I noticed a significant increase in the number of hosts attempting to authenticate to my Exim submission ports (465 and 587). As a result, I have implemented a number of security measures. These measures have effectively blocked the attempts. This post outlines the main measures that I have implemented. This includes ACLs and fail2ban blacklisting.
A StackExchange question on using HAProxy’s capture feature to pass data from TCP mode to HTTP mode prompted me to update my SSL configuration. This was intended to get an A+ rating from SSL Labs by sending non-SNI capable clients to a server with weaker ciphers. This was to enable clients on WinXP/IE8, Java 6,… Continue reading Securing TLS
I often see posts asking about running a mail server on a Dynamic IP address. Twenty years ago I started running my server on a dynamic IP address. However, times have changed, and it is more difficult to do so. Stil, there are mail server roles that work reasonably well on a dynamic IP address.
The new Poodle vulnerability lead me to disable SSLv3 on my Ubuntu server. I have TLS/SSL enabled on three services: apache2, exim4, and dovecot2. Each service required a different method to disable SSLv3. While SSLv3 is mostly history, the techniques I used can be applied to other TLS versions. Ubuntu uses configuration files split into… Continue reading Disabling SSLv3 to block Poodle
I use eximstats to report my daily email traffic. I have a fairly high rate of rejections and wanted hostnames listed in the rejection reports. To resolve this I developed a patch to capture the hostname related to the IP address, and add this data to the rejection reports. The enhanced list saves me the… Continue reading Hostnames for eximstats Rejections
Configuring a common login for Dovecot IMAP(s) and Exim SMTP. Also Exim Submission port and TLS (SSL) configuration.
Replacing 6to4 tunnel with 6in4. IPv6 enabling Bind, Exim, SPF, Squid, and updating Databases containing IP addresses.
Spam blocking techniques for Exim. Uses delays to cause Spambots to fail. Notes on bulk and automated mail servers.
This article was updated in February 2014 to reflect changes in policy and reporting options. The earlier ADSP (Author Domain Signing Practices) information has been removed. DomainKeys Identified Mail (DKIM) provides a method to confirm the origin of an e-mail. DKIM also provides some protection against tampering. Unlike SPF, this validation applies to the contents… Continue reading Implementing DKIM with Exim
I have been receiving a fair amount of Spam from an e-mail forwarder. They are unwilling to correct their problems. Much of this Spam is in the form of bounce notifications. Attempting to reject other Spam resulted in more notifications. To control this Spam I implemented signed return path addresses. As a side benefit, I am also rejecting bogus notifications… Continue reading Signing Return Path Addresses with Exim