How To Secure an Email Server?

While messengers and social networks are gaining traction, and some experts believe the role of email has changed, email is still the main communication channel for official correspondence.

For this reason, the content stored on enterprise email servers has become more critical than ever, and email server security should not be overlooked.

Email Server Security Challenges

Ensuring the security of email servers is one of the most important things organizations should pay attention to because emails are still one of the most widely used communication mechanisms that host essential information.
As a result, if business confidential data stored on these servers is exposed, businesses will suffer serious economic damage.

In addition, email servers must operate continuously so that users can access them at all times. If the servers fail for any reason, they can lose customer information and cause serious problems for the business.
To prevent servers from malfunctioning, data loss, and other adverse events, you must consider securing and configuring email servers to identify and fix vulnerabilities quickly.

Potential vulnerabilities

When we talk about security breaches, we mean that one or more unpatched vulnerabilities exist that hackers could exploit. It is impossible to eliminate every vulnerability, but we can reduce their number.
To do this, we must follow security guidelines when configuring email servers in order to minimize the number of problems we will later have to address.

In this article, we do not intend to repeat the need to install operating system and application security patches, because we have discussed that in detail in previous issues of Network Monthly.

Unauthorized access

One of the most common attacks on email servers occurs when hackers circumvent the authentication mechanism to access users’ data. The first step in dealing with this issue is to adopt strict policies requiring strong passwords for access to the server.

This prevents passwords from being recovered by brute-force (exhaustive search) attacks, which are a common way of bypassing the authentication mechanism. SMTP authentication is another way to protect servers from password-guessing attacks.

Challenges related to data leakage

One of hackers’ most important goals is to gain access to users’ personal information. When an email is sent over the Internet, it passes through various paths and hops, most of which are not secure.
It is technically possible to intercept passwords, usernames, and even message content along the way. To prevent this, incoming and outgoing emails should be encrypted, and the IMAP, POP3, and SMTP protocols must be protected with SSL/TLS certificates.

Spam

One of the common problems associated with email, especially corporate email, is spam. Spam challenges fall into two groups: spam sent to the user’s email client, and spam sent to other clients through the Open Relay technique.
To prevent the Open Relay problem, the mail relay parameters of the server must be configured correctly.

Content filtering mechanisms should be used to prevent these problems. These filters are installed on the email server itself or on a proxy application that guards access to the server; this can be a firewall, a proxy server, or a similar system.

Another solution is to use blocklists of spam servers. For example, DNS-based blocklists (DNSBL), Spam URI Realtime Blocklists (SURBL), or local lists containing spammers’ IP addresses significantly reduce the amount of spam that reaches the mailboxes on mail servers.
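As an added example (not code from the original article), the following Python shows how the DNSBL and SURBL lookups described above are formed and evaluated: the connecting IP is reversed octet by octet under the IP blocklist zone, and each domain linked in the body is queried under the URI blocklist zone. The zone names and the resolver answers are constructed placeholders.

```python
import ipaddress
import re
from typing import Callable, Dict, List

# Resolver signature: DNS name -> list of A records ([] on NXDOMAIN). It is injected so
# the example runs offline; in production, back it with a real DNS library.
Resolver = Callable[[str], List[str]]

# Placeholder zone names (assumptions, not real blocklists): substitute the DNSBL and
# SURBL zones your organisation subscribes to.
IP_BLOCKLISTS = ["dnsbl.example.net"]
URI_BLOCKLISTS = ["surbl.example.net"]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: reverse the IPv4 octets and append the zone name."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def surbl_query_name(host: str, zone: str) -> str:
    """SURBL convention: query the registered domain (last two labels here) under the zone."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) + "." + zone

def extract_hosts(body: str) -> List[str]:
    """Hostnames of http(s) links in the message body, the input for SURBL lookups."""
    return re.findall(r"https?://([A-Za-z0-9.-]+)", body)

def listed_in(name: str, resolve: Resolver) -> bool:
    # Blocklists answer with an address in 127.0.0.0/8 when listed; NXDOMAIN means clean.
    return any(a.startswith("127.") for a in resolve(name))

def check_message(client_ip: str, body: str, resolve: Resolver) -> Dict[str, List[str]]:
    """Return which IP and URI blocklists flagged the connecting host or the linked domains."""
    hits: Dict[str, List[str]] = {"ip": [], "uri": []}
    for zone in IP_BLOCKLISTS:
        if listed_in(dnsbl_query_name(client_ip, zone), resolve):
            hits["ip"].append(zone)
    for host in sorted(set(extract_hosts(body))):
        for zone in URI_BLOCKLISTS:
            if listed_in(surbl_query_name(host, zone), resolve):
                hits["uri"].append(f"{host} via {zone}")
    return hits

# Constructed answers standing in for real DNS data.
FAKE_DNS = {
    "4.3.2.1.dnsbl.example.net": ["127.0.0.2"],
    "spam-site.test.surbl.example.net": ["127.0.0.2"],
}

def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])
```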

Mailbox problems

Email servers and clients are constantly exposed to malware threats. When an email server becomes infected with malware, not only is the stability of the system compromised, but the clients that use it are also under serious threat.
Other problems that malware poses are the loss of integrity and confidentiality of personal data and the spread of malware through email clients. To address this, you need to use anti-malware protection such as antivirus software.

Denial of Service (DoS)

Denial-of-service attacks against corporate email servers are entirely destructive and prevent clients from sending or receiving emails, which seriously damages an organization’s reputation.
To prevent this, you should keep the number of connections to the SMTP server as low as possible: limit the number of connections a client may open within a specified interval, and limit the number of simultaneous connections.
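The two limits recommended above, as an added example that is not part of the original article: a per-client-IP limiter that caps simultaneous SMTP connections and new connections per sliding interval. The limit values are illustrative assumptions, not Exchange defaults.

```python
import collections
import time
from typing import Deque, Dict, Optional

class SmtpConnectionLimiter:
    """Per-client-IP limits for an SMTP listener: a cap on simultaneous connections
    and a cap on new connections within a sliding interval. Default values are
    illustrative assumptions, not the defaults of any real mail server."""

    def __init__(self, max_concurrent: int = 10, max_per_interval: int = 30,
                 interval_seconds: float = 60.0) -> None:
        self.max_concurrent = max_concurrent
        self.max_per_interval = max_per_interval
        self.interval = interval_seconds
        self.open: Dict[str, int] = collections.defaultdict(int)
        self.recent: Dict[str, Deque[float]] = collections.defaultdict(collections.deque)

    def _prune(self, ip: str, now: float) -> None:
        # Drop connection timestamps that have fallen out of the sliding window.
        window = self.recent[ip]
        while window and now - window[0] >= self.interval:
            window.popleft()

    def try_accept(self, ip: str, now: Optional[float] = None) -> str:
        """Return "accept" or the reason for refusing the connection."""
        now = time.monotonic() if now is None else now
        self._prune(ip, now)
        if self.open[ip] >= self.max_concurrent:
            return "reject: too many simultaneous connections"
        if len(self.recent[ip]) >= self.max_per_interval:
            return "reject: connection rate exceeded"
        self.open[ip] += 1
        self.recent[ip].append(now)
        return "accept"

    def release(self, ip: str) -> None:
        """Call when the client disconnects, freeing one concurrency slot."""
        if self.open[ip] > 0:
            self.open[ip] -= 1

def simulate_flood(attempts: int, max_concurrent: int = 3,
                   max_per_interval: int = 5) -> Dict[str, int]:
    """Constructed scenario: one IP opens `attempts` connections within a fraction of a
    second and never closes any. Returns how many were accepted versus refused."""
    limiter = SmtpConnectionLimiter(max_concurrent, max_per_interval, 60.0)
    outcome: collections.Counter = collections.Counter()
    for i in range(attempts):
        outcome[limiter.try_accept("203.0.113.7", now=1000.0 + i * 0.01)] += 1
    return dict(outcome)
```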

Server stability and performance

When discussing server performance, we must consider implementing a load-balancing mechanism in case of a server attack or malfunction. Most organizations use a backup server for this purpose.
For email servers, this is done through two MX records for each domain. Email servers also offer an SMTP authentication option.

If this option is enabled, a username and password are required to send email through the server. Enabling it is essential because it protects the server against being used to send out repeated requests.

In this case, uninterrupted server performance is guaranteed. Mail relay is another essential option that must be set up and configured correctly.
This option lets you specify which IP addresses are allowed to send email through the server. This prevents large numbers of messages from being sent that could destabilize the server. Another powerful tool for maintaining server performance is the reverse DNS mechanism.

This filter compares the connecting IP address with its hostname and domain. Based on this check, the server decides whether that sender may use it to send emails.
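The relay restriction and reverse DNS check just described, as an added example not taken from the article: a policy function that accepts mail for local domains, relays for other domains only from authenticated users or listed internal networks, and applies a forward-confirmed reverse DNS check to outside senders. The local domain, relay network and DNS answers are constructed assumptions.

```python
import ipaddress
from typing import Callable, List

# Injected DNS lookups so the example runs offline (assumed signatures, not a real library):
# ptr(ip) -> hostnames from the PTR record; a(host) -> IPv4 addresses from the A record.
PtrLookup = Callable[[str], List[str]]
ALookup = Callable[[str], List[str]]

LOCAL_DOMAINS = {"example.com"}                            # domains this server hosts (assumed)
RELAY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # internal networks allowed to relay

def forward_confirmed_rdns(ip: str, ptr: PtrLookup, a: ALookup) -> bool:
    """Reverse DNS check: a PTR name for the IP must resolve back to that same IP."""
    for host in ptr(ip):
        if ip in a(host):
            return True
    return False

def relay_decision(client_ip: str, authenticated: bool, rcpt: str,
                   ptr: PtrLookup, a: ALookup) -> str:
    """Decide whether to accept RCPT TO from this client without becoming an open relay:
    mail for local domains is accepted (outsiders must pass the rDNS check); mail for
    any other domain is relayed only for authenticated users or listed internal networks."""
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    addr = ipaddress.ip_address(client_ip)
    internal = any(addr in net for net in RELAY_NETWORKS)
    if rcpt_domain in LOCAL_DOMAINS:
        if internal or authenticated or forward_confirmed_rdns(client_ip, ptr, a):
            return "accept"
        return "reject: sender IP fails reverse DNS check"
    if authenticated or internal:
        return "accept: relay"
    return "reject: relaying denied"

# Constructed DNS data standing in for real lookups.
FAKE_PTR = {"203.0.113.10": ["mx.partner.test"], "203.0.113.66": ["mail.partner.test"]}
FAKE_A = {"mx.partner.test": ["203.0.113.10"], "mail.partner.test": ["198.51.100.1"]}

def fake_ptr(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])

def fake_a(host: str) -> List[str]:
    return FAKE_A.get(host, [])
```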

Preparation of required documents

The first step is to figure out what, why, and how it should be addressed. These three vital questions should be answered carefully during the review and audit process, focusing only on the most critical details.

  • What: Make a list of all the data, including usernames, contact lists, attachments, and other items that you think are needed to track vulnerabilities. The list can be divided into several different checklists. It is best to prioritize each item on the list to make it easier to identify the more serious problems.
  • How: Using the list of components you have prepared, identify the tools and applications with which you can monitor and review them. Next, specify a way to check and control each element of this list. Expand the list using known vulnerability lists and include controls that check for the existence of these vulnerabilities.
  • Why: To identify the most important items, you need to specify the reason, priority, and extent of coverage of each control operation. At this point, remove duplicates from the list.

When preparing the checklist, you can use the NIST SP 800-45 checklists. After preparing the list, specify the scope of work and the necessary resources. Once you have prepared a report on the current state of server security, you should evaluate the highest-priority issues first and examine them.

Analyze identified problems

The risks should be evaluated in the analysis process based on the following equation:

Risk = Impact × Likelihood × Exposure

Score each of these factors from 1 to 5. A score of 5 indicates a problem that cannot be bypassed, and a score of 1 means that the item on the list is not a serious security challenge.

The explanation of each of the parameters listed in the above equation is as follows:

  • Impact: The impact of an incident or problem depends on the components at risk. In some cases, this effect may be weak (for example, server performance is disrupted for 100 milliseconds), and sometimes it may be strong (loss of database information). If the checklists are prepared correctly, the effects can be identified better on that basis.
  • Likelihood: How reproducible the problem is and how easy it is to repeat; a clear example is filling the server memory with UDP packets through an open TCP port.
  • Exposure: This parameter indicates how hard the problem is to detect during regular server operation. Exposure can range from impossible (several unlikely problems) to unavoidable (for example, using the word “password” as the management account’s password, or a server failure after receiving more than 1000 emails simultaneously).

After evaluation, all identified problems are sorted by the score from the risk formula (impact × likelihood × exposure). In the next step, any event whose score is higher than the agreed threshold should be investigated.
This assessment helps to separate vulnerabilities (cyber threats such as data loss), defects (loss of loyal customers due to spam), and less essential problems, so that vulnerabilities and shortcomings can be prioritized and addressed.
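The scoring and triage described in this section, worked through as an added example (not from the article): each finding carries the three 1-to-5 factors, the risk product is computed with range validation, and findings above a threshold are ranked and grouped into the three categories named above. The sample findings and their scores are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

SCALE = range(1, 6)   # each factor is scored from 1 (negligible) to 5 (severe)

@dataclass
class Finding:
    name: str
    kind: str          # "vulnerability", "defect" or "minor": the three groups named in the text
    impact: int
    likelihood: int
    exposure: int

    def risk(self) -> int:
        """Risk = Impact x Likelihood x Exposure, rejecting scores outside the 1..5 scale."""
        for value in (self.impact, self.likelihood, self.exposure):
            if value not in SCALE:
                raise ValueError(f"{self.name}: every factor must be scored 1 to 5")
        return self.impact * self.likelihood * self.exposure

def prioritize(findings: List[Finding], threshold: int) -> List[str]:
    """Names of findings whose risk exceeds the threshold, highest risk first."""
    ranked = sorted(findings, key=lambda f: f.risk(), reverse=True)
    return [f.name for f in ranked if f.risk() > threshold]

def by_group(findings: List[Finding], threshold: int) -> Dict[str, List[str]]:
    """The same selection, grouped into vulnerabilities, defects and minor issues."""
    groups: Dict[str, List[str]] = {"vulnerability": [], "defect": [], "minor": []}
    for f in sorted(findings, key=lambda f: f.risk(), reverse=True):
        if f.risk() > threshold:
            groups.setdefault(f.kind, []).append(f.name)
    return groups

# Constructed sample findings scored on the article's scale (assumed values, not audit data).
SAMPLE = [
    Finding("IMAP accepts plaintext LOGIN", "vulnerability", impact=5, likelihood=4, exposure=4),
    Finding("No per-IP SMTP connection limit", "vulnerability", impact=4, likelihood=3, exposure=3),
    Finding("Spam filter lets bulk mail through", "defect", impact=2, likelihood=5, exposure=2),
    Finding("OWA page reveals build number", "minor", impact=1, likelihood=2, exposure=5),
]
```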

Repair vulnerabilities

Typically, there are three ways to fix an identified vulnerability:

  1. Use a newer version of the software, or replace it with other, safer software.
  2. Install third-party software that can fix the problem.
  3. Disable the problematic features.

The important things to consider are the level of risk, the budget involved, and the resources needed to make the changes. Each factor significantly affects the timing and prioritization of remedial action. It is best to fix simpler and easier problems right away rather than postpone them.
Repairing complex vulnerabilities typically takes several days, so do not sacrifice small but dangerous problems for complex ones. It is recommended to group vulnerabilities that can be fixed with a simple modification. This will save money in the long run.

A Case Study of Cyber Security

  • MS Exchange Server

Exchange Server is one of Microsoft’s most widely used products and is installed only on the Windows Server operating system. In addition to standard protocols such as SMTP, POP3, and IMAP, it supports proprietary protocols such as EAS and MAPI.
This section looks at Exchange Server from a security perspective to get an overview of the security measures involved in managing and identifying vulnerabilities around the email service. The most critical components of Exchange Server are:

  • Edge Transport Server: This component handles sending and receiving emails. It works best when an organization’s communication infrastructure is divided into a protected internal network, an unprotected environment, and a demilitarized zone (DMZ).
    It is typically deployed in the DMZ. Placing the Edge Transport Server in front of the Mailbox server provides additional protection for messages and exposes the server to fewer external attacks. Edge Transport is an optional component that may or may not be installed when installing Exchange Server.
  • Database Availability Group (DAG): A component that provides high availability and data recovery on the server. DAG is one of the main components for maintaining mailbox availability and recovering data after various events.
  • Spam protection: The spam protection component works best alongside anti-spam tools installed inside the communication network. It can be enabled directly on the Mailbox server.
  • Malware protection: This component is available to network administrators through the Malware agent on the Mailbox server. It is enabled by default in Exchange 2016.
  • Outlook Web Access: A web-based email client that provides all the features needed to manage email without installing a desktop client.

In addition to these key components, Exchange Server uses some proprietary services and protocols:

  • Exchange ActiveSync: A protocol for synchronizing email with mobile devices.
  • Exchange Web Services: A set of cross-platform application programming interfaces that give client applications access to emails and other mailbox information.
  • RPC over HTTP, MAPI over HTTP: These proprietary protocols allow email clients to communicate with the Exchange Server.

Since Exchange Server plays a key role in managing email, it should be appropriately configured and evaluated with regard to security settings and anti-malware protection, because a malware infection affects both the server and the clients that use it.
In this step, we review the process of testing and evaluating a test server based on the policies mentioned at the beginning of the article.

Software test

Exchange Server security testing is best done based on organizational considerations and the settings of the current infrastructure. Typically, an organization’s communication infrastructure follows one of these scenarios:

  • Scenario 1: The company has an internal network with Internet access. It has an MS Exchange Server with basic settings and no Edge Transport Server installed.
  • Scenario 2: The company has an internal organizational network behind a DMZ and accesses the Internet through that zone. Two Exchange servers, together with a Database Availability Group and an Edge Transport Server installed in the DMZ, form the communication structure of this organizational network.

As you can see, the network in Scenario 1 is vulnerable to cyber-attacks. However, some companies use this architecture to save costs. Before starting the test, the infrastructure should be configured according to its intended use, and the test should then be performed to identify hazards.

Personal data leakage protection test

This test inspects the connections between the Exchange Server and the email clients. It should be performed according to the following checklist:

  1. EAS, MAPI, IMAP, and SMTP are configured on the mail server.
  2. Mail clients are installed and tested on OWA (web), mobile, and desktop (Outlook, Thunderbird).
  3. The hardware is configured to simulate a man-in-the-middle (MITM) attack between server and client, and Wireshark, tcpdump, and Fiddler are then used to analyze the data.
  4. Data is transferred between client and server via the IMAP, MAPI, EAS, or SMTP protocols.
  5. The man-in-the-middle attack intercepts network packets, and an attempt is made to identify unencrypted data.
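A complementary defender-side check for the same weakness, added here as an example that is not part of the original article: before running the capture above, inspect what the IMAP, POP3 and SMTP services advertise on their plaintext ports. A hardened server offers STARTTLS/STLS and withholds login mechanisms until TLS is up; the banner replies below are constructed samples of a weak and a hardened configuration.

```python
from typing import Dict, List

def smtp_ehlo_findings(ehlo_lines: List[str]) -> List[str]:
    """Inspect the EHLO reply received on the plaintext port, before STARTTLS.
    A secure server advertises STARTTLS and withholds AUTH until TLS is established."""
    extensions: Dict[str, List[str]] = {}
    for line in ehlo_lines[1:]:            # the first 250 line is the greeting, not an extension
        if line[:3] != "250" or len(line) < 5:
            continue
        parts = line[4:].split()
        if parts:
            extensions[parts[0].upper()] = parts[1:]
    findings = []
    if "STARTTLS" not in extensions:
        findings.append("SMTP: STARTTLS not offered, sessions stay in plaintext")
    if "AUTH" in extensions:
        findings.append("SMTP: AUTH " + " ".join(extensions["AUTH"]) + " offered before TLS")
    return findings

def imap_capability_findings(capability_line: str) -> List[str]:
    """Inspect the untagged CAPABILITY reply on port 143 before STARTTLS.
    RFC 2595 expects STARTTLS plus LOGINDISABLED and no AUTH= mechanisms at this stage."""
    caps = set(capability_line.upper().replace("* CAPABILITY", "").split())
    findings = []
    if "STARTTLS" not in caps:
        findings.append("IMAP: STARTTLS not offered")
    if "LOGINDISABLED" not in caps:
        findings.append("IMAP: plaintext LOGIN accepted before TLS")
    mechs = sorted(c[5:] for c in caps if c.startswith("AUTH="))
    if mechs:
        findings.append("IMAP: SASL mechanisms " + " ".join(mechs) + " advertised before TLS")
    return findings

def pop3_capa_findings(capa_lines: List[str]) -> List[str]:
    """Inspect the CAPA reply on port 110: STLS must be present, and a USER capability
    advertised here means the server must be verified to refuse USER/PASS until STLS."""
    caps = {line.split()[0].upper() for line in capa_lines[1:] if line.strip() and line != "."}
    findings = []
    if "STLS" not in caps:
        findings.append("POP3: STLS not offered")
    if "USER" in caps:
        findings.append("POP3: USER/PASS login advertised before TLS")
    return findings

def audit(ehlo: List[str], imap: str, pop3: List[str]) -> List[str]:
    return smtp_ehlo_findings(ehlo) + imap_capability_findings(imap) + pop3_capa_findings(pop3)

# Constructed banner replies for a weak and a hardened configuration.
WEAK_EHLO = ["250-mail.example.test Hello", "250-SIZE 36700160", "250-AUTH LOGIN PLAIN", "250 OK"]
HARD_EHLO = ["250-mail.example.test Hello", "250-SIZE 36700160", "250-STARTTLS", "250 OK"]
WEAK_IMAP = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN"
HARD_IMAP = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
WEAK_POP3 = ["+OK Capability list follows", "TOP", "USER", "UIDL", "."]
HARD_POP3 = ["+OK Capability list follows", "TOP", "STLS", "UIDL", "."]
```

A service that passes this check can still leak if clients are misconfigured to skip STARTTLS, which is exactly what the packet capture in steps 3 to 5 confirms.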

Spam protection test

An example Exchange Server spam protection test is based on the following scenario:

  1. It is best to set up several local email servers to send spam to the tested Exchange Server.
  2. Send spam to the Exchange Server, using the available scripts to generate it.
  3. Once the spam is sent, check the targeted inboxes to see whether it was delivered to them.

It is best to perform this test for cases where anti-spam filters for Mailbox and Edge Transport Server are enabled and disabled. This helps to evaluate the effectiveness of anti-spam mechanisms.

Test for protection against malware-infected emails

To test protection against emails with malicious attachments, you need several malware-infected attachments. The standard approach is to perform the first test using the EICAR antivirus test file. This file is not actually malware and contains no malicious code.
However, most antivirus software flags it as a malicious file. For this test, it is best to use files created specifically for the purpose; for example, unique dynamic-link library (DLL) files that contain no malicious code but that antivirus software nevertheless classifies as malicious. Then perform the test based on the following steps:

  1. Disable Malware Protection on the Exchange Server.
  2. Send several malware-infected emails to different clients.
  3. On the recipient clients, search the emails to find the malware.
  4. Repeat the same scenario with the Protection Agent enabled on the server. In addition, repeat the test with this agent enabled on the Edge Transport Server.
  5. Now compare the results.

User password test

To test the strength of users’ passwords, we can use Hydra, which is included in the Kali Linux distribution. This software identifies weak passwords using the brute-force attack vector. The test performs the attack through the SMTP, IMAP, and POP3 protocols.

Test for protection against denial of service

To test protection against denial-of-service attacks, you should simulate attack traffic to check the stability of the Exchange Server services under such conditions.

In addition, it is better to also simulate various network failures. You can use software such as WAN for this purpose. In this test, check which Exchange Server is more resistant to attacks and how fast the recovery process is when an attack occurs.
When performing the test, consider the availability aspects described above and check whether the Exchange Server’s Database Availability Group component is enabled. In addition, is another server designated as a backup?

Results

Once you have done these tests, you should classify the results in Table 1 to facilitate the vulnerability repair process.

Last word

This article examines email server security and outlines the essential points to consider when performing security tests. We also provide an overview of attacks on email servers, briefly analyze them, and show you how to identify and repair vulnerabilities.

Finally, we examined the security status of Exchange Server, a popular server based on the Windows platform, as a case study.
It should be noted that the purpose of this article was to show that server security should be considered in the early stages of installing a server, because planning for potential threats prevents severe damage to the organization’s reputation.