Secure Your E-Mail Server on IBM Eserver I5 with Linux


Secure Your E-mail Server on IBM Eserver i5 with Linux

Understanding security issues for network and e-mail server
Linux open source solutions to secure your e-mail server
Linux-based ISV solutions to secure your e-mail server

Yessong Johng
Alex Robar
Colin McNaught
Senthil Kumar

ibm.com/redbooks
Redpaper

International Technical Support Organization
October 2005

Note: Before using this information and the product it supports, read the information in “Notices” on page vii.

First Edition (October 2005)
This edition applies to IBM i5/OS V5R3, SUSE LINUX Enterprise Server 9, and Red Hat Enterprise Linux AS Version 4.
© Copyright International Business Machines Corporation 2005. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices
Trademarks
Preface
  The team that wrote this Redpaper
  Become a published author
  Comments welcome

Part 1. Open Source Solutions for Network Security

Chapter 1. Understanding and planning e-mail server security
  1.1 Concepts: Securing e-mail servers
    1.1.1 Linux-based firewall
    1.1.2 E-mail security
  1.2 Scenarios: Securing e-mail server
    1.2.1 Open source protection and open source mail delivery
    1.2.2 Open source protection and Domino
    1.2.3 ISV protection, open source filtering, and open source mail delivery
  1.3 Planning: Securing e-mail server
    1.3.1 OSS versus ISV solutions for network security mechanisms
    1.3.2 Direct I/O for firewall
    1.3.3 Choice of e-mail server
    1.3.4 Support contracts
    1.3.5 De-militarized zone
    1.3.6 Planning worksheet
  1.4 Types of attacks and protection mechanisms

Chapter 2. Linux installation
  2.1 Linux installation overview
    2.1.1 Required or helpful tools
    2.1.2 Installation notes
  2.2 Setting up the partitions
    2.2.1 Creating a logical partition using the HMC
    2.2.2 Set up the i5/OS partition virtual I/O
    2.2.3 Working with network servers
  2.3 Installing Linux
    2.3.1 Installing SLES9
    2.3.2 Installing RHEL4

Chapter 3. Locking down the Linux firewall partition
  3.1 Hardening Linux
    3.1.1 Bastille Linux
    3.1.2 Removing unnecessary servers
    3.1.3 Altering insecure defaults
  3.2 iptables rules
    3.2.1 Understanding iptables
    3.2.2 Initial iptables setup
  3.3 grsecurity kernel patch
  3.4 Security-Enhanced Linux (SELinux)
  3.5 Snort
    3.5.1 Installing libpcap 0.9.0-096
    3.5.2 Installing Perl Compatible Regular Expressions (PCRE) 5.0
    3.5.3 Installing Snort 2.3.1
    3.5.4 Configuring Snort
  3.6 Rootkit hunter

Chapter 4. E-mail Security tools installation and configuration
  4.1 Postfix
    4.1.1 Preparing to install Postfix
    4.1.2 Updating Postfix
    4.1.3 Postfix configuration files
    4.1.4 Configuring Postfix
  4.2 qmail
    4.2.1 Overview of qmail installation
    4.2.2 Preparing to install qmail
    4.2.3 Installing qmail
    4.2.4 Configuring qmail
  4.3 Clam AntiVirus
    4.3.1 Installing Clam Antivirus
    4.3.2 Configuring Clam AntiVirus for Postfix
    4.3.3 Configuring Clam Antivirus for qmail
    4.3.4 Adding Clam to system boot
  4.4 SpamAssassin
    4.4.1 Installing SpamAssassin
    4.4.2 Overview: Configuration of SpamAssassin
    4.4.3 Configuring SpamAssassin for Postfix
    4.4.4 Configuring SpamAssassin for qmail
    4.4.5 Adding SpamAssassin process

