SCOoffice Server 4.1 Administration

Brian Watrous
President & CEO
ATCS, Inc.
http://www.atcs.net


                                             1
Modules


 •   Overview of SCOoffice Server
 •   Installing and Upgrading to SCOoffice Server
 •   Configuring and Managing SCOoffice Server
 •   Managing a Distributed Environment
 •   Securing SCOoffice Server




                                                    2
Modules


 6.    Managing Recipients and Aliases
 7.    Managing Mail Queues
 8.    Managing Private and Public Folders
 9.    Managing Email Routing
 10.   Managing Virus Protection
 11.   Managing Spam Filtering
 12.   Performing Preventive Maintenance
 13.   Planning for and Recovering from Disasters




                                                    3
How this Course is Designed


 §   Task oriented
 §   Hands-on exercises
 §   Certification exam
 §   Prerequisites
     §   Windows
     §   SCO OpenServer
     §   TCP/IP
     §   PlaceWare training




                              4
How this Course is Designed


 §   Course uses RFC2606 style domain names:

       example.com: elm, spruce, oak
       example.net: rose, daisy, poppy
       example.org: paper, pen, staple


                                               5
        Module 1




Overview of SCOoffice Server


                               6
Overview



      [Diagram: desktop components (Microsoft Outlook® with the SCOoffice Connector™
       and SCOoffice Address Book™ plug-ins; a web browser running the SCOoffice
       WebClient) connect to the server component, SCOoffice Server]


                                                               7
    Overview


§   SCOoffice Server
§   Internet e-mail
§   Real-time collaboration
§   Integrated anti-virus
§   Junk e-mail Prevention
§   Easy Administration
§   User Profile Management
§   Server Side Filtering
§   Migration Tools
§   Single-click Configuration

                                 8
Overview


 § WebClient
    § Internet e-mail client
    § Meeting scheduling
      capabilities
    § Shares folders: email,
      calendars, contacts,
      and tasks
    § Interface similar to
      Microsoft Outlook.




                               9
Overview


 § Connector
 § Plug-in for Microsoft
   Outlook®
 § Shared public and
   private folders
 § Supports special folder
   types
 § Fine grained folder
   access controls




                             10
Overview


 § Address Book
    § Plug-in for Microsoft
      Outlook
    § Works with any LDAP
      server
    § Provides native Outlook
      global-address book look
      and feel




                                 11
SCOoffice Architecture




      [Diagram: SCOoffice Server components running on SCO OpenServer:
       Apache, OpenLDAP, Cyrus IMAP, ProFTP, Postfix, AMaViS, SpamAssassin, ClamAV]

                                                                   12
Helpful URLs


  Technology       Homepage
  Postfix          http://www.postfix.org
  Apache           http://www.apache.org
  Cyrus IMAP       http://asg.web.cmu.edu/cyrus
  OpenLDAP         http://www.openldap.org
  ProFTPD          http://www.proftpd.org
  MON              http://www.kernel.org/software/mon
  AMaViS           http://www.amavis.org
                   http://www.ijs.si/software/amavisd
  SpamAssassin     http://www.spamassassin.org
  Clam AntiVirus   http://www.clamav.net

                                                        14
Starting SCOoffice Server


 Startup sequence (the number after each name is its start order on the original
 diagram; names marked * carry an asterisk on that diagram):

  1  P86insightserver (rc script)
  2  insightserver
  3  per-service rc scripts: slapd, slurpd, saslauthd, clamd, amavisd, postfix,
     cyrus, apache, proftpd, mon
  4  slapd          5  slurpd        6  saslauthd      7  clamd
  8  amavisd        -> 9 clamscan*, 10 spamassassin*
 11  postfix        -> 12 qmgr*, pickup*, cleanup*, trivial-rewrite*, local*, flush*, smtpd*
 13  cyrus master   -> 14 imapd, 15 pop3d
 16  apachectl      -> 17 httpd
 18  proftpd
 19  mon            -> 20 mon.d scripts*, 21 alert.d scripts*

                                                                                                               15
              Module 2




Installing and Upgrading SCOoffice Server


                                            17
Planning and Installation


  §   Planning a SCOoffice Server Overview
  §   System Requirements
  §   Kernel Tuning
  §   Changes Made to Your System
  §   Network Considerations
  §   Domain Layout
  §   Installing SCOoffice Server



                                             18
Installing SCOoffice Server



  § SCOoffice Server 4.1 is CUSTOM installable
  § Consult the installation guide for kernel tuning
    parameters
  § Make sure your DNS is configured correctly




                                                       19
Changes Made to Your System




 Directory                     Purpose
 /opt/insight                  SCOoffice Server installation directory
 /opt/insight/var/spool/imap   User mail storage directory

 /opt/insight/etc              Configuration file directory
 /opt/insight/log              Log file directory




                                                                         20
1. Login as root




                   21
2. Click on Software Manager




                               22
3. Software Manager Opens




                            23
4. Install New Software




                          24
5. From Server Name




                      25
6. Select Media Images




                  CD-ROM Drive 0




                                   26
7. Click Install




                   27
8. Click Continue to Upgrade Sendmail




                                        28
9. Installation Continues




                            29
10. Input License Information




                                30
11. License Install – Success




                                31
12. Kernel Tuning for Unix Logins




                                    32
13. Rollback Sendmail Patches




                                33
14. Installation Proceeds




                            34
15. Installation Complete




                            35
              Module 3




Configuring and Managing SCOoffice Server


                                            36
Migration Wizard

·   Migrate mail from an
    existing server (server-
    to-server)
·   Import mail from an
    existing PST file
·   Import mail from an
    existing MBOX file
·   Import from an RFC
    2849 LDIF file
·   Import from an
    /etc/shadow file




                               37
SCOoffice Server Configuration


 § Default admin password is “admin”

 § Change this password immediately!

 § To change admin’s password:
   §   Click on Accounts → View Accounts
   §   Click on the administrator
   §   Type in a new password
   §   Click Update at the end of the page




                                             38
After Installing SCOoffice Server



§ The “admin” account is
  not allowed to use the
  WebClient
§ Can point mail aliases
  to other account(s)




                                    39
SCOoffice Server Configuration


  § Working with accounts
    §   Creating domains
    §   Creating groups
    §   Creating users
    §   Creating resources
  § Working with Aliases
    § Creating aliases
    § System aliases
  § Working with Mail Folders
    § Viewing User Mail Folders
    § Creating Mail Folders


                                  40
Creating Domains


              § Click on Accounts → Create Domain




                                                 41
Creating Domains (cont.)


§Specify name for the domain
§At the end of the page click
Create

§Creating domains is optional




                                42
Creating Groups


              Click on Accounts → Create Group




                                               43
Creating Groups


§Select the distinguished name (DN)
of the container in which the new
group will reside

§Fill in all required information
   §Group name

§At the end of the page, click Create




                                        44
Creating Groups




                  45
Creating Groups




                  46
Creating Users


                 § Click on Accounts → Create User




                            These hypertext links can also be used
                            to create users, domains, groups, etc.

                                                                47
Creating Users


§Select an organization or group
§Fill in all required information
   §Login
   §Password
   §Last Name
§At the end of the page click Create


§User’s mailbox is created by default
§User’s quota is not set by default
§Access to WebClient is granted by
default


                                        48
Creating Resources


              Click on Accounts → Create Resource




                                                  49
Creating Resources (cont.)


§Select a container
§Fill in all required information
   §Login
   §Password
   §Last Name
§At the end of the page click Create

§Resources mailbox is created by
default
§Resources quota is not set by
default
§Access to WebClient is granted by
default


                                       50
Creating Aliases


               Click on Aliases → Create Alias




                                               51
Creating Aliases (cont.)


                           § Working with Aliases
                             (cont)
                           §   Select a container/domain
                           §   Give it a name
                           §   Is it Open or Restricted
                                § Open: everyone can
                                  subscribe to the alias
                                § Restricted: alias owner
                                  allows/restricts alias
                                  members




                                                            52
Creating Aliases (cont.)


                           § Working with Aliases
                             (cont)
                           §   Who owns the alias
                                § click on Browse to select
                                  owners
                           §   Who are the members
                                § click on Browse to select the
                                  members

                           §   Click on Create




                                                              53
Working with System Aliases


              Click on Aliases → System Aliases




                                                54
Working with System Aliases (cont.)


  § Check the select box you
  want to change

  § Then either:
     § Type another user's email
     address, or
     § Type a comma-separated list
     of email addresses




                                      55
WebClient Setup


  § Access Control
  § Preferences




                     56
WebClient Setup


To control access to the WebClient
when creating a user:
§ Scroll to the bottom
§ Enabled by default
§ To restrict access,
  uncheck the “Access
  WebClient”




                                     57
WebClient Setup


              To control access to the WebClient for an
              existing user:
              § Click on WebClient → Access Controls




                                                          58
WebClient Setup


To control access to the
WebClient for an existing user:


§ Check to grant WebClient
  access to a user

§ Uncheck to deny Webclient
  access to a user

§ Click on “Change Access”


                                  59
WebClient Setup


  § Preferences
    § As a user, run the WebClient
    § Click preferences




                                     60
WebClient Preferences




                        Viewing pane




                                       61
WebClient Preferences




                        62
WebClient Preferences




                        63
Configuration Files

  Technology       Configuration File
  Postfix          /opt/insight/etc/postfix/main.cf
                   /opt/insight/etc/postfix/master.cf
  Apache           /opt/insight/etc/apache/httpd.conf

  Cyrus IMAP       /opt/insight/etc/cyrus.conf
                   /opt/insight/etc/imapd.conf
  OpenLDAP         /opt/insight/etc/openldap/ldap.conf

  ProFTPD          /opt/insight/etc/proftpd.conf

  MON              /opt/insight/mon/etc/mon.cf

  AMaViS           /opt/insight/etc/amavisd.conf

  SpamAssassin     /opt/insight/etc/mail/spamassassin/local.cf

  Clam AntiVirus   /opt/insight/etc/clamav.conf

                                                                 64
Configuring Services


Services
Apache
Cyrus IMAP
OpenLDAP
Postfix
ProFTPD




                       65
Configuring Apache


                     All changes are saved to
                     /opt/insight/etc/apache/httpd.conf




                                                          66
Configuring Cyrus IMAP


                         All changes are saved to
                         /opt/insight/etc/cyrus.conf




                                                       67
Configuring OpenLDAP


                       All changes are saved to
                       /opt/insight/etc/openldap/slapd.conf




                                                              68
Configuring Postfix


                      All changes are saved to
                      /opt/insight/etc/postfix/main.cf




                                                         69
Configuring ProFTPD



                      All Changes are saved to
                      /opt/insight/etc/proftpd.conf




                                                      70
Modifying Advanced Parameters


 §   Apache, Cyrus, Postfix, etc. have numerous
     configurable parameters
 §   Postfix, alone, has more than 300 parameters!
 §   SCOoffice Server optimizes these parameters
 §   Some parameters can be adjusted in the web
     console by clicking on Configuration → Services




                                                     71
Modifying Advanced Parameters (cont.)

                           /opt/insight/htdocs/is4web/xml/SCOconfig.xml:




             <item> tags in SCOconfig.xml
             specify which parameters are
             configurable

                                                                           72
Modifying Advanced Parameters (cont.)


 §   Use the web console to change parameters!

 §   Do not edit these files directly:
     §   /opt/insight/etc/imapd.conf
     §   /opt/insight/etc/openldap/slapd.conf
     §   /opt/insight/etc/postfix/main.cf
     §   /opt/insight/etc/apache/httpd.conf
     §   /opt/insight/etc/proftpd.conf



                                                 73
Adding Cyrus Partitions




      [Architecture diagram repeated from slide 12]

                                                                   74
Adding Cyrus Partitions


Administrators add Cyrus partitions to:
§ Increase disk space
§ Spread I/O




                                          75
Adding Cyrus Partitions


Add and mount disk drive(s)

Create directory: mkdir -p /some/other/directory/users

In /opt/insight/etc/imapd.conf:

     partition-default: /opt/insight/var/spool/imap
     partition-1: /some/other/directory
     defaultpartition: default


Restart Cyrus: /opt/insight/etc/rc/cyrus restart
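Before restarting Cyrus it is worth checking that the partition entries actually line up: that `defaultpartition` names a partition that exists, that every partition directory is present, and that no two partitions share a path. The checker below is an added example written for this course page, not part of SCOoffice Server; it parses a constructed `imapd.conf` fragment modelled on the slide and also lists the non-default partitions, which the course notes are skipped by the product's backup scripts. The `isdir` parameter exists so the check can be run against a stand-in directory list.

```python
"""Added example (not from the course): sanity-check the Cyrus partition
entries in imapd.conf before restarting Cyrus."""
import os
from typing import Callable, Dict, List

# Constructed imapd.conf fragment mirroring the slide's example.
IMAPD_CONF = """\
# Cyrus mail partitions
partition-default: /opt/insight/var/spool/imap
partition-1: /some/other/directory
defaultpartition: default
"""


def parse_imapd_conf(text: str) -> Dict[str, str]:
    """Parse Cyrus 'option: value' lines; a leading '#' starts a comment."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def check_partitions(conf: Dict[str, str],
                     isdir: Callable[[str], bool] = os.path.isdir) -> Dict[str, List[str]]:
    """Return {'problems': [...], 'unbacked': [...]}.

    problems: misconfigurations that would stop Cyrus from using the partitions.
    unbacked: partitions other than the default one; the course says the product's
              backup scripts only cover the default partition, so these need their
              own backup arrangement.
    """
    partitions = {k[len("partition-"):]: v for k, v in conf.items()
                  if k.startswith("partition-")}
    problems: List[str] = []

    # Cyrus falls back to the partition named "default" when the option is absent.
    default = conf.get("defaultpartition", "default")
    if default not in partitions:
        problems.append(f"defaultpartition '{default}' has no partition-{default} entry")

    seen: Dict[str, str] = {}
    for name, path in partitions.items():
        if not path.startswith("/"):
            problems.append(f"partition-{name}: path '{path}' is not absolute")
        elif not isdir(path):
            problems.append(f"partition-{name}: directory '{path}' does not exist")
        if path in seen:
            problems.append(f"partition-{name} and partition-{seen[path]} share '{path}'")
        seen.setdefault(path, name)

    unbacked = sorted(n for n in partitions if n != default)
    return {"problems": problems, "unbacked": unbacked}


if __name__ == "__main__":
    result = check_partitions(parse_imapd_conf(IMAPD_CONF))
    for problem in result["problems"]:
        print("PROBLEM:", problem)
    for name in result["unbacked"]:
        print(f"partition-{name} is not covered by the default backup scripts")
```

Run it as root on the server after editing `imapd.conf` and before the `cyrus restart`; an empty problem list and an expected `unbacked` list are the go-ahead.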

                                                         76
Adding Cyrus Partitions


§   Backup scripts back up the default partition
§   Backup scripts do not back up new Cyrus partitions




                                                         77
Reclaiming Ports 80 and 443




      [Architecture diagram repeated from slide 12]

                                                                   78
Reclaiming Ports 80 and 443


 § By default, SCOoffice Server utilizes ports 80 (http) and
   443 (https)
 § SCOoffice Server’s http and https servers can be
   relocated

 Reclaiming Ports 80 and 443 involves:
 § Modifying Apache parameters
 § Reactivating rc scripts




                                                               79
Reclaiming Ports 80 and 443 (cont.)


 § Click on Configuration → Services
 § Click Apache
 § Change Port and Listen to the new port number for http
   (e.g. 880)
 § Change Define SSLPort to the new port number for https
   (e.g. 4443)
 § Click on Restart




                                                            80
Reclaiming Ports 80 and 443 (cont.)


 §   To re-enable SCO OpenServer’s Apache web server
 §   Rename /etc/rc0.d/_P90apache
 §   Rename /etc/rc2.d/_P90apache
 §   Start SCO OpenServer’s Apache web server




                                                       81
Reclaiming Port 21




      [Architecture diagram repeated from slide 12]

                                                                   82
Reclaiming Port 21


 § By default, SCOoffice Server utilizes port 21 for ProFTP
 § SCOoffice Server’s ftp server can be relocated

 Reclaiming Port 21 involves:
 § Modifying ProFTP parameters
 § Reactivating ftp in /etc/inetd.conf




                                                              83
Reclaiming Port 21 (cont.)


 To relocate ProFTP:
 § Click on Configuration → Services
 § Click ProFTP
 § Change Port to the new port number for ftp (e.g. 221)
 § Click on Restart

 To reactivate SCO OpenServer’s ftp server:
 § Uncomment the ftp line in /etc/inetd.conf
 § Send a SIGHUP to inetd



                                                           84
           Module 4




Managing a Distributed Environment


                                     85
Active Directory Authentication Process

 [Diagram of the authentication flow]
  1. Client → SCOoffice Server: "I want to read my email."
  2. SCOoffice Server → Active Directory Server: "I'm configured to use Active
     Directory authentication, so I'll forward the user's authentication request."
  3. Active Directory Server: "I decide who is authenticated."
  4. The result is returned to the client.

                                                                           86
Active Directory Authentication




                                  87
Distributed Mail – Single Server


 [Diagram: a single SCOoffice Server serving the users Alice and Bob]

Single Server Role
• Stores all mail user accounts in local LDAP directory
• Stores all users’ email locally
• Handles all email authentication requests

                                                            88
Distributed Mail – Master Server

 [Diagram: a Master server (Alice) and two Slave servers (Bob, Carl) connected over the Internet]



Master Role
• Stores the master LDAP user accounts database
• No local email storage for users
• Can handle mail authentication requests
• Redirects clients to slave for email retrieval
                                                                        89
Distributed Mail – Slave Server

 [Diagram: a Master server (Alice) and two Slave servers (Bob, Carl) connected over the Internet]



Slave Role
• Stores a local copy of the master LDAP user account database
• Stores email locally for each user defined on this server
• Can handle email authentication requests

                                                                                90
Sharing in a Distributed Environment

 [Diagram: Master (Alice) and Slave servers (Bob, Carl) over the Internet; each user's
  Contacts, Calendar and Folders are shared with users on the other servers]


                                                             91
Duties in a Distributed Environment




                                           MASTER     SLAVE
   Stores email                            No         Yes
   Maintains LDAP directory                Yes        Yes, but only a copy
   Handles email authentication requests   Yes        Yes




                                                      93
Configuring Distributed Mail


§ On the master server:

§ Click Configuration →
  Distributed Mail
§ Select Master
§ Click “Set”




                               94
Configuring Distributed Mail (cont.)


§ On the master
  server:

§ Enter the slave
  server’s fully qualified
  domain name
§ Enter “admin”
§ Enter the admin
  password
§ Click “Add”


                                       95
Configuring Distributed Mail (cont.)




§ LDAP notice

§ List of slave servers

§ New slave servers
  added here

§ This server’s role



                                       96
Configuring Distributed Mail


§ On the slave
  server(s):

§ Click Configuration →
  Distributed Mail.
§ Select Slave.
§ Click Set.




                               97
Configuring Distributed Mail (cont.)


§ On the slave
  server(s):

§ Enter the master
  server’s fully
  qualified domain
  name.
§ Enter “admin”.
§ Enter the admin
  password.
§ Click Add.

                                       98
Reading Mail in a Distributed Environment




 [Diagram: Client → Master: "I want to read my mail."  Master → Client: "You need to
  contact your slave server."  The Master refers the client to one of the Slave servers.]




                                                                  99
Mail Delivery in a Distributed Environment




 [Diagram: an external SMTP Server, the DNS Server, the Master, and three Slave servers;
  inbound mail arrives at the Master and is passed on to the Slaves]




                                                         100
      Module 5




Securing SCOoffice Server


                            101
Securing SCOoffice Server




                            102
External Firewall Configuration


 [Diagram: Internet-facing firewall in front of the SCOoffice Server. Ports to allow inbound:]

    from SMTP servers:   25
    from WebClient:      80/443
    from Outlook:        21*, 25, 80/443*, 110/995, 143/993, 389/636

    * Not used by Outlook Express

                                                                  103
Internal Firewall Configuration




 [Diagram: SCOoffice Server → internal firewall → Active Directory Server, port 3268]




                                               104
Internal Firewall Configuration




 [Diagram: SCOoffice (master) behind an internal firewall, two SCOoffice (slave) servers;
  ports open between master and slaves: 25, 389/636, 143/993, 2003]




                                              105
Remote Office Firewall Configuration


 [Diagram: remote-office SCOoffice (slave) servers reach the SCOoffice (master) and its
  local slaves through the firewall across the Internet; ports: 25, 389/636, 143/993, 2003]
                                                       106
SCO OpenServer’s HTTP Servers


 §   SCO OpenServer runs HTTP servers on ports:
     §   80 – SCOoffice Server’s HTTP server
     §   443 – SCOoffice Server’s HTTPS server
     §   615 – Internet Configuration Manager
     §   8457 – DocView: Access to SCO OpenServer
         documentation




                                                    107
Other SCOoffice Server Related Ports


 §   SCOoffice Server runs daemons on ports:
     §   21 – ProFTP
     §   25 – SMTP
     §   110 – POP3
     §   143 – IMAP
     §   389 – OpenLDAP
     §   993 – IMAP4 over TLS/SSL
     §   995 – POP3 over TLS/SSL
     §   2000 – Cyrus master (sieve)
     §   2003 – Cyrus master (LMTP)
     §   2583 – MON
     §   4840 – SASLAUTHD
     §   4844 – SASLAUTHD
     §   10024 – AMaViS
                                               108
Disallowing Open Relay


 § Don’t let server be used as an open relay
 § Numerous ways to prevent open relay
 § We will configure SASLAUTHD + TLS
        # telnet rose.example.net smtp
        220 rose.example.net ESMTP Postfix (2.0.20)
        HELO nuisance.spammer.net
        250 rose.example.net
        MAIL FROM: nice_guy@example.net
        250 Ok
        RCPT TO: victim@example.com
        250 Ok
        ...

                                                      109
Disallowing Open Relay


 § Useful for blocking unwanted SMTP
   sessions:
 § smtpd_client_restrictions
 § smtpd_sender_restrictions
 § smtpd_recipient_restrictions


  Stored in LDAP



                                       110
Disallowing Open Relay


 Simple Authentication and Security Layer (SASL)



                             PLAIN authentication mechanism
                             Base64 encoded:
                             user+NULL+user+NULL+password
                             bob\0bob\0bpasswd




                             LOGIN authentication mechanism
                             Base64 encoded username     bob
                             Base64 encoded password     bpasswd
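Both mechanisms on this slide are encodings, not encryption: anyone who records an unencrypted SMTP or IMAP session can turn the base64 straight back into the password, which is why the course pairs SASL with TLS. The script below is an added example written for this page (not course or SCOoffice code); it builds and decodes the PLAIN and LOGIN forms shown above and walks a constructed, non-TLS SMTP transcript to show exactly what a passive observer would recover. The `C:`/`S:` line prefixes and the transcript itself are constructed for the example.

```python
"""Added example (not from the course): what AUTH PLAIN and AUTH LOGIN put on
the wire, and why an unencrypted session gives the password away."""
import base64
from typing import List, Optional, Tuple


def encode_plain(user: str, passwd: str, authzid: Optional[str] = None) -> str:
    """AUTH PLAIN response: base64([authzid] NUL authcid NUL passwd).
    The slide's "user+NULL+user+NULL+password" repeats the login name as the
    authorization identity; that is the default here."""
    if authzid is None:
        authzid = user
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, user, passwd))
    return base64.b64encode(raw).decode("ascii")


def decode_plain(blob: str) -> Tuple[str, str, str]:
    """Inverse of encode_plain; returns (authzid, user, passwd)."""
    parts = base64.b64decode(blob, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN response must hold exactly two NUL separators")
    authzid, user, passwd = (p.decode("utf-8") for p in parts)
    return authzid, user, passwd


def encode_login(user: str, passwd: str) -> Tuple[str, str]:
    """AUTH LOGIN sends the two values as separate base64 lines."""
    return (base64.b64encode(user.encode("utf-8")).decode("ascii"),
            base64.b64encode(passwd.encode("utf-8")).decode("ascii"))


def decode_login(user_b64: str, passwd_b64: str) -> Tuple[str, str]:
    return (base64.b64decode(user_b64, validate=True).decode("utf-8"),
            base64.b64decode(passwd_b64, validate=True).decode("utf-8"))


def recover_from_transcript(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Read an SMTP transcript ('C: ' client lines, 'S: ' server lines) and
    return (mechanism, user, password) for each AUTH exchange. This is all an
    eavesdropper on a session without TLS has to do."""
    found: List[Tuple[str, str, str]] = []
    i = 0
    while i < len(lines):
        words = lines[i].split()
        if words[:3] == ["C:", "AUTH", "PLAIN"] and len(words) == 4:
            _, user, passwd = decode_plain(words[3])
            found.append(("PLAIN", user, passwd))
        elif words[:3] == ["C:", "AUTH", "LOGIN"] and i + 4 < len(lines):
            # The server prompts with 334 "Username:" then 334 "Password:"
            # (both base64); the client answers each with one base64 line.
            if (lines[i + 1] == "S: 334 VXNlcm5hbWU6"
                    and lines[i + 3] == "S: 334 UGFzc3dvcmQ6"):
                user, passwd = decode_login(lines[i + 2][3:], lines[i + 4][3:])
                found.append(("LOGIN", user, passwd))
                i += 4
        i += 1
    return found


# Constructed transcript: two AUTH exchanges shown back to back for illustration,
# using the slide's bob/bpasswd and a second constructed pair alice/apasswd.
TRANSCRIPT = [
    "S: 220 rose.example.net ESMTP Postfix",
    "C: EHLO daisy.example.net",
    "S: 250-rose.example.net",
    "S: 250 AUTH PLAIN LOGIN",
    "C: AUTH PLAIN Ym9iAGJvYgBicGFzc3dk",
    "S: 235 2.0.0 Authentication successful",
    "C: AUTH LOGIN",
    "S: 334 VXNlcm5hbWU6",
    "C: YWxpY2U=",
    "S: 334 UGFzc3dvcmQ6",
    "C: YXBhc3N3ZA==",
    "S: 235 2.0.0 Authentication successful",
]

if __name__ == "__main__":
    for mech, user, passwd in recover_from_transcript(TRANSCRIPT):
        print(f"{mech}: {user} / {passwd}")
```

Postfix can enforce the pairing directly: `noplaintext` in `smtpd_sasl_security_options` refuses PLAIN and LOGIN on an unencrypted connection, and `smtpd_sasl_tls_security_options` (Postfix 2.2 and later) relaxes that for sessions already protected by TLS.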

                                                                   111
Disallowing Open Relay


SASL authentication: smtpd and imapd/pop3d (children of cyrusmaster) hand the
client's credentials to saslauthd, which checks them against slapd over LDAP.

…/etc/saslauthd.conf
    ldap_servers: ldap://127.0.0.1/
    ldap_filter: login=%u

…/lib/sasl2/smtpd.conf
    pwcheck_method: saslauthd
    mech_list: plain login

…/etc/imapd.conf
    sasl_pwcheck_method: saslauthd

…/etc/cyrus.conf
    imap       cmd="imapd -p 2 …
    pop3       cmd="pop3d" …
    …

                                                                                     112
Disallowing Open Relay


 §   SASL Configuration on the Server

           smtpd_sasl_auth_enable = yes
           smtpd_sender_restrictions =
               check_sender_access ldap:ldapSenderAccess,
               permit_sasl_authenticated
           smtpd_recipient_restrictions =
               check_recipient_access ldap:ldapRecipientAccess,
               permit_sasl_authenticated,
               permit_mynetworks,
               reject_unauth_destination
           broken_sasl_auth_clients = yes
           smtpd_sasl_security_options = noanonymous
           smtpd_delay_reject = yes

                                                              113
Disallowing Open Relay


 §   SASL Configuration on the Client


       smtp_sasl_auth_enable = yes
       smtp_sasl_password_maps =
          hash:/opt/insight/etc/postfix/sasl_passwd
       smtp_sasl_security_options = noanonymous




                                                      114
Disallowing Open Relay


 §   Create /opt/insight/etc/postfix/sasl_passwd:

         example.net       alice:apasswd
         example.org       bob:bpasswd


 §   Run postmap(1) after creating (or modifying)
     the file




                                                    115
Disallowing Open Relay


 §   TLS v1 is based on SSL v3
 §   Encrypt SMTP traffic using TLS
 §   X.509 certificates




                                      116
Disallowing Open Relay


 §   TLS Configuration on the Server

           smtpd_tls_cert_file = /opt/insight/etc/ssl/server.pem
           smtpd_tls_key_file = /opt/insight/etc/ssl/server.pem
           smtpd_tls_CAfile = /opt/insight/etc/ssl/server.pem
           smtpd_use_tls = yes




                                                                   117
Disallowing Open Relay


 §   TLS Configuration on the Client

           smtp_tls_cert_file = /opt/insight/etc/ssl/server.pem
           smtp_tls_key_file = /opt/insight/etc/ssl/server.pem
           smtp_tls_CAfile = /opt/insight/etc/ssl/server.pem
           smtp_use_tls = yes




                                                                  118
Disallowing Open Relay


 §   Using a Certificate Authority’s Certificate

           smtp_tls_CAfile = /opt/insight/etc/ssl/ca_cert.pem
           smtpd_tls_CAfile = /opt/insight/etc/ssl/ca_cert.pem

 §   CAfile names a single PEM file; CApath expects a directory of
     hashed CA certificates, so it is the wrong parameter for ca_cert.pem




                                                                 119
Disallowing Open Relay


 §   To test whether a mail server is an open relay:
     §   Log into the mail server
     §   telnet rt.njabl.org 2500




                                                         120
Exercise: Tracing TLS and SASL


SASL Authentication Only:




TLS + SASL Authentication:




                                 121
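Added example for the PLAIN/LOGIN encodings on slide 111 and the "Tracing TLS and SASL" exercise; this is not code from the course. The transcript is constructed, and the audit assumes a 220 reply to STARTTLS means TLS was established from that point on.

```python
"""Added example: SASL PLAIN and LOGIN on the wire, and an audit of a traced
SMTP session for AUTH commands sent before STARTTLS (not course code)."""
import base64
from typing import List, Optional, Tuple


def b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def unb64(text: str) -> str:
    return base64.b64decode(text).decode("utf-8")


def plain_response(user: str, password: str, authzid: Optional[str] = None) -> str:
    """PLAIN initial response: authzid NUL authcid NUL password, base64 encoded.
    The slide repeats the user name as authzid ('bob\\0bob\\0bpasswd'); an
    empty authzid is also valid and means 'act as the authenticated user'."""
    if authzid is None:
        authzid = user
    return b64(f"{authzid}\0{user}\0{password}")


def parse_plain_response(encoded: str) -> Tuple[str, str, str]:
    """Inverse of plain_response; rejects input without exactly two NULs."""
    parts = base64.b64decode(encoded).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN response must be authzid NUL authcid NUL password")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password


def login_client_lines(user: str, password: str) -> List[str]:
    """Client side of AUTH LOGIN: the server prompts with base64 'Username:'
    and 'Password:', the client answers each with a base64 value."""
    return ["AUTH LOGIN", b64(user), b64(password)]


def audit_smtp_trace(trace: List[Tuple[str, str]]) -> List[dict]:
    """Walk a captured (direction, line) transcript and report each AUTH
    attempt: mechanism, user name, and whether STARTTLS had completed first.
    Base64 is an encoding, not encryption: an AUTH before STARTTLS shows the
    password to anyone who can read the traffic."""
    findings: List[dict] = []
    tls = False
    pending: Optional[str] = None      # state of a multi-line exchange in progress

    def record(mech: str, user: str) -> None:
        findings.append({"mechanism": mech, "user": user, "tls_protected": tls})

    for who, line in trace:
        upper = line.upper()
        if who == "C":
            if upper == "STARTTLS":
                pending = "starttls"
            elif upper.startswith("AUTH PLAIN "):          # initial response on the AUTH line
                record("PLAIN", parse_plain_response(line.split(" ", 2)[2])[1])
            elif upper == "AUTH PLAIN":                     # response follows on the next line
                pending = "plain-response"
            elif upper == "AUTH LOGIN":
                pending = "login-user"
            elif pending == "plain-response":
                record("PLAIN", parse_plain_response(line)[1])
                pending = None
            elif pending == "login-user":
                record("LOGIN", unb64(line))
                pending = "login-password"
            elif pending == "login-password":
                pending = None                              # password line, deliberately not decoded
        elif who == "S" and pending == "starttls":
            tls = line.startswith("220")                    # 220: server ready, handshake follows
            pending = None
    return findings


# Constructed transcript in the style of the course's telnet sessions. Lines
# after STARTTLS appear as the server's own trace would show them (decrypted).
SAMPLE_TRACE = [
    ("C", "EHLO oak.example.com"),
    ("S", "250-rose.example.net"),
    ("S", "250 AUTH PLAIN LOGIN"),
    ("C", "AUTH LOGIN"),
    ("S", "334 VXNlcm5hbWU6"),                    # base64 "Username:"
    ("C", "Ym9i"),                                 # base64 "bob"
    ("S", "334 UGFzc3dvcmQ6"),                    # base64 "Password:"
    ("C", "YnBhc3N3ZA=="),                         # base64 "bpasswd", readable by any sniffer
    ("S", "235 2.7.0 Authentication successful"),
    ("C", "STARTTLS"),
    ("S", "220 2.0.0 Ready to start TLS"),
    ("C", "AUTH PLAIN " + plain_response("alice", "apasswd")),
    ("S", "235 2.7.0 Authentication successful"),
]
```

Postfix can refuse the first, unprotected AUTH outright with smtpd_tls_auth_only = yes, which only announces AUTH after STARTTLS has completed.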
Other Restrictions


 §   Other useful restrictions:
 §   smtpd_client_restrictions
 §   smtpd_helo_restrictions
 §   smtpd_sender_restrictions
 §   See www.postfix.org/uce.html




                                    122
Using smtpd_client_restrictions


 §     In main.cf:
     smtpd_client_restrictions =
            check_client_access hash:/opt/insight/etc/postfix/smtp_clients,
            permit

 §     In /opt/insight/etc/postfix/smtp_clients:
         192.168.1.1                 OK
         192.168.1.2                 PERMIT
         192.168.1.3                 REJECT
         192.168.1.123               REJECT
         192.168.1.0/24              OK
         example.net                 OK
         paper.example.org           DUNNO
         example.org                 REJECT

                                                                          123
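Added example, not from the course: an emulation of how check_client_access resolves the smtp_clients table above. The lookup order (host name and parent domains first, then the address and parent networks, first hit wins, DUNNO counting as a hit) follows access(5) and Postfix's smtpd_check.c; verify it against the Postfix version you run.

```python
"""Added example (not course code): emulate check_client_access over the
slide's smtp_clients table, following the lookup order in access(5)."""
from typing import Dict, List, Optional, Tuple

# Constructed copy of /opt/insight/etc/postfix/smtp_clients from the slide,
# as the key/value pairs postmap(1) would store in the hash: table.
SMTP_CLIENTS: Dict[str, str] = {
    "192.168.1.1": "OK",
    "192.168.1.2": "PERMIT",
    "192.168.1.3": "REJECT",
    "192.168.1.123": "REJECT",
    "192.168.1.0/24": "OK",      # dead entry: a hash: table holds no CIDR ranges
    "example.net": "OK",
    "paper.example.org": "DUNNO",
    "example.org": "REJECT",
}


def name_keys(client_name: str) -> List[str]:
    """Host name, then each parent domain (the default
    parent_domain_matches_subdomains covers smtpd_access_maps). A client
    without valid reverse DNS is looked up as the literal name 'unknown'."""
    labels = client_name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def addr_keys(client_ip: str) -> List[str]:
    """IPv4 address, then parent networks by dropping trailing octets:
    192.168.1.123 -> 192.168.1 -> 192.168 -> 192. The slide's
    '192.168.1.0/24' line never matches here; that syntax needs a cidr: table."""
    octets = client_ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def check_client_access(table: Dict[str, str], client_name: str,
                        client_ip: str) -> Tuple[str, Optional[str]]:
    """Return (table result, matched key). Name keys are tried before address
    keys, so a domain entry pre-empts a more specific address entry, and a
    DUNNO hit on the name ends the lookup without trying the address."""
    for keys in (name_keys(client_name), addr_keys(client_ip)):
        for key in keys:
            if key in table:
                return table[key].upper(), key
    return "DUNNO", None


def smtpd_client_restrictions(client_name: str, client_ip: str,
                              table: Dict[str, str] = SMTP_CLIENTS) -> Tuple[str, Optional[str]]:
    """Evaluate the slide's list 'check_client_access hash:..., permit'.
    OK, PERMIT or an all-numeric value accept; REJECT refuses; anything
    else (DUNNO or no match) falls through to the trailing 'permit'."""
    result, key = check_client_access(table, client_name, client_ip)
    if result in ("OK", "PERMIT") or result.isdigit():
        return "permit", key
    if result.startswith("REJECT"):
        return "reject", key
    return "permit", key      # reached the final 'permit' restriction
```

Because this list ends in permit, clients it does not list are accepted; relay protection comes from reject_unauth_destination in smtpd_recipient_restrictions (slide 113), not from this table.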
Using smtpd_helo_restrictions


 §   check_helo_access
 §   reject_invalid_hostname
 §   reject_non_fqdn_hostname
 §   reject_unknown_hostname

 §   In main.cf:
      smtpd_helo_restrictions = reject_invalid_hostname,
      check_helo_access hash:/opt/insight/etc/postfix/helo

 §   In /opt/insight/etc/postfix/helo:
          example.org         OK
          example.net         REJECT

                                                             124
Using smtpd_sender_restrictions


 §   check_sender_access
 §   reject_unknown_sender_domain




                                    125
Creating a Chroot Jail


 §   A chroot jail adds a layer of protection
 §   Limits daemon(s) to /opt/insight/var/spool/postfix

 §   Set the fifth field in master.cf to ‘y’




                                                          126
         Module 6




Managing Recipients and Aliases


                                  127
Address Rewriting


/opt/insight/etc/postfix/main.cf:
sender_canonical_maps =
         hash:/opt/insight/etc/postfix/canonical_sender
 recipient_canonical_maps =
         hash:/opt/insight/etc/postfix/canonical_recipient

/opt/insight/etc/postfix/canonical_sender:
alice@example.com                  Alice.Adams@example.com
bob@example.com                    Bob.Barnes@example.com
carl@example.com                   Carl.Carson@example.com

/opt/insight/etc/postfix/canonical_recipient:
Alice.Adams@example.com            alice@example.com
Bob.Barnes@example.com             bob@example.com
Carl.Carson@example.com            carl@example.com

                                                             128
Hiding Host Names


§   Masquerading intentionally hides internal hostnames
§   carl@paper.example.org -> carl@example.org

In main.cf:
     masquerade_domains = example.org




                                                          129
Hiding Host Names


§   Masquerading intentionally hides internal hostnames
§   carl@paper.example.org -> carl@example.org

In main.cf:
     masquerade_domains = !sales.example.com, example.com, example.net,
       example.org
     masquerade_exceptions = alice, bob

§   Postfix matches the list in order and stops at the first match, so the
    !sales.example.com exception must be listed before example.com




                                                                   130
Directing Email Sent to Unknown Users


Email sent to unknown users:
§ Returned to sender by default
§ Can be directed to an email user or alias

§   Beware of spammers

In main.cf:
    luser_relay = alice
    local_recipient_maps =

§   local_recipient_maps must be empty, otherwise Postfix rejects mail
    for unknown local users before luser_relay is consulted



                                              131
Relocating Users and Domains


§   Relocation maps used when users or domains move

§   Configure relocation rules in main.cf:

    relocated_maps = hash:/opt/insight/etc/postfix/relocated


§   Define relocation rules in lookup table:

    carl@example.com                         carl@example.net
    @example.org                             example.net



                                                                132
Relocating Users and Domains


Relocated User




Relocated Domain




                               133
Types of Aliases


 §   Postfix supports numerous types of aliases
 §   SCOoffice Server stores aliases two ways




                               Stored in LDAP

                               Stored in a file

                                                  134
Types of Aliases


 §   From /opt/insight/etc/postfix/main.cf:
        alias_maps = hash:/opt/insight/etc/mail/aliases
        alias_database = hash:/opt/insight/etc/mail/aliases
        local_recipient_maps = $alias_maps ldap:ldapsource




                                                              135
Types of Aliases


 §   From /opt/insight/etc/mail/aliases:
         MAILER-DAEMON:      admin@example.com
         abuse:              admin@example.com
         postmaster:         admin@example.com
         webmaster:          admin@example.com
         root:               admin@example.com
         virusalert:         admin@example.com
         spam.police:        admin@example.com
         apache:             admin@example.com
         uucp:               admin@example.com




                                                 136
Types of Aliases


 §   Process alias files with postalias(1):

     § # postalias hash:/opt/insight/etc/mail/aliases


 §   Reload Postfix if a new alias lookup table is
     added to main.cf:

     § # postfix reload



                                                        137
Exercise: Adding a New Alias File


 §   Edit /opt/insight/etc/postfix/aliases
 §   Process the alias file
 §   Reload Postfix




                                             138
    Module 7




Managing Mail Queues


                       139
   Postfix Mail Delivery


   [Diagram: flow of a message through the Postfix daemons and queues.
   Locally submitted mail: sendmail -> postdrop -> maildrop queue -> pickup.
   Mail received over the network: smtpd. Both paths feed cleanup, which
   consults trivial-rewrite and writes to the incoming queue; qmgr moves
   messages to the active queue and hands them to the delivery agents
   local, smtp and pipe; undeliverable mail goes to bounce.]

                                                                         140
Managing Mail Queues


 §   To display the mail queue, select Mail Delivery -> Mail
     Queue:




                                                        141
Managing Mail Queues


 §     For more information, use postqueue -p:




     On hold
     Active
                                                 142
           Module 8




Managing Private and Public Folders


                                      143
Creating Mail Folders


               § Click on Mail Folders -> Create Folder




                                                      144
Creating Mail Folders (cont.)


§   Name the folder
§   Specify where to
    create the folder
§   Specify the type of
    folder
§   Click on “Create”


§   User’s view:



                                145
Location of Mail Folders in Filesystem




      Advantages
· Each email message is
  stored as a separate file
· If one file becomes
  corrupted, the whole
  data store is not
  corrupted
· Easy to restore a single
  email message
· Can rebuild a single
  user’s inbox
                                         146
Working with Mail Folders


               § Click on Accounts -> View Accounts


               § Select the users whose mail
                 folders you want to see




                                                   147
Working with Mail Folders (cont.)


§ While viewing the
  user’s account
  information, click on
  “View Mail Folders”




                                    148
Reconstructing Mail Folders


§ To reconstruct the user’s
  mail folders, click on the
  “Reconstruct all mail
  folders” button




                               149
Setting Access Control Lists


To set ACLs for a
specific mail folder:

§ Select a user or a
  group (e.g. Anyone)


§ Define the ACLs
  (default is l,r,s)




§ Click on “Add ACL”


                               150
Setting Access Control Lists (cont.)




A new ACL
appears




                                       151
     Module 9




Managing Email Routing


                         152
Configuring MX Records


 §     MX records in DNS instruct mail servers where
       to direct email messages


     example.com   IN      MX     10           elm.example.com.
     example.com   IN      MX     20           spruce.example.com.
     example.com   IN      MX     30           oak.example.com.




     domain name   class   type   preference   hostname

     (fields, left to right; sending servers try the host with the
     lowest preference value first)



                                                                     153
Querying MX Records


§   When debugging problems exchanging email
    with other domains, query MX records
§   Use nslookup(1)
§   Specify “set querytype=MX”


                                               154
Configuring a Relay Host


 §   A relay host enables email delivery to be
     centralized

 §   In main.cf:
     relayhost = oak.example.com
            or
     relayhost = [192.168.1.17]

 §   Square brackets around the value turn off the MX lookup; use them
     for an IP address or for a host that has no MX record




                                                 155
      Module 10




Managing Virus Protection


                            156
ClamAV




   [Diagram: SCOoffice Server component stack on SCO OpenServer: Apache,
   ProFTP, OpenLDAP, Cyrus IMAP and Postfix, with AMaViS calling
   SpamAssassin and ClamAV on behalf of Postfix; ClamAV is highlighted.]


                                                                  157
Updating ClamAV Virus Definitions


 §   Virus definitions are updated automatically
 §   Cron job runs /opt/insight/bin/freshclam
 §   Virus definition files:
     § /opt/insight/share/clamav/main.cvd
     § /opt/insight/share/clamav/daily.cvd
 §   See freshclam(1)




                                                   158
Exercise: Updating Virus Definitions


 §   Consult the freshclam(1) manual page
 §   Instruct freshclam(1) to download latest virus
     definitions into a directory
 §   View the contents of the directory
 §   See the latest virus definitions at
     www.clamav.net.




                                                      159
Adding 3rd Party Anti-Virus Scanners




   [Diagram: the same component stack on SCO OpenServer (Apache, ProFTP,
   OpenLDAP, Cyrus IMAP, Postfix, AMaViS, SpamAssassin, ClamAV), with
   Sophos added alongside ClamAV as a scanner called by AMaViS.]


                                                                            160
Adding 3rd Party Anti-Virus Scanners
(cont.)


 §   To replace ClamAV with Sophos:
     § Download and install Sophos
     § Comment out ClamAV lines in
       /opt/insight/etc/amavisd.conf
     § Uncomment Sophos lines in
       /opt/insight/etc/amavisd.conf
     § Restart AMaViS




                                       161
Exercise: 3rd Party Anti-Virus Scanners


 §   View amavisd.conf comments which explain:
 §   The syntax of @av_scanners entries
 §   The relationship between @av_scanners and
     @av_scanners_backup




                                                 162
Exercise: 3rd Party Anti-Virus Scanners


 §   Examine usage message from
     /usr/local/bin/sweep.




                                          163
     Module 11




Managing Spam Filtering


                          164
SpamAssassin




   [Diagram: SCOoffice Server component stack on SCO OpenServer: Apache,
   ProFTP, OpenLDAP, Cyrus IMAP and Postfix, with AMaViS calling
   SpamAssassin and ClamAV on behalf of Postfix; SpamAssassin is highlighted.]


                                                                  165
SpamAssassin


 §   SpamAssassin uses numerous tests
 §   SpamAssassin is configured in:
     §   /opt/insight/etc/mail/local.cf
     §   /opt/insight/share/spamassassin/*.cf
 §   Do not modify files in share/spamassassin
 §   After modifying configuration files, run:
     §   spamassassin --lint
     §   /opt/insight/etc/rc/amavisd restart




                                                 166
SpamAssassin


 §   Every SpamAssassin administrator should know:
     §   required_hits
     §   report_contact
     §   report_safe
     §   Whitelisting
     §   Blacklisting




                                                     167
SpamAssassin


 §   Customizing headers
 §   SpamAssassin headers begin “X-Spam”
 §   X-Spam-Checker-Version is mandatory
 §   Modify headers with:
     §   remove_header
     §   clear_headers
     §   add_header




                                           168
SpamAssassin

Report message:
  Spam detection software, running on the system "_HOSTNAME_", has
  identified this incoming email as possible spam. The original message
  has been attached to this so you can view it (if it isn't spam) or block
  similar future email. If you have any questions, see
  _CONTACTADDRESS_ for details.

  Content preview: _PREVIEW_

  Content analysis details: (_HITS_ points, _REQD_ required)

  " pts rule                name                           description"
   ---- ---                 ------------------ --------------------------------------------
  _SUMMARY_



                                                                                              169
SpamAssassin

Spamtrap message:
  Subject: this address is no longer available

        [this message has been automatically generated]

        Please note that this address is no longer in use, and nowadays
        receives nothing but unsolicited commercial mail. Accordingly,
        any mail sent to it is added to several spam-tracking databases,
        then automatically deleted.

        If you genuinely want to contact the owner of the address, please
        re-check your contact lists, or search the web, to find their
        current e-mail address.

        The mail you sent is reproduced in full below, for resending to
        the correct address. Sorry for the inconvenience!

        [-- Signed: the SpamAssassin mail filter]


                                                                            170
SpamAssassin

Unsafe_report message:

   The original message was not completely plain text, and may be unsafe to
   open with some email clients; in particular, it may contain a virus,
   or confirm that your address can receive spam. If you wish to view
   it, it may be safer to save it to a file and open it with an editor.




                                                                                171
SpamAssassin


 §   Areas tested:
     §   header
     §   body
     §   rawbody
     §   full
     §   uri




                     172
SpamAssassin


    Header test example:

  header NO_REAL_NAME   From =~ /^["\s]*\<?\S+\@\S+\>?\s*$/

    Name of rule:              NO_REAL_NAME
    Header to match:           From
    Perl regex operator:       =~
    Perl regular expression:   /^["\s]*\<?\S+\@\S+\>?\s*$/

                                                                 173
SpamAssassin


 §   Header test definitions only define the test
 §   Header test definitions don’t define:
     §   The test’s description
     §   The test’s score


 §   20_head_tests.cf specifies:
         header NO_REAL_NAME      From =~ /^["\s]*\<?\S+\@\S+\>?\s*$/
         describe NO_REAL_NAME    From: does not include a real name

 §   50_scores.cf specifies (the slide’s callout marks the one of the
     four score-set values that SCOoffice uses):
     score NO_REAL_NAME 0.339 0.285 0.339 0.160

                                                                        174
SpamAssassin


 §    Meta-match (boolean expression)

     body CLICK_BELOW_CAPS     /CLICK\s.{0,30}(?:HERE|BELOW)/s
     describe CLICK_BELOW_CAPS Asks you to click below (in capital letters)

     body __CLICK_BELOW            /click\s.{0,30}(?:here|below)/is
     meta CLICK_BELOW              (__CLICK_BELOW && !CLICK_BELOW_CAPS)
     describe CLICK_BELOW          Asks you to click below




                                                                              175
SpamAssassin


 §   Meta-match (boolean arithmetic expression)

     body __NIGERIAN_CODE_CONDUCT   /\bcode of conduct\b/i
     body __NIGERIAN_CIV_SERVICE    /\bcivil service\b/i
     body __NIGERIAN_TOP_SECRET     /\btop secret\b/i
     body __NIGERIAN_HONESTY        /\btransparent honesty\b/i
     meta NIGERIAN_BODY_GOVT        ((__NIGERIAN_CODE_CONDUCT +
                                    __NIGERIAN_CIV_SERVICE +
                                    __NIGERIAN_TOP_SECRET +
                                    __NIGERIAN_HONESTY) >= 2)
     describe NIGERIAN_BODY_GOVT    Message body has many
                                    indications of nigerian scam
     score NIGERIAN_BODY_GOVT       2.900 2.800 2.800 2.700




                                                                   176
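Added example, not from the course or from SpamAssassin: a miniature evaluator for the body and meta rules on slides 175 and 176, showing how __ subrules feed boolean and arithmetic meta-matches and how a score line's four values map to score sets. The message bodies are constructed; the unscored CLICK_* rules get SpamAssassin's default score of 1.0.

```python
"""Added example (not course or SpamAssassin code): evaluate the slides'
body and meta rules against sample message bodies."""
import re
from typing import Dict, List, Tuple

# Rules copied from the slides. A rule with no score line scores 1.0 in
# SpamAssassin; subrules (names starting with __) are never scored.
RULES_CF = r"""
body CLICK_BELOW_CAPS     /CLICK\s.{0,30}(?:HERE|BELOW)/s
describe CLICK_BELOW_CAPS Asks you to click below (in capital letters)
body __CLICK_BELOW        /click\s.{0,30}(?:here|below)/is
meta CLICK_BELOW          (__CLICK_BELOW && !CLICK_BELOW_CAPS)
describe CLICK_BELOW      Asks you to click below
body __NIGERIAN_CODE_CONDUCT   /\bcode of conduct\b/i
body __NIGERIAN_CIV_SERVICE    /\bcivil service\b/i
body __NIGERIAN_TOP_SECRET     /\btop secret\b/i
body __NIGERIAN_HONESTY        /\btransparent honesty\b/i
meta NIGERIAN_BODY_GOVT        ((__NIGERIAN_CODE_CONDUCT + __NIGERIAN_CIV_SERVICE + __NIGERIAN_TOP_SECRET + __NIGERIAN_HONESTY) >= 2)
describe NIGERIAN_BODY_GOVT    Message body has many indications of nigerian scam
score NIGERIAN_BODY_GOVT       2.900 2.800 2.800 2.700
"""

PERL_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


def parse_rules(cf: str) -> Tuple[Dict[str, tuple], Dict[str, List[float]]]:
    """Return ({name: ('body', regex) or ('meta', expression)}, {name: scores})."""
    rules: Dict[str, tuple] = {}
    scores: Dict[str, List[float]] = {}
    for raw in cf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, rest = line.split(None, 2)
        if kind == "body":
            m = re.fullmatch(r"/(.*)/([imsx]*)", rest)
            if m is None:
                raise ValueError(f"bad body rule {name}: {rest}")
            flags = 0
            for f in m.group(2):          # Perl /i and /s map directly onto re flags
                flags |= PERL_FLAGS[f]
            rules[name] = ("body", re.compile(m.group(1), flags))
        elif kind == "meta":
            rules[name] = ("meta", rest)
        elif kind == "score":
            scores[name] = [float(v) for v in rest.split()]
        # 'describe' lines only document the rule
    return rules, scores


RULES, SCORES = parse_rules(RULES_CF)


def evaluate(body: str, rules=RULES, scores=SCORES, score_set: int = 0) -> Tuple[List[str], float]:
    """Run every rule over a body. Meta expressions are evaluated with each
    rule name replaced by 1 (hit) or 0 (miss) and Perl's &&, || and ! mapped
    to Python operators. Returns (scored rules that hit, total score)."""
    memo: Dict[str, bool] = {}

    def hit(name: str) -> bool:
        if name not in memo:
            kind, payload = rules[name]
            if kind == "body":
                memo[name] = payload.search(body) is not None
            else:
                expr = re.sub(r"\b[A-Za-z_]\w*\b", lambda m: "1" if hit(m.group(0)) else "0", payload)
                expr = expr.replace("&&", " and ").replace("||", " or ")
                expr = re.sub(r"!(?!=)", " not ", expr)
                memo[name] = bool(eval(expr, {"__builtins__": {}}, {}))
        return memo[name]

    def score_of(name: str) -> float:
        values = scores.get(name)
        if not values:
            return 1.0                                      # default for an unscored rule
        return values[min(score_set, len(values) - 1)]      # a single value applies to all sets

    hits = [n for n in rules if not n.startswith("__") and hit(n)]
    return hits, round(sum(score_of(n) for n in hits), 3)


# Constructed sample bodies
SCAM_BODY = ("Dear friend, I am a man of transparent honesty in the civil service.\n"
             "This TOP SECRET transfer needs your account. Please click here to reply.")
SHOUTY_BODY = "CLICK HERE for your prize"
CLEAN_BODY = "Minutes of the code of conduct committee are attached."
```

SCAM_BODY trips three of the four NIGERIAN subrules, so the arithmetic meta fires; SHOUTY_BODY shows the boolean meta suppressing CLICK_BELOW when the capitalised variant already matched.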
Quarantining Viruses and Spam


 §   By default, SCOoffice Server:
     §   Quarantines messages containing viruses
     §   Does not quarantine messages containing spam




                                                        177
Quarantining Viruses and Spam


 §   Messages containing viruses are quarantined by
     AMaViS.




                                                      178
Quarantining Viruses and Spam


 §   Headers added to messages containing spam:
     §   X-Virus-Scanned
     §   X-Spam-Status
     §   X-Spam-Level
     §   X-Spam-Flag
     §   Subject




                                                  179
Quarantining Viruses and Spam


 §   AMaViS can be configured to quarantine spam
 §   Configured in amavisd.conf
     §   $final_spam_destiny
     §   $QUARANTINEDIR
     §   $spam_quarantine_to




                                                   180
Quarantining Viruses and Spam


 §   To quarantine spam to a directory, configure
     amavisd.conf (the file is Perl, so each setting ends with a
     semicolon and strings are quoted):
          $final_spam_destiny = D_PASS;
          $QUARANTINEDIR = '/opt/insight/var/virusmails';
          $spam_quarantine_to = 'spam-quarantine';




                                                         181
Header Checks


To block emails based on headers:

In /opt/insight/etc/postfix/main.cf:
     header_checks = pcre:/opt/insight/etc/postfix/header_checks


In /opt/insight/etc/postfix/header_checks:
     /^subject: known_message_subject/ REJECT




                                                                   182
Blocking Attachments by Extension


To block emails containing .exe, .bat, etc. attachments:

In /opt/insight/etc/postfix/main.cf:
     header_checks = pcre:/opt/insight/etc/postfix/header_checks


In /opt/insight/etc/postfix/header_checks:
     /^content-type:.*name[[:space:]]*=.*\.(exe|bat)/
        REJECT Rejected file extension: $1




                                                                   183
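Added example, not from the course: an emulation of Postfix header_checks with a pcre: table, run over constructed message headers to show what the rule above catches and what it misses, next to a tighter constructed pattern. It assumes pcre_table(5) semantics: patterns are tried in order, matching is case-insensitive unless /i toggles it, the first match decides, and $1..$9 in the action text are filled from the sub-expressions.

```python
"""Added example (not course code): emulate Postfix header_checks with a
pcre: table to compare the slide's attachment rule with a tighter one."""
import re
from typing import List, Optional, Tuple

# The slide's /opt/insight/etc/postfix/header_checks, verbatim
SLIDE_TABLE = r"""
/^content-type:.*name[[:space:]]*=.*\.(exe|bat)/ REJECT Rejected file extension: $1
"""

# Constructed tighter table: also covers Content-Disposition's filename=, and
# requires the extension to end the file name (a quote, ';' or end of line),
# so a name like notes.exe.txt is no longer rejected
TIGHT_TABLE = r"""
/^content-(type|disposition):.*(file)?name[[:space:]]*=[[:space:]]*"?[^";]*\.(exe|bat)"?[[:space:]]*(;|$)/ REJECT Rejected file extension: $3
"""

Rule = Tuple["re.Pattern", str, str]      # (compiled pattern, action, action text)
PCRE_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


def posix_to_python(pattern: str) -> str:
    """Python's re has no POSIX bracket classes; translate the one the slide uses."""
    return pattern.replace("[[:space:]]", r"\s")


def parse_table(text: str) -> List[Rule]:
    """Parse '/pattern/flags ACTION text' lines; blank and '#' lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"/(.*)/([imsx]*)\s+(\S+)(?:\s+(.*))?", line)
        if m is None:
            raise ValueError(f"unparsable header_checks line: {line}")
        pattern, flags, action, msg = m.groups()
        re_flags = re.IGNORECASE               # pcre_table(5): case-insensitive by default
        for f in flags:
            re_flags ^= PCRE_FLAGS[f]          # each flag letter toggles its option
        rules.append((re.compile(posix_to_python(pattern), re_flags), action.upper(), msg or ""))
    return rules


def unfold(raw_headers: str) -> List[str]:
    """Join continuation lines (leading whitespace) onto the previous header."""
    lines: List[str] = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def check_headers(raw_headers: str, rules: List[Rule]) -> Optional[str]:
    """Return the REJECT text for the first header that hits a REJECT rule,
    or None when every header passes."""
    for header in unfold(raw_headers):
        for pattern, action, msg in rules:
            m = pattern.search(header)
            if m is None:
                continue
            if action == "REJECT":
                return re.sub(r"\$(\d)", lambda s: m.group(int(s.group(1))) or "", msg)
            break                               # OK, IGNORE, etc. also end the search for this header
    return None


# Constructed message headers. MIME part headers are included because Postfix
# applies mime_header_checks (default: $header_checks) to them as well.
EXE_MSG = ("From: Bob Barnes <bob@example.com>\n"
           "Subject: invoice\n"
           "Content-Type: application/octet-stream;\n"
           '\tname="Invoice.EXE"\n'
           'Content-Disposition: attachment; filename="Invoice.EXE"\n')
TXT_MSG = ("From: Alice Adams <alice@example.com>\n"
           'Content-Type: text/plain; name="notes.exe.txt"\n')
BAT_MSG = ("From: Carl Carson <carl@example.com>\n"
           "Content-Type: application/octet-stream\n"
           'Content-Disposition: attachment; filename="setup.bat"\n')
```

The slide's pattern rejects notes.exe.txt (no anchor after the extension) and misses an attachment that names its file only in Content-Disposition; the tighter pattern handles both cases.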
          Module 12




Performing Preventive Maintenance


                                    184
Mon Overview


 § What is Mon?
    §   Mon   is a general purpose service monitor
    §   Mon   schedules monitors
    §   Mon   provides a multitude of alert methods
    §   Mon   is extensible


 § SCOoffice Server uses Mon to monitor:
    §   HTTP
    §   LDAP
    §   FTP
    §   SMTP
    §   IMAP
    §   POP3



                                                      185
Mon Monitor facilities


 § Monitor scripts provided by Mon:
    §   dns.monitor
    §   ftp.monitor
    §   http.monitor
    §   imap.monitor
    §   ldap.monitor
    §   ping.monitor
    §   pop3.monitor
    §   smtp.monitor
    §   tcp.monitor
    §   telnet.monitor


 § Monitor scripts are stored in /opt/insight/mon/mon.d


                                                          186
Mon Alert Methods


 § Alert scripts provided by Mon:
    § file.alert
    § mail.alert
    § remote.alert


 § Alert scripts are stored in /opt/insight/mon/alert.d




                                                          187
The MON configuration file


 MON is configured in /opt/insight/mon/etc/mon.cf

     maxprocs      = 20
     randstart     = 60s

     hostgroup building1 elm.example.com oak.example.com
     hostgroup building2 spruce.example.com maple.example.com

     watch building1
          service ftp
                interval 1m
                monitor ftp.monitor
                period wd {Sun-Sat}
                      alert file.alert /opt/insight/logs/mon_ftp.log
                      alert mail.alert admin@example.com
                      alertevery 1h



                                                                           188
Managing Disk Space


 §   Strategies for managing disk space usage:
 §   Setting maximum message size
 §   Restricting attachments
 §   Imposing quotas
 §   Setting mailbox expire values
 §   Setting logging levels
 §   Pruning log files




                                                 192
Guarding Backups


 § Backups are stored in /opt/insight/htdocs/is4web/tar
 § Protected by .htaccess in that directory
 § Beware of:
    § Missing .htaccess
    § Modified .htaccess
    § World writable .htaccess




                                                          194
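Added example, not from the course: a check for the three .htaccess problems listed above (missing, modified, world writable), plus backup archives readable by other users. It assumes the administrator recorded the SHA-256 of the known-good .htaccess at setup time; the .htaccess content, archive name and directory layout in demo() are constructed.

```python
"""Added example (not course code): audit the backup directory that the
SCOoffice web console protects with .htaccess."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

TAR_DIR = "/opt/insight/htdocs/is4web/tar"       # location from the slide


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_backup_dir(tar_dir: str, expected_htaccess_sha256: str) -> List[str]:
    """Return a list of findings; an empty list means the directory is as expected."""
    findings: List[str] = []
    directory = Path(tar_dir)
    htaccess = directory / ".htaccess"
    if not htaccess.is_file():
        findings.append("missing .htaccess")
    else:
        if htaccess.stat().st_mode & stat.S_IWOTH:
            findings.append("world writable .htaccess")
        if sha256_of(htaccess) != expected_htaccess_sha256:
            findings.append("modified .htaccess")
    if directory.stat().st_mode & stat.S_IWOTH:
        findings.append("world writable backup directory")
    # Backups are compressed cpio archives; they hold the LDAP directory and
    # mail store, so nobody but the owner should be able to read them.
    for archive in sorted(directory.glob("*.cpio*")):
        if archive.stat().st_mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append(f"backup readable or writable by others: {archive.name}")
    return findings


# Constructed known-good .htaccess content; the real file's content is not on the slide
GOOD_HTACCESS = b"# constructed sample\nOrder deny,allow\nDeny from all\n"


def demo() -> Dict[str, List[str]]:
    """Build four scenarios in a temporary directory and return each one's findings."""
    expected = hashlib.sha256(GOOD_HTACCESS).hexdigest()
    results: Dict[str, List[str]] = {}
    scenarios = [
        ("ok", GOOD_HTACCESS, 0o644),
        ("missing", None, None),
        ("modified", GOOD_HTACCESS + b"Allow from all\n", 0o644),
        ("world_writable", GOOD_HTACCESS, 0o666),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for name, content, mode in scenarios:
            d = Path(tmp) / name
            d.mkdir()
            os.chmod(d, 0o755)
            archive = d / "backup-20140217.cpio.gz"       # constructed archive name
            archive.write_bytes(b"constructed placeholder")
            os.chmod(archive, 0o600)
            if content is not None:
                (d / ".htaccess").write_bytes(content)
                os.chmod(d / ".htaccess", mode)
            results[name] = audit_backup_dir(str(d), expected)
    return results
```

Run audit_backup_dir(TAR_DIR, recorded_digest) from cron and alert on a non-empty result; Mon's file.alert and mail.alert from Module 12 are one way to deliver the alert.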
Configuration File Sanity Checks


 § spamassassin --lint
 § postfix check
 § apachectl configtest




                                   195
Log Files


 §   SCOoffice uses the following log files:
 §   /var/adm/syslog
 §   /opt/insight/logs/amavis.log
 §   /opt/insight/logs/freshclam.log
 §   /opt/insight/logs/access_log
 §   /opt/insight/logs/error_log




                                               196
Log Files


  Component             Syslogd Facility

  Cyrus IMAP and POP3   local6

  Postfix               mail

  SASLAUTHD             auth

  ProFTPD               authpriv

  slapd/slurpd          local4

                                           197
Log Files


Where to specify logging levels:
§ /etc/syslog.conf
§ /opt/insight/etc/postfix/master.cf
§ /opt/insight/etc/postfix/main.cf
§ /opt/insight/etc/amavisd.conf
§ /opt/insight/etc/clamav.conf
§ /opt/insight/etc/freshclam.conf
§ /opt/insight/etc/apache/httpd.conf




                                       198
Log Files


Events to monitor in syslog:
§ Monitor SMTPD connections:
    egrep "[^s]connect from|client=" /var/adm/syslog
§   Monitor bounced messages:
    grep status=bounced /var/adm/syslog
§   Monitor deferred messages:
    grep status=deferred /var/adm/syslog
§   Monitor address rewriting:
    grep orig_to /var/adm/syslog
§   Monitor SASLAUTHD failures:
    grep "auth failure" /var/adm/syslog


                                                       199
              Module 13




Planning for and Recovering from Disasters


                                             200
Creating Backups


Administrators can backup:
§ SCOoffice Server
   configuration
§ LDAP directory
§ IMAP datastore

Backup scripts stored in:
§   /opt/insight/htdocs/is4web/cron


Restore scripts stored in:
§   /opt/insight/htdocs/is4web/bin

                                      201
Restoring and Uploading Backup Files



§   Restore backups
§   Download backups
    from server to local
    hard drive
§   Upload backups from
    local hard drive to
    server
§   Delete backups




                                       202
Creating Backups


§   Backup scripts: /opt/insight/htdocs/is4web/cron
§   Restore scripts: /opt/insight/htdocs/is4web/bin

§   Backups are compressed cpio archives

§   Third party backup software can be integrated into the
    web console




                                                             203
SCOoffice Server 4.1




      Thank You


                       204
Microsoft Outlook® Setup


  §   Single Click configuration
  §   Manual Connector installation
  §   Sharing folders
  §   Manual Address Book installation
  §   Automated Installation




                                         205
Why I wish we used Postfix 2.1


 §   XCLIENT support
 §   main.cf supports ldap:/some/file/name (instead
     of putting ldap parameters in publicly readable
     main.cf)

 §   Versions we’re running (see notes)




                                                       206

				