Tuesday, June 28, 2016

Connecting Postfix to a corporate Outlook server


You may wish to test sending mail without authenticating, but if you are in a company whose Outlook server has strong security constraints, the relay of unauthenticated mail will be refused. Here is a way to turn a Postfix server into a relay that accepts unauthenticated mail from your network and forwards it to the corporate server with your own credentials.

You should edit the file /etc/postfix/main.cf and add the following lines.

# This line means that mail addressed to someone@mydomainname will not be relayed to the other server.
relay_domains = mydomainname

# These rewrite rules make every mail appear to be issued by you (always).
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps

# This enables Postfix to authenticate when using the SMTP relay host.
smtp_sasl_auth_enable = yes
# Mechanisms used to initiate the authentication dialog.
smtp_sasl_mechanism_filter = login ntlm
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
# Your password is stored in this file (see below).
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Note: smtp_tls_security_level is not set here, so the session to the relay host
# (including the authentication) is not protected by TLS; setting
# smtp_tls_security_level = encrypt makes Postfix require STARTTLS on port 587.

# It is preferable to restrict relaying to your own network.
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination permit

myhostname = toulouse.infosys.com
mydomain = toulouse.infosys.com
relayhost = [my.outlook.corporateserver.com]:587
myorigin = $myhostname

# mydestination = $myhostname, localhost.$mydomain, localhost
# Listen on all interfaces
inet_interfaces = all
# Empty mydestination: nothing is delivered locally, everything goes to the relay host
mydestination =
mynetworks = 10.161.86.0/24 127.0.0.0/8


The file /etc/postfix/sender_canonical_maps contains the following rule, which rewrites all headers so that every mail appears to be issued by my.email@mycompany.com:

/.+/    my.email@mycompany.com

The file /etc/postfix/sasl_passwd contains the credentials for the relay host:
[my.outlook.corporateserver.com]:587    my.email:My-P4ssw0rD


You should then hash this file:

postmap /etc/postfix/sasl_passwd

Then restart Postfix:

service postfix restart

Don't forget to open the firewall on port 25. All the mail you send to the Postfix server will be relayed to the corporate server under your name.
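As an added check that is not part of the original post, here is a small shell script that verifies a relay configuration of the kind shown above before Postfix is restarted: that the relayhost has a matching line in sasl_passwd, that sasl_passwd is readable by its owner only (it holds a clear-text password), that the hashed .db file exists and is not older than the text file, and that smtp_tls_security_level requires TLS toward the relay host, since the configuration above does not set it and the session to the corporate server is then not encrypted. The function names and the sample files built for the demo are my own, not the post's.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a Postfix relay
# configuration of the kind shown above before restarting Postfix.
# check_relay_config MAIN_CF SASL_PASSWD verifies that
#   1. the relayhost in main.cf has a matching credential line in sasl_passwd,
#   2. sasl_passwd is readable by its owner only (it contains a clear-text password),
#   3. sasl_passwd.db exists and is not older than sasl_passwd (postmap was re-run),
#   4. smtp_tls_security_level requires TLS, so the session to the relay host is encrypted.
# The function names and the sample files built by make_sample_dir are my own.

check_relay_config() {
    main_cf=$1
    passwd=$2
    rc=0

    # "relayhost = [host]:587"  ->  "[host]:587" (last assignment wins, as in Postfix)
    relayhost=$(sed -n 's/^[[:space:]]*relayhost[[:space:]]*=[[:space:]]*//p' "$main_cf" | tail -n 1)
    if [ -z "$relayhost" ]; then
        echo "FAIL: relayhost is not set in $main_cf"
        rc=1
    elif ! awk -v h="$relayhost" '$1 == h { found = 1 } END { exit !found }' "$passwd"; then
        echo "FAIL: no credential line for $relayhost in $passwd"
        rc=1
    fi

    # Columns 5-10 of "ls -l" are the group and other permission bits.
    if [ "$(ls -l "$passwd" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $passwd is readable by group or others (chmod 600 $passwd)"
        rc=1
    fi

    if [ ! -e "$passwd.db" ] || [ "$passwd" -nt "$passwd.db" ]; then
        echo "FAIL: $passwd.db is missing or older than $passwd (run: postmap $passwd)"
        rc=1
    fi

    if ! grep -Eq '^[[:space:]]*smtp_tls_security_level[[:space:]]*=[[:space:]]*(encrypt|verify|secure|dane-only|fingerprint)' "$main_cf"; then
        echo "FAIL: smtp_tls_security_level does not require TLS in $main_cf"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $main_cf"
    return "$rc"
}

# Build constructed sample files in a temporary directory and print its path.
make_sample_dir() {
    sample_dir=$(mktemp -d)
    # Same settings as the post (no TLS level).
    cat > "$sample_dir/main.cf.weak" <<'EOF'
relayhost = [my.outlook.corporateserver.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
EOF
    # The same file with an explicit TLS requirement toward the relay host.
    { cat "$sample_dir/main.cf.weak"; echo "smtp_tls_security_level = encrypt"; } > "$sample_dir/main.cf.fixed"
    # Constructed credential line with a placeholder password, locked down and "hashed".
    printf '%s\n' "[my.outlook.corporateserver.com]:587    my.email:PLACEHOLDER-PASSWORD" > "$sample_dir/sasl_passwd"
    chmod 600 "$sample_dir/sasl_passwd"
    touch "$sample_dir/sasl_passwd.db"   # stands in for the output of: postmap sasl_passwd
    printf '%s\n' "$sample_dir"
}

# Demo: the post's configuration fails the TLS check, the fixed one passes.
sample=$(make_sample_dir)
check_relay_config "$sample/main.cf.weak"  "$sample/sasl_passwd"
check_relay_config "$sample/main.cf.fixed" "$sample/sasl_passwd"
rm -rf "$sample"
```

On a real server the call is `check_relay_config /etc/postfix/main.cf /etc/postfix/sasl_passwd`, run as root so that the permission bits of the password file can be read.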


 

Deactivating SELinux on CentOS



You can run into a lot of nasty issues with the SELinux security component. In my experience, when you want to run something behind your Apache httpd server, it is best to put SELinux in permissive mode. Typically, SELinux can
- prevent a Tomcat AJP connector from running on a port like 8019, allowing only the default port 8009
- prevent the svn DAV module from accessing files that are not under /var/www
- prevent Samba file sharing from seeing files in a directory (while the directory itself can be seen)


All of these effects are very weird when you first see them; that is why I recommend deactivating SELinux when you set up a new server. If your server will be exposed to the internet, you can harden it afterwards by activating SELinux.

The principle behind SELinux is that a process must pass a set of rules before it is allowed to access a resource. The resource can be a
- socket
- process
- file

For instance, rules could be set so that httpd cannot access any resource on the computer, and this applies on top of the classic OS permissions.

The big issue with SELinux is that nothing goes into the classic error logs; it is a very dry denial. So if you face an issue on an httpd server that you don't understand, it is worth deactivating SELinux and seeing what happens.
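Added example, not from the original post: SELinux denials do not show up in the httpd error log, but they are recorded in the audit log (/var/log/audit/audit.log) as type=AVC records. The shell function below summarises those records per process, object class, permission and mode, which shows what is being blocked, or, in permissive mode, what would be blocked, before deciding to disable SELinux. The audit lines used in the demo are constructed and mirror the httpd and Samba cases mentioned above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: before switching SELinux off, look
# at what it actually denied. Denials are not in the daemon's error log but in
# the audit log as "type=AVC" records. summarize_avc FILE counts them per
# process name, object class, permission and mode (enforcing or permissive).
# The audit lines produced by make_sample_audit_log are constructed samples.

summarize_avc() {
    awk '
    /^type=AVC / && / denied / {
        comm = "?"; tclass = "?"; perm = "?"; mode = "enforcing"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)        { comm = substr($i, 6); gsub("\"", "", comm) }
            if ($i ~ /^tclass=/)      { tclass = substr($i, 8) }
            if ($i == "{")            { perm = $(i + 1) }      # "{ read }" -> read
            if ($i == "permissive=1") { mode = "permissive" }  # logged, not blocked
        }
        count[comm " " tclass " " perm " " mode]++
    }
    END {
        for (k in count) print count[k], k
    }' "$1" | sort -rn
}

# Write a constructed audit log (values invented for the demo) and print its path.
make_sample_audit_log() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
type=AVC msg=audit(1467100000.101:201): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=8019 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1467100001.102:202): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=8019 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1467100002.103:203): avc:  denied  { read } for  pid=1305 comm="httpd" name="repo.db" dev="sda1" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1467100002.103:203): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1467100003.104:204): avc:  denied  { getattr } for  pid=1400 comm="smbd" path="/srv/share/doc.txt" dev="sda1" ino=4812 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
EOF
    printf '%s\n' "$sample"
}

# Demo: httpd blocked twice from connecting to the AJP port 8019, once from
# reading a file; smbd only logged (permissive=1) for a file in the share.
log=$(make_sample_audit_log)
summarize_avc "$log"
rm -f "$log"
```

On a real server the call is `summarize_avc /var/log/audit/audit.log`; the same records are what `audit2allow` reads when building a policy module, which is the alternative to leaving SELinux disabled once the server is exposed.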

You can switch the system into permissive mode with the following command (0 means permissive, 1 means enforcing):

setenforce 0

To check what mode the system is in:

cat /selinux/enforce

The above switches off enforcement temporarily, until you reboot the system. If you want the system to always start in permissive mode, here is how to do it. On Fedora Core and Red Hat Enterprise Linux, edit /etc/selinux/config; you will see lines like this:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted


To get your current status, you can type:
sestatus

Starting a program when the OS starts up on CentOS 7


When you have a server, it is good for a program to be up at boot time. To do this, you should have a script that starts the application/server in the /etc/init.d/ folder.

To create a script of your own, the best approach is to copy an existing file and adapt it. The main idea is that the script should allow you to start, stop and get the status of the application.

For instance, let's consider a script starting an Apache DS LDAP server.


#!/bin/bash
# Source function library.
. /etc/rc.d/init.d/functions
#
# The chkconfig line below gives the run levels in which the program is activated,
# here levels 3, 4 and 5 (standard Linux run levels: 3 is multi-user, 4 is rarely
# used, 5 is multi-user with graphics).
# The next number (99) is the start priority: 99 is the lowest, so Apache DS is
# started after all other programs have been started.
# The last number (01) is the stop priority: 01 is the highest, so Apache DS is
# stopped first.
# chkconfig: 345 99 01
# description: LDAP startup script

# Run the Apache DS control script as the ldap user.
start() {
    runuser - ldap -c "cd /home/ldap/apacheds-2/; bin/apacheds.sh default start"
}

stop() {
    runuser - ldap -c "cd /home/ldap/apacheds-2/; bin/apacheds.sh default stop"
}

status() {
    runuser - ldap -c "cd /home/ldap/apacheds-2/; bin/apacheds.sh default status"
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        status
        ;;
  *)
        echo $"Usage: $0 {start|stop|status}"
        exit 2
esac

exit $?

Once you have created this script, you should add it to the list of services:

# chkconfig --add apacheds

This creates symbolic links in /etc/rc3.d, /etc/rc4.d and /etc/rc5.d.

To check this, you can run the command:

# chkconfig --list apacheds

 
apacheds        0:off   1:off   2:off   3:on    4:on    5:on    6:off
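Added example, not from the original post: the chkconfig header in the script determines which symbolic links chkconfig --add creates. The shell function below reads the '# chkconfig: 345 99 01' line and prints them: S99 start links in levels 3, 4 and 5 and, going a bit beyond the text above, the K01 kill links that chkconfig also creates in the other run levels so the service is stopped cleanly when the system changes level. The sample script is written to a temporary directory for the demo, and the function name is my own.

```shell
#!/bin/sh
# Added example, not from the original post: derive the symbolic links that
# "chkconfig --add" creates from the "# chkconfig: LEVELS START STOP" header of
# an init script. Start links (S<START><name>) go into the listed run levels;
# kill links (K<STOP><name>) go into every other run level. A LEVELS value of
# "-" (no default levels) therefore yields kill links only. Function name is my own.

chkconfig_links() {
    script=$1
    name=$(basename "$script")
    header=$(grep '^# chkconfig:' "$script" | head -n 1)
    if [ -z "$header" ]; then
        echo "no '# chkconfig:' header in $script" >&2
        return 1
    fi
    set -- $header            # $3 = levels, $4 = start priority, $5 = stop priority
    levels=$3
    start=$4
    stop=$5
    for level in 0 1 2 3 4 5 6; do
        case "$levels" in
            *"$level"*) echo "/etc/rc$level.d/S$start$name" ;;
            *)          echo "/etc/rc$level.d/K$stop$name" ;;
        esac
    done
}

# Demo on a constructed script carrying the header used in the post.
demo_dir=$(mktemp -d)
printf '%s\n' '#!/bin/bash' '# chkconfig: 345 99 01' '# description: LDAP startup script' > "$demo_dir/apacheds"
chkconfig_links "$demo_dir/apacheds"
rm -rf "$demo_dir"
```

For the header in the post this prints K01apacheds links in rc0.d, rc1.d, rc2.d and rc6.d and S99apacheds links in rc3.d, rc4.d and rc5.d, which is what `chkconfig --list apacheds` summarises as 3:on 4:on 5:on.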