Securing SmarterMail in 10 Steps

Dec 01 2018
 

You may not be familiar with SmarterMail from SmarterTools.com, but it is an enterprise-class, Windows-based mail server. It has a powerful web-based management GUI, and the company regularly releases version updates containing bug fixes and new features. However, in my opinion one of the most compelling reasons to try SmarterMail is that they offer a full-featured version free for one domain.

You may think configuring an enterprise mail server application could be a challenge, but fortunately SmarterMail’s administration interface is organized in an intuitive way and the SmarterMail Help manual is always available online. In this blog post I will cover a few key features that you want to configure to ensure your installation of SmarterMail is locked down. Some settings will depend on the volume of your mail server, so adjust accordingly and double check often.

Change the admin password

If you’ve just installed SmarterMail, the next step you will encounter after the install wizard completes is a prompt to set the admin password. Following best practices, you should change it on a regular basis. This can be done from the Settings menu by clicking on System Administrators, as shown below.

image

However, there may come a time when you are not able to log in to SmarterMail to change the admin password. To manually reset it without logging in, you just need to edit mailconfig.xml, which is usually located in C:\Program Files (x86)\SmarterTools\SmarterMail\Service. As noted within the file, you just need to delete the <sysAdminUserName> and <sysAdminPasswordHash> lines and then restart the SmarterMail service.

image

Change SMTP Relay and Authentication

On the Settings menu click on Protocol Settings and then click the SMTP In tab. Only authenticated users should be allowed to relay mail. From the Allow Relay pulldown select Nobody, and then on the Require Auth Match pulldown menu select Email Address. Next, in the options at the bottom of the list, check the box Allow relay for authenticated users. These settings will only allow local accounts that have successfully authenticated to send mail off the server (i.e., relay), and in order to authenticate, users are required to provide the complete email address. SmarterMail wisely recognizes that these settings could cause issues and has highlighted a warning at the top of the page.

image

Limit IP Addresses and Ports

On the Settings menu select Bindings and then click on IP Addresses. Ensure other IP addresses on the server are not enabled for mail services.

image

Then click on each IP address and ensure only the necessary ports are enabled.

image

For even greater security you should also configure SSL / TLS for your services.

Internal Spammer Notification

This is a setting that ultimately depends on the volume of your mail server. It is located under the Security menu –> Advanced Settings –> Abuse Detection. This feature will send a notification to a designated mailbox when message volume exceeds a preset threshold. The recipient could be the mail admin or a group mailbox. Regardless of who receives this notification, they need to be able to leap into action and potentially lock down an account that has been exploited and is sending spam.

image

Without the Internal Spammer Notification enabled you will have to rely on the System Summary – Message Traffic Report to quickly identify which domain on your mail server is sending spam. Change the date filter to today and depending on the usual message volume on your server it should be obvious which domain is sending the spam. Next click on the domain in question and then you’ll see which mailboxes within that domain have the highest message count. That is the mailbox that has been exploited.  You will need to temporarily reset the password of the mailbox in question to stop the spam from being sent.

image

Continuing with this example, after resetting the password of the mailbox sending out the spam you’ll want to use a program such as GrepWin to purge the messages from the SmarterMail spool. If you don’t immediately delete that mail from the spool, SmarterMail will continue to attempt to send it out, which will most likely result in your mail server quickly being blacklisted.

image
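The threshold alert and the domain-then-mailbox drill-down described in this section can also be reproduced offline from outbound logs. This is an added example, not SmarterMail code: the three-field log format, the 25-message limit and the 10-minute window are assumptions, and the log lines are constructed.

```python
from collections import Counter, deque
from datetime import datetime, timedelta


def sample_lines():
    """Constructed log: '<ISO time> <authenticated sender> <recipient>'."""
    t0 = datetime(2018, 12, 1, 9, 0, 0)
    rows = [(t0 + timedelta(seconds=3 * i), "bob@example.com", f"r{i}@example.net")
            for i in range(40)]                       # burst from one mailbox
    rows += [(t0 + timedelta(minutes=5 * i), "alice@example.com", "pal@example.org")
             for i in range(4)]                       # normal traffic
    rows += [(t0 + timedelta(minutes=7 * i), "carol@example.org", "boss@example.net")
             for i in range(3)]
    return [f"{ts.isoformat()} {s} {r}" for ts, s, r in sorted(rows)]


def find_bursts(lines, limit=25, window=timedelta(minutes=10)):
    """Return {sender: peak count} for senders above `limit` in any `window`."""
    recent, peaks = {}, {}
    for line in lines:
        stamp, sender, _rcpt = line.split()
        sender, ts = sender.lower(), datetime.fromisoformat(stamp)
        q = recent.setdefault(sender, deque())
        q.append(ts)
        while ts - q[0] > window:                     # drop entries outside window
            q.popleft()
        if len(q) > limit:
            peaks[sender] = max(peaks.get(sender, 0), len(q))
    return peaks


def drill_down(lines):
    """Busiest sending domain, then that domain's mailboxes by message count."""
    by_domain, by_mailbox = Counter(), Counter()
    for line in lines:
        sender = line.split()[1].lower()
        by_domain[sender.rsplit("@", 1)[1]] += 1
        by_mailbox[sender] += 1
    domain = by_domain.most_common(1)[0][0]
    boxes = [(m, n) for m, n in by_mailbox.most_common()
             if m.endswith("@" + domain)]
    return domain, boxes


if __name__ == "__main__":
    log = sample_lines()
    print(find_bursts(log))
    print(drill_down(log))
```
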

Enable Greylisting

Greylisting is a great tool to leverage against spammers. It deliberately slows mail service by a preset amount of time using SMTP 4XX reply codes, which tell the sender’s mail server to queue the message and try again shortly. Legitimate SMTP servers sending mail will be whitelisted for a lengthy period of time and will then be able to deliver mail as usual without repeat delays. SMTP servers used by spammers that are not configured to queue and retry after a 4XX reply will not attempt to resend their junk mail, thereby preventing it from getting delivered. And even if spammers do configure their servers to accommodate greylisting, they will still most likely get blocked by Real-Time Blackhole Lists (RBL).

image
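The defer-then-whitelist behaviour described above, as an added example that is not SmarterMail's implementation. It assumes the common greylisting key of sending IP, envelope sender and recipient; the three time constants and the reply text are assumed values, not SmarterMail defaults, and the addresses are constructed.

```python
from dataclasses import dataclass, field

BLOCK_SECONDS = 300          # assumed: retries earlier than this are deferred
PENDING_SECONDS = 6 * 3600   # assumed: a retry must arrive within this window
PASS_SECONDS = 36 * 86400    # assumed: how long a proven sender stays whitelisted
DEFER = "451 4.7.1 Greylisted, try again later"


@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)  # key -> time first seen
    passed: dict = field(default_factory=dict)   # key -> whitelist expiry

    def check(self, ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now`."""
        key = (ip, mail_from.lower(), rcpt_to.lower())
        if self.passed.get(key, 0) > now:
            self.passed[key] = now + PASS_SECONDS   # refresh on each use
            return "250 OK"
        first = self.pending.get(key)
        if first is None or now - first > PENDING_SECONDS:
            self.pending[key] = now                 # new or stale: start over
            return DEFER
        if now - first < BLOCK_SECONDS:
            return DEFER                            # retried too quickly
        del self.pending[key]
        self.passed[key] = now + PASS_SECONDS       # proper retry: whitelist
        return "250 OK"


def simulate():
    """Replay a retrying server and a fire-and-forget sender (constructed)."""
    g = Greylist()
    legit = ("192.0.2.10", "news@example.org", "user@example.com")
    bulk = ("198.51.100.7", "promo@example.net", "user@example.com")
    return [
        g.check(*legit, now=0),      # first attempt: deferred
        g.check(*bulk, now=10),      # deferred, and this sender never retries
        g.check(*legit, now=60),     # retry inside the block period: deferred
        g.check(*legit, now=900),    # retry after the block period: accepted
        g.check(*legit, now=86400),  # next day: whitelisted, no delay
    ]


if __name__ == "__main__":
    for reply in simulate():
        print(reply)
```
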

Configure Real-Time Blackhole Lists (RBL)

The Antispam Administration settings for SmarterMail are comprehensive. Many of these settings will need to be tested and evaluated over time. The security settings are easy to reach from the navigation menu. The Spam Checks tab controls weighted numeric scores that are assigned to incoming mail as it gets processed. The higher the numeric score, the greater the likelihood that the message is spam. RBL servers are third-party resources that maintain extensive lists of IP addresses of mail servers that have been identified as sending spam. RBL server checks should have a high weighted score so that mail from any IP address already on an RBL is immediately blocked.

image

Configure Spam Filtering Thresholds

On the Filtering tab of the Antispam Administration page you will adjust the Weight Threshold actions. In the example below, a message with a total score of 5 is considered normal mail and will be delivered into a user’s inbox. A message with a score of 12-17 is probably spam, but the user can still review it in their Junk E-Mail folder. Anything over 17 should be deleted and not delivered to the users. These values are globally set for all mailboxes by default. However, you can allow users to change the weight thresholds for their own mail in their domain’s settings. The other tabs on the Antispam Administration page are straightforward to configure.

image

SMTP Authentication Bypass

The SMTP Authentication Bypass settings should be used with caution and reviewed frequently. Adding an IP address to this list, as the name implies, will allow mail being sent from that IP to skip the authentication procedures configured above. One might do this for an internal web server so that sites hosted on that server can conveniently send mail outside the network. However, it can quickly lead to trouble, because if any of the web sites happen to be poorly secured, a simple contact form could be leveraged for spamming. In this situation, because the IP address of the web server hosting the site is present on this page, the bypass rule will let the spam flow out unimpeded. This simple oversight could quickly cause your mail server to be blacklisted before anyone even realizes it.

Abuse Detection

As mentioned above, the Abuse Detection settings are found under the Security menu by clicking on Advanced Settings. These are all threshold settings that will notify a system administrator when the specific metric has been exceeded. The settings will need to be modified based on the volume of your mail server.

image

Password Complexity

The SmarterMail mailbox Password Requirement rules are globally applied to all mailboxes on the server. Best Practices dictate that you should require all users to have complex passwords using mixed case and at least numbers if not special characters too.  As with many of the other settings these will need to be adjusted according to the number of mailboxes you have on your server. I have supported large enterprise deployments of SmarterMail with 4000+ mailboxes. If you are only managing a fraction of that size you may be able to have less stringent requirements. However, it’s always better to be more cautious than less cautious.

image

A handy complement to the Password Complexity requirements is the Password Policy Compliance report that can be accessed on the Manage menu. It identifies all the mailboxes on the server that do not meet the configured required settings. It is a helpful report that quickly shows which mailboxes need to be corrected.

image

In Summary

SmarterMail by SmarterTools.com is an enterprise Windows mail server with a powerful administration interface. I have highlighted 10 areas that should be configured to ensure your SmarterMail server is locked down and secured, minimizing the chances of mailboxes being exploited by spammers. Thanks for reading!

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS


MX Guarddog – Unparalleled Free Spam Filtering

Nov 11 2018
 

According to the IBM Threat Intelligence Index, spam email volume continues to rise every year, as does the threat from sophisticated phishing emails or seemingly innocuous messages with malicious attachments. You may never have heard of MX Guarddog, but they have been providing “best in class” email security solutions since 2006. In my opinion the most compelling reason to use their service is that they offer free email security filtering in exchange for a referral; otherwise their rate is a paltry $0.25 per mailbox.

 

Configuring MX Guarddog Email Security

Another compelling reason to use MX Guarddog is that their filtering service is so simple to implement. After setting up your free account and configuring your settings, all you need to do is change your domain name’s MX records to point to their mail servers. Once your mail goes through their filtering service it will be delivered as usual to your mail server with minimal delay. When you log in to your account you’ll arrive at the Domain Center as shown below. From this dashboard you will maintain all of your account settings. If you have configured multiple domains within your account, just click on change focus to access those other domains. The navigation and menus will be identical regardless of how many domains you have configured.

image

Configuring your mailboxes

Clicking on the Emailing Addresses section of the Domain Center will enable you to configure your individual mailboxes per domain. In addition to adding mailboxes you can configure a mailbox alias or a catch-all; however, following email best practices you should never configure a catch-all account. Of course there are certain cases when a catch-all could be used, but in general it will usually just significantly increase the amount of spam you receive.

image

Configuring your destination mail server

From the Domain Center dashboard click on Your Email Servers to configure your mail server MX records. This is the mail server that is currently hosting your mailboxes. If you’re not sure of the mail server MX records then check with your service provider or use a free tool such as mxtoolbox.com to look up your MX records. For my personal mail I use Zoho.com which is a free mail service provider that provides 5 GB of space and allows you to use a domain name at no additional cost.

image

As you can see in the picture above, there is a tool available to send a test message to your mailbox using the MX records you entered. This tool will help ensure everything is configured correctly. If the test is unsuccessful a notification will be displayed.

Configuring MX Guarddog mail servers

From the Domain Center dashboard click on MX Guarddog servers to see the new MX records that you need to configure with your domain registrar.  Using your domain registrar’s DNS control panel you will replace your existing MX records with the new MX records provided by MX Guarddog.  Once you complete this change,  your MX Guarddog configuration will be complete. As you can see in the picture below, your domain’s new MX records will be clearly displayed. 

image

Spam Filtering Aggression

If you click on Aggression from the Domain Center dashboard, you will see the options below to modify how aggressively MX Guarddog filters your mail. There is no right or wrong threshold here. Only time will tell how one should set these values. Setting a lower value to start and increasing accordingly would be the safest bet. Ultimately you want the most filtering with the fewest false positives. There are additional settings on this page that you can tweak, such as country blacklisting and blocking sender=recipient messages, a common type of spam where the messages appear to have been sent by the recipient, which usually isn’t true.

image

Country Blacklisting

MX Guarddog’s blacklisting functionality is robust. As one can see in the picture below, there are several levels of blacklisting available. Country blacklisting is a great feature to leverage when you know with 100% certainty that you will never need to receive mail from certain countries. Simply check the box on the menu to block mail from that country and then uncheck the box in the future if your needs happen to change.

image

MX Guarddog Quarantine

After setting up your account and configuring your settings the next logical question is what happens to the mail that gets filtered. Naturally filtered mail gets quarantined. From the Domain Center dashboard you can configure how you want to be notified of quarantined mail. You have the option of receiving a daily quarantine message from MX Guarddog or not receiving any notification at all. From within the Quarantine message that you receive in your inbox,  you will have the option to release any quarantined messages into your inbox, whitelisting the sender to prevent future quarantine,  or ignoring the messages. Quarantined messages are purged on a periodic basis.  Fortunately depending on your aggression settings and blacklisting settings your quarantine notifications may only contain a few messages each day. MX Guarddog does a great job of eliminating blatant spam without even quarantining it. However, this too is an option that can be configured unless of course you want to see everything that is filtered in which case you can review these messages one by one.

In Summary

Email spam and phishing scams are increasing year after year. Having enterprise email security filtering available for just pennies per mailbox or even free is a compelling reason to consider MX Guarddog’s service. I have worked with many mail filtering solutions including Symantec Cloud, Vircom, Postini, SmarterMail, and even Barracuda, but nothing compares to the features offered by MX Guarddog at their price point. Thanks for reading.
