Mail Relay Strategies: How to protect an Exchange Server

Basic Principles and Assumptions
• Network and system security are important
• Companies generally want to keep internal e-mail private
• Security and convenience are inversely proportional
• Microsoft Exchange is very convenient

Typical Network
• Static hole through firewall for SMTP
• If a hacker gets into the mail server, they usually get access to lots of stuff (e.g. accounts, files, e-mail, etc.)

Better Design
• Put a mail relay machine outside the firewall, or in a DMZ, but not on the internal network
• Allow only the mail relay system to send email to the mail server

Why?
• Every machine that can be hit from the Internet must be considered “sacrificial”
• A small(ish) machine that only forwards email and normally has no data can easily be rebuilt without losing company secrets
• It’s slightly more secure to force a hacker to break into two different types of mail servers

Relatively Easy
• Setup DNS:
  xyz.com.  IN MX 10 mailrelay.xyz.com.
• Mailrelay.m4:
  define(MAIL_HUB, relay:mailserver.xyz.com.)
  Cw xyz.com
• To let a specific user get mail on mailrelay:
  LOCAL_USER(nieusma)

A Bit More Difficult
• Setup DNS:
  xyz.com.   IN MX 10 mailrelay.xyz.com.
  bite.com.  IN MX 10 mailrelay.xyz.com.
  me.com.    IN MX 10 mailrelay.xyz.com.
• Mailrelay.m4:
  MASQUERADE_AS(xyz.com)
  FEATURE(mailertable)
  FEATURE(masquerade_entire_domain)
• mailertable:
  xyz.com    relay:[mailserver.xyz.com]
  bite.com   relay:[mail.bite.com]
  me.com     relay:[mail.me.com]

Important Details
• All of the following directories must not allow group or others write access:
  /usr/local/mail/lib
  /etc/mail
  /var/spool/mqueue
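A small audit for the condition this slide states (no group or other write bit on the sendmail directories), as an added example that is not part of the original deck. `SENDMAIL_DIRS` is assumed to be the three paths from the slide; `audit_demo` builds a constructed temporary tree with deliberately mixed modes so the check can be exercised on a machine that has no Solaris sendmail layout.

```python
import os
import stat
import tempfile

# The directories the slide requires to be safe from group/other writes (assumed list).
SENDMAIL_DIRS = ["/usr/local/mail/lib", "/etc/mail", "/var/spool/mqueue"]

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def writable_by_group_or_other(path):
    """Return the offending write bits of a directory (0 means it is safe)."""
    return os.lstat(path).st_mode & GROUP_OR_OTHER_WRITE


def audit(paths):
    """Map each unsafe or missing directory to a short finding.

    A directory that group or others can write to lets a local account drop
    a replacement map, alias file or queue entry that sendmail will trust,
    so the whole relay hardening depends on these bits being clear.
    """
    findings = {}
    for path in paths:
        if not os.path.isdir(path):
            findings[path] = "missing"
            continue
        if writable_by_group_or_other(path):
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            findings[path] = "group/other writable (mode %o)" % mode
    return findings


def audit_demo():
    """Audit a constructed tree: one safe directory and two unsafe ones."""
    root = tempfile.mkdtemp()
    layout = {"lib": 0o755, "etc_mail": 0o775, "mqueue": 0o1777}  # constructed modes
    paths = []
    for name, mode in layout.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)  # explicit chmod so the umask cannot alter the input
        paths.append(path)
    return {os.path.basename(p): v for p, v in audit(paths).items()}


if __name__ == "__main__":
    print(audit(SENDMAIL_DIRS) or "all sendmail directories are safe")
```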

Examples
• Using DNS zone s1.firstlink.com and:
  – bones.firstlink.com
  – worf.firstlink.com
  – crusher.firstlink.com
  – mail.firstlink.com

DNS zone file
nieusma@bones$ cat /var/dns/db.s1.firstlink.com
$TTL 30
@         IN SOA bones.firstlink.com. nieusma.FirstLink.com. (
              2000102302 ; Serial
              10800      ; Refresh after 3 hrs
              3600       ; Retry after 1 hrs
              604800     ; Expire after 168 hrs
              60 )       ; TTL 1 min - debug purposes only
          in ns bones.firstlink.com.
          IN MX 10 bones.FirstLink.com.
          IN A 204.144.168.40
localhost IN A 127.0.0.1
bones     in a 204.144.168.43
          in mx 10 bones
          in mx 20 crusher
worf      in a 204.144.168.35
crusher   in a 204.144.168.40
          in mx 10 bones

most of bones.mc
define(`LOCAL_MAILER_FLAGS', `fSmnE9')dnl
OSTYPE(solaris2.ml)dnl
FEATURE(always_add_domain)dnl
FEATURE(relay_entire_domain)dnl
FEATURE(relay_based_on_MX)dnl
FEATURE(`mailertable', `hash -o /usr/local/mail/lib/mailertable')dnl
define(`confAUTO_REBUILD', `True')dnl
define(`confCOPY_ERRORS_TO', postmaster)dnl
define(`confRECEIVED_HEADER', `$?sfrom $s $.$?_($?s$|from $.$_) $.by $j $?r with $r$. id $i$?u for $u$.; $b')
Cw bones.s1.FirstLink.com
# virus checking routine
LOCAL_RULESETS
HSubject: $>local_check_header
D{virus}"553 We think your message contains a virus so it is rejected"
Slocal_check_header
RILOVEYOU	$#error $: ${virus}
Rfwd: Joke	$#error $: ${virus}
RSusitikim$*	$#error $: ${virus}
MAILER(local)dnl
MAILER(smtp)dnl

mailertable
nieusma@bones$ cd /usr/local/mail/lib
nieusma@bones$ cat mailertable
s1.firstlink.com        relay:[worf.s1.firstlink.com]
worf.s1.firstlink.com   relay:[worf.s1.firstlink.com]
nieusma@bones$ sudo makemap hash mailertable.db < mailertable
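An added example (not code from the original deck) that parses a mailertable in the format used on the “A Bit More Difficult” slide and in the firstlink table above, and reproduces sendmail's lookup order for a recipient domain: the exact domain first, then each parent domain with a leading dot, then the “.” default. The `.xyz.com` wildcard line is an assumed addition to the slide's three entries, included to show that a `.domain` entry matches only subdomains, which is why the bare `xyz.com` entry is still needed.

```python
# Constructed mailertable; the first three lines mirror the slide, the wildcard is assumed.
MAILERTABLE_TEXT = """\
xyz.com         relay:[mailserver.xyz.com]
bite.com        relay:[mail.bite.com]
me.com          relay:[mail.me.com]
.xyz.com        relay:[mailserver.xyz.com]
"""


def parse_mailertable(text):
    """Return {domain_key: (mailer, host, literal)} from mailertable source text.

    A host written as [host] tells sendmail to connect to that name directly
    instead of doing an MX lookup, which is what keeps the relay from routing
    internal mail back to itself when the public MX points at the relay.
    """
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, value = line.split(None, 1)
        mailer, host = value.split(":", 1)
        literal = host.startswith("[") and host.endswith("]")
        table[key.lower()] = (mailer, host.strip("[]"), literal)
    return table


def route(table, recipient):
    """Return the mailertable entry sendmail would pick for a recipient.

    None means no entry applies and delivery would fall back to DNS MX.
    """
    if "@" not in recipient:
        return None                       # local address, not routed by mailertable
    domain = recipient.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in table:
        return table[domain]              # exact match wins
    labels = domain.split(".")
    for i in range(1, len(labels)):      # ".xyz.com", then ".com"
        key = "." + ".".join(labels[i:])
        if key in table:
            return table[key]
    return table.get(".")                 # catch-all entry, if configured


if __name__ == "__main__":
    table = parse_mailertable(MAILERTABLE_TEXT)
    for addr in ("alice@xyz.com", "bob@sales.XYZ.com", "carol@bite.com", "dave@other.org"):
        print(addr, "->", route(table, addr))
```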

most of worf.mc
define(`LOCAL_MAILER_FLAGS', `fSmnE9')dnl
OSTYPE(solaris2.ml)dnl
FEATURE(always_add_domain)dnl
FEATURE(relay_entire_domain)dnl
FEATURE(relay_based_on_MX)dnl
FEATURE(nouucp)dnl
define(`MAIL_HUB', `esmtp:mail.firstlink.com')dnl
define(`confAUTO_REBUILD', `True')dnl
define(`confCOPY_ERRORS_TO', postmaster)dnl
define(`confSMTP_LOGIN_MSG', `$j: MTA by Nieusma; ready: $b')
define(`confRECEIVED_HEADER', `$?sfrom $s $.$?_($?s$|from $.$_) $.by $j $?r with $r$. id $i$?u for $u$.; $b')
# this host is the final destination for the following domains:
Cw s1.FirstLink.com
Cw bones.s1.FirstLink.com
Cw worf.s1.firstlink.com
MAILER(local)dnl
MAILER(smtp)dnl

Questions?