alexalmazan.com

Postfix SPF

aalmazan@rackspace.com (alex almazan) — Wed, 30 Jul 2008 08:18:00 -0500

This article is to ouline the specifics for implementing SPF policy framework for Postfix provided in Redhat Enterprise Linux (es4/es5).

1.) First install all the necessary perl modules via RPM that you will require:

http://dag.wieers.com/rpm/packages/perl-Net-Address-IPv4-Local/ http://dag.wieers.com/rpm/packages/perl-NetAddr-IP/ http://dag.wieers.com/rpm/packages/perl-Mail-SPF/

(additional RPMs may be required) I would recommend that you refrain from installing via CPAN as a mix of RPM installed and CPAN installed modules can lead to issues in the future.

2.) Obtain and install the SPF perl script

cd /usr/src
wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.001.tar.gz
tar xvfz postfix-policyd-spf-perl-2.001.tar.gz
cd postfix-policyd-spf-perl-2.001
cp postfix-policyd-spf-perl /usr/libexec/postfix/postfix-policyd-spf-perl
chomd o+x /usr/libexec/postfix/postfix-policyd-spf-perl

Ensure that you set the script to executable, or errors such as these are recieved

warning: command /usr/bin/perl exit status 2
postfix/smtpd: warning: premature end-of-input on private/policy while reading input attribute name

3.)Next, edit the postfix configuration file ’/etc/postfix/master.cf’ This line should be appended to the end of the configuration.

policy  unix  -       n       n       -       -       spawn
        user=nobody argv=/usr/bin/perl /usr/lib/postfix/policyd-spf-perl

4.)Next open /etc/postfix/main.cf and find the directive “smtpd_recipient_restrictions” You should have reject_unauth_destination in that directive, and right after reject_unauth_destination add ‘check_policy_service unix:private/policy’

smtpd_recipient_restrictions =permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service unix:private/policy

important ensure that you specify “check_policy_service” AFTER “reject_unauth_destination” or else you will have an open relay!

Plesk TLS

aalmazan@rackspace.com (alex almazan) — Mon, 21 Jul 2008 03:21:22 -0500

The following syntax will help determine any issues with the certificates loaded for TLS: -

openssl s_client -connect 127.0.0.1:25 -starttls smtp -debug

Your mileage will vary

EXT3 online resize

aalmazan@rackspace.com (alex almazan) — Tue, 03 Jun 2008 01:32:00 -0500

Introduction of an additional drive into a RAID array to expand capacity requires additional steps in the OS to expand the partition without data loss.

First, fdisk the device and delete the “EXTENDED” partition that you are looking to resize, in this instance partition 4.

[root@app1 ~]# fdisk /dev/sda

The number of cylinders for this disk is set to 53309.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk /dev/sda: 438.4 GB, 438489317376 bytes
255 heads, 63 sectors/track, 53309 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13      104391   83  Linux
/dev/sda2              14         274     2096482+  83  Linux
/dev/sda3             275         405     1052257+  82  Linux swap
/dev/sda4             406       35539   282213855    5  Extended
/dev/sda5             406       35539   282213823+  83  Linux
Command (m for help): d
Partition number (1-5): 4

Command (m for help): p

Disk /dev/sda: 438.4 GB, 438489317376 bytes
255 heads, 63 sectors/track, 53309 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13      104391   83  Linux
/dev/sda2              14         274     2096482+  83  Linux
/dev/sda3             275         405     1052257+  82  Linux swap

Once this has been removed the partition should be re-created as extended, then a primary partition introduced

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
e
Selected partition 4
First cylinder (406-53309, default 406): 
Using default value 406
Last cylinder or +size or +sizeM or +sizeK (406-53309, default 53309): 
Using default value 53309

Command (m for help): p

Disk /dev/sda: 438.4 GB, 438489317376 bytes
255 heads, 63 sectors/track, 53309 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13      104391   83  Linux
/dev/sda2              14         274     2096482+  83  Linux
/dev/sda3             275         405     1052257+  82  Linux swap
/dev/sda4             406       53309   424951380    5  Extended

Now introduce a primary partition on the extended NOTICE- The cylinder in use of the removed partition should be noted as the subsequent introduction of the new partition will require this detail in order to preserve the data

Command (m for help): n
First cylinder (406-53309, default 406): 
Using default value 406
Last cylinder or +size or +sizeM or +sizeK (406-53309, default 53309): 
Using default value 53309

Command (m for help): p

Disk /dev/sda: 438.4 GB, 438489317376 bytes
255 heads, 63 sectors/track, 53309 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13      104391   83  Linux
/dev/sda2              14         274     2096482+  83  Linux
/dev/sda3             275         405     1052257+  82  Linux swap
/dev/sda4             406       53309   424951380    5  Extended
/dev/sda5             406       53309   424951348+  83  Linux

write the changes and exit

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table.
The new table will be used at the next reboot.
Syncing disks.

