HW3
Install Package
# Refresh the package index and upgrade before installing the mail stack.
sudo apt update && sudo apt upgrade -y
# postfix: the MTA; postfix-pcre: needed for the pcre: tables used later
# (virtual, generic_maps, header_checks); dovecot-imapd: IMAP plus the SASL
# auth socket Postfix authenticates against; rsyslog: mail logs.
sudo apt install -y postfix postfix-pcre dovecot-imapd rsyslog
- Add user for judge
# Accounts used by the graders; adduser prompts for the password interactively.
sudo adduser ta
sudo adduser cool-ta
# password:
# 5E842AEEEDB8F6EA8857E6D1FB72E76E
# NOTE(review): the password above is kept in plaintext in these notes and is
# repeated on the swaks command lines in the test section; keep it out of the
# notes and rotate it once grading is done.
- Set hostname
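# Both steps need root: hostnamectl changes the system hostname and
# /etc/postfix/main.cf is root-owned. Every other privileged step in these
# notes already runs under sudo; these two were missing it.
sudo hostnamectl hostname mail.14.nasa
sudo vim /etc/postfix/main.cf
# myhostname = mail.14.nasa
# mydestination = $myhostname, localhost, localhost.localdomain, 14.nasa, mail
# mynetworks = 127.0.0.0/8 192.168.14.0/24
# NOTE(review): every host in 192.168.14.0/24 is a trusted client via
# mynetworks (permit_mynetworks in Postfix's default relay restrictions), so
# it can relay without SASL; narrow this if only this host should relay.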
- STARTTLS
sudo vim /etc/postfix/main.cf
# smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
# smtpd_tls_key_file = /etc/ssl/private/mail.key
# NOTE(review): these two lines only name the files; Postfix offers STARTTLS
# only when smtpd_tls_security_level is also set (Debian's stock main.cf sets
# it to "may" -- confirm it is present). The same key is reused by Dovecot
# below, so keep it root-owned and unreadable by other users.
- user authentication
# Dovecot exposes its auth service on a socket inside Postfix's spool dir so
# Postfix can use it for SMTP AUTH (smtpd_sasl_type = dovecot below).
sudo vim /etc/dovecot/conf.d/10-master.conf
# service auth {
# # Postfix smtp-auth
# unix_listener /var/spool/postfix/private/auth {
# mode = 0660
# user = postfix
# group = postfix
# }
# }
# The socket lives under /var/spool/postfix, which is why main.cf refers to
# it as the relative path private/auth.
# Same certificate/key pair as Postfix; the leading "<" tells Dovecot to read
# the file contents at startup.
sudo vim /etc/dovecot/conf.d/10-ssl.conf
# ssl_cert = </etc/ssl/certs/mail.pem
# ssl_key = </etc/ssl/private/mail.key
sudo vim /etc/dovecot/conf.d/10-auth.conf
# auth_mechanisms = plain login
# LOGIN is the mechanism the swaks tests at the end use (--auth LOGIN).
# NOTE(review): PLAIN and LOGIN carry the password unprotected inside the
# session, so they are only acceptable under TLS; leave Dovecot's
# disable_plaintext_auth at its default (yes) so they are refused on
# non-TLS connections.
sudo systemctl restart dovecot
sudo vim /etc/postfix/main.cf
# smtpd_sasl_auth_enable = yes
# smtpd_sasl_type = dovecot
# smtpd_sasl_path = private/auth
# smtpd_sender_restrictions = reject_unauthenticated_sender_login_mismatch reject_authenticated_sender_login_mismatch reject_unlisted_sender check_sender_access hash:/etc/postfix/sender_access
# smtpd_sender_login_maps = hash:/etc/postfix/login_maps
# smtpd_recipient_restrictions = reject_unknown_recipient_domain check_policy_service inet:127.0.0.1:10023
# The two *_sender_login_mismatch checks tie MAIL FROM to the SASL login via
# login_maps (next step); reject_unlisted_sender refuses envelope senders that
# are not valid local addresses; sender_access is the null-sender block below.
# inet:127.0.0.1:10023 is the postgrey policy daemon set up in the Greylisting
# section.
# NOTE(review): smtpd_recipient_restrictions carries no relay control (no
# reject_unauth_destination); relaying is then governed only by the default
# smtpd_relay_restrictions (permit_mynetworks permit_sasl_authenticated
# defer_unauth_destination per the Postfix docs) -- confirm that default is
# not overridden elsewhere in main.cf, or add reject_unauth_destination here.
sudo vim /etc/postfix/login_maps
# cool-TA cool-ta
# ymlai ymlai
# TA ta
# Key = localpart of the envelope sender, value = the SASL login allowed to
# use it. postmap builds the .db file that the hash: table actually reads;
# rerun it after every edit.
sudo postmap /etc/postfix/login_maps
- NULL sender block
sudo vim /etc/postfix/sender_access
# <> REJECT
# NOTE(review): "<>" is the null sender used by bounces and delivery status
# notifications; rejecting it means remote servers can no longer return
# undeliverable mail to local users. Keep it only if that trade-off is
# intended for the assignment.
sudo postmap /etc/postfix/sender_access
- Restart service
# The reload is redundant here: the restart on the next line already picks
# up the new main.cf and the freshly built map files.
sudo postfix reload
sudo systemctl restart postfix
sudo systemctl restart dovecot
DNS Records
- Add records / re-sign the zones
DNSSEC
sudo vim /etc/bind/db.14.nasa
# mail IN A 192.168.14.25
# IN MX 10 mail.14.nasa.
# NOTE(review): a zone-file record with no owner name inherits the previous
# owner; if the MX line really follows the "mail" A record as shown, it is an
# MX for mail.14.nasa rather than for the zone apex. Write it as
# "@ IN MX 10 mail.14.nasa." and confirm with "dig mx 14.nasa" after re-signing.
sudo vim /etc/bind/db.14.168.192
# 25 IN PTR mail.14.nasa.
# Re-sign both zones (-S picks the keys from -K by zone name, -a verifies the
# signatures, -t prints statistics), then restart bind so the new RRSIGs are
# served. The PTR is what receivers use for the reverse check on 192.168.14.25.
sudo dnssec-signzone -a -K /etc/bind/key -o 14.nasa -S -t db.14.nasa
sudo dnssec-signzone -a -K /etc/bind/key -o 14.168.192.in-addr.arpa -S -t db.14.168.192
sudo systemctl restart bind9
Email Accounts
- Alias
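sudo vim /etc/postfix/main.cf
# alias_maps = hash:/etc/aliases
# alias_database = hash:/etc/aliases
# virtual_alias_maps = pcre:/etc/postfix/virtual
# (config lines are written as comments like everywhere else in these notes;
# left bare they would be executed as shell commands.)
sudo vim /etc/aliases
# NASATA: ta
# TA: ta
# cool-TA: cool-ta
# postalias, not postmap, builds the aliases .db.
sudo postalias /etc/aliases
sudo vim /etc/postfix/virtual
# /^([\w-]+)\+[\w-]+\@([\.\w-]+)$/ $1@$2
# Strips "+tag" sub-addressing so user+anything@domain is delivered to
# user@domain. Postfix reads a pcre: table straight from the text file; the
# postmap below (default type hash) produces a .db the pcre: map never reads.
# A lookup can be checked with: postmap -q 'ta+x@14.nasa' pcre:/etc/postfix/virtual
sudo postmap /etc/postfix/virtual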
- Sender rewrite
sudo vim /etc/postfix/main.cf
# smtp_generic_maps = pcre:/etc/postfix/generic_maps
# masquerade_domains = 14.nasa
# smtp_generic_maps rewrites addresses only on mail leaving through the smtp
# client (not on local delivery); masquerade_domains strips host parts below
# 14.nasa.
sudo vim /etc/postfix/generic_maps
# /^([\w-]*)@mail.14.nasa$/ $1@14.nasa
# /^cool-TA@([\w-.]*)$/ supercooool-TA@$1
# NOTE(review): the unescaped dots in "mail.14.nasa" match any character, and
# "[\w-.]" puts a class escape next to "-" (an ambiguous range that some PCRE
# versions reject); "[\w.-]" with "\." for the dots is the unambiguous form.
# Check a rewrite with: postmap -q 'cool-TA@14.nasa' pcre:/etc/postfix/generic_maps
sudo postmap /etc/postfix/generic_maps
Greylisting
- Install package
# Greylisting policy daemon; Postfix queries it through the
# check_policy_service entry in smtpd_recipient_restrictions.
sudo apt install postgrey
- Setting whitelist
sudo vim /etc/postgrey/whitelist_clients.local
# ta@ta.nasa
# NOTE(review): whitelist_clients entries are matched against the connecting
# client's hostname/IP, not an e-mail address, so this line may never match.
# postgrey's address-based whitelist exists only for recipients
# (whitelist_recipients) -- confirm the grader's sending host and whitelist
# that instead.
- Setting delay
sudo vim /etc/default/postgrey
# POSTGREY_OPTS="--inet=10023 --delay=15"
# --inet=10023 is the port check_policy_service in main.cf points at;
# --delay=15 shortens the greylist retry window from postgrey's default of
# 300 s so the tests do not wait five minutes.
Securing Mail Service
- Install package
# DKIM signing/verifying milter; wired into Postfix via smtpd_milters below.
sudo apt install opendkim
- Configure opendkim
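# Edit as root: the file is root-owned, and every other config edit in these
# notes goes through sudo.
sudo vim /etc/opendkim.conf
# Mode sv
# Socket inet:8891@localhost
# RequireSafeKeys False
# Domain 14.nasa
# KeyFile /etc/dkim/mail.private
# KeyTable /etc/opendkim/KeyTable
# SigningTable refile:/etc/opendkim/SigningTable
# ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
# InternalHosts refile:/etc/opendkim/TrustedHosts
# Mode sv = sign outgoing and verify incoming. Socket 8891 is what main.cf's
# smtpd_milters points at below.
# NOTE(review): RequireSafeKeys False lets opendkim load a private key that
# is group/world readable; with the chown to opendkim:opendkim done in the
# next step the key can stay 0600 and this line can be dropped (default True).
# NOTE(review): KeyFile names /etc/dkim/mail.private, but the key is generated
# in /etc/dkimkeys and the KeyTable uses that path; the KeyTable is what is
# consulted when present, so the KeyFile line looks stale -- keep one path.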
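# Generate the DKIM keypair (selector "mail") directly into the directory the
# KeyTable entry points at, instead of relying on an unchecked cd: if that cd
# failed, the key landed in whatever directory the shell was in.
sudo opendkim-genkey -D /etc/dkimkeys -s mail -d 14.nasa
# The private key must be owned by the opendkim user that reads it; genkey
# also writes mail.txt, which holds the TXT record published in DNS below.
sudo chown opendkim:opendkim /etc/dkimkeys/mail.private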
sudo vim /etc/opendkim/SigningTable
# *@14.nasa mail._domainkey.14.nasa
# refile: glob on the sender address -> name of the KeyTable entry to sign with.
sudo vim /etc/opendkim/KeyTable
# mail._domainkey.14.nasa 14.nasa:mail:/etc/dkimkeys/mail.private
# entry name -> domain:selector:private key path; selector "mail" must match
# the mail._domainkey TXT record published below.
sudo vim /etc/opendkim/TrustedHosts
# 127.0.0.1
# 192.168.14.0/24
# *.mail.14.nasa
# *.14.nasa
# Used as both InternalHosts (mail from these is signed instead of verified)
# and ExternalIgnoreList, so the whole /24 is trusted to originate mail that
# gets a 14.nasa signature.
sudo vim /etc/postfix/main.cf
# smtpd_milters = inet:localhost:8891
# non_smtpd_milters = $smtpd_milters
# milter_default_action = accept
# NOTE(review): milter_default_action = accept means that while opendkim is
# down, mail is accepted unsigned and unverified; "tempfail" keeps the
# signing guarantee at the cost of deferring mail until the milter is back.
- Setting DNS server
sudo vim /etc/bind/db.14.nasa
# @ IN TXT "v=spf1 ip4:192.168.14.0/24 a mx -all"
# _dmarc IN TXT "v=DMARC1;p=reject;aspf=s;adkim=s;rua=mailto:dmarc-report-rua@14.nasa"
# mail._domainkey IN TXT "v=DKIM1; h=sha256; k=rsa; p=..."
# p= is the public key from the mail.txt that opendkim-genkey wrote next to
# mail.private (selector "mail" = the -s argument and the KeyTable entry).
# SPF -all plus DMARC p=reject with strict alignment: receivers that honour
# DMARC reject mail for 14.nasa that passes neither aligned SPF nor aligned
# DKIM. rua= needs a mailbox that actually exists to receive reports.
sudo dnssec-signzone -a -K /etc/bind/key -o 14.nasa -S -t db.14.nasa
sudo systemctl restart bind9
- Test
# Verify the DKIM, SPF and DMARC TXT records are served; add @127.0.0.1 if the
# host's resolver is not this bind instance.
dig txt +short mail._domainkey.14.nasa
dig txt +short 14.nasa
dig txt +short _dmarc.14.nasa
Spam Filters
- Outgoing filter
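sudo vim /etc/postfix/main.cf
# header_checks = pcre:/etc/postfix/header_checks
sudo vim /etc/postfix/header_checks
# /^(?i)SUBJECT(?-i):.*(Graduate\ School|博士班|=\?UTF-8\?B\?5Y2a5aOr54\+t\?=).*$/ REJECT
# (written as a comment like the other config content in these notes; left
# bare it would be run as a shell command.) header_checks see the raw header,
# which is why the encoded-word form of the Chinese phrase is matched next to
# the literal one. Note it runs in cleanup on every message, incoming as well
# as outgoing, not only on the "outgoing filter" this section is named after.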
Note:
The incoming filter part may not work correctly.
- Install package
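sudo apt-get install -y lsb-release wget gpg # for install
# $(...) instead of backticks; refuse to continue with an empty codename,
# which would otherwise be written into the apt source line.
CODENAME=$(lsb_release -c -s)
: "${CODENAME:?lsb_release -c -s returned nothing}"
sudo mkdir -p /etc/apt/keyrings
# Fetch and dearmor the repository signing key into the keyring that the
# signed-by= clause below pins the repo to.
wget -O- https://rspamd.com/apt-stable/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/rspamd.gpg > /dev/null
# Without pipefail only tee's status is visible; a failed download or dearmor
# would leave an empty keyring and make apt-get update reject the repo.
[[ ${PIPESTATUS[0]} -eq 0 && ${PIPESTATUS[1]} -eq 0 ]] || printf 'rspamd signing key download failed\n' >&2
# Package downloads are verified against the pinned key, so apt does not
# depend on transport security for the repo itself.
printf 'deb [signed-by=/etc/apt/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ %s main\n' "$CODENAME" | sudo tee /etc/apt/sources.list.d/rspamd.list
printf 'deb-src [signed-by=/etc/apt/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ %s main\n' "$CODENAME" | sudo tee -a /etc/apt/sources.list.d/rspamd.list
sudo apt-get update
sudo apt-get --no-install-recommends install rspamd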
- Conf
sudo vim /etc/rspamd/actions.conf
# actions {
# reject = null;
# greylist = null;
# subject = "**SPAM**%s"
# }
# reject/greylist = null switch those actions off, so rspamd never drops or
# greylists (postgrey already greylists); mail scoring high enough is only
# tagged by prefixing the subject with **SPAM**.
sudo vim /etc/rspamd/options.inc
# gtube_patterns = "disable"
# NOTE(review): this turns off recognition of the GTUBE test string, which is
# the standard way to check that the filter is active; consider leaving it
# enabled until the spam test at the end has been run.
sudo vim /etc/postfix/main.cf
# content_filter = rspamd:[127.0.0.1]:11332
# receive_override_options = no_address_mappings
# NOTE(review): receive_override_options set in main.cf applies to every
# smtpd instance, which switches off the virtual_alias_maps rewriting
# configured earlier for all incoming mail; in the content_filter pattern it
# is normally set with -o only on the re-injection listener in master.cf.
sudo vim /etc/postfix/master.cf
# rspamd unix - - n - - smtp
# -o smtp_send_xforward_command=yes
# -o syslog_name=postfix/rspamd
# NOTE(review): this hands every message to rspamd over SMTP via the "rspamd"
# transport, but port 11332 is rspamd's proxy worker, which in the Postfix
# integration rspamd documents speaks the milter protocol
# (smtpd_milters = inet:127.0.0.1:11332). That mismatch is a likely reason
# for the "may not work correctly" note above; adding 11332 to the existing
# smtpd_milters line next to opendkim and dropping content_filter is the
# documented integration -- confirm against the rspamd docs for the version
# installed.
- Mail queue
# show current queue
postqueue -p
# Force delete all mail
# NOTE(review): postsuper -d ALL discards every queued message, including
# legitimately deferred mail; use it only on this test box, and prefer
# postsuper -d <queue-id> to drop a single message.
postsuper -d ALL
- Test the mail server
# swaks: scriptable SMTP test client used for the submissions below.
sudo apt install swaks
# 1) Unauthenticated submission claiming TA@14.nasa: expected to be refused
#    by reject_unauthenticated_sender_login_mismatch (sender restrictions above).
swaks --from TA@14.nasa --to ymlai@14.nasa --server mail.14.nasa \
--tls --data "Subject: Hello\n\nThis is the email body."
# 2) Authenticated as TA, sending as TA@14.nasa to the host-name form of the
#    recipient: exercises login_maps and mydestination.
swaks --from TA@14.nasa --to ymlai@mail.14.nasa --server mail.14.nasa \
--auth LOGIN --auth-user TA --auth-password 5E842AEEEDB8F6EA8857E6D1FB72E76E \
--tls --data "Subject: Hello\n\nThis is the email body."
# 3) Same login, sender written with the mail.14.nasa host name.
swaks --from TA@mail.14.nasa --to ymlai@14.nasa --server mail.14.nasa \
--auth LOGIN --auth-user TA --auth-password 5E842AEEEDB8F6EA8857E6D1FB72E76E \
--tls --data "Subject: Hello\n\nThis is the email body."
# 4) Spam sample from spam.txt to cool-TA: should trip header_checks / the
#    **SPAM** subject tagging.
swaks --from TA@mail.14.nasa --to cool-TA@14.nasa --server mail.14.nasa \
--auth LOGIN --auth-user TA --auth-password 5E842AEEEDB8F6EA8857E6D1FB72E76E \
--tls --data @spam.txt
# 5) ymlai -> TA with a prepared test.eml.
# NOTE(review): --auth-password on the command line ends up in shell history
# and is visible to other local users via ps; swaks prompts for the value when
# the option is given without one (check the man page), which keeps it off
# argv. "0000" is also a weak credential even for a test account.
swaks --from ymlai@mail.14.nasa --to TA@14.nasa --server mail.14.nasa --auth LOGIN --auth-user ymlai --auth-password 0000 --tls --data @test.eml
# Score a message directly against rspamd, bypassing Postfix.
rspamc < testmail.eml
