Locking Down Your Server
Security is an ever-growing concern for businesses small and large. Because email servers are constantly under attack, SmarterMail has many features built into it to protect you. This topic explains steps you can take to protect yourself, your users, and your investment.
What is Security for a Mail Server?
The word security has many meanings. SmarterTools' view is that mail server security consists of several kinds of protection:
- Protecting your data
- Protecting your users
- Protecting your service availability
- Protecting others on the internet
Below are some "Best Practices" for maintaining a locked-down server, one that can withstand the constant abuse that mail servers are subject to.
- Update SmarterMail regularly
- Disable catch-all accounts
- Restrict bounces and auto-responders
- Require SMTP authentication
Update SmarterMail Regularly
SmarterTools is constantly working to improve SmarterMail and make it even more resistant to attacks. It is recommended that you keep your copy of SmarterMail up to date in order to stay protected.
Releases are announced via a system event that displays a notification within SmarterMail when a new version is available. In addition, we occasionally update customers via our social media pages and/or via email.
Disable Catch-All Accounts
Catch-all accounts were popular in the past because of the flexibility they offer a domain administrator. All an administrator had to do was add a catch-all account, and any mail addressed to a non-existent user on the domain would drop right into that mailbox. When catch-alls were most popular, spamming methods were not as sophisticated and email harvesting attacks were not as prevalent.
Today, however, mail servers are attacked every minute of every day. Spammers run dictionary attacks against a domain, sending thousands of messages to guessed addresses. Without a catch-all, most of those guesses are rejected and the spammer learns nothing; with a catch-all, every guess is accepted and delivered, so the spammer both confirms that the domain takes mail for any address and gets every one of those messages into a mailbox.
In addition, if the catch-all user has an auto-responder enabled, the problem is doubly harmful. Spammers rarely use their real sender address, so if your user auto-responds to each of those thousands of messages and the forged addresses belong to a large email provider, you will likely end up blacklisted as a spammer yourself. (Mail reflected at forged senders in this way is known as backscatter.)
As you can see, allowing the use of catch-alls exposes you to many types of abuse. SmarterMail supports catch-alls because the feature is expected of a mail server, but to lock down your server, we recommend the following procedure to disable them:
- Alert your users that catch-alls are being disabled.
- Select the domain you want to edit.
- Click on the Configuration tab.
- Disable Catch-All Alias on the domain's Features card.
- Click Save.
Restrict Bounces and Autoresponders
Email bouncing occurs when a message cannot be delivered, for example because the recipient does not exist or the mailbox is full: a brief explanation of the error is sent back to the sender of the message. Before spam became such a problem, this was usually not an issue. Today, however, spammers will sometimes forge known spam trap addresses at places like SpamCop as the sender of the message. When your mail server bounces the message, the bounce lands in the spam trap. Enough of these, and you'll be blacklisted.
The exact same is true for autoresponders that reply to spam with a forged sender.
SmarterMail allows you to restrict bounces and autoresponders to messages that pass SPF checks, or to disable them entirely. SPF does not prove that a message is legitimate; it checks whether the connecting server is authorized to send mail for the envelope-sender domain, so a forged sender coming from an unauthorized host fails the check. Most serious spam trap operators publish SPF records, so requiring a pass keeps your bounces and autoresponders from reaching forged traps. To require SPF for bounces and autoresponders, do the following:
- First, alert your users of the new policies being put into place. Then you can make the necessary changes.
- Go to Antispam in the navigation pane and then the Options tab.
- Change Autoresponders to either Disabled or Require message pass SPF.
- Change Content Filter Bouncing to either Disabled or Require message pass SPF.
- Click Save in the content pane toolbar.
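The decision the two settings above make, as an added example that is not SmarterMail's own code: an SPF evaluator for the DNS-free subset of the syntax (ip4, ip6 and all with their qualifiers; include, a, mx, exists and redirect= need DNS lookups and are reported as temperror here rather than guessed at, which is an assumption of this example, not of SmarterMail's SPF engine), and a policy function that mirrors the Disabled / Require message pass SPF / unrestricted choices. The record strings and addresses in the comments are constructed for illustration.

```python
import ipaddress

# Result of a mechanism whose qualifier matched (RFC 7208, section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate a literal SPF record against the connecting IP.

    Offline subset: only ip4, ip6 and all are evaluated. Mechanisms that need
    DNS (include, a, mx, exists, redirect=) return "temperror" instead of a
    guess. Returns pass, fail, softfail, neutral, none, permerror or temperror.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no SPF record: nothing to check
    for term in terms[1:]:
        if "=" in term:                    # modifier, e.g. exp= or redirect=
            if term.lower().startswith("redirect="):
                return "temperror"         # would need a DNS lookup
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # "all" always matches
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed network in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "temperror"                 # needs DNS; cannot decide offline
    return "neutral"                       # nothing matched and no "all" term


def should_auto_reply(mail_from, client_ip, spf_record, policy):
    """Decide whether a bounce or autoresponder may be sent for a message.

    policy mirrors the page's choices: "disabled", "require_spf"
    (Require message pass SPF) and "always" (no restriction).
    """
    if policy == "disabled":
        return False
    if mail_from in ("", "<>"):
        return False                       # null reverse-path: never reply to a bounce
    if policy == "always":
        return True
    return evaluate_spf(spf_record, client_ip) == "pass"
```

Note that only "pass" earns a reply: softfail, neutral and none all mean the domain owner has not vouched for the sending host, so a spoofed spam-trap address with a weak or missing SPF record still gets no bounce. The null-sender rule is what stops two servers from bouncing each other's bounces back and forth.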
Require SMTP Authentication
SMTP Authentication is an unstated requirement for every domain on a modern mail server. A domain that does not require it is at serious risk of being used as a relay for spam: spammers will try thousands of addresses until they find one the server will accept mail from, and without authentication they can consume your bandwidth and system resources to send their mail.
Requiring SMTP Authentication ensures that users must supply credentials to send email through your server. This requires a change in their email clients so that the user's credentials are passed during the SMTP session, so there is often a bit of a learning curve. The change is necessary to protect your server, however; without it you are open to abuse.
To require SMTP Authentication for a domain, do the following:
- Alert your users of the change they will need to make to their email client. Due to the nature of this change, it is wise to give them a fair amount of warning.
- Select the domain you want to edit.
- Click on the Configuration tab.
- On the Security card, enable Require SMTP Authentication.
- Click Save.
It is also recommended that you update this setting in the default domain settings so that all new domains will require SMTP Authentication. In addition, to further secure the use of SMTP Authentication, you should ensure that "Require Auth Match" is set to Domain or Email Address for all domains. This means that a sender's "From" address must match the SMTP authentication address (Email Address) or at least its domain (Domain), making it more difficult for authenticated users to spoof addresses. This can be done under the SMTP In tab of the Protocol Settings.
To apply this setting to all domains on your server at once, use the Domain Propagation page in the Settings menu.
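A way to verify the catch-all, relay and auth-match settings from the outside once they are in place, covering both the Disable Catch-All Accounts section and this one. This is an added example, not SmarterMail's code or tooling: the probe function drives an smtplib session through MAIL FROM / RCPT TO and resets each transaction before DATA, so nothing is ever delivered. The ScriptedSMTP class is a stand-in constructed for this example so the probe runs offline; the domain, user names and example.net/example.org addresses are placeholders. The auth-match check assumes the mismatch is rejected at MAIL FROM; if a server enforces it only on the message header, an envelope-level probe will not see it.

```python
import secrets
import smtplib
import sys


def probe_server(conn, domain, known_user, auth=None,
                 outside_sender="probe@example.net", outside_rcpt="victim@example.org"):
    """Check an open SMTP session for the exposures described on this page.

    Each value is True (locked down), False (exposed) or None (4xx answer, e.g.
    greylisting, so repeat later). Every transaction is reset before DATA, so no
    message is ever sent. auth=(user, password) adds the Require Auth Match check.
    """
    def transaction(sender, recipient):
        code, _ = conn.mail(sender)
        if 200 <= code < 300:
            code, _ = conn.rcpt(recipient)
        conn.rset()
        return code

    def locked(code, reject_is_good):
        if 400 <= code < 500:
            return None
        accepted = 200 <= code < 300
        return (not accepted) if reject_is_good else accepted

    bogus = f"{secrets.token_hex(8)}@{domain}"   # a local part that cannot exist
    results = {
        # 250 for an impossible address means the domain accepts anything: catch-all is on
        "catch_all_disabled": locked(transaction(outside_sender, bogus), True),
        # a real user must be accepted, otherwise the catch-all verdict proves nothing
        "known_user_accepted": locked(transaction(outside_sender, f"{known_user}@{domain}"), False),
        # outside sender to outside recipient without AUTH must be refused (open relay otherwise)
        "relay_denied": locked(transaction(outside_sender, outside_rcpt), True),
    }
    if auth:
        conn.login(*auth)
        # authenticated, but claiming an outside domain as sender: the Domain and
        # Email Address modes both reject this; "None" lets the user spoof it
        results["auth_match_enforced"] = locked(
            transaction(outside_sender, f"{known_user}@{domain}"), True)
    return results


class ScriptedSMTP:
    """Offline stand-in for smtplib.SMTP, constructed for this example only.

    It answers the way a server with the given settings would, so the probe can
    be exercised without a live mail server.
    """
    def __init__(self, domain, users, catch_all=False, open_relay=False, auth_match="email"):
        self.domain, self.users = domain.lower(), {u.lower() for u in users}
        self.catch_all, self.open_relay, self.auth_match = catch_all, open_relay, auth_match
        self.auth_user = None

    def login(self, user, password):
        self.auth_user = user.lower()
        return (235, b"2.7.0 Authentication successful")

    def mail(self, sender):
        if self.auth_user and self.auth_match != "none":
            local, _, dom = sender.lower().rpartition("@")
            auth_local, _, auth_dom = self.auth_user.rpartition("@")
            if dom != auth_dom or (self.auth_match == "email" and local != auth_local):
                return (550, b"5.7.1 Sender does not match authenticated user")
        return (250, b"2.1.0 OK")

    def rcpt(self, recipient):
        local, _, dom = recipient.lower().rpartition("@")
        if dom == self.domain:
            if local in self.users or self.catch_all:
                return (250, b"2.1.5 OK")
            return (550, b"5.1.1 No such user")
        if self.auth_user or self.open_relay:
            return (250, b"2.1.5 OK")
        return (554, b"5.7.1 Relay access denied")

    def rset(self):
        return (250, b"2.0.0 OK")


if __name__ == "__main__":
    # usage: python smtp_probe.py mail.example.com example.com alice [user password]
    host, domain, known_user = sys.argv[1:4]
    creds = tuple(sys.argv[4:6]) or None
    with smtplib.SMTP(host, 25, timeout=20) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):      # never send credentials in the clear
            smtp.starttls()
            smtp.ehlo()
        for check, ok in probe_server(smtp, domain, known_user, auth=creds).items():
            print(f"{check:22} {'OK' if ok else 'INCONCLUSIVE' if ok is None else 'EXPOSED'}")
```

Run it from a host outside your own network, since relay rules usually whitelist internal addresses. A 250 for the impossible address can also mean the server defers recipient validation until after DATA rather than that a catch-all is enabled, so confirm an EXPOSED catch-all verdict in the domain's Features card before acting on it.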