This is Part 14 on Securing Your WHS & Network by Home Server Land. This part identifies the risks and vulnerabilities that are associated with hosting your own email server. There are several protocols that can be used by an email server. The most widely used are SMTP, the simple mail transfer protocol, and POP3, the post office protocol. Currently there are no Add-In products that let the Windows Home Server act as an email server. Several alternative methods are presented that you can consider before deciding to install an email server.
The information presented in this part is based on the material presented in Parts 1 through 13. Securing Your WHS & Network - The Series is a table of contents that summarizes each part and has links to the published blog and threat assessment guides. We recommend that you refer to those parts as needed to read the detailed information that is covered.
Email servers use Internet protocols to exchange messages from one computer to another. It is highly possible that the sender and receiver of an email message may use completely different email clients and operating systems, but the Internet protocol makes sure that any email can be read by the receiver.
Email messages are simply an electronic version of sending letters through the postal service. As with a letter, the email message contains the address of the recipient, the return address, and the message. The email also contains a summary (the subject line) that a letter usually does not have.
Emails can contain attachments consisting of graphic, document, spreadsheet, picture, or video files. This is similar to bundling the printed forms in a package and sending the package. Email messages are sent through the Internet in a way that is similar to that used to send data between two computers. Part 5 describes how data packets are created, sent, and received. The following is the example used in Part 5 that described the functionality of NAT, but modified to represent the delivery method of email messages.
The purpose of the email server is to send outgoing messages in a format that complies with the email Internet protocol in use. It also listens for incoming messages, receives them, formats each message so that the receiver can read it, and delivers it to the addressee.
Part 8 explains how the network router sends and receives data. Sending and receiving data and email messages are very similar. Both rely on DNS, the domain name system, to locate the destination for packets of information. The email server works in conjunction with the router: the server formats the message and passes it to the router for delivery.
An email address is composed of two parts. The first part is the account name and the second part is the DNS domain name. The two names are separated by the "@" or "at" symbol. For example, Mary Smith has an email account at microminisoft.com. Her email address could be msmith@microminisoft.com.
Parts 8 and 9 explain how DNS is used as a "telephone directory" to locate the public IP address. This "telephone directory" is based on the DNS A Records that associate domain and sub-domain names with their public IP address. The email delivery process uses DNS mail exchange or MX Records as an "address book" to locate the public IP address of the email server based on the domain portion of the email address. The email server has a local "address book", usually called a Directory, which contains the account names and locations of the email files. The receiving email server uses this information to deliver the email messages to the account holder.
The following is an example of how the DNS A and MX records could appear in the ISP's DNS configuration interface. Depending on the number of accounts, a domain could have more than one email server. When there is only one email server, the preference is ignored. When there are two or more email servers, the preference is used to decide which one receives the mail. The preference creates a top-down hierarchy: the lower the preference number, the higher the email server ranks in delivery priority. If the main email server is busy or not available, the next email server in the hierarchy is used to deliver the mail.
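As an added example (not from the Home Server Land post), the following Python models how a sending mail server turns the domain part of an address into a delivery order using the A and MX preference rules just described. The A and MX records, host names and IP addresses are constructed for a fictitious domain.

```python
# Added example: MX preference ordering and fallback, using constructed
# DNS data (not real records and not the post's own configuration).

# Constructed A records: host name -> public IP address.
A_RECORDS = {
    "mail1.microminisoft.com": "203.0.113.10",
    "mail2.microminisoft.com": "203.0.113.11",
    "www.microminisoft.com": "203.0.113.5",
}

# Constructed MX records: domain -> list of (preference, host) pairs, in
# the arbitrary order an ISP's DNS interface might list them.
MX_RECORDS = {
    "microminisoft.com": [
        (20, "mail2.microminisoft.com"),
        (10, "mail1.microminisoft.com"),
    ],
    # Single MX whose host has no A record (a misconfiguration case).
    "northpole.com": [
        (0, "mail.northpole.com"),
    ],
}


def mail_domain(address):
    """Return the delivery domain: the text to the right of the '@'."""
    if address.count("@") != 1:
        raise ValueError("expected exactly one '@' in %r" % address)
    return address.rsplit("@", 1)[1].lower()


def delivery_order(domain):
    """MX hosts for a domain, lowest preference number first.

    With a single MX record the preference does not matter, exactly as
    the post notes; with several, the sort builds the hierarchy.
    """
    records = MX_RECORDS.get(domain)
    if not records:
        return []
    return [host for _, host in sorted(records)]


def pick_server(address, unavailable=()):
    """Choose the (host, ip) to deliver to, skipping hosts that are busy
    or down; returns None when no MX host can be reached."""
    for host in delivery_order(mail_domain(address)):
        if host in unavailable:
            continue  # main server busy: fall through to the next one
        ip = A_RECORDS.get(host)
        if ip is None:
            continue  # MX names a host with no A record: cannot connect
        return host, ip
    return None
```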
There are several email protocols in use, but we will focus on only the POP3 and SMTP protocols. It is possible that an email server may use only one of these protocols or both of them.
POP stands for post office protocol. The "3" means that the third version of the protocol is in use. POP3 is an older protocol that was designed mainly for email accounts accessed over dial-up connections. It permitted the user to download their messages to the email client on their computer, where they could read and respond to them without having to stay connected to the mail server. POP3 clients are still in use today, including Thunderbird, Opera, Win Mail, Outlook Express, and others. POP3 uses Internet port 110 and messages are usually transmitted without encryption.
SMTP means simple mail transfer protocol. This protocol is used for the efficient transfer of email messages between email servers that maintain a constant connection to the Internet. SMTP uses Internet port 25 and messages are usually transmitted without encryption. Email servers include Lotus Notes, Microsoft Exchange Server, and many Unix/Linux variants. These email servers exchange email messages with other email servers and deliver email messages to the user's email account.
The first requirement to host your own email server is that you should have a static public IP address that is assigned by your ISP. Alternatively you can use dynamic DNS or DDNS. Part 9 explains the function of DDNS and how to program the router to support DDNS.
The second requirement is that you should have a registered domain name. Alternatively, you can subscribe to a sub-domain name. Part 9 explains this process.
The third requirement is that you need to spend a considerable amount of time administering the email system and server. The email server will be probed by hackers looking for any vulnerability that allows them to use your email server to send their own email messages. You will also receive a considerable amount of SPAM and malicious email. Even if public blacklist sites are used to identify known senders of SPAM, new sending sites crop up every day. You will need to identify these sites yourself and add them to your email system's blacklist.
The fourth requirement is that a firewall router is an absolute necessity. The router should support deep packet inspection and virus detection. There is a significant amount of traffic associated with email servers and a good firewall router is needed to address the threats that are associated with email protocol attacks.
The fifth consideration is the number of users that require their own email account. A good rule of thumb is that if ten or fewer email accounts are needed, it will be more cost and time efficient to have your ISP host your email. The ISP can make the necessary DNS configuration changes to allow you to use your registered domain name when you send and receive email. The email will usually be delivered to a POP3 account, and you can use any email client program to compose or read email. In addition, email hosting is usually included as part of a small business Internet service agreement.
The final decision of selecting an email server is going to be based on cost, functionality, and ease of use. We are not going to make a recommendation of what brand to purchase because of the wide diversity of email servers that are available.
We are going to use Lotus Notes as an example of an email server and the basis for the illustrations. I am doing this because it demonstrates our diversity with products other than Microsoft. Plus Notes Mail is the only email server I have used in the past 20 years.
The Lotus Notes/Domino server software is installed in a way that is very similar to Windows Home Server. The only difference is that an operating system must be installed first. The Lotus Notes/Domino server can be installed on Linux and Windows operating systems. A server-based operating system is not necessary; Windows XP Professional is more than adequate. My Notes server uses Windows 2000 with no performance or other problems.
The detailed installation of the Lotus Notes/Domino server software is beyond the scope of this part. The installation process creates a Notes domain, an ID for the first server, a certifier ID for the Notes domain, and an ID for the Notes administrator. In addition, databases are created for the Directory, Mailbox, and Log.
After installing the email server software, the administrator installs the Notes and Administrator client programs on a networked computer. The Administrator client gives the administrator greater control over the day-to-day duties that are necessary to administer the Notes and Notes Mail server. The Notes client can also be used to perform some of these functions. The illustrations are captured from both the Notes client and the Administrator client.
All administration functions that are described require a user ID that has been assigned administrator authority. The initial configuration normally uses the administrator user ID that is created during the server software install.
The Lotus Notes Mail server is configured using a "Directory" database. This database contains the configuration settings for application and email servers, user accounts, and resources that are used by the calendaring and scheduling functions. The number of illustrations used to document the configuration of the email server may at first seem overwhelming; however, the majority of options are chosen from drop-down lists. Once the configuration is properly defined, there is no reason to change the settings unless you want to maintain rules and deny access lists.
In this example, we use the Notes client to demonstrate how to configure a Notes server to become an SMTP server. The "Directory" database is located on the Workspace and is represented by an icon. Double-click the database icon to open the Directory.
The Server document is used to initially configure the mail services. In the example below, the Routing tasks are set to Mail Routing and SMTP Mail Routing. In this case, both Lotus Notes mail and Internet mail are routed within the local network and to the Internet by this server. The SMTP listener task is set to Enabled so that Internet mail can be received. These two settings are all that is required to enable the SMTP email server.
Save the configuration settings and close the document.
Select the Configurations option in the left pane and select the configuration for * - [All Servers]. This is the master configuration document for all servers regardless of the number of server in use.
Click the Edit Configuration button. The master configuration document opens in the Basics tab.
Make sure the Yes box is checked for the "Use these settings as the default settings for all servers" option. The "Server returns exact size of message" option is Enabled for IMAP and Disabled for POP3. We do not intend to use POP3 for our email server.
Click the Router/SMTP tab. A second level of tabs opens at the Basics tab.
Enter 1 for the number of mailboxes. Choose the following options.
The remaining fields are used if an ISP is hosting your email.
Click the Restrictions and Controls... tab. A third level of tabs opens. Click the SMTP Inbound Controls tab.
Make the following settings for Inbound Relay. These settings ensure that your mail server cannot be used by others or a spybot program to send mail.
Perform anti-relay checks for authenticated users - Exceptions for authenticated users.
Make the following settings for the blacklist filters. This helps reduce the amount of SPAM mail.
If desired, a private blacklist filter can be used. If used, enable the filter, enter the hosts to blacklist, reject the message, and enter a custom message.
Private whitelist filters are used when a desired host site is blocked by a blacklist filter. For example, if mail from microsoft.com is not being received, the whitelist filter can be enabled and the desired site can be entered as a host site.
Inbound connection controls allow or deny connections from SMTP host sites. Determining the host names or their IP addresses is very tedious, and I have developed a special application to assist me in identifying the SMTP hosts to deny. The amount of text entered in the Allow and Deny fields is limited to 64KB.
The inbound connection control must be enabled for the mail server to use your settings.
Inbound sender controls allow or deny mail based on the sender's Internet domain. It is possible that an Internet site uses an ISP to host its mail and therefore has no SMTP server of its own. It is also possible that a spybot routine has successfully invaded a legitimate SMTP site to distribute its messages. Determining the host names is very tedious, and I have developed a special application to assist me in identifying the Internet hosts to deny. The amount of text entered in the Allow and Deny fields is limited to 64KB. Enabling "Verify sender's domain in DNS" also helps block mail that uses a fictitious domain name in the sender's email address.
The following is an example of a portion of the deny list. Entering only the ending portion of a domain name acts as a wildcard, blocking everything that ends with these values.
When enabled, the inbound intended recipients control looks at the account name portion of the email address to ensure that the name exists in the Directory. To refuse mail whose recipient does not match a Directory entry, enable the reject ambiguous names option. If you use email groups, you can also deny mail addressed to the members of an email group.
Click Router/SMTP in the first tab row, Restrictions and Controls... in the second tab row, and SMTP Outbound Controls in the third tab row.
Make the following settings for outbound sender controls. These settings ensure that your mail server cannot be used by others or a spybot program to send mail.
Rules can be created to further reduce the amount of email that is not blocked based on the blacklists and deny site lists. Click Router/SMTP in the first tab row, Restrictions and Controls... in the second tab row, and Rules in the third tab row.
To perform any function except New Rule, first click on the row for the rule and then click on the button associated with the action you want to perform. To create a new rule, click the New Rule... button.
A rule consists of a specific condition and an action that is performed when the condition is met. It is very much like the When condition of a SQL Select statement. In our example, when an email is addressed to shumar@datatectonics.com, we do not want the message to be delivered, and we do not want to return a 550 message indicating that the account could not be found.
In the Specify Conditions section, click the selection arrow for the first field and select To. Click the selection arrow for the second field and select is. In the third field, type the condition, shumar@datatectonics.com in our case. Then click the Add button to add your condition.
If this is the first condition, a When statement using the three conditions specified is built. Additional conditions can be added using the AND or the OR conjunctions.
In the Specify Actions section, click the selection arrow for the first field and select don't deliver message. Click the selection arrow for the second field and select silently delete. Then click the Add Action button to add your action.
If this is the first action, an action statement using the two choices we specified is built. Additional actions can be added by selecting other actions and clicking the Add Action button. When all conditions and actions have been identified, click the OK button to save the rule.
If your organization is required to comply with Sarbanes-Oxley, HIPAA, or other standards, the email server can be configured to support journaling. Journaling is a method that saves a copy of every inbound, outbound, and internal email message.
Click Router/SMTP in the first tab row, Advanced... in the second tab row, and Journaling in the third tab row. Select the appropriate configuration options.
At any time during the definition of the Configuration Settings you can save and continue working on the settings by pressing <Ctrl-S> or select File | Save from the main menu bar. The Save & Close action button will save and close the Configuration Settings. The view displaying a summary of the Configurations then appears.
The SMTP server is fully functional as soon as the SMTP Mail Routing option is selected for Routing tasks and the SMTP listener task option is set to Enabled. Make sure the configuration settings are set as described above before selecting these options.
The most frequent attack of an email server is to use it to send email using what is known as email relaying. A spybot routine can be written to take advantage of this vulnerability. We identified several areas in the configuration settings that prevent the server from relaying or forwarding email messages.
Email messages are delivered based on the portion of the email address that is to the right of the "at" sign or "@". While the message is travelling through the Internet, routing is based on this portion. The routing servers read the email address from left to right, and when an "at" sign is found they consider the portion after it to be the delivery address. When the message arrives, the receiving email server strips that trailing portion from the email address and delivers the message based on the remainder of the address.
Usually the remainder of the address is the account name. However, it is possible to include more than one email domain within an email address. For example, sclause@microminisoft.com@northpole.com is a valid email address. The routing methodology first delivers the email message to the "northpole.com" email domain. The email server strips its domain from the address which results in sclause@microminisoft.com and delivers it. The redelivery of an email message is called relaying.
The way you can test to ensure that your email server does not relay email messages is to have two valid email accounts. One account is from your email domain and another account such as an Internet email account. If your email domain is northpole.com and your Internet email account is live.com, compose an email message in the live.com account and address it to sclause@live.com@northpole.com. If you receive the email in your live.com account, your email server is not properly configured.
If you do not receive the email in your live.com account then your email server is properly configured to prevent relaying. If you receive a mail delivery error, you might want to consider stopping those messages from being generated from your email server. To a hacker, a confirmation of a rejection is an affirmation that an email server exists and they may try other methods to attack the server. Your email server should silently reject the email message, meaning no rejection message is sent. The hacker has no idea as to the success or failure of the attempt to attack your email server.
Because this exploit is used so frequently, the majority of Internet email services catch and prevent the delivery of email messages that are addressed using multiple email domains. If so, ask a friend to address an email message to you using the relay address method.
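As an added example (not the post's own code and not Lotus Notes' actual logic), the following Python models the inbound SMTP decisions described above: the suffix-style deny list, the reject-ambiguous-names check against the Directory, the mail rule that silently deletes mail to one recipient, and the silent rejection of source-routed relay attempts such as sclause@live.com@northpole.com. The local domain, Directory entries, deny-list suffixes and rule recipient are constructed sample data.

```python
# Added example: a simplified model of the inbound SMTP controls described
# in the post, run against constructed data. Real Notes/Domino servers
# implement these checks internally; this only shows the decision logic.

LOCAL_DOMAINS = {"northpole.com"}          # constructed: domains we accept mail for
DIRECTORY = {"sclause", "msmith"}          # constructed: account names in the Directory

# Deny list entries written as domain suffixes, which act as wildcards:
# "badhost.invalid" also matches "mail.badhost.invalid".
SENDER_DENY_SUFFIXES = (".spamdomain.invalid", "badhost.invalid")

# Mail rules from the Rules tab: recipient -> action. "drop" models the
# "don't deliver message / silently delete" action pair.
RULES = {"shumar@northpole.com": "drop"}   # constructed rule

DELIVER, REJECT, DROP = "deliver", "reject-550", "drop-silently"


def split_address(address):
    """Split on the right-most '@', the way a routing server reads it."""
    local, _, domain = address.rpartition("@")
    return local.lower(), domain.lower()


def is_relay_attempt(rcpt):
    """A source-routed address keeps a second '@' in its local part after
    our domain is stripped; delivering it would mean relaying. Mail for a
    domain we do not host is a relay attempt as well."""
    local, domain = split_address(rcpt)
    return "@" in local or domain not in LOCAL_DOMAINS


def sender_denied(mail_from):
    """Inbound sender control: match the sender's domain against the
    suffix deny list."""
    _, domain = split_address(mail_from)
    return any(domain.endswith(s.lower()) for s in SENDER_DENY_SUFFIXES)


def check_inbound(mail_from, rcpt_to):
    """Decide what to do with one envelope (MAIL FROM / RCPT TO):
    deliver, reject with a 550, or drop silently so that the sender
    learns nothing about the server."""
    if is_relay_attempt(rcpt_to):
        return DROP                 # the post recommends a silent reject here
    if sender_denied(mail_from):
        return REJECT               # blacklisted sender domain
    if RULES.get(rcpt_to.lower()) == "drop":
        return DROP                 # rule applies before the 550 lookup
    local, _ = split_address(rcpt_to)
    if local not in DIRECTORY:
        return REJECT               # "reject ambiguous names"
    return DELIVER
```

The relay test the post describes corresponds to the second assertion below: the source-routed recipient is dropped without any bounce.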
All email/user accounts created in Notes are fully RFC-822 compliant. This is a basic requirement for sending email using the email Internet protocols. In addition, they fully comply with the hierarchical naming conventions for security certificates of trust that are used to cross-certify other Organizations for trust and encryption purposes.
The highest level of a Notes name is the Organization or O level. The organization level can be the Internet domain name. For example, my Notes domain is DataTectonics and my Internet domain is datatectonics.com.
A Notes organization can be subdivided into up to four levels of Organizational Units or OU. The OU1 is a subset of the entity that is a direct descendent of the Organization. Many times the OU levels are based on geography which creates an administration burden when a user changes their address. A good example of an OU1 could be based on Continent for users and "Server", "Room", and "Equipment" for other resources. An example of an OU2 could be used for resources to define their geographical location. We would not subdivide the user's OU1 to lessen the name changing requirements. However, other resources are associated with a physical location. The OU2 for Server, Room, and Equipment can be the name of the location. The OU3 for Room can be "Conference", "Auditorium", or "Office". The OU3 for Equipment can be "Projector", "Computer", and so on. It is not necessary to use all four levels of the Organizational Unit.
In our example, we are not going to use Organizational Units. All IDs for servers, users, and resources are certified at the O or organization level. The Notes administrator creates these IDs in the Administrator client. There is a registration process to create a new email account. Open the Administrator client and click on the People and Groups tab. On the right side is a drop-down arrow for Tools and when clicked displays a drop-down option for People and Groups. Click on the People drop-down option and then click the Register... option.
The "Choose a Certifier" dialog box opens. Click the Certifier ID... button and locate the certifier ID file. This file was created during the installation of the Lotus Notes server. Click the OK button.
A dialog box to enter the certifier password opens. Enter the password and click the OK button.
Enter the first, middle, and last name, and initial password for each user. Select the mail system option. Click the Done button to add the new user to the registration queue and add another user. When all users have been entered into the registration queue, click the Register All button.
The registration process in our example creates an email database for the user. The database file name is based on the short name. All email databases are located in the Mail folder on the server. Notes databases use the .nsf file extension meaning Notes Storage Format. The user can create a replica copy of their email database if they have a laptop. The synchronization of Notes database replicas is called replication.
The router must be configured so that the email server can receive email messages from the Internet. We are going to use the SMTP protocol which uses Internet port 25 for our example. Even if a POP3 server is used, SMTP is usually used as the method to receive email messages. There is no need to isolate the email server in a DMZ. The email server must be defined in the router as a network object and a rule for the SMTP service must be configured. The following illustrates the configuration method of the SonicWALL TZ-180 router.
The computer that is used as the email server must be defined as an address object in the SonicWALL router. Click Network, then the Address Objects option, scroll to the bottom of the Address Objects table, and click the Add... button. In our example, we entered Email Server for the name and 192.168.145.31 for the IP address. Select the LAN option for zone, and Host for the type. Click the OK button to save the configuration.
A static internal IP address is configured for the email server. Click Network, then click the DHCP Server option, and click the Add Static button. In our example, we entered 192.168.145.31 as the IP address, 00-1f-e2-4d-92-c4 as the Ethernet address. Select LAN interface option and 192.168.145.1 option for the gateway. Click the OK button to save the static IP configuration for the email server.
The SMTP service uses port 25 to listen for SMTP delivery attempts. To allow email to be received, an inbound rule must be defined in the router for the SMTP service. This rule permits the router to forward SMTP traffic to the email server for it to receive the email messages.
To create the rule, first click the Firewall and then the Access Control option, and then click on the configuration icon at the intersection of WAN and LAN.
The five major components to the rule are as follows.
The Lotus Notes/Email Server can be accessed by a Notes client from the Internet. This is very similar to using remote access to the Windows Home Server. The difference is that only databases on the Notes server can be accessed, and Notes encrypts the data that is transferred. Windows Home Server permits file access and uses the SSL Internet protocol to encrypt the data packets. Using the OSI model from Part 8, Notes encrypts the message at the physical layer, Layer 1, whereas the SSL protocol encrypts at the transport layer, Layer 4.
The five major components to this rule are as follows.
We at Home Server Land make the following recommendations when considering hosting your email server.
This blog identified threats and effort that are associated with hosting an email server. If an email server is deemed necessary, consider the increased threats that are associated with the attacks that are made to the email server. The security plan should be updated to identify threats specific to your WHS and network and address methods to resolve the threats. We have developed the Email Hosting Threats Risk Assessment to assist with the identification and methods that can reduce threats we identified. The Threat and Risk Assessment Worksheet can be used to document the threats that have been identified and used as a basis to manage them. Both documents are attached at the end of this blog.
This concludes Part 14 of Securing Your WHS & Network. We identified the risks, vulnerabilities, and effort that are associated with managing an email server. Although the WHS cannot be configured as an email server, a dedicated email server can be used. We suggested alternative methods to hosting your own email and illustrated how to configure an email server so that it is secure from threats and attacks from the Internet.
We used Lotus Notes as an example of an email server. We illustrated how to configure the email server to prevent attacks. We also explained the router configuration settings to permit SMTP and Lotus Notes traffic reach the server.
In Part 15, we will identify threats associated with the Voice over Internet Protocol, or VoIP. We explain alternative ways to separate the VoIP traffic from the network traffic. We illustrate how to configure the router to maintain the highest level of security for the WHS and the network.
In the meantime, we look forward to your questions and discussion in response to this blog. Part 16 will address the threats and security compromises that are associated with Windows Home Server Add-In products. We would like to cover applications like μTorrent and others that need user name and password information entered in the application settings. I would like to ask for your help with this part. If you would want a particular Add-In included, I would appreciate your suggestions. If you have had any experiences with an Add-In product, I would appreciate them. Just enter your ideas in the box below.
I remember when Lotus Notes was first released in the late 80's. WOW that was 20 years ago!
That was also the time you knew just about everyone at Lotus. And then there was Lotusphere!