Contents
Title and Copyright Information
Preface
Audience
Related Documents
Documentation Accessibility
1 Messaging Server Security Overview
Basic Security Considerations
Understanding the Messaging Server Environment
Overview of Messaging Server Security
Understanding Security Misconceptions
Other Security Resources
Recommended Deployment Topologies
Securing Your Firewall/DMZ Architecture
Using a Firewall to Allow Connections
Planning Secure High Availability and Load Balancing for Your Deployment
Operating System Security
Minimizing Operating System Security Risks
Firewall Port Configuration
Secure Communications
LDAP Security
2 Planning Messaging Server Security
Protecting Messaging Components in Your Deployment
Protecting MTAs
Integrating Third-Party Anti-spam and Anti-virus Software
Monitoring Your Security
Access Controls
Preventing Relaying From Outside Hosts
Conversion Channels and Third Party Filtering Tools
RBL Checking
Client Access Filters
Protecting the Message Store
Protecting MMPs
Planning Messaging User Authentication
Plain Text and Encrypted Password Login
Authentication with Simple Authentication and Security Layer (SASL)
Enabling Authenticated SMTP
Certificate-based Authentication with Secure Sockets Layer (SSL)
Client-based Authentication with Secure Sockets Layer (SSL)
Third-Party Authentication Server Support
Messaging Multiplexor (MMP) Support
IMAP/POP/SMTP Support
Sample Code
Planning Message Encryption Strategies
Encryption with SSL
SSL Ciphers
Signed and Encrypted S/MIME
Planning a Messaging Server Anti-spam and Anti-virus Strategy
Anti-spam and Anti-virus Tools Overview
Milter
Access Control
Mailbox Filtering
Address Verification
Real-time Blackhole List
Relay Blocking
Authentication Services
Sidelining Messages
Comprehensive Tracing
Conversion Channel
MeterMaid
memcached
Anti-spam and Anti-virus Considerations
Architecture Issues with Anti-spam and Anti-virus Deployments
Security Issues with Anti-spam and Anti-virus Deployments
Implementing an RBL
Developing an Anti-spam and Anti-virus Site Policy
3 Performing a Secure Messaging Server Installation
Installing Infrastructure Components Securely
Credentials Needed to Install Messaging Server Components
Post-Installation Configuration
4 Implementing Messaging Server Security
Security Features
Messaging Server Security Strategy for your Deployment
Creating a Security Strategy
Identifying Password Policy Requirements
Verifying File Ownership for Configuration Files
Securely Monitoring and Auditing Your Messaging Server Deployment
Tracking Security Patches
Identifying Legal-intercept Requirements
Securing Your Archiving Needs
Disabling Users in Response to Abuse/Appeal Process
Utilizing a Disk Consumption Growth Plan
Preventing Unrelated Usage of Messaging Server Hosts and Virtual Machines
Determining Security Capabilities of Your Supported Mail Clients
MTA Security Guidelines
About Messaging Server Anti-spam and Anti-virus Solutions
Creating a Narrow Scope of MTA Relay Blocking in INTERNAL_IP Mapping Table
Using LMTP to Connect to Inbound MTAs and in Multi-tier Deployments
Greylisting
Forbidding Emailing Executable Code
Using and Configuring MeterMaid for Access Control
Using and Configuring memcache for Access Control
Setting MTA Recipient Limits
Using Sieve Securely
Using the MTA to Fix Messages from Bad Clients
Configuring Secure ETRN Command Support
Storing BadGuy Details in Memcached Server
Installing Memcached Server
Configuring Bad Guys for Memcached Server
Clearing Memcached Server Data
ENS Security Guidelines
Message Store Security Guidelines
Securing Your Backup System
Options for Securing Messaging Server
Being Aware of IMAP ACLs
Disabling IMAP Shared Folders if Not Needed
MMP Security Guidelines
User Authentication Guidelines
Acquiring SSL Server Certificates for the Server Domains
Requiring SMTP Authentication for Mail Submission
Message Encryption Guidelines
Determining SSL Cipher Suites
Using Solaris Crypto Framework in Place of NSS Default Software Token
Security Considerations for Developers
5 Using Role-Based Access Control
Overview of Role-Based Access Control
Theory of Operations
Setting Up and Using RBAC for Solaris
Setting Up and Using RBAC for Linux
Configuring Non-Root Users with Messaging Server
Messaging Server Privileges and Executable Files
Reference Information
6 Protecting Against Email Spammers
Overview of Email Spammers and Compromised User Accounts
Preventing Outbound Spam: Proactive Methods
Preventing Outbound Spam: Reactive Measures
Blocking Submissions of Local Senders Who Might Be Spammers
Rate Limiting All Outgoing Email
Rate Limiting Submission Based on the Authenticated Sender
Rate Limiting Only Outgoing Spam
Reject/Discard All Outbound Spam
Setting Up a No Phishing Zone
Recovering From Phishing Attacks That Have Compromised User Accounts
