opensmtpd for the real world mail server tutorial...introduction–background softwaredeveloper...

OpenSMTPD for the Real WorldMail Server Tutorial

Aaron Poffenberger

2016-06-09 Thu

Aaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 1 38

Outline

1 Introduction

2 Tutorial Goals and Prerequisites

3 OpenSMTPD

4 PF

5 BGP-Spamd

6 Amavisd Overview

7 ClamAV

8 Dovecot

9 SpamAssassin

10 Conclusion

11 Resources


Introduction ndash Background

Software developer30+ years17+ years professionallySecurity software developerDesign and implementsecure APIsConsulting

IT BackgroundBoeingISP (dial-up land)ConsultingDevOps

Software DevelopmentExperience

PentaSafe TechnologiesNetIQTheAnimenetworkcomBRS LabsGiant Gray

InfoSecSoftware vulnerabilityassessmentAuditingCISSP 2005+US Army


Introduction ndash Other

OpenBSD userAmateur radio enthusiastElectronics hobbyist


Introduction ndash You

Enough about me letrsquos talk about you

Who runs

OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD

Anyone want to admit to

Debian GNUkFreeBSDUbuntuBSDWindows with Bash shell



Enough about me letrsquos talk about you Who runs







OpenBSD

FreeBSDNetBSDDragonFly BSDHardenedBSDMidnightBSD






OpenBSDFreeBSD

NetBSDDragonFly BSDHardenedBSDMidnightBSD






OpenBSDFreeBSDNetBSD

DragonFly BSDHardenedBSDMidnightBSD






OpenBSDFreeBSDNetBSDDragonFly BSD

HardenedBSDMidnightBSD






OpenBSDFreeBSDNetBSDDragonFly BSDHardenedBSD

MidnightBSDAnyone want to admit to


















Anyone want to admit toDebian GNUkFreeBSD

UbuntuBSDWindows with Bash shell





Anyone want to admit toDebian GNUkFreeBSDUbuntuBSD

Windows with Bash shell





Anyone want to admit toDebian GNUkFreeBSDUbuntuBSDWindows with Bash shell


Tutorial Goals

Configure smtpd as a Mail Transfer Agent (MTA) for single andmulti-domain useInstall a certificate and configure smtpd to provide or requireTLSAccept or reject mail based on criteria like recipient sourcesender and domainTag mailConfigure Spam AssassinConfigure ClamAVConfigure smtpd to work with Spam Assassin ClamAV andLocal-Mail-Transfer-Protocol (LMTP) services (in series orindividually)


Tutorial Goals

Deliver mail to DovecotTroubleshoot smtpd issues using smtpdrsquos syntax checker logsand by sending mail manually via telnet


Tutorial Prerequisites

One of the supported OSsUnless you want to port it to your OS -)NB - If you brought a Linux box to the tutorial you will beheckled -)

Amavisd (amavisd-new)ClamAVDovecotmailmailxOpenSMTPDOpenSSLLibreSSLSpamAssasinSpamdOptional but Recommended

OpenBGPDAaron Poffenberger OpenSMTPD for the Real World Mail Server Tutorial2016-06-09 Thu 8 38

OpenSMPTD Overview

man smtpd(8)History The smtpd program first appeared in OpenBSD 46

Started by Gilles Chehade in late 2008ISC licensePrimarily developed by

Gilles Chehade Eric Faurot Charles Longeau and SunilNimmagaddaAnd cast of others

Portable version begun by Charles LongeauFound on

NetBSD FreeBSD DragonFlyBSD Mac OS X Linux


OpenSMTPD Overview - Notes

OpenSMDTP scrupulously follows RFCs1 Itrsquos a good idea2 Spammers donrsquot extra layer of protection

If yoursquore trying a manual process (eg sending mail manuallyvia telnet) and it fails yoursquore probably doing it incorrectly Eg

Correct rcpt toltuserdomaingtIncorrect rcpt touserdomainIncorrect rcpt to ltuserdomaingtIncorrect rcpt to userdomain


Important Keywords

includeMacrostablepkilistentagaccept|rejectdeliveruserbase


Important Keywords - Macros

Expanded in contextNames must start with a letter digit or underscore and maycontain any of those charactersMay not be reserved wordsNB - Are not() expanded within quotation marks


Important Keywords - table

Use to provide additional configuration informationLists or key-value mappings

Types db or fileMay also be inlined with comma-separated values (list orkey=value)


