zoukankan      html  css  js  c++  java
  • RH253读书笔记(7)-Lab 7 Electronic Mail

    Lab 7 Electronic Mail

    Goal: To build common skills with MTA configuration

    Estimated Duration: 90 minutes

    System Setup: Ensure that SELinux and packet filtering are enabled. If you feel confident, then try to complete the lab based only on the specifications given below. The next few pages divide this complex project into manageable sequences.
    Following that are step-by-step sequence solutions to guide you through the process of configuring and verifying proper operation.

    As with other labs, stationX refers to your actual station as denoted by the last octet of your IPv4 address.

    Lab Setup: Instructor: Make sure server1.example.com can receive mail to security@example.com from other hosts.

    Situation: You have been asked to set up an email infrastructure for your organization. Your tasks include:

    • Create myuser1, myuser2, and compliance users, each with the password redhat

    • Users should have IMAPs and POP3s access to the server (using a selfsigned certificate) to check their messages

    • Install and configure Postfix

    • The MTA accepts connections only from hosts within the example.com or cracker.org subnets

    • myuser1 wants to send and receive email as myuser1.alias@stationX.example.com

    • Any message sent to mylist is distributed to myuser1, myuser2, and student

    • All electronic messages should be archived at /var/spool/mail/compliance

    • A copy of every message that mentions the organization's top secret project, "RHCE", should be forwarded to security@example.com

    Sequence 1: Dovecot Setup

    Scenario: Always divide major projects into discrete components. Installing and configuring Dovecot first allows you to use it for testing the MTA configuration in subsequent sequences.

    Deliverable: A working infrastructure for mail retrieval via POPs and IMAPs

    Instructions:

    1. Install Dovecot.

    yum -y install dovecot

    2. Confirm that your system date and time are correct.

    SSL certificates do not work well when created long before or after the actual time. Check your system's date:

    date

    You should see a reasonable time and date. If not, you should correct the system date and time before creating your SSL certificate.

    3. Generate a private key and self-signed digital certificate.

    The first step is to actually generate the private key and self-signed certificate. To avoid setting up a PKI infrastructure and certificate authority, use the Makefile that Red Hat provides:

    less /etc/pki/tls/certs/Makefile

    In the Makefile, notice the target for %.pem. This target generates a private key and places it in a PEM file. The script then generates a self-signed certificate and appends it to the same PEM file holding the private key.

    make checks timestamps when determining which files to process, so find and remove the out-of-box dovecot.pem files:

    find /etc/ -name dovecot.pem -exec rm {} ;

    Make a new dovecot.pem file containing a private key and self-signed certificate:

    make -C /etc/pki/tls/certs dovecot.pem
    ...output truncated...
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:US
    State or Province Name (full name) [Berkshire]:North Carolina
    Locality Name (eg, city) [Newbury]:Raleigh
    Organization Name (eg, company) [My Company Ltd]:Example, Inc.
    Organizational Unit Name (eg, section) []:Enter (leave blank)
    Common Name (eg, your name or your
    server's hostname) []:stationX.example.com
    Email Address []:root@stationX.example.com
    make: Leaving directory `/etc/pki/tls/certs'

    Double-check the location and permissions of your new dovecot.pem file:

    find /etc/pki -name dovecot.pem -ls
    7424004 8 -rw------- 1 root root 2145 Feb 18 22:05
    /etc/pki/tls/certs/dovecot.pem

    The ownership and permissions are appropriate for a new file containing a private key, but it would seem that the dovecot user would be unable to read its private key. However, perusing dovecot.conf finds a comment that the SSL key and cert are loaded before dropping root privileges, so these permissions are OK.

    Check /etc/dovecot.conf to see where dovecot expects to find its key and certificate:

    grep -e ssl_cert -e ssl_key /etc/dovecot.conf
    #ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
    #ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
    #ssl_key_password =

    You need to make the settings in dovecot.conf agree with the actual location. You could copy your new dovecot.pem file to both default locations and then adjust ownership and permissions. Alternatively, you can specify the location of the PEM file you just created.

