My wife and I have a new hobby—powerlifting.
Most people relax during the summer, but Paige and I decided to push ourselves (and the bar) to the limit by entering our first powerlifting competition. However, within minutes of entering the building and before touching anything heavy, I really messed up! Well, almost. And that reminded me about my work in email server security. When you don’t have the essentials figured out, you could end up with a bar in your chest like I almost did.
I realize there’s a lot to know about any sport: how to swing, when to tackle, when to push yourself and when to rest. But a competition adds another layer of complexity, including things like waiting for and understanding the referee's cues, the value of teamwork, and being in the right place at the right time.
But competition is also helpful because you get feedback from people who know more than you do. For example, at check-in I scribbled down what I thought was a reasonable starting weight to lift. The girl at the desk looked at my numbers, looked at me (and probably my new hobby muscles), and said:
“Are you sure you want to attempt those weights in kilograms?”
Nervously, I laughed. “Um no, I was thinking pounds. May I have that card back?” This brief exchange, although embarrassing, was important because it set me up for success—and kept me from getting flattened.
In this post, I hope to do something similar – give you an overview of the essentials of email (or web) server security so you can succeed and not get flattened. Let’s begin!
1) Protect Yourself & Your Passwords
Passwords are the digital keys to your server. And, like those numbers on a powerlifting entry card, they are meant to protect you and your hard work. If you create strong passwords and manage them well, you’re golden.
Here are four tips to keep your passwords effective:
- First, consider using a password manager. Password managers can make it easier to implement our remaining password related recommendations. We use 1Password at GreenArrow, but there are a number of other good options out there.
- Have your password manager in place? Great! Next, start using it to generate strong passwords, and use a different password for each login. This combination makes it a lot tougher for attackers to break into any of your accounts, and if they do manage to compromise one, it limits the damage to your other accounts.
- Also take a look at the system you used to store passwords before using a password manager. Did you simply memorize passwords? If so, congrats on your excellent memory. Did you write them down somewhere, such as on a sticky note? If so, reset those passwords and ditch the sticky notes.
- Next, rotate your passwords regularly. Doing so limits how long a compromised password remains useful to an attacker. Finally, look for ways to augment passwords or replace them with more secure alternatives. Some of these options are referred to as multi-factor authentication. As an example, when SSHing into a server, you can require both a key and a password to authenticate. This combines something you have (the key) with something you know (the password), and provides a higher level of security than a password alone. It's also possible to log in to an SSH server using a key instead of a password.
2) Keep Your Weights Up To Date
BONUS STORY: The Case of the Missing Server
Ever heard of the server that went missing for four years? A NetWare server at the University of North Carolina was accidentally sealed behind a wall in the late 90s, but it kept chugging along. It was so reliable that it was four years before anyone even realized it was physically missing. Clearly, the hardware was on its own, but I hope that they were keeping the server's software updated remotely!
For our weightlifting hobby, we made a few investments, but they're low tech and unlikely to change. Your software investments, not so much. As software vendors roll out updates, be sure to apply them early and often: some of the bugs those updates fix are security vulnerabilities.
If your GreenArrow installation resides in the GreenArrow Cloud, then we'll take care of software updates for you automatically. Otherwise, feel free to contact our support team for GreenArrow updates, and your system administrator for updates to your server's operating system.
3) Keep It Secret, Keep It Safe
Email in transit can be encrypted by enabling TLS. Both the sending and receiving side need to be TLS-aware for encryption to take place, so enabling TLS won't mean that suddenly 100% of your email is encrypted, but it will probably mean that the majority of it is. Google reports that 88% of messages from Gmail to other providers and 86% of messages from other providers to Gmail use TLS.
Depending on who you send email to, you may see similar figures after enabling TLS. Web interface traffic can be encrypted by using HTTPS instead of HTTP. This applies both to GreenArrow's administrative web interfaces, which you can use over HTTPS simply by going to an HTTPS URL, and to click and open tracking, which can be configured to use HTTPS by updating a URL Domain's configuration. If you receive a certificate warning when using HTTPS, you can resolve it either by contacting our support team or by reviewing our HTTPS configuration documentation.
4) Configure That Firewall
Configuring a firewall adds an extra useful layer of protection.
The first decision is what type of firewall to use. The default in most environments is the iptables or firewalld installation that comes with your Linux distribution, and for most installations these are both good choices; most of our customers use one or the other. If you want a different, possibly hardware-based, firewall, either as an extra layer of security or simply because you're more familiar with it, there are a number of other solid options out there, too numerous to list in this post.
Once you've selected your firewall, it's time to configure it. I recommend configuring it so that it explicitly allows only that traffic which you know the server should pass, and blocks everything else.
Our firewall configuration guide lists the network services and firewall openings needed for a typical GreenArrow installation; most email servers will require a similar list. Once you have your basic firewall in place, you may want to consider adding an IDS (intrusion detection system) and/or an IPS (intrusion prevention system). An IDS monitors networks or systems for malicious activity and sends a notification if any is found; Snort is a good choice. An IPS takes things a step further by actively trying to stop the malicious activity. One example of an IPS is fail2ban configured to block traffic from IP addresses that have too many failed login attempts, which it does by updating the firewall's rules.
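As an added example (not GreenArrow's firewall guide or product code), here is the allow-only pattern in iptables for a mail server: it opens only the services the server is known to provide and drops everything else. The port list, the log prefix and the `--apply` flag are assumptions; a firewalld setup expresses the same policy with zones and services instead.

```shell
#!/bin/sh
# Added example (not from GreenArrow's firewall guide): an allow-list iptables
# ruleset for a mail server. Everything not explicitly opened below is dropped.
# The port list is an assumption: SSH, SMTP, HTTP, HTTPS, submission, IMAPS, POP3S.
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22 25 80 443 587 993 995}"

# Emit the rules instead of applying them, so they can be reviewed (or tested)
# before touching a live box. Pipe the output through sh to apply.
gen_rules() {
    echo "iptables -F INPUT"
    # Keep working connections alive and allow loopback, which local services need.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    echo "iptables -A INPUT -p icmp -j ACCEPT"
    # One ACCEPT per service the server is known to provide.
    for port in $ALLOWED_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what falls through, rate limited so a port scan cannot fill the disk.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'fw-drop: '"
    # Switch the default policy to DROP only after the accepts exist, so a remote
    # SSH session running this script is not cut off between flush and first rule.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
}

if [ "${1:-}" = "--apply" ]; then
    gen_rules | sh   # rules do not survive a reboot; persist them with iptables-save
else
    gen_rules        # dry run: print the rules for review
fi
```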
5) Redundancy is So, So Good
One of the most important areas of information security is availability. Availability refers to keeping information systems both accessible and operating at an acceptable level of performance.
If your server goes offline due to a hardware failure, then you've lost availability. One of the best ways to mitigate the risk of hardware failure is through redundancy. A few examples of this are using RAID for your hard drives, installing redundant power supplies, and keeping spare hardware on hand.
6) Back Up Your Data, Jack
Redundant hardware can save you from a lot of failure scenarios, but there are still things that could leave you needing to restore your data from backups. Back up your email server regularly, and verify that those backups are good. As a simple verification, you can check your backup logs.
Our Unmanaged Backup script can be configured to email you a report each time it runs. That report will contain information on any errors that were encountered. And if you really want to kick things up a notch, perform a test restore every once in a while. That will both show whether the backups are viable and give you a realistic idea of how long a restore would take.
7) Monitor Yourself and Your Server
Back to the competition. When it was time for me to make my first lift, I executed what I thought was a perfect squat. But the referee who was watching my right side saw that my right hip didn't drop down deep enough, and called me out on it. Determined to not repeat the same mistake, I requested the same weight. This time I intentionally went a lot deeper than I thought was required. Success! The attempt counted.
Your monitoring system is a referee who can alert you automatically when issues are detected—both current problems and potential failures. If your server goes offline, it’s important to get notified immediately by your monitoring system rather than hours later by frustrated or confused customers. But it's even better to get notified of a problem before it takes effect—for example, monitoring disk space can tip you off to issues before you have an outage.
Here are some areas to consider monitoring:
- Responsiveness of SMTP and HTTP services
- Disk space usage
- Memory usage
- Network latency
- The integrity of any RAID arrays
- The ability to send and receive emails. On the sending side, you could set up a cron job to send emails on a regular basis. On the receiving side, you could create an email user that processes a .qmail file for all deliveries.
There are a lot of options for monitoring and notification software and services. Here at DRH, we use Nagios for server monitoring. Nagios is configured to email our sysadmin team about minor issues and to page our on-call technician via PagerDuty about major issues. If you're setting up your own monitoring system, you may find our monitoring tools useful. They're designed for Nagios, but can be adapted to any other monitoring system that can be configured to query HTTP servers.
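Putting the last bullet and the Nagios setup together, here is an added example, not GreenArrow's own monitoring tooling, of a send-and-receive probe: cron sends a marked message, the probe user's .qmail file pipes deliveries into the script to record when the last one arrived, and a Nagios-style check turns the age of that stamp into OK, WARNING or CRITICAL. The X-Mail-Probe header, the stamp path and the thresholds are assumptions.

```shell
#!/bin/sh
# Added example, not GreenArrow's own tooling: an end-to-end mail-loop probe
# reporting in the Nagios plugin convention (exit 0 OK, 1 WARNING, 2 CRITICAL,
# 3 UNKNOWN). Header name, paths and thresholds are assumptions.
STAMP_FILE="${STAMP_FILE:-/var/lib/mailprobe/last_received}"

# Sending side, run from cron (e.g. every 5 minutes). Assumes a sendmail-compatible
# binary on PATH; -t takes the recipient from the To: header.
send_probe() {
    printf 'To: %s\nSubject: mail loop probe\nX-Mail-Probe: %s\n\n' "$1" "$(date +%s)" \
        | sendmail -t
}

# Receiving side, invoked from the probe user's .qmail file with a line such as
#   | /usr/local/bin/mailprobe record
# qmail hands the message on stdin. Only our own probe updates the stamp, so
# unrelated mail reaching this mailbox cannot hide a broken loop.
record_probe() {
    # Read only the headers (up to the first blank line) and look for our marker.
    if sed '/^$/q' | grep -qi '^X-Mail-Probe: '; then
        date +%s > "$1"
    fi
    return 0  # never exit non-zero here: qmail would retry or bounce the message
}

# Pure decision function: age of the last probe against the two thresholds.
probe_status() {
    last=$1 now=$2 warn=$3 crit=$4
    age=$((now - last))
    if [ "$age" -ge "$crit" ]; then echo "CRITICAL - last probe ${age}s ago"; return 2; fi
    if [ "$age" -ge "$warn" ]; then echo "WARNING - last probe ${age}s ago"; return 1; fi
    echo "OK - last probe ${age}s ago"
    return 0
}

# Check side, run by Nagios (or any monitor that acts on exit codes).
check_probe() {
    stamp_file=$1 warn=${2:-900} crit=${3:-1800}
    if [ ! -r "$stamp_file" ]; then echo "UNKNOWN - no probe recorded yet"; return 3; fi
    probe_status "$(cat "$stamp_file")" "$(date +%s)" "$warn" "$crit"
}

case "${1:-}" in
    send)   send_probe "$2" ;;
    record) record_probe "$STAMP_FILE" ;;
    check)  check_probe "$STAMP_FILE" "${2:-900}" "${3:-1800}" ;;
esac
```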
8) Keep Spam and Malicious Email in Check
Spam isn't just an annoyance. It's also a security threat. Spammers can send malicious content or links your way, try to relay their spam through your mail server, or simply send you so much mail that it impacts availability or performance.
The spam filtering industry is large, so there is no shortage of options out there. One of the simplest to implement, but still effective, options is to configure your email server to use DNSBLs (DNS-based Blackhole Lists), such as the Spamhaus ZEN list, to filter incoming mail.
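To show what a DNSBL check actually does, here is an added example (not from the post or from GreenArrow) that performs the lookup an MTA makes against Spamhaus ZEN and interprets the answer. The return-code meanings follow Spamhaus's published ZEN documentation and should be confirmed against the current version; apart from the zone name, the values here are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the GreenArrow post or product: the DNSBL lookup an
# MTA performs against Spamhaus ZEN for a connecting IPv4 address. Return-code
# meanings follow Spamhaus's published ZEN documentation; confirm them against
# the current docs before relying on them.
DNSBL_ZONE="${DNSBL_ZONE:-zen.spamhaus.org}"

# A DNSBL is queried by reversing the octets and appending the zone:
# 192.0.2.1 -> 1.2.0.192.zen.spamhaus.org
reverse_ip() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# Turn one A-record answer into a verdict. Only 127.0.0.x answers are listings.
# 127.255.255.x answers are error signals (query blocked or malformed), and an
# MTA that treats them as listings will reject all mail the moment lookups break.
classify_answer() {
    case "$1" in
        "")                                       echo "not-listed" ;;
        127.0.0.2|127.0.0.3)                      echo "listed:SBL" ;;
        127.0.0.4|127.0.0.5|127.0.0.6|127.0.0.7)  echo "listed:XBL" ;;
        127.0.0.10|127.0.0.11)                    echo "listed:PBL" ;;
        127.255.255.*)                            echo "error:lookup-rejected" ;;
        *)                                        echo "error:unexpected-answer" ;;
    esac
}

# Live lookup (needs dig and a resolver that Spamhaus accepts queries from).
# 127.0.0.2 is Spamhaus's documented always-listed test address.
dnsbl_check() {
    answers=$(dig +short "$(reverse_ip "$1").$DNSBL_ZONE" A 2>/dev/null)
    if [ -z "$answers" ]; then
        echo "not-listed"
        return 0
    fi
    # A listed address may appear in several zones, so classify every answer.
    for a in $answers; do classify_answer "$a"; done | sort -u
}
```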
9) Keep It Simple
Finally, we have my favorite security principle of all - the KISS principle (Keep It Simple, Señor). The more complex something is, the more ways it can fail or harbor an exploitable security vulnerability, so it pays to err on the side of simplicity. Give each server a single, well-defined role. This often means running either a single service or a group of closely related services. Here are a couple of examples:
- A dedicated email server providing SMTP, POP3 and IMAP services.
- A dedicated web server providing HTTP and HTTPS services.
In these examples, the email server could host a web server, and the web server could have a basic email server configured, but these would typically exist only to support the server's primary purpose. Continuing with the same examples, the email server's web server could be there for processing email clicks and opens, while the web server's email server could be configured to relay all of its email to your dedicated email server.
Along these lines, we recommend having your GreenArrow server run only GreenArrow services, plus SSH. This eliminates a lot of potential conflicts and helps to contain the damage if there is an exploit. As an example of such conflicts, GreenArrow and cPanel can coexist, but they require tuning to prevent their web, DNS, SMTP and POP3 services from conflicting.
Aside from the software used to fulfill the server's role, make the installation of your server's operating system minimal.
And don't reinvent the wheel. If you're developing your own application, find out how much of the heavy lifting can be done by the applications you're already installing to support it. As an example, GreenArrow provides functions that aren't traditionally associated with email servers, like bounce, spam complaint and unsubscribe processing, as well as click and open tracking. Before you invest the time in making email-related enhancements, I recommend searching our documentation or contacting our support team to find out whether GreenArrow can either do the work for you or provide tools to make what you're looking for easier to accomplish.
Do What You Can With What You Have
While competing, we were divided by age, gender and weight class. One of my events included a 15-year-old woman and an 84-year-old man, with body weights ranging from 48 kg to 136 kg (105 lb to 301 lb). And if that wasn't inspiring enough, the 84-year-old lifted more than I did at the bench!
Not all organizations are going to have the same types of resources to devote to security. So make wise use of what you have. Lean on an expert when you need one. (Shout out to the lady at the desk - thanks again!) And if you can, put a team together – it makes a big difference. My wife and I joined an experienced team and I'm proud to say, our team won!
How do you manage your security? Did I miss anything you do at your organization? I'd love to hear about it. Tell me in the comments below.