vttranlina commented on a change in pull request #835: URL: https://github.com/apache/james-project/pull/835#discussion_r781959438
########## File path: server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc ########## @@ -0,0 +1,178 @@ += Security checklist +:navtitle: Security checklist + +This document aims as summarizing threats, security best practices as well as recommendations. + +== Threats + +Operating an email server exposes you to the following threats: + + - Spammers might attempt to use your servers to send their spam messages on their behalf. We speak of +*open relay*. In addition to the resources consumed being an open relay will affect the trust other mail +installations have in you, and thus will cause legitimate traffic to be rejected. + - Emails mostly consist of private data, which shall only be accessed by their legitimate user. Failure +to do so might result in *information disclosure*. + - *Email forgery*. An attacker might craft an email on the behalf of legitimate users. + - Email protocols allow user to authenticate and thus can be used as *oracles* to guess user passwords. + - *Spam*. Non legitimate traffic can be a real bourbon to your users. + - *Denial of service*: A small request may result in a very large response and require considerable work on the server... + - *Denial of service*: A malicious JMAP client may use the JMAP push subscription to attempt to flood a third party +server with requests, creating a denial-of-service attack and masking the attacker’s true identity. + +== Best practices + +The following sections ranks best practices. + +=== Best practices: Must + + - 1. Configure James in order not to be an xref:configure/smtp.adoc#_about_open_relays[open relay]. This should be the +case with the default configuration. + +Be sure in xref:configure/smtp.adoc[smtpserver.xml] to activate the following options: `verifyIdentity`. + +We then recommend to manually test your installation in order to ensure that: + + - Unauthenticated SMTP users cannot send mails to external email addresses (they are not relayed) + - Unauthenticated SMTP users can send mails to internal email addresses + - Unauthenticated SMTP users cannot use local addresses in their mail from, and send emails both locally and to distant targets. + + - 2. Avoid *STARTTLS* usage and favor SSL. Upgrade from a non encrypted channel into an encrypted channel is an opportunity +for additional vulnerabilities. This is easily prevented by requiring SSL connection upfront. link:https://nostarttls.secvuln.info/[Read more...] + +Please note that STARTTLS is still beneficial in the context of email relaying, which happens on SMTP port 25 unencrypted, +and enable opportunistic encryption upgrades that would not overwise be possible. We recommend keeping STARTTLS activated +for SMTP port 25. + + - 3. Use SSL for xref:configure/mailets.adoc#_remotedelivery[remote delivery] whenever you are using a gateway relaying SMTP server. + + - 4. Rely on an external identity service, dedicated to user credential storage. James supports xref:configure/usersrepository.adoc#_configuring_a_ldap[LDAP]. If you are +forced to store users in James be sure to choose `PBKDF2` as a hashing algorithm. Also, delays on authentication failures +are supported via the `verifyFailureDelay` property. Note that IMAP / SMTP connections are closed after 3 authentication +failures. + + - 5. Ensure that xref:configure/webadmin.adoc[WebAdmin] is not exposed unencrypted to the outer world. Doing so trivially +exposes yourself. You can either disable it, activate JWT security, or restrict it to listen only on localhost. + + - 6. Set up `HTTPS` for http based protocols, namely *JMAP* and *WebAdmin*. We recommend the use of a reverse proxy like Nginx. + + - 7. Set up link:https://james.apache.org/howTo/spf.html[SPF] and link:https://james.apache.org/howTo/dkim.html[DKIM] +for your outgoing emails to be trusted. + + - 8. Prevent access to JMX. This can be achieved through a strict firewalling policy +(link:https://nickbloor.co.uk/2017/10/22/analysis-of-cve-2017-12628/[blocking port 9999 is not enough]) +or xref:configure/jmx.adoc[disabling JMX]. JMX is needed to use the existing CLI application but webadmin do offer similar +features. + + - 9. If JMAP is enabled, be sure that JMAP PUSH cannot be used for server side request forgery. This can be +xref:configure/jmap.adoc[configured] using the `push.prevent.server.side.request.forgery=true` property, +forbidding push to private addresses. + +=== Best practice: Should + + - 1. Avoid advertising login/authenticate capabilities in clear channels. This might prevent some clients to attempt login +on clear channels, and can be configured for both xref:configure/smtp.adoc[SMTP] and xref:configure/imap.adoc[IMAP] +using `auth.plainAuthEnabled=false`. + + - 2. Verify link:https://james.apache.org/howTo/spf.html[SPF] and xref:configure/mailets.adoc#_dkimverify[DKIM] for your incoming emails. + + - 3. Set up reasonable xref:operate/webadmin.adoc#_administrating_quotas[storage quota] for your users. + + - 4. We recommend setting up anti-spam and anti-virus solutions. James comes with some xref:configure/spam.adoc[SpamAssassin] +integration, and some experimental, insufficiently tested xref:configure/mailets.adoc#_clamavscan[ClamAV] tooling exisits. +Filtering with third party systems upstream is also possible. + + - 5. In order to limit your attack surface, disable protocols you or your users do not use. This includes the JMAP protocol, +POP3, ManagedSieve, etc... Be conservative on what you expose. + +=== Best practice: Could + + - 1. Set up link:https://openid.net/connect/[OIDC] for IMAP, SMTP and JMAP. Disable login/plain/basic authentication. + + - 2. You can configure xref:configure/ssl.adoc#_client_authentication_via_certificates[Client authentication via certificates]. Review comment: I can't access to href link from Github. (Page not found) It redirects to `https://github.com/apache/james-project/blob/900c2181b650653e49eea3ef3ff0a0bb61668b51/server/apps/distributed-app/docs/modules/ROOT/pages/operate/configure/ssl.adoc#_client_authentication_via_certificates` The correct path should be `pages/operate/configure/ssl.adoc` -> `pages/configure/ssl.adoc` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
