Matt Simerson edited this page May 17, 2023 · 12 revisions

See Also

The Let's Encrypt page has additional resources for TLS testing.

Create jail 'mailtest'

Keep all the testing stuff in a jail.

. mail-toaster.sh && provision mailtest

Test SMTP

Send an email with swaks:

jexec mailtest swaks -to postmaster@$TOASTER_MAIL_DOMAIN -server $(get_jail_ip haraka)
=== Trying 172.16.15.9:25...
=== Connected to 172.16.15.9.
<-  220 haraka ESMTP Haraka 2.7.2 ready
 -> EHLO mailtest
<-  250-haraka Hello mailtest [172.16.15.11], Haraka is at your service.
<-  250-PIPELINING
<-  250-8BITMIME
<-  250-SIZE 26214400
<-  250 STARTTLS
 -> MAIL FROM:<root@mailtest>
<-  250 sender <root@mailtest> OK
 -> RCPT TO:<[email protected]>
<-  250 recipient <[email protected]> OK
 -> DATA
<-  354 go ahead, make my day
 -> Date: Mon, 14 Dec 2015 20:45:18 -0800
 -> To: [email protected]
 -> From: root@mailtest
 -> Subject: test Mon, 14 Dec 2015 20:45:18 -0800
 -> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
 -> 
 -> This is a test mailing
 -> 
 -> .
<-  250 ok 1450154720 qp 21123 (E0CD6466-E60A-42A2-8612-2F7FF334D884.1)
 -> QUIT
<-  221 haraka closing connection. Have a jolly good day.
=== Connection closed with remote host.

Voila, Haraka accepted the message.

Test with TLS

Make sure encryption is set up properly:

jexec mailtest swaks -to postmaster@$TOASTER_MAIL_DOMAIN -server $(get_jail_ip haraka) -tls
<snip>
<-  250 STARTTLS
 -> STARTTLS
<-  220 Go ahead.
=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/C=US/ST=Wash/L=Seat/O=TNPI/CN=imac27.simerson.net"
 ~> EHLO mailtest
<~  250-haraka Hello mailtest [172.16.15.11], Haraka is at your service.
<snip>

The connection was TLS encrypted and the message was again delivered.
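
An added example, not part of the original wiki or the Mail Toaster code: a small sh function that audits a saved swaks transcript instead of reading it by eye. It relies on swaks marking plaintext traffic with "->" / "<-" and TLS-protected traffic with "~>" / "<~"; the function names, the sample transcript and the example.test address are constructed for illustration.

```sh
#!/bin/sh
# swaks prefixes plaintext traffic with "->"/"<-" and TLS traffic with "~>"/"<~".

# Usage: check_swaks_tls [min_tls_minor] < transcript   (default 2 = TLSv1.2)
# Prints findings and returns 0 only when every check passes.
check_swaks_tls() {
    awk -v min="${1:-2}" '
        /^<- +250[- ]STARTTLS/ { offered = 1 }
        /^=== TLS started with cipher / {
            split($6, f, ":"); proto = f[1]; cipher = f[2]; tls = 1
            minor = (proto == "TLSv1") ? 0 : -1
            if (proto ~ /^TLSv1\.[0-9]+$/) minor = substr(proto, 7) + 0
        }
        /^ -> (MAIL FROM|RCPT TO|DATA)/ { clear++ }       # envelope in cleartext
        /^<~ +250 / && dot              { accepted = 1 }  # final 250 inside TLS
        /^ ~> \.$/                      { dot = 1 }       # end of DATA inside TLS
        END {
            if (!offered)         { print "FAIL: STARTTLS not advertised"; bad = 1 }
            if (!tls)             { print "FAIL: TLS never started"; bad = 1 }
            else if (minor < min) { print "FAIL: weak protocol " proto; bad = 1 }
            if (clear)     { print "FAIL: " clear " envelope command(s) in cleartext"; bad = 1 }
            if (!accepted) { print "FAIL: no acceptance seen inside TLS"; bad = 1 }
            if (!bad) print "OK: " proto " " cipher ", message accepted over TLS"
            exit bad + 0
        }'
}

# Constructed transcript in the shape of the TLS session shown above.
sample_tls() { cat <<'EOF'
<-  250 STARTTLS
 -> STARTTLS
<-  220 Go ahead.
=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
 ~> MAIL FROM:<root@mailtest>
<~  250 sender <root@mailtest> OK
 ~> RCPT TO:<postmaster@example.test>
<~  250 recipient <postmaster@example.test> OK
 ~> DATA
<~  354 go ahead, make my day
 ~> .
<~  250 ok (constructed queue id)
EOF
}

# The same constructed session as it would look with no STARTTLS at all.
sample_plain() { sample_tls | sed '/STARTTLS/d;/^===/d;/^<-  220/d;s/^ ~>/ ->/;s/^<~/<-/'; }

sample_tls | check_swaks_tls
sample_plain | check_swaks_tls || echo "plaintext session rejected"
```

Against a live server, pipe the swaks -tls command shown above into check_swaks_tls; pass 3 as the argument to require TLSv1.3.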

What happened to our messages?

cat $ZFS_JAIL_MNT/haraka/var/log/maillog

See the output.

Upon reading the haraka logs, we can see that the message was scanned by spamassassin, clamav, avg, and a few other Haraka plugins. After passing all the filter checks, it was forwarded to the vpopmail jail.

We can also see what happened to the messages next:

cat $ZFS_JAIL_MNT/vpopmail/var/log/maillog
Dec 14 20:45:20 vpopmail qmail: 1450154720.929402 new msg 28724
Dec 14 20:45:20 vpopmail qmail: 1450154720.930006 info msg 28724: bytes 1066 from <root@mailtest> qp 21123 uid 89
Dec 14 20:45:20 vpopmail qmail: 1450154720.934323 starting delivery 2: msg 28724 to local [email protected]
Dec 14 20:45:20 vpopmail qmail: 1450154720.934696 status: local 1/10 remote 0/20
Dec 14 20:45:20 vpopmail qmail: 1450154720.938745 delivery 2: success: did_0+0+1/
Dec 14 20:45:20 vpopmail qmail: 1450154720.938842 status: local 0/10 remote 0/20
Dec 14 20:45:20 vpopmail qmail: 1450154720.938875 end msg 28724

Qmail accepted the message and piped it to vdelivermail (part of vpopmail), which then dropped it into the postmaster's Maildir-format mailbox. We can see the message file itself:

# ls $ZFS_JAIL_MNT/vpopmail/usr/local/vpopmail/domains/imac27.simerson.net/postmaster/Maildir/new/                                
1450154720.21125.vpopmail,S=1132  1450156139.21436.vpopmail,S=1203

Those are the messages we just sent.

Check emails simulating a MUA

Check with POP3

# nc $(get_jail_ip dovecot) 110
+OK Mail Toaster (Dovecot) ready.
user [email protected]
+OK
pass %99#7DRTyb1eLk
+OK Logged in.
list
+OK 2 messages:
1 1158
2 1230
.
quit
+OK Logging out.

Check with IMAP

# nc $(get_jail_ip dovecot) 143
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Mail Toaster (Dovecot) ready.
. login [email protected] %99#7DRTyb1eLk
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE QUOTA] Logged in
. EXAMINE INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS ()] Read-only mailbox.
* 2 EXISTS
* 0 RECENT
* OK [UNSEEN 1] First unseen.
* OK [UIDVALIDITY 1450156592] UIDs valid
* OK [UIDNEXT 3] Predicted next UID
* OK [HIGHESTMODSEQ 1] Highest
. OK [READ-ONLY] Examine completed (0.000 + 0.000 secs).
. logout
* BYE Logging out
. OK Logout completed.

I've got two messages in my inbox.

IMAP SSL

Same as above but with TLS encryption:

openssl s_client -connect $(get_jail_ip dovecot):993

Webmail

Get the URL to your server to copy/paste into your web browser:

get_public_ip && echo http://$PUBLIC_IP4/

Point a web browser at your server's public IP and you should be treated to an HTML5 index page with links to the web interfaces of installed applications.
