*Modify your firewall to allow NFS connections{{Admon/important|Prerequistites|This lab depends on changes made in several previous labs. NFS uses port 2049.*Start your NFS server with the command service nfs start===PART B: Setting up your NIS Server===*Install the NIS server You must have successfully completed labs 3, 4a, 4b, and client onto your f13 host PC yum install ypserv ypbind*Add the following line 5 in order to the bottom of the file /etc/sysconfig/network NISDOMAIN="foo.bar" YPSERV_ARGS="-p 783"*Edit the file /etc/yp.conf and set up your domain: domain foo.bar server 127.0.0be able to do this lab.1*Edit the file /etc/nsswitch.conf and add "nis" to three lines: passwd: files nis shadow: files nis group: files nis}}

*Create Below is the file /var/yp/securenetssame diagram that we referred to over the previous 2 email labs: host 127.0.0.1 255.255.255.0 192.168.122.0

*Enable and start the NIS password (yppasswdd) service.*Enable and start the NIS (ypserv) service.*Enable and start the NIS map transfer (ypxfrd) service.*Verify that your servers are running correctly with the following command[[Image: rpcinfo Email-p*Now change to directory /var/yp and run this command makeEnable and start the NIS binding (ypbind) service.Use the following command to verify your NIS server is working - you should see joker's password recordservers.ypcat passwdpng]]

Add a new user named clown, with password "seneca99"Note the two globes in the above diagram.Repeat step 12Those globes represent the Internet that your emails travel through in order to be received by an e-mail recipient. If you donThe 't see both joker's and clown's password records then cd to /var/yp and run smaller globe (the "make" command again.Now modify one your firewall so that the guest VM (client vm01workstation is connected to) will cannot be able trusted to access your NIS serversend mail messages unencrypted'''. YouThe '''larger globe usually involves inter-ISP traffic, often through an internet trunk line, so it is also unencrypted, but it cannot be easily accessed by hackers, pen-testers, or evildoers'''ll have to open port 111 as well as port 783 (see step 2 above).PART C: Setting up your VM to be an NFS clientLogin to your VM guest (vm01) and enable and start your ssh server with these commands

Use iptables to allow ssh connections to your VM guest machine.If you still have autofs installed :* '''Email (from last week) then uninstall the way the vast majority of people use it (yum remove autofs).Reboot your VM guest machine, login and use ifconfig travels from SMTP server to determine its IP addressSMTP server uncencrypted'''. Log out of your VM guest.From your Fedora host, ssh (as root) into your VM guest.Edit your guest's /etc/fstab file and insert this line

192:: That means that nothing sent over email is <u>truly</u> secure.168But attempting to continually intercept SMTP server to SMTP server traffic is difficult and expensive, not worth doing for the little bit of money most of us have in our bank account.122.1:/home /home nfs defaults 0 0

Use the "mount -a" command to mount the /home directory.Check that /home is mounted by running and recording the output of the "df -Th" command.Install ypbind.Logout of your VM guest.PART D: Setting up your VM to be an NIS clientOpen your VM guest graphical login window and login as joker.Verify that joker is using the /home directory imported from your Fedora host.Now modify your authentication to include NIS. You can do this by selecting System->Administration->Authentication from the GNOME menu. You* '''ll have to set the following:NIS server address Email travelling over a LAN (192.168.122.1especially Wifi, but any local network)NIS domain name (foois always encrypted'''.bar)

