Mail server and DDOS attack | MDaemon Technologies, Ltd.

Mail server and DDOS attack


  • Hello,

    Wanted to get suggestions on service or best practice for preventing DDOS attacks on mail server.

    We have been getting DDOS attacks on our various end points and we successfully mitigated them.

    However, now we are looking for ways to prevent them from future attacks.

    How can we go about safely hiding our email server from the public?

    It's not as easy as other end points, as a mail server has different ports/services involved.

    Any suggestion would be greatly appreciated.

    Thank you.



  • It comes at a cost, but a DDOS protection service is usually the most effective.  Especially if the attacks get really large.

    Basically hide your mail server, and the rest of your network, as best as you possibly can and use all the tools you have available to detect and block as much bad traffic as soon as you possibly can.  In my experience if you fall victim to a large scale, long term attack, the only option will be a DDOS protection service.  If this happens they will probably be attacking your entire network, not just your mail server.

    To protect yourself without a third party service, do everything you can to secure your entire network as much as possible.

    Reduce your attack surface as much as possible.  Disable services and block ports that are not being used.  Disable accounts that are no longer being used.  Restrict accounts to only allow access to the services they need.  If you have accounts that are only accessed internally, then restrict their access to the internal network.

    Restrict traffic as much as possible using features like location screening.  If you don't need to allow users to authenticate from a country, then don't allow authentication from that country.  If you only allow users to authenticate with the mail server from Greenland, then configure the server to only allow authentication from Greenland.

    Turn on every security feature in MDaemon (with a couple of exceptions) and configure it as restrictively as you possibly can without preventing users from doing what they need to do.  But to be clear, security is usually inconvenient for users.  Everyone needs to find the balance of security and usability that works for their environment.

    Things like POP Before SMTP, IP Shielding, Trusted IPs, and Trusted Domains should only be used if you have no other choice.  Every modern SMTP client should be capable of using SMTP Authentication, but sometimes we have old tools that we are forced to use.

    Use PTR lookups and block connections from IPs with no PTR records, do NOT exempt authenticated sessions from this requirement.

    Perform lookups on EHLO domains, block if it returns domain not found.  Do exempt authenticated sessions from this requirement.

    Turn on every security feature your network tools offer and configure them as restrictively as possible without interfering with users.

    Take a look at current practices and procedures to see what needs to be improved to better secure your network. 

    Force the use of strong passwords and two factor authentication.  

    Implement SPF, DKIM, DMARC and ensure MDaemon is checking them on inbound mail.

    In many cases security features like rate limiting are going to require some experimentation to see what works for your environment.  For example, we found that some IMAP clients will open a new session for every folder they check when they do a send/receive.  This will probably force you to set the options to block IPs that connect more than X times in Y minutes higher than you'd like.

    The list goes on; there is lots of information available online.  In general, the same security practices apply across the board, from web servers and DNS servers to mail servers, etc.

    If you have more questions, let us know; we'll do our best to help.
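The screening rules described in the reply above (PTR required even for authenticated sessions, EHLO lookup waived for authenticated sessions, location screening on authentication, and an X-connections-in-Y-minutes rate limit) as one small policy evaluator. This is an added example, not MDaemon's code or configuration; the DNS answers, country codes and connection records are constructed inline so it runs offline, and the class and function names are invented for the illustration.

```python
"""Added example: evaluate inbound SMTP connections against the screening
rules from the reply above. Not MDaemon code; all data below is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

# Constructed stand-in for DNS so the example runs offline. A real deployment
# would resolve PTR and A/AAAA records (e.g. with dnspython) instead.
FAKE_PTR: Dict[str, str] = {
    "203.0.113.10": "mta.example.net",
    "198.51.100.5": "mail.partner.example",
}
FAKE_RESOLVABLE_NAMES = {"mta.example.net", "mail.partner.example"}


@dataclass
class Connection:
    ip: str
    ehlo: str            # hostname presented in EHLO
    authenticated: bool  # session is an SMTP-authenticated (submission) session
    country: str         # country the IP geolocates to (assumed looked up already)
    t: float             # arrival time in seconds


class ConnectionPolicy:
    """Order of checks: rate limit, PTR, location screening, EHLO lookup."""

    def __init__(self, auth_countries, max_conns: int, window_s: float):
        self.auth_countries = set(auth_countries)   # countries allowed to authenticate
        self.max_conns = max_conns                  # X connections ...
        self.window_s = window_s                    # ... per Y seconds
        self._history: Dict[str, Deque[float]] = defaultdict(deque)

    def _over_rate(self, ip: str, t: float) -> bool:
        # Sliding window: forget arrivals older than the window, then count.
        q = self._history[ip]
        while q and t - q[0] > self.window_s:
            q.popleft()
        q.append(t)
        return len(q) > self.max_conns

    def evaluate(self, c: Connection) -> Tuple[str, str]:
        if self._over_rate(c.ip, c.t):
            return "block", "rate-limit"
        # PTR requirement applies to every session, authenticated or not.
        if c.ip not in FAKE_PTR:
            return "block", "no-ptr"
        # Location screening only restricts who may authenticate.
        if c.authenticated and c.country not in self.auth_countries:
            return "block", "auth-country"
        # EHLO lookup is waived for authenticated sessions (laptops rarely
        # present a resolvable name) but enforced for everyone else.
        if not c.authenticated and c.ehlo not in FAKE_RESOLVABLE_NAMES:
            return "block", "ehlo-domain-not-found"
        return "accept", "ok"


# Constructed connection records, in arrival order.
SAMPLE_CONNECTIONS: List[Connection] = [
    Connection("203.0.113.10", "mta.example.net", False, "US", 0),      # clean relay
    Connection("192.0.2.77", "mail.example.org", True, "GL", 1),        # no PTR, even though authenticated
    Connection("198.51.100.5", "laptop.local", True, "GL", 2),          # bad EHLO but authenticated
    Connection("198.51.100.5", "laptop.local", False, "GL", 3),         # bad EHLO, unauthenticated
    Connection("198.51.100.5", "mail.partner.example", True, "BR", 4),  # auth from disallowed country
    Connection("203.0.113.10", "mta.example.net", False, "US", 10),     # 2nd in window
    Connection("203.0.113.10", "mta.example.net", False, "US", 20),     # 3rd in window
    Connection("203.0.113.10", "mta.example.net", False, "US", 30),     # 4th: over the limit
    Connection("203.0.113.10", "mta.example.net", False, "US", 100),    # window has slid, accepted again
]


def run_sample() -> List[Tuple[str, str, str]]:
    """Return (ip, decision, reason) for each constructed connection."""
    policy = ConnectionPolicy(auth_countries={"GL"}, max_conns=3, window_s=60)
    return [(c.ip, *policy.evaluate(c)) for c in SAMPLE_CONNECTIONS]


if __name__ == "__main__":
    for ip, decision, reason in run_sample():
        print(f"{ip:14} {decision:6} {reason}")
```

The rate-limit threshold is deliberately a constructor argument: as the reply notes, IMAP clients that open one session per folder will push the workable value of X higher than the first guess, so the number has to be tuned against real client behaviour rather than fixed in code.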