Recommended publications
  • Unit 13 E-Mail and E-Messaging
    UNIT 13 E-MAIL AND E-MESSAGING
    Structure
    13.0 Objectives
    13.1 Introduction
    13.2 E-mail
      13.2.1 Defining Email
      13.2.2 Need of Email
      13.2.3 Email Address
    13.3 Types of Email Services
      13.3.1 Free Web-based Email Services
      13.3.2 Priced Web-based Email Services
      13.3.3 Private Email Services
    13.4 Types of Email Account
      13.4.1 POP/IMAP Account
      13.4.2 Email Forwarder
      13.4.3 Mailing List
      13.4.4 Auto Responder
      13.4.5 Email Bouncer
      13.4.6 Email Blackhole
    13.5 Structure and Features of Email
      13.5.1 Header
      13.5.2 Body
      13.5.3 Features
    13.6 Functioning of Email Systems
      13.6.1 Protocols
      13.6.2 Delivery Agent
      13.6.3 Access Client
      13.6.4 Setting up Account
      13.6.5 Folder Management
    13.7 Messaging
      13.7.1 Instant Messaging
      13.7.2 Unified Messaging
    13.8 Issues with Messaging
      13.8.1 Spamming
      13.8.2 Privacy
      13.8.3 Security
    13.9 Widgets and Utilities
    13.10 Summary
    13.11 Answers to Self Check Exercises
    13.12 Keywords
    13.13 References and Further Reading
    13.0 OBJECTIVES
    After reading this Unit, you will be able to:
      • provide a detailed account about Email and Email service Providers;
      • explain in detail various Protocols used in Email service; and
      • discuss about Web 2.0 tools in Email.
    13.1 INTRODUCTION
    Electronic Mail is one of the most prominent uses of networked communication technology.
  • Set up Mail Server Documentation 1.0
    Set Up Mail Server Documentation 1.0 Nosy 2014 01 23
    Contents (surviving entries): 6.4 Webmail; 7.2 SQL; 8.2 strategy; 8.6 Telnet; 8.7 Can postfix receive?
  • Linux E-Mail Set Up, Maintain, and Secure a Small Office E-Mail Server
    Linux E-mail: Set up, maintain, and secure a small office e-mail server
    Ian Haycox, Alistair McDonald, Magnus Bäck, Ralf Hildebrandt, Patrick Ben Koetter, David Rusenko, Carl Taylor
    BIRMINGHAM - MUMBAI
    Copyright © 2009 Packt Publishing. All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
    First published: June 2005. Second edition: November 2009. Production Reference: 1051109.
    Published by Packt Publishing Ltd., 32 Lincoln Road, Olton, Birmingham, B27 6PA, UK. ISBN 978-1-847198-64-8. www.packtpub.com
  • Groupware Enterprise Collaboration Suite
    Groupware Enterprise Collaboration Suite
    Horde Groupware - the free, enterprise ready, browser based collaboration suite. Manage and share calendars, contacts, tasks and notes with the standards compliant components from the Horde Project.
    Horde Groupware Webmail Edition - the complete, stable communication solution. Combine the successful Horde Groupware with one of the most popular webmail applications available and trust in ten years experience in open source software development.
    Extend the Horde Groupware suites with any of the Horde modules, like file manager, bookmark manager, photo gallery, wiki, and many more.
    Core features of Horde Groupware
      • Public and shared resources (calendars, address books, task lists etc.)
      • Unlimited resources per user
      • 40 translations, right-to-left languages, unicode support
      • Global categories (tags)
      • Customizable portal screen with applets for weather, quotes, etc.
      • 27 different color themes
      • Online help system
      • Import and export of external groupware data
      • Synchronization with PDAs, mobile phones, groupware clients
      • Integrated user management, group support and permissions system
      • User preferences with configurable default values
      • WCAG 1.0 Priority 2/Section 508 accessibility
    Webmail
      • AJAX, mobile and traditional browser interfaces
      • IMAP and POP3 support
      • Message filtering
      • Message searching
      • HTML message composition with WYSIWYG editor
      • Spell checking
      • Built in attachment viewers
      • Encrypting and signing of messages (S/MIME and PGP)
      • Quota support
    AJAX Webmail
      • Application-like user interface
      • Classical
  • Subnet Routing Replace Logo
    Outline: INFOTECH Lecture IP Based Networks and Applications. Manuscript: Edition Summer 2004.
    Additional material and information on the course is available at http://www.jcho.de/jc/IPNA/
    Dr.-Ing. Joachim Charzinski. © Joachim Charzinski. This slide set is distributed to support students of the University of Stuttgart who attend the IPNA lecture http://www.jcho.de/IPNA/ during summer term 2004. All other use requires written permission by Joachim Charzinski.
    IPNA – IP based Networks and Applications, Table of Contents, 2004 Edition
