Concept of securing mail server


Mail server security role issues


Mail servers store e-mail data, process client requests, and receive incoming e-mail from the Internet. The Post Office Protocol 3 (POP3) provides clients with mailboxes and enables mail to be retrieved from the mail server. The e-mail accounts of users are POP3 accounts, and are stored on the configured mail server. POP3 makes it possible for clients to use Microsoft Outlook or some other e-mail client to retrieve e-mail from the mail server. The Simple Mail Transfer Protocol (SMTP) is used to transfer e-mail.

When the mail server role is installed, the following components are automatically added to the specific server:

  • POP3 Users group; enables users to only access their mailboxes.
  • Mailroot folder; used for storing and transferring mail.
  • SMTP Service; for transfer of mail.
  • IIS Admin Service; for managing the SMTP service.

The main mail server security requirements which should be addressed are:

  1. Install a firewall solution to prevent unauthorized individuals from accessing the private network.
  2. Use IP Security Protocol version 6 (IPSec v6) to further secure mail traffic.
  3. Do not connect the mail server to the Internet if you have no firewalls configured.
  4. Determine and implement the proper authentication method: Here, the authentication method used in Active Directory is automatically used if the mail server is a domain controller or a member server. If not, the local Windows accounts settings are used to specify the authentication method.

Securing Exchange server:


Most organizations build their messaging network infrastructure on Exchange Server, because it provides a reliable messaging platform that is integrated with Active Directory. Microsoft Exchange Server 2003 provides more security and availability than the other messaging platforms.

A few security features of installing and using Exchange Server 2003 are listed here:

  • The default settings when you install Exchange Server 2003 are the same as the Windows Server 2003 default settings.
  • The least number of permissions are enabled by default to further secure the Exchange Server 2003 messaging platform. For instance, access is removed from the following groups:
    • Built-in Users
    • Anonymous Logon group
    • Everyone group
  • By default, applications and services are locked down. The services which are disabled when Exchange Server 2003 is installed are:
    • POP3 service
    • NNTP service
    • IMAP4 service
  • The default POP3 virtual server, NNTP virtual server and IMAP4 virtual server use basic authentication and Integrated Windows authentication.

You can use firewalls to protect Exchange Server computers and control traffic. Packet filtering features can be used to block traffic destined to and from Exchange Server computers. You can also limit the number of ports that are opened between an Exchange Server computer and other computers. Only those ports which are needed for communication should be opened.

The ports used by Exchange Server are listed here:

  • For communicating with domain controllers:
    • Lightweight Directory Access Protocol (LDAP); TCP port 389, for SSL TCP port 686.
    • Site replication LDAP communication; TCP port 379
    • Global Catalog LDAP communication; TCP port 3268, for SSL TCP port 3269.
  • For queries to DNS Servers:
    • TCP port 53 and UDP port 53.
  • For message transfer:
    • SMTP traffic; TCP port 25, for TLS TCP port 465.
    • SMTP Link State Algorithm; TCP port 691.
  • For client retrieval of e-mail (POP3):
    • TCP port 110.
    • For SSL, TCP port 995.
  • For client retrieval of e-mail (IMAP4):
    • TCP port 143.
    • For SSL, TCP port 993.
  • For web browsers downloading e-mail (Outlook Web Access):
    • TCP port 80.
    • For SSL, TCP port 443.
  • For newsreader:
    • TCP port 119.
    • For SSL, TCP port 563.
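
To apply the "only open what is needed" rule, compare what the server is actually listening on against the ports of the services you really use. The following Python sketch is an added example, not part of the original article: it parses `netstat -an` output and flags listeners that the required services do not need. The service grouping names, the sample output and the host addresses are constructed for illustration; only the inbound service ports from the list above are included.

```python
import re

# Inbound listener ports from the page's list, grouped by the service that uses them.
PAGE_PORTS = {
    "smtp": {25, 465, 691},
    "pop3": {110, 995},
    "imap4": {143, 993},
    "owa": {80, 443},
    "nntp": {119, 563},
}

# Constructed `netstat -an` output for a hypothetical Exchange host (not real data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:691            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:25            203.0.113.7:41022      ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$")


def listening_tcp_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state."""
    return {int(m.group(1)) for line in netstat_text.splitlines()
            if (m := LISTEN_RE.match(line))}


def audit_listeners(netstat_text, required_services):
    """List (port, reason) for every listener the required services do not need."""
    allowed = set().union(*(PAGE_PORTS[s] for s in required_services))
    owner = {p: svc for svc, ports in PAGE_PORTS.items() for p in ports}
    findings = []
    for port in sorted(listening_tcp_ports(netstat_text) - allowed):
        if port in owner:
            findings.append((port, f"{owner[port]} is not a required service"))
        else:
            findings.append((port, "not on the Exchange port list"))
    return findings


if __name__ == "__main__":
    for port, reason in audit_listeners(SAMPLE_NETSTAT, ["smtp", "owa"]):
        print(f"close or filter TCP {port}: {reason}")
```

Each finding is a candidate for disabling the service or adding a packet-filter rule; a port such as 110 is reported even though it is a legitimate Exchange port, because POP3 was not declared as required.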

Exchange Server secures network mail communication by means of encryption, through the Transport Layer Security (TLS) protocol. However, TLS only secures mail communication between mail servers running SMTP. Mail traffic between Web browsers and Outlook Web Access (OWA) is not secured through TLS. To secure this communication, you have to use the SSL protocol on your Web servers. Another method which you can employ is to use IPSec to secure all communication. You should also consider enabling auditing in Exchange Server to track activity on your mail server.

To enable TLS encryption for Exchange Server:

  1. Access the System Manager console.
  2. In the console tree, expand the Server node.
  3. Expand Protocols and expand SMTP.
  4. Select the virtual server by right-clicking it, and then select Properties from the shortcut menu.
  5. When the Properties dialog box opens, switch to the Access tab.
  6. Click Authentication.
  7. Enable the Require TLS Encryption checkbox.
  8. Click OK.
  9. Switch to the Delivery tab.
  10. Click Outbound Security.
  11. Enable the TLS Encryption checkbox.
  12. Click OK.
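
After changing the setting, confirm that the virtual server really refuses plaintext mail rather than merely offering TLS. The following Python sketch is an added example, not part of the original article: it classifies a captured SMTP session as TLS required, optional or not offered, based on the inbound "Require TLS Encryption" behaviour from the Access tab. The transcript format ("C:" and "S:" prefixes) and hostnames are constructed; the 530 refusal text is the one given in RFC 3207.

```python
# Constructed SMTP transcripts ("C:" client, "S:" server); hostnames are placeholders.
ENFORCED = """\
S: 220 mail.example.test ESMTP ready
C: EHLO probe.example.test
S: 250-mail.example.test Hello
S: 250-SIZE 10485760
S: 250-STARTTLS
S: 250 OK
C: MAIL FROM:<probe@example.test>
S: 530 5.7.0 Must issue a STARTTLS command first
"""
OPTIONAL = ENFORCED.replace("530 5.7.0 Must issue a STARTTLS command first",
                            "250 2.1.0 Sender OK")
NOT_OFFERED = OPTIONAL.replace("S: 250-STARTTLS\n", "")


def exchanges(transcript):
    """Yield (command, code, text_lines), joining multiline 'NNN-' replies."""
    cmd, texts = None, []
    for line in transcript.splitlines():
        if line.startswith("C: "):
            cmd = line[3:].strip()
        elif line.startswith("S: ") and line[3:6].isdigit():
            texts.append(line[7:].strip())
            if line[6:7] != "-":  # a space (or nothing) ends the reply
                yield cmd, int(line[3:6]), texts
                texts = []


def tls_posture(transcript):
    """Classify plaintext handling as required / optional / not offered / unknown."""
    advertised, tls_started, mail = False, False, None
    for cmd, code, texts in exchanges(transcript):
        verb = (cmd or "").upper()
        if verb.startswith("EHLO") and code == 250:
            advertised = any(t.upper().split()[:1] == ["STARTTLS"] for t in texts)
        elif verb == "STARTTLS" and code == 220:
            tls_started = True
        elif verb.startswith("MAIL FROM") and not tls_started and mail is None:
            mail = (code, " ".join(texts).upper())
    if not advertised:
        return "not offered"
    if mail is None:
        return "unknown"
    if mail[0] == 530 and "STARTTLS" in mail[1]:
        return "required"
    return "optional" if 200 <= mail[0] < 300 else "unknown"
```

A result of "optional" means the server still accepts mail in cleartext from peers that skip STARTTLS, so the checkbox in step 7 has not taken effect for that virtual server.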

To enable Exchange Server auditing:

  1. Access the System Manager console.
  2. In the console tree, expand the Server node.
  3. Select and right-click the specific object which you want to audit and then click Properties from the shortcut menu.
  4. Switch to the Security tab.
  5. Click the Advanced button.
  6. Switch to the Auditing tab, and click Add.
  7. Select those users whose actions you would like to audit.
  8. Specify which actions you want to audit.
  9. Click OK.

Note: The above rules apply only to Windows Server 2003, because some organizations may be using mail server 2003. Hopefully the process will be helpful.


