Unix Linux Administration II Class 9: Introduction to Postfix. Spam filtering.
Agenda • Discuss homework • Adding your MX records • Testing sendmail • Script using read and printf • Review last class • Unit 1: Introduction to Postfix • Unit 2: Spam filtering • Unit 3:
Homework review • Adding your MX Resource Record (RR) • Sendmail configuration • Sending mail manually • Scripting • read • printf • Usage • Using $$ for file names
Review: The default MTA in CentOS 6.x is Postfix. Installing sendmail provides two MTA options (sendmail and Postfix). Mail delivery requires DNS support; MX records are just another DNS Resource Record (RR). The three primary roles for mail are: • MUA • MTA • MSA The primary sendmail configuration file is /etc/mail/sendmail.cf. This file is not typically edited directly.
Review: • Mail is stored in the queue directory before/until it is delivered. • Aliases allow mail to be redirected between accounts or services as required. • sendmail is based on rules and rulesets. • Messages are processed by these rulesets before being accepted or denied. • The three primary parts of a message are: header (fields such as Received and Date), body (everything after the first blank line), envelope (metadata about the message).
Review: shell scripting • read variable; echo $variable • read var0 var1 var2 • read returns exit code zero (true) unless end of file is detected • while true ... or while read input; do ... • read answer; if [ "$answer" = X ] ; then ... • Using the process id for file names: file.txt.$$ • printf is used for formatting output: printf "%-20s%-20s\n" ColumnA ColumnB
Class 9, Unit 1 What we are going to cover: • Postfix What you should leave this session with: • Basic Postfix setup • Understanding of TLS and mail.
Postfix was developed by Wietse Venema while at the IBM Research Center as a simpler but still secure alternative to sendmail. It was released under the IBM Public License in 1999, when it was known as “Secure Mailer”.
Supported platforms Postfix, like sendmail, supports a wide array of operating systems, including Linux, Solaris, AIX, BSD, etc. Postfix requires the ANSI C and POSIX.1 libraries.
Installing Postfix Postfix is the default MTA installed. We will be able to switch back to Postfix using: sudo /usr/sbin/alternatives --config mta The Postfix service can also be enabled or disabled using: sudo /sbin/chkconfig postfix on|off
Configuration points The vast majority of the Postfix config files exist under /etc/postfix. The primary configuration file is main.cf; back this file up before making any changes. We will be updating values like mydomain, myhostname and myorigin. master.cf manages communication between Postfix and the other processes used to handle mail, e.g. anti-spam and anti-virus solutions. Postfix uses the same aliases file that sendmail does, maintained in /etc/aliases.
Sending mail with Postfix. Mail servers are configured either to send mail directly or via another host, often referred to as a relay or smart host. You configure the name of the mail server in main.cf by removing the comment from the myhostname value: myhostname = FQDN
The myorigin value defines the domain that mail is shown as coming from. As before, this is found in the main.cf file: myorigin = FQDN After any changes have been made you will need to reload Postfix: • sudo /sbin/service postfix reload You can use postconf -n to review the settings that differ from the defaults, including any changes you have made.
Receiving mail. By default Postfix will only listen for mail on the local loopback address, meaning any external mail will not be accepted even if you have updated your firewall and your DNS zone. We will change this by editing the inet_interfaces value in /etc/postfix/main.cf.
Who uses a smarthost Mail is typically sent either via a dedicated mail server or through what is referred to as a smart host. In order to control spam, many ISPs and corporate networks block outbound (or inbound) port 25 traffic and force mail through a smarthost. If we wanted to use a smart host we would update main.cf and define the relayhost value: • relayhost = mailhost.company.com If the smart host requires authentication there are more steps involved.
Mail accounts. In our simple design, and because we are only hosting mail for one domain, users with local accounts can receive mail. You can also set up aliases for mail accounts. If you set up accounts just for mail they do not need home directories or shell access.
aliases How to find the Postfix alias file in use: • /usr/sbin/postconf alias_maps The format of this file is source: destination (<user>: <user>), e.g. info: myaccount. Mail can also be redirected externally: info: myaccount@mail.com Once the file is updated, rebuild the alias database from it (postalias, or the newaliases wrapper, builds the database format Postfix expects for alias files; postmap is for other lookup tables): /usr/sbin/postalias /etc/aliases
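An added shell example (not part of the course materials) that ties the read/printf/$$ review to the alias file format above: it reads an aliases-style file line by line, checks each entry against the source: destination format, flags duplicate sources (a rebuilt alias database keeps only one entry per key), and prints a printf-formatted table. The sample file is constructed here and is not a real /etc/aliases.

```shell
#!/bin/sh
# check_aliases FILE: print a table of the entries and return 1 if any
# line is malformed or duplicated, so the file is fixed before rebuilding.
check_aliases() {
    file=$1
    seen=/tmp/aliases.seen.$$   # scratch file named with the process id
    : > "$seen"                 # (on a shared host, mktemp is safer than $$)
    bad=0
    printf "%-20s%-30s%s\n" SOURCE DESTINATION STATUS
    while IFS= read -r line || [ -n "$line" ]; do
        # Skip comment and blank lines.
        case $line in '#'*|'') continue ;; esac
        src=${line%%:*}
        dst=${line#*:}
        dst=$(printf '%s' "$dst" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        status=OK
        # An alias needs "name: destination" with a non-empty destination.
        if [ "$src" = "$line" ] || [ -z "$dst" ]; then
            status=MALFORMED; bad=1
        elif grep -qx -- "$src" "$seen"; then
            # A repeated source silently overrides the earlier one.
            status=DUPLICATE; bad=1
        fi
        printf '%s\n' "$src" >> "$seen"
        printf "%-20s%-30s%s\n" "$src" "$dst" "$status"
    done < "$file"
    rm -f "$seen"
    return $bad
}

# Constructed sample aliases file (not a real /etc/aliases).
SAMPLE=/tmp/aliases.sample.$$
cat > "$SAMPLE" <<'EOF'
# comment line
info: myaccount
postmaster: root
info: someoneelse@mail.com
broken line without colon
EOF
check_aliases "$SAMPLE" || echo "fix the flagged lines before rebuilding the map"
```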
Encrypting mail Mail is by default a clear-text protocol. However, mail can be sent over encrypted channels, similar to how SSL and SSH work; for SMTP this is referred to as TLS (Transport Layer Security). To enable TLS we will add the following lines to main.cf (Postfix does not accept a trailing comment on a parameter line, so comments go on their own lines):
# TLS config
# tls optional
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
smtpd_tls_cert_file = /opt/myca/mail.ulcert.crt
smtpd_tls_key_file = /opt/myca/mail.ulcert.key
Review: • Switch between Postfix and sendmail using /usr/sbin/alternatives --config mta • Config files live under /etc/postfix; the primary config file is main.cf • Postfix uses the same aliases file as sendmail, /etc/aliases • A smarthost is a central host for managing mail delivery • Postfix, like sendmail, only listens on the loopback address by default • Postfix, like sendmail, supports TLS for encrypting mail transport
In class lab 9a • Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->
Class 9, Unit 2 What we are going to cover: • SPAM prevention What you should leave this session with: • Mail class restrictions • Grey listing
Preventing spam There are lots of tools to manage and control spam. We are going to look at some of those solutions. Some of the simplest solutions revolve around enforcing mail standards: if these standards are not met we can discard the mail.
SPAM or UBE/UCE • UBE: Unsolicited Bulk Email • UCE: Unsolicited Commercial Email Otherwise referred to as spam. Spam accounts for 80% if not more of all mail today.
Postfix class restrictions We are going to look at three types of restrictions: • smtpd_helo_restrictions • smtpd_sender_restrictions • smtpd_recipient_restrictions These settings are defined in /etc/postfix/main.cf
smtpd HELO restrictions When a client initially connects to a mail server it must identify itself using the SMTP command HELO. This step is often skipped, obscured, or completed with invalid data by those with questionable objectives.
smtpd HELO restrictions
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
• smtpd_delay_reject: required (it is the default) if you want HELO restrictions to work as intended; the SMTP conversation continues and the restrictions are evaluated at RCPT TO. • smtpd_helo_required: reject mail from systems that don't provide HELO identification. • permit_mynetworks: allow connections from systems within our trusted networks. • reject_non_fqdn_helo_hostname: reject if the hostname provided is not an FQDN. • reject_invalid_helo_hostname: reject messages with invalid HELO syntax. • permit: any message not blocked continues to the next filter stage.
smtpd SENDER restrictions These may seem obvious, but simply requiring that connections come from a host defined to send mail, or that they include an FQDN, can exclude much of the spam.
smtpd SENDER restrictions
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    permit
• permit_mynetworks: allow senders from our network. • reject_non_fqdn_sender: reject mail whose sender address is not in FQDN form. • reject_unknown_sender_domain: reject mail whose sender domain has neither an A record nor an MX record, or whose record is malformed. • reject_rhsbl_sender dsn.rfc-ignorant.org: reject mail from domains listed as not conforming to RFC standards. • permit: any message not blocked continues to the next filter stage.
smtpd recipient restrictions Often spammers want to send large amounts of messages and try to do this in bulk. We can restrict this. We can also require messages to comply with standards and to provide valid names and DNS records, and we can control who can and cannot deliver mail to us.
smtpd recipient restrictions
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
• reject_unauth_pipelining: rejects clients that send multiple SMTP commands at once (pipelining) when they are not yet allowed to; this is how bulk deliveries are pushed through and it is often abused by spammers. • reject_non_fqdn_recipient: reject mail without an FQDN in the recipient address. • reject_unknown_recipient_domain: reject mail whose recipient domain has no valid DNS A or MX record, or whose record is malformed. • permit_mynetworks: allow our permitted networks. • reject_unauth_destination: the critical line; it blocks mail for domains that are not hosted locally. Without it your server can become an open relay. (The list continues on the following slides.)
smtpd recipient restrictions cont. check_sender_access hash:/etc/postfix/sender_access, This restriction names the access list to consult. Defining sender_access allows the use of whitelists and blacklists: full or partial email addresses and domains taken from the MAIL FROM field are matched against the table. Do not whitelist your own domain, as spammers will spoof the sender to be your domain. After updating your sender_access file run postmap against it: postmap /etc/postfix/sender_access
smtpd recipient restrictions cont. Sample sender_access file:
# /etc/postfix/sender_access
# Black/Whitelist for senders matching
# the 'MAIL FROM' field.
angus@books.ulcert.uw.edu OK
loans@refi.loans.com REJECT
sales@ REJECT
ceo@ OK
send-save.com REJECT
pce.uw.edu OK
smtpd recipient restrictions cont.
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net
These are real-time blacklists (RBL) that mail is checked against; they are also referred to as DNS blacklists (DNSBL). Using them can automate your spam management, but this does come with the risk of blocking legitimate mail.
Postgrey Postgrey is a policy server used to provide greylisting filters for MTAs including Postfix. Postgrey is a Perl-based solution and can be installed using yum.
    check_policy_service unix:postgrey/socket,
Here we are using the check_policy_service restriction to call Postgrey, which is bound to a UNIX socket.
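An added shell model (not Postfix code and not from the course materials) of how an access(5) table such as the sender_access sample above is consulted for a MAIL FROM address: the full address is tried first, then the domain and each of its parent domains, then the bare user@ pattern. It assumes the default behaviour in which a domain entry also matches its subdomains, and it embeds the slide's sample table as constructed input; the spoofed-sender case shows why whitelisting your own domain is a mistake.

```shell
#!/bin/sh
# Lookup order modelled here: 1) user@domain  2) domain, then each parent
# domain  3) user@.  Prints the table's action, or DUNNO for no match.
TABLE=/tmp/sender_access.$$
cat > "$TABLE" <<'EOF'
# sample sender_access table copied from the slide
angus@books.ulcert.uw.edu   OK
loans@refi.loans.com        REJECT
sales@                      REJECT
ceo@                        OK
send-save.com               REJECT
pce.uw.edu                  OK
EOF

# lookup_key KEY: print the action for an exact table key, or nothing.
lookup_key() {
    awk -v k="$1" '$1 !~ /^#/ && $1 == k { print $2; exit }' "$TABLE"
}

# sender_access ADDRESS: print the first matching action, or DUNNO.
sender_access() {
    addr=$1
    user=${addr%@*}
    domain=${addr#*@}
    # 1) the full address
    act=$(lookup_key "$addr")
    if [ -n "$act" ]; then echo "$act"; return; fi
    # 2) the domain, then its parents: a.send-save.com -> send-save.com -> com
    d=$domain
    while [ -n "$d" ]; do
        act=$(lookup_key "$d")
        if [ -n "$act" ]; then echo "$act"; return; fi
        case $d in *.*) d=${d#*.} ;; *) d= ;; esac
    done
    # 3) the local part alone, matching any domain
    act=$(lookup_key "$user@")
    if [ -n "$act" ]; then echo "$act"; return; fi
    echo DUNNO
}
```

A DUNNO result hands the decision to the next restriction in the list, which is why the table belongs after reject_unauth_destination.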
Postgrey cont. Postgrey reviews the client IP, sender and recipient. If a message arrives with a combination of these values that Postgrey has not seen before, the mail is rejected with a temporary error. After 5 minutes it will be accepted. This delay causes most spam and virus-related mail to fail, as they will not try again. The delay message type is 450 “try again later”.
Installing Postgrey Postgrey is available in the standard yum repositories; however, a more recent version can be installed from the RPMForge repositories. To use RPMForge you must update your yum configs. This has been greatly simplified, as you can install an RPM that adds all the configs for you.
Review: class restrictions • UBE: unsolicited bulk email • UCE: unsolicited commercial email, or spam • smtpd HELO restrictions: force connections to identify themselves. • smtpd sender restrictions: reject mail from non-FQDN hosts, reject mail without an A or MX record, reject non-standard mail. • smtpd recipient restrictions: disable bulk deliveries, reject mail without an FQDN for the recipient.
Review: black/white/grey listing • White list: sender allowed • Black list: sender rejected • Real-time blacklist or DNS blacklist, e.g. bl.spamcop.net • Grey listing: delay mail. • Postgrey: a policy server used to greylist for the MTA. Postgrey reviews the request and temporarily rejects mail not seen before.
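An added shell model of the greylisting decision described under Postgrey above (a teaching model, not Postgrey's own code): the client IP, sender and recipient form a triplet; a triplet never seen before is recorded and answered with a 450 temporary rejection, a retry before the delay has elapsed gets 450 again, and a retry after it is accepted. The 300-second delay matches the 5 minutes stated above; the addresses and timestamps are constructed.

```shell
#!/bin/sh
# State file: one line per triplet, "client_ip sender recipient first_seen".
STATE=/tmp/greylist.state.$$
: > "$STATE"
DELAY=300   # seconds a new triplet must wait (5 minutes, as on the slide)

# greylist CLIENT_IP SENDER RECIPIENT NOW_EPOCH
# Prints "450 try again later" while the triplet is younger than DELAY
# (or unknown), and "250 ok" once the retry arrives after the delay.
greylist() {
    key="$1 $2 $3"
    now=$4
    first=$(awk -v k="$key" '($1 " " $2 " " $3) == k { print $4; exit }' "$STATE")
    if [ -z "$first" ]; then
        # Never seen: remember when we first saw it and ask for a retry.
        printf '%s %s\n' "$key" "$now" >> "$STATE"
        echo "450 try again later"
    elif [ $((now - first)) -lt "$DELAY" ]; then
        # Retried too soon: still a temporary rejection.
        echo "450 try again later"
    else
        # Legitimate MTAs queue and retry; most spam tools never come back.
        echo "250 ok"
    fi
}
```

Real Postgrey also auto-whitelists clients that keep retrying correctly; that step is left out here.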
In class lab 9b • Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->
Homework Homework for this week will be posted later tonight.