1 SCOoffice Server 4.1 Administration Brian Watrous President & CEO ATCS, Inc. .

1

SCOoffice Server 4.1

Administration

Brian WatrousPresident & CEOATCS, Inc.http://www.atcs.net

2

Modules

1. Overview of SCOoffice Server2. Installing and Upgrading to SCOoffice

Server3. Configuring and Managing SCOoffice

Server4. Managing a Distributed Environment5. Securing SCOoffice Server

3

Modules

6. Managing Recipients and Aliases7. Managing Mail Queues8. Managing Private and Public Folders9. Managing Email Routing10.Managing Virus Protection11.Managing Spam Filtering12.Performing Preventive Maintenance13.Planning for and Recovering from

Disasters

4

How this Course is Designed

Task oriented Hands-on exercises Certification exam Prerequisites

Windows SCO OpenServer TCP/IP PlaceWare training

5

How this Course is Designed

Course uses RFC2606 style domain names:

elmspruce

oak

rosedaisy

poppy

paperpen

staple

example.com

example.net

example.org

6

Module 1

Overview of SCOoffice Server

7

Overview

SCOoffice Server

SCOoffice Address Book™

Desktop components Server components

SCOoffice Connector™

Microsoft Outlook®

SCOoffice WebClient

Web Browser

8

Overview

SCOoffice Server Internet e-mail Real-time collaboration Integrated anti-virus Junk e-mail Prevention Easy Administration User Profile Management Server Side Filtering Migration Tools Single-click Configuration

9

Overview

WebClient Internet e-mail

client Meeting scheduling

capabilities Shares folders:

email, calendars, contacts, and tasks

Interface similar to Microsoft Outlook.

10

Overview

Connector Plug-in for Microsoft

Outlook®

Shared public and private folders

Supports special folder types

Fine grained folder access controls

11

Overview

Address Book Plug-in for Microsoft

Outlook Works with any LDAP

server Provides native

Outlook global-address book look and feel

12

SCOoffice Architecture

SCO OpenServer

Postfix

Ap

ach

e

Pro

FTP

Op

en

LD

AP

Cyru

s IM

AP AMaViS

SpamAssassin

ClamAV

13

SCOoffice Architecture

SCO OpenServer

Postfix

Ap

ach

e

Pro

FTP

Op

en

LD

AP

Cyru

s IM

AP AMaViS

SpamAssassin

ClamAV

14

Helpful URLs

Technology HomepagePostfix http://www.postfix.org

Apache http://www.apache.org

Cyrus IMAP http://asg.web.cmu.edu.cyrus

OpenLDAP http://www.openldap.org

ProFTPD http://www.proftpd.org

MON http://www.kernel.org/software/mon

AMaViS http://www.amavis.orghttp://www.ijs.si/software/amavisd

SpamAssassin http://www.spamassassin.org

Clam AntiVirus http://www.clamav.net

15

Starting SCOoffice Server

P86insightserver1

insightserver2

saslauthd3

slurpd3slapd3 clamd3 amavisd3 postfix3 cyrus3 apache3 proftpd3 mon3

mon19

mon.dscripts20*

alert.dscripts21*

clamd7slapd4 slurpd5 saslauthd6

amavisd8 postfix11cyrus

master13

imapd14 pop3d15

apachectl16

httpd17

proftpd18

clamscan9*

spamassassin10

*

qmgr12*

pickup12*

cleanup12*

trivial-rewrite12*

local12*

flush12*

smtpd12*

16

Starting SCOoffice Server (cont.)

P86insightserver1

insightserver2

saslauthd3

slurpd3slapd3 clamd3 amavisd3 postfix3 cyrus3 apache3 proftpd3 mon3

mon19

mon.dscripts20*

alert.dscripts21*

clamd7slapd4 slurpd5 saslauthd6

amavisd8 postfix11cyrus

master13

imapd14 pop3d15

apachectl16

httpd17

proftpd18

clamscan9*

spamassassin10

*

qmgr12*

pickup12*

cleanup12*

trivial-rewrite12*

local12*

flush12*

smtpd12*

17

Module 2

Installing and Upgrading SCOoffice Server

18

Planning and Installation

Planning a SCOoffice Server Overview System Requirements Kernel Tuning Changes Made to Your System Network Considerations Domain Layout Installing SCOoffice Server

