E-mail Virus Protection Handbook, part 9

Chapter 10 • Sendmail and IMAP Security (www.syngress.com)

One possibility on some servers is to use an alternate authentication scheme such as CRAM-MD5 (Challenge-Response Authentication Mechanism, built on a keyed hash that uses MD5, the message-digest algorithm designed by Ronald Rivest) or a mechanism negotiated through SASL (Simple Authentication and Security Layer, a framework under which mechanisms such as CRAM-MD5 are offered). With a conventional scheme, the server accepts the password over the network from the client and then hashes it for comparison against the hashed version it stores. With CRAM-MD5, the server first sends the client a fresh challenge string; the client computes an HMAC-MD5 keyed with the password over that challenge and sends the result; the server computes the same value and compares. The password itself never crosses the network, and a response recorded by an eavesdropper cannot be replayed against a new challenge. Two caveats apply. First, the server must hold each password in a form from which the keyed hash can be recomputed, so its password store becomes a more valuable target than a file of one-way hashes. Second, anyone who records a challenge and its response can test candidate passwords offline at leisure, so the scheme protects weak passwords only against casual sniffing, not against a dictionary attack. (For more information about CRAM-MD5, see RFC 2195 at www.cis.ohio-state.edu/htbin/rfc/rfc2195.html. For more information about SASL, see RFC 2222 at www.cis.ohio-state.edu/htbin/rfc/rfc2222.html.)

Another consideration is how authentication is managed on the server side. An IMAP server that uses standard UNIX authentication must run as root in order to read the UNIX (shadow) password file. Most buffer overflow exploits that allow execution of commands as root through a flaw in the server software rely on the server running as root: the overflow tricks the process into executing code outside its normal operation, and if the process is root, so is the attacker's code. A hacker who manages this on a server running as root can pry open a virtual door to gain unauthorized access to your system later. A number of servers do not have to run as root because they use an alternate method of completing the authentication process on the server side. Cyrus IMAP, for example, supports a separate process just to check passwords (called pwcheck). The password-checking process runs as root but will talk only to authorized programs (such as the IMAP server). It accepts the username and password from the IMAP server and returns a message indicating whether the authentication attempt succeeded. In this way, the IMAP server that talks to the outside world does not jeopardize the rest of the system by running as root.

Securing Access

A strong authentication method may not be enough to maintain security if you have a wide-ranging and mobile population to support. Although there are methods to avoid plain-text passwords, the messages themselves may be passing over insecure networks and could be subject to interception. The solution is to make a secure connection from your IMAP client to your IMAP server.

You might wonder whether your firewall is enough protection. A firewall simply guards your networked resources from unauthorized outside connections. On a UNIX system you can accomplish a similar level of protection by using an open source software package called TCP Wrapper (tcpd). TCP Wrapper allows you to control which IP addresses do or do not have access to a particular service (such as IMAP) running on your system. In both cases, however, no protection is afforded to the IMAP connection itself outside the protected network or server: the traffic is still readable by anyone on the path.

A virtual private network (VPN) may provide a secure connection for your IMAP traffic. A VPN allows an authorized user to gain password-authenticated access to your network from anywhere on the Internet. A VPN implementation will usually encrypt all communications between the VPN client and the host network, thereby minimizing data compromise via network packet sniffing. A VPN may be a large answer to a small problem, though, because a VPN is intended to guard all protocols on the network. A more targeted solution for IMAP security is to establish a Secure Sockets Layer (SSL) connection between the client and the server. This is the same type of security that Web servers use to support the secure transfer of data between client and server. Many clients support SSL, but not all servers do. You can still implement SSL support by using an open source program called stunnel (see www.stunnel.org).

Stunnel can connect a secure port on your server to the normal port on which your application listens. IMAP usually listens on port 143. Stunnel might listen on port 993 (the port registered for IMAP over SSL, and the one SSL-capable clients expect) and make a loopback connection inside your system to port 143. Traffic between the client and the stunnel listener is encrypted; traffic between stunnel and the IMAP server stays on the local host in the clear, so the IMAP port itself should not be reachable from outside. The advantage is that you do not have to make changes to your IMAP server to support secure access. Stunnel is also available for Windows systems and can be used on the Windows client side if SSL support is not built into the client software.

SSL requires a digital certificate, which identifies the server to the client; the session key that actually encrypts the traffic is negotiated during the SSL handshake. If you want your certificate to be automatically recognized by client software such as Netscape or Internet Explorer, you will need to acquire it from a commercial certificate authority such as Verisign. A self-signed certificate still encrypts the traffic, but clients will warn about it, and users who are trained to click through such warnings will not notice a real impostor.

For IT Professionals: Consider LDAP for Authentication

More often these days the Lightweight Directory Access Protocol (LDAP) is supported as an authentication option for IMAP and other servers. LDAP is a directory services database implemented with Internet protocols for the standardized exchange of information over the network. LDAP has the advantage of scaling to very large numbers of users. It also allows you to avoid running your server as root: because authentication can be accomplished by testing the username and password against the LDAP server, there is no need to run as root to read and compare a value stored in the UNIX password file. LDAP supports CRAM-MD5 authentication, avoiding the need to pass the clear-text password over the network. OpenLDAP is now included in many Linux distributions, and the LDAP Software Development Kit is included in Solaris 7 and above. You can find out more about LDAP and LDAP authentication by visiting www.openldap.org.

From the Client Side

Your IMAP client will need some specific features to take advantage of a number of these security options. Not all clients support an alternate authentication method such as CRAM-MD5 or a SASL mechanism. You may need additional software on the client side to support an SSL connection. Netscape Communicator and Internet Explorer both have SSL support built in, but they may not be the first choice as an e-mail client.

Whatever you decide to support for client software, it may pay to be proactive in providing information to your e-mail users, or even preconfigured copies of the client software. The best way to ensure security compliance is to make it easy for people to comply. When security makes things difficult, people will find easy methods to manage the difficulty (like sticking their password to their monitor because the server enforces password changes so often that they cannot keep up). Security is an ongoing coordination between you and the users you support.

IMAP Summary

It is entirely possible to provide a secure and reliable standards-based mail system using IMAP as the server protocol. The key is to know how your software operates and to secure the system on which it runs. You need to be sure that mail messages are stored on reliable hardware and backed up on a regular basis. When you can, make use of secure login or connection protocols. These guidelines apply whether you use a commercial IMAP server or open source software. Security is a result of how well you install and maintain your service.
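The CRAM-MD5 exchange described under IMAP authentication earlier in this section, worked through from both sides. This is an added example, not code from the handbook or from any IMAP server; it uses only the Python standard library. The user database, the wordlist and the sample hostname are constructed for the demonstration, and the challenge format follows RFC 2195's msg-id style. The last function recomputes the worked example given in RFC 2195 itself, and offline_guess shows the caveat from the text: a recorded exchange can still be attacked with a dictionary without ever contacting the server.

```python
"""CRAM-MD5 (RFC 2195) from both sides, plus the offline guessing that a
recorded exchange still allows.  Added example, not code from the handbook;
standard library only.  The user database, the wordlist and the sample
hostname are constructed for the demonstration."""
import base64
import hashlib
import hmac
import os
import time

# The server must be able to recompute HMAC-MD5 keyed with the password, so it
# stores the password itself (or an equivalent keyed-hash state).  This is the
# store the text warns becomes a more valuable target.  Constructed sample data.
USER_DB = {"tim": "tanstaaftanstaaf", "alice": "correct horse battery staple"}


def cram_md5_digest(password, challenge):
    """HMAC-MD5(key=password, msg=challenge) as lowercase hex (RFC 2195)."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


# --- server side ------------------------------------------------------------

def make_challenge(hostname="mail.example.org"):
    """A fresh msg-id style challenge per attempt; uniqueness is what stops replay."""
    nonce = int.from_bytes(os.urandom(4), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>"


def server_verify(challenge, response):
    """Check a 'username hexdigest' response against the stored password."""
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    password = USER_DB.get(username)
    if password is None:
        cram_md5_digest("dummy", challenge)   # keep timing similar for unknown users
        return False
    return hmac.compare_digest(cram_md5_digest(password, challenge), digest)


# --- client side ------------------------------------------------------------

def client_response(username, password, challenge):
    """The client sends the keyed hash of the challenge, never the password."""
    return f"{username} {cram_md5_digest(password, challenge)}"


def run_exchange(username, password):
    """The protocol round trip; on the wire both strings travel base64-encoded."""
    challenge = make_challenge()
    wire_challenge = base64.b64encode(challenge.encode()).decode()
    response = client_response(username, password, base64.b64decode(wire_challenge).decode())
    wire_response = base64.b64encode(response.encode()).decode()
    return server_verify(challenge, base64.b64decode(wire_response).decode())


# --- the caveat --------------------------------------------------------------

def offline_guess(challenge, response, wordlist):
    """An eavesdropper who recorded one challenge/response pair can test
    candidate passwords without ever talking to the server, so rate limiting
    and lockouts do not help; only password strength does."""
    _, digest = response.split(" ", 1)
    for candidate in wordlist:
        if cram_md5_digest(candidate, challenge) == digest:
            return candidate
    return None


def rfc2195_example():
    """The worked example in RFC 2195: user tim, password tanstaaftanstaaf."""
    return cram_md5_digest("tanstaaftanstaaf", "<1896.697170952@postoffice.reston.mci.net>")


if __name__ == "__main__":
    print("rfc2195 vector:", rfc2195_example())
    print("tim, right password:", run_exchange("tim", "tanstaaftanstaaf"))
    print("tim, wrong password:", run_exchange("tim", "guess"))
    ch = make_challenge()
    resp = client_response("tim", "tanstaaftanstaaf", ch)
    print("offline guess:", offline_guess(ch, resp, ["password", "letmein", "tanstaaftanstaaf"]))
```

Note that the comparison on the server side uses hmac.compare_digest rather than ==, so a response cannot be guessed byte by byte through timing; the dummy computation for unknown usernames serves the same purpose for account enumeration.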
Recovery

No matter how secure you think your mail service is, you must be prepared for the worst in case it happens. Being prepared means making regular backups and being able to restore from those backups. If your system must be totally rebuilt because of an actual disaster, a hardware failure, or a security compromise, the ability to restore data as well as configuration files becomes a critical need.

For IT Professionals: IMAP Administration Tips

Know (and read) your log files. Log files keep you in touch with what is happening on your server. Knowing what is normal will help you spot abnormalities. Browse your logs on a daily basis or create automated processes to provide you with summary information from your logs.

POP3 and IMAP server in one: enable only one. The more protocols you have running, the more opportunity there is for a compromise of your server. Limit your support to the minimum required by your enterprise. Give preference to protocols that have tools on the client and server side for providing a secure connection.

Watch that space. One of the biggest hazards to ongoing smooth operation is running out of resources. E-mail will continue to grow in size and quantity, so you have to plan ahead to keep up with the pace.

Know your paradigm. The way your IMAP server is implemented may affect the extent to which you can control security. Be aware of the limitations and advantages of your software.

Don't run as root. Servers running as root pose the largest threat from exploits such as a buffer overflow. When possible, use server implementations that do not need to run as root to perform their authentication functions.

Keep up with and apply security patches. Monitor security bulletins and apply security patches recommended by your software vendor. You can get security information from your vendor's Web site or from organizations like CERT (www.cert.org).

Backing Up Data

A number of built-in, commercial, or free backup solutions exist for use with UNIX mail servers. There are built-in commands, such as tar, cpio, and dd. These are traditional UNIX facilities used to move files and directories from one place to another. More sophisticated commercial packages are available which not only move the data but also include data compression and incremental backup.

Tar (tape archive) is probably the most familiar, since it is commonly used to distribute source code packages and other sets of files. Tar, by default, will write to a tape device and is a very basic backup command. It concatenates files, preserves directory structures, and preserves file ownership and permissions. A tar archive will be slightly larger than the space required to store those same files. It will not necessarily be a fast process. It is also not selective: tar starts at the base directory you specify and recursively copies all files in that tree. You can cd to root, mount a tape, and issue a tar -c command. However, depending on the size and number of your disk partitions, you could be waiting a long time (days) for that backup to complete. Cpio is a bit more efficient in copying files, but it is not selective by default and also does nothing on its own to compress data.

Commercial packages such as Legato Networker are available to manage and execute backups (see www.legato.com). The Legato product is a full-featured backup program that keeps track of media, does incremental and/or full backups, and compresses data during the backup process. It is extremely efficient in moving data and writes data to tape in a proprietary format. It is a client/server utility that can operate over a network or on a single system. Networker is not the only commercial package available, but it is one of the more popular ones in the UNIX world.

Somewhere in between tar and Networker is an open source package called AMANDA (Advanced Maryland Automated Network Disk Archiver), developed at the University of Maryland, College Park. It will run in client/server mode over a network and has some media management capability. It can do incremental backups and write data in a number of open formats, configurable by the backup manager (see www.amanda.org).

No matter what the frequency of your backups is, it will not be frequent enough to preserve all e-mail. If you back up once per day and experience some kind of system failure or compromise, you will have complete data only up to the time of your last backup. Any files added to the system since the last backup may be missing, corrupt, or compromised. The only way to ensure survival of all e-mail data files is to mirror the file systems on which they are stored. Mirroring data is expensive from the standpoint of disk and processor resources, so you must balance the cost of losing any e-mail against the cost of maintaining a mirror of all files. Mirroring also does not protect against a catastrophic disaster such as fire or flood, and a mirror faithfully replicates a deletion or a corruption the moment it happens, so it is no substitute for a backup.

When you install and use a backup program, be sure you use it on a regular basis and with a specific data protection plan in mind. Don't just set the backups to run every night: monitor those backups and respond to conditions that cause backups to fail. Don't just run incremental backups. Regular full backups are necessary for the efficient and timely restoration of data (and to avoid having to mount 50 tapes just to restore one data partition). If possible, allow for off-site storage of a copy of your most recent backup set (full and incrementals) or of your next most recent set.
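The full-plus-incremental cycle described above, carried through on a small mail spool, with the restore verified against checksums of the live files rather than assumed to have worked. This is an added example and not the handbook's code; it uses Python's tarfile module in place of the tar command so it runs anywhere, and it is not a replacement for tar, AMANDA or Networker. The spool layout, message contents and modification times are constructed for the demonstration. It also shows the side effect that the "Restoring Data" discussion warns about: a message deleted after the full backup comes back when full and incremental archives are simply restored on top of each other.

```python
"""Full plus incremental backup of a mail spool, restore, and verification.
Added example (not the handbook's own code, and not a substitute for
tar/AMANDA/Networker).  The spool contents and mtimes are constructed."""
import hashlib
import os
import tarfile
import tempfile

T_OLD, T_FULL, T_NEW = 1_000_000, 1_000_500, 1_001_000   # constructed mtimes


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out


def list_archive(archive):
    """Re-read the archive after writing it: a backup that cannot be listed
    is a failed backup, whatever the exit status said."""
    with tarfile.open(archive, "r:gz") as tar:
        return {m.name for m in tar.getmembers() if m.isfile()}


def full_backup(src, archive):
    """Archive the whole tree under arcname '.' (the 'cd to the base and tar -c' idiom)."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return list_archive(archive)


def incremental_backup(src, archive, since):
    """Archive only files modified after 'since' (the previous backup's time)."""
    with tarfile.open(archive, "w:gz") as tar:
        for dirpath, _, files in os.walk(src):
            for name in files:
                full = os.path.join(dirpath, name)
                if os.path.getmtime(full) > since:
                    tar.add(full, arcname=os.path.join(".", os.path.relpath(full, src)))
    return list_archive(archive)


def restore(archives, dest):
    """Restore the full archive first, then each incremental; later files win."""
    for archive in archives:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(dest, filter="data")   # Python 3.12+: refuse unsafe members
            except TypeError:
                tar.extractall(dest)


def write(path, data, mtime):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(data)
    os.utime(path, (mtime, mtime))


def run_demo():
    """Build a spool, back it up, change it, restore and verify; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        spool = os.path.join(tmp, "spool")
        write(os.path.join(spool, "alice/cur/1.msg"), "Subject: hello\n\nhi\n", T_OLD)
        write(os.path.join(spool, "alice/cur/2.msg"), "Subject: old\n\nbye\n", T_OLD)
        full = os.path.join(tmp, "full.tgz")
        full_set = full_backup(spool, full)

        # Day 2: one new message arrives and one old message is deleted by the user.
        write(os.path.join(spool, "alice/new/3.msg"), "Subject: new\n\nlater\n", T_NEW)
        os.remove(os.path.join(spool, "alice/cur/2.msg"))
        live = manifest(spool)
        incr = os.path.join(tmp, "incr.tgz")
        incr_set = incremental_backup(spool, incr, since=T_FULL)

        dest = os.path.join(tmp, "restored")
        restore([full, incr], dest)
        restored = manifest(dest)
        return {
            "full_files": sorted(full_set),
            "incr_files": sorted(incr_set),
            "all_live_files_restored": all(restored.get(p) == h for p, h in live.items()),
            "deleted_message_reappeared": "alice/cur/2.msg" in restored,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The deleted_message_reappeared result is the "restoring too much data" case: an incremental made by modification time records additions and changes but not deletions, so a restore that needs to be exact must either use a backup format that records deletions or be reconciled against a listing taken at backup time.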
With such a plan in mind you can minimize data loss in the event a problem does occur.

Restoring Data

If you have been diligent with your backups, restoring data will not be impossible. For the most part, your backup program will manage the file retrieval. However, there are some considerations when you are trying to restore a system or its data. For example, will you be restoring files that are used in the operation of any of your software services? Will your backup program overwrite files or allow you to save a copy under a slightly different name? In any case, it is a good idea to shut down any programs that rely on the files you are trying to restore before the restore begins.

Restoring data can also require some thought. Is restoring data all that is required? As we have seen, sometimes the data must be reintegrated into the software's tracking scheme, as is the case with Cyrus IMAP. It is also sometimes possible to restore too much data, creating, for example, duplicate copies of e-mail messages in someone's mailbox, or bringing back messages the user had deleted.

Restoring a compromised system offers its own challenges. If your system has been compromised for some time, then the files on your backup tapes will be compromised as well. If you require customized configuration or program files, then it might be necessary to reconstruct them, a time-consuming process at best. To guard against being without "clean" versions of your files, you may wish to make a complete backup three to four times a year which you keep for a specified time. That way, if your recent and regular backups are compromised, you can reach back and recover at least some clean copies of files you spent a long time creating. Age alone does not prove a backup is clean, though; compare the recovered files against known-good sources or recorded checksums before trusting them.

The Bottom Line on Backup

The most important thing to say about backup is "do it." It is sometimes possible to minimize the impact of losing files or programs on your desktop computer. It can be catastrophic to be unprepared for the loss of data on a system that serves thousands of people. It can cost time, money, and progress. Having a plan to back up and restore data is an essential part of running a secure, reliable e-mail service.

Summary

Sendmail is the most popular and in some ways most useful mail routing program on the Internet. In spite of its reputation for insecurity, with attention and planning it can be run in a secure and reliable manner. There are some alternatives to Sendmail that are relative newcomers to the Internet but may provide a secure and capable mail routing environment for those not wishing to manage the complexity of Sendmail.

A secure and reliable standards-based mail system using IMAP as the server protocol can be provided without compromising the security of the server. New developments in encryption and authentication make it possible to protect both the messages passing through the server and the server system itself. Server systems should be backed up frequently, and a plan should exist for restoring data in response to a crisis.

FAQs

Q: Where can I find the latest Sendmail source code if I want to compile my own customized version?

A: You can download the Sendmail source code from the open source Sendmail site at www.sendmail.org. You will find general documentation in the top-level README file as well as in an INSTALL file. Within the Sendmail source directory is another README file that gives specific information about compilation.

Q: Can I control which sites are allowed to make an SMTP connection to my server running Sendmail?

A: If you compile and install Sendmail from the source code, you can use a compile-time option to include TCP Wrapper support: include -DTCPWRAPPERS in the compiler directives. This feature requires some prerequisite resources. To quote from the Sendmail 8.11.0 README: "If you are using -DTCPWRAPPERS to get TCP Wrappers support you will also need to install libwrap.a and modify your site.config.m4 file or the generated Makefile to include -lwrap in the LIBS line (make sure that INCDIRS and LIBDIRS point to where the tcpd.h and libwrap.a can be found)." The TCP Wrappers package is available at ftp://ftp.porcupine.org/pub/security. Access to your system is controlled by definitions in the hosts.deny and hosts.allow files in the /etc directory. The most secure practice is to deny all systems a connection to your SMTP server in hosts.deny and then allow specific hosts or domains to connect by adding them to hosts.allow; hosts.allow is consulted first, so an entry there overrides the blanket denial, and a connection that matches neither file is allowed, which is why the blanket denial matters. For more information about the format of those files, see the man page for hosts_access. Bear in mind that wrapping the SMTP port restricts who may deliver mail to you at all; a server that must accept mail from the whole Internet can apply a deny-by-default policy only to its other services (such as IMAP), not to SMTP.

Q: How do I create mail aliases?

A: You can create Sendmail aliases by modifying the aliases file found in /etc/mail. The format for an alias is the following:

<alias>: destination

For example, to create an alias for abuse@<your server>, you would add a line with the word "abuse", a colon (:), a space, and a delivery address. The delivery address could be a local user on the same system or an address on a different host. Once you have updated the aliases file, you will need to build a version that Sendmail can read: change to /etc/mail (cd /etc/mail) and issue the newaliases command.

Q: Where can I buy Postfix?

A: Postfix is copyrighted but freely available, and can be downloaded directly from the Internet at no cost. For installation on your system, you may need to compile the software by following the instructions included with the source code. A precompiled package is available for Sun Solaris 8 at www.sunfreeware.com. There is also an RPM package for Red Hat Linux, which can be found by searching for Postfix at www.redhat.com/apps/download.
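The hosts.allow/hosts.deny policy recommended in the TCP Wrappers answer above, evaluated offline against sample connections. This is an added example, not code from the handbook or from the tcpd package: it re-implements the subset of hosts_access(5) client-pattern syntax used in the sample files (ALL, an exact address or host name, a trailing-dot address prefix, a leading-dot domain suffix, and net/mask) so the policy can be checked before it goes live. The daemon names (sendmail, imapd, sshd, as the services register themselves with libwrap) and all addresses are constructed and assumed; real tcpd also supports EXCEPT lists, shell commands and further pattern types, and only trusts a host name that resolves consistently in both directions, none of which is modelled here.

```python
"""Evaluate TCP Wrappers hosts.allow / hosts.deny rules against sample
connections.  Added example, not tcpd's code; handles the pattern subset used
below.  Daemon names and addresses are constructed for the demonstration."""
import ipaddress

# Constructed policy: refuse everything, then open SMTP to the LAN and to one
# partner domain, IMAP to the campus network, and ssh to one admin host.
HOSTS_DENY = """
# everything not explicitly allowed is refused
ALL: ALL
"""

HOSTS_ALLOW = """
# daemon_list : client_list      (hosts_access(5) syntax, subset)
sendmail: 192.168.1. .partner.example.com
imapd:    10.0.0.0/255.0.0.0
sshd:     192.168.1.10
"""


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns)] for each non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((daemons.replace(",", " ").split(), clients.replace(",", " ").split()))
    return rules


def client_matches(pattern, ip, hostname):
    """Subset of hosts_access(5) client patterns."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                       # net/mask, e.g. 10.0.0.0/255.0.0.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):                # address prefix, e.g. 192.168.1.
        return ip.startswith(pattern)
    if pattern.startswith("."):              # domain suffix, e.g. .partner.example.com
        return hostname.endswith(pattern)
    return pattern == ip or pattern == hostname


def rule_matches(rule, daemon, ip, hostname):
    daemons, clients = rule
    daemon_ok = any(d in ("ALL", daemon) for d in daemons)
    return daemon_ok and any(client_matches(c, ip, hostname) for c in clients)


def access_allowed(daemon, ip, hostname, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts_access order: a match in hosts.allow grants, then a match in
    hosts.deny refuses, and a connection matching neither is ALLOWED.  That
    last default is why the FAQ puts 'ALL: ALL' in hosts.deny."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, ip, hostname):
            return True
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, ip, hostname):
            return False
    return True


if __name__ == "__main__":
    samples = [("sendmail", "192.168.1.25", "pc25.corp.example.com"),
               ("sendmail", "203.0.113.9", "mx.partner.example.com"),
               ("sendmail", "198.51.100.7", "unknown.example.net"),
               ("imapd", "10.20.30.40", "lab.campus.example.edu"),
               ("imapd", "192.168.1.25", "pc25.corp.example.com")]
    for daemon, ip, host in samples:
        print(daemon, ip, "allowed" if access_allowed(daemon, ip, host) else "denied")
```

The final test case in the block's checks, with hosts.deny left empty, is the one worth trying on a real system before relying on wrappers: with no deny rule, every unmatched connection is let through.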
Q: Can I download a precompiled Qmail package?

A: The Qmail source code package can be downloaded from www.qmail.org. That page also has a link to a Linux RPM package. For other systems, you will need to compile the source code in order to install Qmail.

Q: Does an IMAP server require users to have shell access to the server?

A: Cyrus IMAP allows for "black box" server operation. That is, all communication with the server from mail clients is done via the IMAP protocol. E-mail users do not have any need to log into the server directly and therefore have no need for shell access to the mail system. Furthermore, Cyrus IMAP allows for authentication mechanisms that are self-contained within the IMAP server. In this way, it removes the need for any user accounts to be included in your local password file or for relying on NIS to define user accounts for you.

Chapter 11 • Deploying Server-side E-mail Content Filters and Scanners (www.syngress.com)

Solutions in this chapter:
■ Overview of Content Filtering
■ Overview of Attachment Scanning
■ Installing and Configuring McAfee GroupShield
■ Installing and Configuring Trend Micro ScanMail for Exchange Server
■ Installing and Configuring Content Technologies' MAILsweeper for Exchange 5.5
■ Choosing Third-party Attack Detection and Scanning Services

[...]

Filtering by Sender

The easiest, most obvious way to filter e-mail is by looking at the sender of the e-mail. Usually, the sender is visible in the header of the e-mail. The sender field of the e-mail is one of the default items that content-filtering software is designed to look at. It is already possible, in most enterprise e-mail server software, to create a list of senders and e-mail domains that are rejected from [...]

[...] someplace else. Sometimes the sender field is blank to the human reader, or it may appear that the e-mail message is coming from the recipients themselves. However, content-filtering and attachment-scanning software installed at the server can see through these tricks by breaking the e-mail header down to raw data, which reveals hidden information about the source of the e-mail. So even if the e-mail [...]

[...] have subject headers that don't match the actual message in the body of the e-mail. Messages that appear to be legitimate are received and opened daily by unaware end-users, only to discover that the e-mail is actually an advertisement. For users with free Web-based e-mail accounts, visiting certain sites that register their e-mail addresses often seems to open up the floodgates of unsolicited e-mail. One [...]

[...] company e-mail should all be the result of an effective content-filtering software implementation. When using a content-filtering tool, all e-mail is filtered at the server before it reaches the intended recipient. E-mail can be filtered based on sender, subject, excessive file size, prohibited content, profanities, corrupted data, pornography, or racist or hate e-mails. One of the leading content-filtering tools [...]

[...] was relayed through multiple SMTP servers on the Internet, this can be seen once the header containing the sender information is broken down. Furthermore, if the sender cannot be revealed, scanning the body of the e-mail or the attachments for suspicious content would be the next step that the software would take. Once discovered, questionable e-mail would be blocked or eliminated.

Filtering by Receiver [...]

[...] of the e-mail message. 5. Once the e-mail message has been disposed of, the threat no longer exists.

[Figure 11.1: E-mail traveling through a network equipped with content-filtering software. The figure shows the message from sender to recipient broken into header (with other important header information), body and attachment, scanned as raw data for inappropriate content, with legitimate mail sent on to the recipient and threats deleted.]

As we mentioned, the body and attachments [...]

[...] the database, by directing the e-mails to a quarantine zone. Once in the quarantine zone, the e-mail can be further dissected to determine the safety and/or validity of the e-mail and its contents. If it is determined that the e-mail is safe, then it is passed on to the intended recipient; if the e-mail is determined to be a security threat or in violation of corporate policy, the e-mail is discarded [...]

[...] numerous quarantine areas. The quarantine areas can be assigned based on file size, sender name, subject, compiled database keywords, encrypted messages, recursive breakdown with a virus present, or even junk e-mail. Once the e-mails have reached quarantine, they are dealt with, in most cases, in a predefined manner. In some cases, it is the system administrator's responsibility to determine further action. Protocol [...]

[...] inappropriate content may have been established, depending on what a particular IT department determines to be best practice. In most cases, all e-mail received in quarantine is disposed of without further hesitation. Content-filtering software can be configured to add legal disclaimers, automatically archive e-mail, or generate information messages. These messages can be sent to the intended recipient within the network [...]

[...] software. 1. An e-mail message is received from the host mail system. 2. The e-mail message is broken down into component parts, such as header, body, and attachments. The header is examined for sender and recipients along with other key values that have been previously determined [...]

[...] of the junk mail sent and received over the Internet uses the same keywords and sentence structure, which makes it easy to weed them out once the body is examined. These keywords, as mentioned before, [...] tolerate questionable material via e-mail, they were able to detect such e-mails being sent through their corporate e-mail system, and were able to dismiss employees based on the content-filtering [...]
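The server-side breakdown the chapter fragments describe (header, body and attachments examined in turn, the Received chain traced back through the relays, the "mail from yourself" trick exposed, keyword and attachment checks, and a deliver-or-quarantine decision), carried out in miniature on two constructed messages. This is an added example and not code from the handbook or from any of the products the chapter installs; it uses only Python's email module. The two sample messages, the keyword list, the blocked-domain list, the dangerous-extension list and the thresholds are all constructed for the demonstration, and the local domain example.org is assumed.

```python
"""Server-side content filter in miniature: split a message into header, body
and attachments, trace the Received chain, and decide delivery or quarantine.
Added example, not the handbook's or any product's code.  Samples, keyword
list and policy values are constructed for the demonstration."""
import email
import email.policy
import os
import re

LOCAL_DOMAIN = "example.org"                              # assumed
BLOCKED_SENDERS = {"bulkmail.invalid"}                    # domains rejected outright
KEYWORDS = ["free money", "make money fast", "100% guaranteed", "click here"]
DANGEROUS_EXT = {".exe", ".vbs", ".scr", ".pif", ".bat", ".com"}
MAX_SIZE = 5 * 1024 * 1024
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)


def address_domain(addr):
    """'Bob <bob@example.org>' -> 'example.org'; '' if there is no address."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def received_chain(msg):
    """(from_host, by_host) per hop, oldest hop first.  Each relay prepends
    its own Received header, so the last header in the message is the first hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group(1).strip("[]"), m.group(2)))
    return hops


def analyze(raw):
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []
    claimed = address_domain(msg.get("From"))
    envelope = address_domain(msg.get("Return-Path"))
    hops = received_chain(msg)

    if len(raw) > MAX_SIZE:
        reasons.append("size")
    if claimed in BLOCKED_SENDERS or envelope in BLOCKED_SENDERS:
        reasons.append("blocked sender")
    # The visible From claims our own domain, but the envelope sender is elsewhere
    # and the first hop did not originate inside our domain: the "from yourself" trick.
    first_hop = hops[0][0] if hops else ""
    if claimed == LOCAL_DOMAIN and envelope != LOCAL_DOMAIN and not first_hop.endswith(LOCAL_DOMAIN):
        reasons.append("forged local sender")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    hits = [k for k in KEYWORDS if k in text]
    if len(hits) >= 2:                                    # one phrase alone is not enough
        reasons.append("keywords: " + ", ".join(hits))

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in DANGEROUS_EXT:
            reasons.append("attachment " + name)

    return {"claimed": claimed, "envelope": envelope, "hops": hops,
            "reasons": reasons, "verdict": "quarantine" if reasons else "deliver"}


# Constructed sample: a spam that forges the recipient as sender, relayed through
# a bulk-mail host, with a keyword-laden body and an .exe attached.
SPAM = b"""Received: from mx2.example.org (mx2.example.org [192.0.2.2])
 by mail.example.org with ESMTP id A1; Tue, 3 Oct 2000 10:00:02 +0000
Received: from relay.bulkmail.invalid (unknown [198.51.100.77])
 by mx2.example.org with SMTP id B2; Tue, 3 Oct 2000 10:00:01 +0000
Received: from [203.0.113.5] (HELO bob-pc)
 by relay.bulkmail.invalid with SMTP; Tue, 3 Oct 2000 09:59:59 +0000
Return-Path: <bounce@bulkmail.invalid>
From: bob@example.org
To: bob@example.org
Subject: Your account statement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

FREE MONEY!!! Click here now and make money fast, 100% guaranteed.
--XYZ
Content-Type: application/octet-stream; name="statement.exe"
Content-Disposition: attachment; filename="statement.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""

# Constructed sample: ordinary internal mail.
HAM = b"""Received: from pc7.example.org (pc7.example.org [192.0.2.7])
 by mail.example.org with ESMTP id C3; Tue, 3 Oct 2000 11:00:00 +0000
Return-Path: <alice@example.org>
From: alice@example.org
To: bob@example.org
Subject: Lunch?
Content-Type: text/plain

Are you free at noon? The cafe on Main Street has a table.
"""

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("ham", HAM)):
        result = analyze(raw)
        print(label, result["verdict"], result["reasons"], result["hops"])
```

The Received chain is reported oldest hop first so that the first entry is the host that actually injected the message; in the spam sample that is an unnamed address behind a bulk-mail relay, which no amount of forging in the From line can hide once the raw headers are read.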
