Setting Up an Email Server for the Direct Email Spooling Attack (How-to Guide)

This is a multi-part article. In Part 1., we revealed how big law firms in Australia are susceptible to direct email spool attacks and what the implications had been. In a nutshell, we discovered that the e-mail safety resolution at one-third of the legislation corporations assessed might be circumvented with a easy trick. Part 2. reveals how we used a handful of open-source intelligence (OSINT) data sources to identify misconfigured email servers.

Prerequisites of the Proof of Concept Server

Although it was straightforward to arrange a primary e-mail server, it was essential to configure the whole lot appropriately to make sure most deliverability of the outgoing emails.

Our e-mail supply infrastructure was:

  • A digital server operating Postfix mail server on Ubuntu 18.04 LTS;
  • A site identify; and
  • An e-mail shopper.

Virtual Server

We picked certainly one of the common low-end VPS suppliers to host our e-mail server. We most well-liked to run our Postfix e-mail server on Ubuntu 18.04 LTS, however different working programs and mail transport brokers may additionally work nice.

We discovered that the digital server supplier (VPS) was blocking the outgoing TCP port 25 to stop any e-mail abuse. To resolve this, we needed to increase a ticket for asking the technical assist to depart the community port unblocked.

The second most necessary factor was the pristine fame of the IP handle. As our most well-liked VPS supplier assigns the IP handle mechanically to the new digital server, we needed to manually test if the IP handle is on a blacklist wherever. We used the IP reputation lookup tool at MXToolbox to question the IP handle towards the hottest DNSBL block record. Luckily, the IP handle was ‘clear’.

Once we bought a site identify and our digital server was operating, we needed to create the obligatory ahead and reverse DNS data, in any other case, spam filters would have flagged our emails as suspicious and moved them to the junk e-mail folder.

Note: We will use as the area identify all through this configuration information. Replace this with your personal area identify as relevant.

First of all, we needed to create an A report for our brand-new mail server used for the evaluation. A

Then we created an MX report to begin accepting mail on our area: MX 10

The PTR report was additionally important as spam filters could reject emails coming from SMTP servers with a lacking reverse report.

We additionally added the following TXT report for creating our SPF report: TXT “v=spf1 a mx ~all”

As for the DKIM report, we created it afterward as a part of the Postfix configuration course of.

Finally, we created a DMARC report to tie the SPF and future DKIM data collectively. We added the following DMARC coverage: TXT v=DMARC1; p=none;

Configuring the Postfix SMTP Service

Once the IP handle, area identify, DNS data and the VM had been all sorted, we logged into the server through SSH.

To set up and configure Postfix e-mail server, we had to ensure the working system was updated:

# apt replace && apt improve

Then we put in the Postfix and OpenDKIM packages:

# apt set up postfix mailutils opendkim opendkim-tools

Once the set up was full, we opened /and many others/postfix/ file in our favorite textual content editor and added (or modified) the following parameters as the following:

myhostname =   # This is the identical host identify as the A report we created earlier
mydomain =  # This is the area identify we bought
myorigin = $mydomain
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = non-public/auth
smtpd_sasl_auth_enable = sure
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = sure
smtpd_sasl_local_domain = $mydomain
smtpd_recipient_restrictions =
smtp_header_checks = regexp:/and many others/postfix/smtp_header_checks
# We will specify right here the place we wish to feed our emails
transport_maps = hash:/and many others/postfix/transport
# OpenDKIM settings for DKIM-signing our outgoing emails
milter_default_action = settle for
milter_protocol = 2
smtpd_milters = native:opendkim/opendkim.sock
non_smtpd_milters = native:opendkim/opendkim.sock

We added the following entries to /and many others/postfix/smtp_header_checks to guard our privateness. This setting removes numerous e-mail headers from the outgoing emails.

/^Received: .*/		IGNORE
/^User-Agent: .*/	IGNORE
/^X-Originating-IP:/    IGNORE
/^X-Mailer:/            IGNORE
/^Mime-Version:/        IGNORE
/^User-Agent:/          IGNORE
/^Subject:/		WARN

We ran the following command to confirm that the Postfix configuration information had been free from any errors:

# postfix test

Then we added our first e-mail consumer. The ‘myuser’ on this instance was the username half earlier than the ‘@’ image in our e-mail handle.