19

Installing SCOoffice Server

SCOoffice Server 4.1 is CUSTOM installable

Consult the installation guide for kernel tuning parameters

Make sure your DNS is configured correctly

20

Changes Made to Your System

Directory Purpose/opt/insight SCOoffice Server installation

directory

/opt/insight/var/spool/imap

User mail storage directory

/opt/insight/etc Configuration file directory

/opt/insight/log Log file directory

21

1. Login as root

22

2. Click on Software Manager

23

3. Software Manager Opens

24

4. Install New Software

25

5. From Server Name

26

6. Select Media Images

CD-ROM Drive 0

27

7. Click Install

28

8. Click Continue to Upgrade Sendmail

29

9. Installation Continues

30

10. Input License Information

31

11. License Install – Success

32

12. Kernel Tuning for Unix Logins

33

13. Rollback Sendmail Patches

34

14. Installation Proceeds

35

15. Installation Complete

36

Module 3

Configuring and Managing SCOoffice Server

37

Migration Wizard

Migration Wizard Migrate mail from an

existing server (server-to-server)

Import mail from an existing PST file

Import mail from and existing MBOX file

Import from an RFC 2849 LDIF file

Import from an /etc/shadow file

38

SCOoffice Server Configuration

Default admin password is “admin”

Change this password immediately!

To change admin’s password: Click on AccountsView Accounts Click on the administrator Type in a new password Click Update at the end of the page

39

After Installing SCOoffice Server

The “admin” account is not allowed to use the WebClient

Can point mail aliases to other account(s)

40

SCOoffice Server Configuration

Working with accounts Creating domains Creating groups Creating users Creating resources

Working with Aliases Creating aliases System aliases

Working with Mail Folders Viewing User Mail Folders Creating Mail Folders

41

Creating Domains

Click on AccountsCreate Domain

42

Creating Domains (cont.)

Specify name for the domainAt the end of the page click Create

Creating domains is optional

43

Creating Groups

Click on AccountsCreate Group

44

Creating Groups

Select the distinguished name (DN) of the container in which the new group will reside

Fill in all required informationGroup name

At the end of the page, click Create

45

Creating Groups

46

Creating Groups

47

Creating Users

Click on AccountsCreate User

These hypertext links can also be used to create users, domains, groups, etc.

48

Creating Users

Select an organization or groupFill in all required information

LoginPasswordLast Name

At the end of the page click Create

User’s mailbox is created by defaultUser’s quota is not set by defaultAccess to WebClient is granted by default

49

Creating Resources

Click on AccountsCreate Resource

50

Creating Resources (cont.)

Select a containerFill in all required information

LoginPasswordLast Name

At the end of the page click Create

Resources mailbox is created by defaultResources quota is not set by defaultAccess to WebClient is granted by default

51

Creating Aliases

Click on AliasesCreate Alias

52

Creating Aliases (cont.)

Working with Aliases (cont)

Select a container/domain

Give it a name Is it Open or Restricted

Open: everyone can subscribe to the alias

Restricted: alias owner allows/restricts alias members

53

Creating Aliases (cont.)

Working with Aliases (cont)

Who owns the alias click on Browse to select

owners Who are the members

click on Browse to select the members

Click on Create

54

Working with System Aliases

Click on AliasesSystem Aliases

55

Working with System Aliases (cont.)

Check the select box you want to change

Then either:Type another user‘s email address, orType a comma-separated list of email addresses

56

WebClient Setup

Access Control Preferences

57

WebClient Setup

Scroll to the bottom Enabled by default To restrict access,

uncheck the “Access WebClient”

To control access to the WebClient when creating a user:

58

WebClient Setup

Click on WebClientAccess Controls

To control access to the WebClient for an existing user:

59

WebClient Setup

Check to grant WebClient access to a user

Uncheck to deny Webclient access to a user

Click on “Change Access”

To control access to the WebClient for an existing user:

60

WebClient Setup

Preferences As a user, run the WebClient Click preferences

61

WebClient Preferences

Viewing pane

62


63


64

Configuration Files

Technology Configuration File

Postfix /opt/insight/etc/postfix/main.cf/opt/insight/etc/postfix/master.cf

Apache /opt/insight/etc/apache/httpd.conf

Cyrus IMAP /opt/insight/etc/cyrus.conf/opt/insight/etc/imapd.conf

OpenLDAP /opt/insight/etc/openldap/ldap.conf

ProFTPD /opt/insight/etc/proftpd.conf

MON /opt/insight/mon/etc/mon.cf

AMaViS /opt/insight/etc/amavisd.conf

SpamAssassin /opt/insight/etc/mail/spamassassin/local.cf

Clam AntiVirus /opt/insight/etc/clamav.conf

65

Configuring Services

Services

Apache

Cyrus IMAP

OpenLDAP

Postfix

ProFTPD

66

Configuring Apache

All changes are saved to /opt/insight/etc/apache/httpd.conf

67

Configuring Cyrus IMAP

All changes are saved to/opt/insight/etc/cyrus.conf

68

Configuring OpenLDAP

All changes are saved to/opt/insight/etc/openldap/slapd.conf

69

Configuring Postfix

All changes are saved to/opt/insight/etc/postfix/main.cf

70

Configuring ProFTPD

All Changes are saved to/opt/insight/etc/proftpd.conf

71

Modifying Advanced Parameters

Apache, Cyrus, Postfix, etc. have numerous configurable parameters

Postfix, alone, has more than 300 parameters!