Important Keywords - pki

Several uses for this keywordSpecify a given hostname with a specific certileSpecify a key file for a specific certfileSpecify which certificate to present in a listen directiveSpecify which certificate to present in a relay directive


Important Keywords - listen

Specify a socket or an interface for incoming connectionsMultiple listeners may be specifiedMay specify

hostname to present in the greeting bannerdefault is server name or name in $ETCmailmailname

porttlsssl requirementsaddress family (inet4 | inet6)directives to tag traffic


Important Keywords - accept|reject

Accept or reject messages based on SMTP session infoCriteria for evaluation

tagged [] tag-name tag applied as part of client session fromany match allfrom [] local match only local connections (default notnecessary)from [] source lttablegt match connections from clients whoseaddress is declared in the specified tablesender [] ltsendersgt match senders email address found intable senders Address may specify entire domain with exampleorg



Criteria for evaluationfor any [alias ltaliasesgt] Match regardless of the domain sentto If an alias table is specified lookup alternative destinationfor all addressesfor any virtual ltvmapgt match regardless of domain sent tolookup virtual-domain mapping in table vmapfor [] domain domain [alias ltaliasesgt] Match based onspecified domain If an alias table is specified lookup alternativedestination for all addressesfor [] domain ltdomaingt [alias ltaliasesgt] Match based ondomains specified table domain If an alias table is specifiedlookup alternative destination for all addresses



Criteria for evaluationvirtual ltusersgt may be used with each of the above rather thanalias ltaliasesgtrecipient [] ltrecipientsgt Match only if the recipientrsquos emailaddress is found table recipients[userbase lttablegt] Look-up users in table table instead oflooking users up using getpwnam(3)


Important Keywords - deliver

Specify where the mail is to be delivereddeliver to lmtp [hostport | socket] [rcpt-to] [as user] Delivermail via lmtp protocol

lmtp - queue-less version of SMTP protocol Useful for sendingto MDAs or filter applications like amavisd

deliver to maildir [path] Deliver to maildir directory Default is~Maildirdelivery to mbox Deliver mail to system mailbox in varmaildeliver to mda program [as user] Pipe mail to specifiedprogram Optionally run mda as specified user


OpenSMTPD Configuration

man smtpdconf(5)Simple English-like syntax very similar to PF and otherOpenBSD-projectsTypical $ETCmailsmtpdconfMay reference other configuration files

include etcmailsmtpdconflocal

See example in etcmailsmtpdconf in tarball


PF Overview

man pf(4)History The pf packet filtering mechanism first appeared inOpenBSD 30

Packet Filter (PF) is OpenBSDrsquos system for filtering TCPIPtraffic and doing Network Address Translation PF is alsocapable of normalizing and conditioning TCPIP traffic as wellas providing bandwidth control and packet prioritizationOriginally written by Daniel Hartmeier and is now maintainedand developed by the entire OpenBSD teamPorted to

FreeBSD (somewhat incompatible now) NetBSD Mac OS XOracle (seriously and doing really good work on SMP)


PF Configuration

Need to add a few rulesSee rules subset in etcpfconf in tarball


BGP-Spamd - Overview

Distribution of whitelist and blacklist IPs using bgp protocolBGP purpose is to exchange information concerning networkreachability with other BGP systemsProject run by Peter Hessler (phessler OpenBSD)Receives blacklist and whitelist data from several sourcesincluding Peter HansteenWorks with pf and spamd

pf by modifying a specific white-list tablespamd by creating file create by a cron job


BGP-Spamd - Configuration

$ETCbgpdconfSelect a private AS id (autonomous system) default == 65001Un-comment a neighbor close to youAdd pass rule to $ETCpfconfSee rules subset in etcpfconf in tarball



Add source to $ETCmailspamdconfSee example in etcmailsmtpdconf in tarball


BGP-Spamd Cron Job

Add line to root crontab

0 sleep $((RANDOM 1800)) ampamp usrlocalsbinbgp-spamdblacksh


Amavisd Overview

amavisd-new is a high-performance interface between mailer(MTA) and content checkers virus scanners andorSpamAssassinRuns as a serviceManages sending email through multiple services like ClamAVand SpamAssassinSupports LMTP or (E)SMTPLMTP is a queue-less counterpart to SMTP

Which raises the question How do I ensure my mail isnrsquot lostwhile itrsquos in the LMTP receiverSeveral solutions possible Amavisd does not return success tothe caller until it has delivered the mail to the next hophttpswwwijssisoftwareamavisdsec-loss


