5.6. Securing mail services
If your server is not a mail system, you do not need a mail daemon listening for incoming connections, but you may still want local mail delivered in an orderly way, for example so that the root user receives the mail sent by alerting systems.
If you have exim installed, you do not need it running as a daemon, since the standard cron job flushes the mail queue. See Section 3.5.1, "Disabling daemon services", for how to configure this.
5.6.1. Configuring Nullmailer
You may want a local mail daemon so that locally generated mail can be sent to another system. This is a common requirement when you administer several systems and do not want to log in to each of them to read its local mail: just as the logs of every system can be centralized on one syslog server, the mail is sent to a central mail server.
This requires configuring the system as a relay-only host. The daemon is configured to listen on the loopback address only.
The following configuration steps only need to be taken to configure the exim package in the Debian 3.0 release. If you are using a later release (such as 3.1 which uses exim4) the installation system has been improved so that if the mail transport agent is configured to only deliver local mail it will automatically only allow connections from the local host and will not permit remote connections.
In a Debian 3.0 system using exim, you will have to remove the SMTP daemon from inetd:
- $ update-inetd --disable smtp
and configure the mail daemon to listen only on the loopback interface. In exim (the default MTA) you do this by editing /etc/exim.conf and adding the following line:
- local_interfaces = "127.0.0.1"
After restarting both daemons (inetd and exim), exim will listen on 127.0.0.1:25 only. Note that the inetd entry must be disabled first, otherwise exim cannot start, because inetd is still bound to port 25 and handling incoming SMTP connections.
For postfix, edit /etc/postfix/main.cf instead:
- inet_interfaces = localhost
If you only want to handle local mail, this approach is better than tcp-wrapping the mail daemon or adding firewall rules to restrict access. However, if you still need the daemon to listen on other interfaces, consider launching it from inetd with a tcp wrapper and restricting access through /etc/hosts.allow and /etc/hosts.deny. In addition, if logging is set up properly, you will be notified whenever unauthorized access attempts are made against your mail daemon.
In any case, to reject mail relaying at the SMTP level, edit /etc/exim/exim.conf and add the following line:
- receiver_verify = true
Even though your mail server will not relay messages, this setting is necessary to satisfy relay testers; you can check whether your server can be abused as a relay at http://www.abuse.net/relay.html.
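The relay testers mentioned above do nothing more than an SMTP conversation asking the server to accept mail from one foreign domain to another. The following is an added example, not code from the Securing Debian Manual or from abuse.net: a shell probe that runs that conversation with `nc` and classifies the reply to `RCPT TO`. The host names and addresses (`relaytest.example`, `example.net`) are hypothetical, and the transcripts embedded in the script are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the Securing Debian Manual): a minimal open-relay
# probe. A 5xx reply to RCPT TO for a foreign recipient means relaying is
# refused; a 2xx reply means the server would accept the message for relaying.

# relay_verdict: read an SMTP transcript on stdin and classify the reply to
# RCPT TO. Replies are counted by their final line ("NNN text"); a "NNN-text"
# line is a continuation of a multi-line reply (e.g. after EHLO) and is
# skipped. In the dialogue sent by relay_probe the RCPT TO reply is the fourth
# reply (greeting, HELO, MAIL FROM, RCPT TO).
relay_verdict() {
    awk '
        { sub(/\r$/, "") }
        /^[0-9][0-9][0-9]( |$)/ { n++; if (n == 4) cls = substr($0, 1, 1) }
        END {
            if (n < 4)           print "unknown"
            else if (cls == "2") print "relayed"
            else if (cls == "5") print "refused"
            else if (cls == "4") print "deferred"
            else                 print "unknown"
        }'
}

# relay_probe HOST [PORT]: run the dialogue against a live MTA. Each command
# is sent after a short pause, because MTAs such as exim drop clients that
# send data before reading the greeting (SMTP synchronisation check).
relay_probe() {
    host=${1:?usage: relay_probe HOST [PORT]}; port=${2:-25}
    {
        sleep 1; printf 'HELO relaytest.example\r\n'
        sleep 1; printf 'MAIL FROM:<probe@relaytest.example>\r\n'
        sleep 1; printf 'RCPT TO:<nobody@example.net>\r\n'
        sleep 1; printf 'QUIT\r\n'
    } | nc -w 5 "$host" "$port" | relay_verdict
}

# Constructed transcripts (sample data, not captured from a real server):
# a host that refuses relaying and one that accepts it.
SAMPLE_SMTP_REFUSED='220 mail.example.org ESMTP
250 mail.example.org Hello relaytest.example [192.0.2.10]
250 OK
550 relay not permitted
221 mail.example.org closing connection'

SAMPLE_SMTP_RELAYED='220 mail.example.org ESMTP
250 mail.example.org Hello relaytest.example [192.0.2.10]
250 OK
250 Accepted
221 mail.example.org closing connection'

# Stand-alone demo on the constructed transcripts.
printf '%s\n' "$SAMPLE_SMTP_REFUSED" | relay_verdict   # refused
printf '%s\n' "$SAMPLE_SMTP_RELAYED" | relay_verdict   # relayed
```

Run `relay_probe` from a host outside the networks your MTA is allowed to relay for: the MTA normally accepts relaying from the local host and its own networks, so a "relayed" verdict obtained over the loopback interface is expected and proves nothing. A "deferred" verdict (4xx, for example from greylisting) is not a pass; repeat the test later.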
If you want a relay-only setup, however, you can consider changing the mailer daemon to programs that can only be configured to forward the mail to a remote mail server. Debian provides currently both ssmtp and nullmailer for this purpose. In any case, you can evaluate for yourself any of the mail transport agents [37] provided by Debian and see which one suits best to the system’s purposes.
5.6.2. Providing secure access to mailboxes
If you want to give remote access to mailboxes there are a number of POP3 and IMAP daemons available.[38] However, if you provide IMAP access, note that it is a general file access protocol: it can become the equivalent of shell access, because users may be able to retrieve through it any file their account can read.
For example, try configuring your inbox path as {server.com}/etc/passwd. If this works, your IMAP daemon is not correctly configured to prevent this kind of access.
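The same test can be scripted instead of configuring a mail client. The following is an added example, not from the Securing Debian Manual: an IMAP dialogue that logs in, issues `SELECT` on a file system path, and classifies the tagged reply. The user name, password and transcripts embedded in the script are constructed sample data; run the probe against the loopback interface or through an ssh tunnel, since `LOGIN` sends the password in clear (see 5.6.3).

```shell
#!/bin/sh
# Added example (not from the Securing Debian Manual): check whether an IMAP
# server lets a logged-in user open an arbitrary file system path as a
# mailbox, the {server.com}/etc/passwd test described in the text.

IMAP_PROBE_PATH=/etc/passwd

# imap_path_verdict: read the server transcript on stdin and report how the
# tagged SELECT (tag a2) was answered: "open" (OK: the file was opened as a
# mailbox), "denied" (NO or BAD), or "unknown" (no tagged reply seen).
imap_path_verdict() {
    awk '
        { sub(/\r$/, "") }
        $1 == "a2" {
            if ($2 == "OK") v = "open"
            else if ($2 == "NO" || $2 == "BAD") v = "denied"
        }
        END { print (v == "" ? "unknown" : v) }'
}

# imap_path_probe USER PASSWORD [HOST] [PORT]: run the dialogue against a live
# server. Each command is sent after a short pause so that the server has
# answered the previous one.
imap_path_probe() {
    user=${1:?usage: imap_path_probe USER PASSWORD [HOST] [PORT]}
    pass=${2:?usage: imap_path_probe USER PASSWORD [HOST] [PORT]}
    host=${3:-127.0.0.1}; port=${4:-143}
    {
        sleep 1; printf 'a1 LOGIN %s %s\r\n' "$user" "$pass"
        sleep 1; printf 'a2 SELECT %s\r\n' "$IMAP_PROBE_PATH"
        sleep 1; printf 'a3 LOGOUT\r\n'
    } | nc -w 5 "$host" "$port" | imap_path_verdict
}

# Constructed transcripts (sample data, not captured from a real server).
SAMPLE_IMAP_DENIED='* OK IMAP4rev1 service ready
a1 OK LOGIN completed
a2 NO SELECT failed: access to /etc/passwd denied
* BYE logging out
a3 OK LOGOUT completed'

SAMPLE_IMAP_OPEN='* OK IMAP4rev1 service ready
a1 OK LOGIN completed
* 0 EXISTS
* 0 RECENT
a2 OK [READ-ONLY] SELECT completed
* BYE logging out
a3 OK LOGOUT completed'

# Stand-alone demo on the constructed transcripts: prints "denied", then "open".
printf '%s\n' "$SAMPLE_IMAP_DENIED" | imap_path_verdict
printf '%s\n' "$SAMPLE_IMAP_OPEN" | imap_path_verdict
```

An "open" verdict is a definite finding: the daemon opened a file outside the mail store on behalf of the user. A "denied" verdict is weaker evidence, since the server may have refused only because the file does not parse as a mailbox; check the daemon's documentation (or its chroot/namespace settings) before concluding that file access is blocked.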
Of the IMAP servers in Debian, the cyrus server (in the cyrus-imapd package) gets around this by keeping all mailboxes in its own database, in a restricted part of the file system, rather than in files the user can name. Also, uw-imapd (install either uw-imapd or, better, if your IMAP clients support it, uw-imapd-ssl) can be configured to chroot into the user's mail directory, but this is not enabled by default. The documentation provided with the package gives more information on how to configure it.
You might also want to run an IMAP server that does not require valid users to be created on the local system (which would grant them shell access too). courier-imap (for IMAP), courier-pop and teapop (for POP3), and cyrus-imapd (for both POP3 and IMAP) provide servers with authentication methods besides the local user accounts: cyrus can use any authentication method that can be configured through PAM, while teapop can use databases (such as postgresql and mysql) for user authentication.
FIXME: Check: uw-imapd might be configured with user authentication through PAM too.
5.6.3. Receiving mail securely
Reading and receiving mail is the most common use of clear-text protocols. If you use plain POP3 or IMAP to get your mail, your password crosses the network in clear text, so anyone able to sniff that traffic can read your mail from then on. Instead, use SSL (Secure Sockets Layer) to receive your mail. The other alternative is SSH, if you have a shell account on the box that acts as your POP or IMAP server. Here is a basic fetchmailrc to demonstrate this:
- poll my-imap-mailserver.org via "localhost"
- with proto IMAP port 1236
- user "ref" there with password "hackme" is alex here warnings 3600
- folders
- .Mail/debian
- preconnect 'ssh -f -P -C -L 1236:my-imap-mailserver.org:143 -l ref
- my-imap-mailserver.org sleep 15 </dev/null > /dev/null'
The preconnect is the important line. It fires up an ssh session and creates the necessary tunnel, so that connections to localhost port 1236 are forwarded to port 143 of the IMAP mail server, but encrypted; ssh binds the forwarded port on the loopback interface only, so other hosts cannot use the tunnel. Two caveats: the password is stored in the file, so fetchmail refuses to run unless the fetchmailrc is readable by its owner alone (chmod 0600), and the -P option (use a non-privileged source port) belongs to the ssh releases of that time; current OpenSSH no longer accepts it, so drop it when reusing this configuration on a modern host. Another possibility would be to use fetchmail with the SSL feature.
If you want to provide encrypted POP and IMAP services yourself, apt-get install stunnel and start your daemons like this:
- stunnel -p /etc/ssl/certs/stunnel.pem -d pop3s -l /usr/sbin/popd
This command wraps the provided daemon (-l) on the given port (-d) and uses the specified SSL certificate (-p). Note that this is the command-line syntax of stunnel 3; stunnel 4 and later read the same settings from a configuration file instead.
[37] To retrieve the list of mailer daemons available in Debian try:
- $ apt-cache search mail-transport-agent
The list will not include qmail, which is distributed only as source code in the qmail-src package.
[38] A list of servers/daemons which support these protocols in Debian can be retrieved with:
- $ apt-cache search pop3-server
- $ apt-cache search imap-server