# adduser myuser

The command was asking us to enter a password for the new consumer. We needed to save the password for later as this password was the SMTP and IMAP login credentials as effectively.

Configuring the DKIM Signing

To configure OpenDKIM for digitally signing each outgoing e-mail, we had so as to add the opendkim consumer to the postfix group first:

# gpasswd -a postfix opendkim

Then we opened the /and many others/opendkim.conf file and altered the following strains like the following:

Canonicalization        relaxed/easy
Mode                    sv
SubDomains              no

We additionally added the following strains to the configuration file:

AutoRestart             sure
AutoRestartRate         10/1M
Background              sure
DNSTimeout              5
SignatureAlgorithm      rsa-sha256

We modified the Socket parameter to the following:

Socket                  native:/var/spool/postfix/opendkim/opendkim.sock

Finally, we added the following strains to the finish of the configuration file:

KeyTable           /and many others/opendkim/key.desk
SigningDesk       refile:/and many others/opendkim/signing.desk
ExternalIgnoreList  /and many others/opendkim/trusted.hosts
InternalHosts       /and many others/opendkim/trusted.hosts

We saved opendkim.conf and created a listing construction for OpenDKIM then:

# mkdir -p /and many others/opendkim/keys
# chown -R opendkim:opendkim /and many others/opendkim
# chmod go-rw /and many others/opendkim/keys
# mkdir /var/spool/postfix/opendkim
# chown opendkim:postfix /var/spool/postfix/opendkim

We opened /and many others/opendkim/signing.desk file and added the following line:


We saved the file and opened /and many others/opendkim/key.desk for including the following: many others/opendkim/keys/

Finally, we up to date /and many others/opendkim/trusted.hosts with the following strains:*

It was time to generate your DKIM keys. We created the following listing:

# mkdir -p /and many others/opendkim/keys/

Then we created the signing keys:

# opendkim-genkey -b 2048 -d -D /and many others/opendkim/keys/ -s p1 -v

We set the permissions:

# chown opendkim:opendkim /and many others/opendkim/keys/

Creating the DKIM Record

Then we took the contents of the /and many others/opendkim/keys/ file and created the DNS report holding our DKIM public key.
For instance, our file featured the following entry:

p1._domainkey	IN	TXT	( "v=DKIM1; h=sha256; okay=rsa; "
	  "DJPklskxg+qinrPh58EZBGKOzzJ+6sJlUUHacr3oaMhnaxiQzKLwySjsEIlyuJwu/CgUMlF1smTCq4djpuv5OwgUOHpGcuqoftJAzsdPtIOxGrE1tFOOHar9NI+L8tUdFy2eW9ewIDAQAB" )  ; ----- DKIM key p1 for

After eradicating the newlines and whitespaces, we added the following to our DNS report:	TXT v=DKIM1; h=sha256; okay=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2ds4zLgOQammxc6NUOOuGtMZBbpefjkjFmui+EmBR5zybOqZfSxjfVY59AsO0sqYsr6QhOChr8co230wBwjcDOGhCHxX3ifxks0l6XkdRtwBHP2Cr8wWAAzRMek/tIvchWWy6NEzGTpR1cQvwWpHPsR2iP+DQlqqOAQ6FUY/bVqAEU4JdKGXv2kZU4lSMvGj7IC0L7VVvOw9DsDJPklskxg+qinrPh58EZBGKOzzJ+6sJlUUHacr3oaMhnaxiQzKLwySjsEIlyuJwu/CgUMlF1smTCq4djpuv5OwgUOHpGcuqoftJAzsdPtIOxGrE1tFOOHar9NI+L8tUdFy2eW9ewIDAQAB

Once the DNS report was created, we might check it by operating the following command:

# opendkim-testkey -d -s p1 -vvv

The following response advised us that the key was added appropriately:

opendkim-testkey: key OK

We ran a ultimate check of the configuration information, then restarted the OpenDKIM and Postfix providers to use the new adjustments:

# postfix test
# systemctl restart opendkim
# systemctl restart postfix

Installing Dovecot IMAP Service

The following step was putting in and configuring the IMAP service operating on Dovecot. We needed to set up certbot first for acquiring a legitimate SSL certificates for the SMTP and IMAP providers.

