IT Baseline Protection Manual S 5.56 Secure operation of a mail server

S 5.56 Secure operation of a mail server

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

Secure operation of a mail server requires secure local communications as well as secure communications through public networks. The mail server receives e-mail from other mail servers and forwards it to connected clients and servers. The mail server also forwards e-mail transmitted by local users to external mail servers. Here, the mail server must ensure that e-mail which connected users address to internal recipients is delivered internally only and is never routed out to the public network.

A mail server temporarily stores e-mail until it is forwarded. Many Internet providers and administrators also archive incoming and outgoing e-mail. The mail server must be protected appropriately to prevent unauthorised persons from gaining access to messages on it. For this purpose, the server must be located in a secure area (server room or server cabinet). One administrator and one substitute should be trained and placed in charge of the proper functioning of the mail server as well as its operating system. A postmaster account must be configured to receive all undelivered e-mail and related error messages (also refer to S 2.120 Configuration of a mail center).

Only locally connected users should have access to their mailboxes. However, these local users should not be allowed to access areas where e-mail is stored temporarily prior to forwarding (e.g. spool files).

Regular checks must be made of the stability of links with neighbouring mail servers, particularly that of the mail provider. Furthermore, regular checks are required to determine whether there is still sufficient hard-disk space for the temporary storage of mail, otherwise the exchange of messages might be impeded.

Logging of the mail server's activities should be defined with respect to scope and contents.

The mail server should never be part of a production system. In particular, no other services should be dependent on the availability of the mail server. Quick deactivation of the server should be possible at all times, e.g. in the event of a denial of service or if manipulation is suspected.

To make unauthorised access to user accounts more difficult, user names on the mail server should not be directly inferable from the e-mail addresses.

Incoming e-mail should be checked by the firewall or mail server for computer viruses and other disruptive as well as active components (e.g. Java applets).

Filter rules can be used to block the transmission and reception of e-mail for specific addresses. For example, this can prove useful for protection against spam mail. Other header entries can also be filtered to exclude spam. Caution must be exercised here to prevent wanted e-mail from being filtered out as well. For this reason, the filter rules should be defined very precisely, for example by deriving a new, dedicated rule from every newly received batch of spam mail rather than by using broad patterns. Suitable filter lists are available on the Internet and can be obtained from various manufacturers of communications software.
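The following is an added example, not part of the BSI manual, of what "precisely defined" header filter rules look like in practice: each rule is narrow and anchored, derived from one spam sample, and an allow-list of known senders is checked first so that wanted mail is never dropped. The rule set, the allow-list and the three sample messages are constructed for illustration (the example.* domains are reserved and never belong to a real sender).

```python
# Added example (not from the BSI manual): header-based filter rules for
# incoming mail, with an allow-list so that wanted mail is not filtered out.
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical block rules: (header name, regular expression). Each pattern is
# deliberately narrow and derived from one spam sample, as the text recommends.
BLOCK_RULES = [
    ("From", r"@bulkmailer\.example\b"),       # a sender domain seen in spam
    ("Subject", r"^ADV:"),                      # subject tag seen in spam, anchored
    ("X-Mailer", r"^MassMailer Pro 2\.1$"),     # exact product string from a sample
]

# Hypothetical allow-list: senders that must never be filtered, even if a block
# rule would match one of their headers.
ALLOW_SENDERS = {"newsletter@partner.example"}


def decide(raw_message: str) -> tuple[str, str]:
    """Return ("accept" | "reject", reason) for one RFC 822 message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in ALLOW_SENDERS:
        return ("accept", f"sender {sender} is on the allow-list")
    for header, pattern in BLOCK_RULES:
        # A header may occur more than once; check every instance.
        for value in msg.get_all(header, []):
            if re.search(pattern, value, re.IGNORECASE):
                return ("reject", f"{header} matches /{pattern}/")
    return ("accept", "no rule matched")


# Constructed sample messages.
SPAM = """From: "Special Offers" <offers@bulkmailer.example>
To: staff@org.example
Subject: Cheap stuff

buy now
"""

# Wanted mail whose subject merely starts with the letters ADV: the anchored
# rule "^ADV:" does not fire, which is the point of writing rules precisely.
HAM = """From: Alice <alice@org.example>
To: bob@org.example
Subject: ADVanced planning meeting

see you tomorrow
"""

# A partner newsletter that would match two block rules but is on the allow-list.
ALLOWED = """From: Partner News <newsletter@partner.example>
To: staff@org.example
Subject: ADV: monthly partner newsletter
X-Mailer: MassMailer Pro 2.1

this month's news
"""

if __name__ == "__main__":
    for name, sample in (("SPAM", SPAM), ("HAM", HAM), ("ALLOWED", ALLOWED)):
        print(name, decide(sample))
```

Rejections should be logged with the matching rule so that a false positive can be traced back to the rule that caused it and the rule narrowed further.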

Authorised protocols and services on the mail server must be specified. For example, it is advisable to authorise SMTP (TCP port 25) for outbound and inbound links, but to authorise POP3 (TCP port 110) for internal links only.

The mail server must be protected against use as a spam relay. For this purpose, the mail server should be configured so that it only accepts e-mail intended for the organisation and only transmits e-mail originating from the staff of the organisation. The mail server should only accept an incoming e-mail if the IP address of the transmitting host lies in an IP network explicitly authorised by the administrator, or if the recipient's domain is one for which this mail server is listed as MX. All other e-mail must be rejected with a corresponding error message.

In spite of these safeguards, authorised users can continue to send e-mail to, and receive e-mail from, any required party. However, the filtering of incoming e-mail described above prevents the mail server from being misused as a spam relay by external parties.

If IP networks from which e-mail is to be accepted have been inadvertently omitted from the list mentioned above, the administrator of the mail server must be informed promptly so that he/she can add these networks to the list.
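The relay rule of the preceding paragraphs, as an added example that is not part of the BSI manual: the decision for one RCPT TO command accepts the recipient if the connecting host is in an authorised network or if the recipient's domain is one the server is MX for, and rejects everything else with a 550 reply. Every rejection is logged with the client address so that a legitimately omitted network can be added afterwards. The trusted networks and local domains are hypothetical values; a real server would take the domain list from its configuration or MX lookups. The example also rejects two classic relay-bypass forms (source-routed and "percent-hack" addresses), which the manual does not mention but which a relay check must cover.

```python
# Added example (not from the BSI manual): relay decision for one SMTP
# envelope recipient. Networks and domains below are hypothetical.
import ipaddress
import logging

log = logging.getLogger("relay")

# Hypothetical: networks whose hosts (our own staff) may send to any destination.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Hypothetical: domains for which this server is the MX.
LOCAL_DOMAINS = {"org.example", "mail.org.example"}


def relay_decision(client_ip: str, rcpt_to: str) -> tuple[int, str]:
    """Return the SMTP reply (code, text) for one RCPT TO command.

    250 accepts the recipient; 550 rejects it permanently.
    """
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return (550, "5.7.1 Relaying denied: unparsable client address")

    addr = rcpt_to.strip().strip("<>").lower()
    if "@" not in addr:
        return (550, "5.1.3 Bad recipient address syntax")
    local_part, domain = addr.rsplit("@", 1)

    # Source routes (<@relay:user@dest>), percent hack (user%dest@local) and
    # bang paths (host!user) would make a "local" recipient a relayed one.
    if addr.startswith("@") or "%" in local_part or "!" in local_part:
        log.warning("relay denied (routed address) client=%s rcpt=%s", client_ip, addr)
        return (550, "5.7.1 Relaying denied: routed address not accepted")

    if any(ip in net for net in TRUSTED_NETWORKS):
        return (250, "2.1.5 OK (authorised network, may send anywhere)")
    if domain in LOCAL_DOMAINS:
        return (250, "2.1.5 OK (local recipient)")

    # Logged so the administrator can spot a legitimately omitted network.
    log.warning("relay denied client=%s rcpt=%s", client_ip, addr)
    return (550, "5.7.1 Relaying denied")


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for client, rcpt in [
        ("192.0.2.10", "<anyone@elsewhere.example>"),        # staff, outbound
        ("203.0.113.5", "<bob@org.example>"),                 # external, inbound
        ("203.0.113.5", "<victim@elsewhere.example>"),        # external relay attempt
        ("203.0.113.5", "<victim%elsewhere.example@org.example>"),  # percent hack
    ]:
        print(client, rcpt, relay_decision(client, rcpt))
```

The two accept branches are the whole of the policy: a host in an authorised network may send to any recipient, everyone else only to local domains. Keep the rejection log separate from the general mail log so that the "denied" entries can be reviewed as a list when a user reports that mail from a new site was refused.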

If, instead of operating its own mail server, an organisation accesses the mail server of a provider via one or more mail clients, clarification by the provider is required as to the rules and security measures applicable on that server (refer to S 2.123 Selection of a mail provider).


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999