Best practices for securing MailEnable services.


SUMMARY

It's important to understand what is required to secure a mail server. A common attack on mail servers is to intercept unencrypted email connections and sniff out mailbox credentials. Reviewing this article can help you understand the various security features that can be enabled within MailEnable to tighten the server and help prevent mailbox data from being exploited.

DETAIL

Encrypted Authentication between client and server

To encrypt the communication between email clients and the MailEnable server, SSL or TLS needs to be enabled. The first step is to configure an SSL certificate for the MailEnable server. Please see the following articles on how to set up an SSL certificate within MailEnable and the recommended types of SSL certificate:

https://www.mailenable.com/documentation/10.0/Enterprise/Localhost_-_Secure_Sockets_Layer_(SSL)_encryption.html

Article ME020678

The next step is to configure the MailEnable mail services and web services to prevent plain text authentication.

SMTP:

  • Navigate within the MailEnable administration console to: Servers->localhost->Services and Connectors->SMTP.
  • Right click on SMTP and select properties.
  • Navigate to the "Inbound" tab and click "Settings..." within the "Port Settings" section.
  • For the default port 25 the recommendation is to disable authentication entirely and instruct clients to use an alternative port to send/receive. To prevent unencrypted authentication, the option "Only allow secure authentication (using SSL or TLS)" needs to be set for each SMTP port.
  • Click "Apply" and then "Ok"
  • Restart the SMTP service

Documentation: https://www.mailenable.com/documentation/10.0/Enterprise/SMTP_props_-_Inbound.html

IMAP:

  • Navigate within the MailEnable administration console to: Servers->localhost->Services and Connectors->IMAP.
  • Right click on IMAP and select properties.
  • Tick the option for "Enable SSL and TLS support"
  • Next tick the option for "Force clients to login securely (over SSL)"
  • Click "Apply" and then "Ok"
  • Restart the IMAP service

Documentation: https://www.mailenable.com/documentation/10.0/Enterprise/IMAP%20-%20Settings.html

POP:

  • Navigate within the MailEnable administration console to: Servers->localhost->Services and Connectors->POP.
  • Right click on POP and select properties.
  • Tick the option for default POP port for "Requires SSL".
  • Do the same for the alternative POP port if one is enabled.
  • Click "Apply" and then "Ok"
  • Restart the POP service.

Documentation: https://www.mailenable.com/documentation/10.0/Enterprise/POP_General.html
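One way to verify that the SMTP, IMAP and POP settings above took effect is to look at what each service advertises on a plaintext connection before STARTTLS or STLS is issued: a hardened service should not offer AUTH, LOGIN or USER/PASS there. The Python below is an added example, not MailEnable code; the capability replies it checks are constructed samples, and a live check would feed in the real EHLO, CAPABILITY and CAPA replies instead.

```python
import re

# Constructed sample replies (not captured from a real MailEnable server) for
# the capability exchange on a plaintext connection, before any STARTTLS/STLS.
WEAK_EHLO = "250-mail.example.test\r\n250-SIZE 20480000\r\n250-AUTH LOGIN PLAIN\r\n250 HELP\r\n"
HARDENED_EHLO = "250-mail.example.test\r\n250-SIZE 20480000\r\n250-STARTTLS\r\n250 HELP\r\n"
WEAK_IMAP = "* CAPABILITY IMAP4rev1 AUTH=PLAIN IDLE\r\n"
HARDENED_IMAP = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED IDLE\r\n"
WEAK_POP = "+OK Capability list follows\r\nUSER\r\nUIDL\r\n.\r\n"
HARDENED_POP = "+OK Capability list follows\r\nSTLS\r\nUIDL\r\n.\r\n"

def smtp_findings(ehlo_reply: str) -> list[str]:
    """Findings for the EHLO reply received on a plaintext SMTP connection."""
    caps = {re.sub(r"^250[- ]", "", ln).strip().upper() for ln in ehlo_reply.splitlines()}
    findings = []
    if any(c == "AUTH" or c.startswith("AUTH ") for c in caps):
        findings.append("SMTP: AUTH advertised before STARTTLS, plaintext credentials accepted")
    if "STARTTLS" not in caps:
        findings.append("SMTP: STARTTLS not advertised")
    return findings

def imap_findings(capability_reply: str) -> list[str]:
    """Findings for the untagged CAPABILITY reply on a plaintext IMAP connection."""
    caps = set(capability_reply.upper().replace("* CAPABILITY", "").split())
    findings = []
    if "STARTTLS" not in caps:
        findings.append("IMAP: STARTTLS not advertised")
    if "LOGINDISABLED" not in caps or any(c.startswith("AUTH=") for c in caps):
        findings.append("IMAP: LOGIN or SASL authentication accepted before STARTTLS")
    return findings

def pop_findings(capa_reply: str) -> list[str]:
    """Findings for the CAPA reply on a plaintext POP3 connection."""
    lines = [ln.strip().upper() for ln in capa_reply.splitlines()]
    caps = {ln.split()[0] for ln in lines if ln and not ln.startswith("+OK") and ln != "."}
    findings = []
    if "STLS" not in caps:
        findings.append("POP: STLS not advertised")
    if caps & {"USER", "SASL"}:
        findings.append("POP: USER/PASS or SASL advertised before STLS")
    return findings

def all_findings(ehlo: str, imap_caps: str, pop_caps: str) -> list[str]:
    """Combine the per-service checks; an empty list means no plaintext login path was found."""
    return smtp_findings(ehlo) + imap_findings(imap_caps) + pop_findings(pop_caps)

if __name__ == "__main__":
    print("weak:", all_findings(WEAK_EHLO, WEAK_IMAP, WEAK_POP))
    print("hardened:", all_findings(HARDENED_EHLO, HARDENED_IMAP, HARDENED_POP))
```

Advertisement is only the first check: a service that does not advertise AUTH or LOGIN should also reject an authentication command sent before STARTTLS, so confirm that with a client as well.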

XMPP:

  • Navigate within the MailEnable administration console to: Servers->localhost->Services and Connectors->XMPP
  • Right click on XMPP and select properties.
  • Tick the option for "Advertise TLS"
  • Tick the option for "Require TLS Support".
  • Click "Apply" and then "Ok"
  • Restart the XMPP service

Documentation: https://www.mailenable.com/documentation/10.0/Enterprise/NewTopic6.html

Web Services (MailEnable Web Mail, MailEnable Web admin, MailEnable Protocols websites under IIS):

Encrypting the mailbox passwords on server:

Encrypting the mailbox passwords on the MailEnable server provides another level of security by preventing attackers from reading plain text passwords.

  • Navigate within the administration console to: Messaging Manager.
  • Right click on "Messaging Manager" and select properties.
  • Navigate to the "Security" tab and then click on the "Encrypt passwords." button.
  • Specify a key and store the key in case you need to decrypt the passwords.

Documentation: https://www.mailenable.com/documentation/10.0/Enterprise/Messaging_Manager_-_Security.html

Password Policies:

Enforcing users to set complex passwords helps prevent attackers from being able to guess a simple password.

  • Navigate within the administration console to: Servers > Localhost.
  • Right click on "Localhost" and select properties.
  • Navigate to the "Policies" tab.
  • Tick the option for "Enforce password policy"
  • The recommendation is to enable all password complexity options so that end users are forced to set a more complex password.
  • Click "Apply" and then "Ok".
  • Run a password check on the existing passwords for all mailboxes and create a report listing the mailboxes that do not meet the password policy.

Documentation: https://www.mailenable.com/documentation/10.0/Enterprise/Localhost_-_Policies.html



Product: MailEnable (All Versions)
Article: ME020727
Module: General
Keywords: SSL, TLS, secure, encrypted, authentication, password
Class: HOWTO: Product Instructions
Revised: Monday, March 15, 2021
Author:
Publisher: MailEnable