Cyberia strongly recommends the following to our valid users who are having their own Exchange/Mail setups.
1. Configure mail relay options carefully to avoid being an Open Relay
- It’s very important to configure your mail relay parameter to be very restrictive. Where you can specify which domains or IP addresses your mail server will relay
2. Set up SMTP authentication to control user access
- SMTP Authentication forces the people who use your server to obtain permission to send mail by first supplying a username and password..
3. Limit connections to protect your server against DoS attacks
- The number of connections to your SMTP server should be limited. This could be very helpful to mitigate spam floods and DoS attacks that target your network infrastructure.
4. Activate Reverse DNS to block bogus senders
- Most messaging systems use DNS lookups to verify the existence of the sender’s email domain before accepting a message.
5. Use DNSBL servers to fight incoming email abuse
- Checking if the sender domain or IP is known by DNSBL servers world-wide (e.g., Spamhaus, etc.),. Activating this option will greatly reduce the impact of unsolicited incoming email.
6. Activate SPF to prevent spoofed sources
- When SPF is activated on your server, the sending server’s MX record (the DNS Mail Exchange record) is validated before message transmission takes place.
8. Maintain local IP blacklists to block spammers
- Having a local IP blacklist on your email server is very important for countering specific spammers who only target you.
9. Encrypt POP3 and IMAP authentication for privacy concerns
- SSLTLS is the best known and easiest way to implement strong authentication; it is widely used and considered reliable enough.
10. Have at least 2 MX records for failover
- It’s strongly recommended to set up at least 2 MXs for each domain. The first one is set as the primary, and the secondary is used if the primary goes down for any reason. This configuration is done on the DNS Zone level.
Minimize your use of attachments
- Attachments can cause your messages to be blocked, particularly the following:
- SCR, EXE, DOC, XLS, VBS: They are often used to transmit viruses
- JPEG and GIF: Some companies will block incoming graphics
- Large file attachments: Some companies will block large attachments to minimize bandwidth wastage and some mail servers do not support messages larger than 10MB
WSUS servers recommended.
- Strongly recommends to setup WSUS server in your environment, as your Environment consists with huge number of users. Administrators can fully manage the automatic distribution of updates that are released through Microsoft Update to computers in your network.