Unit 9

Postfix
Objectives

Upon completion of this unit, you should be able to:
  • Understand Postfix design principles and architecture
  • Configure Postfix using postconf
  • Configure basic Postfix security
  • Use Connection filtering and access control
  • Use Content filtering
  • Secure email transmissions using TLS
Vulnerabilities

  • Monolithic design of Sendmail has led to security issues in the past
  • Denial of Service attacks
  • Need to control transmission of “spam”
  • Virus protection
Service Profile: Postfix

  • Type: System V-launched service
  • Packages:postfix
  • Daemons:master and sub-daemons
  • Script:postfix
  • Ports:25/tcp (smtp), 465/tcp (tls)
  • Configuration:/etc/postfix/main.cf, /etc/postfix/master.cf /etc/postfix/*, /etc/aliases
  • Alternatives:sendmail, exim
Postfix Security Principles

  • Exposed programs run at fixed low privilege
  • Separation of processes provides insulation
  • External processes are single-threaded
  • No SUID processes
  • Dynamic memory allocation to prevent buffer overruns
  • Memory objects limited to prevent “wedging” under high load
Postfix Design

  • master daemon controls the processes
    • 21 semi-resident cooperating sub-daemons
    • Runs sub-daemons on demand
  • Processes communicate through UNIX domain sockets or FIFOs
    • Only smtpd and smtp are exposed to the net
/etc/postfix/master.cf

  • The master.cf file configures which Postfix sub-daemons master will run
  • Each line has 8 fields that represent settings for individual services
    • smtp inet n - n - - smtpd
  • The master.cf file only needs to be edited when you want to add sub-daemons or change the configuration of an existing one
Receiving Mail

  • Mail initially arrives in different ways
    • Local mail is posted by sendmail to the maildrop queue, and is received by pickup
    • Mail to port 25/tcp is received by smtpd
  • Both pickup and smtpd pass mail to the cleanup daemon for processing
    • Basic checks, content filtering, header cleanup
    • Puts mail in incoming queue, notifies qmgr
Delivering Mail

  • qmgr moves messages being delivered from the incoming to the active queue
    • Messages that temporarily can not be delivered are moved to the deferred queue
  • Mail may be delivered in different ways
    • local delivers messages to local files
    • smtp sends or relays messages to other hosts
Queues

  • Queues are in /var/spool/postfix
  • Five primary mail queues:
    • incoming (for arriving mail)
    • active (mail being processed for delivery)
    • deferred (temporarily undeliverable mail)
    • corrupt (unreadable/damaged mail)
    • hold (mail kept on hold until taken care of)
Queues

  • Messages placed in the hold queue are held indefinitely and delivery is not attempted
    • Access control or content filtering rules can move messages to hold
    • The postsuper command can release messages from hold
  • Unreadable or damaged messages are placed in the corrupt queue
postconf
  • postconf is the default configuration tool
    • Displays and edits /etc/postfix/main.cf
  • Uses “plain English” configuration directives
  • By default, displays all configuration settings
    • The -n option displays only non-defaults
    • The -d option displays default settings
  • The -e option edits parameters in main.cf:
    • $ postconf -e “myorigin = example.com”
Basic Configuration Review

  • Some parameters should be configured
    • myhostname is the host's fully qualified name
    • myorigin is the domain used on outgoing mail
    • mydestination lists domains for which the host will receive mail
    • inet_interfaces specifies the network interfaces on which Postfix listens for mail
    • mynetworks lists networks for which the host will relay mail
Service Security

  • E-mail to root is forwarded to user postfix
    • Modify /etc/aliases to forward root mail to a system administrator
  • Suppress VRFY information leakage
    • disable_vrfy_command = yes
  • Force clients to start connection with HELO
    • smtpd_helo_required = yes
Postfix Security: DoS

  • Delay messages if delivery rate is slower than arrival rate
    • in_flow_delay
  • Limit local deliveries in parallel to one user
    • local_destination_concurrency_limit
Restricting Relaying

  • Relaying allowed for local subnets by default
    • Exposed if you set inet_interfaces = ethX
    • Default is mynetworks_style = subnet
    • Set mynetworks_style = host
    • Alternatively, set a restrictive mynetworks
  • “Percent hack” relaying allowed by default
    • Set allow_percent_hack = no
/etc/postfix/access

  • Similar to the Sendmail access file
spammer@aol.com
REJECT
spamRus.net
REJECT
10.3
OK
  • May be applied multiple times (main.cf)
    • check_helo_access, check_sender_access, check_client_access, check_recipient_access
DNS Blackhole Lists

  • DNS can be used as a database to store information about sources of “spam”
    • reject_rbl_client sbl-xbl.spamhaus.org
  • DNS lookup using reversed octets of sender IP address, with the domain of the blackhole list appended
  • Can implement locally or use public or subscription-based blackhole services
Procmail and SpamAssassin

  • Postfix does not use Procmail by default
    • mailbox_command = /usr/bin/procmail
  • Procmail may start SpamAssassin
  • An alternative is to have master call spamc for mail received on external interfaces
    • Mail sent from the localhost is not filtered
    • Then spamc can reinject the e-mail into Postfix by calling local sendmail.postfix
Content Filtering

  • Incoming messages can be filtered before receipt is acknowledged
    • header_checks
    • mime_header_checks
    • body_checks
    • body_checks_max_size
Postfix with SASL/TLS

  • Simple Authentication and Security Layer
  • Transport Layer Security
  • Configuring SASL and TLS requires changes to
    • /etc/postfix/main.cf
    • /etc/postfix/master.cf
Configuring SASL/TLS

  • create ssl CA cert and local certificate
  • edit /etc/postfix/main.cf:
    • smtpd_use_tls = yes
    • smtpd_tls_key_file = /etc/postfix/certs/postfix.key
    • smtpd_tls_cert_file = /etc/postfix/certs/postfix.crt
    • smtpd_tls_CAfile = /etc/postfix/certs/my-ca.crt
    • smtpd_tls_loglevel = 1
End of Unit 9

  • Questions and Answers
  • Summary
    • Postfix design principles
    • Service security
    • Relaying and access restrictions
    • Content filtering
    • TLS