10/5/2016 - Securing your Email Server

Summary

 Avoid being an Open Relay
 Use SMTP authentication
 Limit SMTP Connections
 Activate Reverse DNS
 Use DNSBL servers
 Activate SPF
 Enable Spam URI Realtime Block Lists
 Use at least 2 MX records for failover
 Maintain local IP blacklists
 Encrypt POP3 and IMAP Authentication


1. Don't be a Relay

Configure your mail relay parameter to be very restrictive. You can specify which domains or IP addresses your mail server will relay mail for. In other words, this parameter specifies to whom your SMTP server should forward mail. Misconfiguring this option can harm you, because spammers can use your mail server (and network resources) as a gateway for spamming others, resulting in your getting blacklisted.

2. Use SMTP Authentication for Access Control

SMTP Authentication forces the people who use your server to obtain permission to send mail by first supplying account information. This helps to prevent open relay and abuse of your server. If configured the right way, only known accounts can use your server's SMTP to send email. SMTP Authentication is highly recommended when your mail server has a routed IP address.

3. Limit SMTP Connections

The number of connections to your SMTP server should be limited to protect your server against DoS attacks. These parameters depend on the specifications of the server hardware (memory, NIC bandwidth, CPU, etc.) and its nominal load per day. The main parameters used to handle connection limits include the total number of connections, the total number of simultaneous connections, and the maximum connection rate. Maintaining optimal values for these parameters may require refinement over time.

This can be very helpful to mitigate spam floods and DoS attacks that target your network infrastructure.

4. Activate Reverse DNS

Most messaging systems use DNS lookups to confirm the existence of the sender's email domain before accepting a message. A reverse lookup is also a useful option for fighting bogus mail senders. Once Reverse DNS Lookup is activated, your SMTP server verifies that the sender's IP address matches both the host and domain names that were submitted by the SMTP client in the EHLO/HELO command.

This is valuable for blocking messages that fail the address matching test.
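
The matching test described above can be written as a forward-confirmed reverse DNS check. This is an added example, not code from the original article: the function names are hypothetical, the lookups are passed in as callables so the check runs offline, and the addresses and host names are constructed sample data.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for an IP via the system resolver ([] when there are none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def system_addrs(name):
    """A/AAAA addresses for a host name ([] when it does not resolve)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def norm(name):
    return name.rstrip(".").lower()

def check_client(client_ip, helo_name, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Return (verdict, confirmed_names) for one connecting SMTP client."""
    ip = ipaddress.ip_address(client_ip)
    # Step 1: reverse lookup of the connecting address.
    ptr_names = [norm(n) for n in ptr_lookup(client_ip)]
    if not ptr_names:
        return "no-ptr", []
    # Step 2: forward-confirm. Whoever controls the reverse zone can put any
    # name in a PTR record, so keep only names that resolve back to this IP.
    confirmed = [n for n in ptr_names
                 if ip in {ipaddress.ip_address(a) for a in addr_lookup(n)}]
    if not confirmed:
        return "ptr-not-confirmed", []
    # Step 3: compare with the name the client sent in EHLO/HELO.
    if norm(helo_name) in confirmed:
        return "match", confirmed
    return "helo-mismatch", confirmed

# Constructed sample data: documentation address ranges, made-up host names.
SAMPLE_PTR = {"192.0.2.10": ["mail.example.org."], "192.0.2.66": ["mail.example.org."]}
SAMPLE_A = {"mail.example.org": ["192.0.2.10"]}

def fake_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

def fake_addrs(name):
    return SAMPLE_A.get(name, [])
```

Called without the last two arguments, `check_client` uses the system resolver instead of the sample tables.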

5. Use DNSBL servers to address incoming email abuse

One of the most important configurations for protecting your email server is to use DNS-based blacklists. Checking whether the sender domain or IP is known by DNSBL servers worldwide (e.g., Spamhaus, etc.) could substantially decrease the amount of received spam. Activating this option and using an optimal number of DNSBL servers will reduce the impact of unsolicited incoming email.

DNSBL servers list all known spammer IPs and domains for this specific purpose.
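
How a DNSBL lookup works on the wire, as an added example that is not part of the original article: the client address is reversed, prefixed to the list's zone, and resolved as an ordinary A record. The zone names `bl-a.example` and `bl-b.example`, the function names and the sample answers are constructed; the example also covers IPv6, which the article does not mention.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Build the lookup name: reversed address labels followed by the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                    # 4 octets
    else:
        labels = list(addr.exploded.replace(":", ""))    # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone.strip(".")

def system_resolve(name):
    """A records via the system resolver; [] on NXDOMAIN or lookup failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def dnsbl_hits(ip, zones, resolve=system_resolve):
    """Return {zone: [return codes]} for every list that carries the IP."""
    hits = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        # Only answers inside 127.0.0.0/8 mean "listed". Any other address
        # (for example a resolver that rewrites NXDOMAIN) is not a listing.
        codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]
        if codes:
            hits[zone] = codes
    return hits

def should_reject(ip, zones, resolve=system_resolve, min_lists=1):
    """Reject only when at least min_lists independent lists agree."""
    return len(dnsbl_hits(ip, zones, resolve)) >= min_lists

# Constructed sample data: hypothetical zones and answers.
ZONES = ["bl-a.example", "bl-b.example"]
SAMPLE_DNS = {
    "25.2.0.192.bl-a.example": ["127.0.0.2"],
    "25.2.0.192.bl-b.example": ["127.0.0.4"],
    "9.113.0.203.bl-a.example": ["203.0.113.200"],   # rewritten NXDOMAIN answer
}

def fake_resolve(name):
    return SAMPLE_DNS.get(name, [])
```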

6. Activate Sender Policy Framework

Sender Policy Framework (SPF) is a method used to prevent spoofed sender addresses. Nowadays, almost all abusive messages carry fake sender addresses. The SPF check ensures that the sending MTA is allowed to send mail on behalf of the sender's domain name. When SPF is activated on your server, the sending server's MX record (the DNS Mail Exchange record) is validated before message transmission takes place.
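
What the receiving server evaluates during an SPF check, as an added example that is not from the original article: the sender's domain publishes its policy as a DNS TXT record, and the connecting IP is tested against each mechanism in order. The evaluator below is a hypothetical helper covering only the `ip4`, `ip6`, `mx` and `all` mechanisms; the record and addresses are constructed, and MX addresses are assumed to be resolved by the caller.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(sender_ip, record, mx_addrs=()):
    """Evaluate a subset of SPF for one connecting IP.

    record   -- the policy published by the sender's domain
    mx_addrs -- addresses of that domain's MX hosts, resolved by the caller
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                        # not an SPF record
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"           # malformed network in the record
            matched = ip.version == net.version and ip in net
        elif name == "mx" and not value:
            matched = ip in {ipaddress.ip_address(a) for a in mx_addrs}
        else:
            return "permerror"               # include, a, exists, redirect: not handled here
        if matched:
            return QUALIFIERS[qualifier]     # first matching mechanism decides
    return "neutral"                         # nothing matched and no "all" term

# Constructed sample policy and MX address (documentation ranges).
SAMPLE_RECORD = "v=spf1 mx ip4:192.0.2.0/24 ~ip4:198.51.100.0/24 -all"
SAMPLE_MX = ["203.0.113.5"]
```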

7. Enable Spam URI Realtime Block Lists

Spam URI Realtime Block Lists (SURBL) detect unwanted email based on invalid or malicious links within a message. Having a SURBL filter helps to protect users from malware and phishing attacks. At present, not all mail servers support SURBL. But if your messaging server does support it, activating it will increase your server security, as well as the security of your entire network, since more than 50% of security threats come from email content.

8. Have at least 2 MX records for failover

Having a failover configuration is critical for availability. One MX record is not adequate for ensuring a continuous flow of mail to a given domain, which is why it's strongly recommended to set up at least 2 MXs for each domain. One is set as the primary, and the secondary is used if the primary goes down for any reason. This configuration is done at the DNS zone level.

9. Maintain local IP blacklists to block spammers

Use a local IP blacklist on your email server to block particular spammers who only target you. Maintaining this list will cost you time and resources. The payoff is a quick turnaround in stopping unwanted Internet connections from bothering your messaging system.

10. Encrypt POP3 and IMAP Authentication

POP3 and IMAP connections were not originally built with security in mind. As a result, they are often used without strong authentication. This is a big weakness, since users' passwords are transmitted in clear text through your mail server, making them easily accessible to hackers and people with malicious intent. SSL/TLS is the best known and easiest way to implement strong authentication; it is widely used and considered reliable enough.
