dennis-kelly
1
Module 5
Securing SCOoffice Server
2
Securing SCOoffice Server
3
External Firewall Configuration
[Diagram: Internet, Firewall, SCOoffice Server. Ports by client:]
Outlook: 21*, 25, 80/443*, 110/995, 143/993, 389/636
SMTP Server: 25
Web Client: 80/443
* Not used by Outlook Express
4
Internal Firewall Configuration
[Diagram: SCOoffice Server, Firewall, Active Directory Server. Port: 3268]
5
Internal Firewall Configuration
[Diagram: SCOoffice (master), Firewall, two SCOoffice (slave) servers. Ports: 25, 389/636, 143/993, 2003]
6
Remote Office Firewall Configuration
[Diagram: SCOoffice (master) and two SCOoffice (slave) servers, Firewall, Internet, three further SCOoffice (slave) servers. Ports: 25, 389/636, 143/993, 2003]
7
SCO OpenServer’s HTTP Servers
SCO OpenServer runs HTTP servers on ports:
    80 – SCOoffice Server’s HTTP server
    443 – SCOoffice Server’s HTTPS server
    615 – Internet Configuration Manager
    8457 – DocView: Access to SCO OpenServer documentation
8
Other SCOoffice Server Related Ports
SCOoffice Server runs daemons on ports:
    21 – ProFTP
    25 – SMTP
    110 – POP3
    143 – IMAP
    389 – OpenLDAP
    993 – IMAP4 over TLS/SSL
    995 – POP3 over TLS/SSL
    2000 – Cyrusmaster (sieve)
    2003 – Cyrusmaster (LMTP)
    2583 – MON
    4840 – SASLAUTHD
    4844 – SASLAUTHD
    10024 – AMaViS
9
Disallowing Open Relay
Don’t let server be used as an open relay
Numerous ways to prevent open relay
We will configure SASLAUTHD + TLS
    # telnet rose.example.net smtp
    220 rose.example.net ESMTP Postfix (2.0.20)
    HELO nuisance.spammer.net
    250 rose.example.net
    MAIL FROM: [email protected]
    250 Ok
    RCPT TO: [email protected]
    250 Ok
    ...
10
Disallowing Open Relay
Useful for blocking unwanted SMTP sessions:
    smtpd_client_restrictions
    smtpd_sender_restrictions
    smtpd_recipient_restrictions
Stored in LDAP
11
Disallowing Open Relay
Simple Authentication and Security Layer (SASL)
LOGIN authentication mechanism
    Base64 encoded username: bob
    Base64 encoded password: bpasswd
PLAIN authentication mechanism
    Base64 encoded: user+NULL+user+NULL+password
    bob\0bob\0bpasswd
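Added example, not part of the original slides: LOGIN and PLAIN only Base64-encode the credentials, so anyone who can read an unencrypted SMTP session recovers them, which is why this module pairs SASL with TLS. The trace is constructed and reuses the slide's bob/bpasswd values; the function names are illustrative.

```python
import base64

def b64d(text):
    return base64.b64decode(text).decode("utf-8")

def encode_plain(user, password, authzid=""):
    """AUTH PLAIN argument: base64(authzid NUL user NUL password)."""
    raw = "\0".join((authzid, user, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def credentials_in_trace(lines):
    """Return (mechanism, user, password) for each AUTH in an unencrypted trace."""
    client = [l[3:].strip() for l in lines if l.startswith("C: ")]
    found = []
    for i, line in enumerate(client):
        words = line.split()
        if len(words) < 2 or words[0].upper() != "AUTH":
            continue
        mech = words[1].upper()
        # Client replies follow the AUTH line; an initial response may ride on it.
        replies = words[2:3] + client[i + 1:i + 3]
        if mech == "PLAIN" and replies:
            _authzid, user, password = b64d(replies[0]).split("\0")
            found.append((mech, user, password))
        elif mech == "LOGIN" and len(replies) >= 2:
            found.append((mech, b64d(replies[0]), b64d(replies[1])))
    return found

# Constructed session as it would look on the wire without TLS.
SAMPLE_TRACE = [
    "S: 250-AUTH PLAIN LOGIN",
    "C: AUTH PLAIN Ym9iAGJvYgBicGFzc3dk",
    "S: 235 Authentication successful",
    "C: AUTH LOGIN",
    "S: 334 VXNlcm5hbWU6",   # base64 of "Username:"
    "C: Ym9i",
    "S: 334 UGFzc3dvcmQ6",   # base64 of "Password:"
    "C: YnBhc3N3ZA==",
    "S: 235 Authentication successful",
]

if __name__ == "__main__":
    for mech, user, password in credentials_in_trace(SAMPLE_TRACE):
        print(mech, user, password)
```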
12
Disallowing Open Relay
SASL AUTHENTICATION
[Diagram: smtpd and imapd/pop3d (started by cyrusmaster) authenticate through saslauthd, which queries slapd. Configuration files:]
…/etc/saslauthd.conf
    ldap_servers: ldap://127.0.0.1/
    ldap_filter: login=%u
…/lib/sasl2/smtpd.conf
    pwcheck_method: saslauthd
    mech_list: plain login
…/etc/imapd.conf (imapd/pop3d)
    sasl_pwcheck_method: saslauthd
…/etc/cyrus.conf (cyrusmaster)
    imap cmd="imapd -p 2 …
    pop3 cmd="pop3d" …
    …
13
Disallowing Open Relay
SASL Configuration on the Server
    smtpd_sasl_auth_enable = yes
    smtpd_sender_restrictions =
        check_sender_access ldap:ldapSenderAccess,
        permit_sasl_authenticated
    smtpd_recipient_restrictions =
        check_recipient_access ldap:ldapRecipientAccess,
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination
    broken_sasl_auth_clients = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_delay_reject = yes
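Added example, not part of the original slides: a small model of how smtpd_recipient_restrictions is walked in order, showing why the list above refuses relaying for strangers and how an over-broad mynetworks turns the same list into an open relay. The LDAP lookup is modelled as "no match", and the networks, domains and addresses are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Order taken from the smtpd_recipient_restrictions shown on the slide.
RESTRICTIONS = [
    "check_recipient_access",      # LDAP table; modelled as "no match" (assumption)
    "permit_sasl_authenticated",
    "permit_mynetworks",
    "reject_unauth_destination",
]

def rcpt_decision(session, mynetworks, local_domains, restrictions=RESTRICTIONS):
    """Walk the list in order; the first permit or reject ends evaluation."""
    client = ip_address(session["client"])
    domain = session["rcpt"].rsplit("@", 1)[1].lower()
    for name in restrictions:
        if name == "permit_sasl_authenticated" and session.get("sasl_user"):
            return "permit", name
        if name == "permit_mynetworks" and any(
                client in ip_network(net) for net in mynetworks):
            return "permit", name
        if name == "reject_unauth_destination" and domain not in local_domains:
            return "reject", name
    return "permit", "end of list"

def relays_for_strangers(mynetworks, local_domains):
    """Probe with an unauthenticated outside client and an outside recipient."""
    probe = {"client": "203.0.113.7", "sasl_user": None,
             "rcpt": "someone@example.com"}
    return rcpt_decision(probe, mynetworks, local_domains)[0] == "permit"

LOCAL = {"example.net"}                       # constructed: domains hosted here
GOOD_NETS = ["127.0.0.0/8", "192.168.1.0/24"]  # constructed internal networks
WEAK_NETS = ["0.0.0.0/0"]                      # constructed mistake: everyone is "mine"

if __name__ == "__main__":
    print("good mynetworks relays for strangers:", relays_for_strangers(GOOD_NETS, LOCAL))
    print("weak mynetworks relays for strangers:", relays_for_strangers(WEAK_NETS, LOCAL))
```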
14
Disallowing Open Relay
SASL Configuration on the Client
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps =
        hash:/opt/insight/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
15
Disallowing Open Relay
Create /opt/insight/etc/postfix/sasl_passwd:
    example.net alice:apasswd
    example.org bob:bpasswd
Run postmap(1) after creating (or modifying) file
16
Disallowing Open Relay
TLS v1 is based on SSL v3
Encrypt SMTP traffic using TLS
X.509 certificates
17
Disallowing Open Relay
TLS Configuration on the Server
    smtpd_tls_cert_file = /opt/insight/etc/ssl/server.pem
    smtpd_tls_key_file = /opt/insight/etc/ssl/server.pem
    smtpd_tls_CAfile = /opt/insight/etc/ssl/server.pem
    smtpd_use_tls = yes
18
Disallowing Open Relay
TLS Configuration on the Client
    smtp_tls_cert_file = /opt/insight/etc/ssl/server.pem
    smtp_tls_key_file = /opt/insight/etc/ssl/server.pem
    smtp_tls_CAfile = /opt/insight/etc/ssl/server.pem
    smtp_use_tls = yes
19
Disallowing Open Relay
Using a Certificate Authority’s Certificate
    # CAfile takes a single PEM file; CApath expects a directory of hashed certificates
    smtp_tls_CAfile = /opt/insight/etc/ssl/ca_cert.pem
    smtpd_tls_CAfile = /opt/insight/etc/ssl/ca_cert.pem
20
Disallowing Open Relay
To test whether a mail server is an open relay:
    Log into the mail server
    telnet rt.njabl.org 2500
21
Exercise: Tracing TLS and SASL
TLS + SASL Authentication:
SASL Authentication Only:
22
Other Restrictions
Other useful restrictions:
    smtpd_client_restrictions
    smtpd_helo_restrictions
    smtpd_sender_restrictions
See www.postfix.org/uce.html
23
Using smtpd_client_restrictions
In main.cf:
    smtpd_client_restrictions =
        check_client_access hash:/opt/insight/etc/postfix/smtp_clients,
        permit
In /opt/insight/etc/postfix/smtp_clients:
    192.168.1.1 OK
    192.168.1.2 PERMIT
    192.168.1.3 REJECT
    192.168.1.123 REJECT
    # hash: keys are exact strings, so the /24 network is written as an octet prefix
    192.168.1 OK
    example.net OK
    paper.example.org DUNNO
    example.org REJECT
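Added example, not part of the original slides: a model of the key order check_client_access uses against a hash: table (client hostname, parent domains, client address, then networks with trailing octets stripped). It shows that the most specific entry wins, that DUNNO stops the search, and that a key written as 192.168.1.0/24 is never looked up. The table is constructed, modelled on the smtp_clients file, with the network in CIDR form; client names and addresses are assumptions.

```python
def candidate_keys(hostname, address):
    """Lookup keys in the order check_client_access tries them."""
    keys = []
    if hostname and hostname != "unknown":
        labels = hostname.lower().split(".")
        # Full hostname first, then each parent domain.
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = address.split(".")
    # Full address first, then networks with trailing octets stripped.
    keys += [".".join(octets[:n]) for n in range(4, 0, -1)]
    return keys

def check_client_access(table, hostname, address):
    """Return (matched_key, action); the first key present in the table decides."""
    for key in candidate_keys(hostname, address):
        if key in table:
            return key, table[key].upper()
    return None, "DUNNO"

def final_decision(table, hostname, address):
    """The restriction list ends in `permit`, so only an explicit REJECT blocks."""
    _, action = check_client_access(table, hostname, address)
    return "reject" if action == "REJECT" else "permit"

# Constructed table modelled on smtp_clients, with the /24 network in CIDR form.
SMTP_CLIENTS = {
    "192.168.1.1": "OK", "192.168.1.2": "PERMIT", "192.168.1.3": "REJECT",
    "192.168.1.123": "REJECT", "192.168.1.0/24": "OK",
    "example.net": "OK", "paper.example.org": "DUNNO", "example.org": "REJECT",
}
# Same table with the network as an octet prefix, the form a hash: key can match.
WITH_PREFIX = {**SMTP_CLIENTS, "192.168.1": "OK"}

if __name__ == "__main__":
    for host, addr in [("unknown", "192.168.1.50"), ("unknown", "192.168.1.123"),
                       ("mx.paper.example.org", "198.51.100.9"),
                       ("www.example.org", "198.51.100.9")]:
        print(host, addr, check_client_access(SMTP_CLIENTS, host, addr),
              check_client_access(WITH_PREFIX, host, addr))
```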
24
Using smtpd_helo_restrictions
    check_helo_access
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_unknown_hostname
In main.cf:
    smtpd_helo_restrictions = reject_invalid_hostname,
        check_helo_access hash:/opt/insight/etc/postfix/helo
In /opt/insight/etc/postfix/helo:
    example.org OK
    example.net REJECT
25
Using smtpd_sender_restrictions
    check_sender_access
    reject_unknown_sender_domain
26
Creating a Chroot Jail
A chroot jail adds a layer of protection
Limits daemon(s) to /opt/insight/var/spool/postfix
Set the fifth field in master.cf to ‘y’