What advice do you have in regard to setting up an e-mail server?

I'm looking for some good information on setting up an e-mail server, and in the near future a Web server, on our company's network. Both servers should be located in the DMZ, correct? Security, along with functionality, is the primary concern. However, I'm having trouble locating any information on a best practices summary to help guide me on my way. What would be your recommendation and do you know of any good info out on the web?

    Requires Free Membership to View

    Login

It's been my experience that UNIX is a far more secure OS than its Windows counterpart. However, you can take additional steps (e.g., disable unnecessary services) to make a Windows OS more secure, which will be easier to administer than UNIX in general. Since security is your primary concern, it's important to operate your email server -- and especially your web server -- on a secure OS. (Your email and web server should not run on the same server for security reasons.) Which OS you choose also depends on what in-house skill set or resource exists to support the server platform. The important thing is that you keep both the OS and the application -- whether its email or web server -- consistently updated with the latest and tested security hot fixes at both levels.

Keep in mind that SMTP (TCP port 25) is permitted through the firewall or proxy server to allow incoming and outgoing email messages. In other words, establishing and maintaining a secure OS and email or web server is not enough since SPAM permeates SMTP. In addition to OS and email security, you'll need to implement an anti-SPAM integrated or intermediary server solution that filters email messages and maintains a blacklist of spammers. Another alternative is to hire an outside company to provide the SPAM filtering service for your site.

As you can already see, setting up an email server and a future web server for your company demands more than just good information when security is of primary concern. I applaud you for starting here and making an effort to understand the dynamics involved when it comes to a secure email and web server setup. Depending on the role of the web server (e.g., to host public sites), you could place the server outside the firewall with ACL's configured on your perimeter router, or you could set up the web server in the DMZ; as for the location of email server, I have typically configured this server behind the firewall on the internal network or subnet. The latter location supports minimal holes in the firewall when configuring a front-end web server (e.g., OWA) to access a back-end email server (e.g., Exchange Server).

I have included below some links that provide good information and best practice instructions for UNIX SendMail, Exchange Server, Apache and IIS. I'm sure that there are other viable solutions, but these are the ones that I'm most familiar with and support.

http://www.linuxsecurity.com
http://www.secinf.net
http://www.cert.org/security-improvement/
http://www.microsoft.com/technet/prodtechnol/exchange/2003/exbpaqsg.mspx
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/deploy/rollout/websrvbp.mspx
http://www.apacheweek.com/security/

This was first published in September 2004

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top