Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Version History

Version
Date
Author
Description
0.1 09/14/2016Daniel Fernandez Initial Version
0.209/23/2016Minh NguyenUpdate sections
0.309/28/2016Sovann HuynhProvide purpose/details of each mail server instance

Overview

The CONNECT team uses two different email servers (Postfix and Dovecot) for its CONNECT-DIRECT implementation testing. There are two instances (one internal, one external) of each mail server – four instances in total to provide the following roles and functions:

Mail Server / RolePurpose/Details
Dovecot / internal imap

The purpose of this instance is to provide the actual storage of email in a Dovecot internal mailbox and the functions required to access the mailbox via an email client such as Sylpheed.

  • When an email is composed, it is placed here so it can be detected and picked up by a Direct poller. From here, CONNECT takes the email, authenticates it and encrypts it.
  • When receiving a Direct message, this is the final delivery destination
  • How does this alert CONNECT that it has accepted the Direct message?
Postfix / internal smtp

The purpose of an this instance is to act as a mail transfer agent (MTA) that will transfer mail from a Dovecot internal mailbox to a Dovecot external mailbox

  • When sending a Direct message, this provides the SMTP mechanism to move the encrypted Direct message from Dovecot internal to Dovecot external
  • When receiving a Direct message, this provides the SMTP mechanism to move the decrypted Direct message from Dovecot external to Dovecot internal
Dovecot / external imap

The purpose of this instance is to provide the actual storage of email in an unsecured external mailbox and the functions required to access the mailbox via an email client such as Sylpheed.

  • When sending a Direct message, this is where the encrypted Direct message is moved to so it can be sent out via SMTP (Postfix external)
  • When receiving a Direct message, the message is placed here so it can be detected and picked up by a Direct poller. From here, CONNECT takes the message, authenticates it, decrypts it and "creates" a processed MDN.
Postfix / external smtp

The purpose of an this instance is to act as a mail transfer agent (MTA) that will transfer mail from an unsecured external mailbox to a target unsecured mailbox (the Direct recipient)

  • When sending a Direct message, this provides the SMTP mechanism to send the Direct message to the receiving STA
  • When processed and/or dispatched MDNs are created, this provides the SMTP mechanism to send the Direct message back to the sending STA


Info
titleMail server selection and security reuirements

The number of STAs and edge systems used in a complete CONNECT Direct implementation is up to the implementer. Please refer to the Implementation Guide for Direct Edge Protocols for more details on the required Direct transport security layers. /wiki/spaces/CONNECTWIKI/pages/93061134 require four mail server configurations but these can include reiterative mail server instances.

Internal Email Server Installation

Postfix Installation instructions (Red Hat Linux 6.3/Centos 6.3)

  1. Remove SendMail
    yum remove sendmail

  2. Set up the Simple Authentic Security Layer (SASL) to authenticate users.

    Note

    This step is omitted for the CONNECT Direct test implementation


    Code Block
    yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain


  3. Create CERTS for Transport Layer Security (TLS):

    Code Block
    mkdir /etc/postfix/ssl
    openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
    chmod 600 smtpd.key
    openssl req -new -key smtpd.key -out smtpd.csr
    openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
    openssl rsa -in smtpd.key -out smtpd.key.unencrypted
    mv -f smtpd.key.unencrypted smtpd.key
    openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 8650


  4. Edit /etc/postfix/main.cf.  This file specifies a set of the parameters that control the operation of the Postfix mail system ← Replace direct.connectopensource.org with your actual domain.

    Code Block
    mydomain = direct.connectopensource.org
    inet_interfaces = all
    #inet_interfaces = localhost
    mynetworks =127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128, 10.153.16.182, 208.247.58.12, 174.26.117.134, 68.226.125.231, 173.73.155.188, 69.140.155.130, 98.204.48.47,  208.247.58.27, 216.14.93.210, 216.14.93.209, 208.114.203.134, 107.23.198.44, 173.66.78.99, 208.247.58.12, 172.31.43.181
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = no
    smtpd_sasl_type = cyrus
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    home_mailbox = Maildir/


  5. Edit /etc/postfix/master.cf.  This file defines how a client program connects to a service, and what daemon program runs when a service is requested,

    Code Block
    smtp inet n            - - - - smtpd
    submission inet n - - - - smtpd
    # -o smtpd_tls_security_level=encrypt
    # -o smtpd_sasl_auth_enable=yes
    # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    # -o milter_macro_daemon_name=ORIGINATING
    smtps inet n - - - - smtpd
    # -o smtpd_sasl_auth_enable=yes
    # -o smtpd_reject_unlisted_sender=yes
    # -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    # -o broken_sasl_auth_clients=yes
    smtps inet n - - - - smtpd
    -o smtpd_tls_wrappermode=yes
    # -o smtpd_sasl_auth_enable=yes
    # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    # -o milter_macro_daemon_name=ORIGINATING


Dovecot Installation Instructions

  1. Run this to install dovecot

    Code Block
    yum install dovecot


  2. Update /etc/dovecot/conf.d/10-mail.conf

    Code Block
    mail_location =maildir:~/Maildir


  3. Update /etc/dovecot/conf.d/10-ssl.conf

    Code Block
    ssl_cert = </etc/postfix/ssl/smtpd.crt
    ssl_key = </etc/postfix/ssl/smtpd.key


  4. Add all the recipient domains that we want to communicate using direct should be redirected to the internal user mail account in /etc/postfix/virtual. For example, if you want to send a direct message to direct.sitenv.org, the below entry should be added to the virtual file. (ONLY FOR INTERNAL EMAIL SERVER)

    Code Block
    @direct.sitenv.org  internal


  5. Rebuild the virtual database

    Code Block
    postmap /etc/postfix/virtual


  6. All the domains that we want to communicate or exchange messages using Direct should have an entry in /etc/postfix/virtual_domains.

    Code Block
    direct.sitenv.org
    direct.max.org


  7. Add the below in /etc/postfix/transport ← Replace direct.connectopensource.org with your actual domain

    Code Block
    direct.connectopensource.org :
    .direct.connectopensource.org :
    * discard:


  8. Create email accounts/mailboxes. CONNECT requires the two email IDs direct and internal to run DIRECT. The following are steps to create and configure email accounts. 

    Code Block
    adduser direct
    passwd <some password>
    mkdir /home/direct/Maildir
    chown direct:direct /home/direct/Maildir
    chmod -R 700 /home/direct/Maildir


  9. Add the email users and virtual users to the OS alias table /etc/aliasses

    Code Block
    #OS accounts
    direct: direct
    internal: internal
    # virtual account…whenever emails comes to sovann@direct.connectopensource.org it gets redirected to direct
    sovann : direct


  10. Rebuild the aliasses DB 

    Code Block
    newalisasses


  11. Enable auto start of postfix, dovecot, and saslauthd
  12. Test to make sure postfix, dovecot, and saslauthd are running.  You should be able to see these ports: SMTP:25, SMTP:465, IMAPS:993, POP3S:995, STARTLS:587.

    Code Block
    netstat –ntpl
    telnet localhost 25 & ehlo localhost


External Email Server Installation

Follow the steps under Internal Server to configure External Email Server except the following:

  1. Copy the same CERTS generated in Internal Email Server to /etc/postfix/ssl/
  2. Add the following in /etc/postfix/virtual ← Replace direct.connectopensource.org with your actual domain

    Code Block
    @direct.connectopensource.org direct


  3. Add the email users and virtual users to the OS alias table /etc/aliases

    Code Block
    internal: internal 
    direct:direct