Securing your Email Server

Technology
Summary

 Avoid being an Open Relay
 Use SMTP authentication
 Limit SMTP Connections
 Activate Reverse DNS
 Use DNSBL servers
 Activate SPF
 Enable Spam URI Realtime Block Lists
 Use at least 2 MX records for failover
 Maintain local IP blacklists
 Encrypt POP3 and IMAP Authentication

1. Do not be an Open Relay

Configure your mail relay parameter to be very restrictive. You can specify which domains or IP addresses your mail server will relay mail for. In other words, this parameter specifies for whom your SMTP server should forward mail. Misconfiguring this option can harm you, because spammers may use your mail server (and network resources) as a gateway for spamming others, resulting in your getting blacklisted.

2. Use SMTP Authentication for Access Control

SMTP Authentication forces those who use your server to obtain permission to send mail by first supplying their account information. This helps to prevent open relay and abuse of your server. If configured correctly, only known accounts can use your server's SMTP to send email. Configuring SMTP Authentication is highly recommended when your mail server has a routed IP address.
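The relay rule from sections 1 and 2, written out as the decision a server makes for each recipient. This is an added example, not code from the original article; the local domain, trusted network and function names are assumptions chosen for illustration.

```python
import ipaddress

# Assumed policy values for illustration (not from the article).
LOCAL_DOMAINS = {"example.org"}                        # domains we host mail for
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # hosts allowed to relay


def rcpt_domain(address):
    """Return the lower-cased domain part of an RCPT TO address."""
    return address.rsplit("@", 1)[-1].strip("<> ").lower()


def relay_decision(client_ip, authenticated, rcpt_to):
    """Decide what to do with one RCPT TO command.

    Returns "accept-local", "relay" or "reject".
    """
    if "@" not in rcpt_to:
        return "reject"                  # no domain part to evaluate
    if rcpt_domain(rcpt_to) in LOCAL_DOMAINS:
        return "accept-local"            # final delivery, not relaying
    if authenticated:
        return "relay"                   # client passed SMTP Authentication
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return "relay"                   # explicitly trusted network
    return "reject"                      # anyone else would make us an open relay
```

The last line is the one that matters: relaying is denied unless a rule explicitly allows it.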

3. Limit SMTP Connections

The number of connections to your SMTP server needs to be limited to protect your server against DoS attacks. These parameters depend on the specifications of the server hardware (memory, NIC bandwidth, CPU, etc.) and its nominal daily load. The key parameters used to handle connection limits include the total number of connections, the total number of simultaneous connections, and the maximum connection rate. Maintaining optimal values for these parameters may require refinement over time.

This can be worthwhile for mitigating spam floods and DoS attacks that target your network infrastructure.
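A small model of the three limits described above, as an added example that is not part of the original article. The class name, the default values and the choice to apply the simultaneous and rate limits per client IP are assumptions.

```python
from collections import defaultdict, deque


class ConnectionLimiter:
    """Tracks the three connection limits (all default values are assumptions)."""

    def __init__(self, max_total=100, max_per_ip=5, max_rate=10, window=60.0):
        self.max_total = max_total        # open connections, all clients
        self.max_per_ip = max_per_ip      # simultaneous connections per client
        self.max_rate = max_rate          # new connections per client per window
        self.window = window              # length of the rate window, seconds
        self.open = defaultdict(int)      # ip -> currently open connections
        self.recent = defaultdict(deque)  # ip -> timestamps of recent connects

    def try_connect(self, ip, now):
        """Return (allowed, reason); `now` is a timestamp in seconds."""
        stamps = self.recent[ip]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()              # forget connects outside the window
        if sum(self.open.values()) >= self.max_total:
            return False, "total"
        if self.open[ip] >= self.max_per_ip:
            return False, "per-ip"
        if len(stamps) >= self.max_rate:
            return False, "rate"
        stamps.append(now)
        self.open[ip] += 1
        return True, "ok"

    def disconnect(self, ip):
        """Record that one connection from `ip` has closed."""
        if self.open[ip] > 0:
            self.open[ip] -= 1
```

Rejected attempts are not counted against the rate window here, so a client that backs off recovers once its old connections age out.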

4. Activate Reverse DNS

Most messaging systems use DNS lookups to verify the existence of the sender's email domain before accepting a message. A reverse lookup is also a useful option for rejecting bogus mail senders. Once Reverse DNS Lookup is activated, your SMTP server verifies that the sender's IP address matches both the host and domain names that were submitted by the SMTP client in the EHLO/HELO command.

This is very valuable for blocking messages that fail the address matching test.
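The address matching test described above, as an added example that is not from the original article. It looks up the PTR name for the client IP, confirms that the name resolves back to the same IP, then compares it with the EHLO/HELO name; the sample DNS records are constructed and all function names are assumptions.

```python
import socket

# Constructed DNS data for an offline run (documentation address ranges).
SAMPLE_PTR = {"192.0.2.25": ["mail.example.org."],
              "192.0.2.99": ["host.example.net."]}
SAMPLE_A = {"mail.example.org": ["192.0.2.25"],
            "host.example.net": ["198.51.100.1"]}


def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])


def sample_a(name):
    return SAMPLE_A.get(name, [])


def system_ptr(ip):
    """PTR lookup through the OS resolver, for use against live DNS."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []


def system_a(name):
    """Forward lookup through the OS resolver, for use against live DNS."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def check_client(ip, helo, ptr_lookup=sample_ptr, a_lookup=sample_a):
    """Return "pass", "no-ptr", "ptr-unconfirmed" or "helo-mismatch"."""
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return "no-ptr"                  # IP has no reverse record at all
    # Keep only PTR names whose forward lookup leads back to the same IP.
    confirmed = [n for n in names if ip in a_lookup(n)]
    if not confirmed:
        return "ptr-unconfirmed"         # PTR exists but does not resolve back
    if helo.rstrip(".").lower() not in confirmed:
        return "helo-mismatch"           # client announced a different name
    return "pass"
```

Pass `system_ptr` and `system_a` as the two lookup arguments to run the same check against real DNS.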

5. Use DNSBL servers to address incoming email abuse

One of the most important configurations for protecting your email server is to use DNS-based blacklists. Checking whether the sender domain or IP is known to DNSBL servers worldwide (e.g., Spamhaus, etc.) can substantially reduce the amount of received spam. Activating this option and using an optimal number of DNSBL servers will help reduce the impact of unsolicited incoming email.

DNSBL servers list all known spammers' IPs and domains for this purpose.
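How a DNSBL check works on the wire, as an added example that is not from the original article. The client IP is reversed, prepended to the list's zone and looked up as an A record; an answer in 127.0.0.0/8 means "listed". The zone names and sample records are constructed placeholders, and the function names are assumptions.

```python
import ipaddress

# Constructed DNSBL answers for an offline run; zone names are placeholders.
SAMPLE_RECORDS = {
    "99.2.0.192.dnsbl.example.org": ["127.0.0.2"],      # listed
    "99.2.0.192.parked.example.net": ["203.0.113.80"],  # wildcard, not a listing
}


def sample_lookup(name):
    """Return the A records for `name` from the constructed table."""
    return SAMPLE_RECORDS.get(name, [])


def dnsbl_query_name(ip, zone):
    """Build the DNS name to query for `ip` in the DNSBL `zone`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))            # octets, reversed
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # nibbles, reversed
    return ".".join(labels) + "." + zone


def listed_in(ip, zones, a_lookup=sample_lookup):
    """Return the zones that list `ip`.

    Only answers inside 127.0.0.0/8 count. Any other address (for example
    from an expired zone that now answers every query) is ignored rather
    than treated as a listing.
    """
    hits = []
    for zone in zones:
        answers = a_lookup(dnsbl_query_name(ip, zone))
        if any(a.startswith("127.") for a in answers):
            hits.append(zone)
    return hits
```

Returning the list of matching zones lets the caller require more than one hit before rejecting, which is one way to tune how many DNSBL servers to rely on.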

6. Activate Sender Policy Framework

Sender Policy Framework (SPF) is a method used to prevent spoofed sender addresses. Nowadays, nearly all abusive email messages carry fake sender addresses. The SPF check ensures that the sending MTA is allowed to send mail on behalf of the sender's domain name. When SPF is activated on your server, the sending server's MX record (the DNS Mail Exchange record) is validated before message transmission takes place.

7. Enable Spam URI Realtime Block Lists

Spam URI Realtime Block Lists (SURBL) detect unwanted email based on invalid or malicious links within a message. Having a SURBL filter helps to protect users from malware and phishing attacks. At present, not all mail servers support SURBL. But if your messaging server does support it, activating it will increase your server security, as well as the security of your entire network, since more than 50% of Internet security threats originate from email content.

8. Have at least 2 MX records for failover

Having a failover configuration is critical for availability. Having one MX record isn't adequate for ensuring a continuous flow of mail to a given domain, which is why it's strongly recommended to set up at least 2 MXs for each domain. The first one is set as the primary, and the secondary is used if the primary goes down for any reason. This configuration is done at the DNS Zone level.

9. Maintain local IP blacklists to bar spammers

Use a local IP blacklist on your email server to block specific spammers who only target you. This list costs additional maintenance resources and time. Its value lies in the quick turnaround with which it stops unwanted Internet connections from bothering your messaging system.

10. Encrypt POP3 and IMAP Authentication

POP3 and IMAP connections were not originally designed with security in mind. As a result, they are often used without strong authentication. This is a big weakness, since users' passwords are transmitted in clear text through your mail server, making them easily accessible to hackers and others with malicious intent. SSL/TLS is the best known and fastest way to implement strong authentication; it is widely used and considered reliable enough.

Last updated 172 days ago by chiefsoft2