    1. Introduction
      1.1 Overview of the lecture
      1.2 Internet History
      1.3 IP Standardisation
      1.4 Networking Basics Refresher
        1.4.1 Reference Model
        1.4.2 Circuit Switching and Packet Switching
        1.4.3 Local Area Networks
        1.4.4 Network Elements
      Questions
    2. Network Layer et.
    IPNA – IP based Networks and Applications, Table of Contents (2), 2004 Edition
    4. Applications and Application Layer Protocols
      4.1 Introduction
        4.1.1 Design Principles
        4.1.2 Contents Delineation
        4.1.3 Client-Server Paradigm
        4.1.4 Reply Codes
        4.1.5 Socket Concept
      4.2 DNS
      4.3 E-Mail
        4.3.1 SMTP
        4.3.2 MIME
        4.3.3 POP3
        4.3.4 IMAP
      4.4 HTTP
      4.5 Telnet
  • Computer System Administration. Topic 11. Secure E-Mail Service
    Computer System Design and Administration. Topic 11. Secure e-Mail service: SMTP Postfix, IMAP Dovecot (over SSL)
    José Ángel Herrero Velasco, Department of Computer and Electrical Engineering
    This work is published under a License: Creative Commons BY-NC-SA 4.0
    [Figure: "Puzzle" diagram of the course services, including Secure Information Server, Secure MAIL Server (SMTP Postfix, IMAP Dovecot), Network file server and Secure Web Server]
    Target: e-Mail services
    • Deployment and development of an INTERNET secure e-MAIL service based on SMTP/IMAP protocols:
      – Sending mail using SMTP protocol: Postfix.
      – Receiving mail using IMAP protocol: Dovecot.
      – Management of Maildrop: Maildirs.
      – MUA-MTA secure communication (encrypted): TLS/SSL.
    • Installation, configuration and start up of a Webmail client:
      – Roundcube.
      – Mailmain.
    The e-Mail system
    [Figure: protocol stack with HTTP, SMTP, IMAP over TCP/UDP over IP]
    • Definitions and basics:
      – E-Mail: the electronic mail system:
        • Network service that enables 2 users from different computers to send and receive (exchange) digital messages.
  • Oracle Communications Unified Communications Suite Certificate Authentication Guide, Release 7.0.6
    Oracle® Communications Unified Communications Suite Certificate Authentication Guide Release 7.0.6 July 2015 Oracle Communications Unified Communications Suite Certificate Authentication Guide, Release 7.0.6 Copyright © 2007, 2015, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs.
  • Postfixpostfix 2 /Usr/Ports/Mail/Postfix • • Postfix V2.9.2 Postfix   Postfix Postfix
    Postfix (Computer Center, CS, NCTU)
    • /usr/ports/mail/postfix
    • http://www.postfix.org
    • http://www.postfix.org/documentation.html
    • Postfix v2.9.2
    Role of Postfix
    • MTA that
      – Receive and deliver email over the network via SMTP
      – Local delivery directly or use other mail delivery agent
    • http://www.postfix.org/OVERVIEW.html
    Postfix Architecture
    Modular-design MTA
    • Not like sendmail of monolithic system
    • Decompose into several individual program that each one handle specific task
    • The most important daemon: master daemon
      – Reside in memory
      – Get configuration information from master.cf and main.cf
      – Invoke other process to do jobs
    Major tasks
    • Receive mail and put in queue
    • Queue management
    • Delivery mail from queue
    Postfix Architecture – Message IN
    Four ways
    • Local submission
      – postdrop command
      – maildrop queue
      – pickup daemon
      – cleanup daemon (header validation, address translation)
      – incoming queue
    • Network submission
      – smtpd daemon
    • Local forwarding
      – Resubmit for such as .forward
      – Envelope “to” is changed
    • Notification
    Postfix Architecture – Queue
    Five different queues
    • incoming
      – The first queue that every incoming email will stay
    • active
      – Queue manager will move message into active queue whenever there is enough system
  • How Qmail Works
    APPENDIX A: How qmail Works
    You don't need to understand how qmail works to install or use qmail. And you don't have to be an auto mechanic to operate a car or a watchmaker to tell time. But if you really want to master qmail, knowing exactly how it does what it does is crucial. Luckily, qmail's simple, modular design makes understanding how it works easy for a system as complex as a Mail Transfer Agent (MTA). This appendix takes a top-down approach: first looking at how the modules interact with each other, then looking at how each module does its job.
    High-Level Overview
