Difference between revisions of "OPS335 NIS Lab"

From CDOT Wiki
Jump to: navigation, search
(Part D: Adding autofs maps:)
 
(53 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 
[[Category:OPS335]][[Category:OPS335 Labs]]
 
[[Category:OPS335]][[Category:OPS335 Labs]]
==NIS (Network Information Services)==
 
* NIS server is used to synchronize system files between machines in an NIS domain.
 
* The Network Information Service (NIS) is a system that provides
 
network information (login names, passwords, home directories, group
 
information) to all of the machines on a network. NIS can allow users
 
to log in on any machine on the network, as long as the machine has
 
the NIS client programs running and the user's password is recorded in
 
the NIS passwd database. NIS was formerly known as Sun Yellow Pages
 
(YP).
 
* In this lab you will set up your Fedora PC as both an NFS and NIS server. You will then use your VM's to serve as your NFS and NIS clients.
 
{{Admon/important|Prerequisites|Before you begin make sure your Fedora 16 host and virtual machines are up to date (yum update).
 
Ensure both host and VM's have firewalls set up according to prior labs and all labs have been completed.
 
Ensure that your NFS server is running on the host and exporting the '/home' directory. }}
 
  
===PART A: Setting up your NIS Server===
+
==OBJECTIVE & PREPARATION==
*Install the NIS server and client onto your f16 host PC
 
  yum install ypserv ypbind
 
*Add the following line to the bottom of the file /etc/sysconfig/network
 
  NISDOMAIN="<learn-id>.org"
 
  YPSERV_ARGS="-p 783"
 
*Edit the file /etc/yp.conf and set up your domain:
 
  domain <learn-id>.org server 127.0.0.1
 
*Edit the file /etc/nsswitch.conf and add "nis" to three lines:
 
  passwd:    files nis
 
  shadow:    files nis
 
  group:      files nis
 
  
*Create the file /var/yp/securenets:
+
{{Admon/important|Prerequistites|This lab depends on changes made in several previous labs.  You must have successfully completed labs 3, 4a, 4b, and 5 in order to be able to do this lab.}}
  host 127.0.0.1
 
  255.255.255.0  192.168.x.0
 
*Enable and start the NIS (ypserv) service.
 
systemctl start ypserv.service
 
systemctl enable ypserv.service
 
*Enable and start the NIS map transfer (ypxfrd) service.
 
systemctl start ypxfrd.service
 
systemctl enable ypxfrd.service
 
*Backup the configuration file for NIS databases
 
  cp /var/yp/Makefile /var/yp/Makefile.org
 
*Modify the following two lines in /var/yp/Makefile from
 
  MINUID=500
 
  MINGID=500
 
to
 
  MINUID=1000
 
  MINGID=1000
 
* Verify that your servers (NFS, ypserv) are running correctly with the following command:
 
  rpcinfo -p
 
*Now change to directory /var/yp and run this command
 
  make
 
*Enable and start the NIS binding (ypbind) service.
 
  systemctl start ypbind.service
 
*You may need to enable another boolean relating to NIS.
 
getsebool -a | grep yp
 
*Use the following command to verify your NIS server is working - you should see your learnid password record.
 
  ypcat passwd
 
*Add a new user named nis-user, with password "ops335".
 
*Run 'ypcat passwd' again.
 
*In order for the new user to show up you will need to recreate the map files- change directory to /var/yp and run the "make" command again.
 
*Now modify your firewall so that the VM's (client vm03 initially) will be able to access your NIS server. You will need to adjust your firewall - use netstat to determine what ports will be needed.
 
  
===PART B: Adding VM03 to your NIS domain===
+
Below is the same diagram that we referred to over the previous 2 email labs:
*Ensure you are still mounting your home directory from the host machine using autofs. If not revisit last weeks lab.
 
*SSH to vm03 using two terminals, following your logs with one using
 
tail -f /var/log/messages
 
*Use the other to edit /etc/yp.conf adding the following line:
 
domain <learnid>.org server 192.168.x.1
 
*Add the following line to the bottom of the file /etc/sysconfig/network
 
  NISDOMAIN="<learn-id>.org"
 
*Install and start the ypbind server with the command.
 
systemctl start ypbind.service
 
*Looking at your logs ensure that ypbind is registered with rpcbind, if it is unable your firewall may need to be adjusted.
 
*Now when you run the following command:
 
ypcat passwd
 
*You should be able to see the 'nis-user' entry added to the host machine.
 
  
===Part C: Adding the other VM's===
+
[[Image:Email-servers.png]]
*Many of you had an issue last week when using NFS as you had differing GID & UID's between systems - when attempting to mount the home directory from the host you received various permission issues. We will intentionally create this issue on vm02 and then correct it with NIS.
 
