OpenSMTPD makes mail server configuration easy

Scrutinized

Header or Not?

Others suggest [4] including an additional SMTP header via the configuration file: X-AV-Checked: ClamAV using ClamSMTP . For testing purposes, this is fine, but a production environment – where attackers can easily discover that a virus scanner is running and even identify the scanner – rules this approach out, at least for outgoing email. Virus scanners can also be victims of attacks; just think of zip bombs. You might argue that concealing the scanner type is only security by obscurity; on the other hand, hiding a potential attack vector will certainly not detract from your overall security posture.

Anyone who is that paranoid will want to operate two email servers anyway: one that only accepts mail from external sources, the other scans. If you are still worried about a breach through the scanner, you can use a third computer to host the mailboxes. Email worth protecting can thus be isolated really well in IMAP mailboxes.

There is also a legal argument against the note header: A recipient could understand it as an indication that the email is safe and virus free and therefore stop exercising caution. However, all virus scanners are only as good as their last signature update (freshclam does this for ClamAV via a cronjob, by the way). There is always a risk that malware can slip through. Depending on the legal interpretation, a note header could mean liability.

Spam Filter

A configuration guide for SpamAssassin [8] is available for anyone wanting to filter spam as well as malware. Caution is advised here: Mail server experts regularly warn against just getting rid of spam. It is more sensible to move it into a spam folder where users can look at the suspect email, as required. No filters are perfect, and incorrectly filtered business email could cause exposure.

I take an even stricter legal view: Excessive filtering is a crime. It violates confidentiality of telecommunications legislation – if it exists in your locality – by suppressing correspondence. Others might think that local mail server users, if they agree to filtering, have given consent, thus ruling out any legal worries. However, the senders of email that are filtered out by a server cannot give their consent, and they are protected by the same legislation.

Conclusions and a Look at BSD

As this short guide has shown, OpenSMTPD is an email transfer agent that is both extremely simple to configure and sufficiently powerful. It appears to be much more clear-cut than the established players on the Linux platform. Those who do not have years of experience with Sendmail will achieve their objective much more quickly with OpenSMTPD.

OpenSMTPD users who also choose the OpenBSD operating system will benefit from spamd, which is tied to the firewall and thus not portable, to fight spam. Spamd is a smart and efficient gray-listing solution with a tarpit.

The Author

Upper Bavarian Tobias Eggendorfer is a professor for IT security at Weingarten University, as well as a freelance IT consultant specializing in security and IT forensics. He is also qualified as a privacy officer.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus