Download presentation
Presentation is loading. Please wait.
1
Copyright © 2007 by Scott Orr and the Trustees of Indiana University
Services CSCI N321 – System and Network Administration Copyright © 2007 by Scott Orr and the Trustees of Indiana University
2
Section Overview Email Architecture Postfix Configuration
Mail forwarding CS Spam-Filtering Architecture Procmail
3
References Apache Site – http://www.postfix.org
RedHat Deployment Guide Chapter 24 –
4
Email Server Architecture
MTA MTA MDA (sendmail) (postfix) (procmail) smtp imap(s) pop(s) smtp(s) MUA AA (Outlook) (imapd) (popd)
5
SMTP Protocol [smo@sysadmin ~]$ telnet tempest.cs.iupui.edu 25
Trying Connected to tempest.cs.iupui.edu ( ). Escape character is '^]'. 220 tempest.cs.iupui.edu ESMTP Postfix helo sysadmin 250 tempest.cs.iupui.edu mail from: Ok rcpt to: Ok data 354 End data with <CR><LF>.<CR><LF> Subject: Hello Hi Scott . Ok: queued as B quit Bye Connection closed by foreign host.
![SMTP Protocol ~]$ telnet tempest.cs.iupui.edu 25](http://slideplayer.com/slide/6656932/23/images/5/SMTP+Protocol+%7E%5D%24+telnet+tempest.cs.iupui.edu+25.jpg "Trying Connected to tempest.cs.iupui.edu ( ). Escape character is ^] tempest.cs.iupui.edu ESMTP Postfix. helo sysadmin. 250 tempest.cs.iupui.edu. mail from: Ok. rcpt to: Ok. data. 354 End data with <CR><LF>.<CR><LF> Subject: Hello. Hi Scott Ok: queued as B quit Bye. Connection closed by foreign host.")
6
Postfix MTA More secure replacement for Sendmail
Suite of programs to handle postfix <option> start stop reload flush Configuration files /etc/postfix/master.cf /etc/postfix/main.cf
7
master.cf Maps services to postfix daemons Format
Service Name Service Type (inet | fifo | unix) Private (y | n) Unprivileged (y | n) Chroot (y | n) Wakeup # Maxproc # command + args Spam and Virus filtering
8
main.cf – Directories/Owner
Key Directories queue_directory = /var/spool/postfix command_directory = /usr/sbin daemon_directory = /usr/libexec/postfix mail_spool_directory = /var/spool/mail config_directory = /etc/postfix Ownership - mail_owner = postfix
9
main.cf – Delivery Addesses
Address Configuration myhostname = tempest.cs.iupui.edu mydomain = cs.iupui.edu myorigin = $mydomain mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain Smart Host relayhost = mail-relay.iu.edu
10
main.cf – SMTPd smtpd_banner = $myhostname ESMTP $mail_name
smtpd_helo_required = yes smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
11
Authenticated Delivery
Only allow valid users to send main.cf smtpd_sasl_auth_enable = yes smtpd_sasl_loglevel = 2 smtpd_sasl_received_header = yes saslauthd Daemon /etc/sysconfig/saslauthd /usr/lib/sasl2/smtpd.conf
12
SSL Support Authenticated access must be protected main.cf
smtpd_use_tls = yes smtpd_tls_auth_only = yes smtpd_tls_key_file = /etc/postfix/certs/smtpd.key smtpd_tls_cert_file = /etc/postfix/certs/smtpd.crt smtpd_tls_loglevel = 2 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s
13
Mail Forwarding /etc/postfix/aliases newaliases
alias: real-address[,…] newaliases main.cf alias_maps = hash:/etc/postfix/aliases alias_database = hash:/etc/postfix/aliases ~/.forward Mailing lists alias: :include:<path_to_file> Majordomo & mailmain
14
Reading Email IMAP/IMAPS Webmail Used to read messages online
Should always use with via SSL Typically started via inetd/xinetd Webmail Squirrelmail Horde
15
Opening Spam-dora’s Box
April 12, 1994 – Lawyers Laurence Canter and Martha Siegel sent message about upcoming Green Card lottery to some Usenet News Groups in less than 90 minutes Arizona ISP Internet Direct received so many complaints, their server(s) crashed more than 15 times. C&S account gets cancelled and threaten to sue (although never do) C&S publish How to Make a Fortune on the Information Superhighway (1995)
16
14 years later… SPAM (Unsolicited Commercial ) 60% - 94% of all (1st Qtr. 2008) Phishing Attacks less than 1% of all but growing Significant increase in Botnets Top Spam-Sending Countries United States (37.9%) China (4.6%) United Kingdom (4.3%) Germany (3.8%) Brazil (3.8%) Source: Commtouch Software Online Labs
17
Costs of Spam Spammers Recipent Great ROI!!!
