If you have been following along, the previous three posts in this series outlined what I’ve developed (and some of the reasoning behind it) and then went through the setup and configuration of the environment.
To recap, we have a system running on Ubuntu Server and a Wi-Fi access point connected and configured for participants to join. Our system provides DNS resolution through bind, and some domains are already configured. At the moment, both cyberchef.local and ctf.local are available on the network. With both of these available, it’s easy to run capture-the-flag style exercises without the need of an internet connection.
In this post – we will go over the configuration of email using a combination of postfix, dovecot and roundcube (for the webmail client).
First, we will need to install postfix
sudo apt install postfix
This will start the postfix install process. When it comes to choosing the mail configuration type, select "Local only". Part of the setup will also require you to choose a hostname – I’m using intramail.local in this example. This hostname will also need to be configured in DNS.
With postfix now installed, we will need to do some additional configuration to make sure it works how we want it to.
vi /etc/postfix/main.cf
This file contains the majority of the configuration for postfix itself. The following changes / additions will need to be made:
Change inet_interfaces from loopback-only (the value the "Local only" install sets) to all
Additions:
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_base = /var/mail/vhosts
Next, we need to create and populate the list of virtual domains
sudo vi /etc/postfix/virtual_mailbox_domains
You can add each entry as a new line like so:
example1.local #example1.local
example2.local #example2.local
Once that’s been filled out, you will need to run the following command so that postfix can read it
sudo postmap /etc/postfix/virtual_mailbox_domains
This command will also need to be run any time you update the file (like when new domains are added, etc).
Next, we need to enable the Postfix submission service, which mail clients use to send mail.
sudo vi /etc/postfix/master.cf
Uncomment the following line:
#submission inet n - y - - smtpd
With postfix configured, it’s time to install dovecot
sudo apt install dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd
Once it’s installed there will be some further configuration required. The first of these is to set up where dovecot looks for mail on the system.
sudo vi /etc/dovecot/conf.d/10-mail.conf
In this file, you need to find the following entry:
mail_location = mbox:~/mail:INBOX=/var/mail/%u
And change it to the following
mail_location = maildir:/var/mail/vhosts/%d/%n
This change will require the creation of virtual host folders for each domain we need to use for email.
sudo mkdir -p /var/mail/vhosts/example.local
Run the above command for each domain you want to set up for mail. Next, create a virtual mail user and group for Dovecot to use.
sudo groupadd -g 5000 vmail
sudo useradd -r -g vmail -u 5000 vmail -d /var/mail/vhosts -c "Virtual mail user"
sudo chown -R vmail:vmail /var/mail/vhosts/
The next step is to enable IMAP, POP3 and LMTP.
sudo vi /etc/dovecot/conf.d/10-master.conf
You will need to ensure that the following sections are uncommented by deleting the # at the beginning of each line. (NOTE: because this is only being used for internal delivery for exercise / testing purposes, we won’t need to enable TLS/SSL.)
...
inet_listener imap {
  port = 143
}
...
inet_listener pop3 {
  port = 110
}
...
Next, the lmtp service needs to be enabled. Look for the following section:
...
service lmtp {
  unix_listener lmtp {
    #mode = 0666
  }
  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port =
  #}
}
...
And change it to:
...
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
...
Next, locate the Dovecot authentication configurations.
...
# Postfix smtp-auth
#unix_listener /var/spool/postfix/private/auth {
#  mode = 0666
#}
...
And change this to:
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
  mode = 0666
  user = postfix
  group = postfix
}
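The two services only talk to each other if the socket paths agree: Postfix resolves virtual_transport and smtpd_sasl_path relative to its queue_directory, and Dovecot has to create a unix_listener at exactly that absolute path. As an added example (not the post’s own code), here is a small Python check over the main.cf additions and the 10-master.conf listeners above; the config fragments are constructed inline, and on a live system you would feed it the real files (or the output of postconf -n and doveconf -n).

```python
import re

# Constructed main.cf and 10-master.conf fragments using the values from this post.
MAIN_CF = """
queue_directory = /var/spool/postfix
smtpd_sasl_path = private/auth
virtual_transport = lmtp:unix:private/dovecot-lmtp
"""
MASTER_CONF = """
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
  }
}
"""

def parse_main_cf(text):
    """Map the 'key = value' lines of a main.cf fragment to a dict (comments skipped)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def postfix_socket(params, key):
    """Resolve virtual_transport ('lmtp:unix:private/x') or smtpd_sasl_path to an absolute path."""
    value = params.get(key, "")
    if key == "virtual_transport":
        m = re.match(r"lmtp:unix:(\S+)", value)
        value = m.group(1) if m else ""
    if not value:
        return None
    # Relative socket names live under Postfix's queue_directory.
    queue = params.get("queue_directory", "/var/spool/postfix").rstrip("/")
    return value if value.startswith("/") else f"{queue}/{value}"

def check_sockets(main_cf, master_conf):
    """Return one message per Postfix socket that has no matching Dovecot unix_listener."""
    params = parse_main_cf(main_cf)
    listeners = set(re.findall(r"unix_listener\s+(/\S+)\s*\{", master_conf))
    problems = []
    for key in ("virtual_transport", "smtpd_sasl_path"):
        path = postfix_socket(params, key)
        if path is None or path not in listeners:
            problems.append(f"{key}: Postfix expects {path}, Dovecot has no listener there")
    return problems
```

An empty list means delivery and SMTP AUTH sockets line up; a mismatch such as private/dovecot/lmtp versus dovecot-lmtp is reported by parameter name.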
Dovecot authentication will also require some tweaks to the configuration (Once again, since we’re only using this on a local network not connected to the internet, these settings should be OK).
sudo vi /etc/dovecot/conf.d/10-auth.conf
Find the entry disable_plaintext_auth and change it to the following (uncommenting the line in the process):
disable_plaintext_auth = no
Next, find the entry auth_mechanisms and change it to the below:
auth_mechanisms = plain login
Next, we want to disable Dovecot’s default behaviour that requires users to have a system account in order to use email services. To do that, we need to comment out the following line so it reads as follows:
#!include auth-system.conf.ext
Now that we’re not using system accounts to authenticate mail, the following line will need to be uncommented:
!include auth-passwdfile.conf.ext
With this completed, the configuration continues by editing auth-passwdfile.conf.ext
sudo vi /etc/dovecot/conf.d/auth-passwdfile.conf.ext
The contents of this file will need to be updated to the following:
passdb {
  driver = passwd-file
  args = scheme=PLAIN username_format=%u /etc/dovecot/dovecot-users
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}
The final piece of the authentication setup is to create the passwd-like file to be used for authenticating users.
sudo vi /etc/dovecot/dovecot-users
The file should then take the following format for authenticating users (replacing the example addresses and passwords with the ones you need)
admin@example.local:{plain}password
info@example.local:{plain}password
admin@example2.local:{plain}password
Passwords will be stored here in plaintext – once again, because this isn’t a production environment, it’s good enough for our purposes.
With both postfix and dovecot installed and configured, the final piece of this puzzle is to install and configure roundcube for webmail access.
This is the first time that we will be using a PHP application in this environment. To help facilitate this, we’re going to install php-fpm along with some other packages that will be required.
sudo apt install -y php-mysql php-mbstring php-bcmath php-zip php-curl php-xml php-fpm
With those requirements out of the way – it’s time to install roundcube
sudo apt install -y roundcube
When the installer prompts you, select Yes for configuring a database. On the next screen, if you have a choice, select MySQL. Next, you will be prompted to enter and confirm a password to use for the MySQL connection. Make a note of this for your reference later, but we won’t be needing it for now.
There are two final steps that need to be completed to get this working. The first is to add the entry for the webmail website into DNS.
sudo vi /etc/bind/zones/.local
Add the following entry (where intramail.local is the website you want to use for webmail, and 192.168.1.100 is the IP address of the system you’re working on).
intramail.local A 192.168.1.100
The final step is to configure nginx to serve the site.
sudo vi /etc/nginx/sites-available/intramail.local
The contents of this file should be similar to the below – change intramail.local to your domain, and php7.4-fpm to match the version of PHP you have installed.
server {
  listen 80;
  listen [::]:80;
  server_name intramail.local;
  root /var/lib/roundcube;
  index index.html index.htm index.php;
  location / {
    try_files $uri $uri/ =404;
  }
  location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
  }
}
The final roundcube configuration will require setting a default host so that users don’t need to enter a server name when logging in.
sudo vi /etc/roundcube/config.inc.php
The default_host key will need to be updated to the following:
$config['default_host'] = 'localhost';
Finally, we will add some firewall rules (these matter for mail clients elsewhere on the network; Roundcube itself talks to Postfix and Dovecot over localhost) before restarting all the things
sudo ufw allow 25/tcp
sudo ufw allow 110/tcp
sudo ufw allow 143/tcp
sudo systemctl restart nginx apache2 bind9 dovecot postfix
All going well, you should now be able to see the roundcube login page when you visit http://intramail.local from your web browser. Simply log in using one of the previously created usernames and passwords to send and receive emails across your local domains.
The final post in this series will go through how to set up further dynamic websites using WordPress as a CMS.