How to secure email
I recently faced a problem. My linode was sending emails because of some script or external access, which made sure my IP got blocked.
Now i am wondering how to have a secured mail server.
I am using WHM for now.
Please let me know what should be taken care of.
Thanks
Preetam
4 Replies
That said, the basic components of a mail server on a VPS like Linode would include:
Mail server software, probably Postfix
If accepting inbound mail:
Spam/virus handler, probably including Amavis, Clamav, and Spamassassin
Using blocklists such as spamhaus.org
Manage email accounts, including virtual users as appropriate
Access to mailboxes, probably including Dovecot and Roundcube
Manage the risk of unauthorized access to private information
If sending outbound mail:
Configure your mail server, including DNS and authentication
Authenticate to a trusted mail server to forward outbound mail for you
Secure access to your server, including SMTP ports, Sendmail, and other applications using Sendmail
Manage the risk of your server abusing access to trusted mail servers
@prkumble:
Now i am wondering how to have a secured mail server.
The best way to have a secure email server is let someone else run it. Keeping email secure and spam free is a full time headache, not worth the few bucks to pay someone else to do it correctly.
This may be more trouble than some want to do, but I set up two databases - one for the web application to use and a second that has the password hash and e-mail address.
The second database - the handler for it is only loaded by the few pages that need it - to avoid the possibility of a leaky web application with holes from leaking the e-mail addresses.
When a web application needs to send mail, it doesn't actually send the mail - it puts it in a database table with user id, subject, and message. It can't send it because the rest of the web application doesn't have access to the e-mail addresses.
Then a perl script on the server reads that mail cue database, and from the user id, looks up the e-mail address in the authentication database to actually send the mail.
Setting that up requires customizing your web applications because most just use a single database for everything, but it protects your users and keeps a buggy web app from being used as a spam relay.
Now as far as the mail system itself, I use postfix for the SMTP and dovecot for IMAP.
Test both to make sure only encrypted login is possible, and test your SMTP to make sure it is not an open relay. There are many sites out there that will test your mail server to make sure it is not an open relay, I use more than one just in case one isn't working properly. Searching google or bing will find them for you.
Make sure you keep up with updates. Especially for postfix but also for dovecot (if you need IMAP / POP3)
-=-
The reason I personally don't let someone else run my mail server, I'm paranoid - I don't want someone else scanning my mail. Google and others have done it in the past, their motives may have been pure but I don't like it.
When I run my own mail server, my mail is private. Also, I like to be able to add aliases on a whim - etc. which is something the services charge for but doesn't cost them anything, which I find offensive.