1. Carefully configure mail relay options to avoid being an open relay
It is very important to set your mail relay parameter to be very restrictive. All mail servers have this option, where you can specify the domains or IP addresses for which your mail server will relay mail. In other words, this parameter specifies to whom your SMTP server should forward mail. Setting this option incorrectly can harm you, because spammers can use your mail server (and network resources) as a gateway to send spam to others, which can result in you being blacklisted.
2. Configure SMTP authentication to control user access
SMTP authentication forces people using your server to obtain permission to send mail by first providing a username and password. This helps prevent open relay and abuse of your server. If configured correctly, only known accounts can use your SMTP servers to send email. This setting is highly recommended when your mail server has a routed IP address.
3. Limit connections to protect your server against DoS attacks
The number of connections to your SMTP server should be limited. These parameters depend on the server's hardware specifications (memory, NIC bandwidth, CPU, etc.) and its nominal load per day. The main parameters used to manage connection limits include: total number of connections, total number of simultaneous connections, and maximum connection speed. Maintaining optimal values for these parameters may require refinement over time.
This can be very helpful in mitigating spam floods and DoS attacks targeting your network infrastructure.
4. Enable reverse DNS to block fake senders
Most messaging systems use DNS lookups to verify the existence of the sender's email domain before accepting a message. A reverse lookup is also an interesting option to combat spoofed email senders. Once reverse DNS lookup is activated, your SMTP server verifies that the sender's IP address matches the domain and host names that were sent by the SMTP client in the EHLO/HELO command.
This is very valuable for blocking messages that fail the address match test.
5. Use DNSBL servers to combat incoming email abuse
One of the most important settings to protect your email server is to use DNS-based blacklists. Checking whether the sender's domain or IP is known to DNSBL servers around the world (e.g. Spamhaus) can substantially reduce the amount of spam received. Enabling this option and using a maximum number of DNSBL servers will greatly reduce the impact of incoming unsolicited email.
DNSBL servers list all known IP addresses and domains of spammers for this purpose.
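How a DNSBL check works on the wire, as an added example (not code from this article or from any mail server): the client IP is reversed, the list's zone is appended, and an A record in 127.0.0.0/8 means "listed". The zone names and DNS data below are constructed placeholders; the error range reflects Spamhaus's documented return codes, and other lists may differ.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")      # valid "listed" answers
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus error codes, not listings

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets (or IPv6 nibbles) and append the DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    # reverse_pointer ends in ".in-addr.arpa" or ".ip6.arpa"; drop those two labels.
    return f"{addr.reverse_pointer.rsplit('.', 2)[0]}.{zone}"

def system_resolver(name):
    """A records for name; [] on NXDOMAIN or any lookup failure (fails open)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_dnsbl(ip, zones, resolve=system_resolver):
    """Return {zone: 'listed' | 'clean' | 'error'} for one connecting IP."""
    verdicts = {}
    for zone in zones:
        answers = [ipaddress.ip_address(a) for a in resolve(dnsbl_query_name(ip, zone))]
        if not answers:
            verdicts[zone] = "clean"
        elif any(a in ERROR_NET or a not in LISTED_NET for a in answers):
            # Refused query or an answer-rewriting resolver: never reject mail on this.
            verdicts[zone] = "error"
        else:
            verdicts[zone] = "listed"
    return verdicts

# Constructed DNS data so the example runs offline; zones are placeholders.
FAKE_DNS = {
    "55.2.0.192.bl-a.example": ["127.0.0.2"],
    "55.2.0.192.bl-b.example": ["127.255.255.254"],
}

def fake_resolver(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    zones = ["bl-a.example", "bl-b.example", "bl-c.example"]
    print(check_dnsbl("192.0.2.55", zones, fake_resolver))
```

Treating an "error" answer as a listing is a common cause of a server suddenly rejecting all inbound mail, so alert on it rather than acting on it.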
6. Enable SPF to prevent spoofed senders
Sender Policy Framework (SPF) is a method used to prevent spoofed sender addresses. Almost all abusive emails today have spoofed sender addresses. SPF checking ensures that the sending MTA is allowed to send mail on behalf of the sender's domain name. When SPF is enabled on your server, the sending server's MX record (the DNS mail exchange record) is validated before the message transmission takes place.
7. Enable SURBL to check message content
SURBL (Spam URI Real-time Block Lists) detects spam based on invalid or malicious links within a message. Having a SURBL filter helps protect users from malware and phishing attacks. Currently, not all mail servers support SURBL. But if your messaging server supports it, turning it on will increase the security of your server, as well as the security of your entire network, since over 50% of internet security threats come from email content.
8. Maintain local IP blacklists to block spammers
Having a local blacklist of IP addresses on your email server is very important for countering spammers who target only you. Maintaining the list may require resources and time, but it brings real added value. The result is a fast and reliable way to prevent unwanted internet connections from disturbing your messaging system.
9. Encrypt POP3 and IMAP authentication for privacy reasons
POP3 and IMAP connections were not originally created with security in mind. As a result, they are often used without strong authentication. This is a major weakness, as user passwords are transmitted in clear text through your mail server, making them easily accessible to hackers and people with malicious intent. SSL/TLS is the best known and easiest way to implement strong authentication; it is widely used and is considered reliable enough.
10. Have at least 2 MX records for failover
This is the last, but not the least important, tip. Having a failover setup is very important for availability. Having a single MX record is never adequate to ensure a continuous flow of mail to a given domain, so it is recommended to set up at least 2 MX records for each domain. The first is set as primary and the secondary is used if the primary stops working for some reason. This configuration is done at the DNS zone level.