Friday, April 28, 2006

Linux Enterprise Mail Server Security Guides - Chapter 2

Now, before doing anything else, we will explain how the different pieces of software work together to provide the required functionality.

First, you should know that we will be using these software (listed in the order an incoming email from internet would follow):

1) Mail Avenger (incoming) - Listening on port 25 on the public interface. RBLs are checked at this stage.
2) Mail gets processed through Avenger scripts that will scan for virus, spam, etc.
3) internal Courier-MTA - Standard delivery (aliases, etc).

As you can see, the incoming chain is quite simple. The complexity sits in item 2, where we will develop some scripts that use the ClamAV antivirus, SpamAssassin and some home-made FROM/TO ACL tests to tell Avenger whether the mail may be accepted into stage 3.

Now, for outgoing mail, the chain is a bit longer:

1) MUA
2) Internal Courier-MTA
3) Outgoing Mail-Avenger
4) nbSMTP using an external MTA as Smarthost
5) the internet!

You can read that as: "The user sends an eMail using his email client, configured to use Courier-MTA as its SMTP server. Courier itself is configured to route non-local eMail to a Smarthost, which is the Outgoing Mail-Avenger. The Avenger clamscans, spamassassins and ACL-checks the eMail and, if it is accepted, forwards it to the nullbrainer's SMTP client, which in turn forwards the eMail to an outside MTA that will send the email out to the Internet".

Some people have asked me if this ACL/Virus/Spam content filtering could be implemented in Courier-MTA by using Courier Filters. The answer is "YES". BUT, my idea is to show that Courier-MTA could be removed from the chain and replaced with, let's say, an M$ Exchange server. This way, you get a very nice group of software that can be plugged into lots of different configurations, protecting your internal eMail server from the Internet and successfully splitting the MTA into two stages: Border and Internal.
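As an added illustration (not code from this post or from the Mail Avenger project), here is one way the home-made FROM/TO ACL test of stage 2 could be written as a POSIX shell function, applying the Border/Internal split described above. The calling interface (direction, sender and recipient as arguments; exit 0 = accept, 1 = reject) and the sample policy lists are assumptions, since the actual Avenger script hooks are left for a later chapter.

```shell
#!/bin/sh
# Added example, not from the original post or from Mail Avenger.
# FROM/TO ACL decision for the stage-2 Avenger scripts. Interface is an
# assumption: acl_check DIRECTION SENDER RECIPIENT, exit 0 = accept,
# exit 1 = reject, with the reason printed on stdout.
set -f   # keep the '*' in policy patterns from matching file names

# Constructed sample policy (would normally live in config files).
LOCAL_DOMAINS="example.com example.org"               # domains we host
BLOCKED_SENDERS="spammer@bad.example *@junk.example"  # deny list
ALLOWED_OUT_SENDERS="*@example.com *@example.org"     # may relay outward

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
domain_of() { printf '%s' "${1##*@}"; }

# in_list VALUE PATTERNS: 0 if VALUE matches any shell glob in PATTERNS
in_list() {
    value=$1; shift
    for pat in $*; do
        case "$value" in
            $pat) return 0 ;;
        esac
    done
    return 1
}

acl_check() {
    dir=$1; from=$(lower "$2"); to=$(lower "$3")
    # Rule 1: denied senders are refused in both directions.
    if in_list "$from" "$BLOCKED_SENDERS"; then
        echo "reject: sender $from is on the deny list"; return 1
    fi
    case "$dir" in
    in)
        # Rule 2: the border MTA only accepts mail for hosted domains,
        # so it never becomes an open relay.
        if ! in_list "$(domain_of "$to")" "$LOCAL_DOMAINS"; then
            echo "reject: relaying to $to is not allowed"; return 1
        fi ;;
    out)
        # Rule 3: only our own users may send mail out through the
        # outgoing Avenger to the smarthost.
        if ! in_list "$from" "$ALLOWED_OUT_SENDERS"; then
            echo "reject: $from may not send outbound mail"; return 1
        fi ;;
    *)
        echo "reject: unknown direction '$dir'"; return 1 ;;
    esac
    echo "accept: $from -> $to ($dir)"; return 0
}
```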

Think about this, and we will continue next week.

Yours,
Buanzo


posted by Arturo 'Buanzo' Busleiman @ 5:51 AM  

Wednesday, April 19, 2006

Encrypted VPN based mail system

Hi!

I know I have not updated the Secure Linux eMail Server guides yet, but I've been awfully busy.

I'm writing an internet draft regarding an identity-authentication extension to HTTP, I've been invited to a hacker's conference in Colombia, and my work has overwhelmed me. End of the month is the worst time :)

So, I wanted to let you know about an idea I had. You can read about it by clicking here. If you think you can contribute money, hardware, bandwidth, software, ideas, or whatever, just drop me a line.

I think this can be of great use to developers, researchers, etc.

Additionally, here you have the link to the latest release of the Information Systems Security Assessment Framework, by the OISSG. This is version 0.2, and I've also contributed a few paragraphs to it.

Sincerely,
Arturo 'Buanzo' Busleiman

posted by Arturo 'Buanzo' Busleiman @ 9:22 AM  

Monday, April 03, 2006

Linux Enterprise Mail Server Security Guides - Chapter 1

Hi!

Yes, I took my time to get back to the blog, but I've been really busy. Fortunately ;)

Well, in our previous Chapter we were discussing the idea behind this series of blog posts. So, for Chapter 1, we will see how to install Courier-Authlib and Courier-MTA on a Gentoo-based GNU/Linux server, but we will leave the CONFIGURATION details for the next chapter. So, after reading this post, you will go to Courier's Installation Instructions and read them thoroughly, though you need not pay much attention to the prerequisites, compilation and installation details.

So, your first question probably is "Why Gentoo?". Simple: I like it. Very much. It's flexible enough to meet both server and desktop needs, the userbase is full of EXCELLENT people that like helping more than flaming (yes, this is a direct comment against a certain GNU/Linux Distribution's community), and their ebuild maintainers work wonderfully.

So what is an ebuild anyway? It's Gentoo's way of naming a "package". But not only that. Gentoo is a source-based distribution where almost all packages (with some big exceptions, like OpenOffice) must be compiled and installed ("emerged" in Gentoo's jargon) from source. So, an ebuild is also the recipe for how to cook/compile a program.

There are other source-based distributions, like SourceMage GNU/Linux, where instead of "emerging an ebuild", you "cast a spell from the grimoire".

Since release 2006.0, Gentoo has added a graphical installer to its installation livecd, which is both X and ncurses-based (ncurses being the console / text-mode function library used to develop the installer). I really recommend that you give it a try. You will not only learn lots from it, but you'll also discover a truly powerful GNU/Linux distribution.

Well, to tell you the truth, you could also try UTUTO-e GNU/Linux, which was originally based on Gentoo, the only big difference being that all packages come pre-compiled on the installation CD-ROM. It's the quickest way of installing a Gentoo system if you lack CPU power.

So, now, go and install your Gentoo based system. Here you have the current installation livecds and the current installation instructions. Once you finish installing and configuring networking, continue to the next chapter of this series.

Yours,



posted by Arturo 'Buanzo' Busleiman @ 9:43 AM  