Appal.org

How To Set Up a Firewalled DMZ running Exim4 (MTA), Dovecot (IMAP), and using Thunderbird as a client (2014)
Posted: March 29, 2014
This is a work in progress detailing the installation and setup of a Debian Stable (Wheezy, March 23, 2014) server in a firewalled DMZ running Exim4 (MTA), Dovecot (IMAP), and using Thunderbird as a client. Preliminary testing
has all components working, with one issue with outbound email to the net; that issue may be the ISP blocking or delaying port 25 outbound, as all the local parts work (according to testing and the logs).

The firewall is not detailed here, but is presumed to be running Shorewall.
The DNAT and ACCEPT rules listed below will apply to any Linux firewall with proper tweaking.


!!!
************************************
* To Start: TEST OUTBOUND PORT 25
************************************
!!!
* FIRST: Pick a known working internet mail server. Substitute its name or IP address below, where you see "mail.goodexample.com",
then run this command from a machine that is not firewalled from port 25:
tcptraceroute mail.goodexample.com 25
* If that trace does not end at your known working mail server (e.g.: mail.goodexample.com),
port 25 outbound is blocked and you will NOT BE ABLE TO SEND INTERNET MAIL on port 25.
You can receive it, and manage local mail, but until that port is open, you cannot send out internet mail.
!!!

Example of a FAILED (blocked) trace on port 25 <== Results like this mean your port 25 outbound is
blocked and you will NOT be able to send internet email. The sent email will fail with little or no notice.
1 192.168.1.1 (192.168.1.1) 0.668 ms 0.652 ms 0.675 ms
2 123.123.123.123 (123.123.123.123) 2.487 ms 2.501 ms 2.507 ms
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
...
28 * * *
29 * * *
30 * * *



************************************
* SHOREWALL FIREWALL & DYNAMIC IP MANAGEMENT
* Run on firewall
************************************
* dmzone is the zone for the DMZ servers reachable from the internet; it is firewalled from everything,
with explicit exceptions

* Edit /etc/shorewall/rules (columns: ACTION, SOURCE, DEST, PROTO, DEST PORT, SOURCE PORT; the file is tab separated, shown here with spaces)
#ddclient
# Replace 123.123.123.123 with your Domain Registry's Dynamic DNS Server IP address,
# the address you set in the ddclient config
ACCEPT  $FW     net:123.123.123.123       tcp   https

#### HTTP Port Forwards to DMZ #####
#inbound net http.
DNAT    net     dmzone:192.168.2.10:80    tcp   80
DNAT    net     dmzone:192.168.2.10:80    udp   80

#************
#DMZ & Local1 visibility
#***********

#imap & imaps
#imap
DNAT    net     dmzone:192.168.2.10:143   tcp   143
#imaps
DNAT    net     dmzone:192.168.2.10:993   tcp   993
#submission
DNAT    net     dmzone:192.168.2.10:587   tcp   587
ACCEPT  dmzone  net     tcp   587   -

ACCEPT  dmzone  local1  tcp   143   -
ACCEPT  dmzone  local1  tcp   993   -

ACCEPT  local1  dmzone  tcp   143   -
ACCEPT  local1  dmzone  tcp   993   -

ACCEPT  dmzone  local1  tcp   587   -
ACCEPT  local1  dmzone  tcp   587   -

#SMTP
ACCEPT  dmzone  local1  tcp   25    -
ACCEPT  local1  dmzone  tcp   25    -
ACCEPT  dmzone  net     tcp   25    -

# SMTP mail server
DNAT    net     dmzone:192.168.2.10:25    tcp   25

#SMTPS
ACCEPT  dmzone  local1  tcp   465   -
ACCEPT  local1  dmzone  tcp   465   -
ACCEPT  dmzone  net     tcp   465   -
DNAT    net     dmzone:192.168.2.10:465   tcp   465

#### EOF DMZ Port Forwards ####

#NNTP
#ACCEPT dmzone  net     tcp   119   -
#ACCEPT net     dmzone  tcp   119   -
#NTP
ACCEPT  dmzone  net     udp   123   -
ACCEPT  net     dmzone  udp   123   -

#NNTPS
ACCEPT  dmzone  net     tcp   563   -
ACCEPT  net     dmzone  tcp   563   -

#ssh http ping dmzone <--> local1
ACCEPT  dmzone  local1  icmp  8     -
ACCEPT  local1  dmzone  tcp   ssh   -
ACCEPT  local1  dmzone  udp   ssh   -
ACCEPT  local1  dmzone  tcp   http  -
ACCEPT  local1  dmzone  udp   http  -
ACCEPT  local1  dmzone  icmp  8     -

#spamd
##ACCEPT dmzone net     tcp   2703
#

#ssh http ping dmzone <--> net
ACCEPT  dmzone  net     tcp   ssh   -
ACCEPT  dmzone  net     udp   ssh   -
ACCEPT  dmzone  net     tcp   http  -
ACCEPT  dmzone  net     udp   http  -
ACCEPT  dmzone  net     tcp   https -
ACCEPT  dmzone  net     udp   https -
ACCEPT  dmzone  net     icmp  8     -
ACCEPT  dmzone  net     udp   53    -
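Once the rules file has grown this long it is easy to lose track of what the internet can actually reach on the DMZ host. The following audit script is an added example, not part of the original post or of Shorewall: it parses rules in the format above (the sample is a constructed excerpt) and lists every port that `net` is allowed in to, so you can compare it against the short list of mail and web ports you meant to expose.

```python
"""Audit which DMZ ports a Shorewall rules file exposes to the internet."""
import re

# Constructed excerpt in the format of the rules above (tabs shown as spaces).
SAMPLE_RULES = """\
#ddclient
ACCEPT  $FW   net:123.123.123.123       tcp   https
#inbound net http
DNAT    net   dmzone:192.168.2.10:80    tcp   80
DNAT    net   dmzone:192.168.2.10:143   tcp   143
DNAT    net   dmzone:192.168.2.10:993   tcp   993
DNAT    net   dmzone:192.168.2.10:587   tcp   587
DNAT    net   dmzone:192.168.2.10:25    tcp   25
DNAT    net   dmzone:192.168.2.10:465   tcp   465
#ACCEPT net   dmzone  tcp   119   -
ACCEPT  net   dmzone  udp   123   -
ACCEPT  net   dmzone  tcp   563   -
ACCEPT  dmzone net    tcp   ssh   -
"""

def parse_rules(text):
    """Yield (action, source, dest, proto, dport) for each active rule line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 5:
            continue
        action, src, dst, proto, dport = fields[:5]
        yield action.upper(), src, dst, proto.lower(), dport

def exposed_from_net(text):
    """Return {(proto, dport): target} for every rule that lets 'net' into the DMZ."""
    exposed = {}
    for action, src, dst, proto, dport in parse_rules(text):
        if src != "net":
            continue
        if action == "DNAT":
            # DNAT dest is zone:ip[:port]; the internal port may differ from dport
            m = re.match(r"^(\w+):([\d.]+)(?::(\d+))?$", dst)
            if not m or m.group(1) != "dmzone":
                continue
            target = f"{m.group(2)}:{m.group(3) or dport}"
        elif action == "ACCEPT" and dst == "dmzone":
            target = "dmzone"
        else:
            continue
        exposed[(proto, dport)] = target
    return exposed

def unexpected_exposure(text, allowed):
    """Ports reachable from the internet that are not on the allow-list."""
    return sorted(k for k in exposed_from_net(text) if k not in allowed)
```

Run `unexpected_exposure(open("/etc/shorewall/rules").read(), allowed)` on the firewall with your own allow-list; in the sample it reports the inbound NTP and NNTPS rules, which are not needed for a mail and web DMZ.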


************************************
* Edit /etc/ddclient.conf: <===This example shows namecheap.com;
replace it with your own Dynamic DNS service, and set their IP in the "#ddclient" rule (ACCEPT $FW net:123.123.123.123 tcp https) above

protocol=namecheap
use=if, if=ppp0
pid=/var/run/ddclient.pid
cache=/tmp/ddclient.cache
daemon=300
syslog=yes
ssl=yes
server=dynamicdns.park-your-domain.com
login=example.org
password=[A_String_You_Get_From_NameCheap]
@,mail,www

==============================

on Firewall: /var/log/syslog
Mar 20 06:54:42 YourFirewall ddclient[4888]: SUCCESS: updating @: good: IP address set to 123.321.132.321 <== Your current IP address from your ISP
Mar 20 06:54:42 YourFirewall ddclient[4888]: SUCCESS: updating mail: good: IP address set to 123.321.132.321
Mar 20 06:54:42 YourFirewall ddclient[4888]: SUCCESS: updating www: good: IP address set to 123.321.132.321



************************************
* Setting up Email
* Run on the DMZ_1 box
************************************
*DDClient manages the dynamic DNS IP settings
*Apache2 web server
*Exim4 is the MTA/mail server, set to use maildir — each message is stored in a separate file within a directory
*Dovecot is the IMAP server
*Various Shorewall rules need to be set.
*Versions used here:
* exim4 V: 4.80-7
* dovecot
* OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e


===============================
Namecheap.com example.org Mail settings:
===============================
Check the box: "user (Mail server's host name rqd"
host name = "@",
mail server host name "mail.example.org"
MX pref="10"
ttl=1800
Sub-Domain setting ="mail"
ip address = current one = "123.123.123.123" <==will get updated by ddclient
A record ttl = 600 <= main example.org record
ditto for host name = "www"


============================
* Install diagnostic tools
============================
apt-get install swaks libnet-ssleay-perl
swaks -a -tls -q HELO -s localhost -au Debian_exim -ap '<>' <== example test message (won't work yet; use freely to test once exim4 has been installed).


===============================
https://wiki.debian.org/Exim
===============================

!!!
READ /usr/share/doc/exim4-base/README.Debian.gz or https://pkg-exim4.alioth.debian.org/README/README.Debian (same doc)
!!!

Add a user "test3" and record the password. The adduser must create a home dir /home/test3.

Debian's exim4 package has two mutually exclusive config file methods: a monolithic
template file and a split array of files. The monolithic template (single file) method is
used here. To apply these examples with the split file method, translate the macros and the rules
in the template into the corresponding split files (e.g. 00_abc.conf).


/etc/exim4/exim4.conf.localmacros is read before /etc/exim4/exim4.conf.template

First pass:
apt-get install exim4-daemon-heavy
dpkg-reconfigure exim4-config
This writes the configuration to /etc/exim4/update-exim4.conf.conf

https://wiki.debian.org/MaildirConfiguration

============================
dpkg-reconfigure exim4-config
============================
General type of mail configuration: internet site; mail is sent and received directly using SMTP.
System mail name: yourdomain.com
IP-addresses to listen on for incoming SMTP connections: // 0.0.0.0 for all, or leave blank
Other destinations for which mail is accepted: @.example.org, mail.example.org, example.org
Domains to relay mail for: // leave blank
Machines to relay mail for: // leave blank
Keep number of DNS-queries minimal (Dial-on-Demand) ?: No
Delivery method for local mail: Maildir format in home directory <== apparently required for imap
Split configuration into small files ? :No

============================
Generate exim.crt and exim.key in /etc/exim4/
============================
* Create a self signed SSL certificate for Exim, sufficient for secure encrypted connections. Buy a trusted certificate for secure identification.
bash /usr/share/doc/exim4-base/examples/exim-gencert
* Enter the hostname of your MTA at the Common Name (CN) prompt!
Generating a 1024 bit RSA private key
.................++++++
.......................++++++
writing new private key to '/etc/exim4/exim.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Code (2 letters) [US]:
State or Province Name (full name) []:YourState
Locality Name (eg, city) []:YourCity
Organization Name (eg, company; recommended) []:example
Organizational Unit Name (eg, section) []:exim_example
Server name (eg. ssl.domain.tld; required!!!) []:example.org
Email Address []:exim@example.org
* Done generating self signed certificates for exim.
Refer to the documentation and example configuration files. <== Note that this script generates a 1024 bit RSA key, which is below today's minimums; regenerate with a longer key before going beyond testing.



***********************
* Test basic installation
***********************
*exim -bV will show the configuration file in use is /var/lib/exim4/config.autogenerated
exim4 -bV
Exim version 4.80 #2 built 02-Jan-2013 18:59:17
Copyright (c) University of Cambridge, 1995 - 2012
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2012
Berkeley DB: Berkeley DB 5.1.29: (October 25, 2011)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch
cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis
nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

*Use swaks to generate a test email
swaks -f test3@example.org -t
To: test3@example.org
=== Trying mail.example.org:25...
=== Connected to mail.example.org.
<- 220 DmzServerBox1 ESMTP Exim 4.80 Fri, 21 Mar 2014 19:16:54 -0400
-> EHLO DmzServerBox1
<- 250-DmzServerBox1 Hello example.org [192.168.2.10]
<- 250-SIZE 52428800
<- 250-8BITMIME
<- 250-PIPELINING
<- 250 HELP
-> MAIL FROM:<test3@example.org>
<- 250 OK
-> RCPT TO:<test3@example.org>
<- 250 Accepted
-> DATA
<- 354 Enter message, ending with "." on a line by itself
-> Date: Fri, 21 Mar 2014 19:16:53 -0400
-> To: test3@example.org
-> From: test3@example.org
-> Subject: test Fri, 21 Mar 2014 19:16:53 -0400
-> X-Mailer: swaks v20120320.0 jetmore.org/john/code/swaks/
->
-> This is a test mailing
->
-> .
<- 250 OK id=1WR8gI-00041z-4k
-> QUIT
<- 221 DmzServerBox1 closing connection
=== Connection closed with remote host.


Without TLS, local mail works. The Maildir receives the test3 emails sent by 'mail' or 'swaks' on the LOCAL machine (DmzServerBox1), but
NOT when 'mail' is used to send from another local workstation to test3@example.org.


============================
* handy exim4 debug command
============================
cd /etc/init.d
./exim4 stop
exim4 -bd -d

!!!
* DO NOT DO THIS PART UNTIL EXIM IS WORKING WITHOUT TLS
!!!
{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{


============================
* Enable TLS support in mail transfer agent
* Use exim4.conf.localmacros, per /usr/share/doc/exim4-base/
============================
nano /etc/exim4/exim4.conf.localmacros
* add the following lines (the tls_on_connect_ports... supports borked MS mailer tls)
MAIN_TLS_ENABLE = yes
tls_on_connect_ports = 465


nano /etc/default/exim4
* add the line (supports borked MS mailer tls)
SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'
update-exim4.conf
cd /etc/init.d
./exim4 restart
exim4 -bV <== will show the generated config file, usually /var/lib/exim4/config.autogenerated
grep tls_on /var/lib/exim4/config.autogenerated <== will show "tls_on_connect_ports = 465"
* /var/log/exim4/mainlog should now contain a line like:
exim 4.80 daemon started: pid=17599, -q30m, listening for SMTP on
port 25 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)


============================
* SMTP authentication to access the sending capabilities of Exim4.
============================
* Set an SMTP username and password in the mail clients (Outlook 2007, Thunderbird etc.)
To authenticate against system passwords (e.g. /etc/shadow) add the exim user (Debian-exim) and the dovecot user to the sasl group. <== This is not a great idea; you
may want to implement user passwords another way, but for testing this works. Remove the users from group sasl in that case.
adduser Debian-exim sasl
adduser dovecot sasl


============================
*Dovecot setup
============================
See: https://wiki2.dovecot.org/PasswordDatabase/PAM &
https://wiki2.dovecot.org/RunningDovecot
https://help.ubuntu.com/community/Dovecot

* verify that /etc/pam.d/dovecot contains:
auth required pam_unix.so
account required pam_unix.so


============================
Edit /etc/exim4/exim4.conf.template
============================
*Insert near the bottom of the file, in the authenticators section (after "begin authenticators")

dovecot_login:
  # hand the credentials to Dovecot, so Exim and Dovecot share one password database
  driver = dovecot
  public_name = LOGIN
  # auth-userdb is Dovecot's userdb lookup socket; SMTP AUTH needs the auth-client socket
  # server_socket = /var/run/dovecot/auth-userdb
  server_socket = /var/run/dovecot/auth-client
  # record the authenticated user (shows up as A=dovecot_login:user in mainlog)
  server_set_id = $auth1

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  # server_socket = /var/run/dovecot/auth-userdb
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

============================
*Edit the dovecot config files.
============================
* Edit the file /etc/dovecot/conf.d/10-master.conf and, in the service auth { stanza, add
#SASL (Dovecot auth-client)
unix_listener auth-client {
  # 0666 lets any local user talk to the auth socket; if you sort out the right
  # users and add them to the right groups, you can use 0660
  mode = 0666
  user = mail
}

* Edit the file /etc/dovecot/conf.d/10-auth.conf and set
auth_mechanisms = plain login

* Edit the file /etc/dovecot/conf.d/10-mail.conf and uncomment (comment
out the current setting first)
mail_location = maildir:~/Maildir

* Edit the file /etc/dovecot/conf.d/10-logging.conf and enable (uncomment & set to yes) authentication,
verbose and debug logs <== Once working, return to this file and disable logging

* Edit the file /etc/dovecot/conf.d/10-ssl.conf
ssl = yes

*Report where Dovecot logging files are located:
doveadm log find

*Automatically create the Maildir for future users: <=== This may be unnecessary; if it proves so, simply delete the /etc/skel/Maildir files later
maildirmake.dovecot /etc/skel/Maildir
maildirmake.dovecot /etc/skel/Maildir/.Drafts
maildirmake.dovecot /etc/skel/Maildir/.Sent
maildirmake.dovecot /etc/skel/Maildir/.Trash
maildirmake.dovecot /etc/skel/Maildir/.Templates

* Manually create the Maildir for existing users (e.g."myuser"):
cp -r /etc/skel/Maildir /home/myuser/
chown -R myuser:usergroup /home/myuser/Maildir
chmod -R 700 /home/myuser/Maildir


============================
* Testing TLS, SMTP-AUTH, & Dovecot
============================

*Handy debugging and information tools:
telnet localhost imap2 <== Shows IMAP is working and capabilities
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
^]
telnet> q
Connection closed.
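The greeting above tells you more than "IMAP is working": the CAPABILITY list shows what a client is offered before STARTTLS. The script below is an added example, not from the original post or from Dovecot; it parses that greeting (the sample is the one shown above, joined onto one line), reports whether plaintext authentication is advertised on the cleartext connection, and can repeat the check live with Python's imaplib against a host and port you supply.

```python
"""Inspect what the IMAP server offers before STARTTLS, as the telnet test above does."""
import imaplib
import re

# Constructed from the greeting in the telnet session above (joined onto one line).
SAMPLE_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID "
                   "ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.")

def parse_capabilities(greeting):
    """Return the CAPABILITY tokens advertised inside an untagged OK greeting."""
    m = re.search(r"\[CAPABILITY ([^\]]+)\]", greeting)
    return set(m.group(1).upper().split()) if m else set()

def assess(caps):
    """Summarise the cleartext posture from a capability set.

    STARTTLS must be offered, and a hardened server hides the plaintext
    mechanisms (AUTH=PLAIN / AUTH=LOGIN) and sends LOGINDISABLED until the
    connection is encrypted; seeing AUTH=PLAIN here means a client that skips
    STARTTLS could send its password in the clear."""
    mechanisms = sorted(c[5:] for c in caps if c.startswith("AUTH="))
    return {
        "starttls": "STARTTLS" in caps,
        "plaintext_auth_exposed": bool(mechanisms) or "LOGINDISABLED" not in caps,
        "mechanisms": mechanisms,
    }

def probe(host, port=143):
    """Connect in cleartext, read the greeting capabilities, and assess them.

    Dovecot treats connections from localhost as already secured and will
    advertise AUTH=PLAIN there, so run this from a workstation on local1 to see
    what a LAN or internet client is really offered."""
    conn = imaplib.IMAP4(host, port)
    try:
        return assess(set(conn.capabilities))
    finally:
        conn.logout()
```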


*Run Exim in the foreground with debugging, naming the config file explicitly: <== Very Handy
exim4 -bd -d -C /var/lib/exim4/config.autogenerated

* Add a new user, "test3" (don't set the login to anything, it is safer). You shouldn't need to hand fix any mail directories. Record the password and use it below.

* Create a new account in Thunderbird, name='test3', email='test3@example.org', password=user account pw,
Thunderbird will reply "configuration found by trying common server names",
"incoming: IMAP,mail.example.org, STARTTLS", "outgoing: SMTP, mail.example.org,
STARTTLS"

* Add a new user, "test4", Record the password and use it below.

* Create a new account in Thunderbird, name='test4', email='test4@example.org', password=user account pw

* Use Thunderbird to send an email from test4@example.org to test3@example.org
This should work. The account may first warn of the insecure outbound connection,
and after accepting the self-signed certificate, report that it can send email.
* Use the test3 account made above in thunderbird, and 'get mail'.
Inspect /home/test3/Maildir/new, the email has arrived to
the /home/test3/Maildir/new dir and the sent copy was written to /home/test3/mail/Sent.

/var/log/exim4/mainlog contains lines like:
2014-03-22 10:23:15 1WRMpP-0004d3-Ky <= test4@example.org H=([192.168.1.2]) [192.168.1.2] P=esmtps X=TLS1.0:
DHE_RSA_AES_128_CBC_SHA1:128 S=569 id=532D9CD2.2090308@example.org
2014-03-22 10:23:15 1WRMpP-0004d3-Ky => test3 R=local_user T=maildir_home

/var/log/mail.info shows something like:
Mar 22 11:24:18 DmzServerBox1 dovecot: imap-login: Login: user=, method=PLAIN, rip=192.168.1.2,
lip=192.168.2.10, mpid=19225, TLS, session=

*Look at the verbose logging in the console where you ran "exim4 -bd -d -C /var/lib/exim4/config.autogenerated";
you should see in the long list something like "250-AUTH PLAIN LOGIN CRAM_MD5". The "AUTH" tells you that
exim4 is advertising authentication. Absent that line, outbound email to the net fails with a 550 Relay error.
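The mainlog lines above also show what to look for after the fact: a message from test4 on 192.168.1.2 arrived with P=esmtps and an X= cipher (TLS), but no A= tag, because delivery to a local mailbox needs no relaying and so no AUTH. The checker below is an added example, not part of the original post or of Exim; it parses "<=" arrival lines in that format (the sample lines are constructed, with one authenticated submission added, logged by Exim as P=esmtpsa and A=dovecot_plain:test4) and flags submissions from your own networks that lack TLS or AUTH, which are exactly the clients still configured without authentication.

```python
"""Flag message submissions in exim4 mainlog that bypassed TLS or SMTP AUTH."""
import ipaddress
import re

# Constructed mainlog lines in the format shown above (one '<=' arrival per line).
SAMPLE_LOG = """\
2014-03-22 10:23:15 1WRMpP-0004d3-Ky <= test4@example.org H=([192.168.1.2]) [192.168.1.2] P=esmtps X=TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128 S=569 id=532D9CD2.2090308@example.org
2014-03-22 10:23:15 1WRMpP-0004d3-Ky => test3 R=local_user T=maildir_home
2014-03-22 10:31:02 1WRMxA-0004f1-Qz <= test4@example.org H=([192.168.1.2]) [192.168.1.2] P=esmtpsa X=TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128 A=dovecot_plain:test4 S=602 id=532D9EF6.40506@example.org
2014-03-22 10:40:44 1WRN6W-0004g7-Ab <= someone@example.net H=(mx.example.net) [203.0.113.7] P=esmtp S=1204 id=abc@example.net
"""

ARRIVAL = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) .*?\[(\d+\.\d+\.\d+\.\d+)\] P=(\S+)(.*)$")

def parse_arrivals(log_text):
    """Yield one dict per '<=' line: when, id, sender, ip, proto, tls, auth."""
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue
        when, msgid, sender, ip, proto, rest = m.groups()
        tls = re.search(r"\bX=(\S+)", rest)    # cipher suite, present only with TLS
        auth = re.search(r"\bA=(\S+)", rest)   # authenticator:user, present only with AUTH
        yield {"when": when, "id": msgid, "sender": sender, "ip": ip,
               "proto": proto, "tls": tls.group(1) if tls else None,
               "auth": auth.group(1) if auth else None}

def suspicious_submissions(log_text, local_nets):
    """Messages from our own LAN/DMZ that arrived without TLS or without AUTH.

    A local user submitting to a local mailbox is accepted without AUTH (no
    relaying is needed), so these lines are easy to miss in the log."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    findings = []
    for rec in parse_arrivals(log_text):
        addr = ipaddress.ip_address(rec["ip"])
        if not any(addr in n for n in nets):
            continue  # inbound internet mail: MX peers are not expected to AUTH
        problems = []
        if rec["tls"] is None:
            problems.append("no TLS")
        if rec["auth"] is None:
            problems.append("no AUTH")
        if problems:
            findings.append((rec["id"], rec["sender"], rec["ip"], problems))
    return findings

if __name__ == "__main__":
    for finding in suspicious_submissions(SAMPLE_LOG, ["192.168.1.0/24", "192.168.2.0/24"]):
        print(*finding)
```

On the server, feed it `open("/var/log/exim4/mainlog").read()` and your local1 and dmzone networks; a clean result once every client has AUTH configured is a good sign you are ready to leave debugging.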

* When you are done debugging, kill the "exim4 -bd -d -C /var/lib/exim4/config.autogenerated" instance with ^C, and
from /etc/init.d invoke "./exim4 start" to restart exim4.
Invoke "./dovecot stop" and edit the /etc/dovecot/conf.d/10-logging file to
comment out the Authentication,
Debugging and verbose lines to disable dovecot logging.
Now from /etc/init.d invoke "./dovecot start" to restart dovecot.
You should be in production.

!!!
* EOF DO NOT DO THIS PART UNTIL EXIM IS WORKING WITHOUT TLS
!!!
}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}


Copyright (C) 2002,2016 W.S. Herrick and/or Respective Copyright Holders