Fri, 22 May 2009
Securing Your E-mail Server
I used this excellent tutorial[1] for most of the basic server setup (which
is still in progress). What follows are some supplementary security-related
notes.
My goal is not so much a big server with a lot of users, but rather to
provide a highly secure, private e-mail service. I want to set it up so that
it is not easy to avoid using encryption in order to read, download, or send
e-mail through my server. Therefore my users can have confidence that their
communications with my server will be private, and they will not needlessly
expose themselves to eavesdropping. (It would be preferred to always insist
on encryption, but this is not possible. SMTP, for instance, must accept
unencrypted connections from other servers, and there is no way to prevent
an e-mail client from behaving like a server and making an unencrypted
connection to deliver e-mail to an account that is local to the server, as
this does not constitute relaying and does not require authentication.)
This server uses a postfix[2] e-mail server, a dovecot[3] imap server,
prayer[6] for webmail, and a MySQL[4] database backend containing user
account data.
The security steps I have taken so far:
- Dovecot: handles POP and IMAP, and provides the following
services: imap, imaps, pop3 and pop3s. imap and pop3 are the insecure
(unencrypted) options. I have disabled pop3, allowing only pop3s, in the
dovecot configuration. Webmail uses imap, so I have not turned it off.
- Firewall: At present I am permitting only the following services:
http, https, ssh, icmp, imaps, pop3s and smtp. External users are therefore
only permitted access to imaps and pop3s, and not to imap or pop3. The
insecure imap service is only available to processes running on the server
itself (such as webmail).
- postfix: smtp is unencrypted by default. An smtps service exists,
but an e-mail server must support plain smtp in order to allow the normal
server-to-server delivery of e-mail addressed to my local users, so
firewalling smtp is not an option. Users are allowed to relay e-mail via
SMTP through my server by providing their username and password via SMTP
AUTH. The tutorial enables STARTTLS (an encryption option) by default. By
adding "smtpd_tls_auth_only=yes" to /etc/postfix/main.cf, I can further
*insist* that a user use STARTTLS when sending e-mail via SMTP AUTH. With
smtpd_tls_auth_only on, a user who does not turn on STARTTLS in their e-mail
client will get a "relay denied" error.
- prayer webmail: in /etc/prayer/prayer.cf there is an
"ssl_encouraged" parameter that I have turned on. The result is that the
login form is not displayed by default on the http page, and there is a
strongly-worded suggestion to use the secure https prayer login page link. I
left the link in for logging in via http because there are some browsers
out there that do not support https, and there may be odd-ball situations
where the https port is being blocked locally and a user can only access the
server via http.
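A small check script for the dovecot and postfix settings above. This is an added example, not from the post or the tutorial it links; it runs against constructed sample data (the EHLO replies and "protocols" lines are made up here), and the live-capture command mentioned in the comment is an assumed tool, not something the post describes.

```shell
#!/bin/sh
# Added example: sanity checks for two settings discussed above.
# 1. Postfix with smtpd_tls_auth_only=yes must still advertise STARTTLS in
#    the plaintext EHLO reply, but must NOT advertise AUTH until TLS is up.
# 2. A Dovecot 1.x "protocols =" line must not list plaintext pop3.

# Returns 0 if the plaintext EHLO reply offers STARTTLS and withholds AUTH.
check_ehlo_pre_tls() {
  reply="$1"
  if ! printf '%s\n' "$reply" | grep -qi '^250[- ]STARTTLS'; then
    echo "FAIL: STARTTLS not offered"; return 1
  fi
  if printf '%s\n' "$reply" | grep -qi '^250[- ]AUTH'; then
    echo "FAIL: AUTH offered on the unencrypted connection"; return 1
  fi
  echo "ok: AUTH withheld until STARTTLS"
}

# Returns 0 if the "protocols =" line carries no plaintext pop3 listener.
check_dovecot_protocols() {
  protos=$(printf '%s\n' "$1" | sed 's/^[[:space:]]*protocols[[:space:]]*=//')
  for p in $protos; do
    if [ "$p" = "pop3" ]; then
      echo "FAIL: plaintext pop3 enabled ($1)"; return 1
    fi
  done
  echo "ok: no plaintext pop3 ($1)"
}

# Constructed sample EHLO replies (not captured from a real server).
EHLO_TLS_AUTH_ONLY='250-mail.example.com
250-PIPELINING
250-STARTTLS
250 8BITMIME'
EHLO_PLAIN_AUTH='250-mail.example.com
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME'

# To test your own server, capture its plaintext EHLO reply first, e.g.
# (assumed tool): printf 'EHLO probe\r\nQUIT\r\n' | nc mail.example.com 25
check_ehlo_pre_tls "$EHLO_TLS_AUTH_ONLY"
check_ehlo_pre_tls "$EHLO_PLAIN_AUTH" || true
check_dovecot_protocols 'protocols = imap imaps pop3s'
check_dovecot_protocols 'protocols = imap imaps pop3 pop3s' || true
```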
Here[5] is a good resource for e-mail client configuration. For my
sylpheed e-mail client, I use the following settings:
- user id is always the full e-mail address
- for both POP and IMAP, select "Use SSL for POP3 connection" to use
imaps & pop3s
- for secure SMTP, select "Use STARTTLS command to start SSL session"
[1] http://workaround.org/articles/ispmail-etch/ (Note: I keep a local
copy of this howto (hidden) which can be resurrected if the source disappears.)
[2] http://www.postfix.org/
[3] http://www.dovecot.org/
[4] http://dev.mysql.com/
[5] http://ist.uwaterloo.ca/cs/emailsecure/
[6] http://www-uxsup.csx.cam.ac.uk/~dpc22/prayer/
posted at: 07:35 | path: /Admin/email/misc