Allow full configuration of SMTP service in ossec.conf for SMTP auth including SMTP port
13 comments
-
Brill Pappin
commented
Unless it's been uninstalled as per PCI-DSS Sections: 2, 4, 6, 12 (and maybe others)
-
dan
commented
Upgrade your systems, most worthwhile OSes come with one installed. ;)
-
Brill Pappin
commented
In my case, there are a couple of options.
- Mail is handled by another network in our organization, which we are isolated from (which also requires authentication, and punching holes).
- Mail is handled by AWS SES which would require SSL and authentication but is already inside the isolated network.
- Mail is handled by a service like GMail (Google Apps) which requires SSL/Authentication.

In fact, I don't know of a single MTA that I have access to that does not require authentication. Period.
-
dan
commented
Why would you have to open firewalls and VPNs if you're using the local MTA to authenticate with the remote MTA, but not if you're using OSSEC as the authenticating client? Are you filtering localhost that much? VPN on loopback?
-
Brill Pappin
commented
I'm sure it seems that simple to you, but in my experience it's not. Not in a hardened environment anyway.
All of a sudden I need to open ports through firewalls and justify them. I may even need to make a hole in a VPN that shouldn't be there etc.
I'll even likely need to adjust company policy to *allow* an MTA on the host in the first place, and in a large company that can be almost impossible.

AFAICS this is simply laziness in not implementing SSL and authentication for your SMTP client. Surely there is even trusted drop-in code that could handle this.
-
dan
commented
You'd have to document and maintain the OSSEC configuration as well. Might as well throw 2 or 3 lines into your puppet configuration and be done with it. Any unix-like system worth using has an MTA enabled on it already.
-
Brill Pappin
commented
I already have mail transport services handled elsewhere.
Adding an MTA just adds complexity and days' worth of documentation and certification for a PCI-DSS installation.

Why on earth should I have to maintain a configuration for yet another service, just so I can communicate with the MTA I already have configured, documented and hardened? I can't even add a username and password to ossec so I can authenticate its MTA account!
-
dan
commented
I'm flabbergasted that so many people aren't willing to use their unixy systems in a unixy fashion.
-
Brill Pappin
commented
I'm flabbergasted that this doesn't already exist. Who uses unauthenticated SMTP in this day and age?
-
Juliano
commented
I would like to share something
https://bitbucket.org/beraldoleal/ossec-hids/overview
-
dan
commented
I understand the downsides of using the local smtpd, just wanted to offer a workaround until someone gets inspired to re-invent the wheel. ;)
-
Michael Cameron
commented
Yes, one could use a local SMTP daemon, but it's yet another piece of software to set up, configure, and make sure it is patched appropriately. Minimally adding username, password, and port would make many more SMTP relay options available.
-
dan
commented
I don't have a way to test this at the moment, but couldn't you relay the emails through the system's smtp daemon?