Mail Server
DEMO

Simple

Useful

Powerful

Send Mail

Don't Be Afraid. It's Friendly!

yum install mailx

echo "mama is god" | \
mail -s "Subject" \
 [e-mail addr.]

That's All :) 

Receive Mail

Hold it...

You have new mail!

example: ouo -✉-> owo

Send

Notification

Retrieve your mail

So...

Why Mail Server?

Aggressive missionary...?

for (( i = 0 ; i < 100 ; i += 1 )); do
    echo "<(_ _)>" | \
    mail -s "MAMA IS GOD!!!!" \
    b05902xxx@ntu.edu.tw
done

WASAY!!

SPAM!!

spam-script

So, safety?

SMTP

(Simple Mail Transfer Protocol)

NOT SO SIMPLE

five steps:

telnet [server] smtp

HELO [who am i?]

MAIL FROM: [e-mail addr.]

RCPT TO: [e-mail addr.]

DATA

If 麻麻(mama)
wants to play a prank...

MAIL FROM:
b05902008@csie.ntu.edu.tw

RCPT TO:
hsinmu@csie.ntu.edu.tw

DATA

I want to fail NASA!! Plz!!

I Actually Like This Idea

example:
counterfeit mail 

step1 : telnet

step2 : who am i?

step3 : MAIL FROM

step4 : RCPT TO

step5 : type "DATA" and start your context

use a single line with . as EOF

However,
I'm not 008

He will get a counterfeit mail!

[SPAM] tag:
The mail server we built
thought this was spam.
(details later)

So, we need SASL
Authentication!
(Simple Authentication and Security Layer)

SMTP + Auth

EHLO [who am i?]

 AUTH PLAIN/LOGIN [secret]

 

 

Note: the password should be encoded

(EHLO (Extended HeLlo): find supported mechanism)

printf "\0[account]\0password" | base64
to encode it, and copy the result.

But if PiePie wants to
eavesdrop...

PiePie is a Python master, aka PPP.

Auth, but being eavesdropped

(Using Wireshark, we can intercept the data.)

Use the encoded string to log in

(Encoded string) username: vmail, password: vmail

We can eavesdrop on the data.

We also need TLS!

(Transport Layer Security)

>STARTTLS

<250-STARTTLS

<220 2.0.0 Ready to start TLS
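
Added example (not from the original slides): a Python check over a client-side SMTP session log that flags AUTH PLAIN sent before STARTTLS completed, and shows that the base64 token decodes back to the credentials without any key. The function names, host names and sample sessions are constructed for illustration; the vmail/vmail account is the test login shown on the slides.

```python
import base64

def decode_auth_plain(token):
    """AUTH PLAIN token = base64(authzid NUL authcid NUL password); no key involved."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("not an AUTH PLAIN token")
    return tuple(p.decode("utf-8") for p in parts)

def audit_session(lines):
    """Flag AUTH PLAIN sent before TLS in a client-side session log.

    Each line starts with '>' (sent by client) or '<' (sent by server).
    """
    starttls_sent = tls_active = False
    findings = []
    for line in lines:
        direction, text = line[0], line[1:].strip()
        if direction == ">" and text.upper() == "STARTTLS":
            starttls_sent = True
        elif direction == "<" and starttls_sent and text.startswith("220"):
            tls_active = True  # server accepted; the TLS handshake follows
        elif direction == ">" and text.upper().startswith("AUTH PLAIN "):
            if not tls_active:
                _, user, password = decode_auth_plain(text.split()[2])
                findings.append(
                    f"AUTH PLAIN for {user!r} sent in cleartext "
                    f"({len(password)}-char password recoverable by base64 decode)")
    return findings

# Constructed sample data (hypothetical host names, test account from the slides).
TOKEN = base64.b64encode(b"\0vmail\0vmail").decode()
GREETING = ["<220 mail.example.test ESMTP", ">EHLO client.example.test",
            "<250-STARTTLS", "<250 AUTH PLAIN LOGIN"]
LOGIN = [f">AUTH PLAIN {TOKEN}", "<235 2.7.0 Authentication successful"]
PLAINTEXT_SESSION = GREETING + LOGIN
TLS_SESSION = GREETING + [">STARTTLS", "<220 2.0.0 Ready to start TLS",
                          ">EHLO client.example.test",
                          "<250 AUTH PLAIN LOGIN"] + LOGIN

if __name__ == "__main__":
    for name, session in (("plaintext", PLAINTEXT_SESSION), ("starttls", TLS_SESSION)):
        print(name, audit_session(session) or "ok")
```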

Simply use SMTPS!

(More Secure!!)

(SSL Encryption)

Using SSL...

Use SMTPS to deliver:

openssl s_client -connect [server]:smtps

Use SMTP + openssl TLS mech.

openssl s_client -connect [server]:smtp -starttls smtp

Not So Good Service and Our Difficulty

That's what Postfix does!

How about receiving mail with a mail server?

Two Popular Protocols:
imap & pop3

POP3

User-friendly but
Function is
not complete

cmd:

user [username]
pass [password]
list  (list all mails)
retr [num] (retrieve %d mail)
quit

EASY! Huh?

IMAP

Function is complete
but it's too hard for me.

cmd:

1 login [username] [pw]
2 select INBOX
3 fetch 1 body[]
4 logout

Commands are too Starburst(星爆) to demo.

Also, We need Safety!

Use SSL, too!

Pop3s

openssl s_client -connect [server]:pop3s

Imaps

openssl s_client -connect [server]:imaps

DEMO:
Pop3s

MAIL
DATA

LOGIN

SSL
title

That's what Dovecot does!

Why can Postfix
communicate with Dovecot?

Use LMTP to connect
(Local Mail Transfer Protocol)

If the users' information
is not right here...

Let Dovecot query
the remote LDAP's information
 

(Lightweight Directory Access Protocol)

If we already know 行健 is spam...

1. reject_rbl_client

popular blacklist!

2. Postgrey

Trash is usually delivered only once.

DEMO: postgrey

The first time we meet an Addr.,
it will be greylisted
for 60 seconds.

Greylisted After 60 sec...

OK!

3. SpamAssassin

Looks like trash?

3. SpamAssassin

Trash will get a [SPAM] tag added

If you really really
hate someone...

e.g.  b05902008

4. Alias ACL

Set Alias as blacklist!

If set rules to reject...

In MailLog...

REJECT!

If someone's hands are dirty...

Like this one

If he guesses the password right,
what will happen?

sudo rm -rf /*

Fail2ban

An IP with lots of failed login attempts

will be banned.

Fail2ban:
Wrong tries == 3: the IP will be banned

and the manager informed.
 

Notification

3 wrong tries

Connection refused

That's a lot of commands!

don't be scared, because...

Web Mail Server 

Ultimately user-friendly!

Friendly GUI!

Overfail Postfix

Why only postfix?

Postfix Queue mech.

Ansible

Script: www.csie.ntu.edu.tw/~b05902127/playbook.yml
