[Sussex] Securing Mail Servers

Ronan Chilvers ronan at thelittledot.com
Sun Apr 16 20:12:43 UTC 2006


Hi Paul

On Sun, 16 Apr 2006 17:01:32 +0100 (BST)
paul.morriss at tokenbay.co.uk wrote:

Lots of other answers about SMTP-AUTH / TLS, etc, but just for
reference:-

> Hi all
> I have been testing a new mail server setup (atm it's on a private
> network, but will be public when configuration finished), I have
> noticed that anyone can telnet into the mail server and issue:
> helo, from, to, data and then send.... I see this as a large security
> hole as it means hacker X could send a malicious email from
> webmaster at whatever.com without any authorisation.

SMTP is a text-based, human-readable protocol.  You telnetting to the
SMTP port and talking to the server is almost exactly what other SMTP
servers will do once the machine is in production, in order to pass
mail through. This is normal behaviour and not, in itself, insecure.  In
fact it can be a very useful tool.

> 
> We have added security that it will be bounced if the from address is
> not valid but is there a way so that only authorised users can send
> mail..

Some other stuff to think about:-

* Make sure only local recipient accounts can accept mail - bounce the
rest.
* If possible avoid catchall addresses, unless they're spam holes.
* Maintain a local set of header and body checks that will check
incoming mail before queueing which will let you reject in-protocol
rather than post-queue.
* Implement SPF checking and set up SPF records for your domain(s).
* Get yourself a good spam filtering system (I like Amavisd-new but
there are loads)
* Get yourself a good virus scanning system (ditto with ClamAV)
* (Controversially) discard spam that you're sure about (eg: above a
set score level) and virusified emails, don't bounce them - trashing
email is not a pleasant thing for an MTA to do, but stops your server
sending DSNs to non-existent or innocent addresses.
* As well as SMTP-AUTH, think about moving email submission to another
port (587 is usually used for this IIRC) which will allow you to
restrict client submission by things like IP address range, etc.

There's lots to think about.  Grab a good book for your mail server
(O'Reilly do several excellent books, including the seminal Bat book
for sendmail and Dove book for Postfix).

Email server administration can be very complex, but is also
tremendously interesting and satisfying for a sysadmin.  Enjoy!

Cheers

-- 
Ronan
e: ronan at thelittledot.com
t: 01903 739 997

This email has been digitally signed using GNUPG to verify the identity
of the sender. Please see http://www.gnupg.org/ for further information.
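
The recipient and submission rules from the list above, as an added example that is not part of the original email: a sketch of the decision an MTA makes at RCPT TO, so that unwanted mail is rejected in-protocol and the server never queues it or generates a DSN. The domains, users, network range and the function name rcpt_decision are constructed assumptions, and treating port 25 as unauthenticated server-to-server traffic only is a simplification.

```python
import ipaddress

# Constructed sample data (assumptions, not from the original email).
LOCAL_DOMAINS = {"example.org"}
LOCAL_USERS = {"paul@example.org", "webmaster@example.org"}
SUBMISSION_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def rcpt_decision(port, client_ip, authenticated, rcpt):
    """Return the SMTP reply for one RCPT TO, decided before queueing."""
    rcpt = rcpt.strip().lower()
    local_part, sep, domain = rcpt.rpartition("@")
    if not sep or not local_part or not domain:
        return "501 5.1.3 Bad recipient address syntax"

    if port == 587:
        # Submission port: restrict by client address range, then
        # require SMTP-AUTH before relaying anywhere.
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in net for net in SUBMISSION_NETS):
            return "554 5.7.1 Client address not permitted"
        if not authenticated:
            return "530 5.7.0 Authentication required"
        return "250 2.1.5 Ok"

    # Port 25: other mail servers. Accept mail only for local recipients.
    if domain not in LOCAL_DOMAINS:
        return "554 5.7.1 Relay access denied"
    if rcpt not in LOCAL_USERS:
        # Refusing here leaves the bounce to the sending server, so this
        # host never sends a DSN to a forged or innocent sender address.
        return "550 5.1.1 User unknown"
    return "250 2.1.5 Ok"


if __name__ == "__main__":
    # Constructed sessions: (port, client IP, authenticated, recipient)
    for case in [
        (25, "203.0.113.9", False, "paul@example.org"),
        (25, "203.0.113.9", False, "nobody@example.org"),
        (25, "203.0.113.9", False, "victim@example.net"),
        (587, "192.0.2.10", True, "victim@example.net"),
        (587, "192.0.2.10", False, "victim@example.net"),
    ]:
        print(case, "->", rcpt_decision(*case))
```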