Süsteemihaldus - Kursused - Arvutiteaduse instituut

0.Make sure you did finish all the tasks of the previous weeks.

We expect here all personal domains are configured, VM is referable by its FDQN internally and externally from UT network (172.17.0.0/16) as well as from over VPN.

Check that VPN is active in your personal machine
From your personal machine command line ping <vm_name>.sa.cs.ut.ee should give positive response.
Make sure you are using University DNS servers on your personal computer/laptop. Otherwise it might take time for DNS to propagate.

PS! There's a short example of everything we are going to do today: https://www.google.com/search?client=firefox-b-d&q=centos+email+guide.

1.Setting up personal mail server

Now our DNS domain sa.cs.ut.ee is ready and populated with individual sub-domains inside, VMs are reachable by FDQN. Moreover each student has full control of his own domain, which means we can add as many names as we wish into our domain. Ideally each service has conventional names, like www for web, mail for smtp or ftp for FTP server. As we start here with e-mail service, let's add the mail host name as well as Mail Exchanger pointer to our DNS configuration.

Understanding MX Records

DNS type MX (Mail eXchange) records are used to specify the mail server(s) responsible for accepting e-mail messages on behalf of an entire domain. If there is no MX record for the domain, type A record will be queried for instead. If there is no A record either, it is not possible to send e-mails to the domain. Our goal is to set up the MX records so that the e-mails for the <vm_name>.sa.cs.ut.ee domain will be directed to mail.<vm_name>.sa.cs.ut.ee, which in turn points to our IP. So you will need to create a new type A record, too. If AAAA IPv6 records are present the postfix will use them by default, since we have no IPv6 setup we will not use AAAA records.

Here are some extra materials for type MX records. The minimum you will need to know is: what are the priority values of MX records and how to set them in the zone file.

Edit the Zone <vm_name>.sa.cs.ut.ee in bind9 configuration:

Add a type A record for mail.<vm_name>.sa.cs.ut.ee with your VM's external IP as a value.
In the same Zone file, add an MX record pointing to the hostname mail.<vm_name>.sa.cs.ut.ee . Set the priority value to 10.
- Think about the order, how the records should be organized in the Zone files ?
  - MX first then A record or vice-versa? Is there a difference?
Save the zone file
- Should we change the serial before closing ?
Test the Zone syntax
- Remember named-checkzone command
If everything is OK, restart the named service

To test, query for the A and MX records you have just created:

dig mail.<vm_name>.sa.cs.ut.ee
dig <vm_name>.sa.cs.ut.ee MX
- NB! The names might take time to propagate

The query should give the answer like (works only if you have set your DNS servers to be the Lab's ones):


[root@scoringserver ~]# dig scoring.sa.cs.ut.ee -t MX

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> scoring.sa.cs.ut.ee -t MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6694
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;scoring.sa.cs.ut.ee.		IN	MX

;; ANSWER SECTION:
scoring.sa.cs.ut.ee.	604800	IN	CNAME	sa.cs.ut.ee.
sa.cs.ut.ee.		604800	IN	MX	10 mail.scoring.sa.cs.ut.ee.

;; AUTHORITY SECTION:
sa.cs.ut.ee.		604800	IN	NS	ns.sa.cs.ut.ee.

;; ADDITIONAL SECTION:
ns.sa.cs.ut.ee.		604800	IN	A	172.17.66.134

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: E apr   06 05:56:23 EEST 2020
;; MSG SIZE  rcvd: 116

Setting up NTP

Before you start, check current clock and timezone info,

$ date
$ timedatectl

update the yum (re-synchronize the package index files from their sources):

# yum clean all
# yum makecache
- It is a good practice to do it each time you intend to install something with yum or dnf , because this makes sure you're installing the latest versions.

Before we setup the SMTP service let's make sure our VM's time is in sync with the world time. As the mail delivery system stamps each mail with sent-out date and delivery-date it is very important that all servers have the timezone specified and the clock kept in sync. The Network Time Protocol (NTP) is used for that purpose, the details you may read here.

In CentOS 8 the NTP is handled by the package called chrony , so let's install it.

Use package manager and install chrony package

Understanding ntp client configuration

By default the chrony package comes with the list of predefined servers to sync against the following serves (according to /etc/chrony.conf :

...
pool 2.centos.pool.ntp.org iburst
...

