OPS345 Lab 7: Difference between revisions

From Littlesvr Wiki
Jump to navigation Jump to search
No edit summary
(39 intermediate revisions by the same user not shown)
Line 1: Line 1:
= THIS PAGE IS A DRAFT, NOT READY FOR USE YET =
= Email services components =
*webmail
Originally there was only one "email" protocol: SMTP. It was designed to address, route, and receive messages for a destination user on a destination server. Later an extra couple of protocols (POP3 and IMAP) were developed so that people wouldn't have to read their email on the command-line on the SMTP server. Now there are many components, making a powerful, reliable, but complex system. Here's a simplified diagram of what typically happens when you send an email to someone else:


* set up thunderbird for myseneca
[[File:Email-servers.png|800px|border|center]]
* can't use the same keys generated in www lab, they're for the wrong FQDN
<source>
andrew@p51:~/prog/seneca/ops345/new$ sudo su -
root@p51:~# certonly --manual --preferred-challenges dns
certonly: command not found
root@p51:~# certbot certonly --manual --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): email.asmith15.ops345.ca
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for email.asmith15.ops345.ca


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
By the end of this course you should be familiar enough with all these components to be able to speak about them comfortably.
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.


Are you OK with your IP being logged?
We'll set up an SMTP server in this lab and an IMAP server in the next lab.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
= New VM: email =
Please deploy a DNS TXT record under the name
_acme-challenge.email.asmith15.ops345.ca with the following value:


PdK1vlZnYMdBO7untofSCkfXH2ejk3EE019R7A90x7Q
* Create a new VM, similar to the www VM you created earlier. Make sure that it:
** Named '''email'''
** AMI version '''Amazon Linux 2023'''
** Is in '''vpc-ops345''' (where no public IP address should be assigned by default).
** In the subnet '''subnet-ops345'''
** Is in a new security group named '''ops345emailsg''', which will allow SSH acccess from the router only and SMTP access from anywhere.
** Has the IP address '''10.3.45.12'''
** Gets an extra '''4GB EBS''' volume.
* After it starts: do some configuration you should be very comfortable with by now:
** Set up port forwarding on the router so you can SSH to email via port 2212 on the router. The email server is going to have its own public IP, but remember we're pretending that we're monitoring all SSH traffic using special software on the router machine.
** Create a new user and delete ec2-user.
** Set the hostname to '''email.yoursenecaid.ops345.ca'''
** Allocate a new, permanent static IP named '''email_public_ip''' and associate it with your email server.


Before continuing, verify the record is deployed.
== DNS records ==
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges


IMPORTANT NOTES:
Email used as you're used to it requires a couple of DNS entries. One A record for the server, and on MX record for your domain.
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/email.asmith15.ops345.ca/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/email.asmith15.ops345.ca/privkey.pem
  Your cert will expire on 2022-02-28. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot
  again. To non-interactively renew *all* of your certificates, run
  "certbot renew"
- If you like Certbot, please consider supporting our work by:


  Donating to ISRG / Let's Encrypt:  https://letsencrypt.org/donate
* Log in to your [http://ops345.ca Bindistrar].
  Donating to EFF:                    https://eff.org/donate-le
* Create an A record for email.yoursenecaid.ops345.ca with the static IP you assigned to your email server. This is just a typical A record.
* Create an MX record with the value email.yoursenecaid.ops345.ca.
** This record is for other people's email servers who want to send email to anyone@yoursenecaid.ops345.ca
** It specifies that the receiving SMTP server for yoursenecaid.ops345.ca is email.yoursenecaid.ops345.ca
** The priority is there for when you have one or more backup email servers. You would if this email server were important, but in this course you don't so you can pick any number for the priority.


root@p51:~# cp /etc/letsencrypt/live/email.asmith15.ops345.ca/cert.pem ~andrew/prog/seneca/ops345/new/keys/email.asmith15.ops345.ca.cert.pem
Remember that DNS records are cached, so if you make a mistake: you'll need for the TTL to expire before you can test your updated records. One way too give yourself two chances to get it right is to first test your MX record on the router. Then if it's wrong: you can test your second attempt on your workstation before the TTL expires on the router's caching DNS server.
root@p51:~# cp /etc/letsencrypt/live/email.asmith15.ops345.ca/privkey.pem ~andrew/prog/seneca/ops345/new/keys/email.asmith15.ops345.ca.key.pem
 
root@p51:~# chown andrew ~andrew/prog/seneca/ops345/new/keys/email.asmith15.ops345.ca.*
* Test your MX record on the router:
</source>
 