A reboot of the system is required. The final step is ‘ext2online’ of ’/’

[root@app1 ~]# ext2online /
ext2online v1.1.18 - 2001/03/18 for EXT2FS 0.5b

Partition expanded from this:

[root@app1 ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda5             265G  256G  9.9G  97% /
/dev/sda1              99M   12M   82M  13% /boot
none                  2.0G     0  2.0G   0% /dev/shm
/dev/sda2             2.0G   53M  1.9G   3% /tmp

to this

[root@app1 ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda5             399G  227G  173G  57% /
/dev/sda1              99M   12M   82M  13% /boot
none                  2.0G     0  2.0G   0% /dev/shm
/dev/sda2             2.0G   52M  1.9G   3% /tmp

IPTables and libwrap

aalmazan@rackspace.com (alex almazan) — Sat, 03 May 2008 01:02:00 -0500

Secruing Services

NOTE choose the easiest otions first such as TCPwrappers to control service connections.

/etc/hosts.allow
/etc/hosts.deny

man page syntax identical:

basic syntax is : : ex. to allow ssh connections for SSH

sshd: 192.168.2.200

These files are parse in the following order:

/etc/hosts.allow	If the configuration of this file permits the requested connection, the connection is immediately allowed
/etc/hosts.deny	If the configuration of this file does not permit the requested connection, the connection is immediately refused.

TCP wrappers can only be run on packages compiled agains libwrap. ldd can be used to check if it has been compiled against libwrap.

example for checking with ‘ldd’

[root@station home]# ldd /usr/sbin/sendmail.sendmail |grep wrap
        libwrap.so.0 => /usr/lib/libwrap.so.0 (0x006a8000)

portmap is another service , but it is a bit convoluted:

[root@station home]# strings /sbin/portmap |grep hosts
hosts_access_verbose
hosts_allow_table
hosts_deny_table
/etc/hosts.allow
/etc/hosts.deny

here are others configured against libwrap:

ssh,sendmail,xinetd,vsftpd,stunnel - Two choices when configuring hosts.allow|deny in the following example. permit connections for vsftp from 10.1.1.1, but block from 10.0.0.0/255.0.0.0

you can make seperate entries in both:

hosts.deny

vsftpd: 10.0.0.0/255.0.0.0

hosts.allow

vsftpd: 10.1.1.1

Or you can add this to just the deny file as suggested with the keyword

‘EXCEPT’

# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
#vsftpd: 10.0.0.0/255.0.0.0
vsftpd: 10.0.0.0/255.0.0.0 EXCEPT 10.1.1.1

‘ALL’ can be used in the config as the service or the connecting source:

ALL:ALL EXCEPT 192.168.1.1

In /etc/hosts.deny to block all service affected by libwrap, but open to the one source or

ALL:ALL

In hosts.deny, with explicit service permissions in /etc/hosts.allow.

‘DenyHosts is a script from sourceforge that you can run from cron to parse /var/log/secure to review those that have attempted multiple brute force attacks’ (‘swatch’-‘pamABL’ are similar scripts, but modify iptables)

IPTables

Permits packet filterring at the kernel level. Netfilter is the kernel module that does the dirty work, iptables helps define the rules/chains to permit/deny through the kernels ip stack.

INPUT	responsible for inbound destined for the server
OUTPUT	responsible for outbound traffic leaving the server
FORWARD	across the servers interfaces

iptables -L

lists or prints the current rules in place

iptables -L -n -v -t nat

iptables-save writes to /etc/sysconfig/iptables. (keeping rules persistent,they must be apart of this file)

Configuration parsed from top to bottom. IPTables will response based on the first match. If there is no specific match, the chain policy will apply.

IPtables uses targets to determine what action will be taken if traffic matches an existing rule.

DROP	will drop package and send no info to the user
REJECT	will send a connection refused notice back to the sender
ACCEPT	will permit the connection
LOG	will log the connection attempt

IPTables syntax rule formulation help:-

What chain will the rule apply to?

-A INPUT

What patterns(s) would you like to check for?

-s 192.168.2.100

To make the rule active, you can add the following info to /etc/sysconfig/iptables

-A INPUT -s 192.168.2.100 -j REJECT

You can also configure the rule from CLI with

iptables -A INPUT -s 192.168.2.100 -j REJECT

What should IPTables do when a matching pattern is found?

