Difference between revisions of "HowTos/ScalixSecurity"

From Scalix Wiki

Revision as of 21:08, 29 August 2006

Introduction

Securing your Scalix server gives your users a stable platform that can be reached all the time. It prevents unauthorized access by people trying to gain control over it or to gather sensitive information stored on it. Last but not least, it keeps your machine from being used for other purposes, such as scanning or attacking other hosts and relaying spam.


This How-To describes how to secure Scalix-based mail servers. If you see any gaps or have comments, please take some time to add them to this document; it helps others to implement secure servers that behave well on the internet.


The systems used to test the solutions presented in this How-To were based on:

  • CentOS 4.x with Scalix version 10.0.1
  • Fedora Core 4 with Scalix version 10.0.1


Note: This is work in progress and still incomplete. Add to this document as you like but try to preserve the layout.

Hardening services

Hardening is the process of minimizing security vulnerabilities. This is done by eliminating as many security risks as possible, e.g. removing unused services and programs and/or preventing required services from supplying sensitive information.


Change SMTP greeting

See http://www.scalix.com/wiki/index.php?title=HowTos/SMTP_Greeting


Change POP greeting

Standard POP session:

$ telnet mail 110
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
+OK Scalix POP3 interface ready on: mail.yourdomain.net
quit
+OK POP3 Server connection terminated
Connection closed by foreign host.

As you can see, the greeting line reveals sensitive information. However, it is not currently possible to configure the greeting line; an enhancement request was entered on 28 AUG 2006.


Change IMAP greeting

Standard IMAP session:

$ telnet mail 143
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
* OK Scalix IMAP server 10.0.1.3 ready on mail.yourdomain.net
a1 logout
* BYE Scalix IMAP Server logging out
a1 OK LOGOUT completed
Connection closed by foreign host.

As you can see, both the greeting and goodbye lines reveal sensitive information. You can change the greeting by setting the IMAP_GREETING tag in general.cfg, e.g. by adding "IMAP_GREETING=IMAPd" to the file.

Restart the IMAP daemon:

# omoff -d0 -w imap 
# omon imap

Custom IMAP session:

$ telnet mail 143
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
* OK IMAPd
a1 logout
* BYE Scalix IMAP Server logging out
a1 OK LOGOUT completed
Connection closed by foreign host.

It is not currently possible to configure the goodbye line; therefore the IMAP session still reveals the Scalix server (but no longer the version number). An enhancement request was entered on 28 AUG 2006.
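
To re-check the POP and IMAP banners after each configuration change without reading telnet output by hand, the following added example (not part of the original How-To or of Scalix) flags server lines that still name the product or a version. The function names and the regular expressions are assumptions made for this example; the sample sessions are the ones shown above.

```python
import re
import socket

PRODUCT_RE = re.compile(r"\bScalix\b", re.IGNORECASE)  # product name in the page's sessions
VERSION_RE = re.compile(r"\b\d+(?:\.\d+){1,3}\b")      # dotted version such as 10.0.1.3
SERVER_LINE = re.compile(r"^(\+OK|\* OK|\* BYE)\b")    # POP3 status, IMAP greeting, IMAP goodbye

# Server and client lines copied from the sessions shown on this page.
IMAP_DEFAULT = """* OK Scalix IMAP server 10.0.1.3 ready on mail.yourdomain.net
a1 logout
* BYE Scalix IMAP Server logging out
a1 OK LOGOUT completed"""
IMAP_CUSTOM = IMAP_DEFAULT.replace(
    "* OK Scalix IMAP server 10.0.1.3 ready on mail.yourdomain.net", "* OK IMAPd")
POP_DEFAULT = """+OK Scalix POP3 interface ready on: mail.yourdomain.net
quit
+OK POP3 Server connection terminated"""


def audit_line(line):
    """Return the kinds of information a single server line discloses."""
    findings = []
    if PRODUCT_RE.search(line):
        findings.append("product")
    if VERSION_RE.search(line):
        findings.append("version")
    return findings


def audit_session(transcript):
    """Map each disclosing server line (+OK, * OK, * BYE) to its findings."""
    report = {}
    for line in transcript.splitlines():
        line = line.strip()
        if SERVER_LINE.match(line) and audit_line(line):
            report[line] = audit_line(line)
    return report


def fetch_greeting(host, port, timeout=5.0):
    """Read the first line a live POP3 (110) or IMAP (143) server sends."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.makefile("r", encoding="ascii", errors="replace").readline().strip()


if __name__ == "__main__":
    for name, session in (("imap default", IMAP_DEFAULT), ("imap custom", IMAP_CUSTOM),
                          ("pop default", POP_DEFAULT)):
        print(name, audit_session(session))
```

Against a live server, pass the result of fetch_greeting("mail", 143) to audit_line; the goodbye line still has to be checked from a full session transcript.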


Change Apache information

t.b.d.


Running tomcat as non-root user

See http://www.scalix.com/wiki/index.php?title=HowTos/Tomcat

Usage of secure protocols

Force the use of https

Force your users to use the https protocol instead of the http protocol when they want to use webmail or sac. This way the information they supply won't be sent in plain text over the internet.

You achieve this by adding a VirtualHost section at the bottom of the Apache ssl.conf file (mod_ssl has to be installed for this to work).

<VirtualHost *:80>
  <LocationMatch "^/sac/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
  <LocationMatch "^/webmail/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
</VirtualHost>
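
To confirm the redirect after reloading Apache, the following added example (not part of the original How-To) requests a path on port 80 without following redirects and reports what is wrong with the answer. The function names are assumptions made for this example, and mail.yourdomain.net is the placeholder host name used elsewhere on this page.

```python
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def audit_redirect(host, path, status, location):
    """Return a list of problems with the port-80 response for `path`."""
    if status not in REDIRECT_CODES:
        return [f"{path}: answered over http with status {status}, no redirect"]
    problems = []
    target = urlsplit(location or "")
    if target.scheme != "https":
        problems.append(f"{path}: redirect target is not https ({location!r})")
    # The rule builds the target from %{SERVER_NAME}, so a mismatch here can
    # simply mean ServerName differs from the name clients use; review it.
    if target.hostname != host.lower():
        problems.append(f"{path}: redirect goes to host {target.hostname!r}, expected {host!r}")
    if target.path != path:
        problems.append(f"{path}: path changed to {target.path!r}")
    return problems


def probe(host, path, timeout=5.0):
    """Request `path` on port 80 (redirects are not followed) and audit the reply."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return audit_redirect(host, path, resp.status, resp.getheader("Location"))
    finally:
        conn.close()


if __name__ == "__main__":
    # Paths covered by the two LocationMatch sections above.
    for p in ("/webmail/", "/sac/"):
        print(p, probe("mail.yourdomain.net", p) or "ok")
```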

Setting up stunnel

t.b.d.

Let SMTP guests authenticate themselves

t.b.d.

Set up a firewall

Available services

t.b.d.

Iptables firewall

t.b.d.

Hardening system

Set up SELinux in a controlled way

t.b.d.