« Posts under ISP

Complete Guide: Setup Mail Server on CentOS

Mail Server CentOS Postfix Dovecot SquirrelMail
Background
A few days back, I felt this need to have my own mail server setup on my VPS so that I can send and receive emails from my own email account (@AskTaimoor.com). One option I had was to setup CPanel on my VPS but it had its own issues. CPanel is costly and it comes with lots and lots of additional features. Its best for web hosting providers so its none of my use. If you are planning to setup lots of email accounts on lots of domains, you should consider buying CPanel or other commercial products. My requirement was just to setup a few email accounts on a few domains that I personally manage. Also, I always prefer Open Source solutions because of their security and community support.

I followed tutorials on many websites but most of them were outdated and so lead to errors and other issues. After spending hours, I found this one tutorial that was much recent as compared to others but lengthy as hell. Following the steps provided there, I was able to send and receive email from a nice and simple to use web interface. Here I am writing those steps without unnecessary discussion about each and every step, the problems I faced and how I managed to fix those problems.

Limitations
There are a few limitations of this setup that I should point out before I start:

  • Account Management
    You cannot create, delete or modify email accounts directly from the final interface you will get. All the mail accounts map to local user accounts on the underlying Linux system.

  • Password Change
    Passwords of accounts cannot be changed for the same reason. It has to be manually changed from console or using some postfix plugins.

  • Non-Fancy Interface
    The web interface you will get is not stylish yet pretty simple and straight forward. Don’t expect a fancy looking user interface like Hotmail or Gmail.

  • Security
    Although we will be running everything with limited permissions yet there are some security problems with this setup e.g; MITM attacks.

If you are OK with these limitations you can go ahead otherwise go for alternate solutions that I have mentioned above.

Prerequisites

  • Basic Linux Knowledge
    If you don’t know basic Linux terminologies or the basic commands used in Linux you might feel lost. If that’s the case, seek help from a Linux pro.

  • Static IP
    Most VPS and dedicated server providers allot Static IPs. In case you don’t have one or you are setting up on your home server, this simply wont work for you.

  • SSH Access
    You must have SSH access to your server using PuTTy or other means. This is a must so that so can run commands on your server.

  • root Access
    This tutorial assumes that you are the administrator of this server. So you must have root access on your server in order to install anything at all.

Installation Steps
Before you start, make sure you have logged in to SSH and changed to root.

  • Hostname
    Your server’s hostname or FQDN should be the same as your mail address domain name. If you are going for [email protected], your hostname should be mydomain.com.
    To know your current hostname, type hostname in SSH.
    If its not correctly set, change it by entering hostname mydomain.com

  • hosts File
    Enter vi /etc/hosts
    Append this at the file’s end (if its not there already):
    w.x.y.z mydomain.com mydomain www.mydomain.com

  • Reverse DNS
    Your servers’s Public IP address should point to your FQDN. This is not set by default. It has to be configured from your server’s control panel usually or you will need to contact your host provider. Look for rDNS or Reverse DNS or PTR Records or Network Settings in your Server Control Panel.
    Once configured, run the command host w.x.y.z, where w.x.y.z is your server’s public IP address and the result should be:
    z.y.w.x.in-addr.arpa domain name pointer mydomain.com.

  • Setup MX Domain Records
    Add these records in your DNS manually or from your domain control panel:

    mail A w.x.y.z
    mydomain.com. MX 10 mail.mydomain.com.

    Don’t forget your to restart your DNS server if you have entered the records manually.

  • EPEL Repository
    Some components of this setup are not present in default repository. To fix that, we have to add latest EPEL Repository by typing this:

    # make sure to add the proper repo version for your system
    wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
    rpm -ivh epel-release-6-8.noarch.rpm

  • Disable SELinux
    To avoid mysterious errors, I suggest turning of SELinux temporarily. Enter this command to do it:
    setenforce 0

  • Setup Mail Accounts
    As pointed out above, all mail accounts point to local Linux user accounts. That means we will need to setup users on our server:

    # for setting up [email protected]
    useradd contact
    passwd contact

  • Setup Postfix
    Postfix is the backbone of this whole setup. Hence it must be installed and configured properly before going any further.