*SSH to the root account on vm02 and run the following command
 
cat /etc/passwd | grep home
 
*Look at the existing users and compare them with the same users on the host machine. Find one whose credentials differ.
 
*For example on vm02:
 
[root@<b>vm02</b> ~]# cat /etc/passwd | grep home
 
nis-user:x:1000:1000::/home/nis-user:/bin/bash
 
paul:x:1001:1001::/home/paul:/bin/bash
 
*And on the host:
 
[root@f16 yp]# cat /etc/passwd | grep home
 
paul:x:1000:1000:paul:/home/paul:/bin/bash
 
nis-user:x:1001:1001::/home/nis-user:/bin/bash
 
*While the two hosts share the same users, their UID and GID are different. This will cause a problem when mounting the home directory using NFS.
 
*Add an entry to your fstab so that you are mounting the home directories from the host machine, then mount and switch to your learnid (or other account where UID/GID differs between systems)
 
su <learnid>
 
cd ~
 
*You should recieve a permission denied error as the UID on the local system differs from the UID of the file owner on the remote server. Change back to your root account.
 
*Install ypbind, configure it to use your domain and NIS server and start the service.
 
*Edit the /etc/nsswitch file change the following lines as they appear below:
 
passwd:    nis files
 
shadow:    nis files
 
group:      nis files
 
initgroups: files
 
*Save and exit the file. Again try to change to your learnid account (or other account where UID/GID differs between systems).
 
*You should now be successful, cd to your home directory and do a listing. Below is some example output:
 
[paul@vm02 ~]$ ll
 
total 384
 
-rw-rw-r--. 1 nis-user nis-user      0 Mar 11 19:13 another_empty_file_from_vm03
 
drwxr-xr-x. 2 nis-user nis-user  4096 Mar 14 09:09 Desktop
 
drwxr-xr-x. 2 nis-user nis-user  4096 Feb 17 05:24 Documents
 
drwxr-xr-x. 2 nis-user nis-user  4096 Feb 17 05:45 Downloads
 
drwxr-xr-x. 2 nis-user nis-user  4096 Jan  4 10:12 Music
 
drwxr-xr-x. 2 nis-user nis-user  4096 Jan  4 10:12 Pictures
 
drwxr-xr-x. 2 nis-user nis-user  4096 Jan  4 10:12 Public
 
drwxr-xr-x. 2 nis-user nis-user  4096 Jan  4 10:12 Templates
 
drwxr-xr-x. 2 nis-user nis-user  4096 Jan  4 10:12 Videos
 
*Create an empty file and do a listing again
 
[paul@vm02 ~]$ touch empty_from_vm02
 
[paul@vm02 ~]$ ll
 
-rw-rw-r--. 1 nis-user nis-user      0 Mar 18 14:58 empty_from_vm02
 
*And finally
 
pwd
 
*Notice you are in your home directory, however files show they are owned by a different user, even when you create a new one.
 
*Ensure ypbind will start at boot and restart the vm.
 
*Again SSH to the machine, this time using your learnid account. You should now be able to see the files in your home directory with the correct mapping.
 
*Edit the fstab and remove the entry for NFS.
 
  
===Part D: Adding autofs maps:===
+
Note the two globes in the above diagram. Those globes represent the Internet that your emails travel through in order to be received by an e-mail recipient. The '''smaller globe (the one your workstation is connected to) cannot be trusted to send mail messages unencrypted'''. The '''larger globe usually involves inter-ISP traffic, often through an internet trunk line, so it is also unencrypted, but it cannot be easily accessed by hackers, pen-testers, or evildoers'''.
*Stop ypbind on the f16 host machine.
 
*Copy the autofs files from vm03 to your host machine
 
scp /etc/auto.{home,master} root@f16:/etc/
 
  
*Edit /etc/auto.master on the host and remove the 'etc' prefix from auto.home's path:
+
There are '''two important general truths you need to understand about email encryption''':
/home  auto.home  --timeout=60
 
*Regenerate your NIS maps and run:
 
ypcat auto.home
 
*You should receive the following:
 
No such map auto.home. Reason: No such map in server's domain
 
*You will need to look into the Makefile to determine how to add auto.home and auto.master to the list of files shared by NIS.
 
*After making changes to your Makefile, regenerate your maps again and run the same command as above. You should now see the file and its contents when you run ypcat auto.home.
 
[root@f16 yp]# ypcat auto.home
 
-fstype=nfs,rw,nosuid,soft      192.168.70.1:/home/&
 
*SSH to vm02 and edit the /etc/nsswitch.conf file and make changes so autofs consults NIS. Reboot the machine.
 
*When the VM comes back up, SSH and ensure auto mounting of home occurred.
 
*When you have successfully made this change on vm02, repeat the steps needed for vm01.
 