Malware writer partnerships Phishing Recipent Time Bandwidth Storage space
18
SPAM Filtering Techniques
Black lists White lists Content (keyword blocking) Invalid addresses/header values Heuristics Bayesian Filtering
19
Greylisting Each message identified by a triplet
Envelope recipient Envelope sender IP address of delivering host Delivery based on following rules: If IP address or recipient on whitelist – send msg to recipient If not seen triplet before – send tempfail msg and record triplet If time limit on triplet not expired – send tmpfail msg If time limit on triplet expired – send msg to recipient and update last seen time. Remove triplet from database after not seen for set period of time
20
Sender Policy Framework (SPF)
Receiving host verifies sender is legitimate mail server for originating domain Add TXT (SPF) records to Domain DNS Domain specific Each host with MX record (also A, PTR, IP addr, external hosts) cs.iupui.edu. IN TXT "v=spf1 mx a:storm.cs.iupui.edu" Issues Breaks forwarding Spammers can still send messages if they have an account on domain Most major ISPs do not support SPF (yet)
21
Maia-Mailguard (Amavisd)
CS Architecture smtp postfix Maia-Mailguard (Amavisd) clamav spamassasin Greylist? Procmail Quarantine (MySQL) Mail spool
22
Clam Antivirus Open Source If signature match…
Added header fields: Delivered-To: virus-quarantine X-Quarantine-Id: <zzWB7-YxAXsI> X-Amavis-Alert: INFECTED, message contains virus: <virus signature ID> Moved to quarantine area sent to Hourly checks for signature updates Phishing signatures included
23
Spamassassin Open Source (Part of Apache project)
Weighted Heuristic tests Full Message Header Body URI Third party plugins
24
SA: Full Message Tests Message found in hashed Spam databases
Entries contributed by Spam recipients Uses statistical and randomized signatures Distributed Checksum Clearinghouse (DCC) Vipul’s Razor
25
SA: Message Header Tests
Header Anomalies (length, sender, etc.) Subject Obfuscation Realtime Blackhole Lists (RBL) Open Relays/Proxy (SORBS) Address/Domain Abuse lists Sender Policy Framework (SPF) DomainKeys
26
SA: Message Body Tests Common Spam content checks HTML obfuscation*
Locale specific checks URLs in RBLs Bayesian Filters Calculates probability message is Spam (- score) < 50% / (+ score) > 50% Must be trained using Spam and “Ham” *The Spammers' Compendium
27
SA: URI Message Tests Focuses on embedded URLs Keywords in URLs
Address obfuscation TLD checks CGIs and Authentications
28
Spam Thresholds Spam check [header] tagging (-999) Spam detected (6.3)
Spam Status Score & breakdown by test Spam-level histogram Spam detected (6.3) Quarantine Level (-)
![Spam Thresholds Spam check [header] tagging (-999) Spam detected (6.3)](http://slideplayer.com/slide/6656932/23/images/28/Spam+Thresholds+Spam+check+%5Bheader%5D+tagging+%28-999%29+Spam+detected+%286.3%29.jpg "Spam Status. Score & breakdown by test. Spam-level histogram. Spam detected (6.3) Quarantine Level (-)")
29
Header Tagging Example
X-Spam-Status: No, hits=6.069 tagged_above=3 required=6.3 tests=[DNS_FROM_RFC_ABUSE=0.374, DNS_FROM_RFC_POST=1.376, HTML_50_60=0.095, HTML_FONT_BIG=0.232, HTML_IMAGE_ONLY_24=1.003, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.158, MSGID_FROM_MTA_HEADER=0, RCVD_IN_BL_SPAMCOP_NET=1.832, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] X-Spam-Level: ******
30
Procmail (MDA) Handles were incoming messages are stored
Procmail “recipes” System-wide: /etc/procmail User: ~/.procmailrc Single recipe & recipe chaining Recipe Example: :0: * ^Subject: Broker Alert $SPAMMAYBE Also great for managing lists/folders Vacation-Away messages
Similar presentations
