Mail Server Configuration in Redhat Server using Mail transfer agent

NEXT GENERATION TECHNOCOM PVT. LTD., 2014
Mail Server Configuration on Redhat Linux
By Subrata Sarma Chowdhury

Transcript of Mail Server Configuration in Redhat Server using Mail transfer agent.pdf
Source: http://slidepdf.com/reader/full/mail-server-configuration-in-redhat-server-using-mail-transfer-agentpdf (21 pages, 8/10/2019)

Page 1


Page 2

Contents:

1. Postfix and Dovecot configuration ............................................ 2
2. Active directory integration ................................................. 17
3. Troubleshooting .............................................................. 


Page 3

Mail Server Configuration in Redhat Linux Server using Mail transfer agent (Postfix)

Postfix and Dovecot configuration:

This documentation describes the installation and configuration of a mail server on a Redhat server using the Postfix mail transfer agent, where our mail delivery client is Outlook.

Here Postfix uses port number 25 (the default port for SMTP). The steps we follow to configure the mail server are given below:

1) Install the MTA package postfix using the following command:

yum install postfix -y

2) Edit the Postfix main.cf file; the command for this is: vi /etc/postfix/main.cf

3) We need to edit the following lines (75, 97, 111, 116, 262, 424) in the main.cf file. The following screenshots show the edited format:

Page 4 (screenshot of the edited main.cf, not reproduced in the transcript)

Page 5 (screenshot of the edited main.cf, not reproduced in the transcript)
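The screenshots of main.cf are not reproduced, so as an added example (not from the original document) here is a small audit script for the parameters a basic Postfix setup edits. Which parameter sits on which of the line numbers given in step 3 is an assumption; the parameter names themselves (myhostname, mydomain, myorigin, inet_interfaces, mydestination, mynetworks, home_mailbox) are real Postfix settings. The sample main.cf is constructed and deliberately contains a 0.0.0.0/0 entry in mynetworks, which would let any client relay through the server.

```python
"""Audit the relay-related parameters of a Postfix main.cf.

Added example, not from the original document. The page lists main.cf line
numbers but only shows screenshots, so the parameter list below is an
assumption about what a basic setup edits.
"""
import ipaddress
import re

# Constructed sample main.cf; the 0.0.0.0/0 entry is deliberately wrong.
SAMPLE_MAIN_CF = """\
# Postfix main.cf (constructed sample)
myhostname = mail.example.test
mydomain = example.test
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost,
    $mydomain
mynetworks = 192.168.0.0/24, 127.0.0.0/8,
    0.0.0.0/0
home_mailbox = Maildir/
"""

CHECKED = ("myhostname", "mydomain", "myorigin", "inet_interfaces",
           "mydestination", "mynetworks", "home_mailbox")


def parse_main_cf(text):
    """Return {parameter: value}. A line that starts with whitespace continues
    the previous parameter's value; lines starting with '#' are comments."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            params[current] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if sep:
            current = key.strip()
            params[current] = value.strip()
    return params


def expand(value, params, depth=0):
    """Expand $name and ${name} references the way Postfix does (recursively)."""
    if depth > 10:
        return value

    def repl(m):
        name = m.group(1) or m.group(2)
        return expand(params.get(name, ""), params, depth + 1)

    return re.sub(r"\$\{(\w+)\}|\$(\w+)", repl, value)


def audit_main_cf(text):
    """Classify every mynetworks entry. Clients inside mynetworks may relay
    mail through this server, so a /0 entry turns it into an open relay."""
    raw = parse_main_cf(text)
    params = {k: expand(v, raw) for k, v in raw.items() if k in CHECKED}
    report = {"params": params, "open_relay": [], "public": [], "unparsed": []}
    for entry in re.split(r"[,\s]+", params.get("mynetworks", "")):
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry.strip("[]"), strict=False)
        except ValueError:            # hostname, lookup table, or a typo
            report["unparsed"].append(entry)
            continue
        if net.prefixlen == 0:
            report["open_relay"].append(entry)
        elif not (net.is_private or net.is_loopback):
            report["public"].append(entry)   # worth a second look
    return report


if __name__ == "__main__":
    result = audit_main_cf(SAMPLE_MAIN_CF)
    for key, value in result["params"].items():
        print(f"{key} = {value}")
    print("open relay entries:", result["open_relay"])
```

Run it against a real file with `audit_main_cf(open("/etc/postfix/main.cf").read())`; entries reported under "unparsed" (for example a `hash:` table) have to be reviewed by hand.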


Page 6

4) Linux DNS server BIND configuration: the following are the steps to configure BIND DNS. (The package names and paths in this part, dnsutils, /etc/bind, named.conf.local and /etc/init.d/bind9, follow the Debian/Ubuntu layout; on a Red Hat system the utilities package is bind-utils, the main configuration file is /etc/named.conf, zone files conventionally live under /var/named and the service is named.)

I. BIND nameserver installation:

Install a BIND nameserver with the following command:

yum install bind dnsutils

II. Creating a DNS zone file:

At this stage we will need to create a new zone file for my domain. Navigate to the /etc/bind/ directory and execute the following sequence of commands to get to zones/master/:

cd /etc/bind
mkdir -p zones/master
cd zones/master/

The /etc/bind/zones/master directory will contain a zone file for my domain. This zone file, db.linuxconfig.org, will hold the DNS records that let a nameserver resolve a fully qualified domain name to an IP address. Create and save db.linuxconfig.org with the following content:

Page 7 (the db.linuxconfig.org zone file was shown as a screenshot and is not reproduced in the transcript)


Page 8

Here is just a quick review of some lines from the above BIND DNS zone file:

SOA record: the nameserver authoritative for the linuxconfig.org zone is ns1.linuxconfig.org, and admin.linuxconfig.org is the email address (admin@linuxconfig.org) of the person responsible for this DNS zone.

NS records: the two nameservers for the linuxconfig.org zone are ns[1,2].linuxconfig.org.

MX (Mail Exchange): the linuxconfig.org mail exchange record. The number 10 is the preference value; when several MX records exist, the one with the lowest value is tried first.

A: A simply means address; in other words, in the linuxconfig.org zone ns1 would have an A (address) record of 192.168.0.10.

CNAME record (canonical name record): restart the query using the canonical name instead of the original name.

III. Address-to-name mappings: at this stage the BIND DNS server can resolve a linuxconfig.org host name to its IP address. For address-to-name mapping, create the file db.192.168.0 with the following content:


Page 9

;
; BIND reverse data file for 0.168.192.in-addr.arpa
;
$TTL 604800
0.168.192.in-addr.arpa. IN SOA ns1.linuxconfig.org. admin.linuxconfig.org. (
        1    ; Serial
        3h   ; Refresh after 3 hours
        1h   ; Retry after 1 hour
        1w   ; Expire after 1 week
        1h ) ; Negative caching TTL of 1 hour
;
0.168.192.in-addr.arpa. IN NS ns1.linuxconfig.org.
0.168.192.in-addr.arpa. IN NS ns2.linuxconfig.org.
10.0.168.192.in-addr.arpa. IN PTR linuxconfig.org.

IV. Updating the BIND configuration file: at this point we should have two files ready:

/etc/bind/zones/master/db.linuxconfig.org
/etc/bind/zones/master/db.192.168.0

All we need to do now is to insert both zone file names into BIND's configuration file named.conf.local. To do that, add the following lines to this file:


Page 10

zone "linuxconfig.org" {
        type master;
        file "/etc/bind/zones/master/db.linuxconfig.org";
};

zone "0.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/master/db.192.168.0";
};

The last thing before we go ahead and check the configuration is to add the IP address of a stable DNS server to the named.conf.options file. This IP address is used when the local DNS server does not know the answer to a name resolution query. In many cases the IP address of such a DNS server is provided by your Internet provider.

Alternatively, if you are a Google fan, use 8.8.8.8 or 8.8.4.4.

Replace the following block of text within the named.conf.options file:

// forwarders {
//      0.0.0.0;
// };


Page 11

with the new stable DNS server IP address:

forwarders {
        8.8.4.4;
};

V. Checking BIND's zone files and configuration:

Before we start the BIND nameserver with the new zone and configuration, here are some tools to check that we have not made a typo or misconfiguration. To check the configuration files, run the following command (it prints nothing when the configuration parses cleanly):

named-checkconf

To check the DNS zone files we can use the named-checkzone command:

named-checkzone linuxconfig.org /etc/bind/zones/master/db.linuxconfig.org
zone linuxconfig.org/IN: loaded serial 1
OK


Page 12

Reverse zone file check:

named-checkzone 0.168.192.in-addr.arpa /etc/bind/zones/master/db.192.168.0
zone 0.168.192.in-addr.arpa/IN: loaded serial 2
OK

VI. Start / restart the BIND server: at this point nothing can stop us from running the bind9 DNS server:

/etc/init.d/bind9 start
Starting domain name service...: bind9.

Alternatively, if your BIND server is already running, use the following command to restart it:

/etc/init.d/bind9 restart
Stopping domain name service...: bind9.
Starting domain name service...: bind9.
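named-checkzone only validates syntax; it does not tell you whether the forward and reverse zones agree, which matters for a mail server because receiving MTAs commonly require forward-confirmed reverse DNS (the PTR for the sending address names a host whose A record points back to that address). The following added example (not part of the original document) parses both zone files with a minimal parser and performs that check. The reverse zone is the db.192.168.0 listing from this document; the forward zone is constructed to match the records the review above describes (the original was shown only as a screenshot), and the mail.linuxconfig.org and www.linuxconfig.org entries are assumptions.

```python
"""Forward-confirmed reverse DNS check over BIND zone files.

Added example, not part of the original document. The forward zone is
constructed; the reverse zone is the page's db.192.168.0 listing.
"""

# Constructed forward zone, consistent with the records the page describes.
FORWARD_ZONE = """\
$TTL 604800
linuxconfig.org. IN SOA ns1.linuxconfig.org. admin.linuxconfig.org. (
        1 ; Serial
        3h 1h 1w 1h ) ; Refresh, Retry, Expire, Negative caching TTL
linuxconfig.org.      IN NS    ns1.linuxconfig.org.
linuxconfig.org.      IN NS    ns2.linuxconfig.org.
linuxconfig.org.      IN MX 10 mail.linuxconfig.org.
linuxconfig.org.      IN A     192.168.0.10
ns1.linuxconfig.org.  IN A     192.168.0.10
ns2.linuxconfig.org.  IN A     192.168.0.11
mail.linuxconfig.org. IN A     192.168.0.10
www.linuxconfig.org.  IN CNAME linuxconfig.org.
"""

# Reverse zone as listed on the page (db.192.168.0).
REVERSE_ZONE = """\
$TTL 604800
0.168.192.in-addr.arpa. IN SOA ns1.linuxconfig.org. admin.linuxconfig.org. (
        1 ; Serial
        3h 1h 1w 1h ) ; Refresh, Retry, Expire, Negative caching TTL
0.168.192.in-addr.arpa. IN NS ns1.linuxconfig.org.
0.168.192.in-addr.arpa. IN NS ns2.linuxconfig.org.
10.0.168.192.in-addr.arpa. IN PTR linuxconfig.org.
"""


def parse_zone(text, origin):
    """Minimal zone parser returning (owner, type, rdata-tokens) for single-line
    records. Handles ';' comments, $ORIGIN/$TTL, a parenthesised SOA, and
    owners written as '@' or relative to the origin."""
    records, in_parens = [], False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if in_parens:                      # skip the rest of a ( ... ) record
            in_parens = ")" not in line
            continue
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        toks = line.split()
        owner = origin if toks[0] == "@" else toks[0]
        if not owner.endswith("."):
            owner = owner + "." + origin
        i = 1
        if toks[i].isdigit():              # optional TTL
            i += 1
        if toks[i].upper() == "IN":        # optional class
            i += 1
        rtype, rdata = toks[i].upper(), toks[i + 1:]
        joined = " ".join(rdata)
        if "(" in joined and ")" not in joined:
            in_parens = True
        records.append((owner.lower(), rtype, rdata))
    return records


def ptr_owner_to_ip(owner):
    """'10.0.168.192.in-addr.arpa.' -> '192.168.0.10'"""
    labels = owner.rstrip(".").split(".")[:-2]
    return ".".join(reversed(labels))


def fcrdns_report(forward_text, forward_origin, reverse_text, reverse_origin):
    """Return {name: 'ok' | 'no PTR for <ip>' | 'PTR <name> does not point back to <ip>'}."""
    a_records = {}
    for owner, rtype, rdata in parse_zone(forward_text, forward_origin):
        if rtype == "A":
            a_records.setdefault(owner, set()).add(rdata[0])
    ptr = {}
    for owner, rtype, rdata in parse_zone(reverse_text, reverse_origin):
        if rtype == "PTR":
            ptr[ptr_owner_to_ip(owner)] = rdata[0].lower()
    report = {}
    for name, ips in sorted(a_records.items()):
        for ip in sorted(ips):
            if ip not in ptr:
                report[name] = "no PTR for " + ip
            elif ip in a_records.get(ptr[ip], set()):
                report[name] = "ok"          # PTR name resolves back to ip
            else:
                report[name] = f"PTR {ptr[ip]} does not point back to {ip}"
    return report


if __name__ == "__main__":
    for name, status in fcrdns_report(FORWARD_ZONE, "linuxconfig.org.",
                                      REVERSE_ZONE, "0.168.192.in-addr.arpa.").items():
        print(f"{name:24} {status}")
```

On the page's data the check passes for every host on 192.168.0.10, because the single PTR names linuxconfig.org, whose A record points back to that address, but it reports that ns2 (192.168.0.11) has no PTR at all; a second PTR line in db.192.168.0 fixes that.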

VII. Testing the BIND server configuration:

The dig command from the dnsutils package will come in handy to help us test the new configuration of the BIND nameserver.

The dig command can be used from any PC which has network access to your DNS server, but preferably you should start your testing from localhost. In our case the IP address of our name server is 192.168.135.130. First we will test host-to-IP resolution:

Page 13 (the host-to-IP dig output was a screenshot and is not reproduced in the transcript; only its last line survives)

Page 14

;; MSG SIZE rcvd: 135

Next we test IP-to-host resolution:

dig @192.168.135.130 -x 192.168.0.10

; <<>> DiG 9.6-ESV-R1 <<>> @192.168.135.130 -x 192.168.0.10
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10810
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;10.0.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
10.0.168.192.in-addr.arpa. 604800 IN PTR linuxconfig.org.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 604800 IN NS ns2.linuxconfig.org.
0.168.192.in-addr.arpa. 604800 IN NS ns1.linuxconfig.org.

;; ADDITIONAL SECTION:
ns1.linuxconfig.org. 10800 IN A 192.168.0.10
ns2.linuxconfig.org. 10800 IN A 192.168.0.11

;; Query time: 0 msec
;; SERVER: 192.168.135.130#53(192.168.135.130)
;; WHEN: Thu Aug 5 18:52:06 2010
;; MSG SIZE rcvd: 140

5) Now install the Dovecot mail delivery agent on the Redhat server. After installation, configure the dovecot.conf file as shown in the screenshot.

Uncomment the following lines, i.e. 24 and 30 (the protocols and listen settings). Also configure 10-auth.conf, 10-mail.conf and 10-master.conf for authentication, mail_location and SMTP authentication respectively.

Page 16 (the dovecot.conf screenshot is not reproduced in the transcript)

Page 17

Active directory integration:

Joining the Domain

Joining an Active Directory domain couldn't be simpler in Fedora 20. First, install the dependencies.

#yum install oddjob oddjob-mkhomedir sssd adcli samba-common

Once that is done, you can join the domain with the following command.

#realm join -U username.da corp.mydomain.com

Now reboot your machine or manually start all the services you just installed, and you will be able to log in to your Fedora machine using an Active Directory account. If you were to look at one of your domain controllers in the Active Directory Users and Computers applet you would see a new machine account for your Fedora machine. This means that you don't have to manually create service accounts and passwords for your Fedora machine to make LDAP queries and perform Kerberos authentication.

You can see information about the domain now using

#realm list

Configuration

Now that you are joined to the domain, there are some security considerations and other configuration details you should probably take care of. First, decide what login format you want to use. Would you prefer to type in your full username in the format username@corp.mydomain.com? If so, there is nothing to be done. If you would rather just log in with username, then edit the sssd configuration file and do not require fully qualified names. In our examples, we will not be allowing any local accounts on the Linux machine, so there is no worry about duplicate usernames.

#vi /etc/sssd/sssd.conf

Update the variable to

use_fully_qualified_names = False

Domain administrators do not automatically have any special privileges on the Fedora machine, so it is a good idea to allow them to sudo so they can perform system administration tasks. In the sudoers file the % sign indicates a group and the \ character allows you to use spaces in the group names.

#visudo

Add the following line

%Domain\ Admins@corp.mydomain.com ALL=(ALL) ALL

Security


Page 18

If regular users are not required to log in to this server at all through ssh or any installed application, we can restrict logins to domain administrators at the sssd level.

#realm permit -g Domain\ Admins@corp.mydomain.com

If regular users will need to authenticate to an installed application (like Apache) using their Active Directory accounts, but will not need ssh access, skip the above line; instead we can use PAM to restrict just SSH.

#vi /etc/pam.d/sshd

Add the following line to the auth section. The square brackets allow us to use the space in the group name.

auth required pam_succeed_if.so user ingroup [Domain Admins]

Since sshd can also allow GSSAPI authentication by default, which is not part of the PAM stack, we will want to turn it off; otherwise anyone who is logged into a Windows machine using their domain account and PuTTY could log in to the server without a password.

#vi /etc/ssh/sshd_config

Update the following line.

GSSAPIAuthentication no
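Both settings above are easy to get subtly wrong: sshd keeps the first value it reads for a keyword, so a `GSSAPIAuthentication no` added below an existing `yes` does nothing, and a PAM line written without the brackets matches the group name "DomainAdmins" rather than "Domain Admins". The following added example (not part of the original document) checks both files for the two controls described here. The sshd_config and /etc/pam.d/sshd texts are constructed samples; run the functions on the real files to audit a host.

```python
"""Audit the ssh login restrictions described for an AD-joined host.

Added example, not part of the original document. Checks that GSSAPI
authentication is off in the global section of sshd_config and that
/etc/pam.d/sshd gates ssh logins on the Domain Admins group.
"""
import re

# Constructed sample: the second GSSAPIAuthentication line is ignored by sshd.
SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
GSSAPIAuthentication no
# a later duplicate is ignored: sshd keeps the first value it reads
GSSAPIAuthentication yes
PasswordAuthentication yes
Match User backup
    GSSAPIAuthentication yes
"""

# Constructed sample /etc/pam.d/sshd with the page's pam_succeed_if line.
PAM_SSHD = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       required     pam_succeed_if.so user ingroup [Domain Admins]
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
"""

PAM_TOKEN = re.compile(r"\[[^\]]*\]|\S+")   # a [...] group is one PAM token


def sshd_global_settings(text):
    """Map keyword -> first value in the global section. sshd keeps the first
    value per keyword, and everything after the first Match block is
    conditional, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        settings.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return settings


def pam_group_gate(text):
    """Return the group names that 'auth required pam_succeed_if.so user
    ingroup <group>' lines restrict logins to (brackets may enclose a space)."""
    groups = []
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        toks = PAM_TOKEN.findall(raw)
        if len(toks) < 6 or toks[0] != "auth" or toks[1] not in ("required", "requisite"):
            continue
        if toks[2] == "pam_succeed_if.so" and toks[3:5] == ["user", "ingroup"]:
            groups.append(toks[5].strip("[]"))
    return groups


def audit_ssh_restrictions(sshd_text, pam_text, admin_group="Domain Admins"):
    """Return a list of findings; an empty list means both controls are in place."""
    findings = []
    gssapi = sshd_global_settings(sshd_text).get("gssapiauthentication")
    if gssapi is None:
        findings.append("GSSAPIAuthentication is not set explicitly; the distribution's shipped sshd_config may enable it")
    elif gssapi.lower() != "no":
        findings.append("GSSAPIAuthentication is enabled: a domain user with a Kerberos ticket can log in outside the PAM stack")
    if admin_group not in pam_group_gate(pam_text):
        findings.append(f"/etc/pam.d/sshd does not restrict ssh logins to '{admin_group}'")
    return findings


if __name__ == "__main__":
    print(audit_ssh_restrictions(SSHD_CONFIG, PAM_SSHD) or ["both controls present"])
```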

Timekeeping

Since Active Directory logins rely on good timekeeping and Active Directory servers are already NTP servers, we might as well make sure our clock stays in sync.

#yum install chrony
#vi /etc/chrony.conf

Assuming you have created a DNS CNAME called ntp that points to dc1 or dc2, update the following lines:

# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.fedora.pool.ntp.org iburst
#server 1.fedora.pool.ntp.org iburst
#server 2.fedora.pool.ntp.org iburst
#server 3.fedora.pool.ntp.org iburst
server ntp


Page 19

Troubleshooting:

Check that Dovecot is listening for connections:

telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.

If you got "connection refused", check that pop3 is included in the protocols setting in dovecot.conf. Also check that the listen setting is *.

Next check that it also works from a remote host:

# telnet imap.example.com 110
Trying 1.2.3.4...
Connected to imap.example.com.
Escape character is '^]'.
+OK Dovecot ready.

Check that it's allowing logins:

# telnet localhost 110
user username
pass password

Replace the username and password with the ones you added to passwd.dovecot in Basic Configuration.

You should get an "+OK Logged in." reply. If you get an "Authentication failed" error, set auth_verbose = yes and auth_debug = yes in dovecot.conf, restart Dovecot and try again. The log file should now show enough information to help you fix the problem.


Page 20

Check that it's allowing remote logins

You'll need to try this from another computer, since all local IPs are treated as secure:

# telnet imap.example.com 110
user username
pass password

If the connection is hanging instead of giving +OK Dovecot ready, you have a firewall that's preventing the connections.

Otherwise, the only difference here compared to the step above is that you might get:

-ERR Plaintext authentication disabled.

If this is the case, you didn't set disable_plaintext_auth = no. You could alternatively use OpenSSL to test that the server works with SSL (assuming you've already set it up):

# openssl s_client -connect imap.example.com:995
+OK Dovecot ready.

Check that it finds the mails

After logging in, check that it sees mails:

stat
+OK 1 1532
retr 1
+OK 1532 octets
<the mail's contents>
.

It should contain the mail that you sent to yourself in the FindMailLocation step.

If anything goes wrong, set mail_debug = yes and try again. The log file should now contain debugging information about where Dovecot is trying to find the mails. Fix the mail_location setting and try again.
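The telnet checks above are easy to script so they can be repeated after every configuration change. The following added example (not part of the original document) performs the same POP3 exchange and maps what it observes onto the diagnoses given above: connection refused (pop3 missing from protocols, or listen), a hang (firewall), "-ERR Plaintext authentication disabled." (disable_plaintext_auth), and an authentication failure. Because the script must run offline, it includes a constructed stand-in for Dovecot that answers with the same replies; the username, the password "secret" and the "+OK 1 1532" STAT reply are constructed.

```python
"""Scripted version of the telnet checks for Dovecot's POP3 service.

Added example, not part of the original document. start_fake_pop3() is a
constructed stand-in for Dovecot so the check can run without a server.
"""
import socket
import threading


def pop3_check(host, port, username, password, timeout=5.0):
    """Return 'refused', 'hang', 'plaintext-disabled', 'auth-failed',
    'ok: <STAT reply>' or the unexpected greeting line."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"          # check protocols includes pop3 and listen = *
    except socket.timeout:
        return "hang"             # a firewall is dropping the connection
    with sock, sock.makefile("rb") as rf, sock.makefile("wb") as wf:
        def exchange(command=None):
            if command is not None:
                wf.write(command.encode() + b"\r\n")
                wf.flush()
            return rf.readline().decode(errors="replace").rstrip("\r\n")

        greeting = exchange()
        if not greeting.startswith("+OK"):
            return greeting
        reply = exchange("USER " + username)
        if reply.startswith("+OK"):
            reply = exchange("PASS " + password)
        if "Plaintext authentication disabled" in reply:
            return "plaintext-disabled"   # disable_plaintext_auth = no not set
        if reply.startswith("-ERR"):
            return "auth-failed"          # set auth_verbose = yes, auth_debug = yes
        stat = exchange("STAT")
        exchange("QUIT")
        return "ok: " + stat


def start_fake_pop3(mode="open", password="secret"):
    """Serve one POP3 connection on 127.0.0.1 and return the port. mode
    'no-plaintext' mimics Dovecot refusing plaintext logins."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        listener.close()
        with conn, conn.makefile("rb") as rf, conn.makefile("wb") as wf:
            def send(line):
                wf.write(line.encode() + b"\r\n")
                wf.flush()
            send("+OK Dovecot ready.")
            for raw in rf:
                verb, _, arg = raw.decode().strip().partition(" ")
                verb = verb.upper()
                if verb == "USER":
                    send("-ERR Plaintext authentication disabled." if mode == "no-plaintext" else "+OK")
                elif verb == "PASS":
                    send("+OK Logged in." if arg == password else "-ERR Authentication failed.")
                elif verb == "STAT":
                    send("+OK 1 1532")            # constructed: one message, 1532 octets
                elif verb == "QUIT":
                    send("+OK Logging out.")
                    break
                else:
                    send("-ERR Unknown command.")

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """Bind and release a port so that connecting to it is refused (test aid)."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    print(pop3_check("127.0.0.1", start_fake_pop3("open"), "username", "secret"))
    print(pop3_check("127.0.0.1", start_fake_pop3("no-plaintext"), "username", "secret"))
```

Against a real server call `pop3_check("imap.example.com", 110, "username", "password")` from a remote host, since local addresses are treated as secure and will not show the plaintext-authentication refusal.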


Page 21

Check that real mail clients work:

Since mail clients can be configured in various ways, please check first whether the problem is with the Dovecot configuration or with the client's configuration. You can rule out it being Dovecot's problem with the "telnet" methods described above.

If you can't log in:

Make sure the SSL/TLS settings are correct.
Make sure the client uses the plaintext authentication method, unless you've specifically configured Dovecot to accept others.

Many POP3 clients have been tested with Dovecot and they work.

Make a graceful exit:

To close the connection to Dovecot, issue a logout:

quit
+OK Logging out.