I am trying to add/make a new security policy for the courier mail server. Sendmail is easy compared with qmail or courier. This will also be a good learning experiance for me (and others) to go through the thinking behind creating a security policy. I am not a courier expert, but I think selinux and courier would be good togther.
courier stuff See http://www.nsa.gov/selinux/doc/policy/policy.html I was think about at least three domains for smtp. One for the input modules, one for submit/courierd, and one for the output modules. The issues here are we want to isolate any IO modules from the queue AND isolate any modules that have suid. What I need to know is which executable accesses what files/dirs? What are the transitions, what modules call/execute what other modules? A state diagram of the basic courier process would be great? I the FUTURE I would want to add TLS certs auth, the pop3 and imap daemons with auth, and then the web configuration and web email. I courier does have selinux support then it could become one of the most secure mail systems. selinux stuff The problem is how fine grained a security policy I should make? Should every processes have a seperate policy or should the whole package be one security? Should the certs be protected more than other parts? Courier writes to the users Maildir in their home dir, only courier_local writes to users dir. ???? Background: Courier is a all inclusive mails server. It is like qmail with different processes doing different tasks. It also has imap,pop3 secure imap,pop3 also. It has a web interface to help with configuration. And webmail client. File structure /etc/courier courier_conf_t configuration files /var/spool/courier courier_spool_t spool directories for courier /var/spool/courier/msgq courier_msgq_t /var/spool/courier/msgs courier_msgs_t /var/spool/courier/authdaemon /usr/lib/courier courier_t courier /usr/lib/courier/bin courier_bin_t /usr/lib/courier/sbin courier_sbin_t /usr/lib/courier/share courier_share_t /usr/lib/courier/share/rootcerts courier_certs_t esmtp, imap, pop3 certs for SSL /usr/lib/courier/share/htmldoc Running processes: courierd main daemon courier_daemon_t courierXXXX transport daemons courier_trans_t courieresmtp input daemon courier_esmtp_t authdaemon authorize connections courier_auth_t couriertcpd courier tcpd courier_tcpd_t pop3d, pop3d-ssl, imapd, imapd-ssl courier_XXXX_t courierfilter spam killer (not used now) courier_filter_t _______________________________________________ courier-users mailing list [EMAIL PROTECTED] Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
