Mac OS X Server 10.4 Tiger: Visual QuickPro Guide

Although your mail service is now set up and functioning, it is still far from secure. Internet mail protocols were originally designed in a time when the Internet was a trusting environment, but that's not so today. There are a number of things that can, and should, be done to secure mail for your users.

Advanced mail authentication

The default configuration of Mac OS X Server sends passwords completely in the clear. This is particularly bad whenever you may be checking email over a wireless link, as it allows anyone else on the same wireless link to quickly and easily obtain your password. Mac OS X Server supports a number of much more secure password transmission mechanisms that are easily enabled.

These are the types of authentication your server supports when an email client authenticates to it. Login, PLAIN, and Clear should all be considered completely insecure and should be disabled. Authenticated POP (APOP) is better than clear, but should still be considered weak encryption. Challenge Response Authentication Method (CRAM-MD5) is generally sufficient for most needs and should be offered where possible.

Kerberos

Kerberos is an extremely secure authentication mechanism because it doesn't ever transmit the user's password over the network. Instead, the client and server go through a highly secure encrypted exchange of keys that positively identify both the user and the server.

Kerberos is common in many educational institutions, and is also available in a pure Apple Open Directory environment. If it's available, it should almost always be used. If you don't already have Kerberos set up, it may not be worth the hassle to set it up just for mail, as SSL provides sufficient security for most people.

To enable secure authentication

1. From the Computers & Services column, select Mail.

2. Select the Settings tab at the bottom of the screen and then select the Advanced tab.

3. Uncheck Login, PLAIN, and Clear in each column.

4. In the IMAP column, check CRAM-MD5; in the POP column, check APOP; and in the SMTP column, check CRAM-MD5 and then click Save (Figure 8.37).

Figure 8.37. If you can turn on authenticated SMTP, you should use CRAM-MD5 authentication.
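One way to confirm the result of these steps from a client's point of view is to read what each service advertises. The following is an added example, not part of the original book: it parses an SMTP EHLO reply, an IMAP CAPABILITY line, and a POP3 greeting plus CAPA reply, and reports any of Login, PLAIN, or Clear still on offer. The replies are constructed samples, the host name mail.example.com is a placeholder, and treating a missing LOGINDISABLED (IMAP) or a USER capability (POP) as "Clear" is an assumption about how that check box shows up on the wire.

```python
import re

# Labels follow the page's check boxes; "CLEAR" stands for a bare password login.
WEAK = {"LOGIN", "PLAIN", "CLEAR"}

def smtp_mechs(ehlo_reply):
    """Collect mechanisms from the EHLO 'AUTH' lines (also the old 'AUTH=' form)."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line, re.IGNORECASE)
        if m:
            mechs.update(m.group(1).upper().split())
    return mechs

def imap_mechs(capability_line):
    """AUTH=<mech> items; a bare LOGIN is allowed unless LOGINDISABLED is present."""
    words = capability_line.upper().split()
    mechs = {w[5:] for w in words if w.startswith("AUTH=")}
    if "LOGINDISABLED" not in words:
        mechs.add("CLEAR")
    return mechs

def pop_mechs(greeting, capa_reply):
    """APOP shows as a <timestamp> in the greeting; CAPA lists SASL and USER."""
    mechs = {"APOP"} if re.search(r"<[^<>\s]+@[^<>\s]+>", greeting) else set()
    for line in capa_reply.splitlines():
        words = line.upper().split()
        if words[:1] == ["SASL"]:
            mechs.update(words[1:])
        elif words[:1] == ["USER"]:
            mechs.add("CLEAR")
    return mechs

def weak_offered(mechs):
    return sorted(mechs & WEAK)

# Constructed server replies for a host named mail.example.com (not real captures).
SMTP_BEFORE = "250-mail.example.com\n250-AUTH LOGIN PLAIN CRAM-MD5\n250 8BITMIME"
SMTP_AFTER = "250-mail.example.com\n250-AUTH CRAM-MD5\n250 8BITMIME"
IMAP_BEFORE = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5"
IMAP_AFTER = "* CAPABILITY IMAP4rev1 LOGINDISABLED AUTH=CRAM-MD5"
POP_GREETING = "+OK POP3 ready <1896.697170952@mail.example.com>"
POP_BEFORE = "+OK\nUSER\nSASL PLAIN LOGIN CRAM-MD5\n."
POP_AFTER = "+OK\nSASL CRAM-MD5\n."

if __name__ == "__main__":
    for name, mechs in [("SMTP", smtp_mechs(SMTP_BEFORE)), ("IMAP", imap_mechs(IMAP_BEFORE)),
                        ("POP", pop_mechs(POP_GREETING, POP_BEFORE))]:
        print(name, "still offers:", weak_offered(mechs))
```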

Tips

  • Some automated background processes may need to send mail through your SMTP server. With SMTP set to use authentication, you'll need to either have the automated process generating the email authenticate itself to your mail server, or you'll need to add the IP address of the host generating that email to your SMTP server's list of hosts from which to accept SMTP relays.

  • In order for your server to support CRAM-MD5 or APOP authentication, the user's password hash must contain the CRAM-MD5 version of their password.
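To show why CRAM-MD5 and APOP keep the password off the wire, and why the server must store a password form it can compute them from, here is an added example that is not part of the original book. It uses the sample exchanges published in RFC 2195 and RFC 1939; the function names are illustrative, and the SHA-256 value stands in for any stored hash that is not CRAM-MD5 capable.

```python
import base64
import hashlib
import hmac

def cram_md5_response(user, password, challenge_b64):
    """Client: answer the server's base64 challenge (RFC 2195)."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def cram_md5_verify(stored_secret, challenge_b64, response_b64):
    """Server: recompute the digest from its stored secret and compare."""
    _user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(stored_secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)

def apop_digest(greeting_timestamp, password):
    """APOP: MD5 over the greeting timestamp followed by the password (RFC 1939)."""
    return hashlib.md5((greeting_timestamp + password).encode()).hexdigest()

def plain_on_the_wire(user, password):
    """What PLAIN sends: base64 is an encoding, so the password is recoverable."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

# Sample exchanges published in RFC 2195 and RFC 1939 (not captured from a real server).
CRAM_CHALLENGE = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()
APOP_TIMESTAMP = "<1896.697170952@dbc.mtview.ca.us>"

if __name__ == "__main__":
    resp = cram_md5_response("tim", "tanstaaftanstaaf", CRAM_CHALLENGE)
    print("CRAM-MD5 reply:", base64.b64decode(resp).decode())
    print("server accepts:", cram_md5_verify("tanstaaftanstaaf", CRAM_CHALLENGE, resp))
    # A one-way hash of the password is useless as the stored secret here,
    # which is why the directory must keep a CRAM-MD5-capable form of it.
    unrelated = hashlib.sha256(b"tanstaaftanstaaf").hexdigest()
    print("server with only a SHA-256 hash accepts:",
          cram_md5_verify(unrelated, CRAM_CHALLENGE, resp))
    print("APOP digest:", apop_digest(APOP_TIMESTAMP, "tanstaaf"))
    print("PLAIN payload decodes to:",
          base64.b64decode(plain_on_the_wire("tim", "tanstaaftanstaaf")))
```

Because the reply depends on the server's challenge, a captured reply is of no use against a later challenge, whereas the PLAIN payload yields the password itself to anyone who records it.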

To enable secure authentication using Open Directory

1. From the Computers & Services column, select Open Directory.

2. Select the Settings tab at the bottom of the screen.

3. Select the Policy tab at the top of the following screen and then select the Security tab.

4. If you're offering POP mail retrieval, be sure the APOP box is checked and click Save if you made a change (Figure 8.38).

Figure 8.38. Be sure that Open Directory is storing the correct password types for each user.

To set the options for an account in your local NetInfo directory

1. Launch Workgroup Manager and select the user from the left column whose password hashing options you want to verify.

2. Select the Advanced tab at the top of the screen and click Security (Figure 8.39).

Figure 8.39. If you aren't using Open Directory, click the Security button to set the password types stored for each user.

3. In the window that appears, be sure the CRAM-MD5 box is selected (Figure 8.40).

Figure 8.40. Check CRAM-MD5 as an authentication method.

4. If you're offering POP service, also be sure the APOP box is selected.

5. Click OK and Save.

Tip

  • Users may have to reset their passwords after you change the different types of password hashes that are stored for them.

Encrypting mail with SSL

Now that you've enabled stronger security on your mail server, you'll also need to instruct your users to reconfigure their mail clients to use the stronger security.

Although you've just increased the level of security protecting your passwords, the message text itself is still being sent in the clear both when retrieving messages from your inbox and when sending new messages from your client. This is particularly risky in a wireless environment where anyone else on the same wireless link can see the full text of all your email as it is transmitted to and from the server.

To protect against this (and to further protect passwords at the same time), you can implement SSL (Secure Sockets Layer) on your SMTP, IMAP, and POP service. This provides the same protection used by e-commerce Web sites that you visit using the HTTPS protocol, and will encrypt the entire traffic path between your email client and the email server. For more information on SSL, see Chapter 10, "Security."

Mac OS X Server comes preconfigured with a Default SSL certificate that you can use for mail services. Though it will provide the same encryption as a commercial SSL certificate that you may purchase, its use will cause each of your mail clients to display a warning dialog each time they connect because the Default certificate installed on each server is self-signed and its authenticity can't be verified by the mail client software. If you'd like to use the Default certificate, or any other SSL certificate that is already installed on your server, skip ahead to the "To configure the mail server to use the certificate" task.

To create your own SSL certificate

1. Launch Server Admin and select the name of your server from the Computers & Services column (Figure 8.41).

Figure 8.41. Select the name of your server in the Server Admin tool to set options that affect all services.

2. Select the Settings tab at the bottom of the screen and then select the Certificates tab.

3. Click the plus button (Figure 8.42).

Figure 8.42. Click the add button to add a new certificate.

4. In the Common Name field of the window that appears, type the name of your mail server exactly how your mail clients will be connecting to it (Figure 8.43).

Figure 8.43. Type the information that should be stored in the certificate. Be sure to select a 2048-bit private key size for the most strength.

5. Type the rest of the fields as appropriate for your organization and be sure to select a 2048-bit private key size.

6. Click Save.

Tip

  • If you'd like to get the certificate signed by a certificate authority, click Request Signed Certificate From CA (Figure 8.44). This will usually cost money and take a few days. Once they respond with your signed certificate, click the Add Signed Certificate button.

Figure 8.44. Server Admin provides an easy interface to request a signed certificate. Either enter the email address of your certificate authority, or drag the certificate icon to a Web page.

To configure the mail server to use the certificate

1. From the Computers & Services column, select Mail.

2. Select the Advanced tab at the top of the screen and then select the Security tab.

3. From the SMTP SSL menu, select Use, and from the adjacent pop-up menu, select the SSL certificate you want to use (Figure 8.45).

Figure 8.45. Configuring a service to use SSL is easy in Server Admin.

4. From the IMAP and POP SSL pop-up menu, select Require, assuming only normal mail client software will be connecting to your server.

If you will be using WebMail (described later), select Use instead of Require. WebMail doesn't use SSL to connect, so you must preserve the option to connect without SSL. However, you should firewall off all incoming non-SSL traffic except from your WebMail server.

5. From the adjacent pop-up menu, select the SSL certificate you wish to use and click Save.

Tip

  • A few email clients don't offer SSL encryption for SMTP, so it's usually best to set it to Use, which gives people the option to use SSL but doesn't require it. If you enable SSL for SMTP, be sure to do some extra testing to ensure that your incoming mail, relayed or not, is not rejected for not using SSL. For IMAP and POP, however, SSL is generally available everywhere (except with WebMail), so it's usually acceptable to require it.

Adjusting the firewall

Although your mail server is now configured to use SSL, you need to make some adjustments to your firewall since SSL communication is done on a different network port than non-SSL communication.

To adjust the firewall for SSL

1. From the Computers & Services column, select Firewall.

2. Click the Settings tab at the bottom of the screen and then select the Services tab.

3. From the "Edit Services for" menu, select any (Figure 8.46).

Figure 8.46. Use the firewall settings of Server Admin to allow network connections on the SSL IMAP and POP ports.

4. Select Mail: IMAP SSL (port 993) in the list box.

5. If you're offering a POP service, select Mail: POP3 over SSL (port 995).

6. Assuming you're requiring SSL for IMAP and POP, deselect Mail: POP3 and Mail: IMAP (Figure 8.47).

Figure 8.47. You can safely turn off the non-SSL IMAP and POP ports using the firewall settings of Server Admin.

Note that even though WebMail can't use SSL, since you're hopefully using it from the same host as your mail server, its traffic will never be blocked by the firewall, so, regardless of whether you're using WebMail, you should deselect (block) the non-SSL IMAP and POP ports.

7. Click Save.

Detecting viruses

A crucial part of keeping computers secure is preventing viruses from reaching them. Although there are currently no known viruses that can attack Mac OS X directly, there will likely be some eventually. Also, viruses targeted at applications, such as macro viruses, can still infect a Mac because mail traveling through your mail server can contain a virus and could easily infect a less secure computer that might connect to your mail server. Due to this threat, it is in the best interest of mail administrators to scan email messages for viruses.

Fortunately, Mac OS X Server makes this an easy task. ClamAV is included, and can be enabled to easily scan every message that comes into your mail server.

To scan email for viruses

1. From the Computers & Services column, select Mail.

2. Select the Settings tab at the bottom of the screen and then select the Filters tab.

3. Select the "Scan email for viruses" and "Notify recipients" check boxes (Figure 8.48).

Figure 8.48. Scanning for viruses is easy with Mac OS X Server. Just select the option to turn it on.

This will send a message to the intended recipients letting them know an infected message was deleted.

4. Select the "Update the Junk mail and virus database" check box and set the value at 4 times per day.

Since viruses propagate so quickly, it's important to update your virus definitions frequently to minimize the spread of a future outbreak.

5. Click Save.

Using service ACLs

Earlier when you enabled mail access for a user, you did so through Workgroup Manager on a per-user basis. Depending on the type of user management you use and on the size of your organization, this may or may not be an efficient way of controlling who has access to your mail server. As an alternative, you can use service ACLs (SACLs, or service access control lists) to control mail access. If you use SACLs to control mail, the per-user mail setting in Workgroup Manager is ignored. One benefit of using SACLs to control mail access is that you can give entire groups of people access to a service rather than having to specify it for an individual user. You can even nest groups (have groups of groups) to make your user management even easier. Note that you'll lose your quotas and forwarding ability if you use SACLs to enable mail as the SACL overrides any mail attributes in the user's record.

To enable mail access through service ACLs

1. From the Computers & Services column, select the name of your server.

2. Click the Settings tab at the bottom of the screen and then select the Access tab.

3. Deselect the "Use same access for all services" check box and select Mail in the list below (Figure 8.49).

Figure 8.49. You can use service ACLs instead of Workgroup Manager to determine who has mail access.

4. Select the "Allow only users and groups below" radio button.

5. Click the plus button to open your users and groups drawer (Figure 8.50).

Figure 8.50. Click the plus button to open the users and groups drawer.

6. Click and drag the users and/or groups that you'd like to have access to mail into the access list and then click Save (Figure 8.51).

Figure 8.51. Drag users from the drawer into the window to add them to the access list.

This will automatically enable each user's mailbox and allow them access.

Tip

  • Workgroup Manager may indicate that mail is not accepted for a given user. Remember that if SACLs are used, the Workgroup Manager mail settings are ignored.

Understanding physical security

One aspect of security that is often overlooked is that of physical security. You've hopefully taken actions like requiring stronger authentication and SSL for your mail service, but don't forget about the server hardware itself.

Think about physical security in two ways: You should protect the physical integrity of your server to maximize uptime and the authenticity of its contents, and you want to protect the data on your server (the mail messages) from theft or prying eyes.

The simple and obvious solution to most of this is to simply keep your mail server in a locked room and restrict who has access to that room. If someone has physical access to a computer, they can get control of that computer no matter what controls you've put in place. You'll also want to be sure to take the appropriate power, fire, and other environmental precautions. Since your users will always expect their mail to be where they left it, it's always a good idea to place a copy of your mail server backups in an offsite location so that you can quickly bring your mail service back online in the event of a disaster. Keep in mind, though, that those backups on tape or CD contain sensitive information (a copy of everyone's mail) and should also be appropriately safeguarded through the use of a safe deposit box or other physical security means.