    Modify /etc/dovecot.conf to specify:

    ssl_cert_file = /etc/pki/tls/certs/dovecot.pem
    ssl_key_file = /etc/pki/tls/certs/dovecot.pem

    4. Specify the correct imaps and pop3s protocols.

    Modify /etc/dovecot.conf to specify only the secure mail retrieval protocols:

    protocols = imaps pop3s

    5. Test your configuration.

    Start dovecot and enable boot-time startup:

    service dovecot restart
    chkconfig dovecot on

    Send a message to root for testing:

    echo 'this is a test' | mail -s test root

    Wait a few seconds, then check root's email (warning: this will fail):

    mutt -f imaps://root@stationX.example.com

    You should see a SASL authentication failure. Perusing /etc/dovecot.conf reveals the following comments:

    # Note that denying root logins is hardcoded to dovecot binary and can't
    # be done even if first_valid_uid is set to 0.

    Repeat your test using the student account:

    echo 'this is a test' | mail -s test student
    mutt -f imaps://student@stationX.example.com

    Examine the certificate carefully before accepting it. In particular, check that the hostname is fully-qualified and that the certificate date looks sane. The time is usually expressed in Universal Time Coordinated (UTC), also known as Greenwich Mean Time (GMT).

    Sequence 2: Initial MTA Setup

    Scenario: This is a complex configuration, so divide it into smaller tasks. For this sequence, concentrate on creating the necessary users and enabling postfix in its default configuration.

    Refer to the step-by-step sequence solutions if you need help or wish to compare your solution to the one provided.

    Deliverable: User accounts and a Postfix server that starts at boot-time

    Instructions:

    1. Create the users myuser1, myuser2, and compliance, each with the password redhat.

    Add the users and assign passwords:

    for NAME in myuser1 myuser2 compliance; do
      useradd $NAME
      echo redhat | passwd --stdin $NAME
    done
    Changing password for user myuser1.
    passwd: all authentication tokens updated successfully.
    ...output truncated

    2. Install Postfix.

    Install the specified MTA and a packet sniffer:

    yum -y install postfix wireshark

    You will use wireshark to observe network traffic.

    3. Set Postfix as your preferred MTA using alternatives.

    Stop and disable sendmail,

    service sendmail stop
    chkconfig sendmail off

    Select postfix as your preferred MTA:

    alternatives --config mta
    There are 2 programs which provide 'mta'.

    Selection Command
    -----------------------------------------------
    *+ 1 /usr/sbin/sendmail.sendmail
    2 /usr/sbin/sendmail.postfix

    Enter to keep the current selection[+], or type selection number: 2enter

    4. Start Postfix and enable it for boot-time startup.

    service postfix start
    chkconfig postfix on

    Confirm that postfix will start at the next reboot:

    chkconfig --list postfix
    postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off

    This is a good time to back up the original Postfix configuration.

    cp -a /etc/postfix /tmp/postfix.orig

    Sequence 3: Configuring the MTA to receive mail

    Scenario: In this sequence you will configure network access and host-based access controls for your MTA.

    Ask your instructor for help if you are unclear on the suggested solution.

    Deliverable: A mail server that is available on the classroom subnet and has essential hostbased access controls in place.

    Instructions:

    1. Use Netfilter to limit access to the specified subnets.

    Confirm that you are using stateful inspection for your host firewall:

    iptables -nvL | grep -i established
    62 4904 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state
    RELATED,ESTABLISHED

    If your output does not include a rule similar to the one above, then insert that rule into the kernel at this time:

    iptables -I INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

    Add rules allowing new connections to the MTA and save your configuration:

    iptables -I INPUT -p tcp --dport 25 -s 192.168.0.0/24 -m state --state NEW -j ACCEPT

    iptables -I INPUT -p tcp --dport 25 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT

    service iptables save; restorecon -R /etc/sysconfig

    2. Configure Postfix to listen on the classroom interface.

    Edit /etc/postfix/main.cf to specify the listening interface:

    #inet_interfaces = localhost
    inet_interfaces = 192.168.0.X

    Restart postfix and confirm that it's listening on the proper interface:

    service postfix restart
    netstat -tulpn | grep master
    tcp 0 0 192.168.0.X:25 0.0.0.0:* LISTEN 16179/master

    3. 

    Test network connectivity from another station. Remote testing is necessary in order to confirm the effectiveness of your firewall rules.

    Start the packet sniffer so that you can observe network traffic in case of a problem with your firewall rules:

    tshark -ni eth0 -R "tcp.dstport eq 25 or tcp.srcport eq 25"

    The above command will show bidirectional traffic between your server and the remote host after the next step. You may use Ctrl-c to break out of tshark at any time. For now, leave it running.

