Full Installation Guide - Security

From Qmail-LDAP Wiki

Jump to: navigation, search

Up

Introduction

Besides setting a firewall and have good and patched installation, you can make two things to increase security: use SMTP AUTH and TLS. The first will let you close relay to anyone but users with a valid account. This will reduce risk of your server been used by a spammer or spyware and you wont need pop-before-smtp anymore. The second option(TLS) will cipher all SMTP traffic, reducing the risk that your port 25 traffic be sniffed. Next we explain how to setup this two features.

SMTP AUTH

SMTP-AUTH permits relay to users with dynamic IP´s which are not in tcp.cdb file. To enable it, you must edit /service/smtpd/run and replace the line: 

/var/qmail/bin/qmail-smtpd

with this: 

/var/qmail/bin/qmail-smtpd /var/qmail/bin/auth_smtp /usr/bin/true


Additionaly you must define the SMTPAUTH variable for those classes which will use it. Just add the string 'SMTPAUTH=”AUTHREQUIRED”' to the required classes in /service/smtpd/tcp and thats all. Example: 

127.:allow,RELAYCLIENT=””
192.168.1.:allow,RELAYCLIENT=””,SMTPAUTH=”"AUTHREQUIRED”"
:allow,SMTPAUTH=”"AUTHREQUIRED”"

This will enable SMTP AUTH to everyone(:) and 192.168.1.X (192.168.1.:). Only the localhost(127.) wont be granted SMTP AUTH.

To enable it just type make in tcp file directory: 

cd /service/smtpd
make


TLS

It is possible to cipher all SMTP traffic with TLS(Transport Layer Security) protocol. For this, you must have compiled qmail-ldap with TLS support and generate proper certificates. To do it, chage to qmail-ldap source code directory and type make cert 

cd /usr/local/src/qmail-1.03
make cert

When you execute make cert you'll be asked for basic data and a new autosigned certificate will be created in /var/qmail/control/cert.pem, which will be sent to the users through STARTTLS encryption.


Now tell qmail-ldap where can it find the cerfiticate: 

echo “/var/qmail/control/cert.pem”>/var/qmail/control/smtpcert


And to enable it, restart smtpd: 

svc -t /service/smtpd


You can even force all SMTP transactions to be encrypted, but be careful because this can cause problems if you dont know what you are doing. If you are sure that you need it, do: 

echo “TLSREQUIRED”>/service/smtpd/env/SMTPAUTH

If in doubt, dont do it.

Retrieved from "http://www.qmail-ldap.org/wiki/index.php/Full_Installation_Guide_-_Security"
Personal tools