# apt set up certbot dovecot-imapd

We requested a brand new certificates for Dovecot and Postfix with the following command:

# letsencrypt certonly --standalone -d

We added the following strains to /and many others/postfix/ for enabling SSL/TLS on Postfix:

smtpd_tls_cert_file=/and many others/letsencrypt/dwell/
smtpd_tls_key_file=/and many others/letsencrypt/dwell/
smtp_tls_security_level = could
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_protocols = !SSLv2, !SSLv3

We verified the configuration file once more and reloaded Postfix to use the adjustments:

# postfix test
# systemctl reload postfix

Now we moved on to the configuration of Dovecot. We opened /and many others/dovecot/conf.d/10-ssl.conf for changing the self-signed certificates with the one we received from Let’s Encrypt:

ssl_cert = 

We opened /and many others/dovecot/conf.d/10-master.conf and appended the following beneath the # Postfix smtp-auth line:

  unix_listener /var/spool/postfix/non-public/auth {
    mode = 0660
    consumer = postfix
    group = postfix

We opened /and many others/dovecot/conf.d/10-mail.conf to exchange the `mail_location` stanza as the following:

mail_location = maildir:~/Maildir

We edited /and many others/dovecot/conf.d/10-auth.conf then and commented out the following:

disable_plaintext_auth = sure

We added `login` to the `auth_mechanisms` possibility:

auth_mechanisms = plain login

We situated the auth_username_format possibility and altered the setting as the following:

auth_username_format = %n

We completed the configuration by reloading Dovecot:

# systemctl reload dovecot

Configuring Your Email Client

We fired up our favorite e-mail shopper for including our new e-mail account. The configuration particulars had been the following:

SMTP server:
IMAP server:
Enable encryption: sure
Username: [email protected]  
Password: *******  

The username and password are the particulars we entered when operating adduser earlier.
Once your e-mail server was up and operating, we made certain to ship just a few check emails at for verifying that the whole lot is operating appropriately.

Deploying the First Email Transport Rule

Once the e-mail server was operating, it was time to check out with an actual e-mail. Let us assume we're assessing whether or not is prone to direct e-mail spooling assault. MyCompany subscribed to a preferred e-mail safety resolution a yr in the past and runs its personal Microsoft Exchange e-mail server to handle the organisation’s emails.

To implement our e-mail server utilizing a selected e-mail server to ship emails, we have to deploy a transport rule first. In this instance, we used one of the OSINT methods to disclose that MyCompany is exposing its Microsoft Exchange server on to the web.

In this case, we now have to open /and many others/postfix/transport and add the following line: :[]

Then we now have to run the following command to use the adjustments:

# postmap /and many others/postfix/transport

The transport file specifies that each e-mail despatched to the area needs to be delivered by as a substitute of the e-mail safety resolution specified by the MX data of Now, all we have to is firing up the e-mail shopper and sending a check e-mail to [email protected].

If the distant server accepts the e-mail, we must always see the same line in /var/log/mail.log:

Sep 1 03:00:10 mail postfix/smtp[15079]: 13EA3814F1: to=<[email protected]>,[]:25, delay=514, delays=507/0.02/2.2/5.2, dsn=2.0.0, standing=despatched (250 2.0.0 Ok: queued as 7A823C44B17 UID 5b9a75b434fb78cf)

If the distant server doesn't settle for emails from us (i.e. not weak to direct e-mail spool assault), the supply ought to generate an error like this:

Sep  1 05:39:54 mail postfix/smtp[15817]: AF2577F231: to=<[email protected]>,[]:25, delay=3.1, delays=0.05/0/2.8/0.22, dsn=5.0.0, standing=bounced (host[]:25 stated: 550 Invalid recipient <[email protected]> (#5.1.1) (in reply to RCPT TO command))

Any undelivered messages in the supply queue might be listed with the following command:

# postqueue -p


Email safety is a sophisticated matter, and because of this, organisations continuously depart their native e-mail servers wide-open for cybercriminals. This oversight leaves organisations prone to phishing assaults as our latest report on direct email spool attacks demonstrates.

This easy how-to information demonstrates how straightforward it's to arrange an e-mail server for circumventing costly e-mail safety options defending giant organisations. All we would have liked is a digital server, a site identify, roughly $20 and a few free time to construct our infrastructure able to finishing up direct e-mail spool assaults.

Considering the rising number of Business Email Compromise (BEC) fraud, we urge you to evaluate the safety of your e-mail gateways to stop abuse.

This article was co-written by Gabor Szathmari and Nicholas Kavadias.

Related Posts