Email Services
CSCI N321 – System and Network Administration
Copyright © 2007 by Scott Orr and the Trustees of Indiana University
Section Overview
Email Architecture
Postfix Configuration
Mail forwarding
CS Spam-Filtering Architecture
Procmail
References
Apache Site – http://www.postfix.org
RedHat Deployment Guide, Chapter 24 – Email
Email Server Architecture
[Diagram: a remote MTA (sendmail) delivers over smtp(s) to the local MTA (postfix); postfix passes messages to the MDA (procmail) for local delivery; the MUA (Outlook) retrieves mail via imap(s) or pop(s) from the AA (imapd, popd).]
SMTP Protocol
[smo@sysadmin ~]$ telnet tempest.cs.iupui.edu 25
Trying 134.68.140.202...
Connected to tempest.cs.iupui.edu (134.68.140.202).
Escape character is '^]'.
220 tempest.cs.iupui.edu ESMTP Postfix
helo sysadmin
250 tempest.cs.iupui.edu
mail from: <[email protected]>
250 2.1.0 Ok
rcpt to: <[email protected]>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: Hello

Hi Scott.
.
250 2.0.0 Ok: queued as B06375050618
quit
221 2.0.0 Bye
Connection closed by foreign host.
Postfix MTA
More secure replacement for Sendmail
Suite of programs to handle email
postfix <option>, where option is one of: start, stop, reload, flush
Configuration files
  /etc/postfix/master.cf
  /etc/postfix/main.cf
master.cf
Maps services to Postfix daemons
Format (one service per line, fields in this order):
  Service Name
  Service Type (inet | fifo | unix)
  Private (y | n)
  Unprivileged (y | n)
  Chroot (y | n)
  Wakeup #
  Maxproc #
  command + args
Spam and Virus filtering
main.cf – Directories/Owner
Key Directories
  queue_directory = /var/spool/postfix
  command_directory = /usr/sbin
  daemon_directory = /usr/libexec/postfix
  mail_spool_directory = /var/spool/mail
  config_directory = /etc/postfix
Ownership
  mail_owner = postfix
main.cf – Delivery Addresses
Address Configuration
  myhostname = tempest.cs.iupui.edu
  mydomain = cs.iupui.edu
  myorigin = $mydomain
  mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
Smart Host
  relayhost = mail-relay.iu.edu
main.cf – SMTPd
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
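The telnet session on the SMTP Protocol slide and the smtpd settings above describe the same thing from two sides: a command sequence the server enforces (HELO before MAIL, MAIL before RCPT, RCPT before DATA) and a recipient-restriction list that decides whether a RCPT is accepted. The toy server below is an added example, not Postfix code and not from the course; it replays the dialog from the slide against the order the slide lists for smtpd_recipient_restrictions. The mynetworks value, the client addresses and the mailbox addresses are constructed, since the slide's own addresses are not legible.

```python
import re

# Constructed configuration standing in for the main.cf values shown on the slides.
MYHOSTNAME = "tempest.cs.iupui.edu"
MYDESTINATION = {"tempest.cs.iupui.edu", "localhost.cs.iupui.edu",
                 "localhost", "cs.iupui.edu"}
# mynetworks is not on the slides; this constructed value trusts loopback and
# the /24 containing tempest's address (prefix-string match keeps the demo short).
MYNETWORKS = ("127.0.0.", "134.68.140.")


def recipient_allowed(rcpt, client_ip, sasl_authenticated):
    """Evaluate smtpd_recipient_restrictions in the order the slide lists them:
    permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination."""
    if sasl_authenticated:                                   # permit_sasl_authenticated
        return True
    if any(client_ip.startswith(n) for n in MYNETWORKS):     # permit_mynetworks
        return True
    domain = rcpt.rpartition("@")[2].lower()                 # reject_unauth_destination
    return domain in MYDESTINATION


class SmtpSession:
    """Toy server side of the dialog on the slide: tracks state so that MAIL
    needs HELO first (smtpd_helo_required), RCPT needs MAIL, DATA needs RCPT."""

    def __init__(self, client_ip, sasl_authenticated=False):
        self.client_ip = client_ip
        self.sasl = sasl_authenticated
        self.helo = None
        self.sender = None
        self.rcpts = []
        self.in_data = False
        self.body = []
        self.queued = []          # (sender, recipients, body) tuples accepted

    def greeting(self):
        return f"220 {MYHOSTNAME} ESMTP Postfix"

    def handle(self, line):
        """Return the server reply for one client line (None while collecting DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.queued.append((self.sender, list(self.rcpts), "\n".join(self.body)))
                self.sender, self.rcpts, self.body = None, [], []
                return "250 2.0.0 Ok: queued"
            # RFC 5321 dot-stuffing: a leading ".." in DATA stands for "."
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            if not arg.strip():
                return "501 Syntax: HELO hostname"
            self.helo = arg.strip()
            return f"250 {MYHOSTNAME}"
        if verb == "MAIL":
            if self.helo is None:
                return "503 5.5.1 Error: send HELO/EHLO first"
            m = re.match(r"(?i)from:\s*<([^>]*)>", arg)
            if not m:
                return "501 5.5.4 Syntax: MAIL FROM:<address>"
            self.sender, self.rcpts = m.group(1), []
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Error: need MAIL command"
            m = re.match(r"(?i)to:\s*<([^>]+)>", arg)
            if not m:
                return "501 5.5.4 Syntax: RCPT TO:<address>"
            rcpt = m.group(1)
            if not recipient_allowed(rcpt, self.client_ip, self.sasl):
                return f"554 5.7.1 <{rcpt}>: Relay access denied"
            self.rcpts.append(rcpt)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def run_dialog(session, client_lines):
    """Feed client lines in order and return the list of non-empty server replies."""
    replies = [session.greeting()]
    for line in client_lines:
        reply = session.handle(line)
        if reply is not None:
            replies.append(reply)
    return replies


if __name__ == "__main__":
    # Constructed addresses; replays the slide's session from a campus client.
    s = SmtpSession("134.68.140.202")
    for r in run_dialog(s, ["helo sysadmin", "mail from: <smo@example.net>",
                            "rcpt to: <smo@cs.iupui.edu>", "data", "Subject: Hello",
                            "", "Hi Scott.", ".", "quit"]):
        print(r)
```

The order of the three restrictions is what makes this safe: an outside, unauthenticated client can still deliver to a mydestination domain but gets "Relay access denied" for anything else, while a SASL-authenticated client (which the next slides put behind TLS) may relay anywhere. Swapping reject_unauth_destination ahead of the two permits would lock out authenticated roaming users; dropping it would create an open relay.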
Authenticated Delivery
Only allow valid users to send email
main.cf
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_loglevel = 2
  smtpd_sasl_received_header = yes
saslauthd Daemon
  /etc/sysconfig/saslauthd
  /usr/lib/sasl2/smtpd.conf
SSL Support
Authenticated access must be protected
main.cf
  smtpd_use_tls = yes
  smtpd_tls_auth_only = yes
  smtpd_tls_key_file = /etc/postfix/certs/smtpd.key
  smtpd_tls_cert_file = /etc/postfix/certs/smtpd.crt
  smtpd_tls_loglevel = 2
  smtpd_tls_received_header = yes
  smtpd_tls_session_cache_timeout = 3600s
Mail Forwarding
/etc/postfix/aliases
  alias: real-address[,…]
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
~/.forward
Mailing lists
  alias: :include:<path_to_file>
  Majordomo & mailman
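The two slide items above, the aliases table and the :include: form used for mailing lists, are one mechanism: an address is rewritten until it names a real mailbox or a remote address. The resolver below is an added example, not Postfix's own alias code; it parses the alias: real-address[,…] format from the slide, follows :include: files (read here from a constructed in-memory table rather than disk) and stops on alias loops. The alias entries, list file and mailbox names are constructed.

```python
# Constructed alias map in the aliases(5) format shown on the slide
# ("alias: real-address[,...]"), plus a constructed :include: file.
ALIASES_TEXT = """\
# comments and blank lines are ignored
postmaster: root
root: smo
staff: :include:/etc/postfix/lists/staff
sysadmin: smo, staff
"""

INCLUDE_FILES = {   # path -> file content; stands in for reading from disk
    "/etc/postfix/lists/staff": "smo\nalice@cs.iupui.edu\n# retired: bob\n",
}


def parse_aliases(text):
    """Parse 'name: target, target' lines into a dict of lowercase name -> targets."""
    aliases = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, targets = line.partition(":")   # first colon only, so :include: survives
        aliases[name.strip().lower()] = [t.strip() for t in targets.split(",") if t.strip()]
    return aliases


def read_include(path):
    """One address per line; blank lines and comments ignored (constructed file table)."""
    lines = INCLUDE_FILES.get(path, "").splitlines()
    return [l.strip() for l in lines if l.strip() and not l.strip().startswith("#")]


def expand(address, aliases, _seen=None):
    """Resolve an address to the set of final recipients, following alias
    chains and :include: lists and breaking alias loops (a: b / b: a)."""
    seen = set() if _seen is None else _seen
    key = address.lower()
    if key in seen:
        return set()                          # loop: already being expanded
    if address.startswith(":include:"):
        seen.add(key)
        targets = read_include(address[len(":include:"):])
    elif "@" in address or key not in aliases:
        return {address}                      # remote address or real local mailbox
    else:
        seen.add(key)
        targets = aliases[key]
    result = set()
    for t in targets:
        result |= expand(t, aliases, seen)
    return result


if __name__ == "__main__":
    table = parse_aliases(ALIASES_TEXT)
    for name in ("postmaster", "sysadmin", "staff"):
        print(name, "->", sorted(expand(name, table)))
```

Two operational points follow from the code: the :include: file is read at delivery time, so its permissions decide who can add recipients to a list, and a loop in the table (or a ~/.forward pointing back at an alias) produces no delivery at all rather than an error, which is why Postfix requires newaliases/postalias to rebuild the hash after edits and logs loops it detects.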
Reading Email
IMAP/IMAPS
  Used to read messages online
  Should always be used over SSL
  Typically started via inetd/xinetd
Webmail: Squirrelmail, Horde
Opening Spam-dora’s Box
April 12, 1994 – Lawyers Laurence Canter and Martha Siegel sent a message about the upcoming Green Card lottery to some 6000+ Usenet News Groups in less than 90 minutes
Arizona ISP Internet Direct received so many email complaints, their email server(s) crashed more than 15 times.
C&S account gets cancelled and they threaten to sue (although never do)
C&S publish How to Make a Fortune on the Information Superhighway (1995)
14 years later…
SPAM (Unsolicited Commercial Email): 60% - 94% of all email (1st Qtr. 2008)
Phishing Attacks: less than 1% of all email but growing
Significant increase in Botnets
Top Spam-Sending Countries: United States (37.9%), China (4.6%), United Kingdom (4.3%), Germany (3.8%), Brazil (3.8%)
Source: Commtouch Software Online Labs
Costs of Spam
Spammers: Great ROI!!!, Malware writer partnerships, Phishing
Recipient: Time, Bandwidth, Storage space
SPAM Filtering Techniques
Black lists
White lists
Content (keyword blocking)
Invalid addresses/header values
Heuristics
Bayesian Filtering
Greylisting
Each message identified by a triplet:
  Envelope recipient
  Envelope sender
  IP address of delivering host
Delivery based on the following rules:
  If IP address or recipient on whitelist – send msg to recipient
  If triplet not seen before – send tempfail msg and record triplet
  If time limit on triplet not expired – send tempfail msg
  If time limit on triplet expired – send msg to recipient and update last seen time
  Remove triplet from database after not seen for set period of time
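The five rules above are a small state machine over a triplet database, and the interesting behaviour is in the timing: the first attempt is always deferred, a retry before the delay has elapsed is deferred again, and only a retry after the delay is delivered. The class below is an added example of that logic (not the course's or any greylisting daemon's code); the clock is passed in as a number of seconds so the whole sequence can be exercised without waiting. Delay and expiry values, addresses and IPs are constructed.

```python
from dataclasses import dataclass


@dataclass
class TripletRecord:
    first_seen: float   # when the triplet was first tempfailed
    last_seen: float    # last time a delivery attempt matched it


class Greylist:
    """Greylisting decision logic as described on the slide. Times are passed in
    explicitly (seconds) so the behaviour can be exercised without waiting."""

    ACCEPT = "250 2.1.5 Ok"
    TEMPFAIL = "450 4.7.1 Greylisted, please try again later"

    def __init__(self, delay=300, expire=36 * 3600, whitelist_ips=(), whitelist_rcpts=()):
        self.delay = delay                  # triplet time limit before acceptance
        self.expire = expire                # drop triplets not seen for this long
        self.whitelist_ips = set(whitelist_ips)
        self.whitelist_rcpts = {r.lower() for r in whitelist_rcpts}
        self.db = {}                        # triplet -> TripletRecord

    def check(self, recipient, sender, ip, now):
        """Apply the slide's rules to one delivery attempt and return the SMTP reply."""
        # Rule 1: whitelisted IP or recipient is delivered immediately.
        if ip in self.whitelist_ips or recipient.lower() in self.whitelist_rcpts:
            return self.ACCEPT
        triplet = (recipient.lower(), sender.lower(), ip)
        rec = self.db.get(triplet)
        # Rule 2: unseen triplet -> record it and tempfail.
        if rec is None:
            self.db[triplet] = TripletRecord(first_seen=now, last_seen=now)
            return self.TEMPFAIL
        rec.last_seen = now
        # Rule 3: retried before the time limit -> tempfail again.
        if now - rec.first_seen < self.delay:
            return self.TEMPFAIL
        # Rule 4: time limit passed -> deliver (last_seen already updated above).
        return self.ACCEPT

    def purge(self, now):
        """Rule 5: forget triplets not seen for `expire` seconds; return how many."""
        stale = [t for t, r in self.db.items() if now - r.last_seen > self.expire]
        for t in stale:
            del self.db[t]
        return len(stale)


if __name__ == "__main__":
    g = Greylist(delay=300, expire=3600, whitelist_ips={"134.68.140.202"})
    for t in (0, 120, 400):   # constructed attempt times in seconds
        print(t, g.check("smo@cs.iupui.edu", "x@example.org", "203.0.113.9", now=t))
```

The 450 reply is what makes this a filter: a compliant MTA queues and retries, while a great deal of bot-sent spam never comes back. The cost is the delay on first contact with every new sender/recipient pair, which is why whitelisting known mail relays (such as the campus relayhost) matters.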
Sender Policy Framework (SPF)
Receiving host verifies sender is a legitimate mail server for the originating domain
Add TXT (SPF) records to Domain DNS
  Domain specific
  Each host with an MX record (also A, PTR, IP addr, external hosts)
  cs.iupui.edu. IN TXT "v=spf1 mx a:storm.cs.iupui.edu"
Issues
  Breaks email forwarding
  Spammers can still send messages if they have an account on the domain
  Most major ISPs do not support SPF (yet)
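The record on the slide, "v=spf1 mx a:storm.cs.iupui.edu", is evaluated by the receiving host by resolving each mechanism and comparing the connecting IP. The evaluator below is an added example, not the course's code and not a full RFC 7208 implementation: it handles the mechanisms the slide names (mx, a, a:host) plus ip4 and all, with the usual +/-/~/? qualifiers, against a constructed DNS table. tempest's address is the one on the slides; storm's address and the trailing "-all" are assumptions added so that the "breaks email forwarding" issue can be shown as a fail result.

```python
import ipaddress

# Constructed DNS data. tempest's address is the one on the slides; storm's
# address and the trailing "-all" are assumptions added for the demonstration.
DNS = {
    "cs.iupui.edu": {
        "MX": ["tempest.cs.iupui.edu"],
        "TXT": ["v=spf1 mx a:storm.cs.iupui.edu -all"],
    },
    "tempest.cs.iupui.edu": {"A": ["134.68.140.202"]},
    "storm.cs.iupui.edu": {"A": ["192.0.2.10"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table above."""
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def check_host(ip, domain):
    """Evaluate the domain's SPF record for a connecting IP.
    Supports mx, a, a:host, ip4 and all; include/exists/ptr and macros are
    out of scope here and yield permerror."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if not records:
        return "none"            # domain publishes no SPF policy
    if len(records) > 1:
        return "permerror"       # RFC 7208: more than one record is an error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(addr == ipaddress.ip_address(a)
                          for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(addr == ipaddress.ip_address(a)
                          for mx in lookup(arg or domain, "MX")
                          for a in lookup(mx, "A"))
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]   # first matching mechanism decides
    return "neutral"                  # nothing matched and no "all" term


if __name__ == "__main__":
    # Constructed scenario: the same MAIL FROM domain seen from the campus MX,
    # from storm, and from an unrelated forwarding host.
    for ip in ("134.68.140.202", "192.0.2.10", "203.0.113.77"):
        print(ip, "->", check_host(ip, "cs.iupui.edu"))
```

The third case is the forwarding problem from the slide in code: a message that legitimately left cs.iupui.edu and was forwarded by 203.0.113.77 still carries the cs.iupui.edu envelope sender, so the receiver's check returns fail. The slide's record as published has no "all" term at all, so an unknown IP would return neutral rather than fail; the "-all" here is the assumption that turns the policy into something a receiver can act on.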
CS Email Architecture
[Diagram: mail arrives over smtp at postfix and is handed to Maia-Mailguard (Amavisd), which runs clamav and spamassassin; clean mail continues to Procmail and the Mail spool, while flagged mail goes to the Quarantine (MySQL); a Greylist stage is marked with a "?".]
Clam Antivirus
Open Source
If signature match… Added header fields:
  Delivered-To: virus-quarantine
  X-Quarantine-Id: <zzWB7-YxAXsI>
  X-Amavis-Alert: INFECTED, message contains virus: <virus signature ID>
Moved to quarantine area
Email sent to [email protected]
Hourly checks for signature updates
Phishing signatures included
Spamassassin
Open Source (Part of Apache project)
Weighted Heuristic tests: Full Message, Header, Body, URI
Third party plugins
SA: Full Message Tests
Message found in hashed Spam databases
  Entries contributed by Spam recipients
  Uses statistical and randomized signatures
  Distributed Checksum Clearinghouse (DCC)
  Vipul's Razor
SA: Message Header Tests
Header Anomalies (length, sender, etc.)
Subject Obfuscation
Realtime Blackhole Lists (RBL): Open Relays/Proxy (SORBS), Address/Domain Abuse lists
Sender Policy Framework (SPF)
DomainKeys
SA: Message Body Tests
Common Spam content checks
HTML obfuscation*
Locale specific checks
URLs in RBLs
Bayesian Filters
  Calculates probability message is Spam: (- score) < 50% / (+ score) > 50%
  Must be trained using Spam and "Ham"
*The Spammers' Compendium
SA: URI Message Tests
Focuses on embedded URLs: Keywords in URLs, Address obfuscation, TLD checks, CGIs and Authentications
Spam Thresholds
Spam check [header] tagging (-999): Spam Status (Score & breakdown by test), Spam-level histogram
Spam detected (6.3)
Quarantine Level (-)
Header Tagging Example
X-Spam-Status: No, hits=6.069 tagged_above=3 required=6.3
  tests=[DNS_FROM_RFC_ABUSE=0.374, DNS_FROM_RFC_POST=1.376, HTML_50_60=0.095,
  HTML_FONT_BIG=0.232, HTML_IMAGE_ONLY_24=1.003, HTML_MESSAGE=0.001,
  MIME_HTML_ONLY=1.158, MSGID_FROM_MTA_HEADER=0, RCVD_IN_BL_SPAMCOP_NET=1.832,
  SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
X-Spam-Level: ******
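The header on this slide and the thresholds on the previous one fit together arithmetically: the eleven test scores sum to the hits value, hits above tagged_above (3) is why the headers were added at all, hits below required (6.3) is why the flag reads "No", and the six stars in X-Spam-Level are the integer part of the score. The parser below is an added example (not SpamAssassin or Amavisd code) that checks exactly those relationships on a copy of the slide's header; the sample value is a constructed single-line copy of what the slide shows.

```python
import re

# Constructed single-line copy of the X-Spam-Status value shown on the slide.
SAMPLE_STATUS = (
    "No, hits=6.069 tagged_above=3 required=6.3 tests=[DNS_FROM_RFC_ABUSE=0.374, "
    "DNS_FROM_RFC_POST=1.376, HTML_50_60=0.095, HTML_FONT_BIG=0.232, "
    "HTML_IMAGE_ONLY_24=1.003, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.158, "
    "MSGID_FROM_MTA_HEADER=0, RCVD_IN_BL_SPAMCOP_NET=1.832, SPF_HELO_PASS=-0.001, "
    "SPF_PASS=-0.001]"
)

STATUS_RE = re.compile(
    r"\s*(Yes|No),\s*hits=(-?[\d.]+)\s+tagged_above=(-?[\d.]+)\s+required=(-?[\d.]+)"
    r"\s+tests=\[(.*?)\]", re.S)


def parse_spam_status(value):
    """Split an X-Spam-Status value into flag, thresholds and per-test scores."""
    m = STATUS_RE.match(value)
    if not m:
        raise ValueError("unrecognised X-Spam-Status header")
    tests = {}
    for item in m.group(5).split(","):
        item = item.strip()
        if item:
            name, _, score = item.partition("=")
            tests[name] = float(score)
    return {"flag": m.group(1) == "Yes", "hits": float(m.group(2)),
            "tagged_above": float(m.group(3)), "required": float(m.group(4)),
            "tests": tests}


def classify(info):
    """Recompute the score from the test breakdown and apply the thresholds."""
    total = round(sum(info["tests"].values()), 3)
    return {
        "score": total,
        "consistent": abs(total - info["hits"]) < 0.0005,   # breakdown adds up to hits?
        "tagged": total >= info["tagged_above"],             # X-Spam-* headers added at all
        "spam": total >= info["required"],                   # would be flagged "Yes"
        "level": "*" * max(0, int(total)),                   # X-Spam-Level bar
        "top_tests": sorted(info["tests"].items(), key=lambda kv: -kv[1])[:3],
    }


if __name__ == "__main__":
    result = classify(parse_spam_status(SAMPLE_STATUS))
    for k, v in result.items():
        print(f"{k}: {v}")
```

Reading the breakdown this way is what an administrator does when tuning required: here a SpamCop listing, an image-only HTML body and two RFC-abuse DNS checks carry the score, and a threshold of 6.0 rather than 6.3 would have flagged the message. The "consistent" check is also a cheap way to spot a forged header injected by a sender, since a real X-Spam-Status always adds up.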
Procmail (MDA)
Handles where incoming messages are stored
Procmail "recipes"
  System-wide: /etc/procmail
  User: ~/.procmailrc
Single recipe & recipe chaining
Recipe Example:
:0:
* ^Subject: Broker Alert
$SPAMMAYBE
Also great for managing email lists/folders
Vacation-Away messages