  
==Completing the Lab==
+
:* '''Email (the way the vast majority of people use it) travels from SMTP server to SMTP server uncencrypted'''.
Answer the following questions in your log book.
+
 
#What is the function of the /etc/nsswitch.conf file?
+
:: That means that nothing sent over email is <u>truly</u> secure. But attempting to continually intercept SMTP server to SMTP server traffic is difficult and expensive, not worth doing for the little bit of money most of us have in our bank account.
#What is the purpose of the rpcinfo command?
+
 
#Explain the purpose of the make command in the lab - what does it do?
+
:* '''Email travelling over a LAN (especially Wifi, but any local network) is always encrypted'''.
#Explain the purpose of the /var/yp/securenets file.
+
 
#What is the function of the portmapper service?
+
:: If e-mail traffic on a LAN was not encrypted, it would be easy and inexpensive to intercept (in order to obtain your username and password). These days, unencrypted connections from your client to your SMTP/IMAP/POP3 server very rarely exist.
#What ports did you need to open on your firewall?
+
 
#What changes did you need to make to SE Linux?
+
You see in our diagram that one of the SMTP connections is supposed to be encrypted (this is the one that would be "LAN" traffic) and the IMAP connection as well (this one is either LAN-like traffic or is connecting to localhost, which is a different scenario altogether).
 +
 
 +
We're going to secure the two connections that we left to be in plain text previously. Unfortunately encrypting things is rarely a straighforward process. Fortunately we have a whole week to spend on it.
 +
 
 +
=== Online Resources===
 +
* [https://en.wikipedia.org/wiki/Transport_Layer_Security TSL, SSL Definition]
 +
* [https://www.e-rave.nl/create-a-self-signed-ssl-key-for-postfix Create a self signed SSL key for Postfix]
 +
* [http://wiki2.dovecot.org/SSL/DovecotConfiguration Dovecot SSL configuration]
 +
 
 +
 
 +
== INVESTIGATION 1: GENERATING A SELF-SIGNED CERTIFICATE ==
 +
 
 +
According to Wikipedia (https://en.wikipedia.org/wiki/Transport_Layer_Security), '''Transport Layer Security''' (TLS) and its predecessor, '''Secure Sockets Layer''' (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols designed to provide communications security over a computer network.
 +
 
 +
Normally (in production), you would need to pay a "certificate authority" to issue a '''certificate''' for you. That is essentially '''a "signed" public key''' that will tell strangers on the internet that your server is really yours (i.e. the certificate authority says so). There is an obvious problem with the previous statement but that is mainly how public key encryption works on the Internet today.
 +
 
 +
We will be generating our own public keys, mainly in order to avoid paying for a certificate. We will not have enough time to get into the details of what all the following commands do in this section. They are from [https://www.e-rave.nl/create-a-self-signed-ssl-key-for-postfix this blog post]. If you don't understand what the blog post refers to but would like to understand in more details, a good recommended book for interest, called Crypto by Steven Levy, provides a more in-depth discussion of encryption and security.
 +
 
 +
The public key cryptography concepts in this lab are the same in a previous lab ([http://zenit.senecac.on.ca/wiki/index.php/OPS335_Lab_1#SSH_Keys Lab1: SSH]), although the terminology is slightly different.
 +
 
 +
A simple way to summarize the differences is:
 +
:* The '''.key''' file is your private key.
 +
:* The '''.crt''' file is your public key.
 +
 
 +
 
 +
=== Encrypting Postfix with Transport Layer Security (TLS) ===
 +
 
 +
'''Perform the following steps:'''
 +
 
 +
#Let's start with the "sending" SMTP server we have on VM2. Run the following, replacing <u>andrewsmith.org</u> with '''<u>your</u> domain name''':
 +
 
 +
<source lang="bash">mkdir -p /root/postfix-keys /etc/ssl/{private,certs}
 +
cd /root/postfix-keys
 +
openssl genrsa -des3 -out vm2.andrewsmith.org.key 2048
 +
chmod 600 vm2.andrewsmith.org.key
 +
openssl req -new -key vm2.andrewsmith.org.key -out vm2.andrewsmith.org.csr
 +
openssl x509 -req -days 365 -in vm2.andrewsmith.org.csr -signkey vm2.andrewsmith.org.key -out vm2.andrewsmith.org.crt
 +
openssl rsa -in vm2.andrewsmith.org.key -out vm2.andrewsmith.org.key.nopass
 +
mv vm2.andrewsmith.org.key.nopass vm2.andrewsmith.org.key
 +
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
 +
chmod 600 vm2.andrewsmith.org.key cakey.pem
 +
cp vm2.andrewsmith.org.key cakey.pem /etc/ssl/private
 +
cp vm2.andrewsmith.org.crt cacert.pem /etc/ssl/certs</source>
 +
 
