Testing Email Server Security

Back in the day, getting a mail server set up was definitely not a point-and-click operation. Today, messaging systems are much easier to get up and running – often no more difficult than installing any regular desktop software package.

Unfortunately, simplicity often comes with a price. While installing a mail server and getting it to exchange messages with other SMTP servers is no longer a tangled web of configurable settings at a basic level, there’s still plenty to consider on the security front. Most importantly, you’ll want to ensure that your server is not being used as a junk mail gateway by spammers.

It used to be that spammers used their own servers to send out spam email messages. While this is sometimes still the case, most “spamming” servers have been shut down by service providers or “blacklisted” as known sources of spam. Needing a way to continue getting their messages out, spammers next turned to other users’ mail servers. Specifically, they scan the Internet for unsecured mail servers that allow what is known as “relaying”.

In a nutshell, relaying ties into the lack of security in the SMTP protocol used to send messages – typically you don’t provide a username or password to send messages. So, if no other restrictions are implemented, any user can set an unsecured mail server as their SMTP server, and then fire messages through that server at will – often thousands at once. Ultimately, it’s the mail server owner who has to deal with the fallout. Their server ends up being blacklisted as a source of spam, and other servers that subscribe to blacklists won’t exchange mail with them. Even after securing the email server to deny relaying, it can often take weeks to be removed from these blacklists, a frustrating exercise that you just don’t want to deal with.

The key to not having your mail servers used as a spam gateway is to block relaying. Different servers implement different techniques to prevent relaying, from checking sending user domain names (ineffective, as spammers can spoof these), to limiting senders to those on a specific network. Most SMTP servers also support authentication, allowing you to require users to supply a username and password to send messages via the server.

This tip isn’t about securing your particular mail server, but rather testing its security. If you want a quick and easy way to determine whether your mail server allows relaying, just head to http://www.abuse.net/relay.html.

If you input your mail server’s IP address or host name and click the Test for Relay button, this service will run through 17 different tests to check whether your server allows relaying. If your server is properly secured, you’ll be presented with the message “All tests performed, no relays accepted”. That’s good news.
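
A single relay case can also be checked directly against a server you administer. The script below is an added example, not part of the original tip and not the abuse.net service's code; it covers one case only (an outside sender addressing an outside recipient), and the placeholder addresses, the function name `check_relay` and the `helo_name` parameter are assumptions made for illustration.

```python
import smtplib
import sys

# Constructed placeholder addresses on reserved example domains. Neither
# may be a domain that the server under test is responsible for.
OUTSIDE_SENDER = "relaytest@example.com"
OUTSIDE_RECIPIENT = "relaytest@example.net"


def check_relay(host, port=25, sender=OUTSIDE_SENDER,
                recipient=OUTSIDE_RECIPIENT, helo_name=None, timeout=10):
    """Probe one relay case against a mail server you administer.

    Returns (relays, code, reply). The session ends after RCPT TO and
    never issues DATA, so no message is queued or delivered.
    """
    with smtplib.SMTP(host, port, local_hostname=helo_name,
                      timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, reply = smtp.mail(sender)
        if code != 250:
            # The outside sender was refused outright: nothing relayed.
            return False, code, reply.decode(errors="replace")
        code, reply = smtp.rcpt(recipient)
        # 250/251 mean the server agreed to take mail for a foreign
        # domain from an unauthenticated client, i.e. it would relay.
        return code in (250, 251), code, reply.decode(errors="replace")
    # Leaving the "with" block sends QUIT, abandoning the transaction.


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: relaycheck.py <your-mail-server>")
    relays, code, reply = check_relay(sys.argv[1])
    print("RELAY ACCEPTED" if relays else "relay denied", code, reply)
    sys.exit(1 if relays else 0)
```

Run it from a network the server does not treat as trusted; a result of "relay denied" for this one case does not replace the full set of tests described above.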

Should your server fail any of the tests, you’ll want to get on top of things immediately. All mail server software packages provide clear documentation on ways to prevent relaying. If you don’t get the issue sorted today, you may just end up on a blacklist tomorrow. So, take a moment to test your mail server and be sure that it’s properly secured.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.