Securing your Email server

Posted on 14-11-2017 by Nadir Latif


Introduction

Recently I had the opportunity of managing an email server for a client. This blog post describes my experience with installing, configuring and securing an email server. Many companies have their own email servers, but one thing I noticed about in-house email servers is that they are very unreliable. A very high percentage of emails sent to custom email addresses like user@abccompany.com cannot be delivered. The most likely cause is careless implementation of the email server. Email is a critical part of the IT infrastructure, so implementing it correctly is very important. The email server I installed and configured is called Postfix. Postfix is one of the most popular mail transfer agents. It runs on most Unix-based systems such as AIX, BSD, HP-UX, Linux, Mac OS X and Solaris. Best of all, Postfix is free and open source.

Installing and configuring Postfix Email Server

Installing the Postfix email server is as simple as entering an install command such as yum install postfix on CentOS servers. After that you have to edit the main.cf and master.cf configuration files in /etc/postfix. The Postfix website has useful documentation on basic configuration. Some of the important configuration parameters are myorigin, mydestination, mynetworks, relay_domains, relayhost, myhostname, mydomain and inet_interfaces. These parameters are set in /etc/postfix/main.cf. After the parameters have been updated, reload the configuration with the command postfix reload. Hosts inside the networks listed in mynetworks can now send email through your Postfix server; clients elsewhere need SMTP authentication, which is outside the scope of this post. Installation and basic configuration of Postfix results in a fully operational mail server, but it does not guarantee reliable, error-free mail delivery: other mail servers will treat your mail with suspicion until the server and your DNS are set up properly. To ensure that your email is delivered reliably, your mail server needs to be secured.

Securing your email server

Email relies heavily on DNS (Domain Name System). Most of the techniques for securing email require changes to your domain's DNS records, not only to the mail server itself. Some of the steps that can be taken to secure an email server are:
  1. Open Relay prevention

    Open Relay prevention should be the first step in securing your mail server. An Open Relay is a mail server that accepts email from any client for delivery to any destination. Open relays are quickly found and abused by spammers and malware, and the server's IP address then ends up on blacklists. To prevent Postfix from working as an open relay, restrict mynetworks (and mynetworks_style) to the networks you actually trust and keep relay_domains limited to the domains you really relay for. On Postfix 2.10 and later the smtpd_relay_restrictions parameter enforces this; its default of permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination is safe as long as mynetworks is not too broad. Note that relayhost only controls where your own outbound mail is forwarded; it does nothing to stop others from relaying through you. Use an online open relay test (MxToolbox offers one) to check whether your mail server relays for strangers.
  2. Spam prevention

    Postfix has built-in protection against spam. The smtpd_recipient_restrictions and smtpd_sender_restrictions parameters in main.cf hold lists of restrictions that are evaluated in order for each incoming message; the first restriction that permits or rejects decides, so order matters and a permissive entry early in the list overrides every reject after it. Useful restrictions are reject_unknown_sender_domain (the sender's domain must exist in DNS), reject_unknown_reverse_client_hostname (the client IP must have a PTR record) and reject_rbl_client with a DNS blacklist such as zen.spamhaus.org.
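To make the behaviour of these two restriction lists concrete, here is a small model of how Postfix decides a RCPT TO command, written for this page (it is not Postfix code and not from the original post). It covers only the five restrictions named above; the DNS, DNSBL and SASL lookups Postfix would make are replaced by constructed sets, and the IP addresses are from the documentation ranges. The names evaluate, decide, OPEN_RELAY and HARDENED are mine.

```python
import ipaddress

# Constructed stand-ins for the lookups Postfix performs (not real data):
LOCAL_DOMAINS = {"abccompany.com"}          # mydestination
RELAY_DOMAINS = set()                       # relay_domains (empty: relay only for our own domain)
DNSBL_LISTED = {"198.51.100.7"}             # clients a DNSBL such as zen.spamhaus.org would list
RESOLVABLE_DOMAINS = {"abccompany.com", "example.org"}   # domains with an MX or A record

def evaluate(restrictions, session, mynetworks):
    """Evaluate a Postfix-style restriction list for one RCPT TO command.
    The first restriction that yields permit or reject decides; the others
    only fall through. Postfix permits when the end of the list is reached."""
    client = ipaddress.ip_address(session["client_ip"])
    rcpt_domain = session["rcpt"].rsplit("@", 1)[1].lower()
    sender_domain = session["sender"].rsplit("@", 1)[1].lower()
    for r in restrictions:
        if r == "permit_mynetworks" and any(client in ipaddress.ip_network(n) for n in mynetworks):
            return "permit"
        if r == "permit_sasl_authenticated" and session["sasl_authenticated"]:
            return "permit"
        if r == "reject_unauth_destination" and rcpt_domain not in LOCAL_DOMAINS | RELAY_DOMAINS:
            return "554 5.7.1 Relay access denied"
        if r == "reject_unknown_sender_domain" and sender_domain not in RESOLVABLE_DOMAINS:
            return "450 4.1.8 Sender address rejected: Domain not found"
        if r == "reject_rbl_client" and str(client) in DNSBL_LISTED:
            return "554 5.7.1 Service unavailable; client blocked by DNSBL"
    return "permit"

def decide(config, session):
    """Postfix checks smtpd_relay_restrictions first, then smtpd_recipient_restrictions;
    the recipient is accepted only if both lists permit it."""
    for key in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        result = evaluate(config.get(key, []), session, config["mynetworks"])
        if result != "permit":
            return result
    return "permit"

RELAY_RULES = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]

# The careless configuration: every IPv4 address counts as a trusted network.
OPEN_RELAY = {"mynetworks": ["0.0.0.0/0"], "smtpd_relay_restrictions": RELAY_RULES}

# The hardened configuration: only localhost and the office LAN are trusted, and
# inbound mail must come from a resolvable sender domain and an unlisted IP.
HARDENED = {"mynetworks": ["127.0.0.0/8", "192.0.2.0/24"],
            "smtpd_relay_restrictions": RELAY_RULES,
            "smtpd_recipient_restrictions": ["reject_unknown_sender_domain", "reject_rbl_client"]}

# Constructed SMTP sessions (documentation IP ranges).
SPAM_RELAY_ATTEMPT = {"client_ip": "198.51.100.7", "sasl_authenticated": False,
                      "sender": "promo@bogus-offers.invalid", "rcpt": "victim@example.org"}
INBOUND_FROM_LISTED_IP = {"client_ip": "198.51.100.7", "sasl_authenticated": False,
                          "sender": "someone@example.org", "rcpt": "user@abccompany.com"}
INBOUND_CLEAN = {"client_ip": "203.0.113.5", "sasl_authenticated": False,
                 "sender": "someone@example.org", "rcpt": "user@abccompany.com"}
ROAMING_USER = {"client_ip": "203.0.113.5", "sasl_authenticated": True,
                "sender": "user@abccompany.com", "rcpt": "friend@example.org"}

if __name__ == "__main__":
    for name, s in [("spam relay attempt", SPAM_RELAY_ATTEMPT), ("inbound, listed IP", INBOUND_FROM_LISTED_IP),
                    ("inbound, clean IP", INBOUND_CLEAN), ("roaming user (SMTP AUTH)", ROAMING_USER)]:
        print(f"{name:26} open relay: {decide(OPEN_RELAY, s):40} hardened: {decide(HARDENED, s)}")
```

With mynetworks set to 0.0.0.0/0 the first restriction matches every client, so the spammer's relay attempt is permitted before reject_unauth_destination is ever reached; the hardened configuration rejects the same attempt with 554, still accepts mail for the local domain from a clean IP, and still lets an authenticated roaming user send outbound mail.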
  3. Sender Policy Framework (SPF)

    SPF is a DNS-based mechanism that lists the mail servers allowed to send email for a given domain. It is published as a TXT record on your domain that names the IP addresses (or the A and MX hosts) permitted to send mail, and it ends with a qualifier on "all": -all means unlisted senders fail, ~all means they soft-fail. When a mail server receives a message whose envelope sender (the SMTP MAIL FROM address) is in your domain, it looks up your SPF record and checks whether the connecting IP address is listed. Note that SPF checks the envelope sender, not the From header the user sees, and it breaks when mail is forwarded, which is why it is normally combined with DKIM and DMARC.
  4. Reverse DNS

    DNS maps host names to IP addresses, while Reverse DNS does the opposite: it maps an IP address to a host name through a PTR record. When an email server receives a connection it may look up the PTR record of the connecting IP address. If there is no PTR record, if the name it returns does not resolve back to the same address (forward-confirmed reverse DNS), or if it does not match the name the sending server gives in its HELO command, the message may be rejected or scored as spam. Unlike the other records in this list, the PTR record does not live in your domain's zone; it has to be set by whoever owns the IP address, usually your hosting provider. Postfix can enforce the same check on incoming mail with the reject_unknown_reverse_client_hostname and reject_unknown_client_hostname restrictions.
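The SPF check described in step 3 and the forward-confirmed reverse DNS check of step 4 are both lookups against DNS, so here is one added example that implements both against a constructed zone table (example code written for this page, not part of the original post or of any SPF library). The SPF evaluator handles the ip4, a, mx, include and all mechanisms of RFC 7208 and nothing else; the DNS table, the domain _spf.mailprovider.example and the function names check_spf and check_fcrdns are my assumptions.

```python
import ipaddress

# Constructed zone data standing in for live DNS answers (not real records).
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
DNS = {
    ("abccompany.com", "TXT"): ["v=spf1 mx ip4:192.0.2.0/24 include:_spf.mailprovider.example -all"],
    ("abccompany.com", "MX"): ["mail.abccompany.com"],
    ("mail.abccompany.com", "A"): ["192.0.2.10"],
    ("_spf.mailprovider.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.abccompany.com"],    # genuine PTR for our server
    ("7.100.51.198.in-addr.arpa", "PTR"): ["mail.abccompany.com"],  # forged PTR on a spammer's IP
}

def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for sending address `ip`.
    Handles the ip4, a, mx, include and all mechanisms (no ip6/exists/ptr, no redirect=,
    no macros). Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                                   # RFC 7208 limit on DNS-querying terms
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        if "=" in term:                              # modifier (redirect=, exp=): not modelled
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qualifier]
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx"):
            target = arg or domain
            hosts = lookup(target, "MX") if mech == "mx" else [target]
            matched = any(str(addr) in lookup(h, "A") for h in hosts)
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"                       # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                                 # nothing matched and no 'all' term

def check_fcrdns(ip, helo_name):
    """Forward-confirmed reverse DNS: resolve the PTR for the client IP, then require that
    the resulting name resolves back to that IP. Returns (status, ptr_name)."""
    names = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    if not names:
        return ("no-ptr", None)
    for name in names:
        if ip in lookup(name, "A"):
            return ("confirmed" if name.lower() == helo_name.lower() else "helo-mismatch", name)
    return ("ptr-not-confirmed", names[0])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.77", "198.51.100.7"):
        print(ip, "SPF:", check_spf(ip, "abccompany.com"),
              "FCrDNS:", check_fcrdns(ip, "mail.abccompany.com"))
```

The forged PTR record on 198.51.100.7 illustrates why the forward confirmation matters: the spammer can make the reverse lookup return our host name, but cannot make our A record point back at their address, so the check still fails. The same address fails SPF because it matches neither the mx nor the ip4 term and the included provider record only soft-fails, which does not count as a match.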
  5. DomainKeys Identified Mail (DKIM)

    DKIM is a security mechanism in which the sending server adds a digital signature to each message, computed with a private key over selected headers and the message body, and receiving servers verify that signature against a public key published in DNS. Like SPF, DKIM relies on DNS. To enable DKIM, first install a DKIM signing milter such as OpenDKIM; on CentOS that can be done with the command yum install opendkim. The main steps involved in configuring OpenDKIM are:
    1. Generate a public/private key pair for a selector with the opendkim-genkey command.
    2. Point OpenDKIM at the private key, the domain and the selector in the opendkim.conf configuration file (or in its KeyTable and SigningTable files).
    3. Tell Postfix to pass mail through OpenDKIM by adding its socket to the smtpd_milters and non_smtpd_milters parameters in main.cf.
    4. Publish the generated public key in a new TXT DNS record named selector._domainkey.yourdomain (opendkim-genkey writes the record to a .txt file next to the key).
    5. After that the email messages you send through your mail server carry a DKIM-Signature header field containing the signature. The receiving server reads the selector and domain from that header, retrieves the public key from DNS and uses it to verify the signature. If the check fails, the message may be rejected, quarantined or handled according to the domain's DMARC policy.
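To show what the signer and the verifier in step 5 actually compute, here is an added, self-contained sign/verify round trip written for this page (not OpenDKIM's code and not from the original post). It uses the relaxed canonicalization of RFC 6376 and a DKIM-Signature header with the real tag names, but with two deliberate simplifications that are my assumptions: the RSA is a textbook, unpadded 512-bit toy standing in for the PKCS#1 v1.5 rsa-sha256 signatures real DKIM uses, and the DNS table maps the selector name straight to an (e, n) tuple instead of the DER-encoded p= tag a real record carries. The message, domain, selector and the function names dkim_sign and dkim_verify are constructed.

```python
import base64, hashlib, random, re

# Toy RSA: textbook, unpadded, 512-bit. A stand-in for the rsa-sha256 (PKCS#1 v1.5)
# signatures real DKIM uses; never use this in production.
def _is_probable_prime(n, rounds=24):
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                            # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(n):
            return n

def rsa_keygen(bits=512):
    """Returns (public, private) as (e, n) and (d, n)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)

def _h(data): return int.from_bytes(hashlib.sha256(data).digest(), "big")
def rsa_sign(private, data): return pow(_h(data), private[0], private[1])
def rsa_verify(public, data, sig): return pow(sig, public[0], public[1]) == _h(data)

# DKIM "relaxed" canonicalization (RFC 6376 section 3.4).
def canon_body(body):
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\r\n")]
    while lines and lines[-1] == "":                   # drop trailing empty lines
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def canon_header(name, value):
    value = re.sub(r"\r\n[ \t]+", " ", value)          # unfold
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")  # collapse and trim whitespace
    return f"{name.lower()}:{value}\r\n"

def _data_to_sign(headers, signed_names, dkim_value_without_b):
    # Signed headers in h= order (last occurrence of each), then the DKIM-Signature
    # header itself with an empty b= tag and no trailing CRLF.
    out = ""
    for name in signed_names:
        for hn, hv in reversed(headers):
            if hn.lower() == name.lower():
                out += canon_header(hn, hv)
                break
    return (out + canon_header("DKIM-Signature", dkim_value_without_b).rstrip("\r\n")).encode()

def _body_hash(body):
    return base64.b64encode(hashlib.sha256(canon_body(body).encode()).digest()).decode()

def dkim_sign(headers, body, domain, selector, private, signed=("from", "to", "subject", "date")):
    """headers: list of (name, value) pairs. Returns the DKIM-Signature header value."""
    tags = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h={':'.join(signed)}; bh={_body_hash(body)}; b=")
    sig = rsa_sign(private, _data_to_sign(headers, signed, tags))
    return tags + base64.b64encode(sig.to_bytes((sig.bit_length() + 7) // 8, "big")).decode()

def dkim_verify(headers, body, dns):
    """dns maps '<selector>._domainkey.<domain>' to the public key (a real record carries
    the DER-encoded key in its p= tag). Returns 'pass', 'none' or a failure reason."""
    value = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if value is None:
        return "none"
    tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
    public = dns.get(f"{tags['s']}._domainkey.{tags['d']}")
    if public is None:
        return "permerror: no key published for this selector"
    if _body_hash(body) != tags["bh"]:
        return "fail: body hash mismatch"
    data = _data_to_sign(headers, tags["h"].split(":"), re.sub(r";\s*b=[^;]*", "; b=", value))
    signature = int.from_bytes(base64.b64decode(tags["b"]), "big")
    return "pass" if rsa_verify(public, data, signature) else "fail: signature does not verify"

# Constructed message and a toy DNS table with the public key under the selector name.
HEADERS = [("From", "Alice <alice@abccompany.com>"), ("To", "bob@example.org"),
           ("Subject", "Quarterly   report"), ("Date", "Tue, 14 Nov 2017 10:00:00 +0000")]
BODY = "Hello Bob,\r\n\r\nThe report is attached.  \r\n\r\n"
PUBLIC, PRIVATE = rsa_keygen()
DNS = {"sel1._domainkey.abccompany.com": PUBLIC}
SIGNED = [("DKIM-Signature", dkim_sign(HEADERS, BODY, "abccompany.com", "sel1", PRIVATE))] + HEADERS
```

Running dkim_verify(SIGNED, BODY, DNS) yields "pass"; editing the body text fails on the body hash, rewriting the From header fails on the signature, while removing the trailing spaces on a body line still passes because relaxed canonicalization discards them before hashing. Note which key lives where: only the public key is in DNS, the private key never leaves the signing server.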
  6. Domain Based Message Authentication, Reporting and Conformance (DMARC)

    DMARC is a policy layer on top of SPF and DKIM. A receiving server checks that at least one of the two passes for a domain that aligns with the domain in the message's From header, so that a forged From header can no longer ride on an attacker's own SPF record or DKIM key, and then applies the policy the domain owner has published. It is the most recent of the three mechanisms. The policy is published as a TXT record at _dmarc.yourdomain; it contains no keys, only the policy (p=none, p=quarantine or p=reject), alignment options and the addresses that should receive aggregate and failure reports. Those reports are how you find out which hosts are sending mail as your domain before you tighten the policy. According to the Wikipedia entry for DMARC, in October 2013 GNU Mailman added options for handling posts from domains with a p=reject policy. In 2014 Yahoo and AOL both set their DMARC policy to p=reject. According to the article "Google to adopt strictest DMARC policy to fight spam, phishing", Google announced that it would move to p=reject in June 2016. The policy p=reject tells receivers to reject email that fails DMARC validation. DMARC was published as RFC 7489 in March 2015.
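The alignment rule is the part of DMARC that is easiest to get wrong, so here is an added example of the receiving side's decision (written for this page; not from the original post or from any DMARC implementation). It takes the already-computed SPF and DKIM results as input, looks up a constructed _dmarc record, applies strict or relaxed alignment and returns the disposition. Two simplifications are my assumptions: the organizational domain is approximated as the last two labels (real verifiers use the Public Suffix List), and pct= sampling and report delivery are not modelled. The domains, records and the name evaluate_dmarc are constructed.

```python
def org_domain(domain):
    """Organizational domain, approximated as the last two labels. Real verifiers
    consult the Public Suffix List so that e.g. example.co.uk is handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])

def parse_dmarc(record):
    return {k.strip(): v.strip() for k, v in
            (t.split("=", 1) for t in record.split(";") if "=" in t)}

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r, the default)
    accepts any domain with the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_results, dns):
    """from_domain: domain of the RFC5322.From header.
    spf_result, spf_domain: outcome of the SPF check and the MAIL FROM domain it was run on.
    dkim_results: list of (result, d= domain) for each DKIM signature on the message.
    dns: map of '_dmarc.<domain>' names to TXT records (constructed here).
    Returns (disposition, reason) where disposition is pass, none, quarantine or reject."""
    from_domain = from_domain.lower()
    record = dns.get(f"_dmarc.{from_domain}")
    used_org_record = False
    if record is None and from_domain != org_domain(from_domain):
        record = dns.get(f"_dmarc.{org_domain(from_domain)}")   # subdomain: fall back to org domain
        used_org_record = True
    if record is None:
        return ("none", "no DMARC record")
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return ("none", "invalid DMARC record")
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(r == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for r, d in dkim_results)
    if spf_ok or dkim_ok:
        return ("pass", "aligned " + ("SPF" if spf_ok else "DKIM") + " authentication")
    # sp= (if present) governs subdomains that have no record of their own.
    policy = tags.get("sp", tags["p"]) if used_org_record else tags["p"]
    return (policy, f"no aligned authentication; applying policy {policy}")

# Constructed DNS: a strict-DKIM domain that rejects, and a domain still in monitoring mode.
DNS = {
    "_dmarc.abccompany.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                             "rua=mailto:dmarc-reports@abccompany.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}

# (From domain, SPF result, MAIL FROM domain, DKIM results)
CASES = {
    # bounce address on a subdomain passes relaxed SPF alignment; DKIM d= is exact
    "legitimate": ("abccompany.com", "pass", "bounce.abccompany.com", [("pass", "abccompany.com")]),
    # forged From: the attacker's own envelope domain and DKIM key pass, but neither aligns
    "spoofed From": ("abccompany.com", "pass", "evil.example", [("pass", "evil.example")]),
    # signed with a key for a subdomain: not good enough under adkim=s
    "strict DKIM mismatch": ("abccompany.com", "fail", "abccompany.com", [("pass", "mail.abccompany.com")]),
    # subdomain without its own record: the org domain's sp= applies
    "unsigned subdomain": ("news.abccompany.com", "fail", "news.abccompany.com", []),
    "monitor only": ("example.org", "fail", "example.org", [("fail", "example.org")]),
    "no record": ("nodmarc.example", "fail", "nodmarc.example", []),
}

if __name__ == "__main__":
    for name, case in CASES.items():
        print(f"{name:22} -> {evaluate_dmarc(*case, DNS)}")
```

The "spoofed From" case is the one that motivates DMARC: SPF and DKIM both pass, because the attacker controls evil.example, yet the message is rejected because neither authenticated domain aligns with abccompany.com in the From header.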
Correct DNS and email settings greatly increase the reliability of your email server. They reduce the chance of your emails ending up as spam, and they reduce the chance of your email server sending or receiving spam. There are some excellent online tools that can help you find problems with your email and DNS configuration, for example dnsstuff, mxtoolbox, emailsecuritygrader, nmonitoring and centralops.

Conclusion

Having your own secure Email server can be very useful. You can customize it to your needs and integrate it with other services. You can achieve this goal with open source tools such as Postfix.