Monday, 23 May 2011

Secure Mail System


If we start by using Messaging Server alone, without any kind of anti-spam solution, we can reduce the spam that is sent from or received by our mail system by using features built into Messaging Server such as MeterMaid, SMTP AUTH, SMTPS, blocking IPs known to be spam senders through the mapping file, RBL lookups and many others.
The problem with all of these solutions is that none of them can scan the content of an email to decide whether it is spam or not, they are not user friendly (no GUI), and they are not enough to protect our environment from spam attacks, which are now increasing rapidly.
To solve this problem we need to use an anti-spam product, and besides the anti-spam we need to use all of the previously mentioned features to protect our environment.

Needed Software

  • Sun Messaging Server
  • Sun LDAP
  • Anti-spam and Anti-virus Software

Steps Needed

After a lot of experiments I have found that the most secure setup goes like this:
1-    Use two servers:
        a-      One contains only the anti-spam. It receives external emails and scans them before they arrive at our mail system. This is better than receiving email directly with Messaging Server, because some anti-spam products can check a global database to see whether the received email comes from a blacklisted IP or domain and drop the connection directly.
        b-     The other contains Messaging Server together with an anti-spam channeled into Messaging Server. It receives emails from the anti-spam server and sends emails from all the users using a port other than (25), because we need this server to send emails only and not to receive any email from outside, and because most spam senders use automatic software with the default ports.
2-    Force users to use complex passwords: you can do this from LDAP using a password policy.
A lot of attacks start with a weak password set by the client, like 123 or a password that is the same as the username; the attacker then starts sending emails to thousands of users, and this gets your IP blacklisted.
When a hacker knows a username and password from your domain, he can use them to send a lot of emails to other users with a fake sender address and a fake destination domain, which is what is called backscatter, and this gets your IP listed as blacklisted.
3-    SMTP AUTH, which is a great feature that prevents users who do not have a password from sending emails through our mail system. To force all users to use this feature you need to set only the IP of the server in the (mappings) file with subnet (/32), and change the channels from (maysaslserver) to (mustsaslserver) in the (imta.cnf) file.
4-    Now we need to put our anti-spam at the front-end edge (the software that receives emails on port 25), and configure Messaging Server to work with this anti-spam as a back-end; read this for an example:
http://wikis.sun.com/display/CommSuite/Configure+TrendMicro+IMSS+To+Work+With+Messaging+Server+On+The+Same+Server
5-    Since the anti-spam receives the emails and sends them back to Messaging Server, there is no need to keep port (25) open on Messaging Server (this prevents anybody from using it to send emails), so in the dispatcher.cnf file you need to change:
[SERVICE=SMTP]
PORT=25
To
[SERVICE=SMTP]
PORT=2525
And add to dispatcher.cnf:
[SERVICE=SMTP_SUBMIT]
PORT=444
IMAGE=IMTA_BIN:tcp_smtp_server
LOGFILE=IMTA_LOG:tcp_submit_server.log
PARAMETER=CHANNEL=tcp_submit
STACKSIZE=2048000
which will be used by local clients to send emails.

Now every user who wants to send email has to set his mail client (Outlook, IncrediMail) to use an outgoing server with the IP of the Messaging Server and port 444, and all emails received for our domain will be received and scanned by our anti-spam software and then forwarded to our Messaging Server.
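As an added check (example code written for this post, not part of the original and not Sun Messaging Server's own tooling), the Python script below parses a dispatcher.cnf fragment and the channel section of imta.cnf and reports whether steps 3 and 5 have actually been applied: the SMTP service is off port 25, an SMTP_SUBMIT service runs the tcp_submit channel, no two services share a port, and no channel still carries maysaslserver. The sample configuration strings are constructed from the fragments in the post; the IMAGE/LOGFILE lines in the "before" sample and the channel keyword lines are assumptions, and the script expects only the channel-definition part of imta.cnf (the part after the rewrite rules), which it does not parse.

```python
import re

# Constructed sample: dispatcher.cnf before the change (IMAGE/LOGFILE lines assumed).
DISPATCHER_BEFORE = """\
[SERVICE=SMTP]
PORT=25
IMAGE=IMTA_BIN:tcp_smtp_server
LOGFILE=IMTA_LOG:tcp_smtp_server.log
PARAMETER=CHANNEL=tcp_local
STACKSIZE=2048000
"""

# Constructed sample: dispatcher.cnf after step 5 (SMTP moved to 2525, SMTP_SUBMIT on 444).
DISPATCHER_AFTER = """\
! SMTP moved off port 25: only the anti-spam relay talks to this server
[SERVICE=SMTP]
PORT=2525
IMAGE=IMTA_BIN:tcp_smtp_server
LOGFILE=IMTA_LOG:tcp_smtp_server.log
PARAMETER=CHANNEL=tcp_local
STACKSIZE=2048000

[SERVICE=SMTP_SUBMIT]
PORT=444
IMAGE=IMTA_BIN:tcp_smtp_server
LOGFILE=IMTA_LOG:tcp_submit_server.log
PARAMETER=CHANNEL=tcp_submit
STACKSIZE=2048000
"""

# Constructed sample of the channel section of imta.cnf (assumed keyword lines):
# each channel is a keyword line followed by its official host name; blocks are blank-line separated.
CHANNELS_BEFORE = """\
tcp_local smtp mx single_sys remotehost inner switchchannel maytlsserver maysaslserver saslswitchchannel tcp_auth
tcp-daemon

tcp_submit submit mx single_sys maytlsserver maysaslserver
tcp_submit-daemon
"""

# Step 3 applied: every maysaslserver becomes mustsaslserver.
CHANNELS_AFTER = CHANNELS_BEFORE.replace("maysaslserver", "mustsaslserver")


def parse_dispatcher(text):
    """Parse dispatcher.cnf into {SERVICE_NAME: {KEY: value}}; lines starting with '!' are comments."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.fullmatch(r"\[SERVICE=([A-Za-z0-9_]+)\]", line)
        if m:
            current = m.group(1).upper()
            services[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            services[current][key.strip().upper()] = value.strip()
    return services


def audit_dispatcher(text):
    """Return a list of findings; an empty list means the layout matches the post's step 5."""
    findings = []
    services = parse_dispatcher(text)
    smtp = services.get("SMTP")
    if smtp is None:
        findings.append("no [SERVICE=SMTP] section found")
    elif smtp.get("PORT") == "25":
        findings.append("SMTP service still listens on port 25; only the anti-spam relay should reach this server")
    submit = services.get("SMTP_SUBMIT")
    if submit is None:
        findings.append("no [SERVICE=SMTP_SUBMIT] section; local clients have no dedicated submission port")
    elif "tcp_submit" not in submit.get("PARAMETER", ""):
        findings.append("SMTP_SUBMIT does not run the tcp_submit channel")
    # Two services cannot bind the same port; report the collision rather than let one silently fail.
    by_port = {}
    for name, keys in services.items():
        by_port.setdefault(keys.get("PORT"), []).append(name)
    for port, names in by_port.items():
        if port and len(names) > 1:
            findings.append(f"port {port} assigned to more than one service: {', '.join(names)}")
    return findings


def parse_channels(text):
    """Parse channel blocks into {channel_name: set(keywords)}."""
    channels = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in block.splitlines() if l.strip() and not l.startswith("!")]
        if lines:
            tokens = lines[0].split()
            channels[tokens[0]] = set(tokens[1:])
    return channels


def audit_channels(text):
    """Flag channels that only allow SMTP AUTH (maysaslserver) instead of requiring it (mustsaslserver)."""
    return [f"channel {name}: maysaslserver admits unauthenticated senders; use mustsaslserver"
            for name, keywords in parse_channels(text).items() if "maysaslserver" in keywords]


if __name__ == "__main__":
    for label, text, audit in [("dispatcher before", DISPATCHER_BEFORE, audit_dispatcher),
                               ("dispatcher after", DISPATCHER_AFTER, audit_dispatcher),
                               ("channels before", CHANNELS_BEFORE, audit_channels),
                               ("channels after", CHANNELS_AFTER, audit_channels)]:
        print(label, "->", audit(text) or "OK")
```

Run it as-is to see the two "before" samples flagged and the two "after" samples pass; to audit a real server, read the actual files into the two audit functions (pass only the channel section of imta.cnf to audit_channels).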