Let's make sure our VMs do also rely on university's NTP server:

ntp.ut.ee

Edit the /etc/chrony.conf :

Add the ntp.ut.ee into list of the NTP servers
Save the file
Restart the chrony service
Check if that fixed time using date command. Probably the clock is not right, as VM's created in the ETAIS cloud come with a UTC timezone by default. Let's fix the timezone mismatch next.
- use timedatectl list-timezones to identify Tallinn timezone option
- set with timedatectl command and correct set-timezone parameter timezone to Europe/Tallinn

Check if the time is sync using date command:

$ timedatectl
$ date

Prepare for VM for mail service related packages

For the mail delivery services will want the hostname -f to return the FQDN of the VM. One option is to keep the line in /etc/hosts file:

<external_IP> <vm_name>.sa.cs.ut.ee <vm_name>

... we did this in the beginning.

Now we have our DNS fully functional and therefore there is no point of keeping these line in /etc/hosts as the local DNS should resolve it anyway. Moreover there is more intelligent way to keep the FQDN information. If you specify the FQDN into /etc/hostname explicitly - the OS will be always provisioned with its FQDN regardless of the entries in /etc/hosts and the Zone records in DNS configuration.

Make sure your VM knows its FQDN

$ hostname -f

should return your ''<vm_name>.sa.cs.ut.ee'

If it does not:

Fix the /etc/hostname correspondingly
Update the /etc/hosts correspondingly
Restart the machine

Setting up software

In this lab you will need programs that are not installed by default. Start by installing Postfix, Dovecot, SpamAssassin and Alpine packages. As we mentioned during the first lab session there are other package management tools. dnf can be very handy when you know exact package names and don't expect any complicated troubles with dependencies.

You can use dnf search to find package names.

Install packages: Postfix, Dovecot and SpamAssassin with dnf :

# dnf install postfix dovecot procmail spamassassin https://www.rpmfind.net/linux/fedora/linux/releases/30/Everything/x86_64/os/Packages/a/alpine-2.21-9.fc30.x86_64.rpm

It will offer you to install given packages and all their dependencies. Postfix will also require to remove exim since there cannot be two mail systems.

After packages are installed, you would be asked to specify some configuration parameters:

We will use SMTP and IMAP based mechanisms to exchange messages and to access mailboxes. In "plain" versions, these mechanisms send user names and passwords in clear text across the Internet. We will first set up our system in "plain" mode, and in next lab we will secure your installations with TLS (Transport Layer Security), which will encrypt the traffic.

Setting Up SMTP Service Using the Postfix Software

Postfix is an SMTP server (Mail Transfer Agent) that is relatively easy to configure. However, you must still read and understand the "Postfix Configuration- Basics" document before you proceed.

The locations of the Postfix configuration and log file:

Configuration file: /etc/postfix/main.cf
Log file for e-mail related log messages: /var/log/maillog
also, keep on monitoring the /var/log/messages log file

In postfix the $mydomain parameter specifies the parent domain of $myhostname. By default, it is derived from $myhostname by stripping off the first part (unless the result would be a top-level domain).

Modify the Postfix configuration file so that it meets the following criteria (most of the variables already exist, modify them instead of adding new lines):

myhostname parameter should be set to mail.<vm_name>.sa.cs.ut.ee
- mydomain parameter should not be specified and it will be derived from myhostname
The domain name for the outbound mail is <vm_name>.sa.cs.ut.ee a.k.a $mydomain
- myorigin parameter should set to $mydomain
Server listens on all the interfaces (inet_interfaces=all)
Server should handle mail for following addresses (Read what mydestinations does): <vm_name>.sa.cs.ut.ee, mail.<vm_name>.sa.cs.ut.ee, localhost.<vm_name>.sa.cs.ut.ee, localhost
- Better use variables like $mydomain, localhost.$mydomain ($paramName means that we take content of paramName defined in the current conf file; in postfix configuration file order is not important)
Trusted networks style (mynetworks_style) is "host"
- Remove (add comment character in front of line) relayhost and mynetworks parameters and add mynetworks_style parameter.
- Set mynetworks_style = host and that forces Postfix to "trust" only the networks the VM is directly attached to.
The Internet protocols Postfix will attempt to use when making or accepting connections.
- inet_protocols = ipv4

