Re: Setting up a mail server
On Tue, Sep 03, 2002 at 08:47:02PM -0400, Stephen Gran wrote: > Hello all, > > I'm getting ready to set up a mail server, and I have a few questions > that I was hoping people would have opinions on. Right now I have a box > that collects my mail with fetchmail, and then allows other boxes on the > LAN to collect from it via qpopper. All direct outside access is > blocked, first with iptables, and then with both tcpwrap and qpopper > itself. (...) That's a common question, how about reading (first): http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s5.6 ? In any case, as other's suggested, the most sensible thing to do is to *not* create accounts and configure PAM to use an external database. This can be just a separate user/password list, an LDAP or a full-blown database. Your option. For a (brief) overview see http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s4.10 Best regards Javier
RE: Setting up a mail server
> Many of these user accounts will no doubt be sending and > receiving email > from dial-up accounts, which limits the ability to deny service on a > per-IP basis. Suggestions for security, with pointers, please? I > already plan on SSL, I'm asking I guess more about open relay > issues in > this sort of setup. Also, these user accounts will not be > dialing into > an ISP that I control, but I may wish to allow them to use me as a > smarthost - does this seem foolish? I am undecided. You could try to setup "pop-before-smtp". (apt-get install pop-before-smtp) :-) Any IP address trying to use your SMTP services for relaying will have to have authenticated through POP (or IMAP) a few seconds before. I know some ISPs use that, its not too much restrictive for users, since they can still use plain SMTP, not ESMTP. Hope this helps Vincent
Re: Setting up a mail server
This one time, at band camp, Andy Coates said: > > Hello all, > > [snip] > > > Now I find myself in the position of changing the setup, so > > that it is a > > real internet-facing mail server. It will act as the MX for > > my domain, > > using exim, and will distribute the mail to people, either still with > > qpopper or with an IMAP server (haven't decided yet). > > > > There are several questions I have at this point: > > > > I would like to add user accounts, so that exim and qpopper (or IMAP) > > accept and deliver mail for them, but not allow these users shell > > access. Is changing their shell to /bin/false enough, or is there a > > smarter way (or one that is not quite so manual?) > > You'd want to go one step further and forget even adding them an > account. Qpopper supports PAM modules for other authentication than > /etc/passwd, as well as third-party patches for alternate mechanisms. > This usually means that all mail on the system is handled by one user, > since there is no individual unix accounts actually in use. > > I don't use qpopper myself (since IIRC it doesn't support IMAP, just > POP3). If you're open to alternatives, have a look at Courier MTA > (http://www.courier-mta.org/) which supports both POP3 and IMAP via many > authentication systems, and it'll also do your SSL. Main reason I use > this is for integration with qmailadmin/vpopmail, but even with exim > since it uses Maildir format so your mail deliveries won't need any > special tweaking. > > > Many of these user accounts will no doubt be sending and > > receiving email > > from dial-up accounts, which limits the ability to deny service on a > > per-IP basis. Suggestions for security, with pointers, please? I > > already plan on SSL, I'm asking I guess more about open relay > > issues in > > this sort of setup. Also, these user accounts will not be > > dialing into > > an ISP that I control, but I may wish to allow them to use me as a > > smarthost - does this seem foolish? I am undecided. > > Use SMTP AUTH with exim too (no special patches needed). You can > configure it to query wherever you decide to authenticate POP3/IMAP > from, so you have one password for both reading and sending mail. > > > Anything you think I'm leaving out? I've done a lot of googling and > > RTFM'ing recently, but I haven't found a really good guide to > > practical > > security considerations for a mail host - if someone has a > > good link it > > would be appreciated. > > I'd look at the whole picture - you'll be giving users access to mail, > and the ability to relay mail. Both require authentication, so you'd > save yourself a lot of hassle if both authenticated against the same > passwords/database. > > There's probably hundreds of combinations to achieve that, but since > Courier is probably the most configurable with regards to > authentication, and exim is just sexy anyway, I'd say those two are your > best bet. Both can be configured to authenticate against a MySQL > database (or LDAP), which are relatively easy to setup and plenty of > examples on the web on how to do so. > > You seem to be