Difference between revisions of "HowTos/ScalixSecurity"

From Scalix Wiki
(Change Apache information)

Revision as of 22:52, 29 August 2006


Introduction

Securing your Scalix server gives your users a stable platform that can be reached all the time. It prevents unauthorized access by people trying to gain control over the machine or to gather the sensitive information stored on it. Last but not least, it prevents your machine from being used for other purposes, such as scanning or attacking other hosts and sending spam through an open relay.


This How-To describes how to secure Scalix based mail servers. If you see any gaps or have comments please take some time and add them to this document, it helps others to implement secure servers that behave well on the internet.


The systems used to test the solutions presented in this How-To were based on:

  • CentOS 4.x with Scalix version 10.0.1
  • Fedora Core 4 with Scalix version 10.0.1


Note: This is work in progress and still incomplete. Add to this document as you like but try to preserve the layout.


Hardening services

Hardening is the process of minimizing security vulnerabilities. This is done by eliminating as many security risks as possible, e.g. removing unused services and programs and/or preventing required services from supplying sensitive information (such as product names, version numbers and the operating system) to anyone who connects.

Change SMTP greeting

See http://www.scalix.com/wiki/index.php?title=HowTos/SMTP_Greeting

Change POP greeting

Standard POP session:

$ telnet mail 110
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
+OK Scalix POP3 interface ready on: mail.yourdomain.net
quit
+OK POP3 Server connection terminated
Connection closed by foreign host.

As you can see the greeting line reveals sensitive information (the product name). It is not currently possible to configure the POP greeting line; an enhancement request was entered on 28 AUG 2006.

Change IMAP greeting

Standard IMAP session:

$ telnet mail 143
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
* OK Scalix IMAP server 10.0.1.3 ready on mail.yourdomain.net
a1 logout
* BYE Scalix IMAP Server logging out
a1 OK LOGOUT completed
Connection closed by foreign host.

As you can see both the greeting and the goodbye line reveal sensitive information (the product name and its version number). You can change the greeting by setting the IMAP_GREETING tag in general.cfg, e.g. by adding the line "IMAP_GREETING=IMAPd" to the file.

Restart the IMAP daemon:

# omoff -d0 -w imap 
# omon imap

Custom IMAP session:

$ telnet mail 143
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
* OK IMAPd
a1 logout
* BYE Scalix IMAP Server logging out
a1 OK LOGOUT completed
Connection closed by foreign host.

It is not currently possible to configure the goodbye line, therefore the IMAP session still reveals the Scalix server (but not the version number anymore). An enhancement request has been entered on 28 AUG 2006.
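The script below is an added example for this how-to, not code from the Scalix wiki or from Scalix itself. It applies the IMAP_GREETING change without leaving a second IMAP_GREETING line behind when it is re-run, restarts the IMAP daemon with the omoff/omon commands shown above, and reads the new greeting back over a socket so the change is verified the same way it was found. The location of general.cfg (taken from the SCALIX_GENERAL_CFG variable, with a default path that is an assumption) and the instance name are not from the page; adjust them to your installation.

```shell
#!/bin/bash
# Added example for HowTos/ScalixSecurity; not part of the Scalix wiki or product.
# Sets IMAP_GREETING in general.cfg idempotently, restarts IMAP, reads the greeting back.

# Set KEY=VALUE in a Scalix-style config file: replace an existing KEY= line,
# otherwise append one. Running it twice leaves exactly one KEY= line.
set_cfg_tag() {
    local file=$1 key=$2 value=$3
    if grep -q "^${key}=" "$file"; then
        sed -i "s|^${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Print the current value of KEY in FILE (prints nothing if the tag is unset).
get_cfg_tag() {
    sed -n "s/^${2}=//p" "$1"
}

# Read only the greeting line of a TCP service (IMAP on 143, POP3 on 110) using
# bash's /dev/tcp, then drop the connection without asking for the goodbye line.
service_greeting() {
    local host=$1 port=$2 greeting
    exec 3<>"/dev/tcp/$host/$port" || return 1
    IFS= read -r -t 5 greeting <&3
    exec 3<&-
    printf '%s\n' "$greeting" | tr -d '\r'
}

# ASSUMPTION: general.cfg lives under the Scalix instance directory; override
# with SCALIX_GENERAL_CFG=/path/to/general.cfg if your layout differs.
CFG=${SCALIX_GENERAL_CFG:-/var/opt/scalix/sx/s/sys/general.cfg}

# Only touch the live system when explicitly asked: ./imap-greeting.sh apply
if [ "${1:-}" = "apply" ]; then
    set_cfg_tag "$CFG" IMAP_GREETING IMAPd
    echo "general.cfg now has IMAP_GREETING=$(get_cfg_tag "$CFG" IMAP_GREETING)"
    omoff -d0 -w imap && omon imap      # restart the IMAP daemon (Scalix commands from the page)
    echo "IMAP greeting is now: $(service_greeting localhost 143)"
fi
```

Run it as root on the Scalix server with the argument `apply`; without it the script only defines the functions, so it can be sourced from other hardening scripts. The greeting check deliberately reads just the first line: after the change the server still announces itself as Scalix in the goodbye line, which this check does not request.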

Change Apache information

By default Apache supplies a lot of information about the system (web server version and Linux distribution). In this section we will minimize the information provided.

  • Replace default page

When you surf to http://mail.yourdomain.net you get the default page. This will tell you something like 'Apache 2 Test Page powered by CentOS'. Replace this with your own page or a blank page.

  • Change error information

From the Windows command line, telnet to your mail server on port 80, then break the connection (Ctrl+C and Enter). The Ctrl+C byte (0x03) is sent to Apache as the request method, Apache answers with its "501 Method Not Implemented" page, and the Windows console shows the echoed 0x03 byte as ♥. (The Linux telnet client does not display the page this way; use the HEAD request below instead.)

C:\>telnet mail.yourdomain.net 80
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>♥ to /index.html not supported.<br />
</p>
<hr />
<address>Apache/2.0.52 (CentOS) Server at mail.yourdomain.net Port 80</address>
</body></html>
Connection to host lost.

Or from the Linux command line, send a HEAD request (RFC 2616, section 9.4) and read the response headers. Type the request line, then press Enter once more: the empty line terminates the request.

$ telnet mail 80
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 29 Aug 2006 22:32:32 GMT
Server: Apache/2.0.52 (CentOS)
Last-Modified: Wed, 23 Aug 2006 22:09:41 GMT
ETag: "44f1f-9bd-998d1340"
Accept-Ranges: bytes
Content-Length: 2493
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Connection closed by foreign host.

As you can see both the footer of the error page and the Server header reveal sensitive information: the exact Apache version and the Linux distribution. You can change this by ...
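The following script is an added example for this section, not code from the Scalix wiki or from Scalix. It repeats the HEAD probe above with bash's /dev/tcp instead of telnet, classifies what a banner or greeting line gives away (this also covers the POP and IMAP greetings shown earlier on this page), and writes the two Apache directives that remove the leak: ServerTokens Prod reduces the header to "Server: Apache", and ServerSignature Off drops the "Apache/2.0.52 (CentOS) Server at ... Port 80" footer from error pages. The sample response embedded in the script is copied from the transcript above rather than captured live, and the drop-in file name /etc/httpd/conf.d/banner.conf is an assumption.

```shell
#!/bin/bash
# Added example for HowTos/ScalixSecurity; not part of the Scalix wiki or product.
# Audits service banners for the leaks shown on this page and writes the Apache fix.

# Print the value of the Server header from an HTTP response read on stdin.
# Stops at the blank line that ends the header block so the body is never scanned.
http_server_header() {
    tr -d '\r' | sed -n -e '/^$/q' -e 's/^[Ss]erver:[[:space:]]*//p'
}

# Classify what one banner or greeting line gives away. Prints a space-separated
# subset of "product version os"; prints nothing for a clean banner such as "* OK IMAPd".
banner_findings() {
    local line=$1 out=""
    printf '%s\n' "$line" | grep -Eq 'Apache|Scalix|Tomcat' && out="$out product"
    printf '%s\n' "$line" | grep -Eq '[0-9]+\.[0-9]+(\.[0-9]+)*' && out="$out version"
    printf '%s\n' "$line" | grep -Eq 'CentOS|Fedora|Red Hat|Debian|Ubuntu|Unix|Win32' && out="$out os"
    printf '%s\n' "${out# }"
}

# Fetch the response headers of a live server with a HEAD request, which is what
# the telnet transcript above does by hand. Usage: http_head_headers host [port]
http_head_headers() {
    local host=$1 port=${2:-80}
    exec 3<>"/dev/tcp/$host/$port" || return 1
    printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" >&3
    cat <&3
    exec 3<&-
}

# Write the directives that stop Apache from naming its version and distribution.
# The file name is an assumption; any file that httpd.conf includes will do.
write_apache_banner_conf() {
    cat > "$1" <<'EOF'
# Server header becomes "Server: Apache" instead of "Apache/2.0.52 (CentOS)"
ServerTokens Prod
# Error pages lose the "Apache/2.0.52 (CentOS) Server at ... Port 80" footer
ServerSignature Off
EOF
}

# Constructed sample (copied from the transcript on this page), used when no host is given.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Tue, 29 Aug 2006 22:32:32 GMT
Server: Apache/2.0.52 (CentOS)
Content-Type: text/html; charset=UTF-8
'

if [ $# -ge 1 ]; then
    response=$(http_head_headers "$1" "${2:-80}")
else
    response=$SAMPLE_RESPONSE
fi
server=$(printf '%s\n' "$response" | http_server_header)
printf 'Server header: %s\n' "${server:-<none>}"
printf 'Leaks:         %s\n' "$(banner_findings "$server")"

# The same classifier applied to the POP and IMAP greetings quoted on this page.
for b in '+OK Scalix POP3 interface ready on: mail.yourdomain.net' \
         '* OK Scalix IMAP server 10.0.1.3 ready on mail.yourdomain.net' \
         '* OK IMAPd'; do
    printf '%-65s -> %s\n' "$b" "$(banner_findings "$b")"
done

# To apply the Apache fix (as root), then restart httpd and re-run this script:
#   write_apache_banner_conf /etc/httpd/conf.d/banner.conf && service httpd restart
```

With ServerTokens Prod in place the probe reports "Server: Apache" and the classifier returns only "product"; the word Apache itself cannot be removed without patching or fronting the server, which is out of scope here. Note that ServerTokens is a server-wide setting and is not honoured inside a VirtualHost.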

Running tomcat as non-root user

See http://www.scalix.com/wiki/index.php?title=HowTos/Tomcat


Usage of secure protocols

Force to use https

Force your users to use the https protocol instead of http when they want to use webmail or sac. This way the credentials and mail they exchange with the server are not sent in plain text over the internet.

You achieve this by adding a VirtualHost section at the bottom of the Apache ssl.conf file (mod_ssl and mod_rewrite have to be installed and loaded for this to work). The R flag without a status code sends a 302 (temporary) redirect; use [R=301,L] if browsers should remember the move.

<VirtualHost *:80>
  <LocationMatch "^/sac/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
  <LocationMatch "^/webmail/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
</VirtualHost>
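The script below is an added example, not code from the Scalix wiki or from Scalix: it checks that the port-80 VirtualHost above actually bounces /sac and /webmail to https, by making the plain-http request itself and verifying the status line and the Location header (a redirect to http://, or to a different host or path, is counted as a failure). The two responses embedded in the script are constructed stand-ins for a live server; pass a hostname to probe the real one.

```shell
#!/bin/bash
# Added example for HowTos/ScalixSecurity; not part of the Scalix wiki or product.
# Verifies the http -> https redirect configured in the VirtualHost above.

# Parse an HTTP response on stdin; print "<status> <location>" ("-" when there is
# no Location header). Parsing stops at the blank line that ends the headers.
redirect_target() {
    tr -d '\r' | awk '
        NR == 1                    { status = $2 }
        /^$/                       { exit }
        tolower($1) == "location:" { loc = $2 }
        END                        { print status, (loc == "" ? "-" : loc) }'
}

# Accept only a 301/302/307 whose Location is the https URL for the same host
# and path. Arguments: host path "<status> <location>" (as printed above).
is_https_redirect() {
    local host=$1 path=$2 parsed=$3 status loc
    status=${parsed%% *}
    loc=${parsed#* }
    case $status in 301|302|307) ;; *) return 1 ;; esac
    [ "$loc" = "https://$host$path" ]
}

# Make the plain-http request for PATH on HOST and print the parsed result.
probe() {
    local host=$1 path=$2
    exec 3<>"/dev/tcp/$host/80" || return 1
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$path" "$host" >&3
    redirect_target <&3
    exec 3<&-
}

# Print PASS/FAIL for one parsed result; returns 1 on FAIL.
check() {
    local host=$1 path=$2 parsed=$3
    if is_https_redirect "$host" "$path" "$parsed"; then
        echo "PASS $path -> $parsed"
    else
        echo "FAIL $path -> $parsed"
        return 1
    fi
}

# Constructed responses standing in for a live server.
GOOD='HTTP/1.1 302 Found
Location: https://mail.yourdomain.net/webmail/
Content-Length: 0
'
BAD='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
'

if [ $# -ge 1 ]; then
    for path in /sac/ /webmail/; do
        check "$1" "$path" "$(probe "$1" "$path")" || :
    done
else
    check mail.yourdomain.net /webmail/ "$(printf '%s' "$GOOD" | redirect_target)" || :
    check mail.yourdomain.net /webmail/ "$(printf '%s' "$BAD" | redirect_target)" || :
fi
```

Run it as `./check-redirect.sh mail.yourdomain.net` after restarting Apache. A FAIL with status 200 means the request was served in the clear, which is exactly what the VirtualHost is meant to prevent; check that mod_rewrite is loaded and that the section sits in a file httpd actually reads.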

Setting up stunnel

t.b.d. - anyone???

Let SMTP guests authenticate themselves

t.b.d. - anyone???


Set up a firewall

Available services

t.b.d.

Iptables firewall

t.b.d.


Hardening system

Set up SELinux in a controlled way

t.b.d. - anyone???