    In a third shell, follow the in-kernel connection tracking table. For optimal viewing, arrange your shells so that you can view both tshark and the connection tracking table side-byside. The following command displays the table, where Y is the last octet of your peer's IP address.

    watch -n1 'grep 192.168.0.Y /proc/net/ip_conntrack'

    Ask one of your peers to telnet to your MTA while you watch the tshark output to confirm that your firewall rules allow traffic. You should see traffic in both directions. You should see the new connection appear in /proc/net/ip_conntrack, as well. Leave tshark running.

    Reciprocate by connecting to a peer host. If connectivity is good, you can expect to see an exchange similar to the following, where Y is the peer's station number.

    telnet stationY.example.com 25
    Trying 192.168.0.Y...
    Connected to stationY.example.com (192.168.0.Y).
    Escape character is '^]'.

    Type Ctrl-] and then quit to exit the telnet session. It is not necessary to test the full SMTP conversation at this point; you merely want to verify two-way communication through your respective firewalls.

    4. Add smtpd_client_restrictions to main.cf to supplement firewall rules.

    Sometimes an administrator will temporarily disable a firewall during troubleshooting, or perhaps the firewall rules are not as effective as the administrator believes. Therefore it's prudent to add an additional layer of protection.

    Review the configuration man page for postconf to familiarize yourself with the proper host-based restrictions. Make sure to use the man page from section 5!

    man 5 postconf

    Before implementing your changes, check the current configuration. Either look in main.cf or use the following command:

    postconf smtpd_client_restrictions
    smtpd_client_restrictions = blank

    The above output indicates that there is nothing to preserve in the configuration when making changes.

    Edit main.cf to include your new restriction. Recall that any line beginning with one or more whitespace characters is considered a continuation of the preceding line.

    smtpd_client_restrictions = check_client_access hash:/etc/postfix/access

    Now edit /etc/postfix/access, adding the following lines to the bottom:

    127.0.0.1 OK
    192.168.0.0/24 OK
    192.168.1.0/24 OK
    0.0.0.0/0 REJECT

    The above restrictions allow localhost, example.com, and cracker.org, but reject connections from all networks. Postfix looks for the most specific match in access files, so order within the access file does not matter.

    It is a good practice to include IPv6 restrictions despite listening only on the IPv4 address. This ensures that IPv6-to-IPv4 transitional addresses such as ::ffff:192.168.0.X do not slip past an access control mechanism.

    Rehash the access file and restart postfix:

    postmap /etc/postfix/access
    service postfix restart

    If your MTA fails to restart, then examine /var/log/messages for errors.

    5. Configure the MTA's destination names for incoming mail.

    In many deployments, you would need to edit main.cf to modify mydestination, but the specs for this lab require only that your server receive mail addressed to it by the full hostname. It is therefore sufficient to confirm that the current key/value pair specifies the various hostnames for this machine.

    postconf mydestination
    mydestination = $myhostname, localhost.$mydomain, localhost

    Double-check your own hostname:

    hostname
    stationX.example.com

    Make sure the output is a fully-qualified domain name or else your system has a hostname problem that needs to be corrected, possibly with the help of the instructor.

    6. Configure the MTA's origin names for outgoing messages.

    The specs for this lab do not require domain masquerading. Nevertheless, you should confirm that myorigin is set appropriately:

    postconf myorigin
    myorigin = $myhostname

    You have already verified that your hostname is correct, so no further action is needed.

    7. Test SMTP connectivity from another station. Remote testing is necessary in order to confirm the effectiveness of your access controls.

    For practice reading the logs, follow the maillog:

    tail -f /var/log/maillog

    Ask another person in class to send a message to root@stationX.example.com and watch the maillog. If you see messages indicating that mail has been rejected, then look again at /etc/postfix/access or even main.cf in case of typos.

    After the maillog shows that a message has been received, check your mail locally using any one of the following commands.

    mutt -f /var/spool/mail/root
    -OR-
    mail
    -OR
    cat /var/spool/mail/root

    Sequence 4: Configuring User-Based Settings

    Scenario: In this sequence you will create a distribution list and configure address rewriting. You will also set up the organizational mail archive and test your settings.

    Deliverable: Message archival and address rewriting.

    Instructions:

    1. Set up message archiving.

    Search for bcc in man 5 postconf to find the exact syntax for the always_bcc directive.

