In this project you will build and use a SOHO Mail server. Your mail service will include SMTP service with the postfix MTA, POP3/ IMAP service with the Dovecot MAA, and Web mail access with the Squirrelmail MUA. Your email service will use the Maildir mail storage system rather than the more traditional mbox format.
Actually Dovecot supports Maildir++ format, an extension that adds sub-folders and mail quota. Most systems (MUAs and MDAs) that claim they support “Maildir” actually mean they support “Maildir++”. (Note while the author of the format spells it with a lowercase “m” most of the world uses “Maildir” or “Maildir++”.)
A proper mail service (as with most services) generally requires a static IP setup and additional DNS records. However you would need to learn more about networking to do this properly, so we will save this for another project.
(Time permitting, mail service configuration continues in a CTS-2311 (Unix/Linux Security) course project to add full functionality, including virus and spam scanning and authentication.)
Note!
Fedora may not have correct SELinux policy rules for
Dovecot or other servers.
It is strongly suggested you make sure SELinux is run
in permissive mode for this project.
One way to always boot up in permissive mode is to edit
the file /etc/selinux/config
and follow the
comments to change the mode.
Squirrelmail is a collection of PHP generated HTML forms that can either directly access mailboxes (MBOX but not Maildir!), or more commonly use an MAA, typically IMAP. Thus you will need to have your mail service (including IMAP) setup and working before you can setup Squirrelmail.
Although Squirrelmail can be configured to use IMAPS, the user enters usernames and passwords (and composed email) in HTML forms. The resulting HTTP packet is sent in plain text form to your MAA. This is clearly a security problem! In this assignment we will use the same server for web-mail and the MAA, so no sensitive data is transmitted across a network. In general, you should only configure web-mail from secure HTTPS connections. (This will be done in a project for the Unix/Linux Security course, but you might not complete that project in time to work on this one, so there is no requirement for that.)
Install, configure, and test a mail service suitable for SOHO use. Unlike some previous projects the steps will not include specific commands to run. At this point you are expected to be able to locate relevant commands and documentation using the skills you have learned. (But don't panic! The resources section includes a copy of email lecture notes you can use, and the Internet resources for email setup are very good.)
Perform the following tasks and answer the following questions (optional steps appear in italics in a gray box and start with the phrase “(optional)”):
gcaw.org
.
Edit the HostNameList page found in our class wiki at
YborStudent.hccfl.edu/UnixWiki/.
You need to add your name and chosen hostnames to the list,
along with the static IP address for your host.
Network address: | 10.142.255.0 |
---|---|
Mask: | 255.255.255.0 |
Gateway: | 10.142.255.1 |
Range for static use: | 10.142.255.11–127 |
Range for DHCP use: | 10.142.255.128–254 |
Remember the contents of the configuration files is documented
in /usr/share/doc/initscripts*/sysconfig.txt
;
scroll down for the entries for “network
” and
“ifcfg-
”.
While your textbook contains excellent directions on how to
set up your host with a static IP address, you
may have a couple of additional issues to deal with.
Modern versions of Fedora don't enable the traditional
“network
” service by default.
Instead you may find “NetworkManager
” used.
This is a replacement networking service daemon designed to handle
wireless networking automatically.
Although this service uses the same configuration files, the contents can
be slightly different.
You need to see if “NetworkManager
” is running.
If so, feel free to turn it off and turn on “network
”
legacy service instead.
Make sure the change persists across a reboot!
Otherwise, make sure your config files are correct for the newer service.
The other issue is that the systems are configured by default
to have no “eth0” NIC.
On these systems, udev
and/or systemd
is renaming the
interface at boot time to something else.
If this is the case on your host, you will need to configure
the correct NIC instead of eth0
shown in the examples.
The steps and files are all the same except for this change
in the file name and in the configuration files where
“eth0
” is referenced.
What changes did you make to turn off DHCP, provide a static IP address, and a hostname that works?
Use ping
to verify your hostname can be found.
(Other tools such as dig
, host
, or
nslookup
only use DNS to resolve names.
You could use “getent hosts name-or-IP
”
but ping
is easier to remember.)
gcaw.org
domain.
Or you can set your caching name server to forward all requests
to the instructor's host.
Add all the names found on the class wiki “HostNameList” page
for our class to your /etc/hosts
file.
Configure nsswitch.conf
to use files
before dns
.
(You can set your wiki account to “watch” this page, so
as other students add to the page you will be automatically
notified.
You can then update your /etc/hosts
file as
needed.)
What is the final version of your
/etc/hosts
file?
Also note you won't be configuring any MX
or other email related records —
you only have a singe host to use in our class and
not a whole domain.
But suppose your mail server was the only one for the entire
gcaw.org
domain and that you had to add email
related DNS records to your (primary) name server.
What DNS records should you add?
alternatives
command to switch all shared
commands to your chosen MTA (if set to, say,
sendmail).
