Email servers with postfix on Linux | Into the Terminal 96

Captions
Well, hello everyone, and welcome to Into the Terminal. Today we're going to be taking a look at configuring the Postfix mail server. Nate? Yay, to the terminal. Yeah, so let's definitely get that terminal share up. I'm going to share my past traumas with you all. I have a very long history of running email servers; that was one of the core things I did through most of my career as a systems administrator. You might say it was a job skill, because I was the only one willing to actually deal with this stuff. But today we're going to show you some simple Postfix stuff that you might run on RHEL. We'll talk about why you might care about this after we get through the critical path here.

So first we're just going to install Postfix, and I'm going to install a quick little command-line mail client that we can use to just show you that delivery worked and whatnot. So we're going to install Postfix and the command-line utility that provides the mail utility, which on RHEL is now called s-nail, with an N. I don't know why it's called that, don't ask. This is the evolution of mail; the next one in the series is nail. Yeah, right. All right, so now that it's installed, of course we have to enable the service, so we're going to do that and start it immediately; that's what that --now is doing for us. And then we're going to actually just try to deliver an email. I've done no other configuration to this thing. Out of the box, Postfix will handle local email with no trouble, and if you're lucky it'll handle remote delivery as well without having to set up much of anything, although that's not necessarily a recommended configuration; we'll talk about that later too. So we're just going to use good old command-line redirection here to echo just the word "test". Now this would be the body of the message, so obviously you could make that longer than just the word "test", through the mail command-line client. We're going to give it a subject with -s, "test local delivery", and we're just going to send it to root.

Okay, now it doesn't give us much in response, but what we're going to do is look at /var/log/maillog. As you might guess, this is the system mail log; any time anything goes through Postfix, it'll end up in the mail log. Okay, as you might expect, there's not much going on in here; there's just a little bit about the startup of Postfix, and then if you look at the timestamps here you're going to see... and this is basically how you group these things: you just have to see how the timestamps are all within the same second here. Usually an email delivery will happen within a second or two, so if you're looking through these logs to figure out what's going on with something, that's basically how you've got to block these up. Now, these message IDs here that you see are also a good way to get them, so if you're parsing through logs and you can find the message ID for the message you care about, you can grep for it. But again, that's more advanced log analysis stuff.

All right, so you can see here Postfix's pickup process got a message from root, and it basically took it and put it into the queue here; that's what this qmgr process is. You can see it says from root@mta.local (that's what I called my system), it tells me how big the message was, how many recipients there were on it (of course in this case there was only one), and then the log says, hey, I know all about this local user called root. It says originally to root, relay equals local; that means that it's a local account. Right here it says "delivered to mailbox", and then right here, look, "removed" from the queue. So if I now just run mail (not main, but mail), again this is command-line stuff, really simple, real basic; you're not going to get anything fancy, formatting and whatnot, out of this, but look, it gives you: there's email for root that says "testing local delivery". If I hit number one, that'll show me the message, and there it is: "test", from root@mta.local. Right, now we just want to delete that from the queue here because we don't care about it anymore, and then quit and clear the screen again.

Now you might say, okay, well, that's not that great of an example. I also have another local user called gangri; that's me, that's my local user on one of my local systems here. I send it to that. You can see, again, root doesn't get any mail because it wasn't sent to root, but now if we look at that mail log again we'll see a similar deal here where it was delivered to gangri@mta.local. All right, so there you go; simple local mail delivery. I could hop over to gangri and show you the message if you really wanted to see it, but I'm going to hope that you trust me it's there.

So a couple of things, Nate. One, you mentioned that when you're looking at logs, oftentimes the mail deliveries are very fast, especially for local users, but I like how you highlighted the message ID, because if you're having problems, that message ID is going to be really important to be able to go through the logs to find one that was not delivered successfully. A lot of times, yes, mail agents will try to resend for a period of time before they give up, so it's not going to have all the messages together in the log, because it's sitting there trying to resend periodically, and so you'll get some errors much later in the day, or maybe even the next day, about the mail being deferred. In some of the examples we have after the break here, I'll show you what some of those look like in the log too, where email delivery failed. Right, yeah.

And then, Nate, have you ever worked with a command-line mail client called mutt? Mutt? I haven't used mutt. I used to use Pine, which was then replaced with... what is that, the one that was replaced with Elm? Or was it the other way around? I think it was the other way around. Okay. Pine was another command-line-based email utility, but it was a full-screen app instead of just a command line like that. Yeah, so mutt, if you wanted to do actual email via the command line, that would be my recommendation instead of mail, because, just like the mail command, it lets you do things like subject lines and do stuff via automated scripting, but it also allows you to do things like attach attachments and do IMAP connections. So if you're looking for a command-line mail client, mutt is where it's at. It's funny that you bring up attachments, because the number of times I had to explain to people that email, in its original occurrence, was really never designed to encapsulate attachments; we just tacked all that together with MIME encoding and whatever. Yeah, crazy stuff can happen sometimes with some crazy attachments. Yeah.

All right, don't forget to like and subscribe, my viewer friends. Stay with us after the transition as we go a little bit deeper into mail. We're going to start by talking about how we use mail, what are some common configurations to see, and then, Nate, what additional examples are you going to take us through today? So I actually have a second mail server set up in my lab here; we're going to email from one to the other, that'll be fun, and I also have a smart relaying setup that we're going to talk about, because that's really, in my opinion, a much more common use case for Postfix on a server anyway. Excellent. So stay with us as we continue our email Postfix configuration after the transition. Yep.

Welcome back, welcome back. So Nate, this is our first episode in kind of our services, ways to get started with Linux, and why did we choose mail server? So email delivery on a local system is something that used to be on by default, and it was sort of taken for granted, but it's gotten so complicated over the years that now it's off by default. If you do a bare-minimum server install on RHEL, it doesn't even include Postfix, so local message delivery, I don't think there's really any mechanism that makes that happen, so you need to add Postfix to make that work. So for something as simple as, you know, a cron job failed and I want a message to be sent to the administrator about that, that doesn't work unless you set up Postfix. And if you want that to be delivered to a mailbox that you might check on your phone or something, that's even more complicated, because spammers ruin everything. That's going to be the theme of today's episode. But email used to be really open; it was a really simple protocol, you go server to server really easily, but spammers figured out that they could abuse that protocol and send a whole bunch of crap to everybody, and they could do it almost anonymously. So now there's all kinds of blacklists to think about, and IP spaces that aren't allowed to send email, and if you get on a blacklist it's hard to get back off again. So even if you're running a legitimate mail service and somebody compromises an account and you get blacklisted, it's a real headache. Like I said, I've got scars.

Yeah, and actually, as we were setting up for this episode we were talking about that, because somebody recently talked to me about running our own mail infrastructure (we use a service to do mail today), and I was like, I think you underestimate the difficulty of running a mail server on your own. Absolutely. I mean, I was a huge proponent for running our own mail system in my previous role, and it got to be such a burden, because even if you do everything right, it's so easy for you to get blacklisted, and then half your day is blown trying to get yourself off blacklists and whatever, and that's probably the easiest thing you have to deal with in a day. Right, there's a reason everybody's moved to the Microsofts and the Googles of the world, because running it yourself is just such a pain anymore. But that said, there are legitimate reasons to run a mail server on a Linux box. Yes, and one of the examples that we had discussed was, you want to run a website and there's user credential stuff on the website; how do you handle things like resetting someone's password on that website? Right, that is a legitimate one. So it's not just notification purposes, but you run a simple website that has user registrations, people want to register for an account, and you have to validate them somehow; usually that's through an email. They send an email back to the email address that they registered with; that won't work unless you have a local mail agent set up to deliver that message somehow. Right, and like I said, that's not as easy as it used to be. Well, and not even just that; let's say your website takes orders. How do you send people receipts? How do you send them tracking information for the shipment that you sent them? Yep. So email is still really critical. Some web apps, you can just plug in an email service and it'll handle it that way, but others still very much depend on local email delivery; they send it to your local Postfix, or whatever daemon is running on your server, and they expect it to handle delivery to the outside world. Yeah, and there's a lot of configurations where the local web server ingests the information and then sends it to its local Postfix, who then emails it to another service, which is how it gets redirected to the end user, and you can kind of not have to deal with some of the complexities of mail. We'll talk about that in a little bit.

I had a quick demo of how email delivery was designed to work, and this will just take a minute. If we want to bring my terminal back up, we can do that quick. Like I said, I have a second box set up. Sorry, go ahead. Are we going to telnet? We're not going to telnet. I actually avoided using telnet because I didn't want the hate. All right, this might be a little bit smaller; I'm sorry, we had some terminal issues earlier when we were starting the show. Let me see if I can make the windows smaller to make the font bigger. How's that look, a little better? I think that looks good.

Okay, so I've got two systems here, mta0 and mta1. Scott, do you know why I call them MTA, do you know what that stands for? Mail transfer agent. Mail transfer agent, and commonly an SMTP server would be called a mail transfer agent, MTA. Do you know what MUA stands for? Mail user agent. There you go, that's like your email client. This is all coming back to me, Scott, I'm telling you, I'm gonna leave Red Hat and go be an email administrator again. Yeah, Nate, I was one of the top-rated Red Hat instructors for like a decade and did all the RHCE training, so I know about MTAs and MUAs, don't you worry.

All right, so the first thing we need to do here is we have to disable a feature, I should say change a feature, of Postfix, and main.cf here is where you do all your configuration for Postfix. We're not changing relayhost yet, that's later in the demo, in case you wonder why I have that in my search history, but we're just going to go to the end and we're going to add a command that tells it not to do DNS lookups, and I'll tell you why in a second. That's because mail depends very heavily on DNS, and when you're doing something in a lab like this, you don't have full-on DNS set up; Postfix is just going to fail out of the box, because it tries to do a DNS lookup for the thing you're trying to do and it can't, because, well, there's no DNS to look up. So I have hosts entries here to point to mta1, because that's where we're going to try to deliver mail to. Normally you would not turn off that DNS lookups piece; I only did that for the sake of the lab. Okay, so now we're just going to try to send... oh, I have to reload Postfix, hold on. Okay, and assuming I didn't typo that command, because I was busy typing and talking at the same time, this should work now. We're going to use the same old mail command; this time we're going to do "testing internal", then we're going to pipe that through mail again, give it a subject, "testing to mta1", and then we're going to give it... Scott? So with your subjects I would just say "test 2". Yeah, well, I'm trying to differentiate these so that if I did have crap still sitting in the other mailbox, it's going to be easy to spot. All right, now we're going to go root@mta1.local, which is the DNS entry, or the hosts entry, that I had set up for this.

Now this is the birth of how SMTP was working. Now Scott, there may be history that I'm not aware of, but my understanding is SMTP came from the old Unix-to-Unix copy protocol as a more global way to deliver messages between systems like this, and then we all just expanded on that to make email services and whatnot. This was almost like the first decentralized messaging, think about it, right? Okay, so you can see there it accepted it. If I now look at my mail log again, you should see here (see if I can highlight just that message), again it gave it the message ID, yada yada yada... where's the thing I'm looking for here... you can see relaying to mta1.local, because it realized this is not a local mailbox; it's going to send it to 10177, because that's what it got from my hosts entry, and it even gives you some statistical information about how long it took to process the message. status=sent. Now if I go over here, back to root here (why I wasn't root to begin with, for preparation here, now I've got to type my password a few times). This one has been set up for a while, so you're going to see a bunch of other stuff in the mail log, because I've been testing this a few times before we got here. Imagine that, Scott, I tested before the show started. That's crazy town. Crazy town. All right, so I'm just trying to find the whole transaction here. All right, so here it says it gave me a warning because it doesn't know what mta0 is, because there's no reverse entry for it; that's one of those things that can cause mail delivery to be problematic. My dogs are about to bark, I'm very sorry if they start going crazy. Let's see here, it tells me the client, gives it the message ID, and I believe these message IDs should match from Postfix server to Postfix server. Here it says that it basically accepted the message, and then the remote system disconnected, and "delivered to mailbox". So now if I run mail here as root on mta1, which, if you recall, is the address we sent it to, there you go, "testing to mta1". Ta-da. So this is kind of how things were started; this is how you would send messages amongst different Unix or Linux systems.

So any questions on that one before we move ahead? So I know that in the log there you can see the message ID; it is included in the header when the message is sent to the recipient machine, but once it goes on the recipient machine, it is a different ID. I'm looking at it now. Yeah, and that's because, if you're a high-volume mail server and all these other mail servers are bombarding you with messages, how do you make sure there's no conflict in your message ID? Right, you have to own the message ID then. Yep. And you talk about headers; that's interesting. We don't have a good example of that here, because this isn't relaying through several systems, but every mail system that this message touches will get a new header added to the message. So if you're an email administrator and you have to figure out where a message came from, or why message delivery failed, you look at those headers, and the headers will tell you: I accepted this, I delivered it, I accepted this, I delivered this, I accepted it, I rejected it. And that's how you know the chain that this particular message went through to get to its recipient. Really helpful sometimes. Where I use that a lot is when tracing back scam emails, like phishing emails, where we're not sure exactly where it came from, or it appears to have been masqueraded as one user or another; we can look back at the headers to figure out what servers it has bounced off of to decide whether it's real or not real. There's also, if you're trying to figure out why an email was delayed, you can see, based on the timestamps, which system held on to the message for a long time, and then you can try to figure out why based on that information.

Oh no. Oh, thank goodness you didn't leave the room, Nate. Otherwise... trying to get the dog to leave before she gets into a barking fit, because the other dogs are barking, but she won't, she just sits there. Yeah, I see you. Anyway, she wants to be part of the live stream today, I guess.

All right, so I do have some more demos here; I can move right into the next one if there's no questions or anything. I don't even have chat open, sorry folks, if anybody's streaming messages into the chat. So before we started, somebody else suggested telnet; it wasn't even me. And so that was fun. So I mean, that's the fun thing with especially older protocols like SMTP: you can literally telnet to your Postfix port, which should be port 25 unless you've moved it, and you can issue plain-text commands to craft and deliver an email to an address, as long as you know the syntax. So I would like to point out that the out-of-the-box configuration for every mail server that has come from Red Hat for the last, I don't know, 10 years, maybe longer, is that it will not accept unknowns. So yes, you can, but because you're not coming from a trusted, verifiable source, it won't actually accept the mail that you've typed into it and try to deliver it. Ah, hold on, trying to show this here. Vincent in chat points out that telnet with tcpdump is an excellent combination to do troubleshooting, to figure out what's happening between two mail servers. Trying to find it here. Okay, so here you can see on the right-hand terminal versus the left-hand terminal: the left-hand terminal, this is the one I just installed at the beginning of the show; see, inet_interfaces says localhost. This was something I was going to show later in the show anyway, but since it's topical we'll do it now. So inet_interfaces says localhost on this one; that means it only listens on 127.0.0.1, so for local mail delivery it works perfect. As soon as anything remote tries to connect to this machine, it'll be like, I don't even have a service on that port, because it's only on local. On this one I said inet_interfaces = all, and this tells it to listen on all interfaces. You can be a lot more specific than that; for the sake of this demo this is good enough, but if you have a system that has several interfaces, you might specify specifically this interface is where I want it to listen on. So in this case inet_interfaces = all means it'll listen on port 25 on any interface on this machine, so I can connect to it on localhost or on the Ethernet port, the public IP address. Okay, yeah, but I think what we were talking about was the relay settings, and I know that our next demo talks some about that. Well, you were saying about how it won't listen on anything but localhost, and that's why I wanted to show that quick. Okay.

So let me kind of reset for the next demo here. And Nate, we may need relay size a little bit bigger again. Is it too small again? Let me see what I can do here; making the font bigger makes the window bigger, so you didn't see any change in that at all, did you? There, now it should look a little bigger. Okay, so smart relaying. Scott, what's smart relaying? Do you know what smart relaying is, Mr. I-know-all-the-instructor-stuff? Smart relaying is that you make decisions before you decide to accept an email and send it out to another mail server. Right. So we talked earlier about relaying and how things are blacklisted and whatnot, so I just have a quick demo here to show you what that's going to look like. Let's just try to use mail again; we're just going to send it to noreply@redhat.com, which obviously is not a place that should accept mail, but for the sake of our test this will work just fine, because what's going to happen is we're going to tell Postfix, hey, I want to send an email to something that's not a local mailbox, and then Postfix should not be able to deliver that. So what we're going to do now is look at that mail log again, and we should have... find that message here... here's :52, 17:52, no, not :52, 17:58. So it should tell us there's a bounce message. Or did it tell me it worked? It can't have worked, it's not supposed to work. Oh, so much for the trusting. Yeah, right, right. No, I don't see the message at all here; maybe it just rejected it outright. No, what went wrong here? Oh, is it because I still have that... and Vincent suggests running postqueue -p to see if it's queued. Not nginx, what am I thinking here; postqueue -p, P as in Papa. There it is. Oh yeah, okay, connection timed out trying to get there.

All right, so this is similar to what I was trying to get it to do, and this is what it did in my test yesterday: it actually rejected it, because the IP address that it would have relayed through externally is just my home cable modem, and those are blacklisted. They're blacklisted on purpose, because residential cable modems should not be sending email like this. And what should then happen is you get a non-delivery message back to the place that you sent it from. And the reason I wanted to show that as an example is because if you're either running in your home lab, or even if you're running on a cloud provider, or even an ISP, wherever you're hosting your site, you'll have similar mail delivery problems, simply because, especially cloud providers, they're all blacklisted, because they're not supposed to be sending mail. It's too common for spammers to spin up a cloud box, use it to relay a bunch of junk mail for six hours, and then just turn it off, because that way they're that much less traceable. So the way to get around that is to have your local Postfix system deliver mail through a trusted system, and that's what we call smart relaying, or relaying. Relaying is kind of a general term for "my mail server is delivering through another one"; you also saw it use the word relay when we just delivered that message to mta1's root account, because it relayed to a second box. Smart relaying is, if it meets certain criteria it will send it to the external system, otherwise it will handle it locally. That's why it's called smart relaying instead of just 100% relay everything.

So the best way I can demo that without getting really complicated is to relay messages through my other mail server. So we're going to do... hang on here, clear the screen first. Here and now is where we want that relayhost. All right, so you can see there's a bunch of examples here for how to set up a relayhost. I'm going to do it by IP address, because again, I don't have DNS resolution set up here; normally you'd use the hostname of whatever sending mail server you want to go through. And there's a lot more complicated ways to set this up; normally an email relay will require authentication, and there's ways to configure that, but I didn't want to get that complicated for this example, which is why I did this with a local system here. Yeah, and so a relayhost is typically used, or a place where we would really see it used, is what we were talking about earlier: you have an application that needs to send email to somebody, but that application is running on a machine that doesn't natively send email, because of all the complexities of managing a mail server. So you have your application server use a local Postfix instance to then relay the mail to your actual mail infrastructure that handles all the blacklisting and other stuff. And so that's what we're talking about here: we're going to take this mail, we're going to send it to that intermediary mail server, who will then send it out for delivery.

The first test I'm going to do here is we're going to send it to mta1.local again, which you might think is just the exact same example we used before, but this time Postfix is configured to use that relayhost instead. Now I could have gotten more complicated, had a third system to try to show this better, but let's be honest here, I only want so many mail servers in my home lab. So look at the mail log again, we're going to see that the message should have been handed off. Yeah, right here, see it says relay equals 10177, and what this will do is anything that we send to any address that isn't local will also get relayed through there. So if I try that noreply@redhat.com again, it should do this very similar thing in the mail log. There, again it relayed to 10177. So anything that goes through Postfix that isn't recognized as a local account will relay back out through mta1. So if I go to the log over here, we should see the messages in the log here because they were relayed. Ah, here's the thing I was looking for. Oh, let's make this bigger so you can see it better. Here you see this message where it says noreply@redhat.com, relay equals mimecast.com (that must be who we use for our internal email filtering), status equals bounced, and it tells me why it bounced: listed on the public blacklist, see, check Spamhaus. postqueue over here again (and we may need to clear so we can see it above our heads), it's not in the queue here; it must have already rejected it. So eventually there will be a bounce message generated, and I think it'll come back to where I sent it from, although because email delivery here is barely working, because of my very basic demo setup, I may never see the bounce, because it may not be able to deliver it. But in a normal email setup, you'd get a bounce message and it would tell you why, and it would say it was blocked by Spamhaus. And now the dog wants to get out; it's a fun day today.

All right, so that's basically how relaying works. Now personally, for my web setups and whatnot, I relay through Amazon's Simple Email Service, which requires that you set up authentication, and you have to make a key and all that stuff within Amazon, and it's a much more complicated setup, but you have to basically define all that within your Postfix config, and I didn't want to go through all that for today's demo. Yeah, and Gmail, Google domains, have a similar setup where you can send them email from services, and they have to use multi-factor authentication and other stuff to work through their API. Yep, yep.

The only other thing I wanted to talk about was open relaying. It's an important thing to think about when you're setting up a Postfix system, especially if you're doing a really basic setup like I just demonstrated. Out of the box, your system will be configured so that it will not relay anything at all. So if I tried to set up that relayhost and then I tried to send that message, it would have just flat-out rejected me, said nope, I'm not allowed to relay. And I can show that configuration quick here if we bring up the terminal again; that is called mynetworks (with an underscore... oh, helps if I spell networks properly). Okay, so mynetworks, and there are a couple of ways to configure this: there's a mynetworks_style, which I'm showing on the screen right now; you can tell it to accept based on class, subnet, or host. I've never really worked with it that way; I usually go with these IP block setups, because I'm really familiar with how to do CIDR notation. So in my case mynetworks is 10.0.0.0/24, which means anything in the 10.0.0.0 network is allowed to relay through my system. Normally this is basically set to don't relay anything, and I could probably show... no, I think it's just commented out, which basically says don't relay stuff. So that's a thing you're going to want to be aware of. If you set this to relay everything, then you've made what's called an open relay. Open relays are bad. I don't want to go too deep, in the interest of time here, but open relay basically means that if you connect to this server, it'll relay anywhere in the world. Now obviously there'll be blacklists and stuff to contend with, but if you're running an actual legit email service and you have an open relay, very bad stuff; you will get blacklisted very quickly. So you need to pay attention to that if you're trying to set up a Postfix box that does more than just local mail delivery.

And that's all the demos I had for today. So only a few minutes over. Oh, don't worry, a lot of information. Producer Eric has told us about being over. Oh yeah, I see you there now, sorry. So next week we're actually going to take a week off, because there's a Red Hat company holiday, but the week after that we'll be talking about everyone's favorite service, NFS, the network file service. NFS, another service that has given me scars over the years. But yeah, I hope everybody has come away learning a little bit about Postfix and how to set it up, and, I don't know, was Postfix scary before? If it was, I hope it's not anymore. I mean, Postfix was the nicer, gentler alternative to sendmail. Oh, sendmail, yeah. Yeah, sendmail was like, you actually had to build the config in a special macro definition, and then it would compile it into... what was the format? Yeah, I am horribly familiar. I used to run qmail; that's how far back my email administration goes. qmail was kind of the de facto standard for ISP-style email for a long time, and then Zimbra, which was another good one, which had a lot of Postfix in it. Zimbra leveraged Postfix very heavily, which is why I am familiar with all the Postfix stuff.

So in two weeks we will be doing NFS. Also don't forget about RHEL Presents; producer Eric will be hosting that show, since that's his show, and he's doing a "day in the life of a solutions architect", which is the pre-sales technical person at Red Hat, so usually when you talk to somebody at Red Hat and they're technical, if you're a customer, this is probably one of the types of people you talk to. He'll be having, I'm guessing, a solutions architect on the show. And we'll continue our additional services after NFS; I don't know that we've really structured which ones are coming next, but we'll keep going. We've batted around a number of them, so something good; we'll figure it out before the NFS episode airs. Yeah, and hopefully I'll actually test the NFS setup before we show up and do it live in front of people. What could possibly go wrong? Yeah, right. I mean, NFS is so simple, right? It's so easy, it's like setting up sudo, easy. Oh, I see Shantanu is advocating for NFSv4; I mean, of course, with the Kerberos, clearly that's what we do on a 30-minute show. Are you going to do automount and remote home directories and everything? Everything, Scott. I mean, autofs, sure, but probably not; autofs is probably its own show, or at least part of its own show. Producer Eric, we understand we're over, a lot. So don't forget to mash that like and subscribe, and we'll keep making Into the Terminal content. Nate, any parting wisdom? So many scars. Yes, running a mail server is hard. All right, everyone, until next time, see you in the terminal.
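The show reads the mail log by eye, grouping lines by timestamp and then by the ID Postfix prints on every line. Below is an added example, not from the show and not part of Postfix, that does that grouping automatically: a Python script that takes maillog text, collapses each queue ID into one record, counts delivery attempts, keeps the final status and the delivery agent's reason, maps a Message-ID from a mail header back to the local queue ID, and lists messages that were deferred, bounced, or never removed from the queue. The sample log embedded in it is constructed (hostnames, addresses and IPs are made up, using documentation ranges) to look like the default rsyslog format with Postfix's default short queue IDs.

```python
"""Group Postfix maillog lines by queue ID and summarise each delivery.

Added example, not from the show or from Postfix. Assumes the default
rsyslog line format and Postfix's default short (uppercase hex) queue IDs;
with enable_long_queue_ids=yes the QID pattern below would need changing.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a local delivery, a message deferred on its first
# attempt and bounced by a blocklist half an hour later, a warning line with
# no queue ID, and a relay to a second MTA. All names/addresses are made up.
SAMPLE_LOG = """\
Feb 17 17:52:01 mta0 postfix/pickup[1204]: 4A1B2C3D4E: uid=0 from=<root>
Feb 17 17:52:01 mta0 postfix/cleanup[1207]: 4A1B2C3D4E: message-id=<20240217225201.4A1B2C3D4E@mta0.local>
Feb 17 17:52:01 mta0 postfix/qmgr[1198]: 4A1B2C3D4E: from=<root@mta0.local>, size=298, nrcpt=1 (queue active)
Feb 17 17:52:01 mta0 postfix/local[1208]: 4A1B2C3D4E: to=<root@mta0.local>, orig_to=<root>, relay=local, delay=0.06, delays=0.03/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to mailbox)
Feb 17 17:52:01 mta0 postfix/qmgr[1198]: 4A1B2C3D4E: removed
Feb 17 17:58:40 mta0 postfix/pickup[1204]: 5B2C3D4E5F: uid=0 from=<root>
Feb 17 17:58:40 mta0 postfix/cleanup[1207]: 5B2C3D4E5F: message-id=<20240217225840.5B2C3D4E5F@mta0.local>
Feb 17 17:58:40 mta0 postfix/qmgr[1198]: 5B2C3D4E5F: from=<root@mta0.local>, size=301, nrcpt=1 (queue active)
Feb 17 17:59:10 mta0 postfix/smtp[1220]: 5B2C3D4E5F: to=<noreply@example.com>, relay=none, delay=30, delays=0.02/0.01/30/0, dsn=4.4.1, status=deferred (connect to mx.example.com[203.0.113.25]:25: Connection timed out)
Feb 17 18:29:11 mta0 postfix/qmgr[1198]: 5B2C3D4E5F: from=<root@mta0.local>, size=301, nrcpt=1 (queue active)
Feb 17 18:29:12 mta0 postfix/smtp[1231]: 5B2C3D4E5F: to=<noreply@example.com>, relay=mx.example.com[203.0.113.25]:25, delay=1832, delays=1831/0.02/0.5/0.3, dsn=5.7.1, status=bounced (host mx.example.com[203.0.113.25] said: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org (in reply to RCPT TO command))
Feb 17 18:29:12 mta0 postfix/qmgr[1198]: 5B2C3D4E5F: removed
Feb 17 18:31:05 mta0 postfix/smtpd[1240]: warning: hostname mta1.local does not resolve to address 10.0.0.177: Name or service not known
Feb 17 18:31:05 mta0 postfix/pickup[1204]: 6C3D4E5F60: uid=0 from=<root>
Feb 17 18:31:05 mta0 postfix/cleanup[1207]: 6C3D4E5F60: message-id=<20240217233105.6C3D4E5F60@mta0.local>
Feb 17 18:31:05 mta0 postfix/qmgr[1198]: 6C3D4E5F60: from=<root@mta0.local>, size=305, nrcpt=1 (queue active)
Feb 17 18:31:05 mta0 postfix/smtp[1241]: 6C3D4E5F60: to=<root@mta1.local>, relay=mta1.local[10.0.0.177]:25, delay=0.31, delays=0.02/0.01/0.2/0.08, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7D4E5F6071)
Feb 17 18:31:05 mta0 postfix/qmgr[1198]: 6C3D4E5F60: removed
"""

# syslog prefix + "postfix/<daemon>[pid]: <QUEUEID>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<proc>[\w-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
# One delivery attempt as logged by local/smtp/pipe agents.
DELIVERY_RE = re.compile(
    r"to=<(?P<to>[^>]*)>,(?: orig_to=<[^>]*>,)? relay=(?P<relay>[^,]+), "
    r"(?:conn_use=\d+, )?delay=[\d.]+, delays=[\d./]+, dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<detail>.*)\)$"
)
ENVELOPE_RE = re.compile(r"from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=\d+")
MSGID_RE = re.compile(r"message-id=<(?P<msgid>[^>]*)>")


def parse_maillog(text):
    """Return ({queue_id: [line dicts]}, [warning lines that carry no queue ID])."""
    entries, warnings = defaultdict(list), []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries[m["qid"]].append(m.groupdict())
        elif "warning:" in line:
            warnings.append(line)
    return dict(entries), warnings


def summarize(entries):
    """Collapse each queue ID into one record: sender, recipients, number of
    delivery attempts, final status/reason, and seconds spent in the queue."""
    summary = {}
    for qid, events in entries.items():
        rec = {"message_id": None, "from": None, "recipients": [], "attempts": 0,
               "final_status": None, "relay": None, "dsn": None, "detail": None,
               "removed": False}
        # syslog timestamps carry no year; deltas within one month are still right
        stamps = [datetime.strptime(e["ts"], "%b %d %H:%M:%S") for e in events]
        rec["queue_seconds"] = (max(stamps) - min(stamps)).total_seconds()
        for e in events:
            rest = e["rest"]
            if m := MSGID_RE.search(rest):
                rec["message_id"] = m["msgid"]
            elif m := ENVELOPE_RE.match(rest):
                rec["from"] = m["sender"]
            elif m := DELIVERY_RE.match(rest):
                rec["attempts"] += 1
                if m["to"] not in rec["recipients"]:
                    rec["recipients"].append(m["to"])
                rec.update(final_status=m["status"], relay=m["relay"],
                           dsn=m["dsn"], detail=m["detail"])
            elif rest == "removed":
                rec["removed"] = True
        summary[qid] = rec
    return summary


def find_by_message_id(summary, message_id):
    """Map the Message-ID seen in a mail header back to this host's queue ID."""
    return next((q for q, r in summary.items() if r["message_id"] == message_id), None)


def needs_attention(summary):
    """Queue IDs whose last attempt was not status=sent, or that never left the queue."""
    return sorted(q for q, r in summary.items()
                  if r["final_status"] != "sent" or not r["removed"])


if __name__ == "__main__":
    entries, warnings = parse_maillog(SAMPLE_LOG)
    summary = summarize(entries)
    for qid, r in summary.items():
        print(f"{qid} {r['final_status']:<8} attempts={r['attempts']} "
              f"queued={r['queue_seconds']:.0f}s relay={r['relay']} to={','.join(r['recipients'])}")
        if r["final_status"] != "sent":
            print("    " + r["detail"])
    for w in warnings:
        print("warning: " + w.split("warning: ", 1)[1])
    print("needs attention:", needs_attention(summary))
```

Run it against the real file with `summarize(parse_maillog(open("/var/log/maillog").read())[0])`. The deferred message in the sample is the case the show warns about: its two delivery attempts are thirty minutes apart, so grouping by timestamp alone would never join them, and only the queue ID ties the `status=deferred` line to the later `status=bounced` line that names the blocklist. The warning line is kept separately because it has no queue ID at all; that is the reverse-DNS complaint the show points out on the receiving side.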
Info
Channel: Red Hat Enterprise Linux
Views: 1,191
Id: RKpNKzziiN4
Length: 39min 48sec (2388 seconds)
Published: Sat Feb 17 2024