RH253
Red Hat Network Services and Security Administration
Welcome!

Objectives
Understanding and Managing Squid Proxy Server
  Understanding Squid Proxy Server
  Squid Proxy Server Configuration
  Allowing and Disallowing Web Sites
  Squid Client Configuration
  Accessing the Internet via Squid Server
Understanding and Managing Mail Servers
  Basic Mail Concepts
  Understanding Sendmail and Postfix Server
  Configuring Sendmail Server
  Configuring Postfix Server
  Configuring Mail Clients
Understanding and Managing Squid Proxy Server

What is Squid Proxy Server?
Squid is a high-performance HTTP and FTP caching proxy server. It is also known as a Web proxy cache. It can make your network connections more efficient.
Main Configuration File and Service
Main Configuration File: /etc/squid/squid.conf
Main Service: squid
Configuring Squid Server
Step 1: Edit the main configuration file
  vi /etc/squid/squid.conf
Step 2: Test the configuration
  squid
Step 3: Start the service now (temporary) and at boot (permanent)
  service squid start
  chkconfig --level 345 squid on
Configuring Content Filtering (squid)
We do not want users to download any of the following file types: MP3, MPEG, MPG, AVI, EXE.
  # vi /etc/squid/squid.conf
  acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"
We want to display a custom error message when a file is blocked:
  # Deny all blocked extensions
  deny_info ERR_BLOCKED_FILES blockfiles
  http_access deny blockfiles
Create a custom error message HTML file called ERR_BLOCKED_FILES in the /etc/squid/error/ directory or the /usr/share/squid/errors/English directory.
  # vi ERR_BLOCKED_FILES
Append the following content:
  <HTML> <HEAD> <TITLE>
  ERROR: Blocked file content</TITLE> </HEAD>
  <BODY>
  <H1>File is blocked due to IT policy</H1>
  <p>Please contact administrator:</p>
  <br> Email: info@networknuts.net<br>
Caution: Do not include the HTML close tags </HTML> </BODY>, as they will be closed by squid.
Configuring Content Filtering (squid), continued
  # vi /etc/squid/blocks.files.acl
Append the following text:
  \.[Ee][Xx][Ee]$
  \.[Aa][Vv][Ii]$
  \.[Mm][Pp][Gg]$
  \.[Mm][Pp][Ee][Gg]$
  \.[Mm][Pp]3$
Save and close the file. Restart Squid.
Deny access to sites (squid)
To block the site sex.com you need to add the following two lines to your squid configuration file.
  # vi /etc/squid/squid.conf
Search for "Access Controls" and append the following two lines:
  acl blocksites dstdomain .sex.com
  http_access deny blocksites
Save and close the file. Restart Squid:
  # /etc/init.d/squid restart
Deny access for anyone who browses to a URL with the word "bar" in it. Append the following ACL:
  acl blockregexurl url_regex -i bar
  http_access deny blockregexurl
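Before restarting the proxy it is worth checking what the two rule types above will and will not catch. The script below is an added example (it is not from the course slides and not part of Squid) that re-implements the matching of a urlpath_regex list and of a dstdomain entry in plain shell, using a constructed copy of the blocks.files.acl patterns written to a temporary file. It shows a caveat the slides do not mention: because the patterns are anchored with $ and urlpath_regex is applied to the path including the query string, "setup.exe?download=1" slips past the extension list, while ".sex.com" correctly covers both sex.com and its subdomains.

```shell
#!/bin/sh
# Added example, not from the course slides: checks hostnames and URLs
# against the same rule types the slides use (dstdomain and urlpath_regex)
# so a blocklist can be tested before Squid is restarted.

# Constructed copy of the slides' blocks.files.acl, written to a temp file
# so nothing under /etc/squid is touched.
BLOCKLIST="$(mktemp)"
cat >"$BLOCKLIST" <<'EOF'
\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$
EOF

# url_path URL -> the part urlpath_regex is matched against: everything
# after scheme and host[:port], query string included.
url_path() {
    printf '%s\n' "$1" | sed -E 's#^[A-Za-z]+://[^/]*##'
}

# matches_blocklist URL -> exit 0 when any pattern in BLOCKLIST matches.
matches_blocklist() {
    url_path "$1" | grep -E -q -f "$BLOCKLIST"
}

# matches_dstdomain HOST PATTERN -> exit 0 when Squid's dstdomain rule
# PATTERN covers HOST: a leading dot (".sex.com") matches the domain and
# every subdomain; without the dot only that exact host matches.
matches_dstdomain() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "${pat#.}" != "$pat" ]; then
        [ "$host" = "${pat#.}" ] && return 0
        case "$host" in *"$pat") return 0 ;; esac
        return 1
    fi
    [ "$host" = "$pat" ]
}

# Demonstration when run directly.
for u in http://example.com/setup.EXE \
         'http://example.com/setup.exe?download=1' \
         http://example.com/index.html; do
    if matches_blocklist "$u"; then echo "BLOCK  $u"; else echo "allow  $u"; fi
done
for h in www.sex.com sex.com notsex.com; do
    if matches_dstdomain "$h" .sex.com; then echo "BLOCK  $h"; else echo "allow  $h"; fi
done
```

Two practical notes: a deny rule only takes effect if its http_access line appears before the http_access allow line that would otherwise admit the request, since Squid stops at the first matching http_access rule; and squid -k parse checks squid.conf for syntax errors without starting or disturbing the running proxy.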
Understanding and Managing Mail Servers

Basics of Mail Server
The birth of electronic mail (email) occurred in the early 1960s. The first network transfer of an electronic mail message file took place in 1971, when a computer engineer named Ray Tomlinson sent a test message between two machines.
Today, email systems based on standardized network protocols have evolved into some of the most widely used services on the Internet.
Email Protocols
Email protocols are categorized in two types:
Mail Transport Protocols: their primary purpose is to transfer email between mail servers.
Mail Access Protocols: used by email client applications to retrieve email from mail servers.
Mail Transport Protocols
The primary purpose of SMTP (Simple Mail Transfer Protocol) is to transfer email between mail servers. However, it is critical for email clients as well. To send email, the client sends the message to an outgoing mail server, which in turn contacts the destination mail server for delivery.
One important point to make about the SMTP protocol is that it does not require authentication. This allows anyone on the Internet to send email to anyone else, or even to large groups of people. It is this characteristic of SMTP that makes junk email, or spam, possible.
Mail Access Protocols
There are two primary protocols used by email client applications to retrieve email from mail servers: the Post Office Protocol (POP) and the Internet Message Access Protocol (IMAP).
Unlike SMTP, both of these protocols require connecting clients to authenticate using a username and password.
POP
The default POP server under Red Hat Enterprise Linux is provided by Dovecot (configured later in this course through /etc/dovecot.conf). When using a POP server, email messages are downloaded by email client applications. By default, most POP email clients are automatically configured to delete the message on the email server after it has been successfully transferred; however, this setting usually can be changed.
POP is fully compatible with important Internet messaging standards, such as Multipurpose Internet Mail Extensions (MIME), which allow for email attachments.
POP works best for users who have one system on which to read email.
The most current version of the standard POP protocol is POP3.
POP uses TCP port 110, and POP3s uses SSL encryption over TCP port 995.
IMAP
The default IMAP server under Red Hat Enterprise Linux is also provided by Dovecot. When using an IMAP mail server, email messages remain on the server, where users can read or delete them. IMAP also allows client applications to create, rename, or delete mail directories on the server to organize and store email.
IMAP is particularly useful for those who access their email using multiple machines.
IMAP, like POP, is fully compatible with important Internet messaging standards, such as MIME, which allow for email attachments.
IMAP uses TCP port 143, and IMAPs uses SSL encryption over TCP port 993.
Email Program Classifications
In general, all email applications fall into at least one of three classifications:
  Mail Transfer Agent
  Mail Delivery Agent
  Mail User Agent
Mail Transfer Agent
A Mail Transfer Agent (MTA) transfers email messages between hosts using SMTP. A message may involve several MTAs as it moves to its intended destination.
Examples: Sendmail, Postfix, Qmail, Sun ONE Messaging Server, Microsoft Exchange, IBM Domino, Novell GroupWise and Sendmail Switch, etc.
Mail Delivery Agent
A Mail Delivery Agent (MDA) is invoked by the MTA to file incoming email in the proper user's mailbox. In many cases, the MDA is actually a Local Delivery Agent (LDA).
Examples: Mail and Procmail
Mail User Agent
A Mail User Agent (MUA) is synonymous with an email client application. An MUA is a program that, at the very least, allows a user to read and compose email messages. Many MUAs are capable of retrieving messages via the POP or IMAP protocols, setting up mailboxes to store messages, and sending outbound messages to an MTA.
MUAs may be graphical, such as Microsoft Outlook / Outlook Express, IBM Lotus Notes, Linux Evolution / Thunderbird, or Mozilla Mail, or they may have a very simple, text-based interface, such as mutt.
Sendmail

What is Sendmail?
Sendmail's core purpose, like other MTAs, is to safely transfer email among hosts, usually using the SMTP protocol. However, Sendmail is highly configurable, allowing control over almost every aspect of how email is handled, including the protocol used. Many system administrators elect to use Sendmail as their MTA due to its power and scalability.
Sendmail Delivery Methods
If the recipient receives mail on the same machine as the sender, sendmail uses the "/usr/sbin/mail.local" program.
If the recipient machine is connected to the sending machine using UUCP, it uses "uux" (Unix to Unix execute) to send the mail message.
If the recipient machine is over the Internet, the sending machine transports the mail using SMTP.
Sendmail Installation and Configuration
Sendmail's lengthy and detailed configuration file is /etc/mail/sendmail.cf. Avoid editing the sendmail.cf file directly. Instead, to make configuration changes to Sendmail, edit the /etc/mail/sendmail.mc file, back up the original /etc/mail/sendmail.cf, and then use the included m4 macro processor to create a new /etc/mail/sendmail.cf.
Basic Parts of Sendmail:
The Configuration Files:
  /etc/mail/sendmail.cf
  /etc/mail/sendmail.mc
The Queue: When delivery of a message is delayed, sendmail must be able to save messages for later transmission. Mail can be queued when:
  The destination machine is not reachable.
  The mail has many recipients. Some of it might be successfully delivered, the rest might not.
  The mail message may be expensive to send, i.e. sent over a long-distance phone line. It will be sent when rates are lower.
  Security concern: Sendmail queues all messages by default, thus minimizing the risk of loss should the machine crash.
Aliases and Mailing Lists: Aliases allow mail redirection.
Sendmail Role in the Filesystem:
When sendmail is run, it first reads:
  /etc/mail/sendmail.cf
and then the other files or directories that sendmail needs, which can be listed with:
  grep =/ /etc/mail/sendmail.cf
Configuring Mail Server: Sendmail
Step 1: Modify the main configuration file
  vi /etc/mail/sendmail.mc
Comment out the following line by prefixing it with dnl, so that sendmail listens on all interfaces instead of only on 127.0.0.1:
  DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
becomes
  dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
Step 2: Build a new sendmail.cf in the same directory.
  m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
Step 3: Start the sendmail service
  service sendmail restart
  chkconfig sendmail on
Other Configuration Files
access: specifies which systems can use Sendmail for outbound email (relaying).
virtusertable: specifies a domain-specific form of aliasing, allowing multiple virtual domains to be hosted on one machine.
aliases: a configurable list required by the mail protocol.
Using Dovecot Configuration File
We can use the /etc/dovecot.conf configuration file to set up the server for receiving mail.
Uncomment the following line in the /etc/dovecot.conf file:
  vi /etc/dovecot.conf
  #protocols = pop3 pop3s imap imaps
becomes
  protocols = pop3 pop3s imap imaps
Then restart the service and enable it at boot:
  service dovecot restart
  chkconfig dovecot on
/etc/mail/access
You can make sure that only trusted PCs on your network have the ability to relay mail via your mail server by using the /etc/mail/access file.
The /etc/mail/access file has two columns.
The first lists IP addresses and domains from which the mail is coming or going.
The second lists the type of action to be taken when mail from these sources or destinations is received. Keywords include RELAY, REJECT, OK and DISCARD.
  Connect:localhost.localdomain RELAY
  Connect:localhost RELAY
  Connect:127.0.0.1 RELAY
  Connect:example.com OK
  Connect:badspammer.com REJECT
  From:tux@badspammer.com OK
  To:badguy@example.com REJECT
/etc/mail/access, continued
You'll then have to convert this text file into a sendmail-readable database file named /etc/mail/access.db:
  # cd /etc/mail
  # make
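Because every RELAY entry widens the set of clients that may send mail through the server to arbitrary destinations, it pays to lint the access file before running make. The script below is an added example (not from the course slides, not part of sendmail) that checks each rule for a known action keyword and lists the RELAY rules for review; the two access files it runs on are constructed copies, one taken from the slide above and one with deliberate mistakes.

```shell
#!/bin/sh
# Added example, not from the course slides: lints a sendmail access file
# before it is compiled into access.db. It catches a missing or misspelled
# action keyword and lists every RELAY rule, because each one widens who
# may relay through the server.

# Constructed copy of the access file from the slides.
ACCESS_OK="$(mktemp)"
cat >"$ACCESS_OK" <<'EOF'
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
Connect:example.com OK
Connect:badspammer.com REJECT
From:tux@badspammer.com OK
To:badguy@example.com REJECT
EOF

# Constructed broken copy: one typo in an action, one rule with no action.
ACCESS_BAD="$(mktemp)"
cat >"$ACCESS_BAD" <<'EOF'
Connect:10.0.0.0 RELAYY
Connect:192.168.1.0
EOF

# lint_access_file FILE -> exit 0 when every rule carries a known action
# (OK, RELAY, REJECT, DISCARD or an error:... response); prints problems
# and RELAY rules, exits 1 on any problem.
lint_access_file() {
    awk '
        /^[ \t]*(#|$)/ { next }      # skip comments and blank lines
        NF < 2 { printf "line %d: no action given: %s\n", NR, $0; bad++; next }
        $2 !~ /^(OK|RELAY|REJECT|DISCARD)$/ && $2 !~ /^error:/ {
            printf "line %d: unknown action \"%s\"\n", NR, $2; bad++; next }
        $2 == "RELAY" { printf "line %d: relaying allowed for %s (review)\n", NR, $1 }
        END { exit (bad > 0) }
    ' "$1"
}

# relay_count FILE -> number of RELAY rules in FILE.
relay_count() {
    awk '!/^[ \t]*#/ && $2 == "RELAY" { n++ } END { print n + 0 }' "$1"
}

lint_access_file "$ACCESS_OK"  && echo "access file OK ($(relay_count "$ACCESS_OK") RELAY rules)"
lint_access_file "$ACCESS_BAD" || echo "access file has errors; fix them before running make"
```

Run the lint against /etc/mail/access as root before cd /etc/mail; make, and treat any RELAY line for a host or network you do not administer as a finding: an access.db that relays for outside hosts is an open relay.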
/etc/mail/virtusertable
Contains a set of simple instructions on what to do with received mail.
The first column lists the target email address.
The second column lists the local user's mailbox, a remote email address, or a mailing list entry in the /etc/aliases file to which the email should be forwarded.
If there is no match in the virtusertable file, sendmail checks for the full email address in the /etc/aliases file.
  webmaster@anothersite.com  webmasters
  @anothersite.com           marc
  sales@mysite.com           sales@anothersite.com
  paul@mysite.com            alok
  finance@mysite.com         paul
  @mysite.com                error:nouser User unknown
/etc/mail/virtusertable, continued
In this example, mail sent to:
  webmaster@anothersite.com will go to local user (or mailing list) webmasters.
  All other mail to anothersite.com will go to local user marc.
  sales at mysite.com will go to the sales department at anothersite.com.
  paul at mysite.com goes to local user alok, and finance at mysite.com goes to local user (or mailing list) paul.
  All other users at mysite.com receive a bounce-back message stating "User unknown".
After editing the /etc/mail/virtusertable file, you have to convert it into a sendmail-readable database file named /etc/mail/virtusertable.db with two commands:
  # cd /etc/mail
  # make
/etc/aliases
You can think of the /etc/aliases file as a mailing list file.
The first column has the mailing list name (sometimes called a virtual mailbox).
The second column has the members of the mailing list, separated by commas.
To start, sendmail searches the first column of the file for a match. If there is no match, then sendmail assumes the recipient is a regular user on the local server and deposits the mail in their mailbox.
If it finds a match in the first column, sendmail notes the nickname entry in the second column. It then searches for the nickname again in the first column to see if the recipient isn't on yet another mailing list.
If sendmail doesn't find a further match, it assumes the recipient is a regular user on the local server and deposits the mail in their mailbox.
/etc/aliases, continued
Mail to "directors@my-site.com" goes to users "peter", "paul" and "mary":
  # Directors of my SOHO company
  directors: peter,paul,mary
Mail sent to "family@my-site.com" goes to users "grandma", "brother" and "sister":
  # My family
  family: grandma,brother,sister
Mail sent to adminlist gets sent to all the users listed in the file /home/mailings/adminlist:
  # My mailing list file
  adminlist: ":include:/home/mailings/adminlist"
Run "newaliases" or "/usr/lib/sendmail -bi" to apply the changes.
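The lookup procedure described on the previous slide (search the first column, take the members from the second column, search again for each member until a name has no entry) is easy to get wrong by hand when lists nest. The script below is an added example (not from the course slides, not sendmail's own code) that walks an aliases file exactly that way, follows :include: files, and refuses to run forever when two aliases point at each other. The aliases file is a constructed copy of the slide's entries written to a temporary directory; the "alok" member, the nested "directors" entry inside the include file and the "ping"/"pong" loop are added for the demonstration.

```shell
#!/bin/sh
# Added example, not from the course slides: expands an /etc/aliases entry
# the way the slides describe sendmail doing it (look up the name in the
# first column, then look up each member again), including :include: files
# and a guard against two aliases that point at each other.

# Constructed aliases file and :include: file, in a temp directory so the
# real /etc/aliases is not touched.
WORK="$(mktemp -d)"
printf 'alok\ndirectors\n' >"$WORK/adminlist"
cat >"$WORK/aliases" <<EOF
# Directors of my SOHO company
directors: peter,paul,mary
# My family
family: grandma,brother,sister
# My mailing list file
adminlist: ":include:$WORK/adminlist"
# Two aliases pointing at each other (constructed): must be caught, not looped
ping: pong
pong: ping
EOF
ALIASES="$WORK/aliases"

# _expand NAME FILE SEEN -> prints final recipients; SEEN is the chain of
# aliases already being expanded, used to detect loops.
_expand() {
    case " $3 " in *" $1 "*) echo "alias loop at $1" >&2; return 1 ;; esac
    members=$(awk -v n="$1" 'index($0, n ":") == 1 {
        sub(/^[^:]*:[ \t]*/, ""); gsub(/,/, " "); print; exit }' "$2")
    if [ -z "$members" ]; then
        printf '%s\n' "$1"          # no entry: deliver to the local user
        return 0
    fi
    for m in $members; do
        m=${m#\"}; m=${m%\"}        # strip the quotes around ":include:..."
        case "$m" in
            :include:*)             # every line of the file is a member
                while read -r line; do
                    [ -n "$line" ] || continue
                    ( _expand "$line" "$2" "$3 $1" ) || return 1
                done <"${m#:include:}" ;;
            *)  ( _expand "$m" "$2" "$3 $1" ) || return 1 ;;
        esac
    done
}

# expand_alias NAME FILE -> final recipients of NAME, one per line;
# exit 1 if expansion loops.
expand_alias() {
    _expand "$1" "$2" ""
}

for a in directors adminlist bob ping; do
    echo "== $a"
    expand_alias "$a" "$ALIASES" || echo "(expansion failed for $a)"
done
```

Each recursive call runs in a subshell so the caller's loop variables survive, and the chain of names already being expanded is passed down as the third argument; that is what turns the ping/pong pair into a reported error instead of an endless loop.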
Masquerading
The Sendmail server must masquerade the machine names on the company network so that their return address is user@example.com instead of user@host.example.com.
Uncomment the following lines in /etc/mail/sendmail.mc:
  EXPOSED_USER(`root')dnl
  FEATURE(masquerade_envelope)dnl
  MASQUERADE_AS(`example.com')dnl
  FEATURE(masquerade_entire_domain)dnl
Edit /etc/mail/local-host-names and add the domain:
  vi /etc/mail/local-host-names
  example.com
Testing Sendmail:
  /usr/lib/sendmail -v username < filename
Configuring Mail Clients
What is Postfix?
Originally developed at IBM by security expert and programmer Wietse Venema, Postfix is a Sendmail-compatible MTA that is designed to be secure, fast, and easy to configure.
Main Configuration File
The configuration files for Postfix are human readable and support upward of 250 directives. Unlike Sendmail, no macro processing is required for changes to take effect.
Main Configuration File: /etc/postfix/main.cf
Configuring Mail Server: Postfix
Step 1: First check which MTA is in use
  alternatives --display mta
Step 2: If Sendmail is running by default, then change it to Postfix
  alternatives --set mta /usr/sbin/sendmail.postfix
Basic Postfix Configuration
By default, Postfix does not accept network connections from any host other than the local host. Perform the following steps as root to enable mail delivery for other hosts on the network:
  vi /etc/postfix/main.cf
Uncomment the mydomain line by removing the hash mark (#), and replace domain.tld with the domain the mail server is servicing, like example.com.
Uncomment the myorigin = $mydomain line.
Uncomment the myhostname line, and replace host.domain.tld with the hostname for the machine, like serverone.example.com.
Uncomment the mydestination = $myhostname, localhost.$mydomain line.
Uncomment the mynetworks line, and replace 168.100.189.0/28 with a valid network setting for hosts that can connect to the server.
Uncomment the inet_interfaces = all line.
Restart the postfix service.
Once these steps are complete, the host accepts outside emails for delivery.
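The steps above are the same few line edits on every server, so they are worth scripting and checking. The script below is an added example (not from the course slides, not part of Postfix) that performs those edits with sed on a constructed copy of the relevant main.cf lines, reads each parameter back the way Postfix resolves it (last active definition wins), and flags the one setting that most often turns a freshly opened Postfix into an open relay: a mynetworks that contains 0.0.0.0/0, since Postfix relays for every client inside mynetworks. The domain, hostname and network values are constructed samples.

```shell
#!/bin/sh
# Added example, not from the course slides: applies the main.cf edits the
# configuration steps describe, on a constructed copy of the relevant
# lines, and reads the result back so the settings can be checked before
# "service postfix restart". File contents and values are constructed.
MAINCF="$(mktemp)"
cat >"$MAINCF" <<'EOF'
#myhostname = host.domain.tld
#mydomain = domain.tld
#myorigin = $mydomain
#inet_interfaces = all
inet_interfaces = localhost
#mydestination = $myhostname, localhost.$mydomain
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
EOF

# configure_postfix_main FILE DOMAIN HOSTNAME NETWORK -> rewrites FILE in
# place, uncommenting and filling in the lines the steps name; the active
# "inet_interfaces = localhost" line is commented out so "all" takes effect.
configure_postfix_main() {
    sed -E \
        -e "s|^#?mydomain = .*|mydomain = $2|" \
        -e "s|^#?myhostname = .*|myhostname = $3|" \
        -e 's|^#myorigin = .*|myorigin = $mydomain|' \
        -e 's|^#mydestination = .*|mydestination = $myhostname, localhost.$mydomain|' \
        -e "s|^#?mynetworks = .*|mynetworks = $4, 127.0.0.0/8|" \
        -e 's|^inet_interfaces = localhost$|#inet_interfaces = localhost|' \
        -e 's|^#inet_interfaces = all$|inet_interfaces = all|' \
        "$1" >"$1.new" && mv "$1.new" "$1"
}

# postfix_param FILE NAME -> value of the last active "NAME = value" line
# (Postfix itself uses the last definition when a parameter repeats).
postfix_param() {
    awk -v k="$2" -F' *= *' '$1 == k { v = $2 } END { print v }' "$1"
}

# mynetworks_safe FILE -> exit 1 when mynetworks includes the whole
# Internet (0.0.0.0/0), which would make the host an open relay because
# Postfix's default restrictions permit relaying from mynetworks.
mynetworks_safe() {
    case "$(postfix_param "$1" mynetworks)" in
        *0.0.0.0/0*) return 1 ;;
    esac
    return 0
}

configure_postfix_main "$MAINCF" example.com serverone.example.com 192.168.1.0/24
for p in myhostname mydomain myorigin mydestination mynetworks inet_interfaces; do
    printf '%-16s = %s\n' "$p" "$(postfix_param "$MAINCF" "$p")"
done
mynetworks_safe "$MAINCF" && echo "mynetworks looks sane"
```

On a real server, keep a copy of main.cf before running the function against it, and compare postfix_param output with what postconf reports after the restart; the two should agree for every parameter touched.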
Questions