail2ban
• Spamassassin
C. Other software that needs to be configured:
• ldap (back end only)
D. Make sure that your /etc/fstab will mount all the required directories for the mail system to function. This is highly dependent on the configuration, e.g. the Mail repository (/sys/data/mail) or other temporary file systems set up.

OS upgrades
• stop postfix
• stop dovecot
• upgrade
• reboot

Postfix Administration

Before making any serious configuration changes that may impact the delivery of messages on any Postfix system, first set soft_bounce = yes in the configuration. This will prevent the loss of messages due to possible configuration errors: messages that are likely to bounce because of mis-configuration will be retried instead.

Some useful commands:
• display the queue
  o mailq
  o postqueue -p
• view messages in the queue
  o postcat -q <queue id>
• process the queue
  o postqueue -f
  o postfix flush
• delete messages from the queue
  o delete all: postsuper -d ALL
  o delete all from deferred: postsuper -d ALL deferred

Dovecot

Back end system main
kes use of it by default via library calls. See below for the Spamassassin configuration.

Postfix Integration

Edit master.cf; see the config examples.

SpamAssassin

Spamassassin is installed as an amavisd prerequisite. There is no need to start spamassassin as a service, since AMAVIS uses it by direct library calls to access its functionality. Here we describe any customization placed after the installation, and explanations where things are not obvious.

ClamAV

Clamav is installed as an amavisd prerequisite. Here we describe any customization placed after the installation, and explanations where things are not obvious.

Message Quarantine

Every time the system detects a message that contains objectionable content (Spam, Virus, Bad content) or a message that does not conform to standards, it sends a message to the administrator. The administrator in our case is supporthelp@cs.ucy.ac.cy. All quarantine notifications are stored in the Quarantine folder of user supporthelp.

Releasing Messages

Check the notification for a line like:
  o The message has been quarantined as: spam/MGRKENTKdz4w.gz
  o The message has been quarantined as: banned/2IvQ04s5M0Lq
On the machine reporting the quarantine (for example theano) do:
  o amavisd-release spam/MGRkEnTKdz4w.gz

Managing/cleaning the quarantine folder

Security

Outside facing systems (front ends), inside systems (bac
l, redirecting folders etc.
• Interface independence: support a variety of clients in both POP and IMAP configurations. Support for the largest possible number of E-Mail clients, including IMAP, POP and Web mail in their plain and secure versions, must be tested with Thunderbird, Outlook, Live, Pine, Horde/IMP and Roundcube.
• Low cost: based on commodity off the shelf hardware, virtual servers and 100% Open Source Software.
• Eliminate the use of custom scripts like /Mail/common/Mail_scripts that we used in the past and replace them with native software (Postfix, Dovecot, Sieve, LDAP operations).
• Vendor independence: OSS provides the ability to be free from custom applications. No lock in with any vendor.

General System Description

The general hardware setup of the previous mail system is presented in figure 1. This system made use of storage in external and internal devices, mostly via simple network file system (NFS) mounts. It consisted of Postfix, Dovecot, MailScanner, ClamAV and Spamassassin software. It also made use of external SPAM databases.

[Fig 1  The previous email system: mail servers, CS users on iolaos and boris, users away from CS, mailman]

The new generation email system hardware set up is presented in Fig 2. A functional presentation of the same system is shown in Fig 3. The server machines shown are fully virtualized hosts
Front End Relay (theano, elysso) ... 24
Back End (gorgo, mirto) ... 26
Setting up Dovecot ... 26
  Front End IMAP PROXY or Dovecot Director Configuration (theano, elysso) ... 27
  Back end Configuration (gorgo, mirto) ... 27
  Summary table ... 27
  Quota ... 28
  Sieve Filtering and ManageSieve ... 28
  The Dovecot Configuration (dovecot -n) ... 29
Virus and SPAM Control Setup ... 30
  Amavisd ... 31
  Install and Configure ... 31
  Postfix Integration ... 32
  SpamAssassin ... 32
  ClamAV ... 32
  Message Quarantine ... 32
lr make
• make install (into /usr/local by default)
• Create the necessary users, if required:
  o dovecot
        dovecot:x:97:97:Dovecot Local IMAP server:/usr/local/libexec/dovecot:/sbin/nologin
        dovenull:x:498:498:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin

        groupadd -g 97 dovecot
        groupadd -g 496 dovenull
        useradd -g 97 -u 97 -c "Dovecot Local IMAP server" -d /usr/local/libexec/dovecot -M -N -s /sbin/nologin dovecot
        useradd -g 496 -u 496 -c "Dovecot Local unauthorized user" -d /usr/local/libexec/dovecot -M -N -s /sbin/nologin dovenull

    The default uid and gid change from time to time but are not critical.
• to uninstall: make uninstall
• Disable install from the CentOS repositories, so that we do not end up with two different installs. In /etc/yum.conf:
        exclude=dovecot
• Transfer the example configs to /usr/local/etc/dovecot from /usr/local/share/doc/dovecot/example-configs

Add Dovecot to the boot start up procedures

CentOS 6: there is a /root/dovecot.init.d
  o cp -p dovecot.init.d /etc/init.d/dovecot
  o chkconfig --add dovecot
  o chkconfig dovecot on
  o chkconfig --list dovecot
CentOS 7: cp -p the /root/systemd dovecot unit files to /etc/systemd/system
  o /usr/lib/systemd/system/dovecot.service
  o /usr/lib/systemd/system/dovecot.socket

Start/Restart procedures: go to the Dovecot configuration; service dovecot start

Pigeonhole Compile and
mail services: Horde and Roundcube.

Web mail client and server configuration

Incoming Server configuration
  o Horde current setup:
    • mailer type: sendmail
    • sendmail_path: /usr/lib/sendmail
    • sendmail_args: ci
    • imp: imap mail
Outgoing server configuration (SMTP)
  o to the local server first
  o relayed to mail.cs.ucy.ac.cy

Thalia uses a local SMTP server to communicate with the mail system relay.

Mailing List Server

See also Authentication, Names, Aliases, Groups, Lists. Mailman is on system thalia (194.42.17.136). See the mailman web site and documentation for details on Mailman Administration.

Administration guidelines and procedures

General

Be very careful with what you are changing. It is possible to break the system entirely, including losing mail messages, if you break things. Follow the instructions below carefully. See Table 2, Server services summary, for the functionality and configuration of each server and server group.

While Postfix is a critical part of the entire mail system, most of the time troubleshooting concentrates on the Dovecot part, as it is directly accessed by the users.

Critical OS checks

A. Make sure that all software and services needed are installed and configured as explained in the previous chapters. If in doubt, follow the relevant chapter.
B. Ma
mavis with spamassassin (http://spamassassin.apache.org/) and clamav (www.clamav.net).

The strategy below is designed to guard against false SPAM positives, giving the user the chance to scan special folders in case such a positive occurs. This has been found beneficial in the past, especially in the case of SPAM, since the determination of whether a message is SPAM or not is statistical.

Strategy: Overall Description
• Every incoming and every outgoing message is scanned for viruses, spam and banned content. Scanning is done on the entry point servers, the SMTP relays (theano, elysso). Note that these servers are entry points for both incoming mail from outside sources and outgoing mail from inside sources. "Inside" here means our users, whether on the local network or not.
• Messages found to contain viruses are immediately quarantined and NOT forwarded to the user. The user is notified and can request a release from the quarantine.
• Messages found to be SPAM with a very high degree of certainty (score of > 20 from Spamassassin) are immediately quarantined and NOT forwarded to the user. The user is notified and can request a release from the quarantine.
• Messages found to be SPAM below the score of 20 are NOT discarded but are marked as such with special Subject header additions (one of two SPAM tags) and are then forwarded for delivery to the user.
• Me
n      Mask      Description
    25     enabled   tcp/udp   SMTP
    109    blocked   tcp/udp   POP2 (not supported)
    110    enabled   tcp/udp   POP3 (Theano)
    143    enabled   tcp/udp   IMAP
    587    enabled             Postfix Relays, SMTP submission
    4190   enabled             From Dovecot front end to Dovecot back end, Managesieve protocol
    1234                       SASL authentication from the Postfix relays to the back end Dovecot
    9090   enabled   tcp       Dovecot Director communications (theano, elysso)
    5666   enabled   tcp/udp   ALL: NRPE

Mail server protection

Back Scatter E-Mail

Mail System Clients

Some machines which provide mail services are actually clients of the mail system and not part of it. We currently have three client email services: Pine (system ada), Webmail and Mailman (hosted on thalia). Basically the mail system supports all clients that are IMAP, POP3 or SMTP compliant. Even some departure from the standards can be tolerated. The configuration has been tested to work with:
• Thunderbird
• Microsoft Outlook
• Other IMAP and POP3 clients, mainly from mobile devices
• Pine
• Webmail clients (Horde, Roundcube)
• Mailman
• A large array of other SMTP/IMAP clients

Pine is available from system ada. Pine uses IMAP and SMTP, like every other client, to communicate with the email system.

WebMail Servers

There are two software suites providing web
ng, rate limiting
  o Postfix PolicyD
• Check for local user over quota and reject receipt
• If everything is OK, relay to the destination back end SMTP servers for delivery

Internal SMTP back end (gorgo, mirto)
• receives incoming messages from the SMTP relays (theano, elysso)
• answers user verification requests from the front end SMTPs
• uses Dovecot LDA to deliver local messages to the message store
  o Dovecot LDA uses Sieve to implement server filtering
  o Dovecot LDA indexes messages at delivery
• stores and manages messages in the message store(s)
• uses the SMTP front end as a smart host relay when needed to send messages to external destinations, for example in case of failure to deliver messages (i.e. message storage problems)

IMAP Director front end (theano, elysso)
• sits in the DMZ as a widely accessible system
• IMAP proxy
  o receives IMAP connection requests from inside or outside
  o proxies (forwards) IMAP requests to the inside IMAP back end servers
  o implements IMAP load balancing (Dovecot Director)
• Managesieve proxy
  o receives Managesieve protocol connection requests (port 4190) from inside or outside
  o proxies (forwards) requests to the inside IMAP back end servers

Internal IMAP back end (gorgo, mirto)
• sits in the internal network; services requests from the IMAP proxies
• manages the message store(s) for users
• manages the Managesieve protocol for
ntly runs on hermes, since this machine is the closest to the file system that needs to be cleaned.

Synchronizing a Dual server configuration

In a dual server configuration many options must be synchronized. The synchronization of many aspects of both the relay and the back end systems is necessary in order to achieve consistent operation for the systems. Some preliminary things to synchronize:
1. main.cf: the two main.cf files are not identical, but must have some of the same options, like the restrictions
2. access file on the relay systems
3. /etc/aliases
4. SpamAssassin
5. ClamAV
6. protect internal mailing lists (either LDAP or manual)
7. Crontab entries
8. LDAP options and configuration
9. Nagios monitor configuration (nrpe.conf)

Upgrades
• When scheduled for upgrades or down times, note that queues will remain on the machine.

Troubleshooting

Testing SMTP
• If upon
  o telnet <smtpserver> 25, or
  o telnet <smtpserver> 587
  we get nothing, then the server did not start correctly. Look in /var/log/maillog for errors in the config file (e.g. main.cf).

    [root@mirto ~]# telnet elysso 587
    Trying 194.42.17.141...
    Connected to elysso.
    Escape character is '^]'.
    220 elysso.cs.ucy.ac.cy ESMTP Postfix
    EHLO mirto
    250-elysso.cs.ucy.ac.cy
    250-PIPELINING
    250-SIZE 25600000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITM
o "SPAM";
    }
    addheader "X-CS-UCY-Information" "Please contact support@cs.ucy.ac.cy for help";
    addheader "X-CS-UCY-Information" "Report abuse to abuse@cs.ucy.ac.cy";

Compile manually at set up and when changing (> sievec default.sieve), to avoid giving permissions to users on the directory. Otherwise users will not be able to compile at run time.

Sieve directory enabled: sieve_dir = ~/sieve
Default user script: $HOME/.dovecot.sieve. This can be a link to the directory $HOME/sieve, where multiple scripts can be saved.

The Dovecot Configuration (dovecot -n)

    [root@gorgo log]# dovecot -n
    # 2.2.4: /usr/local/etc/dovecot/dovecot.conf
    # OS: Linux 2.6.32-358.14.1.el6.x86_64 x86_64 CentOS release 6.4 (Final) nfs
    mail_location = maildir:/newmail/%u:INDEX=/sys/data/dovecot/indexes/%u:CONTROL=/sys/data/dovecot/control/%u
    namespace inbox {
      inbox = yes
      location =
      mailbox Drafts {
        special_use = \Drafts
      }
      mailbox Junk {
        special_use = \Junk
      }
      mailbox Sent {
        special_use = \Sent
      }
      mailbox "Sent Messages" {
        special_use = \Sent
      }
      mailbox Trash {
        special_use = \Trash
      }
      prefix =
    }
    passdb {
      driver = pam
    }
    ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
    ssl_key = </etc/pki/dovecot/private/dovecot.pem
    syslog_facility = local0
    userdb {
      driver = passwd
    }

    [root@iolaos logrotate.d]# more dovecot
    /var/log/dovecot.log {
        missingok
        notifempty
        delaycompress
        sharedscripts
        postrotate
            /bin/kill -USR1 `cat /var/run/dovecot/mast
onfiguration for Dovecot on all systems (/etc/logrotate.d/dovecot):

    /var/log/dovecot.log /var/log/dovecot-info.log /var/log/dovecot-lda.log {
        missingok
        notifempty
        delaycompress
        sharedscripts
        size 20M
        postrotate
            /bin/kill -USR1 `cat /var/run/dovecot/master.pid 2>/dev/null` 2>/dev/null || true
        endscript
    }

Mail messages

The operating system and many applications have the ability to send email messages, usually to the system user root, when predetermined events are encountered (ex. non delivery of messages will generate a report to the postmaster). These messages should go to the special user supporthelp for CS. Make sure that in the system /etc/aliases:

    ## support
    postmaster: root
    root: supporthelp@cs.ucy.ac.cy

Nagios Monitoring

These are basic instructions for Nagios monitoring. On all servers:

- yum install nrpe
- yum install nagios-plugins
- yum install nagios-plugins-load
- custom Nagios plug-in(s) go into /usr/lib64/nagios/cs_plugins
  - mkdir /usr/lib64/nagios/cs_plugins
  - create the check_postfix_queue
- chkconfig nrpe on
- service nrpe start
- Port 5666 needs to be open for the Nagios server (NRPE service, 10.16.0.1)
- Get check_postfix_queue from http://exchange.nagios.org/directory/Plugins/Email-and-Groupware/Postfix and install it in cs_plugins

Table 7 gives a summary of Nagios monitoring for the mail server components.
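For the queue check installed above, here is an added example of what such a plug-in does; it is not the Nagios Exchange plug-in the manual installs and not the department's code. It parses the summary line that postqueue -p prints ("-- 12 Kbytes in 2 Requests." or "Mail queue is empty"), maps the number of queued messages to the Nagios exit states (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN) and emits perfdata after the "|". The two sample outputs are constructed; the thresholds are assumptions to tune per relay.

```python
"""Nagios-style Postfix queue check (added example; not the Nagios Exchange plug-in)."""
import re
import subprocess
import sys
from typing import Tuple

# Constructed samples in the format printed by "postqueue -p".
SAMPLE_BUSY = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    4096 Mon Feb 16 10:01:02  sender@example.org
                                         user@cs.ucy.ac.cy

F6E7D8C9B0     8192 Mon Feb 16 10:02:30  other@example.net
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         someone@cs.ucy.ac.cy

-- 12 Kbytes in 2 Requests.
"""
SAMPLE_EMPTY = "Mail queue is empty\n"

# Nagios plug-in exit states
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
SUMMARY_RE = re.compile(r"^-- (\d+) Kbytes in (\d+) Requests?\.", re.MULTILINE)


def parse_queue(output: str) -> Tuple[int, int]:
    """Return (kbytes, requests) from the summary line of postqueue -p output."""
    if output.lstrip().startswith("Mail queue is empty"):
        return 0, 0
    match = SUMMARY_RE.search(output)
    if match is None:
        raise ValueError("no '-- N Kbytes in N Requests.' summary line found")
    return int(match.group(1)), int(match.group(2))


def check(output: str, warn: int = 50, crit: int = 200) -> Tuple[int, str]:
    """Map queue depth to a Nagios state and a status line with perfdata."""
    try:
        kbytes, requests = parse_queue(output)
    except ValueError as exc:
        return UNKNOWN, f"UNKNOWN - {exc}"
    if requests >= crit:
        state, label = CRITICAL, "CRITICAL"
    elif requests >= warn:
        state, label = WARNING, "WARNING"
    else:
        state, label = OK, "OK"
    perfdata = f"requests={requests};{warn};{crit} kbytes={kbytes}"
    return state, f"{label} - {requests} messages ({kbytes} Kbytes) in the queue|{perfdata}"


def check_live(warn: int = 50, crit: int = 200) -> Tuple[int, str]:
    """Run postqueue -p on this host (needs Postfix installed; not used offline)."""
    result = subprocess.run(["postqueue", "-p"], capture_output=True, text=True)
    if result.returncode != 0:
        return UNKNOWN, f"UNKNOWN - postqueue failed: {result.stderr.strip()}"
    return check(result.stdout, warn, crit)


if __name__ == "__main__":
    exit_state, status_line = check_live()
    print(status_line)
    sys.exit(exit_state)
```

A growing queue on a relay usually means the back end stopped answering LMTP or an outside destination is deferring; the status line carries the size so the Nagios graphs show the trend before the warning fires.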
operating from two different virtual hardware hosts. The system design is based on a split front end / back end design. In this design there are front end (relay, proxy, filter) servers and back end (mail storage, management) servers. All servers and services are active at all times. The hardware is based on a dual server system (a total of four servers) with every function found in two places. Both system couples are active at the same time. The objective is to create a dual server system where failure or scheduled unavailability of any of the servers will not affect the operation of the entire system. The major characteristics of the system are its enormous flexibility, its attention to security and fault tolerance.

Figure 3 presents the system from an email protocol functionality perspective. It shows how each protocol's traffic (SMTP, IMAP, etc.) is routed through the email network to reach its destination.

[Fig. 2: General View. Labels recovered from the figure: Mail servers away from CS, Relay, Webmail, theano, SMTP, mirto, IMAP/POP]

Physical and Functional Description

The system software continues the previous strategy of being interface independent. The choice of interface is left to the user. The system just provides the necessary interfaces for the user to make use of it. The only interface provided is the web mail applications, which are installed on independent servers. This
roblems or malicious activity.

Functions

- receive mail from outside CS and relay it to the back end servers for final delivery and storage
- receive mail from inside CS that needs to be forwarded to the outside of CS
- implement a variety of protection mechanisms, validity checks and filters:
  - reject relaying from non privileged networks (see mynetworks, which lists the networks that are trusted and can relay messages through the system; see the trusted networks below)
  - check the validity of a receiving user by requesting a confirmation from the back end servers
  - check the ability to deliver incoming messages to their users (ex. overquota)
  - use amavisd to do virus and spam filtering with spamassassin and clamav

Open ports

- 25/tcp from all
- 587/tcp from all
- 10001 for SASL from the back end servers

Set up

1. install amavisd, clamd (see below)
2. edit main.cf
3. edit master.cf
4. edit transport
5. virtual users

Trusted Networks

Trusted networks can relay messages through Postfix. These will eventually be severely limited so that clients cannot relay without authorization. Current configuration:

    mynetworks = 194.42.16.0/24 194.42.17.0/24 194.42.18.0/24 194.42.27.0/24
        !10.16.3.0/24 !10.16.5.0/24 !10.16.6.0/24 !10.16.7.0/24 !10.16.8.0/24 !10.16.9.0/24
        !10.16.10.0/24 !10.16.20.0/24 !10.16.21.0/24 10.16.0.0/16 194.42.0.0/24 194
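Before tightening a list like the one above it helps to know exactly which client addresses it admits. The following is an added example, not from the manual or the department's scripts. It models Postfix's mynetworks matching as I understand it (an assumption stated in the code): entries are tried in order, a "!" entry that matches denies relaying, and the first matching entry decides. The list is a constructed subset in the style of the manual's configuration. ineffective_entries() finds entries that can never be the first match, which catches both harmless redundancy and the dangerous mistake of writing an exclusion after the block it was meant to carve out.

```python
"""Evaluate which clients a Postfix mynetworks list lets relay (added example, not from the manual)."""
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed list in the style of the manual's configuration (not the full list).
MYNETWORKS = [
    "127.0.0.0/8",
    "194.42.16.0/24",
    "194.42.17.0/24",
    "!10.16.3.0/24",   # a subnet carved out of the /16 that follows
    "10.16.0.0/16",
    "10.16.5.0/24",    # already covered by the /16 above, so it can never be the first match
]


def parse_entry(entry: str) -> Tuple[bool, Network]:
    """Split a mynetworks entry into (is_exclusion, network); a bare address is a single host."""
    negate = entry.startswith("!")
    return negate, ipaddress.ip_network(entry.lstrip("!"), strict=False)


def can_relay(client_ip: str, mynetworks: List[str]) -> bool:
    """First matching entry decides (assumed Postfix match order); '!' entries deny."""
    client = ipaddress.ip_address(client_ip)
    for entry in mynetworks:
        negate, net = parse_entry(entry)
        if client.version == net.version and client in net:
            return not negate
    return False


def ineffective_entries(mynetworks: List[str]) -> List[str]:
    """Entries wholly covered by an earlier entry: under first-match they never decide anything."""
    seen: List[Network] = []
    found: List[str] = []
    for entry in mynetworks:
        _, net = parse_entry(entry)
        if any(net.version == earlier.version and net.subnet_of(earlier) for earlier in seen):
            found.append(entry)
        seen.append(net)
    return found


if __name__ == "__main__":
    for ip in ("194.42.16.10", "10.16.3.7", "10.16.9.1", "203.0.113.5"):
        print(ip, "may relay" if can_relay(ip, MYNETWORKS) else "must authenticate")
    print("ineffective:", ineffective_entries(MYNETWORKS))
```

Run ineffective_entries() on the real list whenever it is edited: an exclusion it reports has been shadowed by a broader block placed before it and is silently granting relay access.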
s required and described in the
- Debugging and testing software: telnet, bind-utils (dig etc.)

Logging

Producing proper logs is of critical importance in setting up a complex system. Logs will uncover mundane errors like mistyping and save your day. Enable logging at this early stage. See also the Administration section.

Make sure that you have enabled the syslog (rsyslog) service facilities, since it is used extensively. Make sure that the logrotate package is installed and, optionally, that logwatch is installed. Pay particular attention to the logging configuration for each application installed, since each one has different configuration parameters. In the initial phases of the installation enable debug logging to produce maximum information. This can be disabled when operations are satisfactorily stable.

OS Security

As soon as the OS is working, enable security for the OS. This is particularly important for outward facing systems exposed to all kinds of threats. Visit Server OS security. Do not overlook or postpone this.

DNS Configuration

DNS plays a crucial role in mail systems. Without proper naming the email system will not work properly. By their nature, mail servers make extensive use of the DNS services. Consider a DNS caching server on each mail server.

A records

- theano
- elysso
- mail.cs.ucy.ac.cy 194.42.16.130 (theano); eventuall
s which resolve the automatically generated groups for Postfix. This is the legacy configuration that is slowly being migrated to a more dynamic set up with the LDAP repository, as explained above. The respective /etc/mailaliases aliases files are generated on nireas by /etc/cron.daily/autoaliases and transferred.

    ##########################################################################
    # Temporary aliases and groups, eventually these will migrate to a better set up like LDAP
    support:          :include:/etc/groups/aliases/support
    ##########################################################################
    helpdesk:         support
    representatives:  :include:/etc/mailaliases/representatives
    taassists:        :include:/etc/mailaliases/taassists
    healthware:       :include:/etc/mailaliases/lists/healthware
    labsupervisor:    :include:/etc/mailaliases/lists/labsupervisor
    cyta-announce:    :include:/etc/mailaliases/lists/cyta-announce
    freshmen:         :include:/etc/mailaliases/aliases/freshmen
    sophomores:       :include:/etc/mailaliases/aliases/sophomores
    juniors:          :include:/etc/mailaliases/aliases/juniors
    seniors:          :include:/etc/mailaliases/aliases/seniors
    undergrad:        :include:/etc/mailaliases/aliases/undergrad
    cspg:             :include:/etc/mailaliases/aliases/cspg
    raadmin:          :include:/etc/mailaliases/aliases/raadmin
    csassist:         :include:/etc/mailaliases/aliases/csassist
    csresearch:       :include:/etc
        sendmailman /usr/local/share/man/man1/sendmail.1 \
        --slave /usr/share/man/man5/aliases.5.gz mta-aliasesman /usr/local/share/man/man5/aliases.5 \
        --initscript postfix

Remove sendmail and Postfix RPMs

We need to remove the Postfix RPMs to avoid confusion as to which software is running. Postfix has several package dependencies (cronie etc.). To remove, first see what is installed:

    rpm -qa | grep sendmail
    rpm -qa | grep postfix

Then remove without touching the dependencies:

    rpm -e --nodeps sendmail
    rpm -e --nodeps postfix

Go to the Postfix configuration. Without proper configuration Postfix will usually not start successfully.

Dovecot Compile / Install

Prerequisites

Install:
- zlib-devel, openssl-devel
- pam-devel
- quota-devel, quota
- tcp_wrappers-devel
- openldap-devel

Download sources

- expand into its directory, ex. tar zxvf dovecot-2.2.4.tar.gz
- cd into the directory
- configure:

    ./configure --with-pam --with-ldap --with-ssl=openssl --with-zlib --with-libwrap --with-mysql

  Configure summary:
  - Install prefix: /usr/local
  - File offsets: 64bit
  - I/O polling: epoll
  - I/O notifys: inotify
  - SSL: yes (OpenSSL)
  - GSSAPI: no
  - passdbs: static passwd passwd-file shadow pam checkpassword ldap sql
    - bsdauth sia sql vpopmail
  - userdbs: static prefetch passwd passwd-file checkpassword ldap sql nss
    - sql vpopmail
  - SQL drivers:
    - mysql pgsql sqlite
  - Full text search: squat
    - lucene so
ssages found to have banned content (ex. executable files) are immediately quarantined. The user is notified and can request a release from the quarantine.
- The delivery software (Dovecot LDA / LMTP), with the help of the Sieve language plug-in, scans the subject and delivers SPAM messages into the SPAM special IMAP user folder. SPAM folders are automatically cleaned every night with aging criteria as follows:
  - messages are allowed to remain in the SPAM folder for 14 days

A list of systems and procedures used:
- SPF DNS records are both checked and advertised
- DKIM signing is both enforced and checked by Spamassassin

AMAVISD

The overall SPAM software structure and interrelationships are presented in the figure below.

[Fig. 4: Conceptual software interconnection in receive mode (amavis.svg). Components shown: Postfix, Amavisd, Queue, SpamAssassin, Manager]

Install and configure

Amavisd-new is in the EPEL directory and should be installed from there (note that the software required is in the CENTOS CSEXTRAS repo), so a simple yum install amavisd-new should be enough. The configuration here describes the customization of the system over the CentOS default installation.

- start the amavisd service
  - chkconfig amavisd on
  - configure in /etc/amavisd/amavisd.conf
- clamav configuration
  - use the clamd.amavisd service, which starts with user amavis instead of clamd
  - chkconfig clamd.amavisd on
- There is no need to configure Spamassassin in amavisd since it ma
summary, the email applications use the following:

- Dovecot: Syslog Facility local0 -> /var/log/dovecot.log
  - LDA delivery -> /var/log/dovecot-lda.log
  - Information Log -> /var/log/dovecot-info.log
  - Debug -> /var/log/dovecot-debug.log
  - these are not always enabled. Enable only when debugging or when extra information is needed. See the /usr/local/etc/dovecot/conf.d/10-logging.conf file to determine whether these are enabled or not.
  - The verbosity of logging is kept at a minimum in regular operational mode. See 10-logging.conf.
- Postfix: Syslog Facility mail -> /var/log/maillog
  - See the notify_classes parameter to increase reporting capability.
- Amavisd / Spamassassin -> /var/log/spamd.log
- ClamAV -> /var/log/clamav/clamav.log or clamd.log or freshclam.log

Log rotation

Rotating the logs and determining that this works well is a MUST operation. If not done properly, log files will overrun the file system: the log file will overflow, with the result of an OS crash and loss of information. Some applications (ex. dovecot) do not automatically provide logrotate scripts during install to facilitate log rotation, and these must be created manually. Example below.

General logrotate set up:

    daily
    compress
    rotate 21     # 3 weeks of log files for all system logs
    size 1M       # this establishes a default that can be overridden if required

Example logrotate c
t server
    +OK MyUsername InterMail POP3 server signing off

Appendix A: Compiling and Installing from Sources

Compiling all used packages from sources is chosen mainly to take advantage of the new features that appear, but also to act quickly on possible bugs or security problems. CentOS usually lags behind these features, and past experience has shown that there is a clear advantage in compiling from sources. The compilation and installation strategy is:

1. Compilation and, most importantly, installation is done in a way that is compatible with the stock RPM installs. Where necessary (ex. creation of users and groups, start up scripts, etc.) the installation follows the original CentOS conventions. This helps in case we later decide to convert to the original RPMs in the OS. We can do a preliminary install of Dovecot/Postfix to get all the defaults in place. These will need to be revised when the custom compilation is complete and, of course, the RPMs removed to avoid confusion.
2. Configuration and compilation is done on each machine independently, in the root home directory.
3. All new files, including configuration files, are installed in /usr/local to make them independent of RPM files/packages.
4. Runtime files are kept in their default place (ex. queues, lock files, etc.). These files are described for each application separately since they are application
tenance. To move all user sessions to a different back end, from the front end (Director) server:

1. Disable any system that will undo changes you make to back end server weights, such as poolmon or any crons that make such changes.
2. Set the weight of the back end server to be worked on to 0:
   - doveadm director add <backend server ip> 0
3. Flush current assignments to disable new connections to this server:
   - doveadm director flush <backend server ip>
4. From the backend server, close all open sessions:
   - doveadm kick 0.0.0.0/0

Performance

Fault tolerance

Backup

backup: how and when to do an archive for permanent storage; for how long; to expire

Monitoring the Mail system

There are several ways to monitor the activity of both the OS and the E-Mail system:
- log files, with syslog or direct
- e-mail messages generated by the OS and the different modules
- nagios
- supporthelp account

Nagios is an active method of monitoring while the rest are passive. Generated log messages are generally affected by various configuration parameters on each system. Statistics can also provide valuable information on how the system is functioning.

Logging with syslog and files

Log files are an invaluable resource when things do not work as expected. See the logging section for each application setup to understand in more detail the way logs are kept. In
tes

View:

    openssl x509 -in <certificate> -text -noout

To tail and highlight a selection do:

- tail -f /var/log/maillog | perl -pe 's/keyword/\e[1;31;43m$&\e[0m/g'
- or tail-h <file> <keyword> on any of the mail servers

Certificate Mgmt

- View
  - openssl x509 -in <cert> -noout -text

ChangeLog

0.6 Original EmailNG administration manual, the start.
0.7 Changeover to the EmailNG project by the department. There is still much work to be done. 18/06/2014 http://hcmportal.vi.ucy.ac.cy

Troubleshooting Errors

    imap(ank): Debug: Namespace : Mail/ank/Trash/Parking doesn't exist yet, using default permissions

Thunderbird: CANNOT

    Renaming not supported across conflicting directory permissions

This most probably is related to conflicting permissions, like trying to move or delete a folder that has different permissions than its destination folder. Dovecot is picky about that, even though such
th a non receipt reply, producing back scatter email. Any address not verified as local and not belonging to a different domain is rejected as an invalid user.

Since theano/elysso are exposed to the outside world, the decision has been made NOT to give them direct access to the list of names (LDAP) but to allow them to verify the existence of the names via the Postfix VERIFY facility. Front end systems do not care about resolving the aliases, just the fact that it is a valid name for CS. Our user name DB and the preparation of aliases/groups are internal (LDAP and custom scripts). There are two ways to allow access from relay systems:

- the legacy way: the names and aliases are prepared on internal systems (nireas) and forwarded via a system of cron scripts so that we do not expose our LDAP DB. This system is not described in any detail since it is being phased out.
- a new verification system: names and aliases are verified by the relay systems via the VERIFY Postfix facility, essentially using the LDAP remotely and indirectly.
  - smtpd_recipient_restrictions

These two systems will work simultaneously until the legacy system becomes obsolete. For now the legacy system takes precedence over the LDAP system, but this will eventually change.

Back end SMTP hosts have complete access to both the legacy lists and the LDAP DB and authentication services. Therefore they know where
tructure system are:

- Create an email environment with advanced capabilities, fit to support a complex and mobile user environment geared towards the academic environment.
- Robustness, fault tolerance and availability are crucial for an e-mail system: ability to respond to failures in less than a few hours and ability to service systems without loss of functionality.
- Expandability: ability to add more servers or to split functionality among servers (mail delivery functionality, user access, SPAM filtering, virus filtering, etc.).
- Security at every level: SMTP operations, user access and internal communications will be encrypted.
- Speed is of great importance due to the present day large mailboxes generated by multimedia messages and the necessity for clients to query servers at very small and regular intervals.
- Particular attention is paid to robustness, availability and control. No email should be lost. Ability to track server actions as soon as remote clients or servers contact it.
- Support the email functions of regular and advanced users.
- Support a diverse community of entry level students and expert faculty and staff.
- Integrate with it virus and spam control measures.
- Give the user the ability to control some email functionality like SPAM control, filtering, password changes, vacation auto replies, mail sorting using filters, emai
user requests to set up Sieve filters, WebMail and the Mailman list server
- receives messages from the front end relays ONLY
- relays messages (SMTP client) to outgoing servers ONLY
- uses Mailman to manage mailing lists

Access Control Model

The access control model specifies the high level concepts of how the entire system allows access to its functions. It specifies how messages are either accepted for further processing and delivery, or rejected. This is very preliminary:

- postfix access
- postfix user verification (reject_unverified_recipient)
- postfix overquota

[Figure residue: Proxy/Directors, Back end Storage, SMTP server, CS User Authentication]

Names, Aliases, Groups, Lists

Email delivery cannot exist without user names, which form, together with the domain, the final delivery address (destination). User names have a dual role: (a) to authenticate the user and provide proper access to the system, (b) to form the final address which serves as the destination of messages.

General Description

Relay SMTP hosts (theano, elysso) need to have access either to the list of valid users or be able to verify the existence of all the names and aliases for single or multiple users (ie groups) we support. This is essential in order to reject incoming mail at the very early stage (ie the entry point), such that messages will not need to be rejected at a later stage on back end machines wi
y this will resolve to two
- mail1.cs.ucy.ac.cy 194.42.16.130
- mail2.cs.ucy.ac.cy 194.42.16.141 (mirto)
- mail3.cs.ucy.ac.cy 194.42.16.130, 194.42.16.141
  - this is for testing purposes only; users should not make use of it
- gorgo.in
- mirto.in
  - these are only used internally, no user usage

PTR records

A must for outgoing servers, per RFC.

MX records

MX records tell SMTP delivery agents which machines receive mail for our domain. Load balance MX records by giving the same weight:
- IN MX 100 mail1.cs.ucy.ac.cy
- IN MX 100 mail2.cs.ucy.ac.cy

SPF records

1. Add the following SPF records to the cs.ucy.ac.cy domain:

    IN TXT "v=spf1 mx ip4:194.42.17.130 -all"
    IN SPF "v=spf1 mx ip4:194.42.17.130 -all"

2. In every other domain we are authorized hosting for (ex. in.cs.ucy.ac.cy):

    IN TXT "v=spf1 -all"
    IN SPF "v=spf1 -all"

TLS/SSL certificates

TLS/SSL certificates are used by both Postfix and Dovecot to enable the TLS/SSL software to encrypt sessions. Encryption is used throughout the communications sessions. It provides security for both the user and the transfer of data, especially when there is a need to transfer user names and passwords over the network. The same certificates are used by Postfix and Dovecot. All certificates and keys are placed in /etc/pki/tls/certs and /etc/pki/tls/private respectively. Related files are kept under /root/certs. Also under /root/certs or /root/mail-certs we keep the original certific
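The following added example, not from the manual or the department's scripts, evaluates SPF records of the two forms published above against a sender address, so the effect of "mx", "ip4:" and "-all" can be checked before a zone change goes live. DNS answers come from a constructed table (the MX hosts and their addresses are an assumption for the example, not a description of the real zone); only the mechanisms the manual uses are implemented, and anything else raises rather than returning a misleading result. One caveat for the records above: RFC 7208 deprecated the SPF resource record type (type 99), and receivers evaluate the TXT record, so the TXT form is the one that must be kept correct.

```python
"""Minimal SPF evaluator for the record forms in the manual (added example, not from the manual)."""
import ipaddress
from typing import Dict, List, Optional

DnsTable = Dict[str, Dict[str, List[str]]]

# Constructed DNS data shaped like the manual's records. The MX hosts and their
# addresses are an assumption for the example, not a statement about the real zone.
DNS: DnsTable = {
    "cs.ucy.ac.cy": {
        "TXT": ["v=spf1 mx ip4:194.42.17.130 -all"],
        "MX": ["mail1.cs.ucy.ac.cy", "mail2.cs.ucy.ac.cy"],
    },
    "mail1.cs.ucy.ac.cy": {"A": ["194.42.16.130"]},
    "mail2.cs.ucy.ac.cy": {"A": ["194.42.16.141"]},
    "hosted.example": {"TXT": ["v=spf1 -all"]},                    # a hosted domain that sends no mail
    "twice.example": {"TXT": ["v=spf1 -all", "v=spf1 mx -all"]},  # misconfigured: two SPF records
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(table: DnsTable, name: str, rtype: str) -> List[str]:
    """Answers of one record type for a name, from the in-memory table."""
    return table.get(name.lower().rstrip("."), {}).get(rtype, [])


def spf_record(table: DnsTable, domain: str) -> Optional[str]:
    """The domain's single v=spf1 TXT record; None if absent, ValueError (permerror) if several."""
    records = [t for t in lookup(table, domain, "TXT") if t.lower().split(" ", 1)[0] == "v=spf1"]
    if len(records) > 1:
        raise ValueError(f"{domain}: multiple SPF records (permerror)")
    return records[0] if records else None


def check_host(ip: str, domain: str, table: DnsTable = DNS) -> str:
    """Return pass/fail/softfail/neutral/none for a sender IP under the domain's SPF record."""
    record = spf_record(table, domain)
    if record is None:
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism == "ip4":
            matched = sender.version == 4 and sender in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "mx":
            mx_hosts = lookup(table, argument or domain, "MX")
            matched = any(str(sender) in lookup(table, host, "A") for host in mx_hosts)
        else:
            raise NotImplementedError(f"mechanism {mechanism!r} is outside this example")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched (RFC 7208, section 4.7)


if __name__ == "__main__":
    for sender_ip in ("194.42.17.130", "194.42.16.141", "203.0.113.5"):
        print(sender_ip, check_host(sender_ip, "cs.ucy.ac.cy"))
```

Under this record any relay whose address is neither an MX target nor the listed ip4 is rejected with "fail", so a new outgoing server must be added to the record before it sends mail.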
