This documentation is for a product that is no longer supported by SmarterTools.
Locking Down Your Server
Security is an ever-growing concern to business small and large. Because email servers
are constantly under attack, SmarterMail has many features built into it to protect
you. This topic explains steps you can take to protect yourself, your users, and
your investment.
What is Security for a Mail Server?
The word security has many meanings. SmarterTools' opinion is that mail server security
is comprised of several types of protection:
- Protecting your data
- Protecting your users
- Protecting your service availability
- Protecting others on the internet
Below are some "Best Practices" for maintaining a locked-down server, one that can
withstand the constant abuse that mail servers are subject to.
Update SmarterMail Regularly
SmarterTools is constantly working to improve SmarterMail and make it even more
resistant to attacks. It is recommended that you keep your copy of SmarterMail up
to date in order to stay protected.
Major and minor SmarterMail version releases are announced on our social media pages as well as the News items on the Support Portal. Email notices are sent to SmarterMail customers who are subscribed to receive these notifications. You can manage your mailing list subscriptions at My Account.
Disable Catch-All Accounts
Catch-all accounts were popular in the past because of the flexibility they offer
to a domain administrator. All an administrator had to do was add a catch-all account,
and any mail that was mis-delivered would drop right into his mailbox.
When catch-alls were most popular, spamming methods were not as sophisticated, and
email harvesting attacks were not so prevalent.
Today, however, mail servers get attacked every minute of every day. Spammers assault
email domains with thousands of spam messages sent to different email accounts in
the hope that they will strike a hit to verify that the email account exists
and to deliver another spam email.
In addition, if the catch-all user has an auto-responder enabled, the problem can
be doubly harmful. Spammers rarely use their real email address, so if your user
auto-responds to each of the thousands of messages above, and they happen to go
to a large email provider, you will likely end up getting blacklisted as a spammer
yourself.
As you can see, allowing the use of catch-all accounts exposes you to many types
of abuse. SmarterMail allows catch-alls because it is expected in a mail server,
but to lock down your server, we recommend the following procedure that will disable
catch-alls:
- Alert your users that catch-alls are being disabled.
- Click on the Domains icon and edit the desired domain.
- Click on the Features tab.
- Uncheck Catch-All Alias.
- Click Save.
Restrict Bounces and Auto-Responders
Email Bouncing occurs when delivery failures occur or a mailbox is full. A brief
explanation of the error is sent back to the original sender of the message. Before
spam became such a problem, this was usually not an issue. Today, however, spammers
will sometimes spoof known spam trap accounts at places like SpamCop as the sender
of the message. Thus, when your mail server bounces the message, the bounce ends
up in the spam trap. Enough of these, and you'll be blacklisted.
The exact same is true for auto-responders that reply back to spoofed spam email.
SmarterMail allows you to restrict bounces and auto-responders to only those accounts
that pass SPF checks, or to disable them entirely. SPF verifies that an email is
not spoofed, and most of the serious spam trap accounts out there have SPF set up.
To require SPF for bounces and auto-responders, do the following:
- Alert your users of the new policies being put into place.
- Click on the Security icon.
- Click on Antispam Administration in the navigation pane and then the Options tab.
- Change Auto-Responders to either Disabled or Require message passed SPF.
- Change Content Filter Bouncing to either Disabled or Require message passed SPF.
- Click Save in the content pane toolbar.
Require SMTP Authentication
SMTP Authentication is an unspoken requirement of domains on modern mail servers.
Any domain that does not have Authentication enabled is at a serious risk of being
a relay for spam. Spammers will try thousands of email accounts until they find
one to send through, and if Authentication is not enabled, they will be able to
use up your bandwidth and system resources to send mail.
Enabling SMTP Authentication ensures that users must supply credentials to send
email from your server. This requires a change in their email clients so that the
account information gets passed in SMTP, so there is often a bit of a learning curve.
This process is necessary and important to protect your server, however, and without
you are open for abuse.
To require SMTP Authentication for a domain, do the following:
- Alert your users of the change they will need to make to their email client. Due
to the nature of this change, it is wise to give them a fair amount of warning.
- Click on the Domains icon and edit the desired domain.
- Click on the Technical tab.
- Check Require SMTP Authentication.
- Click Save.
It is also recommended that you update this setting in the default domain settings so
that all new domains will require SMTP Authentication. In addition, to further secure the use of SMTP Authentication, you should ensure that "Require Auth Match" is set to Domain or Email Address for all domains. This means that a sender's "From" address much match the SMTP authentication address or domain, making it more difficult for users to spoof addresses. This can be done under the SMTP In tab of the Protocol Settings.
To apply this setting to all domains on your server at once, use the Domain Propagation page in the Settings menu.
Encourage the Adoption of SPF
SPF is an excellent method of preventing email spoofing, protecting your users from
having their domain show up on spam throughout the world. SPF, however, is only
as effective as you make it, as it requires changes to your DNS servers for each
domain you host email for.
It is in the best interest of all email users everywhere that domain administrators
add SPF records to their domain that indicate what servers are authorized to send
email for their domain. Encouraging your domain administrators to adopt SPF protects
them from being the victims of spoofing, and reduces the spam threat on not only
your server, but others throughout the world as well.
More information can be found at: http://www.openspf.net/