Making Outlook Less Insecure
If, even after the recent SoBig and Blaster attacks, your users insist on running Outlook or Outlook Express, Carla Schroder feels your pain. For the sake of your sanity, here's a list of tips and tricks you can implement to counter the mail client's 'Swiss cheese' approach to security.
I know, bringing this up now is like locking the barn after the horse has already been stolen. Still, as crazy as it sounds, once the smoking rubble of SoBig has been cleared away there may still be a few people who want to continue using Outlook or Outlook Express. For the overworked, harassed system administrator who has to deal with the onerous mail client, here are some steps that can be taken to mitigate Outlook's indiscriminate friendliness with every bit of malware that wanders down the pike.
Securing MS Exchange
First of all, in my not-so-humble opinion, the only reason to use Outlook is for its groupware features, and only then when it's used on an Exchange intranet that is well walled-off from the outside world. Exposing Exchange directly to the Internet is a very bad idea.
An increasingly popular method of keeping Exchange away from the world at large is to build a gateway with Postfix. Postfix filters the bad stuff out and passes wanted mail to Exchange, which then distributes it to users. As a result, Exchange hides behind Postfix, protected and secure.
The best Postfix tutorial I've come across is Brian Hatch's excellent four-part series on SecurityFocus, "Filtering E-Mail with Postfix and Procmail." Hatch does a marvelous job describing Postfix's built-in filtering features in depth, and also teaches procmail — procmail is mighty powerful, but learning to write procmail rules can drive even the best of sysadmins to drink. Finally, Hatch also shows how to integrate SpamAssassin or Vipul's Razor into the works.
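As an added illustration of the gateway arrangement described above (this is not configuration from the article or from Hatch's tutorial), here is a minimal Postfix setup that relays only for the internal domain, hands accepted mail to the Exchange host on the inside, and uses Postfix's built-in header inspection to reject executable attachment types before they reach Exchange. The domain example.com, the hosts gateway.example.com and exchange.internal, the network ranges and the mailbox names are assumed placeholders.

```conf
# /etc/postfix/main.cf on the gateway (hostnames, domain and networks are assumed placeholders).
# Postfix comments must start at the beginning of a line, so none are placed after values.
myhostname = gateway.example.com
# The gateway delivers no local mail itself; everything for our domain is relayed inward.
mydestination =
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport
# Accept only recipients Exchange actually knows. Without this the gateway accepts mail
# for every invented user and then bounces it, turning the gateway into a backscatter source.
relay_recipient_maps = hash:/etc/postfix/relay_recipients
# Inside hosts (including Exchange) may relay outbound; everyone else only to relay_domains.
mynetworks = 127.0.0.0/8, 192.168.1.0/24
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
# Inspect MIME part headers of every message, inbound and outbound, for dangerous attachments.
mime_header_checks = regexp:/etc/postfix/mime_header_checks
# Cap message size so a worm's attachment flood cannot fill the queue.
message_size_limit = 10240000

# /etc/postfix/transport: route our domain to the internal Exchange server.
# The brackets suppress the MX lookup. Run "postmap /etc/postfix/transport" after editing.
example.com    smtp:[exchange.internal]

# /etc/postfix/relay_recipients: one line per valid mailbox (constructed sample entries).
# Run "postmap /etc/postfix/relay_recipients" after editing.
alice@example.com    OK
bob@example.com      OK

# /etc/postfix/mime_header_checks: reject any MIME part whose file name ends in an
# executable extension. $2 is the attachment name captured by the second group.
/^[[:space:]]*Content-(Disposition|Type).*name[[:space:]]*=[[:space:]]*"?(.+\.(exe|pif|scr|bat|com|cmd|vbs|vbe|js|jse|lnk|reg|wsf|wsh))"?[[:space:]]*(;|$)/ REJECT Attachment type not allowed: "$2"
```

Because mime_header_checks runs on outbound mail from the inside as well, the same rule stops an infected desktop behind the gateway from spraying executables at the rest of the Internet.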
For anyone looking for an MS Exchange replacement, I recommend SuSE's OpenExchange. It's a great choice for those in need of strong groupware features, good performance, and immunity to the vast majority of email viruses. I personally think it is the best of all groupware/email servers. (See Resources for additional information on OpenExchange.)
It's best to nail viruses before they get anywhere near Exchange or Outlook. There are a number of solid anti-virus apps that run with Postfix. RAV Antivirus is my personal favorite, but its future is uncertain with Microsoft recently purchasing the virus scanner's parent company — the rumor is that Microsoft will simply kill RAV Antivirus off. I don't know for sure what will happen, but I do entertain dark thoughts.
Not to worry, though, as Kaspersky, Vexira MailArmor, and Amavis are all good. In fact, there is no shortage of viable anti-virus programs for Postfix, or for that matter, any Linux mail transfer agent (MTA).
Next, make sure to add an iptables firewall to the mix in order to trap outgoing malicious packets in case your defenses are ever compromised. The least you can do is not be a source of contagion. Again, I refer to the excellent Brian Hatch article, "Egress Filtering for a Healthier Internet" (see Resources).
August 04, 2003
Make no mistake about it -- spam and viruses are deliberate, malicious assaults on our systems that often work together to penetrate and compromise our networks. Carla Schroder's new series takes a look at server-level and client-side defenses for defeating the two-headed monster.