On 12/05/2012 01:43 AM, Grant wrote:
>>
>> I switched to msmtp when nbsmtp was treecleaned. The switch was
>> uneventful; it just works, which is high praise.
>>
>> You can't encrypt your password unless you're going to be physically
>> present to decrypt it (with some other password). If your machine is
>> physically secure, you can just make the msmtp config file read-only to
>> yourself. If someone can log in as you, they can get your password
>> anyway. There's only a risk if e.g. you're not root, or someone else can
>> get root (access to grub) or walk off with the hard drive.
>>
>> If you're worried about either of those scenarios, set up a separate
>> account for your email alerts.
>
> I like the separate account idea. Any tips on locking it down? Maybe
> that account on the mail server should somehow only be allowed to
> deliver to a single email address (mine)? Would it need a shell
> account? Certainly not allowed in sshd_config.
>
|
It depends on how you're authenticating. We've got our users in
Postgres, and postfix uses Dovecot's SASL backend to auth. That way a
"user" is just an email address/password combination and can't do
anything except send/receive mail.
|
The general defense against hacked user accounts is to do rate-limiting
on the MTA with something like postfwd, and at least notify postmaster
if someone begins sending hundreds of messages. That way if a user gets
hacked, you find out about it and can disable them.
|
In this case I wouldn't even worry about it. If someone can log on to
your server and read the msmtp config, you've already got a big problem.
The real benefit to using a separate account is that if that does
happen, they can't see Grant's personal email password (which is
essentially the keys to the kingdom).
|
Another thing you might consider is getting added to the feedback loops
of some major providers. When one of our users gets hacked, I find out
quickly because AOL sends me a copy of every message that they get from
us which is marked as junk. This is a Good Idea anyway, and mitigates
the stolen-password problem in that unlikely event.
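
Added example, not part of the original message: a log-side version of the "notify postmaster if someone begins sending hundreds of messages" idea, counting messages per SASL account in a sliding window. It assumes Postfix smtpd log lines of the shape shown in the constructed sample; the threshold, window, addresses and `flag_bursts` name are illustrative, and it only reports, it does not rate-limit the way postfwd does.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log shape: Postfix smtpd logs a line like this for each message
# queued from an authenticated client (smtpd or submission/smtpd service).
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/\S*smtpd\[\d+\]: "
                  r"\w+: client=.*?sasl_username=([^,\s]+)")

def flag_bursts(lines, limit=100, window=timedelta(hours=1), year=2012):
    """Return {sasl_username: peak count} for every account that sent more
    than `limit` messages inside any sliding `window`. Classic syslog
    timestamps carry no year, so the caller supplies one."""
    recent = defaultdict(deque)  # account -> timestamps still in the window
    peaks = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not an authenticated-submission line
        stamp, user = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[user]
        q.append(when)
        while when - q[0] > window:  # drop entries older than the window
            q.popleft()
        if len(q) > limit:
            peaks[user] = max(peaks.get(user, 0), len(q))
    return peaks

def sample_log():
    """Constructed sample: a quiet alerts account and a second account
    sending one message every 10 seconds (addresses and IPs are made up)."""
    start = datetime(2012, 12, 5, 1, 0, 0)
    def entry(when, user, ip):
        return (f"{when:%b %d %H:%M:%S} mail postfix/smtpd[2301]: 4F1A2C0D3E: "
                f"client=unknown[{ip}], sasl_method=PLAIN, sasl_username={user}")
    quiet = [entry(start + timedelta(minutes=20 * i), "alerts@example.org",
                   "192.0.2.10") for i in range(3)]
    noisy = [entry(start + timedelta(seconds=10 * i), "bob@example.org",
                   "203.0.113.7") for i in range(150)]
    return quiet + noisy

if __name__ == "__main__":
    for user, peak in flag_bursts(sample_log()).items():
        print(f"notify postmaster: {user} sent {peak} messages within 1h")
```

Keeping the alert sender on its own account, as suggested in the thread, also keeps its normal volume low enough that a threshold like this is easy to set.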