www.supinfo.com
Copyright © SUPINFO. All rights reserved
Mail Services
Course objectives
By completing this course, you will:
Course topics
Course plan
How it works
Nowadays
Common setup
Mail providers
mailbox on a domain
addr@domain.com
No link between addresses and system users
No login on the server
Dedicated protocols
IMAP
POP
SMTP
How it works
Mail storage
Two major formats:
Mailbox
Per-user
All mails in one file
Locking issues
Legacy
Maildir
Per-user
One file per mail
Locking done at fs level
Quite recent
How it works
Protocols at work
SMTP : Simple Mail Transfer Protocol
How it works
Protocols at work
How fluent is your SMTP ?
supinfo@debian-master:~$ telnet 192.168.82.156 smtp
220 mangus.utopia.net ESMTP Postfix
EHLO workstation
250-mangus.utopia.net
250-AUTH LOGIN CRAM-MD5 DIGEST-MD5 PLAIN NTLM
250-ENHANCEDSTATUSCODES
AUTH PLAIN AHN1cGluZm8Ac3VwaW5mbw==
235 2.7.0 Authentication successful
MAIL FROM: supinfo@utopia.net
250 2.1.0 Ok
RCPT TO: 40793@supinfo.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Test mail
Authenticated
.
250 2.0.0 Ok: queued as 22603530DA
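The transcript above shows the two things a reviewer of an SMTP session most often needs to check by hand: what the server advertised in its EHLO reply, and what the client actually sent after `AUTH PLAIN`. The following helpers are an added example (not code from the SUPINFO slides); the sample EHLO reply is constructed to mirror the transcript.

```python
import base64
import re

# Added example (not from the SUPINFO slides): helpers for the SMTP dialog shown above.
# The sample data below is constructed to mirror the transcript.

def auth_plain_token(username: str, password: str, authzid: str = "") -> str:
    """Build the SASL PLAIN credential sent after `AUTH PLAIN`.

    Wire format (RFC 4616): authzid NUL authcid NUL password, base64 encoded.
    Base64 is an encoding, not encryption: anyone who can read the TCP stream
    recovers the password, so PLAIN belongs only inside TLS (STARTTLS or SMTPS).
    """
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token: str) -> tuple:
    """Inverse of auth_plain_token: handy when reviewing a captured session."""
    parts = base64.b64decode(token).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN credential")
    return tuple(parts)  # (authzid, authcid, password)


REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_ehlo_reply(lines):
    """Parse a multi-line ESMTP reply into (code, [text lines]).

    Continuation lines use `250-`; the final line uses `250 ` (a space).
    The code must not change mid-reply.
    """
    code = None
    texts = []
    for line in lines:
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        if code is None:
            code = int(m.group(1))
        elif int(m.group(1)) != code:
            raise ValueError("reply code changed mid-reply")
        texts.append(m.group(3))
        if m.group(2) == " ":
            break
    return code, texts


def advertised_auth_mechs(lines):
    """Return the SASL mechanisms announced in an EHLO reply (empty list if none)."""
    _, texts = parse_ehlo_reply(lines)
    for text in texts[1:]:  # texts[0] is the server's hostname greeting
        words = text.split()
        if words and words[0].upper() == "AUTH":
            return words[1:]
    return []


# Constructed sample mirroring the EHLO reply on the slide
SAMPLE_EHLO = [
    "250-mangus.utopia.net",
    "250-AUTH LOGIN CRAM-MD5 DIGEST-MD5 PLAIN NTLM",
    "250 ENHANCEDSTATUSCODES",
]

if __name__ == "__main__":
    print(auth_plain_token("supinfo", "supinfo"))
    print(decode_auth_plain("AHN1cGluZm8Ac3VwaW5mbw=="))
    print(advertised_auth_mechs(SAMPLE_EHLO))
```

Decoding the token from the transcript yields an empty authorization identity, the user `supinfo` and the password `supinfo`, which is exactly why the slide's dialog should only ever be run on a test network or inside TLS.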
How it works
Protocols at work
POP : Post Office Protocol version 3 (POP3)
Protocols at work
How fluent is your POP ?
supinfo@mangus:~$ telnet localhost pop3
+OK Hello there.
USER supinfo
+OK Password required.
PASS supinfo
+OK logged in.
LIST
+OK POP3 clients that break here, they violate STD53.
1 895
.
RETR 1
+OK 895 octets follow.
Return-Path: <supinfo@debian-master.localdomain>
X-Original-To: supinfo@utopia.net
[..]
How it works
Protocols at work
IMAP : Internet Message Access Protocol
Protocols at work
How fluent is your IMAP ?
samuel@chickamauga ~ $ telnet 192.168.82.156 143
* OK [CAPABILITY IMAP4rev1 ...] Courier-IMAP ready.
01 LOGIN supinfo supinfo
01 OK LOGIN Ok.
02 LIST "" *
* LIST (\Unmarked \HasNoChildren) "." "INBOX"
02 OK LIST completed
03 SELECT INBOX
* FLAGS (\Draft \Answered \Flagged \Deleted \Seen \Recent)
* OK [PERMANENTFLAGS (\* \Draft \Answered \Flagged \Deleted \Seen)] Limited
* 1 EXISTS
* 1 RECENT
* OK [UIDVALIDITY 1338302965] Ok
* OK [MYRIGHTS "acdilrsw"] ACL
03 OK [READ-WRITE] Ok
04 FETCH 1 ALL
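IMAP replies are harder to read than POP3's `+OK`/`-ERR` because untagged `*` lines and bracketed response codes are interleaved with the tagged completion the client is waiting for. The parser below is an added example (not code from the SUPINFO slides) that classifies the server lines from the `SELECT INBOX` exchange above; the sample lines are constructed from the transcript.

```python
import re

# Added example (not from the SUPINFO slides): a minimal parser for the IMAP
# server lines in the transcript above. Sample lines are constructed.

STATUS = re.compile(r"^(\*|[A-Za-z0-9]+) (OK|NO|BAD|PREAUTH|BYE)(?: \[([^\]]*)\])?(?: (.*))?$")
COUNT = re.compile(r"^\* (\d+) (EXISTS|RECENT|EXPUNGE|FETCH)(.*)$")
LIST_LINE = re.compile(r'^\* LIST \(([^)]*)\) "([^"]*)" "?([^"]*)"?$')

def parse_imap_line(line: str) -> dict:
    """Classify one server line.

    kinds: 'status' (tagged or untagged OK/NO/BAD...), 'count' (* n EXISTS),
    'list' (* LIST ...), 'untagged' (any other '*' line).
    A bracketed response code is split into (name, argument-or-None).
    """
    m = COUNT.match(line)
    if m:
        return {"kind": "count", "number": int(m.group(1)), "name": m.group(2)}
    m = LIST_LINE.match(line)
    if m:
        return {"kind": "list", "flags": m.group(1).split(),
                "delimiter": m.group(2), "mailbox": m.group(3)}
    m = STATUS.match(line)
    if m:
        tag, status, code, text = m.groups()
        code_tuple = None
        if code is not None:
            name, _, arg = code.partition(" ")
            code_tuple = (name, arg or None)
        return {"kind": "status", "tag": tag, "status": status,
                "code": code_tuple, "text": text or ""}
    if line.startswith("* "):
        return {"kind": "untagged", "text": line[2:]}
    raise ValueError(f"unrecognised IMAP line: {line!r}")


def wait_for_tag(lines, tag: str):
    """Collect untagged responses until the tagged completion for `tag` arrives.

    A client must key on the tag it sent, not on line position, because the
    server may send unsolicited untagged data at any time.
    """
    untagged = []
    for line in lines:
        parsed = parse_imap_line(line)
        if parsed["kind"] == "status" and parsed["tag"] == tag:
            return parsed, untagged
        untagged.append(parsed)
    raise ValueError(f"no completion for tag {tag}")


def mailbox_summary(lines, tag: str):
    """Derive (writable, exists, recent, uidvalidity) from a SELECT reply."""
    done, untagged = wait_for_tag(lines, tag)
    writable = done["status"] == "OK" and done["code"] == ("READ-WRITE", None)
    exists = recent = uidvalidity = None
    for item in untagged:
        if item["kind"] == "count" and item["name"] == "EXISTS":
            exists = item["number"]
        elif item["kind"] == "count" and item["name"] == "RECENT":
            recent = item["number"]
        elif item["kind"] == "status" and item["code"] and item["code"][0] == "UIDVALIDITY":
            uidvalidity = int(item["code"][1])
    return writable, exists, recent, uidvalidity


# Constructed sample mirroring the SELECT INBOX exchange on the slide
SAMPLE_SELECT = [
    r"* FLAGS (\Draft \Answered \Flagged \Deleted \Seen \Recent)",
    r"* OK [PERMANENTFLAGS (\* \Draft \Answered \Flagged \Deleted \Seen)] Limited",
    "* 1 EXISTS",
    "* 1 RECENT",
    "* OK [UIDVALIDITY 1338302965] Ok",
    '* OK [MYRIGHTS "acdilrsw"] ACL',
    "03 OK [READ-WRITE] Ok",
]

if __name__ == "__main__":
    print(mailbox_summary(SAMPLE_SELECT, "03"))
```

Note that the transcript's `LOGIN` on port 143 sends the password in the clear, just like `AUTH PLAIN` on SMTP; a real client should refuse `LOGIN` unless the session is already under TLS.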
How it works
Stop-and-think
A client can fetch mail using:
POP
UUCP
IMAP
SMTP
Mail Services
Postfix
Secure Mailer
Say goodbye to the good ol’ sendmail.
Features
SMTP Authentication
SMTPS
Virtual domains
Virtual users
Aliases
Mail delivery format
Maildir
Mailbox
...
Postfix
Who am I ?
I’m the endpoint of ...
Where do I listen
Who do I relay ?
Machines of the network?
Authenticated clients
What to do with outgoing mail
Postfix
Sample configuration
Local only mail delivery
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
inet_interfaces = loopback-only
mynetworks_style = host
default_transport = error: Local delivery only!
alias_maps = hash:/etc/aliases
Aliases
Redirecting mail
root: postmaster@supinfo.com
ftp-bugs: joe,eric,paul
bit.bucket: /dev/null
annoy: | wall
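The four aliases above cover every kind of target `/etc/aliases` allows: an address, a list of users, a file, and a pipe to a command. Because a pipe target runs a program on every delivery to that alias, it is the entry to look at first when reviewing an aliases file. The following parser and audit function are an added example (not code from the SUPINFO slides); the sample file content is constructed from the slide's four lines.

```python
# Added example (not from the SUPINFO slides): parse /etc/aliases-style text
# and classify each target, as an audit script would before running newaliases.
# The sample text is constructed from the four aliases on the slide.

SAMPLE_ALIASES = """\
# comment lines and blank lines are ignored
root: postmaster@supinfo.com
ftp-bugs: joe,eric,paul
bit.bucket: /dev/null
annoy: | wall
"""

def classify_target(target: str) -> str:
    t = target.strip()
    if t.startswith("|"):
        return "pipe"       # command executed by the local delivery agent
    if t.startswith("/"):
        return "file"       # message appended to a file (/dev/null discards it)
    if t.startswith(":include:"):
        return "include"    # expands to the addresses listed in a file
    if "@" in t:
        return "address"    # fully qualified, possibly remote, address
    return "user"           # local user or another alias name

def parse_aliases(text: str) -> dict:
    """Return {alias: [(target, kind), ...]} preserving file order."""
    aliases = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, sep, rhs = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected 'name: target[,target...]'")
        rhs = rhs.strip()
        # A pipe command may itself contain commas, so keep it as one target.
        if rhs.startswith("|"):
            targets = [rhs]
        else:
            targets = [t.strip() for t in rhs.split(",") if t.strip()]
        aliases[name.strip()] = [(t, classify_target(t)) for t in targets]
    return aliases

def review_aliases(aliases: dict) -> list:
    """Return (alias, kind, target) for every pipe or file target.

    These are the entries whose reachability from outside (via
    smtpd_recipient_restrictions) is worth confirming, since anyone who can
    mail the alias triggers the command or the file write.
    """
    findings = []
    for name, targets in aliases.items():
        for target, kind in targets:
            if kind in ("pipe", "file"):
                findings.append((name, kind, target))
    return findings

if __name__ == "__main__":
    for finding in review_aliases(parse_aliases(SAMPLE_ALIASES)):
        print(*finding)
```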
Where is my Mail?
Where local delivers the mail
Mail spool: mail_spool_directory
Defaults to mbox
End with a / to get Maildir
You need to create the user directory yourself
At-home delivery: home_mailbox
Delivery format: idem
Postfix
SMTP Authentication
When to accept relaying
Default settings
Relay mail from mynetworks
IP-based filtering
Not always relevant
Alternative
User authentication
Many options
Most used: login/passwd
Postfix
SMTP Authentication
How it works ?
“External” processing
sasl library
Defaults to cyrus-sasl
Configuration
Enable in postfix config
smtpd_sasl_auth_enable = yes
Configure SASL
Postfix
Cyrus SASL
How it works?
Multi-purpose authentication library
Modular
Per-application config
Backends (pwcheck_method):
– passwd, shadow, ... (runs as the service’s euid/egid)
– saslauthd
Postfix
Cyrus SASL
SASL and the privilege problem
Postfix
Cyrus SASL
SASL and the privilege problem: Solution
Postfix
Cyrus SASL
Configuration files
Core sasl
/etc/sasl2
Per-application .conf file
Debian’s Postfix is patched:
– /etc/postfix/sasl/smtpd.conf
saslauthd
Debian:
/etc/default/saslauthd
Postfix
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
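Postfix evaluates the restriction list in order and stops at the first rule that yields a verdict; the order above is what turns "accept from my network or from authenticated clients" into a closed relay. The model below is an added example (not code from Postfix or the SUPINFO slides) that walks the same three rules over constructed networks, domains and client addresses, and shows what happens when `reject_unauth_destination` is left out.

```python
import ipaddress

# Added example (not from the SUPINFO slides): a model of how Postfix walks
# smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
# reject_unauth_destination. Networks, domains and client IPs are constructed.

MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.82.0/24")]
MYDESTINATION = {"mangus.utopia.net", "utopia.net", "localhost"}

RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated",
                "reject_unauth_destination"]

def evaluate(client_ip: str, sasl_username, recipient: str, restrictions=RESTRICTIONS):
    """Return ("permit", rule) or ("reject", rule).

    Rules are tried in order and the first verdict wins. If the list ends
    without a verdict Postfix permits, which is why the reject rule has to be
    present: without it, any client could relay to any domain.
    """
    ip = ipaddress.ip_address(client_ip)
    domain = recipient.rpartition("@")[2].lower()
    for rule in restrictions:
        if rule == "permit_mynetworks" and any(ip in net for net in MYNETWORKS):
            return "permit", rule
        if rule == "permit_sasl_authenticated" and sasl_username:
            return "permit", rule
        if rule == "reject_unauth_destination" and domain not in MYDESTINATION:
            return "reject", rule
    return "permit", "end-of-list"

def is_open_relay(restrictions) -> bool:
    """True if an unauthenticated outside client can relay to a foreign domain."""
    verdict, _ = evaluate("203.0.113.5", None, "someone@example.org", restrictions)
    return verdict != "reject"

if __name__ == "__main__":
    print(evaluate("203.0.113.5", None, "someone@example.org"))
    print(evaluate("203.0.113.5", None, "postmaster@utopia.net"))
    print("open relay:", is_open_relay(RESTRICTIONS))
    print("open relay without reject rule:", is_open_relay(RESTRICTIONS[:2]))
```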
Postfix
Files needed:
Service certificate (include the “intermediate” CA cert)
Service key
Set SSL behavior
None (none)
Opportunistic (may)
Mandatory (encrypt)
Postfix
smtpd_tls_security_level = may
Postfix
Virtual domains?
Virtual vs Canonical
Canonical
One or more mail “users” are Unix users
Create a mailbox: create a user
No separation between domains
user@domain1 <=> user@domain
Postfix
Virtual domains ?
Virtual vs Canonical
Virtual
One or more
Map addresses to directories
No real “users”
Need to maintain the mapping
Delivery must be done as a system user
– Use a dedicated account
Postfix
Virtual domains
Postfix directives:
virtual_mailbox_domains = utopia.net
virtual_mailbox_base = /var/spool/mail
virtual_mailbox_maps = hash:/etc/postfix/vmailboxes
virtual_uid_maps = static:107
virtual_gid_maps = static:111
Postfix
Virtual domains
Mapping addresses to directories
user@domain.tld utopia.net/user/
user@domain2.tld domain2.tld/user/
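With the directives above, the value on the right of each map entry is joined to `virtual_mailbox_base`, and a trailing `/` selects Maildir just as it does for `mail_spool_directory`. The function below is an added example (not code from Postfix or the SUPINFO slides) that computes the delivery path for a map entry and refuses entries that would resolve outside the base directory; the map contents are constructed.

```python
import os
import pathlib

# Added example (not from the SUPINFO slides): compute where Postfix's virtual
# delivery agent would write mail for the directives shown above, and sanity
# check the map before it is compiled with postmap. Map entries are constructed.

VIRTUAL_MAILBOX_BASE = "/var/spool/mail"
VIRTUAL_MAILBOX_DOMAINS = {"utopia.net"}
VIRTUAL_UID, VIRTUAL_GID = 107, 111   # static:107 / static:111 from the slide

SAMPLE_VMAILBOXES = """\
# address            mailbox relative to virtual_mailbox_base
user@utopia.net      utopia.net/user/
legacy@utopia.net    utopia.net/legacy
"""

def parse_vmailboxes(text: str) -> dict:
    """Parse 'key value' lines (the hash: map source format) into a dict."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'address path'")
        entries[parts[0].lower()] = parts[1].strip()
    return entries

def delivery_target(address: str, vmailboxes: dict,
                    base: str = VIRTUAL_MAILBOX_BASE,
                    domains=VIRTUAL_MAILBOX_DOMAINS):
    """Return (absolute path, 'maildir' | 'mbox') for a virtual address.

    Raises LookupError when the domain or address is not virtual-hosted and
    ValueError when the map value would resolve outside virtual_mailbox_base
    (e.g. an absolute path or one containing '..'). Delivery itself runs as
    VIRTUAL_UID/VIRTUAL_GID, the dedicated account mentioned on the slide.
    """
    domain = address.rpartition("@")[2].lower()
    if domain not in domains:
        raise LookupError(f"{domain} is not a virtual mailbox domain")
    rel = vmailboxes.get(address.lower())
    if rel is None:
        raise LookupError(f"no mailbox mapped for {address}")
    fmt = "maildir" if rel.endswith("/") else "mbox"
    base_path = pathlib.PurePosixPath(base)
    # PurePosixPath joining discards base if rel is absolute; normpath
    # collapses '..', so both escape attempts end up outside base_path.
    resolved = pathlib.PurePosixPath(os.path.normpath(str(base_path / rel)))
    if base_path not in resolved.parents:
        raise ValueError(f"mailbox path {rel!r} escapes {base}")
    return str(resolved) + ("/" if fmt == "maildir" else ""), fmt

if __name__ == "__main__":
    vm = parse_vmailboxes(SAMPLE_VMAILBOXES)
    for addr in vm:
        print(addr, "->", delivery_target(addr, vm))
```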
Stop-and-think
Virtual-hosted domains are declared using:
mydestination
mynetworks
virtual_mailbox_domains
virtual_mailbox_maps
mynetworks_style
Mail Services
Courier
What’s courier?
Courier MTA
How it works?
Courier daemons
Courier
Configuration
What do you need to set?
Protocol handlers
Where to get the mail: MAILDIRPATH
$PROTO over SSL? TLS_CERTFILE
Auth daemon
Which backend to use: authmodulelist
– pam, ldap, ...
Default settings? Works out of the box
Courier
Configuration
Which file to edit?
Protocol handlers
/etc/courier/${proto}d
SSL
courier-tls wrapper
/etc/courier/${proto}d-ssl
Authentication
/etc/courier/authdaemonrc
Courier
Virtual users
The authuserdb module
Virtual users
Bind strings to uid/gid
Strings: Unix-like usernames, mail addresses
uid/gid: map to a system user
And more: “home dir”, mail box (supersedes MAILDIRPATH)
Courier
Virtual users
The userdb command
Argument | Definition
login | The account name. Can be a unix-like login or a full mail address.
Examples:
Virtual users
The userdbpw command
Argument Definitions
Examples:
Stop-and-think
Postfix can use Cyrus-SASL that in turn can use courier-imap to authenticate clients.
True
False
Mail Services
Course summary
Tie them together
Courier suite
Mail and users
SASL and IMAP!
Let’s talk authentication mechs
Mail Services
For more
If you want to go into these subjects more deeply, …
Publications: www.supinfo.com, www.labo-linux.org, www.postfix.org
Courses and events: Cisco CCNA, RMLL, FOSDEM, Solution Linux
Congratulations
You have successfully completed
the SUPINFO course module
n°03
Mail Services
The end