(RHCA)Red Hat Enterprise Linux RHS333: Red Hat Enterprise Security: Network Services

Unit 8

Electronic Mail with Sendmail

Objectives

Upon completion of this unit, you should be able to:
  • Describe server topologies and service security
  • Encrypt email messages
  • Secure user access to the mail spool
  • Configure connection filtering
Vulnerabilities

  • Denial of service attacks
  • Users need access to the mail spool
    • Users have local account on mail server or need to access the server externally
  • E-mail is sent as clear text
  • Need to control transmission of "spam"
    • May still need to let legitimate hosts relay
Resolutions
  • Protect and tune the Sendmail service
  • Require users to access the mail server through a secure IMAP or POP service
  • Encrypt e-mail messages
  • Filter e-mail with a blacklist, blackhole, and/or procmail configuration
Server Topologies

  • In-only
  • Out-only
  • Relay-only
    • Firewalls may separate the MTAs
  • Mail system components
    • MUA (Mail User Agent)
    • MTA (Message Transfer Agent)
    • MDA (Mail Delivery Agent)
User Mail Access

  • Mail-only accounts
    • On server vs. off server
  • An NFS-exported mail spool is a bad idea
    • Potential for userX on client to authenticate as userY on server
  • Use dovecot (pop or imap)
    • Unencrypted imap or pop not recommended
User Mail Privacy and Security

  • Encrypting the message before submission to the mail system is most secure
  • Two popular solutions
    • GNU Privacy Guard (GnuPG)
    • Secure Multipurpose Internet Mail Extensions (S/MIME)
GnuPG or S/MIME?

  • GnuPG
    • Sign and encrypt
    • Widely available in Linux MUAs
    • Based on a “Web of Trust” PKI
  • S/MIME
    • Sign and encrypt
    • Integrates easily in a mixed environment
    • Hierarchical Public Key Infrastructure (PKI)
Other Security Concerns

  • Dangers of HTML mail and automatic MIME execution
    • Web bugging
    • Viruses
Service Profile: Sendmail

  • Type: System V-launched service
  • Packages: sendmail, sendmail-cf, sendmail-doc
  • Daemons: sendmail
  • Script: sendmail
  • Ports: 25/tcp (smtp), 465/tcp (tls)
  • Configuration: /etc/mail/sendmail.cf, /etc/mail/submit.cf, /etc/aliases, /etc/mail/
  • Related: procmail, dovecot
  • Alternative: postfix, exim
Server Security

  • confSMTP_LOGIN_MSG
    • Change version banner
  • confPRIVACY_FLAGS
    • Suppress information leakage
Server Security: DoS

  • sendmail.mc options to control DoS attacks
    • confMAX_MESSAGE_SIZE
    • confMAX_DAEMON_CHILDREN
    • confCONNECTION_RATE_THROTTLE
    • confMIN_FREE_BLOCKS
Server Security: File Permissions

  • Restrict write access to root only
    • Configuration files
    • Database files
  • confSAFE_FILE_ENV
    • Only deliver to regular files
  • confDONT_BLAME_SENDMAIL
    • Turns off safety checks; avoid using
smrsh

  • Restricted shell for local mail delivery
  • Limits which commands .forward files or /etc/aliases can pipe mail into
    • Programs must be installed in /etc/smrsh
    • Built-ins: echo, exec, exit
  • Strips off initial pathnames on programs
  • Restricted special characters
    • No I/O redirection or subshells
STARTTLS

  • TLS protection for SMTP communication
  • If offered by the remote server, Sendmail will always attempt to use TLS
  • Very useful, but there are limitations
    • Only protects the next hop; no guarantee of end-to-end protection if relayed
    • Messages not protected in queues or spool
Anti-Spam Mechanisms

  • Local mechanisms
    • /etc/mail/access and blacklisting
  • Remote mechanisms
    • dnsbl: MAPS and other DNS blackholes
  • Local delivery filtering
    • procmail and SpamAssassin
/etc/mail/access

  • Used to accept or deny incoming email
  • Example entries (key on the left, action on the right):
                               REJECT
    Connect:spamRus.net        REJECT
    Connect:10.3               OK
    Connect:virtualdom.com     RELAY
                               ERROR:500 disabled
    Connect:nobody@            ERROR: 550 bad name
  • By default, entries resulting in ERROR or REJECT cannot send or receive messages
    • FEATURE(`blacklist_recipients')
Authenticated Relay

  • Clients may be authorized to relay using other methods besides an address
    • Useful for laptop users and other stations with variable IP addresses or hostnames
  • STARTTLS client certificates
  • SMTP AUTH and SASL mechanisms
DNS Blackhole Lists

  • DNS can be used as a database to store information about sources of “spam”
    • FEATURE(`dnsbl',`nospam.example.com')
  • DNS lookup using reversed octets of sender IP address, with the domain of the blackhole list appended
  • Can implement locally or use public or subscription-based blackhole services
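The two lookups described above, the /etc/mail/access prefix and suffix matching and the reversed-octet DNSBL query, as an added example that is not part of the course material. The access map entries and the DNS answers are constructed sample data; `nospam.example.com` is the zone from the FEATURE(`dnsbl') line.

```python
"""Added example: how Sendmail derives access-map keys and a DNSBL query
name from a connecting client. All data below is constructed."""
import ipaddress

# Constructed access map in /etc/mail/access form (key -> action).
# makemap folds keys to lower case by default, so we compare in lower case.
ACCESS = {
    "connect:spamrus.net": "REJECT",
    "connect:10.3": "OK",
    "connect:virtualdom.com": "RELAY",
}

# Constructed stand-in for DNS. A real DNSBL answers a listed address with
# an A record (commonly 127.0.0.x) and NXDOMAIN (None here) otherwise.
FAKE_DNS = {"9.8.7.6.nospam.example.com": "127.0.0.2"}


def connect_keys(ip, hostname=None):
    """Candidate Connect: keys, most specific first: the full address,
    then shorter octet prefixes, then the hostname and its parent domains."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    keys = ["connect:" + ".".join(octets[:n]) for n in range(4, 0, -1)]
    if hostname:
        labels = hostname.lower().split(".")
        keys += ["connect:" + ".".join(labels[i:]) for i in range(len(labels) - 1)]
    return keys


def access_action(ip, hostname=None):
    """Return the action of the first matching key, or None if none matches."""
    for key in connect_keys(ip, hostname):
        if key in ACCESS:
            return ACCESS[key]
    return None


def dnsbl_query_name(ip, zone):
    """Reverse the client's octets and append the blackhole zone,
    which is the name FEATURE(`dnsbl') looks up."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip, zone, resolver=FAKE_DNS.get):
    """True when the DNSBL returns an A record for the reversed name."""
    return resolver(dnsbl_query_name(ip, zone)) is not None


if __name__ == "__main__":
    print(access_action("10.3.4.5"), access_action("192.0.2.1", "mail.spamRus.net"))
    print(dnsbl_query_name("6.7.8.9", "nospam.example.com"), dnsbl_listed("6.7.8.9", "nospam.example.com"))
```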
End of Unit 8

  • Questions and Answers
  • Summary
    • Server security
    • Data security
    • Securing user email
    • Blocking spam
