1. ISQS 6342 Email server attacks Presented by Deven Patel

2. Common types of email abuse Eavesdropping Mail-bombing Impersonating someone else Propagating viruses Sending Hoaxes or Chain letters Hijacking email server

3. Email agents Message Transfer Agent (MTA) Message Delivery Agent (MDA)

4. MTAs Simple Mail Transfer Protocol (SMTP) Unix to Unix Copy Program (UUCP)

5. SMTP Sendmail Postfix Qmail Exim

6. Email Architecture: SMTP Gateways and DMZ Networks Intern et DMZ net End user workstationsSMTP and other internal servers RouterFirewall Switch Internal net SMTP Gateway Public FTP Public Web Server

7. SMTP attacks Buffer Overflow attacks http://www.cert.org/advisories/CA-1997-05.html Relaying Unsolicited Commercial Email http://www.cert.org/incident_notes/IN-2001-02.html Leaking User and System information to prospective intruders ftp://ftp.isi.edu/in-notes/rfc2821.txt VRFY & EXPN

8. Unsolicited Commercial Email Network availability Server performance and Bandwidth optimization.

9. Remedies Blacklist http://mail-abuse.org/rbl SpamAssasin http://www.spamassassin.org

10. Some SMTP troubleshooting commands Helo Mail from Rcpt to Data Subject Quit

11. Sendmail Pros Huge user community, as a result its easy to find both free and commercial support for it, not to mention a wealth of electronic and print publications.

12. Sendmail Cons Layers of old code resulting in a reputation of being insecure and bloated. Monolithic i.e. a vulnerability in one portion of its functionality results in the compromise of the entire application. Complex application.

13. Two modes of Operation Invoked on the fly Persistent Background Daemon

14. Configuring Sendmail 1. Enable needed features and tweak settings in sendmail.mc 2. Set up domain name masquerading, if needed, in sendmail.mc 3. Run m4 to generate sendmail.cf from sendmail.mc 4. Configure delivery rules by editing the mailertable. 5. Configure relaying rules by editing access. 6. Configure multiple-domain handling rules by editing virtusers. 7. Define local user-aliases in aliases. 8. Convert mailertable, access, virtusers, and aliases to databases. 9. Define all valid hostnames of the local system in the file local-host- names. 10. (Re-)start sendmail.

15. Excert from an /etc/mail/sendmail.mc file

16. Excert from an /etc/mail/sendmail.mc file (contd)

17. Feature directives

19. FEATURE(‘access_db’,’hash|dbm|btree [-o] /path/access.db’)dnl This is a modularizing feature which creates an access database providing a convenient way to maintain a list of both allowed and explicitly denied relaying hosts and domains.

20. FEATURE(‘dnsbl’,’blackhole.list.provider’)dnl Use a special DNS look-up to check all senders hostnames against a “black hole list” of known sources of UCE. If ommited, the name of the blackhole.list.provider defaults to blackholes.mail-abuse.org. This is a subscription-based service: mail-abuse.org charges a yearly fee for nonpersonal use. http://mail-abuse.org/rbl

21. FEATURE(‘blacklist_recipients’)dnl Check recipient addresses of incoming mail against the access database to block mail to selected usernames.

22. FEATURE(‘use_cw_file’)dnl This feature causes sendmail to use the file /etc/mail/local-host-names to determine valid local names – i.e. names that, if used to the right of the “@” in an email address, will cause that mail to be delivered locally. This is part of Sendmail’s anti-SPAM-relaying functionality.

23. Sendmail and SMTP AUTH SMTP AUTH is a badly needed extension to the SMTP protocol: it describes a flexible authentication mechanism that can be used to authenticate relaying. SMTP AUTH allows a password shared by two hosts (or stored by one host for its local users) to be used to validate email senders. ftp://ftp.isi.edu/in-notes/rfc2554.txt

24. Sendmail and STARTTLS Beginning with version 8.11, sendmail supports the Extended SMTP command STARTTLS. When this command is issued at the beginning of an ESMTP session, it initiates an encrypted TLS tunnel that protects the rest of the session from eavesdropping. ftp://ftp.isi.edu/in-notes/rfc2487.txt

25. Sendmail and STARTTLS TLS and SSL use x.509 digital certificates, a type of public-key cryptography in which one’s public key is formatted to include certain amount of identification information (besides just your key ID and the public key itself), including the digital signature of a “Certificate Authority” (CA) that vouches for the authenticity of the certificate. http://www.rsasecurity.com/rsalabs/faq

26. Postfix Postfix is simpler in design, more modular, and easier to configure and administer. Postfix is designed with scalability, reliability, and security as fundamental requirements. Postfix consists of a suite of Daemons and helper applications, whereas sendmail is essentially monolithic.

27. Postfix Postfix separates functions across different processes which is a big factor in postfix’s speed and stability. Also Postfix handles the mails intelligently by processing mails in four different queues rather than a single big queue as sendmail does.

28. Postfix’s four different queues Maildrop queue Incoming queue Active queue Deferred queue

29. References http://www.cert.org/incident_notes/IN-2001-02.html http://www.cert.org/advisories/CA-1997-05.html ftp://ftp.isi.edu/in-notes/rfc2821.txt http://mail-abuse.org/rbl http://www.spamassassin.org http://mail-abuse.org/rbl ftp://ftp.isi.edu/in-notes/rfc2554.txt ftp://ftp.isi.edu/in-notes/rfc2487.txt http://www.rsasecurity.com/rsalabs/faq Bauer, Michael D. (2002). Building Secure Servers with Linux. O’reilly, CA