Greylisting Webmail
Installing and Configuring Greylisting for Webmail
Troubleshooting Your Greylisting Deployment
HTML Filtering in Convergence
Enabling HTML Filtering in Convergence
Enabling Messaging Server to Accept mshttpd Client Requests
Domain Keys Identified Mail (DKIM)
7 Security and Access Control in Messaging Server
About Server Security
About HTTP Security
Configuring Authentication Mechanisms in Messaging Server
Overview
To Configure Access to Plaintext Passwords
To Configure Directory Server to Store Cleartext Passwords
To Configure Messaging Server for Cleartext Passwords
Transitioning Users
To Transition Users
Configuring Client Access to POP, IMAP, and HTTP Services
How Client Access Filters Work
Filter Syntax
Wildcard Names
Wildcard Patterns
Server-Host Specification
Filter Examples
Mostly Denying
Mostly Allowing
Denying Access to Spoofed Domains
Controlling Access to Virtual Domains
Controlling IMAP Access While Permitting Access to Webmail
To Create Access Filters for Services
To Create Filters by Using the Command Line
Configuring Encryption and Certificate-Based Authentication
Encryption and Certificate-Based Authentication Overview
Obtaining Certificates
To Manage Internal and External Modules
Creating a Password File
Obtaining and Managing Certificates
Implementing Secure Connections Using Two Different Certificate Authorities (CAs)
To Enable SSL and Selecting Ciphers
About Ciphers
Specify SSL Certificate
Configuring Individual Messaging Processes for SSL
To Configure MMP for SSL
To Configure IMAP for SSL
To Configure POP for SSL
To Configure HTTP for SSL
To Configure SMTP for SSL
To Verify the SSL Configuration
Configuring Indexed Search Converter for SSL
Configuring ISC for SSL Using a Self-Signed Certificate
Configuring ISC for SSL Using a CA-Signed Certificate
Setting Up Certificate-Based Login
To Set Up Certificate-Based Login
User/Group Directory Lookups Over SSL
8 Certificate-Based Authentication for Messaging Server
Introduction: SSL/TLS, Client Certificates and CRLs
Authentication Technology Overview
SSL/TLS Overview
Certificate Authentication Overview
Certificate and Key Storage Overview
SSL/TLS/Certificate Standards Overview
SSL/TLS Tools Available in Messaging Server Installer
Utilities Used to Manage Certificates
Certificate and Key Storage
Modifying the Certificate Format
Checking the NSS version
SSL/TLS Configuration
SSL-Related Settings
Dispatcher SSL-Related Settings
Messaging Transfer Agent (MTA) SSL-Related Channel Options
SMTP Channel Options
MMP SSL-Related Settings
certmap.conf Settings
SSL/TLS Tasks
How to Create and Install a Self-signed CA Certificate and Key
How to Create and Install a CA-signed Server Certificate and Key
How to Create a CA-signed Client Certificate and Key
How to Test a CA-signed Client Certificate and Key
How to Create and Install a CRL for a Client Certificate
How to Test a CRL for a Client Certificate
How to Look Up Numeric SSL/TLS Error Codes
Sample Protocol Sessions with Client Certificate Authentication
IMAP (STARTTLS) default port 143
Submission (STARTTLS) Default port 587
POP (STLS) default port 110
IMAPS typical port 993
Submissions typical port 465
POPS typical port 995
SSL/TLS Best Practices
Client Certificate SSL/TLS Best Practices
Messaging Server and SSL/TLS: Known Limitations
Administrative Proxy with a Certificate
Proxy IMAP Authentication Limitations
Proxy MMP (IMAP/POP/SMTP-Submission) Authentication Limitations
Internal Protocols Lacking Support for SSL and/or Authentication
Disabling Passwords-Over-SSL
Hosting Multiple Domains with SSL
CRL Updates and OCSP
Time Delay for Updates to CRLs or New Certificates
References
9 Configuring Messaging Server and Solaris Cryptographic Framework
About the Solaris Cryptographic Framework
Configuring Messaging Server for SSL
About the pk12util Command
Creating the Certificate Database and Add Certificate/Key Pairs
Obtaining a Certificate
Adding Certificates to the NSS Software Token
Listing the Default NSS Certificates
Configuring Individual Messaging Processes for SSL
Configuring MMP for SSL
Configuring IMAP for SSL
Configuring POP for SSL
Configuring HTTP for SSL
Configuring SMTP for SSL
Verifying the SSL Configuration
Configuring the Solaris Cryptographic Framework (SCF)
Setting Up the SCF Software Token Pin
Administering the Cryptographic Framework by Using cryptoadm
Configuring the SCF Provider
Adding the Solaris Cryptographic Framework as a Service Provider
Enabling the Slot Named Sun Metaslot
Exporting the Certificate/Key Pairs From the NSS Soft Token
Importing the Key/Certificate Pairs to the Sun Metaslot (SCF)
Verifying the Successful Importation of the Certificate/Key Pairs
Configuring Messaging Server to Use the External Token
Configuring Messaging Server Processes to Use the External Token
Starting and Debugging Messaging Server Services