How To Setup a Firewalled DMZ running Exim4 (MTA), Dovecot (IMAP), and using Thunderbird as a client (2014)

Posted: March 29, 2014

This is a work in progress detailing the installation and setup of a Debian Stable (Wheezy, March 23, 2014) server in a firewalled DMZ running Exim4 (MTA), Dovecot (IMAP), and using Thunderbird as a client. Preliminary testing has all components working, with one issue with outbound email to the net; that issue may be the ISP blocking or delaying port 25 outbound, as all the local parts work (according to testing and the logs). The firewall is not detailed here, but is presumed to be running Shorewall. The DNAT and ACCEPT rules listed below will apply to any Linux firewall with proper tweaking.

!!!
************************************
* To Start: TEST OUTBOUND PORT 25
************************************
!!!

* FIRST: Pick a known working internet mail server. Substitute its name or IP address below, where you see "mail.goodexample.com", then run this command from a machine that is not firewalled from port 25:

    tcptraceroute mail.goodexample.com 25

* If that trace does not end with your known working mail server (e.g. mail.goodexample.com), port 25 outbound is blocked and you will NOT BE ABLE TO SEND INTERNET MAIL on port 25. You can receive it, and manage local mail, but until that port is open, you cannot send out internet mail.
!!!
Example of a FAILED (blocked) trace on port 25 <== Results like this mean your port 25 outbound is blocked and you will NOT be able to send internet email. The sent email will fail with little or no notice.

     1  192.168.1.1 (192.168.1.1)  0.668 ms  0.652 ms  0.675 ms
     2  123.123.123.123 (123.123.123.123)  2.487 ms  2.501 ms  2.507 ms
     3  * * *
     4  * * *
     5  * * *
     6  * * *
     7  * * *
    ...
    28  * * *
    29  * * *
    30  * * *
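To make that port-25 check scriptable, here is an added example (not from the original write-up) that reads a saved tcptraceroute transcript and decides whether the trace actually ended at the mail server. The two sample transcripts, the 203.0.113.25 address and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original write-up: classify a saved
# tcptraceroute transcript so the port-25 check can be scripted instead
# of eyeballed. Reads the trace on stdin; the target host (name or IP) is $1.
# Exit 0 = trace ended at the target with the port open,
#      2 = target reached but the port answered closed,
#      1 = the trace never reached the target (outbound 25 is blocked,
#          or some other host is answering in its place).
port25_trace_ok() {
    target="$1"
    # Keep numbered hop lines, drop hops that only timed out ("* * *"),
    # and look at the last hop that actually answered.
    last=$(grep -E '^ *[0-9]+ ' | grep -Ev '^ *[0-9]+( +\*){3} *$' | tail -n 1)
    case "$last" in
        *"$target"*"[closed]"*) return 2 ;;
        *"$target"*)            return 0 ;;
    esac
    return 1
}

# Constructed transcripts (not real hosts): the blocked one mirrors the
# failed trace above; the good one ends at the mail server with [open].
blocked_trace() {
    cat <<'EOF'
 1  192.168.1.1 (192.168.1.1)  0.668 ms  0.652 ms  0.675 ms
 2  123.123.123.123 (123.123.123.123)  2.487 ms  2.501 ms  2.507 ms
 3  * * *
30  * * *
EOF
}
good_trace() {
    cat <<'EOF'
 1  192.168.1.1 (192.168.1.1)  0.668 ms  0.652 ms  0.675 ms
 2  123.123.123.123 (123.123.123.123)  2.487 ms  2.501 ms  2.507 ms
 3  mail.goodexample.com (203.0.113.25) [open]  14.2 ms  14.0 ms  14.1 ms
EOF
}

# Stand-alone demo: run both transcripts through the check.
for t in blocked_trace good_trace; do
    if $t | port25_trace_ok mail.goodexample.com; then
        echo "$t: port 25 outbound reached the mail server"
    else
        echo "$t: port 25 outbound did NOT reach the mail server"
    fi
done
```

With a real run, save the output first (tcptraceroute mail.goodexample.com 25 > trace.txt) and feed it in with port25_trace_ok mail.goodexample.com < trace.txt.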
************************************
* SHOREWALL FIREWALL & DYNAMIC IP MANAGEMENT
* Run on firewall
************************************
* dmzone is the DMZ internet available servers zone, firewalled from everything, with explicit exceptions

* Edit /etc/shorewall/rules (columns: ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT). In the ddclient rule, replace 123.123.123.123 with your Domain Registry's Dynamic DNS Server IP Address, the address you set in the ddclient config.

    #ddclient
    ACCEPT  $FW     net:123.123.123.123     tcp     https

    #### HTTP Port Forwards to DMZ #####
    #inbound net http.
    DNAT    net     dmzone:192.168.2.10:80  tcp     80
    DNAT    net     dmzone:192.168.2.10:80  udp     80

    #************
    #DMZ & Local1 visibility
    #***********

    #imap & imaps
    #imap
    DNAT    net     dmzone:192.168.2.10:143 tcp     143
    #imaps
    DNAT    net     dmzone:192.168.2.10:993 tcp     993
    DNAT    net     dmzone:192.168.2.10:587 tcp     587
    ACCEPT  dmzone  net     tcp     587     -

    ACCEPT  dmzone  local1  tcp     143     -
    ACCEPT  dmzone  local1  tcp     993     -
    ACCEPT  local1  dmzone  tcp     143     -
    ACCEPT  local1  dmzone  tcp     993     -
    ACCEPT  dmzone  local1  tcp     587     -
    ACCEPT  local1  dmzone  tcp     587     -

    #SMTP
    ACCEPT  dmzone  local1  tcp     25      -
    ACCEPT  local1  dmzone  tcp     25      -
    ACCEPT  dmzone  net     tcp     25      -
    # SMTP mail server
    DNAT    net     dmzone:192.168.2.10:25  tcp     25

    #SMTPS
    ACCEPT  dmzone  local1  tcp     465     -
    ACCEPT  local1  dmzone  tcp     465     -
    ACCEPT  dmzone  net     tcp     465     -
    DNAT    net     dmzone:192.168.2.10:465 tcp     465

    #### EOF DMZ Port Forwards ####

    #NNTP
    #ACCEPT dmzone  net     tcp     119     -
    #ACCEPT net     dmzone  tcp     119     -
    #ntp
    ACCEPT  dmzone  net     udp     123     -
    ACCEPT  net     dmzone  udp     123     -

    #NNTPS
    ACCEPT  dmzone  net     tcp     563     -
    ACCEPT  net     dmzone  tcp     563     -

    #ssh http ping dmzone <--> local1
    ACCEPT  dmzone  local1  icmp    8       -
    ACCEPT  local1  dmzone  tcp     ssh     -
    ACCEPT  local1  dmzone  udp     ssh     -
    ACCEPT  local1  dmzone  tcp     http    -
    ACCEPT  local1  dmzone  udp     http    -
    ACCEPT  local1  dmzone  icmp    8       -

    #spamd
    ##ACCEPT dmzone net     tcp     2703
    #

    #ssh http ping dmzone <--> net
    ACCEPT  dmzone  net     tcp     ssh     -
    ACCEPT  dmzone  net     udp     ssh     -
    ACCEPT  dmzone  net     tcp     http    -
    ACCEPT  dmzone  net     udp     http    -
    ACCEPT  dmzone  net     tcp     https   -
    ACCEPT  dmzone  net     udp     https   -
    ACCEPT  dmzone  net     icmp    8       -
    ACCEPT  dmzone  net     udp     53      -
************************************
* Edit /etc/ddclient.conf: <=== This example shows namecheap.com; replace it with your own Dynamic DNS service, and set their IP in the line "#ddclient ACCEPT $FW net:123.123.123.123 tcp https" above
************************************

    protocol=namecheap
    use=if, if=ppp0
    pid=/var/run/ddclient.pid
    cache=/tmp/ddclient.cache
    daemon=300
    syslog=yes
    ssl=yes
    server=dynamicdns.park-your-domain.com
    login=example.org
    password=[A_String_You_Get_From_NameCheap]
    @,mail,www
==============================
on Firewall: /var/log/syslog
==============================

    Mar 20 06:54:42 YourFirewall ddclient[4888]: SUCCESS: updating @: good: IP address set to 123.321.132.321      <== Your current IP address from your ISP
    Mar 20 06:54:42 YourFirewall ddclient[4888]: SUCCESS: updating mail: good: IP address set to 123.321.132.321
    Mar 20 06:54:42 YourFirewall ddclient[4888]: SUCCESS: updating www: good: IP address set to 123.321.132.321
************************************
* Setting up Email
* Run on the DMZ_1 box
************************************
* DDClient manages the dynamic DNS IP settings
* Apache2 web server
* Exim4 is the MTA/mail server, set to use maildir: each message is stored in a separate file within a directory
* Dovecot is the IMAP server
* Various Shorewall rules need to be set.
* Versions used here:
  * exim4 V: 4.80-7
  * dovecot
  * OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e
===============================
Namecheap.com example.org Mail settings:
===============================
Check the box: "user (Mail server's host name rqd)"
host name = "@", mail server host name = "mail.example.org", MX pref = "10", ttl = 1800
Sub-Domain setting = "mail", ip address = current one = "123.123.123.123" <== will get updated by ddclient; A record, ttl = 600 <= main example.org record
ditto for host name = "www"
============================
* Install diagnostic tools
============================

    apt-get install swaks libnet-ssleay-perl

* Example test message (won't work yet; use freely to test once exim4 has been installed):

    swaks -a -tls -q HELO -s localhost -au Debian_exim -ap '<>'
===============================
https://wiki.debian.org/Exim
===============================
!!! READ /usr/share/doc/exim4-base/README.Debian.gz or https://pkg-exim4.alioth.debian.org/README/README.Debian (same doc) !!!
Add a user "test3" and record the password. The adduser must create a home dir /home/test3.
Debian's exim4 package has two mutually exclusive config file methods: a monolithic template file and a split array of files. The monolithic template single file method is used here. To apply these examples with the split file method, translate them into the corresponding split files (like 00_abc.conf), the macros, or the rules in the template.
/etc/exim4/exim4.conf.localmacros is read before /etc/exim4/exim4.conf.template
First pass:

    apt-get install exim4-daemon-heavy
    dpkg-reconfigure exim4-config

This writes the configuration to /etc/exim4/update-exim4.conf.conf
https://wiki.debian.org/MaildirConfiguration
============================
dpkg-reconfigure exim4-config
============================
General type of mail configuration: internet site; mail is sent and received directly using SMTP.
System mail name: yourdomain.com
IP-addresses to listen on for incoming SMTP connections: // 0.0.0.0 for all, or leave blank
Other destinations for which mail is accepted: @.example.org, mail.example.org, example.org
Domains to relay mail for: // leave blank
Machines to relay mail for: // leave blank
Keep number of DNS-queries minimal (Dial-on-Demand)?: No
Delivery method for local mail: Maildir format in home directory <== apparently required for imap
Split configuration into small files?: No
============================
Generate exim.crt and exim.key in /etc/exim4/
============================
* Create a self signed SSL certificate for Exim, sufficient for secure encrypted connections. Buy a trusted certificate for secure identification.

    bash /usr/share/doc/exim4-base/examples/exim-gencert

* Enter the hostname of your MTA at the Common Name (CN) prompt!

    Generating a 1024 bit RSA private key
    .................++++++
    .......................++++++
    writing new private key to '/etc/exim4/exim.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Code (2 letters) [US]:
    State or Province Name (full name) []:YourState
    Locality Name (eg, city) []:YourCity
    Organization Name (eg, company; recommended) []:example
    Organizational Unit Name (eg, section) []:exim_example
    Server name (eg. ssl.domain.tld; required!!!) []:example.org
    Email Address []:exim@example.org

* Done generating self signed certificates for exim. Refer to the documentation and example configuration files
***********************
* Test basic installation
***********************
* exim -bV will show the configuration file in use is /var/lib/exim4/config.autogenerated

    exim4 -bV
    Exim version 4.80 #2 built 02-Jan-2013 18:59:17
    Copyright (c) University of Cambridge, 1995 - 2012
    (c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2012
    Berkeley DB: Berkeley DB 5.1.29: (October 25, 2011)
    Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DKIM Old_Demime
    Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
    Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
    Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
    Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
    Fixed never_users: 0
    Size of off_t: 8
    Configuration file is /var/lib/exim4/config.autogenerated
* Use swaks to generate a test email

    swaks -f test3@example.org -t test3@example.org
    === Trying mail.example.org:25...
    === Connected to mail.example.org.
    <-  220 DmzServerBox1 ESMTP Exim 4.80 Fri, 21 Mar 2014 19:16:54 -0400
     -> EHLO DmzServerBox1
    <-  250-DmzServerBox1 Hello example.org [192.168.2.10]
    <-  250-SIZE 52428800
    <-  250-8BITMIME
    <-  250-PIPELINING
    <-  250 HELP
     -> MAIL FROM:<test3@example.org>
    <-  250 OK
     -> RCPT TO:<test3@example.org>
    <-  250 Accepted
     -> DATA
    <-  354 Enter message, ending with "." on a line by itself
     -> Date: Fri, 21 Mar 2014 19:16:53 -0400
     -> To: test3@example.org
     -> From: test3@example.org
     -> Subject: test Fri, 21 Mar 2014 19:16:53 -0400
     -> X-Mailer: swaks v20120320.0 jetmore.org/john/code/swaks/
     ->
     -> This is a test mailing
     ->
     -> .
    <-  250 OK id=1WR8gI-00041z-4k
     -> QUIT
    <-  221 DmzServerBox1 closing connection
    === Connection closed with remote host.
Without TLS, the local mail works. The Maildir receives the test3 emails sent by 'mail' or 'swaks' on the LOCAL machine (DmzServerBox1), but NOT those sent with 'mail' from another local workstation to test3@example.org.
============================
* handy exim4 debug command
============================

    /etc/init.d/exim4 stop
    exim4 -bd -d
!!!
* DO NOT DO THIS PART UNTIL EXIM IS WORKING WITHOUT TLS
!!!
{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{
============================
* Enable TLS support in mail transfer agent
* Use exim4.conf.localmacros, per /usr/share/doc/exim4-base/
============================

    nano /etc/exim4/exim4.conf.localmacros

* add the following lines (the tls_on_connect_ports line supports borked MS mailer tls)

    MAIN_TLS_ENABLE = yes
    tls_on_connect_ports = 465

    nano /etc/default/exim4

* add the line (supports borked MS mailer tls)

    SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'

    update-exim4.conf
    /etc/init.d/exim4 restart
    exim4 -bV                                            <== will show the generated config file, usually /var/lib/exim4/config.autogenerated
    grep tls_on /var/lib/exim4/config.autogenerated      <== will show "tls_on_connect_ports = 465"

* /var/log/exim4/mainlog should now contain a line like:

    exim 4.80 daemon started: pid=17599, -q30m, listening for SMTP on port 25 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)

============================
* SMTP authentication to access the sending capabilities of Exim4.
============================
* Set an SMTP username and password in the mail clients (Outlook 2007, Thunderbird etc.)
* To authenticate against system passwords (e.g. /etc/shadow) add the exim user (Debian-exim) to the sasl group. <== This is not a great idea; you may want to implement user passwords another way, but for testing this works. Remove the users from group sasl in that case.

    adduser Debian-exim sasl
    adduser dovecot sasl
============================
* Dovecot setup
============================
viz: https://wiki2.dovecot.org/PasswordDatabase/PAM & https://wiki2.dovecot.org/RunningDovecot
https://help.ubuntu.com/community/Dovecot
* verify that /etc/pam.d/dovecot contains:

    auth    required    pam_unix.so
    account required    pam_unix.so
============================
Edit /etc/exim4/exim4.conf.template
============================
* Insert near the bottom of the file (in the authenticators section)

    dovecot_login:
      driver = dovecot
      public_name = LOGIN
      # server_socket = /var/run/dovecot/auth-userdb
      server_socket = /var/run/dovecot/auth-client
      server_set_id = $auth1

    dovecot_plain:
      driver = dovecot
      public_name = PLAIN
      # server_socket = /var/run/dovecot/auth-userdb
      server_socket = /var/run/dovecot/auth-client
      server_set_id = $auth1

============================
* Edit the dovecot config files.
============================
* Edit the file /etc/dovecot/conf.d/10-master.conf and in the service auth { stanza, add

    #SASL (Dovecot auth-client)
    unix_listener auth-client {
      mode = 0666    <== if you sort out the right users and add them to the right groups, you can use 0660
      user = mail
    }
* Edit the file /etc/dovecot/conf.d/10-auth.conf and set

    auth_mechanisms = plain login

* Edit the file /etc/dovecot/conf.d/10-mail.conf and uncomment (comment out the current setting first)

    mail_location = maildir:~/Maildir

* Edit the file /etc/dovecot/conf.d/10-logging.conf and enable (uncomment & set to yes) authentication, verbose and debug logs <== Once working, return to this file and disable logging

* Edit the file /etc/dovecot/conf.d/10-ssl.conf

    ssl = yes
* Report where Dovecot logging files are located:

    doveadm log find

* Automatically create the Maildir for future users: <=== This may be unnecessary; if it proves so, simply delete the /etc/skel/Maildir files later

    maildirmake.dovecot /etc/skel/Maildir
    maildirmake.dovecot /etc/skel/Maildir/.Drafts
    maildirmake.dovecot /etc/skel/Maildir/.Sent
    maildirmake.dovecot /etc/skel/Maildir/.Trash
    maildirmake.dovecot /etc/skel/Maildir/.Templates

* Manually create the Maildir for existing users (e.g. "myuser"):

    cp -r /etc/skel/Maildir /home/myuser/
    chown -R myuser:usergroup /home/myuser/Maildir
    chmod -R 700 /home/myuser/Maildir
============================
* Testing TLS, SMTP-AUTH, & Dovecot
============================

* Handy debugging and information tools:

    telnet localhost imap2        <== Shows IMAP is working and capabilities
    Trying ::1...
    Connected to localhost.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
    ^]
    telnet> q
    Connection closed.
* Run Exim in the foreground with debugging, specifying the config file: <== Very Handy

    exim4 -bd -d -C /var/lib/exim4/config.autogenerated

* Add a new user, "test3" (don't set the login to anything; it is safer). You shouldn't need to hand fix any mail directories. Record the password and use it below.
* Create a new account in Thunderbird, name='test3', email='test3@example.org', password=user account pw. Thunderbird will reply "configuration found by trying common server names", "incoming: IMAP, mail.example.org, STARTTLS", "outgoing: SMTP, mail.example.org, STARTTLS"
* Add a new user, "test4". Record the password and use it below.
* Create a new account in Thunderbird, name='test4', email='test4@example.org', password=user account pw
* Use Thunderbird to send an email from test4@example.org to test3@example.org. This should work. The account may first warn of the insecure outbound connection, and after accepting the self-signed certificate, report that it can send email.
* Use the test3 account made above in Thunderbird, and 'get mail'. Inspect /home/test3/Maildir/new: the email has arrived in the /home/test3/Maildir/new dir, and the sent copy was written to /home/test3/mail/Sent.
/var/log/exim4/mainlog contains lines like:

    2014-03-22 10:23:15 1WRMpP-0004d3-Ky <= test4@example.org H=([192.168.1.2]) [192.168.1.2] P=esmtps X=TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128 S=569 id=532D9CD2.2090308@example.org
    2014-03-22 10:23:15 1WRMpP-0004d3-Ky => test3 R=local_user T=maildir_home

/var/log/mail.info shows something like:

    Mar 22 11:24:18 DmzServerBox1 dovecot: imap-login: Login: user=, method=PLAIN, rip=192.168.1.2, lip=192.168.2.10, mpid=19225, TLS, session=
* Look at the verbose logging in the console where you ran "exim4 -bd -d -C /var/lib/exim4/config.autogenerated"; in the long list you should see something like "250-AUTH PLAIN LOGIN CRAM_MD5". The "AUTH" tells you that exim4 is advertising Authentication. Absent that line, outbound email to the net fails with a 550 Relay error.
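The dovecot_plain and dovecot_login authenticators added above carry no server_advertise_condition, so that AUTH line is offered to clients whether or not they have started TLS; a client configured for plain SMTP would then send its password in the clear. The added script below (not from the original write-up) audits Exim mainlog "<=" lines for exactly that: Exim logs X=TLS... when the session was encrypted and A=<authenticator>:<user> when the client authenticated, so A= without X= is a cleartext login. The first sample line is the one shown above; the other lines, the ids and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit Exim mainlog
# "<=" (message accepted) lines for credentials that were sent in the
# clear. Exim logs X=TLS... for an encrypted session and A=<auth> when
# the client authenticated; A= without X= means PLAIN/LOGIN went over an
# unencrypted connection. Reads mainlog lines on stdin and prints one
# line per remote submission: id, host, tls, auth, verdict.
audit_submissions() {
    awk '
    $4 == "<=" {
        host = "?"; tls = "no"; auth = "none"
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^H=/)          host = $i
            else if ($i ~ /^X=TLS/)  tls = "yes"
            else if ($i ~ /^A=/)     auth = substr($i, 3)
            else if ($i == "P=local") next   # locally generated, no network session
        }
        verdict = (auth != "none" && tls == "no") ? "CLEARTEXT-AUTH" : "ok"
        print $3, host, "tls=" tls, "auth=" auth, verdict
    }'
}

# Count of flagged sessions, usable as a check from a script.
cleartext_auth_count() {
    audit_submissions | grep -c 'CLEARTEXT-AUTH$' || true
}

# Constructed sample: the first line is the one shown in the write-up;
# the rest are made up to exercise each branch (local, cleartext auth,
# TLS + auth).
sample_mainlog() {
    cat <<'EOF'
2014-03-22 10:23:15 1WRMpP-0004d3-Ky <= test4@example.org H=([192.168.1.2]) [192.168.1.2] P=esmtps X=TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128 S=569 id=532D9CD2.2090308@example.org
2014-03-22 10:23:15 1WRMpP-0004d3-Ky => test3 R=local_user T=maildir_home
2014-03-22 10:30:01 1WRMvk-0004e1-Qz <= test3@example.org U=test3 P=local S=412
2014-03-22 10:41:07 1WRN6T-0004f7-Lp <= test4@example.org H=([192.168.1.2]) [192.168.1.2] P=esmtpa A=dovecot_plain:test4 S=590 id=EXAMPLE1@example.org
2014-03-22 10:45:19 1WRNAZ-0004g2-Mw <= test4@example.org H=([192.168.1.2]) [192.168.1.2] P=esmtpsa X=TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128 A=dovecot_login:test4 S=601 id=EXAMPLE2@example.org
EOF
}

# Stand-alone demo over the constructed sample.
sample_mainlog | audit_submissions
```

On the DMZ box itself, run audit_submissions < /var/log/exim4/mainlog; any CLEARTEXT-AUTH line names a client account whose password crossed the network unencrypted.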
* When you are done debugging, kill the "exim4 -bd -d -C /var/lib/exim4/config.autogenerated" instance with ^C, and from /etc/init.d invoke "./exim4 start" to restart exim4. Invoke "./dovecot stop" and edit the /etc/dovecot/conf.d/10-logging.conf file to comment out the Authentication, Debugging and verbose lines to disable dovecot logging. Now from /etc/init.d invoke "./dovecot start" to restart dovecot. You should be in production.

!!!
* EOF DO NOT DO THIS PART UNTIL EXIM IS WORKING WITHOUT TLS
!!!
}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}