Now :: If e-mail traffic on a LAN was not encrypted, it would be easy and inexpensive to intercept (in order to obtain your username and password). These days, unencrypted connections from your client to your SMTP/IMAP/POP3 server very rarely exist. You see in our diagram that one of the SMTP connections is supposed to be encrypted (this is the one that would be "LAN" traffic) and the IMAP connection as well (this one is either LAN-like traffic or is connecting to localhost, which is a different scenario altogether). We're going to secure the two connections that we left to be in plain text previously. Unfortunately encrypting things is rarely a straighforward process. Fortunately we have a whole week to spend on it. === Online Resources===* [https://en.wikipedia.org/wiki/Transport_Layer_Security TSL, SSL Definition]* [https://www.e-rave.nl/create-a-self-signed-ssl-key-for-postfix Create a self signed SSL key for Postfix]* [http://wiki2.dovecot.org/SSL/DovecotConfiguration Dovecot SSL configuration]  == INVESTIGATION 1: GENERATING A SELF-SIGNED CERTIFICATE == According to Wikipedia (https://en.wikipedia.org/wiki/Transport_Layer_Security), '''Transport Layer Security''' (TLS) and its predecessor, '''Secure Sockets Layer''' (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols designed to provide communications security over a computer network. Normally (in production), you would need to pay a "certificate authority" to issue a '''certificate''' for you. That is essentially '''a "signed" public key''' that will tell strangers on the internet that your server is really yours (i.e. the certificate authority says so). There is an obvious problem with the previous statement but that is mainly how public key encryption works on the Internet today. We will be generating our own public keys, mainly in order to avoid paying for a certificate. We will not have enough time to get into the details of what all the following commands do in this section. They are from [https://www.e-rave.nl/create-a-self-signed-ssl-key-for-postfix this blog post]. If you don't understand what the blog post refers to but would like to understand in more details, a good recommended book for interest, called Crypto by Steven Levy, provides a more in-depth discussion of encryption and security. The public key cryptography concepts in this lab are the same in a previous lab ([http://zenit.senecac.on.ca/wiki/index.php/OPS335_Lab_1#SSH_Keys Lab1: SSH]), although the terminology is slightly different. A simple way to summarize the differences is::* The '''.key''' file is your private key.:* The '''.crt''' file is your public key.  === Encrypting Postfix with Transport Layer Security (TLS) === '''Perform the following steps:''' #Let's start with the ypbind "sending" SMTP server we have on VM2. Run the following, replacing <u>andrewsmith.org</u> with the command '''<u>your</u> domain name''': <source lang="service ypbind startbash">mkdir -p /root/postfix-keys /etc/ssl/{private,certs}cd /root/postfix-keysopenssl genrsa -des3 -out vm2.andrewsmith.org.key 2048chmod 600 vm2.andrewsmith.org.keyopenssl req -new -key vm2.andrewsmith.org.key -out vm2.andrewsmith.org.csropenssl x509 -req -days 365 -in vm2.andrewsmith.org.csr -signkey vm2.andrewsmith.org.key -out vm2.andrewsmith.org.crtopenssl rsa -in vm2.andrewsmith.org.key -out vm2.andrewsmith.org.key.nopassTest mv vm2.andrewsmith.org.key.nopass vm2.andrewsmith.org.keyopenssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650chmod 600 vm2.andrewsmith.org.key cakey.pemcp vm2.andrewsmith.org.key cakey.pem /etc/ssl/privatecp vm2.andrewsmith.org.crt cacert.pem /etc/ssl/certs</source> ::'''NOTE:''' Those commands will create a certificate, a certificate signing request, a certificate authority, and sign your configuration certificate with your certificate authority.<br>This would be the same as in the real world except there you would contact a real CA, here you're making up your own. <ol><li value="ypcat passwd2" command>Now, configure Postfix to use the generated certificate, by adding the following to your '''main. You should see both jokercf'''s file:</li></ol> <pre># Settings to enable secure SMTP using my self-signed certificate:smtpd_tls_auth_only = nosmtpd_use_tls = yessmtp_use_tls = yessmtpd_tls_key_file = /etc/ssl/private/vm2.andrewsmith.org.keysmtpd_tls_cert_file = /etc/ssl/certs/vm2.andrewsmith.org.crtsmtpd_tls_CAfile = /etc/ssl/certs/cacert.pemtls_random_source = dev:/dev/urandomsmtpd_tls_loglevel = 1</pre> === Setting Up and clownTesting Encryption with Thunderbird === 's password records. NOTE''Perform the following steps: Clown's record is coming from '' #Currently your Fedora host because there Thunderbird is set up to use '''vm2.yoursenecaid.org''' for an SMTP server, with <u>no clown </u> security. Change that to use '''STARTTLS''' instead (you can change it under '''account settings --> Outgoing Server''').