    The grand division in qmail is between the modules that accept new messages and place them into the queue and the modules that deliver them from the queue. We'll call these functions receiving and sending. The separation between receiving and sending is complete: Either of these functions can be fully operational while the other is shut down. Figure A-1 shows the high-level organization of qmail.
    [Figure A-1. High-level qmail organization: Incoming Messages, Receiving, Queue, Sending, Delivered Messages]
    Receiving
    Messages enter the queue through two main routes: local injection using qmail-inject or sendmail and network injection using qmail-smtpd, qmail-qmtpd or qmail-qmqpd. Both of these routes use qmail-queue to actually inject their messages into the queue. Figure A-2 shows the organization of the receiving function.
    [Figure A-2. The receiving function: QMQP, QMTP and SMTP via tcpserver, and a local MUA, feeding the Queue]
    Sending
    Messages are delivered from the queue through two main routes: local delivery using qmail-local and remote delivery using qmail-remote.
  • Network Security & Auditing BSD Magazine
    CONTENTS
    Dear Readers,
    The January issue opens another year with BSD Magazine. We hope you enjoyed the last few. We start with a second part of our new light-hearted and non-technical column. Its aim is not to learn but to entertain and to inspire some reflection and (maybe) action. In Developers Corner Dru Lavigne reviewed the 2012 of BSD. Read it to recall the most important events, publications and releases of the last year. This time the flag article is about panoramic photography. You will have an opportunity to try it out with tools available under a BSD or any Unix like system, using only free open source software. In the ‘How To’ section you have a chance to read another part of PostgreSQL series about users and permissions managements. From the tutorials you will also learn how to ignore spam in 2013, since we get it more and more with each year. Especially for administrators we start a new series, where Rob Somerville will look at the tools, processes and methods involved in writing software, including developing a Content Management System (CMS) which will run under an AMP stack on FreeBSD, OpenBSD and Linux.
    We wish you a good read!
    Post Scriptum: Many thanks to iXsystems Company and its employees for their support and contribution.
    Editor in Chief: Ewa Dudzic
    Supportive Editor: Patrycja Przybyłowicz
    Contributing: Dru Lavigne, Rob Somerville, Luca Ferrari, William Olson, Carlos E. G. Carvalho
    Top Betatesters & Proofreaders: Barry Grumbine, Darren Pilgrim, Eric Geissinger, Henrik Andersén, Imad Soltani, Luca Ferrari, Luiz Claudio Pacheco, Mani Kanth, Rob Cabrera, Zander Hill
    Special Thanks: Denise Ebery
    Art Director: Ireneusz Pogroszewski
    DTP: Ireneusz Pogroszewski
    Senior Consultant/Publisher: Paweł Marciniak
  • Mini-HOWTO Install Qmail with MH
    mini-HOWTO install qmail with MH
    Christopher Richardson
    Table of Contents
      1. Introduction
      2. My System Details
      3. Qmail Installation
      4. MH Installation
      5. Fetchmail
      6. Exmh
      7. Procmail
      8. ISDN
  • Mail Server for a VPS: Postfix, Dovecot, Spamassassin, Policyd-Weight
    Mail server for a VPS: Postfix, Dovecot, Spamassassin, policyd-weight
    Full featured mail server with memory footprint small enough even for a VPS, with dovecot, postfix, spamassassin, clamav, policyd-weight with all the configs you need.
    UPDATE, 2014-12-18: I've recently written an updated version of a similar, better setup[^1].
    UPDATE, 2012-02-25: I've updated my system to Dovecot 2, and removed ClamAV from the whole line. I haven't received any virus mails in the last 4 years, also they usually end up as spam, and ClamAV was eating up ~300 MB memory total (50 RAM, 250 swap).
    For nearly 5 years, I always used Virtualmin GPL[^2] everywhere I could, because I did not have to configure many features myself, it came with pre-configs and really good backend scripts. But as always, it had a price: memory and CPU usage, which is a luxury in the world of VPS[^3]. I tried to look for the best solution to handle emails, filtering them for spam and virus, and the only system I came across was always Amavisd[^4]. amavisd is basically a wrapper for spam and virus filtering: it can simultaneously use more than one for both purposes, and most people say it's a nice program. Unfortunately, I tried to configure it, not just use it, and for me it was hell. I've known that Perl is somewhat evil[^5], but configuring amavisd is a mess at all, so I searched for a way to bypass it. It wasn't easy, but in the depth of the postfix forums, I've found out that postfix is able to pass the mail to a program, then catch the output and pass it to another program and so on.