Versions Compared

Old Version 1

changes.mady.by.user Tran Tang (Unlicensed)

Saved on

compared with

New Version Current

changes.mady.by.user Tran Tang (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Version History

Version
Date
Author
Description
0.1 09/14/2016Daniel Fernandez Initial Version
0.209/23/2016Minh NguyenUpdate sections
0.309/28/2016Sovann HuynhProvide purpose/details of each mail server instance

Overview

The CONNECT team uses two different email servers (Postfix and Dovecot) for its CONNECT-DIRECT implementation testing. There are two instances (one internal, one external) of each mail server – four instances in total to provide the following roles and functions:

Mail Server / RolePurpose/Details
Dovecot / internal imap

The purpose of this instance is to provide the actual storage of email in a Dovecot internal mailbox and the functions required to access the mailbox via an email client such as Sylpheed.

  • When an email is composed, it is placed here so it can be detected and picked up by a Direct poller. From here, CONNECT takes the email, authenticates it and encrypts it.
  • When receiving a Direct message, this is the final delivery destination
  • How does this alert CONNECT that it has accepted the Direct message?
Postfix / internal smtp

The purpose of an this instance is to act as a mail transfer agent (MTA) that will transfer mail from a Dovecot internal mailbox to a Dovecot external mailbox

  • When sending a Direct message, this provides the SMTP mechanism to move the encrypted Direct message from Dovecot internal to Dovecot external
  • When receiving a Direct message, this provides the SMTP mechanism to move the decrypted Direct message from Dovecot external to Dovecot internal
Dovecot / external imap

The purpose of this instance is to provide the actual storage of email in an unsecured external mailbox and the functions required to access the mailbox via an email client such as Sylpheed.

  • When sending a Direct message, this is where the encrypted Direct message is moved to so it can be sent out via SMTP (Postfix external)
  • When receiving a Direct message, the message is placed here so it can be detected and picked up by a Direct poller. From here, CONNECT takes the message, authenticates it, decrypts it and "creates" a processed MDN.
Postfix / external smtp

The purpose of an this instance is to act as a mail transfer agent (MTA) that will transfer mail from an unsecured external mailbox to a target unsecured mailbox (the Direct recipient)

  • When sending a Direct message, this provides the SMTP mechanism to send the Direct message to the receiving STA
  • When processed and/or dispatched MDNs are created, this provides the SMTP mechanism to send the Direct message back to the sending STA


Info
titleMail server selection and security reuirements

The number of STAs and edge systems used in a complete CONNECT Direct implementation is up to the implementer. Please refer to the Implementation Guide for Direct Edge Protocols for more details on the required Direct transport security layers. /wiki/spaces/CONNECTWIKI/pages/93061134 require four mail server configurations but these can include reiterative mail server instances.

Internal Email Server Installation

Postfix Installation instructions (Red Hat Linux 6.3/Centos 6.3)

  1. Remove SendMail
    yum remove sendmail

  2. Set up the Simple Authentic Security Layer (SASL) to authenticate users.

    Note

    This step is omitted for the CONNECT Direct test implementation


    Code Block
    yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain


  3. Create CERTS for Transport Layer Security (TLS):

    Code Block
    mkdir /etc/postfix/ssl
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 8650


  4. Edit /etc/postfix/main.cf.  This file specifies a set of the parameters that control the operation of the Postfix mail system ← Replace direct.connectopensource.org with your actual domain.

    Code Block
    mydomain = direct.connectopensource.org
inet_interfaces = all
#inet_interfaces = localhost
mynetworks =127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128, 10.153.16.182, 208.247.58.12, 174.26.117.134, 68.226.125.231, 173.73.155.188, 69.140.155.130, 98.204.48.47,  208.247.58.27, 216.14.93.210, 216.14.93.209, 208.114.203.134, 107.23.198.44, 173.66.78.99, 208.247.58.12, 172.31.43.181
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = no
smtpd_sasl_type = cyrus
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/


  5. Edit /etc/postfix/master.cf.  This file defines how a client program connects to a service, and what daemon program runs when a service is requested,

    Code Block
    smtp inet n            - - - - smtpd
submission inet n - - - - smtpd
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_sender=yes
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o broken_sasl_auth_clients=yes
smtps inet n - - - - smtpd
-o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING


Dovecot Installation Instructions

  1. Run this to install dovecot

    Code Block
    yum install dovecot


  2. Update /etc/dovecot/conf.d/10-mail.conf

    Code Block
    mail_location =maildir:~/Maildir


  3. Update /etc/dovecot/conf.d/10-ssl.conf

    Code Block
    ssl_cert = </etc/postfix/ssl/smtpd.crt
ssl_key = </etc/postfix/ssl/smtpd.key


  4. Add all the recipient domains that we want to communicate using direct should be redirected to the internal user mail account in /etc/postfix/virtual. For example, if you want to send a direct message to direct.sitenv.org, the below entry should be added to the virtual file. (ONLY FOR INTERNAL EMAIL SERVER)

    Code Block
    @direct.sitenv.org  internal


  5. Rebuild the virtual database

    Code Block
    postmap /etc/postfix/virtual


  6. All the domains that we want to communicate or exchange messages using Direct should have an entry in /etc/postfix/virtual_domains.

    Code Block
    direct.sitenv.org
direct.max.org


  7. Add the below in /etc/postfix/transport ← Replace direct.connectopensource.org with your actual domain

    Code Block
    direct.connectopensource.org :
.direct.connectopensource.org :
* discard:


  8. Create email accounts/mailboxes. CONNECT requires the two email IDs direct and internal to run DIRECT. The following are steps to create and configure email accounts. 

    Code Block
    adduser direct
passwd <some password>
mkdir /home/direct/Maildir
chown direct:direct /home/direct/Maildir
chmod -R 700 /home/direct/Maildir


  9. Add the email users and virtual users to the OS alias table /etc/aliasses

    Code Block
    #OS accounts
direct: direct
internal: internal
# virtual account…whenever emails comes to sovann@direct.connectopensource.org it gets redirected to direct
sovann : direct


  10. Rebuild the aliasses DB 

    Code Block
    newalisasses


  11. Enable auto start of postfix, dovecot, and saslauthd

  12. Test to make sure postfix, dovecot, and saslauthd are running.  You should be able to see these ports: SMTP:25, SMTP:465, IMAPS:993, POP3S:995, STARTLS:587.

    Code Block
    netstat –ntpl
telnet localhost 25 & ehlo localhost


External Email Server Installation

Follow the steps under Internal Server to configure External Email Server except the following:

  1. Copy the same CERTS generated in Internal Email Server to /etc/postfix/ssl/

  2. Add the following in /etc/postfix/virtual ← Replace direct.connectopensource.org with your actual domain

    Code Block
    @direct.connectopensource.org direct


  3. Add the email users and virtual users to the OS alias table /etc/aliases

    Code Block
    internal: internal 
direct:direct