Mail server security solution

zhaozj2021-02-08  262

Sendmail is free mail server software that is widely used on Internet servers running various operating systems, such as Solaris, HP-UX, AIX, IRIX and Linux. As the Internet has become more popular, the chance of an attack on a mail server has also increased. There are two types of attack on Internet-connected mail servers. One is relay abuse: a remote machine sends mail through your server, so anyone can use your server to send mail to any address. Over time your machine not only becomes a hotbed for sending spam, but also drives up your network's international traffic, and it may end up being refused by many mail servers on the Internet. The other type of attack is called spam: the server may receive a large amount of useless mail in a short period of time, so that the mail server is overwhelmed and paralyzed. Either attack may keep the mail server from working properly. So for a campus mail server, preventing mail attacks is indispensable.

There are currently two ways to prevent mail attacks on a Sendmail mail server. One is to upgrade the server software to a newer version and use the functions of the software itself. The second is to use third-party software, such as dynamic relay verification control. These methods are described below using Sendmail v8.9.3 as the example.

1. Server itself

(1) Security considerations when compiling Sendmail

To use the mail-attack blocking functions of Sendmail 8.9.3, you must set the relevant parameters when the system is compiled, with the help of an associated software package. At present this is mainly the Berkeley DB database. The Berkeley DB package can be downloaded from the relevant site and needs to be compiled beforehand. Then write the Berkeley DB parameters into the relevant Sendmail files.

a. Modify the site.config.m4 file

Add the Berkeley DB include and library paths to the site.config.m4 file so that Sendmail is compiled with Berkeley DB support. For example:

# cd $/sendmail-8.9.3/BuildTools/Site

Edit the site.config.m4 file:

define(`confINCDIRS', `-I/usr/local/BerkeleyDB/include')

define(`confLIBDIRS', `-L/usr/local/BerkeleyDB/lib')

b. Modify the sendmail.mc file

sendmail.mc is one of the template files from which sendmail.cf is generated. To enable Sendmail's anti-mail-attack features, this file also needs to be customized. It mainly includes the following:

......

FEATURE(relay_entire_domain)

FEATURE(access_db)dnl

FEATURE(blacklist_recipients)

......

(2) Configuration of related files

Compiling Sendmail correctly is the basis for security control of the mail server, but the real security settings are made mainly through the related files. The files containing the control statements are primarily access and relay-domains.

access is the primary database file for mail security control. In it you list a domain name, IP address, or target email address together with the corresponding action value, and then generate the access.db file with the makemap command (# makemap hash access.db < access).

spam.com REJECT

edu.cn OK

hotmail.com DISCARD

The REJECT action refuses to accept messages from the specified address; OK allows access for a particular address; RELAY allows messages to be relayed through this mail server; DISCARD hands the received mail over to a specific command, for example: it can be set to discard the received message, or to return an error message to the user after the mail is received. The relay-domains file sets which domains may be relayed, with one domain per line. For example:

......

cn

edu

jp

......

When the server first goes into use, all top-level domains are added to this file, and it is then modified according to security needs. Otherwise POP3 users will get a "relay reject" error when sending, and mail cannot be sent to target addresses in domains that are not listed.
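Both files can be checked before makemap is run. The following Python code is an added example, not part of the original article or of Sendmail: it parses access-map source text, flags unknown actions, resolves a host against the entries, and lists relay-domains entries that are bare top-level domains. The function names and the entries bad.example and campus.example.edu.cn are constructed for illustration, and the parent-domain lookup is a simplified model of how an access entry covers the hosts beneath it.

```python
import re

# Actions named in the article, plus sendmail's "NNN text" SMTP error form.
ACTIONS = {"OK", "REJECT", "RELAY", "DISCARD"}
ERROR_RE = re.compile(r"^[45]\d\d\s+\S")

def parse_access(text):
    """Parse access-map source text into ({key: action}, [problems])."""
    entries, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            problems.append(f"line {n}: no action for {parts[0]}")
            continue
        key, action = parts[0].lower(), parts[1].strip()
        if action.upper() in ACTIONS:
            action = action.upper()
        elif not ERROR_RE.match(action):
            problems.append(f"line {n}: unknown action {action!r}")
            continue
        if key in entries:
            problems.append(f"line {n}: duplicate key {key}")
        entries[key] = action
    return entries, problems

def lookup(entries, host):
    """Try the host name, then each parent domain, so spam.com covers a.spam.com."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        action = entries.get(".".join(labels[i:]))
        if action:
            return action
    return None

def broad_relay_domains(text):
    """Entries without a dot are whole TLDs: any host under them is relayed for."""
    names = (l.strip().lower().rstrip(".") for l in text.splitlines())
    return [d for d in names if d and not d.startswith("#") and "." not in d]

# Constructed sample input, modelled on the entries shown in the article.
SAMPLE_ACCESS = "spam.com REJECT\nedu.cn OK\nhotmail.com Discard\nbad.example REJCT\n"
SAMPLE_RELAY = "cn\nedu\njp\ncampus.example.edu.cn\n"
```

A bare top-level domain such as cn in relay-domains lets the server relay for every host under it, which is why the list has to be narrowed according to security needs once the server is in service.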

(3) Modification of the version number

For a mail server, the server's version information can be obtained remotely by connecting to port 25 with telnet. For example, "telnet <Sendmail server host> 25" shows the current version of Sendmail. To prevent malicious viewing of version information, Sendmail lets you change the version that is displayed.

The sendmail.cf file contains the statement "SmtpGreetingMessage=$j Sendmail $v/$Z; $b", where $v/$Z is the version information; under normal conditions this parameter displays the version of Sendmail itself. If you want it to show version information chosen by the administrator, you only need to change this parameter and put in the information you want. For example, when the statement is changed to "SmtpGreetingMessage=$j Sendmail 0.0/0.0; $b" and the Sendmail service is restarted, the Sendmail version becomes "Sendmail 0.0", which achieves the purpose of concealing the version information.
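The effect of this change can be checked offline. The following Python code is an added example, not Sendmail's own: it reads the SmtpGreetingMessage option from sendmail.cf text, fills in the $j, $v, $Z and $b macros, and goes one step beyond the greeting by listing every option or header line that still references $v or $Z. The sendmail.cf fragment (with a simplified Received header), the macro values and the function names are constructed for illustration.

```python
import re

# Constructed macro values, used to render the greeting template.
MACROS = {"j": "mail.example.edu.cn", "v": "8.9.3", "Z": "8.9.3",
          "b": "Mon, 1 Jan 2001 00:00:00 +0800"}

def greeting_option(cf_text):
    """Return the value of the last 'O SmtpGreetingMessage=' line, or None."""
    value = None
    for line in cf_text.splitlines():
        m = re.match(r"O\s*SmtpGreetingMessage\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip()
    return value

def expand(template, macros=MACROS):
    """Expand single-letter $x macros; unknown ones are left as written."""
    return re.sub(r"\$(\w)", lambda m: macros.get(m.group(1), m.group(0)), template)

def version_refs(cf_text):
    """Line numbers of option (O) and header (H) lines that still use $v or $Z."""
    return [n for n, line in enumerate(cf_text.splitlines(), 1)
            if line[:1] in ("O", "H") and re.search(r"\$[vZ]\b", line)]

# Constructed sendmail.cf fragment; the Received header line is simplified.
BEFORE = ("O SmtpGreetingMessage=$j Sendmail $v/$Z; $b\n"
          "HReceived: by $j ($v/$Z) id $i; $b\n")
AFTER = BEFORE.replace("Sendmail $v/$Z", "Sendmail 0.0/0.0")

def banner(cf_text):
    """Greeting template with the sample macro values filled in."""
    return expand(greeting_option(cf_text))
```

On the constructed fragment, the edited greeting no longer contains 8.9.3, but `version_refs(AFTER)` still reports the Received header line, so the version continues to appear in the headers of relayed mail unless that line is changed as well.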

The above are the security settings available in Sendmail 8.9.3 itself, and they can greatly enhance server security. But when setting up protection against mail relay and mail bombs, how do you determine which target addresses should be blocked from relay and which should be allowed? It seems this can only be determined by the administrator analyzing and observing the log files, or after a security problem has been found. This kind of security control therefore works only after the fact, and the server must be restarted after the relevant files are modified. To achieve dynamic security control in advance, other methods are needed.

2. Dynamic relay verification control

DRAC (Dynamic Relay Authorization Control) is server-side software designed for mail servers (http://mail.cc.umanitoba.ca/drac/index.html). It can be installed on an SMTP server and can provide a dynamic relay verification service for multiple mail servers at the same time. DRAC works mainly by automatically acquiring and dynamically updating a relay verification database, so that legitimate POP3 or IMAP users are allowed to use the mail server; this effectively controls mail bombs and illegal mail relay. Its principle is to use the POP3 or IMAP server to obtain information such as the user name, password, and client IP address, and to write it promptly into the verification database for the SMTP server to consult. After a period of time (30 minutes by default) the verification information automatically becomes invalid, and the user needs to enter the verification information again. This not only lets legitimate POP3 or IMAP users use the mail server normally, but also prevents any unregistered user (including local ones) from using the mail server to send mail. This kind of mail security control is often referred to as "POP verification before mail service" (POP-before-SMTP).

(1) DRAC compilation

Before compiling DRAC, the system's Sendmail server should already have been compiled correctly. First edit the Makefile in the DRAC source directory. On the Solaris 2.x operating system the Makefile is changed as follows:

INSTALL = /usr/ucb/install

EBIN = /usr/local/sbin

MAN = /usr/local/man/man

DEFS = -DTI_RPC -DFCNTL_LOCK -DSYSINFO

CC = (compiler)

RANLIB = :

CFLAGS = $(DEFS) -g -I/path/to/db/include

LDLIBS = -L/path/to/db/library -lnsl -ldb

TSTLIBS = -L. -ldrac -lnsl

MANLIB = 3

MANADM = 1m

Then compile and install it.

If there are multiple POP/IMAP servers, you also need to add the IP addresses of these servers to the file /etc/mail/dracd.allow, which has the same format as the /var/yp/securenets file. For example:

255.255.255.255 202.139.244.23

255.255.255.255 127.0.0.1

(2) Modify the sendmail.mc file to regenerate sendmail.cf

Before using the DRAC verification function, you also need to add the DRAC verification information to the sendmail.cf file. First modify the sendmail.mc file, then regenerate sendmail.cf. The relevant statements in the sendmail.mc file are modified as follows:

Add under LOCAL_CONFIG:

Kdrac btree /etc/mail/dracd

Add under LOCAL_RULESETS:

SLocal_check_rcpt

R$*	$: $&{client_addr}

R$+	$: $(drac $1 $: ? $)

R?	$@ ?

R$+	$@ $#OK

After regenerating the sendmail.cf file, restart the Sendmail process.
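The mechanism described in this section, as an added Python example (a model for illustration, not DRAC's code): a POP/IMAP server listed in dracd.allow records a client IP after a successful login, and the SMTP side permits relaying for that IP until the 30-minute lifetime runs out. The class and function names and the client addresses are hypothetical; the dracd.allow lines are the ones shown above.

```python
import ipaddress

TTL_SECONDS = 30 * 60  # default entry lifetime given in the article

def parse_allow(text):
    """Parse dracd.allow lines ("netmask address", securenets format)."""
    nets = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2:
            mask, addr = fields
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets

class DracModel:
    """Hypothetical model of dracd and the SMTP-side lookup, not DRAC's code."""

    def __init__(self, allow_text):
        self.allowed = parse_allow(allow_text)
        self.expires = {}  # client IP -> time at which the entry lapses

    def pop_login_ok(self, pop_server_ip, client_ip, now):
        """Record a client after a successful POP3/IMAP login.
        Only servers listed in dracd.allow may add entries."""
        src = ipaddress.ip_address(pop_server_ip)
        if not any(src in net for net in self.allowed):
            return False
        self.expires[client_ip] = now + TTL_SECONDS
        return True

    def may_relay(self, client_ip, now):
        """SMTP-side check: relay only for an IP with an unexpired entry."""
        expiry = self.expires.get(client_ip)
        if expiry is None or now >= expiry:
            self.expires.pop(client_ip, None)  # drop a lapsed entry
            return False
        return True

# dracd.allow lines as shown in the article.
SAMPLE_ALLOW = "255.255.255.255 202.139.244.23\n255.255.255.255 127.0.0.1\n"

def demo():
    """Walk one client through login, relay, and expiry (constructed addresses)."""
    d = DracModel(SAMPLE_ALLOW)
    return [
        d.may_relay("192.0.2.10", 0),                       # no login yet
        d.pop_login_ok("198.51.100.7", "192.0.2.66", 0),    # unlisted POP server
        d.pop_login_ok("202.139.244.23", "192.0.2.10", 0),  # listed POP server
        d.may_relay("192.0.2.10", 29 * 60),                 # inside the window
        d.may_relay("192.0.2.10", 30 * 60),                 # window has closed
    ]
```

Because the entry is keyed on the client IP address alone, every host that shares that address is authorized to relay until the entry expires.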
