Securing SmarterMail in 10 Steps

Posted in Email on Dec 01, 2018

You may not be familiar with SmarterMail from SmarterTools.com, but it is an enterprise-class Windows-based mail server. It has a powerful web-based management GUI, and the company regularly releases version updates containing bug fixes and new features. However, in my opinion one of the most compelling reasons to try SmarterMail is that they offer a full-featured version free for one domain.

You may think configuring an enterprise mail server application would be a challenge, but fortunately SmarterMail’s administration interface is organized in an intuitive way and the SmarterMail Help manual is always available online. In this blog post I will cover a few key features that you want to configure to ensure your installation of SmarterMail is locked down. Some settings will depend on the mail volume of your server, so adjust accordingly and double-check often.

Change the admin password

If you’ve just installed SmarterMail, the next step you will encounter after the install wizard completes is a prompt to set the admin password. Following best practices, you should change it on a regular basis. This can be performed from the Settings menu by clicking on System Administrators as shown below.

However, there may come a time when you are not able to log in to SmarterMail to change the admin password. To manually reset it without logging in, you just need to edit mailconfig.xml, which is usually located in C:\Program Files (x86)\SmarterTools\SmarterMail\Service. As noted within the file, you just need to delete the <sysAdminUserName> and <sysAdminPasswordHash> lines and then restart the SmarterMail service. This also means that anyone with write access to that file can reset the administrator credential, so keep the NTFS permissions on the Service folder limited to administrators and the service account.

Change SMTP Relay and Authentication

On the Settings menu click on Protocol Settings and then click the SMTP In tab. Only authenticated users should be allowed to relay mail. From the Allow Relay pulldown select Nobody, and on the Require Auth Match pulldown select Email Address. Next, in the options at the bottom of the list, check the box Allow relay for authenticated users. These settings will only allow local accounts that have successfully authenticated to send mail off the server (i.e. relay), and in order to authenticate the users are required to provide their complete email address. SmarterMail wisely recognizes how these settings could cause issues and has highlighted a warning at the top of the page.

Limit IP Addresses and Ports

On the Settings menu select Bindings and then click on IP Addresses. Ensure other IP addresses on the server are not enabled for mail services.

Then click on each IP address and ensure only the necessary ports are enabled.

For even greater security you should also configure SSL / TLS for your services.

Internal Spammer Notification

This is a setting that ultimately depends on the volume of your mail server. It is located under the Security menu –> Advanced Settings –> Abuse Detection. This feature will send a notification to a designated mailbox when message volume exceeds a preset threshold. The recipient could be the mail admin or a group mailbox. Regardless of who receives this notification, they need to be able to leap into action and potentially lock down an account that has been exploited and is sending spam.

Without the Internal Spammer Notification enabled you will have to rely on the System Summary – Message Traffic Report to quickly identify which domain on your mail server is sending spam. Change the date filter to today and, depending on the usual message volume on your server, it should be obvious which domain is sending the spam. Next click on the domain in question and you’ll see which mailboxes within that domain have the highest message count. That is the mailbox that has been exploited. You will need to temporarily reset the password of the mailbox in question to stop the spam from being sent.
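The two triage steps just described (which domain is sending the most mail, then which mailbox inside it) and the threshold notification from the Internal Spammer Notification section can be automated against a delivery log. The following Python is an added example, not SmarterMail code or its log format: the log lines are constructed, the `from=`/`to=` layout and the threshold of five messages are assumptions for the example.

```python
"""Outbound-volume triage over constructed delivery log lines (added example)."""
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample log: one line per outbound delivery attempt.
# The layout is assumed for this example, not SmarterMail's real log format.
SAMPLE_LOG = """\
2018-12-01 08:00:01 SEND from=alice@example.com to=bob@remote.example
2018-12-01 08:00:05 SEND from=carol@example.org to=dave@remote.example
2018-12-01 08:00:06 SEND from=sales@example.com to=x1@remote.example
2018-12-01 08:00:06 SEND from=sales@example.com to=x2@remote.example
2018-12-01 08:00:07 SEND from=sales@example.com to=x3@remote.example
2018-12-01 08:00:07 SEND from=sales@example.com to=x4@remote.example
2018-12-01 08:00:08 SEND from=sales@example.com to=x5@remote.example
2018-12-01 08:00:08 SEND from=sales@example.com to=x6@remote.example
2018-12-01 08:00:09 SEND from=erin@example.org to=frank@remote.example
"""

SENDER_RE = re.compile(r"\bfrom=(\S+@\S+)")


def senders(log_text: str) -> List[str]:
    """Every envelope sender in the log, lower-cased, one entry per message."""
    return [m.group(1).lower() for m in SENDER_RE.finditer(log_text)]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1]


def count_by_domain(log_text: str) -> Counter:
    """Step one of the Message Traffic Report: messages sent per local domain."""
    return Counter(domain_of(s) for s in senders(log_text))


def top_sending_domain(log_text: str) -> Tuple[str, int]:
    return count_by_domain(log_text).most_common(1)[0]


def count_by_mailbox(log_text: str, domain: str) -> Counter:
    """Step two: drill into one domain and count per mailbox."""
    return Counter(s for s in senders(log_text) if domain_of(s) == domain)


def find_suspect_mailboxes(log_text: str, threshold: int) -> List[Tuple[str, int]]:
    """Mailboxes whose message count exceeds the threshold, busiest first."""
    counts = Counter(senders(log_text))
    over = [(mbox, n) for mbox, n in counts.items() if n > threshold]
    return sorted(over, key=lambda item: (-item[1], item[0]))


def notification(log_text: str, threshold: int) -> str:
    """Text of the notification an admin mailbox would receive; empty if nothing is over threshold."""
    suspects = find_suspect_mailboxes(log_text, threshold)
    if not suspects:
        return ""
    lines = [f"Internal spammer notification: {len(suspects)} mailbox(es) over {threshold} messages"]
    lines += [f"  {mbox}: {n} messages (domain {domain_of(mbox)})" for mbox, n in suspects]
    return "\n".join(lines)


if __name__ == "__main__":
    domain, total = top_sending_domain(SAMPLE_LOG)
    print(f"Busiest domain: {domain} ({total} messages)")
    print("Per mailbox:", count_by_mailbox(SAMPLE_LOG, domain).most_common())
    print(notification(SAMPLE_LOG, threshold=5))
```

The threshold is deliberately a parameter: as the post says, the right value depends on the normal volume of the server, and on a busy deployment it should be set from a baseline of the per-mailbox counts rather than guessed.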

Continuing with this example, after resetting the password of the mailbox sending out the spam you’ll want to use a program such as grepWin to purge the messages from the SmarterMail spool. If you don’t immediately delete that mail from the spool, SmarterMail will continue to attempt to send it out, which will most likely result in your mail server quickly being blacklisted.

Enable Greylisting

Greylisting is a great tool to leverage against spammers. It deliberately delays mail delivery by a preset amount of time using SMTP 4XX reply codes, which tell the sender’s mail server to queue the message and try again shortly. Legitimate SMTP servers sending mail will be whitelisted for a lengthy period of time and will then be able to deliver mail as usual without repeated delays. SMTP servers used by spammers that are not configured to handle 4XX temporary failures will not reattempt to send their junk mail, thereby preventing it from getting delivered. And even if spammers do configure their servers to accommodate greylisting, they will still most likely get blocked by Real-Time Blackhole Lists (RBL).
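The decision logic behind the paragraph above, as an added Python example (not SmarterMail’s implementation): a greylister keys on the triplet of client IP, envelope sender and envelope recipient, answers the first attempt with a 451 temporary failure, accepts a retry that arrives after the block period and whitelists the triplet for a long time. The block period, retry window, whitelist lifetime and the sample addresses are assumptions for the example.

```python
"""Greylisting state machine (added example, not SmarterMail code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Triplet = Tuple[str, str, str]  # (client IP, envelope sender, envelope recipient)


@dataclass
class Greylist:
    block_seconds: int = 300                     # assumed: retry must wait at least 5 minutes
    retry_window_seconds: int = 4 * 3600         # assumed: retry later than this starts over
    whitelist_seconds: int = 30 * 24 * 3600      # assumed: accepted triplets skip greylisting for 30 days
    first_seen: Dict[Triplet, float] = field(default_factory=dict)
    whitelisted_until: Dict[Triplet, float] = field(default_factory=dict)

    def check(self, client_ip: str, sender: str, recipient: str, now: float) -> Tuple[int, str]:
        """Return the SMTP reply (code, text) for this delivery attempt at time `now`."""
        key = (client_ip, sender.lower(), recipient.lower())

        until = self.whitelisted_until.get(key)
        if until is not None and now < until:
            return 250, "OK (whitelisted triplet)"

        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.retry_window_seconds:
            # New triplet (or a retry so late it does not count): record and defer.
            self.first_seen[key] = now
            return 451, "4.7.1 Greylisted, please try again later"

        if now - seen < self.block_seconds:
            # Retrying too quickly: keep deferring, do not reset the timer.
            return 451, "4.7.1 Greylisted, please try again later"

        # A well-behaved MTA retried after the block period: accept and whitelist.
        del self.first_seen[key]
        self.whitelisted_until[key] = now + self.whitelist_seconds
        return 250, "OK (retry accepted, triplet whitelisted)"


def simulate() -> Dict[str, List[int]]:
    """Constructed timeline: a real MTA retries after ten minutes, a spam cannon never retries."""
    g = Greylist()
    legit = ("203.0.113.10", "news@sender.example", "alice@example.com")
    cannon = ("198.51.100.77", "promo@spammer.example", "alice@example.com")
    t0 = 1_543_650_000.0  # arbitrary epoch seconds
    return {
        "legitimate": [
            g.check(*legit, now=t0)[0],          # first attempt is deferred
            g.check(*legit, now=t0 + 600)[0],    # retry after 10 minutes is accepted
            g.check(*legit, now=t0 + 86400)[0],  # next day's mail passes straight through
        ],
        "spam_cannon": [g.check(*cannon, now=t0)[0]],  # single attempt, never retried
    }


if __name__ == "__main__":
    for label, codes in simulate().items():
        print(f"{label}: {codes}")
```

The retry window matters in practice: without it, a triplet seen once would be accepted on any later retry, so a sender that comes back days later would bypass the delay entirely.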

Configure Real-Time Blackhole Lists (RBL)

The Antispam Administration settings for SmarterMail are comprehensive. Many of these settings will need to be tested and evaluated over time. The security settings are easy to reach from the navigation menu. The Spam Checks tab controls the weighted numeric scores that are assigned to incoming mail as it gets processed. The higher the numeric score, the greater the likelihood that the message is spam. RBL servers are third-party resources that maintain extensive lists of mail server IP addresses that have been identified as sending spam. RBL server checks should have a high weighted score so that any IP address matched to an address already on an RBL is immediately blocked.

Configure Spam Filtering Thresholds

On the Filtering tab of the Antispam Administration page you adjust the Weight Threshold actions. In the example below, a message with a total score of 5 is considered normal mail and will be delivered into the user’s inbox. A message with a score of 12-17 is probably spam, but the user can still review it in their inbox’s Junk E-Mail folder. Anything over 17 should be deleted and not delivered to the user. These values are set globally for all mailboxes by default. However, you can allow users to change the weight thresholds for their own mail in their domain’s settings. The other tabs on the Antispam Administration page are straightforward to configure.
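How the Spam Checks weights and the Filtering thresholds from the two sections above combine, as an added Python example (not SmarterMail code): each check that fires contributes its weight, the total is compared against the threshold actions, and a domain may let its users override the thresholds. The individual check weights are assumptions chosen so that an RBL match alone crosses the delete threshold, which is the effect the RBL section recommends; the threshold boundaries (below 12 inbox, 12-17 junk, over 17 delete) follow the post’s example.

```python
"""Weighted spam scoring with threshold actions (added example, not SmarterMail code)."""
from typing import Dict, Iterable, Optional, Tuple

# Assumed weights per check. The RBL weight alone exceeds the delete threshold.
CHECK_WEIGHTS: Dict[str, int] = {
    "rbl_listed": 30,
    "spf_fail": 10,
    "dkim_fail": 5,
    "no_reverse_dns": 7,
    "body_keywords": 4,
}

# Weight Threshold actions from the post's example: 12-17 goes to Junk E-Mail, over 17 is deleted.
GLOBAL_THRESHOLDS: Dict[str, int] = {"junk": 12, "delete": 18}


def score_message(fired_checks: Iterable[str], weights: Dict[str, int] = CHECK_WEIGHTS) -> int:
    """Sum the weights of every check that fired; an unknown check name is a configuration error."""
    total = 0
    for name in fired_checks:
        if name not in weights:
            raise KeyError(f"unknown spam check: {name}")
        total += weights[name]
    return total


def action_for(score: int, thresholds: Dict[str, int] = GLOBAL_THRESHOLDS) -> str:
    """Map a total score to the delivery action."""
    if score >= thresholds["delete"]:
        return "delete"
    if score >= thresholds["junk"]:
        return "junk"
    return "inbox"


def filter_message(fired_checks: Iterable[str],
                   user_thresholds: Optional[Dict[str, int]] = None) -> Tuple[int, str]:
    """Score a message and pick its action; a per-user override replaces the global thresholds."""
    score = score_message(fired_checks)
    return score, action_for(score, user_thresholds or GLOBAL_THRESHOLDS)


if __name__ == "__main__":
    for checks in ([], ["spf_fail"], ["spf_fail", "dkim_fail"], ["rbl_listed"]):
        print(checks, "->", filter_message(checks))
    print("user override:", filter_message(["spf_fail"], {"junk": 8, "delete": 20}))
```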

SMTP Authentication Bypass

The SMTP Authentication Bypass settings should be used with caution and reviewed frequently. Adding an IP address to this list, as the name implies, will allow mail sent from that IP to skip the authentication procedures configured above. One might do this for an internal web server so that sites hosted on that server can conveniently send mail outside the network. However, it can quickly lead to trouble, because if any of the web sites happen to have poor security design, a simple contact form could be leveraged for spamming. In this situation, because the IP address of the web server hosting the site is present on this page, the bypass rule will let the spam flow out unimpeded. This simple oversight could quickly cause your mail server to be blacklisted before anyone even realizes it.
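The relay rules from the SMTP In section (Allow Relay: Nobody, Require Auth Match: Email Address, Allow relay for authenticated users) and the bypass list described here can be written down as one decision function. The Python below is an added example, not SmarterMail code; the hosted domains in `LOCAL_DOMAINS`, the client IPs and the bypassed web server address are assumptions, and the sample sessions are constructed.

```python
"""RCPT TO relay decision modelling the hardened SMTP In settings (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Domains hosted on this server (assumed). Mail addressed to them is inbound
# delivery, not relaying, so it never requires authentication.
LOCAL_DOMAINS = {"example.com", "example.org"}


@dataclass
class RelayPolicy:
    # Require Auth Match = Email Address: the authenticated login must equal MAIL FROM.
    require_auth_match_email: bool = True
    # The "Allow relay for authenticated users" checkbox.
    relay_for_authenticated: bool = True
    # SMTP Authentication Bypass: client IPs that skip authentication entirely.
    auth_bypass_ips: Set[str] = field(default_factory=set)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def relay_decision(policy: RelayPolicy, client_ip: str, authenticated_as: Optional[str],
                   mail_from: str, rcpt_to: str) -> Tuple[int, str]:
    """Return the SMTP reply (code, text) the server would give for this RCPT TO."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return 250, "OK: local delivery"
    if client_ip in policy.auth_bypass_ips:
        # The bypass list is consulted before any credential check. This is the
        # gap the post warns about: a bypassed host relays whatever it sends.
        return 250, "OK: relay permitted by SMTP Authentication Bypass"
    if authenticated_as is None:
        # Allow Relay = Nobody: unauthenticated clients never relay.
        return 550, "5.7.1 Relaying denied"
    if policy.require_auth_match_email and authenticated_as.lower() != mail_from.lower():
        return 550, "5.7.1 Sender address does not match authenticated user"
    if policy.relay_for_authenticated:
        return 250, "OK: relay for authenticated user"
    return 550, "5.7.1 Relaying denied"


def run_sample_sessions() -> Dict[str, int]:
    """Constructed sessions covering each branch; returns {label: reply code}."""
    policy = RelayPolicy(auth_bypass_ips={"10.0.0.25"})  # assumed internal web server
    sessions = {
        "inbound to local domain, no auth":
            ("198.51.100.4", None, "someone@remote.example", "alice@example.com"),
        "outbound, no auth":
            ("198.51.100.4", None, "alice@example.com", "bob@remote.example"),
        "outbound, auth matches MAIL FROM":
            ("198.51.100.4", "alice@example.com", "alice@example.com", "bob@remote.example"),
        "outbound, auth does not match MAIL FROM":
            ("198.51.100.4", "alice@example.com", "ceo@example.com", "bob@remote.example"),
        "outbound from bypassed web server, no auth":
            ("10.0.0.25", None, "forms@example.com", "someone@remote.example"),
    }
    return {label: relay_decision(policy, *args)[0] for label, args in sessions.items()}


if __name__ == "__main__":
    for label, code in run_sample_sessions().items():
        print(f"{code}  {label}")
```

The last session is the one to review regularly: the bypassed host gets a 250 with no credential presented, so the bypass list should hold only addresses whose outbound volume is monitored by the Abuse Detection thresholds.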

Abuse Detection

As mentioned above, the Abuse Detection settings are under the Security menu; click on Advanced Settings to reach them. These are all threshold settings that will notify a system administrator when the specific metric has been exceeded. The settings will need to be adjusted based on the volume of your mail server.

Password Complexity

The SmarterMail mailbox Password Requirement rules are applied globally to all mailboxes on the server. Best practices dictate that you should require all users to have complex passwords using mixed case and at least numbers, if not special characters too. As with many of the other settings, these will need to be adjusted according to the number of mailboxes you have on your server. I have supported large enterprise deployments of SmarterMail with 4000+ mailboxes. If you are only managing a fraction of that size you may be able to have less stringent requirements. However, it’s always better to be more cautious than less cautious.

A handy complement to the Password Complexity requirements is the Password Policy Compliance report, which can be accessed on the Manage menu. It identifies all the mailboxes on the server that do not meet the configured requirements. It is a helpful report that quickly shows which mailboxes need to be corrected.

In Summary

SmarterMail by SmarterTools.com is an enterprise Windows mail server with a powerful administration interface. I have highlighted 10 areas that should be configured to ensure your SmarterMail server is locked down and secured, minimizing the chances of mailboxes being exploited by spammers. Thanks for reading!

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

Securing SmarterMail with SSL / TLS

Posted in Email on Jul 15, 2017

SmarterMail from SmarterTools.com is a fantastic enterprise-class Windows-based mail server. One of the most compelling reasons to try SmarterMail is that they offer a full-featured version free for one domain. Leveraging SSL/TLS protocols with SmarterMail allows mail communication to be encrypted, increasing privacy and security.

Export SSL Certificate to PFX File

Before making changes to SmarterMail you will need to export the SSL certificate you intend to use to a password-protected PFX file that contains the certificate’s private key. SmarterTools recommends copying the file to C:\smartertools\certificates. Because the PFX holds the private key, restrict access to that folder to administrators and the SmarterMail service account.

  1. Open Microsoft Management Console (MMC)
  2. Select Add new Snap-In and then select Certificates
  3. Expand the Personal certificate store and then select the certificate you want to export
  4. Right click on the certificate and select Export
  5. Select PKCS #12 (PFX) and click Next to save the file

Configure SmarterMail SSL/TLS Ports

After logging into SmarterMail using an administrator account, go to the Settings menu and then click on Bindings and then Ports. From this page you will see the ports SmarterMail is currently configured to use and whether or not they are using SSL or TLS.

From the Ports menu select New to add each additional port you intend to configure with SSL. In the example below I’m configuring SSL to be used with the SMTP protocol on port 465. Enter the certificate path to the PFX file that was exported in the previous steps. After entering the password, click the Verify Certificate button to validate that the path and certificate password are correct. When the certificate verification has completed successfully, a notification will be displayed across the pop-up window. Click Save and then repeat the steps for any additional ports you intend to configure with SSL.

Configure SSL/TLS IP Address Bindings

Again from the SmarterMail Settings menu click on Bindings and then IP Addresses. From the list of configured IP Addresses select the one that is used by the mail server services and then click Edit. Select the new SSL/TLS ports that you added in the previous step that will be used and then click Save.

Open Firewall Ports for SSL/TLS

Be sure to open the new ports on your firewall appliance. In the example below I’m opening the additional SMTP ports using the local Windows Firewall on my server. The following ports can be used for SSL/TLS. On the standard ports the session starts in plain text and is upgraded with STARTTLS (the TLS entries), while the dedicated ports are encrypted from the first byte (the SSL entries).

  • 25 (TLS), 110 (TLS), 143 (TLS)
  • 465 (SSL), 993 (SSL), 995 (SSL)

Configure Mail Client for SSL/TLS

Once you have confirmed the new ports have been added to SmarterMail and the Firewall Ports are open you just need to configure your mail client to use the new settings.

The Incoming Server (POP3) settings should use port 995.

The Outgoing Server (SMTP) settings should use port 465.

In Summary

SmarterMail is an enterprise class mail server that allows securing your mail communication using SSL/TLS for greater privacy and security. Thanks for reading.

Peter Viola

Filtering IP Ranges From SmarterStats Reports

Posted in Analytics on Dec 16, 2016

Recently while looking through my site’s traffic report from the past few months I noticed an unusual spike.  I use SmarterStats by SmarterTools which is a web based enterprise analytics tool and is free for one domain. After looking through a few other reports I came to realize that the spike I was seeing was caused by my site monitoring tool UptimeRobot. I didn’t want that activity to skew my stats so I decided to remove their IP address from the reports.

Using Logparser to find IP addresses by userAgent

UptimeRobot’s monitoring services use a range of IP addresses, so I decided to use Log Parser to double-check my logs to see which of their IPs were showing up. Here’s the query I used.

Add a Log Processing Rule

Log Parser quickly identified the IPs I wanted to exclude. Fortunately SmarterStats makes it easy to exclude a variety of data from your reports. After logging into your Stats report click on Settings and then Log Processing Rules.

Click Add from the menu and select Log Processing Rule. The Import Filter window will open and you can configure what you need to exclude or include.

To exclude the UptimeRobot IP addresses I entered the ranges 69.162.124.226 – 69.162.124.237 and 63.143.42.242 – 63.143.42.253. Their service uses a variety of IP addresses depending on where you are in the world. You can read more about that here.
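The two steps of this post, finding which client IPs carry the UptimeRobot user agent (what the Log Parser query does) and excluding the configured IP ranges (what the Log Processing Rule does), as one added Python example. This is not SmarterStats or Log Parser code: the IIS-style W3C log lines are constructed, their field layout is assumed for the example, and the two exclusion ranges are the ones given above. It also reports monitor IPs seen in the log that the range rule does not yet cover, which is the check to rerun when a monitoring service adds locations.

```python
"""IPs by user agent, and IP range exclusion, over a constructed IIS W3C log (added example)."""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Constructed IIS-style W3C log. IIS writes spaces inside a field as '+'.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs(User-Agent) sc-status
2016-12-15 10:00:00 69.162.124.230 HEAD / Mozilla/5.0+(compatible;+UptimeRobot/2.0;+http://www.uptimerobot.com/) 200
2016-12-15 10:05:00 63.143.42.245 HEAD / Mozilla/5.0+(compatible;+UptimeRobot/2.0;+http://www.uptimerobot.com/) 200
2016-12-15 10:06:12 198.51.100.7 GET /blog/ Mozilla/5.0+(Windows+NT+10.0)+Chrome/55.0 200
2016-12-15 10:10:00 69.162.124.230 HEAD / Mozilla/5.0+(compatible;+UptimeRobot/2.0;+http://www.uptimerobot.com/) 200
2016-12-15 10:11:44 203.0.113.9 HEAD / Mozilla/5.0+(compatible;+UptimeRobot/2.0;+http://www.uptimerobot.com/) 200
"""

# Inclusive ranges from the post, as entered in the Log Processing Rule.
EXCLUDED_RANGES = [("69.162.124.226", "69.162.124.237"), ("63.143.42.242", "63.143.42.253")]


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines, taking column names from the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than misalign the columns
        record = dict(zip(fields, values))
        if "cs(User-Agent)" in record:
            record["cs(User-Agent)"] = record["cs(User-Agent)"].replace("+", " ")
        records.append(record)
    return records


def ips_by_user_agent(records: List[Dict[str, str]], needle: str) -> Counter:
    """Equivalent of the Log Parser query: hits per c-ip where the user agent contains needle."""
    return Counter(r["c-ip"] for r in records if needle.lower() in r["cs(User-Agent)"].lower())


def in_excluded_range(ip: str, ranges=EXCLUDED_RANGES) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi) for lo, hi in ranges)


def apply_exclusion(records: List[Dict[str, str]], ranges=EXCLUDED_RANGES) -> Tuple[list, list]:
    """Split records into (kept, excluded) the way the Log Processing Rule would."""
    kept, excluded = [], []
    for r in records:
        (excluded if in_excluded_range(r["c-ip"], ranges) else kept).append(r)
    return kept, excluded


def unexcluded_monitor_ips(records, needle: str = "UptimeRobot", ranges=EXCLUDED_RANGES) -> List[str]:
    """Monitor IPs present in the log that the range rule does not cover yet."""
    return sorted(ip for ip in ips_by_user_agent(records, needle) if not in_excluded_range(ip, ranges))


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("UptimeRobot hits by IP:", ips_by_user_agent(recs, "UptimeRobot"))
    kept, excluded = apply_exclusion(recs)
    print(f"{len(excluded)} excluded, {len(kept)} kept")
    print("monitor IPs not covered by the rule:", unexcluded_monitor_ips(recs))
```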

Reprocessing Logs

After you have added the metrics that you want to filter from your logs you should click the Reprocess button. Depending on how many months or years of data you have in your logs it will take anywhere from a few minutes to a few hours. You will be able to monitor the import process from your report dashboard.

In Summary

SmarterStats by SmarterTools is a comprehensive web analytics tool. Periodically you may need to exclude data from your stats reports, such as activity from site monitoring services like UptimeRobot. Thanks for reading!

Peter Viola

Automate Finding Disabled Domains in Smartermail

Posted in ASP.NET on Sep 30, 2012

Email is everywhere. You may not know immediately if your web site is down, but you’ll almost always know if your email isn’t working. The ability to send and receive email 24×7 is critical to the success of any business. This means you need a product which is reliable, scalable, and affordable. There are not many mail server products on the market which meet those criteria. However, Smartermail by SmarterTools.com is one such product. Year after year SmarterTools has evolved it with more features and better security. The latest version of Smartermail is their best product to date.

Smartermail 10 GUI

However, they inadvertently introduced a small design flaw in the administration GUI. Finding disabled domains is a real pain. If your Smartermail deployment only has 5-10 domains then you probably haven’t even noticed this. However, if your organization relies on Smartermail to host hundreds or even thousands of mail domains then you are already well aware of this design oversight. Of course one can simply scroll through the domain list looking for the Disabled status, which is clearly marked in red, but this is a daunting task for large deployments. Curiously, in legacy versions of Smartermail you could easily sort your entire domain list by enabled or disabled status.

Because Smartermail stores its domains in a logical fashion, it is easy to programmatically access the config files and determine whether or not a domain is enabled. For example, C:\Smartermail\Domains would contain all the domains of your Smartermail instance. Each mail domain is stored as a subdirectory of this directory and the individual domain settings are stored in a file called domainconfig.xml. Contained in this file is a node called “isEnabled”. As one might expect, if the domain is enabled the value will be True, whereas if the domain is disabled the value will be False. Here is a snippet of what it looks like.

So here’s where a bit of programming saves the day. Using C# and ASP.NET I created a simple console application which reads the Smartermail domains folder, checks the domainconfig.xml of each domain on the server, and then outputs the results to a log file. One complication is that Smartermail may not have been installed in the default location, so I am using a simple XML config file for my program which specifies the path to the domains folder along with the path where I want the log file to be saved.

Here’s how my program looks:

I create a subroutine called “checkFolders” which reads the Smartermail domains folder and then iterates through each subdirectory. To help keep things clean I use another subroutine to actually read the domainconfig.xml file.

Here is the code I use to read the domainconfig.xml file. If a domain is identified as being disabled then I write a line to the screen as well as the log file.

Writing the output to the log file is straightforward. I check if the log file exists and if it doesn’t then just create an empty file.

Running the program from the command line we see the results.

Taking it a step further, we could use Windows Task Scheduler to run it on a weekly or daily basis, and with only a small tweak we could email the log file so that we didn’t even have to log in to the server to check the disabled domains.
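The same scan, written as an added Python example rather than the C# console application this post describes: walk the domains folder, read the isEnabled node of each domainconfig.xml, and append the disabled domains to a log file. The XML layout (a root element with an isEnabled child) is assumed from the description above, and the sample domain tree is constructed in a temporary directory so the script runs anywhere; on a real server the domains root would come from the config file the post mentions.

```python
"""Find disabled domains by reading each domainconfig.xml (added example, not the post's C#)."""
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

CONFIG_NAME = "domainconfig.xml"


def read_is_enabled(config_path: str) -> bool:
    """Return the isEnabled value; raise ValueError if the node is missing."""
    root = ET.parse(config_path).getroot()
    node = root.find(".//isEnabled")  # element layout assumed from the post's description
    if node is None or node.text is None:
        raise ValueError(f"no isEnabled node in {config_path}")
    return node.text.strip().lower() == "true"


def find_disabled_domains(domains_root: str) -> Tuple[List[str], List[str]]:
    """Walk the domains folder; return (disabled domains, domains whose config could not be read)."""
    disabled: List[str] = []
    errors: List[str] = []
    for name in sorted(os.listdir(domains_root)):
        config_path = os.path.join(domains_root, name, CONFIG_NAME)
        if not os.path.isfile(config_path):
            continue  # not a domain folder, or no config written yet
        try:
            if not read_is_enabled(config_path):
                disabled.append(name)
        except (ET.ParseError, ValueError) as exc:
            errors.append(f"{name}: {exc}")  # report rather than silently skip
    return disabled, errors


def write_log(log_path: str, disabled: List[str], errors: List[str]) -> int:
    """Append one line per finding to the log (created if absent); return the number of lines written."""
    lines = [f"DISABLED {d}" for d in disabled] + [f"ERROR {e}" for e in errors]
    with open(log_path, "a", encoding="utf-8") as fh:
        for line in lines:
            fh.write(line + "\n")
    return len(lines)


def build_sample_domains_root() -> str:
    """Construct a fake domains folder: two enabled domains, one disabled, one with a broken config."""
    root = tempfile.mkdtemp(prefix="smartermail-domains-")
    samples = {
        "example.com": "<DomainConfig><isEnabled>True</isEnabled></DomainConfig>",
        "example.net": "<DomainConfig><isEnabled>False</isEnabled></DomainConfig>",
        "example.org": "<DomainConfig><isEnabled>true</isEnabled></DomainConfig>",
        "broken.example": "<DomainConfig></DomainConfig>",
    }
    for domain, xml_text in samples.items():
        os.makedirs(os.path.join(root, domain))
        with open(os.path.join(root, domain, CONFIG_NAME), "w", encoding="utf-8") as fh:
            fh.write(xml_text)
    return root


if __name__ == "__main__":
    domains_root = build_sample_domains_root()
    disabled, errors = find_disabled_domains(domains_root)
    for d in disabled:
        print(f"Disabled domain: {d}")
    for e in errors:
        print(f"Could not read: {e}")
    written = write_log(os.path.join(domains_root, "disabled-domains.log"), disabled, errors)
    print(f"{written} line(s) written to the log")
```

Unreadable configs are reported separately rather than dropped: on a large deployment a domain whose config fails to parse is at least as worth a look as one that is simply disabled.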

Peter Viola