HowTos/ScalixSecurity
Revision as of 22:49, 13 February 2009


Introduction

Securing your Scalix server gives your users a stable platform that is reachable all the time. It prevents unauthorized access by people trying to gain control over the server or to gather the sensitive information stored on it. Last but not least, it prevents your machine from being used for other purposes, such as scanning or attacking other hosts and spamming through relaying.


This How-To describes how to secure Scalix based mail servers and how to keep them secure.


The systems used to test the solutions presented in this How-To were based on:

  • CentOS 4.x with Scalix version 10.0.1 (RHEL 4 and Fedora Core 4 should behave similarly)
  • CentOS 4.x with Scalix version 11.0.3 (RHEL 4 and Fedora Core 4 should behave similarly)

Note: This is work in progress and still incomplete. If you see any gaps or have comments please take some time and add them to this document, it helps others to implement secure servers that behave well on the internet.


Harden system and services

Hardening is the process of minimizing security vulnerabilities. This is done by eliminating as many security risks as possible, e.g. removing unused services and programs and/or preventing required services from supplying sensitive information.

Install Bastille-Linux

Bastille-Linux will help you harden your system as a whole. Before using this software please check whether your OS is supported on http://www.bastille-linux.org/running_bastille_on.htm (this is also where you can download the rpm or source files).

Install the latest Bastille-Linux rpm:

# rpm -ihv Bastille-3.0.9-1.0.noarch.rpm

Install perl-Curses to run Bastille-Linux in text mode (dag repo has to be available):

# yum install perl-Curses --enablerepo=dag

Run Bastille-Linux for text mode hardening:

# bastille -c

During the hardening process read the questions carefully.

  • Do not deactivate or limit Sendmail and Apache
  • Do not deactivate the symbolic links from the Apache document root if you have a site that need those. However check that the symbolic links do not point outside the Apache document root (# find /var/www/html/ -type l -exec ls -l {} \;), since that might pose a security risk.
  • Determine whether you want the enhanced Bastille-Linux firewall or the simple built-in OS firewall (see section Setup Firewall)

Afterwards you can see what Bastille-Linux did, using the logfiles in /var/log/Bastille/.

Change SMTP greeting

See http://www.scalix.com/wiki/index.php?title=HowTos/SMTP_Greeting

Important Note: Changing the EXTENSIONS= line can have side effects. The extensions listed there are advertised by the SMTP relay in its response to the connecting system's EHLO command. If you remove the AUTH extension, for example, clients will no longer try to authenticate, so do not do that in environments where the SMTP port is also used for authenticated message submission. In case of doubt, leave the EXTENSIONS= line alone and change only the GREETING.

Note: the smtpd.cfg file is read-only; use these commands to write to it:

# chmod u+w /var/opt/scalix/sys/smtpd.cfg
# vi /var/opt/scalix/sys/smtpd.cfg  =>  "EXTENSIONS=" and "GREETING=SMTPd"
# chmod u-w /var/opt/scalix/sys/smtpd.cfg

Change POP greeting

Standard POP session:

$ telnet mail.yourdomain.net 110
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
+OK Scalix POP3 interface ready on: mail.yourdomain.net
quit
+OK POP3 Server connection terminated
Connection closed by foreign host.

As you can see the greeting line reveals the Scalix server (but not its version number). You can change the greeting by adding "POP3_GREETING=Pop3" to general.cfg and restarting pop3.

Restart the POP3 daemon:

# omoff -d 0 pop3
# omon pop3

Custom POP3 session

$ telnet mail.yourdomain.net 110
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
+OK Pop3
quit
+OK POP3 Server connection terminated
Connection closed by foreign host.

Change IMAP greeting

Standard IMAP session:

$ telnet mail.yourdomain.net 143
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
* OK Scalix IMAP server 10.0.1.3 ready on mail.yourdomain.net
a1 logout
* BYE Scalix IMAP Server logging out
a1 OK LOGOUT completed
Connection closed by foreign host.

As you can see, both the greeting and the goodbye line reveal sensitive information. You can change the greeting by setting the IMAP_GREETING tag in general.cfg, e.g. by adding "IMAP_GREETING=IMAPd" to the file.

Restart the IMAP daemon:

# omoff -d0 -w imap 
# omon imap

Custom IMAP session:

$ telnet mail.yourdomain.net 143
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
* OK IMAPd
a1 logout
* BYE Scalix IMAP Server logging out
a1 OK LOGOUT completed
Connection closed by foreign host.

It is not currently possible to configure the goodbye line, therefore the IMAP session still reveals the Scalix server (but not the version number anymore). An enhancement request has been entered on 28 AUG 2006.

Change Apache information

By default Apache supplies a lot of information about the system. In this section we will minimize the information provided.

  • Replace default page

When you surf to http://mail.yourdomain.net you get the default page. This will tell you something like 'Apache 2 Test Page powered by CentOS'. Replace this with your own page or a blank page.

  • Change error/header information

Telnet from the Linux command line to mailserver port 80 and ask for the header information (HEAD / HTTP).

$ telnet mail.yourdomain.net 80
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
HEAD / HTTP

HTTP/1.1 200 OK
Date: Tue, 29 Aug 2006 22:32:32 GMT
Server: Apache/2.0.52 (CentOS)
Last-Modified: Wed, 23 Aug 2006 22:09:41 GMT
ETag: "44f1f-9bd-998d1340"
Accept-Ranges: bytes
Content-Length: 2493
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Connection closed by foreign host.

As you can see, the telnet session reveals sensitive information. You can change this by editing httpd.conf: set the ServerTokens directive to Prod and ServerSignature to Off. Since Apache 2.0.44 the ServerTokens setting also controls how much the ServerSignature footer shows, so set both; see http://www.sans.org/top20/2003/#u3 for more information.

Restart the HTTP daemon:

# service httpd restart

Telnet again to the mail server:

$ telnet mail.yourdomain.net 80
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
HEAD / HTTP

HTTP/1.1 200 OK
Date: Tue, 29 Aug 2006 23:04:44 GMT
Server: Apache
Last-Modified: Wed, 23 Aug 2006 22:09:41 GMT
ETag: "44f1f-9bd-998d1340"
Accept-Ranges: bytes
Content-Length: 2493
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Connection closed by foreign host.

The telnet session still contains the product name, but the version number and OS name are gone. You can change the product name by getting the Apache source code, editing the file httpd.h, compiling and reinstalling Apache. Keep in mind, however, that you then can no longer use the distribution's security updates for Apache (and its modules), which may pose an even bigger security risk than the product name.

  • Remove version numbers from the Webmail and SAC logon pages

...
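The POP3, IMAP and Apache checks above are done by hand with telnet. The following script is an added example, not part of this wiki page or of Scalix, that automates them: it captures the greeting of each listener (plus the IMAP goodbye line and the HTTP Server: header) and reports whether a product name, a version number or an OS name is still visible. It assumes bash (for /dev/tcp), the default ports and a 5 second read timeout; the host name is a placeholder.

```bash
#!/bin/bash
# banner_audit.sh - added example, not from the Scalix wiki. Connects to the
# POP3, IMAP, SMTP and HTTP listeners of a host, captures the greeting (for
# IMAP also the goodbye line, which this page says cannot be changed) and
# reports what each line gives away. Needs bash for /dev/tcp; the host name
# and the 5 s read timeout are assumptions.

# Classify one server line. Prints the leak classes found (product, version,
# os) separated by commas, or "clean"; exit status 1 when anything leaked.
banner_leaks() {
    line=$1
    found=""
    # product names this page is concerned with
    if printf '%s\n' "$line" | grep -Eiq 'scalix|apache|sendmail|tomcat'; then
        found="${found}product,"
    fi
    # a dotted version number such as 10.0.1.3 or 2.0.52
    if printf '%s\n' "$line" | grep -Eq '[0-9]+\.[0-9]+(\.[0-9]+)*'; then
        found="${found}version,"
    fi
    # OS or distribution tag as Apache prints it, e.g. "(CentOS)"
    if printf '%s\n' "$line" | grep -Eiq '\((centos|red hat|fedora|unix|linux)\)'; then
        found="${found}os,"
    fi
    if [ -z "$found" ]; then
        echo clean
        return 0
    fi
    echo "${found%,}"
    return 1
}

# Connect to host:port, send one command, print the server's lines until it
# closes the connection or stays silent for 5 s (CRs stripped).
grab() {
    exec 3<>"/dev/tcp/$1/$2" || return 1
    printf '%s\r\n' "$3" >&3
    while IFS= read -r -t 5 line <&3; do
        printf '%s\n' "${line%$'\r'}"
    done
    exec 3<&-
}

# Print "port verdict line" for one captured line; status as banner_leaks.
check() {
    if [ -z "$2" ]; then
        printf '%-4s %-19s\n' "$1" "no answer"
        return 1
    fi
    verdict=$(banner_leaks "$2")
    status=$?
    printf '%-4s %-19s %s\n' "$1" "$verdict" "$2"
    return $status
}

# Audit all four services of a host; exit status 1 if any line leaked.
audit_host() {
    host=$1
    rc=0
    check 110 "$(grab "$host" 110 QUIT | sed -n 1p)" || rc=1
    imap=$(grab "$host" 143 'a1 LOGOUT')
    check 143 "$(printf '%s\n' "$imap" | sed -n 1p)" || rc=1
    check 143 "$(printf '%s\n' "$imap" | grep '^\* BYE')" || rc=1
    check 25  "$(grab "$host" 25 QUIT | sed -n 1p)" || rc=1
    check 80  "$(grab "$host" 80 $'HEAD / HTTP/1.0\r\n' | grep -i '^Server:')" || rc=1
    return $rc
}

# Usage: banner_audit.sh mail.yourdomain.net
if [ -n "$1" ]; then
    audit_host "$1"
fi
```

Run it before and after the changes: afterwards every line should read clean, except the IMAP BYE line, which still shows the product name as described above.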

Run tomcat as non-root user

See http://www.scalix.com/wiki/index.php?title=HowTos/Tomcat

Notes:

1. See if tomcat is running as root:

# ps aux | grep tomcat

2. Create a user and a group named tomcat:

# useradd tomcat

3. Make tomcat actually run as non-root user:

# vi /etc/init.d/scalix-tomcat
  => make startup and shutdown line look like:
     startup="/bin/su - tomcat -c $CATALINA_HOME/bin/startup.sh"
     shutdown="/bin/su - tomcat -c $CATALINA_HOME/bin/shutdown.sh"
# chown -R tomcat.tomcat /opt/scalix-tomcat/
# chmod go+r /etc/opt/scalix/caa/scalix.res/config/psdata

4. Now do the things described in the link above.

5. Restart tomcat service:

# service scalix-tomcat restart

6. Check if tomcat is running as user tomcat:

# ps aux | grep tomcat

For troubleshooting you can have a look at the tomcat logfiles, located in /opt/scalix-tomcat/logs/. You can increase the verbosity of the logs by setting INFO to DEBUG in the /etc/opt/scalix/caa/config/log4j.properties file.


Warning: This section is not yet complete, there are still the following issues:

1. I don't know the security implication of giving the psdata file world read rights (but it keeps the errors out of caa.log).

2. Starting tomcat gives the following error, but it runs afterwards:

# /etc/init.d/scalix-tomcat.changed start
Starting Tomcat service:  execvp: No such file or directory [FAILED]

3. When I try to get the log of the RES service in SAC, I get "Password:" written on the console.

4. Stopping tomcat gives the following error AND it won't stop:

# /etc/init.d/scalix-tomcat.changed stop
Stopping Tomcat service:  execvp: No such file or directory [FAILED]

Please help to get this section complete, by solving these issues!

Set up SELinux

t.b.d. - anyone???


Use secure protocols

Force to use https

Force your users to use the https protocol instead of the http protocol when they want to use webmail or sac. This way the information they supply (including their passwords) won't be sent in plain text over the internet.

For Scalix 10.x and earlier, you achieve this by adding a VirtualHost section at the bottom of the Apache ssl.conf file (mod_ssl and mod_rewrite have to be installed for this to work).

<VirtualHost *:80>
  <LocationMatch "^/sac/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
  <LocationMatch "^/webmail/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
</VirtualHost>

For Scalix 11.x and higher, edit the instance-<scalix-server-hostname>.conf file in /etc/opt/scalix-tomcat/connector/jk and /etc/opt/scalix-tomcat/connector/ajp and replace the VirtualHost section in both these files,

<VirtualHost *:80>
   Include /etc/opt/scalix-tomcat/connector/<conn>/app-<scalix-server-hostname>.*.conf
</VirtualHost>

with,

<VirtualHost *:80>
  Include /etc/opt/scalix-tomcat/connector/<conn>/app-<scalix-server-hostname>.*.conf
  <LocationMatch "^/sac/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
  <LocationMatch "^/webmail/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
</VirtualHost>

Note: Replace <conn> with appropriate connector name and replace <scalix-server-hostname> with your Scalix Server hostname.

Note that the changes to these instance files are overwritten on each Scalix version update; this is a known issue that is expected to be resolved in the release after 11.0.4.

Setting up stunnel

stunnel can be configured to allow IMAPS, POP3S and SMTPS connections to the Scalix server as follows:

1) Edit /etc/stunnel/stunnel.conf to ensure the following lines are present and uncommented:

[pop3s]
accept  = 995
connect = 110

[imaps]
accept  = 993
connect = 143

# Caution: may create open relay
#          See end of article for workaround information
[ssmtp]
accept  = 465
connect = 25

This forwards the secure ports to the non-secure ones on localhost. You would normally not open the non-secure ports through the firewall; if your Scalix server accepts incoming internet mail, port 25 still has to be open for other mail servers.

To enable Outlook connection via SSL (introduced with Scalix 11.3) you have to add the following lines to /etc/stunnel/stunnel.conf:

[uals]
accept = 5767
connect = 5729

If you want to use LDAP through a secure connection set:

[ldaps]
accept = 636
connect = 389

In a multihomed or clustered environment you should use the "host:port" syntax for the accept and connect lines.

2) Ensure that the stunnel certificate contains the correct information. /etc/stunnel/stunnel.conf has the following setting:

cert = /etc/stunnel/stunnel.pem

Note: If using a non-default location, enter this line at the top of stunnel.conf to ensure it does not get grouped under one of the [] settings.

To create a new self-signed certificate you can use the openssl Makefile (/usr/share/ssl/certs on CentOS 4, /etc/pki/tls/certs on CentOS 5):

cd /usr/share/ssl/certs
make /etc/stunnel/stunnel.pem

Enter in the requested information *but* make sure that the Common Name is entered as the hostname that users will be connecting to otherwise they will see certificate errors.

The following example init.d script can be used to ensure that stunnel is started at boot time.

#!/bin/bash
#
# stunnel      This shell script takes care of starting and stopping
#              stunnel
#
# chkconfig: 345 80 30
# description:  Secure tunnel

# processname: stunnel
# config: /etc/stunnel/stunnel.conf
# pidfile: /var/run/stunnel/stunnel.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source stunnel configuration.
if [ -f /etc/sysconfig/stunnel ] ; then
	. /etc/sysconfig/stunnel
fi

RETVAL=0
prog="stunnel"

start() {
	# Start daemons.

	echo -n $"Starting $prog: "
	if test -x /usr/sbin/stunnel ; then
	  /usr/sbin/stunnel
	fi
	RETVAL=$?
	echo
	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/stunnel
	return $RETVAL
}

stop() {
	# Stop daemons.
	echo -n $"Shutting down $prog: "
	killproc stunnel
	RETVAL=$?
	echo
	[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/stunnel
	return $RETVAL
}

# See how we were called.
case "$1" in
  start)
	start
	;;
  stop)
	stop
	;;
  restart)
	stop
	start
	RETVAL=$?
	;;
  condrestart)
	if [ -f /var/lock/subsys/stunnel ]; then
	    stop
	    start
	    RETVAL=$?
	fi
	;;
  status)
	status stunnel
	RETVAL=$?
	;;
  *)
	echo $"Usage: $0 {start|stop|restart|condrestart|status}"
	exit 1
esac

exit $RETVAL

CAUTION: using stunnel with SMTP may create an open relay.

Creating a stunnel map for SMTP may create an open relay. stunnel accepts encrypted data on port X and forwards the decrypted data to port Y via the localhost interface. In the case of SMTP, connections from localhost do not require, and in some cases forbid, user authentication for mail relay functions, so everything arriving through the tunnel looks like trusted local traffic. Scalix 11 has a workaround: rather than forwarding to port 25, forward to port 587 in stunnel.conf and enable the smtpd SUBMIT interface in smtpd.cfg, configured to reject anonymous senders.


stunnel.conf:

[ssmtp]
accept  = 465
connect = localhost:587

/var/opt/scalix/XX/s/sys/smtpd.cfg:

[LMTP]
SUBMIT=ON

[SUBMIT]
LISTEN=localhost:587
ANONYMOUS Log_Reject ALL

Note for ActiveSync users: the LISTEN=localhost:587 line binds the submission listener to the loopback interface, so only stunnel and other local processes can reach port 587. An ActiveSync server on another host has to reach the submission port directly, so in that case leave the LISTEN line out:

[SUBMIT]
ANONYMOUS Log_Reject ALL

Port 587 then listens on all interfaces. Unauthenticated relaying is still rejected, but the plaintext submission port is now exposed, so restrict it at the firewall to the ActiveSync server.


Extra Stunnel Instructions

Step by Step

Added By: jgravert (You may contact me for Help. Look at the bottom of this documentation)


I am Running Scalix 11.4.3 on CentOS 5.2 x86_64bit. Since stunnel isn't well documented I decided to write this Step by Step to assist others in their setups.

NOTE: I have not verified if these instructions work on the i386 version of CentOS 5.2 or any other Linux OS for that matter. But the following may help you with configuring stunnel on your server.

First verify that the stunnel package version 4.15-2.x86_64 or later is installed on your server. Also make sure you have openssl installed according to the Scalix Installation documentation.

If stunnel is not installed, install it from the terminal or via Add/Remove Software (make sure you have a live Internet connection).

To install stunnel open up Terminal and type: yum install stunnel

Start by checking the current state of stunnel on your system. Check whether the following folders and files exist:

/etc/stunnel              - needs stunnel.conf (create or modify) and stunnel.pem
/etc/pki/tls/certs        - needs Makefile (used to create stunnel.pem)
/etc/init.d               - only the folder is needed; append to an existing script or create your own as I did
/var/opt/scalix/ml/s/sys  - needs smtpd.cfg (to be modified)
/var/run/stunnel          - the folder needs to be created and its permissions set; stunnel.pid is stored here

Do not worry if you do not have all these necessary files and folders. They can be created.


Step 1) Modify or Create /etc/stunnel/stunnel.conf


(I'm posting my stunnel.conf that I created based on stunnel.conf-sample in the /usr/share/doc/stunnel-4.15 folder)

; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/stunnel.pem
;key = /etc/stunnel/mail.key

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
;CAfile = /usr/share/ssl/certs/ca-bundle.crt
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

[pop3s]
accept  = 995
connect = 110

[imaps]
accept  = 993
connect = 143

[ssmtp]
accept  = 465
connect = localhost:587

[uals]
accept = 5767
connect = 5729

;[https]
;accept  = 443
;connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini


Step 2) Certificate Creation/Verification – You need to create/verify /etc/stunnel/stunnel.pem


(stunnel.conf looks for the stunnel.pem referenced as: cert = /etc/stunnel/stunnel.pem)

The following is what I had to do for CentOS 5.2 64-bit.

Open terminal; type: cd /etc/pki/tls/certs 
(In this folder you will need Makefile to exist)

now type: make /etc/stunnel/stunnel.pem (Follow the Prompts)

Verify that /etc/stunnel/stunnel.pem exists

NOTE: This default certificate will only last for 365 days. You can create your own custom certificate using different commands not listed here.


Step 3) Create the necessary folders if they are not there already and set their permissions.


Create this folder: /var/run/stunnel

The sample stunnel.conf above chroots into this folder, drops privileges to the setuid/setgid account (nobody) and writes its pid file inside it, so that account must be able to write there. Make the account the owner of the folder rather than opening it up to everyone: a world-writable folder lets any local user replace the pid file.

# mkdir -p /var/run/stunnel
# chown nobody:nobody /var/run/stunnel
# chmod 0750 /var/run/stunnel


Step 4) Edit the Scalix smtpd.cfg. Location: /var/opt/scalix/XX/s/sys/smtpd.cfg (XX is the two-letter instance name, ml in the folder list above.)


You need to Uncomment SUBMIT=ON to enable it.

Change this:

EXTENSIONS=AUTH,DSN,8BITMIME

# Uncomment the following lines to enable the Submission and LMTP listeners
#SUBMIT=ON
#LMTP=ON

To this:

EXTENSIONS=AUTH,DSN,8BITMIME

# Uncomment the following lines to enable the Submission and LMTP listeners
SUBMIT=ON
#LMTP=ON

Now scroll down to the bottom of smtpd.cfg and verify that it matches one of the following two options:

Option 1 - binds the SUBMIT listener to localhost:587, so nothing but stunnel and other local processes can reach it

[SUBMIT]
LISTEN=localhost:587
# Reject all anonymous connections
ANONYMOUS Log_Reject ALL

Option 2 - leaves the SUBMIT listener on all interfaces so that the ActiveSync server can still reach it; anonymous relaying is still rejected, so restrict port 587 at the firewall to the hosts that need it

[SUBMIT]
#LISTEN=localhost:587
# Reject all anonymous connections
ANONYMOUS Log_Reject ALL

Save your changes. NOTE: You may need to restart your Scalix Services or your Server for this change to take effect.


Step 5) Testing stunnel.conf Configuration: IMHO it's important to test stunnel before proceeding to the next step.


My stunnel.conf sample above has debugging enabled and writes a log file called stunnel.log, which will appear in the /etc/stunnel folder after you start stunnel manually from there.

To manually start stunnel, go to the terminal and type: cd /etc/stunnel

then type: stunnel stunnel.conf start

You will see some information but in order to see everything you need to open the stunnel.log file

If you see the following in the log file stunnel may already be running: bind: Address already in use (98)

It's best to now test your SSL connections using an IMAP or POP3 client. SSL SMTP can also be tested now.


IMPORTANT! : As mentioned in this Wiki earlier using stunnel with SMTP may create an open relay. Step 4 Should have eliminated this Open Relay. However you need to verify this isn't the case with your server before moving forward. You can test with your email clients and I would recommend using an SMTP Open Relay Test. There are many out on the Internet.

If everything checks out, move on to the next step. If not, use the log file to find and repair your issue. Most issues here are caused by permissions on the directories.
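The caution about stunnel and SMTP earlier on this page and Step 5 here both ask for an open relay test. The following script is an added example (not from this wiki page or from Scalix) of that test for the stunnel [ssmtp] port: it speaks SMTP through openssl s_client, tries to relay to a foreign domain without authenticating and judges the answer to RCPT TO. The probe addresses, the host and port arguments and the sleep pacing are assumptions; use a recipient domain your server does not accept mail for, otherwise a 250 is a normal local delivery, not a relay.

```bash
#!/bin/bash
# relay_probe.sh - added example, not from the Scalix wiki. Opens the stunnel
# [ssmtp] port with openssl s_client and tries, without authenticating, to
# relay a message to a foreign domain. A 5xx answer to RCPT TO means the
# SUBMIT listener with "ANONYMOUS Log_Reject ALL" is doing its job.
# Probe addresses and host:port are placeholders.

# Print the code of every completed SMTP reply in a transcript, one per line.
# Continuation lines of a multi-line reply read "250-SIZE"; only the final
# "250 text" line (or a bare "250") completes the reply. Stray s_client
# output is ignored because it never starts with three digits.
reply_codes() {
    tr -d '\r' | awk '/^[0-9][0-9][0-9] / || /^[0-9][0-9][0-9]$/ { print substr($0, 1, 3) }'
}

# Judge the transcript of: greeting, EHLO, MAIL FROM, RCPT TO, QUIT.
# The fourth completed reply answers the relay attempt.
# Exit status: 0 refused, 1 undecided, 2 open relay.
relay_verdict() {
    rcpt=$(reply_codes | sed -n 4p)
    case $rcpt in
        2*) echo "OPEN RELAY: RCPT TO a foreign domain was accepted ($rcpt)"; return 2 ;;
        5*) echo "relay refused ($rcpt)"; return 0 ;;
        4*) echo "temporarily refused ($rcpt), retest later"; return 1 ;;
        *)  echo "incomplete transcript, cannot judge"; return 1 ;;
    esac
}

# Drive the session through TLS. Commands are paced with sleep so each one
# reaches the server after the previous reply; -crlf turns LF into CRLF and
# -quiet keeps s_client's own chatter out of the transcript.
probe() {
    host=$1
    port=${2:-465}
    {
        sleep 2
        printf 'EHLO probe.example.org\n';           sleep 1
        printf 'MAIL FROM:<probe@example.org>\n';    sleep 1
        printf 'RCPT TO:<someone@example.net>\n';    sleep 1
        printf 'QUIT\n';                             sleep 1
    } | openssl s_client -connect "$host:$port" -crlf -quiet 2>/dev/null | relay_verdict
}

# Usage: relay_probe.sh mail.yourdomain.net [465]
if [ -n "$1" ]; then
    probe "$1" "$2"
fi
```

A 5xx answer means the submission listener refuses anonymous relaying; a 2xx answer means the tunnel still ends on a listener that trusts localhost. Run it again after every change to stunnel.conf or smtpd.cfg, and keep port 25 in mind as well: an internet-facing MX must accept mail for your own domains but must reject foreign recipients just the same.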

NOTE: You can change the stunnel.conf file to stop debug mode once you have verified stunnel is working.

Change the following in the /etc/stunnel/stunnel.conf file to disable debugging.

Go From this:

; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log

To this:

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = stunnel.log


Step 6) Create/Modify start up script (This is necessary so that stunnel will start up automatically during boot up)


NOTE: I'm only going to cover creating your own Script file from scratch to control stunnel and how to automate it.

Create a new script file /etc/init.d/stunnel and place into it the example init.d script from the "Setting up stunnel" section above (the script is the same; use vi or the KWrite editor).

Now we need to make the script executable:

At the terminal type: chmod 755 /etc/init.d/stunnel

Next we create the system startup links for stunnel:

type: chkconfig --levels 235 stunnel on

Finally we start stunnel:

type: /etc/init.d/stunnel start


Step 7) I recommend that you block the ports for NON-SSL POP3, IMAP, and SMTP. Either do this in your Operating System, Firewall or Both. You can verify that you closed these ports by using your mail client. I personally recommend you do this at the Firewall and on the Server for higher security. But it is your choice.


CONGRATULATIONS!!! Stunnel should be working properly. Now verify your work: restart your server, then retest your connections. If you lose SSL function, stunnel isn't restarting correctly.


NOTE: I'm not a CentOS or Scalix expert. If anyone is and can elaborate on this information please modify this Wiki.

I hope this information helps you all. If you have any direct questions you may contact me through the forums via Private Message. My Forum User name is: jgravert

Let SMTP guests authenticate themselves

t.b.d. - anyone???


TLS with SMTP

Q: Does Scalix offer SSL support for both IMAP and SMTP connections from the client to the server?
A: Scalix does not have native TLS, but SSL support is handled through the use of stunnel.
- Scalix Knowledgebase Article # 124269

Setup firewall

Available services

Before you setup a firewall you have to determine which services are running on your system and which services need to be available from the outside:

# netstat -npl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:5729                0.0.0.0:*                   LISTEN      3010/advmail.sckd
tcp        0      0 0.0.0.0:9090                0.0.0.0:*                   LISTEN      1652/httpd
tcp        0      0 0.0.0.0:9092                0.0.0.0:*                   LISTEN      1627/python
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      3044/omslapd
tcp        0      0 127.0.0.1:8005              0.0.0.0:*                   LISTEN      1501/java
tcp        0      0 127.0.0.1:8009              0.0.0.0:*                   LISTEN      1501/java
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      1057/mysqld
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN      3081/pop3.server
tcp        0      0 127.0.0.1:3310              0.0.0.0:*                   LISTEN      966/clamd
tcp        0      0 0.0.0.0:143                 0.0.0.0:*                   LISTEN      3032/in.imap41d
tcp        0      0 0.0.0.0:44975               0.0.0.0:*                   LISTEN      779/rpc.statd
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      760/portmap
tcp        0      0 0.0.0.0:8081                0.0.0.0:*                   LISTEN      1603/postmaster
tcp        0      0 192.168.100.11:25           0.0.0.0:*                   LISTEN      3700/omsmtpd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1249/sendmail: acce
tcp        0      0 :::80                       :::*                        LISTEN      1479/httpd
tcp        0      0 :::22                       :::*                        LISTEN      944/sshd
tcp        0      0 :::443                      :::*                        LISTEN      1479/httpd
udp        0      0 0.0.0.0:32768               0.0.0.0:*                               779/rpc.statd
udp        0      0 192.168.100.11:5766         0.0.0.0:*                               3029/omnssck
udp        0      0 127.0.0.1:5766              0.0.0.0:*                               3029/omnssck
udp        0      0 0.0.0.0:955                 0.0.0.0:*                               779/rpc.statd
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               760/portmap
udp        0      0 0.0.0.0:3450                0.0.0.0:*                               1501/java
udp        0      0 0.0.0.0:5757                0.0.0.0:*                               3022/omdrs
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     2506   1057/mysqld         /var/lib/mysql/mysql.sock
unix  2      [ ACC ]     STREAM     LISTENING     9728   3038/mime.control   /var/opt/scalix/temp/mime_browse
unix  2      [ ACC ]     STREAM     LISTENING     3718   1526/dbus-daemon-1  /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     4245   1603/postmaster     /tmp/.s.PGSQL.8081
unix  2      [ ACC ]     STREAM     LISTENING     13195  3702/omsmtpd        /var/opt/scalix/temp/smtpd_socket
unix  2      [ ACC ]     STREAM     LISTENING     9575   2979/omsessd        /var/opt/scalix/temp/sessd_socket
unix  2      [ ACC ]     STREAM     LISTENING     9626   2999/omlicmon       /var/opt/scalix/temp/lic

As you can see, a lot of services are listening, and most of them don't need to be accessible from the outside. If you don't need a service at all, shut it down and remove it from the system; otherwise firewall it.

Here we assume that ports 22 (ssh), 25 (smtp), 80 (http), 443 (https) and 5729 (scalixual) have to be reachable; the next two sections show how to configure that with either firewall.

Default OS firewall

This firewall can be easily implemented with only the knowledge of the ports that have to be open for Scalix to function.

When you decided to use the default OS firewall over the Bastille-Linux firewall, you have to make sure that the Bastille-Linux firewall is disabled at boot time and the default OS firewall is enabled at boot time.

First shutdown and disable the Bastille-Linux firewall completely (if it is running):

# vi /etc/Bastille/config => PSAD.psad_config="N", Firewall.ip_enable_firewall="N" & Firewall.ip_intro="N"
# bastille -b
# service psad stop
# service bastille-firewall stop
# chkconfig psad off
# chkconfig bastille-firewall off
# chmod 0600 /etc/init.d/psad
# chmod 0600 /etc/init.d/bastille-firewall

As you can see from the list of commands, it was not easy to shutdown the Bastille-Linux firewall but it did the trick (there should be an easier way however).

Now you can enable and configure the standard OS firewall using:

# system-config-securitylevel => Enabled & Customize
# chkconfig --level 2345 iptables on

View the active iptables rules (it should at least accept packets on the ports you specified):

# iptables -L
...
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:scalixual
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
...
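The rule set below is an added example, not from this wiki page, that puts the policy of this section and of Step 7 of the stunnel instructions into an iptables script: the ports listed above are opened, the stunnel ports take the place of the plaintext POP3/IMAP/SMTP ports, the submission port is reachable only from the ActiveSync server and ssh only from an admin network. The ActiveSync address and the admin network are assumptions; the script prints the rules so they can be reviewed, and applies them only when called with "apply".

```bash
#!/bin/bash
# scalix_fw.sh - added example, not from the Scalix wiki. Generates the
# iptables INPUT policy this page arrives at: public mail/web/UAL ports, the
# stunnel ports instead of the plaintext POP3/IMAP/SMTP ports, and the
# plaintext submission port reachable only from the ActiveSync server.
# The two addresses below are assumptions; run "scalix_fw.sh apply" as root.

ACTIVESYNC_HOST=${ACTIVESYNC_HOST:-192.168.100.20}   # assumed ActiveSync server
ADMIN_NET=${ADMIN_NET:-192.168.100.0/24}             # assumed network allowed to ssh in

# accept_new <port> [extra match arguments]
accept_new() {
    port=$1; shift
    echo "iptables -A INPUT -p tcp --dport $port${1:+ $*} -m state --state NEW -j ACCEPT"
}

# Print the rule set instead of applying it, so it can be reviewed first.
# The DROP policy is set last so an existing ssh session is never cut off
# between the flush and the ESTABLISHED rule.
build_rules() {
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # reachable from everywhere: inbound mail, web (forced to https), Scalix UAL
    for p in 25 80 443 5729; do accept_new "$p"; done
    # stunnel front ends: smtps, imaps, pop3s, UAL over SSL
    for p in 465 993 995 5767; do accept_new "$p"; done
    # plaintext submission only for the ActiveSync server; clients use 465
    accept_new 587 "-s $ACTIVESYNC_HOST"
    # ssh only from the admin network
    accept_new 22 "-s $ADMIN_NET"
    # plaintext POP3/IMAP/LDAP stay reachable via lo only (stunnel connects there)
    for p in 110 143 389; do
        echo "iptables -A INPUT -p tcp --dport $p -j REJECT --reject-with tcp-reset"
    done
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'fw-drop: '"
    echo "iptables -A INPUT -j DROP"
    echo "iptables -P INPUT DROP"
}

# Apply and persist (CentOS: "service iptables save" writes /etc/sysconfig/iptables).
apply_rules() {
    build_rules | sh -e
    service iptables save
}

# Read "netstat -nlt" output on stdin and print every non-loopback TCP port
# that no ACCEPT rule opens, i.e. the listeners the firewall hides from the
# outside. Anything unexpected in that list should be shut down, not just hidden.
hidden_ports() {
    open=" $(build_rules | sed -n 's/.*--dport \([0-9]*\) .*-j ACCEPT$/\1/p' | tr '\n' ' ') "
    awk '$1 ~ /^tcp/ && $4 !~ /^127\./ { p = $4; sub(/.*:/, "", p); print p }' |
      sort -un | while read -r p; do
        case $open in *" $p "*) ;; *) echo "$p" ;; esac
      done
}

if [ "$1" = apply ]; then
    apply_rules
fi
```

Feed it the netstat listing from the Available services section (netstat -nlt | ./scalix_fw.sh is not enough, pipe into hidden_ports) to see which listeners the rule set hides; the 9090/9092 admin ports, mysqld and omslapd show up there, which is the intended result as long as nothing unexpected does.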

Bastille-Linux firewall

This is an advanced firewall; to configure it you need in-depth knowledge of protocols, port numbers, interfaces and the psad software.

When you decided to use the Bastille-Linux firewall over the default OS firewall, you have to make sure that the default OS firewall is disabled at boot time and the Bastille-Linux firewall is enabled at boot time.

Deactivate the default OS firewall:

# system-config-securitylevel => Disabled
# chkconfig iptables off

Activate the Bastille-Linux firewall (possibly already configured during system hardening process):

# service bastille-firewall start

The firewall has its own configuration file (/etc/Bastille/bastille-firewall.cfg); however, only edit this file when the change can't be made in the global Bastille-Linux configuration file (/etc/Bastille/config). This way you avoid losing your specific firewall rules when running Bastille-Linux again at a later date. The global Bastille-Linux configuration file can be executed by issuing the command:

# bastille -b

Another nice feature of the Bastille-Linux firewall is that it can be integrated with the Port Scan Attack Detector psad. Installing this tool is easy; just execute the commands:

$ wget http://www.cipherdyne.com/psad/download/psad-1.4.6-1.i386.rpm
# rpm -ivh psad-1.4.6-1.i386.rpm
# cp -a /etc/psad/psad.conf /etc/psad/psad.conf.orig
# vi /etc/psad/psad.conf => you have to change the HOME_NET variable
# service psad start

Configuring psad is difficult: you want to be notified of scans but not of every dropped packet. It can take some time to find the right settings.


Keep secure

Update system

When you are done configuring and hardening your system you should keep it secure over time. Therefore always act quickly when new updates and security patches become available.

System software can be updated using the command:

# yum -y update

This can be automated to ensure that you are always up to date; to do so execute:

# chkconfig yum on && service yum start

The downside of automating is that it sometimes breaks your configuration (over the last 7 years I had downtime once through a failed automatic update). Consider for yourself whether possible downtime outweighs the risk of being outdated for some time. When using other repos than the system repos (dag or kbsingh), don't enable them by default; I found out the hard way that my system was not updating at all due to conflicting packages in the different repos. The best workaround is to keep a list of the packages installed from the non-system repos and run a script to check for updates for these packages.
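One way to implement that workaround, as an added example that is not from the wiki: keep a list of the packages you installed from a non-system repo and ask yum about just those, enabling the repo only for that query. The list file path, the repo name and the sample yum output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Scalix wiki: check for updates of the packages
# you installed from a non-system repo (dag, kbsingh, ...) without enabling
# that repo for every yum run. The list file path and repo name are assumptions.

PKG_LIST="${PKG_LIST:-/etc/sysconfig/nonsystem-packages.list}"  # one package per line, '#' comments ok
EXTRA_REPO="${EXTRA_REPO:-dag}"

# Print the package names from the list file: strip comments, whitespace, blanks.
read_pkg_list() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Parse `yum check-update` output. Update lines have exactly three fields,
#     name.arch   version-release   repo
# while the plugin/mirror chatter that precedes them either has a different
# field count or no dot in the first field, so those lines are skipped.
# Prints "name.arch version repo" per available update.
parse_check_update() {
    awk 'NF == 3 && $1 ~ /\./ && $2 ~ /[0-9]/ { print $1, $2, $3 }'
}

# Run the check. yum check-update exits 100 when updates are available,
# 0 when everything is current and 1 on error; the function returns the same.
check_nonsystem_updates() {
    pkgs=$(read_pkg_list "$PKG_LIST") || { echo "cannot read $PKG_LIST" >&2; return 1; }
    if [ -z "$pkgs" ]; then
        echo "no packages listed in $PKG_LIST"
        return 0
    fi
    if out=$(yum -q check-update --enablerepo="$EXTRA_REPO" $pkgs 2>&1); then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0)   echo "up to date: $(echo $pkgs)" ;;
        100) echo "updates available from $EXTRA_REPO:"
             printf '%s\n' "$out" | parse_check_update ;;
        *)   echo "yum failed (exit $rc):" >&2
             printf '%s\n' "$out" >&2 ;;
    esac
    return $rc
}

# Constructed sample of `yum check-update` output (versions are made up).
sample_check_update() {
    cat <<'EOF'
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * dag: mirror.example.invalid

clamav.x86_64                  0.94.2-1.el5.rf                  dag
chkrootkit.x86_64              0.48-1.el5.rf                    dag
EOF
}

case "${1:-}" in
    --demo) sample_check_update | parse_check_update ;;
    --run)  check_nonsystem_updates ;;   # suitable as a daily cron job
esac
```

Running it with `--run` from cron gives you a mail only when yum exits 100 (updates found) or fails, so the system repos stay the only ones enabled by default while the extra packages are still watched.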

Non-system software can be updated as it becomes available from the vendor; Scalix belongs to this kind of software. To keep up to date, subscribe to the vendor's update and security announcement mailing list or, if available, use the automatic update service.

Scalix has no automatic update service or update & security email announce list. However, you can get update & security information emailed to you by subscribing to a daily digest from the 'Support Announcements' forum. This is done by selecting the 'Digests' option at the top of any page in the Scalix Community Forums.


Install Tripwire and Chkrootkit

This section is really about giving you a feeling whether your system is still secure and not compromised. It won't be 100% foolproof, but it monitors your system and warns you when strange things are happening on it.


Tripwire monitors system-critical files for modifications by creating a baseline database and periodically comparing the system files with this database afterwards. To set it up, have a look at this page: http://lists.centos.org/pipermail/centos/2006-June/066071.html.

Updating the baseline database after allowed changes (updates / configuration changes):

1. When there are a lot of allowed changes (after updating, for example) you can use:

# tripwire --update

Warning: do not run this just because the daily Tripwire email reported changes; unauthorized changes could have been made in the meantime, and you don't want to approve those too. First run a check and see whether you still want to update.

2. When there are only a few changes, run Tripwire in interactive mode and approve the allowed changes:

# tripwire --check --interactive


Chkrootkit periodically checks the system for installed rootkits.

Install chkrootkit (dag repo has to be available):

# yum install chkrootkit --enablerepo=dag

Note: When you are using stunnel, the following entries will show up in chkrootkit's output:

Checking `bindshell'... INFECTED (PORTS:  465)
Checking `sniffer'... /proc/89/fd: Permission denied
eth0: not promisc and no PF_PACKET sockets

You can use fuser to identify which process is using TCP port 465:

# fuser -vn tcp 465
                     USER        PID ACCESS COMMAND
465/tcp              root       3891 f....  stunnel
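A way to act on that note without silencing the check, as an added example that is not part of chkrootkit, stunnel or the wiki: parse chkrootkit's output, and for a bindshell finding accept a port only when the listener fuser reports on it is the daemon you expect there; everything else stays an alert. The allow-list ALLOWED_LISTENERS and the sample output are constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not from the Scalix wiki: triage chkrootkit output. A
# "bindshell ... INFECTED (PORTS: n)" finding is treated as benign only when
# fuser says the listener on that port is the daemon we expect (stunnel on
# 465 here); every other INFECTED line, and any port with an unexpected
# owner, is reported as an ALERT. Exit status is 1 when anything is alerted.

# port:command pairs you know about (constructed allow-list; extend as needed).
ALLOWED_LISTENERS="465:stunnel"

# Print the command expected on a port, or nothing if the port is not listed.
expected_owner() {
    for entry in $ALLOWED_LISTENERS; do
        case "$entry" in
            "$1":*) echo "${entry#*:}" ;;
        esac
    done
}

# Ask fuser which command owns the TCP port (run as root to see all processes).
# fuser -v prints its table on stderr, hence 2>&1; the COMMAND column is last.
port_owner() {
    if command -v fuser >/dev/null 2>&1; then
        fuser -vn tcp "$1" </dev/null 2>&1 |
            awk -v want="$1/tcp" '$1 == want { print $NF; exit }'
    else
        echo "unknown"
    fi
}

# Extract the port numbers from an "INFECTED (PORTS: ...)" line.
extract_ports() {
    printf '%s\n' "$1" | sed -n 's/.*(PORTS:[[:space:]]*\([0-9][0-9 ]*\)).*/\1/p'
}

# Read chkrootkit output on stdin; print ok/ALERT lines; return 1 on any ALERT.
triage_chkrootkit() {
    alerts=0
    while IFS= read -r line; do
        case "$line" in
            *INFECTED*"(PORTS:"*)
                for port in $(extract_ports "$line"); do
                    owner=$(port_owner "$port")
                    want=$(expected_owner "$port")
                    if [ -n "$want" ] && [ "$owner" = "$want" ]; then
                        echo "ok: port $port is owned by $owner, as expected"
                    else
                        echo "ALERT: port $port owned by '${owner:-?}', expected '${want:-nothing}': $line"
                        alerts=1
                    fi
                done ;;
            *INFECTED*)
                echo "ALERT: $line"
                alerts=1 ;;
        esac
    done
    return $alerts
}

# Constructed sample modelled on the chkrootkit lines quoted in the wiki.
sample_output() {
    cat <<'EOF'
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `sniffer'... /proc/89/fd: Permission denied
eth0: not promisc and no PF_PACKET sockets
Checking `lkm'... not infected
EOF
}

case "${1:-}" in
    --demo) sample_output | triage_chkrootkit ;;
    --live) chkrootkit | triage_chkrootkit ;;   # e.g. from the daily cron job
esac
```

Run it with `--live` as root after chkrootkit is installed; the point of checking the owner each time, rather than simply filtering out port 465, is that a real bind shell on that port would be reported the moment stunnel is no longer the process holding it.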

Install ClamAV

Install ClamAV (dag repo has to be available):

# yum install clamd clamav clamav-db --enablerepo=dag

Note: Don't use the clamav packages from the kbsingh repo; those are a nightmare to set up.

Start daemon:

# service clamd start

Update definition files:

# freshclam