* Put keys on the email server:
[[File:AWSDigEmail.png|border|center]]
<source>
 
scp -P 2212 -i keys/ssh/ops345-all-aws-machines.pem keys/email.asmith15.ops345.ca.* andrew@34.202.103.43:~
== Storage ==
[root@email andrew]# cp email.asmith15.ops345.ca.cert.pem /etc/pki/tls/certs/
 
[root@email andrew]# cp email.asmith15.ops345.ca.key.pem /etc/pki/tls/private/
For the www VM we have set up an external storage device so that we wouldn't lose our website if the server was damaged or deleted. We'll do the same for the email VM. You can look back at lab 3 if you need a reminder for how to do the following steps.
</source>
 
* configure postfix to enable encrypted connections from client software. add this to the bottom of main.cf:
* Create a volume group '''vg_email''' with the second drive as the only physical volume.
<source># Settings to enable secure SMTP using my self-signed certificate:
* Create a logical volume '''lv_email'''
smtpd_tls_auth_only = no
 
smtpd_use_tls = yes
{{Admon/important|Don't get locked out|With the setup we're building all the emails will be stored in each user's home directory. That means '''lv_email''' will need to be mounted on '''/home'''. That makes it tricky because other important things (like your SSH keys) are stored under /home as well, so be careful with the following steps, you may end up locking yourself out of your VM, and you'll have to rebuild it.}}
smtp_use_tls = yes
 
smtpd_tls_key_file = /etc/pki/tls/private/email.asmith15.ops345.ca.key.pem
* Create a temporary directory /tmp/home and mount lv_email there.
smtpd_tls_cert_file = /etc/pki/tls/certs/email.asmith15.ops345.ca.cert.pem
* Move all the contents of /home to /tmp/home
tls_random_source = dev:/dev/urandom
* Edit your fstab to make sure lv_email gets mounted automatically on /home when your system boots.
smtpd_tls_loglevel = 1
* Hold your breath and reboot. If you did it right: you should be able to ssh back in and everything will look the same, except now there's a lost+found directory in /home, which tells you that there's a filesystem mounted on there.
</source>
 
* test with telnet/EHLO: should say 250-STARTTLS
== SMTP server: Postfix ==
* complete test will be done with thunderbird later
 
* dovecot installed in previous lab, it needs very little configuration for our simple setup
There are many SMTP server software on Linux to choose from. Postfix is the most used commonly used so that's the one we're going to use. It can be configured to do all sorts of advanced and interesting things, but we'll keep it simple. Once you feel less overwhelmed with all the exotic configuration options: it will help you to read the description of what those options do, over time the meaning of those comments will become more and more clear.
* /etc/dovecot/dovecot.conf:
 
* Modify the protocols option so that Dovecot will work with IMAP connections, no POP3 or LMTP.
* Postfix is not installed by default on Amazon Linux 2023, install it using yum.
* 10-ssl.conf:
* Then start it and make sure it starts automatically on boot.
<source>ssl_cert = </etc/pki/tls/certs/email.asmith15.ops345.ca.cert.pem
 
ssl_key = </etc/pki/tls/private/email.asmith15.ops345.ca.key.pem</source>
In the default configuration Postfix only listens on localhost, it will not accept inbound connections to port 25 even if the firewall allows access to that port.
* ss should show port 993, no 995 or 110
 
* there's no iptables running on email, so just open port 993 in ops345sgemail
* Use the '''ss''' command to see what ports are open (i.e. there is a service listening on that port):
* configure thunderbird:
[[File:AWSssSMTPlocalhost.png|800px|border|center]]
** IMAP: email.asmith15.ops345.ca, SSL 993, normal password, username without @domain
* Edit '''/etc/postfix/main.cf''' and change four of the options:
** SMTP: email.asmith15.ops345.ca, STARTTLS 25, normal password, username without @domain
** Set '''mydomain''' to yoursenecaid.ops345.ca  
* tail -f /var/log/maillog and send a message from thunderbird
** Set '''myorigin''' to $mydomain. This is appended to your username when you send email directly from the server. It doesn't have to be the same as $mydomain, but it makes sense for it to be the same in most cases.
* The message is not sent, because postfix is not configured to authenticate users. encryption alone is not enough.
** Set '''inet_interfaces''' to all. This will configure Postfix to listen for external incomming connections, rather than just connections from localhost.
* https://www.xmodulo.com/enable-user-authentication-postfix-smtp-server-sasl.html
** Change '''mydestination''' to include $mydomain. This will tell postfix that when it sees an email for anyone@yoursenecaid.ops345.ca: it should deliver it rather than forward it to a different SMTP server.
** except the SSL/TLS parameters part.
* Restart the Postfix service. Check the service status, and the postfix logs using '''journalctl -u postfix -e''' to confirm that it restarted successfully.
* Send email again. Note the messages about connection timed out. We can't do anything about that in AWS Academy:
* Run '''ss''' again, learn to see the difference between a service that listens on localhost and a service that listens on all interfaces:
** https://aws.amazon.com/premiumsupport/knowledge-center/ec2-port-25-throttle/
[[File:AWSSsSMTPOpen.png|800px|border|center]]
* There's more to do anyway to set up a real sending server, as a minimum DKIM/SPF but reverse DNS for the domain also helps.
 
