Security for CSSMTP

Consider the following additional security measures for CSSMTP:

• For spool files from NJE nodes, the user ID associated with the spool file must be defined by SAF. For more information about the protection of SYSOUT data sets, see the following topics:
  • Protecting Data Sets on Spools in z/OS Security Server RACF Security Administrator's Guide
  • Authorizing SYSOUT in z/OS Security Server RACF Security Administrator's Guide
  • Authorizing Network Jobs and SYSOUT (NJE) in z/OS Security Server RACF Security Administrator's Guide
  • Authorizing SYSOUT in z/OS JES2 Initialization and Tuning Guide
  • Understanding default userids in z/OS JES2 Initialization and Tuning Guide
  • Using RACF® to Provide Security in z/OS JES3 Initialization and Tuning Guide
  • Understanding Default User IDs in z/OS JES3 Initialization and Tuning Guide
• If your installation protects access to the JESSPOOL class of resources, provide ALTER access to the CSSMTP user ID so that it can read and delete spool files. An example JESSPOOL definition follows:

  //CSSMTP   EXEC PGM=IKJEFT01
  //SYSTSPRT DD  SYSOUT=*
  //* The PERMIT for CLASS(JESSPOOL) is needed only if it has already
  //*   been activated.
  //SYSTSIN  DD  *
      SETROPTS CLASSACT(STARTED)
      SETROPTS RACLIST(STARTED)
      SETROPTS GENERIC(STARTED)
      ADDUSER  CSSMTP  DFLTGRP(OMVSGRP) OMVS(UID(nn) HOME('/'))           -
               NOPASSWORD NAME('Simple Mail Transfer') OWNER(OMVSGRP)
      RDEFINE  STARTED OWNER(SYS1) CSSMTP.* STDATA(USER(CSSMTP))
      RDEFINE  JESSPOOL  localnodeid.** UACC(READ)
      PERMIT   localnodeid.**                                            -
               CLASS(JESSPOOL) ID(CSSMTP) ACCESS(ALTER)
      SETROPTS GENERIC(JESSPOOL) REFRESH
      SETROPTS RACLIST(STARTED) REFRESH
      SETROPTS GENERIC(STARTED) REFRESH

• When CSSMTP is defined with a nonzero UID value, Delete Operator Message (DOM) messages are prefixed with message BPXM023I. To remove the prefix, you must authorize the CSSMTP procedure user ID to use the UNIX System Services console service. You can authorize CSSMTP to use the console service by entering the following commands:

  RDEFINE FACILITY BPX.CONSOLE UACC(NONE) 
  PERMIT BPX.CONSOLE - 
  CLASS(FACILITY) ID(CSSMTP) ACCESS(READ) 
  SETROPTS RACLIST(FACILITY) REFRESH

• You can control whether CSSMTP reads and processes the spool files created by specific users by creating one or more resource profiles in the SERVAUTH class.

  The format of the SERVAUTH profile name is EZB.CSSMTP.sysname.writername.originJESnode, where sysname is the system name defined in the sysplex, writername is the CSSMTP configured external writer name, and originJESnode is the JES node that originated the spool file. If this profile is created with UACC(NONE), then only user IDs permitted to the resource are able to have spool files processed by CSSMTP.

  For examples of the resource profile definitions, see the EZARACF sample in data set SEZAINST. For information about configuring the external writer name using the ExtWrtName statement, see z/OS Communications Server: IP Configuration Reference.

  Tips:

  • You can specify a wildcard on segments of the profile name, as shown in the following example:

    SETR GENERIC(SERVAUTH) GENCMDS(SERVAUTH)
    SETR CLASSACT(SERVAUTH)
    RDEFINE  SERVAUTH EZB.CSSMTP.sysname.writername.originJESnode          -
        UACC(NONE)                                                     
     PERMIT EZB.CSSMTP.sysname.writername.originJESnode                    -
        CLASS(SERVAUTH) ID(userid) ACCESS(READ)
                                                                       
     PERMIT EZB.CSSMTP.sysname.writername.*                                - 
        CLASS(SERVAUTH) ID(userid) ACCESS(READ)
                                                                       
     SETROPTS RACLIST(SERVAUTH) REFRESH

  • You can define multiple profiles. For example, if this CSSMTP instance processes spool files from local jobs and from remote systems, you can define a profile for the local system and for each JES node that originates spool files. The spool file is matched to the most specific RACF profile, and then the user ID associated with the spool file is validated against that profile.
  Result: If the profile is active with UACC(NONE), then when the spool file is received on the JES spool data set, CSSMTP checks to determine whether a profile is defined for the originating node or for any originating node (*), and then checks whether the user ID associated with the job that created the spool file is permitted to the profile:

  • If the user ID is permitted, the spool file is processed by CSSMTP.
  • If the user ID is not permitted, the spool file is considered to be a bad spool file and is subject to the action specified by the BadSpoolDisp statement. For more information about the BadSpoolDisp statement, see z/OS Communications Server: IP Configuration Reference.

  If the profile is not defined, then the spool file is processed as if the user ID is permitted.
• You can write a CSSMTP user exit or use the existing SMTPD user exit to inspect mail before it is sent to a target server.

  For example, you can create an exit to check the MAIL FROM: string on outbound mail. The mail originator, recipients, and other information can be inspected by the exit, and the entire JES job or a single mail message can be discarded.

  You can control the user exit that is used with the UserExit statement:

  • If you want to use a user exit that you have written for CSSMTP, then specify Version3 on the UserExit statement. You need to use this version if you want to use both RFC 821 and RFC 2821 commands to read and process from the JES spool data set. For more information about the CSSMTP exit, see z/OS Communications Server: IP Configuration Reference.
  • If you want to continue using your SMTPD user exit and use only RFC821 commands, then specify Version2 on the UserExit statement. For more information about using the SMTP server exits, see z/OS Communications Server: IP Configuration Reference.

  For more information about the UserExit statement, see z/OS Communications Server: IP Configuration Reference.

• You can enable the SMTP server and client to use Transport Layer Security (TLS) to provide private, authenticated communication over the Internet using RFC 3207, SMTP Service Extension for Secure SMTP over Transport Layer Security. For more information, see Steps for using Transport Layer Security for CSSMTP.