How to Build an Effective Mail Server Defense



Similar documents
XGENPLUS SECURITY FEATURES...

AXIGEN Mail Server. Quick Installation and Configuration Guide. Product version: 6.1 Document version: 1.0

How To Configure Forefront Threat Management Gateway (Forefront) For An Server

Serial Deployment Quick Start Guide

SESA Securing with Cisco Security Appliance Parts 1 and 2

Security. Help Documentation

Configuring Security for SMTP Traffic

CipherMail Gateway Quick Setup Guide

Objective This howto demonstrates and explains the different mechanisms for fending off unwanted spam .

Resolving problems with SMTP Security Server and CVP operating in Check Point NG

Migration Project Plan for Cisco Cloud Security

The versatile solution of anti-spam, personal backup and recovery, easy security policy management and enforcement.

FortiMail Filtering Course 221-v2.2 Course Overview

Configuration Guide for Exchange 2003, 2007 and 2010

POP3 Connector for Exchange - Configuration

Guardian Digital Secure Mail Suite Quick Start Guide

ing from The E2 Shop System address Server Name Server Port, Encryption Protocol, Encryption Type, SMTP User ID SMTP Password

Exim4U. Server Solution For Unix And Linux Systems

The basic groups of components are described below. Fig X- 1 shows the relationship between components on a network.

F-Secure Internet Gatekeeper

Frequently Asked Questions

DomainKeys Identified Mail DKIM authenticates senders, message content

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

A D M I N I S T R A T O R V 1. 0

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

MDaemon Vs. Microsoft Exchange Server 2013 Standard

How To Upgrade To Symantec Mail Security Appliance 7.5.5

HTTP connections can use transport-layer security (SSL or its successor, TLS) to provide data integrity

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

CTS2134 Introduction to Networking. Module Network Security

Anti Spam Best Practices

Basics of Internet Security

How To Prevent Hacker Attacks With Network Behavior Analysis

Clearswift Information Governance

RemotelyAnywhere. Security Considerations

The Leading Security Suites

Cornerstones of Security

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

ESET Mail Security 4. User Guide. for Microsoft Exchange Server. Microsoft Windows 2000 / 2003 / 2008

Reliable & Secure . Professional, Dependable, Complete Easy to Learn, Use and Grow

ISM/ISC Middleware Module

Cisco EXAM Implementing Cisco Threat Control Solutions (SITCS) Buy Full Product.

IronPort X1000 Security System

QUESTION 1 You deploy a server that has the Exchange Server 2013 Mailbox server role and Client Access server role installed.

How to Effectively Address Archiving Requirements for In-place Messaging Solutions Integrating the AXIGEN Mail Server with Mailarchiva

Advanced Settings. Help Documentation

How to Secure a Groove Manager Web Site

CS5008: Internet Computing

Chapter 11 Cloud Application Development

Blackbaud Communication Services Overview of Delivery and FAQs

Good Practice use of Outlook, Thunderbird and HORDE Webmail

Comprehensive Filtering. Whitepaper

Sonian Getting Started Guide October 2008

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

Proxies. Chapter 4. Network & Security Gildas Avoine

eprism Security Appliance 6.0 Release Notes What's New in 6.0

sendmail Cookbook Craig Hunt O'REILLY' Beijing Cambridge Farnham Koln Paris Sebastopol Taipei Tokyo

ENABLING RPC OVER HTTPS CONNECTIONS TO M-FILES SERVER

Troubleshooting IMAP Clients and ViewMail for Outlook in Cisco Unity Connection 8.x

Instructions Microsoft Outlook Express Page 1

Securing an IP SAN. Application Brief

Mail Avenger. David Mazières New York University

SpamPanel Reseller Level Manual 1 Last update: September 26, 2014 SpamPanel

How To Secure Mail Delivery

Nokia for Business. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Account Restrictions Agreement [ARA] - Required by LuxSci HIPAA Accounts

Linux Server Support by Applied Technology Research Center. Proxy Server Configuration

OVERVIEW OF TYPICAL WINDOWS SERVER ROLES

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

eprism Security Appliance 6.0 Intercept Anti-Spam Quick Start Guide

Mail-SeCure for virtualized environment

Linux VPS with cpanel. Getting Started Guide

How to change your Internet Service Provider

Encryption. Administrator Guide

1 Accessing accounts on the Axxess Mail Server

March PGP White Paper. Transport Layer Security (TLS) & Encryption: Complementary Security Tools

Feature Comparison Guide

Cisco IronPort X1070 Security System

Solution Brief FortiMail for Service Providers. Nathalie Rivat

Funkwerk UTM Release Notes (english)

Security 7.4 Administrator s Guide

Government of Canada Managed Security Service (GCMSS) Annex A-5: Statement of Work - Antispam

U06 IT Infrastructure Policy

Access Webmail, Collaboration Tools, and Sync Mobile Devices from Anywhere

Ciphermail for BlackBerry Quick Start Guide

CIPHERMAIL ENCRYPTION. CipherMail white paper

How To Block Ndr Spam

Owner of the content within this article is Written by Marc Grote

Chapter 9 Firewalls and Intrusion Prevention Systems

BITS SECURITY TOOLKIT:

How To Protect Your Network From Attack From Outside From Inside And Outside

Advanced Administration

MCSA Objectives. Exam : TS:Exchange Server 2007, Configuring

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security

Transcription:

How to Build an Effective Mail Server Defense A multi-stage approach to securing your email communication August, 21 2006 Author: Alin Dobre, Head of Customer Support, AXIGEN GECAD Technologies 10A Dimitrie Pompei Blvd., BUCHAREST 2, ROMANIA Tel.: +40 21 303 20 80 Fax: +40 21 303 20 81 Copyright 2006 GECAD Technologies S.R.L.