# We haven't set up any user on your VM guestauthentication, just an encrypted channel;therefore, leave the '''authentication method''' at the value: '''none'''.Logout of joker and login as clown on #When you try to send an email Thunderbird will warn you about the self-signed certificate. You obviously know it's your VMcertificate so you can tell Thunderbird to trust it:  [[Image:SMTP-certificate-warning. png]]  ::'''NOTE: You ''' Your message may have to login as look slightly different (This author, that created the diagram above, made a little mistake when generating the certificate). <ol><li value="other4" >After you confirm that security exception, send another email to yourself and make sure you receive it.</li><li> Notice that from the user's point of view nothing is different. But if clownyou were an evildoer trying to steal an identity (the difference is huge). Before it was trivial and now it's name does not show up on the login screencomputationally prohibitive.</li></ol> ==Completing the Lab= Encryption Dovecot with Secure Socket layer (SSL) ===Answer Now we will ensure that our '''Dovecot''' connection is secure, and enforce that policy. With SMTP, you will need to allow plain text connections since that is the only method to pass email from server-to-server. With IMAP, there is no server-to-server interaction, but rather only client-to-server interaction. The reason to have an unencrypted IMAP connection would be if your '''IMAP server''' and '''IMAP client''' were the <u>same</u> machine. '''Perform the following questions.steps:''' #What is Let's start by generating a new certificate for Dovecot on your full name and 9vm3 machine by issuing the following commands:<source lang="bash">mkdir /etc/ssl/{private,certs}openssl genrsa -des3 -out vm3.andrewsmith.org.key 2048chmod 600 vm3.andrewsmith.org.keyopenssl req -new -key vm3.andrewsmith.org.key -out vm3.andrewsmith.org.csropenssl x509 -req -days 365 -in vm3.andrewsmith.org.csr -signkey vm3.andrewsmith.org.key -out vm3.andrewsmith.org.crtopenssl rsa -in vm3.andrewsmith.org.key -out vm3.andrewsmith.org.key.nopassmv vm3.andrewsmith.org.key.nopass vm3.andrewsmith.org.keyopenssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -digit Seneca student ID?days 3650chmod 600 vm3.andrewsmith.org.key cakey.pemcp vm3.andrewsmith.org.key cakey.pem /etc/ssl/privatecp vm3.andrewsmith.org.crt cacert.pem /etc/ssl/certs</source> #What ::'''NOTE:''' This process is identical to what you've done for the vm2 certificate. In fact if your IMAP and SMTP servers are on the same machine you can share the certificate between them. In our case, they are not on the function same machine. <ol><li value="2">Next, we need to configure Dovecot to use this for encrypted connections and not allow any kind of plain text connections. Edit the '''10-auth.conf''', <u>and</u> '''10-ssl.conf''' files and change the following settings (note: these parameters already exist in those files, just find them and set them to the correct value):</etcli></ol> <source lang="bash">ssl = requiredssl_cert = <path_to_your_crt_filessl_key = <path_to_your_key_filedisable_plaintext_auth = yes</nsswitchsource>  <ol><li value="3">Now, we will disable normal imap connections, leaving only imaps (secured imap) allowed. Edit the '''10-master.conf ''' file and set the port number in '''inet_listener imap''' to '''0'''.</li><li>Your key/certificate doesn't have a '''.pem''' extension but they are PEM-encoded files. You can confirm that using the '''file?''' command. If you're interested, learning more about configuring Dovecot for SSL, refer to the following documentation: [http://wiki2.dovecot.org/SSL/DovecotConfiguration Dovecot SSL configuration].</li></ol> === Verifying that Mail Messages are Encrypted=== '''Perform the following steps:''' #Use the '''ss''' command to confirm you're only listening on the '''imaps''' port, and not the plain imap port.#What is Next, reconfigure your account settings in Thunderbird to use the purpose of '''SSL/TLS''' connection security with your IMAP server, leaving the "password as '''Normal Password'''. ::'''NOTE:''' When you send your test email, you will get another warning because you're using a self-p" option signed certificate on '''vm3'''. Make certain to authorize the rpcinfo command?exception. #Explain'''Record steps, commands, and your observations on this investigation in your own wordsOPS335 lab log-book''' == INVESTIGATION 2: INSTALL, CONFIGURE &amp; RUN WEBMAIL APPLICATION (Roundcube Mail) =={|cellpadding="15" width="40%" align="right" |- valign="top" |width="10%" | [[Image:Roundcube.png|thumb|right|200px|'''Roundcube''' webmail application Logo<br>GPL,<br> https://commons.wikimedia.org/w/index.php?curid=1772791]] |width="10%" |[[Image:roundcube-pic.png|thumb|right|300px|Screencapture of '''roundcube''' webmail application running in order to send and receive mail messages via a web-browser.]]  |} In the investigation, we will simply install, what configure and run the '''roundcube''' webmail application. '''Perform the following steps on vm1:''' *Perform a search on the roundcube application in order to access the website.*Either Download the "makezipped tarball" from their website from a direct link or use the wget command did in PART B step 10to download directly from a download link (This part may take some effort depending on the Sourceforge website).