Canonical sender aliases

By default the the postfix will supplement FDQN of the machine it is running in From/To: field's host part. For example if user teacher is sending out and receiving mail from host05.teacher.sa.cs.ut.ee machine - the From: will look like:

teacher@host05.teacher.sa.cs.ut.ee

The canonical email addresses however should contain only the domain information after the @ sign. Therefore we have to force the postfix to remove the undesired host information from the From field when sending out. This is done using canonical sender alias maps (or canonical table). According the documentation, the canonical map should contain the rewrite rules, as follows:

<original> <alias>

Here original is the original is the <real user>@<sender host> and the alias is what should be shown instead in the from field. For example if we would need to hide the real user teacher behind the alias SA.Teacher when sending out, the canonical map should contain following:

teacher@host05.teacher.sa.cs.ut.ee SA.Teacher@teacher.sa.cs.ut.ee

The postfix would rewrite the From field correspondingly for each mail that is sent out by teacher user.

In our setup we first of all will focus on rewriting the host part of the email addresses specified in From field. And the user names we take later (will hide the using both virtual and local aliases). In case only the host part needs to be replaced the canonical file will look like:

@host05.teacher.sa.cs.ut.ee @teacher.sa.cs.ut.ee

And with this setup any user sending an email from host host05.teacher.sa.cs.ut.ee will have his From field rewritten with @teacher.sa.cs.ut.ee (leaving his user name untouched).

In /etc/postfix directory:

Create the empty file called canonical
Edit the canonical file:
- Add configuration telling postfix to rewrite the From field as follows:
  - mail.<vm_name>.sa.cs.ut.ee -> <vm_name>.sa.cs.ut.ee
  - If you have specified <vm_name>.<vm_name>.sa.cs.ut.ee in DNS: <vm_name>.<vm_name>.sa.cs.ut.ee -> <vm_name>.sa.cs.ut.ee
- Only the host part of the e-mail address has to be rewritten, the user part we currently leave as it is
Save the canonical file:
Compile the canonical file into binary hash table:
- # postmap /etc/postfix/canonical
Check if the canonical.db file was properly created during the compilation process
- canonical.db will be stored besides the textual canonical file

Now add the configuration to postfix telling to use canonical map

Edit the main configuration file of the postfix

Add the following line:
- canonical_maps = hash:/etc/postfix/canonical

If everything is Ok, you can start up the Postfix server. If you did not specify allow-all when creating the VM, SMTP port will need to be opened from the firewall on minu.etais.ee, too.

Do also open ports for service smtp with firewall-cmd .

Check the postfix service systemctl status postfix.service
- Start if not running (restart if running),
Set postfix service to start automatically at system start-up if not set yet
- systemctl is-enabled postfix.service
- systemctl enable postfix.service
  - You can also use legacy update-rc.d command (i.e. update-rc.d postfix enable ) .
If you did not specify allow-all when creating the VM:
- Add the firewall rules to accept packets on ports tcp/25. Don't forget to save the rules!
- Create a new Security group in ETAIS called SMTP for tcp port 25 and add it to you Virtual machine

Mail server can now be tested by sending mails from/to the different user accounts on your machine.

You can add new user account using following command:
- # adduser newUserName

Create a new user with login mailuser
- Set a password that is secure and that you can remember.

Change your user to mail testing user (sudo su - mailuser).
Run alpine mail client. Send an email to your main user account.
- Make sure the main user account has run alpine before sending email. Otherwise the emails will not go to the proper folder, and will be not visible from the Message Index screen.
- Furthermore, do not use root as your receiving user. Due to the underlying email service in postfix running as the user nobody, email sent to root will actually be sent to the user nobody. Once you set up an alias for the root user the emails will be forwarded correctly.
Return to your previous session (and if not there) log in as user and check your mailbox.
If sending e-mails between the local users works, try to exchange e-mails with other lab systems (ask for their e-mail addresses).

To pass the Lab7: Test if mailuser has sent email to nagios@scoring.sa.cs.ut.ee Nagios check, send an email from mailuser@<vm_name>.sa.cs.ut.ee to nagios@scoring.sa.cs.ut.ee .
- If the email From: header matches format of mailuser@<vm_name>.sa.cs.ut.ee, the check will pass.
- If you have sent an email, and this does not turn green soon, then check your postfix logs to find possible issues. (/var/log/maillog)

Mail Aliases

Mail aliases are used to forward all e-mails sent to some address to some other address. Using aliases, you can also create an e-mail address that is not in strict connection with any of the system's user accounts. Aliases are configured in the /etc/aliases file. You can read more about aliases and its file format with command $ man aliases .

