Securing Submission on Exim

I noticed a significant increase in the number of hosts attempting to authenticate to my Exim submission ports (465 and 587). As a result, I have implemented a number of security measures. These measures have effectively blocked the attempts. This post outlines the main measures that I have implemented. This includes ACLs and fail2ban blacklisting.

Securing TLS

A StackExchange question on using HAProxy’s capture feature to pass data from TCP mode to HTTP mode prompted me to update my SSL configuration. This was intended to get an A+ rating from SSL Labs by sending non-SNI capable clients to a server with weaker ciphers. This was to enable clients on WinXP/IE8, Java 6,…

MX on a Dynamic IP Address

I often see posts asking about running a mail server on a Dynamic IP address. Twenty years ago I started running my server on a dynamic IP address. However, times have changed, and it is more difficult to do so. Still, there are mail server roles that work reasonably well on a dynamic IP address.

Implementing DKIM with Exim

This article was updated in February 2014 to reflect changes in policy and reporting options. The earlier ADSP (Author Domain Signing Practices) information has been removed. DomainKeys Identified Mail (DKIM) provides a method to confirm the origin of an e-mail. DKIM also provides some protection against tampering. Unlike SPF, this validation applies to the contents…

Signing Return Path Addresses with Exim

I have been receiving a fair amount of Spam from an e-mail forwarder. They are unwilling to correct their problems. Much of this Spam is in the form of bounce notifications. Attempting to reject other Spam resulted in more notifications. To control this Spam I implemented signed return path addresses. As a side benefit, I am also rejecting bogus notifications…