Miscellaneous Services

From linsec.ca

There are a number of services that come bundled on any Linux or OS X system. Using them can be fairly straightforward most of the time, but not always. Some are easy to use, but managing security, or increasing security, may be a little obscure. In other cases, certain functionality that can increase security needs to be configured and can be somewhat difficult to accomplish. Here we will attempt to look at alternate ways to configure services, perhaps shed a little light on good ways to configure services, and so forth.

Mail (MTA) Servers

There are usually four MTA (Mail Transport Agent) servers that come pre-installed or are easily available on *NIX systems. Depending on what Linux or UNIX distribution you are using, you may have one or another default MTA installed. Of course, you can always change the default to something you prefer or are more accustomed to. Typically, the four servers that are most often in use are sendmail, postfix, qmail, and exim. Each has its own strengths and weaknesses. There is also a plethora of commercial offerings out there. However, if you're looking for something powerful, on the cheap, and open source, these are your best bets.

For those who have been managing mail servers for a while, Sendmail may be what you're accustomed to. I don't really have anything nice to say about sendmail, and would only recommend using it if you're familiar with it, need to get something set up quickly, and don't feel like re-training yourself to use something better. Beyond that, sendmail has had a pretty spotty security history, and I would recommend avoiding it, although others may disagree with this sentiment.

Postfix was designed with security in mind, and while it's had a few security problems in the past, it is an extremely robust and secure package. It has additional security features like the ability to run in a chroot, which helps limit exposure of the surrounding system should a problem occur. It is also quite flexible. Postfix is very well-liked and well-respected software, and is the default MTA on many operating systems such as Mandrakelinux and OS X.

qmail is rarely installed by default due to its licensing; however, many people remove the default MTA on their operating system and replace it with qmail. qmail has had an unblemished security history, and its design is very secure. It runs different delivery and processing tasks under different system users, so if a problem did occur in any one part of the delivery system, only a small part of the overall operation would be affected. It operates on the premise of least-permission, which is refreshing. Unfortunately, qmail is not in active development. It lacks a great number of features found in other popular MTA packages, such as the ability to interact with databases such as LDAP or MySQL. It does not have the ability to do SMTP AUTH or TLS/SSL. If you need a secure and fairly simple MTA, qmail may be right for you.

Finally, Exim was not designed primarily with security in mind, but it is also a very secure MTA. It has had a few security issues in the past but, like those in Postfix, they were quickly fixed. Exim comes with some distributions, like Debian, by default. It offers a great number of features and an extremely high level of flexibility. It is perhaps one of the most customizable MTAs available and is quite reliable.

Depending upon your requirements and needs, using the default MTA provided with your operating system may be sufficient. However, if you plan on running an MTA for domain hosting or any purpose other than a simple local mail relay, you may wish to look at the alternatives available.

Here are some documents that discuss various configuration options or setups for the different MTAs discussed above:

Super Servers

There are a number of "super servers" available that listen on network sockets and hand incoming connections off to the real programs. The original "super server" was inetd, which has been pretty much obsoleted by xinetd in a number of recent Linux distributions. Even OS X comes with xinetd. Another, less well known "super server" is tcpserver, which was written by the author of qmail.

Inetd was replaced for a reason. It did its job reasonably well but was not at all secure. xinetd, by contrast, is far more secure than inetd ever was. tcpserver, on the other hand, is just as secure as xinetd, if not more so, although setting up tcpserver-controlled services is a little more difficult than with xinetd.
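
The hand-off a super server performs, as an added example (not code from the original page, nor from inetd, xinetd or tcpserver): the listener accepts the connection, checks the peer against an allow-list before any service code runs, then starts the real program with the socket as its stdin and stdout. The allow-list, the handler and all function names are assumptions made for illustration; the `TCPREMOTEIP` variable follows tcpserver's environment convention.

```python
import ipaddress
import os
import socket
import subprocess
import sys
import threading

# Assumed policy for this example: only loopback clients are served.
ALLOWED_NETS = [ipaddress.ip_network("127.0.0.0/8")]

def is_allowed(peer_ip, nets=ALLOWED_NETS):
    """Access check performed by the super server, not by the service."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in nets)

def serve_once(listener, argv, nets=ALLOWED_NETS):
    """Accept one connection and hand it to the program in argv."""
    conn, (peer_ip, _port) = listener.accept()
    with conn:
        if not is_allowed(peer_ip, nets):
            return False  # dropped before the handler is ever started
        # The handler sees the socket as fd 0 and fd 1 and needs no network
        # code. argv is a list (no shell), and the listening socket is not
        # inherited because Python marks its descriptors non-inheritable.
        subprocess.run(argv, stdin=conn.fileno(), stdout=conn.fileno(),
                       env={**os.environ, "TCPREMOTEIP": peer_ip}, check=False)
        return True

def demo(nets=ALLOWED_NETS):
    """Constructed round trip: one client line through a trivial handler."""
    handler = [sys.executable, "-c",
               "import sys; sys.stdout.write(sys.stdin.readline().upper())"]
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
        listener.listen(1)
        worker = threading.Thread(target=serve_once,
                                  args=(listener, handler, nets))
        worker.start()
        try:
            with socket.create_connection(listener.getsockname()) as client:
                client.sendall(b"hello\n")
                reply = client.makefile("rb").readline()
        except ConnectionError:
            reply = b""  # a refused peer may see a reset instead of EOF
        worker.join()
    return reply

if __name__ == "__main__":
    print(demo())
```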

DNS Servers

...
