Email services
Anders Wiehe, IT department, Gjøvik University College
Topics
- Lessons learnt
- Planning a new email system
- Lab: Basic configuration
- Lab: SMTP: Postfix configuration
- Lab: POP3/IMAP: Dovecot configuration
- Lab: Webmail: SquirrelMail
- Lab extra: LDAP: OpenLDAP
- The current email system at GUC
- The next generation email system at GUC
Lessons learnt
- Automatic routines! Account and address creation, communication with other systems
- Configure new users' clients with the correct servers, email address and address lookup: less support
- Sending and receiving available from everywhere: TLS and SMTP authentication (instead of VPN)
Planning a new (large) email system
- SMTP/POP3/IMAP/Webmail
- Authentication, user information
- Availability
- Server side filtering
- Mailbox format
- Filesystem
- Quota
- Backup and restore
Lab: Basic configuration
- Two CentOS virtual machines will become two email systems
- tar zxf centos-sysadm.tar.gz into two different locations and power them on
- Set hostnames in /etc/hosts, for example:
    <ip> vincent.hig.no
    <ip> vic.hig.no
- Challenge: configure bind
- Add two users: vincent on vincent, and vic on vic
Lab: Postfix
- yum install postfix; service postfix start; chkconfig --level 35 postfix on
- Take a look at /etc/postfix, especially /etc/postfix/main.cf: inet_interfaces = all, smtp_host_lookup = native
- Challenge: configure Postfix to receive email for the domains configured in bind
- Extra 1: Address lookup via LDAP
- Extra 2: Antispam
- Extra 3: TLS and SMTP authentication; no open relays or unencrypted passwords!
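A check for the Extra 3 goal, as an added example (not part of the lecture's lab material): it parses a main.cf fragment and flags the two classic mistakes, a blanket permit before reject_unauth_destination and SMTP AUTH offered without TLS. The parameter names are real Postfix ones; the two sample fragments are constructed.

```python
"""Check a Postfix main.cf for the Extra 3 goals above: no open relay and no
SMTP AUTH on unencrypted sessions. Added example, not the lecture's lab
material; the two main.cf fragments below are constructed."""

def parse_main_cf(text):
    """main.cf syntax: 'name = value'; a line starting with whitespace continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if raw[0:1] in (" ", "\t") and last and raw.strip():
            params[last] += " " + raw.strip()
        elif "=" in raw and not raw.lstrip().startswith("#"):
            name, value = raw.split("=", 1)
            last = name.strip()
            params[last] = value.strip()
    return params

def audit_relay_and_auth(p):
    """Return a list of findings; an empty list means both goals are met."""
    findings = []
    items = p.get("smtpd_recipient_restrictions", "").replace(",", " ").split()
    # Open relay: unknown clients must reach reject_unauth_destination before any
    # blanket permit. (Postfix >= 2.10 also evaluates smtpd_relay_restrictions.)
    cut = items.index("reject_unauth_destination") if "reject_unauth_destination" in items else len(items)
    if cut == len(items):
        findings.append("open relay: reject_unauth_destination missing")
    for r in items[:cut]:
        if r.startswith("permit") and r not in ("permit_mynetworks", "permit_sasl_authenticated"):
            findings.append(f"open relay: {r} lets unauthenticated clients relay")
    # Unencrypted passwords: with SMTP AUTH on, TLS must be on and AUTH must be
    # announced only after STARTTLS (smtpd_tls_auth_only = yes).
    if p.get("smtpd_sasl_auth_enable", "no") == "yes":
        if p.get("smtpd_use_tls", "no") != "yes" and p.get("smtpd_tls_security_level", "none") == "none":
            findings.append("SMTP AUTH enabled without TLS")
        if p.get("smtpd_tls_auth_only", "no") != "yes":
            findings.append("smtpd_tls_auth_only != yes: AUTH offered in plaintext")
    return findings

# Constructed: a weak lab configuration and its corrected counterpart.
WEAK_MAIN_CF = """smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit,
    reject_unauth_destination
"""
FIXED_MAIN_CF = """smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
"""
```

On a real server, feed it the output of `postconf -n` instead of a pasted fragment.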
Lab: Dovecot
- yum install dovecot (/etc/dovecot.conf)
- Extra 1: TLS (test with openssl s_client)
- Extra 2: Various mailbox formats (Postfix, dbox?)
- Extra 9: Features in version 1.0/1.1: mailbox indexing while delivering, quota plugin, Sieve mail filtering, mail forwarding, vacation
Lab: SquirrelMail
- yum install squirrelmail; service httpd start
- Point your browser to http://<server IP 1>/webmail/ and send email to the other email system, ...
- Configuration is also possible: /etc/squirrelmail/config.php
- Extra 1: Configure it
- Extra 2: Look at the possibilities with plugins: address lookup, vacation, spam filtering, forward, ...
Lab extra: OpenLDAP
- yum install openldap openldap-clients openldap-servers
- Server configuration directives:
    database bdb
    suffix "dc=hig,dc=no"
    rootdn "cn=manager,dc=hig,dc=no"
    rootpw <output from slappasswd>
    sizelimit unlimited
- Load entries: ldapadd -x -D "cn=manager,dc=hig,dc=no" -W -f <file>
- LDAP Browser/Editor (Java, freshmeat.net)
The current email system at GUC
(Diagram: Internet, MX for hig.no, ratbert.hig.no; outgoing email from pat.hig.no and studenter.hig.no goes through ratbert)
- ratbert.hig.no: MX for hig.no
- pat.hig.no: Mailboxes and relay for employees
- studenter.hig.no: Mailboxes and relay for students
ratbert.hig.no (I)
- Software: Linux, Postfix 2.1.5, ClamAV 0.88.2, MySQL 3.23.58
- Hardware: 2x 2.8 GHz Pentium 4, 1 GB RAM, 18 GB mail spool
- ~15000 emails or 800-1000 MB per day
- All antispam methods run on ratbert
- Load < 0.1
ratbert.hig.no (II)
- Uses AD LDAP searches to determine whether an address is valid and what the delivery address is:
    001234@hig.no -> 001234@studenter.hig.no
    fornavn.ettern@hig.no -> 001234@studenter.hig.no
- Uses AD LDAP searches to determine group members: s-imt@hig.no -> 001234@studenter, 002345@studenter, ... (this may be changed soon: Mailman)
- Uses (a local file and) AD LDAP searches to determine employee addresses: anders.wiehe@hig.no -> anderswi@pat.hig.no
ratbert.hig.no (III)
- alias_maps = hash:/etc/aliases, ldap:/etc/postfix/aliases-ldap-student, ...
- Contents of the LDAP map file (e.g. /etc/postfix/aliases-ldap-student):
    version = 3
    server_host = ldaps://hig1.hig.no:636 ldaps://hig2.hig.no:636
    tls_ca_cert_file = /usr/share/ssl/inu.cer
    tls_require_cert = yes
    search_base = dc=hig,dc=no
    query_filter = proxyaddresses=smtp:%s@hig.no
    result_attribute = mail
    special_result_attribute = member
    exclude_internal = yes
    recursion_query_filter = (!(useraccountcontrol=514))
    bind_dn = <AD read account DN>
    bind_pw = <password>
pat.hig.no
- Software: Linux, Postfix 2.1.5, Dovecot 0.99.11
- Hardware: 2 GHz Xeon, 1 GB RAM
- Both POP3 and IMAP available
- ~250 users
- Email relay for employees, supports SMTP authentication over TLS
- POP3S and IMAPS with a signed certificate
studenter.hig.no
- Software: Windows 2003, Exchange 2003 SP1, Symantec AV for Exchange
- Hardware: 2.8 GHz Xeon, 4 GB RAM
- Some other things also run on this server (domain controller)
- Supports both POP3 and IMAP; other Exchange functions are not used
- Relay server for students, supports SMTP authentication
- TLS communication now operational!
Antispam: RBL (Real Time Black Lists)
- Organizations, persons or automatic routines maintain a list of IP addresses which are blacklisted
- Listing criteria: open relay, known spammer, doesn't follow standards, ...
- ratbert checks incoming email against: ORDB, DSBL, Spamhaus, Abuseat, NJABL, SpamCop
- Few known false positives per year
Antispam: Greylisting
- ratbert runs gps, a greylist implementation for Postfix
- Stores the envelope from address, the envelope to address and the sender's IP address as a triplet
- Temporarily rejects triplets never seen before
- Later delivery attempts will be accepted
- Uses MySQL for triplet storage
- Few whitelisted IP addresses per year
- Generates some support
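The triplet logic described above, as an added example (not gps's own code): a minimal Postfix access-policy handler that defers unseen (sender, recipient, client IP) triplets and accepts retries once a delay has passed. The in-memory dict stands in for gps's MySQL table; the delay, expiry and whitelist values are assumptions.

```python
"""Greylisting decision logic following the triplet scheme of gps described
above. Added example, not gps's own code: an in-memory dict stands in for its
MySQL triplet table, and the delay, expiry and whitelist values are assumed."""
import ipaddress

GREYLIST_DELAY = 300          # seconds a new triplet is deferred (assumed)
TRIPLET_EXPIRY = 30 * 86400   # seconds an accepted triplet stays known (assumed)


class Greylist:
    def __init__(self, whitelist=()):
        self.triplets = {}    # (sender, recipient, client_ip) -> (first_seen, last_seen)
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]

    def check(self, sender, recipient, client_ip, now):
        """Return a Postfix access-policy action for one delivery attempt:
        'dunno' lets the remaining restrictions decide, 'defer_if_permit'
        sends a temporary (4xx) rejection that a real MTA will retry."""
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.whitelist):
            return "dunno"                      # manually whitelisted sender host
        key = (sender.lower(), recipient.lower(), client_ip)
        first, last = self.triplets.get(key, (None, None))
        if first is None or now - last > TRIPLET_EXPIRY:
            self.triplets[key] = (now, now)     # never seen (or forgotten): defer
            return "defer_if_permit Greylisted, please try again later"
        self.triplets[key] = (first, now)
        if now - first < GREYLIST_DELAY:        # retried too quickly: still deferred
            return "defer_if_permit Greylisted, please try again later"
        return "dunno"                          # known triplet: let it through


def handle_policy_request(request, greylist, now):
    """Parse one request in Postfix's policy-delegation protocol (name=value
    lines, blank line terminated) and build the 'action=...' reply."""
    attrs = dict(line.split("=", 1) for line in request.strip().splitlines() if "=" in line)
    action = greylist.check(attrs["sender"], attrs["recipient"], attrs["client_address"], now)
    return f"action={action}\n\n"


# Constructed request as smtpd would send it (protocol_state etc. omitted).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "sender=someone@example.net\n"
    "recipient=vic@vic.hig.no\n"
    "client_address=198.51.100.7\n\n"
)
```

Spammers that never retry are dropped by the first defer; the "some support" mentioned above comes from legitimate senders whose first message is delayed, which is what the whitelist is for.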
Antispam: ClamAV
- ClamAV is GPL licensed antivirus software
- Can be plugged into Postfix to detect and remove viruses in emails
- Maintained virus definitions, around 163000 virus definitions today
- Many viruses are stopped by greylisting
- Also some support because of ClamAV, which is not perfectly configured
(Hopefully) The next generation email system at GUC
- Open standards
- Platform independent
- Employees and students use the same system
- Uses FEIDE for authentication and user information
- New default client and webmail with automatic configuration, calendar
- Automatic routines: forward, vacation, filtering, individual spam filter configuration, ...
Email services
Questions? Ask now or email me at anders.wiehe@hig.no
The end!