Auditing a Corporate E-mail Gateway Running Postfix on Linux: an Administrator's Perspective

Published: 15 Nov, 2004 (PDF, 4.55MB)
Created by:
William Karwisch

This is a report of the audit of a corporate e-mail relay from an administrator's viewpoint. The audit process optimized the scope of the audit using a pre-audit risk assessment. The audit objectively showed the reduction of risk from the unaudited state of the system through the audit and the post-audit remediation of findings. The subject of the audit was a Postfix e-mail relay running on a Linux server. The Linux operating system and Postfix e-mail software were installed on the same computer. The goals of upgrading the system included improving the overall security and reliability of the server. The audit was conducted to determine if the new configuration can adequately protect the e-mail that it transports, defend against external and internal vulnerabilities, and provide reliable service. This report divides the audit process into four sections. Section one describes the system, analyzes its risks, develops the high-level objectives of the audit, and researches current practice. Section two is the audit checklist. The third section documents the actual audit and analyzes the results. The fourth section is a summary of audit findings and the risks they pose, a description of system changes, results of retesting the system, and a justification of the final state of the system.