Amavisd - Configuration

Amavisd configuration file is a dogrsquos breakfastFortunately just a few changes are necessary

Lots of optional dials and knobs

See example in etcamavisdconf in tarball


ClamAV - Overview

ClamAV is an open source antivirus engine for detecting trojansviruses malware amp other malicious threatsRuns as a service or can be called ad-hocIncludes freshclam service to download up-to-date definitions


ClamAV - Configuration

Just a few changes are necessaryLots of optional dials and knobs

See example in etcclamdconf in tarballSee example in etcfreshclamconf in tarballNB - Must comment out word Example near top of file

Already done in example in tarball


Dovecot - Overview

Dovecot is an open source IMAP and POP3 email server forLinuxUNIX-like systems written with security primarily in mindHigh performanceStandards compliantPlugin architecture


Dovecot - Configuration

Very easy to configureEdit file $ETCdovecotlocalconf to override default settingsVirtual user password algorithm option identical to OpenSMTPDSee example in etcdovecotlocalconf in tarballSee example in etcdovecotpasswd in tarball


SpamAssassin - Overview

Open Source anti-spam platform giving system administrators afilter to classify email and block spam (unsolicited bulk email)It uses a robust scoring framework and plug-ins to integrate awide range of advanced heuristic and statistical analysis tests onemail headers and body text including text analysis Bayesianfiltering DNS blocklists and collaborative filtering databases


SpamAssassin - Configuration

Not many necessary changesLots of optional dials and knobs

Most notably the option trusted_networksNot critical but will exclude mail from listed addresses fromchecking


Conclusion

You have questions I may have answers


Contact Details

Aaron PoffenbergerakphypernotecomhttpakpoffcomakpoffThis presentation look for blog post on httpakpoffcomKG5DQJ


Resources

NB - Most of these are linksAmavisdBGP-Spamd - Peter HesslerClamAVDovecotOpenBSD PF FAQSpamAssassin


Blogs and Other Information

Other Blogs and Posts about BSD Mail ServingFrozen GeekHugo Osvaldo Barrera - Good discussion about using Sqlite forVirtual Users

That Grump BSD Guy - Peter HansteenSpamdBSDly - Blog about OpenBSD PF and greytrapping