* https://aws.amazon.com/premiumsupport/knowledge-center/route-53-reverse-dns/
=== Test receiving email ===
* http://littlesvr.ca/grumble/2014/01/26/setting-up-sendmail-on-a-dynamic-ip-part2-spf/
 
* Eventually the email you tried to send will bounce because that's a temporary error
People often think of SMTP servers as "sending" servers, but they are responsible for receiving email too. Since setting up a full email client involves many steps, and at least two services: we'll test access to the SMTP server manually.
 
* See if you can connect from your workstation to your SMTP server using telnet. If the connection is successful: run a single SMTP protocol command just because you can:
{{Admon/important|Lame ISPs and VPNs|I used to only know one ISP lame enough to block outgoing connections to port 25 for their customers (Rogers). But that plague is spreading. Some students tell me Bell has the same problem, and I've even experienced this block using a VPN. If you're having a problem establishing the following connection: try connecting to Seneca's SMTP server first. If that doesn't work: just skip this test.}}
[[File:AWSTelnet25-2023.png|border|center]]
* You can use the '''quit''' command or the escape sequence ^] to get out of that session.
* Now use whatever email service you want (e.g. myseneca, or your personal account) to send an email to yourusername@yourusername.ops345.ca. Note that you don't need any special configuration on the sender's email client or server. All someone needs to know to send email to you is in your server's MX record.
** Before you send it: run '''journalctl -u postfix -f''' in a terminal so you can see what happens when a message arrives. You can press enter a few times to insert some blank lines so you can more easily separate unrelated messages.[[File:AWSMaillogReceivedMail-2023.png|800px|border|center]]
** There's a lot of log for a single email. I typically look for '''from''', '''to''', and '''status=sent'''. If the status is something different: I start looking at other information.
* "Delivered to mailbox" means that Postfix decided it is the destination for this particular message and saves it where it was configured to save it.
 
=== Use Maildir and dovecot-lda ===
 
By default Postfix saves emails in the file '''/var/mail/username''' in the MBOX format. That means all the emails you get will be appended to this file. That works fine under normal circumstances but most people don't use MBOX for serious email servers. We'll configure Postfix to save messages in the Maildir format, under each user's home directory.
 
We'll use dovecot-lda as a LDA. It's an application that comes with the Dovecot package.
 
* Install dovecot, but don't start or enable the service. Leave the Dovecot configuration for the next lab.
* Edit /etc/postfix/main.cf and add the following mailbox_command, to tell Postfix to deliver using dovecot-lda:<pre>mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"</pre>
* Restart postfix.
* Edit /etc/dovecot/conf.d/10-mail.conf and add the following mail_location parameter, to tell dovecot-lda where to store emails it is asked to store and in which format:<pre>mail_location = maildir:~/Maildir</pre>
* No need to restart any service after changing that, dovecot-lda is executed as an application for every email that Postfix wants delivered.
* Send yourself another email and find where it ended up. The maildir format isn't meant for reading on the command-line, but you should be able to find a newly received message so that you can troubleshoot when it's not working properly.
 
=== Aliases ===
 
Sometimes you want to receive emails which are sent to different addressed. For example the system administrator typically receives emails sent to postmaster, webmaster, hostmaster, and root. Also dovecot-lda will not deliver email to root at all as a security measure.
 
