Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Module 5 Securing SCOoffice Server. 2 3 Outlook 21 * 25 80/443* 110/995 143/993 389/636 * Not used by Outlook Express External Firewall Configuration.

Published byDennis Kelly Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Module 5 Securing SCOoffice Server. 2 3 Outlook 21 * 25 80/443* 110/995 143/993 389/636 * Not used by Outlook Express External Firewall Configuration."— Presentation transcript:

1 1 Module 5 Securing SCOoffice Server

2 2

3 3 Outlook 21 * 25 80/443* 110/995 143/993 389/636 * Not used by Outlook Express External Firewall Configuration Internet SCOoffice Server SMTP Server 25 WebClient 80/443 Firewall

4 4 Internal Firewall Configuration SCOoffice Server Firewall 3268 Active Directory Server

5 5 Internal Firewall Configuration SCOoffice (master) SCOoffice (slave) Firewall 25 389/636 143/993 2003

6 6 Remote Office Firewall Configuration SCOoffice (master) SCOoffice (slave) Firewall 25 389/636 143/993 2003 Internet SCOoffice (slave)

7 7 SCO OpenServer’s HTTP Servers  SCO OpenServer runs HTTP servers on ports:  80 – SCOoffice Server’s HTTP server  443 – SCOoffice Server’s HTTPS server  615 – Internet Configuration Manager  8457 – DocView: Access to SCO OpenServer documentation

8 8 Other SCOoffice Server Related Ports  SCOoffice Server runs daemons on ports:  21 – ProFTP  25 – SMTP  110 – POP3  143 – IMAP  389 – OpenLDAP  993 – IMAP4 over TLS/SSL  995 – POP3 over TLS/SSL  2000 –Cyrusmaster (sieve)  2003 –Cyrusmaster (LMTP)  2583 – MON  4840 – SASLAUTHD  4844 – SASLAUTHD  10024 – AMaViS

9 9 Disallowing Open Relay  Don’t let server be used as an open relay  Numerous ways to prevent open relay  We will configure SASLAUTHD + TLS # telnet rose.example.net smtp 220 rose.example.net ESMTP Postfix (2.0.20) HELO nuisance.spammer.net 250 rose.example.net MAIL FROM: nice_guy@example.net 250 Ok RCPT TO: victim@example.com 250 Ok...

10 10 Disallowing Open Relay  Useful for blocking unwanted SMTP sessions:  smtpd_client_restrictions  smtpd_sender_restrictions  smtpd_recipient_restrictions Stored in LDAP

11 11 Disallowing Open Relay LOGIN authentication mechanism Base64 encoded usernamebob Base64 encoded passwordbpasswd PLAIN authentication mechanism Base64 encoded: user+NULL+user+NULL+password bob\0\bob\0bpasswd Simple Authentication and Security Layer (SASL)

12 12 Disallowing Open Relay smtpd saslauthd slapd …/etc/saslauthd.conf ldap_servers: ldap://127.0.0.1/ ldap_filter: login=%u …/lib/sasl2/smtpd.conf pwcheck_method: saslauthd mech_list: plain login imapd/pop3d …/etc/imapd.conf sasl_pwcheck_method: saslauthd cyrusmaster …/etc/cyrus.conf imapcmd=“imapd –p 2 … pop3cmd=“pop3d” … … SASL AUTHENTICATION

13 13 Disallowing Open Relay  SASL Configuration on the Server smtpd_sasl_auth_enable = yes smtpd_sender_restrictions = check_sender_access ldap:ldapSenderAccess, permit_sasl_authenticated smtpd_recipient_restrictions = check_recipient_access ldap:ldapRecipientAccess, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination broken_sasl_auth_clients = yes smtpd_sasl_security_options = noanonymous smtpd_delay_reject = yes

14 14 Disallowing Open Relay  SASL Configuration on the Client smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/opt/insight/etc/postfix/sasl_passwd smtp_sasl_security_options = noanonymous

15 15 Disallowing Open Relay  Create /opt/insight/etc/postfix/sasl_passwd:  Run postmap(1) after creating (or modifying) file example.netalice:apasswd example.orgbob:bpasswd

16 16 Disallowing Open Relay  TLS v1 is based on SSL v3  Encrypt SMTP traffic using TLS  X.509 certificates

17 17 Disallowing Open Relay  TLS Configuration on the Server smtpd_tls_cert_file = /opt/insight/etc/ssl/server.pem smtpd_tls_key_file = /opt/insight/etc/ssl/server.pem smtpd_tls_CAfile = /opt/insight/etc/ssl/server.pem smtpd_use_tls = yes

18 18 Disallowing Open Relay  TLS Configuration on the Client smtp_tls_cert_file = /opt/insight/etc/ssl/server.pem smtp_tls_key_file = /opt/insight/etc/ssl/server.pem smtp_tls_CAfile = /opt/insight/etc/ssl/server.pem smtp_use_tls = yes

19 19 Disallowing Open Relay  Using a Certificate Authority’s Certificate smtp_tls_CApath = /opt/insight/etc/ssl/ca_cert.pem smtpd_tls_CApath = /opt/insight/etc/ssl/ca_cert.pem