 +
::'''NOTE:''' Those commands will create a certificate, a certificate signing request, a certificate authority, and sign your certificate with your certificate authority.<br>This would be the same as in the real world except there you would contact a real CA, here you're making up your own.
 +
 
 +
<ol><li value="2">Now, configure Postfix to use the generated certificate, by adding the following to your '''main.cf''' file:</li></ol>
 +
 
 +
<pre># Settings to enable secure SMTP using my self-signed certificate:
 +
smtpd_tls_auth_only = no
 +
smtpd_use_tls = yes
 +
smtp_use_tls = yes
 +
smtpd_tls_key_file = /etc/ssl/private/vm2.andrewsmith.org.key
 +
smtpd_tls_cert_file = /etc/ssl/certs/vm2.andrewsmith.org.crt
 +
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
 +
tls_random_source = dev:/dev/urandom
 +
smtpd_tls_loglevel = 1</pre>
 +
 
 +
=== Setting Up and Testing Encryption with Thunderbird ===
 +
 
 +
'''Perform the following steps:'''
 +
 
 +
#Currently your Thunderbird is set up to use '''vm2.yoursenecaid.org''' for an SMTP server, with <u>no</u> security. Change that to use '''STARTTLS''' instead (you can change it under '''account settings --> Outgoing Server''').
 +
# We haven't set up any user authentication, just an encrypted channel;therefore, leave the '''authentication method''' at the value: '''none'''.
 +
#When you try to send an email Thunderbird will warn you about the self-signed certificate. You obviously know it's your certificate so you can tell Thunderbird to trust it:
 +
 
 +
 
 +
[[Image:SMTP-certificate-warning.png]]
 +
 
 +
 
 +
::'''NOTE:''' Your message may look slightly different (This author, that created the diagram above, made a little mistake when generating the certificate).
 +
 
 +
<ol><li value="4">After you confirm that security exception, send another email to yourself and make sure you receive it.</li><li> Notice that from the user's point of view nothing is different. But if you were an evildoer trying to steal an identity (the difference is huge). Before it was trivial and now it's computationally prohibitive.</li></ol>
 +
 
 +
=== Encryption Dovecot with Secure Socket layer (SSL) ===
 +
 
 +
Now we will ensure that our '''Dovecot''' connection is secure, and enforce that policy. With SMTP, you will need to allow plain text connections since that is the only method to pass email from server-to-server. With IMAP, there is no server-to-server interaction, but rather only client-to-server interaction. The reason to have an unencrypted IMAP connection would be if your '''IMAP server''' and '''IMAP client''' were the <u>same</u> machine.
 +
 
 +
'''Perform the following steps:'''
 +
 
 +
# Let's start by generating a new certificate for Dovecot on your vm3 machine by issuing the following commands:
 +
<source lang="bash">mkdir /etc/ssl/{private,certs}
 +
openssl genrsa -des3 -out vm3.andrewsmith.org.key 2048
 +
chmod 600 vm3.andrewsmith.org.key
 +
openssl req -new -key vm3.andrewsmith.org.key -out vm3.andrewsmith.org.csr
 +
openssl x509 -req -days 365 -in vm3.andrewsmith.org.csr -signkey vm3.andrewsmith.org.key -out vm3.andrewsmith.org.crt
 +
openssl rsa -in vm3.andrewsmith.org.key -out vm3.andrewsmith.org.key.nopass
 +
mv vm3.andrewsmith.org.key.nopass vm3.andrewsmith.org.key
 +
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
 +
chmod 600 vm3.andrewsmith.org.key cakey.pem
 +
cp vm3.andrewsmith.org.key cakey.pem /etc/ssl/private
 +
cp vm3.andrewsmith.org.crt cacert.pem /etc/ssl/certs</source>
 +
 
 +
::'''NOTE:''' This process is identical to what you've done for the vm2 certificate. In fact if your IMAP and SMTP servers are on the same machine you can share the certificate between them. In our case, they are not on the same machine.
 +
 
 +
<ol><li value="2">Next, we need to configure Dovecot to use this for encrypted connections and not allow any kind of plain text connections. Edit the '''10-auth.conf''', <u>and</u> '''10-ssl.conf''' files and change the following settings (note:  these parameters already exist in those files, just find them and set them to the correct value):</li></ol>
 +
 
 +
<source lang="bash">ssl = required
 +
ssl_cert = <path_to_your_crt_file
 +
ssl_key = <path_to_your_key_file
 +
disable_plaintext_auth = yes
 +
</source>
 +
 