    # to make sure everything is up-to-date.
    yum update

    yum install postfix -y

    # remove sendmail as it conflicts with postfix
    yum remove sendmail -y

    # use your favorite text editor. mine is vi
    vi /etc/postfix/master.cf

    # find this line, un-comment it and change it to look like this:
    submission inet n - n - - smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_wrappermode=no
    -o smtpd_tls_security_level = encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING

    # to tell postfix about your hostname
    vi /etc/postfix/main.cf

    # find these lines, un-comment them and change them to look like below:
    myhostname = mail.mydomain.com
    mydomain = mydomain.com
    myorigin = $mydomain
    inet_interfaces = all
    inet_protocols = all
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    mynetworks = localhost, 127.0.0.0/8, w.x.y.z
    home_mailbox = Maildir/

    # to make sure postfix runs on startup
    chkconfig postfix on

    # restart postfix
    service postfix restart

    If you see any errors on starting postfix, that means you have missed something. For error details, enter this command:
    tail -f /var/log/maillog
    Once you are running postfix without any errors, run this command to send a test email to your other email:
    mail my_email@my_isp.com
    Press Ctrl+D to send the mail.
    Now open your mail and check the Inbox or Junk/Spam folder to confirm that your test email has arrived.

  • Setup Dovecot
    yum install dovecot -y

    vi /etc/dovecot/dovecot.conf

    # find this line, un-comment it and change it to look like this:
    protocols = imap pop3 lmtp

    vi /etc/dovecot/conf.d/10-mail.conf

    # find this line, un-comment it and change it to look like this:
    mail_location = maildir:~/Maildir

    vi /etc/dovecot/conf.d/10-auth.conf

    # find these lines, un-comment them and change them to look like below:
    disable_plaintext_auth = yes
    auth_mechanisms = plain login

    vi /etc/dovecot/conf.d/10-master.conf

    # find these lines, un-comment them and change them to look like below:
    user = postfix
    group = postfix

    # run dovecot on startup
    chkconfig dovecot on

    service dovecot start

  • Setup SquirrelMail

    # run squirrelmail wizard
    cd /usr/share/squirrelmail/config/
    ./conf.pl

    # enter 1 to setup your organization details
    # again enter 1 to edit the organization details
    # enter all your details and press S to save them and finally press R to return to main menu

    # enter 2 to setup mail server details
    # again enter 1 to set your domain name (mydomain.com)
    # enter 3 and then enter 2 to change from Sendmail to SMTP

    # finally press S followed by Q to save and exit the squirrelmail wizard

  • Setup Apache
    Apache is installed on most servers by default. If not, install it by typing:

    yum install apache -y

    Once Apache is properly installed, configure it to serve SquirrelMail front-end:

    vi /etc/httpd/conf/httpd.conf

    # add the below lines at the end of line:
    Alias /webmail /usr/share/squirrelmail

    Options Indexes FollowSymLinks
    RewriteEngine On
    AllowOverride All
    DirectoryIndex index.php
    Order allow,deny
    Allow from all

    # restart apache server
    service httpd restart

    Open http://w.x.y.z/webmail in your browser and you will be greeted by SquirrelMail login page like this:
    Mail Server SquirrelMail Frontend Login
    Login with the mail account you previously created.
    If you have reached this point without any errors, pat your self as you have completed 60% of the whole setup.

  • Setup Multiple Accounts
    Postfix allows us to send and receive emails using different email addresses on different domains using a single Linux user account.
    In order to make it work, enter the following commands:

    vi /etc/postfix/main.cf

    # find these lines, un-comment them and change them to look like below:
    virtual_alias_domains = mydomain.com mypersonaldomain.net myofficaldomain.org
    virtual_alias_maps = hash:/etc/postfix/virtual

    vi /etc/postfix/virtual

    # add as many accounts you want at the end of file in this format:
    [email protected] contact
    [email protected] contact
    [email protected] contact
    [email protected] contact
    [email protected] contact

    # every time you edit the virtual file, you must run these commands:
    postmap /etc/postfix/virtual
    postfix reload

    The emails received on the above email accounts will land in the inbox of contact user account. You can setup as many accounts as you wish by mapping them to the local Linux user accounts. But setting up too many accounts is not recommended.

