Category Archives: Policy

Using an SMTP mail relay to secure a network

Small businesses with Exchange Server or other mail servers tend to have their mail server physically located in their office (in a DMZ), which is great for performance and communicating with each other, but they tend to run all their anti-spam and virus filtering on the same server. This brings up a number of issues.

  1. Windows Server anti virus and anti spam products tend to be resource intensive.
  2. Legislation in most locals require that all email is archived for x number of years, if you receive 80% spam on your email, it means that to.
  3. Your DNS MX record is being advertised to the world, while security through obscurity is never the answer, why advertise your public IP.
  4. RBLs will blacklist your public IP if you are found to have a spam producing virus, causing your outbound mail to bounce, it can take weeks to get off GMail and Hotmail’s spam lists.
  5. Some ISPs are not reliable, while a small office maybe unhappy about not having internet access for half a day, missing emails can have a greater business impact.
  6. It’s rare, but some ISPs will block port 25 which is used to relay mail between servers if they see what they consider as abuse, normally sending a warning first.

mail_relay

The answer to these risks is hosting a mail relay off-site, maybe even 2 if you want that resilience, but over the last 5 years, apart from reboots forced by updates taking 10 minutes every few months, I’ve not seen a customer impacting outage.

Your office mail server can block all incoming and outgoing SMTP traffic except between the mail relay, deleting the most obvious spam and all the viruses before the mail is delivered to your office. Also filtering outgoing email, ensuring you are not spreading viruses in the company’s name, and enforcing any other security policies you may have in place. Most abuse against an Exchange Server is against port 25, the public will not even see it exists. It will make it far less obvious what your public IP is.

You can block on your firewall all smtp traffic on the network except between the Server and the Relay, if someone brings in a an infected laptop and joins your network, it wont get you RBL listed, and the ISP wont block your port 25.

I have for more than a decade used Symantec Endpoint Protection for this purpose, but their SMTP relay can only be installed on bare metal or in a virtual machine, also for some strange reason require separate IP addresses for inbound and outbound and the costs are not so low for these to be hosted outside the office, and the performance and usability is no better than a free mail relay package such as MailScanner, which can easily be installed on a small cloud instance, as a guide I have 50 (heavy) users using one $20 a month DigitalOcean instance, and the processor and memory never goes over 20% and 600 (more regular) users using 2x $40 instances at different data centers.

This mitigation in no way suggests that you do not run anti-virus software on the workstations, this is still essential as not all virus infection come from email, and you should still have anti-spam filtering to fine tune the removal of the less obvious spam as it is simplest to set the relay to only delete the obvious, Microsoft own filter is usually ample for this.

While MailScanner itself is free, some of the RBL and signature subscriptions can be pricey, but a default installation which include amongst others Clam AV. Spam detection and Spamassassin is fine in most cases, also unlike Symantec’s pricing model, most additions to MailScanner are not charged at a per user license model.

This model works just as well in a distributed environment if you have a co-located mail server. Even adding a mail relay to a heavily firewalled website that wanted to hide the real IP of the host which was previously being leaked in automated emails from the site leading to a level 3/4 DDoS attack.

If you want assistance in setting such a configuration up, I am always available for hire, and if you have a suggestion to improve on this model, I am always willing to learn.

Adding disclaimers on blog comments

I was asked a couple of days ago to add a disclaimer to the commenting section on a WordPress Blog, something like: “Commentators are asked to be polite, stay on topic. While we do monitor and moderate comments, they are the expression of the commentator and do not necessarily share the opinion of the Blog owner.”

Surprisingly at this time there is no comment disclaimer plugin for WordPress (Jump to the bottom of the page if you want to see how to do it). In fact there is really very little written on the subject.

Quite a few bloggers over the years have been sued or faced criminal charges for their own postings, basically using existing defamation and copyright law. And recently we are seeing the threat of terrorist charges for “disseminating” a video that I saw a huge number of blogs sharing at that time, I don’t know of any that were actually contacted by any authority.

BloggingBlue have a great Comment Policy & Disclaimer, but if you go to comment there, there your attention is not brought to this disclaimer when you actually comment, I guess it should say “by posting you agree…” I found another well worded document but again with no way for the commentator to confirm they have read or agree to the policy here at Monsanto, who I know face a lot of commenting abuse.

Looking for legal advice on this, all I found was an Australian lawyer who suggests that you should:

add a Creative Commons licence to your blog comments page stipulating that in posting comments they agree to license them to you.

Funnily enough, the much loved, decade old herche’s blog disclaimer does cover commenting quite well.

Comments on this website are the sole responsibility of their writers and the writer will take full responsibility, liability, and blame for any libel or litigation that results from something written in or as a direct result of something written in a comment. The accuracy, completeness, veracity, honesty, exactitude, factuality and politeness of comments are not guaranteed.

I think it is also important to warn aggressive trolls if you have a “Comment Kittening policy“.  Comment Kittening of course far more effective than the ban hammer or IP banning.

comment disclaimer

Adding the comment disclaimer, or whatever notice, will look like this is, and is done by adding the following to the custom.css or style.css.

 

#reply-title::after {
 content: "(your message to commentators)";
 font-size: 12px;
 text-transform: none;
 font-weight: 300;
 font-style: italic;
}

Of course if you do come across a better method, please let me know, just be polite, stay on topic…   😉

Hello World!

While I have contributed to a number of blogs, forums and sites over the years, decades even and setup, managed and moderated countless others for clients and friends, I’ve never actually had my own.

I first came to think it would be a good time to commit myself a few months back when I’d started on a “recertification” processPrincess Margaret Bridge Fredericton, as I’d let quite a few of my qualifications lapse over the years. I was spurred on by a friend who noticed how opinionated I was about how badly written the official guide for businesses and organisations to PIPEDA was comparing it to the UK’s DPA and said “write it up”, and while you are at it take a look at the UK’s Bribery Act.

Well that’s not a task I want to take up right now, they’re both sizable documents and PIPEDA should really just be revisited by a copywriter and proof-reader. What is relevant though is that this is a very important document that nearly all businesses of any size in Canada should have an understanding of, and it would make sense that it was written using clear, simple and correct English (I can’t comment on the French). And the Bribery Act, that discussion is more about its broader impact and implications.

Back to the blog in general, I’m not going to be asking my long suffering wife or one of the designers we normally use on clients projects to beautify this WordPress blog, I think I’ll leave it “vanilla” for now.

The friend is right of course, I am opinionated, as he says “You can always tell an Englishman – but you can’t tell him much!”, so here goes…