-j REJECT

You can also match on the following criteria:

-i	incoming interface
-p	protocol
-s	source ip address
-d	destination ip address
-dport	destination port

Saving the rules service iptables-save

iptables -D INPUT 3

This command will delete the third rule in the INPUT CHAIN A quick means of identifying line number is:

iptables -L --line-numbers

iptables -D INPUT <rule>

This command will delete the specific rule from the INPUT chain.

iptables -F

This command will flush the IPTables rulesets

system-config-securitylevel utility used to create the following config

[root@station sysconfig]# cat iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT                             
---(permit the loopback)
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT                             
---(for ipsec)
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT                             
---(for ipsec)
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
---(multicast/Avahi)
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT            ---(for cups)
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT            ---(for cups)
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 837 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j
ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

created the following chain to apply the rules in /etc/sysconfig/iptables:

RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT

This and the allowed outlined rules above where automagically put in place. Considered a mostly closed configuration based on the ‘ACCEPT’ policy. If you need to use the rulesets generated by ‘system’ utlities comment out the last rule to keep from failing the test

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

service iptables panic changes to a default drop policy

[root@station sysconfig]# service iptables panic
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy DROP: filter                      [  OK  ]
[root@station13 sysconfig]# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination

Put these back in place to permit connections

[root@station sysconfig]# iptables -P INPUT ACCEPT
[root@station sysconfig]# iptables -P OUTPUT ACCEPT

[root@station sysconfig]# iptables -L -v
Chain INPUT (policy ACCEPT 1 packets, 78 bytes)
 pkts bytes target     prot opt in     out     source              
destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination

configure your mail server not to accept connections from the 192.168.1.0/24 network, EXCEPT for the 192.168.1.2 host:

iptables example

[root@station etc]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  10.0.0.0/8           anywhere            reject-with
icmp-port-unreachable
ACCEPT     tcp  --  192.168.1.2          anywhere            tcp dpt:smtp
REJECT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:smtp
reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@station etc]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Thu Aug  9 16:08:07 2007
*filter
:INPUT ACCEPT [134:32679]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [47:4569]
-A INPUT -s 10.0.0.0/255.0.0.0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 25 -j REJECT
--reject-with icmp-port-unreachable

tcp wrapper example ( since this said sendmail, it must be the MTA running, not postfix, as postfix is not compiled against libwrap)

alternatives—config mta

then /etc/hosts.deny:

[root@station etc]# cat /etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
#vsftpd: 10.0.0.0/255.0.0.0
#vsftpd: 10.0.0.0/255.0.0.0 EXCEPT 10.1.1.1
sendmail: 192.168.1.0/24 EXCEPT 192.168.1.2

followed with rules for governing port 110/143: -

[root@station etc]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Thu Aug  9 16:08:07 2007
*filter
:INPUT ACCEPT [134:32679]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [47:4569]
-A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 143 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 993 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 110 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 995 -j REJECT --reject-with icmp-port-unreachable

DoveCot SSL

aalmazan@rackspace.com (alex almazan) — Sat, 03 May 2008 00:42:00 -0500

In order to configure SSL for dovecot, the following is recommended

[root@station ]# cd /etc/pki/
[root@station pki]# ls
CA  dovecot  nssdb  rpm-gpg  tls
[root@station pki]# find . -name Makefile
./tls/certs/Makefile
[root@station pki]# cd tls/certs/
[root@station certs]# ls
ca-bundle.crt  localhost.crt  make-dummy-cert  Makefile
[root@station certs]# make
This makefile allows you to create:
  o public/private key pairs
  o SSL certificate signing requests (CSRs)
  o self-signed SSL test certificates

To create a key pair, run "make SOMETHING.key".
To create a CSR, run "make SOMETHING.csr".
To create a test certificate, run "make SOMETHING.crt".
To create a key and a test certificate in one file, run "make SOMETHING.pem".

To create a key for use with Apache, run "make genkey".
To create a CSR for use with Apache, run "make certreq".
To create a test certificate for use with Apache, run "make testcert".

To create a test certificate with serial number other than zero, add
SERIAL=num

Examples:
  make server.key
  make server.csr
  make server.crt
  make stunnel.pem
  make genkey
  make certreq
  make testcert
  make server.crt SERIAL=1
  make stunnel.pem SERIAL=2
  make testcert SERIAL=3

Dovecot requires a pem, which consists of a key and a cert. Once generated, place in the location that is outlined in the server configuration.

