On Fri, 06 Dec 2013 23:50:28 +0000 steve-ALUG@hst.me.uk allegedly wrote:
The other major problem that I've had, even before trying to connect a mobile phone to the server, is that I did not want to introduce any vulnerabilities onto my server.
(As I understand it - feel free to point out any problems with my understanding!)
I didn't want to make it an open relay (intentionally or unintentionally). Consequently I think that means I need to authenticate with the server. Authenticating with the server requires certificates, otherwise passwords could be sniffed. Even with certificates, I'd like to make sure that they were being used and that unauthenticated logins and/or logins without certificates are not allowed.
You need an Exim expert here. I can give you the postfix configuration which I use, but that would mean you changing your MTA, which I guess you don't want to do.
You could start here. https://github.com/Exim/exim/wiki/Q0742
You are right about the authentication helping, and you do also need to ensure that users /do/ authenticate when connecting and don't simply bypass that. But there are also explicit anti-relay configuration options you must consider (such as limiting which networks can send mail through you).
I also don't want someone to be able to telnet onto my server and keep trying to guess user names and passwords. I know that it's possible to use denyhosts and similar to monitor ssh access and block suspicious login attempts/addresses; I'd like to do something similar with email if possible.
I get lots of "SASL LOGIN authentication failed:" messages in my logs...
You could use fail2ban to limit connections. Personally I'm not keen on a script fiddling with my iptables rules, but that's just me.
In postfix I insist on a proper helo and disable vrfy. Every little helps. You could also modify your banner to obfuscate your MTA identity. That information will still leak in your email headers of course (unless Exim allows this to be blocked too.)
As I said, thanks for the pointers. I'll work through it next week when I have a bit more time.
Have fun.
Mick
---------------------------------------------------------------------
Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
---------------------------------------------------------------------
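An added example, not part of the original thread and not Mick's or steve's own setup, of the fail2ban-style check discussed above: it parses the "SASL ... authentication failed" warnings that postfix/smtpd writes, counts failures per client address inside a sliding window, never bans a trusted local network (so a colleague mistyping a password is not locked out), and emits the iptables commands for an operator to review rather than running them. The log lines, the year (syslog timestamps carry none), the threshold, the window length and the trusted network are all constructed assumptions for the example.

```python
"""fail2ban-style detector for Postfix SASL authentication failures.

Added example, not code from the original thread. Nothing here touches
iptables; the commands are returned as strings for review.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in the syslog format written by postfix/smtpd.
SAMPLE_LOG = """\
Dec  6 23:50:01 mail postfix/smtpd[4011]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Dec  6 23:50:03 mail postfix/smtpd[4011]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Dec  6 23:50:04 mail postfix/smtpd[4012]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Dec  6 23:50:06 mail postfix/smtpd[4011]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Dec  6 23:50:09 mail postfix/smtpd[4013]: warning: laptop.lan[192.168.1.20]: SASL LOGIN authentication failed: authentication failure
Dec  6 23:50:10 mail postfix/smtpd[4013]: warning: laptop.lan[192.168.1.20]: SASL LOGIN authentication failed: authentication failure
Dec  6 23:50:11 mail postfix/smtpd[4013]: warning: laptop.lan[192.168.1.20]: SASL LOGIN authentication failed: authentication failure
Dec  6 23:50:11 mail postfix/smtpd[4013]: warning: laptop.lan[192.168.1.20]: SASL LOGIN authentication failed: authentication failure
Dec  6 23:59:30 mail postfix/smtpd[4014]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Dec  7 00:00:05 mail postfix/smtpd[4015]: connect from unknown[203.0.113.9]
Dec  7 00:00:07 mail postfix/smtpd[4015]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
"""

LOG_YEAR = 2013           # assumed: syslog timestamps carry no year
MAX_FAILURES = 3          # ban after this many failures ...
WINDOW_SECONDS = 600      # ... within this many seconds (assumed policy)
# Assumed trusted network: addresses here are counted but never banned.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Matches the smtpd warning line for any SASL mechanism (LOGIN, PLAIN, ...).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)


def parse_failure(line):
    """Return (timestamp, client_ip) for a SASL failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def is_trusted(ip):
    """True if the address falls inside a network we never ban."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_offenders(log_text, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
    """Sliding-window failure count per client; returns sorted IPs to ban."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    banned = set()
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue                       # not an auth failure, ignore
        ts, ip = parsed
        if is_trusted(ip) or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        # Forget failures that fell out of the window before counting.
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= max_failures:
            banned.add(ip)
    return sorted(banned)


def iptables_commands(ips, chain="INPUT", port=25):
    """Rules an admin could review and apply by hand; nothing is executed."""
    return [f"iptables -I {chain} -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG)
    print("would ban:", offenders)        # expected: ['203.0.113.5']
    for cmd in iptables_commands(offenders):
        print(cmd)
```

On the sample, 203.0.113.5 crosses the threshold at its third failure and its later attempt is ignored once banned; 192.168.1.20 fails four times but sits in the trusted network; the other two addresses never reach the threshold. Feed it `journalctl -u postfix` or `/var/log/mail.log` instead of the constructed text to try it on real data, and keep the window short enough that a legitimate user's handful of typos does not accumulate into a ban.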