Locking Down Your Server
Security is an ever-growing concern to business small and large. Because email servers
are constantly under attack, SmarterMail has many features built into it to protect
you. This topic explains steps you can take to protect yourself, your users, and
your investment.
What is Security for a Mail Server?
The word security has many meanings. SmarterTools' opinion is that mail server security
is comprised of several types of protection:
- Protecting your data
- Protecting your users
- Protecting your service availability
- Protecting others on the internet
Below are some "Best Practices" for maintaining a locked-down server, one that can
withstand the constant abuse that mail servers are subject to.
Update SmarterMail Regularly
SmarterTools is constantly working to improve SmarterMail and make it even more
resistant to attacks. It is recommended that you keep your copy of SmarterMail up
to date in order to stay protected.
Major and minor SmarterMail version releases are announced on our social media pages as well as the News items on the Support Portal. Email notices are sent to SmarterMail customers who are subscribed to receive these notifications. You can manage your mailing list subscriptions at My Account.
Disable Catch-All Accounts
Catch-all accounts were popular in the past because of the flexibility they offer
to a domain administrator. All an administrator had to do was add a catch-all account,
and any mail that was mis-delivered would drop right into his mailbox.
When catch-alls were most popular, spamming methods were not as sophisticated, and
email harvesting attacks were not so prevalent.
Today, however, mail servers get attacked every minute of every day. Spammers assault
email domains with thousands of spam messages sent to different email accounts in
the hope that they will strike a hit to verify that the email account exists
and to deliver another spam email.
In addition, if the catch-all user has an auto-responder enabled, the problem can
be doubly harmful. Spammers rarely use their real email address, so if your user
auto-responds to each of the thousands of messages above, and they happen to go
to a large email provider, you will likely end up getting blacklisted as a spammer
yourself.
As you can see, allowing the use of catch-all accounts exposes you to many types
of abuse. SmarterMail allows catch-alls because it is expected in a mail server,
but to lock down your server, we recommend the following procedure that will disable
catch-alls:
- Alert your users that catch-alls are being disabled.
- Click on the Domains icon and edit the desired domain.
- Click on the Configuration tab.
- Disable Catch-All Alias.
- Click Save.
Restrict Bounces and Autoresponders
Email Bouncing occurs when delivery failures occur or a mailbox is full. A brief
explanation of the error is sent back to the original sender of the message. Before
spam became such a problem, this was usually not an issue. Today, however, spammers
will sometimes spoof known spam trap accounts at places like SpamCop as the sender
of the message. Thus, when your mail server bounces the message, the bounce ends
up in the spam trap. Enough of these, and you'll be blacklisted.
The exact same is true for autoresponders that reply back to spoofed spam email.
SmarterMail allows you to restrict bounces and autoresponders to only those accounts
that pass SPF checks, or to disable them entirely. SPF verifies that an email is
not spoofed, and most of the serious spam trap accounts out there have SPF set up.
To require SPF for bounces and autoresponders, do the following:
- First, alert your users of the new policies being put into place. Then you can make the necessary changes.
- Click on Antispam in the navigation pane and then the Options tab.
- On the Options card, change Autoresponders to either Disabled or Require message passed SPF.
- Change Content Filter Bouncing to either Disabled or Require message passed SPF.
- Click Save in the content pane toolbar.
Require SMTP Authentication
SMTP Authentication is an unspoken requirement of domains on modern mail servers.
Any domain that does not have Authentication enabled is at a serious risk of being
a relay for spam. Spammers will try thousands of email accounts until they find
one to send through, and if Authentication is not enabled, they will be able to
use up your bandwidth and system resources to send mail.
Enabling SMTP Authentication ensures that users must supply credentials to send
email from your server. This requires a change in their email clients so that the
account information gets passed in SMTP, so there is often a bit of a learning curve.
This process is necessary and important to protect your server, however, and without
you are open for abuse.
To require SMTP Authentication for a domain, do the following:
- Alert your users of the change they will need to make to their email client. Due
to the nature of this change, it is wise to give them a fair amount of warning.
- Click on the Domains icon and edit the desired domain.
- Click on the Configuration tab.
- On the Security card, enable Require SMTP Authentication.
- Click Save.
It is also recommended that you update this setting in the default domain settings so
that all new domains will require SMTP Authentication. In addition, to further secure the use of SMTP Authentication, you should ensure that "Require Auth Match" is set to Domain or Email Address for all domains. This means that a sender's "From" address much match the SMTP authentication address or domain, making it more difficult for users to spoof addresses. This can be done under the SMTP In tab of the Protocol Settings.
To apply this setting to all domains on your server at once, use the Domain Propagation page in the Settings menu.
Copyright © SmarterTools Inc. All rights reserved.