SCOoffice Server optimizes these parameters

Some parameters can be adjusted in the web console by clicking on ConfigurationServices

72

/opt/insight/htdocs/is4web/xml/SCOconfig.xml:

Modifying Advanced Parameters (cont.)

<item> tags in SCOconfig.xml specify which parameters are configurable

73

Modifying Advanced Parameters (cont.)

Use the web console to change parameters!

Do not edit these files directly: /opt/insight/etc/imapd.conf /opt/insight/etc/openldap/slapd.conf /opt/insight/etc/etc/postfix/main.cf /opt/insight/etc/apache/httpd.conf /opt/insight/etc/etc/proftpd.conf

74

Adding Cyrus Partitions

SCO OpenServer

Postfix

Ap

ach

e

Pro

FTP

Op

en

LD

AP

Cyru

s IM

AP AMaViS

SpamAssassin

ClamAV

75


Administrators add Cyrus partitions to: Increase disk space Spread I/O

76


Add and mount disk drive(s)

Create directory: mkdir –p /some/other/directory/users

In /opt/insight/etc/imapd.conf:

partition-default: /opt/insight/var/spool/imappartition-1: /some/other/directorydefaultpartition: default

Restart Cyrus: /opt/insight/etc/rc/cyrus restart

77


Backup scripts back up the default partition Backup scripts do not back up new Cyrus

partitions

78

Reclaiming Ports 80 and 443

SCO OpenServer

Postfix

Ap

ach

e

Pro

FTP

Op

en

LD

AP

Cyru

s IM

AP AMaViS

SpamAssassin

ClamAV

79

Reclaiming Ports 80 and 443

By default, SCOoffice Server utilizes ports 80 (http) and 443 (https)

SCOoffice Server’s http and https servers can be relocated

Modifying Apache parameters Reactivating rc scripts

Reclaiming Ports 80 and 443 involves:

80

Reclaiming Ports 80 and 443 (cont.)

Click on ConfigurationServices Click Apache Change Port and Listen to the new port number

for http (e.g. 880) Change Define SSLPort to the new port number for

https (e.g. 4443) Click on Restart

81

Reclaiming Ports 80 and 443 (cont.)

To re-enable SCO OpenServer’s Apache web server

Rename /etc/rc0.d/_P90apache Rename /etc/rc2.d/_P90apache Start SCO OpenServer’s Apache web server

82

Reclaiming Port 21

SCO OpenServer

Postfix

Ap

ach

e

Pro

FTP

Op

en

LD

AP

Cyru

s IM

AP AMaViS

SpamAssassin

ClamAV

83

Reclaiming Port 21

By default, SCOoffice Server utilizes port 21 for ProFTP

SCOoffice Server’s ftp server can be relocated

Modifying ProFTP parameters Reactivating ftp in /etc/inetd.conf

Reclaiming Port 21 involves:

84

Reclaiming Port 21 (cont.)

Click on ConfigurationServices Click ProFTP Change Port to the new port number for ftp (e.g.

221) Click on Restart

Uncomment the ftp line in /etc/inetd.conf Send a SIGHUP to inetd

To relocate ProFTP:

To reactivate SCO OpenServer’s ftp server:

85

Module 4

Managing a Distributed Environment

86

Active Directory Authentication Process

I want to read my email.

Client

I’m configured to use Active Directory

authentication.

I decide who is

authenticated.

So I’ll forward the user’s

authentication request.

SCOofficeServer1

ActiveDirectory

Server

2

4 3

87

Active Directory Authentication

88

Distributed Mail – Single Server

SCOofficeServer

Alice Bob

Single Server Role• Stores all mail user accounts in local LDAP

directory• Stores all users’ email locally• Handles all email authentication requests

89

Master Role• Stores the master LDAP user accounts database• No local email storage for users• Can handle mail authentication requests• Redirects clients to slave for email retrieval

Distributed Mail – Master Server

Master

Slave

Alice

Internet

Slave

Bob Carl

90

Distributed Mail – Slave Server

Master

Slave

Alice

Internet

Slave

Bob Carl

Slave Role• Stores a local copy of the master LDAP user account

database• Stores email locally for each user defined on this server• Can handle email authentication requests

