Securing server from email filter service
Question asked by jjreed34 - 11/26/2017 at 3:37 PM
I have my mail filtered by a service DYNU,  to filter SPAM/Virus.  How can I lock down my Smartermail to only allow mail form their 2 MX servers?   My MX record is set to their incoming servers, they scan and hold the mail (if needed) and then forward to my server.  
Also, they have an option to communicate server to server via TLS/SSL, does Smartermail support this?
Finally after purchasing, installing, converting from hosted 11.7 SM to 15.7 SM, everything is working great!   Many tips from this forum were helpful.   And I did not want to go down the 16SM road yet.

4 Replies

Reply to Thread
Paul Blank Replied
AFAIK, you cannot reliably allow incoming email from only certain addresses without making changes at the firewall level. You might be able to do this from within Windows Firewall or other 3rd party Windows program, but I use a filter on a Sonicwall firewall to allow only the IP addresses of my external filtering service on port 25 incoming; in my case the servers at Symantec Email Security.cloud. They utilize several IP ranges from around the world, and I only allow email from those address ranges.
Please correct me if I'm wrong! I do know that what I use works for me.
Kyle Kerst Replied
I believe you could whitelist their server addresses, and blacklist the IP ranges above and below to the blacklist. That should be sufficient on that front. 
As to ensuring your server is utilizing SSL/TLS for SMTP, you'll need to have/perform the following:
- SSL certificate bound to your server's host name or domain name (wildcard)
- SSL certificate bound to SMTP port definition in SM.
- "Use TLS if supported by the remote server" enabled under Protocol Settings>SMTP card.
- Standard SMTP disabled
This will force the server to utilize a TLS encrypted connection when communicating with outside servers. Now, if one of the spam servers ever tries to relay mail to your server while NOT using a TLS connection - the relay attempt will be dropped due to the lack of security. 
I'll double check the locations in my SM install this afternoon and follow up with some better instructions for you. 
Kyle Kerst Cameron Solutions LLC www.cameron-solutions.com
jjreed34 Replied
I totally blanked about the firewall option, thanks. Just have to make sure all mobile users are updated to using port 465 or 587, a few still use 25.

Regarding TLS on port 25. If I enable TLS on port 25 in bindings/ports (I can only have 1 bound to port 25), and server trying to connect without TLS will be allowed to communicate?

I saw somebody else's post about how TLS is not secure because it connects unencrypted first to handshake, if handshake fails does it revert back to standard transmission over port 25?
Kyle Kerst Replied
If you force TLS over port 25, email servers not capable of offering these security suites WILL have difficulty delivering mail to your server. TLS isn't ideal, but is what we have available on base line security. Email wasn't designed with security in mind from the beginning, so implementing updated security techniques causes undeliverable mail. I've seen instances where a business has mandated TLS or higher on SMTP, and then had trouble transmitting and receiving email with reputable (and "secure") vendors because they're NOT adhering to the standards. Its a slow, tedious process getting everyone up to "code" and most have no incentive to do so. That means the email world is essentially a minefield and it requires a combination of approaches. Offloading this pain in the neck to a third party filtering/security services isn't a bad idea, but you'll want to evaluate their security as well, and potentially reach out to their support team to see how they would handle a non-TLS encrypted message as well. In highly secure environments the message would be rejected, whereas in more lax environments it might come through. Lots of research to do on this one - wish I could help more!
Kyle Kerst Cameron Solutions LLC www.cameron-solutions.com

Reply to Thread