Axigen Mail Server Security

Axigen comes with a full security feature set, guaranteeing secure reception, transit and delivery of email, as well as protection of your confidential data.

Incoming Security Options

Axigen Mail Server Security Features Diagram encryption button multi-layer access control button flow control button SPF and Domain Keys Compliant Blacklist & Whitelist country filtering DNSBL DNS Checks AntiVirus Filtering Identity Confirmation AntiSpam Message Acceptance Policies

Outgoing Security Options

Axigen Mail Server Security Features Diagram

encryption button Anti-Impersonation Message Sending Policies AntiVirus Filtering SPF and Domain Keys Compliant Routing Policies

Authentication / Encryption

Axigen server supports authentication, meaning it can be instructed to accept only connections/messages from authenticated entities. CRAM-MD5, LOGIN, PLAIN, DIGEST-MD5 and GSSAPI methods (in this order) are available for client authentication, reducing the risk of unauthorized connections.

SSL/TLS: All Axigen communication protocols can benefit from SSL/TLS technology which allows sending encrypted messages across networks and preventing plain text messages to be intercepted on the way from sender to recipient. This encryption method guarantees secure data transmission over networks.

Back to top

Multi-layer access control (firewall-like rules)

Stopping spammers and preventing DOS attacks is one of the most important tasks of a mail server and the sooner the problem is identified in the mail stream , the better. This is why Axigen has a built in Firewall at the application (TCP listener) level that allows the administrator(s) to control connectivity parameters.

Furthermore, Administrators may define IP sets that have specific sets of such rules, applied with different priorities or IP sets whose connections are denied.

Mail Server Firewall - Application Level
  • rules set 1
  • enabled / disabled
  • priority: 2
  • rules set 1
  • enabled / disabled
  • priority: 3
  • denied
  • enabled / disabled
  • priority: 1
 
Overlaping IconIP Set - overlapping rules: apply lowest priority

Back to top

Flow control

Flow control restrictions can be defined in addition to the access control rules, in order to prevent the server and storage overload, as well as protect the server from DDos attacks.

Restrict maximum simultaneous connections
Restrict the total number of simultaneous connections that a service may accept, the maximum number of simultaneous connection accepted from the same IP address in order to avoid attacks from a single IP. Additionally, privileged IP address groups (trusted servers) may have different connection limits policies.

Restrict maximum incoming connections rate
Restrict the total number of connection per time unit that a service may accept, the maximum number of connection per time unit accepted from the same IP address in order to avoid attacks from a single IP. Additionally, privileged IP address groups (trusted servers) may have different connection rate limits policies.

Selectively restrict maximum messages size
The server can be configured to accept different maximum messages sizes based on sender/sender domain, recipient/recipient domain, remote IP address, connection security, authentication level and other message or connection related parameters, ensuring a flexible protection for the queue and the storage (privileged users may have extended rights).

Back to top

Sender validation (SPF compliant)

Axigen implements a standard-based SPF verification module for sender validation (if the remote domain is properly configured with SPF information).

Back to top

Greylisting

This feature enables Axigen to automatically reject messages from unknown senders / IPs with a temporary error message. Unlike legitimate email servers, most spam sources will not try to resend the emails in question, thus reducing the amount of spam received by the Axigen server.

Back to top

Message integrity validation (DomainKeys compliant)

The messages' integrity may be checked if the originating server used DomainKeys to sign them; locally-originated messages may be signed by Axigen to allow validation by DomainKeys-compliant remote servers.
(Yahoo associates a higher spam score to unsigned messages.)

Back to top

Blacklisting / Whitelisting

Permanently reject emails coming from untrusted senders - can be defined globally by the administrator (server level) and further refined by the users according to their personal needs (WebMail interface).

Administrators can also define Whitelists in order to permanently accept emails coming from trusted sources (such as business partners or remote offices).

Back to top

Country Filtering

Based on an IP-to-country database, administrators can block all emails coming from untrusted countries; alternatively they can accept emails coming exclusively from selected countries.

