> >> If you're worried about either of those scenarios, set up a separate
> >> account for your email alerts.
> >
> > I like the separate account idea. Any tips on locking it down? Maybe
> > that account on the mail server should somehow only be allowed to
> > deliver to a single email address (mine)? Would it need a shell
> > account? Certainly not allowed in sshd_config.
> >
>
> It depends on how you're authenticating. We've got our users in
> Postgres, and postfix uses Dovecot's SASL backend to auth. That way a
> "user" is just an email address/password combination and can't do
> anything except send/receive mail.
>
> The general defense against hacked user accounts is to do rate-limiting
> on the MTA with something like postfwd, and at least notify postmaster
> if someone begins sending hundreds of messages. That way if a user gets
> hacked, you find out about it and can disable them.
>
> In this case I wouldn't even worry about it. If someone can log on to
> your server and read the msmtp config, you've already got a big problem.
> The real benefit to using a separate account is that if that does
> happen, they can't see Grant's personal email password (which is
> essentially the keys to the kingdom).
|
I was planning on having the alerts sent from each system via my privileged
account on the mail server which means storing that password in the msmtp
config file on each system. If I instead set up a separate account for
alerts and lock that account down so it can only send email to my own
address, I can flaunt that password around all I want because it can only
be used to send email to me, correct?
|
By the way, is it considered safe to use my own privileged account on the
mail server to send mail from a good local mail client if I use SSL/TLS in
transmission?
|
> Another thing you might consider is getting added to the feedback loops
> of some major providers. When one of our users gets hacked, I find out
> quickly because AOL sends me a copy of every message that they get from
> us which is marked as junk. This is a Good Idea anyway, and mitigates
> the stolen-password problem in that unlikely event.
|
That sounds like a really good idea. Is there an industry-standard term I
could use in a search to figure out how to get the providers (Google,
Yahoo, AOL?) to set me up this way?
|
- Grant |
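
Added example, not part of the original message or written by either correspondent: the "notify postmaster if someone begins sending hundreds of messages" idea from the quoted reply, done as a check over the Postfix mail log rather than with postfwd. The log lines are constructed samples in the form Postfix smtpd uses for authenticated submissions (`sasl_username=`); the account names, the threshold and the assumed log year are placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd logs one such line per message accepted from a SASL-authenticated client.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: \w+: "
    r"client=\S+, sasl_method=\S+, sasl_username=(?P<user>\S+)"
)

def noisy_senders(lines, limit=100, window_s=3600, year=2024):
    """Return {sasl_username: peak count} for every account that exceeds
    `limit` authenticated submissions within any sliding `window_s` seconds."""
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authenticated submission
        # Classic syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["user"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > limit:
            peaks[m["user"]] = max(peaks.get(m["user"], 0), len(q))
    return peaks

def sample_log():
    """Constructed input: the alerts account sends 2 messages, then a second
    account sends 150 messages two seconds apart."""
    tmpl = ("{t} mx postfix/smtpd[4242]: {q:010X}: client=unknown[203.0.113.9], "
            "sasl_method=PLAIN, sasl_username={u}")
    start = datetime(2024, 3, 1, 1, 0, 0)
    stamps = [(start + timedelta(minutes=30 * i), "alerts@example.com") for i in range(2)]
    burst = start + timedelta(hours=1)
    stamps += [(burst + timedelta(seconds=2 * i), "user@example.com") for i in range(150)]
    return [tmpl.format(t=t.strftime("%b %d %H:%M:%S"), q=n, u=u)
            for n, (t, u) in enumerate(stamps)]

if __name__ == "__main__":
    for user, peak in noisy_senders(sample_log()).items():
        print(f"notify postmaster: {user} sent {peak} messages within an hour")
```

A low `limit` for the dedicated alerts account makes a stolen msmtp password show up quickly, since that account normally sends only a handful of messages.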