This detailed guide covers essential steps in securing the SCOoffice Server, including changing the admin password, configuring SMTP security, and setting up firewalls for both internal and external access. It highlights important services, port configurations, and anti-relay measures to protect your email server from unauthorized use. Learn how to implement SASL authentication, secure TLS settings, and set client restrictions effectively, ensuring your network remains safe from potential attacks. Complete with command examples and configuration snippets.
Module 5 • Securing SCOoffice Server
Securing SCOoffice Server • CHANGE THE ADMIN PASSWORD!
External Firewall Configuration (diagram) • Internet – Firewall – SCOoffice Server • SMTP Server: 25 • Web Client: 80/443 • Outlook: 21*, 25, 80/443*, 110/995, 143/993, 389/636 (* not used by Outlook Express)
Internal Firewall Configuration (diagram) • Active Directory Server – Firewall – SCOoffice Server: 3268
Internal Firewall Configuration (diagram) • SCOoffice (master) – Firewall – SCOoffice (slave), SCOoffice (slave) • Ports: 25, 389/636, 143/993, 2003
Remote Office Firewall Configuration (diagram) • SCOoffice (master) – Firewall – Internet – five SCOoffice (slave) servers • Ports: 25, 389/636, 143/993, 2003
SCO OpenServer’s HTTP Servers • SCO OpenServer runs HTTP servers on ports: • 80 – SCOoffice Server’s HTTP server • 443 – SCOoffice Server’s HTTPS server • 615 – Internet Configuration Manager • 8457 – DocView: Access to SCO OpenServer documentation
Other SCOoffice Server Related Ports • SCOoffice Server runs daemons on ports: • 21 – ProFTP • 25 – SMTP • 110 – POP3 • 143 – IMAP • 389 – OpenLDAP • 993 – IMAP4 over TLS/SSL • 995 – POP3 over TLS/SSL • 2000 – Cyrusmaster (sieve) • 2003 – Cyrusmaster (LMTP) • 2583 – MON • 4840 – SASLAUTHD • 4844 – SASLAUTHD • 10024 – AMaViS
Disallowing Open Relay • Don’t let the server be used as an open relay • There are numerous ways to prevent open relay • We will configure SASLAUTHD + TLS
Sample SMTP session:
# telnet rose.example.net smtp
220 rose.example.net ESMTP Postfix (2.0.20)
HELO nuisance.spammer.net
250 rose.example.net
MAIL FROM: nice_guy@example.net
250 Ok
RCPT TO: victim@example.com
250 Ok
...
Disallowing Open Relay • Useful for blocking unwanted SMTP sessions (stored in LDAP): • smtpd_client_restrictions • smtpd_sender_restrictions • smtpd_recipient_restrictions
Disallowing Open Relay • Simple Authentication and Security Layer (SASL) • PLAIN authentication mechanism: Base64 encoded user + NULL + user + NULL + password, e.g. bob\0bob\0bpasswd • LOGIN authentication mechanism: Base64 encoded username (bob), then Base64 encoded password (bpasswd)
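Added example, not part of the course slides: a short Python script that builds and decodes the PLAIN and LOGIN client messages exactly as the slide lays them out, using the slide's bob/bpasswd sample values (constructed, not real accounts). It makes the point behind the TLS slides that follow: base64 is an encoding, not encryption, so without smtpd_use_tls the credentials cross the wire in clear text.

```python
import base64

# Constructed sample credentials, matching the names used on the slide
# (user bob, password bpasswd); not real accounts.
USER = "bob"
PASSWORD = "bpasswd"


def sasl_plain_response(user: str, password: str) -> str:
    """Client response for the PLAIN mechanism as the slide describes it:
    user NUL user NUL password, base64 encoded (the login name is sent as
    both the authorization and the authentication identity)."""
    raw = f"{user}\0{user}\0{password}".encode()
    return base64.b64encode(raw).decode()


def decode_sasl_plain(response: str) -> tuple:
    """What a passive observer recovers from a captured PLAIN response on
    an unencrypted session: the three NUL separated fields in clear text."""
    authzid, authcid, password = base64.b64decode(response).decode().split("\0")
    return authzid, authcid, password


def sasl_login_exchange(user: str, password: str) -> list:
    """Client messages for the LOGIN mechanism: the username and the password
    are sent as two separate base64 strings (server prompts omitted)."""
    return [base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode()]


def decode_sasl_login(messages: list) -> tuple:
    """Recover (username, password) from the two LOGIN client messages."""
    return tuple(base64.b64decode(m).decode() for m in messages)


if __name__ == "__main__":
    plain = sasl_plain_response(USER, PASSWORD)
    print("AUTH PLAIN", plain, "->", decode_sasl_plain(plain))
    login = sasl_login_exchange(USER, PASSWORD)
    print("AUTH LOGIN", login, "->", decode_sasl_login(login))
```

Running it prints the base64 strings a client would send and the clear-text fields anyone on the path can read back out of them; the same decode works on a line captured from an unencrypted port 25 session, which is why the server-side smtpd_sasl_security_options and TLS settings belong together.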
Disallowing Open Relay • SASL AUTHENTICATION (component diagram: smtpd, imapd/pop3d and cyrusmaster authenticate through saslauthd, which queries slapd) • smtpd – …/lib/sasl2/smtpd.conf: pwcheck_method: saslauthd; mech_list: plain login • imapd/pop3d – …/etc/imapd.conf: sasl_pwcheck_method: saslauthd • cyrusmaster – …/etc/cyrus.conf: imap cmd=“imapd –p 2 …; pop3 cmd=“pop3d” … • saslauthd – …/etc/saslauthd.conf: ldap_servers: ldap://127.0.0.1/; ldap_filter: login=%u
Disallowing Open Relay • SASL Configuration on the Server • smtpd_sasl_auth_enable = yes • smtpd_sender_restrictions = check_sender_access ldap:ldapSenderAccess, permit_sasl_authenticated • smtpd_recipient_restrictions =check_recipient_access ldap:ldapRecipientAccess, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination • broken_sasl_auth_clients = yes • smtpd_sasl_security_options = noanonymous • smtpd_delay_reject = yes
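An added illustration, not part of the course material, of how Postfix walks the smtpd_recipient_restrictions list above: each restriction answers PERMIT, REJECT or DUNNO (no opinion), the first decision wins, and a list that ends without a decision permits. The domains, trusted networks and the stand-in for the ldap:ldapRecipientAccess map are constructed; the Python is a simulation written for this page, not Postfix code.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed site data (not from the slides): the domains this server accepts
# mail for, its trusted networks, and a dict standing in for the LDAP
# recipient access map referenced by check_recipient_access.
MYDESTINATION = {"example.net", "rose.example.net"}
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.168.1.0/24")]
RECIPIENT_ACCESS = {"noreply@example.net": "REJECT"}


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool
    recipient: str          # the RCPT TO address being evaluated


def recipient_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def check_recipient_access(s: Session) -> str:
    # Table lookup: an entry decides, a miss is DUNNO.
    return RECIPIENT_ACCESS.get(s.recipient.lower(), "DUNNO")


def permit_sasl_authenticated(s: Session) -> str:
    return "PERMIT" if s.sasl_authenticated else "DUNNO"


def permit_mynetworks(s: Session) -> str:
    ip = ip_address(s.client_ip)
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def reject_unauth_destination(s: Session) -> str:
    # Mail for our own domains is left to later restrictions; anything
    # else is relaying and is refused unless an earlier restriction permitted it.
    return "DUNNO" if recipient_domain(s.recipient) in MYDESTINATION else "REJECT"


def permit(s: Session) -> str:
    return "PERMIT"


RESTRICTIONS = {f.__name__: f for f in (
    check_recipient_access, permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination, permit)}

# The slide's list, and a deliberately weak list with no destination check.
SECURED = ["check_recipient_access", "permit_sasl_authenticated",
           "permit_mynetworks", "reject_unauth_destination"]
OPEN_RELAY = ["permit_mynetworks", "permit"]


def evaluate(restriction_list: list, session: Session) -> tuple:
    """Return (deciding restriction, verdict) for one RCPT TO command."""
    for name in restriction_list:
        verdict = RESTRICTIONS[name](session)
        if verdict != "DUNNO":
            return name, verdict
    return "end-of-list", "PERMIT"   # Postfix permits when nothing decides


if __name__ == "__main__":
    outsider = Session("203.0.113.5", False, "victim@example.com")
    print("secured  :", evaluate(SECURED, outsider))
    print("open relay:", evaluate(OPEN_RELAY, outsider))
```

With smtpd_delay_reject = yes these decisions are reported at the RCPT TO stage, which is the point at which the sample telnet session above would answer 554 instead of 250 Ok for victim@example.com.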
Disallowing Open Relay • SASL Configuration on the Client • smtp_sasl_auth_enable = yes • smtp_sasl_password_maps = hash:/opt/insight/etc/postfix/sasl_passwd • smtp_sasl_security_options = noanonymous
Disallowing Open Relay • Create /opt/insight/etc/postfix/sasl_passwd: • example.net alice:apasswd • example.org bob:bpasswd • Run postmap(1) after creating (or modifying) the file
Disallowing Open Relay • TLS v1 is based on SSL v3 • Encrypt SMTP traffic using TLS • X.509 certificates
Disallowing Open Relay • TLS Configuration on the Server • smtpd_tls_cert_file = /opt/insight/etc/ssl/server.pem • smtpd_tls_key_file = /opt/insight/etc/ssl/server.pem • smtpd_tls_CAfile = /opt/insight/etc/ssl/server.pem • smtpd_use_tls = yes
Disallowing Open Relay • TLS Configuration on the Client • smtp_tls_cert_file = /opt/insight/etc/ssl/server.pem • smtp_tls_key_file = /opt/insight/etc/ssl/server.pem • smtp_tls_CAfile = /opt/insight/etc/ssl/server.pem • smtp_use_tls = yes
Disallowing Open Relay • Using a Certificate Authority’s Certificate • smtp_tls_CApath = /opt/insight/etc/ssl/ca_cert.pem • smtpd_tls_CApath = /opt/insight/etc/ssl/ca_cert.pem
Disallowing Open Relay • To test to see if a mail server is an open relay: • Log into the mail server • telnet rt.njabl.org 2500
Exercise: Tracing TLS and SASL SASL Authentication Only: TLS + SASL Authentication:
Other Restrictions • Other useful restrictions: • smtpd_client_restrictions • smtpd_helo_restrictions • smtpd_sender_restrictions • See www.postfix.org/uce.html
Using smtpd_client_restrictions • In main.cf: smtpd_client_restrictions = check_client_access hash:/opt/insight/etc/postfix/smtp_clients, permit • In /opt/insight/etc/postfix/smtp_clients: • 192.168.1.1 OK • 192.168.1.2 PERMIT • 192.168.1.3 REJECT • 192.168.1.123 REJECT • 192.168.1.0/24 OK • example.net OK • paper.example.org DUNNO • example.org REJECT
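Added example, not part of the slides: a Python simulation of how Postfix searches the smtp_clients table above for a connecting client. Postfix tries the client hostname and its parent domains first, then the client IP address and the networks obtained by dropping trailing octets, and the first key found settles the lookup, DUNNO included (DUNNO means "pretend the key was not found" and stops the search for shorter keys without deciding). The table is the one from the slide; the client hostnames and addresses are constructed. A hash: table is only ever searched for those literal keys, so the 192.168.1.0/24 entry is never consulted; network/mask patterns belong in a cidr: table.

```python
# Constructed copy of the slide's /opt/insight/etc/postfix/smtp_clients table.
SMTP_CLIENTS = {
    "192.168.1.1": "OK",
    "192.168.1.2": "PERMIT",
    "192.168.1.3": "REJECT",
    "192.168.1.123": "REJECT",
    "192.168.1.0/24": "OK",        # never a lookup key in a hash: table
    "example.net": "OK",
    "paper.example.org": "DUNNO",
    "example.org": "REJECT",
}


def hostname_keys(hostname: str) -> list:
    """Full client hostname, then each parent domain down to the top label.
    'unknown' (no reverse DNS) yields no hostname keys at all."""
    if hostname == "unknown":
        return []
    labels = hostname.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def address_keys(ip: str) -> list:
    """Full IPv4 address, then the networks obtained by stripping octets:
    192.168.1.123 -> 192.168.1 -> 192.168 -> 192."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def check_client_access(table: dict, hostname: str, ip: str) -> tuple:
    """Return (matched key, action). The first key present in the table ends
    the search, so a DUNNO entry shields its subdomains and subnets from a
    broader REJECT further down the key list."""
    for chain in (hostname_keys(hostname), address_keys(ip)):
        for key in chain:
            if key in table:
                return key, table[key]
    return None, "DUNNO"


def smtpd_client_restrictions(table: dict, hostname: str, ip: str) -> str:
    """The slide's restriction list: check_client_access, then permit."""
    _, action = check_client_access(table, hostname, ip)
    if action in ("OK", "PERMIT"):
        return "PERMIT"
    if action == "REJECT":
        return "REJECT"
    return "PERMIT"                 # trailing 'permit' in the list


if __name__ == "__main__":
    for host, ip in [("host.example.net", "192.168.1.123"),
                     ("unknown", "192.168.1.123"),
                     ("paper.example.org", "10.0.0.7"),
                     ("mail.example.org", "10.0.0.8"),
                     ("unknown", "192.168.1.50")]:
        print(host, ip, check_client_access(SMTP_CLIENTS, host, ip),
              "->", smtpd_client_restrictions(SMTP_CLIENTS, host, ip))
```

Two results are worth checking against your own intent when writing such a table: host.example.net at 192.168.1.123 is permitted because the hostname chain matches example.net before the address chain reaches the 192.168.1.123 REJECT, and 192.168.1.50 matches nothing at all, since the /24 entry is not among the keys searched.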
Using smtpd_helo_restrictions • check_helo_access • reject_invalid_hostname • reject_non_fqdn_hostname • reject_unknown_hostname • In main.cf: smtpd_helo_restrictions = reject_invalid_hostname, check_helo_access hash:/opt/insight/etc/postfix/helo • In /opt/insight/etc/postfix/helo: • example.org OK • example.net REJECT
Using smtpd_sender_restrictions • check_sender_access • reject_unknown_sender_domain
Creating a Chroot Jail • A chroot jail adds a layer of protection • Limits daemon(s) to /opt/insight/var/spool/postfix • Set the fifth field in master.cf to ‘y’