If there was no alternatives
system (or some equivalent) what would you do if you need to switch
MTAs (or another subsystem that uses conflicting
pathnames)?
alternatives
command and the Postfix
MTA.
(You can install other software as needed later.)
Be sure to install the alternatives system first.
What packages are needed?
How did you determine this?
/etc/postfix/main.cf
to accept
email from other hosts (or at least the others in our
class network).
Use the system default mailbox (an mbox)
for now.
Check the syntax, and then start (or reload) the
MTA and test the result.
What changes did you make (show
diff
output comparing the original and
modified file(s))?
How do you check that the email service is working correctly (be
specific)?
mutt
to send and read email to your non-root account
on your host, from your host.
Then try to send and read email to your non-root account on your
host, from a different host.
(You should ask a fellow student or your instructor to send you
the email; note that sending email from the wireless network or
other hosts not connected to the classroom LAN may not work.)
Examine the log files for any problems.
What extra steps, if any did you need
to perform?
What log entries were generated, and in which log files?
aliases
file,
there may be several on the system!
Read the Postfix configuration file to see which file gets
used.)
What email-related aliases should always be
present?
Why is it important to set root
as an alias to
a real person on a server?
~/Maildir/
”.
Now reload the mail server and test the changes.
Send email to some user and check their home directory (and the
log files) to verify this works (the new mail files and folders
were created).
What changes did you make? pine
, but there is a patch if you have the
source).
Configure the mutt
MUA to use
Maildirs.
(Sample configurations for MUAs can be found in
the lecture notes found on-line in the email resources.)
Make sure you can send and receive emails with mutt
.
What changes did you make to your
MUA configuration?
mailx
(formally known as
nail
) replacement package for mail
.
(Personally I have set a shell alias for mail to mailx).
Now configure mailx
MUA to use Maildirs
and test the result.
Finally, repeat for any other MUAs you use including
GUI
MUAs.
Report any changes made.
For POP3S and IMAPS (the secure versions)
you must have a valid PKI certificate for your
site.
(We will learn about this in CTS-2311 class.)
Dovecot includes a self-signed certificate for
localhost.localdomain
that will be fine for this
project.
However to generate a real certificate you would need to edit
the file /etc/pki/dovecot/dovecot-openssl.cnf
.
What edits would you make to this
file?
mail_location
parameter in
the file 10-mail.conf
.
Be sure to make a copy first of any file(s) you edit.)
Make sure it is running correctly now.
What changes did you make?
(Show diff
output.) telnet localhost pop3
(or imap
).
To test if the secure ports are working use
openssl s_client -connect localhost:pop3s
,
(or imaps
).
mutt
and alpine
can read email
from IMAP if you change
the (incoming) mailbox to this URL
(instead of the normal pathname):
imap://userName@localhost/INBOX
.
You can set this as the default by “exporting” the
MAIL
environment variable in a login script.
Now test by sending some mail to your account from your
MUA, and try reading it using the MUA
configured for IMAP.
Examine the log files to make sure there were no problems.
squirrelmail
package.
What other packages (if any) does this
require?
cd
to the Squirrelmail directory
(/usr/share/squirrelmail
)
Here you will find the Squirrelmail configuration
program, config/conf.pl
.
Run this program (from the Squirrelmail directory),
and record the choices you make.
(If you see a blank screen, it is likely the text color
is the same as the background color.
Use the command “C
” (and hit enter)
to turn off colors.)
http://server-name/webmail/src/configtest.php
(You can use localhost
for server-name.)
That will run some tests, and at the bottom of the page will report
the results, hopefully that your configuration is working.
If not, re-run the configuration program and change the incorrect
setting(s).
Repeat until this works.
Don't forget to record all configuration changes as you
make them!
By default, the Apache config for Squirrelmail re-writes URLs
from http://
to
https://
.
Since Apache may not be configured for that, nothing is listening on port
443, and you will get a “connection refused” message when you
try.
You will need to comment-out these three lines in Apache's
squirrelmail.conf
config file, then restart Apache:
RewriteEngine on RewriteCond %{HTTPS} !=on RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
To trouble-shoot any issues, look at the
error_log
(and possibly the ssl_error_log
)
file(s).
getenforce
command to see, and setenforce 0
command to set to “Permissive”.
When working, try turning SE Linux back on. named
or nscd
(hopefully you're
not running both at once!). alternatives --config mta
” to make sure you are
really using Postfix and not Sendmail or some other MTA. rcs
”, or at least
make a backup copy of the original.
(I use “cp foo foo-orig
”.)
Then you can use “diff foo-orig foo
”
to see what you changed, and that can be copied into your system journal. A copy of your project-rellated journal entries and the answers to the questions asked above. You can send as email to (preferred). If email is a problem for some reason (!), you may turn in a hard-copy. In this case the pages should be readable, dated, and stapled together. Your name should appear on the first page.
Don't turn in your whole journal, you will need to add to it every day in class! It is common in fact to keep the journal as a text file on the system (with a paper backup of course).
Please see your syllabus for more information about submitting projects.