Email server security solution

As a free email server software, Sendmail has been widely used on servers of various Internet operating systems. Such as Solaris, HPUX, AIX, IRIX, and Linux. With the popularization of Internet connections, the chances of email servers being attacked are also greatly increased. Currently, email servers on the Internet are under two types of attacks: Relay (Relay), that is, remote machines send messages through your server, in this way, anyone can use your server to send emails to any address. Over time, your machine will not only become a helper for sending spam emails, but also increase international network traffic, at the same time, it may be rejected by many email servers on the Internet. Another type of attack is Spam, which is often referred to as a mail bomb. It means that the server may receive a large number of useless emails in a short time, as a result, the mail server is overwhelmed and paralyzed. Both attacks may make the email server unable to work normally. Therefore, as a campus network email server, preventing email attacks is indispensable.

Currently, there are two methods to prevent email attacks on the sendmail server. One is to upgrade the server software of a higher version and use the security functions of the software. The second approach is to use third-party software to implement dynamic relay verification control. The following uses sendmail V8.9.3 as an example to describe these methods.

1. Security Features of the server

(1) security considerations when compiling sendmail

To use sendmail 8.9.3 to Prevent email attacks, you must set relevant parameters during system compilation and use related software packages. At present, we mainly use the Berkeley DB database function. the Berkeley DB package can be downloaded from the relevant site and needs to be compiled in advance. Then, write the relevant parameters of Berkeley DB into the relevant file of sendmail.

A. Modify the site. config. m4 file.

Add the library file paths of the compiled Berkeley DB to the site. config. m4 file so that the sendmail database can be used after compilation. For example:

# Cd$/sendmail-8.9.3/BuidTools/Site Modify the site. config. m4 File Define (confINCDIRS,-I/usr/local/BerkeleyDB/include) Define (confLIBDIRS, L/usr/local/BerkeleyDB/lib) B. Modify the sendmail. mc file. Sendmail. mc is one of the template files that generate sendmail. cf, To enable sendmail to defend against mail attacks, you must also define the file. It mainly includes the following items: ...... FEATURE (relay_entire_domain) FEATURE (ACCESS_DB) dn1 FEATURE (blacklist_recipients) ......

(2) configuration of Related Files

Correctly compiling sendmail is the basis for the security control of the mail server, and the real security settings are mainly implemented using relevant files. The files containing control statements mainly include access and relay-domains.

Access is the main database file for email security control. In this file, you can write the domain name, IP address, or target email address you want to control and the corresponding action value in a specific format, then use the makmap command to generate access. db file (# makemap hash access. db <access), allowing the server to allow or block email relay and mail bombing. The access format is as follows:

spam.com REJECT edu.cn OK hotmail.com DISCARD

Here, the reject action is to reject emails sent from a specified address; OK is to allow users of a specific address to access at will; relay allows transshipment emails through this email server; discard is used to send the received email to a specific command for processing. For example, you can set to discard the received email, or set to return an error message to the user after receiving the email.

The Relay-domains file specifies the domains that the server can Relay. The format of the Relay-domains file occupies one row for each domain. For example:

...... CN EDU JP ......

We recommend that you add all top-level domain names when the server starts to use, and then modify them based on security requirements. Otherwise, a relay reject error occurs when a pop3 USER sends an email, however, you cannot send an email to the target email address of the domain name you have not added.

3) modify the version number

For an email server, you can use the remote port 25 telnet command to obtain the version information of the server. For example, "telnet sendmail server host 25" can view the current version of sendmail. To prevent malicious version viewing operations, sendmail allows you to modify the displayed version.

In sendmail. the cf file contains a "SmtpGreetingMessage = $ j sendmail $ V/$ Z; $ B" statement, where $ V/$ Z is the version information, normally, the version information displayed by this parameter is the version of sendmail itself. If you want to set the version information given by the Administrator, you only need to modify the parameter and add the desired information. For example, if you change this sentence to "SmtpGreeting Message = $ j sendmail 0.0/0.0; $ B" and restart the sendmail service, the version of sendmail will change to "sendmail 0.0 ". So as to achieve the purpose of hiding version information.

The above are the security settings provided by sendmail 8.9.3. These security settings can greatly enhance the server security performance. However, when setting email relay and email bomb prevention, how can we determine which target addresses need to block relay and which are permitted for relay, it seems that the log file can only be determined after the Administrator analyzes and observes the log file, or after a security problem is discovered. Therefore, this security control is only post-event control, and the server must be restarted after the relevant files are modified. Other methods are required to implement advance dynamic security control.

2. dynamic relay verification control

DRAC (Dynamic Relay Authorization Control) Dynamic Relay verification Control is a server-side software (http://mail.cc.umanitoba.ca/drac/index.html) specifically designed for mail servers that can be installed on an SMTP server, it also provides dynamic relay verification services for multiple email servers. DRAC allows valid pop3 or IMAP users to use the email server by Automatically Obtaining and dynamically updating information in the relay verification database, thus effectively controlling mail bombs and illegal email relay. The principle of DRAC is to use the Inherent functions of pop3 or imap server to obtain information such as the user name, password, and Client IP address, and map the information to the verification database for the smtp server to call, at the same time, after a period of time (the default value is 30 sub-categories), the verification information will automatically expire and you need to re-enter the verification information. This not only ensures that valid pop3 or imap users can use the mail server normally, but also prevents any non-registered users (including local users) from sending emails using the mail server. This mail security control is often called pop-before-SMTP (POP-validation before mail service ).

(1) DRAC Compilation

Before compiling DRAC, the sendmail server of the system should have been correctly compiled and installed. First, edit the Makefile in the DRAC source program directory and change the Makefile in the Solaris 2.x operating system:

INSTALL =/usr/ucb/install EBIN =/usr/local/sbin MAN =/usr/local/man DEFS =-DTI_RPC-DFCNTL_LOCK-DSYSINFO CC = (compiler) RANLIB =: CFLAGS = $ (DFES)-g-I/path/to/db/include LDLIBS =-L/path/to/db/library-lns1-1db TSTLIBS =-L.-ldrac-lns1 MANLIB = 3 MANADM = 1 m

Then compile and install it.

If multiple pop/IMAP servers exist, you also need to add the IP addresses of these servers to the file/etc/mail/dracd. in allow, the file format is the same as that in/var/yp/securenets. For example:

255.255.255.255 202.139.244.23

255.255.255.255 127.0.0.1

(2) modify the sendmail. mc file to regenerate sendmail. cf

Before using the DRAC verification function, add the DRAC verification information to the sendmail. cf file. First, modify the sendmail. mc file and then regenerate sendmail. cf. Modify the statements in the sendmail. mc file as follows:

Add it under the LOCAL_CONFIG line Kdrac btree/etc/mail/dracd Add under LOCAL_RULESETS Slocal_check_rcpt R$ * $: $ & {client_addr} R$ + $: $ (drac $1 $ :? $) R? $ @? R$ + $ @ $ # OK

After the sendmail. cf file is regenerated, restart the sendmail process.