[root@station certs]# make dovecot.pem
umask 77 ; \
        PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
        PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
        /usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes
-x509 -days 365 -out $PEM2 -set_serial 0 ; \
        cat $PEM1 >  dovecot.pem ; \
        echo ""    >> dovecot.pem ; \
        cat $PEM2 >> dovecot.pem ; \
        rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
.............++++++
..++++++
writing new private key to '/tmp/openssl.B21904'

You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ’.’, the field will be left blank.

Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Texas
Locality Name (eg, city) [Newbury]:San Antonio
Organization Name (eg, company) [My Company Ltd]: SSL example 
Organizational Unit Name (eg, section) []:3rd shift
Common Name (eg, your name or your server's hostname)
[]:station.rhce.example.com
Email Address []:user@rhce.example.com
[root@station certs]# ls
ca-bundle.crt  dovecot.pem  localhost.crt  make-dummy-cert  Makefile

mailtips for checking email during the test utilize mutt

mutt -s imaps://user@@serverhost

mutt -f imaps://localhost for checking/displaying:

q:Exit  ?:Help
This certificate belongs to:
   station.rhce.example.com
   Unknown
   SSL example
   3rd shift
   San Antonio

This certificate was issued by:
   station.rhce.example.com
   Unknown
   SSL example
   3rd shift
   San Antonio

This certificate is valid
   from Aug  9 16:52:18 2008 GMT
     to Aug  8 16:52:18 2009 GMT

Fingerprint: B247 62D4 197F 401B 61EA BC83 8733 8D9A

Telnet test to port 110 and SSL mutt foo.

[root@station etc]# telnet 0 110
Trying 0.0.0.0...
Connected to 0 (0.0.0.0).
Escape character is '^]'.
+OK Dovecot ready.
user mike
+OK
pass redhat
+OK Logged in.
list
+OK 1 messages:
1 472
.
retr 472
-ERR There's no message 472.
retr 1
+OK 472 octets
Return-Path: <root@station.example.com>
X-Original-To: ru@station.example.com
Delivered-To: user@station.example.com
Received: by station.example.com (Postfix, from userid 0)
        id CFB341988BE; Thu,  9 Aug 2007 13:09:10 -0500 (CDT)
To: ru@station.example.com
Subject: maildirdelivery
Message-Id: <20070809180910.CFB341988BE@station13.example.com>
Date: Thu,  9 Aug 2007 13:09:10 -0500 (CDT)
From: root@station.example.com (root)

maildir lab example

additional notes post lab

edits to /etc/dovecot.conf

protocols = imap imaps pop3 pop3s

the pem copied into these locations

##
## SSL settings
##

# IP or host address where to listen in for SSL connections. Defaults
# to above if not specified.
#ssl_listen =

# Disable SSL/TLS support.
ssl_disable = no

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened
before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem

Postfix Maildir

aalmazan@rackspace.com (alex almazan) — Fri, 02 May 2008 16:59:00 -0500

Rhel5 Postfix installations support the ‘mbox’ mailbox typically found in ’/var/spool/mail’ This default behavior can be changed to ‘Maildir’ if desired.

(You cannot revert back to ‘mbox’ once you have opted to change to Maildir, and you cannot switch back to Sendmail without losing all messages stored and delivered.)

postconf -e home_mailbox="Maildir/" 
postconf -e local_recipient_maps="unix:passwd.byname $alias_maps" 
postfix reload

These changes are required as per the following settings outlined in “/etc/postfix/main.cf”

---# REJECTING MAIL FOR UNKNOWN LOCAL USERS
#
# The local_recipient_maps parameter specifies optional lookup tables
# with all names or addresses of users that are local with respect
# to $mydestination, $inet_interfaces or $proxy_interfaces.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown local users. This parameter is defined by default.
#
# To turn off local recipient checking in the SMTP server, specify
# local_recipient_maps = (i.e. empty).
#
# The default setting assumes that you use the default Postfix local
# delivery agent for local delivery. You need to update the
# local_recipient_maps setting if:
#
# - You define $mydestination domain recipients in files other than
#   /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
#   For example, you define $mydestination domain recipients in
#   the $virtual_mailbox_maps files.

Locals Only Postfix

aalmazan@rackspace.com (alex almazan) — Fri, 02 May 2008 16:56:00 -0500

The default Rhel5 Postfix installation does not have an interface assigned for use. This is similar to the default Rhel5 Sendmail defaulting to only serve localhost.