  • Setup SPF Records
    SPF records are used by most Email servers to prevent SPAM. If you don’t have these records chances are that all your sent emails will land in recipient’s junk/spam folder.
    Add this record in your DNS manually or from your domain control panel:

    @ TXT "v=spf1 mx a ip4:w.x.y.z"

    Don’t forget your to restart your DNS server if you have entered the records manually.

  • Setup DKIM Keys
    Just like SPF, DKIM is a mechanism designed to fight email SPAM. Failing to setup these will cause your emails to be caught up by SPAM filters or never reaching the recipients at all. Perform the following to prevent this:

    yum install opendkim -y

    vi /etc/opendkim.conf

    # append the following lines at the file's end:
    AutoRestart Yes
    AutoRestartRate 10/1h
    UMask 002
    Syslog yes
    SyslogSuccess Yes
    LogWhy Yes

    Canonicalization relaxed/simple

    ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
    InternalHosts refile:/etc/opendkim/TrustedHosts
    KeyTable refile:/etc/opendkim/KeyTable
    SigningTable refile:/etc/opendkim/SigningTable

    Mode sv
    PidFile /var/run/opendkim/opendkim.pid
    SignatureAlgorithm rsa-sha256

    UserID opendkim:opendkim

    Socket inet:12301@localhost

    vi /etc/default/opendkim

    # find this line, un-comment it and change it to look like this:
    SOCKET="inet:12301@localhost"

    # configure postfix to use DKIM as mail filter
    vi /etc/postfix/main.cf

    # find these lines, un-comment them and change them to look like below:
    milter_protocol = 2
    milter_default_action = accept
    smtpd_milters = inet:localhost:12301
    non_smtpd_milters = inet:localhost:12301

    # setup dkim directory structure
    mkdir /etc/opendkim
    mkdir /etc/opendkim/keys

    # specify which hosts should be trusted
    vi /etc/opendkim/TrustedHosts

    # append the follow lines at the end of the file:
    w.x.y.z
    *.mydomain.com

    # create a key table
    vi /etc/opendkim/KeyTable

    # append this line at the end of the file:
    mail._domainkey.mydomain.com mydomain.com:mail:/etc/opendkim/keys/mydomain.com/mail.private

    # create signing table
    vi /etc/opendkim/SigningTable

    # append this line at the end of the file:
    *@mydomain.com mail._domainkey.mydomain.com

    # setup public and private keys
    cd /etc/opendkim/keys
    mkdir mydomain.com
    cd mydomain.com
    opendkim-genkey -s mail -d mydomain.com
    chown opendkim:opendkim mail.private

    # open mail.txt and copy the domain record
    vi mail.txt

    # the domain record should look like this (do not use this its just a sample):
    mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5e4Yg/0fTwxDZlDB
    8MThaqhifXvrniu6AQfBd+11zucb7ZMtEGHrutlUXC4cHCe4Xj5NoU6
    DHQOJTd6DcOt3R88Ik40mpg98EWozAL3RGTb6FifGJEg7s7WFB0x2oE
    hT/yFTwHVMOCDOnQgGvr3iftmzKGy7kMyFbVKGWDHtx9QIDAQAB"

    # restart postfix and opendkim to update the latest changes
    service postfix restart
    service opendkim restart


    Add the above copied record in your DNS manually or from your domain control panel:

    mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5e4Yg/0fTwxDZlDB
    8MThaqhifXvrniu6AQfBd+11zucb7ZMtEGHrutlUXC4cHCe4Xj5NoU6
    DHQOJTd6DcOt3R88Ik40mpg98EWozAL3RGTb6FifGJEg7s7WFB0x2oE
    hT/yFTwHVMOCDOnQgGvr3iftmzKGy7kMyFbVKGWDHtx9QIDAQAB"

    Don’t forget your to restart your DNS server if you have entered the records manually.

Testing
Once all the above steps are completed, its time to test your newly born mail server.

  • DNS Records
    Verify that all your DNS records are setup properly by typing this command:
    nslookup -type=ANY mydomain.com
    The result should look like below:
    Mail Server Test Nslookup Type Any
    The MX, SPF and DKIM records must be present in the results.

