Difference between revisions of "OPS345 Lab 7"

From CDOT Wiki
Jump to: navigation, search
(Replaced content with "[http://wiki.littlesvr.ca/wiki/OPS345_Lab_7 This page has moved.]")
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
* webmail
+
[http://wiki.littlesvr.ca/wiki/OPS345_Lab_7 This page has moved.]
 
 
* set up thunderbird for myseneca
 
* can't use the same keys generated in www lab, they're for the wrong FQDN
 
<source>
 
andrew@p51:~/prog/seneca/ops345/new$ sudo su -
 
root@p51:~# certonly --manual --preferred-challenges dns
 
certonly: command not found
 
root@p51:~# certbot certonly --manual --preferred-challenges dns
 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
 
Plugins selected: Authenticator manual, Installer None
 
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
 
to cancel): email.asmith15.ops345.ca
 
Obtaining a new certificate
 
Performing the following challenges:
 
dns-01 challenge for email.asmith15.ops345.ca
 
 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
NOTE: The IP of this machine will be publicly logged as having requested this
 
certificate. If you're running certbot in manual mode on a machine that is not
 
your server, please ensure you're okay with that.
 
 
 
Are you OK with your IP being logged?
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
(Y)es/(N)o: y
 
 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
Please deploy a DNS TXT record under the name
 
_acme-challenge.email.asmith15.ops345.ca with the following value:
 
 
 
PdK1vlZnYMdBO7untofSCkfXH2ejk3EE019R7A90x7Q
 
 
 
Before continuing, verify the record is deployed.
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
Press Enter to Continue
 
Waiting for verification...
 
Cleaning up challenges
 
 
 
IMPORTANT NOTES:
 
- Congratulations! Your certificate and chain have been saved at:
 
  /etc/letsencrypt/live/email.asmith15.ops345.ca/fullchain.pem
 
  Your key file has been saved at:
 
  /etc/letsencrypt/live/email.asmith15.ops345.ca/privkey.pem
 
  Your cert will expire on 2022-02-28. To obtain a new or tweaked
 
  version of this certificate in the future, simply run certbot
 
  again. To non-interactively renew *all* of your certificates, run
 
  "certbot renew"
 
- If you like Certbot, please consider supporting our work by:
 
 
 
  Donating to ISRG / Let's Encrypt:  https://letsencrypt.org/donate
 
  Donating to EFF:                    https://eff.org/donate-le
 
 
 
root@p51:~# cp /etc/letsencrypt/live/email.asmith15.ops345.ca/cert.pem ~andrew/prog/seneca/ops345/new/keys/email.asmith15.ops345.ca.cert.pem
 
root@p51:~# cp /etc/letsencrypt/live/email.asmith15.ops345.ca/privkey.pem ~andrew/prog/seneca/ops345/new/keys/email.asmith15.ops345.ca.key.pem
 
root@p51:~# chown andrew ~andrew/prog/seneca/ops345/new/keys/email.asmith15.ops345.ca.*
 
</source>
 
* Put keys on the email server:
 
<source>
 
scp -P 2212 -i keys/ssh/ops345-all-aws-machines.pem keys/email.asmith15.ops345.ca.* andrew@34.202.103.43:~
 
[root@email andrew]# cp email.asmith15.ops345.ca.cert.pem /etc/pki/tls/certs/
 
[root@email andrew]# cp email.asmith15.ops345.ca.key.pem /etc/pki/tls/private/
 
</source>
 
* configure postfix to enable encrypted connections from client software. add this to the bottom of main.cf:
 
<source># Settings to enable secure SMTP using my self-signed certificate:
 
smtpd_tls_auth_only = no
 
smtpd_use_tls = yes
 
smtp_use_tls = yes
 
smtpd_tls_key_file = /etc/pki/tls/private/email.asmith15.ops345.ca.key.pem
 
smtpd_tls_cert_file = /etc/pki/tls/certs/email.asmith15.ops345.ca.cert.pem
 
tls_random_source = dev:/dev/urandom
 
smtpd_tls_loglevel = 1
 
</source>
 
* test with telnet/EHLO: should say 250-STARTTLS
 
* complete test will be done with thunderbird later
 
* dovecot installed in previous lab, it needs very little configuration for our simple setup
 
* /etc/dovecot/dovecot.conf:
 
* Modify the protocols option so that Dovecot will work with IMAP connections, no POP3 or LMTP.
 
* 10-ssl.conf:
 
<source>ssl_cert = </etc/pki/tls/certs/email.asmith15.ops345.ca.cert.pem
 
ssl_key = </etc/pki/tls/private/email.asmith15.ops345.ca.key.pem</source>
 
* ss should show port 993, no 995 or 110
 
* there's no iptables running on email, so just open port 993 in ops345sgemail
 
* configure thunderbird:
 
** IMAP: email.asmith15.ops345.ca, SSL 993, normal password, username without @domain
 
** SMTP: email.asmith15.ops345.ca, STARTTLS 25, normal password, username without @domain
 
* tail -f /var/log/maillog and send a message from thunderbird
 
* The message is not sent, because postfix is not configured to authenticate users. encryption alone is not enough.
 
* https://www.xmodulo.com/enable-user-authentication-postfix-smtp-server-sasl.html
 
** except the SSL/TLS parameters part.
 
* Send email again. Note the messages about connection timed out. We can't do anything about that in AWS Academy:
 
** https://aws.amazon.com/premiumsupport/knowledge-center/ec2-port-25-throttle/
 
* There's more to do anyway to set up a real sending server, as a minimum DKIM/SPF but reverse DNS for the domain also helps.
 
* https://aws.amazon.com/premiumsupport/knowledge-center/route-53-reverse-dns/
 
* http://littlesvr.ca/grumble/2014/01/26/setting-up-sendmail-on-a-dynamic-ip-part2-spf/
 

Latest revision as of 02:41, 28 February 2022