Create an alias to deliver emails meant for root to andrew instead:
 
* Edit /etc/aliases (it's a text file).
* Uncomment the bottom line and change "mark" to your username.
* Run "newaliases".
* Send an email to root@yourusername.ops345.ca and make sure it ends up in your user's Maildir
 
= Submit evidence of your work =
 
For this lab, please submit screenshots that show you've completed the work, unless your professor has given you different instructions. As a minimum that's:
 
* Your email VM details in the AWS console.
* A dig query for your two new DNS records.
* The output of the mount command.
* The received emails in your Maildir.


[[Category:OPS345]]
[[Category:OPS345]]

Revision as of 09:25, 11 November 2024

Email services components

Originally there was only one "email" protocol: SMTP. It was designed to address, route, and receive messages for a destination user on a destination server. Later an extra couple of protocols (POP3 and IMAP) were developed so that people wouldn't have to read their email on the command-line on the SMTP server. Now there are many components, making a powerful, reliable, but complex system. Here's a simplified diagram of what typically happens when you send an email to someone else:

Email-servers.png

By the end of this course you should be familiar enough with all these components to be able to speak about them comfortably.

We'll set up an SMTP server in this lab and an IMAP server in the next lab.

New VM: email

  • Create a new VM, similar to the www VM you created earlier. Make sure that it:
    • Named email
    • AMI version Amazon Linux 2023
    • Is in vpc-ops345 (where no public IP address should be assigned by default).
    • In the subnet subnet-ops345
    • Is in a new security group named ops345emailsg, which will allow SSH acccess from the router only and SMTP access from anywhere.
    • Has the IP address 10.3.45.12
    • Gets an extra 4GB EBS volume.
  • After it starts: do some configuration you should be very comfortable with by now:
    • Set up port forwarding on the router so you can SSH to email via port 2212 on the router. The email server is going to have its own public IP, but remember we're pretending that we're monitoring all SSH traffic using special software on the router machine.
    • Create a new user and delete ec2-user.
    • Set the hostname to email.yoursenecaid.ops345.ca
    • Allocate a new, permanent static IP named email_public_ip and associate it with your email server.

DNS records

Email used as you're used to it requires a couple of DNS entries. One A record for the server, and on MX record for your domain.

  • Log in to your Bindistrar.
  • Create an A record for email.yoursenecaid.ops345.ca with the static IP you assigned to your email server. This is just a typical A record.
  • Create an MX record with the value email.yoursenecaid.ops345.ca.
    • This record is for other people's email servers who want to send email to anyone@yoursenecaid.ops345.ca
    • It specifies that the receiving SMTP server for yoursenecaid.ops345.ca is email.yoursenecaid.ops345.ca
    • The priority is there for when you have one or more backup email servers. You would if this email server were important, but in this course you don't so you can pick any number for the priority.

Remember that DNS records are cached, so if you make a mistake: you'll need for the TTL to expire before you can test your updated records. One way too give yourself two chances to get it right is to first test your MX record on the router. Then if it's wrong: you can test your second attempt on your workstation before the TTL expires on the router's caching DNS server.

  • Test your MX record on the router:
AWSDigEmail.png

Storage

For the www VM we have set up an external storage device so that we wouldn't lose our website if the server was damaged or deleted. We'll do the same for the email VM. You can look back at lab 3 if you need a reminder for how to do the following steps.

  • Create a volume group vg_email with the second drive as the only physical volume.
  • Create a logical volume lv_email
Important.png
Don't get locked out
With the setup we're building all the emails will be stored in each user's home directory. That means lv_email will need to be mounted on /home. That makes it tricky because other important things (like your SSH keys) are stored under /home as well, so be careful with the following steps, you may end up locking yourself out of your VM, and you'll have to rebuild it.
  • Create a temporary directory /tmp/home and mount lv_email there.
  • Move all the contents of /home to /tmp/home
  • Edit your fstab to make sure lv_email gets mounted automatically on /home when your system boots.
  • Hold your breath and reboot. If you did it right: you should be able to ssh back in and everything will look the same, except now there's a lost+found directory in /home, which tells you that there's a filesystem mounted on there.

SMTP server: Postfix

There are many SMTP server software on Linux to choose from. Postfix is the most used commonly used so that's the one we're going to use. It can be configured to do all sorts of advanced and interesting things, but we'll keep it simple. Once you feel less overwhelmed with all the exotic configuration options: it will help you to read the description of what those options do, over time the meaning of those comments will become more and more clear.

  • Postfix is not installed by default on Amazon Linux 2023, install it using yum.
  • Then start it and make sure it starts automatically on boot.

