SANOG34 – Kolkata 3-7 August – 2019
Mail Protocol, Postfix and Mail security
How Email Appears to Work
How Email Really Works
Message Format
• Envelope
  – Routing information for the "postman"
• Message Header
  – Sender
  – Recipients (simple, lists, copies, blind copies)
  – Other fields of control (date, subject)
• Message Body
  – Free text
  – Structured document (e.g. MIME)
Message Format
  From: GZ Kabir <[email protected]>
  To: Diep Kong <[email protected]>
  Cc: Moin <[email protected]>
  Subject: How Internet mail works

  Hi Kong, I'm going to be running a course on ...
• Format was originally defined by RFC 822 in 1982
• Now superseded by RFC 2822
• Message consists of
  – Header lines
  – A blank line
  – Body lines
Message Format
• Embedded MUA uses inter-process call to send to MTA
• Freestanding MUA uses SMTP to send mail
• Headers added by the MUA before sending
  From: GZ Kabir <[email protected]>
  To: Diep Kong <[email protected]>
  Cc: Moin <[email protected]>
  Subject: How Internet mail works

  Hi Kong, I'm going to be running a course on ...
• Headers added by MTAs
Mail Delivery Agent (MDA) / Mail Transfer Agent (MTA)
  From: GZ Kabir <[email protected]>
  To: Diep Kong <[email protected]>
  Cc: Moin <[email protected]>
  Subject: How Internet mail works
  …..
A message in Transit
• A message is transmitted with an envelope:
  – MAIL FROM:<[email protected]>
  – RCPT TO:<[email protected]>
• The envelope is separate from the RFC 2822 message
• Envelope (RFC 2821) fields need not be the same as the header (RFC 2822) fields
• MTAs are (mainly) concerned with envelopes
  – Just like the Post Office...
• Error ("bounce") messages have null senders or Postmaster's
  – MAIL FROM:<>
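The header/body layout from the Message Format slides and the envelope-versus-header distinction above, as an added example that is not part of the presentation: a small parser for the RFC 2822 layout (header lines, one blank line, body lines, with folded continuation lines) and a check of the envelope MAIL FROM / RCPT TO against the From/To/Cc fields. The sample message and all addresses are constructed placeholders.

```python
import re

def parse_message(raw):
    """Split an RFC 2822 message into unfolded header fields and a body:
    header lines, one blank line, then body lines."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:      # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers, body

ADDR_RE = re.compile(r"<([^>]+)>|([^\s,<>]+@[^\s,<>]+)")

def addresses(value):
    """Extract bare addresses from a From/To/Cc value such as 'GZ Kabir <a@b>'."""
    return [a or b for a, b in ADDR_RE.findall(value)]

def compare_envelope(raw, mail_from, rcpt_to):
    """Compare the SMTP envelope with the RFC 2822 header: report whether the
    envelope sender matches the header From, which envelope recipients are
    absent from To/Cc (as Bcc recipients are), and whether it is a bounce."""
    headers, _ = parse_message(raw)
    hdr = {}
    for name, value in headers:
        hdr.setdefault(name.lower(), []).extend(addresses(value))
    header_from = (hdr.get("from") or [""])[0].lower()
    visible = {a.lower() for a in hdr.get("to", []) + hdr.get("cc", [])}
    return {
        "sender_matches": mail_from.lower() == header_from,
        "hidden_rcpts": sorted(r for r in rcpt_to if r.lower() not in visible),
        "is_bounce": mail_from == "",      # MAIL FROM:<> is the null sender
    }

# Constructed sample modelled on the slide's message; addresses are placeholders.
SAMPLE = (
    "From: GZ Kabir <kabir@example.org>\n"
    "To: Diep Kong <kong@example.net>\n"
    "Cc: Moin <moin@example.net>,\n"
    "    Second Person <second@example.net>\n"
    "Subject: How Internet mail works\n"
    "\n"
    "Hi Kong, I'm going to be running a course on ...\n"
)
```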
An SMTP Session
  telnet mail7i.protonmail.ch 25
  220 mail7i.protonmail.ch ESMTP Postfix ...
  EHLO mail-pg0-f54.google.com
  250-mail7i.protonmail.ch ...
  250-SIZE 10485760
  250-PIPELINING
  250 HELP
  MAIL FROM:<[email protected]>
  250 OK
  RCPT TO:<[email protected]>
  250 Accepted
  DATA
  354 Enter message, ending with "."
  Received: from ...
  From: ...
  To: ...
  etc...
  250 OK id=10sPdr-00034H-00
  quit
  221 mail-pg0-f54.google.com closing conn...
SMTP return codes
  2xx OK
  3xx send more data
  4xx temporary failure
  5xx permanent failure
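An added example, not from the presentation, of the server side of the session above: a minimal SMTP state machine that answers with the 2xx/3xx/4xx/5xx codes just listed and applies the Postfix-style relay policy that appears later in the main.cf slide (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination), so an unauthenticated outside client can only deliver to local domains. The networks and domains mirror that main.cf; client IPs and mailboxes are constructed.

```python
import ipaddress

# Constructed to mirror the slide's main.cf; the relay policy emulated is
#   permit_mynetworks permit_sasl_authenticated defer_unauth_destination
MYNETWORKS = ["127.0.0.0/8", "61.45.254.0/24", "2001:df0:a:4::/64", "::1/128"]
MYDESTINATION = {"group1.group01.net", "localhost.group01.net", "localhost"}

def in_mynetworks(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in MYNETWORKS)

class SmtpdSession:
    """Minimal server-side SMTP state machine (added example, not Postfix code)."""
    def __init__(self, client_ip, authenticated=False):
        self.client_ip, self.authenticated = client_ip, authenticated
        self.mail_from, self.rcpts = None, []

    def relay_allowed(self, rcpt):
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in MYDESTINATION:         # final destination: not relaying at all
            return True
        if in_mynetworks(self.client_ip):   # permit_mynetworks
            return True
        return self.authenticated           # permit_sasl_authenticated, else defer

    def handle(self, line):
        """Return the reply for one client command line."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            return "250-group1.group01.net\r\n250-SIZE 10485760\r\n250 PIPELINING"
        if verb == "MAIL":
            self.mail_from = arg[len("FROM:"):].strip(" <>")   # "<>" = null sender
            self.rcpts = []
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Error: need MAIL command"
            rcpt = arg[len("TO:"):].strip(" <>")
            if not self.relay_allowed(rcpt):
                return "454 4.7.1 <%s>: Relay access denied" % rcpt
            self.rcpts.append(rcpt)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "554 5.5.1 Error: no valid recipients"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"
```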
DNS Resolution and Transfer Process
• To find the recipient's IP address and mailbox, the MTA must drill down through the DNS system, which consists of a set of servers distributed across the Internet, beginning with the root name servers
• Root servers refer requests for a given domain to the nameservers that handle requests for that TLD
  – The MTA can bypass this step because it already knows which domain nameservers handle requests for these TLDs
• e.g. bofh.im asks the appropriate DNS server which Mail Exchange (MX) servers have knowledge of the subdomain or local host in the email address
• The DNS server responds with an MX record: a prioritized list of MX servers for this domain
• To the DNS server, the server that accepts messages is an MX server. When it is transferring messages, it is called an MTA.
• The MTA contacts the MX servers on the MX record in order of priority until it finds the designated host for that address domain
• The sending MTA asks if the host accepts messages for the recipient's username at that domain (i.e., [email protected]) and transfers the message
Firewalls, Spam and Virus Filters
• An email encountering a firewall may be tested by spam and virus filters before it is allowed to pass inside the firewall
• Filters test to see if the message qualifies as spam or malware
• If the message contains malware, the file is usually quarantined and the sender is notified
• If the message is identified as spam, it will probably be deleted without notifying the sender.
Mail Transfer Agents (MTA)
• MTAs do the actual mail transfers
• MTAs are not meant to be directly accessed by users.
• Other MTAs are:
  – Postfix
  – Qmail
  – MS Exchange
  – CC:Mail
  – Lotus Notes
  – ... etc.
ESMTP (RFC 2821)
To get around the problems with simple SMTP, extended SMTP has been defined in RFC 2821. Clients wanting to use it should send an EHLO message instead of HELO initially. If this is rejected, then the server is a regular SMTP server, and the client should proceed in the usual way. If the EHLO is accepted, then new commands and parameters are allowed.
Mail access protocols
• POP3: Post Office Protocol [RFC 1939]
  – Simple and limited functionality
  – Consists of client software and server software
  – Server performs user authorization
• IMAP: Internet Mail Access Protocol [Version 4]
POP3
• Retrieves messages from a mail server
• Typically, messages are downloaded to your mail client, and deleted from the server
• Designed for use with dial-up connections when people were intermittently connected
• Listens on port 110 (with Secure POP generally on port 995)
Webmail
Webmail (or web-based email) is any email client implemented as a web application running on a web server
• Online in nature
• IMAP connections mostly
• Secured HTTP (HTTPS) is a must
• Can be hosted, e.g.: RoundCube, SquirrelMail, Horde, Zimbra, Rainloop, Kite, MailPile, iRedMail, etc.
• Webmail service providers: Gmail, Outlook, AOL, Yahoo, etc.
• Privacy and security concerns
• Easy to configure, easy to host.
Common Threat Landscape
• Eavesdropping
• Spamming and Phishing
• Spoofing
• Malicious Email Attachments
• Replying and Forwarding Issues
• CC & BCC Issues
Short History
• Originally developed in the late 90s at IBM by Wietse Venema, author of security software (SATAN, TCP Wrappers, ...), as "IBM Secure Mailer"
• Placed under an Open Source license, and renamed "Postfix"
• Intended as a replacement for then insecure mail systems, such as Sendmail
Design Goals
• Safety
• Robustness
• Performance
• Modularity
• Compatibility
Safety
• Postfix makes it very hard to lose mails – many checks to ensure that mail has been written to disk or delivered
• Back off mechanisms in case of repeated failure
Security
• Collection of daemons working together
• Doesn't use environment for communication
• Very paranoid about input checking, all allocation is dynamic (avoiding buffer overflows)
• chroot support out of the box for almost all processes & daemons
• No data is ever exchanged directly between processes – all is done via IPC, and files on disk
• Conservative resource usage
Performance
• Designed to be fast from the ground up
• Also behaves well with neighbors, doesn't flood them with mail, and instead uses a throughput adaptation
• Will not block delivery for a message if one recipient domain fails
Modular
• One program, one function
• All programs controlled from "master.cf"
• Many small programs working together, with limited privileges
• Compatible with Sendmail's /etc/aliases and .forward conventions
Features
• Virtual domains – domains and users are completely independent of system (UNIX) users
• Aliases – sendmail compatible
• Rewriting – senders, recipients, globally
• RBL (Realtime Blackhole Lists) support
• Content filtering using pipes, SMTP or milter
• Support for arbitrary mail manipulation with policy services (custom programs talking to postfix)
More Features
• Restriction classes
• Conditional filtering
• Sender or recipient address verification (test email addresses before accepting mail from them)
• TLS support
Basic Postfix Configuration
• Two primary configuration files
  – main.cf
    • Main configuration file where all the subsystems are configured (smtp, smtpd, cleanup, routing, ...)
  – master.cf
    • File controlling how the "master" process of postfix will launch all the necessary postfix daemons to perform mail routing, on-demand
Other Configuration Details
• Reside in "maps" mentioned earlier
• Tables containing values and conditions, referred to from main.cf, controlling all aspects such as:
  – Virtual and local domains
  – Routing rules
  – Access control
  – Rewriting
  – ...
Configuration: postconf command
• postconf – used to view and edit configuration parameters
• Changing the configuration is usually done by editing "main.cf" directly
Some Basic main.cf
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = group1.group01.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = group1.group01.net, localhost.group01.net, localhost
relayhost = group1.group01.net
mynetworks = 127.0.0.0/8 61.45.254.0/24 [2001:df0:a:4::]/64 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
Some Basic main.cf
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Some Basic main.cf
## in the file /etc/mailname
group1.group01.net

## in the file /etc/aliases
postmaster: root
sysadm: apnic