SUMMARY
It's important to understand what is required in securing a mail server.
Common attacks on mail servers are to intercept unencrypted email connections
and sniff out mailbox credentials. Reviewing this article can assist
in understanding the various security features that can be enabled within
MailEnable to tighten the server and help prevent mailbox data from being
exploited.
DETAIL
Encrypted Authentication between client and server
In order to encrypt the communication between email clients and the MailEnable server, SSL or TLS needs to be enabled. The first step is to configure an SSL certificate to be used by the MailEnable server. Please see the following articles on how to set up an SSL certificate within MailEnable and on the recommended types of SSL certificate:
https://www.mailenable.com/documentation/10.0/Enterprise/Localhost_-_Secure_Sockets_Layer_(SSL)_encryption.html
Article ME020678
The next step is to configure the MailEnable mail services and web services to prevent plain text authentication.
SMTP:
- Navigate within the MailEnable administration console to: Servers->localhost->Services and Connectors->SMTP.
- Right click on SMTP and select properties.
- Navigate to the "Inbound" tab and click "Settings..." within the "Port Settings" section.
- For the default port 25 the recommendation is to disable authentication entirely and instruct clients to use an alternative port to send/receive. To set the service to prevent unencrypted authentication, the option "Only allow secure authentication (using SSL or TLS)" needs to be set for each SMTP port.
- Click "Apply" and then "Ok".
- Restart the SMTP service.
Documentation: https://www.mailenable.com/documentation/10.0/Enterprise/SMTP_props_-_Inbound.html
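Once the SMTP port settings above are applied, the quickest way to confirm them is to look at what the server advertises on a plain, unencrypted connection: a port that still lists AUTH before STARTTLS is a port where a client can send mailbox credentials in clear text. The following check is an added example and not MailEnable's own code; the EHLO replies and the host name in it are constructed, and the live `fetch_ehlo` probe assumes you point it at your own server's host and ports.

```python
import smtplib
from typing import Dict, List

# Constructed sample EHLO replies (not captured from a real server).
PLAINTEXT_AUTH = ["250-mail.example.test Hello", "250-SIZE 20480000",
                  "250-AUTH LOGIN PLAIN", "250 STARTTLS"]
TLS_ONLY_AUTH = ["250-mail.example.test Hello", "250-SIZE 20480000",
                 "250 STARTTLS"]

def parse_ehlo(reply: List[str]) -> Dict[str, List[str]]:
    """Turn the lines of a 250 EHLO reply into {EXTENSION: [parameters]}.
    The first line is the server greeting and carries no extension."""
    exts: Dict[str, List[str]] = {}
    for line in reply[1:]:
        body = line[4:].strip()          # drop the '250-' or '250 ' prefix
        if body:
            keyword, *params = body.split()
            exts[keyword.upper()] = [p.upper() for p in params]
    return exts

def audit_ehlo(reply: List[str], submission_port: bool) -> List[str]:
    """Findings for one unencrypted EHLO exchange. submission_port=False
    models port 25, where the article recommends no authentication at all;
    True models the alternative port, where AUTH must only follow STARTTLS."""
    exts = parse_ehlo(reply)
    findings = []
    if "AUTH" in exts:
        findings.append("AUTH %s offered before STARTTLS; credentials could "
                        "be sent in clear text" % " ".join(exts["AUTH"]))
    if submission_port and "STARTTLS" not in exts:
        findings.append("STARTTLS not advertised; clients cannot encrypt")
    return findings

def fetch_ehlo(host: str, port: int, timeout: float = 10) -> List[str]:
    """Live probe: connect WITHOUT TLS and return the EHLO reply lines.
    host/port are whatever your own MailEnable server uses (assumption)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, message = smtp.ehlo()
        if code != 250:
            raise RuntimeError("EHLO failed with code %d" % code)
        # smtplib strips the '250-' prefixes; restore them for parse_ehlo().
        return ["250-" + line for line in message.decode().splitlines()]

if __name__ == "__main__":
    for port, submission in ((25, False), (587, True)):
        print(port, audit_ehlo(fetch_ehlo("mail.example.test", port), submission))
```

A server that advertises AUTH but rejects it until after STARTTLS still shows up as a finding here, so confirm any such port against the "Port Settings" dialog rather than relying on the banner alone.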
IMAP:
- Navigate within the MailEnable administration console to: Servers->localhost->Services and Connectors->IMAP.
- Right click on IMAP and select properties.
- Tick the option for "Enable SSL and TLS support".
- Next tick the option for "Force clients to login securely (over SSL)".
- Click "Apply" and then "Ok".
- Restart the IMAP service.
Documentation: https://www.mailenable.com/documentation/10.0/Enterprise/IMAP%20-%20Settings.html
POP:
- Navigate within the MailEnable administration console to: Servers->localhost->Services and Connectors->POP.
- Right click on POP and select properties.
- Tick the "Requires SSL" option for the default POP port.
- Do the same for the alternative POP port if one is enabled.
- Click "Apply" and then "Ok".
- Restart the POP service.
Documentation: https://www.mailenable.com/documentation/10.0/Enterprise/POP_General.html
XMPP:
- Navigate within the MailEnable administration console to: Servers->localhost->Services and Connectors->XMPP.
- Right click on XMPP and select properties.
- Tick the option for "Advertise TLS".
- Tick the option for "Require TLS Support".
- Click "Apply" and then "Ok".
- Restart the XMPP service.
Documentation: https://www.mailenable.com/documentation/10.0/Enterprise/NewTopic6.html
Web Services (MailEnable Web Mail, MailEnable Web Admin, MailEnable Protocols websites under IIS):
Encrypting the mailbox passwords on the server:
Encrypting the mailbox passwords on the MailEnable server provides another level of security by preventing an attacker with access to the server from seeing plain text passwords.
- Navigate within the administration console to: Messaging Manager.
- Right click on "Messaging Manager" and select properties.
- Navigate to the "Security" tab and then click on the "Encrypt passwords..." button.
- Specify a key and store that key safely, as it is needed if you ever have to decrypt the passwords.
Documentation: https://www.mailenable.com/documentation/10.0/Enterprise/Messaging_Manager_-_Security.html
Password Policies:
Requiring users to set complex passwords helps prevent attackers from guessing a simple password.
- Navigate within the administration console to: Servers > Localhost.
- Right click on "Localhost" and select properties.
- Navigate to the "Policies" tab.
- Tick the option for "Enforce password policy".
- The recommendation is to enable all password complexity requirements so that end users must set a more complex password.
- Click "Apply" and then "Ok".
- Run a password check on the existing passwords for all mailboxes and create a report listing the mailboxes that do not meet the password policy.
Documentation: https://www.mailenable.com/documentation/10.0/Enterprise/Localhost_-_Policies.html