To over come this behavior, you can use the Postfix installed postconf utility as opposed to a direct edit to the file ’/etc/postfix/main.cf’

 
postconf -e "inet_interfaces=all"

Next issue either ‘postfix reload’ or ‘service postfix restart| stop | start’ as root.

Locals Only

aalmazan@rackspace.com (alex almazan) — Fri, 02 May 2008 15:46:00 -0500

Sendmail default installations are established solely on localhost, please ensure that initial ‘.mc’ edits should include changes to the following line in the file ‘/etc/mail/sendmail.mc’

From this:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

To this:

DAEMON_OPTIONS(`Port=smtp,Name=MTA')dnl

Considerations for SMTP authentication should also be put forth in the initial edits. Remove each ‘dnl’ from the front of the lines in the file ‘/etc/mail/sendmail.mc’ that impact these listed configuration options:

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN'')dnl
define(`confAUTH_MECHANISMS'', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN 
PLAIN'')dnl

Once your edits are in place, regenerate the configuration

[root@station mail]# service sendmail restart
Shutting down sm-client:                                   [  OK  ]
Shutting down sendmail:                                    [  OK  ]
Starting sendmail:                                         [  OK  ]
Starting sm-client:                                        [  OK  ]
[root@station mail]# telnet 192.168.0.1 25
Trying 192.168.0.1...
Connected to station.example.com (192.168.0.1).
Escape character is '220 station.example.com ESMTP Sendmail 8.13.8/8.13.8; Thu, 9 Aug 2008
10:36:18 -0500
quit
221 2.0.0 station.example.com closing connection

Connection closed by foreign host.

Switching Rhel5 MTA

aalmazan@rackspace.com (alex almazan) — Fri, 02 May 2008 15:22:00 -0500

Rhel alternatives script

Rhel5 as with Enterprise 3 and 4 comes with a scripted mechanism for establishing some very important symbolic links in the system. This functionality permits you to transtion your system into using the MTA of your choice. The scripted utility is called ‘alternatives’

Notes on the utilities usage:

“alternatives—display mta“

[root@station13 RHEL5RPMS]# alternatives --display mta
mta - status is auto.
 link currently points to /usr/sbin/sendmail.sendmail
/usr/sbin/sendmail.sendmail - priority 90
 slave mta-pam: /etc/pam.d/smtp.sendmail
 slave mta-mailq: /usr/bin/mailq.sendmail
 slave mta-newaliases: /usr/bin/newaliases.sendmail
 slave mta-rmail: /usr/bin/rmail.sendmail
 slave mta-sendmail: /usr/lib/sendmail.sendmail
 slave mta-mailqman: /usr/share/man/man1/mailq.sendmail.1.gz
 slave mta-newaliasesman: /usr/share/man/man1/newaliases.sendmail.1.gz
 slave mta-aliasesman: /usr/share/man/man5/aliases.sendmail.5.gz
 slave mta-sendmailman: /usr/share/man/man8/sendmail.sendmail.8.gz
/usr/sbin/sendmail.postfix - priority 30
 slave mta-pam: /etc/pam.d/smtp.postfix
 slave mta-mailq: /usr/bin/mailq.postfix
 slave mta-newaliases: /usr/bin/newaliases.postfix
 slave mta-rmail: /usr/bin/rmail.postfix
lave mta-mailqman: /usr/share/man/man1/mailq.postfix.1.gz
 slave mta-newaliasesman: /usr/share/man/man1/newaliases.postfix.1.gz
 slave mta-aliasesman: /usr/share/man/man5/aliases.postfix.5.gz
 slave mta-sendmailman: /usr/share/man/man1/sendmail.postfix.1.gz
Current `best' version is /usr/sbin/sendmail.sendmail.

The output reveals that this system is set for Sendmail usage. Take note of the listed item ‘link currently points to /usr/sbin/sendmail.sendmail’ Redhat is equipped with two versions of ‘sendmail’ for use, the file(s) /usr/sbin/sendmail.postfix and /usr/sbin/sendmail.sendmail. The script alternatives switches the system links to permit the use of either MTA.

Swap system MTA to Postfix via alternatives—config mta

[root@station13 RHEL5RPMS]# alternatives --config mta
  Selection    Command
-----------------------------------------------
*+ 1           /usr/sbin/sendmail.sendmail
   2           /usr/sbin/sendmail.postfix

Select the number presented to change the MTA in use. Complete all the dialog on the screen and the alternatives script does all the heavy lifiting.

(Once this is performed, it is important to review the startup scripts to ensure the appropriate MTA starts at server boot time.