91

Sharing in a Distributed Environment

Master

Slave

Alice

Internet

Slave

Bob Carl

Contacts

Calendar

Folders

Contacts

Calendar

Folders

92

Sharing in a Distributed Environment

Master

Slave

Alice

Internet

Slave

Bob Carl

Contacts

Calendar

Folders

Contacts

Calendar

Folders

93

Duties in a Distributed Environment

MASTER SLAVE

Stores email No Yes

Maintains LDAP directory

YesYes, but only

a copy

Handles email authentication requests

Yes Yes

94

Configuring Distributed Mail

On the master server:

1. Click ConfigurationDistributed Mail

2. Select Master3. Click “Set”

95

Configuring Distributed Mail (cont.)

On the master server:

1. Enter the slave server’s fully qualified domain name

2. Enter “admin”3. Enter the admin

password4. Click “Add”

96


LDAP notice

List of slave servers

New slave servers added here

This server’s role

97

Configuring Distributed Mail

On the slave server(s):

1. Click ConfigurationDistributed Mail.

2. Select Slave.3. Click Set.

98


On the slave server(s):

1. Enter the master server’s fully qualified domain name.

2. Enter “admin”.3. Enter the admin

password.4. Click Add.

99

Reading Mail in a Distributed Environment

Master

Slave Slave Slave

Client

I want to read my mail.

You need to contact your slave server

100

Mail Delivery in a Distributed Environment

Master

Slave Slave Slave

SMTPServer

DNSServer

101

Module 5

Securing SCOoffice Server

102

Securing SCOoffice Server

103

Outlook

21*

2580/443*110/995143/993389/636

* Not used by Outlook Express

External Firewall Configuration

Internet

SCOofficeServer

SMTPServer

25

WebClient

80/443

Firewall

104

Internal Firewall Configuration

SCOofficeServer

Firewall

3268Active

DirectoryServer

105

Internal Firewall Configuration

SCOoffice(master)

SCOoffice(slave)

SCOoffice(slave)

Firewall

25389/636143/993

2003

106

Remote Office Firewall Configuration

SCOoffice(master)

SCOoffice(slave)

SCOoffice(slave)

Firewall

25389/636143/993

2003

Internet

SCOoffice(slave)

SCOoffice(slave)

SCOoffice(slave)

107

SCO OpenServer’s HTTP Servers

SCO OpenServer runs HTTP servers on ports: 80 – SCOoffice Server’s HTTP server 443 – SCOoffice Server’s HTTPS server 615 – Internet Configuration Manager 8457 – DocView: Access to SCO OpenServer

documentation

108

Other SCOoffice Server Related Ports

SCOoffice Server runs daemons on ports: 21 – ProFTP 25 – SMTP 110 – POP3 143 – IMAP 389 – OpenLDAP 993 – IMAP4 over TLS/SSL 995 – POP3 over TLS/SSL 2000 –Cyrusmaster (sieve) 2003 –Cyrusmaster (LMTP) 2583 – MON 4840 – SASLAUTHD 4844 – SASLAUTHD 10024 – AMaViS

109

Disallowing Open Relay

Don’t let server be used as an open relay

Numerous ways to prevent open relay

We will configure SASLAUTHD + TLS# telnet rose.example.net smtp220 rose.example.net ESMTP Postfix (2.0.20)HELO nuisance.spammer.net250 rose.example.netMAIL FROM: [email protected] OkRCPT TO: [email protected] Ok...

110


Useful for blocking unwanted SMTP sessions:

smtpd_client_restrictions smtpd_sender_restrictions smtpd_recipient_restrictions

Stored in LDAP

111


LOGIN authentication mechanismBase64 encoded username

bobBase64 encoded passwordbpasswd

PLAIN authentication mechanismBase64 encoded:user+NULL+user+NULL+passwordbob\0\bob\0bpasswd

Simple Authentication and Security Layer (SASL)

112


smtpd

saslauthd

slapd …/etc/saslauthd.conf

ldap_servers: ldap://127.0.0.1/ldap_filter: login=%u

…/lib/sasl2/smtpd.conf

pwcheck_method: saslauthdmech_list: plain login

imapd/pop3d

…/etc/imapd.conf

sasl_pwcheck_method: saslauthd

cyrusmaster

…/etc/cyrus.conf

imap cmd=“imapd –p 2 …pop3 cmd=“pop3d” ……

SASL AUTHENTICATION

113


SASL Configuration on the Server

smtpd_sasl_auth_enable = yessmtpd_sender_restrictions =

check_sender_access ldap:ldapSenderAccess,

permit_sasl_authenticatedsmtpd_recipient_restrictions =check_recipient_access ldap:ldapRecipientAccess,

permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

broken_sasl_auth_clients = yessmtpd_sasl_security_options = noanonymoussmtpd_delay_reject = yes

