Technical Aspects, Best Practice Recommendations and Hardening SMTP - Case Study Example

Technical Aspects, Best Practice Recommendations and Hardening SMTP Technical Aspects 1 Internet Information Service Internet Information Service (IIS) supports SMTP among other internet protocols. However, IIS will not be automatically turned on after the user installs Windows Server12r2 (Schaefer et al., 2012). A user interested in accessing IIS can do so via the control panel’s administrative tools. SMTP never operates in isolation. It needs other applications like IMAP, POP3 and Outlook. For instance, a client application like outlook can prove helpful for putting information in a user-friendly fashion to manage messages (Linenberger, 2013). An organization will require Mail Server software like Exchange 2013 Service Pack 1 if the need arises to host its mail server. Before the Exchange Product Group tested and validated windows server 2012 R2, deployment of 2012 R2 DCs was suspended environments that had Exchange installed. The Exchange Team has in the past devoted efforts towards testing and validating Exchange against Windows Server 12 DC. The task was completed hence Windows Server 2012 R2’s support for Exchange (Minasi, 2014). When you install SMTP in Windows Server 2012 R2, the server can operate as a primary SMTP server. However, a full-featured solution would require that the server administrator installs a messaging server like Microsoft Exchange Server (Stanek, 2014). As Stanek (2004) puts it, Encrypting File System (EFS) is instrumental in implementing encryption Windows Server 2012 R2. This system encrypts files using an enterprise encryption key in place of the client device-generated encryption key. Often, the enterprise encryption key is particular to the enterprise ID associated with a user, and SMTP services use this very ID as the default primary SMTP user address. Use of enterprise encryption keys different from client’s standard encryption keys is useful in making sure that every encrypted personal or work file is managed separately while using the SMTP service (Stanek, 2014). 1.2 Postfix The downloadable version of postfix comes as a collection that is initially made to go through tar followed by compression. For this reason, end users must unzip the files first using the here below shown command in the terminal of CentOS 7 terminal. $gzip –d postfix-2.2.10.tar.gz (Balcit, 2009). This command lets the administrator extract the files after which he would need to use the command $tar –xf postfix-2.2.10.tar which makes I bearing the name postfix -2.2.10 to appear in the current directory. The manner of operation of postfix is more or less similar to that of a network router. It receives an email from a sender then attempts to send it to the recipient. The recipient in this case could refer to another server or a local postfix server. Based on this factor, postfix features varied interfaces to tackle varying protocols (Davies, 2012). A postfix-oriented architecture is modular and constitutes varied daemons each particularly tackling only a few jobs. The SMTP daemon is an example of the daemons. It refers to the SMTP client that handles outgoing connections to send out email to other mail servers (Levine, 2004). 1.3 EXIM EXIM is an MTA whose use intend for hosts that run UNIX or UNIX-related operating systems (Nemeth, 2011). Its a design based on the assumption that the target systems would be running on hosts with a permanent connection to the internet. Its use is also possible on hosts with short-lived connections as long as the hosts feature suitable configuration adjustments. Use is not restricted to UNIX-based systems alone (Hazel, 2007). There exist configuration files that help to compile Exim inside the Cygwin environment that you could instal inside systems running windows like Windows Server 2012 R2. EXIM’s run-time configuration has certain futures that support its operation. An example of the features that EXIM comes with is the default configuration file often named as src/configure.default. For system administrators intending to use EXIM on hosts with simplified mail requirements, there would be no need changing the supplied default configuration settings. Another feature found in EXIM is authenticators section charged with SMTP authentication. This utility extends the SMTP protocol and can permit a client SMTP host to authenticate itself to the target server. This scheme helps servers to recognize clients that are authorized to use them as relays. However, servers that feature no managerial connection will find SMTP immaterial in the case of a need to transfer mail (Hazel, 2007). EXIM also has a number of methods and tools that are helpful in SMTP authentication. For instance, a server administrator will often have the option to use MySQL database systems, IMAP and Dovecot among other options in an attempt to authentic EXIM users. During the use of EXIM MTA, a server administrator could set the queue_ only_ load parameter to a load average value where the server must have to stop instant delivering then begin the queue only mode. In the default state, EXIM never uses this option and delivery remains constant whether the load situation is high or low (Nameth, 2011). 