Wednesday, April 27, 2016

Restricting specific users from sending email to external domains in Postfix

Postfix is a free and open-source mail transfer agent (MTA) that routes and delivers electronic mail; it was written as an alternative to the Sendmail MTA.
When configuring a mail server, especially for a small company, there is sometimes a requirement to restrict some users from sending email to the Internet, allowing them to send only to the local domain or to a short list of domains.
This howto shows how to add that extra functionality. It assumes you already have a working mail server on which users can send and receive email. Below are the steps.

a. Create a lookup table that catches the specific email addresses which should be restricted.
i. Change to root and open the main Postfix configuration file.

 ~$ sudo su -
 ~# vim /etc/postfix/main.cf
ii. Add a rule that catches the limited addresses.
The rule must be the first entry in smtpd_sender_restrictions, as below. Keep whatever entries you already had (for example permit_mynetworks or permit_sasl_authenticated) after it:

smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/restricted_senders,

Postfix evaluates a restriction list top to bottom and stops at the first match. If you put the rule below any permit rule, the permit fires first for your own users and the restriction never runs.

b. Create the lookup table and add the addresses which should be restricted. I am using the jarasyola.co.tz domain for demonstration only; use your actual domain in a real implementation.
vim /etc/postfix/restricted_senders
Add the email addresses which should be restricted to the file created above and save:

james@jarasyola.co.tz  local_only
vanessa@jarasyola.co.tz local_only

A hash: table is not read directly from the text file. Compile it with postmap (postmap /etc/postfix/restricted_senders) and repeat that after every edit, otherwise Postfix keeps using the old contents.


c. i. The rule above says to route restricted senders to a ruleset called "local_only". You need to declare it as a restriction class before you can add rules to it. Open main.cf and add the local_only ruleset as a restriction class.

smtpd_restriction_classes = local_only
ii. Then define the restriction class "local_only" and add its rules. They are executed top to bottom; first match wins:
local_only =
check_recipient_access hash:/etc/postfix/local_domains,
reject
The two settings should look as above in the Postfix main.cf configuration file.



d. Lastly, define the local domains to which restricted users are allowed to send; here I allow my local domain only.
Create a file

vim /etc/postfix/local_domains

add the domain(s)

jarasyola.co.tz   OK

Compile this table too (postmap /etc/postfix/local_domains) and reload Postfix (postfix reload). If the recipient domain is not in /etc/postfix/local_domains, Postfix moves on to the next rule in "local_only", which is "reject". reject is a static action: it always matches when Postfix reaches it. That gives exactly what we want: either the recipient domain is in /etc/postfix/local_domains, or the request (RCPT TO) is rejected. This works even though the class is entered from smtpd_sender_restrictions, because with the default smtpd_delay_reject = yes Postfix evaluates all restrictions at RCPT TO time, when the recipient is already known. One caveat a practitioner should be aware of: check_sender_access matches the envelope sender the client sends in MAIL FROM, which the user controls, so a restricted user who simply types an unrestricted colleague's address as the sender bypasses this rule. To close that hole, map each address to the SASL login that owns it in smtpd_sender_login_maps and add reject_sender_login_mismatch to smtpd_sender_restrictions ahead of the permit rules.
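The whole setup in one runnable script, added here as an example and not code from the original post or from the Postfix project. It writes the two lookup tables from the howto into a scratch directory, prints the main.cf settings, and mirrors Postfix's first-match evaluation in a small shell function so you can predict what a (login, sender, recipient) combination gets before you reload. The demo domain and users are the post's; the sender_logins table, the boss account, the example.com recipient and the reject_sender_login_mismatch entry are my additions to show the MAIL FROM forgery caveat and its fix.

```shell
#!/bin/sh
# Added example; not code from the original post or from the Postfix project.
# Assumptions: demo domain/users from the post; sender_logins, the boss
# account and reject_sender_login_mismatch are my additions.
set -eu
CONF_DIR="${CONF_DIR:-$(mktemp -d)}"   # on a real server this is /etc/postfix

write_tables() {
    cat > "$CONF_DIR/restricted_senders" <<'EOF'
james@jarasyola.co.tz    local_only
vanessa@jarasyola.co.tz  local_only
EOF
    cat > "$CONF_DIR/local_domains" <<'EOF'
jarasyola.co.tz    OK
EOF
    # Envelope sender -> SASL login that owns it.  Must list EVERY account
    # that sends authenticated mail, restricted or not, otherwise
    # reject_sender_login_mismatch rejects the unlisted ones as well.
    cat > "$CONF_DIR/sender_logins" <<'EOF'
james@jarasyola.co.tz    james
vanessa@jarasyola.co.tz  vanessa
boss@jarasyola.co.tz     boss
EOF
    # Real server: hash: tables are read only after compiling them, and you
    # must recompile after every edit, then reload:
    #   postmap /etc/postfix/restricted_senders /etc/postfix/local_domains \
    #           /etc/postfix/sender_logins && postfix reload
    # Check a single key the way Postfix sees it:
    #   postmap -q james@jarasyola.co.tz hash:/etc/postfix/restricted_senders
}

# main.cf settings; apply on a real server with  postconf -e 'name = value'
# reject_sender_login_mismatch sits first so a restricted user cannot dodge
# check_sender_access by typing an unrestricted address in MAIL FROM.
main_cf_settings() {
    cat <<'EOF'
smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/local_domains, reject
smtpd_sender_login_maps = hash:/etc/postfix/sender_logins
smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    check_sender_access hash:/etc/postfix/restricted_senders,
    permit_mynetworks,
    permit_sasl_authenticated
EOF
}

# lookup KEY TABLE -> the action column, or nothing if KEY is absent.
# Stands in for "postmap -q KEY hash:TABLE"; it matches exact keys only,
# while real access maps also try parent domains.
lookup() { awk -v k="$1" '$1 == k { print $2; exit }' "$2"; }

# decide LOGIN SENDER RECIPIENT -> OK or reject, walking the chain above:
# login mismatch -> sender table -> local_only class (recipient table, reject)
decide() {
    login=$1 sender=$2 rcpt=$3
    owner=$(lookup "$sender" "$CONF_DIR/sender_logins")
    if [ "$owner" != "$login" ]; then echo reject; return; fi
    cls=$(lookup "$sender" "$CONF_DIR/restricted_senders")
    if [ "$cls" = "local_only" ]; then
        act=$(lookup "${rcpt#*@}" "$CONF_DIR/local_domains")
        if [ "$act" = "OK" ]; then echo OK; else echo reject; fi  # reject is static
        return
    fi
    echo OK   # unrestricted sender: falls through to the permit_* entries
}

write_tables
main_cf_settings
for t in "james james@jarasyola.co.tz boss@jarasyola.co.tz" \
         "james james@jarasyola.co.tz friend@example.com"   \
         "james boss@jarasyola.co.tz friend@example.com"    \
         "boss boss@jarasyola.co.tz friend@example.com"; do
    set -- $t
    echo "login=$1 from=$2 to=$3 -> $(decide "$1" "$2" "$3")"
done
```

The third case is the forgery attempt: james logs in as james but claims boss@jarasyola.co.tz in MAIL FROM. Without reject_sender_login_mismatch the sender table would not match and the mail would go out; with it the login mismatch is rejected before the sender table is consulted. Note that an empty login (an unauthenticated client) matched against an address with no owner passes the mismatch check, so inbound Internet mail to your users is unaffected.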

Drop a comment if you face any difficulty implementing the setup. See you in the next post.

Friday, April 22, 2016

CSF firewall installation and configuration for VOIP/PBX systems-Part 1

When installing any PBX/VOIP system, security is one of the first things to consider: a compromised system can cause large losses, especially in money, since attackers use hijacked PBXs to place calls on your account. There are different ways of securing VOIP/PBX systems, but this howto explains how to lock the box down completely: block all the standard ports from the Internet, make management reachable only from a specified subnet, and open only the ports users need to place and receive calls.
This howto is divided into two main parts: part 1 covers firewall installation and part 2 covers configuring the firewall to meet your needs. The steps are:

a. Webmin installation
b. Csf Installation
c. Firewall configuration

a. Webmin Installation
Webmin is a web-based graphical administration tool for Unix-like systems. It manages services such as user management, disk management, networking, iptables (firewall), cron, Apache, DNS, file sharing and much more. Like cPanel, it is a web hosting control panel that provides an easy-to-use interface for managing Unix-like systems.

i. Install required packages first.
# yum -y install perl perl-Net-SSLeay openssl perl-IO-Tty

ii. Install Webmin.

Check for the latest version at http://www.webmin.com/download.html. At the time of writing the latest version is 1.791.
# yum -y install http://prdownloads.sourceforge.net/webadmin/webmin-1.791-1.noarch.rpm


The installation goes automatically into /usr/libexec/webmin; the administration username is root and the password is your current root password. You should now be able to log in to Webmin at https://localhost:10000/ (with perl-Net-SSLeay installed, as above, Webmin enables SSL by default; if that gives no response, try http://). When accessing it remotely, replace localhost with your system's IP address. Because this login takes the system root password, do not leave port 10000 reachable from the Internet: restrict it to your management subnet in the firewall and in Webmin's own IP Access Control.




More tweaks:
- Starting, stopping and restarting the service:
# /etc/init.d/webmin start
# /etc/init.d/webmin stop
# /etc/init.d/webmin restart
# /etc/init.d/webmin status
- Changing the Webmin root password

In order to change the Webmin root account password use the following command. (Note: it will not change your system's root password.)

- Changing the Webmin default port
If you do not want to run Webmin on the default port, change it as follows.

Log in to Webmin as root >> Webmin >> Webmin Configuration >> Ports and Addresses, and change the port there. Restart the service afterwards.


b. Csf Installation

CSF (ConfigServer Firewall) is generally considered a more advanced firewall, as it has more configuration options than other firewall front ends, while still being simple enough that even novice administrators can install and configure it. An alternative to CSF is the Advanced Policy Firewall (APF).
Installing CSF is as simple as downloading the source archive to your server and running its installer. Follow the steps below.

i. Change to the src directory and remove any existing csf archive.
# cd /usr/src
# rm -fv csf.tgz
ii. Download the firewall and extract the downloaded file
# wget https://download.configserver.com/csf.tgz
# tar -xzf csf.tgz
iii. Change to csf directory and run installation script
# cd csf
# sh install.sh
iv. Test whether you have the required iptables modules:
# perl /usr/local/csf/bin/csftest.pl
Don't worry if you cannot use every feature, as long as the script doesn't report any FATAL errors.

v. Remove old CSF/APF firewalls

You should not run any other iptables firewall configuration script alongside CSF. For example, if you previously used APF+BFD, remove that combination (you must do this if they are installed, otherwise they will conflict):
# sh /usr/local/csf/bin/remove_apf_bfd.sh
vi. Integrating CSF with webmin

In order to manage the csf firewall from a web browser via Webmin you need to integrate it into Webmin.
Install the csf webmin module in:
  Webmin > Webmin Configuration > Webmin Modules >
  From local file > /usr/local/csf/csfwebmin.tgz > Install Module

To access the CSF configuration via Webmin go to System > Security & Firewall



vii. Uninstalling the CSF firewall

Removing csf and lfd is even simpler:
# cd /etc/csf
# sh uninstall.sh
viii. Removing a warning

In case you get the warning below when accessing the CSF firewall via Webmin:

*WARNING* URLGET set to use LWP but perl module is not installed, reverting to HTTP::Tiny

install the missing perl module with:
# yum install perl-libwww-perl
That's it. Check out part 2 for the VOIP firewall configuration.



Friday, April 15, 2016

How to stream movies on Samsung smart TV using Popcorn Time in Linux

If you are a movie and torrent lover you might have heard of Popcorn Time. For those new to it, Popcorn Time is a multi-platform, free-software BitTorrent client that includes an integrated media player. It provides a free alternative to subscription-based video streaming services (such as Netflix). Popcorn Time uses sequential downloading to stream video listed by several torrent websites (other trackers can be added and used manually).
The software has been shut down several times due to copyright issues but is available again. I am going to explain step by step how to stream movies to a smart TV from Popcorn Time running on a Linux machine (Deepin Linux, which is based on Ubuntu 14) in the following easy steps.

a. Download the Popcorn Time software from its current official site.

The current site is  https://popcorntime.sh/


Save the file anywhere you prefer; mine goes to Downloads.

b. Extract the downloaded file.

The extracted folder will be called Linux, but you may rename it to anything you prefer.

c. Open the extracted folder and run the file called Popcorn-Time.

Inside the extracted folder you will find 3 folders and 8 files. Run the Popcorn-Time file to start the application.

d. Choose a movie, series, anime etc. of your choice and start streaming.

Below is what I chose for the demonstration.


e. Connect Popcorn Time to the Samsung smart TV.

If your smart TV is connected to the same network as your computer, it appears when you click the Watch now icon on the selected movie.

The Watch now icon lists the players the movie can be streamed to: TV (my Samsung LED smart TV), VLC (because it is installed on my machine) and butter (Popcorn Time's default player). Choose the Samsung TV and press Watch now.

f. Allow Popcorn Time to stream to your TV and enjoy.

If it is the first time Popcorn Time connects to your TV you may have to allow it to access the TV.

Once connected, the movie streams to the TV while the download is still in progress.

  
Keep enjoying the movies, see you next time.



Saturday, April 9, 2016

Configuring Mikrotik router to allow traffic from mail server running on LAN

It is normal to run a mail server inside the LAN if you have a reliable power supply, and keeping it behind the router is also one of the better ways of securing it. This howto explains how to configure a Mikrotik router to allow traffic to and from a mail server running in the LAN.

This how to assumes the following

  • X.X.X.X being your public IP,
  • mail.jarasyola.co.tz being the MX hostname of your domain, and
  • 192.168.1.200 being IP address of mail server.

The setup will have only three simple steps as below.


Step 1
Create NAT rules that forward inbound TCP traffic from any IP address to these ports on the server.

25 (SMTP)
110 (POP3)
143 (IMAP)
443 (HTTPS)
465 (SMTPS)
587 (Submission)
993 (IMAPS)
995 (POP3S)

I assume here that webmail and any other web access to the server is done on port 443 (HTTPS), since port 80 is used by the Mikrotik web interface.

Copy the following into a text editor, change the mail server IP (192.168.1.200) and the Mikrotik public IP (X.X.X.X), and paste the rules into the Mikrotik terminal. Two things to note: the rule set below also forwards port 22 (SSH), which is not in the list above; delete that rule unless you really need SSH to the mail server from the Internet, and if you keep it, add src-address= with the addresses allowed to connect, otherwise the server's SSH login is exposed to the whole Internet. Also, dst-nat only rewrites the destination; if your forward filter chain drops new connections coming from the WAN, you need matching accept rules for these ports as well.

/ip firewall nat
add action=dst-nat chain=dstnat comment="Email server port forwarding" \
    dst-address=X.X.X.X dst-port=25 protocol=tcp to-addresses=\
    192.168.1.200 to-ports=25
add action=dst-nat chain=dstnat dst-address=X.X.X.X  dst-port=22 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=22
add action=dst-nat chain=dstnat dst-address=X.X.X.X  dst-port=110 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=110
add action=dst-nat chain=dstnat dst-address=X.X.X.X  dst-port=143 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=143
add action=dst-nat chain=dstnat dst-address=X.X.X.X  dst-port=443 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=443
add action=dst-nat chain=dstnat dst-address=X.X.X.X  dst-port=465 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=465
add action=dst-nat chain=dstnat dst-address=X.X.X.X  dst-port=587 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=587
add action=dst-nat chain=dstnat dst-address=X.X.X.X  dst-port=993 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=993
add action=dst-nat chain=dstnat dst-address=X.X.X.X  dst-port=995 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=995

Step 2
Create a DNS redirect so that a static DNS entry on the router can be used for local access.

Copy and paste the following in the terminal.
/ip firewall nat
add action=redirect chain=dstnat comment="Dns redirect" dst-port=53 protocol=\
    udp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=tcp to-ports=53
The rules above redirect every DNS query leaving the LAN to the router itself, so the router answers (from its static entries or its cache) before anything is forwarded to the provider's DNS servers. Two things to check: the router must have allow-remote-requests=yes under /ip dns, and the redirect rules as written have no in-interface, so they also catch queries arriving on the WAN side. Add in-interface=!ether1-gateway (or your LAN interface) to both rules and make sure the input chain drops UDP and TCP 53 from the WAN, otherwise the router becomes an open resolver that can be abused for DNS amplification.

Step 3
Create the static entry for the mail server's MX hostname, so that traffic from within the LAN goes straight to the mail server's local IP instead of being sent to the public IP.
Copy and paste the following into the Mikrotik terminal, changing only the mail server IP and the MX hostname to reflect your own server.
/ip dns static
add address=192.168.1.200 name=mail.jarasyola.co.tz
That's all; the server will now work properly from within your LAN. To avoid being blacklisted for spam generated by other hosts on the network, you should also block port 25 for every computer other than the mail server, so that nobody else can send unauthorized email; that howto is the next one below, Blocking rogue mail server from LAN using Mikrotik.


Blocking rogue mail server from LAN using Mikrotik

A rogue mail server is any unauthorized mail server used to send email, usually spam. These are mostly compromised computers in the network which spammers use to send spam to the rest of the world through your public IP. The result is that your public IP ends up on the world's blacklists, which in turn blocks the normal operation of the legitimate mail server running in your network.
If you are running a mail server inside your LAN it is good practice to create firewall rules that allow only the mail server's IP to send and receive email on port 25 and block the rest.
In Mikrotik this takes three firewall lines, shown below.

Copy and paste the following on mikrotik terminal.
/ip firewall filter
add chain=forward comment="Allowing mail server" dst-port=25 out-interface=\
    ether1-gateway protocol=tcp src-address=192.168.1.200
add chain=forward comment="Allowing mail server" dst-address=192.168.1.200 \
    dst-port=25 in-interface=ether1-gateway log=yes protocol=tcp
add action=drop chain=forward comment="Blocking Spammers" dst-port=25 log=yes \
    protocol=tcp

The first two rules allow traffic leaving from and arriving at the mail server; the last rule drops any other traffic leaving the LAN on port 25, the port used for server-to-server mail delivery. Note that the drop rule has no out-interface, so it also drops routed port-25 traffic that the first two rules do not cover, for example clients on another subnet talking to your own server on 25; point mail clients at the submission ports (587 or 465) instead, which is where they belong anyway.
In these rules 192.168.1.200 is the mail server IP, so if you copy and paste them you must change that IP.
After that, sit back and relax: if your public IP still gets blacklisted, the spam originated from the mail server itself, which is easy to troubleshoot if the server is well configured and secured, and the log=yes on the drop rule tells you exactly which LAN hosts were trying to send mail directly.
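Since the "Blocking Spammers" rule logs every drop, the router log is also your list of infected machines. The script below is an added example (not from the original post or from MikroTik): it pulls the source addresses that hit the drop rule out of a saved copy of the RouterOS log and ranks them by number of attempts, which is what you hand to the person who has to clean the PCs. The log lines are constructed to resemble RouterOS firewall entries (topic, chain, in/out interface, proto, src:port->dst:port); the exact layout on your router version may differ slightly, so adjust the awk filter if the field order does. The interface name ether1-gateway and the mail server 192.168.1.200 are the post's values.

```shell
#!/bin/sh
# Added example; not code from the original post or from MikroTik.
# Fetch the log on a real router with, for example:
#   ssh admin@192.168.1.1 '/log print where topics~"firewall"' > fw.log
# then run:  blocked_smtp_sources fw.log 192.168.1.200
# Sample log lines below are constructed, not captured from a real router.
set -eu

# blocked_smtp_sources LOGFILE MAILSERVER_IP -> "count src_ip", busiest first,
# counting forwarded TCP connections that left via ether1-gateway towards
# port 25 from any LAN host other than the mail server.
blocked_smtp_sources() {
    awk -v ms="$2" '
        /forward:/ && /out:ether1-gateway/ && /proto TCP/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /->/) {                 # 192.168.1.55:49152->203.0.113.5:25,
                    split($i, ends, "->")
                    src = ends[1]; sub(/:[0-9]+$/, "", src)   # strip source port
                    dst = ends[2]; sub(/,$/, "", dst)          # strip trailing comma
                    if (dst ~ /:25$/ && src != ms) hits[src]++
                }
            }
        }
        END { for (s in hits) print hits[s], s }
    ' "$1" | sort -rn
}

# Constructed sample: two hosts talking to outside MX servers on 25, one
# inbound delivery to our server (allowed by rule 2), and one line from the
# mail server itself, which is excluded even if it ends up in the log.
sample_log() {
    cat <<'EOF'
apr/22 10:01:15 firewall,info forward: in:bridge1 out:ether1-gateway, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.1.55:49152->203.0.113.5:25, len 60
apr/22 10:01:16 firewall,info forward: in:bridge1 out:ether1-gateway, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.1.55:49153->198.51.100.9:25, len 60
apr/22 10:02:40 firewall,info forward: in:ether1-gateway out:bridge1, src-mac 66:77:88:99:aa:bb, proto TCP (SYN), 203.0.113.77:51000->192.168.1.200:25, len 60
apr/22 10:03:01 firewall,info forward: in:bridge1 out:ether1-gateway, src-mac 00:11:22:33:44:66, proto TCP (SYN), 192.168.1.200:34000->203.0.113.5:25, len 60
apr/22 10:03:05 firewall,info forward: in:bridge1 out:ether1-gateway, src-mac 00:11:22:33:44:77, proto TCP (SYN), 192.168.1.88:40001->192.0.2.10:25, len 60
EOF
}

LOG=$(mktemp)
sample_log > "$LOG"
echo "blocked direct-SMTP attempts per LAN host (count ip):"
blocked_smtp_sources "$LOG" 192.168.1.200
```

To make the grep unambiguous on a busy router, give the drop rule its own tag with /ip firewall filter set [find comment="Blocking Spammers"] log-prefix="SMTP-DROP" and match on that prefix instead of the interface name; a host that shows up here more than a handful of times a day is almost certainly running a spam bot and should be taken off the network until it is cleaned.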