 +
 
 +
<ol><li value="3">Now, we will disable normal imap connections, leaving only imaps (secured imap) allowed. Edit the '''10-master.conf''' file and set the port number in '''inet_listener imap''' to '''0'''.</li>
 +
<li>Your key/certificate doesn't have a '''.pem''' extension but they are PEM-encoded files. You can confirm that using the '''file''' command. If you're interested, learning more about configuring Dovecot for SSL, refer to the following documentation: [http://wiki2.dovecot.org/SSL/DovecotConfiguration Dovecot SSL configuration].</li></ol>
 +
 
 +
=== Verifying that Mail Messages are Encrypted===
 +
 
 +
'''Perform the following steps:'''
 +
 
 +
#Use the '''ss''' command to confirm you're only listening on the '''imaps''' port, and not the plain imap port.
 +
#Next, reconfigure your account settings in Thunderbird to use the '''SSL/TLS''' connection security with your IMAP server, leaving the password as '''Normal Password'''.
 +
 
 +
::'''NOTE:''' When you send your test email, you will get another warning because you're using a self-signed certificate on '''vm3'''.  Make certain to authorize the exception.
 +
 
 +
'''Record steps, commands, and your observations on this investigation in your OPS335 lab log-book'''
 +
 
 +
== INVESTIGATION 2: INSTALL, CONFIGURE &amp; RUN WEBMAIL APPLICATION (Roundcube Mail) ==
 +
{|cellpadding="15" width="40%" align="right"
 +
 
 +
|- valign="top"
 +
 
 +
|width="10%" | [[Image:Roundcube.png|thumb|right|200px|'''Roundcube''' webmail application Logo<br>GPL,<br> https://commons.wikimedia.org/w/index.php?curid=1772791]]
 +
 
 +
|width="10%" |[[Image:roundcube-pic.png|thumb|right|300px|Screencapture of '''roundcube''' webmail application running in order to send and receive mail messages via a web-browser.]]
 +
 
 +
 
 +
|}
 +
 
 +
In the investigation, we will simply install, configure and run the '''roundcube''' webmail application.
 +
 
 +
'''Perform the following steps on vm1:'''
 +
 
 +
*Perform a search on the roundcube application in order to access the website.
 +
*Either Download the "zipped tarball" from their website from a direct link or use the wget command to download directly from a download link (This part may take some effort depending on the Sourceforge website).
 +
*Extract the "zipped tarball" and rename the generated directory that contains download source code to: '''webmail'''.
 +
::* Use the '''--no-same-owner''' option when extracting the tar achive to ensure that the files do not keep the original owner (who will not exist on your system).
 +
*Change the ownership of the '''temp''' and '''logs''' directories so they belong to apache.
 +
*This service needs to be able to write to several directories ('''temp''' and '''logs''') that SELinux prevents write access to.  If you are in a section that has SELinux set to '''enforcing''', run the
 +
following commands to let it know that apache should be allowed to write to files in those directories.
 +
<source lang="bash">
 +
semanage fcontext -a -t httpd_log_t '/var/www/html/webmail/temp(/.*)?'
 +
semanage fcontext -a -t httpd_log_t '/var/www/html/webmail/logs(/.*)?'
 +
restorecon -v -R /var/www/html/webmail
 +
</source>
 +
::*If your machine does not have the semage command, use yum to install the policycoreutils-python package.
 +
*In the directory now named "webmail",  there will be a file named '''INSTALL''' which will walk you through the rest of the Roundcube installation.<br /><br />Some installation tips to consider:
 +
 
 +
::* Be careful about copying &amp; pasting the MySQL setup part: take time and pay attention to detail: do not try to "rush it".
 +
::* You will need to install additional Apache modules including: '''php-xml''' and '''php-mbstring'''.
 +
::* Don't forget to set the password in the roundcube configuration.
 +
 
 +
*Note that both of your IMAP and SMTP servers are on different machines (i.e. not on vm1). Therefore, you will need to set the following options for Roundcube:
 +
 
 +
::* '''$config['smtp_server']'''
 +
::* '''$config['default_host']'''
 +
::* '''$config['default_port']'''
 +
 
 +
:::'''NOTE:''' The last <u>two</u> entries above refer to your IMAP server
 +
 
 +
*You should be able to test the configuration in your Roundcube installer after completing Step 3.</li><li>Try to test if the roundcube webmail application is working by sending and receiving e-mail messages.*
 +
 
 +
{{Admon/important |Backup your VMs!|You MUST perform a '''full backup''' of ALL of your VMs whenever you complete your '''OPS335 labs''' or when working on your '''OPS335 assignments'''. You should be using the dump command, and you should use  the Bash shell script that you were adviced to create in order to backup all of your VMs.}}
 +
 
 +
'''Record steps, commands, and your observations on this investigation in your OPS335 lab log-book'''
 +
 
 +
==COMPLETING THE LAB==
 +
In completing this lab you have gained experience...
 +
 
