Securing SMTP Services

Advanced Configuration of Axigen

For securing SMTP Receiving services, the following settings are recommended:

  • define two listeners (one listening on port 25 and one on 587)
  • (optionally — but recommended) define one listener on 465
  • Configure on both listeners the SSL details for enabling STARTTLS
  • disable authentication on plain text connections
  • enable authentication on secure connections (only after STARTTLS)

Why 3 different ports (25, 465 and 587) for SMTP Receiving services

The 3 different SMTP ports are officially labeled as follows:

  • 25 - SMTP — used for MTA to MTA communication (mail server to mail server). It may be used for client to server communication, but that is not currently recommended
  • 465 - SMTPS — SSL encryption is started automatically, before any SMTP level communication
  • 587 - MSA — almost like the standard SMTP port. SSL encryption may be started by the STARTTLS command at SMTP level, provided your ISP does not modify / filter the server's EHLO reply. Since several ISPs block outgoing connections to port 25, an Axigen server should accept incoming connections on port 587 so that mobile users are able to submit messages.

The STARTTLS ESMTP Extension (for incoming SMTP connections)

Check that the STARTTLS ESMTP extension is enabled for incoming connections (use of this extension is up to the remote MTA or Client):

  • Go to WebAdmin → Security and Filtering
  • Click on Acceptance and Routing
  • In the Acceptance Basic Settings check the Allowed ESMTP Commands
  • Make sure that the "Allow StartTLS" checkbox is ticked

The STARTTLS ESMTP Extension (for outgoing SMTP connections)

Check that the STARTTLS ESMTP extension is enabled for outgoing connections (if the remote MTA that Axigen is relaying an email to advertises STARTTLS support, Axigen will use it according to this setting):

  • Go to WebAdmin → Security and Filtering
  • Click on Acceptance and Routing
  • In the Routing Basic Settings check the Outgoing delivery settings
  • Make sure that the "Use StartTLS" checkbox is ticked

Configuring SMTP Listeners

SMTP Ports: 25 and 587

These two ports should permit non-SSL connections but must offer the STARTTLS ESMTP extension.

The SSL Settings tab on the Listener's configuration should be the same on both these listeners:

Please note the following:

  • The "Enable SSL" checkbox should not be ticked for these listeners, since they must accept non-SSL connections and only start SSL when the client issues the SMTP protocol command STARTTLS
  • SSLv2 and SSLv3 are disabled, since these two old SSL protocols have a well known set of vulnerabilities
  • In case you choose to use DHE ciphers (e.g. DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA) you have to configure a path to a DH (Diffie-Hellman) parameter file

SMTP Port: 465

The 465 port should permit only SSL connections.

In order to achieve that, the checkbox "Enable SSL" should be ticked for this listener.

Rules for authentication

Disabling authentication on plain text connections and enabling authentication on secure connections (only after STARTTLS) is accomplished in Axigen by means of the Advanced Acceptance / Routing Rules (which can be configured from WebAdmin → Security and Filtering → Acceptance and Routing → Advanced Settings).

Two rules have to be defined:

  • disableAUTH_on_non_SSL
  • enableAUTH_on_SSL

Disabling authentication on plain text connections

  • Click on "+ Add Acceptance / Routing Rule".
  • In Rule Name enter "disableAUTH_on_non_SSL" (or choose another name)
  • Leave Conditions empty. This means that the rule will match any email message
  • In Actions choose the action "Plain connections authentication" and set "Not authenticated"
  • Click Save Configuration

Enabling authentication on secure connections (only after STARTTLS)

  • Click on "+ Add Acceptance / Routing Rule".
  • In Rule Name enter "enableAUTH_on_SSL" (or choose another name)
  • Leave Conditions empty. This means that the rule will match any email message
  • In Actions choose the action "SSL connections authentication", set "Authenticated" and tick the authentication mechanisms you want. Since this applies to a secured session, you can leave the Plain and Login authentication mechanisms on without any worry.
  • Click Save Configuration

Order of rules

In the Advanced Acceptance / Routing Rules screen, make sure that the disableAUTH_on_non_SSL rule precedes the enableAUTH_on_SSL one.
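To verify from a client's point of view that the two listeners and the two rules above behave as intended, here is an added Python check (not part of Axigen or of this page): it records the EHLO capabilities before and after STARTTLS and confirms that AUTH is offered only after the upgrade, and that the 465 listener negotiates TLS immediately. The hostname is a placeholder assumption.

```python
import smtplib
import ssl

def parse_ehlo(ehlo_msg):
    """Return the set of capability keywords from an EHLO reply.

    smtplib returns the reply body as bytes, one line per capability, the
    first line being the server's own name. "AUTH PLAIN LOGIN" and the
    legacy "AUTH=PLAIN" form both yield the keyword "AUTH".
    """
    lines = ehlo_msg.decode("ascii", "replace").splitlines()
    return {ln.split()[0].split("=")[0].upper() for ln in lines[1:] if ln.strip()}

def auth_policy_findings(caps_plain, caps_tls):
    """Compare the capabilities seen on the plain-text session and on the
    STARTTLS-upgraded session against the policy configured above:
    STARTTLS must be offered, AUTH must appear only after STARTTLS."""
    findings = []
    if "STARTTLS" not in caps_plain:
        findings.append("STARTTLS not advertised on the plain connection")
    if "AUTH" in caps_plain:
        findings.append("AUTH offered before STARTTLS (disableAUTH_on_non_SSL not in effect)")
    if "AUTH" not in caps_tls:
        findings.append("AUTH not offered after STARTTLS (enableAUTH_on_SSL not in effect)")
    return findings

def probe_starttls_listener(host, port=587):
    """Clear-text connect, EHLO, upgrade with STARTTLS, EHLO again, compare."""
    ctx = ssl.create_default_context()   # refuses SSLv2/SSLv3 and verifies the certificate
    with smtplib.SMTP(host, port, timeout=10) as s:
        _, msg = s.ehlo()
        caps_plain = parse_ehlo(msg)
        caps_tls = set()
        if "STARTTLS" in caps_plain:     # smtplib raises if STARTTLS is absent
            s.starttls(context=ctx)
            _, msg = s.ehlo()            # capabilities must be re-read after the upgrade
            caps_tls = parse_ehlo(msg)
    return auth_policy_findings(caps_plain, caps_tls)

def probe_smtps_listener(host, port=465):
    """Implicit-TLS connect (the 465 listener with "Enable SSL" ticked);
    returns the negotiated protocol version, e.g. "TLSv1.2"."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP_SSL(host, port, context=ctx, timeout=10) as s:
        s.ehlo()
        return s.sock.version()

if __name__ == "__main__":
    HOST = "mail.example.com"   # placeholder: replace with your own Axigen server
    for p in (25, 587):
        print(p, probe_starttls_listener(HOST, p) or "policy OK")
    print(465, probe_smtps_listener(HOST))
```

Because `create_default_context()` validates the certificate chain, a self-signed listener certificate makes the probe raise `ssl.SSLCertVerificationError`, which is itself a finding worth fixing before clients are pointed at the server.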

Require STARTTLS for incoming SMTP connections to a certain domain

In order to force the use of STARTTLS for either incoming or outgoing SMTP connections, a new Acceptance and Routing Rule has to be defined.

This is especially useful when:

  1. you want to accept emails for a local domain only if the remote server uses STARTTLS

The following rule has to be defined:

  • Click on "+ Add Acceptance / Routing Rule".
  • In Rule Name enter "allow_only_tls_for_mydomain_com" (or choose another name)
  • Select the condition Connection → isSSL and leave the checkbox unticked
  • Select the condition Recipient → Domain is "mydomain.com" (replace it with your own domain name for incoming, or with the external domain name for outgoing)
  • Change the dropdown "For incoming messages that match" and choose ALL.
  • Add the action SMTP → Action, choose Reject in the dropdown and write an explanation like "Accepting only secure delivery (STARTTLS) for mydomain.com".
  • Click Save

Forcing outbound SMTP delivery only using SSL with TLS1.1 and TLS1.2 for a specific domain

In case you want to make sure that your Axigen server will ONLY deliver email to other email servers using STARTTLS with TLS1.1 or TLS1.2, the following rule has to be defined:

  • Click on "+ Add Acceptance / Routing Rule".
  • In Rule Name enter "use_only_tls11_and_12_when_relaying" (or choose another name)
  • Select the condition Delivery → Relaying mail
  • Select the condition Recipient → Domain is 'example.com'
  • Change the dropdown "For incoming messages that match" and choose ALL.
  • Add action Relay → Host and enter the smart host for this domain and its SSL-enabled remote port
  • Add action Relay → SSL Encryption and make sure the checkbox is checked
  • Add action Relay → SSL Versions and make sure only TLS1.1 and TLS1.2 are checked
  • Click Save