You should already have an alias for postmaster->root. Change it to postmaster -> mailuser
- Create a (local) alias root -> mailuser (as a result of this alias, e-mails sent to root@<vm_name>.sa.cs.ut.ee must be forwarded to mailuser's mailbox)
- You can also create an alias for non-existent users. To test it create a (local) alias aliastest -> scoring (as a result of this alias, e-mails sent to aliastest@<vm_name>.sa.cs.ut.ee must be forwarded to scoring's mailbox)
Re-generate alias database with command # newaliases
Reload postfix configuration with command # postfix reload

If you might have noticed alpine can autocomplete e-mail addresses so you could just write username and it will automatically add your hostname to complete the address. The problem here is that you don't want to send out e-mails with your hostname in the header (i.e X-Original-To: aliastest@host06.teacher.sa.cs.ut.ee). In each users' home folder there is alpine configuration file (i.e /home/<user>/.pinerc ), but editing it will make changes only to particular user alpine environment. Therefore we must create centralized an alpine configuration file and modify it to achieve our goal.

Create alpine configuration file # alpine -conf > /etc/pine.conf
- make sure its readable to everyone but writable only to root
set parameter user-domain to to equal your <vm_name>.sa.cs.ut.ee (i.e. student-test.sa.cs.ut.ee) so alpine will automatically add <vm_name>.sa.cs.ut.ee instead of hostname.<vm_name>.sa.cs.ut.ee to e-mail header.

Now you can test the alias by sending some e-mails:

Send an e-mail to root@<vm_name>.sa.cs.ut.ee, and check if this mail ends up in mailuser's mailbox.
Send e-mail to aliastest from user user (but write only "aliastest" into To : line and then hit <DOWN> arrow key.
- Aliastest e-mail should end up in scoring user INBOX)
You can send e-mail also from command line
- # echo -e "Subject: Command line email-01 \n\nHello! \nThis is a e-mail sent with sendmail command from command line\nby $USER" from $HOSTNAME | /usr/sbin/sendmail aliastest
- You can also read e-mails without alpine program from command line # cat /var/mail/scoring
- Try reading other user e-mail without root permission. Did it work? Why? Should it?

General check of the Postfix configuration

The following commands are useful to review the active configuration. Here active configuration means - the configuration from main.cf loaded once service is restarted.

The postconf command is used to print the active configuration variables loaded. If we refer to manual man postconf we may discover couple of useful features:

You may notice that till now we ask you to read man pages or manual, but if you try man postconf you get an error man: command not found...
so lets install man with dnf install man
try now man postconf

-n switch: Prints only the configuration alternated by user (omits default values)
-d switch: Prints only the default configuration not alternated by user (good to check what was the initial value of the variable)

IMAP Service Using Dovecot Software

We did use a "local mailbox" model for testing the e-mail service, but nowadays most of the e-mail reading is done over the network protocols such as IMAP and POP3. Actually, web-based solutions are the most popular by far, but these also usually use IMAP behind the scenes.

We will now set up an easy-to-configure IMAP server called Dovecot (the package should be installed already).

Again, you should read and understand the configuration part of the Dovecot manual. Dovecot Wiki. Main configuration file for Dovecot is /etc/dovecot/dovecot.conf and because of the modular design each module has separate configuration file under /etc/dovecot/conf.d directory.
Details about Dovecot configuration files:
Dovecot Wiki

Configuring dovecot logging module

Configure the Dovecot IMAP server's logging module:

Edit /etc/dovecot/conf.d/10-logging.conf file:
- Set log_path to /var/log/dovecot/dovecot.log
- Set mail_debug to yes
Save file
In /var/log directory
- Create dovecot directory
- Set ownership and permissions correctly (you should be able to figure them out on your own)
  - hint: which user is running the dovecot process ?
  - As a reminder ps -aux | grep dovecot and systemctl cat dovecot
Restart the dovecot service

Make sure dovecot writes its logs into /var/log/dovecot/dovecot.log file

Configuring dovecot authentication module

The simplest authentication mechanism is PLAIN. The client simply sends the password unencrypted to Dovecot. All clients support the PLAIN mechanism, but obviously there's the problem that anyone listening on the network can steal the password. For that reason (and some others) other mechanisms were implemented. But this week, for the sake of learning, we will set it up without any security mechanisms.

