(RHCE) sendmail/dovecot/postfix question

For those who studied or took the RHCE exam, I want to know your strategy to implement security for sendmail, dovecot, and postfix.

This is my strategy:

• If I'm asked to restrict a protocol like pop3 or imap, I use iptables.

• If I'm asked to configure only pop3s & imaps, for example using dovecot, then in the dovecot.conf file I'll set this directive:
protocols pop3s imaps
instead of the default:
protocols pop3 pop3s imap imaps

just to avoid enabling protocols that are not needed.



• For both sendmail & postfix, in the cf configuration there's a way to restrict users to specific networks:

Postfix main.cf
mynetworks = 168.192.1.0/24, 127.0.0.0/8


Sendmail /etc/mail/access
# by default we allow relaying from localhost...
Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:127.0.0.1                       RELAY
192.168.1.                              RELAY



Is there anything else that can be done? What about TCP_Wrappers?

Am I missing something related to host-based security for email agents?
Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

Learn GRC! GRC Mastery : https://grcmastery.com 
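The iptables side of this plan (and the append-versus-insert debate in the replies) comes down to first-match evaluation in the INPUT chain. The following is an added Python model written for this page, not code from any poster or from iptables itself; the Chain class, the 192.168.1.0/24 LAN and the client addresses are constructed samples.

```python
import ipaddress

class Chain:
    """Minimal model of an iptables filter chain: first matching rule wins;
    if nothing matches, the chain policy applies (no stateful matching)."""
    def __init__(self, policy="ACCEPT"):
        self.policy = policy
        self.rules = []  # each rule: {"src": cidr|None, "dport": int|None, "target": str}

    def append(self, **rule):
        """iptables -A INPUT ...: the rule goes to the end of the chain."""
        self.rules.append(rule)

    def insert(self, rulenum=1, **rule):
        """iptables -I INPUT [rulenum] ...: defaults to the top of the chain."""
        self.rules.insert(rulenum - 1, rule)

    def verdict(self, src, dport):
        """Walk the chain for a TCP packet from src to destination port dport."""
        ip = ipaddress.ip_address(src)
        for r in self.rules:
            if r.get("src") and ip not in ipaddress.ip_network(r["src"]):
                continue
            if r.get("dport") and r["dport"] != dport:
                continue
            return r["target"]
        return self.policy

def build_appended():
    """Catch-all REJECT appended first; the LAN allow appended after it is shadowed."""
    c = Chain()
    c.append(target="REJECT")                                   # -A INPUT -j REJECT
    c.append(src="192.168.1.0/24", dport=110, target="ACCEPT")  # -A ... lands below it
    return c

def build_inserted():
    """Same two rules, but the allow rule is inserted at position 1 (-I)."""
    c = Chain()
    c.append(target="REJECT")
    c.insert(1, src="192.168.1.0/24", dport=110, target="ACCEPT")
    return c

def build_lan_only(lan="192.168.1.0/24"):
    """The post's plan using -A only: allow the LAN to pop3/imap, then reject all others there."""
    c = Chain()
    for port in (110, 143):
        c.append(src=lan, dport=port, target="ACCEPT")
    for port in (110, 143):
        c.append(dport=port, target="REJECT")
    return c
```

With a catch-all REJECT already in the chain, only an inserted rule (or an append that is ordered before the REJECT is added) ever takes effect, which is the point made later in the thread.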

Comments

  • varelg Banned Posts: 790
    You'd like to use TCP Wrappers if you like to read logs of access to the services/ports you intend to protect...
  • NightShade03 Member Posts: 1,383
    It is worth noting that you don't need to know Postfix AND Sendmail. You will be asked to implement POP3 or IMAP...they won't specify how you implement it. I would recommend that you focus more on the Postfix element if you are new to the RHCE studies as Sendmail is slightly dated (in my personal opinion).

    That all being said...your plan looks good, I'd also make sure that you are comfortable with little security issues through the config files as well.

    Examples would include:
    Null connections
    Restricting open relays
    Subnet based restrictions
  • darkerosxx Banned Posts: 1,343
    Only sendmail uses tcp_wrappers, not postfix, nor dovecot.

    Use this to find the parameters for postfix's main.cf that you need and then you'll be able to find them during the exam and you can forget studying this any further:

    man 5 postconf

    man page postconf section 5

  • lsgondane Registered Users Posts: 1
    I would rather use iptables, this would allow us to individually apply restrictions on each protocol. Tcpwrapper works on daemons, hence it would allow or deny all the protocols.

    iptables -I INPUT -s <Source IP or Network> -d <my machine ip> -p tcp --dport <110 or 143> -j REJECT

    Remember, in the examination we have to use REJECT, while in real-time scenarios we should use DROP.
  • UnixGuy Mod Posts: 4,570
    lsgondane wrote: »
    I would rather use iptables, this would allow us to individually apply restrictions on each protocol. Tcpwrapper works on daemons, hence it would allow or deny all the protocols.

    iptables -I INPUT -s <Source IP or Network> -d <my machine ip> -p tcp --dport <110 or 143> -j REJECT

    Remember, in the examination we have to use REJECT, while in real-time scenarios we should use DROP.


    correction

    iptables -A (not -I) :)

    I agree, best strategy is iptables for services like this, and tcp wrappers for daemons like vsftpd, sshd...

  • /pub/beer/ Member Posts: 67
    UnixGuy wrote: »
    correction

    iptables -A (not -I) :)

    I agree, best strategy is iptables for services like this, and tcp wrappers for daemons like vsftpd, sshd...

    For the sake of having the end result be a reject and not a drop, you would have the last rule of the chain be a reject from any source to any destination port. So depending on how you were writing the rules you may not want to just keep appending (-A) rules. Granted, the example using insert (-I) lacked the rule number, but I prefer using insert and carefully stacking the rules in the chain. In the end, if it gives the proper result it doesn't matter.

    I prefer iptables as well, but I don't care for tcpwrappers. I used config files if needed to service control at a user level. The main one that sticks out in my head is putting user access in the sshd_config rather than tcpwrappers. Again, personal preference. Same concept with FTP users (From a rusty memory I want to say /etc/ftp.allow & /etc/ftp.deny).
    Certification Goal:
    - ¯\_(ツ)_/¯