SendmailIt is an old mail server, but it still has various problems. The biggest problem is security. As the Sendmail mail server occupies a large market share, it is especially important to improve the security of Sendmail.
This article discusses the security of Sendmail from the certificate, Starttls, and Sasl technologies. First, the related terms are explained as follows (only the terms are from the Internet, so please respect copyright ).
STARTTLS is an extension of a plain-text communication protocol. It upgrades a plain-text connection to an encrypted one (TLS or SSL) instead of using a separate port for encrypted communication. RFC 2595 defines STARTTLS for IMAP and POP3, RFC 3207 defines it for SMTP, and RFC 4642 defines it for NNTP. TLS is a protocol independent of the application layer; higher-level protocols can run transparently on top of it. However, the TLS standard does not specify how applications add security with TLS: it leaves the decisions of how to initiate the TLS handshake and how to interpret the exchanged authentication certificates to the designers and implementers of the protocols that run over TLS.
SASL (Simple Authentication and Security Layer) is a mechanism for extending the authentication capability of client/server protocols. In Postfix, SASL can be used to decide whether a user is allowed to use the relay service, or to identify who is using your server. SASL provides a common way to add authentication support to connection-based protocols, and XMPP uses a dedicated XML namespace to carry SASL exchanges.
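As an added example (not code from the original article), the following Python script parses SMTP EHLO replies and reports the STARTTLS/SASL posture the two definitions above describe: whether STARTTLS is offered, whether cleartext SASL mechanisms are advertised before TLS, and whether AUTH appears once the EHLO is re-issued inside the TLS session. The replies are constructed samples; the hostname and address reuse the lab's bj.com and 192.168.10 values.

```python
"""STARTTLS / SASL posture check from SMTP EHLO replies (added example, not
from the original article; replies are constructed, hostname/address from
the lab's bj.com / 192.168.10 values)."""
import re

# EHLO reply on the cleartext connection: STARTTLS offered, no AUTH yet.
PLAINTEXT_EHLO = """250-ns.bj.com Hello [192.168.10.20], pleased to meet you
250-ENHANCEDSTATUSCODES
250-STARTTLS
250 HELP"""
# Reply to the EHLO re-issued inside the TLS session (RFC 3207): AUTH appears.
TLS_EHLO = """250-ns.bj.com Hello [192.168.10.20], pleased to meet you
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN PLAIN
250 HELP"""
# Weak server: no STARTTLS, cleartext SASL mechanisms on the open wire.
WEAK_EHLO = """250-ns.bj.com Hello [192.168.10.20], pleased to meet you
250-AUTH LOGIN PLAIN
250 HELP"""
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # password travels (nearly) as-is

def parse_ehlo(reply):
    """Return {EXTENSION: [params]} from a multi-line 250 EHLO reply."""
    exts = {}
    for i, line in enumerate(reply.splitlines()):
        m = re.match(r"250[ -](.*)$", line)
        if m is None:
            raise ValueError("not an EHLO 250 line: %r" % line)
        if i == 0:
            continue  # first line is the greeting, not an extension
        parts = m.group(1).split()
        exts[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return exts

def assess(before_tls, after_tls=None):
    """List findings; after_tls is the EHLO reply seen inside the TLS session."""
    pre = parse_ehlo(before_tls)
    findings = []
    if "STARTTLS" not in pre:
        findings.append("no STARTTLS: session, including AUTH, stays cleartext")
    exposed = CLEARTEXT_MECHS & set(pre.get("AUTH", []))
    if exposed:
        findings.append("cleartext SASL mechanisms offered before TLS: "
                        + ", ".join(sorted(exposed)))
    if after_tls is not None and "AUTH" not in parse_ehlo(after_tls):
        findings.append("no AUTH inside TLS: SASL not enabled on the server")
    return findings
```

An empty findings list is the posture the rest of this article works towards: STARTTLS on the cleartext connection, and SASL mechanisms only once the session is encrypted.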
Next, I will walk through a hands-on experiment, with screenshots as evidence, to discuss how Sendmail security is applied in an enterprise. (Due to space limitations, this article has to be split into two parts. We apologize for any inconvenience. Thank you.)
Lab environment: an enterprise plans to build its mail server on Sendmail. To protect the mail system as thoroughly as possible, certificates, SASL and related technologies are required.
Tutorial topology:
Lab device:
DNS & MAIL Server: Linux 5.4 (kernel 2.6.18-164.el5)
Tutorial steps:
I. Configure Sendmail
1. Install the Sendmail components
[root@ns ~]# yum list | grep -E "sendmail"
This system is not registered with RHN.
RHN support will be disabled.
sendmail.i386 8.13.8-2.el5 installed
sendmail-cf.i386 8.13.8-2.el5 rhel-Server
sendmail-devel.i386 8.13.8-2.el5 rhel-Server
sendmail-doc.i386 8.13.8-2.el5 rhel-Server
[root@ns ~]# yum install -y sendmail-cf.i386
[root@ns ~]# rpm -qa | grep -E "sendmail|m4"
m4-1.4.5-3.el5.1
sendmail-cf-8.13.8-2.el5
sendmail-8.13.8-2.el5
2. Modify the Sendmail configuration files
[root@ns mail]# pwd
/etc/mail
[root@ns mail]# vim sendmail.mc
[root@ns mail]# vim access
[root@ns mail]# vim local-host-names
[root@ns mail]# service sendmail start
Starting sendmail:
[root@ns mail]# service sendmail restart
Shutting down sm-client: [ OK ]
Shutting down sendmail: [ OK ]
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]
[root@ns mail]#
3. Test
Add a user:
[root@ns ~]# useradd user1
[root@ns ~]# echo "123" | passwd --stdin user1
Changing password for user user1.
passwd: all authentication tokens updated successfully.
[root@ns mail]# telnet 127.0.0.1 25
II. Configure DNS
1. Install the BIND components
[root@ns Server]# pwd
/mnt/cdrom/Server
[root@ns Server]# rpm -ivh bind-9.3.6-4.P1.el5.i386.rpm
[root@ns Server]# rpm -ivh bind-chroot-9.3.6-4.P1.el5.i386.rpm
[root@ns Server]# rpm -ivh caching-nameserver-9.3.6-4.P1.el5.i386.rpm
2. Modify the BIND (named) configuration files
[root@ns etc]# pwd
/var/named/chroot/etc
[root@ns etc]# cp -p named.caching-nameserver.conf named.conf
[root@ns etc]# vim named.conf
[root@ns etc]# pwd
/var/named/chroot/etc
[root@ns etc]# vim named.rfc1912.zones
[root@ns etc]# cd /var/named/chroot/var/named/
[root@ns named]# cp localhost.zone bj.com.db
[root@ns named]# vim bj.com.db
[root@ns named]# pwd
/var/named/chroot/var/named
[root@ns named]# cp -p named.local 192.168.10.db
[root@ns named]# vim 192.168.10.db
3. Restart the service
[root@ns named]# rndc reload
server reload successful
[root@ns named]# service named start
Starting named: [ OK ]
[root@ns named]#
[root@ns named]# chkconfig named on
[root@ns named]# chkconfig --list | grep named
named 0:off 1:off 2:on 3:on 4:on 5:on 6:off
III. Modify the host information
1. Modify the nameserver
[root@ns named]# vim /etc/resolv.conf
2. Modify the hostname
[root@ns named]# hostname
ns.bj.com
[root@ns named]# vim /etc/sysconfig/network
3. Modify the hosts file
[root@ns named]# vim /etc/hosts
4. Restart
[root@ns named]# init 6
IV. Configure Dovecot
1. Install the Dovecot components
[root@mail ~]# yum list all | grep dov
This system is not registered with RHN.
RHN support will be disabled.
dovecot.i386 1.0.7-7.el5 rhel-Server
[root@mail ~]# yum install dovecot.i386 -y
2. Modify the Dovecot configuration file
[root@mail ~]# service dovecot start
Starting Dovecot Imap: [ OK ]
[root@mail ~]# chkconfig dovecot on
[root@mail ~]# chkconfig --list | grep dovecot
dovecot 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@mail ~]# netstat -tupln | grep dovecot
tcp 0 0 :::993 :::* LISTEN 3179/dovecot
tcp 0 0 :::995 :::* LISTEN 3179/dovecot
tcp 0 0 :::110 :::* LISTEN 3179/dovecot
tcp 0 0 :::143 :::* LISTEN 3179/dovecot
[root@mail ~]#
[root@mail ~]# grep 993 /etc/services
imaps 993/tcp # IMAP over SSL
imaps 993/udp # IMAP over SSL
[root@mail ~]# grep 995 /etc/services
pop3s 995/tcp # POP-3 over SSL
pop3s 995/udp # POP-3 over SSL
[root@mail ~]# service dovecot restart
Stopping Dovecot Imap: [ OK ]
Starting Dovecot Imap: [ OK ]
[root@mail ~]# netstat -tupln | grep dovecot
tcp 0 0 :::110 :::* LISTEN 3294/dovecot
tcp 0 0 :::143 :::* LISTEN 3294/dovecot
[root@mail ~]# vim /etc/dovecot.conf
(Due to space limitations, this article has to be split into two parts. We apologize for any inconvenience. Part 2 continues with the certificate, STARTTLS and SASL configuration of the deployed Sendmail service.)
BLOG by PheonixKing