 +
'''Depending on your professor you will either be asked to submit the lab in class, or online.  Follow the appropriate set of instructions below.'''
 +
 
 +
===Online Submission (Peter Callaghan's Classes only)===
 +
Follow the instructions for lab 8 on moodle.
 +
 
 +
===In Class Submission===
 +
'''Arrange evidence (command output) for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:'''
 +
 
 +
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Thunderbird with a message sent and received using encrypted channels.
 +
::<span style="color:green;font-size:1.5em;">&#x2713;</span>New Thunderbird server configuration for your account.
 +
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Logs on vm2 and vm3 showing the message has been sent and received.
 +
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Your webmail showing your inbox
 +
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Your webmail sending an email out
 +
::<span style="color:green;font-size:1.5em;">&#x2713;</span>You receiving that mail on an exernal account
 +
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Download the labcheck8.bash checking bash shell script by issuing the command:<br><br>'''wget http://matrix.senecac.on.ca/~peter.callaghan/files/OPS335/labcheck8.bash'''<br><br>set execute permission and run the shell script on your '''c7host''' machine.
 +
::*For '''Peter's classes''', follow his Online Submission instructions in Moodle.
 +
::*For '''Murray's classes''', run command  (piping to the '''more''' command) and show output to instructor.
 +
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Completed Lab8 log-book notes.
 +
 
 +
 
 +
==EXPLORATION QUESTIONS==
 +
 
 +
#Briefly define the term '''TSL'''.
 +
#Briefly define the term '''SSL'''.
 +
#List the steps to setup Encryption for Postfix with TLS.
 +
#List the steps to setup Encryption for Dovecot with SSL.
 +
#List the steps to setup Encryption for the Thunderbird application.
 +
#Provide a brief description of the following terms as they relate to mail servers:
 +
#*'''Open Relay'''
 +
#*'''SPF'''
 +
#*'''DKIM'''
 +
# How does a webmail application differ from using another MUA like Thunderbird?
 +
# List the additional Apache modules that are required in order to run the Roundcube web application?

Latest revision as of 07:48, 12 March 2017


OBJECTIVE & PREPARATION

Important.png
Prerequistites
This lab depends on changes made in several previous labs. You must have successfully completed labs 3, 4a, 4b, and 5 in order to be able to do this lab.

Below is the same diagram that we referred to over the previous 2 email labs:

Email-servers.png

Note the two globes in the above diagram. Those globes represent the Internet that your emails travel through in order to be received by an e-mail recipient. The smaller globe (the one your workstation is connected to) cannot be trusted to send mail messages unencrypted. The larger globe usually involves inter-ISP traffic, often through an internet trunk line, so it is also unencrypted, but it cannot be easily accessed by hackers, pen-testers, or evildoers.

There are two important general truths you need to understand about email encryption:

  • Email (the way the vast majority of people use it) travels from SMTP server to SMTP server uncencrypted.
That means that nothing sent over email is truly secure. But attempting to continually intercept SMTP server to SMTP server traffic is difficult and expensive, not worth doing for the little bit of money most of us have in our bank account.
  • Email travelling over a LAN (especially Wifi, but any local network) is always encrypted.
If e-mail traffic on a LAN was not encrypted, it would be easy and inexpensive to intercept (in order to obtain your username and password). These days, unencrypted connections from your client to your SMTP/IMAP/POP3 server very rarely exist.

You see in our diagram that one of the SMTP connections is supposed to be encrypted (this is the one that would be "LAN" traffic) and the IMAP connection as well (this one is either LAN-like traffic or is connecting to localhost, which is a different scenario altogether).

We're going to secure the two connections that we left to be in plain text previously. Unfortunately encrypting things is rarely a straighforward process. Fortunately we have a whole week to spend on it.

Online Resources


INVESTIGATION 1: GENERATING A SELF-SIGNED CERTIFICATE

According to Wikipedia (https://en.wikipedia.org/wiki/Transport_Layer_Security), Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols designed to provide communications security over a computer network.

Normally (in production), you would need to pay a "certificate authority" to issue a certificate for you. That is essentially a "signed" public key that will tell strangers on the internet that your server is really yours (i.e. the certificate authority says so). There is an obvious problem with the previous statement but that is mainly how public key encryption works on the Internet today.

We will be generating our own public keys, mainly in order to avoid paying for a certificate. We will not have enough time to get into the details of what all the following commands do in this section. They are from this blog post. If you don't understand what the blog post refers to but would like to understand in more details, a good recommended book for interest, called Crypto by Steven Levy, provides a more in-depth discussion of encryption and security.

The public key cryptography concepts in this lab are the same in a previous lab (Lab1: SSH), although the terminology is slightly different.

A simple way to summarize the differences is:

  • The .key file is your private key.
  • The .crt file is your public key.