    Edit /etc/postfix/main.cf and add the following line:

    always_bcc = compliance

    2. Set up inbound aliases. An alias can also be used for distribution lists, which makes this step easy.

    Edit /etc/aliases

    myuser1.alias: myuser1
    mylist: myuser1, myuser2, student

    Rehash the aliases by running

    service postfix restart
    -OR-
    newaliases
    -OR-
    postalias /etc/aliases

    3. Set up outbound address rewriting for myuser1.

    Begin by searching for "generic" in man 5 postconf. You should find the directive for smtp_generic_maps along with supporting instructions. The instructions provide a reference to man 5 generic, so feel free to explore that page, as well. Specific Examples are provided in /usr/share/doc/postfix-*/README_FILES/ADDRESS_REWRITING_README.

    Edit /etc/postfix/main.cf and add the following line:

    smtp_generic_maps = hash:/etc/postfix/generic

    Edit /etc/postfix/generic and add the following line:

    myuser1 myuser1.alias@stationX.example.com

    Since postfix is configured to use a hash of this file, you'll need to create one:

    # postalias hash:/etc/postfix/generic

    This should create a generic.db file, which postfix will use. Note that this file must be regenerated every time generic is updated.

    4. Test user-based configuration settings.

    Switch to myuser1 and send an email message to mylist at another workstation.

    su - myuser1
    echo "test message" | mail -vs 'alias test' mylist@stationY.example.com

    Ask your peer at stationY to check their incoming messages for verification, then do the same for that person:

    mutt -f imaps://myuser1@stationX.example.com

    On stationY, the message should be from myuser1.alias@stationX.example.com

    On stationX, the message should be from myuser1.alias@stationY.example.com

    Sequence 5: Procmail

    Scenario: Configure Procmail to capture messages that refer to the organization's secret project, RHCE.

    Deliverable: A working Procmail recipe

    Instructions:

    1. Ensure that Procmail is installed.

    rpm -q procmail

    Use yum to install Procmail if necessary.

    yum -y install procmail

    2. Configure Postfix to use Procmail for local delivery. 

    Postfix includes hooks to enable its built-in, local delivery agent to run a specified command. Locate this option by searching the man page for mailbox_command:

    man 5 postconf

    Confirm the location of the procmail binary:

    which procmail
    /usr/bin/procmail

    Edit /etc/postfix/main.cf:

    mailbox_command = /usr/bin/procmail

    Restart your MTA:

    service postfix restart

    Confirm that your setting was effective:

    postconf mailbox_command
    mailbox_command = /usr/bin/procmail

    3. Test procmail locally using a simple recipe.

    Review the Procmail man pages before creating a simple recipe for local testing.

    man procmail
    man procmailrc
    man procmailex

    Create /etc/procmailrc and add a simple recipe to make sure that Procmail is working as you expect:

    cat > /etc/procmailrc << EOF
    LOGFILE=/var/spool/mail/procmail.log
    VERBOSE=yes

    :0 c
    * ^Subject.*rhce
    /var/spool/mail/procmail.test
    EOF

    The simple file above directs Procmail to log its actions verbosely to /var/spool/mail/procmail.log for testing. Recipes start with the "colon zero" line. This recipe includes the c flag to indicate that procmail should continue processing even after a successful match. The star line (*) indicates a regular expression match filter. Procmail ignores case by default, so the regex matches any message with RHCE in any combination of case within the subject line. The last line is the action and instructs procmail to store the message in the file /var/spool/mail/procmail.test.

    It's a continuing recipe as indicated by the c flag, so the message will still go into the intended recipient's mailbox even if it matches the regex and is therefore placed into the indicated file.

    Placing the procmail output files in /var/spool/mail is essential since both Postfix and Procmail are in the default targeted policy.

    With /etc/procmailrc in place, test the recipe by sending a matching message on your machine.

    mail -vs test-RHCE student
    This is a test
    .
    Cc:Enter
    Mail Delivery Status Report will be mailed to <root>.

    The dot on a line by itself terminates input.

    Review the mail log:

    tail -f /var/log/maillog

    You'll find a line containing the following error:

    can't create user output file. Command output:
    procmail: Couldn't create "/var/mail/nobody" procmail: [7313] Wed Feb 20:41:02 2007 procmail: Assigning "LOGFILE=/tmp/procmail.log" procmail:
    Opening "/tmp/procmail.log" procmail: Error while writing to
    "/tmp/procmail.log" procmail

    Start with a long listing on /var/mail, then follow up as shown:

    ls -ld /var/mail
    lrwxrwxrwx 1 root root 10 Nov 26 13:49 /var/mail -> spool/mail
    ls -ld /var/spool/mail
    drwxrwxr-x 2 root mail 4096 Feb 21 20:58 /var/spool/mail/

    Noting that only root and members of the mail group have write access to the mail spool directory, consider:

    • You could add the nobody user to the mail group, but that would give wide access to the mail spool. Don't do this.