2. Best Practice Recommendations 2.1 Internet Information Service The recommendation that the IIS SMTP server administrator protects the system with regular software updates. This measure helps in the creation of patches for existing or upcoming vulnerabilities and helps to protect the operating system against any attack or software flaw. The practice goes as far as suppressing the impacts of malicious software whose presence can impair the normal operation of IIS SMTP application. In the context of Windows server 2012 R2, the update operation can be manually performed. It can also be meant to run on its own on a regular basis (Tulloch, Windows Server Team, & Microsoft Corporation, 2012). 2.2 Postfix Postfix uses the same mechanism,, /etc./alternatives, as Sendmail. It gives the implication that the coexistence of the two applications leads to a conflict that renders an entry with the MTA unnecessary. In the light of this, a system administrator should get rid of the Sendmail application from CentOS 7 server prior to the installation of postfix. It is, therefore, attained through the command # yum remove sendmail (Ibm, 2014). In order to counteract spambots in the context of an SMTP server, postfix employs the my network parameter in specifying the trusted sender network. In a given scene, the users inside the internal LAN are treated as authorized users and postfix happily accepts SMTP requests from them then forwards the mails to the appropriate destinations. To cater for mobility needs, it would be prudent using Simple Authentication and Security Layer (SASL). One you enable SASL, postfix will not permit any incoming SMTP connection that does not have proper authentication. As such, no SMTP even from the internal users shall be accepted if it lacks proper authentication (Ibm, 2014). 2.3 EXIM In a shared operation environment where any act from any user affects many individuals, it is prudent for a server administrator to limit the outgoing mails then permit a per-case basis. To attain this is EXIM, a server administrator would need to set the here below stated options inside the Exim.Conf file recipients_max_reject = true recipients_max = 50 (Ibm, 2014) The recommended way to retain this change is to add the changes in /etc/exim.conf.local under @COFIG@ and run /scripts/buildeximconf You should never whitelist your domain inside one of the whitelists found in the /etc./virtual Directory lest you translate any DierctAdmin based server to an open relay. In addition, use of telnet from a server or a local machine makes the domain appear as though it is an open relay (Ibm, 2014). The file located at /var/log/Exim/mainlog would be helpful in case the system administrator needs to establish whether a sending user is authenticated (Ibm, 2014). 3. Hardening, Implementation and the How to (s) 3.1 Internet Information Service 1. Open the IIS manager by typing IIS found in the search field of the start menu and clicking Internet Information Service (IIS) 6.0 Manager. 2. Try expanding the computer name, right click on SMTP Virtual Server #1 then click properties. 3. in the access tab, click on the Relay button 4. Click Add. In the case of an individual PC, just feed 127.0.0.1 then click ok. When we add 127.0.0.1, we are rendering the local server to be in a position to send messages from this given SMTP server. 5. Click Outbound Security from the Delivery tab. From the resulting choices, we select Anonymous access, Basic authentication, Integrated Windows Authentication or TLS encryption depending on the desired security mechanism (Minasi, 2012). 6. In the same Delivery tab, we click on Outbond connections. The TCP port will by default be 25. An administrator has the choice to enter a different port as long as the port in question is open inside Windows server 2012 R2’s firewall systems (Meyler, Fuller, & Joyner, 2013). Click OK. 3.2 Postfix There is no news that is as displeasing as a mail server administrator discovering that some malicious users have finally compromised on the server system. At such, there is need to apply given practices aimed at rendering a postfix SMTP more secure. The here below shown parameters are useful in hardening postfix SMTP server. A parameter such as smtpd_reject_unlisted_sender (no) This parameter makes a request that the postfix SMTP server disregards all mails sent from any undefined sender address, even in situations where the