Security settings for the mail server

Source: Internet
Author: User
With spam on the Internet increasing all the time, setting up your mail server's security settings is an important issue. Taking MDaemon, currently one of the most popular mail servers, as an example, let's discuss its security settings.

The security settings for MDaemon are set under the Setup menu. There are several options for this:

- Address Suppression: Lists the addresses that are not allowed to send mail through your mail server. If a message arrives from an address in this list, you can either accept it and place it in the bad message queue, or reject it during the SMTP session (so that it never even reaches your server's temporary directory). This feature is for dealing with problem senders, such as those who keep sending large volumes of malicious email. Wildcards are supported, such as "*@hotmail.com" and "baduser@". The list can apply to all domains or to a single domain.
- IP Screening (IP masking): Specifies the IP addresses of servers you wish to allow or disallow. If an address is disallowed, connection attempts from it are rejected and dropped immediately. This is also convenient to configure when your machine has multiple IP addresses. Patterns such as "206.*.*.*" or "206.101.*.130" are supported.
- Host Screening (site masking): Specifies the sites (domain names) of servers you wish to allow or disallow. It works like IP Screening, but lets you specify the site by name. Patterns such as "*.sample.com" or "sample.*" are supported.
- IP Shielding (IP shield): If a domain name in this list tries to connect to your server, its IP address must match the address you have entered for it here. There is one additional option here: an exception for mail to legitimate local users. For example, when many senders use fake addresses such as "54fg56ff@yahoo.com" or "tg7hj47r6@hotmail.com" to send mail to you, you can enter the real IP addresses of yahoo.com and hotmail.com here so that they must match. But there are too many sites on the Internet to list them all, so some will not be covered and other methods have to be used for them.
- SMTP Authentication: Several options determine how MDaemon behaves depending on whether a user sending mail to the MDaemon server has first authenticated. (MDaemon supports importing authenticated users from Windows NT.)
1. Authenticated senders are valid regardless of the IP they are using
Authenticated users are exempt from the IP Shielding (IP shield) restrictions and can send from any IP address.
2. Authenticated users are exempt from the POP before SMTP requirement
If you use the "POP before SMTP" security feature described below, this option exempts authenticated users from that requirement.
3. Authentication is always required when mail is from local accounts
Any message claiming to be from a local user must be authenticated first.
4. Mail from "Postmaster" requires an authenticated session
Mail from "Postmaster" also requires authentication. Spammers and hackers know that a "postmaster" account exists, and they may try to send mail through your server using it. Enable this setting to prevent them from doing so.
5. Authentication credentials must match those of the email sender
The authentication credentials must match the sender address. This prevents a local user from sending mail under another user's address on the same system.
6. Global AUTH Password
Use a global AUTH password. If you use the "authenticated senders are valid regardless of the IP they are using" option above, accounts that MDaemon is configured to authenticate dynamically against NT must use this global password in place of their normal NT password.
- POP Before SMTP: Requires each MDaemon user to access their mailbox first before MDaemon will allow them to send mail. This verifies that the user holds a legitimate account and is permitted to use the mail system. It is the easiest way to reduce use of your mail server by unauthorized users, and is a method now commonly used by major ISPs. Note, however, that users must make the corresponding settings in their mail clients.
- Spam Blocker (reject spam): Lets you specify several ORDB and MAPS RBL style sites that are queried every time someone tries to send a message to your server. If the connecting IP address is on a site's blacklist, the message is rejected or flagged. Note that some sites are listed on these blacklists incorrectly.
For more information about spam and about how to use ORDB or MAPS RBL to control and stop it, see http://www.ordb.org and http://www.mail-abuse.com/rbl/.
Spam Blocker has several options:
1. Flag messages from blacklisted sites but go ahead and accept them
With this option set, MDaemon does not reject mail from blacklisted sites; instead, an "X-RBL-Warning" header is added to these messages. You can then use the content filter to find messages carrying this header and act on them accordingly. MDaemon will also automatically create a "spam" IMAP folder for each user and generate the IMAP mail rules that move messages carrying the "X-RBL-Warning" header into it. Although this is not necessarily accurate or safe, it is a simple convenience that helps users identify spam quickly. Users should check the "junk e-mail" folder regularly to confirm that no important messages have been placed there by mistake (this does sometimes happen). For comparison, see http://www.hotmail.com, which works the same way.
2. Check "Received" headers within SMTP collected messages
Checks the IP addresses recorded in the "Received" headers of messages received over SMTP. This is not a very useful strategy for the mail you receive, and if you have already enabled "POP before SMTP" it is unnecessary.
3. Check "Received" headers within POP collected messages
Checks the IP addresses recorded in the "Received" headers of messages collected by DomainPOP or MultiPOP.
4. Add blacklisted sites to the IP Screen (under All Domains)
Adds sites found on the blacklist to the IP Screening (IP masking) feature described above (under All Domains). This option is important for preventing these sites from connecting to your server again in the future. Sites are added automatically only until the IP Screen file reaches roughly 20 KB (about 500 entries); after that they are no longer added automatically (they can still be added manually). This keeps an overly long IP Screen list from affecting server performance.
5. The remaining options define various exceptions, much like those above, and need little explanation.
On the Spam Blocker Hosts page, you can add and remove blacklist sites manually.
On the Spam Blocker Caching page, you can configure caching of Spam Blocker query results. This is set to automatic.
- Relay Settings (forwarding settings): Controls what MDaemon does when your mail server receives a message that is not for a local address.
1. This server does not relay mail for foreign domains
With this option set, MDaemon refuses messages whose From and To addresses include no local user. That is, it does not relay mail on behalf of outside parties.
2. Refuse to accept mail for unknown local users
With this option set, MDaemon refuses messages addressed to unknown local users.
3. Sender's address must be valid if it claims to be from a local domain
If a message claims to be from a local domain, the local user must exist; otherwise MDaemon refuses to send the message.
4. Mail sent via authenticated SMTP sessions can always be relayed
Messages sent over an authenticated session are always relayed.
5. Mail can always be relayed through domain gateways
Messages can always be relayed through a domain gateway, regardless of the relay controls. This feature is disabled by default and is not recommended.
- Trusted Hosts (trusted sites): Specifies the domain names or IP addresses that are exceptions to the relay rules in Relay Settings.
- Tarpit Settings (intentional delay): Tarpitting is the intentional insertion of delays into SMTP processing to discourage a sending server from continually trying to send.
- Reverse Lookup (reverse query): MDaemon can query DNS servers to check the validity of the domain names and IP addresses associated with a message. This can be used to reject suspicious messages or to insert a special header into them. The reverse lookup results are also recorded in the MDaemon log file.
1. Perform reverse PTR record lookup on inbound SMTP connections
MDaemon performs a reverse PTR record lookup for every inbound SMTP session.
2. Send 501 and shutdown connection if no PTR record match
If no PTR record is found, MDaemon sends a 501 error code and aborts the connection.
3. Perform lookup on HELO/EHLO domain
HELO/EHLO is the identity the sending client presents to the server when it connects. Set this option to look up the domain name given in the HELO/EHLO command during the session.
4. Perform lookup on value passed in the MAIL command
Set this option to look up the domain name given in the MAIL command during the session. For example, you might see "MAIL from abced@yahoo.com.cn" in the log; in that case the domain name yahoo.com.cn is looked up. This address is usually the message's return path and its original sending address. Be aware, however, that it is sometimes replaced with a false address.
5. Refuse to accept mail if a lookup returns 'domain not found'
If the lookup result is "domain not found", setting this option rejects the message with a 451 error code (requested action aborted); the session is otherwise allowed to proceed normally.
6. Send 501 error code (normally sends 451 error code)
Set this option to send the 501 error code instead of the 451 error code when the "domain not found" result occurs.
7. ...and then shutdown the socket connection
Set this option to abort the connection when the "domain not found" result occurs.
8. Insert "X-Lookup-Warning" header into suspicious messages
If the lookup finds a message suspicious, an "X-Lookup-Warning" header is inserted into the message.
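The following added example models how the eight Reverse Lookup options above combine into a decision for one SMTP session; it is an illustration written for this page, not MDaemon code. The `Options` field names, the DNS tables (constructed, using documentation address ranges), the header wording, and the rule that a domain resolving to a different IP counts as "suspicious" are all assumptions.

```python
from dataclasses import dataclass

# Constructed DNS data (documentation address ranges) standing in for a resolver.
PTR = {"192.0.2.10": "mail.example.org"}
A = {"mail.example.org": {"192.0.2.10"}, "example.org": {"192.0.2.10"},
     "example.net": {"198.51.100.7"}}

@dataclass
class Options:  # hypothetical field names for options 1-8 above
    ptr_lookup: bool = True           # 1
    ptr_fail_501_close: bool = False  # 2
    check_helo: bool = True           # 3
    check_mail_from: bool = True      # 4
    refuse_not_found: bool = True     # 5
    use_501: bool = False             # 6
    close_socket: bool = False        # 7
    add_warning: bool = True          # 8

def evaluate(ip, helo, mail_from, opt, ptr=PTR, a=A):
    """Return (smtp_code or None, close_connection, warning_headers)."""
    warnings = []
    if opt.ptr_lookup and ip not in ptr:
        if opt.ptr_fail_501_close:
            return 501, True, []
        warnings.append(f"no PTR record for {ip}")
    checks = []
    if opt.check_helo:
        checks.append(("HELO/EHLO", helo))
    if opt.check_mail_from:
        checks.append(("MAIL", mail_from.rsplit("@", 1)[-1]))
    for source, domain in checks:
        addrs = a.get(domain.lower())
        if addrs is None:  # lookup result: "domain not found"
            if opt.refuse_not_found:
                return (501 if opt.use_501 else 451), opt.close_socket, []
            warnings.append(f"{source} domain {domain} not found")
        elif ip not in addrs:  # assumption: a mismatch counts as suspicious
            warnings.append(f"{source} domain {domain} does not resolve to {ip}")
    headers = [f"X-Lookup-Warning: {w}" for w in warnings] if opt.add_warning else []
    return None, False, headers

if __name__ == "__main__":
    print(evaluate("192.0.2.10", "mail.example.org", "x@example.net", Options()))
```

451 is a transient SMTP failure, so a legitimate sender whose DNS was briefly unreachable will retry later, whereas 501 is permanent; that difference is the practical cost of enabling option 6.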
To sum up, today's popular mail servers offer a variety of means to deal with message security and spam. In real use, however, we also need to keep consulting the log files and adjust the settings accordingly. For example, 163.com is regarded as a spam server by foreign organizations (a lot of spam is indeed sent from there), so if you use Spam Blocker you may not receive mail from 163.com. Settings should therefore be chosen to fit the specific situation. How to weigh this is up to each administrator and is a matter of opinion.
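The Spam Blocker lookup and its "flag but accept" option, which is the safer choice when a legitimate sender such as the 163.com case above is blacklisted, can be sketched as follows. This is an added example, not MDaemon code: the zone name `dnsbl.example`, the resolver table, the function names and the header wording are constructed, while the reversed-octet query name and the 127.0.0.0/8 answer are the standard DNS blacklist convention.

```python
import ipaddress

ZONES = ["dnsbl.example"]   # hypothetical blacklist zone
# Constructed resolver data: query name -> A record returned by the zone.
FAKE_DNS = {"7.100.51.198.dnsbl.example": "127.0.0.2"}
SCREEN_CAP = 500            # the "about 500 entries" limit described for IP Screen
LISTED = ipaddress.IPv4Network("127.0.0.0/8")

def query_name(ip, zone):
    """Reverse the IPv4 octets and append the blacklist zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def listed_in(ip, zones=ZONES, resolve=FAKE_DNS.get, cache=None):
    """Return the zones that list ip, remembering answers in cache."""
    cache = {} if cache is None else cache
    if ip not in cache:
        hits = []
        for zone in zones:
            answer = resolve(query_name(ip, zone))
            if answer and ipaddress.IPv4Address(answer) in LISTED:
                hits.append(zone)
        cache[ip] = hits
    return cache[ip]

def handle(ip, flag_only, ip_screen, auto_screen=False, **lookup_args):
    """Return (accepted, headers); flag_only=True mirrors option 1."""
    hits = listed_in(ip, **lookup_args)
    if not hits:
        return True, []
    # Option 4: remember the site in the IP Screen, but only up to the cap.
    if auto_screen and ip not in ip_screen and len(ip_screen) < SCREEN_CAP:
        ip_screen.add(ip)
    if flag_only:
        return True, [f"X-RBL-Warning: {ip} is listed by {z}" for z in hits]
    return False, []

if __name__ == "__main__":
    print(handle("198.51.100.7", flag_only=True, ip_screen=set()))
```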
