Are you trying to secure your mail server?
This guide will help you.
Email is inherently an insecure method of communication. All mail is sent through the Simple Mail Transfer Protocol (SMTP), which by itself uses neither encryption nor authentication.
Email sent over plain SMTP can therefore be read by outsiders, because the protocol offers no security of its own.
It is quite common for mail servers to be exploited. Unfortunately, the same system that gives us an efficient way to communicate with others can be turned to malicious purposes if we don't configure it properly.
We know that there is no foolproof security; we therefore aim for optimal protection rather than perfection.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our customers resolve mail server queries.
In this context, we shall look into methods to secure a mail server.
How to secure a mail server?
The security of our mailing infrastructure is closely tied to our sender reputation and is a building block for establishing long-lasting relationships with our customers.
A few after-effects of a hack, or of spam landing in our subscribers' inboxes, include:
i. A lot of complaints against our domains and IP addresses.
ii. A drop in subscriber engagement with our legitimate email.
iii. Both subscribers and Mailbox Providers (MBPs) could block our mail.
iv. Malicious actors will likely send spam to random email addresses, which usually include a high number of spam traps.
v. We are likely to be listed on publicly available blacklists.
Now let's look at some tips to apply in order to secure an email server.
1. Set maximum message size
There is a slight possibility that the server might crash if it processes very large mail messages, especially when they are sent to multiple recipients at once.
To avoid this, we set an appropriate maximum message size on our server.
2. IP blacklists to block spammers
Another reliable way to stop spammers who specifically target us is a local IP blacklist on the email server.
3. Set Reverse DNS to block bogus senders
Spam usually comes from nonexistent sender accounts or hosts with bogus names, so setting up reverse DNS (rDNS) checks on our server cuts it down considerably.
Once the Reverse DNS lookup is active, our SMTP server verifies that the sender's IP address matches the host and domain names the SMTP client presented in the EHLO/HELO command.
4. Encrypt POP3 and IMAP authentication for privacy concerns
POP3 and IMAP were not built with security in mind, so they are often used without strong protection of the login. This is a big weakness: credentials travel in clear text.
SSL/TLS is the best-known and easiest way to protect that login exchange. When securing the mail server, encrypt POP3 and IMAP authentication with SSL/TLS.
5. Activate SPF to prevent spoofed sources
Sender Policy Framework (SPF) allows domain owners to declare which servers are allowed to send email in their name. Its purpose is to prevent spoofed sender addresses.
When SPF is active, the receiving server checks the sending server's IP address against the SPF policy published in the sender domain's DNS before accepting the message. Evaluating the email source against the sender's SPF policy tells us whether the email is forged.
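As an added illustration (not from the original guide), here is a small SPF evaluator in Python that resolves the connecting IP against a constructed, offline DNS table; the domain names, records and addresses are made up for the example, and a real verifier must also handle ip6, exists, redirect and the full lookup limit of RFC 7208.

```python
import ipaddress

# Constructed DNS table standing in for live lookups (offline example).
DNS = {
    ("example.com", "TXT"): "v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailhost.example -all",
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("_spf.mailhost.example", "TXT"): "v=spf1 ip4:203.0.113.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Evaluate the connecting IP against the domain's SPF record and return
    pass / fail / softfail / neutral / none / permerror.
    Subset of RFC 7208: the ip4, a, mx, include and all mechanisms."""
    if depth > 10:                       # RFC 7208 caps DNS-based mechanisms
        return "permerror"
    record = DNS.get((domain, "TXT"))
    if not record or not record.startswith("v=spf1"):
        return "none"                    # no SPF policy published
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # a bare mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        target = arg or domain           # a/mx default to the current domain
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if name == "a" and ip in DNS.get((target, "A"), []):
            return QUALIFIERS[qualifier]
        if name == "mx" and any(ip in DNS.get((h, "A"), [])
                                for h in DNS.get((target, "MX"), [])):
            return QUALIFIERS[qualifier]
        if name == "include" and check_spf(ip, arg, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no "all" term
```

With the table above, an address inside the listed /24, the MX host and the included provider all pass, while an unknown address hits the trailing -all and fails.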
6. Set up SMTP authentication to control user access
To protect the server from unauthorized access, we can implement authentication and access control.
For example, SMTP authentication requires users of our server to prove they are permitted to send mail by first supplying a username and password.
Our Support Experts highly recommend this when the mail server has a routed IP address.
7. Configure mail relay options carefully to avoid being an Open Relay
All mail servers have this option. With it, we specify which domains or IP addresses our mail server will relay mail for.
In other words, it specifies for whom our SMTP server should forward mail.
Misconfiguring it, however, can harm us: spammers can use our mail server as a gateway to spam others, which gets our IP address blacklisted.
8. Limit connections to protect our server against DoS attacks
A server often has to handle a lot of connections at a time. To set the connection limit for the server, we edit its configuration file; this protects our server from DoS attacks to a great extent.
When tuning connection limits, check parameters such as the total number of connections, the number of simultaneous connections, and the maximum connection rate.
9. Enable SURBL to verify message content
SURBL (Spam URI Real-time Block Lists) check emails for invalid or malicious links within the message body.
This filter helps to protect users from malware and phishing attacks. Not all mail servers support SURBL; if ours does, we enable it.
10. Have at least 2 MX records for failover
A failover configuration is very important for availability. Our Support Techs strongly recommend setting up at least 2 MX records for each domain.
The first is the primary, and the secondary is used if the primary goes down for any reason. This is done at the DNS zone level.
11. Implement DKIM (DomainKeys Identified Mail)
DKIM (DomainKeys Identified Mail) is an email authentication protocol; the sending domain publishes its public key as a DNS TXT record.
The mechanism is based on a cryptographic signature over a hash (fingerprint) of the message, which lets the receiving mail server verify that the email really comes from, and was not altered since leaving, the signing domain.
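To make the "fingerprint hash" concrete, this added Python example (not part of the original guide) computes and checks the DKIM body hash (the bh= tag) under the simple and relaxed canonicalizations of RFC 6376. The message bodies and header values are constructed; the RSA signature over the headers (the b= tag) is left out because verifying it needs a crypto library.

```python
import base64
import hashlib
import re


def canonicalize_body(body, mode="relaxed"):
    """Body canonicalization per RFC 6376 section 3.4. 'simple' only drops
    empty lines at the end; 'relaxed' also strips trailing whitespace on each
    line and collapses runs of spaces/tabs into one space."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:                        # empty body: CRLF for simple, nothing for relaxed
        return "\r\n" if mode == "simple" else ""
    return "".join(ln + "\r\n" for ln in lines)


def body_hash(body, mode="relaxed"):
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    digest = hashlib.sha256(canonicalize_body(body, mode).encode()).digest()
    return base64.b64encode(digest).decode()


def parse_tags(header):
    """Split a DKIM-Signature value into its tag=value pairs."""
    return dict(t.strip().split("=", 1) for t in header.split(";") if "=" in t)


def verify_body_hash(dkim_header, body):
    """Recompute bh= for the body using the canonicalization named in c=
    and compare it with the value the signer recorded."""
    tags = parse_tags(dkim_header)
    canon = tags.get("c", "simple/simple").split("/")
    body_mode = canon[1] if len(canon) == 2 else "simple"
    return body_hash(body, body_mode) == re.sub(r"\s+", "", tags["bh"])


# Constructed sample: the signer hashed ORIGINAL; a relay then mangled whitespace.
ORIGINAL = "Hello  world\r\nInvoice attached.\r\n\r\n\r\n"
RELAYED = "Hello world   \r\nInvoice attached.\r\n"
TAMPERED = "Hello world\r\nInvoice NOT attached.\r\n"
DKIM_RELAXED = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
                "h=from:to:subject; bh=" + body_hash(ORIGINAL) + "; b=PLACEHOLDER")
```

Relaxed canonicalization survives the whitespace changes a relay made, while simple canonicalization does not; a changed body fails under either mode.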
12. Implement DMARC
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on the SPF and DKIM protocols to provide even more security, adding reporting from receivers back to senders.
This helps us monitor our domain and improve our mail server protection.
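Added example, not from the original guide: how a receiver turns SPF and DKIM results into a DMARC disposition by testing identifier alignment against the From domain (RFC 7489). The DMARC record and domains are constructed, and the two-label organizational-domain shortcut is an assumption standing in for the Public Suffix List.

```python
def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Real verifiers consult the Public Suffix List; this shortcut is an
    assumption of the example and is wrong for names like co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment (RFC 7489 section 3.1): strict ('s') needs an
    exact match, relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_dmarc(record):
    """Pull the tags that decide disposition out of a _dmarc TXT record."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"),
            "aspf": tags.get("aspf", "r")}


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition). DMARC passes when SPF or DKIM passed
    AND that authenticated domain aligns with the RFC5322.From domain; on
    failure the receiver applies the p= policy (none / quarantine / reject)."""
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, policy["p"]


# Constructed policy for the example domain: strict DKIM, relaxed SPF alignment.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"
```

The key point for monitoring is the last case below: with p=none a failing message is still delivered, but it shows up in the aggregate reports sent to the rua= address.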
13. Use DNSBL to block malicious emails and domains
DNSBLs (Domain Name System Blacklists) are spam-blocking lists. They allow us to keep our server free of spam and threats.
The more DNSBLs we check incoming connections against, the better.