Product » Xeams » Knowledge Base
|Subject:||Best Practices - Prevent hackers from guessing passwords|
|Creation date:||7/3/18 12:42 PM|
|Last modified on:||1/8/20 5:24 AM|
Prevent hackers from stealing passwords
Any publicly facing server is vulnerable to attacks from the Internet. These attacks are typically severe
against well-known servers like SMTP and HTTP since the TCP/IP port for these services is publicly known.
Hackers know that most email servers will contain user login information allowing them to send outbound
emails, increasing its vulnerability. This article talks about some best practices to prevent hackers from
guess passwords through your email server.
Most email servers contain at least 3 TCP/IP servers: SMTP, POP3, and IMAP. Some servers, such as Xeams,
also include an HTTP server. As the saying goes, "your network is as strong as your weakest link."
Therefore, it is essential you secure every path of entry from the Internet.
The timeline for an attack can be broken into two phases:
- Attack prevention - pro-active approach
- Recovery from an attack after it occurs
Consider the following tips to secure your email server minimizing the risks of a breach.
Disable SMTP Authentication
A common mistake is to enable SMTP Authentication on your primary SMTP port (TCP/IP 25)
even when it is not needed. Consider the following email flow diagram demonstrating a classic example
when SMTP Authentication should be disabled in Xeams.
The following assumptions are made in this example:
- You're using MS Exchange as your primary email server
- Users use MS Outlook or the OWA to send their outbound emails. In either case,
emails go to Exchange first and then are forwarded to Xeams before reaching its
- You have configured Xeams to accept relaying from the IP address where Exchange is running
- The regular SMTP server in Xeams handles both inbound and outbound emails
Since no user on the Internet needs to authenticate with their credentials to the SMTP server in Xeams,
consider disabling SMTP AUTH for port 25. This is done by following the steps below.
- Log in to Xeams web interface as admin
- Click SMTP Configuration under Server Configuration
- Uncheck the box for Allow SMTP Authentication
Once done, no one will be able to enter a user id/password through SMTP. They will get a
error if they attempt to send a user id/password.
Another mistake administrators make is to leave the POP3/IMAP server running even when no
user connects to fetch emails. Consider disabling POP3 and/or IMAP servers if no one connects to them.
Xeams contain many logs that will help you see if something out of ordinary is happening. For example:
- Intrusion Detection logs - Click here for details.
- InvalidPasswordAttempts.log - contains attempts made by users trying to guess passwords.
Use Custom Ports
When it comes to HTTP(S), IMAP and POP3, you can always ask your users to connect to a non-default port.
Since hackers do not know the port, number of attacks will go down tremendously.
Unfortunately, you will not be able to do that for SMTP server, since every incoming email is sent to
Go to Manage Alerts under Server Configuration and ensure alerts are properly configured. Additionally, make
sure the email address specified for the administrator in Xeams is correct. Xeams often generates email if something
out of ordinary is detected.
Recovering From An Attack
Consider the following steps if you think someone has gained access to a user account and is now misusing it to send their
Identify the User
The first step in mitigating the risks from a compromised user account is to identify the actual account. Consider the following
tips for identifying a user.
- Authenticated Messages report lets the administrator know if a particular user has sent more than a pre-determined
number of emails in an hour. An email alert is also sent to the administrator once the user goes beyond a specified threshold.
SMTPConversation.log and look for the
AUTH LOGIN command sent by the SMTP client. The following
lines will contain user's account name encoded in BASE64.
- Daily and Weekly reports also give a good summary of messages that are sent and received.
Change the user's password as soon as you identify the user account this is compromised.
Clear Outbound Queue
When a user id is compromised, someone on the Internet will be able to send their junk through your server. As a result, you
will see quite a few non-deliverable messages sitting in the outbound queue. Click Manage Outbound Queue under
Message Repository and delete the unwanted messages. If there are too many files, you can manually delete the files
at the OS level. On Windows, these files are stored in
C:\Xeams\OutboundMailQueue. On Linux, the path is
Add a comment to this document
Do you have a helpful tip related to this document that you'd like to share
with other users? Please add it below. Your name and tip will appear at the
end of the document text.