25 July 2013, 16:42

We'll see here how to set up a lightweight mail server (hMailServer) with public access. We'll go through the networking and DNS setup, with a special focus on IPv6. I'm installing hMailServer on a Windows Server 2008 R2, but hMailServer works with any Windows OS (client or server).
Here is the network map:

WS7b.gif

hMailServer can't provide both IPv4 and IPv6 service, so here we'll only see an IPv6 setup.
hMailServer doesn't support STARTTLS, but it does support SSL/TLS. Since we don't want to use plain-text login (no encryption of the password exchange, no encryption of the mail exchanges), which is totally insecure, we'll use SSL/TLS.
The previous post is about creating a self-signed SSL certificate; it takes just 15 minutes to install the software and generate the certificate/private key pair: How to create a self-signed SSL certificate

We'll be using a self-signed certificate, so we'll have to add temporary or permanent exceptions when Thunderbird or the antivirus warns about it.

hMailServer installation and setup

hMailServer is very easy to install, leaving the default options. A password is created during installation to access the management interface.

Once installed, we log into the management interface and first add a domain:

WS7a.gif

 

We add the domain example.com.

(The Names tab is optional: it creates an alias for a dual internal/external domain and login, as in an example.net/example.com network design. We can add the name example.net here:

WS7f.gif)

We then add e-mail accounts:

WS7e.gif

(Accounts > Add)

We have to set up the server's IP addresses and ports:

SMTP    2001:db8:4b17:1::200    port 465
POP3    2001:db8:4b17:1::200    port 995

WS7r.gif

WS7q.gif

We set hMailServer's own IP (::1):

WS7t.gif

We next have to change the allowed client IP address range to allow IPv6:

0:0:0:0:0:0:0:0        FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

WS7p.gif

(This is an allow-all, so the mail server is accessible by anybody on the Internet. To limit the mail server to hosts of our /48 subnet only, we can narrow it down to the range 2001:db8:4b17:2:0:0:0:0 to 2001:db8:4b17:ffff:ffff:ffff:ffff:ffff:

WS7o.gif)

We enable logging (useful at the beginning, for troubleshooting):

WS7s.gif

 

We finally copy our SSL private key and public certificate into the folder:

C:\Program Files (x86)\hMailServer\Externals\CA\

and add them in the hMailServer management interface:

WS7k.gif

WS7l.gif

We're done with the hMailServer setup for now. We'll see the SPAM prevention further down this post.

Windows OS and Network Routers Firewall settings

We have to create two incoming rules in our Windows OS firewall, using Windows Firewall with Advanced Security:

WS7h.gif

 

 

We also have to create the same incoming rules in our Internet gateway's IPv6 firewall:

WS7u.gif

 

The :: is an 'allow-all'.

Mail Clients setup

Using Thunderbird, the client configuration is very easy and straightforward.

We just add a new account using these settings:

WS7n.gif

 

The username has to be the full something@example.com for the login to work. Here are the POP3 and SMTP settings for reference:

WS7i.gif

 

WS7j.gif

 

And we're done with the e-mail client setup.

DNS Setup

For our hMailServer to be accessible from the outside, we need to have it registered in the Internet DNS.

We have to create two AAAA records:

pop3.example.com    AAAA    2001:db8:4b17:1::200
smtp.example.com    AAAA    2001:db8:4b17:1::200

We also have to create an MX record (Mail Exchange record) for example.com pointing to our SMTP server:

example.com    MX    smtp.example.com    preference=1

Why do we need an MX record? Because someone mailing john@example.com doesn't know the FQDN or IP address of its mail server. So he first queries the example.com domain for an MX record, which returns smtp.example.com.

He can then make a DNS query for smtp.example.com to get its IP.

So we have to create these three DNS records at our registrar's level:

WS7d.gif

 

(For why we do it at the registrar's level, see these posts on this blog: post1 post2 post3)

We have to wait for the DNS changes to propagate, checking with:

nslookup pop3.example.com
nslookup smtp.example.com

until we get the right answer (i.e. 2001:db8:4b17:1::200 here).

Reverse DNS for inter-domain mail exchanges

If we want our hMailServer to be able to exchange mail with mail servers from other domains (ISPs' webmails, etc.), we need a working reverse DNS for smtp.example.com: this is a security feature.

For this, we have to create a PTR record (i.e. a reverse DNS record) at the ISP / tunnel broker level. Not all ISPs allow this, or allow the reverse DNS to be delegated. The network / DNS map then looks like this:

WS7m.gif

 

To test that the reverse DNS works, type:

nslookup 2001:db8:4b17:1::200

You should get smtp.example.com as the answer.

Please make sure to read the last part of this post, about SPAM prevention settings, for a working inter-domain mail exchange, with example.com e-mails being accepted by other domains' mail servers.
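The MX, AAAA and PTR chain described in the DNS and reverse DNS sections above, as an added example that is not part of the original post: a small Python checker that walks the three records for a domain the way a receiving server does, and reports a missing MX, a missing AAAA, a missing PTR or a PTR that does not point back at the MX host (forward-confirmed reverse DNS). It runs against a constructed in-memory table holding the post's own record values rather than live DNS; the lookup() function is where a real resolver call (for instance dnspython's dns.resolver.resolve, an assumption, not used here) would go.

```python
import ipaddress

SERVER_IP = "2001:db8:4b17:1::200"

# The ip6.arpa name a resolver actually queries for the PTR of SERVER_IP.
PTR_NAME = ipaddress.ip_address(SERVER_IP).reverse_pointer

# Constructed in-memory copy of the records the post creates (hypothetical table,
# not live DNS). A real check would replace lookup() with resolver queries.
FAKE_DNS = {
    ("example.com", "MX"): ["smtp.example.com"],
    ("smtp.example.com", "AAAA"): [SERVER_IP],
    ("pop3.example.com", "AAAA"): [SERVER_IP],
    (PTR_NAME, "PTR"): ["smtp.example.com"],
}


def lookup(name, rtype, dns=FAKE_DNS):
    """Return the records of type rtype for name (case- and trailing-dot-insensitive)."""
    return dns.get((name.lower().rstrip("."), rtype), [])


def check_mail_dns(domain, dns=FAKE_DNS):
    """Walk MX -> AAAA -> PTR for domain, the way a receiving server verifies a sender.

    Returns a list of problems; an empty list means every MX host resolves to an
    address whose PTR points back at that same host (forward-confirmed reverse DNS).
    """
    problems = []
    mx_hosts = lookup(domain, "MX", dns)
    if not mx_hosts:
        return ["no MX record for %s" % domain]
    for host in mx_hosts:
        host = host.lower().rstrip(".")
        addresses = lookup(host, "AAAA", dns)
        if not addresses:
            problems.append("MX host %s has no AAAA record" % host)
            continue
        for address in addresses:
            # Reverse lookups are made on the ip6.arpa / in-addr.arpa name, not the literal.
            ptr_name = ipaddress.ip_address(address).reverse_pointer
            ptr_targets = [p.lower().rstrip(".") for p in lookup(ptr_name, "PTR", dns)]
            if not ptr_targets:
                problems.append("%s has no PTR record" % address)
            elif host not in ptr_targets:
                problems.append("PTR for %s is %s, not %s" % (address, ptr_targets[0], host))
    return problems


if __name__ == "__main__":
    print("PTR query name:", PTR_NAME)
    print("problems for example.com:", check_mail_dns("example.com") or "none")
```

With the table as constructed the check comes back clean; deleting the PTR entry or pointing it at another host name reproduces the two failures that make other domains' servers distrust a sender.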

 

 

SPAM prevention settings

We want our hMailServer to be protected from outside SPAM, and we want other domains' mail servers to accept our e-mails as legitimate. Here is how we do this:

To prevent our hMailServer from receiving SPAM, we can tick 'Use SPF' and 'Check that sender has DNS-MX records':

 

WS7v.gif

This provides a basic SPAM prevention.

To have other domains' mail servers accept our e-mails as legitimate, we need:

- a DNS MX record
- a working reverse DNS of our server's IPv6 address pointing to smtp.example.com
- a DNS SPF record.

The first two have been explained higher up in this post, so we just have the SPF record left to see.

SPF (Sender Policy Framework) is a DNS record aimed at preventing the use of spoofed domain names by SPAM.

It is registered in the DNS of the domain name (example.com in this case) and states which mail servers are to be considered as validly acting in the name of this domain (example.com here).

 

Let's say our hMailServer received an e-mail written by john@example.com and sent to tim@example.org:

1. The example.com mail server contacts the example.org mail server.
2. The example.org mail server checks for an example.com SPF record in the Internet DNS.
3. If an SPF record is found, the example.org mail server checks whether there is a valid entry for the example.com mail server's IP address in the SPF record.
4. If so, the example.com mail server is considered valid, and the e-mail is accepted by the example.org mail server.

Here are some basic SPF records:

record:    example.com IN SPF "v=spf1 -all"
effect:    no mail should be accepted by other domains' mail servers

record:    example.com IN SPF "v=spf1 ip6:2001:db8:4b17:1::200/128 -all"
effect:    only mail originating from IP address 2001:db8:4b17:1::200 should be accepted by other domains' mail servers

 

Here is the network / DNS map using the second example:

WS7w.gif

 

A few more notes about SPF records:

1. Historically, a TXT record was used before the SPF record type was specified in an RFC. Some mail servers still check for TXT 'SPF' records, so the best practice is to register both a TXT and an SPF record. Example:

example.com IN TXT "v=spf1 ip6:2001:db8:4b17:1::200/128 -all"
example.com IN SPF "v=spf1 ip6:2001:db8:4b17:1::200/128 -all"

2. The SPF record syntax is quite subtle. Please see www.openspf.org/SPF_Record_Syntax for complete details. As an example, the SPF record can refer to FQDNs or MX records instead of plain IP addresses for more flexibility; they'll get resolved to IP addresses. Or you can state a looser policy explicitly.

3. Registering the TXT 'SPF' and the SPF records prevents our domain name from being spoofed, and thus from being considered dubious and blacklisted by other domains' mail servers.

4. There are some scripted SPF record generation tools on the Internet. Microsoft's is interesting. Just google 'Sender ID Framework SPF Record Wizard'.

hMailServer tips

E-mail folder location:

C:\Program Files (x86)\hMailServer\Data

 

 

 

Client mail message deletion:

If the Thunderbird settings are right, deleted messages are deleted from the server at the next POP3/SMTP request.

To clear all messages of an account on the server:

hMailServer Manager > Account > Advanced > Empty account

 

 

To watch a particular port's traffic with Wireshark, type in the filter box:

tcp.port eq 995    filters TCP port 995
tcp.port eq 465    filters TCP port 465

 

Published by computer outlines in Windows Server 2008 R2