10.5 Email Services Countermeasures

  • Don't run Sendmail in high-security environments, because the software contains many bugs and is heavily bloated. Sound Unix-based alternatives include qmail (http://www.qmail.org) and exim (http://www.exim.org), neither of which is as complex or susceptible to Internet-based attack.

  • To minimize the impact of a user-enumeration and password-grinding attack, ensure that all user accounts on SMTP and POP-3 mail servers have strong passwords. Ideally, SMTP servers shouldn't also run remote maintenance or email pickup services to the public Internet.

  • If you do offer public POP-3 or IMAP mail services, investigate their resilience to brute-force attack, including logging provisions and whether an account lockout policy can be deployed.

  • Using SSL-enhanced versions of POP-3 and IMAP services minimizes the risk of plaintext user account passwords being sniffed. Plaintext services are open to determined attack, so you need either SSL or VPN client software to protect both passwords and the email data sent from point to point.

  • Ensure that inbound commercial SMTP relay and antivirus scanners (such as Clearswift MAILsweeper and InterScan VirusWall) are patched and maintained to prevent circumvention attacks from being effective.

  • Cisco PIX, Check Point Firewall-1, and other firewall systems can run SMTP proxy services to scrub traffic flowing to and from SMTP mail servers. This SMTP proxy functionality is known as the "SMTP Security Server" under Check Point and the "SMTP fixup protocol" under Cisco. While these proxy components aren't bulletproof, they do provide valuable protection.
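The logging check recommended for the user-enumeration and password-grinding countermeasures above, as an added example that is not from the book: a small Python script that scans POP-3/IMAP login failures and flags sources that cycle through many usernames or hammer one account. The sample log lines and their Dovecot-like format are constructed assumptions; adjust `LINE_RE` to whatever your mail server actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a Dovecot-like syslog format (an assumption). 203.0.113.7
# cycles through usernames, 198.51.100.9 hammers one account, 192.0.2.44 is a lone typo.
SAMPLE_LOG = """\
Mar 10 02:14:01 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=203.0.113.7
Mar 10 02:14:03 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, rip=203.0.113.7
Mar 10 02:14:05 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<carol>, rip=203.0.113.7
Mar 10 02:14:08 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<dave>, rip=203.0.113.7
Mar 10 02:14:10 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<erin>, rip=203.0.113.7
Mar 10 02:20:00 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<alice>, rip=198.51.100.9
Mar 10 02:20:30 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<alice>, rip=198.51.100.9
Mar 10 02:21:00 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<alice>, rip=198.51.100.9
Mar 10 03:30:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<frank>, rip=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: (?P<svc>pop3|imap)-login: "
    r"Disconnected \(auth failed, (?P<n>\d+) attempts\): user=<(?P<user>[^>]*)>, rip=(?P<ip>[\d.]+)"
)

def parse_failures(log_text, year=2024):
    """Return (timestamp, service, user, source_ip, attempts) tuples for failed logins."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied for timestamp arithmetic
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["svc"], m["user"], m["ip"], int(m["n"])))
    return events

def detect_grinding(events, window=timedelta(minutes=5), threshold=5, users_threshold=3):
    """Flag source IPs that reach `threshold` failed attempts inside any `window`."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # drop events older than the window
                start += 1
            attempts = sum(e[4] for e in evs[start:end + 1])
            if attempts >= threshold:
                users = {e[2] for e in evs[start:end + 1]}
                kind = "user-enumeration" if len(users) >= users_threshold else "password-grinding"
                alerts[ip] = {"kind": kind, "attempts": attempts, "users": sorted(users)}
    return alerts
```

Feed the alerts into whatever lockout or blocking mechanism the server supports; the thresholds are starting points to tune against your own baseline of genuine typos.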