When speaking of mail server-related security, one tends to limit the issue to message applied security measures, and even more to Antivirus and Antispam protection. This is however only one stage in the more complex process of securing your server. This article aims at identifying and explaining all security layers, highly important when choosing a certain mail server and consequently when configuring and using it. We have chosen a multi-stage approach for your mail server securing procedure, each stage addressing one of the security layers we consider relevant: connection-related layer, protocol security, email control parameters (including Antivirus and Antispam applications), and the configuration and management layer (most likely to be affected by human errors). Mail Server Environment Overview The sections below describe security measures adapted to each layer of security: 1. Securing mail server connections When using a newly installed mail server, administrators should first make sure they use secure connections. There are two main possibilities to secure connections: encryption and firewall-like rules. Encoding methods have continuously been developed as the Internet has become the preferred medium for data transfers. The most commonly used encryption methods are 2

SSL (Secure Sockets Layer) and TLS (Transport Layer Security). However, incorrect usage of encryption often leads to security breaches. Most common examples are web pages containing both secured and unsecured information or communications secured only after login via a plain login page. Firewall-like rules enforced at server level are recommended to backup an existing Firewall or replace it when one is not available. They can impose limitations both on established connections and on hosted traffic. We recommend creating allow/deny rules both globally (applied to all protocols and listeners) and specifically for each listener in order to prevent attacks such as DOS (Denial of service). 2. Securing mail server protocols After securing the first stage of an email transfer, the next action to take would be securing protocols. The recommended steps are to use multiple listeners for each interface and correlate them with certain allow and deny rules. Also, limiting the number of connection and authentication errors, the maximum number of commands or setting a time-out for your sessions can help protect your server from further DOS attacks. To further enhance protocol security, we recommend client control rules, based on the sender or receiver address and certain limitations regarding the number and size of email messages. Authentication is also highly important at protocol level. By implementing several authentication methods, either simple (plain, login, CRAM-MD5), or complex (GSSAPI, Kerberos), the mail server enhances communication security and is better equipped against attacks and unauthorized access. Other efficient protocol level solutions are making sure your mail server is RFC compliant and preventing email looping (a very simple method would be setting a maximum numbers of Received headers per email). 3. Securing email control parameters Apart from using different Antispam and Antivirus applications, there are further actions you should keep in mind where email control based security is concerned. One very handy option would be using gray lists. Gray listing is basically a request to have the email resent, after temporarily rejecting the email. The server saves in a list the sender IP and the recipient and returns a temporary error. All valid servers will then resend the emails, unlike spamming scripts. Please note however that many servers cannot differentiate at this time between a temporary and a permanent error. 3

Host control is another easy way to ensure only valid emails are further processed by your email server. Two well known methods are SPF (Sender Policy Framework) and DNS based black hole lists. SPF records are public details published by domains within DNS servers. Usually they point to and confirm the real addresses of domains. By using SPF checks, you can successfully prevent spam and back-scatter emails. Black lists may be either public (free of charge) or private and usually contain IP addresses of open-relay servers, open proxies and ISPs with no spam filtering. Your server needs to be set up such as to request such lists and not to accept connections initiated by IP addresses included in them. If one of your servers gets erroneously listed, to be removed from such a list, you might need to fill an online form, contact the list administrators or, in more severe situations, change your IP. A more complex authentication method is DKIM (Domain Keys Identified Mail Signature). Implemented by Yahoo and supported by Google, Cisco, Sendmail, PGP, DKIM has considerable chances of becoming the standard authentication method. The email header contains an encrypted signature and is in its turn encrypted, pointing to an encrypted key, published on DNS servers by the sending domain. The server processing the email will use this key to decode the email body. If the decryption is successful, then the email is valid. Relay rules can sometimes make the difference between a secured server and an unsecured one. Our first recommendation is to never accept open relaying, as it can easily get you black listed. Therefore you should implement a few relay rules, based on sender address/recipient address, or relay for authenticated users only. When selecting your mail server, you should make sure it has the following features: it allows creating relay rules, domain authentication is configurable, the sending interface is customizable, it supports SSL/TSL and different authentication methods and extensions. 4. Secure configuration and administration Configuration and administration are not commonly regarded as a security layer. However, the configurability features offered by the server and the actual configuration made by the user play a key part in securing your MTA. Firstly, the administrator should get acquainted to the solution, all its features and all its flaws, if any. The server executable file needs to support programming with no memory leaks, dropping root privileges (on Unices systems only), and blocking all access requests except those for public files. Access to the configuration file should be granted to the administrator only. Further more, the file should always be very specific, easy to understand and to modify, while all default values should be secure. For example, a default value allowing open relay would represent a major security flaw. 4

Alternate administration modules (web interface, command line interface) should be provided for modifying the server configuration. It is also highly important that all connections to these modules are made through SSL. To make sure you securely access these modules, we recommend using a mail server with proprietary HTTP server and HTML-based scripting language. Our most complete security recommendation is implementing a smart-hosting system. Such a system consists of several mail servers installed on different machines, each performing a specific task. The server offering the best connection and protocol security should be focused on firewall protection. The second one should run email control parameters (including Antispam and Antivirus applications). The third one should be mainly focused on domain management. However, smart hosting might require more hardware and software resources than those available within your system. Smart Hosting Conclusions The most important aspect you should keep in mind is that there is no full proof security; therefore an optimal protection should substitute perfection. At each security layer, there are possible flaws and breaches. The solution is to choose the best possible configuration and adapt it to your network s needs and topology. If you have any further questions or comments regarding the content of this article, feel free to email the AXIGEN support team. 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information