Server Security

Security features are an important part of all communication products these days. IceWarp Mail Server offers best-of-breed technologies that are surprisingly easy to configure. Once set, they protect user data without requiring intervention. Detailed information about misbehaving activity can be found quickly, so countermeasures can be taken in time.

Data Encryption

Login credentials are protected by default using RSA public-key asymmetric cryptographic methods, which are also used by SSL traffic encryption to prevent eavesdropping and data tampering. The supplied server certificate, a custom one, or one acknowledged by a trusted CA can be used.
Messages can be signed using a public-private key pair, just like in PGP, but server-side and without the need for extra software in the email client.

  • SSL/TLS 128-bit encryption for all services
  • Digital Certificates Creation and Management
  • Secured Destinations (force SSL)
  • Authentication: CRAM/Digest MD5, login, plain, POP before SMTP
  • Server-side message encryption using S/MIME
  • TCP/IP tunneling front-end (VPN like operation)

Password Catching Protection

Apart from the many options for enforcing password policies, passwords can be safe from the beginning: they can be created with the built-in password generator and validated against a required level of password strength to prevent dictionary attacks.

  • Extensive password, expiration and login policies
  • License generator and password validation
  • Account login IP restriction
  • Change passwords over POP3 protocol
  • Service authentication: support for superuser login syntax

Denial of Service Protection

Advanced rate control lets you set limits for each service on outgoing and incoming connections, on data transferred over a defined period, and on simultaneously established sessions. Even local senders can be checked for viruses and spam, and their daily email usage restricted, to prevent abuse through leaked or weak passwords.

  • Bandwidth throttling per service
  • Data and connection rate control
  • Service usage policies
  • Traffic monitoring with alerts
  • Command monitoring
  • Service usage restrictions
  • Allow/ban host rules with host patterns

Anti-Bombing

Sending bulk amounts of mail can be effectively prevented by extensive session and protocol control policies. Some of the common SMTP protocol weaknesses used to collect email addresses can be disabled, along with other commands if not in use.

  • Protocol policies and session control
  • Session inactivity timeout, Protocol response delay, Max bad commands, Max outstanding connection requests
  • Perform a delay before processing an incoming SMTP connection
  • Disable telnet access
  • SMTP policies: disable EHLO, AUTH, EXPN, VRFY commands

Anti-Spoofing

Forged message headers are common, especially in phishing attacks. DNS checks are performed to ensure the credibility of the sending mail server and, in turn, of the email it sends. A further level of protection is support for DomainKeys Identified Mail and related security standards originally introduced by Yahoo!.

  • DNS MX and A record authorization
  • rDNS validation
  • Security standard SPF with SRS support
  • DKIM, DomainKeys and domain literals

Anti-Relaying

A closed relay is crucial in preventing abuse of the server for sending spam and, in turn, the server being blacklisted by other servers. There are also options to reject connections from servers which are open relays.

  • Closed relay except for Trusted IPs
  • Domain IP shielding, IP Binding
  • Non-authorized domain rejection
  • Hop count and number of recipients restrictions
  • DNSBL query
  • HELO-EHLO filter

Intrusion Prevention

This system monitors attempts to deliver to unknown users, to abuse SMTP commands, to send spam or to relay without authentication. When a certain threshold is reached, it automatically closes further sessions for a period of time or permanently blocks connections from such IP addresses.

  • Cross-session and cross-protocol monitoring
  • Management of intruders' IPs
  • Reasons for blocked hosts displayed
  • Helpful against spam and DoS attacks