Changes


OPS335 Lab 4

984 bytes added, 13:13, 22 October 2019
Andrew's sections
==OVERVIEW & PREPARATION==
 
{{Admon/important|Warning|Your lab 3 must be complete with a functioning DNS server for your domain before this lab will work.}}
You may not be aware of it as a user, but email is a very <u>complex</u> system to administer. In fact, the more modern e-mail systems (e.g. web-based mail applications, etc.) are more technically involved than the other archaic, hard-to-configure, and sometimes inter-operable mail systems.
[[Image:email-setup-simple.png]]
Although you will not be able to receive mail messages from outside sources (such as your Seneca email account), this lab acts as a starting point for running a basic email server. You are NOT required to go into tremendous depth (just the minimum requirements). For example, we will not go over every aspect of the Postfix MTA service, but you should know what it represents and what its main purpose is, as opposed to the following: [https://en.wikipedia.org/wiki/Postfix_%28software%29#Architecture complex diagram 1], [https://www.credativ.de/blog/postfix-architecture-overview complex diagram 2].
===Online References:===
* [https://support.google.com/mail/answer/29436?hl=en Reading Full Email Headers] (Explanation of message header information)
* [http://wiki.dovecot.org/MailServerOverview Here's an overview] (common mail server terms)
 
==INVESTIGATION 1: INSTALL, SET-UP, AND USE THE MAIL USER AGENT ('''MUA''')==
We will be using a simple text-based '''Mail User Agent (MUA)''' called '''mailx''' in this lab to '''both send and receive''' mail messages within your '''vm2''' machine and to '''only send''' mail messages from your '''vm2''' machine to your Seneca e-mail account.
'''NOTE:''' Because you're using private IP addresses and no external DNS servers are pointing to your network, and because of the setup of Seneca College's mail server, you '''<u>cannot</u>''' send e-mail messages from outside your environment to your '''vm2''' machine.
=== Installing the Mail User Agent (MUA)===
#Make certain you are in your '''vm2''' machine.
#Install the '''mailx''' application (MUA) using '''yum''':<br>'''yum install mailx'''<br><br>
:'''NOTE:''' You can refer to the link below to acquaint yourself with how to send e-mail messages using the '''mailx''' application:<br>[http://www.simplehelp.net/2008/12/01/how-to-send-email-from-the-linux-command-line/ Mail Send Command Examples]
===Sending a Mail Message from your vm2 Machine to your Seneca Email Account===
 
{{Admon/important|Note|These instructions no longer work reliably. You can still send email to your own email server, and look at the server logs to see that it did really get sent. But it probably won't be accepted for one of a multitude of good reasons.}}
We will now test to see if your MTA for your vm2 machine is correctly running by sending email messages from your vm2 machine to your Seneca e-mail account.
#Make certain you are still in your '''vm2''' machine.
#Test email from your machine by sending an email to your '''Seneca email account''' using the following command:<br>'''mail -s "Lab4a - test1" <Your Seneca email address>'''<br><br>'''NOTE:''' after you type in the body of the mail message, move to an empty line, then either type a period "." and press the ENTER key, or press the key combination '''&lt;ctrl&gt;&lt;d&gt;''' to send the message.<br><br>
#Check your Seneca email account (Inbox / Junk Email Folder) to see if you got the email (note that it may take a <u>few minutes to arrive</u>, so you may also wish to try an alternate email account if you have one, like gmail). When you do receive that email, make a note of the return address.
#If you did not receive the mail, check the mail logs on your vm2 machine for any error messages that would indicate a mail server setup problem.
#Once you have succeeded in sending the first email, send a second email to the same destination using the following command:<br>'''mail -r "someone@hacker.com (Canadian Revenue Agency)" -s "Lab4a - test2" <Your Seneca email address>'''
#Check your email to see if you got the email. If you did, make a note of the return address. How do you think including the '''-r''' option could be used by penetration hackers to gain access to a computer system? What sort of steps do you think should be taken to help prevent this type of attack from happening?
#Once you have received the message, type the mail message number that is displayed in your e-mail message list in the prompt and press ENTER. You should be able to confirm the message body that you sent.
#Exit the mail program by typing the letter '''q''' and press ENTER.
#Re-issue the '''mail''' command. What happened? Issue the command: '''cat /var/spool/mail/<yourSenecaID>'''. What do you notice?
#Exit the mail command.
'''Record steps, commands, and your observations in INVESTIGATION 1 in your OPS335 lab log-book'''
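One defensive answer to the question about the '''-r''' option is for the receiving server to authenticate the sender's domain (SPF, DKIM, DMARC) and for the reader to check those results in the full message headers. The following is an added example, not part of the original lab; the sample message, its host names, IP address and verdicts are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of how the "test2" message could look after delivery.
SAMPLE = """\
Return-Path: <someone@hacker.com>
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=hacker.com;
 dkim=none;
 dmarc=fail header.from=hacker.com
Received: from vm2.yoursenecaid.ops (unknown [203.0.113.10])
 by mx.example.net with ESMTP; Tue, 22 Oct 2019 13:13:00 -0400
From: someone@hacker.com (Canadian Revenue Agency)
Subject: Lab4a - test2

test
"""

def auth_verdicts(msg):
    """Collect spf/dkim/dmarc results from every Authentication-Results header."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts

def review(raw):
    """Summarise who the message claims to be from and which checks did not pass."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    # The topmost Received header is the one written by the receiving server.
    received = re.search(r"from\s+(\S+)", msg.get("Received", ""))
    verdicts = auth_verdicts(msg)
    findings = [f"{m}={verdicts.get(m, 'missing')}"
                for m in ("spf", "dkim", "dmarc") if verdicts.get(m) != "pass"]
    return {
        "display": display,                                  # name shown to the user
        "from_domain": address.rpartition("@")[2].lower(),   # domain being claimed
        "sending_host": received.group(1).lower() if received else "",
        "findings": findings,                                # checks that did not pass
    }

if __name__ == "__main__":
    print(review(SAMPLE))
```

A message with no Authentication-Results header at all is reported as "missing" for each method, which is what you would see on a server that performs no sender authentication.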
 
==INVESTIGATION 2: SETUP MTA TO SEND MAIL MESSAGES (NO ENCRYPTION)==
We will be using the '''Postfix''' application as the '''MTA''', and we will be setting it up on your '''vm2''' and '''vm3''' machines. They will act as the "sending" email servers for your internal network. You will be able to send email out of your network, and receive email from within your network, but you will '''<u>not</u>''' receive email from outside of your network due to the following reasons:
* Individuals outside of your domain will never find the MX records because there are no other DNS servers pointing to your DNS server (i.e. you haven't paid for it).
* Even if the individuals could read your MX records, your local network is using IP addresses on a '''private subnet''', which is not routable on the Internet, so it cannot be reached from outside of your system.
#The '''postfix''' application should be installed by default. If it isn't, install it.
#Postfix is capable of sending email with the default configuration, so start and enable this service, and verify that the postfix service is running.
#Look for the running postfix service in the list of listening ports by issuing the following command:<br><source lang="bash">ss -atnp</source>
#Which service is postfix running? Locate the port used by SMTP, and look for connections with the state LISTEN (i.e. currently listening).
#Write your observations in your lab logbook.
'''Perform the following steps:'''
# If the '''nc''' command is not installed on your vm2 machine, install it (install the '''nc''' command on your '''vm3''' as well).
# Connect from your '''vm2''' to itself using the '''nc''' command by issuing the following command:<br><source lang="bash">nc localhost 25</source>
# You should see a response: <br><source lang="bash">220 vm2.yourdomain.ops ESMTP Postfix</source>
# You could theoretically use SMTP commands to send an email here, but this would be a very unusual use of your mail server. You have an '''MUA''' for a reason.
#Enter the command '''QUIT''' to close the connection to the server, then '''<ctrl>-c''' to terminate the nc command.
::'''NOTE:''' If it worked, this indicates that the postfix service is running, listening, and responding to connections.
<ol><li value="4">Let's see if it works from other machines. Use '''nc''' to connect to '''vm2''' from '''vm3''' and see if it works. If your firewall is set up properly, the nc command should not permit a connection (i.e. ''no route to host'').</li><li>Create an iptables rule to allow incoming connections to your '''SMTP''' server on your '''vm2'''.</li><li>Once you open the port in the firewall, retry the '''nc''' command. You should get a different error this time (e.g. ''connection refused''). This time the problem is that your service isn't listening on the outside interface; it's currently configured to listen only on the loopback (lo) interface.</li><li>Make sure the new iptables rule gets saved so that it will be loaded automatically at startup.</li>
</ol>
=== Listening on all interfaces ===
We need to configure the Postfix MTA not only to listen to connections from other (separate) MTAs, but to set the domain name and server name in order to allow the user to issue emails in the "standard way", and allow mail messages to provide a correct email address for replies.
'''Perform the following steps:'''
# In your '''vm2''' machine, launch an editing session for the postfix configuration file called: '''/etc/postfix/main.cf'''
# Our first editing change to the Postfix configuration will be to make the service "listen" for incoming connections on the external interface (i.e. '''eth0''' from the VM's point of view).<br>Change the value of the following parameter to what is displayed below:<br><source lang="bash">inet_interfaces = all</source>
# We should also set the string that will end up in the '''From:''' header in messages sent by this server.<br>Change the '''mydomain''' option to YOUR domain name (shown below):<source lang="bash">mydomain = yoursenecaid.ops</source>
# You must also set the '''hostname''' for this server so that it will correctly specify the hostname in the '''From:''' header of a sent mail message.<br>Make certain the following parameter only appears once (shown below):<source lang="bash">myorigin = $myhostname</source>
#Ensure that your '''hostname''' and '''DOMAIN''' name are properly set on your machine, otherwise you will need to set the '''myhostname''' parameter.
<br>
{{Admon/important|Warning|Make sure there are no other un-commented copies of those above-mentioned parameters in the Postfix configuration file.}}
<br><ol><li value="6">Restart the postfix service, then use the '''ss''' command to confirm that your MTA is now listening on <u>all</u> interfaces (not just loopback).</li>
<li>Test by connecting to it (using the '''nc''' command) from your '''vm3''' machine.</li></ol>
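The warning above about un-commented copies matters because Postfix uses only the last definition of a parameter in main.cf, so a leftover line can silently undo your edit. The following added example (not part of the original lab; the sample file content and the function names are constructed) parses a main.cf and reports repeated parameters together with the value Postfix would actually use.

```python
import re

WATCHED = ("inet_interfaces", "mydomain", "myorigin")  # parameters this lab edits

# Constructed sample: "all" was un-commented, but an older line was left in place.
SAMPLE_MAIN_CF = """\
# RECEIVING MAIL
inet_interfaces = all
#inet_interfaces = $myhostname
inet_interfaces = localhost
mydomain = yoursenecaid.ops
myorigin = $myhostname
"""

def parse_main_cf(text):
    """Return (effective, duplicates): the last value of each parameter (the one
    Postfix uses) and the line numbers of every parameter defined more than once."""
    seen = {}        # name -> list of [line number, value]
    current = None   # parameter that a continuation line belongs to
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                        # blank lines and comments are ignored
        if line[0] in " \t":                # leading whitespace continues a value
            if current:
                seen[current][-1][1] = (seen[current][-1][1] + " " + line.strip()).strip()
            continue
        match = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if match:
            current = match.group(1)
            seen.setdefault(current, []).append([number, match.group(2).strip()])
    effective = {name: defs[-1][1] for name, defs in seen.items()}
    duplicates = {name: [n for n, _ in defs] for name, defs in seen.items() if len(defs) > 1}
    return effective, duplicates

def audit(text):
    """Return warning strings for the parameters listed in WATCHED."""
    effective, duplicates = parse_main_cf(text)
    warnings = []
    for name in WATCHED:
        if name in duplicates:
            warnings.append(f"{name} set on lines {duplicates[name]}; Postfix uses: {effective[name]}")
    if effective.get("inet_interfaces") in ("localhost", "loopback-only"):
        warnings.append("inet_interfaces restricts the MTA to the loopback interface")
    return warnings

if __name__ == "__main__":
    for warning in audit(SAMPLE_MAIN_CF):
        print("WARNING:", warning)
```

With the sample content, the MTA would still listen only on loopback, which matches the ''connection refused'' symptom seen from vm3.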
'''Record steps, commands, and your observations in INVESTIGATION 2 in your OPS335 lab log-book'''
==INVESTIGATION 3: SENDING EMAIL BETWEEN MTAs for vm2 and vm3 (NO ENCRYPTION)==
With these steps complete, your '''vm2''' server should now be capable of '''sending''' and '''receiving''' email, but we can't be certain until we test it. This also would not help the users on the other machines in the network, which are still not capable of receiving email.
'''Perform the following steps:'''
# Repeat the configuration from investigation 2 on '''vm3''' (swap vm2 and vm3 when issuing commands so that you are configuring vm3, and using your vm2 server to test the connections).
# Once that is complete, send an email from '''root on vm2''' to '''root on vm3''', and then reply '''from vm3 to vm2'''.
# If both messages arrive, both MTAs are working. If not, use the troubleshooting tools and techniques you have already learned to diagnose and fix the problem.<br><br>
{{Admon/important |Backup your VMs!|You MUST perform a '''full backup''' of ALL of your VMs whenever you complete your '''OPS335 labs''' or when working on your '''OPS335 assignments'''. You should be using the dump command, and you should use the Bash shell script that you were advised to create in order to back up all of your VMs.}}
<br>
'''Record steps, commands, and your observations in INVESTIGATION 3 in your OPS335 lab log-book'''
===Online Submission (Peter Callaghan's Classes only)===
Follow the instructions for lab 4a on Blackboard.
===Andrew's sections===
You may choose to:
* Submit screenshots of your work on Blackboard, in which case you don't need to come to the lab.
* Or come to the lab, show me your work, and talk to me about it. I want to hear what you've learned and answer any questions you have.
You'll get the same grade regardless of how you choose to submit your work.
===In Class Submission===
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Arrange proof that you can send e-mail from your '''vm2''' machine to your '''Seneca College e-mail account''', and that you can '''send and receive e-mail messages between your vm2 and vm3 machines'''.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Download the labcheck4a.bash checking script by issuing the command:<br><br>'''wget https://ict.senecacollege.ca/~andrew.smith/ops335/labcheck4a.bash'''<br><br>Set execute permission and run the shell script on your '''host''' machine.
::*For '''Peter's classes''', follow his Online Submission instructions in Moodle.
::*For '''Murray's classes''', run the command (piping to the '''more''' command) and show the output to your instructor.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Completed Lab4a log-book notes.