114


SASL Configuration on the Client

smtp_sasl_auth_enable = yessmtp_sasl_password_maps =

hash:/opt/insight/etc/postfix/sasl_passwdsmtp_sasl_security_options = noanonymous

115


Create /opt/insight/etc/postfix/sasl_passwd:

Run postmap(1) after creating (or modifying) file

example.net alice:apasswdexample.org bob:bpasswd

116


TLS v1 is based on SSL v3 Encrypt SMTP traffic using TLS X.509 certificates

117


TLS Configuration on the Server

smtpd_tls_cert_file = /opt/insight/etc/ssl/server.pemsmtpd_tls_key_file = /opt/insight/etc/ssl/server.pemsmtpd_tls_CAfile = /opt/insight/etc/ssl/server.pemsmtpd_use_tls = yes

118


TLS Configuration on the Client

smtp_tls_cert_file = /opt/insight/etc/ssl/server.pemsmtp_tls_key_file = /opt/insight/etc/ssl/server.pemsmtp_tls_CAfile = /opt/insight/etc/ssl/server.pemsmtp_use_tls = yes

119


Using a Certificate Authority’s Certificate

smtp_tls_CApath = /opt/insight/etc/ssl/ca_cert.pemsmtpd_tls_CApath = /opt/insight/etc/ssl/ca_cert.pem

120


To test to see if a mail server is an open relay: Log into the mail server telnet rt.njabl.org 2500

121

Exercise: Tracing TLS and SASL

TLS + SASL Authentication:

SASL Authentication Only:

122

Other Restrictions

Other useful restrictions: smtpd_client_restrictions smtpd_helo_restrictions smtpd_sender_restrictions See www.postfix.org/uce.html

123

Using smtpd_client_restrictions

In main.cf:

In /opt/insight/etc/postfix/smtp_clients:

smtpd_client_restrictions =check_client_access

hash:/opt/insight/etc/postfix/smtp_clients,permit

192.168.1.1 OK192.168.1.2 PERMIT192.168.1.3 REJECT192.168.1.123 REJECT192.168.1.0/24 OKexample.net OKpaper.example.org DUNNOexample.org REJECT

124

Using smtpd_helo_restrictions

check_helo_access reject_invalid_hostname reject_non_fqdn_hostname reject_unknown hostname

In main.cf:

In /opt/insight/etc/postfix/helo:

smtpd_helo_restrictions = reject_invalid_hostname,check_helo_access hash:/opt/insight/etc/postfix/helo

example.org OKexample.net REJECT

125

Using smtpd_sender_restrictions

check_sender_access reject_unknown_sender_domain

126

Creating a Chroot Jail

A chroot jail adds a layer of protection Limits daemon(s) to /opt/insight/var/spool/postfix

Set the fifth field in master.cf to ‘y’

127

Module 6

Managing Recipients and Aliases

128

Address Rewriting

[email protected]@[email protected]


/opt/insight/etc/postfix/canonical_sender:



/opt/insight/etc/postfix/canonical_recipient:

sender_canonical_maps =hash:/opt/insight/etc/postfix/canonical_sender

recipient_canonical_maps = hash:/opt/insight/etc/postfix/canonical_recipient

/opt/insight/etc/postfix/main.cf:

129

Hiding Host Names

Masquerading intentionally hides internal hostnames

[email protected] [email protected]

In main.cf:masquerade_domains = example.org

130

Hiding Host Names

Masquerading intentionally hides internal hostnames

[email protected] [email protected]

In main.cf:masquerade_domains = example.com, example.net,

example.org,!sales.example.com

masquerade_exceptions = alice, bob

131

Directing Email Sent to Unknown Users

Email sent to unknown users: Returned to sender by default Can be directed to an email user or alias

Beware of spammers

In main.cf:luser_relay = alicelocal_recipient_maps =

132

Relocating Users and Domains

Relocation maps used when users or domains move

Configure relocation rules in main.cf:

relocated_maps = hash:/opt/insight/etc/postfix/relocated

Define relocation rules in lookup table:

[email protected]@example.net

@example.org example.net

133

Relocating Users and Domains

Relocated User

Relocated Domain

134

Types of Aliases

Postfix supports numerous types of aliases

SCOoffice Server stores aliases two ways

Stored in LDAPStored in a file

135

Types of Aliases

From /opt/insight/etc/postfix/main.cf:alias_maps = hash:/opt/insight/etc/mail/aliasesalias_database = hash:/opt/insight/etc/mail/aliaseslocal_recipient_maps = $alias_maps ldap:ldapsource

