
Week 06 - Email

Topic

Setting up email infrastructure with Postfix (SMTP/MTA). Configuring MX records, sending and receiving email, and basic mail server operations.

Company Requests

Ticket #601: Configure Email Receiving

"Customers are actively trying to contact us via email, but their messages are not being delivered. Set up an email server on our VM so that emails sent to <vm_name>.sysadm.ee are received on the VM."

Ticket #602: Setup MTA to Send Email Out

"The marketing team wants to send promotions to customers. Configure the email server so VM users can send emails to remote addresses."

Ticket #603: Set Up Mail Access (IMAP)

"Users need to access their email. Install and configure Dovecot to provide IMAP access to local mailboxes. Ensure system users can authenticate and read their mail."

Ticket #604: Webmail Interface (Roundcube)

"To make email access easier, deploy a web-based mail client. Install and configure Roundcube so users can log in via a browser and read/send email using your mail server."

Scoring Checks

  • Check 6.0: Timezone is set properly.
    • Method: Running date command in your VM.
    • Expected: Timezone EEST or EET in the command output.
    • Note: This check should be already green if you haven't modified your VM's timezone.
  • Check 6.1: Port 143/tcp is open and reachable from the scoring server.
    • Method: TCP connection to your VM on port 143.
    • Expected: Connection succeeds.
  • Check 6.2: Port 25/tcp is open and reachable from the scoring server.
    • Method: TCP connection to your VM on port 25.
    • Expected: Connection succeeds.
  • Check 6.3: SPF record is defined in DNS.
    • Method: Query DNS TXT records for the host’s domain using dig.
    • Expected: At least one valid SPF record present.
  • Check 6.4: marketing has sent email to nagios@scoring.sysadm.ee
    • Method: Looking for received email inside scoring server.
    • Expected: At least one email from marketing@<your_vm_name>.sysadm.ee exists.
  • Check 6.5: Roundcube UI is working
    • Method: Accessing mail.<your_vm_name>.sysadm.ee using curl.
    • Expected: Answers with a valid Roundcube login page.

Required Documentation

Before starting this lab, review the following documentation:

Tasks

Task 1: Set up an MX record in your DNS server

Configure your DNS to redirect emails sent to <your_vm_name>.sysadm.ee to mail.<your_vm_name>.sysadm.ee.

Complete

Edit the zone <vm_name>.sysadm.ee in your DNS configuration.

  1. Add a type A record for mail.<vm_name>.sysadm.ee pointing to your VM's external IP.
  2. In the same Zone file, add an MX record pointing to the hostname mail.<vm_name>.sysadm.ee.
    • Set the priority value to 10.
    • Think about the order: how should the records be organized in the zone file, MX first and then the A record, or vice versa? Does it make a difference?
  3. Validate zone file syntax and reload knotd.
  4. Verify new DNS records using dig.

Reference: SOP: DNS Management — Add an MX record to a zone, Concepts: DNS — Key Terminology, Concepts: Email - MX Records and Mail Routing
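As an added example (not part of the lab handout or of knot), the following Python script builds the two records Task 1 asks for and then checks a zone body the way a careful reviewer would: the MX target must have an address record in the zone and must not be a CNAME (RFC 2181 section 10.3), while the order of the lines is irrelevant. The VM name alice, the address 193.40.11.1 and the zone texts are constructed sample values.

```python
"""Build the MX/A records for Task 1 and sanity-check a zone body (added example, not lab code)."""
from __future__ import annotations

from collections import defaultdict

RECORD_TYPES = {"A", "AAAA", "MX", "CNAME", "NS", "TXT"}


def mail_records(vm_name: str, vm_ip: str, priority: int = 10) -> list[str]:
    """Zone-file lines for the mail host and the MX pointing at it (knot/BIND syntax)."""
    origin = f"{vm_name}.sysadm.ee."
    return [
        f"mail  IN  A   {vm_ip}",
        f"@     IN  MX  {priority} mail.{origin}",
    ]


def fqdn(name: str, origin: str) -> str:
    """Expand '@' and relative owner names against the zone origin (origin ends with a dot)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> dict[str, dict[str, list[str]]]:
    """Toy parser for 'owner [TTL] [IN] TYPE rdata' lines.

    Comments, $-directives and the SOA are skipped; the result maps
    owner FQDN -> record type -> list of rdata strings.
    """
    records: dict[str, dict[str, list[str]]] = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        parts = line.split()
        i = 1
        while i < len(parts) and parts[i] not in RECORD_TYPES:  # skip TTL / class tokens
            i += 1
        if i >= len(parts):
            continue  # SOA line or its continuation lines: no type we care about
        owner, rtype, rdata = fqdn(parts[0], origin), parts[i], " ".join(parts[i + 1:])
        records[owner][rtype].append(rdata)
    return records


def check_mx(records: dict, origin: str) -> list[str]:
    """Return the problems a remote MTA would hit when delivering to this zone's MX."""
    problems = []
    mx_rdata = records.get(origin, {}).get("MX", [])
    if not mx_rdata:
        return [f"no MX record for {origin}"]
    for rdata in mx_rdata:
        pref, _, target = rdata.partition(" ")
        if not pref.isdigit():
            problems.append(f"MX preference {pref!r} is not a number")
        target = fqdn(target.strip(), origin)
        target_rrs = records.get(target, {})
        if "CNAME" in target_rrs:
            problems.append(f"MX target {target} is a CNAME, which RFC 2181 forbids")
        elif not (target_rrs.get("A") or target_rrs.get("AAAA")):
            problems.append(f"MX target {target} has no A/AAAA record in this zone")
    return problems


ORIGIN = "alice.sysadm.ee."
# Constructed sample zone: the MX line is deliberately placed before the A record it points at.
ZONE_MX_FIRST = """
$TTL 900
@     IN  SOA  ns1.alice.sysadm.ee. admin.alice.sysadm.ee. ( 1 900 300 7200 600 )
@     IN  NS   ns1.alice.sysadm.ee.
@     IN  MX   10 mail.alice.sysadm.ee.
@     IN  A    193.40.11.1
ns1   IN  A    193.40.11.1
mail  IN  A    193.40.11.1
"""
# Constructed sample: same zone, but mail is a CNAME, the classic MX mistake.
ZONE_CNAME_TARGET = ZONE_MX_FIRST.replace(
    "mail  IN  A    193.40.11.1", "mail  IN  CNAME alice.sysadm.ee."
)

if __name__ == "__main__":
    print("\n".join(mail_records("alice", "193.40.11.1")))
    for label, zone in (("MX before A", ZONE_MX_FIRST), ("CNAME target", ZONE_CNAME_TARGET)):
        print(label, "->", check_mx(parse_zone(zone, ORIGIN), ORIGIN) or "ok")
```

The parser treats the zone as a set of records, which is exactly what knotd does: placing the MX above or below the A record changes nothing, but pointing the MX at a CNAME is rejected by many resolvers and MTAs, so the check flags it.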

Task 2: Set up Postfix

Set up Postfix as a mail transfer agent (MTA).

Complete

  1. Install postfix package using dnf.
  2. Configure postfix.
  3. Start and enable postfix service.
  4. Add service smtp to firewalld and open port 25/tcp in ETAIS firewall.
  5. Create user marketing with a secure password you can remember.
    • Note: Do not reuse any of your passwords: at this point the traffic is unencrypted and can be read by anyone on the path.
  6. Log into marketing (su - marketing), send a test email to centos@localhost and make sure it was delivered.

Reference: SOP: Package Management, SOP: Mail Server Management - Configure Postfix for a domain, SOP: User management - Create a User, SOP: Mail Server Management - Send a Test Email, SOP: Firewall Management - Add a Service to firewalld, Technologies: Postfix, Concepts: Email - SMTP and MTA

Task 3: Set up Dovecot IMAP server

Set up Dovecot IMAP server for mailbox access.

Complete

  1. Install dovecot package using dnf.
  2. Configure dovecot.
  3. Start and enable dovecot service.
  4. Add service imap to firewalld and open port 143/tcp in ETAIS firewall.
  5. Install telnet package and test IMAP login to marketing via telnet.
    • Note: You could also try accessing mail.<your_vm_name>.sysadm.ee port 143 remotely (from your personal computer or WSL). This should fail by default.

Reference: SOP: Package Management, SOP: Firewall Management - Add a Service to firewalld, SOP: Mail Server Management - Test IMAP login with telnet, Technologies: Dovecot

Task 4: Secure email sending and authentication

Configure the email system to support secure mail submission and improve trust of outgoing emails.

Complete

  1. Add an SPF record to the DNS Forward Zone that authorizes your VM to send emails for the domain.
  2. Add service smtp-submission to firewalld and open port 587/tcp in ETAIS firewall.
  3. Test mail submission by connecting to port 587 using telnet and authenticating with base64-encoded credentials.
    • Note: You should also be able to access mail.<your_vm_name>.sysadm.ee remotely (from your personal computer or WSL) using port 587 and base64-encoded credentials.
  4. Send an email from marketing@<your_vm_name>.sysadm.ee to nagios@scoring.sysadm.ee and make sure it was delivered.

Reference: SOP: Firewall Management - Add a Service to firewalld, SOP: Mail Server Management - Define an SPF record, Technologies: Postfix, SOP: Mail Server Management - Test SMTP Submission with telnet, Technologies: Dovecot
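An added example (not from the lab handout, Postfix or Dovecot): a Python script that produces the SPF TXT value Task 4 step 1 asks for, evaluates it for a given sender address the way a receiving MTA does for the simple mechanisms (ip4, ip6, a, mx, all; include and redirect are left out), and builds the base64 blob that step 3 sends after AUTH PLAIN. The lookup table, the VM address 193.40.11.1, the domain alice.sysadm.ee and the credentials are constructed sample values.

```python
"""SPF record for Task 4, a minimal evaluator, and the AUTH PLAIN credential blob (added example, not lab code)."""
from __future__ import annotations

import base64
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(vm_ip: str) -> str:
    """TXT rdata for the zone apex: the VM's address, its A host and its MX hosts may send; everyone else hard-fails."""
    return f"v=spf1 ip4:{vm_ip} a mx -all"


def evaluate_spf(record: str, sender_ip: str, domain: str, dns: dict) -> str:
    """Check sender_ip against one SPF record; returns pass/fail/softfail/neutral/none/permerror.

    Only ip4, ip6, a, mx and all are implemented. `dns` is a constructed lookup
    table ({"A": {name: [addresses]}, "MX": {name: [targets]}}) so that the
    evaluation runs offline instead of querying DNS.
    """
    if not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # ip_network() returns False for a sender of the other IP version
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "a":
            matched = str(ip) in dns["A"].get(argument or domain, [])
        elif mechanism == "mx":
            mx_hosts = dns["MX"].get(argument or domain, [])
            matched = any(str(ip) in dns["A"].get(host, []) for host in mx_hosts)
        else:
            return "permerror"  # include, exists, ptr and redirect= are out of scope here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and there was no 'all' (RFC 7208 section 4.7)


def auth_plain(username: str, password: str) -> str:
    """The base64 string to send after 'AUTH PLAIN': NUL user NUL password (RFC 4616)."""
    return base64.b64encode(f"\0{username}\0{password}".encode()).decode()


VM_IP = "193.40.11.1"
DOMAIN = "alice.sysadm.ee"
# Constructed lookup table standing in for the A and MX records Task 1 put in the zone.
SAMPLE_DNS = {
    "A": {DOMAIN: [VM_IP], f"mail.{DOMAIN}": [VM_IP]},
    "MX": {DOMAIN: [f"mail.{DOMAIN}"]},
}

if __name__ == "__main__":
    record = spf_record(VM_IP)
    print(f"{DOMAIN}. IN TXT \"{record}\"")
    for sender in (VM_IP, "10.0.0.5"):
        print(sender, "->", evaluate_spf(record, sender, DOMAIN, SAMPLE_DNS))
    print("AUTH PLAIN", auth_plain("marketing", "<password>"))
```

Run with the real VM address to get the TXT line for the forward zone; the two evaluations show why a remote MTA accepts mail from the VM but rejects the same envelope sender from any other address. The AUTH PLAIN blob is only encoding, not encryption, which is why the lab warns against reusing passwords on port 587 before TLS is in place.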

Task 5: Set up Roundcube web UI for email access

Install and configure Roundcube so users can access their mailbox from http://mail.<your_vm_name>.sysadm.ee.

Complete

  1. Install all dependencies and enable the crb repository.
  2. Download Roundcube release and unpack it to /var/www/html/roundcubemail.
  3. Create a virtualhost for mail.<your_vm_name>.sysadm.ee that serves /var/www/html/roundcubemail as DocumentRoot and restart httpd service.
  4. Create a database and a database user for roundcube.
  5. Open mail.<vm_name>.sysadm.ee/installer in your favourite web browser and complete Roundcube setup.

Once this is done, you should be able to open the website you set up, log in with the username and password of one of the mail accounts created earlier, and read that user's mailbox. You could also try sending email to another student's marketing user if that student has already finished this lab.

Reference: Technologies: Roundcube

Ansible Tips

This section covers tips for automating the tasks in this lab with Ansible. You are not required to automate everything this week, but starting early will save you time later.

Tags

Use tags to run only email-related roles:

- { role: email, tags: email }

Run only the email role: ansible-playbook --tags=email playbook.yml

Handlers

Use handlers to restart services only when configuration changes:

# roles/dns/handlers/main.yml
- name: restart httpd
  systemd:
    name: httpd.service
    state: restarted
    enabled: yes

Notify the handler from tasks that modify config files:

- name: Create virtualhost for roundcube
  template:
    src: roundcube-vhost.j2
    dest: /etc/httpd/conf.d/mail.conf
  notify: restart httpd

Zone File Templates

Use Jinja2 templates for zone files so that the VM name and IP are substituted automatically.

Use a Unix timestamp as the zone serial

Instead of manually maintaining YYYYMMDDNN serials, use {{ ansible_date_time.epoch }} (Unix timestamp) as the serial. It's always increasing, guaranteed unique per run, and you never have to remember to bump it.

{# forward-zone.j2 #}
$TTL 900
@       IN  SOA  ns1.{{ hostname }}.sysadm.ee. admin.{{ hostname }}.sysadm.ee. (
                  {{ ansible_date_time.epoch }}  ; Serial (unix timestamp)
                  900           ; Refresh
                  300           ; Retry
                  7200          ; Expire
                  600 )         ; Negative Cache TTL

@              IN  NS   ns1.{{ hostname }}.sysadm.ee.
@              IN  A    {{ vm_ip }}
ns1            IN  A    {{ vm_ip }}
blog           IN  CNAME  {{ hostname }}.sysadm.ee.
inventory      IN  CNAME  {{ hostname }}.sysadm.ee.

Deploy it:

- name: Deploy forward zone file
  template:
    src: forward-zone.j2
    dest: "/var/lib/knot/zones/{{ hostname }}.sysadm.ee.zone"
    owner: knot
    group: knot
    mode: '0640'
  notify: reload knot
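One catch with the epoch serial is worth checking before switching: zone serials are compared with 32-bit serial arithmetic (RFC 1982), and a current Unix timestamp (about 1.7 billion) is numerically smaller than a YYYYMMDDNN serial such as 2025010101, so a secondary that already holds the old serial would not accept the new zone. The following Python script is an added example (not part of the handout or of any Ansible module) that implements that comparison so a planned serial change can be tested before it is deployed; the serial values in it are constructed.

```python
"""RFC 1982 serial-number comparison for SOA serials (added example, not lab or Ansible code)."""
from __future__ import annotations

import time

SERIAL_MODULUS = 2 ** 32
HALF_RANGE = 2 ** 31


def serial_is_newer(new: int, old: int) -> bool:
    """True if a secondary holding `old` will treat `new` as an increase (RFC 1982 section 3.2).

    Serials live on a 32-bit ring: `new` counts as newer only when it is ahead
    of `old` by fewer than 2^31 steps, with wrap-around at 2^32.
    """
    new %= SERIAL_MODULUS
    old %= SERIAL_MODULUS
    return new != old and (new - old) % SERIAL_MODULUS < HALF_RANGE


def date_serial(yyyymmdd: str, revision: int) -> int:
    """The conventional YYYYMMDDNN serial the handout suggests you stop maintaining by hand."""
    return int(f"{yyyymmdd}{revision:02d}")


def epoch_serial(now: float | None = None) -> int:
    """What {{ ansible_date_time.epoch }} yields: whole seconds since 1970."""
    return int(time.time() if now is None else now)


def serial_change_report(old: int, new: int) -> str:
    """One-line verdict for a planned SOA serial change."""
    if serial_is_newer(new, old):
        return f"ok: {new} is newer than {old}"
    return f"refused: secondaries keep serial {old} because {new} is not newer in serial arithmetic"


if __name__ == "__main__":
    # Constructed values: a date-based serial from a hand-maintained zone versus today's epoch.
    old = date_serial("20250101", 1)
    print(serial_change_report(old, epoch_serial()))
    print(serial_change_report(old, old + 1))
```

If a zone already carries a date-based serial and you still want to move to the epoch, the usual two-step is to first set the serial to the old value plus 2^31 - 1 (modulo 2^32), let the secondaries transfer, and only then switch to the timestamp; serial_is_newer confirms each step counts as an increase. With a single authoritative server and no secondaries, the comparison never happens and the switch is harmless.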

Useful Modules

  • dnf — install packages (pecl packages can be installed using pear module)
  • template — deploy updated zone file and configurations
  • systemd — manage systemd services
  • firewalld — open ports or add services
  • file — set ownership and permissions on files/directories
  • command — run commands that don't have a separate Ansible module
  • community.mysql.mysql_db — create a database in MariaDB
  • community.mysql.mysql_user — create a user in MariaDB