1. Configure Mail Relay Options to Prevent Open Relay
It’s important to configure the mail relay parameter to be restrictive. All mail servers have this option to specify which domains or IP addresses will act as a relay. Misconfiguration of this option can result in spammers using the mail server and network resources as a gateway to spam others. The end result could be blacklisting of the organization’s domains or IP addresses.
2. Set up SMTP Authentication to Control User Access
SMTP authentication enforces users on the mail server to get permission to send emails by entering their username and password. This helps to prevent open relay and abuse of the mail server. When configured correctly, only known accounts can access the server’s SMTP service. This configuration is recommended when your mail server has a routed IP address.
3. Limit Connections to Thwart DoS Attacks
Limit the number of connections to the SMTP server. These parameters depend on the specifications of the server hardware (memory, NIC bandwidth, CPU, etc.) and its nominal load per day. The main parameters used to handle connection limits include:
- Total number of connections
- Total number of simultaneous connections
- Maximum connection rate
To maintain optimal values for these parameters, it may need some refinement over time. This is helpful to mitigate spam floods and DoS attacks that target your network infrastructure.
4. Activate Reverse DNS to Block Bogus Senders
Most messaging systems use DNS lookups to verify the existence of a sender’s email domain before accepting the message. This is an interesting option for fighting off bogus mail senders. Once Reverse DNS Lookup is activated, your SMTP verifies that the senders IP address matches both the host and domain names that were submitted by the SMTP client in the EHLO/HELO command. This is valuable for blocking messages that fail the address matching test.
5. Use Domain Name System Blacklists (DNSBL) to Block Spammers
One of the most important configurations for protecting your email server is to use DNS-based blacklists. DNSBL checks if the sender’s domain or IP is known, for example, Spamhaus. Activating this option and using the maximum number of DNSBL servers reduces the number of unsolicited incoming email. DNSBL contain all known spammers’ IPs and domains for this purpose.
6. Activate Sender Policy Framework (SPF) to Inhibit Spoofed Sources
SPF is a method used to prevent spoofed sender addresses. Almost all phishing email messages use fake sender addresses. The SPF checks to ensure that the sending mail transfer agent (MTA) is allowed to send mail on behalf of the sender’s domain name. When SPF is activated on the server, the sending server’s mail exchanger (MX) record (the DNS Mail Exchange record) is validated before the message transmission takes place.
7. Enable Spam URI Real-Time Block Lists (SURBL) to Verify Message Content
SURBL detects unwanted email based on invalid or malicious links within a message. Having a SURBL filter helps to protect users from malware and phishing attacks. At present, not all mail servers support SURBL. If the messaging server does support it, activating it will increase server security, as well as the security of the entire network.
8. Maintain a Local IP Blacklists to Block Spammers
Having a local IP blacklist on the email server is an important defense to counter spammers who only target a specific organization. Maintaining the list requires resources and time, but the result is a speedy and reliable way to stop spammers from cluttering the email server.
9. Encrypt POP3 and IMAP Authentication for Privacy Concerns
POP3 and IMAP connections were not originally built with safety in mind. As a result, they are often used without strong authentication. This is a significant weakness since users’ passwords are transmitted in clear text through the mail server, thus making them easily accessible to hackers. Transport Layer Security (TLS) and Secure Sockets Layer (SSL) can be used to encrypt connections between servers.
10. Use at Least Two Mail Exchanger Records (MX Records) for Failover
Having a failover configuration is important for availability. One MX record is never adequate to ensure a continuous flow of mail to a given domain. The first one is set as the primary, and the second record is used if the primary goes down. This configuration is done on the DNS Zone level.
11. Add a Spam Filter
Spam does nothing but clutter mailboxes and phishing is a security threat to the organization. A good filter should prevent most spam from reaching inboxes. Spam and phishing emails are always evolving so the service needs to be frequently updated for ongoing protection.