*Extract the "zipped tarball" and rename the generated directory that contains download source code to: '''webmail'''.::* Use the '''--no-same-owner''' option when extracting the tar achive to ensure that the files do not keep the original owner (who will not exist on your system).#Explain *Change the syntax/meaning ownership of the two records '''temp''' and '''logs''' directories so they belong to apache.*This service needs to be able to write to several directories ('''temp''' and '''logs''') that SELinux prevents write access to. If you are in a section that has SELinux set to '''enforcing''', run the following commands to let it know that apache should be allowed to write to files in those directories.<source lang="bash">semanage fcontext -a -t httpd_log_t '/var/ypwww/html/webmail/temp(/securenets file.*)?'semanage fcontext -a -t httpd_log_t '/var/www/html/webmail/logs(/.*)?'restorecon -v -R /var/www/html/webmail</source>::*If your machine does not have the semage command, use yum to install the policycoreutils-python package.#What was *In the directory now named "webmail", there will be a file named '''INSTALL''' which will walk you through the output rest of the Roundcube installation.<br /><br />Some installation tips to consider: ::* Be careful about copying &amp; pasting the MySQL setup part: take time and pay attention to detail: do not try to "ypcat passwdrush it" .::* You will need to install additional Apache modules including: '''php-xml''' and '''php-mbstring'''.::* Don't forget to set the password in the roundcube configuration. *Note that both of your IMAP and SMTP servers are on different machines (i.e. not on vm1). Therefore, you will need to set the following options for Roundcube: ::* '''$config['smtp_server']'''::* '''$config['default_host']'''::* '''$config['default_port']''' :::'''NOTE:''' The last <u>two</u> entries above refer to your IMAP server *You should be able to test the configuration in your Roundcube installer after completing Step 3.</li><li>Try to test if the roundcube webmail application is working by sending and receiving e-mail messages.* {{Admon/important |Backup your VMs!|You MUST perform a '''full backup''' of ALL of your VMs whenever you complete your '''OPS335 labs''' or when working on your '''OPS335 assignments'''. You should be using the dump command from PART D, step 5?and you should use the Bash shell script that you were adviced to create in order to backup all of your VMs.}} #Explain'''Record steps, commands, and your observations on this investigation in your own wordsOPS335 lab log-book''' ==COMPLETING THE LAB==In completing this lab you have gained experience... '''Depending on your professor you will either be asked to submit the lab in class, or online. Follow the function appropriate set of instructions below.''' ===Online Submission (Peter Callaghan's Classes only)===Follow the portmapper service as seen in instructions for lab 8 on moodle. ===In Class Submission==='''Arrange evidence (command output) for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:''' ::<span style="rpcinfo color:green;font-psize:1.5em;">&#x2713;</span>Thunderbird with a message sent and received using encrypted channels.::<span style="color:green;font-size:1.5em;" command>&#x2713;</span>New Thunderbird server configuration for your account. Hint::<span style="color:green;font-size: Use Wikipedia1.5em;">&#x2713;</span>Logs on vm2 and vm3 showing the message has been sent and received.::<span style="color:green;font-size:1.5em;">&#What did x2713;</span>Your webmail showing your final firewall inbox::<span style="color:green;font-size:1.5em;">&#x2713;</span>Your webmail sending an email out::<span style="color:green;font-size:1.5em;">&#x2713;</span>You receiving that mail on an exernal account::<span style="color:green;font-size:1.5em;">&#x2713;</span>Download the labcheck8.bash checking bash shell script by issuing the command:<br><br>'''wget http://matrix.senecac.on.ca/~peter.callaghan/files/OPS335/labcheck8.bash'''<br><br>set execute permission and run the host look likeshell script on your '''c7host''' machine. ::*For '''Peter's classes''', follow his Online Submission instructions in Moodle.::*For '''Murray's classes''', run command (piping to the '''more''' command) and show output to instructor.::<span style="color:green;font-size:1. Use iptables5em;">&#x2713;</span>Completed Lab8 log-savebook notes.  ==EXPLORATION QUESTIONS== #Briefly define the term '''TSL'''.#Briefly define the term '''SSL'''.#List the steps to setup Encryption for Postfix with TLS.#List the steps to setup Encryption for Dovecot with SSL.#List the steps to setup Encryption for the Thunderbird application.#Provide a brief description of the following terms as they relate to mail servers:#*'''Open Relay'''#*'''SPF'''#*'''DKIM'''# How does a webmail application differ from using another MUA like Thunderbird?# List the additional Apache modules that are required in order to run the Roundcube web application?