Email Services CSCI N321 – System and Network Administration Copyright © 2007 by Scott Orr and the Trustees of Indiana University


Page 1: Email Services

CSCI N321 – System and Network Administration

Copyright © 2007 by Scott Orr and the Trustees of Indiana University

Page 2: Section Overview

Email Architecture

Postfix Configuration

Mail forwarding

CS Spam-Filtering Architecture

Procmail

Page 3: References

Postfix Site – http://www.postfix.org

Red Hat Deployment Guide, Chapter 24 – Email

Page 4: Email Server Architecture

[Diagram] Mail arrives over smtp(s) at an MTA (sendmail), is relayed over smtp to the local MTA (postfix) and handed to the MDA (procmail), which stores it; the MUA (Outlook) retrieves it over imap(s) or pop(s) through the access agents (AA: imapd, popd).

Page 5: SMTP Protocol

[smo@sysadmin ~]$ telnet tempest.cs.iupui.edu 25
Trying 134.68.140.202...
Connected to tempest.cs.iupui.edu (134.68.140.202).
Escape character is '^]'.
220 tempest.cs.iupui.edu ESMTP Postfix
helo sysadmin
250 tempest.cs.iupui.edu
mail from: <[email protected]>
250 2.1.0 Ok
rcpt to: <[email protected]>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: Hello

Hi Scott.
.
250 2.0.0 Ok: queued as B06375050618
quit
221 2.0.0 Bye
Connection closed by foreign host.

Page 6: Postfix MTA

More secure replacement for Sendmail

Suite of programs to handle email

postfix <option>: start, stop, reload, flush

Configuration files: /etc/postfix/master.cf, /etc/postfix/main.cf

Page 7: master.cf

Maps services to postfix daemons

Format (one line per service): Service Name, Service Type (inet | fifo | unix), Private (y | n), Unprivileged (y | n), Chroot (y | n), Wakeup #, Maxproc #, command + args

Spam and Virus filtering

Page 8: main.cf – Directories/Owner

Key Directories

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_spool_directory = /var/spool/mail
config_directory = /etc/postfix

Ownership

mail_owner = postfix

Page 9: main.cf – Delivery Addresses

Address Configuration

myhostname = tempest.cs.iupui.edu
mydomain = cs.iupui.edu
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

Smart Host

relayhost = mail-relay.iu.edu

Page 10: main.cf – SMTPd

smtpd_banner = $myhostname ESMTP $mail_name

smtpd_helo_required = yes

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

Page 11: Authenticated Delivery

Only allow valid users to send email

main.cf:
smtpd_sasl_auth_enable = yes
smtpd_sasl_loglevel = 2
smtpd_sasl_received_header = yes

saslauthd Daemon
/etc/sysconfig/saslauthd
/usr/lib/sasl2/smtpd.conf

Page 12: SSL Support

Authenticated access must be protected

main.cf:
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/certs/smtpd.key
smtpd_tls_cert_file = /etc/postfix/certs/smtpd.crt
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s

Page 13: Mail Forwarding

/etc/postfix/aliases
alias: real-address[,…]

[email protected]

alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

~/.forward

Mailing lists
alias: :include:<path_to_file>
Majordomo & mailman

Page 14: Reading Email

IMAP/IMAPS
Used to read messages online
Should always be used via SSL
Typically started via inetd/xinetd

Webmail
Squirrelmail
Horde

Page 15: Opening Spam-dora’s Box

April 12, 1994 – Lawyers Laurence Canter and Martha Siegel sent a message about the upcoming Green Card lottery to some 6000+ Usenet news groups in less than 90 minutes. Arizona ISP Internet Direct received so many email complaints that their email server(s) crashed more than 15 times. C&S's account was cancelled and they threatened to sue (although they never did). C&S published How to Make a Fortune on the Information Superhighway (1995).

Page 16: 14 years later…

SPAM (Unsolicited Commercial Email): 60% - 94% of all email (1st Qtr. 2008)
Phishing attacks: less than 1% of all email but growing
Significant increase in botnets
Top spam-sending countries: United States (37.9%), China (4.6%), United Kingdom (4.3%), Germany (3.8%), Brazil (3.8%)

Source: Commtouch Software Online Labs

Page 17: Costs of Spam

Spammers: great ROI!!!, malware writer partnerships, phishing

Recipient: time, bandwidth, storage space

Page 18: SPAM Filtering Techniques

Black lists
White lists
Content (keyword blocking)
Invalid addresses/header values
Heuristics
Bayesian Filtering

Page 19: Greylisting

Each message identified by a triplet: envelope recipient, envelope sender, IP address of delivering host

Delivery based on the following rules:
If IP address or recipient on whitelist – send msg to recipient
If triplet not seen before – send tempfail msg and record triplet
If time limit on triplet not expired – send tempfail msg
If time limit on triplet expired – send msg to recipient and update last seen time
Remove triplet from database after not seen for set period of time
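The greylisting rules above carried through as code, added here as an example rather than the course's or any greylisting daemon's implementation; the delay and expiry values, the addresses and the `now` parameter (passed in so the clock can be simulated) are constructed.

```python
import time

class Greylist:
    """Triplet (recipient, sender, client IP) greylisting following the slide's rules."""
    TEMPFAIL = "450 4.7.1 Greylisted, please try again later"  # sender MTA should retry
    ACCEPT = "250 2.1.5 Ok"

    def __init__(self, delay=300, expire=36 * 3600, ip_whitelist=(), rcpt_whitelist=()):
        self.delay = delay            # seconds a new triplet must wait (constructed default)
        self.expire = expire          # drop triplets not seen for this long (constructed default)
        self.ip_whitelist = set(ip_whitelist)
        self.rcpt_whitelist = set(rcpt_whitelist)
        self.db = {}                  # triplet -> (first_seen, last_seen)

    def check(self, sender, recipient, ip, now=None):
        """Return the SMTP reply for one delivery attempt; 'now' defaults to the wall clock."""
        now = time.time() if now is None else now
        self.purge(now)
        # Rule 1: whitelisted IP or recipient bypasses greylisting entirely.
        if ip in self.ip_whitelist or recipient.lower() in self.rcpt_whitelist:
            return self.ACCEPT
        key = (recipient.lower(), sender.lower(), ip)
        # Rule 2: unknown triplet -> record it and ask the sender to come back later.
        if key not in self.db:
            self.db[key] = (now, now)
            return self.TEMPFAIL
        first_seen, _ = self.db[key]
        # Rule 3: retried too early -> tempfail again (most spam engines never retry at all).
        if now - first_seen < self.delay:
            return self.TEMPFAIL
        # Rule 4: waited long enough -> deliver and refresh the last-seen time.
        self.db[key] = (first_seen, now)
        return self.ACCEPT

    def purge(self, now):
        """Rule 5: forget triplets not seen for longer than the expiry period."""
        stale = [k for k, (_, last) in self.db.items() if now - last > self.expire]
        for k in stale:
            del self.db[k]
```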

Page 20: Sender Policy Framework (SPF)

Receiving host verifies sender is legitimate mail server for originating domain
Add TXT (SPF) records to domain DNS
Domain specific
Each host with MX record (also A, PTR, IP addr, external hosts)

cs.iupui.edu. IN TXT "v=spf1 mx a:storm.cs.iupui.edu"

Issues
Breaks email forwarding
Spammers can still send messages if they have an account on the domain
Most major ISPs do not support SPF (yet)
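A minimal SPF check of the record on this slide, added as an example and not taken from the course: DNS answers come from a constructed table (tempest's address is from the telnet slide; storm's address, the domain A record and the example.org record with "-all" are assumptions), and only the mx, a, ip4 and all mechanisms are implemented.

```python
import ipaddress

# Constructed DNS zone standing in for real lookups.
DNS = {
    ("cs.iupui.edu", "TXT"): ['v=spf1 mx a:storm.cs.iupui.edu'],    # record from the slide
    ("cs.iupui.edu", "MX"): ["tempest.cs.iupui.edu"],
    ("cs.iupui.edu", "A"): ["134.68.140.1"],                         # assumption
    ("tempest.cs.iupui.edu", "A"): ["134.68.140.202"],               # from the telnet slide
    ("storm.cs.iupui.edu", "A"): ["134.68.140.203"],                 # assumption
    ("example.org", "TXT"): ['v=spf1 ip4:198.51.100.0/24 -all'],     # constructed, hard fail
}

def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])

def mechanism_matches(mech, domain, ip):
    """True if one mechanism (mx, a, a:host, ip4:cidr, all) covers the sending IP."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return str(ip) in lookup(arg or domain, "A")
    if name == "mx":
        return any(str(ip) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
    raise ValueError("unsupported mechanism: " + mech)

def check_spf(domain, sender_ip):
    """Evaluate the domain's v=spf1 record: pass, fail, softfail, neutral, or none (no record)."""
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in qualifiers else "+"   # no qualifier means "+"
        mech = term.lstrip("+-~?")
        if mechanism_matches(mech, domain, ip):
            return qualifiers[qual]
    return "neutral"   # nothing matched and no explicit "all": the slide's record ends this way
```

A forwarding host is not listed in the domain's record, so its deliveries land in the "neutral" (or, with "-all", "fail") branch: that is the "breaks email forwarding" issue on the slide.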

Page 21: CS Email Architecture

[Diagram] Incoming smtp is accepted by postfix and passed to Maia-Mailguard (Amavisd), which runs clamav and spamassassin; accepted mail goes through Procmail into the mail spool, while flagged mail goes to the Quarantine (MySQL). A Greylist stage is marked “??” on the slide.

Page 22: Clam Antivirus

Open Source
If signature matches, added header fields:
Delivered-To: virus-quarantine
X-Quarantine-Id: <zzWB7-YxAXsI>
X-Amavis-Alert: INFECTED, message contains virus: <virus signature ID>

Moved to quarantine area
Email sent to [email protected]

Hourly checks for signature updates
Phishing signatures included

Page 23: Spamassassin

Open Source (part of Apache project)
Weighted heuristic tests: full message, header, body, URI
Third party plugins

Page 24: SA: Full Message Tests

Message found in hashed spam databases
Entries contributed by spam recipients
Uses statistical and randomized signatures
Distributed Checksum Clearinghouse (DCC)
Vipul’s Razor

Page 25: SA: Message Header Tests

Header anomalies (length, sender, etc.)
Subject obfuscation
Realtime Blackhole Lists (RBL): open relays/proxies (SORBS), address/domain abuse lists
Sender Policy Framework (SPF)
DomainKeys

Page 26: SA: Message Body Tests

Common spam content checks
HTML obfuscation*
Locale specific checks
URLs in RBLs
Bayesian Filters: calculates probability message is spam; (- score) < 50% / (+ score) > 50%; must be trained using spam and “Ham”

*The Spammers' Compendium

Page 27: SA: URI Message Tests

Focuses on embedded URLs
Keywords in URLs
Address obfuscation
TLD checks
CGIs and authentication

Page 28: Spam Thresholds

Spam check [header] tagging (-999)
Spam Status: score & breakdown by test
Spam-level histogram
Spam detected (6.3)
Quarantine Level (-)

Page 29: Header Tagging Example

X-Spam-Status: No, hits=6.069 tagged_above=3 required=6.3
 tests=[DNS_FROM_RFC_ABUSE=0.374, DNS_FROM_RFC_POST=1.376, HTML_50_60=0.095, HTML_FONT_BIG=0.232, HTML_IMAGE_ONLY_24=1.003, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.158, MSGID_FROM_MTA_HEADER=0, RCVD_IN_BL_SPAMCOP_NET=1.832, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
X-Spam-Level: ******
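Parsing the X-Spam-Status header above and applying the thresholds from the previous slide (tag at tagged_above, spam at required, optional quarantine level), as an added example that is not course, amavisd or SpamAssassin code; the sample header is the slide's, and the quarantine_level parameter is an assumption standing in for the “-” (disabled) setting.

```python
import re

# The header from the slide, unfolded onto one line (constructed copy of the sample).
SAMPLE = ("X-Spam-Status: No, hits=6.069 tagged_above=3 required=6.3 "
          "tests=[DNS_FROM_RFC_ABUSE=0.374, DNS_FROM_RFC_POST=1.376, HTML_50_60=0.095, "
          "HTML_FONT_BIG=0.232, HTML_IMAGE_ONLY_24=1.003, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.158, "
          "MSGID_FROM_MTA_HEADER=0, RCVD_IN_BL_SPAMCOP_NET=1.832, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]")

def parse_spam_status(header):
    """Split an X-Spam-Status header into flag, scores, thresholds and the per-test breakdown."""
    body = re.sub(r"\s+", " ", header.split(":", 1)[1]).strip()
    flag = body.partition(",")[0].strip()
    number = lambda key: float(re.search(key + r"=(-?[\d.]+)", body).group(1))
    tests = {}
    m = re.search(r"tests=\[([^\]]*)\]", body)
    if m:
        for item in m.group(1).split(","):
            name, _, score = item.strip().partition("=")
            tests[name] = float(score)
    return {"is_spam": flag == "Yes", "hits": number("hits"), "tagged_above": number("tagged_above"),
            "required": number("required"), "tests": tests}

def score_consistent(status, tol=0.01):
    """Sanity check: the listed test scores should add up to the reported hits."""
    return abs(sum(status["tests"].values()) - status["hits"]) <= tol

def classify(status, quarantine_level=None):
    """Thresholds from the deck: tag above tagged_above, spam at required, quarantine above
    quarantine_level (None = quarantining disabled, like the '-' on the Spam Thresholds slide)."""
    hits = status["hits"]
    if quarantine_level is not None and hits >= quarantine_level:
        return "quarantine"
    if hits >= status["required"]:
        return "spam"
    if hits >= status["tagged_above"]:
        return "tagged"
    return "ham"

def level_bar(hits):
    """Reproduce X-Spam-Level: one star per whole point of score."""
    return "*" * int(hits) if hits > 0 else ""
```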

Page 30: Procmail (MDA)

Handles where incoming messages are stored
Procmail “recipes”

System-wide: /etc/procmail
User: ~/.procmailrc

Single recipe & recipe chaining

Recipe Example:
:0:
* ^Subject: Broker Alert
$SPAMMAYBE

Also great for managing email lists/folders
Vacation-away messages