Linux Mail Server Basics

An MUA (Mail User Agent) or MSP (Mail Submission Program) composes a message and then connects to an MTA (Mail Transport Agent) via SMTP to relay the message out to a recipient.  The MTA queries DNS for the recipient domain's MX records and attempts to use the record with the lowest preference value (typically 10).  The MTA originates an outbound SMTP connection to the target MTA, which will either accept, defer, or reject the message.  If the message is accepted the target MTA assumes responsibility for delivery; if it rejects or defers, the originating MTA must requeue the message for another attempt.  When the target MTA accepts the message it hands it off to the MDA (Mail Delivery Agent), which writes the message to the mail spool in mbox format, maildir format, or, in advanced setups, a database.  On the client side the recipient uses an MUA to query an MRA (Mail Retrieval Agent) for new mail.  The primary protocols for retrieving internet mail are POP3 and IMAP or their SSL counterparts.  On Linux dovecot is a popular MRA.  The MRA reads the client's mail spool and returns messages and headers to the client's MUA.

IPTABLES for SMTP
Edit /etc/sysconfig/iptables and add the following after the ESTABLISHED,RELATED entry:
    -A Firewall-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT

    service iptables restart

SMTP Troubleshooting:
    find your mail server to troubleshoot
    dig -t mx sysxperts.com |grep MX

    telnet to it
    telnet mx1.sysxperts.com 25

    HELO pvalentino.com
    MAIL From: paul@pvalentino.com
    RCPT To: pvalentino@sysxperts.com
    DATA
    test
    .
    QUIT

Always test the MTA from a remote machine so that you can verify intervening firewalls and application layer access, and so that you are sure you are testing SMTP rather than LMTP.
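The telnet session above as an added example (not code from the original post): a Python client that performs the same HELO/MAIL/RCPT/DATA/QUIT steps with smtplib and classifies each reply as accept, defer or reject. The server it talks to is a constructed stand-in running on 127.0.0.1, not a real MTA, so the greeting, the hostnames and the 550 for nobody@ recipients are assumptions made for the demonstration.

```python
import smtplib
import socket
import threading

# Constructed stand-in for mx1.sysxperts.com: a tiny SMTP responder on
# 127.0.0.1 (not a real MTA) so the exchange can be run offline. It
# rejects nobody@ recipients with the 550 used in the access file example.
def _fake_mta(srv):
    while True:
        conn, _ = srv.accept()
        rfile = conn.makefile("rb")
        conn.sendall(b"220 mx1.sysxperts.com ESMTP (constructed test server)\r\n")
        for raw in rfile:
            cmd = raw.decode("ascii", "replace").rstrip("\r\n")
            verb = cmd.split(" ", 1)[0].upper()
            if verb == "DATA":
                conn.sendall(b"354 End data with <CR><LF>.<CR><LF>\r\n")
                while rfile.readline().rstrip(b"\r\n") not in (b".", b""):
                    pass  # swallow the body up to the lone "." terminator
                conn.sendall(b"250 2.0.0 queued\r\n")
            elif verb == "RCPT" and "<nobody@" in cmd.lower():
                conn.sendall(b"550 5.1.1 bad name\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 bye\r\n")
                break
            else:
                conn.sendall(b"250 2.0.0 ok\r\n")
        conn.close()

def start_fake_mta():
    """Listen on an ephemeral localhost port and return the port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    threading.Thread(target=_fake_mta, args=(srv,), daemon=True).start()
    return srv.getsockname()[1]

def outcome(code):
    """2xx: target MTA took responsibility; 4xx: deferred, requeue; 5xx: rejected."""
    return {2: "accepted", 4: "deferred", 5: "rejected"}.get(code // 100, "unknown")

def smtp_test(host, port, helo, sender, rcpt, body="test"):
    """HELO/MAIL/RCPT/DATA/QUIT as in the telnet session; returns each reply code."""
    s = smtplib.SMTP(host, port, timeout=5)
    codes = {"HELO": s.helo(helo)[0], "MAIL": s.mail(sender)[0]}
    codes["RCPT"] = s.rcpt(rcpt)[0]
    if outcome(codes["RCPT"]) == "accepted":  # only send DATA if RCPT was accepted
        codes["DATA"] = s.data(body)[0]
    codes["QUIT"] = s.quit()[0]
    return codes
```

Point smtp_test at a real MX host and port 25 to reproduce the manual session; the reply codes returned at each step tell you where a relay or firewall problem sits.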

Reading mail for testing options:
    mutt -f pop://user@computer
    mutt -f imap://user@computer
    or locally on the server itself
    mutt -f /var/spool/mail/user
    mail

To display smtp exchange between MSP and MTA
    mail -v user
To view the mail queue
    mailq
    mailq -Ac #will show the local MSP to MTA queue - name resolution problems can cause this queue to pile up
    sendmail -q #to reprocess the mail queue

Note that smtp does not check TCP Wrappers until after the HELO step, so when troubleshooting security do not rule out a TCP Wrappers issue just because you made it to HELO...
Note that LMTP is often used to deliver messages on localhost, and therefore some settings that apply to SMTP will not apply to LMTP.

Some choices for MTA include Sendmail, Postfix, & Exim

Virtual hosting is typically supported by rewriting the user portion of the email address, the domain portion of the email address or both.

SENDMAIL

    yum -y install m4 sendmail sendmail-cf

Edit the /etc/mail/sendmail.mc file to update the config #remember that dnl followed by a space is the syntax for a comment
then
    make -C /etc/mail  #to rebuild the config
    service sendmail restart #to apply the new config

you may also update the timestamps to force a rebuild
    touch /etc/mail/sendmail.mc

To configure sendmail to listen on all interfaces, comment out the loopback DAEMON_OPTIONS entry:
    dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA`)dnl
    service sendmail restart
    netstat -tupln |grep sendmail #should return a 0.0.0.0:25 entry

Check if sendmail recognizes hostname:
    sendmail -d0 < /dev/null  #if you see localhost references, check /etc/hosts and /etc/sysconfig/network to make sure they are configured properly

Edit /etc/mail/local-host-names and add your host names (make sure all valid names are included so that DSNs (Delivery Status Notifications) work properly), for example:
    sysxperts.com
    mx1.sysxperts.com
    mail.sysxperts.com

Configure outgoing mail with /etc/mail/submit.cf

To masquerade as a domain instead of a host, uncomment:
    EXPOSED_USER(`root')dnl
    FEATURE(masquerade_envelope)dnl
    MASQUERADE_AS(`sysxperts.com')dnl
    FEATURE(masquerade_entire_domain)dnl

Create local aliases in /etc/aliases and reload with the newaliases command
    root:  unixteam@sysxperts.com
    support:  | remedyticket

    ln -s  /support/remedy/remedyticket  /etc/smrsh/remedyticket #prevents damage to the system: sendmail only runs programs linked under the sendmail restricted shell directory
    newaliases

Create virtual aliases in /etc/mail/virtusertable and use make to rebuild
    hr@mynet.net        payday  #obvious
    jenny@hernet.net    shopping #obvious again
    @pvalentino.com     paul@pvalentino.com #everything to pvalentino.com is forwarded to paul@pvalentino.com
    @hisnet.net         %1@theirnet.net  #everything with a matching user is forwarded, i.e. paul@hisnet.net goes to paul@theirnet.net

To enable outbound rewriting in sendmail, comment out the following in sendmail.mc:
    FEATURE(`genericstable')dnl
    FEATURE(`always_add_domain')dnl
    GENERICS_DOMAIN_FILE(`/etc/mail/local-host-names')dnl

Populate /etc/mail/genericstable:
    paul@jethro.com    paul@ellymay.com
    amy@darin.com    amy.valentino@geanie.com #all these domains must be in local-host-names file
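The inbound (virtusertable) and outbound (genericstable) rewrites described above, as an added example in Python (not code from the original post or from sendmail): the map contents are constructed copies of the entries shown, the %1 substitution and @domain catch-all are applied the way the text describes, and the set of domains the rewrites apply to (local-host-names) is assumed for the demonstration.

```python
# Constructed copies of the /etc/mail/virtusertable and /etc/mail/genericstable
# entries from the text; '%1' stands for the original user part of the address.
VIRTUSERTABLE = """\
hr@mynet.net        payday
jenny@hernet.net    shopping
@pvalentino.com     paul@pvalentino.com
@hisnet.net         %1@theirnet.net
"""
GENERICSTABLE = """\
paul@jethro.com    paul@ellymay.com
amy@darin.com      amy.valentino@geanie.com
"""
# Domains the server accepts mail for (local-host-names); assumed for the example.
LOCAL_HOST_NAMES = {"mynet.net", "hernet.net", "pvalentino.com", "hisnet.net",
                    "jethro.com", "darin.com"}

def parse_map(text):
    """Two-column map file: key, whitespace, value; '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip()
    return table

def virtuser_rewrite(table, address, local_domains=LOCAL_HOST_NAMES):
    """Inbound rewrite: exact user@domain entry first, then the @domain
    catch-all with %1 replaced by the original user. Addresses in domains
    the server does not accept mail for are left alone."""
    user, _, domain = address.lower().partition("@")
    if domain not in local_domains:
        return address
    if address.lower() in table:
        return table[address.lower()]
    if "@" + domain in table:
        return table["@" + domain].replace("%1", user)
    return address  # no virtual entry: normal local delivery

def generics_rewrite(table, address, generic_domains=LOCAL_HOST_NAMES):
    """Outbound rewrite of a local sender: exact user@domain entry, or a bare
    user entry that applies to every domain in GENERICS_DOMAIN_FILE."""
    user, _, domain = address.lower().partition("@")
    if domain not in generic_domains:
        return address
    return table.get(address.lower(), table.get(user, address))
```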

Address rewrites work for smtp but not lmtp

Adding Restrictions:
    uncomment in sendmail.mc:
        FEATURE(`blacklist_recipients')dnl

    edit /etc/mail/access:
        From:spammer@spam.com     REJECT
        Connect:spammers.net      REJECT
        Connect:10.1.4            OK
        To:user@xxx4fun.com       ERROR:550 mail discarded
        To:nobody@                ERROR:550 bad name
Tags are now required in the sendmail access file; the untagged form is no longer supported.

Using alternatives to swap your default MTA
    alternatives --display mta  #shows you what you're using
    alternatives --config mta  #lets you choose from available mta's
    alternatives --set mta /usr/sbin/sendmail.postfix  # will set up Postfix as the default MTA
    #GUI tools are also available: yum -y install system-switch-mail system-switch-mail-gnome

POSTFIX

yum -y install postfix
Edit /etc/postfix/main.cf to configure

postconf -d #shows default settings
postconf -n  #shows current non-default settings
postconf -e key=value #modifies the main.cf file
postconf -m #shows supported map types
postmap -s /etc/postfix/access #shows all access entries
postmap -q exactkey /etc/postfix/access #query a specific access key

postqueue -f or postsuper -r ALL #will flush the mail queue
postqueue -p #view deferred messages

mail -v user and the same troubleshooting steps as for sendmail apply

man 5 postconf is your buddy

    smtpd - accepts messages over SMTP from other MTAs and MUAs and hands them to the queue
    pickup - moves locally submitted messages from the maildrop queue to the incoming queue
    nqmgr (qmgr in current Postfix) - passes messages from the incoming queue to the delivery agents for transmission, relay, or local delivery

Incoming postfix config:
    inet_interfaces = all
    #inet_interfaces = localhost
    mydestination = $myhost, localhost, $mydom, $mydom2
service postfix restart

Enabling archiving of all messages in and out:
    always_bcc = address

netstat -tupln |grep master #should return a 0.0.0.0:25 entry, or your IP if you specified one

For domain masquerading uncomment:
    myorigin = $mydomain  #confirm $mydomain with the hostname command, verify /etc/sysconfig/network and /etc/hosts are correct
    masquerade_exceptions = root

Local aliases are handled the same as in sendmail above, using /etc/aliases with newaliases or postalias

Enable virtual aliases in main.cf with:
    virtual_alias_maps = hash:/etc/postfix/virtual

Populate /etc/postfix/virtual in same format as sendmail then rehash the file with:
    postmap /etc/postfix/virtual

Outbound rewriting is enabled with:
    smtp_generic_maps = hash:/etc/postfix/generic
    then populate /etc/postfix/generic
        paul@sysxperts.com    paul@sysxperts2.com
    postmap /etc/postfix/generic
    service postfix restart

Add restrictions by creating /etc/postfix/access using the same syntax as /etc/mail/access shown above for sendmail, except untagged, and rehash it with postmap.
    in /etc/postfix/main.cf
    smtpd_TAG_restrictions =     #where TAG is either sender, recipient, or client
        check_TAG_access hash:/etc/postfix/access,
        permit_mynetworks, reject_unauth_destination
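How the access entries above are matched, as an added example (not code from the original post, sendmail or Postfix): a lookup that parses the tagged sendmail form and the untagged Postfix form into one table, then tries the key and its progressively shorter forms (IP prefixes, parent domains, user@) the way the text's Connect:10.1.4 and To:nobody@ entries rely on. The file contents are constructed copies of the entries shown; the lookup order is a simplified model of the real access db and is an assumption.

```python
import re

# Constructed copy of the /etc/mail/access entries from the text.
ACCESS_FILE = """\
From:spammer@spam.com    REJECT
Connect:spammers.net     REJECT
Connect:10.1.4           OK
To:user@xxx4fun.com      ERROR:550 mail discarded
To:nobody@               ERROR:550 bad name
"""

def parse_access(text, default_tag=None):
    """Parse access lines into {(tag, key): action}. Sendmail lines carry a
    From:/To:/Connect: tag; for the untagged Postfix file pass default_tag
    (the TAG of the check_TAG_access restriction the file is used in)."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        lhs, rhs = line.split(None, 1)
        tag, sep, key = lhs.partition(":")
        if not sep:  # untagged: the restriction it is used in supplies the tag
            tag, key = (default_tag or ""), lhs
        table[(tag.lower(), key.lower())] = rhs.strip()
    return table

def candidates(key):
    """Keys tried in order (assumed, simplified model): the exact value, then
    IP prefixes (10.1.4.7 -> 10.1.4 -> 10.1 -> 10) or parent domains, and for
    an address the domain hierarchy followed by the bare user@ form."""
    keys = [key]
    if re.fullmatch(r"\d+(\.\d+){1,3}", key):
        octets = key.split(".")
        keys += [".".join(octets[:i]) for i in range(len(octets) - 1, 0, -1)]
    elif "@" in key:
        user, domain = key.split("@", 1)
        keys += candidates(domain) if domain else []
        keys.append(user + "@")
    else:
        labels = key.split(".")
        keys += [".".join(labels[i:]) for i in range(1, len(labels))]
    return keys

def lookup(table, tag, key):
    """Action for the first matching candidate; None means no entry, so the
    MTA's other restrictions decide."""
    for k in candidates(key.lower()):
        if (tag.lower(), k) in table:
            return table[(tag.lower(), k)]
    return None
```

Checking a few client IPs and addresses with lookup() before rebuilding the map is a cheap way to confirm that a Connect: prefix or a user@ entry is as broad, or as narrow, as you intended.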
