OPS335 Lab 4d

4,467 bytes added, 16:36, 5 March 2016
Dovecot + SSL
Your key/certificate don't have a .pem extension but they are PEM-encoded files. You can confirm that using the '''file''' command. If you're interested - here's some documentation about [http://wiki2.dovecot.org/SSL/DovecotConfiguration Dovecot SSL configuration].
 
=== Test ===
 
Use netstat to confirm you're only listening on the imaps port, and not the plain imap port. Then reconfigure your account settings in Thunderbird to use SSL/TLS connection security with your IMAP server. You'll get a warning because you're using a self-signed certificate, authorise the exception.
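The netstat check above, as an added example that is not part of the lab: a small shell helper that reads `netstat -tln` output and reports whether only imaps (993) is listening and plain imap (143) is closed. The sample outputs are constructed; on a real server pipe `netstat -tln` into the function instead.

```shell
#!/bin/sh
# Added example (not from the lab): verify the Dovecot SSL test step from
# `netstat -tln` output: imaps (993) must listen, plain imap (143) must not.

# Constructed sample of `netstat -tln` on a correctly configured host.
SAMPLE_GOOD='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN
tcp6       0      0 :::993                  :::*                    LISTEN'

# Constructed sample where plain imap is still enabled alongside imaps.
SAMPLE_BAD='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN'

# listening_on PORT: reads netstat -tln output on stdin and succeeds when a
# socket in LISTEN state uses that port (handles 0.0.0.0:993 and :::993).
listening_on() {
    awk -v port="$1" '
        $NF == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit !found }'
}

# check_imap_ports: reads netstat -tln output on stdin and prints one word:
#   ok          imaps listening, plain imap closed
#   no-imaps    imaps (993) is not listening
#   plain-imap  plain imap (143) is still listening
check_imap_ports() {
    input=$(cat)
    if ! printf '%s\n' "$input" | listening_on 993; then
        echo no-imaps
    elif printf '%s\n' "$input" | listening_on 143; then
        echo plain-imap
    else
        echo ok
    fi
}

# On a real host (netstat is in the net-tools package):
#   netstat -tln | check_imap_ports
printf '%s\n' "$SAMPLE_GOOD" | check_imap_ports   # prints: ok
printf '%s\n' "$SAMPLE_BAD" | check_imap_ports    # prints: plain-imap
```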
 
= Things we didn't cover =
 
If you got to this point and everything worked (and you understand what you've done) - congratulations, you have set up a working email server and you can now have an intelligent conversation with an employer about this hugely important system.
 
But be aware that even though we spent three weeks on it - we've only done the simplest possible setup. In the rest of the section we'll list other commonly-needed services/tools/concepts that we just don't have time for this semester.
 
== Open Relays ==
 
Your SMTP servers are open relays. That means if they were accessible on the internet - anyone could use them to send spam. This would very quickly get your server blacklisted and you'd have a very hard time getting yourself off that blacklist.
 
There are two common solutions for that:
 
# Restrict your "sending" SMTP server to only accept mail from your own network. ISPs commonly do this. It doesn't work very well if you have mobile clients (laptops, phones) which are not always connected to your ISP's network.
# Use SASL or some other means of checking that the person trying to use the SMTP server has a valid user on the system. This way only your users will be able to use your server to relay email.
 
== SPF ==
 
SPF uses DNS to publish a list of server IP addresses that are allowed to send email for your domain. That way a receiving server can check whether the sending server is authorized (message is likely not spam) or not (message is probably spam).
 
SPF is a pretty cool system, but it's not perfect. It works very well for single servers but if you send mail for your domain from multiple servers (and perhaps a varying number of them) - you have to put in wildcards which lower the effectiveness of this system.
 
== DKIM ==
 
DKIM is a popular spam-prevention measure that uses public-key cryptography to sign messages originating from your server, so that receiving servers can verify that the messages really did come from your server (the public keys are published in DNS).
 
It's a neat idea but the strength of the encryption is pretty pathetic. So it's a good deterrent against mass amounts of spam, but it doesn't really guarantee anything.
 
== Address Books ==
 
An address book has nothing to do with email, even though you might think they are related systems. Typically an address book is a completely separate system - using either a CardDAV server (one that is easy to set up comes with OwnCloud) or an LDAP server. Even tightly integrated services like Microsoft's Active Directory keep the address book separate from the email.
 
== Vacation Responders ==
 
If you think about it - it's not really clear what service should be responsible for sending out vacation messages. Your receiving SMTP server? Do you really want your users to be able to control that? The client? It's probably not running.
 
It's usually yet another separate service. Even though the settings to enable vacation response will usually be next to your other email settings - they will be controlling a separate system that's hooked into your MTA.
 
== Other Stuff ==
 
There are countless other features and extensions for email, not to mention proprietary ones like Gmail, Yahoo Mail, Office 365, etc. But having mastered the email portion of this course - you will be qualified to evaluate capabilities, design integrated systems, and customise the email service for your organization in ways no regular email user can even understand.
 
= Completing the Lab =
 
Students should be prepared with '''all required commands (system information) displayed in a terminal (or multiple terminals) prior to calling the instructor for signoff'''.
 
'''Arrange evidence (command output) for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:'''
 
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Thunderbird with a message sent and received using encrypted channels.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>New Thunderbird server configuration for your account.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Logs on vm2 and vm3 showing the message has been sent and received.