Difference between revisions of "HowTos/ScalixSecurity"

From Scalix Wiki
Revision as of 09:12, 30 August 2006


Introduction

Securing your Scalix server gives your users a stable platform that is reachable at all times. It prevents unauthorized access by people trying to gain control over the server or to gather the sensitive information stored on it. Last but not least, it keeps your machine from being used for other purposes, such as scanning or attacking other hosts and sending spam through an open relay.


This How-To describes how to secure Scalix based mail servers. If you see any gaps or have comments, please take some time to add them to this document; it helps others implement secure servers that behave well on the internet.


The systems used to test the solutions presented in this How-To were based on:

  • CentOS 4.x with Scalix version 10.0.1 (RHEL 4 and Fedora Core 4 should behave similarly)


Note: This is work in progress and still incomplete. Add to this document as you like but try to preserve the layout.


Hardening services

Hardening is the process of minimizing security vulnerabilities. This is done by eliminating as many security risks as possible, e.g. removing unused services and programs and/or preventing required services from supplying sensitive information.

Change SMTP greeting

See http://www.scalix.com/wiki/index.php?title=HowTos/SMTP_Greeting

Change POP greeting

Standard POP session:

$ telnet mail 110
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
+OK Scalix POP3 interface ready on: mail.yourdomain.net
quit
+OK POP3 Server connection terminated
Connection closed by foreign host.

As you can see, the greeting line reveals the Scalix server (but not its version number). It is not currently possible to configure the greeting line; an enhancement request was entered on 28 AUG 2006.

Change IMAP greeting

Standard IMAP session:

$ telnet mail 143
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
* OK Scalix IMAP server 10.0.1.3 ready on mail.yourdomain.net
a1 logout
* BYE Scalix IMAP Server logging out
a1 OK LOGOUT completed
Connection closed by foreign host.

As you can see, both the greeting and the goodbye line reveal sensitive information. You can change the greeting by setting the IMAP_GREETING tag in general.cfg, e.g. by adding "IMAP_GREETING=IMAPd" to the file.

Restart the IMAP daemon:

# omoff -d0 -w imap 
# omon imap

Custom IMAP session:

$ telnet mail 143
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
* OK IMAPd
a1 logout
* BYE Scalix IMAP Server logging out
a1 OK LOGOUT completed
Connection closed by foreign host.

It is not currently possible to configure the goodbye line, so the IMAP session still reveals the Scalix server (but no longer the version number). An enhancement request was entered on 28 AUG 2006.

Change Apache information

By default Apache supplies a lot of information about the system. In this section we will minimize the information provided.

  • Replace default page

When you surf to http://mail.yourdomain.net you get the default page. This will tell you something like 'Apache 2 Test Page powered by CentOS'. Replace this with your own page or a blank page.

  • Change error/header information

Telnet from the Linux command line to mailserver port 80 and ask for the header information (HEAD / HTTP).

$ telnet mail.yourdomain.net 80
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
HEAD / HTTP

HTTP/1.1 200 OK
Date: Tue, 29 Aug 2006 22:32:32 GMT
Server: Apache/2.0.52 (CentOS)
Last-Modified: Wed, 23 Aug 2006 22:09:41 GMT
ETag: "44f1f-9bd-998d1340"
Accept-Ranges: bytes
Content-Length: 2493
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Connection closed by foreign host.

As you can see, the telnet session reveals sensitive information. You can change this by editing the httpd.conf file: make the ServerTokens directive read Prod and the ServerSignature directive read Off. The last directive is outdated after Apache version 2.0.44; see http://www.sans.org/top20/2003/#u3 for more information.

Restart the HTTP daemon:

# service httpd restart

Telnet again to the mail server:

$ telnet mail.yourdomain.net 80
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
HEAD / HTTP

HTTP/1.1 200 OK
Date: Tue, 29 Aug 2006 23:04:44 GMT
Server: Apache
Last-Modified: Wed, 23 Aug 2006 22:09:41 GMT
ETag: "44f1f-9bd-998d1340"
Accept-Ranges: bytes
Content-Length: 2493
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Connection closed by foreign host.

The telnet session still contains the product name, but the version number and OS name are gone. You can change the product name by getting the Apache source code, editing the file httpd.h, and compiling and reinstalling Apache. However, keep in mind that you then can no longer apply the Apache (and associated module) security updates provided for your system, which might pose an even bigger security risk.
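The POP, IMAP and Apache greetings above can be checked in one place after hardening. The following script is an added example, not part of the original wiki page or of Scalix; it classifies a greeting line or HTTP Server header by what it reveals (product name, version number, OS name) using the banners from this page as constructed samples, and includes a helper that fetches a live banner from a host you administer (hostname and ports are assumptions).

```python
import re
import socket

# Constructed samples modelled on the greetings and headers shown on this
# page; they are not live output from any server.
SAMPLE_BANNERS = {
    "pop3-default": "+OK Scalix POP3 interface ready on: mail.yourdomain.net",
    "imap-default": "* OK Scalix IMAP server 10.0.1.3 ready on mail.yourdomain.net",
    "imap-hardened": "* OK IMAPd",
    "http-default": "Server: Apache/2.0.52 (CentOS)",
    "http-hardened": "Server: Apache",
}

# Three kinds of disclosure a hardened banner should not contain: a product
# name, a dotted version number, and an OS/distribution name in parentheses.
PRODUCT_RE = re.compile(r"\b(Scalix|Apache|Sendmail|Postfix|Dovecot|Cyrus)\b", re.I)
VERSION_RE = re.compile(r"\b\d+\.\d+(\.\d+)*\b")
OS_RE = re.compile(r"\((CentOS|Red Hat|Fedora|Debian|Ubuntu|Unix|Win32)[^)]*\)", re.I)


def classify_banner(banner: str) -> dict:
    """Report which kinds of information a greeting line or Server header leaks."""
    return {
        "product": bool(PRODUCT_RE.search(banner)),
        "version": bool(VERSION_RE.search(banner)),
        "os": bool(OS_RE.search(banner)),
    }


def is_hardened(banner: str) -> bool:
    """A banner counts as hardened only when it reveals none of the three."""
    return not any(classify_banner(banner).values())


def fetch_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """Read the first line a service sends on connect (POP3/IMAP greeting).
    On port 80 send a HEAD request instead and return the Server header."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if port == 80:
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            for line in sock.makefile("r", encoding="latin-1"):
                if line.lower().startswith("server:"):
                    return line.strip()
            return ""
        return sock.makefile("r", encoding="latin-1").readline().strip()


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:15} hardened={is_hardened(banner)!s:5} {classify_banner(banner)}")
```

Run `fetch_banner("mail.yourdomain.net", 143)` (hostname assumed) against your own server after a restart and pass the result to `is_hardened` to confirm the change took effect.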

  • Remove version numbers from the Webmail and SAC logon pages

...

Running tomcat as non-root user

See http://www.scalix.com/wiki/index.php?title=HowTos/Tomcat


Usage of secure protocols

Force to use https

Force your users to use the https protocol instead of http when they want to use Webmail or SAC. This way the information they supply won't be sent in plain text over the internet.

You achieve this by adding a VirtualHost section at the bottom of the Apache ssl.conf file (mod_ssl has to be installed for this to work).

<VirtualHost *:80>
  <LocationMatch "^/sac/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
  <LocationMatch "^/webmail/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
</VirtualHost>

Setting up stunnel

t.b.d. - anyone???

Let SMTP guests authenticate themselves

t.b.d. - anyone???


Set up a firewall

Available services

t.b.d.

Iptables firewall

t.b.d.


Hardening system

Set up SELinux in a controlled way

t.b.d. - anyone???