Encrypting Postfix with Transport Layer Security (TLS)

Perform the following steps:

  1. Let's start with the "sending" SMTP server we have on VM2. Run the following, replacing andrewsmith.org with your domain name:
mkdir -p /root/postfix-keys /etc/ssl/{private,certs}
cd /root/postfix-keys
openssl genrsa -des3 -out vm2.andrewsmith.org.key 2048
chmod 600 vm2.andrewsmith.org.key
openssl req -new -key vm2.andrewsmith.org.key -out vm2.andrewsmith.org.csr
openssl x509 -req -days 365 -in vm2.andrewsmith.org.csr -signkey vm2.andrewsmith.org.key -out vm2.andrewsmith.org.crt
openssl rsa -in vm2.andrewsmith.org.key -out vm2.andrewsmith.org.key.nopass
mv vm2.andrewsmith.org.key.nopass vm2.andrewsmith.org.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 vm2.andrewsmith.org.key cakey.pem
cp vm2.andrewsmith.org.key cakey.pem /etc/ssl/private
cp vm2.andrewsmith.org.crt cacert.pem /etc/ssl/certs
NOTE: Those commands will create a certificate, a certificate signing request, a certificate authority, and sign your certificate with your certificate authority.
This would be the same as in the real world except there you would contact a real CA, here you're making up your own.
  1. Now, configure Postfix to use the generated certificate, by adding the following to your main.cf file:
# Settings to enable secure SMTP using my self-signed certificate:
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_key_file = /etc/ssl/private/vm2.andrewsmith.org.key
smtpd_tls_cert_file = /etc/ssl/certs/vm2.andrewsmith.org.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
tls_random_source = dev:/dev/urandom
smtpd_tls_loglevel = 1

Setting Up and Testing Encryption with Thunderbird

Perform the following steps:

  1. Currently your Thunderbird is set up to use vm2.yoursenecaid.org for an SMTP server, with no security. Change that to use STARTTLS instead (you can change it under account settings --> Outgoing Server).
  2. We haven't set up any user authentication, just an encrypted channel;therefore, leave the authentication method at the value: none.
  3. When you try to send an email Thunderbird will warn you about the self-signed certificate. You obviously know it's your certificate so you can tell Thunderbird to trust it:


SMTP-certificate-warning.png


NOTE: Your message may look slightly different (This author, that created the diagram above, made a little mistake when generating the certificate).
  1. After you confirm that security exception, send another email to yourself and make sure you receive it.
  2. Notice that from the user's point of view nothing is different. But if you were an evildoer trying to steal an identity (the difference is huge). Before it was trivial and now it's computationally prohibitive.

Encryption Dovecot with Secure Socket layer (SSL)

Now we will ensure that our Dovecot connection is secure, and enforce that policy. With SMTP, you will need to allow plain text connections since that is the only method to pass email from server-to-server. With IMAP, there is no server-to-server interaction, but rather only client-to-server interaction. The reason to have an unencrypted IMAP connection would be if your IMAP server and IMAP client were the same machine.

Perform the following steps:

  1. Let's start by generating a new certificate for Dovecot on your vm3 machine by issuing the following commands:
mkdir /etc/ssl/{private,certs}
openssl genrsa -des3 -out vm3.andrewsmith.org.key 2048
chmod 600 vm3.andrewsmith.org.key
openssl req -new -key vm3.andrewsmith.org.key -out vm3.andrewsmith.org.csr
openssl x509 -req -days 365 -in vm3.andrewsmith.org.csr -signkey vm3.andrewsmith.org.key -out vm3.andrewsmith.org.crt
openssl rsa -in vm3.andrewsmith.org.key -out vm3.andrewsmith.org.key.nopass
mv vm3.andrewsmith.org.key.nopass vm3.andrewsmith.org.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 vm3.andrewsmith.org.key cakey.pem
cp vm3.andrewsmith.org.key cakey.pem /etc/ssl/private
cp vm3.andrewsmith.org.crt cacert.pem /etc/ssl/certs
NOTE: This process is identical to what you've done for the vm2 certificate. In fact if your IMAP and SMTP servers are on the same machine you can share the certificate between them. In our case, they are not on the same machine.
  1. Next, we need to configure Dovecot to use this for encrypted connections and not allow any kind of plain text connections. Edit the 10-auth.conf, and 10-ssl.conf files and change the following settings (note: these parameters already exist in those files, just find them and set them to the correct value):
ssl = required
ssl_cert = <path_to_your_crt_file
ssl_key = <path_to_your_key_file
disable_plaintext_auth = yes


  1. Now, we will disable normal imap connections, leaving only imaps (secured imap) allowed. Edit the 10-master.conf file and set the port number in inet_listener imap to 0.
  2. Your key/certificate doesn't have a .pem extension but they are PEM-encoded files. You can confirm that using the file command. If you're interested, learning more about configuring Dovecot for SSL, refer to the following documentation: Dovecot SSL configuration.

