Email Services
CSCI N321 – System and Network Administration
Copyright © 2007 by Scott Orr and the Trustees of Indiana University

Section Overview
- Email Architecture
- Postfix Configuration
- Mail forwarding
- CS Spam-Filtering Architecture
- Procmail

References
- Postfix site – http://www.postfix.org
- Red Hat Deployment Guide, Chapter 24 – Email

Email Server Architecture (diagram)
- MUA (Outlook) – submits mail over smtp(s) to the MTA, reads it over imap(s)/pop(s) from the AA
- MTA (sendmail, postfix)
- MDA (procmail)
- AA (imapd, popd)

SMTP Protocol

  [smo@sysadmin ~]$ telnet tempest.cs.iupui.edu 25
  Trying 134.68.140.202...
  Connected to tempest.cs.iupui.edu (134.68.140.202).
  Escape character is '^]'.
  220 tempest.cs.iupui.edu ESMTP Postfix
  helo sysadmin
  250 tempest.cs.iupui.edu
  mail from: <smorr@indiana.edu>
  250 2.1.0 Ok
  rcpt to: <sorr@cs.iupui.edu>
  250 2.1.5 Ok
  data
  354 End data with <CR><LF>.<CR><LF>
  Subject: Hello

  Hi Scott.
  .
  250 2.0.0 Ok: queued as B06375050618
  quit
  221 2.0.0 Bye
  Connection closed by foreign host.

Postfix MTA
- More secure replacement for Sendmail
- Suite of programs to handle email
- postfix <option>
  - start
  - stop
  - reload
  - flush
- Configuration files
  - /etc/postfix/master.cf
  - /etc/postfix/main.cf

master.cf
- Maps services to postfix daemons
- Format (one line per service)
  - Service Name
  - Service Type (inet | fifo | unix)
  - Private (y | n)
  - Unprivileged (y | n)
  - Chroot (y | n)
  - Wakeup #
  - Maxproc #
  - command + args
- Spam and Virus filtering

main.cf – Directories/Owner
- Key Directories
  - queue_directory = /var/spool/postfix
  - command_directory = /usr/sbin
  - daemon_directory = /usr/libexec/postfix
  - mail_spool_directory = /var/spool/mail
  - config_directory = /etc/postfix
- Ownership – mail_owner = postfix

main.cf – Delivery Addresses
- Address Configuration
  - myhostname = tempest.cs.iupui.edu
  - mydomain = cs.iupui.edu
  - myorigin = $mydomain
  - mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
- Smart Host
  - relayhost = mail-relay.iu.edu

main.cf – SMTPd
- smtpd_banner = $myhostname ESMTP $mail_name
- smtpd_helo_required = yes
- smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
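How Postfix walks that restriction list, as a small model (an added example, not Postfix source): each restriction answers PERMIT, REJECT or nothing, the first non-empty answer decides, and reaching the end of the list means permit. The mydestination set is taken from the Delivery Addresses slide; the mynetworks range, the SASL user name and the client addresses are constructed for the example. The second list, with the relay control left out, shows why reject_unauth_destination is the line that keeps the server from being an open relay.

```python
"""Model of smtpd_recipient_restrictions evaluation (added example, not Postfix code)."""
import ipaddress

# mydestination from the slides; mynetworks is an assumed value for the example.
MYDESTINATION = {"tempest.cs.iupui.edu", "localhost.cs.iupui.edu", "localhost", "cs.iupui.edu"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("134.68.140.0/24")]


def permit_sasl_authenticated(session):
    """Client logged in with SASL: allowed to relay anywhere."""
    return "PERMIT" if session.get("sasl_username") else None


def permit_mynetworks(session):
    """Client inside one of our own networks: allowed to relay."""
    ip = ipaddress.ip_address(session["client_ip"])
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else None


def reject_unauth_destination(session):
    """Anyone else may only deliver to domains we are responsible for."""
    domain = session["recipient"].rpartition("@")[2].lower()
    return None if domain in MYDESTINATION else "REJECT"


RESTRICTIONS = {f.__name__: f for f in (permit_sasl_authenticated,
                                        permit_mynetworks,
                                        reject_unauth_destination)}


def evaluate(restriction_list, session):
    """Walk the comma/space separated list left to right; first verdict wins."""
    for name in restriction_list.replace(",", " ").split():
        verdict = RESTRICTIONS[name](session)
        if verdict:
            return verdict, name
    return "PERMIT", "end-of-list"   # implicit permit when no restriction fired


SLIDE_CONFIG = "permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination"
OPEN_RELAY_CONFIG = "permit_sasl_authenticated, permit_mynetworks"   # relay control missing

if __name__ == "__main__":
    # Constructed sessions: an unknown host on the Internet delivering to us, then relaying through us.
    local = {"client_ip": "203.0.113.9", "recipient": "sorr@cs.iupui.edu"}
    relay = {"client_ip": "203.0.113.9", "recipient": "victim@example.net"}
    for cfg in (SLIDE_CONFIG, OPEN_RELAY_CONFIG):
        print(cfg)
        print("  inbound to local user:", evaluate(cfg, local))
        print("  relay to foreign domain:", evaluate(cfg, relay))
```

Current Postfix releases additionally carry a separate smtpd_relay_restrictions list whose default already contains reject_unauth_destination, so the relay control is enforced even when someone edits it out of smtpd_recipient_restrictions.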

Authenticated Delivery
- Only allow valid users to send email
- main.cf
  - smtpd_sasl_auth_enable = yes
  - smtpd_sasl_loglevel = 2
  - smtpd_sasl_received_header = yes
- saslauthd Daemon
  - /etc/sysconfig/saslauthd
  - /usr/lib/sasl2/smtpd.conf

SSL Support
- Authenticated access must be protected
- main.cf
  - smtpd_use_tls = yes
  - smtpd_tls_auth_only = yes
  - smtpd_tls_key_file = /etc/postfix/certs/smtpd.key
  - smtpd_tls_cert_file = /etc/postfix/certs/smtpd.crt
  - smtpd_tls_loglevel = 2
  - smtpd_tls_received_header = yes
  - smtpd_tls_session_cache_timeout = 3600s

Mail Forwarding
- /etc/postfix/aliases
  - alias: real-address[, …]
  - newaliases
  - postmaster@cs.iupui.edu
- main.cf
  - alias_maps = hash:/etc/postfix/aliases
  - alias_database = hash:/etc/postfix/aliases
- ~/.forward
- Mailing lists
  - alias: :include:<path_to_file>
  - Majordomo & Mailman

Reading Email
- IMAP/IMAPS
  - Used to read messages online
  - Should always be used over SSL
  - Typically started via inetd/xinetd
- Webmail
  - SquirrelMail
  - Horde

Opening Spam-dora’s Box
- April 12, 1994 – Lawyers Laurence Canter and Martha Siegel sent a message about the upcoming Green Card lottery to some 6000+ Usenet news groups in less than 90 minutes
- Arizona ISP Internet Direct received so many email complaints that their email server(s) crashed more than 15 times
- C&S account gets cancelled; they threaten to sue (although never do)
- C&S publish How to Make a Fortune on the Information Superhighway (1995)

14 years later…
- SPAM (Unsolicited Commercial Email)
  - 60% 94% of all email (1st Qtr. 2008)
- Phishing Attacks
  - less than 1% of all email but growing
- Significant increase in Botnets
- Top Spam-Sending Countries
  - United States (37.9%)
  - China (4.6%)
  - United Kingdom (4.3%)
  - Germany (3.8%)
  - Brazil (3.8%)
- Source: Commtouch Software Online Labs

Costs of Spam
- Spammers
  - Great ROI!!!
  - Malware writer partnerships
  - Phishing
- Recipient
  - Time
  - Bandwidth
  - Storage space

SPAM Filtering Techniques
- Black lists
- White lists
- Content (keyword blocking)
- Invalid addresses/header values
- Heuristics
- Bayesian Filtering

Greylisting
- Each message identified by a triplet
  - Envelope recipient
  - Envelope sender
  - IP address of delivering host
- Delivery based on the following rules:
  - If IP address or recipient on whitelist – send msg to recipient
  - If triplet not seen before – send tempfail msg and record triplet
  - If time limit on triplet not expired – send tempfail msg
  - If time limit on triplet expired – send msg to recipient and update last seen time
  - Remove triplet from database after not seen for set period of time
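The five rules above as a runnable policy check. This is an added example, not code from the course or from any greylisting package: the 300-second delay, the 35-day expiry, the whitelist entries and the sample addresses are assumed, and the action= strings follow the format of Postfix's SMTPD access policy delegation protocol, which is how a greylister is usually hooked into smtpd_recipient_restrictions.

```python
"""Greylisting decision logic following the slide's rules (added example)."""
import time


class Greylist:
    def __init__(self, delay=300, expire=35 * 86400):
        self.delay = delay      # seconds a new triplet must wait before delivery (assumed)
        self.expire = expire    # forget triplets not seen for this long (assumed)
        self.db = {}            # triplet -> [first_seen, last_seen]
        self.whitelist_ips = set()
        self.whitelist_recipients = set()

    def check(self, sender, recipient, client_ip, now=None):
        """Return 'accept' or 'tempfail' for one delivery attempt."""
        now = time.time() if now is None else now
        self.purge(now)
        # Rule 1: whitelisted delivering host or recipient bypasses greylisting
        if client_ip in self.whitelist_ips or recipient.lower() in self.whitelist_recipients:
            return "accept"
        triplet = (sender.lower(), recipient.lower(), client_ip)
        entry = self.db.get(triplet)
        # Rule 2: never seen -> record the triplet and ask the sender to retry
        if entry is None:
            self.db[triplet] = [now, now]
            return "tempfail"
        first_seen = entry[0]
        # Rule 3: retry arrived before the delay elapsed -> still tempfail
        if now - first_seen < self.delay:
            return "tempfail"
        # Rule 4: delay served -> deliver and refresh the last-seen time
        entry[1] = now
        return "accept"

    def purge(self, now):
        """Rule 5: drop triplets that have not been seen for `expire` seconds."""
        stale = [t for t, (_, last) in self.db.items() if now - last > self.expire]
        for t in stale:
            del self.db[t]


def policy_response(verdict):
    """Render the verdict in Postfix's check_policy_service reply format."""
    if verdict == "accept":
        return "action=DUNNO\n\n"          # let the remaining restrictions decide
    return "action=DEFER_IF_PERMIT 450 4.2.0 Greylisted, please try again later\n\n"


if __name__ == "__main__":
    g = Greylist()
    t0 = 1_700_000_000   # constructed clock value so the run is reproducible
    for dt in (0, 60, 300, 301):
        v = g.check("sender@example.net", "sorr@cs.iupui.edu", "203.0.113.9", now=t0 + dt)
        print(f"t+{dt:>4}s: {v:8} {policy_response(v).strip()}")
```

Retries that arrive inside the delay do not refresh the last-seen time, exactly as the slide phrases rule 4, so a host that never comes back after the first tempfail ages out of the database on its own.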

Sender Policy Framework (SPF)
- Receiving host verifies sender is legitimate mail server for originating domain
- Add TXT (SPF) records to domain DNS
  - Domain specific
  - Each host with MX record (also A, PTR, IP addr, external hosts)
  - cs.iupui.edu. IN TXT "v=spf1 mx a:storm.cs.iupui.edu"
- Issues
  - Breaks email forwarding
  - Spammers can still send messages if they have an account on domain
  - Most major ISPs do not support SPF (yet)
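A minimal SPF evaluator for the record on the slide, added here as an example (not the course's code and not a full RFC 7208 implementation: it handles the mx, a, ip4 and all mechanisms with the four qualifiers). DNS is replaced by a constructed in-memory table; the MX host and the address of storm.cs.iupui.edu are assumed, and example.com carries a constructed strict record so the "-all" case, the one that breaks forwarding, can be seen next to the slide's record, which has no all term and therefore yields neutral for unknown hosts.

```python
"""Toy SPF check against a constructed DNS table (added example)."""
import ipaddress

# Constructed DNS data. The cs.iupui.edu TXT record is the one on the slide;
# the MX host, the A records and the example.com record are assumptions.
DNS = {
    "cs.iupui.edu":         {"TXT": ["v=spf1 mx a:storm.cs.iupui.edu"],
                             "MX": ["tempest.cs.iupui.edu"]},
    "tempest.cs.iupui.edu": {"A": ["134.68.140.202"]},
    "storm.cs.iupui.edu":   {"A": ["134.68.140.203"]},
    "example.com":          {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name.rstrip(".").lower(), {}).get(rtype, [])


def ip_in_hosts(client_ip, hostnames):
    """True if client_ip is one of the A records of any of the given hosts."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip == ipaddress.ip_address(a) for h in hostnames for a in lookup(h, "A"))


def check_spf(client_ip, sender_domain):
    """Return none / pass / fail / softfail / neutral / permerror for one connection."""
    records = [t for t in lookup(sender_domain, "TXT") if t.lower().startswith("v=spf1")]
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        qualifier = "+"                     # mechanisms default to "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ipaddress.ip_address(client_ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip_in_hosts(client_ip, [arg or sender_domain])
        elif mech == "mx":
            matched = ip_in_hosts(client_ip, lookup(arg or sender_domain, "MX"))
        else:
            return "permerror"              # mechanism this toy does not implement
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                        # no term matched and no "all" present


if __name__ == "__main__":
    for ip, dom in [("134.68.140.202", "cs.iupui.edu"), ("134.68.140.203", "cs.iupui.edu"),
                    ("203.0.113.9", "cs.iupui.edu"), ("203.0.113.9", "example.com")]:
        print(f"{ip:>15} claiming {dom}: {check_spf(ip, dom)}")
```

The last two calls make the forwarding problem concrete: a message from the same unlisted forwarder is merely neutral under the slide's record but fails outright under a record ending in -all.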

CS Email Architecture (diagram)
- smtp → postfix (Greylist?) → Maia-Mailguard (Amavisd) with clamav and SpamAssassin → Procmail → Mail spool
- Quarantine (MySQL)

Clam Antivirus
- Open Source
- If signature match…
  - Added header fields:
    - Delivered-To: virus-quarantine
    - X-Quarantine-Id: <zz.WB7-Yx.AXs.I>
    - X-Amavis-Alert: INFECTED, message contains virus: <virus signature ID>
  - Moved to quarantine area
  - Email sent to virusalert@cs.iupui.edu
- Hourly checks for signature updates
- Phishing signatures included

SpamAssassin
- Open Source (part of Apache project)
- Weighted heuristic tests
  - Full Message
  - Header
  - Body
  - URI
- Third party plugins

SA: Full Message Tests
- Message found in hashed Spam databases
  - Entries contributed by Spam recipients
  - Uses statistical and randomized signatures
- Distributed Checksum Clearinghouse (DCC)
- Vipul’s Razor

SA: Message Header Tests
- Header Anomalies (length, sender, etc.)
- Subject Obfuscation
- Realtime Blackhole Lists (RBL)
  - Open Relays/Proxy (SORBS)
  - Address/Domain Abuse lists
- Sender Policy Framework (SPF)
- DomainKeys

SA: Message Body Tests
- Common Spam content checks
- HTML obfuscation*
- Locale specific checks
- URLs in RBLs
- Bayesian Filters
  - Calculates probability message is Spam
  - (- score) < 50% / (+ score) > 50%
  - Must be trained using Spam and “Ham”

*The Spammers' Compendium

SA: URI Message Tests
- Focuses on embedded URLs
- Keywords in URLs
- Address obfuscation
- TLD checks
- CGIs and Authentications

Spam Thresholds
- Spam check [header] tagging (-999)
  - Spam Status
  - Score & breakdown by test
  - Spam-level histogram
- Spam detected (6.3)
- Quarantine Level (-)

Header Tagging Example

  X-Spam-Status: No, hits=6.069 tagged_above=3 required=6.3
      tests=[DNS_FROM_RFC_ABUSE=0.374, DNS_FROM_RFC_POST=1.376,
      HTML_50_60=0.095, HTML_FONT_BIG=0.232, HTML_IMAGE_ONLY_24=1.003,
      HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.158, MSGID_FROM_MTA_HEADER=0,
      RCVD_IN_BL_SPAMCOP_NET=1.832, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
  X-Spam-Level: ******
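A parser for the two tag headers above, added as an example (not code from SpamAssassin or Amavisd). It unfolds the continuation lines, pulls out hits, tagged_above, required and the per-test breakdown, and applies the thresholds the header itself carries; the sample is the slide's header, and the reading that the X-Spam-Level stars count the integer part of the score is an assumption checked against that sample.

```python
"""Parse X-Spam-Status / X-Spam-Level tags and apply their thresholds (added example)."""
import re
from dataclasses import dataclass

# The slide's headers, folded over several lines as they appear in a real message.
SAMPLE_HEADERS = """X-Spam-Status: No, hits=6.069 tagged_above=3 required=6.3
    tests=[DNS_FROM_RFC_ABUSE=0.374, DNS_FROM_RFC_POST=1.376,
    HTML_50_60=0.095, HTML_FONT_BIG=0.232, HTML_IMAGE_ONLY_24=1.003,
    HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.158, MSGID_FROM_MTA_HEADER=0,
    RCVD_IN_BL_SPAMCOP_NET=1.832, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
X-Spam-Level: ******
"""


@dataclass
class SpamStatus:
    is_spam: bool
    hits: float
    tagged_above: float
    required: float
    tests: dict
    level: str


def unfold_headers(raw):
    """Join folded continuation lines (leading whitespace) into one logical header each."""
    headers, name = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name:
            headers[name] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
    return headers


def parse_spam_status(raw):
    h = unfold_headers(raw)
    status = h["X-Spam-Status"]

    def num(key):   # amavis writes hits=, SpamAssassin itself writes score=
        m = re.search(rf"\b{key}=(-?\d+(?:\.\d+)?)", status)
        return float(m.group(1)) if m else None

    tests = {}
    m = re.search(r"tests=\[(.*?)\]", status)
    if m:
        for item in m.group(1).split(","):
            name, _, score = item.strip().partition("=")
            if name:
                tests[name] = float(score)
    hits = num("hits")
    return SpamStatus(is_spam=status.split(",", 1)[0].strip().lower() == "yes",
                      hits=hits if hits is not None else num("score"),
                      tagged_above=num("tagged_above"), required=num("required"),
                      tests=tests, level=h.get("X-Spam-Level", ""))


def spam_level(hits):
    """One '*' per whole point of score (assumed rendering, matches the sample)."""
    return "*" * max(0, int(hits))


def classify(s):
    """spam: over required; tagged: over tagged_above only; clean: below both."""
    if s.hits >= s.required:
        return "spam"
    if s.tagged_above is not None and s.hits >= s.tagged_above:
        return "tagged"
    return "clean"


def top_tests(s, n=3):
    """The tests that contributed most to the score, highest first."""
    return sorted(s.tests.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    s = parse_spam_status(SAMPLE_HEADERS)
    print(classify(s), s.hits, "of", s.required, "needed; top tests:", top_tests(s))
```

The per-test scores in the sample add up to exactly 6.069, so the breakdown can be used to explain any score to a user who asks why a message was tagged; the top contributor here is the SpamCop listing, not any single content rule.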

Procmail (MDA)
- Handles where incoming messages are stored
- Procmail “recipes”
  - System-wide: /etc/procmail
  - User: ~/.procmailrc
- Single recipe & recipe chaining
- Recipe Example:

    :0:
    * ^Subject: Broker Alert
    $SPAMMAYBE

- Also great for managing email lists/folders
- Vacation-Away messages
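A tiny interpreter for the recipe form shown above, added as an example (it is not procmail and covers only header-matching recipes whose action is a folder or a variable, which is enough to trace how the Broker Alert recipe files a message). The SPAMMAYBE value, the two extra recipes and the test messages are constructed.

```python
"""Minimal reader for procmail-style ':0' recipes (added example, not procmail)."""
import re

# Constructed .procmailrc: the first recipe is the one from the slide.
PROCMAILRC = """
SPAMMAYBE=spam/maybe

:0:
* ^Subject: Broker Alert
$SPAMMAYBE

:0:
* ^X-Spam-Status: Yes
$SPAMMAYBE

:0:
* ^List-Id:.*sysadmin
lists/sysadmin
"""


def parse_procmailrc(text):
    """Return (variables, recipes); a recipe is (flags, [conditions], action)."""
    variables, recipes = {}, []
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith(":0"):
            flags, conds = line[2:], []       # ':0:' -> flags ':' (use a lockfile)
            i += 1
            while i < len(lines) and lines[i].startswith("*"):
                conds.append(lines[i][1:].strip())
                i += 1
            recipes.append((flags, conds, lines[i]))   # the action line ends the recipe
        elif "=" in line:
            key, _, val = line.partition("=")
            variables[key.strip()] = val.strip()
        i += 1
    return variables, recipes


def condition_matches(cond, headers):
    """Conditions are case-insensitive egrep patterns over the header block; '!' negates."""
    negate = cond.startswith("!")
    pattern = cond[1:].strip() if negate else cond
    hit = re.search(pattern, headers, re.IGNORECASE | re.MULTILINE) is not None
    return hit != negate


def deliver(message, variables, recipes, default="inbox"):
    """First recipe whose conditions all match decides the folder; else default delivery."""
    headers = message.split("\n\n", 1)[0]           # default recipes look at headers only
    for _flags, conds, action in recipes:
        if all(condition_matches(c, headers) for c in conds):
            return variables.get(action[1:], action) if action.startswith("$") else action
    return default


if __name__ == "__main__":
    variables, recipes = parse_procmailrc(PROCMAILRC)
    msg = "From: tips@example.net\nSubject: Broker Alert - hot stock\n\nbuy now"
    print(deliver(msg, variables, recipes))
```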