system explicitly specifies reject_unlisted_sender access restriction. The parameter smtpd_delay_open_until_valid_rcpt (yes) suspends the start of all SMTP mail transactions till the system receives legitimate RCPT TO command. In case the use of postfix SMTP server encompasses mobile devices such as laptops and phones, it would be appropriate enabling Simple Authentication and Security Layer (SASL). One you enable SASL i, Postfix will only permit an incoming SMTP connection that has a proper authentication (Wietse et al.). The server administrator should ensure that the SASL service does not exempt internal users because the smart spammers can mimic valid mail accounts. There are certain parameters inside the /etc./postfix/main.Cf file that need to be set to make sure that postfix only permits local emails for purposes of delivery. We then set the parameters as shown here below (Ibm, 2014) mydestination = $myhostname, localhost.$mydomain, localhost inet_interfaces = localhost (Ibm, 2014) The parameters my destination enlists every domain to receive mails for whereas the parameter inet_interfaces states the network that the application lists on. After Configuring postfix, we restart postfix using the command #/etc/init.d/postfix restart (Ibm, 2014). It is never safe for the users to run the commands on the local host considering that postfix is meant to permit connections that originate from the local node (Ibm, 2014). 3.3 EXIM 3.3.1 Authentication The pop-auth stuff occurs prior to the –smtp that Directadmin uses. It (pop-auth) gives the implication that so long as you log in the end user into a POP3 account on a Directadmin-powered server, you temporarily add the IP address into a white list. Consequently, it will be possible sending emails through SMTP to any other domain without prior authentication requirement. This state prompts the need to force every user to make use of SMTP authentication. Such a condition can be realized by disabling pop-auth-before-smtp in this context and setting limits assoaciated with the use of SMTP (Ibm, 2014). 3.3.2 Attaining Performance Optimization SMTP is defaulted to send up to a total of 100 messages for every SMTP session to a particular destination domain. In an attempt to increase the top-most number of permitted messages sent in every session, a system administrator gets the chance to efficiently re-use the SMTP connection. It leads to economical use of the CPU alongside reduced bandwidth consumption. In order to set the highest number of messages to send over the network, in every SMTP session, we edit the etc./Exim/Exim.Conf file. We then enter the detail shown here below in section named as transport configuration: connection_max_messages =300 (Ibm, 2014). In a nutshell, in order to attain performance maximization, there should be an attempt by the system administrator to re-use the SMTP. References Baclit, R. (2009). Foundations of CentOS Linux: Enterprise Linux on the cheap. Berkeley, Calif.: Apress. Davies, J. (2012). To understand IPv6: The essential guide to implementing IPv6 on Windows. Redmond, Wash: Microsoft. Hazel, P. (2007). The Exim SMTP mail server: The Official guide to releasing 4. Cambridge: UIT Cambridge. Ibm, R. (2014). Ibm smartcloud storage access v1.2 an implementation guide. S.l.: Vervante. Levine, J. R. (2004). Qmail: [managing Unix-based mail systems]. Beijing [u.a.: OReilly. Linenberger, M. (2013). Total workday control using Microsoft Outlook. Meyler, K., Fuller, C., & Joyner, J. (2013). System Center 2012 Operations Manager unleashed. Indianapolis, Ind: Sams. Minasi, M. (2014). Mastering Windows server 2012 R2. Nemeth, E. (2011). UNIX and Linux system administration handbook. Upper Saddle River, NJ: Prentice Hall. Stanek, W. (2014). The Windows Server 2012 R2 Inside Out Configuration Storage & Essentials. Microsoft Press. Schaefer, K., Cochran, J., Forsyth, S., Glendenning, D., & Perkins, B. (2012). The Professional Microsoft IIS 8. New York: Wiley. Tulloch, M., Windows Server Team., & Microsoft Corporation. (2012). Introducing Windows Server 2012. Redmond, Wash: Microsoft Press. Other References Boldizsar Bencsath, Miklos Aurel. (n.d.). An Empirical Analysis of Denial of Service Attack Against SMTP Servers. Retrieved September 19, 2014, from Laboratory of Cryptography and System Security: https://www.crysys.hu/publications/files/BencsathR07cts.pdf Limited, C. I. (n.d.). Latest Version: 4.84. Retrieved September 19, 2014, from Exim Intenet Mailer: www.exim.org Limited, C. I. (n.d.). SMTP Authentication. Retrieved September 19, 2014, from Exim Internet Mailer: http://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentication.html Wietse Venema, Till Franke, Lutz Jaenicke, Victor Duchovni. (n.d.). Postfix SMTP Server. Retrieved September 26, 2014, from die.net: http://linux.die.net/man/8/smtpd Read More