
Mail Services

Hosting mail domains

www.supinfo.com
Copyright © SUPINFO. All rights reserved
Mail Services

Course objectives
By completing this course, you will:

- Be able to explain how mailing works: users and mail addresses.
- Speak mail protocols: POP, IMAP, SMTP.
- Host mail domains: canonical domains, local users or virtual mail.
- Provide remote access: POP and IMAP.
- Explain how everything plugs together: draw schematics.
Mail Services

Course topics
Course plan (the parts we will cover):

- How it works. About mail servers, SMTP, POP, IMAP.
- Postfix. The core component.
- Courier. The Courier suite.
Mail Services

How it works

About mail servers, SMTP, POP, IMAP,...


How it works

Original mail systems


The original paradigm.

- Large computers
  - Terminals
  - Users logged in
- Mail delivery
  - To the computer address
  - To the user account
  - user@machine
- Direct relation
  - Mail address and system user account
How it works

Original mail systems


The original paradigm.

- Local mail
  - Between users
  - Local transport
- “Remote” mail
  - Between sites
  - From user1@machine1 to user2@machine2
  - UUCP, SMTP
- Domain mail
  - user@domain.tld
  - MX record in the DNS
How it works

Original mail systems


The original paradigm.

- Sending mail
  - mail command
  - /usr/bin/sendmail
  - Uses the local SMTPd
  - No direct SMTP involved
- Reading mail
  - From an interactive session
  - Various readers: mail, mutt, ...
How it works

Nowadays
Common setup

- Mail providers
  - Mailbox on a domain
  - addr@domain.com
- No link between addresses and system users
  - No login on the server
- Dedicated protocols
  - IMAP
  - POP
  - SMTP
How it works

Mail storage
Two major formats:

- Mailbox
  - Per-user
  - All mails in one file
  - Locking issues
  - Legacy
- Maildir
  - Per-user
  - One file per mail
  - Locking done at filesystem level
  - Quite recent
How it works

Protocols at work
SMTP: Simple Mail Transfer Protocol
How it works

Protocols at work
How fluent is your SMTP?
supinfo@debian-master:~$ telnet 192.168.82.156 smtp
220 mangus.utopia.net ESMTP Postfix
EHLO workstation
250-mangus.utopia.net
250-AUTH LOGIN CRAM-MD5 DIGEST-MD5 PLAIN NTLM
250-ENHANCEDSTATUSCODES
AUTH PLAIN AHN1cGluZm8Ac3VwaW5mbw==
235 2.7.0 Authentication successful
MAIL FROM: supinfo@utopia.net
250 2.1.0 Ok
RCPT TO: 40793@supinfo.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Test mail
Authenticated
.
250 2.0.0 Ok: queued as 22603530DA
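The session above advertises AUTH on a cleartext port-25 connection and authenticates with AUTH PLAIN. The following added example (not part of the course material) parses such an EHLO reply, decodes the PLAIN blob as RFC 4616 defines it to show that base64 is an encoding and not a protection, and lists the findings a reviewer would raise; the capability lines are constructed from the transcript, and the function names are my own.

```python
import base64
from typing import Dict, List, Tuple

# Constructed from the session above: EHLO reply and the AUTH PLAIN line
# seen on a cleartext port-25 connection (no STARTTLS in the reply).
EHLO_REPLY = [
    "250-mangus.utopia.net",
    "250-AUTH LOGIN CRAM-MD5 DIGEST-MD5 PLAIN NTLM",
    "250-ENHANCEDSTATUSCODES",
]
AUTH_LINE = "AUTH PLAIN AHN1cGluZm8Ac3VwaW5mbw=="


def parse_ehlo(lines: List[str]) -> Dict[str, List[str]]:
    """Map each '250-KEYWORD params' line to {KEYWORD: [params]}.
    The first line only repeats the server name and is skipped."""
    caps: Dict[str, List[str]] = {}
    for line in lines[1:]:
        words = line[4:].split()  # drop the "250-" / "250 " prefix
        if line.startswith("250") and words:
            caps[words[0].upper()] = words[1:]
    return caps


def decode_sasl_plain(b64: str) -> Tuple[str, str, str]:
    """RFC 4616 PLAIN is base64(authzid NUL authcid NUL password):
    anyone reading the wire recovers the password directly."""
    authzid, authcid, password = base64.b64decode(b64).decode().split("\x00")
    return authzid, authcid, password


def audit_plaintext_auth(caps: Dict[str, List[str]], session_encrypted: bool) -> List[str]:
    """Findings about what the server offers on a cleartext session."""
    findings: List[str] = []
    if session_encrypted:
        return findings
    if "AUTH" in caps:
        findings.append("AUTH advertised before TLS; credentials would cross the "
                        "network in the clear (Postfix: smtpd_tls_auth_only = yes)")
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered (Postfix: smtpd_tls_security_level = may)")
    return findings
```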
How it works

Protocols at work
POP: Post Office Protocol version 3 (POP3)

Messages are stored locally on the client computer. Once downloaded, they are removed from the server and cannot be viewed from another location.
How it works

Protocols at work
How fluent is your POP?
supinfo@mangus:~$ telnet localhost pop3
+OK Hello there.
USER supinfo
+OK Password required.
PASS supinfo
+OK logged in.
LIST
+OK POP3 clients that break here, they violate STD53.
1 895
.
RETR 1
+OK 895 octets follow.
Return-Path: <supinfo@debian-master.localdomain>
X-Original-To: supinfo@utopia.net
[..]
How it works

Protocols at work
IMAP: Internet Message Access Protocol

Messages are stored centrally on the server and can be viewed from any configured computer.
How it works

Protocols at work
How fluent is your IMAP?
samuel@chickamauga ~ $ telnet 192.168.82.156 143
* OK [CAPABILITY IMAP4rev1 ...] Courier-IMAP ready.
01 LOGIN supinfo supinfo
01 OK LOGIN Ok.
02 LIST "" *
* LIST (\Unmarked \HasNoChildren) "." "INBOX"
02 OK LIST completed
03 SELECT INBOX
* FLAGS (\Draft \Answered \Flagged \Deleted \Seen \Recent)
* OK [PERMANENTFLAGS (\* \Draft \Answered \Flagged \Deleted \Seen)] Limited
* 1 EXISTS
* 1 RECENT
* OK [UIDVALIDITY 1338302965] Ok
* OK [MYRIGHTS "acdilrsw"] ACL
03 OK [READ-WRITE] Ok
04 FETCH 1 ALL
How it works

Stop-and-think

Do you have any questions?


How it works

Stop-and-think
A client can fetch mail using:

- POP
- UUCP
- IMAP
- SMTP
Mail Services

Postfix

The core component


Postfix

Secure Mailer
Say goodbye to the good ol’ sendmail.

- The Unix way of mailing
- Herd of daemons
  - One for each task
  - Spawned by master
  - Communicating using sockets, pipes, ...
- Security by isolation
  - Individual chroot
Postfix

Features
Say goodbye to the good ol’ sendmail.

- SMTP Authentication
- SMTPS
- Virtual domains
- Virtual users
- Aliases
- Mail delivery format
  - Maildir
  - Mailbox
  - ...
Postfix

The master process


Tie them together in /etc/postfix/master.cf:
Postfix

Configuring the SMTPd


Main configuration topics

- Who am I?
  - I’m the endpoint of ...
  - Where do I listen?
- Who do I relay?
  - Machines of the network?
  - Authenticated clients
- What to do with outgoing mail
Postfix

Configuring the SMTPd


A wild mail appears...
Postfix

Sample configuration
Local only mail delivery
smtpd_banner = $myhostname ESMTP $mail_name
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

inet_interfaces = loopback-only
mynetworks_style = host
default_transport = error: Local delivery only!

alias_maps = hash:/etc/aliases

mydestination = magnus, localhost, localhost.localdomain, magnus.localdomain
Postfix

Aliases
Redirecting mail
root: postmaster@supinfo.com
ftp-bugs: joe,eric,paul
bit.bucket: /dev/null
annoy: | wall

Re-hash with newaliases
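The alias table above mixes plain forwarding with delivery to a file and to a command, which local(8) runs with the privileges of default_privs rather than those of the recipient. The following added example (my code, not the course’s or Postfix’s) parses a small constructed /etc/aliases built from those entries, resolves an address through alias chains with loop protection, and lists the entries that warrant review.

```python
from typing import Dict, List, Set

# Constructed sample in /etc/aliases syntax, built from the entries above.
ALIASES_TEXT = """\
root: postmaster@supinfo.com
ftp-bugs: joe,eric,paul
bit.bucket: /dev/null
annoy: | wall
postmaster: root
"""

def parse_aliases(text: str) -> Dict[str, List[str]]:
    """Parse 'name: target, target' lines; '#' lines and blanks are skipped."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rhs = line.partition(":")
        table[name.strip().lower()] = [t.strip() for t in rhs.split(",") if t.strip()]
    return table

def classify(target: str) -> str:
    """Target kinds as local(8) sees them: command, file or address."""
    if target.startswith("|"):
        return "command"
    if target.startswith("/"):
        return "file"
    return "address"

def resolve(table: Dict[str, List[str]], name: str) -> Set[str]:
    """Follow alias chains to their final destinations; a loop terminates."""
    final: Set[str] = set()
    seen: Set[str] = set()
    todo = [name.lower()]
    while todo:
        cur = todo.pop()
        if cur in seen:
            continue  # already expanded (protects against a: b / b: a)
        seen.add(cur)
        for t in table.get(cur, [cur]):  # unknown name: delivered as itself
            if classify(t) == "address" and t.lower() in table:
                todo.append(t.lower())
            else:
                final.add(t)
    return final

def risky_entries(table: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Aliases that run a command or write a file: these execute under
    default_privs, so each one deserves an explicit review."""
    return {n: ts for n, ts in table.items()
            if any(classify(t) in ("command", "file") for t in ts)}
```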


Postfix

Where is my Mail?
Where local delivers the mail

- Mail spool
  - mail_spool_directory
  - Defaults to mbox
  - End with a / to get Maildir
  - You need to create the user directory yourself
- At-home delivery
  - home_mailbox
  - Delivery format: idem
Postfix

SMTP Authentication
When to accept relaying

- Default settings
  - Relay mail from mynetworks
  - IP-based filtering
  - Not always relevant
- Alternative
  - User authentication
  - Many options
  - Most used: login/password
Postfix

SMTP Authentication
How does it work?

- “External” processing
  - SASL library
  - Defaults to cyrus-sasl
- Configuration
  - Enable in the Postfix config: smtpd_sasl_auth_enable = yes
  - Configure SASL
Postfix

Cyrus SASL
How does it work?

- Multi-purpose authentication library
- Modular
  - Per-application config
- Backends
  - pwcheck_method
    - passwd, shadow, ...
      - runs as the service’s euid/egid
    - saslauthd
Postfix

Cyrus SASL
SASL and the privilege problem
Postfix

Cyrus SASL
SASL and the privilege problem: Solution
Postfix

Cyrus SASL
Configuration files

- Core SASL
  - /etc/sasl2
  - Per-application .conf file
  - Debian’s Postfix is patched: /etc/postfix/sasl/smtpd.conf
- saslauthd
  - Debian: /etc/default/saslauthd
Postfix

SMTP Authentication & relay


Postfix directives:
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
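Postfix walks smtpd_recipient_restrictions in order: the first restriction that returns PERMIT or REJECT decides, and reaching the end of the list is an implicit permit, so dropping reject_unauth_destination turns the server into an open relay. The following added example (my code, not Postfix’s) models that evaluation for the three restrictions above; the network ranges, domains and addresses are constructed values.

```python
import ipaddress

# Constructed configuration mirroring the directives above.
CONFIG = {
    "mynetworks": ["127.0.0.0/8", "192.168.82.0/24"],
    # $mydestination + $virtual_mailbox_domains: mail we are the destination for
    "local_domains": {"utopia.net", "mangus.utopia.net", "localhost"},
    "smtpd_recipient_restrictions": [
        "permit_mynetworks",
        "permit_sasl_authenticated",
        "reject_unauth_destination",
    ],
}


def evaluate_recipient(client_ip: str, sasl_authenticated: bool, rcpt: str,
                       config=CONFIG) -> str:
    """Apply the restriction list to one RCPT TO, in order, as Postfix does.
    PERMIT/REJECT stop the walk; a restriction that does not match moves on."""
    ip = ipaddress.ip_address(client_ip)
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    for restriction in config["smtpd_recipient_restrictions"]:
        if restriction == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(n) for n in config["mynetworks"]):
                return "PERMIT"
        elif restriction == "permit_sasl_authenticated":
            if sasl_authenticated:
                return "PERMIT"
        elif restriction == "reject_unauth_destination":
            # Reject unless this server is the final destination for the domain.
            if rcpt_domain not in config["local_domains"]:
                return "REJECT 554 Relay access denied"
        else:
            raise ValueError(f"unsupported restriction: {restriction}")
    return "PERMIT"  # end of list: implicit permit


def is_open_relay(config=CONFIG) -> bool:
    """An unknown, unauthenticated client sending to a foreign domain must be refused."""
    verdict = evaluate_recipient("203.0.113.7", False, "relay-test@example.org", config)
    return verdict == "PERMIT"
```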
Postfix

SMTP over SSL: SMTPS


Configuration files

- Files needed:
  - Service certificate
    - Include the “intermediate” CA cert.
  - Service key
- Set SSL behavior
  - None (none)
  - Opportunistic (may)
  - Mandatory (encrypt)
Postfix

SMTP over SSL: SMTPS


Postfix directives:
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem

smtpd_tls_security_level = may
Postfix

Virtual domains?
Virtual vs Canonical

- Canonical
  - One or more
  - Mail “users” are Unix users
  - Create a mailbox: create a user
  - No separation between domains
    - user@domain1 <=> user@domain
Postfix

Virtual domains?
Virtual vs Canonical

- Virtual
  - One or more
  - Map addresses to directories
  - No real “users”
  - Need to maintain the mapping
  - Delivery must be done as a system user
    - Use a dedicated account
Postfix

Virtual domains
Postfix directives:
virtual_mailbox_domains = utopia.net
virtual_mailbox_base = /var/spool/mail
virtual_mailbox_maps = hash:/etc/postfix/vmailboxes

virtual_uid_maps = static:107
virtual_gid_maps = static:111
Postfix

Virtual domains
Mapping addresses to directories (/etc/postfix/vmailboxes):
user@domain.tld     utopia.net/user/
user@domain2.tld    domain2.tld/user/

Re-hash with postmap


Postfix

Stop-and-think

Do you have any questions?


Postfix

Stop-and-think
Virtual-hosted domains are declared using:

- mydestination
- mynetworks
- virtual_mailbox_domains
- virtual_mailbox_maps
- mynetworks_style
Mail Services

Courier

The courier suite


Courier

What’s Courier?
Courier MTA

- Flexible mail system
- Modular components
  - SMTP
  - IMAP, POP
  - Authentication
- Most used for
  - IMAP, POP
  - Authentication
  - SMTPd rarely used
Courier

How it works?
Courier daemons
Courier

Configuration
What do you need to set?

- Protocol handlers
  - Where to get the mail: MAILDIRPATH
  - $PROTO over SSL? TLS_CERTFILE
- Auth daemon
  - Which backend to use: authmodulelist
    - pam, ldap, ...
- Default settings? Works OOB
Courier

Configuration
Which file to edit?

- Protocol handlers
  - /etc/courier/${proto}d
- SSL
  - courier-tls wrapper
  - /etc/courier/${proto}d-ssl
- Authentication
  - /etc/courier/authdaemonrc
Courier

Virtual users
The authuserdb module
- Virtual users
  - Bind strings to uid/gid
- Strings
  - Unix-like usernames
  - Mail addresses
- uid/gid
  - Map to a system user
- And more
  - “home dir”
  - Mailbox -> supersedes MAILDIRPATH
Courier

Virtual users
The userdb command

userdb login set param=value param2=value2 ...

Argument      Definition
login         The account name. Can be a Unix-like login or a full mail address.
param=value   The value to set

Example:

userdb supinfo@utopia.net set uid=107 gid=111 \
    home=/var/spool/mail/utopia.net/supinfo \
    mail=/var/spool/mail/utopia.net/supinfo
Courier

Virtual users
The userdbpw command

userdbpw -md5 | userdb supinfo@utopia.net set systempw

Argument    Definition
-md5        Algorithm to use
systempw    The value to set

Example:

userdbpw -md5 | userdb supinfo@utopia.net set systempw
Password:
Reenter password:
root@mangus:~# makeuserdb
Courier

Stop-and-think

Do you have any questions?


Courier

Stop-and-think
Postfix can use Cyrus-SASL, which in turn can use courier-imap to authenticate clients.

- True
- False
Mail Services

Course summary

- Courier suite
- Mail and users
- Let’s talk IMAP!
- Tie them together
- SASL and authentication mechs
Mail Services

For more
If you want to go into these subjects more deeply, …

Publications / Courses: Cisco CCNA

Web sites: www.supinfo.com, www.labo-linux.org, www.postfix.org

Conferences: RMLL, FOSDEM, Solution Linux
Congratulations
You have successfully completed
the SUPINFO course module
n°03
Mail Services
Mail Services

The end

- Log messages. Read them. Really.
- You don’t get it? Draw it!
