The DISA STIG guides do cover some of the mentioned technologies. For example, with regards to Postfix, there are a few different standards listed under Red Hat. At a quick glance, I see this:

    If the system uses Postfix, edit the main.cf file and add or edit the "smtpd_client_restrictions" line to have contents "permit mynetworks, reject" or a similarly restrictive rule. If the system does not need to receive mail from external hosts, add or edit the "inet_interfaces" line to have contents "loopback-only" or a set of loopback addresses for the system. Restart the service.

You can find the unclassified STIGs for all of their approved operating systems here:
http://iase.disa.mil/stigs/os/index.html

If you look around I'm sure there are other unclassified STIG guides that may be of further assistance. DoD/DISA STIGing happens to be what I have the most experience with, but I recall finding similar resources online in the past from other agencies as well.

Hope this helps!

-Evan

On Thu, Apr 5, 2012 at 5:53 AM, Hung Nguyen <[email protected]> wrote:
> Hi all,
>
> Our IT team intends to audit (mainly the security settings of) the OS and
> services in our company's infrastructure. But it seems that the
> well-known standards, such as CIS, DISA and PCI 2.2, don't have a checklist
> for mail services in general, and particularly not for the postfix, sendmail and
> dovecot mail services (except for Microsoft Exchange :-( ).
>
> So, could you recommend any checklist or best practice for
> auditing mail services, especially postfix, sendmail and dovecot?
>
> Thanks and best regards,
> HungNT
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
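A small audit script for the two Postfix settings the STIG excerpt names, added here as an example and not part of the thread. It reads a copied main.cf from the path you pass in rather than calling postconf, and it looks for the real Postfix restriction name permit_mynetworks (what the STIG text renders as "permit mynetworks"); the sample main.cf at the bottom is constructed.

```shell
#!/bin/sh
# Audit a Postfix main.cf copy for the two STIG settings quoted in the thread.
# Reads the file directly (no postconf), so it runs offline on a config
# pulled from the audited host.

# Effective value of one main.cf parameter, following Postfix rules: the last
# assignment wins, and a line starting with whitespace continues the previous
# value. Commas are turned into spaces so callers can iterate the list.
main_cf_get() {  # main_cf_get <file> <parameter>
    awk -v key="$2" '
        /^#/ || /^[[:space:]]*$/ { cur = ""; next }               # comment / blank
        /^[[:space:]]+[^[:space:]#]/ { if (cur == key) val = val " " $0; next }
        {
            eq = index($0, "=")
            if (eq == 0) { cur = ""; next }
            cur = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", cur)
            if (cur == key) val = substr($0, eq + 1)
        }
        END { gsub(/,/, " ", val); gsub(/[[:space:]]+/, " ", val)
              sub(/^ /, "", val); sub(/ $/, "", val); print val }
    ' "$1"
}

# STIG check 1: only hosts in $mynetworks may hand in mail, everyone else is
# rejected. Compliant when the list starts with permit_mynetworks and ends
# with reject (the "similarly restrictive" variants are left to the reviewer).
check_client_restrictions() {  # returns 0 = compliant
    v=$(main_cf_get "$1" smtpd_client_restrictions)
    last=""; for w in $v; do last=$w; done
    [ "${v%% *}" = permit_mynetworks ] && [ "$last" = reject ]
}

# STIG check 2: a host that needs no external mail listens on loopback only.
# Postfix defaults inet_interfaces to "all" when unset, so an empty value fails.
check_inet_interfaces() {  # returns 0 = compliant
    v=$(main_cf_get "$1" inet_interfaces)
    [ -n "$v" ] || return 1
    for w in $v; do
        case $w in loopback-only|localhost|127.*|::1) ;; *) return 1 ;; esac
    done
    return 0
}

# Run both checks, print one verdict line each, return the number of failures.
audit_main_cf() {
    fails=0
    for c in check_client_restrictions check_inet_interfaces; do
        if $c "$1"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return $fails
}

# Constructed sample: the restriction was tightened (on a continuation line),
# but inet_interfaces was left at "all", so the audit reports one failure.
SAMPLE=$(mktemp)
printf 'inet_interfaces = all\nsmtpd_client_restrictions = permit_mynetworks,\n    reject\n' > "$SAMPLE"
if audit_main_cf "$SAMPLE"; then echo "compliant"; else echo "failures: $?"; fi
rm -f "$SAMPLE"
```

Point it at `/etc/postfix/main.cf` copied off the host being audited; postconf -n on the host itself remains the authoritative view of the running configuration.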