    • You could change procmail to run setgid, in which case it would run as the postfix user. Presumably, postfix is a member of the mail group.

    Test this assumption:

    grep mail /etc/group
    mail:x:12:mail,postfix,exim
    ll `which procmail`
    -rwxr-xr-x 1 root mail 92452 Jul 12 2006 /usr/bin/procmail

    Yes, it's a valid assumption, so try making procmail run setgid so that it will run with the privileges of postfix instead of nobody.

    chmod g+s /usr/bin/procmail
    ll `which procmail`
    -rwxr-sr-x 1 root mail 92452 Jul 12 2006 /usr/bin/procmail
    mail -vs test-RHCE student
    This is a test
    .
    Cc:Enter
    Mail Delivery Status Report will be mailed to
    <root>.
    tail /var/log/maillog
    ...output truncated...
    delivered to command: /usr/bin/procmail

    Confirm that procmail was able to write the files specified in your recipe:

    ll /var/spool/mail/procmail*
    -rw------- 1 nobody mail 901 Feb 21 21:14 /var/spool/mail/procmail.log
    rw------- 1 nobody mail 995 Feb 21 21:14 /var/spool/mail/procmail.test

    Excellent! Check the contents of both files.

    less /var/spool/mail/procmail.*

    4. Extend your recipe to search the entire message. procmailrc (5) indicates that without a specific flag to instruct Procmail otherwise, it will search only the header of messages. Your specification must search the entire message.

    Edit /etc/procmailrc and add two flags to the :0 line. Also remove "^Subject" from the regex so that your expression will match all lines and not just the subject. Your completed recipe should appear as:

    :0 cHB
    * .*rhce
    /var/spool/mail/procmail.test

    Test again using three messages. The first will test the header match. The second will test the body match. The third will test a message that should not match.

    mail -vs test-RHCE student
    This is a test that matches the subject keyword.
    .
    Cc:Enter
    Mail Delivery Status Report will be mailed to <root>.
    mail -vs test student
    This is a test that should match RHCE in the body.
    .
    Cc:Enter
    Mail Delivery Status Report will be mailed to <root>.
    mail -vs test student
    This is a test that should not match.
    .
    Cc:Enter
    Mail Delivery Status Report will be mailed to <root>.

    Check the contents of /var/spool/mail/procmail.test to ensure that it has the first two test messages. The last message should not be present.

    mutt -f /var/spool/mail/procmail.test

    5. Extend your recipe to forward matching messages to security@example.com.

    Search procmailrc (5) for the second occurence of !. The man page explains that this
    forwards the message to the indicated address.

    Edit /etc/procmailrc once again to make your change. Your recipe should be:

    :0 cHB
    * .*rhce
    ! security@example.com

    Test again:

    mail -vs test root
    This test should match rhce in the body.
    .
    Cc:Enter
    Mail Delivery Status Report will be mailed to <root>.

    Check your mail log to see if it forwarded the message to the security email address:

    grep security /var/log/maillog

    You should see a log message indicating that a message has been sent to security@example.com.

    • If not, then review /etc/procmailrc or the mail log for errors and try again.
    • If yes, then ask the instructor to check the mail for security to confirm that your message was received.

    Once you are satisfied that your recipe is working as specified, then remove the logging and verbose directives from /etc/procmailrc.

    6. Challenge: why does each matching message result in three forwards to security?

    Review the actual messages and your mail log for the answer. One copy of the messsage is delivered to compliance, which triggers procmail. Another copy is delivered to your recipient, which also triggers procmail.

  • 相关阅读:
    java算法:树遍历
    java算法:图遍历(深度优先和广度优先)
    Google禁止继续研发开源的"盖亚计划"
    Vc编程调试入门
    访著名Linux内核程序员大鹰
    访著名Linux内核程序员大鹰
    百度玩"精准搜索" 个人隐私保护问题值得商榷
    Google禁止继续研发开源的"盖亚计划"
    加密CMD使电脑溢出也拿不到CMD权限
    百度玩"精准搜索" 个人隐私保护问题值得商榷
  • 原文地址:https://www.cnblogs.com/thlzhf/p/3477977.html
Copyright © 2011-2022 走看看