[root@station13 ]# chkconfig --list |egrep 'sendmail|postfix'
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
postfix         0:off   1:off   2:on    3:off    4:off    5:off    6:off

Change this to ‘Postfix’ with

[root@station13 ]#chkconfig --level 345 sendmail off
[root@station13 ]#chkconfig --level 345 postfix on

Recheck the preferred MTA

[root@station13 ]# chkconfig --list |egrep 'sendmail|postfix'
sendmail       0:off   1:off   2:on    3:off    4:off    5:off    6:off
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off

notice the change once sendmail/postfix is changed. It is imperative that these be reviewed if you are transitioning the MTA with ‘alternatives‘

Rhel5 MTA options

aalmazan@rackspace.com (alex almazan) — Tue, 29 Apr 2008 15:31:00 -0500

Which MTA? Differences reviewed

A Mail Transfer Agent (MTA) is a program that delivers mail and transports it between machines. Usually, there is only one MTA running on a machine at any particular time.

MUA vs. MTA – A Mail User Agent (MUA) is a program that users run to read, reply, to , compose and dispose of emails ( such as outlook, mozilla) You can have many different MUA’s installed and running on one machine.

Sendmail is an extremely popular mail transfer agent (MTA) used by default on many distributions to handle SMTP messaging.

The default Sendmail directory set in Rhel5 is ‘/etc/mail’. (this does not differ from prior enterprise versions a.k.a AS2.1,rhel3,& rhel4)

The file /etc/mail/sendmail.mc serves as the configuration framework. (BSD {free,open,net} Sendmail renames this file hostname.mc post ‘make install’ in /etc/mail as root)

Regenerate sendmail.mc

The file /etc/mail/sendmail.cf is the cryptic assembly built from the framework ‘.mc’ file with the following syntax as root.

# make -C4 /etc/mail

You can also perform the following for generating the configuration, as well as a ‘service sendmail restart‘

m4 < sendmail.mc>sendmail.cf

Once you have made an attempt to regenerate the Sendmail configuration, you should check that the corresponding ‘.cf’ file has been updated. To do so quickly, list the contents of ‘/etc/mail’ with ‘ls -lrt’, the file should appear at the bottom of the output recieved.

[root@station ]# ls -lrt
total 356
-r--r--r-- 1 root root 41286 Nov 28  2006 submit.cf.bak
-rw-r--r-- 1 root root  5521 Nov 28  2006 helpfile
-rw-r--r-- 1 root root     0 Nov 28  2006 virtusertable
-rw-r--r-- 1 root root   127 Nov 28  2006 trusted-users
-rw-r--r-- 1 root root   940 Nov 28  2006 submit.mc
-rw-r--r-- 1 root root  1048 Nov 28  2006 Makefile
-rw-r--r-- 1 root root     0 Nov 28  2006 mailertable
-rw-r--r-- 1 root root    64 Nov 28  2006 local-host-names
-rw-r--r-- 1 root root     0 Nov 28  2006 domaintable
-rw-r--r-- 1 root root   355 Nov 28  2006 access
-rw-r----- 1 root root 12288 Aug  6 15:43 virtusertable.db
-rw-r--r-- 1 root root 58205 Aug  6 15:43 sendmail.cf.bak
-rw-r----- 1 root root 12288 Aug  6 15:43 mailertable.db
-rw-r----- 1 root root 12288 Aug  6 15:43 domaintable.db
-rw-r----- 1 root root 12288 Aug  6 15:43 access.db
-rw-r--r-- 1 root root  7202 Aug  9 10:33 sendmail.mc
-rw-r--r-- 1 root root 40239 Aug  9 10:34 submit.cf
-rw-r--r-- 1 root root 58240 Aug  9 10:34 sendmail.cf

Regeneration of the Sendmail configuration files should incorporate any and all configuration details put into the default sendmail.mc

Start up and shutdown of the Sendmail service can be achieved with the syntax ‘service sendmail stop|start|restart’. You can also interact with the service, as you do for BSD based Sendmail from the directory ’/etc/mail’. To do so, issue ‘make start’ or ‘make install start‘

Upon service startup, especially after changes to the framework file /etc/mail/sendmail.mc, a quick connection test to port 25 should confirm success or failure of the changes put forth into the file ‘/etc/mail/sendmail.cf’. Receipt of 200 series response codes are usually enough to confirm successful service operation.