Introduction

Tutorial Goals and Prerequisites

OpenSMTPD

PF

BGP-Spamd

Amavisd Overview

ClamAV

Dovecot

SpamAssassin

Conclusion

Resources

Outline

1 Introduction

2 Tutorial Goals and Prerequisites

3 OpenSMTPD

4 PF

5 BGP-Spamd

6 Amavisd Overview

7 ClamAV

8 Dovecot

9 SpamAssassin

10 Conclusion

11 Resources














Who runs













OpenBSD







OpenBSDFreeBSD






















































Tutorial Goals



Tutorial Goals







OpenSMPTD Overview












Important Keywords






































PF Overview





PF Configuration













BGP-Spamd Cron Job




Amavisd Overview









ClamAV - Overview








Dovecot - Overview













Conclusion



Contact Details



Resources







Introduction


OpenSMTPD

PF

BGP-Spamd

Amavisd Overview

ClamAV

Dovecot

SpamAssassin

Conclusion

Resources













Who runs













OpenBSD







OpenBSDFreeBSD






















































Tutorial Goals



Tutorial Goals







OpenSMPTD Overview












Important Keywords






































PF Overview





PF Configuration













BGP-Spamd Cron Job




Amavisd Overview









ClamAV - Overview








Dovecot - Overview













Conclusion



Contact Details



Resources







Introduction


OpenSMTPD

PF

BGP-Spamd

Amavisd Overview

ClamAV

Dovecot

SpamAssassin

Conclusion

Resources









OpenBSD







OpenBSDFreeBSD






















































Tutorial Goals



Tutorial Goals







OpenSMPTD Overview












Important Keywords






































PF Overview





PF Configuration













BGP-Spamd Cron Job




Amavisd Overview









ClamAV - Overview








Dovecot - Overview













Conclusion



Contact Details



Resources







Introduction


OpenSMTPD

PF

BGP-Spamd

Amavisd Overview

ClamAV

Dovecot

SpamAssassin

Conclusion

Resources



OpenBSDFreeBSD






















































Tutorial Goals



Tutorial Goals







OpenSMPTD Overview












Important Keywords






































PF Overview





PF Configuration













BGP-Spamd Cron Job




Amavisd Overview









ClamAV - Overview








Dovecot - Overview













Conclusion



Contact Details



Resources







Introduction


OpenSMTPD

PF

BGP-Spamd

Amavisd Overview

ClamAV

Dovecot

SpamAssassin

Conclusion

Resources


















































Tutorial Goals



Tutorial Goals







OpenSMPTD Overview












Important Keywords






































PF Overview





PF Configuration













BGP-Spamd Cron Job




Amavisd Overview









ClamAV - Overview








Dovecot - Overview













Conclusion



Contact Details



Resources







Introduction


OpenSMTPD

PF

BGP-Spamd

Amavisd Overview

ClamAV

Dovecot

SpamAssassin

Conclusion

Resources

Tutorial Goals







OpenSMPTD Overview












Important Keywords






































PF Overview





PF Configuration













BGP-Spamd Cron Job




Amavisd Overview









ClamAV - Overview








Dovecot - Overview













Conclusion



Contact Details



Resources







Introduction


OpenSMTPD

PF

BGP-Spamd

Amavisd Overview

ClamAV

Dovecot

SpamAssassin

Conclusion

Resources





OpenSMPTD Overview












Important Keywords






































PF Overview





PF Configuration













BGP-Spamd Cron Job




Amavisd Overview









ClamAV - Overview








Dovecot - Overview













Conclusion



Contact Details



Resources







Introduction


OpenSMTPD

PF

BGP-Spamd

Amavisd Overview

ClamAV

Dovecot

SpamAssassin

Conclusion

Resources






Important Keywords






































PF Overview





PF Configuration













BGP-Spamd Cron Job




Amavisd Overview









ClamAV - Overview








Dovecot - Overview













Conclusion



Contact Details



Resources







Introduction


OpenSMTPD

PF

BGP-Spamd

Amavisd Overview

ClamAV

Dovecot

SpamAssassin

Conclusion

Resources




































PF Overview





PF Configuration













BGP-Spamd Cron Job




Amavisd Overview









ClamAV - Overview








Dovecot - Overview













Conclusion



Contact Details



Resources







Introduction


OpenSMTPD

PF

BGP-Spamd

Amavisd Overview

ClamAV

Dovecot

SpamAssassin

Conclusion

Resources

PF Configuration













BGP-Spamd Cron Job




Amavisd Overview









ClamAV - Overview








Dovecot - Overview













Conclusion



Contact Details



Resources







Introduction


OpenSMTPD

PF

BGP-Spamd

Amavisd Overview

ClamAV

Dovecot

SpamAssassin

Conclusion

Resources











BGP-Spamd Cron Job




Amavisd Overview









ClamAV - Overview








Dovecot - Overview













Conclusion



Contact Details



Resources







Introduction


OpenSMTPD

PF

BGP-Spamd

Amavisd Overview

ClamAV

Dovecot

SpamAssassin

Conclusion

Resources

Amavisd Overview









ClamAV - Overview








Dovecot - Overview













Conclusion



Contact Details



Resources







Introduction


OpenSMTPD

PF

BGP-Spamd

Amavisd Overview

ClamAV

Dovecot

SpamAssassin

Conclusion

Resources






ClamAV - Overview








Dovecot - Overview













Conclusion



Contact Details



Resources







Introduction


OpenSMTPD

PF

BGP-Spamd

Amavisd Overview

ClamAV

Dovecot

SpamAssassin

Conclusion

Resources






Dovecot - Overview













Conclusion



Contact Details



Resources







Introduction


OpenSMTPD

PF

BGP-Spamd

Amavisd Overview

ClamAV

Dovecot

SpamAssassin

Conclusion

Resources











Conclusion



Contact Details



Resources







Introduction


OpenSMTPD

PF

BGP-Spamd

Amavisd Overview

ClamAV

Dovecot

SpamAssassin

Conclusion

Resources

Contact Details



Resources







Introduction


OpenSMTPD

PF

BGP-Spamd

Amavisd Overview

ClamAV

Dovecot

SpamAssassin

Conclusion

Resources

Resources







Introduction


OpenSMTPD

PF

BGP-Spamd

Amavisd Overview

ClamAV

Dovecot

SpamAssassin

Conclusion

Resources





Introduction


OpenSMTPD

PF

BGP-Spamd

Amavisd Overview

ClamAV

Dovecot

SpamAssassin

Conclusion

Resources

opensmtpd for the real world mail server tutorial...introduction–background softwaredeveloper...

Documents