Protecting Postfix with AppArmor
Server Training - Mail Server

If you run Postfix on a distribution that ships AppArmor, such as SUSE, Debian or Ubuntu, you can use AppArmor to confine it. AppArmor is a mandatory access control system that limits what a process can touch: a profile lists the files, capabilities and other resources a program needs in order to function, together with the kind of access each one is granted (read, write, execute, mmap and so on), and the kernel denies anything outside that list. A confined program that is compromised can therefore only reach what its profile allows. To get this protection you need a profile for each program you want to confine.


A server that hosts many applications also hosts software flaws that nobody has found yet, and those flaws are the entry points an attacker uses. A vulnerability that is exploited before the vendor has released a fix, so that defenders have had zero days to patch, is called a zero-day. AppArmor does not stop such an exploit from running, but it limits the damage: whether the vulnerability is known or not, the compromised process is still held to the files, capabilities and other resources its profile allows, so an attacker who takes over Postfix cannot use it to read or write arbitrary parts of the system.


Install AppArmor

On Ubuntu there is nothing to install: AppArmor is part of the default system. The problem is that the default install confines very little, so you have to add profiles yourself. Even in the current Intrepid Ibex release (Ubuntu 8.10) only cups, bind, mysql and slapd ship with profiles; the desktop also carries a profile for the gdm Xsession. Postfix is not among them.

Check the status of AppArmor

Checking the status as root lists the loaded profiles and the mode each one is in. Complain mode logs every access the profile would have blocked but still allows it, so you can see what enforcement would do without breaking the service; it is a warning-only mode. Enforce mode means the kernel actually blocks any access the profile does not permit. Note in the output below that every profile is still in complain mode and none of them is being enforced.

sudo apparmor_status

# apparmor_status
apparmor module is loaded.
5 profiles are loaded.
0 profiles are in enforce mode.
5 profiles are in complain mode.
/usr/sbin/mysqld
/usr/sbin/slapd
/usr/sbin/cupsd
/usr/sbin/named
/usr/lib/cups/backend/cups-pdf
3 processes have profiles defined.
0 processes are in enforce mode :
3 processes are in complain mode.
/usr/sbin/cupsd (4613)
/usr/sbin/named (4398)
/usr/sbin/mysqld (4518)
0 processes are unconfined but have a profile defined.
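As an added example, not from the original page, here is a small POSIX shell script that parses apparmor_status output in the layout shown above and lists the profiles that are still in complain mode together with the running processes confined under them. That is the check you want after adding profiles: anything that is loaded but not enforced is not protecting anything yet. The status text embedded in the script is a constructed sample matching the output above; on a real host pipe apparmor_status into the same functions.

```shell
#!/bin/sh
# Added example (not from the original page): find AppArmor profiles that
# are loaded but still in complain mode, i.e. not yet enforcing anything.
# Usage on a live host:  apparmor_status | complain_profiles

# Constructed sample of apparmor_status output, in the layout shown above.
SAMPLE_STATUS='apparmor module is loaded.
5 profiles are loaded.
0 profiles are in enforce mode.
5 profiles are in complain mode.
/usr/sbin/mysqld
/usr/sbin/slapd
/usr/sbin/cupsd
/usr/sbin/named
/usr/lib/cups/backend/cups-pdf
3 processes have profiles defined.
0 processes are in enforce mode :
3 processes are in complain mode.
/usr/sbin/cupsd (4613)
/usr/sbin/named (4398)
/usr/sbin/mysqld (4518)
0 processes are unconfined but have a profile defined.'

# complain_profiles: read apparmor_status text on stdin and print the
# profile paths listed under "profiles are in complain mode", one per line.
complain_profiles() {
    awk '
        /profiles are in complain mode/   { in_list = 1; next }
        /profiles are in enforce mode/    { in_list = 0 }
        /processes have profiles defined/ { in_list = 0 }
        in_list && /^\//                  { print $1 }
    '
}

# complain_processes: print "path pid" for each running process that is
# confined by a profile in complain mode.
complain_processes() {
    awk '
        /processes are in complain mode/ { in_list = 1; next }
        /processes are unconfined/       { in_list = 0 }
        in_list && /^\// {
            pid = $2
            gsub(/[()]/, "", pid)    # strip the parentheses around the pid
            print $1, pid
        }
    '
}

# count_lines: number of lines on stdin, so callers can check how many
# entries were found.
count_lines() {
    awk 'END { print NR }'
}

# Run against the constructed sample when executed directly.
echo "Profiles loaded but not enforced:"
printf '%s\n' "$SAMPLE_STATUS" | complain_profiles
echo "Processes confined only in complain mode:"
printf '%s\n' "$SAMPLE_STATUS" | complain_processes
```

The two awk filters key on the section headers apparmor_status prints, so the profile list and the process list are read independently; a process line carries its pid in parentheses, which is stripped so the output can be fed to further checks.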



Create a New Profile

To get the protection you need, you have to create a profile for every program you want to confine. AppArmor confines by executable path, so for Postfix that means more than one profile: /usr/sbin/postfix is only the control command, while the daemons that actually handle mail (master, smtpd, pickup, cleanup, qmgr, local and the others) live in the directory named by daemon_directory in main.cf (check it with postconf daemon_directory) and each need a profile of their own, as do any helpers Postfix hands mail to, such as your spam and virus filters. The walk-through below covers /usr/sbin/postfix; repeat it for the daemons.

The aa-genprof command is used to create a new profile. From a terminal, as root, use the command aa-genprof:

sudo aa-genprof executable

The first question aa-genprof asks is whether to connect to the profile repository. That repository, hosted by SUSE, collects profiles contributed by many users across different distributions. A profile written for someone else's layout has not been checked against yours and may grant more than your server needs, so do not enable it; create your own profile.

The second question will look like this:

[(S)can system log for SubDomain events] / (F)inish


At this point Postfix must be fully working, including your spam and anti-virus protection. aa-genprof puts the profile into complain mode and then reads the system log for the AppArmor events Postfix generated, so every file and program Postfix touched while you exercised it is shown to you to accept or reject. Run Postfix by sending mail through it, both inbound and outbound, so that every program and file it needs is exercised. Then select "S" to scan for new events; you will be asked whether to allow each access and, for programs Postfix executes, how to handle the transition. Do this several times, exercising more functionality each round, until a scan turns up nothing new. Then choose finish to write the profile.


sudo aa-genprof /usr/sbin/postfix

Repository: http://apparmor.test.opensuse.org/backend/api

Would you like to enable access to the
profile repository?

(E)nable Repository / (D)isable Repository / Ask Me (L)ater
Writing updated profile for /usr/sbin/postfix.
Setting /usr/sbin/postfix to complain mode.

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" button below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

Profiling: /usr/sbin/postfix

[(S)can system log for SubDomain events] / (F)inish
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.

Profiling: /usr/sbin/postfix

[(S)can system log for SubDomain events] / (F)inish
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.

Profiling: /usr/sbin/postfix

[(S)can system log for SubDomain events] / (F)inish
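What the scan step does under the hood, as an added example that is not from the original page or from the AppArmor project: each access Postfix makes in complain mode is written to the log as an AppArmor event naming the profile, the path and the permission that would have been denied, and aa-genprof turns the events you accept into profile rules. The POSIX shell script below does the same non-interactively for a constructed set of log lines (written in the kernel's apparmor="ALLOWED" event format; the paths and pids are illustrative, not captured from a real server), merging repeated accesses to one path into a single rule and wrapping the result in the skeleton aa-genprof writes for a new profile. It maps an execute access to ix (inherit the current profile) as a placeholder; the real tool asks you which execute mode to use.

```shell
#!/bin/sh
# Added example (not from the original page): turn AppArmor complain-mode
# log events for one profile into candidate profile rules, the way the
# "Scan" step of aa-genprof does interactively.
# Usage on a live host:  render_profile /usr/sbin/postfix < /var/log/messages

# Constructed sample log lines in the kernel's apparmor="ALLOWED" event
# format (ALLOWED = complain mode let it through; in enforce mode the same
# event would read DENIED). Paths and pids are illustrative.
SAMPLE_LOG='Oct  8 17:45:01 mx kernel: audit: type=1400 apparmor="ALLOWED" operation="open" profile="/usr/sbin/postfix" name="/etc/postfix/main.cf" pid=4711 comm="postfix" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct  8 17:45:01 mx kernel: audit: type=1400 apparmor="ALLOWED" operation="open" profile="/usr/sbin/postfix" name="/etc/postfix/master.cf" pid=4711 comm="postfix" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct  8 17:45:01 mx kernel: audit: type=1400 apparmor="ALLOWED" operation="open" profile="/usr/sbin/postfix" name="/etc/postfix/main.cf" pid=4712 comm="postfix" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct  8 17:45:02 mx kernel: audit: type=1400 apparmor="ALLOWED" operation="exec" profile="/usr/sbin/postfix" name="/usr/lib/postfix/master" pid=4713 comm="postfix" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Oct  8 17:45:02 mx kernel: audit: type=1400 apparmor="ALLOWED" operation="open" profile="/usr/sbin/postfix" name="/var/spool/postfix/pid/master.pid" pid=4713 comm="master" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Oct  8 17:45:03 mx kernel: audit: type=1400 apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/etc/bind/named.conf" pid=4398 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# candidate_rules PROFILE: read log lines on stdin, keep the events that
# belong to PROFILE, and print one "  path mask," rule per distinct path
# with the union of every permission letter seen for it.
candidate_rules() {
    awk -v want="$1" '
        {
            prof = ""; path = ""; mask = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^profile=/) { prof = $i }
                else if ($i ~ /^name=/) { path = $i }
                else if ($i ~ /^denied_mask=/) { mask = $i }
            }
            # strip the key= prefix and the surrounding quotes
            sub(/^[a-z_]+="/, "", prof); sub(/"$/, "", prof)
            sub(/^[a-z_]+="/, "", path); sub(/"$/, "", path)
            sub(/^[a-z_]+="/, "", mask); sub(/"$/, "", mask)
            if (prof != want || path == "" || mask == "") next
            if (!(path in masks)) { order[++n] = path; masks[path] = "" }
            for (j = 1; j <= length(mask); j++) {
                c = substr(mask, j, 1)
                if (index(masks[path], c) == 0) masks[path] = masks[path] c
            }
        }
        END {
            for (k = 1; k <= n; k++) {
                m = masks[order[k]]
                # a bare x is not valid in a profile: use ix (inherit this
                # profile) as the placeholder; aa-genprof asks which to use
                gsub(/x/, "ix", m)
                printf "  %s %s,\n", order[k], m
            }
        }
    '
}

# render_profile PROFILE: wrap the candidate rules in the skeleton
# aa-genprof writes for a new profile (the same shape as the basic
# Postfix profile shown on this page).
render_profile() {
    printf '#include <tunables/global>\n\n%s {\n  #include <abstractions/base>\n  %s mr,\n\n' "$1" "$1"
    candidate_rules "$1"
    printf '}\n'
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | render_profile /usr/sbin/postfix
```

Events for other profiles (the named line in the sample) are ignored, and the two reads of main.cf collapse into one rule. What this script does not do, and aa-genprof does, is offer to generalize a path with a glob (for example /var/spool/postfix/pid/*.pid) or let you reject an access that Postfix should never have needed; review every candidate rule before it goes into the profile.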


Here is the basic Postfix profile aa-genprof writes (it lands in /etc/apparmor.d as usr.sbin.postfix); note this is only the starting point, before any scan results have been added to it.

# Last Modified: Wed Oct 8 17:42:02 2008
#include <tunables/global>

/usr/sbin/postfix {
  # shared libraries, locale data and the other things every program needs
  #include <abstractions/base>

  # mr: the binary itself may be read and mapped into memory as executable
  /usr/sbin/postfix mr,
}


Keep the profile in complain mode while you test; aa-genprof leaves it there, and this command puts it back if it has been changed. Switch it to enforce mode only once you are sure mail flows correctly and the log shows no new events.


sudo aa-complain /usr/sbin/postfix


You can change the mode to enforce with this command:


sudo aa-enforce /usr/sbin/postfix



Basic Commands
Each of these commands must be run as root.

aa-autodep   create a minimal profile for a program, seeded from the libraries it links against
aa-enforce   put a profile into enforce mode
aa-complain   put a profile into complain mode: violations are logged but not blocked
aa-audit   put a profile into audit mode: every access, allowed or denied, is logged
aa-logprof   scan the log for AppArmor events, rate each one with a severity level and offer to add the matching rule to the profile or reject it
aa-unconfined   list processes that have open network sockets but no AppArmor profile loaded

Profiles are saved in /etc/apparmor.d, one file per program, named after the executable path with the slashes replaced by dots (usr.sbin.postfix for /usr/sbin/postfix). After editing a profile by hand, reload it with apparmor_parser -r /etc/apparmor.d/usr.sbin.postfix.