IT Brief New Zealand logo
Story image

Going postal

01 Jul 2009

Secure email is vital.

Since the beginning of the year, we have received a lot of queries regarding best practice and requests for information on how to set up best practice around a public mail server or mail transport agent (MTA). To me, mail server administration best practice fits into two main categories: setting up an MTA to ensure that users can safely receive email and can also send email reliably. These two factors require different configurations, but once they have been set up you will be able to reduce downtime and issues relating to email.

Sending email is often an overlooked area of administration. While there have been a few advances in email server best practice over the past few years, the protocol used to send email, simple mail transfer protocol (SMTP), was created in the 1970s when the Internet was in its infancy. Back then, spam, email viruses and phishing attacks did not exist, and as a result email protocol was designed to be open and trusting.

The SMTP protocol has not changed much over the past four decades, which is why it is still a trivial matter to spoof another email user. I recommend people with a domain name implement good sender policy framework (SPF) records. SPF allows domain owners to specify which hosts or IP addresses are allowed to send email from your domain. SPF will not only stop back-scatter by preventing spammers from using your domain name, but it will also help with delivery rates.

Delivery rates can also be improved by using the services of a reputable software as a service (SaaS) email provider. Any large email specialist should have a good reputation which helps ensure their customers’ emails are successfully delivered to the intended recipient.

A good SaaS email provider should also be able to provide expert assistance to you and your IT staff in the event of any delivery issues. If you are not using a SaaS email provider, ensure your forward and reverse domain name system (DNS) hostnames match each other and that your MTA uses the same name when delivering email.

Having good anti-spam and anti-virus filters on your outgoing and incoming email is vital these days, particularly if you run Windows programs in-house. The tendency for Windows programs to become infected these days is truly scary, so running anti-virus best practice on desktops is essential.

Receiving email is the main function people associate MTA with. Given the inherent insecurity in the SMTP protocol, having good anti-abuse protection on your incoming email is important. Rather than keeping up with the latest threats, and given the amount of effort required to stay protected these days, I would strongly recommend outsourcing your email security to a third party.

Another advantage of using a dedicated managed email services provider is backup mail exchanger (MX). If you cannot afford to pay a commercial provider, talk to Google, as they host domains. Ideally, I would recommend customers have a second site under their own control. Even a virtual private server (VPS) hosted in a data centre somewhere could really save your company further down the line.

Another part of the email process that is often neglected is DNS. Managing major email changes, such as changing MX or the provider, can be simplified by changing the time to live (TTL) on your DNS records. Your TTL defines how long DNS servers on the Internet will cache your records before going back to the hosts. Many sites do not reduce their TTL before embarking on a major email architecture change and then wonder why their changes are not being propagated. A lot of sites still have the default 24 hours TTL (86400 seconds), which means their changes will not fully propagate around the Internet for a day.

While setting up and managing a mail server on the Internet is fraught with risks, if you follow best practice and keep up with the security patches, and anti-spam and anti-virus filters, you will be able to provide a stable reliable environment for your staff to use.

If you are running a mail server you need to be aware of the risks, so you can prepare for them.