NB! Do not reuse any passwords you already have used somewhere else - they can be sniffed and found from the network, as we will set up systems without TLS.

Allow dovecot to use PLAIN and LOGIN authentication methods:

Edit /etc/dovecot/conf.d/10-auth.conf file:
- Set auth_mechanisms variable to allow plain and login
Save the file

Configuring dovecot mail module

Setup the dovecot mail directory (~/mail) and mailbox (/var/mail).

Edit /etc/dovecot/conf.d/10-mail.conf file:
- Set mail_location variable to mbox:~/mail:INBOX=/var/mail/%u
Check default mail folder permissions ls -ld /var/mail
It means only the root and the mail group has write permission to the directory. You'll need to give Dovecot's mail processes ability to belong to this mail group by
- Setting mail_privileged_group variable to mail
Save the file

Restart the dovecot service,
- Check the logs, make sure the dovecot is running
Set dovecot to autostart using systemctl or update-rc.d command

General check of the Dovecot configuration

Similar to postconf there is a doveconf command for checking Dovecot configuration. The manual man doveconf suggest that most of the switches are similar to the ones of the postconf command (-n, -d, -P).

Firewall Configuration

If everything was set up properly the dovecot service should now listen for 2 port in TCP stack. What are these ports ?

Check the default ports used by dovecot:
- Take look into file 10-master.conf in the /etc/dovecot/conf.d/ configuration directory
- Find the imap-login service block - the default ports should be stated there in commented blocks
  - tcp/143 (imap plain) and tcp/993 (imaps - imap over explicit SSL/TLS pipe).
Use netstat command with proper options (TCP, numeric, listening, program name) to discover if these ports are in use.

Declare the ports in firewall configuration:

Add the firewall-cmd rules to accept the packets on ports used by dovecot (TCP ports: 25, 143, 993)
- Don't forget to make the rules permanent!
Create a new Security Group with name IMAPS and add ports 143 and 993 to it.
- Dont forget to add it to Virtual Machine!

Thunderbird configuration

In order to verify Dovecot functionality we can use popular e-mail client called Thunderbird https://www.mozilla.org/en-US/thunderbird/.

In Linux hosts you can just install the corresponding package using package manager

In your own/personal machine download and install Thunderbird
Verify that you can access <vm_name>.sa.cs.ut.ee i.e. ping mail.student-test.sa.cs.ut.ee from own machine.
- If not try:
  - nslookup mail.student-test.sa.cs.ut.ee and nslookup mail.<vm_name>.sa.cs.ut.ee if WRONG ANSWER but ping is OK your host machine networking is messed up -> try: ipconfig /flushdns or setting in c:/Windows/System32/drivers/etc/hosts file mappings of IP addresses to host names manually. Restart might also help :)!
Add a new e-mail address: Thunderbird -> ALT key -> Tools -> Account settings -> Add mail account -> email address username@<vm_name>.sa.cs.ut.ee i.e. mailuser@scoring.sa.cs.ut.ee@@ -> add Name and NO password -> verify settings (Thunderbird should automatically find configuration)
Now when you open the inbox, insert the password you created the mailuser with.
If you have either forgotten your password or need to reset it sudo passwd <username>
Check if you can see e-mail in your INBOX
Try to send e-mails to other users in your domain

SMTP Authentication

You may have noticed while configuring the Thunderbird client, that the SMTP client was configured automatically along with IMAP client. The mail sending (submission) from Thunderbird is still partial as the SMTP is not authenticated by default as opposed to IMAP. The disadvantage of the unauthenticated SMTP is that it only allows the SMTP client to submit mails to the same domain the SMTP server is serving for. The cross-domain submission will be however impossible.

You may test it as follows:

Using the Thunderbird application on client machine:

Compose the message to some user inside your domain
Send the message

Example in teacher.sa.cs.ut.ee domain:

teacher and teacher2 accounts were in use
email sent from teacher2@teacher.sa.cs.ut.ee to teacher@teacher.sa.cs.ut.ee The message header was as follows:

...
From: teacher2@teacher.sa.cs.ut.ee
To: teacher@teacher.sa.cs.ut.ee
Subject: Test SMTP
...

