In this chapter, we will explain the security measures that have to be taken in a mail server and on a client site.
Hardening a Mail Server
For hardening a mail server, you will need to adhere to the following steps ā
Step 1. Configure mail server not to have Open Relay
Itās very important to configure your mail relay parameters to be very restrictive. All mail servers have this option, where you can specify which domains or IP addresses your mail server will relay the mails to. This parameter specifies for whom your SMTP protocol should forward the mails to. An open relay can harm you because spammers can use your mail server for spamming others, resulting in your server getting blacklisted.
Step 2. Set up SMTP authentication to control user access
SMTP Authentication forces the people who use your server to obtain permission to send mail by first supplying a username and password. This helps to prevent any open relay and abuse of your server. If configured the right way, only known accounts can use your serverās SMTP to send an email. This configuration is highly recommended when your mail server has a routed IP address.
Step 3. Limit connections to protect your server against DoS attacks
The number of connections to your SMTP server should be limited. These parameters depend on the specifications of the server hardware and itās a nominal load per day. The main parameters used to handle connection limits include: Total number of connections, total number of simultaneous connections, and maximum connection rate. To maintain optimal values for these parameters may require refinement over time. It prevents Spam Floods and DoS Attacks that target your network infrastructure.
Step 4. Activate Reverse DNS to block bogus senders
Most of the messaging systems use DNS lookups to verify the existence of the senderās email domain before accepting a message. A reverse lookup is also an interesting option for fighting off bogus mail senders. Once Reverse DNS Lookup is activated, your SMTP verifies that the senders IP address matches both the host and domain names that were submitted by the SMTP client in the EHLO/HELO Command. This is very valuable for blocking messages that fail the address matching test.
Step 5. Use DNSBL servers to fight incoming email abuse
One of the most important configurations for protecting your email server is to use DNS ā based blacklists. Checking if the sender domain or IP is known by DNSBL servers world-wide could cut down the amount of spam received substantially. Activating this option and using a maximum number of DNSBL servers will greatly reduce the impact of unsolicited incoming email. The DNSBL servers list along with all known spammers IPs and domains for this purpose are all stored in a website, the link for this website is ā https://www.spamhaus.org/organization/dnsblusage/
Step 6. Activate SPF to prevent spoofed sources
The Sender Policy Framework (SPF) is a method used to prevent spoofed sender ddresses. Nowadays, nearly all abusive email messages carry fake sender addresses. The SPF check ensures that the sending MTA is allowed to send mail on behalf of the senderās domain name. When SPF is activated on your server, the sending serverās MX record (the DNS Mail Exchange record) is validated before any message transmission takes place.
Step 7. Enable SURBL to verify message content
The SURBL (Spam URI Real-time Block Lists) detects unwanted email based on invalid or malicious links within a message. Having a SURBL filter helps to protect users from malware and phishing attacks. At present, not all mail servers support SURBL. But if your messaging server does support it, activating it will increase your server security, as well as the security of your entire network since more than 50% of Internet Security threats come from email content.
Step 8. Maintain local IP blacklists to block Spammers
Having a local IP blacklist on your email server is very important for countering specific spammers who only target you. Maintenance of the list can take resources and time, but it brings real added-value. The result is a speedy and reliable way to stop unwanted Internet connections from bothering your messaging system.
Step 9. Encrypt POP3 and IMAP authentication for privacy concerns
The POP3 and IMAP connections were not originally built with safety in mind. As a result, they are often used without strong authentication. This is a big weakness since usersā passwords are transmitted in clear text through your mail server, thus making them easily accessible to hackers and people with malicious intent. The SSLTLS is the best known and the easiest way to implement strong authentication; it is widely used and considered reliable enough.
Step 10. Have at least two MX records for any failover
Having a failover configuration is very important for availability. Having one MX record is never adequate for ensuring a continuous flow of mail to a given domain, which is why itās strongly recommended to set up at least two MXs for each domain. The first one is set as the primary, and the secondary is used if the primary goes down for any reason. This configuration is done on the DNS Zone level.
Securing Email Accounts
In this section, we will discuss how to secure the email accounts and avoid them from getting hacked.
Securing on the Client Site
The most important thing is to Create complex passwords. As there are many techniques available to crack the passwords like brute-force, dictionary attacks and password guessing.
A strong password contains ā
- 7 to 16 characters.
- Uppercase and lowercase letters
- Numbers
- Special characters
Always connect the email password with another genuine email that you have access to. So in case this email is hacked, you have the possibility to gain access again.
Install in your computer a mail antivirus, so that every email that is coming in your email client is scanned like attachments and phishing links.
If you are in the habit of using web access, then never open attachments with the .exe extensions.
It is recommended to use an encrypted email when communicating officially with important data. So it is better that the communication to be encrypted between the end users, a good tool for this is PGP Encryption Tool.