Originally published 3/8/01 on searchSecurity.com.
Fred Avolio, Avolio Consulting, Inc.
In last month's column, I addressed ways to secure individual e-mail messages against tampering, forgery and eavesdropping. During a subsequent searchSecurity online event we received many questions having to do with e-mail servers. I will touch on e-mail server security in this month's column, giving general guidelines and advice.
Security for e-mail gateways falls into four general areas: protecting the server itself, protecting the inside network, dealing with unsolicited commercial e-mail (commonly called "spam") and remote access to e-mail. These are the same whether you are working with a Microsoft Exchange server, a Lotus Domino server, or Sendmail Switch. We'll look at each of these areas.
There is no magic here. There are several general steps to secure a server, any server.
If the server cannot be hardened in these ways, put it behind a firewall and tightly control services.
Protecting inside machines from e-mail borne attacks is fairly simple. E-mail gateways and servers should be configured with content screening systems. Most of the major antivirus vendors have systems that will run in conjunction with Exchange, Notes and Sendmail. We want to filter out viruses -- an obvious step. We also want to strip dangerous e-mail attachments. As Peter Tippett, CTO of TruSecure Corporation recommends in the January 2001 Information Security Magazine, "Filter out e-mail attachments -- including .exe, .scr, .pif and .vbs -- and you'll have no problem from these 'surprise' viruses (such as the Happy 99 virus)... In rare cases, users have a legitimate business need for receiving such attachments; but in most cases, they do not. Users who actually need these file types can get the sender to zip them or ask their e-mail administrator to manually forward them."
There are really two concerns with unsolicited commercial e-mail, one more annoying than the other, but the other potentially more devastating than the one. The first is to cut down on incoming spam (which is an annoyance and not a security issue). The second is to stop spammers from using our e-mail gateway as a relay point.
"Antispam" is what the users ask for because it directly affects them. Antispam measures are satisfying if your users are spammed from the same address. They also are used to confirm that the sender address information on the e-mail -- the domain and the name and IP address of the connecting system, for example -- is valid and consistent.
E-mail relay control is a requirement for e-mail from outside your company to get to users inside and vice versa. We want to relay to and from user e-mail addresses we support. We do not want to relay from strangers to strangers. The trick of the spammer is to use someone else's e-mail gateway as a bulk-mailer. Some e-mail systems crash under the load. Others result in justifiably nasty messages complaining about your "open e-mail relay." Domino, Exchange and Sendmail all provide antispam and relaying controls.
From home or a hotel, our users want to get at their e-mail. An encrypted connection is a "must," not only to protect the traffic, but also to limit who can connect to the POP or IMAP service from the outside. Connection encryption can be accomplished by receiving e-mail over a Virtual Private Network (VPN) or over an SSL-encrypted web connection. Sendmail e-mail servers support using TLS (an Internet standard based on SSL) between the e-mail client and the server.
E-mail is the #1 used service on the Internet. It is also the easiest to misuse. In addition to securing the messages themselves, securing the e-mail server is equally important. Just as with the individual messages, encryption technology can help. Good system administration policies and procedures, combined with other well-tested mechanisms such as antivirus software, complete the picture.