11 Security practices for managing mailing infrastructure
Posted On July 1, 2010 by Anish S filed under Open Source
It pains me when an IAS officer gives me a business card with an email id from Yahoo or Gmail. We have such a huge IT-savvy nation, but many government organizations do not provide an organization-owned email id to their officers and employees. The cost of setting up a mail server is small, but running it is often expensive. I provide some practical steps with which an organization can plan its business mail solution easily.
PD Roy
Deciding on a business e-mail solution is an important decision. There are plenty of business e-mail solutions out there, all with their own advantages and disadvantages.
In today’s business, e-mail is the most important communication tool you have. Today’s employees literally work out of their inbox. The key to success is finding the right e-mail solution for your business needs. All businesses are different, so there isn’t just one packaged solution that everyone can deploy. However, in this article we’ll look at how government organizations can scale up using the right mailing solutions.
In order to get the most from your e-mail solution (and save money at the same time), you basically have three options: do it yourself, use a free Web-based service or pay for a hosted solution. There are a few businesses that can run on free e-mail, but most others need a more personalized, reliable and secure solution that costs money but saves a lot of time, headaches and problems. In the end, the right solution can be well worth the money.
For security reasons, government organizations are often advised to host their own mail solutions. Irrespective of the software they choose, there are some security best practices that one must follow.
The overall goal for your government organization should be getting the most from your e-mail solution while saving money at the same time. But beware of the following pitfalls:
The Internet can offer your business many benefits – but it can also expose you to increased security risks. This section covers the basics of good computer and Internet security.
Many small businesses rely on the Internet to communicate with customers, suppliers and business partners. Other businesses go a step further: instead of using general email accounts provided by Internet Service Providers (ISPs), they choose instead to run their own web and email servers.
While running your own server can cut costs and bring greater flexibility, it can also expose you to bigger security risks.
If your business runs an email or web server, you probably rely on it to send and receive email and to present your online presence to the world. Inadequate security practices can disrupt your business, expose sensitive information, cost you money and put your computers at risk of being hijacked by spammers.
Most spam is sent out via spammers who take control of computers just like yours: don't let security lapses allow these people to take advantage of you.
Why care about security? What's the connection with spam?
Information held in IT systems is crucial for the operation of many businesses. Good security policies and practices help preserve the confidentiality, integrity and availability of data and services.
Spammers actively hunt for computers with security vulnerabilities. Spammers use these compromised computers both as a platform from which to attack other computers, and as a conduit for sending vast amounts of illegal spam.
If your business networks have been compromised, this can result in the disclosure of sensitive information, corruption of data, business downtime, damage to your reputation and the hassle of removing your business from spam 'blacklists'. You are also financially liable for the excess ISP data charges that accrue when your computer is used to send spam.
Like all forms of security, computer security costs money. A security policy outlines the chosen balance between risks, possible consequences and cost. Developing and following a security policy requires management support, skills and input and is not simply an issue of technology.
This section presents 11 ways you can improve the security of your server (that is, ensure it is not compromised) and build a strong security policy. You can learn more about any of these security tips by browsing in a computer bookshop or by using your favourite Internet search engine.
1. Use a firewall
A firewall is your computer network's first line of defence against intruders. Firewalls can block all traffic between your network and the Internet that is not explicitly allowed. Firewall software is built into modern operating systems and can also be purchased as special-purpose hardware. Basic firewall settings to help get you started are readily available from your vendor or the internet.
2. Keep up to date with security patches
Most operating systems are supported by automatic updates ('security patches') that fix vulnerabilities found in important software components. You should either use the 'automatic update' option, or subscribe to a security-related mailing list and install these patches when necessary.
3. Protect yourself against viruses
Viruses and other malicious software, such as worms and Trojan horses, can alter or erase data on your computers; allow spammers and other intruders to use your computer and network; and may replicate and spread to others.
If you run an email server, you can install anti-virus software at the server to filter out email viruses before they reach users.
Each individual computer should also have up-to-date anti-virus software. Viruses and worms spread fast, so your anti-virus software must be updated regularly.
4. Use hard-to-guess passwords
Passwords are surprisingly easy to guess. Read the simple rules described in AusCERT's 'Choosing Good Passwords' guide (see 'General Security', below).
5. Check and alter default settings
After installing software, check the configuration / setting options – you may find the software has extra features you don't need or want. Turning off unnecessary services is a good security precaution.
6. Back up your software
Back up your data regularly. Verify your backups from time to time.
7. Monitor your servers
Your servers can be compromised without your knowledge. Monitoring your servers can alert you to intrusions as they occur, as well as allowing you to check the servers are working properly. Turn on the 'logging' function as a first step. Ask your vendor or an expert about the best way to monitor your network.
8. Join security-related mailing lists
Reputable organisations such as AusCERT offer free mailing lists that allow subscribers to keep an eye on the latest security risks and tips.
9. Secure your mail server: Close open relays!
Mail servers are very attractive targets to hackers and spammers because they exchange data between external users and internal users.
Ensure your forward and reverse DNS match
Also called Forward Confirmed Reverse DNS, having valid and matching forward and reverse DNS is one of the first recommendations in RFC 1912 ("Make sure your PTR and A records match"). It’s a sign that the system administrator understands at least the basic RFCs. It also helps to avoid spoofing of your systems by spammers.
You need to ensure that the IP address you are testing is the “edge” one that your email server connects to other servers with. In most cases this is obvious, but you might have a machine with multiple IP addresses, or you might be behind some sort of NAT system, in which case the apparent IP address will be the NAT router IP address, so make sure you are testing the right IP address.
'Relaying' is a feature in mail servers that allows the server to forward mail from one external domain to another. If you run an 'open relay', spammers will quickly find your computer and use it to send spam, which may result in your server being blacklisted – which will stop you from being able to send legitimate emails.
10. Secure your web server: Close open proxies!
Web servers are large, complex, and highly configurable (that is, they can be fine-tuned to suit your needs). As such, they are often targeted by hackers and spammers. Make sure you know what you are doing if you are setting up such a server. If in doubt, consult an expert.
The two most popular web servers are Apache and Microsoft Internet Information Server (IIS). The default installations of both servers are often adjusted to improve security (see the links below).
Modern web servers can also run as 'proxy servers', a feature which allows users to forward web requests through your servers. If you run an 'open proxy', allowing open access to your proxy, spammers will quickly find your server and misuse your generosity, which could harm your reputation and result in your business being placed on spam blacklists.
Also ensure your HELO string matches your reverse DNS
When your SMTP server sends email, it has to announce its name in the HELO or EHLO command. Since you have your DNS set up correctly, you have a fully-qualified domain name (the reverse DNS name), so you can follow RFC 2821 and use it as your HELO/EHLO string:
"The argument field contains the fully-qualified domain name of the SMTP client if one is available."
Doing this provides another level of verification that your server is who it says it is.
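A check covering both the forward-confirmed reverse DNS advice above and the HELO/EHLO rule in this section, as an added example (not code from the article): given the 'edge' IP your server sends from and the name it announces in HELO/EHLO, it confirms that the PTR name resolves back to the same IP and that the HELO string equals that name, and it warns when the IP is an RFC 1918 address, since you are then probably testing the pre-NAT address rather than the public one. The lookup functions default to the system resolver; the addresses and names used for testing are constructed examples.

```python
import ipaddress
import socket

# RFC 1918 ranges: if the "edge" IP is one of these you are probably behind NAT
NAT_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def dns_ptr(ip):
    """Reverse lookup via the system resolver; [] if there is no PTR record."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        return []

def dns_a(name):
    """Forward lookup via the system resolver; [] if the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []

def check_sending_host(ip, helo_name, ptr_lookup=dns_ptr, a_lookup=dns_a):
    """Check FCrDNS and HELO/EHLO agreement for the IP a mail server sends from."""
    result = {"ptr": None, "fcrdns": False, "helo_ok": False, "problems": []}
    if any(ipaddress.ip_address(ip) in net for net in NAT_RANGES):
        result["problems"].append("%s is an RFC 1918 address; test the public (NAT) address instead" % ip)
    ptrs = [p.rstrip(".").lower() for p in ptr_lookup(ip)]
    if not ptrs:
        result["problems"].append("no PTR record for %s" % ip)
        return result
    result["ptr"] = ptrs[0]
    # Forward-confirm: at least one PTR name must resolve back to the same IP
    for name in ptrs:
        if ip in a_lookup(name):
            result["fcrdns"], result["ptr"] = True, name
            break
    else:
        result["problems"].append("PTR name %s does not resolve back to %s" % (ptrs[0], ip))
    # HELO/EHLO must be a fully-qualified name and should equal the reverse DNS name
    helo = helo_name.strip().rstrip(".").lower()
    if "." not in helo or helo.startswith("["):
        result["problems"].append("HELO %r is not a fully-qualified domain name" % helo_name)
    elif helo != result["ptr"]:
        result["problems"].append("HELO %r does not match reverse DNS %r" % (helo, result["ptr"]))
    else:
        result["helo_ok"] = True
    return result
```

Run it against your own public address and HELO string; an empty `problems` list means the PTR, A record and HELO all agree.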
11. Avoid SAV
At first glance, Sender Address Verification (SAV) seems like a good idea. Because SMTP doesn’t include any intrinsic way to authenticate the MAIL FROM address, you just connect to the appropriate return host and check if the site will accept email for that address.
Unfortunately SAV creates more problems than it solves. As noted by others, it’s easy to work around SAV: spammers just send with a valid MAIL FROM address. Given they’re already spamming lots of valid addresses, they have lots to choose from.
For spammers that don’t use valid MAIL FROM addresses, the result will be that your system ends up looking like it’s attempting to attack other systems. For instance, say a spammer sends you 1000 emails with forged and invalid @fastmail.fm MAIL FROM addresses. To check them, your server contacts us 1000 times to see whether it can deliver to each address. However, that’s exactly the pattern that anyone trying to do a dictionary harvest attack against us would be doing! Without special precautions, your machine will now be treated as extremely suspicious because it just tried to send to lots of invalid addresses at our server.
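The harvest-like pattern described above, seen from the receiving server's side, as an added detection example that is not from the article: it parses constructed Postfix-style "User unknown" rejection lines (the log format is an assumption) and flags any client that probes many distinct invalid recipients within a short window, which is how a burst of SAV callouts from your server would look to the other side.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, Postfix-style recipient rejection line (not from the article); real logs vary
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"\S+\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 .*User unknown.* to=<(?P<rcpt>[^>]*)>"
)

def parse_rejects(lines, year=2010):
    """Yield (timestamp, client_ip, rejected_recipient) for each user-unknown rejection."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("rcpt").lower()

def suspicious_clients(lines, window=timedelta(minutes=10), threshold=20):
    """Return {ip: peak distinct unknown recipients inside one window} for clients over threshold.

    A host that probes many distinct invalid addresses in a short time looks like a
    dictionary harvest, whether it is a spammer or a mail server doing SAV callouts.
    """
    events = defaultdict(list)
    for ts, ip, rcpt in parse_rejects(lines):
        events[ip].append((ts, rcpt))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):          # sliding window over the sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({r for _, r in evs[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```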
PD Roy can be reached on pd@diqtech.com