20 20 Disallowing Open Relay  To test to see if a mail server is an open relay:  Log into the mail server  telnet rt.njabl.org 2500

21 21 Exercise: Tracing TLS and SASL TLS + SASL Authentication: SASL Authentication Only:

22 22 Other Restrictions  Other useful restrictions:  smtpd_client_restrictions  smtpd_helo_restrictions  smtpd_sender_restrictions  See www.postfix.org/uce.html

23 23 Using smtpd_client_restrictions  In main.cf:  In /opt/insight/etc/postfix/smtp_clients: smtpd_client_restrictions = check_client_access hash:/opt/insight/etc/postfix/smtp_clients, permit 192.168.1.1OK 192.168.1.2PERMIT 192.168.1.3REJECT 192.168.1.123REJECT 192.168.1.0/24OK example.netOK paper.example.orgDUNNO example.orgREJECT

24 24 Using smtpd_helo_restrictions  check_helo_access  reject_invalid_hostname  reject_non_fqdn_hostname  reject_unknown hostname  In main.cf:  In /opt/insight/etc/postfix/helo: smtpd_helo_restrictions = reject_invalid_hostname, check_helo_access hash:/opt/insight/etc/postfix/helo example.orgOK example.netREJECT

25 25 Using smtpd_sender_restrictions  check_sender_access  reject_unknown_sender_domain

26 26 Creating a Chroot Jail  A chroot jail adds a layer of protection  Limits daemon(s) to /opt/insight/var/spool/postfix  Set the fifth field in master.cf to ‘y’

Download ppt "1 Module 5 Securing SCOoffice Server. 2 3 Outlook 21 * 25 80/443* 110/995 143/993 389/636 * Not used by Outlook Express External Firewall Configuration."

Similar presentations

Securing Email Bruce Maggs. Separate Suites of Protocols Protocols for retrieving email: POP, IMAP, MAPI (Microsoft Exchange) Protocols for sending email:

Securing Bruce Maggs. Separate Suites of Protocols Protocols for retrieving POP, IMAP, MAPI (Microsoft Exchange) Protocols for sending
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
1 SCOoffice 4.1 For OpenServer 5.0.7. 2 Pre-installation Handout.

1 SCOoffice 4.1 For OpenServer Pre-installation Handout.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Handling Spam in Postfix. Computer Center, CS, NCTU 2 Nature of Spam  Spam UBE – Unsolicited Bulk Email UCE – Unsolicited Commercial Email  Spam There.

Handling Spam in Postfix. Computer Center, CS, NCTU 2 Nature of Spam  Spam UBE – Unsolicited Bulk UCE – Unsolicited Commercial  Spam There.
Information Networking Security and Assurance Lab National Chung Cheng University Guidelines on Electronic Mail Security

Information Networking Security and Assurance Lab National Chung Cheng University Guidelines on Electronic Mail Security
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
1 Integrating ISA Server and Exchange Server. 2 How email works.

1 Integrating ISA Server and Exchange Server. 2 How works.
2440: 141 Web Site Administration Email Services Instructor: Enoch E. Damson.

2440: 141 Web Site Administration Services Instructor: Enoch E. Damson.
Introduction 1 Lecture 7 Application Layer (FTP, e-mail) slides are modified from J. Kurose & K. Ross University of Nevada – Reno Computer Science & Engineering.

Introduction 1 Lecture 7 Application Layer (FTP, ) slides are modified from J. Kurose & K. Ross University of Nevada – Reno Computer Science & Engineering.
SSL From Your Smartphone Support for Android Smartphones www.sharetech.com.twwww.sharetech.com.tw / www.higuard.comwww.higuard.com.

SSL From Your Smartphone Support for Android Smartphones /
Design and Management of Service

Design and Management of Service
Securing Exchange Server 2003. Session Goals: Introduce you to the concepts and mechanisms for securing Exchange 2003. Examine the techniques and tools.

Securing Exchange Server Session Goals: Introduce you to the concepts and mechanisms for securing Exchange Examine the techniques and tools.
Managing Client Access

Managing Client Access
Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.

Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.
Securing Your GroupWise ® System Morris Blackham Software Engineer Novell, Inc. Danita Zanrè Senior Consultant Caledonia.

Securing Your GroupWise ® System Morris Blackham Software Engineer Novell, Inc. Danita Zanrè Senior Consultant Caledonia.
Implementing POP3 and IMAP4 Using Dovecot

Implementing POP3 and IMAP4 Using Dovecot
1 SCOoffice Server 4.1 Administration Brian Watrous President & CEO ATCS, Inc.

1 SCOoffice Server 4.1 Administration Brian Watrous President & CEO ATCS, Inc.
11 SECURING INTERNET MESSAGING Chapter 9. Chapter 9: SECURING INTERNET MESSAGING2 CHAPTER OBJECTIVES  Explain basic concepts of Internet messaging. 

11 SECURING INTERNET MESSAGING Chapter 9. Chapter 9: SECURING INTERNET MESSAGING2 CHAPTER OBJECTIVES  Explain basic concepts of Internet messaging. 
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Similar presentations

Ads by Google