✓ Solved

Security issue for new email server

Hi guys.

How can we make sure that our email server has good security?
I'm following a tutorial on YouTube and he's adding an SSL certificate. He's not talking about anything else related to security, I think. What about the firewall and all that stuff?

Is there any resource to be 100% sure that my email server won't get hacked?

Thank you.
PS: I have a Cyberpanel account with an IP address and :8090 that is not HTTPS. I decided to just stop the tutorial and continue tomorrow. I wonder if this is a potential weakness if I just leave it on HTTP.

I did not add an SSH key when I created the Linode because he didn't in the tutorial. I tried to add it afterward but I found nothing in the options.

My Linode account has a very strong password with 2FA.

5 Replies

✓ Best Answer

ok thx.
First of all. Why am I always losing my Cyberpanel account? I think it is already hacked. I'm just trying to enter the password. It was working, now I can't get in. I have to start all over again. Is there a way to secure the Cyberpanel account before a man in the middle?

And in the tutorial, he doesn't install postfix. Should I?

He's not talking about anything else related to security I think. What about firewall and all that stuff?

For a firewall, you need ports 587, 465 and 25 to be open. Use of an SSL cert will tell the mail server how to establish and respond to connections (in a secure way). The mail server will handle the connection/response mechanics. Make sure your users always use port 587 (submission) to submit outbound mail (not port 25).

If you have mailboxes, you need ports 143/993 open for imap/imaps (you can use the same cert you used for ports 587/465 for imaps). If you use pop3/pop3s, you need to have ports 110/995 open (you can use the same cert you used for ports 587/465 for pop3s).

For mailboxes, I'd standardize on one access method and turn off the other one. imaps is more modern and has more features but it also has more overhead in terms of disc space required for mailbox storage. pop3s requires more net traffic but requires less disc space for mailboxes.

You shouldn't use imap/pop3 at all…unless you have a burning desire to invite every spammer in the universe to fill your users' mailboxes with junk mail. As a caveat, I have to confess here that I use imap for a particular mail filtering service I have but the only addresses that can use it are 127.0.0.1 and ::1 (aka, localhost)…all other access is blocked.

I wonder if this is a potential weakness if I just leave it to HTTP.

Only if you don't want someone between you and your Linode to eavesdrop on your traffic.

Other thoughts…

  1. You're about to get flooded with attempts to connect to your mail server from every hacker/spammer in the world (the Russians and Chinese -- who have turned this into national industries -- are particularly egregious). You need to mitigate this too. Unfortunately, in the Linux world, about the only solution available is fail2ban. It's effective enough but big, slow and only detects intrusion attempts after the fact. Still, when all you have are lemons you make lemonade…

  2. Implement greylisting. You need to decide how best to do that. There are lots of options… This will stop about 75% of the junk mail generated by #1.

  3. You can also protect your users (and your server somewhat) by rigorously enforcing SPF, DKIM and DMARC on senders.

  4. Make sure your mail server is not operating as an open relay.

My Linode account has a very strong password with 2FA.

Good on you! However, mail server security (all of the above) has nothing to do with the security of your account on https://cloud.linode.com .

-- sw

PS. For postfix I have the server enforce the following restrictions:

# SMTPD Client restrictions (restrict who can connect to me)
#
smtpd_client_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_pipelining,
    reject_unknown_client_hostname,
    reject_unauth_destination,
    check_client_access hash:/srv/mail/var/db/client-access,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client bl.spamcop.net
#   reject_rbl_client dnsbl.sorbs.net,

# SMTPD helo restrictions (restrict who can talk to me)
#
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_unknown_reverse_client_hostname,
    reject_invalid_helo_hostname,
    reject_unknown_helo_hostname

# SMTPD recipient restrictions (restricts who I will actually receive mail from)
#
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_invalid_helo_hostname,
    warn_if_reject reject_non_fqdn_helo_hostname,
    warn_if_reject reject_unknown_helo_hostname,
    warn_if_reject reject_unknown_reverse_client_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    check_client_access hash:/srv/mail/var/db/client-access,
#   reject_rbl_client zen.spamhaus.org,
    reject_rbl_client xbl.spamhaus.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client psbl.surriel.com,
    reject_rhsbl_client dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    check_recipient_access hash:/srv/mail/var/db/local-recipient-access

Specifically, note the use of realtime black lists (reject_rbl_client, reject_rhsbl_client, reject_rhsbl_sender) and the use of local access restrictions (check_client_access, check_recipient_access). You can find out what all these mean/do at:

http://www.postfix.org/postconf.5.html

Since I control the mail delivery pipeline, I have inserted a bunch of custom filters and checks for malformed messages and other spam. I can't provide those to you without giving you a certain amount of support (which I'm not prepared to do). For a comprehensive spam filtering system, you can use:

  • spamassassin (apt install spamassassin spamd); or
  • rspamd.

I've not used rspamd…it looks pretty comprehensive but the learning curve looks pretty steep…

PLEASE! PLEASE! PLEASE! Don't just plop all of the above into some existing postfix configuration you may already have without understanding what it is that you're doing and the possible ramifications. I can guarantee that you'll break your mail server if you do that! The future post from you about such breakage writes itself…
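The points above about being flooded with connection attempts, fail2ban only acting after the fact, and the reject_rbl_client / reject_unauth_destination / helo restrictions can all be checked against your own mail log. Here is an added example, not code from sw's post or from the Postfix project: a small Python script that parses Postfix smtpd log lines, tallies which restriction family rejected each client, and lists the IPs that are noisy enough to be candidates for fail2ban or rate limiting. The log lines, IP addresses (RFC 5737 documentation ranges) and domains are constructed samples, and the noisy-client threshold is an assumption.

```python
import re
from collections import Counter

# Constructed Postfix smtpd log lines (sample data, not from a real server).
SAMPLE_LOG = """\
Mar  3 10:12:01 mx postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 Service unavailable; Client host [203.0.113.45] blocked using zen.spamhaus.org; from=<spam@example.net> to=<user@example.com> proto=ESMTP helo=<mail.example.net>
Mar  3 10:12:05 mx postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 450 4.7.1 Client host rejected: cannot find your hostname, [203.0.113.45]; from=<a@example.net> to=<b@example.com> proto=ESMTP helo=<x>
Mar  3 10:12:09 mx postfix/smtpd[12346]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 454 4.7.1 <victim@example.net>: Relay access denied; from=<x@example.org> to=<victim@example.net> proto=ESMTP helo=<mail.example.org>
Mar  3 10:12:11 mx postfix/smtpd[12346]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:12:15 mx postfix/smtpd[12347]: connect from mail.example.org[198.51.100.7]
Mar  3 10:12:20 mx postfix/smtpd[12347]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<c@example.net> to=<d@example.com> proto=SMTP helo=<localhost>
Mar  3 10:12:25 mx postfix/smtpd[12348]: warning: unknown[203.0.113.45]: SASL PLAIN authentication failed: authentication failure
"""

# A "NOQUEUE: reject:" line carries the client host/IP, the SMTP reply code and
# a human-readable reason, followed by the envelope sender and recipient.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<enh>\d\.\d\.\d) (?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
# Failed SASL logins are password guessing against your users' submission accounts.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: SASL \S+ authentication failed"
)
# reject_rbl_client / reject_rhsbl_* name the list that matched in the reason text.
RBL_RE = re.compile(r"blocked using (?P<list>[\w.-]+)")


def classify(reason: str) -> str:
    """Map Postfix's reject reason text to the restriction family that fired."""
    m = RBL_RE.search(reason)
    if m:
        return "rbl:" + m.group("list")
    if "cannot find your hostname" in reason:
        return "unknown_client_hostname"          # reject_unknown_client_hostname
    if "Relay access denied" in reason:
        return "unauth_destination"               # reject_unauth_destination (not an open relay)
    if "Helo command rejected" in reason:
        return "helo_restriction"                 # smtpd_helo_restrictions family
    return "other"


def parse_log(text: str) -> dict:
    """Collect reject events and per-IP SASL failure counts from raw log text."""
    rejects = []
    sasl_failures = Counter()
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejects.append({**m.groupdict(), "category": classify(m.group("reason"))})
            continue
        m = SASL_RE.search(line)
        if m:
            sasl_failures[m.group("ip")] += 1
    return {"rejects": rejects, "sasl_failures": sasl_failures}


def summarize(parsed: dict):
    """Return (rejects by restriction family, rejects by client IP)."""
    by_category = Counter(r["category"] for r in parsed["rejects"])
    by_ip = Counter(r["ip"] for r in parsed["rejects"])
    return by_category, by_ip


def noisy_clients(parsed: dict, threshold: int = 2) -> list:
    """IPs whose rejects plus SASL failures reach the (assumed) threshold."""
    score = Counter(r["ip"] for r in parsed["rejects"])
    score.update(parsed["sasl_failures"])
    return sorted(ip for ip, n in score.items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    by_category, by_ip = summarize(parsed)
    print("rejects by restriction:", dict(by_category))
    print("rejects by client:", dict(by_ip))
    print("SASL failures by client:", dict(parsed["sasl_failures"]))
    print("fail2ban candidates:", noisy_clients(parsed))
```

Run it against a real `/var/log/mail.log` by replacing SAMPLE_LOG with the file's contents. A "Relay access denied" reject for a recipient you don't host is the evidence you want to see for item 4: it shows reject_unauth_destination doing its job rather than the server relaying.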
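For item 3 (enforcing SPF and DMARC on senders), here is a second added example, again not from the post: a simplified SPF evaluator and DMARC record parser in Python that works against a constructed in-memory set of TXT records instead of live DNS, so it runs offline. It goes a little beyond the post by walking include: chains and handling both ip4 and ip6 mechanisms; it deliberately leaves out the a, mx, ptr and exists mechanisms, the redirect= modifier, DKIM signature verification and DMARC alignment, which a real policy daemon such as postfix-policyd-spf-python or a filter like rspamd handles for you. All domains, addresses and records below are constructed.

```python
import ipaddress

# Constructed TXT records standing in for a DNS resolver (example domains only).
FAKE_TXT = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com; pct=100",
}

# SPF qualifier prefix -> result name (RFC 7208 section 4.6.2).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, ip: str, lookup=FAKE_TXT.get, depth: int = 0) -> str:
    """Evaluate the connecting IP against the domain's SPF record (simplified).

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                       # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup(domain.lower())
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        term = term.lower()
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if addr in net:              # False automatically when v4/v6 families differ
                return QUALIFIER_RESULT[qualifier]
        elif term.startswith("include:"):
            if check_spf(term[8:], ip, lookup, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        # a, mx, ptr, exists mechanisms and redirect=/exp= modifiers need live DNS
        # and are not handled in this offline example.
    return "neutral"


def parse_dmarc(domain: str, lookup=FAKE_TXT.get):
    """Return the DMARC tags published at _dmarc.<domain>, or None if none/invalid."""
    record = lookup("_dmarc." + domain.lower())
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None                      # v=DMARC1 and p= are mandatory (RFC 7489)
    return tags


if __name__ == "__main__":
    for ip in ("198.51.100.25", "203.0.113.10", "2001:db8::1", "192.0.2.1"):
        print(f"example.com from {ip}: SPF {check_spf('example.com', ip)}")
    policy = parse_dmarc("example.com")
    print("example.com DMARC policy:", policy["p"] if policy else "none")
```

The useful part for a server operator is the shape of the result: an SPF "fail" combined with a published p=reject policy is what lets you reject a forged sender outright, while "softfail" or "neutral" are only signals to feed into scoring, which is why the post recommends a proper filtering system rather than hand-rolled rules.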

My Cyberpanel always gets hacked! I think I have to secure it before a man in the middle robot comes.

Where do you set up all the options about firewall and imap/pop3? Cyberpanel?

I found this tutorial for security:
https://www.youtube.com/watch?v=diAVCQSe1F0
and this one:
https://dimensionquest.net/2022/01/cyberpanel-part-2/

Did I miss something?

In the tutorial (not the one above), he doesn't install postfix. Should I?

What is bugging for real is that the password I set for cyberpan

My Cyberpanel always gets hacked! I think I have to secure it before a man in the middle robot comes.

That would be a good idea…

Where do you set up all the options about firewall and imap/pop3? Cyberpanel?

I found this tutorial for security: https://www.youtube.com/watch?v=diAVCQSe1F0
Did I miss something?

I don't use Cyberpanel and don't know the first thing about it. You'll have to discover that by yourself. I configure my firewall & mail server by modifying the configuration files directly with a text editor (vim).

In the tutorial (not the one above), he doesn't install postfix. Should I?

I dunno. Like I said, I don't know anything about Cyberpanel (and I prefer to keep it that way). I did find this:

https://www.hostinger.com/tutorials/how-to-host-your-own-email-server-on-a-vps-with-cyberpanel

-- sw

I found that link. Before signing in to Cyberpanel, you have to set up the security in the terminal. So no chance for a man in the middle.

https://dimensionquest.net/2022/01/cyberpanel-part-2/#configure-ssh-server-to-not-permit-root-or-password-based-logins

I think it's all I need.