Back to top

DNSBL

Administrators validate sender IPs against a selected list of DNSBLs (DNS Blacklists) in order to block emails; at the same time, they can also choose to skip this validation for custom defined IP Ranges.

Back to top

DNS Checks

Additional validations that can be run to reject spam are by checking the originating domain for MX entries and the originating IP for a reverse DNS entry.

Back to top

AntiVirus Filtering

The Axigen Advanced Filtering System allows the system administrator to define a set of filters and priorities at server, domain or user level, offering unparalleled flexibility to setup company security policies:

  • Domain 1: filter with 2 AV and 1 ASPAM applications
  • Domain 2: filter with only 1 AV
  • General Manager: filter with 3 AV and 1 ASPAM applications
Multiple Antivirus & AntiSpam - Integration Levels
Kaspersky AntiVirus & AntiSpam

Embedded AntiVirus Protection - Axigen offers premium, scalable defense against Virus threats, by leveraging on Kaspersky Lab's advanced malware detection engine. *

Multiple AntiVirus & AntiSpam Filtering

Axigen offers support and currently integrates with 15 of the most powerful AntiVirus applications, among which Kaspersky, BitDefender, Symantec, F-Secure, Panda, McAfee, Nod 32, or Trend Micro.

Click here for more info on AntiVirus and AntiSpam filtering in Axigen

Back to top

Identity Confirmation

Axigen Identity Confirmation © is basically the implementation of a Challenge / Response-based antispam method. It enables users to effectively block unwanted messages from reaching their inbox by intercepting incoming emails and requiring new / unknown senders to confirm their identity, while allowing legitimate communications to come through.

Click here for more info on Axigen Identity Confirmation

Back to top

AntiSpam

After applying the above mentioned antispam methods, the remaining traffic is further taken through a content filtering process (score based) & Bayesian filtering (through the included SpamAssassin). Administrators can set the thresholds over which the corresponding reject actions will be applied.

Kaspersky AntiVirus & AntiSpam

Embedded AntiSpam Protection - Axigen offers premium, scalable defense against Spam threats, by leveraging on Kaspersky Lab's advanced malware detection engine. *

Commtouch Real Time AntiSpam Protection

Real Time AntiSpam Protection - To prevent Spam outbreaks the minute they occur, Axigen integrates Commtouch's award winning online service as an additional AntiSpam layer. *

Back to top

Message Acceptance / Sending Policies (with expert-mode engine for acceptance rules)

Reject:

  • emails from impersonated users (authentication matching)
  • emails from unauthenticated users
  • emails suspicious to be spam (e.g. looping emails, emails with too large attachments and others)

Require validation for emails coming from unknown sources:

Accept:

  • emails coming from trusted sources (Whitelisting)
  • secure connections only

Back to top

Routing Policies

Virtual routing
Assign different outbound IP addresses to each domain; blacklisted IPs will only affect the associated domain, and not other domains operating on the same server.

Example:

  • relay emails from domain 1 to route 1, using IP1
  • relay emails from all other domains to route 2, using IP2
  • specify a username/password authentication before routing emails

Built in DNS Cache

DNS query responses are cached; subsequent queries are resolved locally instead of being re-sent over the network.

Back to top

Anti-Impersonation

Enforce user authentication on message submission and verify that the sender header matches the authentication credentials preventing impersonation attempts from local accounts.

Message and connection parameters for security policies (message size, anti-impersonation, SPF, access control, email address blacklisting / whitelisting, DNS checks, open relay blocking, etc):

  • Originating host's IP, ports, greeting
  • Originator's email address, domain or username
  • Recipient email address, routing information
  • Message size, headers, number of recipients
  • Connection security level (SSL / non-SSL)
  • Authentication information
  • Session statistics (total mails sent, total size)
  • SPF interrogation result; etc

Back to top

Secure passwords enforcement

Define password strength policies (minimum password length, required sets of characters and so on), restricting the users from setting simple passwords.

*) Available as add-on

Back to top