Module 5: Securing SCOoffice Server

Upload: dennis-kelly

Post on 11-Jan-2016



External Firewall Configuration

[Diagram: Internet, Firewall, SCOoffice Server]

  Outlook: 21*, 25, 80/443*, 110/995, 143/993, 389/636
  SMTP Server: 25
  Web Client: 80/443

* Not used by Outlook Express


Internal Firewall Configuration

[Diagram: SCOoffice Server, Firewall, Active Directory Server]

  Port: 3268


Internal Firewall Configuration

[Diagram: SCOoffice (master), two SCOoffice (slave) servers, Firewall]

  Ports: 25, 389/636, 143/993, 2003


Remote Office Firewall Configuration

[Diagram: SCOoffice (master), two SCOoffice (slave) servers, Firewall, Internet, three further SCOoffice (slave) servers]

  Ports: 25, 389/636, 143/993, 2003


SCO OpenServer’s HTTP Servers

SCO OpenServer runs HTTP servers on ports:

  80 – SCOoffice Server’s HTTP server
  443 – SCOoffice Server’s HTTPS server
  615 – Internet Configuration Manager
  8457 – DocView: Access to SCO OpenServer documentation


Other SCOoffice Server Related Ports

SCOoffice Server runs daemons on ports:

  21 – ProFTP
  25 – SMTP
  110 – POP3
  143 – IMAP
  389 – OpenLDAP
  993 – IMAP4 over TLS/SSL
  995 – POP3 over TLS/SSL
  2000 – Cyrusmaster (sieve)
  2003 – Cyrusmaster (LMTP)
  2583 – MON
  4840 – SASLAUTHD
  4844 – SASLAUTHD
  10024 – AMaViS


Disallowing Open Relay

- Don’t let server be used as an open relay
- Numerous ways to prevent open relay
- We will configure SASLAUTHD + TLS

    # telnet rose.example.net smtp
    220 rose.example.net ESMTP Postfix (2.0.20)
    HELO nuisance.spammer.net
    250 rose.example.net
    MAIL FROM: [email protected]
    Ok
    RCPT TO: [email protected]
    Ok
    ...


Useful for blocking unwanted SMTP sessions:

- smtpd_client_restrictions
- smtpd_sender_restrictions
- smtpd_recipient_restrictions

Stored in LDAP


Simple Authentication and Security Layer (SASL)

LOGIN authentication mechanism

  Base64 encoded username: bob
  Base64 encoded password: bpasswd

PLAIN authentication mechanism

  Base64 encoded: user+NULL+user+NULL+password
  bob\0bob\0bpasswd
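Base64 is an encoding, not encryption, which is why the deck pairs SASL with TLS. The following Python is an added example, not part of the original slides: it builds the LOGIN and PLAIN responses for the slide's bob/bpasswd account and recovers them from a constructed cleartext trace. The function names and the trace are assumptions made for illustration.

```python
import base64

def b64(text):
    return base64.b64encode(text.encode()).decode()

def plain_response(user, password):
    # Slide layout: user + NUL + user + NUL + password, then Base64
    return b64(f"{user}\0{user}\0{password}")

def login_responses(user, password):
    # LOGIN sends the user name and the password as two separate Base64 strings
    return b64(user), b64(password)

def decode_plain(token):
    authzid, user, password = base64.b64decode(token).decode().split("\0")
    return authzid, user, password

def credentials_in_trace(lines):
    """Recover (mechanism, user, password) from the client lines of a cleartext trace."""
    found, pending = [], None
    for line in lines:
        if not line.startswith("C: "):
            continue                      # server replies carry no credentials
        words = line[3:].split()
        if words[:2] == ["AUTH", "PLAIN"] and len(words) == 3:
            found.append(("PLAIN",) + decode_plain(words[2])[1:])
        elif words[:2] == ["AUTH", "LOGIN"]:
            pending = []                  # next two client lines: user, password
        elif pending is not None and len(words) == 1:
            pending.append(base64.b64decode(words[0]).decode())
            if len(pending) == 2:
                found.append(("LOGIN", pending[0], pending[1]))
                pending = None
    return found

# Constructed trace of a session WITHOUT TLS (not captured from a real server)
TRACE = [
    "C: EHLO client.example.net",
    "S: 250-AUTH PLAIN LOGIN",
    "C: AUTH PLAIN " + plain_response("bob", "bpasswd"),
    "S: 235 Authentication successful",
    "C: AUTH LOGIN",
    "S: 334 VXNlcm5hbWU6",
    "C: Ym9i",
    "S: 334 UGFzc3dvcmQ6",
    "C: YnBhc3N3ZA==",
    "S: 235 Authentication successful",
]

if __name__ == "__main__":
    for mech, user, password in credentials_in_trace(TRACE):
        print(mech, user, password)
```

With TLS negotiated before AUTH, none of the client lines above are visible on the wire.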


SASL Authentication

[Diagram: smtpd, imapd/pop3d, cyrusmaster, saslauthd, slapd]

…/etc/saslauthd.conf

    ldap_servers: ldap://127.0.0.1/
    ldap_filter: login=%u

…/lib/sasl2/smtpd.conf

    pwcheck_method: saslauthd
    mech_list: plain login

…/etc/imapd.conf

    sasl_pwcheck_method: saslauthd

…/etc/cyrus.conf

    imap cmd="imapd -p 2 …
    pop3 cmd="pop3d" …
    …


SASL Configuration on the Server

    smtpd_sasl_auth_enable = yes
    smtpd_sender_restrictions =
        check_sender_access ldap:ldapSenderAccess,
        permit_sasl_authenticated
    smtpd_recipient_restrictions =
        check_recipient_access ldap:ldapRecipientAccess,
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination
    broken_sasl_auth_clients = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_delay_reject = yes


SASL Configuration on the Client

    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps =
        hash:/opt/insight/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous


Create /opt/insight/etc/postfix/sasl_passwd:

    example.net alice:apasswd
    example.org bob:bpasswd

Run postmap(1) after creating (or modifying) file


- TLS v1 is based on SSL v3
- Encrypt SMTP traffic using TLS
- X.509 certificates


TLS Configuration on the Server

    smtpd_tls_cert_file = /opt/insight/etc/ssl/server.pem
    smtpd_tls_key_file = /opt/insight/etc/ssl/server.pem
    smtpd_tls_CAfile = /opt/insight/etc/ssl/server.pem
    smtpd_use_tls = yes


TLS Configuration on the Client

    smtp_tls_cert_file = /opt/insight/etc/ssl/server.pem
    smtp_tls_key_file = /opt/insight/etc/ssl/server.pem
    smtp_tls_CAfile = /opt/insight/etc/ssl/server.pem
    smtp_use_tls = yes


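Using a Certificate Authority’s Certificate

    # Note: Postfix documents the *_tls_CApath parameters as a directory of
    # hashed CA certificates; a single PEM file is given with *_tls_CAfile.
    smtp_tls_CApath = /opt/insight/etc/ssl/ca_cert.pem
    smtpd_tls_CApath = /opt/insight/etc/ssl/ca_cert.pem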


To test to see if a mail server is an open relay:

- Log into the mail server
- telnet rt.njabl.org 2500


Exercise: Tracing TLS and SASL

TLS + SASL Authentication:

SASL Authentication Only:


Other Restrictions

Other useful restrictions:

- smtpd_client_restrictions
- smtpd_helo_restrictions
- smtpd_sender_restrictions

See www.postfix.org/uce.html


Using smtpd_client_restrictions

In main.cf:

    smtpd_client_restrictions =
        check_client_access hash:/opt/insight/etc/postfix/smtp_clients,
        permit

In /opt/insight/etc/postfix/smtp_clients:

    # Note: hash: lookups match exact addresses and octet-boundary prefixes
    # (for example 192.168.1); a CIDR key such as 192.168.1.0/24 is not matched.
    192.168.1.1 OK
    192.168.1.2 PERMIT
    192.168.1.3 REJECT
    192.168.1.123 REJECT
    192.168.1.0/24 OK
    example.net OK
    paper.example.org DUNNO
    example.org REJECT
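How the smtp_clients table above is consulted, as an added Python example that is not part of the original slides. It is a simplified model of the lookup order documented in Postfix access(5) (host name, parent domains, address, then networks by stripping octets), and it assumes the default parent_domain_matches_subdomains setting; the function names and the client names and 10.0.0.x addresses are constructed for illustration.

```python
# Entries constructed from the smtp_clients table shown above
TABLE = {
    "192.168.1.1": "OK", "192.168.1.2": "PERMIT", "192.168.1.3": "REJECT",
    "192.168.1.123": "REJECT", "192.168.1.0/24": "OK",
    "example.net": "OK", "paper.example.org": "DUNNO", "example.org": "REJECT",
}

def candidate_keys(hostname, address):
    """Lookup keys, most specific first: host name, parent domains, address, networks."""
    labels = hostname.lower().split(".")
    names = [".".join(labels[i:]) for i in range(len(labels))]
    octets = address.split(".")
    nets = [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return names + nets

def check_client_access(hostname, address, table=TABLE):
    """Return (matched_key, action); (None, 'DUNNO') when nothing matches."""
    for key in candidate_keys(hostname, address):
        if key in table:
            return key, table[key]   # first hit decides; DUNNO stops the search
    return None, "DUNNO"

def decide(hostname, address, table=TABLE):
    """Outcome of 'check_client_access ..., permit' as configured on the slide."""
    _, action = check_client_access(hostname, address, table)
    return "reject" if action == "REJECT" else "permit"

def unmatchable_keys(table=TABLE):
    """Keys an exact-match (hash:) lookup never generates, such as CIDR blocks."""
    return [k for k in table if "/" in k]

if __name__ == "__main__":
    for host, addr in [("mx.example.org", "10.0.0.6"),
                       ("mail.paper.example.org", "10.0.0.5"),
                       ("unknown", "192.168.1.50")]:
        print(host, addr, check_client_access(host, addr), decide(host, addr))
    print("never matched:", unmatchable_keys())
```

Because the restriction list ends in permit, only the REJECT entries change the outcome; the DUNNO entry exists to exempt paper.example.org from the example.org REJECT.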


Using smtpd_helo_restrictions

- check_helo_access
- reject_invalid_hostname
- reject_non_fqdn_hostname
- reject_unknown_hostname

In main.cf:

    smtpd_helo_restrictions =
        reject_invalid_hostname,
        check_helo_access hash:/opt/insight/etc/postfix/helo

In /opt/insight/etc/postfix/helo:

    example.org OK
    example.net REJECT


Using smtpd_sender_restrictions

- check_sender_access
- reject_unknown_sender_domain


Creating a Chroot Jail

- A chroot jail adds a layer of protection
- Limits daemon(s) to /opt/insight/var/spool/postfix
- Set the fifth field in master.cf to ‘y’