System Administration 2020/21 spring


0. Overview of Lab 3

Welcome to the 5th lab. Here is a short action list of what we will be doing in the lab:

  • 1. Verifying previous lab tasks
  • 2. Setting an MX record in your DNS
  • 3. Setting up NTP
  • 4. Setting up mail server software
    • 4.1 Setting up an SMTP server
    • 4.2 Setting up an IMAP server
    • 4.3 Setting up a web service for mail box access
  • 5. Setting up a mail client for mail box access
  • 6. Setting up a spam filter
  • 7. Creating an autoreply to the scoring server

1. Make sure you finished all the tasks of the previous weeks

What we expect here:

  • Personal domains are configured. The machine is accessible over <machine_name>.sa.cs.ut.ee inside the University network.
  • All the tests on scoring.sa.cs.ut.ee are green.
  • The DNS of your personal computer is set up correctly and can resolve sa.cs.ut.ee domains.
  • The Apache web server is up and running.

PS! There is a thorough guide available here

PPS! The guide also sets up TLS/SSL. We will do that in a later lab.

2. Creating an MX record

Now that each student has full control of their own domain, they can add as many names to it as they wish. Ideally each service has a conventional name, like www for web, mail for SMTP or ftp for FTP. So let's add the mail host name as well as the Mail Exchanger pointer to our DNS configuration.

DNS MX (Mail eXchange) records are used to specify the mail servers responsible for accepting e-mail messages on behalf of an entire domain. If there is no MX record for the domain, the A record is queried instead. If there is no A record either, it is not possible to send e-mails to the domain.

Our goal is to set up the MX record so that e-mails for the <vm_name>.sa.cs.ut.ee domain are directed to mail.<vm_name>.sa.cs.ut.ee, which in turn points to the IP of your virtual machine. This means that you will need to create another A record pointing to your mail server.

NOTE: If AAAA (IPv6) records are present, then Postfix (an SMTP server, more on that later) will use them by default. We, however, have not set up IPv6 and therefore have no AAAA records.

Here are some extra materials for MX records:

  • MX Record
  • Wikipedia: MX Record

The minimum you will need to know is:

  • What are the priority values of MX records
  • How to set them in the zone file.

Edit the zone <vm_name>.sa.cs.ut.ee in the bind9 configuration:

  • Add a type A record for mail.<vm_name>.sa.cs.ut.ee pointing to your VM's external IP.
  • In the same zone file, add an MX record pointing to the hostname mail.<vm_name>.sa.cs.ut.ee. Set the priority value to 10.
    • Think about the order: how should the records be organized in the zone file, MX first and then the A record, or vice versa? Is there a difference?
  • Save the zone file
    • Should we change the serial before closing?
  • Test the zone syntax
    • Remember the named-checkzone command
  • If everything is OK, restart the named service

To test, query for the A and MX records you have just created:

  • dig mail.<vm_name>.sa.cs.ut.ee
  • dig <vm_name>.sa.cs.ut.ee MX
    • NB! The DNS changes might take time to propagate
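As an added example (not part of the lab page), the following POSIX shell script works on a constructed zone for the placeholder domain vm.sa.cs.ut.ee (standing in for <vm_name>.sa.cs.ut.ee, with the documentation address 192.0.2.10): it bumps the SOA serial the lab reminds you about, and checks that every MX target has its own A record in the zone, which is the property that matters regardless of whether the A line is written before or after the MX line. bump_serial, zone_serial and mx_targets_have_a are this example's own helpers, not bind tools.

```shell
#!/bin/sh
# Added example: constructed zone fragment for the placeholder domain
# vm.sa.cs.ut.ee; 192.0.2.10 is a documentation address, not a real VM.
ZONE=$(mktemp)
cat > "$ZONE" <<'EOF'
$TTL 3600
@       IN SOA  ns1.vm.sa.cs.ut.ee. hostmaster.vm.sa.cs.ut.ee. (
                2021030501 ; serial
                3600 900 604800 86400 )
@       IN NS   ns1.vm.sa.cs.ut.ee.
@       IN MX   10 mail.vm.sa.cs.ut.ee.
ns1     IN A    192.0.2.10
mail    IN A    192.0.2.10
EOF

# bump_serial FILE: add one to the SOA serial (the number on the "; serial"
# line) so that secondaries notice the change; do this before every reload.
bump_serial() {
  awk '/; serial/ { sub(/[0-9]+/, $1 + 1) } { print }' "$1" > "$1.tmp" &&
    mv "$1.tmp" "$1"
}

# zone_serial FILE: print the current SOA serial.
zone_serial() {
  awk '/; serial/ { print $1 }' "$1"
}

# mx_targets_have_a FILE ORIGIN: for every MX record in FILE, require an A
# record in the same zone for the target name (relative names are qualified
# with ORIGIN). Prints the dangling target and returns 1 otherwise. Record
# order in the file does not matter: the check runs over the whole zone.
mx_targets_have_a() {
  awk -v origin="$2" '
    $3 == "A"  { name = ($1 ~ /\.$/) ? $1 : ($1 "." origin "."); a[name] = 1 }
    $3 == "MX" { t = ($5 ~ /\.$/) ? $5 : ($5 "." origin "."); mx[t] = 1 }
    END {
      bad = 0
      for (t in mx) if (!(t in a)) { print "MX target " t " has no A record"; bad = 1 }
      exit bad
    }' "$1"
}

# The checks you would run before "systemctl restart named".
bump_serial "$ZONE"
mx_targets_have_a "$ZONE" vm.sa.cs.ut.ee && echo "zone ok, serial $(zone_serial "$ZONE")"
```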

If you have set up the DNS server of your personal computer correctly, the answer should look something like:

[user@server ~]$ dig scoring.sa.cs.ut.ee -t MX

; <<>> DiG 9.10.6 <<>> scoring.sa.cs.ut.ee -t MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11447
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;scoring.sa.cs.ut.ee.		IN	MX

;; ANSWER SECTION:
scoring.sa.cs.ut.ee.	64145	IN	CNAME	sa.cs.ut.ee.
sa.cs.ut.ee.		86400	IN	MX	10 mail.scoring.sa.cs.ut.ee.

;; Query time: 4 msec
;; SERVER: 172.17.0.217#53(172.17.0.217)
;; WHEN: Fri Mar 05 19:32:52 EET 2021
;; MSG SIZE  rcvd: 83

3. Setting up NTP

Before you start, check the current clock and timezone info:

$ date
$ timedatectl

  • Update dnf (re-synchronize the package index files from their sources):
    • It is good practice to do this each time you intend to install something with yum or dnf, because that makes sure you're installing the latest versions.

yum clean all
yum makecache

Before we set up the SMTP service, let's make sure our VM's time is in sync with world time. The mail delivery system stamps each mail with a sent-out date and a delivery date, so it is very important that all servers have the timezone specified and keep their clocks in sync. The Network Time Protocol (NTP) is used for that purpose; the details you may read here.

In CentOS 8, NTP is handled by the package called chrony, so let's install it.

Use the package manager to install the chrony package.

Understanding ntp client configuration

By default the chrony package comes with a list of predefined servers to sync against (according to /etc/chrony.conf):

...
pool 2.centos.pool.ntp.org iburst
...

But we will use the NTP server of the University of Tartu (ntp.ut.ee):

Edit /etc/chrony.conf :

  • Add ntp.ut.ee into the list of the NTP servers
  • Save the file
  • Restart the chrony service
  • Check if that fixed the time using the date command. The clock is probably still not right, as VMs created in ETAIS come with the UTC timezone by default. Let's fix the timezone mismatch next.
    • Use timedatectl list-timezones to identify the Tallinn timezone option
    • With timedatectl and the correct set-timezone parameter, set the timezone to Europe/Tallinn

Check if the time is in sync using the commands:

$ timedatectl
$ date 

4. Setting up software

A mail server usually consists of multiple services:

  • The least a mail server needs to send and receive e-mails is an SMTP (Simple Mail Transfer Protocol) service. This service sends and receives mail messages. There are 3 ports that an SMTP server usually utilizes:
    • 25, the SMTP port
    • 465, the SMTPS port
    • 587, the Submission port.
  • However, more often than not, you would also like to read e-mail. For that, a separate service is used that speaks IMAP (Internet Message Access Protocol). Using this service, e-mail clients can retrieve e-mail. An IMAP server usually listens either on
    • port 143 (IMAP)
    • or port 993 (IMAPS).
  • Also, quite often, you would like to have a web client to read and send your mail from your browser instead of using a mail client such as Outlook, Apple Mail or Thunderbird. For that there are several open source web mail clients that can be set up on your mail server. These clients need a web server such as the Apache HTTP server in front of them. A web server communicates over
    • port 80 (HTTP)
    • and port 443 (HTTPS)

You may have noticed that some of the port names are duplicated, with the only difference being an "S" at the end of the name. The "S" in this context means "Secure", and communication using these protocols is encrypted. The unencrypted protocols send all data, including user names and passwords, in clear text across the Internet, which is, obviously, insecure. However, this is how we will initially be setting up our mail server, and we'll work on securing the mail traffic in the next lab.

Make sure your VM knows its FQDN:

$ hostname -f 

should return <vm_name>.sa.cs.ut.ee

  • If it does not:
    • Configure /etc/hostname and /etc/hosts
    • Restart the machine

Now, using the package manager, install postfix, alpine, dovecot, spamassassin, epel-release, spamass-milter and dovecot-pigeonhole.

4.1 Setting up Postfix

Postfix is one of the most widely used SMTP servers, so that is what we will use in lab5. Postfix's documentation is available here.

The locations of the Postfix configuration and log files:

  • Configuration file: /etc/postfix/main.cf
  • Log file for e-mail related log messages: /var/log/maillog

Before we continue, edit /etc/postfix/main.cf and set inet_protocols to ipv4.

There are several variables Postfix expects to be defined. One of them is $mydomain. This parameter specifies the parent domain of $myhostname, which by default is set to the FQDN of the mail server (the hostname -f output from before), but could also be set manually.

By default, $mydomain is derived from $myhostname by stripping off the first part (unless the result would be a top-level domain), so, for example, mail.sa.cs.ut.ee becomes sa.cs.ut.ee (mail is stripped).

The postconf command prints the active configuration variables. If we refer to the manual (man postconf) we may discover a couple of useful features:

  • -n switch: prints only the configuration altered by the user (omits default values)
  • -d switch: prints only the default configuration, not altered by the user (good to check what the initial value of a variable was)

Modify postfix's main.cf file so that it meets the following criteria (most of the variables are already defined in the config file; try not to define them multiple times. You can search for a string in nano with Ctrl+W, and in vi and vim by pressing /):

  • The output of postconf | grep -e "^myhostname" should return mail.<vm_name>.sa.cs.ut.ee. postconf returns all the values of the current configuration and grep -e "^myhostname" searches for a line that starts with myhostname
    • The command will probably return <vm_name>.sa.cs.ut.ee, why?
    • Set the correct $myhostname manually in the config file
    • The $mydomain parameter should not be specified; it will be derived from $myhostname
      • You can use postconf again to check the value of $mydomain
  • The domain name for outbound mail should be $mydomain
    • The name of the outbound mail parameter is $myorigin
  • The server has to listen on all interfaces (inet_interfaces = all)
  • The server should handle mail for the following addresses (read what $mydestination does): mail.<vm_name>.sa.cs.ut.ee, localhost.<vm_name>.sa.cs.ut.ee, localhost, <vm_name>.sa.cs.ut.ee
    • You can use variables such as $mydomain or localhost.$mydomain ($paramName means that we take the content of paramName defined in the current conf file)
  • Ensure that the trusted networks style ( mynetworks_style ) is host
    • Make sure that $relayhost and $mynetworks parameters are not used in the config and add $mynetworks_style parameter.
    • Set $mynetworks_style = host - that forces Postfix to "trust" only the networks the VM is directly attached to.
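Added example, not from the lab page: a POSIX shell script that reads a constructed main.cf written to the criteria above, shows how Postfix derives $mydomain from $myhostname and expands $myorigin and $mydestination (what postconf would print), and runs the relay checklist (no relayhost or mynetworks, mynetworks_style = host, inet_interfaces = all). vm.sa.cs.ut.ee is a placeholder for <vm_name>.sa.cs.ut.ee; cf_get, derive_mydomain, effective and audit_relay are this example's own helpers, not Postfix commands.

```shell
#!/bin/sh
# Added example: constructed main.cf in the state the lab asks for, with the
# placeholder host vm.sa.cs.ut.ee standing in for <vm_name>.sa.cs.ut.ee.
MAIN_CF=$(mktemp)
cat > "$MAIN_CF" <<'EOF'
inet_protocols = ipv4
myhostname = mail.vm.sa.cs.ut.ee
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks_style = host
EOF

# cf_get FILE PARAM: the value written for PARAM (last definition wins, as in
# Postfix); prints nothing when the parameter is not set at all.
cf_get() {
  awk -v p="$2" '$0 ~ "^" p "[ \t]*=" { v = $0; sub(/^[^=]*=[ \t]*/, "", v) }
                 END { print v }' "$1"
}

# derive_mydomain HOSTNAME: Postfix's default for $mydomain, i.e. $myhostname
# with the first label stripped unless that would leave a top-level domain.
derive_mydomain() {
  case "$1" in
    *.*.*) printf '%s\n' "${1#*.}" ;;
    *)     printf '%s\n' "$1" ;;
  esac
}

# effective FILE PARAM: value with $myhostname / $mydomain expanded, which is
# what "postconf PARAM" prints for the parameters used in this lab.
effective() {
  host=$(cf_get "$1" myhostname)
  dom=$(cf_get "$1" mydomain)
  [ -n "$dom" ] || dom=$(derive_mydomain "$host")
  case "$2" in
    myhostname) v=$host ;;
    mydomain)   v=$dom ;;
    *)          v=$(cf_get "$1" "$2") ;;
  esac
  printf '%s\n' "$v" | sed "s/\\\$myhostname/$host/g; s/\\\$mydomain/$dom/g"
}

# audit_relay FILE: the lab's checklist against unintended relaying. Prints
# one line per finding and returns 1 if any, 0 when the file passes.
audit_relay() {
  rc=0
  for p in relayhost mynetworks; do
    [ -z "$(cf_get "$1" "$p")" ] || { echo "$p is set but must not be used here"; rc=1; }
  done
  [ "$(cf_get "$1" mynetworks_style)" = host ] || { echo "mynetworks_style must be host"; rc=1; }
  [ "$(cf_get "$1" inet_interfaces)" = all ] || { echo "inet_interfaces must be all"; rc=1; }
  return $rc
}

for p in myhostname mydomain myorigin mydestination; do
  printf '%-14s = %s\n' "$p" "$(effective "$MAIN_CF" "$p")"
done
audit_relay "$MAIN_CF" && echo "relay checklist: ok"
```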

If everything is OK, you can start up the postfix server. Also make sure the smtp port is opened on minu.etais.ee, and open the ports for the smtp service with firewall-cmd.

  • Check the postfix service with systemctl
    • Start the service if not running (restart if running),
  • Set postfix service to start automatically at system start-up if not set yet
    • systemctl is-enabled postfix.service
    • systemctl enable postfix.service
  • To enable smtp traffic through the minu.etais.ee firewall:
    • Add the firewall rules to accept packets on port tcp/25. Don't forget to save the rules!
    • Create a new Security group in ETAIS called SMTP for tcp port 25 and add the security group to your virtual machine

The mail server can now be tested by sending mails from/to the different user accounts on your machine.

  • You can add a new user account using the following command:
    • adduser newUserName
  • Create a new user mailuser
    • Set a password that is secure and that you can remember.
      • Do not reuse any of your own passwords, as currently the traffic is insecure and can be listened to by anyone
  • Change your user to the mail testing user (sudo su - mailuser).

Run the alpine mail client. Send an email to the centos user.

  • Make sure that the centos user has run alpine before sending the email. Otherwise the emails will not go to the proper folder and will not be visible from the Message Index screen.
  • Log in as centos
  • If sending e-mails between the local users works, try to exchange e-mails with other lab systems (ask for their e-mail addresses).
    • If sending mail to another system fails, make sure its name resolves and that it answers with an MX record
  • To pass the Lab5 Nagios check "Test if mailuser has sent email to nagios@scoring.sa.cs.ut.ee", send an email from mailuser@<vm_name>.sa.cs.ut.ee to nagios@scoring.sa.cs.ut.ee.
    • If the email From: header matches the format mailuser@<vm_name>.sa.cs.ut.ee, the check will pass.
    • If you have sent an email and this does not turn green soon, check your postfix logs (/var/log/maillog) to find possible issues.
  • You can also send e-mail from the terminal
    • echo -e "Subject: terminal email-01\n\nHello!\nThis is an e-mail sent with the sendmail command from the terminal\nby $USER from $HOSTNAME" | /usr/sbin/sendmail aliastest
    • You can also read e-mails without alpine from the command line: cat /var/mail/$USER
    • Try reading another user's e-mail without root permission. Did it work? Why? Should it?

4.2 Setting up Dovecot

Prelude: mail Aliases

Mail aliases are used to forward all e-mails sent to some address to some other address. Using aliases, you can also create an e-mail address that is not in strict connection with any of the system's user accounts. Aliases are configured in the /etc/aliases file. You can read more about aliases and their file format with the command man aliases.

Since dovecot cannot access root's user directory, an alias should be created that forwards e-mails sent to root.

  • You should already have an alias for postmaster->root. Change it to postmaster->mailuser
    • Create a (local) alias root->mailuser (as a result of this alias, e-mails sent to root@<vm_name>.sa.cs.ut.ee must be forwarded to mailuser's mailbox)
    • You can also create an alias for non-existent users. To test it, create a (local) alias aliastest->scoring (as a result of this alias, e-mails sent to aliastest@<vm_name>.sa.cs.ut.ee must be forwarded to scoring's mailbox)
  • Re-generate the alias database with the command newaliases
  • Reload the postfix configuration with the command postfix reload

We used a "local mailbox" model for testing the e-mail service, but nowadays most e-mail reading is done over network protocols such as IMAP and POP3. Most popular, by far, are web-based solutions, but these also usually use IMAP behind the scenes.

We will now set up an easy-to-configure IMAP server called Dovecot. (If you didn't install dovecot already with the package manager, do it now.)

Again, you should read and understand the configuration part of the dovecot manual. The main configuration file for dovecot is /etc/dovecot/dovecot.conf and, because of the modular design, each module has a separate configuration file under the /etc/dovecot/conf.d directory.

Details about Dovecot configuration files are available from the Dovecot documentation - Dovecot Config File Syntax. PS! Similar to postconf, there is a doveconf command for checking the Dovecot configuration. The manual (man doveconf) suggests that most of the switches are similar to the ones of the postconf command (-n, -d, -P).

Configuring dovecot logging module

Configure the Dovecot IMAP server's logging module:

  • Edit /etc/dovecot/conf.d/10-logging.conf file:
    • Set mail_debug to yes
  • Save the file
  • Restart the dovecot service

Allow the imap protocol

  • Edit dovecot's main configuration file /etc/dovecot/dovecot.conf and allow the imap protocol (protocols parameter)

Configuring dovecot authentication module

The simplest authentication mechanism is PLAIN. The client simply sends the password unencrypted to Dovecot. All clients support the PLAIN mechanism, but obviously there's the problem that anyone listening on the network can steal the password. For that reason (and some others) other mechanisms were implemented. But this week, for the sake of learning, we will set it up without any security mechanisms.

Allow dovecot to use PLAIN and LOGIN authentication methods:

  • Edit /etc/dovecot/conf.d/10-auth.conf file:
    • Set auth_mechanisms variable to allow plain and login
    • Set auth_username_format to %n
    • Save the file

Configuring dovecot mail module

Set up the dovecot mail directory (~/mail) and mailbox location (/var/mail).

  • Edit the /etc/dovecot/conf.d/10-mail.conf file:
    • Set the mail_location variable to maildir:~/mail
  • Check the default mail folder permissions: ls -ld /var/mail
    • This is where the incoming mail is stored.
  • You can see that only root and the mail group have write permission to /var/mail. You'll need to give dovecot's mail processes the ability to belong to the mail group by
    • Setting the mail_privileged_group variable to mail
  • Save the file
  • Now make sure that user dovecot is in the mail group
    • You can use id $USER to see which groups a user belongs to
    • You can add user to groups using usermod command. Find the correct flags to add user to a group.

Auto create folders

  • Edit dovecot's mailboxes module /etc/dovecot/conf.d/15-mailboxes.conf
    • To each defined mailbox, add auto = create, analogous to the following example:
      mailbox Trash {
        auto = create
        special_use = \Trash
      }
  • Also define a mailbox called "Spam" with special_use set to \Junk

Testing dovecot login

Now that you have set up basic configuration for dovecot, it's time to test it.

  • Make sure dovecot service is started (restarted if you have changed configurations in the meantime)
  • Make sure mailuser has its password set and you know it.
  • Using your package manager, install telnet
  • Connect to the IMAP port using telnet
  • If the connection is successful, try logging in as mailuser by connecting to port 143 of localhost using telnet
    • $ telnet 127.0.0.1 143
      Trying 127.0.0.1...
      Connected to 127.0.0.1.
      Escape character is '^]'.
      * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
      
      
  • Use IMAP commands to authenticate as mailuser in the format of $COMMAND_ID login user password . Command ID can be any string.
    • A1 login mailuser mailuser
      A1 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY LITERAL+ NOTIFY SPECIAL-USE] Logged in
      
  • Log out
    • A1 logout
      * BYE Logging out
      A1 OK Logout completed (0.001 + 0.000 secs).
      

The dovecot service should now listen on 2 ports in the TCP stack. What are these ports?

  • Check the default ports used by dovecot:
    • Take a look at the file 10-master.conf in the /etc/dovecot/conf.d/ configuration directory
    • Find the imap-login service block - the default ports are stated there in commented-out blocks
      • tcp/143 (imap plain) and tcp/993 (imaps - imap over explicit SSL/TLS pipe).
  • Use the netstat command with the proper options (TCP, numeric, listening, program name) to discover if these ports are in use.
  • Allow these ports in the firewall.
  • Also, enable tcp/587 (submission) from the ETAIS firewall, which we will be configuring later.

Also try connecting with telnet, but instead of 127.0.0.1 connect to mail.<vm_name>.sa.cs.ut.ee. As you can see, you get an error logging in:

* BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed.
a1 NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

This is because, by default, dovecot requires encrypted connections from anyone who is trying to log in from outside. This of course is quite a sane thing to do, to protect the private info of the users from hackers who might be listening to the network traffic. We, however, want to disable encrypted connections for now and tackle service encryption in a later lab, as mentioned before. To allow login from unencrypted connections:

  • Edit dovecot's 10-auth.conf and set disable_plaintext_auth to no
  • Edit dovecot's 10-ssl.conf and set ssl to no
  • Restart dovecot and try to authenticate to mail.<vm_name>.sa.cs.ut.ee with telnet. It should work now.

Give mailbox handling from postfix to dovecot

SMTP communication between mail servers uses smtp port 25. Mail clients, on the other hand, often submit outgoing e-mails to a mail server on submission port 587. The reason for that is that port 25 usually doesn't require authentication, which is fine if you want to receive mail from other mail servers, since it is practically impossible to have every mail server authenticate itself to yours. However, relaying mail with no authentication is an absolutely horrible idea - it would allow anyone to send e-mails via your mail server. So let's get to configuring now.

  • Add the lmtp protocol to dovecot's main configuration file
  • Now define the lmtp listener in /etc/dovecot/conf.d/10-master.conf
    • This creates an LMTP (Local Mail Transfer Protocol, https://en.wikipedia.org/wiki/Local_Mail_Transfer_Protocol) socket through which postfix can communicate with dovecot. The socket is created as a file that postfix can read and write to.
    • Define the lmtp listener as follows:
      service lmtp {
        unix_listener /var/spool/postfix/private/dovecot-lmtp { # unix_listener $PATH_TO_SOCKET
          mode = 0600                                           # Socket permissions
          user = postfix                                        # Socket owner
          group = postfix                                       # Socket group
        }
      }
  • In /etc/postfix/main.cf
    • Set mailbox_transport to lmtp:unix:private/dovecot-lmtp
      • This tells postfix to hand all incoming mails to the lmtp socket we created before.
  • Restart postfix

Set postfix to also listen on the submission port 587

  • In postfix's master.cf, configure the submission section as follows:
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

#  -o syslog_name=postfix/submission: The name with which submission related events are logged
#  -o smtpd_sasl_auth_enable=yes:     Enable SASL authentication (`plain` in our case)
#  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject: Permit recipients outside of $mynetworks only for authenticated users
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject: Allow mail relaying only for authenticated users
#  -o smtpd_sasl_type=dovecot:      Set dovecot as the SASL provider
#  -o smtpd_sasl_path=private/auth: Set the authentication socket location

You'll also have to configure dovecot to create a socket over which postfix can pass login information to dovecot for mail submission.

  • In dovecot's 10-master.conf file create a unix listener for the auth service:
      service auth {
        unix_listener /var/spool/postfix/private/auth {
          mode = 0600
          user = postfix
          group = postfix
        }
      }
  • This creates a socket file at /var/spool/postfix/private/auth, where postfix can access it.
  • Now that everything is configured, restart postfix and dovecot
    • Try sending a new e-mail from one user to another from within your system to test the setup.
      • If the mail doesn't reach its destination, you can find debug information from /var/log/maillog

Test if authentication works

  • Create a base64 string of your mailuser and its password with the following command: printf '\0%s\0%s' 'mailuser' '$mailuser_password' | openssl base64

The output should look something like this:

$ printf '\0%s\0%s' 'mailuser' 'mailuser' | openssl base64
AG1haWx1c2VyAG1haWx1c2Vy
  • Now, using telnet connect to 127.0.0.1 port 587:
$ telnet 127.0.0.1 587
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail.server.sa.cs.ut.ee ESMTP Postfix
  • Say hello to the server:
ehlo server
250-mail.not-nice.sa.cs.ut.ee
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
  • Try to authenticate using the base64 string created before:
auth plain AG1haWx1c2VyAG1haWx1c2Vy
235 2.7.0 Authentication successful
  • If the authentication was successful, then everything is configured correctly this far.
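Added example, not from the lab page: POSIX shell helpers that build the AUTH PLAIN string the way the lab does (coreutils base64 instead of openssl base64, same output), decode one back, and scan a constructed transcript of this port-587 session for credentials. Base64 is an encoding, not encryption, which is why the plaintext mechanism is only tolerable on localhost until TLS is added in the next lab. mail.vm.sa.cs.ut.ee is a placeholder host; the function names are this example's own.

```shell
#!/bin/sh
# Added example. sasl_plain_encode USER PASS: the AUTH PLAIN initial response,
# i.e. base64 of "\0user\0password" (empty authorization identity first).
sasl_plain_encode() {
  printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# sasl_plain_decode B64: the reverse; prints "user password". No key is
# involved, so anyone who captured the line can do the same.
sasl_plain_decode() {
  printf '%s' "$1" | base64 -d | tr '\0' ' ' | sed 's/^ //'
}

# Constructed transcript of the lab's telnet test against port 587, as it
# would appear to anyone observing the unencrypted connection.
CAPTURE='220 mail.vm.sa.cs.ut.ee ESMTP Postfix
ehlo server
250-mail.vm.sa.cs.ut.ee
250-STARTTLS
250-AUTH PLAIN LOGIN
250 SMTPUTF8
auth plain AG1haWx1c2VyAG1haWx1c2Vy
235 2.7.0 Authentication successful'

# credentials_in_capture: print "user password" for every AUTH PLAIN seen in
# the session (the one-line form with the credentials attached); no output
# means nothing was exposed.
credentials_in_capture() {
  printf '%s\n' "$CAPTURE" |
    awk 'NF == 3 && tolower($1) == "auth" && tolower($2) == "plain" { print $3 }' |
    while read -r b64; do sasl_plain_decode "$b64"; done
}

echo "encoded: $(sasl_plain_encode mailuser mailuser)"
echo "exposed: $(credentials_in_capture)"
```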

4.3 Setting up Roundcube

Roundcube is an open-source web mail client that you can use to access your e-mail account. As you probably noticed, reading e-mail from the terminal is quite monotonous, so we will be setting up something more graphical.

First install epel-release and dnf-plugins-core and run dnf update. Then run dnf config-manager --set-enabled powertools.

  • Now you can install the following packages: make, ImageMagick, ImageMagick-devel, ImageMagick-perl, pcre-devel, zlib, zlib-devel, libzip, libzip-devel, libmcrypt-devel, php, php-fpm, php-devel, php-pear, php-cli, php-gd, php-curl, php-xml, php-mysqlnd, php-mbstring, php-intl, php-ldap, mariadb, mariadb-server and httpd. Use your package manager to install them.
  • Install imagick, mcrypt and zip extensions with pecl:
pecl install $package
  • For each of the extensions installed with pecl, create a file named 20-<extension_name>.ini in /etc/php.d/ and into the file write extension=<extension_name>.so

Now that all the necessary packages are there, make sure the following services are running and enabled:

  • httpd
  • mariadb
  • php-fpm

After that, set up a database for Roundcube to use. We are using mariadb, which is a fork of mysql. The command line tool, however, is still called mysql.

  • Generate a random password for the database user with openssl rand -base64 16
  • Connect to the database service
    • mysql -u root -p
  • Now that you have entered the mariadb command line, set up the database with the following commands:
 MariaDB [(none)]> CREATE DATABASE roundcubemail /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
 MariaDB [(none)]> CREATE USER 'roundcube'@'localhost' IDENTIFIED BY 'the_random_password';
 MariaDB [(none)]> GRANT ALL PRIVILEGES ON roundcubemail.* TO 'roundcube'@'localhost';
 MariaDB [(none)]> FLUSH PRIVILEGES;
 MariaDB [(none)]> exit;

Roundcube can be downloaded from its github repository. Currently the latest release is 1.4.11, so let's set it up in /var/www/html/roundcubemail.

  • Download the roundcube release
wget https://github.com/roundcube/roundcubemail/releases/download/1.4.11/roundcubemail-1.4.11-complete.tar.gz -O /var/www/html/roundcube.tar.gz
  • Since the downloaded file is compressed, you need to uncompress it with tar. Use man tar to learn the syntax of the program and the appropriate flags for uncompressing.
  • Remove the compressed file
  • Rename the uncompressed directory to roundcubemail with the mv command
  • Set the correct owner, group and permissions on /var/www/html/roundcubemail so that apache can access it. Make sure to use the recursive flag so the changes also apply to the files and directories within the /var/www/html/roundcubemail directory.
  • Run chcon -t httpd_sys_rw_content_t /var/www/html/roundcubemail -R to set the correct SELinux context on the directory

Now that we have set up the necessary files and a database, we can create a web server configuration for Roundcube.

  • Create a configuration file called mail.<vm_name>.sa.cs.ut.ee.conf in /etc/httpd/conf.d/
  • Populate the file with the following information:
<VirtualHost *:80>
  ServerAdmin root@<vm_name>.sa.cs.ut.ee
  ServerName mail.<vm_name>.sa.cs.ut.ee
  DocumentRoot /var/www/html/roundcubemail
  <Directory /var/www/html/roundcubemail>
      AllowOverride All
  </Directory>

  ErrorLog /var/log/httpd/mail.<vm_name>.sa.cs.ut.ee-error.log
  CustomLog /var/log/httpd/mail.<vm_name>.sa.cs.ut.ee-access.log combined
  ForensicLog /var/log/httpd/mail.<vm_name>.sa.cs.ut.ee-forensic.log
</VirtualHost>
  • Restart the httpd service and ensure it restarted successfully

After you have done all that, the Roundcube setup page should be available at mail.<vm_name>.sa.cs.ut.ee/installer. Make sure that all the PHP extensions are OK. Once you have verified that Roundcube can find its extensions, click "Next" and set up Roundcube with the following information:

  • product_name should be Webmail - <vm_name>.sa.cs.ut.ee
  • In database setup:
    • Set Database type to MySQL
    • Set Database server to localhost
    • Set Database user name to roundcube
    • Set Database password to the random password you generated before
    • Set db_prefix to rc
  • In Logging & Debugging:
    • Set log_dir to /var/log/roundcube
    • Also ensure the /var/log/roundcube directory exists
  • In IMAP settings:
    • Set default_host to localhost
    • Set default_port to 143
  • In SMTP settings:
    • Set smtp_server to localhost
    • Set smtp_port to 587
  • Click on Create config
  • This generates a text box with the PHP configuration inside it. Copy the config and save it into a file called config.inc.php in /var/www/html/roundcubemail/config
    • Make sure the file permissions are correct
    • The same output file could be used with ansible to automatically configure the roundcube installation
  • Review the configuration on the Test config page
  • If everything else is okay, you can initialize the database
  • If the configuration tests are good, make sure to remove the installer directory from /var/www/html/roundcubemail/

After this is all done, you should be able to access the mailboxes of the mail accounts you set up before by using the username and password of these users. If you cannot access the mailboxes, ensure that:

  • The user exists
  • Dovecot is running and configured correctly

If you were able to log in, try sending mail to another student's mailuser account from your mailuser. If you get an error, make sure that:

  • The other student has their postfix up and running
  • That you have your postfix service up and running and configured correctly.

5. Mail client configuration

Let's now try to connect to our IMAP server from an external e-mail client called Thunderbird.

  • Download and install Thunderbird on your personal computer
  • Verify that you can access <vm_name>.sa.cs.ut.ee, i.e. ping mail.<vm_name>.sa.cs.ut.ee (for example mail.student-test.sa.cs.ut.ee) from your own machine.
  • Add a new e-mail address: Thunderbird -> ALT key -> Edit -> Account settings -> Account Actions -> Add mail account
    • mailuser as Your name
    • mailuser@<vm_name>.sa.cs.ut.ee as Email address
    • Password of your mailuser account as the password
    • Click Continue
    • Click Configure manually
    • Set SMTP SSL to "None"
    • Click Done
    • If Thunderbird warns you about no encryption, click "I understand the risks" and Done
  • Check if you can see e-mail in your INBOX
  • Try to send e-mails to other users in your domain
  • Try to send e-mails to other users in other .sa.cs.ut.ee domains

6. Spam Filtering with SpamAssassin and dovecot-pigeonhole

Apache SpamAssassin is one of the best open source spam filters. It uses a robust scoring framework and plug-ins to integrate a wide range of advanced heuristic and statistical analysis tests on email headers and body text, including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases. We will use the SpamAssassin spamd/spamc model and dovecot-pigeonhole's sieve function to sort incoming mail according to the spam information attached to it. spamd is the SpamAssassin service that calculates "spam scores" for the messages. spamc is a client for spamd. sieve is a rule-based mail processing tool. We will use dovecot sieve to do the real filtering based on the spam scores set by SpamAssassin.

Do note that dovecot sieve can be used for a lot more than spam filtering. You can read about SpamAssassin here and about pigeonhole sieve here.

Integrating spamassassin with postfix

If you didn't install spamassassin and spamass-milter before, install them now using your package manager (spamass-milter is in EPEL, so epel-release has to be installed first). Enable and start both services using systemctl.

You can find SpamAssassin documentation here

  • After you have done that, edit postfix's main.cf file and add the following lines at the end:
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:/run/spamass-milter/spamass-milter.sock
non_smtpd_milters = $smtpd_milters
  • Edit /etc/sysconfig/spamass-milter and set EXTRA_FLAGS to "-m -r 10 -g sa-milt -- --max-size=51200000"
    • -m tells spamass-milter not to modify the Subject or body of a message; it only adds the X-Spam-* headers that Sieve will look at
    • -r tells spamass-milter to reject mails with a score higher than 10
    • -g makes the spamass-milter socket writable by the sa-milt group
    • -- tells spamass-milter to pass the remaining options on to spamc
    • --max-size=51200000 tells spamc not to send e-mails larger than roughly 50 MB to spamd, to reduce the server load (such mails pass through unchecked)
  • Using usermod, add the postfix user to the sa-milt group, otherwise Postfix cannot open the milter socket
  • Use systemctl to restart postfix and spamass-milter
  • You can see the default spam detection rules in /usr/share/spamassassin/. Try reading 20_head_tests.cf and understanding the syntax.
  • Default scores can be seen in 50_scores.cf and 72_scores.cf

Now let's edit some scores and also add a custom rule. Custom scores and rules can be defined in /etc/mail/spamassassin/local.cf

  • For the syntax, consult SpamAssassin's configuration documentation
  • Set required_score to 4.0
  • Set the score of MISSING_FROM to 1.0
  • Create a rule to test that SpamAssassin works. Read the documentation for the correct syntax.

  • Create a body rule and name it SPAMASSASSIN_TEST_SORTING. Set the /pattern/modifiers part to /this is a test text for spamassassin sorting rule/is.
    • As the rule description set Test if Spam sorting with dovecot sieve works
    • Set the rule's score to 5.0
  • Create a body rule and name it SPAMASSASSIN_TEST_REJECT. Set the /pattern/modifiers part to /this is a test text for spamassassin reject rule/is.
    • As the rule description set Test if milter spam rejection works
    • Set the rule's score to 11.0
  • Check the configuration with spamassassin's --lint option (a rule without an explicit score silently gets the default score of 1.0), then restart spamassassin
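The local.cf from the steps above, as an added example that is not part of the lab page: a small POSIX shell script that renders the file, lints it for rules that lack an explicit score, and checks that main.cf carries the milter lines from earlier in this section. The output directory and file names passed to the functions are the caller's choice; the rule names, scores and milter settings are the ones the lab asks for.

```shell
#!/bin/sh
# Added example (not the lab's own code): render the section 6 SpamAssassin
# rules into a local.cf and sanity-check the configuration before restarting.

# Print the local.cf contents described in the lab.
render_local_cf() {
cat <<'EOF'
# Custom SpamAssassin settings for the lab (/etc/mail/spamassassin/local.cf)
required_score 4.0
score MISSING_FROM 1.0

body SPAMASSASSIN_TEST_SORTING /this is a test text for spamassassin sorting rule/is
describe SPAMASSASSIN_TEST_SORTING Test if Spam sorting with dovecot sieve works
score SPAMASSASSIN_TEST_SORTING 5.0

body SPAMASSASSIN_TEST_REJECT /this is a test text for spamassassin reject rule/is
describe SPAMASSASSIN_TEST_REJECT Test if milter spam rejection works
score SPAMASSASSIN_TEST_REJECT 11.0
EOF
}

# Lint: every custom rule must carry an explicit score, otherwise SpamAssassin
# silently assigns it 1.0 and the sorting/reject test will not behave as
# intended. Prints the names of rules without a score; returns 1 if any exist.
unscored_rules() {
  file="$1"
  rc=0
  for name in $(awk '$1=="body"||$1=="header"||$1=="rawbody"||$1=="uri"||$1=="meta"{print $2}' "$file"); do
    if ! awk -v n="$name" '$1=="score" && $2==n {found=1} END{exit !found}' "$file"; then
      echo "$name"
      rc=1
    fi
  done
  return $rc
}

# Verify that a Postfix main.cf contains the milter settings from the lab.
# (postconf -n is the authoritative view on a real server; plain grep keeps
# this runnable on a machine without Postfix.)
milter_configured() {
  grep -q '^smtpd_milters *= *unix:/run/spamass-milter/spamass-milter.sock' "$1" &&
  grep -q '^non_smtpd_milters *= *\$smtpd_milters' "$1"
}

# Usage on the mail server (as root):
#   render_local_cf > /etc/mail/spamassassin/local.cf
#   unscored_rules /etc/mail/spamassassin/local.cf && spamassassin --lint
#   milter_configured /etc/postfix/main.cf
#   usermod -a -G sa-milt postfix
#   systemctl restart spamassassin spamass-milter postfix
```

The lint only looks at the local file, so a rule name that exists in the stock rule set (such as MISSING_FROM, which is rescored here rather than defined) is not reported; only rules defined in the file itself need a score line.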

Sorting spam into a separate directory

If you didn't install dovecot-pigeonhole before, install it now using your package manager.

Enable sieve:

  • Add sieve to protocols in dovecot's main configuration file.
  • Set mail_plugins = $mail_plugins sieve in dovecot's 15-lda.conf's lda protocol definition
  • Set mail_plugins = $mail_plugins sieve in dovecot's 20-lmtp.conf's lmtp protocol definition
  • Restart dovecot

As the mail test user (mailuser), create a .dovecot.sieve file in the user's home directory with the following content:


# Sieve needs every extension it uses declared up front
require ["fileinto"];
# spamass-milter/spamd add "X-Spam-Flag: YES" when the score reaches required_score;
# the header test only looks at message headers, never at the body
if header :contains "X-Spam-Flag" "YES" {
  fileinto "Spam";
  stop;
}

After you have saved the file, run sievec .dovecot.sieve to compile it, then restart dovecot.

  • After you have done that, you can test whether SpamAssassin works by sending a mail with the content
this is a test text for spamassassin sorting rule
  • This mail should be sorted into the Spam folder.
  • If that works, test the second rule by sending:
this is a test text for spamassassin reject rule
  • This e-mail should be rejected at SMTP time; you should see the rejection logged in /var/log/maillog
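As an added example (not the lab's own code) of what the Sieve rule above actually tests, the script below reimplements the X-Spam-Flag check in POSIX shell so the sorting decision can be tried offline, and runs pigeonhole's sieve-test when it is installed to show the real interpreter's actions. The two sample messages are constructed here, not captured mail; one carries the flag in its headers, the other only mentions it in the body, which must not count.

```shell
#!/bin/sh
# Added example: mirror of `header :contains "X-Spam-Flag" "YES"` plus a
# sieve-test wrapper. Sample messages below are constructed for the example.

# Return 0 when the message in $1 has an X-Spam-Flag header containing YES.
# Only the header block (before the first empty line) is inspected, exactly
# as sieve's header test does; header names are case-insensitive.
spam_flagged() {
  awk '
    /^$/ { exit }                                                   # end of headers
    tolower($0) ~ /^x-spam-flag:/ && index(toupper($0), "YES") > 0 { found = 1; exit }
    END { exit !found }
  ' "$1"
}

# Report the action the lab's sieve script would take for message $1.
sort_message() {
  if spam_flagged "$1"; then echo "fileinto Spam"; else echo "keep INBOX"; fi
}

# With dovecot-pigeonhole installed, sieve-test prints the actions the real
# interpreter performs for script $2 on message $1 (without delivering it).
sieve_actions() {
  if command -v sieve-test >/dev/null 2>&1; then
    sieve-test "$2" "$1"
  else
    echo "sieve-test not installed, skipped"
  fi
}

# Constructed sample messages: one flagged by spamd, one clean message whose
# body mentions the flag, to show the header/body distinction.
make_samples() {
  dir="$1"
  printf 'From: a@example.test\nTo: mailuser@example.test\nSubject: t\nX-Spam-Flag: YES\nX-Spam-Status: Yes, score=5.3 required=4.0\n\nthis is a test text for spamassassin sorting rule\n' > "$dir/spam.eml"
  printf 'From: a@example.test\nTo: mailuser@example.test\nSubject: t\n\nX-Spam-Flag: YES appears only in the body here\n' > "$dir/ham.eml"
}

# Usage: make_samples /tmp/sv; sort_message /tmp/sv/spam.eml
#        sieve_actions /tmp/sv/spam.eml ~mailuser/.dovecot.sieve
```

If the flagged message stays in INBOX on the real server, check with sieve-test first: when it reports "fileinto Spam" but delivery still goes to INBOX, the problem is in the Dovecot side (sieve not loaded for the lda/lmtp protocol, or the script not compiled), not in the rule.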

7. Autoreply for every incoming mail from the scoring server

Use the Pigeonhole Sieve Vacation extension to create an autoreply. Be sure to enable the vacation-seconds extension in the Sieve configuration (it is disabled by default). Also set sieve_vacation_min_period and sieve_vacation_default_period to 1s, otherwise a sender gets at most one reply per day. Restart dovecot.

Now let's start creating the autoreply

  • Add "vacation", "date" and "variables" to the required extensions in .dovecot.sieve.
  • Using the examples provided here, create an autoreply that replies to e-mails with the subject and body both containing E-mail received at: YYYY-mm-dd HH:MM:SS where:
    • YYYY is the year of the receiving date
    • mm is the month of the receiving date
    • dd is the day of the receiving date
    • HH is the hour of the receiving time
    • MM is the minute of the receiving time
    • SS is the second of the receiving time
  • Figure out how to use the currentdate test from the examples
  • You can also see an example of the usage of the vacation extension in the examples.
  • Compile the Sieve script again and ensure there are no errors

Now you can test whether the vacation extension works. Send an e-mail from within the system (from root, for example) to mailuser and ensure the autoreply arrives. Be sure to test it multiple times in a row: with vacation-seconds enabled and the period set to 1s every mail gets a reply, whereas with the default one-day period only the first one does.

If the extension replies to the sent e-mails as expected, it is time to restrict the auto replies to root@scoring.sa.cs.ut.ee only.

  • Check whether the message has a From header and that the address in it is root@scoring.sa.cs.ut.ee. Figure out how to do this using the Sieve examples. Keep in mind that a From header is set by the sender and is trivially forged; it is good enough for the scoring server, but not a form of authentication.
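One Sieve script that meets the section 7 requirements, as an added example and not the lab's reference solution: it keeps the spam sorting from section 6, captures the delivery date and time with currentdate, and answers only mail whose From address is root@scoring.sa.cs.ut.ee. The shell wrapper renders the script and lints it for the most common sievec failure here, a feature used without its extension in the require line. It assumes the Dovecot settings named in the comment have been applied.

```shell
#!/bin/sh
# Added example (not the lab's solution file). Dovecot settings assumed to be
# present in conf.d/90-sieve.conf, as the lab instructs:
#   sieve_extensions = +vacation-seconds
#   sieve_vacation_min_period = 1s
#   sieve_vacation_default_period = 1s

render_autoreply_sieve() {
cat <<'EOF'
require ["fileinto", "vacation", "vacation-seconds", "date", "variables"];

# Spam sorting from section 6 runs first.
if header :contains "X-Spam-Flag" "YES" {
  fileinto "Spam";
  stop;
}

# Capture the delivery timestamp as YYYY-mm-dd and HH:MM:SS (RFC 5260 parts).
if currentdate :matches "date" "*" { set "d" "${1}"; }
if currentdate :matches "time" "*" { set "t" "${1}"; }

# Reply only when the From header names the scoring server. ":seconds 1"
# needs the vacation-seconds extension; the default period is one day.
if address :is "from" "root@scoring.sa.cs.ut.ee" {
  vacation :seconds 1
    :subject "E-mail received at: ${d} ${t}"
    "E-mail received at: ${d} ${t}";
}
EOF
}

# Lint: report extensions that the script uses but does not require.
# ":seconds" needs vacation-seconds, "currentdate" needs date, "${" needs
# variables, and vacation/fileinto need themselves. Prints the missing
# extension names; returns 1 if any were found.
missing_requires() {
  file="$1"
  req=$(sed -n 's/^require *\[\(.*\)\];/\1/p' "$file")
  rc=0
  for pair in 'vacation|vacation' 'fileinto|fileinto' ':seconds|vacation-seconds' 'currentdate|date' '${|variables'; do
    feature=${pair%|*}
    ext=${pair#*|}
    if grep -v '^require' "$file" | grep -qF -- "$feature"; then
      case "$req" in
        *"\"$ext\""*) ;;
        *) echo "$ext"; rc=1 ;;
      esac
    fi
  done
  return $rc
}

# Compile with pigeonhole's sievec when it is installed.
compile_if_possible() {
  if command -v sievec >/dev/null 2>&1; then sievec "$1"; else echo "sievec not installed, skipped"; fi
}

# Usage as mailuser:
#   render_autoreply_sieve > ~/.dovecot.sieve
#   missing_requires ~/.dovecot.sieve && compile_if_possible ~/.dovecot.sieve
```

Two things to know when testing: the vacation action only answers mail that names the recipient in a To or Cc header (RFC 5230), so a message delivered to mailuser without that address in the headers gets no reply, and the lint is a plain text check that does not replace sievec, which still reports syntax errors the lint cannot see.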

8. Trying to get Alpine to work after setting up everything else

This part is only necessary if you are trying to get Alpine to work after setting up Dovecot. Sadly, newer Dovecot versions deliver mail for <user> into the /home/<user>/mail/ directory instead of /var/spool/mail/<user>, which breaks existing Alpine installations that still look at the old location.

You can change where Alpine looks for mailuser's e-mail by editing /home/mailuser/.pinerc: set the maildir-location= setting to /home/mailuser/mail, which makes Alpine read the mail from there. On newer OSes, setting up Dovecot changes the mail path in this way.

  • Institute of Computer Science
  • Faculty of Science and Technology
  • University of Tartu
For technical problems or questions, write to:

For questions about the course content and organisation, contact the course organisers.
The proprietary copyright of the study materials belongs to the University of Tartu. Use of the study materials is permitted for the free-use purposes and under the conditions laid down in the Copyright Act. When using the study materials, the user must cite the author of the study materials.
Use of the study materials for other purposes is permitted only with the prior written consent of the University of Tartu.
Terms of use of the Courses environment