I have set up SquirrelMail, using Postfix and Cyrus. However, I would like to know if anyone can recommend some websites that will advise on securing the various elements for webmail like Apache, PHP, Cyrus and Postfix. I would appreciate it if I don't have to trawl through tonnes of information.
Finally, use /usr/share/squirrelmail/config/conf.pl to change the settings in Squirrelmail to use secure IMAP:-
Code:
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Server Settings
General
-------
1. Domain : my.domain
2. Invert Time : false
3. Sendmail or SMTP : Sendmail
IMAP Settings
--------------
4. IMAP Server : localhost
5. IMAP Port : 993
6. Authentication type : login
7. Secure IMAP (TLS) : true
8. Server software : dovecot
9. Delimiter : detect
B. Change Sendmail Config : /usr/sbin/sendmail
H. Hide IMAP Server Settings
R Return to Main Menu
C Turn color off
S Save data
Q Quit
Command >>
I hope that gets you started.
Last edited by blacky_5251; 08-28-2008 at 06:49 PM.
Reason: Added details for /usr/share/squirrelmail/config/conf.pl
I had a really hard time getting MS Outlook (main or Express versions) to talk securely with my email server. Thunderbird works fine using port 25 and TLS - no problems - easy peasy. I use port 465 and SSL for Outlook variants and this is done via the master.cf file (look for smtps and comments in my master.cf file below).
I'm also using postgrey to grey-list new email senders to reduce the amount of SPAM I get. SPAMMERS don't like to be told to wait or try again soon - and often don't. If the email is legitimate, then they will send the email again and postgrey will let it through.
My postfix files are too large to post here, so send me your email address and I'll forward them to you. The master.cf is small enough though, so here it is.
master.cf
Code:
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
# -----------------------------------------------------------------------------------
#submission inet n - n - - smtpd
# -o smtpd_enforce_tls=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# For outlook express (Ian 12/05/08)
smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_security_options=noanonymous
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
  -o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix - n n - - pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus unix - n n - - pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
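Added example (not part of the original post, and not the poster's or Postfix's own code): a small Python audit of master.cf that joins continuation lines the way master(5) describes and reports which inet smtpd listeners force TLS or enable SASL through their own `-o` overrides. The sample entries are constructed from the smtp and smtps lines above; the function names are hypothetical, only the plain `-o name=value` form is handled, and anything set in main.cf is out of scope.

```python
# Constructed sample mirroring the smtp and smtps entries posted above.
SAMPLE = """\
smtp   inet  n  -  n  -   -  smtpd
smtps  inet  n  -  n  -   -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_security_options=noanonymous
#  -o smtpd_sasl_auth_enable=yes
pickup fifo  n  -  n  60  1  pickup
"""

def logical_lines(text):
    """Join master.cf continuation lines (lines that start with whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # comments and blank lines are skipped, even mid-entry
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def smtpd_overrides(text):
    """Return {service: {param: value}} for each inet listener running smtpd."""
    services = {}
    for fields in map(str.split, logical_lines(text)):
        # name type private unpriv chroot wakeup maxproc command [args...]
        if len(fields) < 8 or fields[1] != "inet" or fields[7] != "smtpd":
            continue
        args = fields[8:]
        services[fields[0]] = dict(
            args[i + 1].split("=", 1) for i, tok in enumerate(args[:-1])
            if tok == "-o" and "=" in args[i + 1])
    return services

def audit(text):
    """List, per listener, the hardening overrides its entry does not set."""
    findings = {}
    for name, o in smtpd_overrides(text).items():
        forced_tls = (o.get("smtpd_tls_wrappermode") == "yes"
                      or o.get("smtpd_enforce_tls") == "yes"
                      or o.get("smtpd_tls_security_level") == "encrypt")
        notes = [] if forced_tls else ["TLS not forced by this entry"]
        if o.get("smtpd_sasl_auth_enable") != "yes":
            notes.append("SASL auth not enabled by this entry")
        if "smtpd_client_restrictions" not in o:
            notes.append("no per-service client restrictions")
        findings[name] = notes
    return findings
```

`audit(SAMPLE)` returns an empty TLS finding for smtps but still notes that SASL and client restrictions are not set on that entry, so those have to be confirmed in main.cf. If the leading whitespace on the `-o` lines is lost, the overrides no longer attach to smtps and the TLS finding appears.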
I think I am getting a bit confused. Basically I have now changed the config.pl settings. I have gone back to SMTP on port 25 and IMAP on 143. Sending mail works fine.
Also, as this is SquirrelMail, how does this impact application clients? For me both Outlook and Thunderbird have worked fine with TLS. It is the web-based mail that I am trying to secure in the best manner.
I have set up HTTPS over port 143... I checked the traffic and it is encrypted. Postfix does present TLS. I suppose I am a bit confused as to the role of the config.pl settings for TLS. Why does one need to define this if one has an HTTPS channel established and Postfix or Dovecot are presenting TLS? Why bother setting the 993 port in the config.pl if the HTTPS channel is up?
True, using HTTPS and TLS is a duplication, but I've disabled port 143 so I only have access to 993 so have to use TLS with Squirrelmail. If you want fully secure email using clients such as Thunderbird and Outlook, you can't rely solely on HTTPS (which is enough if you're only using Squirrelmail).
At the moment I have some PDAs that are using IMAP, so port 143 is open. I don't let them relay out using my mail server as the IP range is dynamic.
For application clients I am pushing to use IMAPS and TLS; relay out is again limited to a defined IP range.
For web-based mail I will probably stick to HTTPS (which I also want to lock down to a defined IP address range; I need to investigate this).