Product SiteDocumentation Site

5.6. Reforzando el servidor de correo

Si su servidor no es un sistema de correo, usted realmente no necesita tener un demonio de correo escuchando conexiones entrantes, pero usted podría querer envío de correo local, por ejemplo para recibir el correo del usuario Root desde cualquier sistema de alerta que usted tenga en algún lugar.
If you have exim you do not need the daemon to be working in order to do this since the standard cron job flushes the mail queue. See Sección 3.5.1, “Deshabilitar servicios” on how to do this.

5.6.1. Configuring a Nullmailer

You might want to have a local mailer daemon so that it can relay the mails sent locally to another system. This is common when you have to administer a number of systems and do not want to connect to each of them to read the mail sent locally. Just as all logging of each individual system can be centralized by using a central syslog server, mail can be sent to a central mailserver.
Such a relay-only system should be configured properly for this. The daemon could, as well, be configured to only listen on the loopback address.
The following configuration steps only need to be taken to configure the exim package in the Debian 3.0 release. If you are using a later release (such as 3.1 which uses exim4) the installation system has been improved so that if the mail transport agent is configured to only deliver local mail it will automatically only allow connections from the local host and will not permit remote connections.
In a Debian 3.0 system using exim, you will have to remove the SMTP daemon from inetd:
$ update-inetd --disable smtp
y configurar el demonio de correo solo para escuchar en la interfaz loopback. En exim (el MTA por defecto) usted puede hacer esto añadiendo la siguiente línea editando: /etc/exim.conf y añadiendo la siguiente linea:
local_interfaces = "127.0.0.1"
Reinicie ambos demonios (inetd y exim) y estarán escuchando en el socket 127.0.0.1:25 solamente. Sea cuidadoso, y primero desconecte inetd, de lo contrario, exim no iniciara ya que el demonio inetd está manejando las conexiones entrantes.
Para usar postfix edite /etc/postfix/main.conf:
inet_interfaces = localhost
Si usted solo quiere un correo local, este metodo es mejor que usar la cubierta tcp-wrapping al demonio de correo o añadir las reglas del cortafuego para limitar el acceso de cualquier persona a este. Sin embargo, si necesita que escuche en otras interfaces, debería considerar lanzarlo desde inetd y añadir un tcp-wraping de forma que las conexiones sean revisadas contra /etc/hosts.allow y /etc/hosts.deny también será advertido cuando un acceso no autorizado está atentando en contra de su demonio de correo, usted debe instaurar un registrador apropiado para cualquiera de los metodos mencionados anteriormente.
In any case, to reject mail relay attempts at the SMTP level, you can change /etc/exim/exim.conf to include:
receiver_verify = true
Even if your mail server will not relay the message, this kind of configuration is needed for the relay tester at http://www.abuse.net/relay.html to determine that your server is not relay capable.
If you want a relay-only setup, however, you can consider changing the mailer daemon to programs that can only be configured to forward the mail to a remote mail server. Debian provides currently both ssmtp and nullmailer for this purpose. In any case, you can evaluate for yourself any of the mail transport agents [36] provided by Debian and see which one suits best to the system's purposes.

5.6.2. Providing secure access to mailboxes

If you want to give remote access to mailboxes there are a number of POP3 and IMAP daemons available.[37] However, if you provide IMAP access note that it is a general file access protocol, it can become the equivalent of a shell access because users might be able to retrieve any file that they can through it.
Try, for example, to configure as your inbox path {server.com}/etc/passwd if it succeeds your IMAP daemon is not properly configured to prevent this kind of access.
Of the IMAP servers in Debian the cyrus server (in the cyrus-imapd package) gets around this by having all access to a database in a restricted part of the file system. Also, uw-imapd (either install the uw-imapd or better, if your IMAP clients support it, uw-imapd-ssl) can be configured to chroot the users mail directory but this is not enabled by default. The documentation provided gives more information on how to configure it.
Also, you might want to run an IMAP server that does not need valid users to be created on the local system (which would grant shell access too), courier-imap (for IMAP) and courier-pop, teapop (for POP3) and cyrus-imapd (for both POP3 and IMAP) provide servers with authentication methods beside the local user accounts. cyrus can use any authentication method that can be configured through PAM while teapop might use databases (such as postgresql and mysql) for user authentication.
FIXME: Check: uw-imapd might be configured with user authentication through PAM too.

5.6.3. Recibiendo Correo de forma segura

Leer/recibir correo es el protocolo más común de texto plano. Si usted usa POP3 o IMAP para obtener su correo, la contraseña es enviada en texto plano a través de la red, de modo que casi cualquiera podría leer su correo a partir de ahora. En lugar de esto, use SSL (Capa segura de Sockets) para recibir su correo. La otra alternativa es ssh, si tiene una cuenta shell en la máquina que actua como el servidor POP o IMAP. Este es un ejemplo básico fetchmailrc para demostrar esto:
poll my-imap-mailserver.org via "localhost"
 with proto IMAP port 1236
 user "ref" there with password "hackme" is alex here warnings 3600
 folders
 .Mail/debian
 preconnect 'ssh -f -P -C -L 1236:my-imap-mailserver.org:143 -l ref
 my-imap-mailserver.org sleep 15 </dev/null > /dev/null'
La preconexión es la línea más importante. Este lanza una sesión ssh y crea el tunel necesario, el cual automaticamente envía las conexiones para tener acceso a localhost puerto 1236 al servidor de correo IMAP, pero codificado. Otra posibilidad seria, usar el fetchmail con la caracteristica ssl.
Si usted quiere suministrar un servicio de correo codificado como POP e IMAP,apt-get install stunnel e inicie sus demonios de esta es la forma:
stunnel -p /etc/ssl/certs/stunnel.pem -d pop3s -l /usr/sbin/popd
Este comando encapsula al demonio proveido (-l) en el puerto (-d) y usa el certificado ssl especificado (-p).


[36] To retrieve the list of mailer daemons available in Debian try:
$ apt-cache search mail-transport-agent
The list will not include qmail, which is distributed only as source code in the qmail-src package.
[37] A list of servers/daemons which support these protocols in Debian can be retrieved with:
$ apt-cache search pop3-server
$ apt-cache search imap-server