Now destination user should have received the email (you may check it using the alpine command of the destination user, or alternatively you may setup another IMAP/SMTP client in Thunderbird.

Now if you try to address mail to the destination in different domain, the SMTP server will respond with a message:

Let's fix the error by adding the authentication to SMTP, like we did with the IMAP, by enabling PLAIN authentication.

The differences are however in authentication backend:

Dovecot relies by default on system PAM when authenticating clients, therefore all the user accounts in the host do have IMAP accounts automatically.
- The other authentication back-ends possible for Dovecot are: Database, LDAP, Plain password file, etc.
Postfix suggests using SASL protocol for authentication and the system PAM doesn't suggest any SASL implementation to use by default (should be configured separately by installing and configuring Cyrus SASL for example).
- Alternatively a SASL implementation of the Dovecot may be used (in this case we do not have to install any additional software)
- In this case however the SASL needs to be enabled in the Dovecot

The SMTP authentication chain looks like:

SMTP client -> SMTP server (postfix) -> Dovecot SASL -> System PAM

Let's start step by step enabling these features:

Configure Dovecot enabling SASL protocol

In /etc/dovecot/conf.d directory:

Edit 10-master.conf file:
- Find the smtp-auth block:

# Postfix smtp-auth
#unix_listener /var/spool/postfix/private/auth {
#  mode = 0666
#}

Enable the block (uncomment)
- Add the following variables user and group with the value postfix assigned to both of them.

Save the file
Restart the dovecot service

Configure Postfix to use Dovecot's SASL back-end

In /etc/postfix directory:

Edit the main.cf file
- Add the following lines:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

Configure Postfix to enable submission port (587) for MUAs

SMTP communication between mail servers uses port 25. Mail clients on the other hand, often submit the outgoing emails to a mail server on port 587. Despite being deprecated, mail providers sometimes still permit the use of historic nonstandard port 465 for this purpose (i.e University of Tartu).

First let's enable the submission port with SASL authentication. We also allow some certain limitations on email submission:

Disable anonymous submission noanonymous
Restrict SMTP clients: only allow SASL authenticated
Restrict Relaying: only allow SASL authenticated
Restrict Originators: From may only contain the "domain" of the SMTP server
- SMTP client cannot put random values into From field

In /etc/postfix directory:

Edit the master.cf file:
- Find the submission port declaration:

#submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

(It is disabled by default)

Enable the submission block (uncomment the header line)
- In the options list (lines starting with -o ) in the submission block make sure the following options are enabled:
  - -o smtpd_sasl_auth_enable=yes
  - -o smtpd_sasl_path=private/auth
  - -o smtpd_sasl_security_options=noanonymous
  - -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  - -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  - -o milter_macro_daemon_name=ORIGINATING

(In case some of the options are missing, you should add them)

Enable the submission block (uncomment the header line)
- The rest of the options you may configure as in the submission block
  - -o smtpd_sasl_auth_enable=yes
  - -o smtpd_sasl_path=private/auth
  - -o smtpd_sasl_security_options=noanonymous
  - -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  - -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  - -o milter_macro_daemon_name=ORIGINATING
Save the file
Restart the postfix service

Enable the submission port in firewall

Do not forget to enable the submission port on firewall (tcp/587) on firewall and in ETAIS

Testing

How to test: In Thunderbird compose an email to the domain other then yours:

you may use:
- nagios@scoring.sa.cs.ut.ee
SMTP should ask for user name and password (may be stored in Thunderbird already)
There should be no more error messages like Relay Access Denied and you should get an positive auto-reply from teacher@teacher.sa.cs.ut.ee addresses.

Spam Filtering with SpamAssassin and Procmail

Apache SpamAssassin is one of the best open source spam filters. It uses a robust scoring framework and plug-ins to integrate a wide range of advanced heuristic and statistical analysis tests on email headers and body text including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases. We will use SpamAssassin spamd/spamc model through procmail software. spamd is a SpamAssassin service that calculates "spam scores" for the messages. spamc is a client for the spamd. procmail is a rule-based mail processing tool. We will use procmail to do the real filtering based on the spam scores set by SpamAssassin.

