How do I configure sendmail for integration testing? - unix

I have a virtual CentOS machine, and I need to configure sendmail for integration testing. I need sendmail to accept all e-mail from anywhere, and not do any user validation. I just need it to accept all incoming valid e-mails and not complain nor reject for any reason. And sendmail should not forward the mail to anywhere else.
All of the setup documentation I have read pertains to making a "working" server as opposed to a "dummy" or "stub" server.
How can I configure this?
Thanks

Sendmail configuration for software testing environment
Choose your mix of the fixes below:
sendmail.mc : To redirect all outgoing message to local mailbox of user1
define(`SMART_HOST',`local:user1')dnl
sendmail.mc : To redirect messages to all addresses in local email domains (normally delivered to local mailboxes) to mailbox of `user1'
define(`MAIL_HUB',`local:user1')dnl
access file : To allow relaying (accepting messages to non-local email addresses) from specific IP addresses:
# relay from 192.168.0.1
connect:192.168.0.1 RELAY
# relay from 192.168.1.0/24
connect:192.168.1 RELAY
# relay from 172.32.0.0/16
connect:172.32 RELAY
Relaxing more tests does not make sense in most testing environments
(e.g. no check for the existence of the envelope sender domain)
sendmail.mc must be compiled into sendmail.cf
access file must usually be compiled into the access.db file
More goodies possible:
* storing ALL envelope recipients in message headers (message to multiple recipients not mentioned in email headers)
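As an added illustration (not code from the answer above), a small Python helper that renders the access entries shown above from CIDR notation: sendmail's access map matches the "connect:" key on whole leading octets, so a /24 becomes three octets and a /32 keeps all four, and a mask that does not fall on an octet boundary is refused rather than silently widened to a more permissive prefix. Function names and the /etc/mail/access path are my assumptions.

```python
import ipaddress
from typing import Iterable, List


def access_entry(cidr: str, action: str = "RELAY") -> str:
    """Render one sendmail access-map line for an IPv4 prefix.

    sendmail matches 'connect:' keys on whole leading octets, so 192.168.1.0/24
    becomes 'connect:192.168.1' and a single host keeps all four octets.
    Prefix lengths that are not a multiple of 8 cannot be expressed in the map
    and are rejected instead of being rounded up to a larger network.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 prefixes are handled here")
    if net.prefixlen == 0 or net.prefixlen % 8:
        raise ValueError(f"{cidr}: access map needs an octet-aligned prefix (/8, /16, /24, /32)")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return f"connect:{'.'.join(octets)}\t{action}"


def render_access(cidrs: Iterable[str], action: str = "RELAY") -> List[str]:
    """Lines for /etc/mail/access (assumed path), each preceded by a comment
    naming the source prefix, in the same layout as the answer's snippet."""
    lines: List[str] = []
    for cidr in cidrs:
        lines.append(f"# relay from {cidr}")
        lines.append(access_entry(cidr, action))
    return lines


if __name__ == "__main__":
    # Constructed input matching the three entries in the answer.
    print("\n".join(render_access(["192.168.0.1/32", "192.168.1.0/24", "172.32.0.0/16"])))
```

The generated text file still has to be compiled, as the answer notes, e.g. with makemap hash /etc/mail/access < /etc/mail/access.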

Capturing POP3 with Wireshark

I am working on the Wireshark project for school, and need to analyze POP3 packets over the network. I have tried capturing traffic over the network and have sent mail from my phone to my PC using Gmail. All protocols are enabled in Wireshark. But when filtering through the packets there weren't any POP or SMTP or IMAP packets to be shown, and I do not know why. Then I tried using Thunderbird and hMailServer to capture the traffic, but I cannot get them to work together, since Thunderbird doesn't allow me to create a mail account from hMailServer.
What I want to ask is for advice on how to capture POP3 over the network: does it need special configuration when capturing for Gmail and Hotmail accounts, or something else?
Some background for you to understand the process. Whenever anyone (including yourself) sends mail to your mail address, it's delivered to the Gmail server and rests there. You have a number of options to access it:
View mail on the server's web interface by opening "mail.google.com" in your browser. The browser uses HTTP (actually HTTPS) to get the site content, as it usually does with other sites. The fact that the site represents the server's state doesn't mean it is "receiving mail", nor does it use POP/IMAP/anything else.
Download email to your PC via a mail client such as Thunderbird. It requires proper configuration to point the client at the server address/port/protocol/credentials/etc. The protocol used for downloading is part of the configuration; you're free to use POP whenever the server supports it.
So all you need is to configure your Thunderbird to download mails from Gmail via desired protocol and enjoy capturing. Instructions for POP mail clients from Gmail perspective.

How to suppress the Windows Security Alert for Windows Firewall?

When I create the Hello World example in C++ from The Guide on ZeroMQ found here:
http://zguide.zeromq.org/page:all#Ask-and-Ye-Shall-Receive
and run the application, I get a Windows Security Alert that asks if I would like to allow the application to communicate on public or private networks.
It looks like this:
Here is where things get interesting.
I only need my program to listen on port 5555 for connections from localhost and I do NOT need to allow incoming connections on port 5555. This is because I only want to communicate between applications on the localhost.
Client and server are both running on the same machine.
Here is my current process. I start the server, the Windows Security Alert comes up, since I am running the application as a non-administrator account, I only have standard permissions. Then I click Cancel on the Alert.
Clicking cancel on the alert puts an explicit deny inbound rule on all ports for HelloWorldServer.exe. This is totally fine.
Then I start the client. Since the client is connecting to localhost, it actually does not need to send messages outside of the local machine, and all of its messages arrive at the server just fine.
Given an explicit deny rule on incoming connections to HelloWorldServer.exe, the messages can still arrive from the client on the local host. This is a desirable result.
Now the question becomes: is there any way to automatically respond to the Windows Security Alert to click Cancel? Is there any way to suppress it from popping up, since the allow is not needed?
The prompt is undesirable because it implies that the application needs to create a vulnerability when it does not.
Please assume that Named Pipes are not a valid alternative to tcp as a means of inter-process communication.
When binding the socket the caller may specify the IP address the socket is bound to. The coding samples provided by ZeroMQ specify
socket.bind ("tcp://*:5555");
where * appears to specify all possible addresses (INADDR_ANY in BSD socket-derived parlance), which will trigger the Windows firewall as it allows remote and local addresses.
Calling socket.bind with the localhost address 127.0.0.1
socket.bind ("tcp://127.0.0.1:5555");
limits the sockets allowed to connect to the local machine and should silence the firewall warning for most Windows firewall configurations.

How do I configure squid proxy and greasyspoon ICAP server to access the user_id

We are using squid proxy along with the GreasySpoon ICAP server to modify responses for development purposes. We have a need to allow different developers to have different modifications to the responses because they are working on things relevant to different modifications. Initially, when we installed this setup inside our LAN, we were able to accommodate this by using the user_id script parameter inside the GreasySpoon response scripts. This parameter is populated with the local IP of the developer, and so we could base things upon the different IPs.
When we moved the setup to the cloud, everyone had our shared WAN IP for the user_id parameter, and so our scheme broke.
The comments in the default GreasySpoon script indicate that the user_id can be a user login:
// user_id : (String)user id (login or user ip address)
I configured authentication with the squid server, but the user_id is still set to our shared WAN IP. Is it possible to populate this script parameter in GreasySpoon with a proxy user's username using squid?
The GreasySpoon (1.0.10) configuration file service.properties contains a setting: SpoonScript.icapuserheader=x-authenticated-user. This is the header that GreasySpoon inspects to find the user_id. If this value is not found, then GreasySpoon falls back to the IP address. So you must configure squid to send the authenticated user's username in the same header as is configured in the properties file.
# in squid.conf (squid uses # for comments):
icap_client_username_header x-authenticated-user
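For context, an added squid.conf fragment (my own sketch, not from the answer or the GreasySpoon project) showing the pieces that have to line up: proxy authentication so squid knows a username, the switch that makes squid send that username to the ICAP server at all, and the header name matching SpoonScript.icapuserheader. The helper path, realm and the GreasySpoon service URL are assumptions.

```conf
# --- proxy authentication (assumed basic/NCSA helper; path varies by distro) ---
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Development proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# --- ICAP: pass the authenticated username to GreasySpoon ---
icap_enable on
# Off by default: without this squid never sends the username header.
icap_send_client_username on
# Must equal SpoonScript.icapuserheader in GreasySpoon's service.properties.
icap_client_username_header x-authenticated-user
icap_client_username_encode off
# Assumed GreasySpoon response service on the default ICAP port.
icap_service gs_resp respmod_precache bypass=0 icap://127.0.0.1:1344/response
adaptation_access gs_resp allow all
```

With http_access requiring proxy_auth, every request reaching the ICAP service carries a username, so user_id no longer falls back to the shared WAN IP.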

What are the main security considerations when opening up port 25 and/or 587 for email delivery?

I am about to setup SmarterMail v9.0 on our Windows 2008 server (IIS7) and would first like to know what some security considerations are when opening up port 25 and/or 587 - ie how to prevent relaying, etc.
Thank you.
You must not accept email from untrusted users/sources which is not bound for domains you control.
An open relay is a mail server which allows anyone on the Internet to email anyone else, without verifying that either the source or the destination is known - thus, a relay.
You can check that the source is known by looking for a trusted IP subnet, or by requiring authentication before mail can be sent (via LOGIN over TLS, GSSAPI [called "Integrated Windows Authentication" or whatever], X.509 client certs, or the like).
You can check that the destination is known by comparing it to the list of domains for which your mail server will be the "last stop" (or a relay to another domain you control).
Either a known source or a known destination should be sufficient, but you may also want to make sure that mail inbound for your domains is at least borderline valid (originates from a domain with an MX server, for instance).
Separately, you must be conscious of DoS issues (rate limit inbound mail), and the ability to use your server to send backscatter spam. Backscatter is when I connect to your mail server and say, "why yes, I am unsuspecting_target@not_my_domain.com, please queue up this message for not_an_address@yourdomain.com". Then your mail server delivers a "bounce" message to the unsuspecting target. To mitigate this, you can verify that the recipient is known before accepting mail, or limit the rate at which mail can be accepted from one host, or try to check that the host delivering a message is authorized to use that envelope sender.
These are all well-solved problems.

Postfix and sending incoming emails to script instead of sending

I want to use Postfix to accept incoming emails and have it send them to an external Python script which parse them and add them to a database.
I read that this could be done via a Policy file.
My first question is what should the policy file return to have Postfix delete the email from the queue with a success message to the sender.
My second question is can I use the Policy file to validate the SMTP authentication that was sent by the client? If not, is there any way of having it use an external script to validate the login?
Thanks!
Christian
If you need SMTP authentication anyway and just want a script to act as MDA, I think you can do it simply by
setting mailbox_command = /path/to/my/script in /etc/postfix/main.cf and configuring an authentication scheme. If you have dovecot running, too, I can recommend having postfix authenticate via dovecot, which is very configurable when it comes to SASL authentication.
Update
Since you will be having plaintext passwords going over the wire (assuming this service is reachable from the network), I recommend permitting authentication only over an encrypted line. The configuration I'm going to show will still accept mails for which the server is the destination without authentication. As far as I know, that behaviour is mandated by an RFC for SMTP servers which are reachable from the internet.
Announce SASL authentication only over encrypted connections
smtpd_tls_auth_only=yes
Don't require everyone to talk to you over an encrypted channel
smtpd_tls_security_level=may
SASL boilerplate
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
For whom to accept mail. This list is worked through left to right until a permitting or denying rule is encountered. The fallback behaviour, if no rule decides, is to permit.
smtpd_recipient_restrictions = permit_auth_destination, reject_plaintext_session, permit_sasl_authenticated, reject
permit_auth_destination as first rule would make sure that clients may deliver mail to users for which I feel responsible unauthenticated. The clients may choose whether to use TLS or not.
reject_plaintext_session as second rule makes sure that all other rules further down the line can assume an encrypted channel.
permit_sasl_authenticated is self-explanatory
reject as last rule basically changes the default policy to "deny".
If you don't want to accept mails without SMTP authentication, you may want to drop the first rule of smtpd_recipient_restrictions.
Not shown is the configuration of the SSL certificate and how to tell postfix about it (the latter of which is easy).
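As an added example (mine, not the answer's configuration and not Postfix code), a Python model of how the smtpd_recipient_restrictions list above is evaluated left to right, with the "list exhausted means permit" fallback that the answer mentions. It also exercises the open-relay test from the "port 25 and/or 587" answer earlier on this page: an anonymous, plaintext client asking to relay to a foreign domain must be refused. Domains, networks and the Session type are constructed for the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed: domains this server is the "last stop" for, and client networks
# trusted without authentication (what Postfix calls $mynetworks).
MY_DESTINATIONS = {"example.test"}
MY_NETWORKS = [ipaddress.ip_network("127.0.0.0/8")]

# The restriction list from the answer above, in order.
PAGE_RESTRICTIONS = ["permit_auth_destination", "reject_plaintext_session",
                     "permit_sasl_authenticated", "reject"]


@dataclass
class Session:
    client_ip: str
    tls: bool                  # STARTTLS negotiated on this session?
    sasl_user: Optional[str]   # authenticated username, or None
    rcpt_domain: str           # domain part of the RCPT TO address


def evaluate(restriction: str, s: Session) -> Optional[str]:
    """Return 'OK' or 'REJECT' when a restriction decides, None to fall through."""
    if restriction == "permit_auth_destination":
        return "OK" if s.rcpt_domain in MY_DESTINATIONS else None
    if restriction == "permit_mynetworks":
        ip = ipaddress.ip_address(s.client_ip)
        return "OK" if any(ip in net for net in MY_NETWORKS) else None
    if restriction == "reject_plaintext_session":
        return "REJECT" if not s.tls else None
    if restriction == "permit_sasl_authenticated":
        return "OK" if s.sasl_user else None
    if restriction == "reject":
        return "REJECT"
    raise ValueError(f"unknown restriction {restriction!r}")


def decide(s: Session, restrictions: List[str] = PAGE_RESTRICTIONS) -> str:
    for r in restrictions:
        verdict = evaluate(r, s)
        if verdict is not None:
            return verdict
    return "OK"  # list exhausted: the default is to permit


def is_open_relay(restrictions: List[str]) -> bool:
    """True if an anonymous plaintext stranger may relay to a domain we do not own."""
    stranger = Session("203.0.113.7", tls=False, sasl_user=None, rcpt_domain="not-mine.test")
    return decide(stranger, restrictions) == "OK"
```

Note that Postfix 2.10 and later additionally evaluate smtpd_relay_restrictions before this list, so on a current release the relay decision is made there first.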