  • Compliance
    To make sure your email server meets the standards and follows the best practices, send an empty email to [email protected] from your SquirrelMail.
    Open http://www.allaboutspam.com/email-server-test-report/index.php in your browser and enter the email from which you sent the empty email ([email protected]) and press enter.
    All the results should be shown in green except the BATV and Greylist check. Like for SPF test, you should see this:
    Mail Server SPF Compliance Test
    Within 10 to 15 minutes, a mail will arrive in your SquirrelMail inbox containing a link ensuring your email server is using the best practices.

  • Gmail, Hotmail and Yahoo!
    Try sending email from your SquirrelMail to the most used email services to test email delivery.
    Do not enter words like “test email” “mail testing” in the subject field or email body. Doing this increases the chances of your emails landing in SPAM folder.
    Enter something creative that doesn’t look like SPAM and your emails will land safely in Gmail’s and Yahoo!’s inbox!
    However in case of Hotmail this isn’t true. Hotmail’s SmartFilter uses IP reputation in addition to other methods to identify potential SPAM. It takes take for SmartFilter before it whitelist your IP. Until then your associates will have to check their Junk folder to find your email.
    Other than that, it works fine with most email services providers worldwide.

  • Debugging
    Following the above steps, if something doesn’t work, you will need to check the following to find the culprit:
    For mail server related problems: tail -f /var/log/maillog
    For DNS server related problems: tail -f /var/named/log/queries.log
    For user authentication related problems: tail -f /var/log/secure
    For other problems: tail -f /var/log/messages

    In case you are having problems following this tutorial, just write in comments and we will sort out the problem!

  • Hacking and Securing DSL Routers

    Introduction:
    (Note: If you know how DSL works, you can jump to the next section!)
    Most of the internet users nowadays are using DSL connections. DSL stands for Digital Subscriber Line which provides internet over telephone lines. DSL uses ADSL Routers or ADSL Modems. Here is a layman diagram of how DSL works:
    how_dsl_works

    Whenever a user turns on their DSL modem, they are connected to the DSLAM which is usually placed inside ISP Exchange. Each DSLAM has the capacity to connect with thousands of DSL users. In above image, it looks like a small box but actually it is much bigger:
    dslam_backside

    DSLAM is responsible for checking the condition of telephone line and assures that a stable connection can be maintained. It also holds some properties for each telephone line. The Download and Upload Rate you see in your modem status page are also set by DSLAM. Once the DSLAM connection is established, the DSL light on some modems is turned on.
    modem_adsl_light_off

    Now the modem sends Internet Access request to the BRAS server. This request contains the DSL username and password which is saved in the DSL modem settings. The login is usually set by the lineman when they install a new DSL connection. The BRAS server is directly connected with the central RADIUS server which contains login information of all DSL users. The RADIUS server also contains a list of IP Addresses which are not used by others. If the login sent by modem is valid, RADIUS server responds with one IP Address from the IP Address list. Once the modem receives the IP Address, an internet connection is established and the internet light on modem is turned on:
    modem_adsl_internet_on

    That was some lengthy introduction about DSL and its working for non-technical people!

    How to Hack:
    After reading the above introduction we know that each DSL connection is assigned a unique Public IP address from a list. This list is basically a range of IP Addresses which is assigned to the ISP by the RIR. We can check our IP Address from here: http://myip.counterstrike.com.pk/. I assume my IP Address is 66.150.150.10. The IP Address we see is basically the IP Address assigned to our modem. What will happen if we change the last part of our IP Address and enter 66.150.150.11 it in web browser?
    ip_connect_error

    Oh. It looks like that IP Address does not belong to any DSL user. Lets try 66.150.150.11:
    router_basic_auth_page
    (Keep increasing the last number of IP Address until you hit a login page. Don’t give up too soon!)

    Looks like we have reached the login page of another DSL users’s modem. The default login for most modems is admin:admin. More default logins are given in next section. Once we login successfully, we have full control over that modem.
    For example:

    • We can steal their DSL login and use their bandwidth:
      modem_wan_ppp_settings

    • Change their DNS Servers and hijack their DNS Requests:
      modem_wifi_key_wpa_psk

    • Steal their Wi-Fi keys:
      modem_wifi_key_wpa_psk

    • Enable DMZ to remotely access internal LAN computers:
      modem_dmz_pic

    • Replace ACS with our own for remote configuration of modem:
      modem_acs_server_attacker

    • Replace modem’s firmware with our own backdoored firmware:
      modem_firmware_backdoor_update

    As you can see, we can do pretty much anything we want with that DSL Router we just owned.