Here is a telnet test example for a generic system ‘user’

[root@station mail]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 station.example.com ESMTP Sendmail 8.13.8/8.13.8; Thu, 9 Aug 2008
10:40:29 -0500
ehlo localhost
250-station.example.com Hello localhost.localdomain [127.0.0.1], pleased
to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
mail from:root@localhost
250 2.1.0 root@localhost... Sender ok
rcpt to:user@rhce.example.com
250 2.1.5 user@rhce.example.com... Recipient ok
data
354 Enter mail, end with "." on a line by itself
subject:using telnet
from:root
this is a body test good config
.
250 2.0.0 l79FeTOX020441 Message accepted for delivery
quit
221 2.0.0 station.example.com closing connection
Connection closed by foreign host.

Here is the message generated confirming local delivery

[root@station mail]# tail -f /var/spool/mail/user
Received: from localhost (localhost.localdomain [127.0.0.1])
        by station.example.com (8.13.8/8.13.8) with ESMTP id l79FeTOX020441
        for user@rhce.example.com; Thu, 9 Aug 2008 10:41:48 -0500
Date: Thu, 9 Aug 2008 10:40:29 -0500
From: root <root@station.example.com>
Message-Id: <200708091541.l79FeTOX020441@station.example.com>
subject: using telnet

this is a body test good config

Virtual Hosting with Sendmail

The file virtusertable serves as a mechanism for building a virtual user environment for multiple domain hosting as well as message forwarding. The file format employs a dual column setup. The leftmost column defines the virtual hosted user at domain ‘user@FQDN‘

The right hand column can be represented by a system user, or a forwarding email address. The first delivery condition is always utilized.

sales@rhce.example.com        user
sales@demo.example.com        auser@example.com
@demo.example.com             student
script@rhce.example.com        |/path/to/file

Notice – the last listed examples highlights that you can use the virtusertable to forward incoming messages to custom scripts.If file is a txt field, it will append messages. If file is a script then the script will execute with the messages as stndin.

Once the virtusertable is created/editted, it has to be regenerated to incorporate the changes much like the MTA’s main configuration file. A service restart of Sendmail will do it, as will the following syntax as root from the command line shell

[root@station ]#makemap hash virtusertable <virtusertable

This action will rebuild the table without a service restart.

The file /etc/mail/local-host-names serves as a list of domains the server will be responsible or accept messaging on behalf of. The acceptable file format is a listing of single domains per-line.

Sendmail differs from Postfix in that ‘/etc/aliases’ should be used to send to groups or multiple recipients for Sendmail

Postfix performs ‘group’ delivery with a listing in a file such as as /etc/postfix/virtual:

The file format of /etc/mail/virtusertable does NOT support comma delimited recpients. This should be handled in the file /etc/aliases as deomonstrated in this example:

# Person who should get root's mail
root:            user
team:           user,student
team2:          chris,jamie

Additional information or rules on Sendmail Virtual Hosting. can be reviewed at the official site

Postfix was designed from the ground up to be a replacement for Sendmail.

The Postfix development group had the following four goals in mind when developing the service:

it should be more efficient than Sendmail

it should be more secure that Sendmail

it should be easier to administer than Sendmail

it should be 100% Sendmail compatible

To accomplish all the development group set out to do,Postfix is composed of many individual programs which each handle a particular aspect of mail transfer.

All spawned processes are managed by a supervisory master daemon. This master daemon inherits its configuration/operation characteristics through the use of the combined files ‘/etc/postfix/main.cf’ and ‘/etc/postfix/master.cf’.

The file ‘main.cf’ contains configuration statements, where as the file ‘master.cf’ has parameters related to the individual spawned processes connectivity to the system, to include such things as connection time out and service type and overall ‘smtpd’ operation of the Postfix service.

Provided is a list of the most essential configuration parameters are required for basic operation of Postfix.These items comprise the core elements of the file ‘/etc/postfix/main.cf‘

‘mydestination’	is equivalent to its Sendmail counterpart ’/etc/mail/local-host-names’ This should not be used for virtual domains
‘mynetworks’	NOTE Postfix will act as a relay to any of the addresses specified with this parameter
‘inet_interfaces’	Default setting with Rhel5 is localhost,This configuratoin paramter tells the service which interface to monitor

Other essential Postfix configuration parameters:

‘myorigin’	This name is added all locally originating email. The default behavior is to assume ‘myhostname’
‘myhostname’	The name of the system to include the domain. It is used to specify the Internet address scheme of the server
‘mydomain’	Specifies the current domain the server represents,in accord with configured DNS.This parameter should be used in place of ‘myhostname’ when in use to recieve hosted domain messaging
‘local_recipient_maps’	This setting informs the MTA where to find the names of local usersto accept mail for.It confirms user validity for message delivery/relay. (removing altogether will generate errors, blank is OK)
‘empty_address_recipient’	Defines the mail address where bounce notifications should be returned to for messages that bounce but have no sender address defined
‘smtpd_banner’	Banner provided to connecting SMTP servers.It is recommended that this FQDN value be properly defined in DNS, to include matching reverse mapping entries
‘message_size_limit’	Sets the maximum size of a message.Default settings reject all messages larger that 20MB
‘mailbox_size_limit’	Sets the maximum size of local mailbox files
‘queue_minfree’	This setting adjusts when the MTA will no longer accept messaging due to disk resource limits
‘transport_maps’	Specifies which protocol the MTA should use to send mail to particular hosts.This tables lists each remote host and protocol the MTA can use to send messages to that host
‘virtual_maps’	Sets the type and location of the ‘virtual’ lookup table.The lookup table lists each address or domain to be redirected on a seperate line. Each then points to a local address that holds messages destined for that domain/address
‘smtpd_helo_restrictions’	Can be used to subscribe to RBLs in an effort to combat bulk UCE
‘smptd_sender_restrictions’	Used to limit or restrict sending hosts. Used in conjuction with ‘helo_restrictions’ to combat bulk UCE
‘smtp_recipient_restrictions’	Prevents the server from being used as an open relay, as well as aids in fighting spam
‘content_fliter’	redirect all messaging to a content filter such as ‘Amavisd’ or ‘AMavisd-new’
‘smtpd_recipient_limit’	limits the number of recipients allows in a single incoming message.Default is 1000
‘smtpd_timeout’	Amount of time the MTA waits for an STMP client request after sending a response. This value can be set in minutes, hours, days, or weeks, the default is seconds
‘queue_run_delay’	Interval in seconds in which the MTA scans the deferred message queue for re-delivery. Default value is 1000
‘maximal_queue_lifetime’	interval in days that a message remains in the deferred queue. Default is 5 days

Here is all that is required to get messaging started

[root@station ]#postconf -e "myorigin-example.com" 
[root@station ]#postconf -e "mydestination=example.com,mail.example.com" 
[root@station ]#postconf -e "my networks=192.168.0.0/24,127.0.0.1" 
[root@station ]#postconf -e 'inet_interfaces=all
[root@station ]#postfix reload

Once you have put forth configuration changes, you can call up all differences with the postconf utility through the use of switch ‘n’

[root@station ]#postconf -n 
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = ,localhost.,localhost,hash:/etc/postfix/localhostnames
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
unknown_local_recipient_reject_code = 550

In order to split the RS configured ‘mydomains’ and default virtual Postfix file the following is needed in the configuration hash:/etc/postfix/mydomains at the end of the parameter ‘mydestinations’. The following steps outline how the domains are split off into their own seperate listing

[root@station ]#postconf -e mydestination="$myhostname,localhost.$mydomain,localhost,hash:/etc/postfix/localhostnames"

Create the file /etc/postfix/mydomains and add the domains:

[root@station postfix]# cat mydomains
rhce.example.com      OK
demo.example.com      OK

issue

[root@station ]#postmap mydomains
[root@station ]#postfix reload

Next test the changes to Postfix

[root@station ]# echo postfix test | mail -s "postfix rocks" 
user@demo.example.com
[root@station ]# tail -f /var/spool/mail/user
Received: by station.example.com (Postfix, from userid 0)
        id D2AFD1988B6; Thu,  9 Aug 2008 11:25:01 -0500 (CDT)
To: user@demo.example.com
Subject: postfix socks
Message-Id: <20070809162501.D2AFD1988B6@station.example.com>
Date: Thu,  9 Aug 2008 11:25:01 -0500 (CDT)
From: root@station.example.com (root)

postfix test

This is also needed to mimic the RS version of postfix

virtual_alias_maps=hash:/etc/postfix/virtual

Postfix has a similar alias mechanism to Sendmail.The file ‘/etc/postfix/aliases’ should be edited to support the handling of mail for non-existent system accounts that may receive messaging such as ‘webmaster/postmaster’ and of course handling of the systems ‘root’ messaging.

When switching to Postfix you should replace the existing system provided ‘aliases’ file in ‘/etc’ overwriting the existing format, as it is likely in place for Sendmail by default. (I would also recommend that you backup all of ‘/etc/postfix’ to ‘/etc/postfix-orig’ .etc prior to implementing changes contrary to the default)

A touch or edit to /etc/aliases with Postfix requires the issuance of the command ‘newaliases’

small samples

virtual
@domain        catch-all
aliases
catch-all: "/dev/null"

Additional information or rules on Postfix Virtual Hosting. can be reviewed at the official site