136

Types of Aliases

From /opt/insight/etc/mail/aliases:

MAILER-DAEMON:[email protected]: [email protected]:[email protected]:[email protected]: [email protected]:[email protected]: [email protected]:[email protected]: [email protected]

137

Types of Aliases

Process alias files with postalias(1):

# postalias hash:/opt/insight/etc/mail/aliases

Reload Postfix if a new alias lookup table is added to main.cf:

# postfix reload

138

Exercise: Adding a New Alias File

Edit /opt/insight/etc/postfix/aliases Process the alias file Reload Postfix

139

Module 7

Managing Mail Queues

140

Postfix Mail Delivery

sendmail

postdrop

pickup

smtpd cleanup

trivial-rewrite

qmgr

local

smtp

pipe

active

inco

min

gm

ess

ages

incoming

maildrop

bounce

141


To display mail queue, select Mail DeliveryMail Queue:

142


For more information, use postqueue -p:

ActiveOn hold

143

Module 8

Managing Private and Public Folders

144

Creating Mail Folders

Click on Mail FoldersCreate Folder

145

Creating Mail Folders (cont.)

Name the folder Specify where to

create the folder Specify the type of

folder Click on “Create”

User’s view:

146

Location of Mail Folders in Filesystem

Advantages Each email message

is stored as a separate file

If one file becomes corrupted, the whole data store is not corrupted

Easy to restore a single email message

Can rebuild a single users inbox

147

Working with Mail Folders

Click on AccountsView Accounts

Select the users whose mail folders you want to see

148

Working with Mail Folders (cont.)

While viewing the user’s account information, click on “View Mail Folders”

149

Reconstructing Mail Folders

To reconstruct the user’s mail folders, click on the “Reconstruct all mail folders” button

150

Setting Access Control Lists

Select a user or a group (e.g. Anyone)

Define the ACLs (default is l,r,s)

Click on “Add ACL”

To set ACLs for a specific mail folder:

151

Setting Access Control Lists (cont.)

A new ACL appears

152

Module 9

Managing Email Routing

153

Configuring MX Records

MX records in DNS instruct mail servers where to direct email messages

example.com IN MX 10 elm.example.com.example.com IN MX 20spruce.example.com.example.com IN MX 30 oak.example.com.

domain name class type preference hostname

154

Querying MX Records

When debugging problems exchanging email with other domains, query MX records

Use nslookup(1) Specify “set querytype=MX”

12

3

4

155

Configuring a Relay Host

A relay host enables email delivery to be centralized

In main.cf:

relay_host = oak.example.com

or

relay_host = 192.168.1.17

156

Module 10

Managing Virus Protection

157

ClamAV

SCO OpenServer

Postfix

Ap

ach

e

Pro

FTP

Op

en

LD

AP

Cyru

s IM

AP AMaViS

SpamAssassin

ClamAV

158

Updating ClamAV Virus Definitions

Virus definitions are updated automatically

Cron job runs /opt/insight/bin/freshclam Virus definition files:

/opt/insight/share/clamav/main.cvd /opt/insight/share/clamav/daily.cvd

See freshclam(1)

159

Exercise: Updating Virus Definitions

Consult the freshclam(1) manual page Instruct freshclam(1) to download latest

virus definitions into a directory View the contents of the directory See the latest virus definitions at

www.clamav.net.

160

Adding 3rd Party Anti-Virus Scanners

SCO OpenServer

Postfix

Ap

ach

e

Pro

FTP

Op

en

LD

AP

Cyru

s IM

AP AMaViS

SpamAssassin

ClamAVC

lam

AV

Sop

hos

Sophos

161

Adding 3rd Party Anti-Virus Scanners (cont.)

To replace ClamAV with Sophos: Download and install Sophos Comment out ClamAV lines in

/opt/insight/etc/amavisd.conf Uncomment Sohpos lines in

/opt/insight/etc/amavisd.conf Restart AMaViS

162

Exercise: 3rd Party Anti-Virus Scanners

View amavisd.conf comments which explain:

The syntax of @av_scanners entries The relationship between @av_scanners

and @av_scanners_backup

163

Exercise: 3rd Party Anti-Virus Scanners

Examine usage message from /usr/local/bin/sweep.