aiming for a very secure system, so what I've said might > not be the *ultimate* secure system, but it is very simple and easily > managed - as well as being as safe as you'll probably ever need. > > HTH, > Andy. No, I think you about hit it on the head - I'm not doing anything with this box other than serving mail for friends, so if it gets cracked, it's really not the end of the world. On the other hand, I'd like to have reasonable safeguards set up so I can save myself the headache of a cracking. I'll look into Courier and SQL - SQL was something I was planning to learn anyway, and this gives me the excuse. Thanks all, Steve -- Boob's Law: You always find something in the last place you look. pgpQ2HokThlVR.pgp Description: PGP signature
Re: Setting up a mail server
Also sprach "Stephen Gran" <[EMAIL PROTECTED]> am Tage Tue, 3 Sep 2002 20:47:02 -0400: > Hello all, > > There are several questions I have at this point: > > I would like to add user accounts, so that exim and qpopper (or IMAP) > accept and deliver mail for them, but not allow these users shell > access. Is changing their shell to /bin/false enough, or is there a > smarter way (or one that is not quite so manual?) > I'm using postfix and courier and all users are in postgresql, but you could also use mysql or others. Like this there is really NO connection between the unix accounts and the mail accounts. The worst thing that could happen is that someone figures out an email account's password and reads this user's emails. The other advantage of this solution is, that it allows you quite easily to use a web frontend for changing the user's information like passwords, name and so on. Marcel - PGP / GPG Key:http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc pgpymi5ohoIY9.pgp Description: PGP signature
RE: Setting up a mail server
> Hello all, [snip] > Now I find myself in the position of changing the setup, so > that it is a > real internet-facing mail server. It will act as the MX for > my domain, > using exim, and will distribute the mail to people, either still with > qpopper or with an IMAP server (haven't decided yet). > > There are several questions I have at this point: > > I would like to add user accounts, so that exim and qpopper (or IMAP) > accept and deliver mail for them, but not allow these users shell > access. Is changing their shell to /bin/false enough, or is there a > smarter way (or one that is not quite so manual?) You'd want to go one step further and forget even adding them an account. Qpopper supports PAM modules for other authentication than /etc/passwd, as well as third-party patches for alternate mechanisms. This usually means that all mail on the system is handled by one user, since there is no individual unix accounts actually in use. I don't use qpopper myself (since IIRC it doesn't support IMAP, just POP3). If you're open to alternatives, have a look at Courier MTA (http://www.courier-mta.org/) which supports both POP3 and IMAP via many authentication systems, and it'll also do your SSL. Main reason I use this is for integration with qmailadmin/vpopmail, but even with exim since it uses Maildir format so your mail deliveries won't need any special tweaking. > Many of these user accounts will no doubt be sending and > receiving email > from dial-up accounts, which limits the ability to deny service on a > per-IP basis. Suggestions for security, with pointers, please? I > already plan on SSL, I'm asking I guess more about open relay > issues in > this sort of setup. Also, these user accounts will not be > dialing into > an ISP that I control, but I may wish to allow them to use me as a > smarthost - does this seem foolish? I am undecided. Use SMTP AUTH with exim too (no special patches needed). You can configure it to query wherever you decide to authenticate POP3/IMAP from, so you have one password for both reading and sending mail. > Anything you think I'm leaving out? I've done a lot of googling and > RTFM'ing recently, but I haven't found a really good guide to > practical > security considerations for a mail host - if someone has a > good link it > would be appreciated. I'd look at the whole picture - you'll be giving users access to mail, and the ability to relay mail. Both require authentication, so you'd save yourself a lot of hassle if both authenticated against the same passwords/database. There's probably hundreds of combinations to achieve that, but since Courier is probably the most configurable with regards to authentication, and exim is just sexy anyway, I'd say those two are your best bet. Both can be configured to authenticate against a MySQL database (or LDAP), which are relatively easy to setup and plenty of examples on the web on how to do so. You seem to be aiming for a very secure system, so what I've said might not be the *ultimate* secure system, but it is very simple and easily managed - as well as being as safe as you'll probably ever need. HTH, Andy.