3.2 E-MAIL SECURITY


3.2.1 Sendmail

Sendmail is the default Mail Transfer Agent (MTA) supplied with Red Hat 7.3 and most other distributions of Linux. Red Hat 7.3 shipped with version 8.11.6 of sendmail; at the time of this writing, sendmail version 8.12.5 is the most current stable version offered. It is advisable to upgrade to the current release of sendmail (http://www.sendmail.org) since it eliminates a theoretical buffer overflow vulnerability.

The configuration and operation of sendmail can be quite complicated in the hands of a beginner. It is highly recommended that anyone wishing to use the more advanced features of sendmail get a copy of Sendmail (commonly known as the "Bat Book") published by O'Reilly and Associates.

3.2.1.1 Disable Sendmail Daemon Mode on Workstation

Rarely should a workstation ever need to run a Mail Transfer Agent (MTA) in a daemon mode. Most organizations utilize a central mail gateway to route messages so the daemon can be safely disabled.

Edit /etc/sysconfig/sendmail to read:

    DAEMON=no
    QUEUE=15m

The QUEUE option controls how often sendmail processes the outgoing mail queue. In the example above the queue is processed every 15 minutes, but the interval can be changed to suit individual needs and may be given in seconds (s), minutes (m) or hours (h). Save the changes made to /etc/sysconfig/sendmail and restart the sendmail daemon:

 [root] # /etc/rc.d/init.d/sendmail restart 

3.2.1.2 Define SMTP Server for Mail Clients

Most Linux distributions include several command-line and GUI-based mail clients. Red Hat is no exception and ships with Pine, ELM, mail (AKA Mail), Mutt, Netscape and Mozilla just to name a few. While programs like PINE and ELM default to using sendmail locally, they can be configured to use an external MTA. However, the command-line application, mail, does not include an option to use an external MTA which makes changes to sendmail necessary to route messages through the central mail gateway.

3.2.1.2.1 Set Outbound SMTP Server for Sendmail

Option One:

Edit /etc/mail/sendmail.mc to include the following line:

    define(`SMART_HOST', `your.mailserver.com')dnl

Keep in mind that your.mailserver.com is the fully qualified domain name of the SMTP server for your organization (m4 quotes open with a backtick and close with an apostrophe). Generate a new sendmail.cf from the edited sendmail.mc:

 [root] # m4 /etc/mail/sendmail.mc > /etc/sendmail.cf 

Restart the sendmail daemon:

 [root] # /etc/rc.d/init.d/sendmail restart 

An alternate method is to edit /etc/sendmail.cf directly, but this is a generally discouraged practice. If, for some reason, using the m4 macro is not feasible, then edit /etc/sendmail.cf by looking for the DS line, which is located just after the "local info" heading. Change DS to read:

    DSyour.mailserver.com

It may also be a good idea to have the file handle locally delivered mail by editing the entries that begin with "DR", "DH" and "DM" in /etc/sendmail.cf:

    DRyour.mailserver.com
    DHyour.mailserver.com
    DMyour.mailserver.com

These handle unqualified addresses (those without any @domain portion), local addresses (user@host without any domain information) and the masquerade address, respectively. Save /etc/sendmail.cf and restart the daemon.

Option Two:

There is a little-known feature of sendmail written specifically to handle the situation of a local workstation relaying all outbound messages through a central SMTP server. The feature is called the Null Client Macro File and allows an administrator to create an appropriate sendmail.cf without all the extra features normally present.

Create /etc/mail/null.mc with the following lines (keep the include line that loads the sendmail cf.m4 macros from the top of the stock sendmail.mc, since the m4 build depends on it):

    OSTYPE(`linux')dnl
    DOMAIN(`generic')dnl
    FEATURE(`nullclient', `your.mailserver.com')dnl
    define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun')dnl

Generate a new sendmail.cf file by running the m4 macro and restart the sendmail daemon:

    [root] # m4 /etc/mail/null.mc > /etc/sendmail.cf
    [root] # /etc/rc.d/init.d/sendmail restart

3.2.1.2.2 Set Outbound SMTP Server for Mail Clients

As stated earlier, mail programs like Pine default to using sendmail on the localhost for sending messages. However, Pine can be configured to use a remote SMTP server if desired. You can set the SMTP server directly from the main menu by selecting "S" for setup, then "C" for config, and then moving down to the field labeled smtp-server. Enter the hostname of the remote SMTP server here and save your changes. In addition to the smtp-server field, personal-name and user-domain can be edited to reflect individual needs.

The SMTP server is set in Netscape Messenger by opening the Edit -> Preferences dialog, selecting Mail & Newsgroups -> Mail Servers and placing the hostname of the SMTP server in the field under Outgoing Mail Server. Mozilla Mail is quite similar, as are the countless GUI-based mail clients available for Linux. The general idea is to locate the mail preferences dialog and change the settings to reflect your environment.

3.2.1.3 Increase Privacy and Security of the Sendmail Daemon

Several options are available to increase the privacy and security posture of the sendmail daemon. By adding particular flags within /etc/mail/sendmail.mc, an administrator can restrict access to the mail queue, prevent certain commands from being issued by remote hosts, or tell sendmail to insert special headers into a mail message. A summary of these flags is presented below; all of them are explained in great detail in Chapter 34 of the Bat Book.

  • authwarnings: this causes sendmail to insert special headers into the mail message that advise the recipient of reasons to suspect that the message may not be authentic.

  • goaway: a shorthand way to set all of authwarnings, noexpn, novrfy, needmailhelo, needexpnhelo and needvrfyhelo.

  • restrictmailq: this restricts who may examine the contents of the queue by allowing only those users who are in the same group as the group ownership of the mail queue to examine its contents.

  • restrictqrun: this limits queue processing to root and the owner of the queue directory. Any non-privileged user who attempts to process the queue will get an error message stating they do not have permission to process the queue.

Edit the confPRIVACY_FLAGS line of /etc/mail/sendmail.mc to add the increased privacy and security flags as shown below:

    define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun')dnl

Generate a new sendmail.cf file by running the m4 macro and restart the sendmail daemon:

    [root] # m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
    [root] # /etc/rc.d/init.d/sendmail restart
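
The checks in sections 3.2.1.1, 3.2.1.2.1 and 3.2.1.3 are easy to verify after the fact, and a workstation that is rebuilt or re-imaged tends to lose them. The following shell script is an added example, not from the guide: it audits a sysconfig file for DAEMON=no, a generated sendmail.cf for a non-empty DS (smart host) line, and the "O PrivacyOptions=" line of sendmail.cf for the four flags recommended above. File paths are parameters so it can be run against copies; the sample files it writes are constructed for the example, and the host name mailhub.example.com in them is a placeholder.

```shell
#!/bin/sh
# Added example, not from the guide: audit a workstation's sendmail settings
# against sections 3.2.1.1 (DAEMON=no), 3.2.1.2.1 (smart host) and 3.2.1.3
# (privacy flags). Paths are parameters so the checks can run on copies; the
# files written by make_samples are constructed for this example.

# Print the value of KEY from a sysconfig-style file (KEY=value), ignoring
# comment lines and surrounding quotes; prints nothing when KEY is absent.
sysconfig_get() {  # file key
    awk -F= -v k="$2" '
        $0 !~ /^[[:space:]]*#/ && $1 == k { v = $2; gsub(/^["'\'']|["'\'']$/, "", v); last = v }
        END { print last }' "$1"
}

# 3.2.1.1: a workstation should not run sendmail in daemon mode.
sendmail_daemon_disabled() {  # sysconfig_file
    [ "$(sysconfig_get "$1" DAEMON)" = "no" ]
}

# 3.2.1.2.1: the DS line of the generated sendmail.cf names the smart host;
# prints the host name, or nothing if DS is empty or missing.
cf_smart_host() {  # sendmail.cf
    sed -n 's/^DS//p' "$1" | head -n 1
}

# 3.2.1.3: every flag given as an argument must appear in the
# "O PrivacyOptions=" line that define(`confPRIVACY_FLAGS', ...) produces.
# Order and spacing of the flags in the file do not matter.
cf_has_privacy_flags() {  # sendmail.cf flag...
    cf=$1; shift
    opts=$(sed -n 's/^O PrivacyOptions=//p' "$cf" | tr -d ' ' | tr ',' '\n')
    for f in "$@"; do
        printf '%s\n' "$opts" | grep -qx "$f" || return 1
    done
    return 0
}

# Run all checks, print a one-line verdict for each, return 0 only if all pass.
audit_sendmail() {  # sysconfig_file sendmail.cf
    rc=0
    if sendmail_daemon_disabled "$1"; then
        echo "ok   DAEMON=no"
    else
        echo "FAIL DAEMON is not set to no"; rc=1
    fi
    host=$(cf_smart_host "$2")
    if [ -n "$host" ]; then
        echo "ok   smart host is $host"
    else
        echo "FAIL no smart host (empty or missing DS line)"; rc=1
    fi
    if cf_has_privacy_flags "$2" authwarnings goaway restrictmailq restrictqrun; then
        echo "ok   privacy flags present"
    else
        echo "FAIL privacy flags incomplete"; rc=1
    fi
    return $rc
}

# Constructed sample files: a workstation configured as the guide recommends,
# and one left at typical defaults (mailhub.example.com is a placeholder).
make_samples() {  # dir
    mkdir -p "$1"
    printf 'DAEMON=no\nQUEUE=15m\n' > "$1/sysconfig.hardened"
    printf '# defaults\nDAEMON=yes\nQUEUE=1h\n' > "$1/sysconfig.default"
    printf 'DSmailhub.example.com\nO PrivacyOptions=authwarnings,goaway,restrictmailq,restrictqrun\n' > "$1/sendmail.cf.hardened"
    printf 'DS\nO PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun\n' > "$1/sendmail.cf.default"
}

dir=$(mktemp -d)
make_samples "$dir"
audit_sendmail "$dir/sysconfig.hardened" "$dir/sendmail.cf.hardened"
audit_sendmail "$dir/sysconfig.default" "$dir/sendmail.cf.default" || echo "default configuration does not meet the guide"
rm -r "$dir"
```

On a real host the two paths are /etc/sysconfig/sendmail and /etc/sendmail.cf. The script reads the generated sendmail.cf rather than sendmail.mc on purpose: the .cf is what the daemon actually loads, so an edit to sendmail.mc that was never run through m4 shows up as a failure here.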

3.2.1.4 Define Hosts Allowed to Relay Mail

Starting with version 8.9 of sendmail, relaying is prevented by default. This was done to prevent nefarious entities (e.g. spammers) from relaying unsolicited email through a mail gateway that was not properly configured. Relaying is controlled through the access database, whose source file is /etc/mail/access and whose compiled map is /etc/mail/access.db.

3.2.1.4.1 Check That the Access Database Is Active

To ensure sendmail has the ability to use the access database, check for the name of the database in /etc/sendmail.cf :

    [root] # grep Kaccess /etc/sendmail.cf
    Kaccess hash /etc/mail/access

If the line above isn't found, edit /etc/mail/sendmail.mc and add the following feature macro:

    FEATURE(`access_db')dnl

Generate a new sendmail.cf file by running the m4 macro and restart the sendmail daemon:

    [root] # m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
    [root] # /etc/rc.d/init.d/sendmail restart

3.2.1.4.2 Create Access Database for Domains Allowed to Relay

The access database has a simple "key value" format that is used when configuring allowed relay domains for sendmail. The "key" is a fully qualified hostname, sub-domain, domain or network. The "value" is an action (REJECT, DISCARD, OK, RELAY) or an arbitrary message. Only hosts or domains with the RELAY action defined are allowed to use the mail server as a mail relay. For example, if your domain is mailserver.com and your server is also handling mail for all hosts on the 192.168.x.x network, edit /etc/mail/access to read:

    mailserver.com            RELAY
    192.168                   RELAY

Save the changes to /etc/mail/access and use the makemap utility program to create the database map of this file and restart the sendmail daemon:

    [root] # makemap hash /etc/mail/access.db < /etc/mail/access
    [root] # /etc/rc.d/init.d/sendmail restart

Anytime information is modified in /etc/mail/access , it is important to run a new makemap command and restart the sendmail daemon so the changes will take effect. The example above is meant to illustrate simple usage of the access database. A more detailed explanation and advanced configurations can be found at: http://www.sendmail.org/tips/relaying.html
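
What the two entries above actually match is worth seeing, because the key is not a substring: sendmail looks up the full client name or address first and then progressively shorter keys, dropping leading labels from a host name (host.sub.example.com, sub.example.com, example.com, com) and trailing octets from an IPv4 address (192.168.1.5, 192.168.1, 192.168, 192), and the first key found decides. The shell script below is an added example, not from the guide or from sendmail, that resolves a client against a plain-text access file with those rules; it goes beyond the page's two-line example by also showing REJECT entries and a reply-code message as values. The sample access file it writes is constructed, and badhost.example and the 10.0.0 network in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the guide or from sendmail: resolve a connecting
# client against a plain-text /etc/mail/access file the way sendmail consults
# access.db. The most specific key is tried first, then shorter ones: a host
# name loses leading labels and an IPv4 address loses trailing octets. The
# first key found decides. The file written by make_access_sample is
# constructed for this example.

# Print the value stored under an exact key; nothing if the key is absent.
# Comment and blank lines are skipped; the value may be several words
# (for example an SMTP reply code followed by a message).
access_value() {  # access_file key
    awk -v k="$2" 'NF >= 2 && $1 !~ /^#/ && $1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Print the value that applies to a client (host name or dotted IPv4 address),
# or NONE when no key matches; the return status is 0 only for a match.
access_lookup() {  # access_file client
    key=$2
    case "$key" in
        *[!0-9.]*) mode=host ;;   # anything besides digits and dots: a name
        *)         mode=ip ;;
    esac
    while [ -n "$key" ]; do
        v=$(access_value "$1" "$key")
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
        case "$mode" in
            host) [ "${key#*.}" = "$key" ] && break; key=${key#*.} ;;
            ip)   [ "${key%.*}" = "$key" ] && break; key=${key%.*} ;;
        esac
    done
    echo NONE
    return 1
}

# Relaying is allowed only by an explicit RELAY entry: since sendmail 8.9 a
# client that matches nothing may deliver to local recipients but not relay.
may_relay() {  # access_file client
    [ "$(access_lookup "$1" "$2")" = "RELAY" ]
}

# Constructed sample file; badhost.example and 10.0.0 are placeholders.
make_access_sample() {  # file
    cat > "$1" <<'EOF'
# constructed sample /etc/mail/access
mailserver.com            RELAY
192.168                   RELAY
badhost.example           REJECT
10.0.0                    550 Mail from this network is not accepted
EOF
}

f=$(mktemp)
make_access_sample "$f"
for c in mail.mailserver.com 192.168.1.5 192.169.1.5 notmailserver.com relay.badhost.example 10.0.0.7; do
    printf '%-24s %s\n' "$c" "$(access_lookup "$f" "$c")"
done
rm -f "$f"
```

Note that notmailserver.com resolves to NONE: its lookup chain is notmailserver.com and then com, neither of which is a key, so an entry for mailserver.com does not leak relay rights to look-alike names. Remember that sendmail itself reads access.db, so this lookup only reflects the live configuration once makemap has been run on the edited file.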

3.2.1.5 Set Domain Name Masquerading

Many organizations prefer to have uniform mail addresses for all employees, such as joeuser@mailserver.com. While some mail clients can be configured to use a specific domain, the administration of multiple mail clients in even a small environment can be tedious and cost prohibitive. Sendmail can be configured to rewrite the headers of all outbound messages so that they masquerade as a single domain name for the entire organization. To define the masquerade address, edit /etc/mail/sendmail.mc to reflect the following example:

    MASQUERADE_AS(`mailserver.com')dnl
    FEATURE(`masquerade_entire_domain')dnl
    FEATURE(`masquerade_envelope')dnl

Generate a new sendmail.cf file by running the m4 macro and restart the sendmail daemon:

    [root] # m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
    [root] # /etc/rc.d/init.d/sendmail restart

3.2.1.6 Configure Sendmail to Use RBL Support

The Real-time Blackhole List, commonly referred to as RBL, is a DNS-based service that contains a database of suspected and known spammers. The m4 feature dnsbl allows sendmail to reference this database and automatically reject any messages originating from a domain listed by RBL. It should be noted that RBL is not an exact science, and there are times when a domain you wish to communicate with has found itself listed by RBL. It can often prove difficult to get a domain removed, so it is advised to use this feature with caution as it may break communication with legitimate domains. To add the feature to sendmail, edit /etc/mail/sendmail.mc and add the following:

    FEATURE(`dnsbl')dnl

Generate a new sendmail.cf file by running the m4 macro and restart the sendmail daemon:

    [root] # m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
    [root] # /etc/rc.d/init.d/sendmail restart

3.2.1.7 Install an Alternative MTA

Several other mail transfer agents are available to replace sendmail. Three popular alternatives are Qmail (http://www.qmail.org) by Daniel Bernstein, Postfix (http://www.postfix.org) by Wietse Venema, and Exim (http://www.exim.org/) developed by the University of Cambridge. These MTAs were written with security in mind and are generally considered to offer high performance. It is beyond the scope of this guide to give details on the installation and configuration of these alternatives, but a wealth of information is available at their respective sites.

3.2.2 Secure the POP and IMAP Daemons

For mail servers that collect all incoming mail for an organization, a common means to deliver the mail to clients is for them to retrieve the mail using the Post Office Protocol (POP) or the Internet Message Access Protocol (IMAP). POP (also called POP3) is the older and less complicated of the two protocols, providing basic commands for authentication, retrieval and deletion of mail messages from the mail server. IMAP is more flexible and supports creating, deleting and renaming mail folders (mailboxes), searching, selective retrieval of message attributes and more.

3.2.2.1 Get the Latest Version of POP and IMAP Daemons

Unfortunately, many POP and IMAP daemon implementations have been plagued with vulnerabilities that lead to remote root compromises of mail servers on various platforms. There are several well-known exploit programs for cracking vulnerable Linux POP and IMAP daemons. It is generally considered a good practice to always use the most current and stable release of any daemons and this is no exception.

Most newer POP and IMAP daemons currently available offer support for secure retrieval of messages. This is most commonly done with TLS/SSL, which requires the use of OpenSSL and the creation of a certificate. Qpopper (http://www.eudora.com/qpopper/), for example, is a POP daemon that offers TLS/SSL. The website contains detailed instructions on how to accomplish this goal and is highly recommended.

3.2.2.2 Control Access to POP and IMAP with TCP Wrappers

POP/IMAP is traditionally run out of xinetd, so access control through TCP wrappers is easy to configure and adds an important element of security. Limit access to only those hosts that have a legitimate need for the service. For a central mail hub that holds mail for the entire mailserver.com domain and the 192.168.x.x network and delivers it to clients via POP3 or IMAP, edit /etc/hosts.allow to reflect the following changes:

    ipop3d:        .mailserver.com        192.168.
    imapd:         .mailserver.com        192.168.
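
The leading dot in .mailserver.com and the trailing dot in 192.168. are what make these entries work as intended: in hosts_access(5) a pattern that starts with a dot matches any host name ending in that suffix, a pattern that ends with a dot matches any address starting with that prefix, ALL matches everything, and any other pattern must equal the client's name or address exactly (so 192.168 without the trailing dot would match nothing on that network). The shell script below is an added example, not from the guide or from tcp_wrappers, that applies those rules to a hosts.allow file for a given daemon and client; it also covers the ALL and LOCAL keywords, which the guide's entries do not use. It does not handle net/mask patterns, EXCEPT lists or the KNOWN/UNKNOWN/PARANOID keywords, and it compares names case-sensitively. It answers only whether a hosts.allow rule matches; that is the whole decision only when hosts.deny closes everything else with the customary "ALL: ALL", which is an assumption here, not something the guide states. The sample hosts.allow it writes is constructed, and the sshd line in it is a placeholder added to show exact-address matching.

```shell
#!/bin/sh
# Added example, not from the guide or from tcp_wrappers: decide whether a
# rule in a hosts.allow file grants DAEMON to a client, using the client
# patterns of hosts_access(5) that the guide's entries rely on. Net/mask
# patterns, EXCEPT lists and KNOWN/UNKNOWN/PARANOID are not handled, and
# comparison is case-sensitive (tcpd compares names case-insensitively).
# Treating an unmatched client as denied assumes the usual "ALL: ALL" in
# hosts.deny. The file written by make_hosts_allow_sample is constructed.

# Does one client pattern match the client's name or address?
pattern_matches() {  # pattern client_name client_addr
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;   # no dot in name
        .*)    case "$2" in *"$1") return 0 ;; esac ;;                # domain suffix
        *.)    case "$3" in "$1"*) return 0 ;; esac ;;                # address prefix
        *)     [ "$1" = "$2" ] || [ "$1" = "$3" ] && return 0 ;;     # exact match
    esac
    return 1
}

# Return 0 when some "daemon_list : client_list" line of FILE grants DAEMON
# to the client. Comments and a trailing ": option" field are ignored; both
# lists may be separated by commas or blanks.
hosts_allow_permits() {  # file daemon client_name client_addr
    sed -e 's/#.*//' "$1" | awk -F: 'NF >= 2 { print $1 ":" $2 }' | (
        while IFS=: read -r daemons clients; do
            hit=0
            for dp in $(printf '%s' "$daemons" | tr ',' ' '); do
                [ "$dp" = ALL ] || [ "$dp" = "$2" ] && hit=1
            done
            [ "$hit" -eq 1 ] || continue
            for cp in $(printf '%s' "$clients" | tr ',' ' '); do
                pattern_matches "$cp" "$3" "$4" && exit 0
            done
        done
        exit 1
    )
}

# Constructed sample; the sshd line is a placeholder showing an exact address.
make_hosts_allow_sample() {  # file
    cat > "$1" <<'EOF'
# constructed sample /etc/hosts.allow
ipop3d:        .mailserver.com        192.168.
imapd:         .mailserver.com        192.168.
sshd:          192.168.1.10
EOF
}

f=$(mktemp)
make_hosts_allow_sample "$f"
for probe in "ipop3d pc1.mailserver.com 192.168.5.20" "imapd laptop.example.org 10.1.2.3" \
             "ipop3d evilmailserver.com 10.1.2.3" "sshd unknown 192.168.1.100"; do
    set -- $probe
    if hosts_allow_permits "$f" "$1" "$2" "$3"; then r=allowed; else r=denied; fi
    printf '%-8s %-24s %-14s %s\n' "$1" "$2" "$3" "$r"
done
rm -f "$f"
```

Two of the probes are the cases worth remembering: evilmailserver.com is denied because the suffix pattern includes the dot, so only real sub-hosts of mailserver.com qualify, and 192.168.1.100 is denied for sshd because an address without a trailing dot is an exact match. The daemon field must be the process name as tcpd sees it (ipop3d, imapd), not the xinetd service name.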

Securing Linux: A Survival Guide for Linux Security (Version 2.0)
ISBN: 0974372773
Year: 2002
Pages: 39