You can read about SpamAssassin here: https://en.wikipedia.org/wiki/Apache_SpamAssassin

As a mail test user (mailuser), create a .procmailrc file (in the home directory), read the SpamAssassin/procmail tutorial on what rules to add to this file. Alternatively you can just take the content of the example procmailrc file and copy its content to mailuser's home folder into file .procmailrc. The example configuration you may find in:
/usr/share/doc/spamassassin/examples/procmailrc.example

After you copied the content, edit the file:

in the first rule, replace |spamassassin with |spamc
as the spam folders, use:
- mail/almost-certainly-spam instead of almost-certainly-spam
- mail/probably-spam instead of probably-spam

Enable and start the "spamassassin" service (restart if running). Be sure spamassassin will be started at system start-up.
Make sure the procmail package is installed:
- dnf install procmail
Verify the procmail as the default mail delivery routine in postfix:
- In directory /etc/postfix edit the main.cf file (postfix main configuration file):
  - verify that the following line exists:
    - mailbox_command = procmail -a "$EXTENSION"
- Save the file
Restart both postfix and spamassassin services

Test the spam filter by sending some e-mails:

Send e-mails to user for which you have just created the .procmailrc configuration file
Look at the e-mail headers, SpamAssassin should add some extra headers with spam score ( # cat /var/mail/mailuser)
Read /usr/share/doc/spamc/sample-spam.txt on how to create a spam test message. Send such message to mailuser
- Check /var/log/mail.info (should be smth like this "spamd: identified spam (999.4/5.0) for mailuser")
- If everything is correct, you'll see your spam message in:
```
$ cat mail/almost-certainly-spam 
```
  in mailuser home directory.

Sometimes you need to modify SpamAssassin and its rules to customize its action. You can read more aboud how scores are calculated from here. https://www.clickz.com/understand-spamassassin-for-better-delivery-rates/69157/ Following example has been taken from http://www.informit.com/articles/article.aspx?p=375704&seqNum=6 with modifications but it has some more explanation of how it works.

Take a look at files and rules in /usr/share/spamassassin/ folder
- Good file to start with is /usr/share/spamassassin/50_scores.cf
Modify /etc/spamassassin/local.cf file and make SpamAssassin more strict by modifying required_score parameter to value 4
Also uncomment line rewrite_header Subject *****SPAM*****
At the end of file /etc/spamassassin/local.cf add custom SpamAssassin rule by adding following lines.

body MY_SPAMASSASSIN_RULE        /this is a test text for custom spamassassin rule/is
describe MY_SPAMASSASSIN_RULE    Test of my spamassassin rule
score MY_SPAMASSASSIN_RULE       10

Reload postfix and spamassassin services
- # service postfix reload
- # service spamassassin reload

Send e-mail to mailuser with a text "this is a test text for custom spamassassin rule" as e-mail content, you can add more text before and/or after it.
Check its spam score and that it ended in spam folder.

Add auto-reply for scoring account

If everything worked till now lets make it easy for our automated scoring scripts to white-box test your e-mail server functionality.

Enable spamassassin for user scoring with default rules and custom rule you created in previous task.
Modify file with name .procmailrc in scoring home folder.
- add following lines at the end of it and change teacher@teacher.sa.cs.ut.ee e-mail to scoring@<yourdomain>.sa.cs.ut.ee

LOGFILE=/home/scoring/procmailrc.log
VERBOSE=on
#Autoreply for every incoming mail
:0 c
* !^FROM_DAEMON
* !^X-Loop: teacher@teacher.sa.cs.ut.ee
| (formail -rk -A "Precedence: junk" -A "X-Loop: teacher@teacher.sa.cs.ut.ee" ; echo "E-mail received at : " `date`) | /usr/sbin/sendmail -t -oi -oe

Save the file

Ask a fellow student to send test e-mail to scoring@<yourdomain>.sa.cs.ut.ee
- Check that it will get correct auto-response from your mail server
Ask a fellow student to send test e-mail to scoring@<yourdomain>.sa.cs.ut.ee with a text "this is a test text for custom SpamAssassin rule" as e-mail content
- This e-mail should get NO automatic response as you dont want to respond to spam messages.

Süsteemihaldus 2019/20 kevad