In the default configuration Postfix only listens on localhost, it will not accept inbound connections to port 25 even if the firewall allows access to that port.

  • Use the ss command to see what ports are open (i.e. there is a service listening on that port):
AWSssSMTPlocalhost.png
  • Edit /etc/postfix/main.cf and change four of the options:
    • Set mydomain to yoursenecaid.ops345.ca
    • Set myorigin to $mydomain. This is appended to your username when you send email directly from the server. It doesn't have to be the same as $mydomain, but it makes sense for it to be the same in most cases.
    • Set inet_interfaces to all. This will configure Postfix to listen for external incomming connections, rather than just connections from localhost.
    • Change mydestination to include $mydomain. This will tell postfix that when it sees an email for anyone@yoursenecaid.ops345.ca: it should deliver it rather than forward it to a different SMTP server.
  • Restart the Postfix service. Check the service status, and the postfix logs using journalctl -u postfix -e to confirm that it restarted successfully.
  • Run ss again, learn to see the difference between a service that listens on localhost and a service that listens on all interfaces:
AWSSsSMTPOpen.png

Test receiving email

People often think of SMTP servers as "sending" servers, but they are responsible for receiving email too. Since setting up a full email client involves many steps, and at least two services: we'll test access to the SMTP server manually.

  • See if you can connect from your workstation to your SMTP server using telnet. If the connection is successful: run a single SMTP protocol command just because you can:
Important.png
Lame ISPs and VPNs
I used to only know one ISP lame enough to block outgoing connections to port 25 for their customers (Rogers). But that plague is spreading. Some students tell me Bell has the same problem, and I've even experienced this block using a VPN. If you're having a problem establishing the following connection: try connecting to Seneca's SMTP server first. If that doesn't work: just skip this test.
AWSTelnet25-2023.png
  • You can use the quit command or the escape sequence ^] to get out of that session.
  • Now use whatever email service you want (e.g. myseneca, or your personal account) to send an email to yourusername@yourusername.ops345.ca. Note that you don't need any special configuration on the sender's email client or server. All someone needs to know to send email to you is in your server's MX record.
    • Before you send it: run journalctl -u postfix -f in a terminal so you can see what happens when a message arrives. You can press enter a few times to insert some blank lines so you can more easily separate unrelated messages.
      AWSMaillogReceivedMail-2023.png
    • There's a lot of log for a single email. I typically look for from, to, and status=sent. If the status is something different: I start looking at other information.
  • "Delivered to mailbox" means that Postfix decided it is the destination for this particular message and saves it where it was configured to save it.

Use Maildir and dovecot-lda

By default Postfix saves emails in the file /var/mail/username in the MBOX format. That means all the emails you get will be appended to this file. That works fine under normal circumstances but most people don't use MBOX for serious email servers. We'll configure Postfix to save messages in the Maildir format, under each user's home directory.

We'll use dovecot-lda as a LDA. It's an application that comes with the Dovecot package.

  • Install dovecot, but don't start or enable the service. Leave the Dovecot configuration for the next lab.
  • Edit /etc/postfix/main.cf and add the following mailbox_command, to tell Postfix to deliver using dovecot-lda:
    mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
  • Restart postfix.
  • Edit /etc/dovecot/conf.d/10-mail.conf and add the following mail_location parameter, to tell dovecot-lda where to store emails it is asked to store and in which format:
    mail_location = maildir:~/Maildir
  • No need to restart any service after changing that, dovecot-lda is executed as an application for every email that Postfix wants delivered.
  • Send yourself another email and find where it ended up. The maildir format isn't meant for reading on the command-line, but you should be able to find a newly received message so that you can troubleshoot when it's not working properly.

Aliases

Sometimes you want to receive emails which are sent to different addressed. For example the system administrator typically receives emails sent to postmaster, webmaster, hostmaster, and root. Also dovecot-lda will not deliver email to root at all as a security measure.

Create an alias to deliver emails meant for root to andrew instead:

  • Edit /etc/aliases (it's a text file).
  • Uncomment the bottom line and change "mark" to your username.
  • Run "newaliases".
  • Send an email to root@yourusername.ops345.ca and make sure it ends up in your user's Maildir

Submit evidence of your work

For this lab, please submit screenshots that show you've completed the work, unless your professor has given you different instructions. As a minimum that's:

  • Your email VM details in the AWS console.
  • A dig query for your two new DNS records.
  • The output of the mount command.
  • The received emails in your Maildir.