Verifying that Mail Messages are Encrypted

Perform the following steps:

  1. Use the ss command to confirm you're only listening on the imaps port, and not the plain imap port.
  2. Next, reconfigure your account settings in Thunderbird to use the SSL/TLS connection security with your IMAP server, leaving the password as Normal Password.
NOTE: When you send your test email, you will get another warning because you're using a self-signed certificate on vm3. Make certain to authorize the exception.

Record steps, commands, and your observations on this investigation in your OPS335 lab log-book

INVESTIGATION 2: INSTALL, CONFIGURE & RUN WEBMAIL APPLICATION (Roundcube Mail)

Roundcube webmail application Logo
GPL,
https://commons.wikimedia.org/w/index.php?curid=1772791
Screencapture of roundcube webmail application running in order to send and receive mail messages via a web-browser.


In the investigation, we will simply install, configure and run the roundcube webmail application.

Perform the following steps on vm1:

  • Perform a search on the roundcube application in order to access the website.
  • Either Download the "zipped tarball" from their website from a direct link or use the wget command to download directly from a download link (This part may take some effort depending on the Sourceforge website).
  • Extract the "zipped tarball" and rename the generated directory that contains download source code to: webmail.
  • Use the --no-same-owner option when extracting the tar achive to ensure that the files do not keep the original owner (who will not exist on your system).
  • Change the ownership of the temp and logs directories so they belong to apache.
  • This service needs to be able to write to several directories (temp and logs) that SELinux prevents write access to. If you are in a section that has SELinux set to enforcing, run the

following commands to let it know that apache should be allowed to write to files in those directories.

semanage fcontext -a -t httpd_log_t '/var/www/html/webmail/temp(/.*)?'
semanage fcontext -a -t httpd_log_t '/var/www/html/webmail/logs(/.*)?'
restorecon -v -R /var/www/html/webmail
  • If your machine does not have the semage command, use yum to install the policycoreutils-python package.
  • In the directory now named "webmail", there will be a file named INSTALL which will walk you through the rest of the Roundcube installation.

    Some installation tips to consider:
  • Be careful about copying & pasting the MySQL setup part: take time and pay attention to detail: do not try to "rush it".
  • You will need to install additional Apache modules including: php-xml and php-mbstring.
  • Don't forget to set the password in the roundcube configuration.
  • Note that both of your IMAP and SMTP servers are on different machines (i.e. not on vm1). Therefore, you will need to set the following options for Roundcube:
  • $config['smtp_server']
  • $config['default_host']
  • $config['default_port']
NOTE: The last two entries above refer to your IMAP server
  • You should be able to test the configuration in your Roundcube installer after completing Step 3.</li>
  • Try to test if the roundcube webmail application is working by sending and receiving e-mail messages.*
Important.png
Backup your VMs!
You MUST perform a full backup of ALL of your VMs whenever you complete your OPS335 labs or when working on your OPS335 assignments. You should be using the dump command, and you should use the Bash shell script that you were adviced to create in order to backup all of your VMs.

Record steps, commands, and your observations on this investigation in your OPS335 lab log-book

COMPLETING THE LAB

In completing this lab you have gained experience...

Depending on your professor you will either be asked to submit the lab in class, or online. Follow the appropriate set of instructions below.

Online Submission (Peter Callaghan's Classes only)

Follow the instructions for lab 8 on moodle.

In Class Submission

Arrange evidence (command output) for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:

Thunderbird with a message sent and received using encrypted channels.
New Thunderbird server configuration for your account.
Logs on vm2 and vm3 showing the message has been sent and received.
Your webmail showing your inbox
Your webmail sending an email out
You receiving that mail on an exernal account
Download the labcheck8.bash checking bash shell script by issuing the command:

wget http://matrix.senecac.on.ca/~peter.callaghan/files/OPS335/labcheck8.bash

set execute permission and run the shell script on your c7host machine.
  • For Peter's classes, follow his Online Submission instructions in Moodle.
  • For Murray's classes, run command (piping to the more command) and show output to instructor.
Completed Lab8 log-book notes.


EXPLORATION QUESTIONS

  1. Briefly define the term TSL.
  2. Briefly define the term SSL.
  3. List the steps to setup Encryption for Postfix with TLS.
  4. List the steps to setup Encryption for Dovecot with SSL.
  5. List the steps to setup Encryption for the Thunderbird application.
  6. Provide a brief description of the following terms as they relate to mail servers:
    • Open Relay
    • SPF
    • DKIM
  7. How does a webmail application differ from using another MUA like Thunderbird?
  8. List the additional Apache modules that are required in order to run the Roundcube web application?