Ubuntu command line email tool for server

0

I started writing some scripts that back up my log files. Whenever an error is found in the log file, I want to send off an email to myself. However, I want to make sure that my server is not compromised, as I've heard that having smtp/mail installed opens up new options for hackers.

Is there a tool that does not receive emails, but is only able to send them? Also, what security considerations would I need to take when installing it?

Frank Vilea

Posted 2011-07-31T23:57:26.990

Reputation: 169

Answers

2

> However, I want to make sure that my server is not compromised as I've heard that having smtp/mail installed opens up new options for hackers

Any service can "open up new options for hackers" if it's poorly written. But for mail, both Postfix and Exim4 are very secure.

(In general, you'll be fine as long as you don't use a ten-year-old Sendmail. Current versions are secure, but I would recommend staying away from Sendmail anyway – the configuration file isn't exactly human-readable.)

> Is there a tool that does not receive emails, but is only able to send them?

Any MTA (Postfix, Exim4, Sendmail) can work this way – just configure it to listen on loopback addresses only (::1 and 127.0.0.1). You can even disable the SMTP component entirely – most Unix programs do not require it and send mail through /usr/sbin/sendmail¹, making SMTP unnecessary.

It's really not necessary against "hackers", though. The worst you can get with a decent MTA is leaving it open for relaying – and the default configurations already take care of that.

Another option is msmtp, which doesn't even have full SMTP support – all it can do is relay mail through another mail server, such as Gmail's or your ISP's. But while it's useful for a personal computer, it doesn't really fit into a server environment.


¹ "/usr/sbin/sendmail" is a program that comes with all MTAs, while "Sendmail" is the name of a specific MTA.

user1686

Posted 2011-07-31T23:57:26.990

Reputation: 283 655

May I suggest using a google.com email account to send outgoing automated messages? That's how I have my servers set up; that way, if anyone ever compromises my email for spam, I only lose a very replaceable email account and no blacklist. All you need to do is set up your favorite MTA to send through your Google account. Also, OSSEC - google it. – skub – 2011-08-01T00:48:50.597

@skub: Sounds very promising, which MTA are you using with gmail? – Frank Vilea – 2011-08-01T00:59:46.373

You can do it with either Exim or Postfix, but I think Exim is easier to configure. Here are the instructions for Exim and Gmail: http://wiki.debian.org/GmailAndExim4 – skub – 2011-08-01T02:02:15.870

@skub: Just for the record, Exim on Debian/Ubuntu has a very different configuration system (M4-based) than it does on other distributions. It's not always "easier". – user1686 – 2011-08-01T07:33:21.547

You're right, it could be harder to set up in other systems. It was just an assumption that the poster was using some flavor of *nix. The theory remains the same regardless of the system used. You could set up a smart host with authentication in any MTA - including Exchange. – skub – 2011-08-01T12:25:44.907

@skub: My experience is that it's easier without the Debconf layer... – user1686 – 2011-08-01T14:25:06.800

2

Sending mail from a shell script is fairly easy as long as you have a standard MTA installed (Postfix, Exim4, Sendmail, etc). Generally to send you can use the mail command with appropriate arguments, echoing your email content to the program. For example:

echo "Error occurred in script at `date`" | mail -s "Error running script" youremail@domain.com

The -s argument specifies the subject, and you follow it with the email recipient.

Another example:

grep -i error /path/to/yourfile.log | mail -s "Errors from script execution" youremail@domain.com

Check man mail for more options.

Another option, if you're running your script via cron, is to have cron automatically email the output from your script to you. Add the MAILTO option to your crontab as follows:

MAILTO=youremail@domain.com

and you'll receive an email with any output from stdout each time your script runs.

As for security, sending and receiving email are 2 completely different things. You can send email from your server without running a receiving mail server: simply don't run the SMTP daemon, or block access to incoming port 25 (SMTP) via a firewall, if you don't need to receive email via this server.

JJ01

Posted 2011-07-31T23:57:26.990

Reputation: 223
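Both answers come down to the same check: nothing on the server should accept SMTP connections from outside the host. The script below is an added example, not code from either answer; it parses `ss -ltn` output and reports any listener on port 25 that is bound to a non-loopback address. The function names and the sample socket lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that the MTA only listens on loopback.
# Live use (assumes the iproute2 `ss` tool):  ss -ltn | smtp_is_loopback_only 25

# Reads `ss -ltn` lines on stdin and prints every local address that listens
# on the given port (default 25) and is not a loopback address.
non_loopback_listeners() {
    awk -v port="${1:-25}" '
        $1 == "LISTEN" {
            sock = $4                          # Local Address:Port column
            n = split(sock, parts, ":")
            if (parts[n] != port) next         # different port, not our concern
            addr = substr(sock, 1, length(sock) - length(parts[n]) - 1)
            sub(/%[^]]*/, "", addr)            # drop interface scope such as %lo
            sub(/^\[/, "", addr)               # drop IPv6 brackets
            sub(/\]$/, "", addr)
            if (addr ~ /^127\./ || addr == "::1") next
            print addr                         # 0.0.0.0, ::, * or a real address
        }'
}

# Returns 0 when the port is closed or loopback-only, 1 when it is exposed.
smtp_is_loopback_only() {
    exposed=$(non_loopback_listeners "${1:-25}")
    [ -z "$exposed" ] && return 0
    printf 'port %s is exposed on: %s\n' "${1:-25}" \
        "$(printf '%s' "$exposed" | tr '\n' ' ')" >&2
    return 1
}

# Constructed sample: an MTA bound to every interface.
SAMPLE_EXPOSED='LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 100 [::]:25 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample: the same host after restricting the MTA to loopback.
SAMPLE_LOCAL='LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 100 [::1]:25 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
```

Running the check from cron after package upgrades catches a configuration that has silently reverted to listening on all interfaces.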