Securing SmarterMail
This article discusses some of the basic steps you can take to secure SmarterMail and prevent abuse of the server. It applies to SmarterMail version 5.x and greater.
Log into the SmarterMail admin interface, which is typically located at http://<server_ip_address>:9998
Enable detailed logging
Enable logging under Settings > Log Settings. At a minimum, set the Log Detail Level to Detailed for both Delivery Log Level and SMTP Log Level.


Set up SMTP Authentication
Under Settings > Defaults > Domain Defaults, check the box for Require SMTP Authentication.
This ensures that all users for each domain must authenticate in order to send mail. Note that this setting is not retroactive for domains that are already set up in SmarterMail. If a domain was set up without SMTP Authentication, it will still be without it even after this setting is enabled.

Ensure secure passwords
Under Security > Advanced Settings > Password Requirements, check off a minimum of 2 boxes with a minimum password length of 8 characters. The more boxes that are checked the more secure the server will be.
Note: enabling these options will not affect users that connect via POP or IMAP. A user will need to log into the web interface to have the password requirements enabled for their account. For example, if John Smith checks mail exclusively via POP in Outlook and his password is insecure such as 'mypassword1', he will not be prompted for a new password until he logs into webmail directly. Only at that time will he be forced to change his password and thus it will also have to be changed in his Outlook settings.
A secure password should be at least 8 characters, not contain any dictionary words, not contain the username, and should contain uppercase, lowercase, symbols, and numbers. If you need to generate a new password, you can do so using the random password generator here: http://www.pctools.com/guides/password/

Ensure the SmarterMail admin password is strong
Navigate to Settings > General Settings > Administrator tab and change the password per the guidelines listed above. This protects the SmarterMail admin login against brute force attacks.

Set up Abuse Detection
Under Security > Advanced Settings > Abuse Detection, set up some basic abuse detection rules so the server does the work for you. Click New and set up a Denial of Service (DoS) rule where, if the service (SMTP/POP/IMAP) is hit X number of times in Y minutes, the connection is blocked for Z minutes.
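To choose X, Y and Z before enabling a rule, you can replay past traffic through the same logic and see which clients would have been blocked. The script below is an added example, not part of SmarterMail or of the original article; the event tuples are constructed sample data, and the counting semantics (block on the Xth hit, ignore hits while blocked) are an assumption about how such a rule behaves.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_events():
    """Constructed sample traffic as (timestamp, service, remote_ip) tuples."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    # One client hammering SMTP every 10 seconds.
    burst = [(t0 + timedelta(seconds=10 * i), "SMTP", "203.0.113.7") for i in range(8)]
    # A normal client sending one message every 10 minutes.
    slow = [(t0 + timedelta(minutes=10 * i), "SMTP", "198.51.100.20") for i in range(4)]
    # POP traffic, which an SMTP rule must not count.
    pop = [(t0 + timedelta(seconds=i), "POP", "203.0.113.7") for i in range(3)]
    return burst + slow + pop


def simulate_rule(events, service, max_hits, window_min, block_min):
    """Return (ip, blocked_from, blocked_until) for every block the rule would place."""
    window = timedelta(minutes=window_min)
    block = timedelta(minutes=block_min)
    recent = defaultdict(deque)  # ip -> timestamps of hits still inside the window
    blocked_until = {}
    blocks = []
    for ts, svc, ip in sorted(events):
        if svc != service:
            continue
        if ts < blocked_until.get(ip, datetime.min):
            continue  # connection refused while the block is active
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:  # drop hits older than Y minutes
            hits.popleft()
        if len(hits) >= max_hits:  # X hits inside Y minutes: block for Z minutes
            blocked_until[ip] = ts + block
            blocks.append((ip, ts, ts + block))
            hits.clear()
    return blocks


if __name__ == "__main__":
    # X = 5 hits, Y = 2 minutes, Z = 10 minutes (values chosen for the sample).
    for ip, start, end in simulate_rule(constructed_events(), "SMTP", 5, 2, 10):
        print(f"{ip} blocked {start:%H:%M:%S} -> {end:%H:%M:%S}")
```

If legitimate clients show up in the output, raise X or shorten Y before applying the rule on the server.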

Ensure SmarterMail is up-to-date
Navigate to Settings > SmarterMail Self Diagnostic.
This will report the version installed on the server. Compare that version number to http://www.smartertools.com/SmarterMail/Download/ and, if the server is not running the latest version, download the new version and update SmarterMail. New versions often contain security and bug fixes.

Don't whitelist IP addresses
Even if you whitelist 127.0.0.1 and/or the server's external IP address, there is a chance it will be abused. Check that no IPs are whitelisted under Security > Whitelist. Disabling any whitelisted IPs prevents abuse from mail forms and scripts. If a hacker compromises your site and uploads a mail script to blast out spam, and the server's external IP address is whitelisted without SMTP authentication checked, the script's mail will be passed on and the server will become blacklisted. Instead, set up a domain such as 'localhost.com' with a secure username and password that your forms will use to authenticate. Require SMTP authentication for that domain so that all mail sent through SmarterMail is authenticated rather than unauthenticated, which prevents any insecure script used to spam from harming the reputation of the server's IPs.
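A sketch of how a site's mail form can submit through SmarterMail on localhost with SMTP authentication instead of relying on a whitelisted IP. This is an added example, not code from the original article; the mailbox name, port 25 and the function names are assumptions, and Python stands in for whatever language your forms are written in.

```python
import smtplib
from email.message import EmailMessage

# Hypothetical mailbox on the dedicated 'localhost.com' domain described above.
SMTP_USER = "webforms@localhost.com"


def build_form_message(visitor_email, subject, body, recipient):
    """Build the mail for a contact form, rejecting header injection attempts."""
    for field in (visitor_email, subject, recipient):
        if "\r" in field or "\n" in field:
            raise ValueError("line break in a header field")
    msg = EmailMessage()
    msg["From"] = SMTP_USER          # always the authenticated account
    msg["Reply-To"] = visitor_email  # visitor input never becomes the sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_authenticated(msg, password, host="127.0.0.1", port=25, smtp_cls=smtplib.SMTP):
    """Submit msg over SMTP AUTH; refuse to fall back to unauthenticated relay."""
    with smtp_cls(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("auth"):
            raise RuntimeError("server does not offer AUTH; not sending")
        smtp.login(SMTP_USER, password)
        smtp.send_message(msg)
    return msg["To"]
```

Keep the account's password in the application's configuration rather than in the script itself, so it can be changed without editing code.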