164

Module 11

Managing Spam Filtering

165

SpamAssassin

SCO OpenServer

Postfix

Ap

ach

e

Pro

FTP

Op

en

LD

AP

Cyru

s IM

AP AMaViS

SpamAssassin

ClamAV

166

SpamAssassin

SpamAssassin uses numerous tests SpamAssassin is configured in:

/opt/insight/etc/mail/local.cf /opt/insight/share/spamassassin/*.cf

Do not modify files in share/spamassassin After modifying configuration files, run:

spamassassin --lint /opt/insight/etc/rc/amavisd restart

167

SpamAssassin

Every SpamAssassin administrator should know: required_hits report_contact report_safe Whitelisting Blacklisting

168

SpamAssassin

Customizing headers SpamAssassin headers begin “X-Spam” X-Spam-Checker-Version is mandatory Modify headers with:

remove_header clear_headers add_header

169

SpamAssassin

Spam detection software, running on the system "_HOSTNAME_", hasidentified this incoming email as possible spam. The original messagehas been attached to this so you can view it (if it isn't spam) or blocksimilar future email. If you have any questions, see_CONTACTADDRESS_ for details.

Content preview: _PREVIEW_

Content analysis details: (_HITS_ points, _REQD_ required)

" pts rule name description" ---- --- ------------------ --------------------------------------------_SUMMARY_

Report message:

170

SpamAssassin

Subject: this address is no longer available

[this message has been automatically generated]

Please note that this address is no longer in use, and nowadaysreceives nothing but unsolicited commercial mail. Accordingly,any mail sent to it is added to several spam-tracking databases,then automatically deleted.

If you genuinely want to contact the owner of the address, pleasere-check your contact lists, or search the web, to find theircurrent e-mail address.

The mail you sent is reproduced in full below, for resending tothe correct address. Sorry for the inconvenience!

[-- Signed: the SpamAssassin mail filter]

Spamtrap message:

171

SpamAssassin

The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.

Unsafe_report message:

172

SpamAssassin

Areas tested: header body rawbody full uri

173

SpamAssassin

header NO_REAL_NAME From =~ /^["\s]*\<?\S+\@\S+\>?\s*$/

Perl regular

expression

Header to match

Name of rule

Perl regex operator

Header test example:

174

SpamAssassin

Header test definitions only define the test Header test definitions don’t define:

The test’s description The test’s score

20_head_tests.cf specifies:

50_scores.cf specifies:SCOoffice uses this

score

header NO_REAL_NAME From =~ /^["\s]*\<?\S+\@\S+\>?\s*$/describe NO_REAL_NAME From: does not include a real name

score NO_REAL_NAME 0.339 0.285 0.339 0.160

175

SpamAssassin

Meta-match (boolean expression)

body CLICK_BELOW_CAPS /CLICK\s.{0,30}(?:HERE|BELOW)/sdescribe CLICK_BELOW_CAPS Asks you to click below (in capital letters)

body __CLICK_BELOW /click\s.{0,30}(?:here|below)/ismeta CLICK_BELOW (__CLICK_BELOW && !CLICK_BELOW_CAPS)describe CLICK_BELOW Asks you to click below

176

SpamAssassin

Meta-match (boolean arithmetic expression)

body __NIGERIAN_CODE_CONDUCT /\bcode of conduct\b/ibody __NIGERIAN_CIV_SERVICE /\bcivil service\b/ibody __NIGERIAN_TOP_SECRET /\btop secret\b/Ibody __NIGERIAN_HONESTY /\btransparent honesty\b/imeta NIGERIAN_BODY_GOVT((__NIGERIAN_CODE_CONDUCT +

__NIGERIAN_CIV_SERVICE +

__NIGERIAN_TOP_SECRET +

__NIGERIAN_HONESTY) >= 2)describe NIGERIAN_BODY_GOVT Message body has many

indications of nigerian scamscore NIGERIAN_BODY_GOVT 2.900 2.800 2.800 2.700

177

Quaranting Viruses and Spam

By default, SCOoffice Server: Quarantines messages containing viruses Does not quarantine messages containing spam

178


Messages containing viruses are quarantined by AMaViS.

179


Headers added to messages containing spam: X-Virus-Scanned X-Spam-Status X-Spam-Level X-Spam-Flag Subject

180


AMaViS can be configured to quarantine spam Configured in amavisd.conf

$final_spam_destiny $QUARANTINEDIR $spam_quarantine_to

181


To quarantine spam to a directory, configure amavisd.conf:

$final_spam_destiny = D_PASS$QUARANTINEDIR = /opt/insight/var/virusmails$spam_quarantine_to = ‘spam-quarantine’

182

Header Checks

To block emails based on headers:

In /opt/insight/etc/postfix/main.cf:header_checks =

pcre:/opt/insight/etc/postfix/header_checks

In /opt/insight/etc/postfix/header_checks:/^subject: known_message_subject/ REJECT

183

Blocking Attachments by Extension

To block emails containing .exe, .bat, etc. attachments:

In /opt/insight/etc/postfix/main.cf:header_checks =

pcre:/opt/insight/etc/postfix/header_checks

In /opt/insight/etc/postfix/header_checks:/^content-type:.*name[[:space:]]*=.*\.(exe|bat)/

REJECT Rejected file extension: $1

184

Module 12

Performing Preventive Maintenance

185

Mon Overview

What is Mon? Mon is a general purpose service monitor Mon schedules monitors Mon provides a multitude of alert methods Mon is extensible

SCOoffice Server uses Mon to monitor: HTTP LDAP FTP SMTP IMAP Pop3

186

Mon Monitor facilities

Monitor scripts provided by Mon: dns.monitor ftp.monitor http.monitor imap.monitor ldap.monitor ping.monitor pop3.monitor smtp.monitor tcp.monitor telnet.monitor

Monitor scripts are stored in /opt/insight/mon/mon.d

187

Mon Alert Methods

Alert scripts provided by Mon: file.alert mail.alert remote.alert

Alert scripts are stored in /opt/insight/mon/alert.d

188

1. maxprocs = 202. randstart = 60s

3. hostgroup building1 elm.example.com oak.example.com4. hostgroup building2 spruce.example.com maple.example.com

5. watch building16. service ftp7. interval 1m8. monitor ftp.monitor9. period wd {Sun-Sat}10. alert file.alert /opt/insight/logs/mon_ftp.log11. alert mail.alert [email protected]. alertevery 1h

The MON configuration file

MON is configured in /opt/insight/mon/etc/mon.cf

189

The MON configuration file (cont.)





190






191






192

Managing Disk Space

Strategies for managing disk space usage: Setting maximum message size Restricting attachments Imposing quotas Setting mailbox expire values Setting logging levels Pruning log files

193

Managing Disk Space

Strategies for managing disk space usage: Setting maximum message size Restricting attachments Imposing quotas Setting mailbox expire values Setting logging levels Pruning log files

194

Guarding Backups

Backups are stored in /opt/insight/htdocs/is4web/tar

Protected by .htaccess in that directory Beware of:

Missing .htaccess Modified .htaccess World writable .htaccess

195

Configuration File Sanity Checks

spamassassin --lint postfix check apachectl configtest

196

Log Files

SCOoffice uses the following log files: /var/adm/syslog /opt/insight/logs/amavis.log /opt/insight/logs/freshclam.log /opt/insight/logs/access_log /opt/insight/logs/error_log

197

Log Files

Component Syslogd Facility

Cyrus IMAP and POP3 local6

Postfix mail

SASLAUTHD auth

ProFTPD authpriv

slapd/slurpd local4

198

Log Files

Where to specify logging levels: /etc/syslog.conf /opt/insight/etc/postfix/master.cf /opt/insight/etc/postfix/main.cf /opt/insight/etc/amavisd.conf /opt/insight/etc/clamav.conf /opt/insight/etc/freshclam.conf /opt/insight/etc/apache/httpd.conf

199

Log Files

Events to monitor in syslog: Monitor SMTPD connections:

egrep “[^s]connect from|client=“ /var/adm/syslog

Monitor bounced messages:grep status=bounced /var/adm/syslog

Monitor deferred messages:grep status=deferred /var/adm/syslog

Monitor address rewriting:grep orig_to /var/adm/syslog

Monitor SASLAUTHD failures:grep “auth failure” /var/adm/syslog

200

Module 13

Planning for and Recovering from Disasters

201

Creating Backups

Administrators can backup: SCOoffice Server configuration LDAP directory IMAP datastore

Backup scripts stored in: /opt/insight/htdocs/is4web/cron

Restore scripts stored in: /opt/insight/htdocs/is4web/bin

202

Restoring and Uploading Backup Files

Restore backups Download backups

from server to local hard drive

Upload backups from local hard drive to server

Delete backups

203

Creating Backups

Backup scripts: /opt/insight/htdocs/is4web/cron Restore scripts: /opt/insight/htdocs/is4web/bin

Backups are compressed cpio archives

Third party backup software can be integrated into the web console

204

SCOoffice Server 4.1

Thank You

205

Microsoft Outlook® Setup

Single Click configuration Manual Connector installation Sharing folders Manual Address Book installation Automated Installation

206

Why I wish we used Postfix 2.1

XCLIENT support main.cf supports ldap:/some/file/name

(instead of putting ldap parameters in publicly readable main.cf)

Versions we’re running (see notes)

1 SCOoffice Server 4.1 Administration Brian Watrous President & CEO ATCS, Inc. .

Documents

configuration slide

ldap server

cyrus master

cyrus openldaphttp

cyrus imaphttp

d scripts

overview address book

overview connector plugin