Re: Secure My Server

 
SOLVED
Nobody's Hero
Valued Contributor

Secure My Server

We block mail from all areas outside of the US.
Our CEO wanted to get mail from overseas. So we created a new mail domain for the big bosses. We put a Linux RH9 server running sendmail inside our network as a relay. So our Exchange server points overseas mail to the Linux box and then forwards it to the bosses.
We have a PIX in front of the network, but if a spoofed email comes through, the PIX might let it through. I feel this is a security issue:

Question: what would you all do out there to the Linux server to make it very secure? All I need is sendmail running. I know I can stop ftp and ssh and stuff like that. I am looking for more help....
UNIX IS GOOD
9 REPLIES
Nobody's Hero
Valued Contributor

Re: Secure My Server

Port 25 is open for sendmail on the Linux server. Is there anything extra I can do to limit port access or anything like that?
UNIX IS GOOD
Vitaly Karasik_1
Honored Contributor

Re: Secure My Server

Robert,

I don't believe that limiting your mail server to accept only US mail is a good policy.
The first thing - you should configure and support your server in a secure way. And you have enough crackers in the US, you know :-)

So I suggest you take a *supported* Linux version, for example RHEL 3.0 or 4, and don't use the old and unsupported RHL9.

Nobody's Hero
Valued Contributor

Re: Secure My Server

I understand and respect your reply. However, this is what we have to use for a temp solution. So I am tasked with making it as secure as possible. Any ideas?
UNIX IS GOOD
Vitaly Karasik_1
Honored Contributor
Solution

Re: Secure My Server

You should run a secure [== up to date] version of sendmail.

As for RHL9 - you can either use some project [Fedora Legacy?] which produces patches for old RHL,
or install sendmail using the latest stable version from the sendmail site.

As for secure sendmail configuration - you may use any Linux/sendmail book for learning, or use this article as a starting point: http://www.itworld.com/nl/unix_insider/03032005/

and continue to http://sendmail.org [ Primary resources for learning about sendmail & Resources for learning more about sendmail]

kcpant
Trusted Contributor

Re: Secure My Server

Hi Robert,

Some more points to make RHL more secure:

1. Configure the iptables firewall to allow only port 25 traffic, from a specific source to a specific destination. Tighten it by adding anti-spoofing rules.

2. Tighten sendmail by making rules to relay only for specific hosts. There are so many features in sendmail you can configure for more security; read the sendmail documents for it.

3. If you want, you can install MailScanner in conjunction with sendmail and use an antivirus & SpamAssassin with it, for stopping spam & virus mails coming inside.
PreSales Specialist
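
An added example (not part of the post above) of the firewall in point 1: a shell function that prints an iptables-restore ruleset admitting new SMTP connections from one named source only, with anti-spoofing drops placed ahead of the accept rules. The interface name and the 192.0.2.x addresses are constructed placeholders, and a single upstream SMTP peer is an assumption.

```shell
#!/bin/sh
# emit_relay_rules <external-iface> <relay-ip> <allowed-smtp-source>
# Prints a ruleset in iptables-restore format; it does not load anything.
emit_relay_rules() {
    iface=$1; relay_ip=$2; peer=$3
    [ -n "$iface" ] || return 1
    # Refuse to emit rules for a missing or malformed address.
    for ip in "$relay_ip" "$peer"; do
        echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $iface -s 127.0.0.0/8 -j DROP
-A INPUT -i $iface -s $relay_ip -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $iface -p tcp -s $peer -d $relay_ip --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "relay-drop: "
COMMIT
EOF
}

# Constructed sample values: relay at 192.0.2.25, upstream peer at 192.0.2.10.
emit_relay_rules eth0 192.0.2.25 192.0.2.10
```

The two source-address drops reject packets that arrive on the external interface claiming to come from loopback or from the relay itself; everything not explicitly accepted falls through to the DROP policy after being logged.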
peter demus
Frequent Advisor

Re: Secure My Server

Strange going on.... Also Exchange is not secure at all and the POP3 connector is like hell.

First: use ONE mail server, not TWO - fewer security issues!

Second: why don't you want to communicate with me - I'm coming from Germany. Blocking email is silly, rejecting is also strange. how do you select

Use SpamAssassin and a hardened Linux mail server with iptables running.

bye peter
jepp!
Karsten Breivik_1
Frequent Advisor

Re: Secure My Server


Hi. I agree with Mr Karasik that this sounds like a strange solution.

However, if you go ahead you could try using the Bastille script http://www.bastille-linux.org for tightening the OS and reducing the exposure of servers on your machine.

Also, you may consider using another mail transfer agent as a more secure drop-in replacement for sendmail. Qmail http://www.qmail.org/ is widely respected for security. Wietse Venema's Postfix server http://www.postfix.org/ is supposedly also more secure than Sendmail. Postfix is the first choice on my servers.

Both of these MTAs support loads of additional plugins like the Amavis virus scanner and the SpamAssassin spam killer engine. See http://www.postfix.org/addon.html for more info on the addons.

poi
Steven E. Protter
Exalted Contributor

Re: Secure My Server

Most important:

iptables. Make sure all ports other than 25 and others you need open are locked down tight and hard.

People will use other ports to try and abuse httpd and mail servers and relay spam and just bring your kernel down. They do this for kicks, fun.

The best place to block mail is in the /etc/mail/access file.

Then you need to do m4 macro generation to generate a sendmail.cf script to apply these file entries to your setup.

Blocking by country is difficult and probably futile. There is no way to know who gets what IP address.

If this is a spam issue, note that it's a good idea to reject mail from those that have no reverse DNS lookups. I do it, AOL does it and it makes a lot of sense.

Most spam comes from relay servers set up by viruses spread by the spammers. Joe Schmoe's pc is taken over or running an open relay and all the spammers start using it until poor Joe loses his ISP connection for spamming (not).

You can actually limit attachments by using a web based mail solution like squirrelmail. Just adjust down the attachment limit. You can also block by extension, squirrelmail even has a limited function plugin to scan for viruses.

Let me know if any of the approaches above require elaboration and I will do so.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Mic V.
Esteemed Contributor

Re: Secure My Server

Hi, Robert,

I appreciate that you're thinking about security. I wish security-consciousness was more widespread.

I think the advice offered here is excellent. A couple of possible additions:
- if you mean Cisco PIX, my personal opinion is that you might like an application proxy better (last I knew, PIX was a packet filter type, correct me if I'm wrong)
- I assume your sendmail config makes use of RBLs; if not, it would be something to try for spam reduction

Regards,
Mic
What kind of a name is 'Wolverine'?