Manualshelf

User guide

ManualsBrandsRed Hat ManualsOtherENTERPRISE LINUX 4 - SELINUX GUIDE
51525354555657585960
Securing Sendmail
49
local_enable=NO
2.2.6.3.1. Restricting User Accounts
To disable FTP access for specific accounts or specific groups of accounts, such as the root user and
those with sudo privileges, the easiest way is to use a PAM list file as described in Section 2.1.4.2.4,
“Disabling Root Using PAM”. The PAM configuration file for vsftpd is /etc/pam.d/vsftpd.
It is also possible to disable user accounts within each service directly.
To disable specific user accounts in vsftpd, add the username to /etc/vsftpd/ftpusers
2.2.6.4. Use TCP Wrappers To Control Access
Use TCP Wrappers to control access to either FTP daemon as outlined in Section 2.2.1.1, “Enhancing
Security With TCP Wrappers”.
2.2.7. Securing Sendmail
Sendmail is a Mail Transfer Agent (MTA) that uses the Simple Mail Transfer Protocol (SMTP) to deliver
electronic messages between other MTAs and to email clients or delivery agents. Although many
MTAs are capable of encrypting traffic between one another, most do not, so sending email over any
public networks is considered an inherently insecure form of communication.
It is recommended that anyone planning to implement a Sendmail server address the following issues.
2.2.7.1. Limiting a Denial of Service Attack
Because of the nature of email, a determined attacker can flood the server with mail fairly easily and
cause a denial of service. By setting limits to the following directives in /etc/mail/sendmail.mc,
the effectiveness of such attacks is limited.
confCONNECTION_RATE_THROTTLE — The number of connections the server can receive per
second. By default, Sendmail does not limit the number of connections. If a limit is set and reached,
further connections are delayed.
confMAX_DAEMON_CHILDREN — The maximum number of child processes that can be spawned
by the server. By default, Sendmail does not assign a limit to the number of child processes. If a limit
is set and reached, further connections are delayed.
confMIN_FREE_BLOCKS — The minimum number of free blocks which must be available for the
server to accept mail. The default is 100 blocks.
confMAX_HEADERS_LENGTH — The maximum acceptable size (in bytes) for a message header.
confMAX_MESSAGE_SIZE — The maximum acceptable size (in bytes) for a single message.
2.2.7.2. NFS and Sendmail
Never put the mail spool directory, /var/spool/mail/, on an NFS shared volume.
Because NFSv2 and NFSv3 do not maintain control over user and group IDs, two or more users can
have the same UID, and receive and read each other's mail.