(RHCE) sendmail/dovecot/postfix question
UnixGuy
Mod Posts: 4,570 Mod
For those who studied or took the RHCE exam, I want to know your strategy to implement security for sendmail, dovecot, and postfix.
This is my strategy:
If I'm asked to restrict a protocol like pop3 or imap, I use iptables.
If I'm asked to configure only pop3s & imaps, for example using dovecot, then in the dovecot.conf file I'll set this directive:
protocols = pop3s imaps
instead of the default:
protocols = pop3 pop3s imap imaps
just to avoid enabling protocols that are not needed.
both sendmail & postfix, in the cf configuration there's a way to restrict users to specific networks:
Postfix main.cf
mynetworks = 192.168.1.0/24, 127.0.0.0/8
Sendmail /etc/mail/access
# by default we allow relaying from localhost...
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
192.168.1. RELAY
Is there anything else that can be done? What about TCP Wrappers?
Am I missing something related to host-based security for email agents?
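One caveat worth checking before leaning on the dovecot directive above: "protocols pop3s imaps" is Dovecot 1.x syntax. Dovecot 2.x (RHEL 6 onwards) only accepts imap and pop3 in "protocols", and TLS-only service is expressed by disabling the plaintext listeners in conf.d/10-master.conf (port = 0) and setting "ssl = required" in conf.d/10-ssl.conf. The script below is an added example, not code from the post: the two config texts are constructed samples in the 2.x format, and plaintext_listeners reports which imap/pop3 listeners would still accept unencrypted logins, which is the thing to verify in "doveconf -n" output.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed Dovecot 2.x 10-master.conf
# samples and a check for listeners that still accept plaintext logins.

# Stock 2.x layout: every listener enabled on its default port (the
# commented "port =" lines are how the shipped file looks).
DEFAULT_MASTER_CONF='
service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}
'

# Hardened: plaintext listeners off, imaps/pop3s explicit. Pair this with
# "ssl = required" in conf.d/10-ssl.conf so non-TLS logins are refused anyway.
TLS_ONLY_MASTER_CONF='
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
'

# Usage: plaintext_listeners "$conf_text"  -> one listener name per line.
# Dovecot semantics: an "inet_listener imap" / "inet_listener pop3" block
# with no active "port =" line listens on the protocol default, so only an
# explicit "port = 0" disables it.
plaintext_listeners() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*inet_listener[[:space:]]+(imap|pop3)[[:space:]]*[{]/ {
            name = $2; port = "default"; inblk = 1; next
        }
        inblk && /^[[:space:]]*port[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); port = $0
        }
        inblk && /^[[:space:]]*[}]/ {
            if (port != "0") print name
            inblk = 0
        }
    '
}
```

Run it against "doveconf -n" output instead of the constructed samples on a real host; an empty result means no plaintext imap/pop3 listener is left.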
Comments
-
varelg Banned Posts: 790
You'd like to use TCP Wrappers if you like to read logs of access to the services/ports you intend to protect...
-
NightShade03 Member Posts: 1,383 ■■■■■■■□□□
It is worth noting that you don't need to know Postfix AND Sendmail. You will be asked to implement POP3 or IMAP...they won't specify how you implement it. I would recommend that you focus more on the Postfix element if you are new to the RHCE studies, as Sendmail is slightly dated (in my personal opinion).
That all being said, your plan looks good. I'd also make sure that you are comfortable with the little security issues in the config files as well.
Examples would include:
Null connections
Restricting open relays
Subnet-based restrictions
-
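For the "restricting open relays" and "subnet-based restrictions" items, the following is an added example, not code from the thread or from any poster: two constructed Postfix main.cf fragments, one that relays for anyone and one hardened, plus the check I would run over main.cf (or "postconf -n" output) before exposing port 25. Postfix walks smtpd_recipient_restrictions left to right and the first permit/reject that matches decides, so relay control depends on reject_unauth_destination being present after the permits, and permit_mynetworks is exactly as tight as mynetworks itself.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed main.cf fragments and a
# relay-control check. (Postfix 2.10+ also has smtpd_relay_restrictions with
# a safe default; the same check applies to that parameter.)

OPEN_RELAY_CONF='
myhostname = mail.example.com
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, permit
'

HARDENED_CONF='
myhostname = mail.example.com
mynetworks = 192.168.1.0/24, 127.0.0.0/8
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
'

# Usage: relay_check "$conf_text"; prints one finding per line, returns 0 if none.
relay_check() {
    rc=0
    # Postfix continues a parameter on lines that start with whitespace; fold
    # those so each parameter is a single line before extracting values.
    flat=$(printf '%s\n' "$1" | awk '
        /^[[:space:]]+[^[:space:]]/ { printf " %s", $0; next }
        { if (NR > 1) print ""; printf "%s", $0 }
        END { print "" }')
    nets=$(printf '%s\n' "$flat" | sed -n 's/^mynetworks[[:space:]]*=[[:space:]]*//p')
    restr=$(printf '%s\n' "$flat" | sed -n 's/^smtpd_recipient_restrictions[[:space:]]*=[[:space:]]*//p')

    # permit_mynetworks with a catch-all network is an open relay by definition.
    case "$nets" in
        *0.0.0.0/0*)
            echo "mynetworks contains 0.0.0.0/0: permit_mynetworks trusts every client"
            rc=1 ;;
    esac
    # Without reject_unauth_destination (or defer_unauth_destination) nothing
    # stops mail for foreign domains from being accepted and relayed.
    case "$restr" in
        *reject_unauth_destination*|*defer_unauth_destination*) ;;
        *)
            echo "smtpd_recipient_restrictions lacks reject_unauth_destination: open relay"
            rc=1 ;;
    esac
    return $rc
}
```

Running relay_check on the first fragment reports both problems; on the hardened one it is silent and exits 0.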
darkerosxx Banned Posts: 1,343
Only sendmail uses tcp_wrappers, not postfix, nor dovecot.
Use this to find the parameters for postfix's main.cf that you need and then you'll be able to find them during the exam and you can forget studying this any further:
man 5 postconf
-
lsgondane Registered Users Posts: 1 ■□□□□□□□□□
I would rather use iptables; this would allow us to individually apply restrictions on each protocol. Tcpwrapper works on daemons, hence it would allow or deny all the protocols.
iptables -I INPUT -s <Source IP or Network> -d <my machine ip> -p tcp --dport <110 or 143> -j REJECT
Remember, in the examination we have to use REJECT, while in real-time scenarios we should use DROP.
-
UnixGuy Mod Posts: 4,570 Mod
> I would rather use iptables; this would allow us to individually apply restrictions on each protocol. Tcpwrapper works on daemons, hence it would allow or deny all the protocols.
> iptables -I INPUT -s <Source IP or Network> -d <my machine ip> -p tcp --dport <110 or 143> -j REJECT
> Remember, in the examination we have to use REJECT, while in real-time scenarios we should use DROP.
Correction:
iptables -A (not -I)
I agree, the best strategy is iptables for services like this, and tcp wrappers for daemons like vsftpd, sshd...
-
/pub/beer/ Member Posts: 67 ■■■□□□□□□□
> Correction:
> iptables -A (not -I)
> I agree, the best strategy is iptables for services like this, and tcp wrappers for daemons like vsftpd, sshd...
For the sake of having the end result be a reject and not a drop, you would have the last rule of the chain be a reject from any source to any destination port. So depending on how you were writing the rules, you may not want to just keep appending (-A) rules. Granted, the example using insert (-I) lacked the rule number, but I prefer using insert and carefully stacking the rules in the chain. In the end, if it gives the proper result it doesn't matter.
I prefer iptables as well, but I don't care for tcpwrappers. I used config files if I needed service control at a user level. The main one that sticks out in my head is putting user access in sshd_config rather than tcpwrappers. Again, personal preference. Same concept with FTP users (from a rusty memory I want to say /etc/ftp.allow & /etc/ftp.deny).
Certification Goal:
- ¯\_(ツ)_/¯
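Tying the iptables discussion above together, as an added example that is not from any of the posts: the rule layout below settles the -A versus -I question by giving the mail ports their own chain. Inside that chain the rules are appended in order with a terminal REJECT, and a single -I puts the jump at the top of INPUT so an existing catch-all rule cannot shadow it. Assumptions (constructed to match the thread): the LAN is 192.168.1.0/24, plaintext POP3/IMAP are allowed only from the LAN, and POP3S/IMAPS are allowed from anywhere. DRY_RUN=1 (the default) prints the commands instead of applying them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread. Dedicated iptables chain for POP3/IMAP
# access control with a terminal REJECT, reviewable via DRY_RUN.

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN, matching the thread
CHAIN="MAIL_ACCESS"
DRY_RUN="${DRY_RUN:-1}"                # set DRY_RUN=0 (as root) to apply

# Wrapper: print the command in dry-run mode, otherwise run iptables.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

mail_firewall_rules() {
    # Own chain: the order of rules inside it is fixed by this function, so
    # appending (-A) is safe and the REJECT is guaranteed to be last.
    ipt -N "$CHAIN" 2>/dev/null || true   # ignore "chain already exists"
    ipt -F "$CHAIN"
    # Plaintext POP3 (110) and IMAP (143): LAN only.
    ipt -A "$CHAIN" -s "$LAN_NET" -p tcp -m multiport --dports 110,143 -j ACCEPT
    # TLS-wrapped POP3S (995) and IMAPS (993): any source.
    ipt -A "$CHAIN" -p tcp -m multiport --dports 993,995 -j ACCEPT
    # Terminal rule. REJECT (what the exam asks for) answers the client with a
    # TCP reset instead of leaving it to time out; the thread notes DROP is
    # the usual production choice for unsolicited traffic.
    ipt -A "$CHAIN" -p tcp -j REJECT --reject-with tcp-reset
    # One -I at position 1 so the jump precedes any existing catch-all in INPUT;
    # only the four mail ports are diverted into the chain.
    ipt -I INPUT 1 -p tcp -m multiport --dports 110,143,993,995 -j "$CHAIN"
}

# Sanity check over a rule listing on stdin (dry-run output above, or
# "iptables -S MAIL_ACCESS" on a live host): the chain's last rule must be
# the REJECT, otherwise something was appended after it.
chain_ends_with_reject() {
    last=$(grep -- "-A $CHAIN" | tail -n 1)
    case "$last" in
        *"-j REJECT"*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Usage: "DRY_RUN=1 sh mailfw.sh" after adding a call to mail_firewall_rules at the bottom prints the six commands for review; piping that output (or "iptables -S MAIL_ACCESS" on a live host) into chain_ends_with_reject confirms the terminal REJECT is still last.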