7. Email
- First, most hosts do not need to receive mail from remote machines
(clients mostly connect to remote IMAP servers these days),
so your mail transport agent (MTA), e.g., sendmail, need
not be run in daemon mode (need not be started via the init
scripts) and need not listen on the network.
- If an MTA is needed, it is usually only for sending and
receiving mail locally, or for sending via a "smart" host,
for example, to see the output of cron
scripts. In this case configure the MTA to listen on
127.0.0.1 only.
- Ensure your MTA is not configured as an open relay (i.e., it will not
route email for anyone who requests it) — open relays are a major
hindrance in the fight against spam.
Details specific to Sendmail and Exim are given below.
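To check the "listen on 127.0.0.1 only" advice on a running host, the following POSIX shell function is an added example (not part of the original guide): it reads "ss -ltn"-style socket listings and reports any mail-port listener bound to something other than the loopback address. It assumes the iproute2 ss column layout (fourth column is Local Address:Port) and the standard mail ports 25 (smtp), 465 (smtps) and 587 (submission); the sample listing is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: report SMTP listeners bound to anything other than loopback.
# Reads "ss -ltn" style output on stdin (assumed column layout:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port) and prints the
# local address:port of every listener on a mail port (25 smtp, 465 smtps,
# 587 submission) whose address is not 127.0.0.1 or [::1].
smtp_nonloopback_listeners() {
    awk '
        $1 == "LISTEN" {
            la = $4
            n = split(la, parts, ":")
            port = parts[n]
            # address is everything before the final ":" (handles [::]:25 too)
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (port == "25" || port == "465" || port == "587") {
                if (addr != "127.0.0.1" && addr != "[::1]") print la
            }
        }'
}

# Constructed sample listing (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:25        0.0.0.0:*
LISTEN 0      128    0.0.0.0:25          0.0.0.0:*
LISTEN 0      128    [::]:587            [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Demonstration on the sample. On a live Linux host run:
#   ss -ltn | smtp_nonloopback_listeners
echo "Mail listeners exposed beyond loopback:"
printf '%s\n' "$SAMPLE_SS" | smtp_nonloopback_listeners
```

Only the two listeners bound to 0.0.0.0 and [::] are reported; the loopback-only port 25 socket and the unrelated port 22 socket are ignored. Any line printed means the MTA (or something else on a mail port) is reachable from the network and the configuration below needs attention.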
7.1. Sendmail
At the time of writing, sendmail has had few recent security-related
problems and patches, but its history is not so good --- it's had more than
its fair share of holes (e.g., those due to buffer overflows). In addition,
sendmail is notoriously difficult to configure, compounding other
problems.
- Shut it down if not needed, e.g.,
/etc/init.d/sendmail stop
and rename any /etc/rc?.d/S*sendmail entries to
/etc/rc?.d/K*sendmail so it is not started at boot.
- To ensure sendmail listens only on 127.0.0.1,
edit /etc/mail/sendmail.mc so that the following
DAEMON_OPTIONS line is in place and not commented out
(in sendmail.mc, "dnl" discards the rest of the line, so the
lines below beginning with dnl are comments):
dnl # The following causes sendmail to only listen on the IPv4
dnl # loopback address 127.0.0.1 and not on any other network devices.
dnl # Remove the loopback address restriction to accept email from the
dnl # internet or intranet.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
and run make against /etc/mail/Makefile to regenerate sendmail.cf from sendmail.mc.
Finally, restart sendmail.
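The following shell function is an added example (not from the original guide) that checks a sendmail.mc for exactly this setting: it strips m4 comments ("dnl" discards the rest of the line; "#" starts a comment that m4 copies through unexpanded) and then requires every remaining DAEMON_OPTIONS line to carry Addr=127.0.0.1. It assumes only that sendmail.mc is m4 input in the usual form; the two sample files are constructed, the first one taken from the snippet above and the second showing a commented-out restriction next to an unrestricted listener.

```shell
#!/bin/sh
# Added example: check that every active DAEMON_OPTIONS line in a sendmail.mc
# restricts the listener to 127.0.0.1. In m4 input, "dnl" discards the rest
# of the line and "#" starts a comment that is copied through unexpanded, so
# a DAEMON_OPTIONS that appears after either is not in effect.
# Usage: sendmail_mc_loopback_only /etc/mail/sendmail.mc   (or feed via stdin)
# Exit status: 0 = loopback only, 1 = listener exposed or no restriction found.
sendmail_mc_loopback_only() {
    awk '
        {
            line = $0
            sub(/(^|[^A-Za-z0-9_])dnl([^A-Za-z0-9_]|$).*/, "", line)   # drop dnl comments
            sub(/#.*/, "", line)                                       # drop # comments
        }
        line ~ /DAEMON_OPTIONS[ \t]*\(/ {
            active++
            if (line !~ /Addr=127\.0\.0\.1/) { print "exposed: " $0; exposed++ }
        }
        END {
            if (active == 0) { print "no active DAEMON_OPTIONS line: listener not restricted"; exit 1 }
            if (exposed > 0) exit 1
            print "ok: " active " active DAEMON_OPTIONS line(s), all bound to 127.0.0.1"
            exit 0
        }' "${1:-/dev/stdin}"
}

# Constructed sample 1: the restriction from the guide, active.
GOOD_MC=$(cat <<'EOF'
dnl # The following causes sendmail to only listen on the IPv4
dnl # loopback address 127.0.0.1 and not on any other network devices.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
EOF
)

# Constructed sample 2: restriction commented out, plus an unrestricted listener.
BAD_MC=$(cat <<'EOF'
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
EOF
)

printf '%s\n' "$GOOD_MC" | sendmail_mc_loopback_only
printf '%s\n' "$BAD_MC"  | sendmail_mc_loopback_only || echo "BAD_MC: fix before restarting sendmail"
```

Run it against the real file after editing and before regenerating sendmail.cf; a non-zero exit means either the restriction is still commented out or another DAEMON_OPTIONS line opens the listener to other addresses. Note that it inspects sendmail.mc only: if sendmail.cf is not regenerated, the running daemon keeps its old configuration.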
- Closed relay...
- Finally, the Sendmail Restricted Shell, smrsh, can be used.
It is intended as a replacement for sh for use in the "prog"
mailer in sendmail configuration files. It sharply limits
the commands that can be run using the |program syntax,
thus improving the security of your system. (If an intruder can get
sendmail to run a program without going through an alias or
forward file, smrsh limits the set of programs that he or she
can execute.)
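Before switching the prog mailer to smrsh, an administrator needs to know which programs the existing aliases actually pipe into, because smrsh only runs programs from its own program directory (whose location depends on the distribution). The following shell function is an added example (not from the original guide) that lists those programs from an aliases(5)-format file. It assumes the usual "name: target, target" layout with continuation lines starting with whitespace, and does not handle commas inside a quoted pipe command; the sample aliases file is constructed.

```shell
#!/bin/sh
# Added example: list every alias in an aliases(5)-format file that pipes mail
# into a program. These are the commands that must be permitted by smrsh
# (placed in its program directory, whose location varies by distribution)
# once sendmail's prog mailer is switched to smrsh.
# Reads the aliases file on stdin; prints "alias<TAB>program" per pipe target.
# Assumed format: "name: target, target, ..." with continuation lines
# beginning with whitespace; "#" lines are comments.
aliases_pipe_targets() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[^ \t]/ {                       # new alias definition
            colon = index($0, ":")
            alias = substr($0, 1, colon - 1)
            rest  = substr($0, colon + 1)
        }
        /^[ \t]/ { rest = $0 }            # continuation of the previous alias
        {
            n = split(rest, targets, ",")
            for (i = 1; i <= n; i++) {
                t = targets[i]
                gsub(/^[ \t"]+|[ \t"]+$/, "", t)   # trim space and quotes
                if (substr(t, 1, 1) == "|") {
                    cmd = substr(t, 2)
                    sub(/^[ \t]+/, "", cmd)
                    split(cmd, words, /[ \t]+/)
                    print alias "\t" words[1]   # program path, without its arguments
                }
            }
        }'
}

# Constructed sample aliases file (not from a real system).
SAMPLE_ALIASES='# constructed sample
postmaster: root
majordomo: "|/usr/lib/majordomo/wrapper majordomo"
archive:    user1,
            "|/usr/local/bin/archive-mail"
noc:        ops@example.invalid'

# Demonstration on the sample; on a real host: aliases_pipe_targets < /etc/aliases
echo "Programs reachable through aliases (must be allowed by smrsh):"
printf '%s\n' "$SAMPLE_ALIASES" | aliases_pipe_targets
```

Every program printed must be made available to smrsh (or the alias removed) or delivery to that alias will start failing once smrsh is in place; users' ~/.forward files have a different, one-target-per-line layout and need a separate review.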
7.2. Exim