All posts by Marc Kranat

Using an SMTP mail relay to secure a network

Small businesses with Exchange Server or other mail servers tend to have their mail server physically located in their office (in a DMZ), which is great for performance and for communicating with each other, but they also tend to run all their anti-spam and anti-virus filtering on that same server. This raises a number of issues.

  1. Windows Server anti-virus and anti-spam products tend to be resource intensive.
  2. Legislation in most jurisdictions requires that all email is archived for some number of years; if 80% of the email you receive is spam, that has to be archived too.
  3. Your DNS MX record is advertised to the world. Security through obscurity is never the answer, but why advertise your public IP?
  4. RBLs will blacklist your public IP if you are found to host a spam-producing virus, causing your outbound mail to bounce; it can take weeks to get off Gmail’s and Hotmail’s spam lists.
  5. Some ISPs are not reliable. While a small office may be unhappy about not having internet access for half a day, missing emails can have a greater business impact.
  6. It’s rare, but some ISPs will block port 25, which is used to relay mail between servers, if they see what they consider abuse, normally sending a warning first.


The answer to these risks is hosting a mail relay off-site, maybe even two if you want the resilience. Over the last 5 years, apart from reboots forced by updates, taking 10 minutes every few months, I’ve not seen a customer-impacting outage.

Your office mail server can then block all incoming and outgoing SMTP traffic except to and from the mail relay, which deletes the most obvious spam and all the viruses before the mail is delivered to your office. The relay also filters outgoing email, ensuring you are not spreading viruses in the company’s name, and enforces any other security policies you have in place. Most abuse against an Exchange Server is aimed at port 25; with the relay in front, the public will not even see it exists, and it becomes far less obvious what your public IP is.

You can block all SMTP traffic on the network at your firewall except between the server and the relay, so if someone brings in an infected laptop and joins your network, it won’t get you RBL listed, and the ISP won’t block your port 25.
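The firewall policy described above, as an added example that is not part of the original post: a script that generates the iptables rules confining port 25 to the relay(s), printing them for review by default. The relay addresses and chain name are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate the iptables rules that
# confine SMTP (port 25) on the office firewall to the off-site relay(s),
# so an infected laptop on the LAN cannot spam the internet directly.
# Relay addresses are constructed placeholders in the documentation range.
RELAYS="203.0.113.10 203.0.113.11"   # assumed: two relays for resilience
CHAIN="SMTP-RELAY-ONLY"              # hypothetical chain name

# Print the rules rather than applying them, so they can be reviewed first.
# Arguments: one or more relay IP addresses.
smtp_lockdown_rules() {
  echo "iptables -N $CHAIN"
  for relay in "$@"; do
    echo "iptables -A $CHAIN -p tcp --dport 25 -s $relay -j ACCEPT"   # mail from relay
    echo "iptables -A $CHAIN -p tcp --dport 25 -d $relay -j ACCEPT"   # mail to relay
  done
  # Anything else on port 25 is logged (for the audit report) and dropped.
  echo "iptables -A $CHAIN -p tcp --dport 25 -j LOG --log-prefix \"SMTP-BLOCKED: \""
  echo "iptables -A $CHAIN -p tcp --dport 25 -j DROP"
  # Hook the chain into inbound, outbound and forwarded traffic.
  for base in INPUT OUTPUT FORWARD; do
    echo "iptables -I $base 1 -p tcp --dport 25 -j $CHAIN"
  done
}

# Number of ACCEPT rules in the generated set: two per relay.
count_accepts() { smtp_lockdown_rules "$@" | grep -c -- '-j ACCEPT'; }

# Dry run by default; set APPLY=1 to run the generated commands as root.
if [ "${APPLY:-0}" = "1" ]; then
  smtp_lockdown_rules $RELAYS | sh
else
  smtp_lockdown_rules $RELAYS
fi
```

The LOG rule is what feeds the blocked-connection entries you will later see in the firewall audit reports.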

For more than a decade I used Symantec Endpoint Protection for this purpose, but their SMTP relay can only be installed on bare metal or in a virtual machine and, for some strange reason, requires separate IP addresses for inbound and outbound mail. The cost of hosting these outside the office is not low, and the performance and usability are no better than a free mail relay package such as MailScanner, which can easily be installed on a small cloud instance. As a guide, I have 50 (heavy) users on one $20 a month DigitalOcean instance, where processor and memory usage never go over 20%, and 600 (more typical) users on two $40 instances at different data centers.

This mitigation in no way suggests that you should not run anti-virus software on the workstations; that is still essential, as not all virus infections come from email. You should also still have anti-spam filtering to fine-tune the removal of the less obvious spam, as it is simplest to set the relay to delete only the obvious spam; Microsoft’s own filter is usually ample for this.

While MailScanner itself is free, some of the RBL and signature subscriptions can be pricey, but a default installation, which includes, among others, ClamAV for virus detection and SpamAssassin for spam detection, is fine in most cases. Also, unlike Symantec’s pricing model, most additions to MailScanner are not charged per user.

This model works just as well in a distributed environment if you have a co-located mail server. I have even added a mail relay in front of a heavily firewalled website that wanted to hide the real IP of its host, which was previously being leaked in automated emails from the site and led to a layer 3/4 DDoS attack.

If you want assistance setting such a configuration up, I am always available for hire, and if you have a suggestion to improve on this model, I am always willing to learn.

Hacking the Hackers

Well, not quite hacking as most people think of it, but technically it is, and it’s great.

There is a common theme when you have cleaned up some malware for someone: they have likely spent a while confused by what was going on, and again by the cleanup, maybe been hit in the pocket, and if it’s the first time, they can take it personally; if their confidentiality was breached, it will be very personal.

Often when I get into conversation with victims, they will ask “can’t we hack them back?” When a mail server was recently hacked and hurt a client’s reputation by sending out millions of spam messages, the question was “can’t we bounce the spam back at them?” In nearly all cases, even if we could, we wouldn’t know who “them” was.

What I might do, if they now have a firewall in place, is get them to enjoy looking at their audit reports, at the wasted effort hackers are going to as the firewall deflects all the bad actors, such as this:

(Image: firewall audit report)

While that can give some satisfaction, tying up the resources of the criminal hackers’ bots, it really is nothing compared to what Illusive Networks have developed. Honeypots are not a new idea, and are often designed to monitor the behaviour of automated attacks, but Illusive have developed a system that tricks human hackers into believing they have struck gold, giving them access not just to a fake network and server but to fake data as well, drawing them in deeper and taking advantage of an addictive behaviour pattern seen in criminal hackers.

Why I call this hacking: well, it is. This is social engineering, human hacking, and ironically it’s well known that humans are easier to hack than machines, so Illusive really have turned the tables.

Current offerings are not for small businesses, but I do hope someone develops something similar for the majority. Apart from what I expect is a very effective proactive method of defense, there will be a certain satisfaction for the intended victim when looking at those audits.

You can read more about Illusive Networks here at TechCrunch.

Switching a WordPress site over to HTTPS/SSL

WordPress.com, the official hosted version of WordPress, has switched over to enforcing SSL. While this is mostly a political statement, there is some merit: firstly, you might actually have some forms which should be secure, allowing users to communicate over the secure channel HTTPS provides; secondly, Google has started giving a slight boost to your PageRank when it sees SSL in place.


But if you host your own server, you need to enable SSL and provide a certificate yourself.

First, check that Apache is listening on port 443:

netstat -ntpl | grep 443

Create a certificate request

If all you need is secure forms and a green padlock, as I have used here, you can use a RapidSSL certificate at $12.99 a year here.

You can also get a suitable free certificate from StartSSL; I have a walkthrough here for that. If you are able to use Let’s Encrypt, they have a great free certificate that’s generated from your server.

Here is a great walkthrough on enabling SSL and copying the certificate and key over to your server.

To redirect HTTP URLs to HTTPS, use two virtual hosts: one on port 80 that only redirects, and one on port 443 that serves the site:

 <VirtualHost *:80>
     ServerName www.example.com
     # Send every plain-HTTP request to the HTTPS site
     Redirect / https://www.example.com/
 </VirtualHost>

 <VirtualHost *:443>
     ServerName www.example.com
     # ... SSL configuration goes here
 </VirtualHost>

Enable SSL for Apache

a2enmod ssl

Enable the new SSL config

a2ensite example.com-ssl

Test the new config

apachectl configtest

Restart

sudo /etc/init.d/apache2 restart

Quite often we see that while everything else is working, a firewall is blocking port 443. Check to see if iptables is blocking it:

iptables -L -n

If there is no rule allowing it, add one:

iptables -I INPUT -p tcp --dport 443 -j ACCEPT
/etc/init.d/iptables-persistent save

Check to see if UFW is blocking:

ufw status

If you don’t see HTTPS or SSL listed:

ufw allow https

If your padlock is broken, you likely have some non-SSL content whose URL needs to be altered manually. To check for non-HTTPS content, use the Why No Padlock tool.
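As an added example, not from the original post, here is an offline check for the broken-padlock case: it lists the resources a page still loads over plain http:// and rewrites the site’s own URLs to https://. The HTML and host names are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original post): find resources still loaded over
# plain http:// in a page, which is what breaks the padlock after the switch to
# HTTPS, and rewrite the site's own URLs. The HTML below is constructed sample input.
SAMPLE_HTML='<html><head>
<link rel="stylesheet" href="http://www.example.com/wp-content/themes/x/style.css">
<script src="https://www.example.com/wp-includes/js/jquery.js"></script>
<script src="http://ads.example.net/tracker.js"></script>
</head><body>
<img src="http://www.example.com/wp-content/uploads/logo.png">
<a href="http://www.example.com/about/">About</a>
<img src="//cdn.example.net/i.png">
</body></html>'

# Print the URL of every loaded resource (img, script, link, iframe, ...) that
# uses http://. Plain <a href> links are ignored: they do not break the padlock.
mixed_content() {
  grep -o -E '<(img|script|link|iframe|source|video|audio|object)[^>]*(src|href)="http://[^"]+"' \
    | sed -E 's/.*(src|href)="(http:[^"]+)"$/\2/'
}

# Rewrite http:// to https:// for the site's own host only; third-party
# resources must be checked by hand (their host may not serve HTTPS).
fix_own_urls() {
  sed "s#http://$1#https://$1#g"
}

# Helpers returning counts, so the result can be checked.
count_mixed()     { printf '%s\n' "$SAMPLE_HTML" | mixed_content | wc -l | tr -d ' '; }
count_after_fix() { printf '%s\n' "$SAMPLE_HTML" | fix_own_urls www.example.com | mixed_content | wc -l | tr -d ' '; }

echo "Mixed content before fix:"
printf '%s\n' "$SAMPLE_HTML" | mixed_content
echo "Still mixed after rewriting www.example.com:"
printf '%s\n' "$SAMPLE_HTML" | fix_own_urls www.example.com | mixed_content
```

The third-party tracker script remains after the rewrite, which is exactly the kind of URL that has to be fixed by hand or removed.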

This of course is another one of my reminder walkthroughs, which I will update as I find better instructions, and I welcome any improvements.