    How to Secure:
    Now that we have learned about the various tricks to exploit the router, lets go through the different ways to secure it:

    • Change Default Router Configuration Password:
      If you have installed a new DSL connection, chances are that your login and password combination is one of the following default logins:
      admin:admin
      support:support
      user:user
      admin:ISP NAME
      admin:LAST 5 HEX CHARACTERS OF MODEM MAC ADDRESS+1
      Always use a strong password that does not include dictionary words.
      Some modems have multiple login accounts so make sure you have changed passwords for all of them:
      modem_default_login_pass

    • Change Default DSL Connection Password:
      Call your ISP helpline and ask them to change your DSL or Broadband or PPP account password.
      If you do not change it, someone else might use it and you will be billed for their download usage.

    • Disable Remote Access to Modem:
      This is to make sure no one can connect to your router from outside your network.
      modem_acl_services_lan_wan_ftp_tftp_snmp_http_icmp_telnet_ssh

    • Disable TR-069 Client:
      If you know how to configure your router, you don’t need your ISP to remotely access your router.
      So you can simply disable it.
      modem_acs_tr069_disable

    • Use Strong Wi-FI Password:
      Always use a strong WPA/PSK key for password. If the attacker is on LAN, means they have your Wi-Fi password, they can easily sniff your router credentials using MITM on your local network.

    • Be Smart:
      If you connect to your Wi-Fi network and the browser opens a page asking for your Wi-Fi password, beware! Someone is trying to hack your Wi-Fi password using Wi-Fi Phishing. This is a new technique and it cannot be prevented directly. All you can do is educate your friends and family about how this works so they should be cautious about these attacks.

    If you follow the above steps, no one can break in to your router remotely or locally.

    Conclusion:
    The sole purpose of writing this post was to spread awareness about security and to educate the internet users and the ISP operators about the different threats they are exposed to.
    So if you suspect that your router might be vulnerable, now is the right time to secure it.

    Better safe than sorry!

    Cyber Crime Bill in Pakistan: The Bright Side

    Cyber Crime Laws in Pakistan
    If you belong to Pakistan you might have seen the recent fuss about the “Controversial Cyber Crime Bill” that will snatch the basic rights of internet users.
    This bill will take away everything including your internet privacy, freedom of speech and liberty. Once passed, it will be a cyber apocalypse for Pakistan.
    At least this is what the media is projecting about that bill.

    bolobhi-pasha-cybercrime-bill-update
    Below are a few texts quoted from various social and mainstream media sources:

    • If you send someone a message or email without their permission, you are a criminal.
    • Posting someones image online without their consent will land you in jail.
    • It will be a crime to write anything online against government or politicians.
    • Police or any other agency will be allowed to pick anyone without arrest warrants.
    • Government will block any website they want for any reason.
    • Internet in hotels and cafes will be banned.

    A few facts to keep in mind before I go any further:

    • Criminals are now using internet as a weapon for blackmailing the vulnerable. Victims often commit suicide in serious cases. If these criminals are ever caught, they are released most of the times because there are no laws that properly define those crimes.
    • Criminals mostly use open WiFi networks and cybercafés.
    • Pakistan government has already deployed a nationwide web filter which blocks adult websites, blasphemous material and anything that seems inappropriate to them. Government has used this system to block many legitimate websites without revealing any reasons. So this is nothing new that is going to happen.
    • Government agencies have powers to arrest anyone without requiring any arrest warrants but only when it is necessary. When they have solid intelligence about illegal activities and when national security at stake.

    mind_control
    Well, this media is a paid mind control machine. They are a modern form of black magic. You pay them good and they will turn everything in your favor. From spoiling someones reputation using scandals to violent strikes, this media plays the role of a positive catalyst. I am talking about mainstream media, the TV channels and the newspapers. Social media is not that mature yet. In our case it looks like some people don’t want to see these Cyber Crime Laws implemented.
    Power of media

    More details about mind manipulation by media and the methods used can be found on these links:

    10 Strategies of Manipulation” by the Media

    Silent Weapons for Quiet Wars

    The whole point of this post is that we should not blindly believe in what we are shown by media. We must research at our own before supporting or opposing anything.