Mail Server Role Security Issues

Mail servers store e-mail data, process client requests, and receive incoming e-mail from the Internet. The Post Office Protocol 3 (POP3) provides clients with mailboxes and enables mail to be retrieved from the mail server. The e-mail accounts of users are POP3 accounts, and are stored on the configured mail server. POP3 makes it possible for clients to use Microsoft Outlook, or some other e-mail client, to retrieve e-mail from the mail server. The Simple Mail Transfer Protocol (SMTP) is used to transfer e-mail.

When the mail server role is installed, the following components are automatically added to the specific server:

  • POP3 Users group; enables users to only access their mailboxes.

  • Mailroot folder; used for storing and transferring mail.

  • SMTP Service; for transfer of mail.

  • IIS Admin Service; for managing the SMTP service.

Because a poorly secured mail server gives unauthorized individuals a way to access and retrieve the user accounts and passwords of e-mail accounts, it is important that you secure POP3 servers.

The main mail server security requirements which should be addressed are:

  • Determine and implement the proper level of security to secure your mail servers: To secure POP3 servers, you should consider the following strategies:

    • Install a firewall solution to prevent unauthorized individuals from accessing the private network.

    • Use IP Security Protocol version 6 (IPSec v6) to further secure mail traffic.

    • Do not connect the mail server to the Internet if you have no firewalls configured.

  • Determine and implement the proper authentication method: Here, the authentication method used in Active Directory is automatically used if the mail server is a domain controller or a member server. If not, the local Windows accounts settings are used to specify the authentication method.

Standard POP3 service authentication sends user authentication details to the mail server in plaintext. You should therefore consider configuring the mail server to accept only encrypted passwords, so that all authentication communication between the mail server and clients is encrypted. This prevents unauthorized individuals from capturing and easily reading passwords.

Windows Server 2003 POP3 Service uses Secure Password Authentication (SPA), which is integrated with Active Directory, to authenticate users when they attempt to retrieve e-mail from the mail server. When POP3 uses SPA for authentication, authentication between the mail server and client must be encrypted. Passwords transmitted in plaintext are not accepted by the mail server. If you are not using domain controllers, Secure Password Authentication can still authenticate users accessing the mail server against the local accounts hosted on the mail server.
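To see the difference between plaintext POP3 logins and an SPA-only server, the following added example (not part of the original article) inspects a POP3 CAPA reply and lists every login method that would send a recoverable password. It assumes the server answers the RFC 2449 CAPA command and that SPA appears as the NTLM SASL mechanism; both sample replies are constructed.

```python
# Added example: which login methods does a POP3 server offer in cleartext?
# Capability tags follow RFC 2449 (CAPA). Both sample replies are constructed.
CLEARTEXT_SASL = {"PLAIN", "LOGIN"}   # password is only base64-encoded on the wire

WEAK_REPLY = ("+OK Capability list follows\r\nTOP\r\nUSER\r\nUIDL\r\n"
              "SASL PLAIN LOGIN NTLM\r\n.\r\n")
# Assumption: SPA is advertised as the NTLM SASL mechanism.
SPA_ONLY_REPLY = "+OK Capability list follows\r\nTOP\r\nUIDL\r\nSASL NTLM\r\n.\r\n"


def parse_capa(reply):
    """Map each capability tag in a CAPA reply to its list of arguments."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("+OK"):
        # A server without CAPA may still accept USER/PASS; test that separately.
        raise ValueError("server did not accept CAPA")
    caps = {}
    for ln in lines[1:]:
        if ln == ".":                 # terminator of the multi-line reply
            break
        tag, *args = ln.split()
        caps[tag.upper()] = [a.upper() for a in args]
    return caps


def cleartext_findings(caps):
    """Return the advertised login methods that expose the password."""
    findings = []
    if "USER" in caps:                # USER/PASS commands are supported
        findings.append("USER/PASS")
    for mech in sorted(CLEARTEXT_SASL.intersection(caps.get("SASL", []))):
        findings.append("SASL " + mech)
    return findings


if __name__ == "__main__":
    for name, reply in (("weak", WEAK_REPLY), ("SPA only", SPA_ONLY_REPLY)):
        print(name, "->", cleartext_findings(parse_capa(reply)) or "no cleartext login")
```

The dictionary returned by `poplib.POP3(host).capa()` in the Python standard library has the same shape and can be passed to `cleartext_findings` when checking a server you administer.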

If you are using NTFS volumes, you can specify permissions on those directories that contain e-mail. This would prevent unauthorized individuals from accessing the directories. To protect the hard disk space of the mail server from becoming exhausted, and to protect the performance of your mail server, consider implementing disk quotas to limit the amount of hard disk space accessible to your users. A user would not be able to use more than the specified quota on the NTFS volume. You can only implement disk quotas on NTFS volumes, and on a per volume basis.

Securing Exchange Server

Most organizations build their messaging network infrastructure on Exchange Server, because Exchange Server provides a reliable messaging platform that is integrated with Active Directory. Microsoft Exchange Server 2003 provides more security and availability than the other messaging platforms.

A few security features of installing and using Exchange Server 2003 are listed here:

  • The default settings when you install Exchange Server 2003 are the same as the Windows Server 2003 default settings.

  • The least number of permissions are enabled by default to further secure the Exchange Server 2003 messaging platform. For instance, access is removed from the following groups:

    • Built-in Users

    • Anonymous Logon group

    • Everyone group

  • By default, applications and services are locked down.

  • The services which are disabled when Exchange Server 2003 is installed are:

    • POP3 service

    • NNTP service

    • IMAP4 service

  • The default POP3 virtual server, NNTP virtual server and IMAP4 virtual server use basic authentication and Integrated Windows authentication.

You can use firewalls to protect Exchange Server computers and control traffic. Packet filtering features can be used to block traffic destined to and from Exchange Server computers. You can also limit the number of ports that are opened between an Exchange Server computer and other computers. Only those ports which are needed for communication should be opened.

The ports used by Exchange Server are listed here:

  • For communicating with domain controllers:

    • Lightweight Directory Access Protocol (LDAP); TCP port 389, for SSL TCP port 686.

    • Site replication LDAP communication; TCP port 379

    • Global Catalog LDAP communication; TCP port 3268, for SSL TCP port 3269.

  • For queries to DNS Servers:

    • TCP port 53 and UDP port 53.

  • For message transfer:

    • SMTP traffic; TCP port 25, for TLS TCP port 465.

    • SMTP Link State Algorithm; TCP port 691.

  • For client retrieval of e-mail (POP3):

    • TCP port 110.

    • For SSL, TCP port 995.

  • For client retrieval of e-mail (IMAP4):

    • TCP port 143.

    • For SSL, TCP port 993.

  • For web browsers downloading e-mail (Outlook Web Access):

    • TCP port 80.

    • For SSL, TCP port 443.

  • For newsreader:

    • TCP port 119.

    • For SSL, TCP port 563.
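The rule that only needed ports should be open can be checked on the server itself. This added example (not from the original article) parses `netstat -an` output and reports listening TCP ports outside an allow-list; the port numbers come from the list above, while the chosen role (SMTP, POP3 and Outlook Web Access) and the netstat capture are constructed for illustration.

```python
# Added example: flag listening TCP ports that the server's role does not need.
# Port numbers are the ones listed on this page; the role and the capture
# below are constructed for illustration.
ALLOWED_LISTENERS = {
    25: "SMTP", 691: "SMTP link state",
    110: "POP3", 995: "POP3 over SSL",
    80: "OWA", 443: "OWA over SSL",
}

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:119            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:143            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1050         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:25            10.0.0.9:3121          ESTABLISHED
"""


def listening_ports(netstat_output):
    """Return {port: set of local addresses} for TCP sockets in LISTENING state."""
    ports = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue                      # header, UDP, or an active connection
        addr, _, port = fields[1].rpartition(":")
        ports.setdefault(int(port), set()).add(addr)
    return ports


def unexpected_listeners(netstat_output, allowed=ALLOWED_LISTENERS):
    """Ports reachable from the network that are not in the allow-list."""
    return sorted(
        port for port, addrs in listening_ports(netstat_output).items()
        # A socket bound only to loopback is not exposed to other hosts.
        if port not in allowed and addrs != {"127.0.0.1"}
    )


if __name__ == "__main__":
    for port in unexpected_listeners(SAMPLE_NETSTAT):
        print("unexpected listener on TCP port", port)
```

In the constructed capture the two ports reported are 119 and 143, the NNTP and IMAP4 listeners that this role has no use for.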

Exchange Server secures network mail communication by means of encryption, through the Transport Layer Security (TLS) protocol. However, TLS only secures network mail communication between mail servers running SMTP. Mail traffic between Web browsers and Outlook Web Access (OWA) is not secured through TLS. To secure this communication, you have to use the SSL protocol on your Web servers. Another method which you can employ is to use IPSec to secure all communication. You should also consider enabling auditing in Exchange Server to track activity on your mail server.

To enable TLS encryption for Exchange Server:

  1. Access the System Manager console.

  2. In the console tree, expand the Server node.

  3. Expand Protocols and expand SMTP.

  4. Select the virtual server by right-clicking it, and then select Properties from the shortcut menu.

  5. When the Properties dialog box opens, switch to the Access tab.

  6. Click Authentication.

  7. Enable the Require TLS Encryption checkbox.

  8. Click OK.

  9. Switch to the Delivery tab.

  10. Click Outbound Security.

  11. Enable the TLS Encryption checkbox.

  12. Click OK.
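After step 7, a client-side session log should show that the server no longer accepts an AUTH exchange until STARTTLS has completed. The added example below (not part of the original article) walks such a log and returns every AUTH command accepted without TLS. The two transcripts are constructed in the style of RFC 3207 and are not captured from Exchange; the host names and reply texts are assumptions.

```python
# Added example: find AUTH commands a server accepted before TLS was active.
# Input is a client-side session log with "C: " / "S: " prefixes.
# Both transcripts are constructed; reply texts are not taken from Exchange.
import re

BEFORE = """\
S: 220 mail.example.test ESMTP
C: EHLO client.example.test
S: 250-mail.example.test
S: 250-STARTTLS
S: 250 AUTH LOGIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
"""

AFTER = """\
S: 220 mail.example.test ESMTP
C: EHLO client.example.test
S: 250-mail.example.test
S: 250 STARTTLS
C: AUTH LOGIN
S: 530 5.7.0 Must issue a STARTTLS command first
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
C: EHLO client.example.test
S: 250 AUTH LOGIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
"""


def auth_before_tls(transcript):
    """Return the AUTH commands the server accepted while the session was cleartext."""
    tls_active, pending, accepted = False, None, []
    for raw in transcript.strip().splitlines():
        side, _, text = raw.strip().partition(": ")
        if side == "C":
            pending = text                # command now awaiting its final reply
            continue
        reply = re.match(r"(\d{3})(-?)", text)
        if not reply or reply.group(2) == "-" or pending is None:
            continue                      # greeting or continuation line
        code, verb = reply.group(1), pending.split()[0].upper()
        if verb == "STARTTLS" and code == "220":
            tls_active = True             # handshake follows; later lines are protected
        elif verb == "AUTH" and code in ("334", "235") and not tls_active:
            accepted.append(pending)      # server engaged in AUTH without TLS
        pending = None
    return accepted
```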

To enable Exchange Server auditing:

  1. Access the System Manager console.

  2. In the console tree, expand the Server node.

  3. Select and right-click the specific object which you want to audit and then click Properties from the shortcut menu.

  4. Switch to the Security tab.

  5. Click the Advanced button.

  6. Switch to the Auditing tab, and click Add.

  7. Select those users whose actions you would like to audit.

  8. Specify which actions you want to audit.

  9. Click OK.