Enhance email server security against hacking using a VPN on CentOS/RHEL
09:00, 11.12.2023
Securing Email Server with a VPN
This article is for anyone who wants to harden a self-hosted email server against attacks from the internet by putting its client-facing services behind a self-hosted VPN. Attackers probe mail servers constantly; once they obtain working credentials or otherwise get in, they either steal mail or use the server to send large volumes of spam. Restricting POP3, IMAP, submission and the webmail/admin interfaces to VPN clients removes those services from the public attack surface and greatly reduces the chance of such a compromise.
This article assumes you already run a mail server and a VPN server; if not, set both up first. There are two layouts: the VPN server runs on the same host as the mail server, or on a separate host.
Running them as two separate servers is the simpler option and keeps the configuration below straightforward. If both run on one host, you additionally need a response policy zone on the VPN's DNS resolver so that VPN clients resolve the mail hostname through that resolver (this is also why the DNS-over-HTTPS section later in this article applies to that layout).
Locking Down Ports
Once mail and VPN are both working, the first firewall step on the mail host is to whitelist the VPN server's IP address in firewalld, i.e. add it as a trusted source, so that every connection arriving from the VPN is accepted regardless of which ports you close next. Substitute the VPN server's real address for the placeholder 12.34.56.78, then reload firewalld.
Now lock down the client-facing ports. Close POP3 (110 and 995), IMAP (143 and 993) and submission (587 and 465) in the firewall: these are the ports that attackers brute-force for credentials. Because the VPN server's address was whitelisted in the previous step, only clients connected to the VPN can still reach them.
Port 25 must stay open: other SMTP servers deliver inbound mail to it, and without it you stop receiving email.
To remove these services and ports on RHEL and CentOS, run:
sudo firewall-cmd --permanent --remove-service={smtp-submission,smtps,imap,imaps,pop3,pop3s}
sudo firewall-cmd --permanent --remove-port={587/tcp,465/tcp,143/tcp,993/tcp,110/tcp,995/tcp}
firewalld prints a NOT_ENABLED warning for any service or port that was not open in the zone to begin with; that is harmless. Then reload firewalld:
sudo systemctl reload firewalld
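The whole lock-down as one script, added here as an illustration rather than taken from the article. It assumes the VPN whitelist goes into firewalld's trusted zone (the zone is not named above) and that the client-facing services live in the public zone; 12.34.56.78 is a placeholder. FIREWALL_CMD can be set to echo to dry-run it:

```shell
#!/bin/sh
# Lock down a CentOS/RHEL mail host with firewalld: trust the VPN server's
# address, drop the client-facing mail services, keep port 25 for inbound SMTP.
# Added example; FIREWALL_CMD is overridable so it can be dry-run
# (FIREWALL_CMD=echo prints the commands instead of running them).
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Assumed placeholder for the VPN server's public address.
VPN_IP="${VPN_IP:-12.34.56.78}"

# Client-facing services/ports to remove from the public zone. Plain "smtp"
# (port 25) is deliberately absent: inbound mail from other MTAs must keep arriving.
MAIL_SERVICES="smtp-submission smtps imap imaps pop3 pop3s"
MAIL_PORTS="587/tcp 465/tcp 143/tcp 993/tcp 110/tcp 995/tcp"

# Accept only a dotted IPv4 address or CIDR, so a hostname or typo fails fast
# before anything is added to the trusted zone.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Add the VPN server to the "trusted" zone, which accepts all traffic from its
# sources; this is what lets VPN users reach the ports closed below.
whitelist_vpn() {
    valid_ipv4 "$VPN_IP" || { echo "refusing to trust '$VPN_IP'" >&2; return 1; }
    "$FIREWALL_CMD" --permanent --zone=trusted --add-source="$VPN_IP"
}

# Remove the services and the raw ports from the public zone. firewalld warns
# NOT_ENABLED for entries that were never open; that is harmless.
lock_mail_ports() {
    for svc in $MAIL_SERVICES; do
        "$FIREWALL_CMD" --permanent --zone=public --remove-service="$svc"
    done
    for port in $MAIL_PORTS; do
        "$FIREWALL_CMD" --permanent --zone=public --remove-port="$port"
    done
}

apply_rules() {
    whitelist_vpn && lock_mail_ports && "$FIREWALL_CMD" --reload
}

# Post-check on the public zone's service list (one string, space separated,
# as printed by "firewall-cmd --zone=public --list-services"): fail if any
# client-facing service is still exposed or if smtp itself went missing.
verify_services() {
    for svc in $MAIL_SERVICES; do
        if echo "$1" | tr ' ' '\n' | grep -qx "$svc"; then
            echo "still exposed: $svc" >&2
            return 1
        fi
    done
    echo "$1" | tr ' ' '\n' | grep -qx smtp || { echo "smtp (port 25) is not open" >&2; return 1; }
    return 0
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules && verify_services "$("$FIREWALL_CMD" --zone=public --list-services)"
fi
```

Run it as sudo VPN_IP=<vpn address> ./lockdown.sh --apply; with FIREWALL_CMD=echo it only prints what it would do. The final verify_services step is the check worth keeping: it catches the two mistakes that matter here, a client port still reachable from the internet and port 25 accidentally removed.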
Safeguarding the Admin Panel and Webmail
The webmail and admin panel could be protected the same way by closing ports 80 and 443 in the firewall, but that blocks every virtual host on the machine, not only webmail. Many setups serve other public websites as virtual hosts from the same Nginx or Apache instance, and those must stay reachable. The way out is to apply the restriction per virtual host, using the web server's own access-control directives.
Nginx Security
For Nginx, start by opening the virtual host file for the mail domain:
sudo nano /etc/nginx/conf.d/mail.your-domain.com.conf
Inside the server block, add the following two lines. allow lists the VPN server's address and deny all rejects every other client:
allow 12.43.23.45;
deny all;
If you run several VPN servers, add one allow line per VPN address, all of them before the deny all line (Nginx evaluates these directives in order and stops at the first match). Save and close the file, test the configuration (sudo nginx -t) and, if it passes, reload Nginx. From then on, any client not on the whitelist receives a 403 Forbidden response.
Apache Security
On RHEL and CentOS the Apache virtual host files live in /etc/httpd/conf.d/. Open the TLS virtual host for the mail domain:
sudo nano /etc/httpd/conf.d/mail.your-domain.com-le-ssl.conf
Inside the <VirtualHost>...</VirtualHost> block, add a Require ip directive listing the VPN server's address. Require is only valid in a directory-type context, so wrap it in a <Location "/"> section rather than placing it directly under <VirtualHost>; Apache then denies every other client:
<Location "/">
    Require ip 12.45.54.11
</Location>
Several addresses go on the same Require ip line, separated by spaces:
<Location "/">
    Require ip 45.34.11.78 15.45.23.69
</Location>
Save and close the file, test the Apache configuration (sudo apachectl configtest) and reload it. Clients not on the whitelist receive a 403 Forbidden response.
Disabling DNS Over HTTPS in Your Web Browser
If the mail and VPN servers share one host, disable DNS over HTTPS (DoH) in your browser:
- While the machine is connected to the VPN, its DNS queries already travel inside the encrypted tunnel, so DoH adds nothing.
- With DoH enabled, the browser sends its queries to a third-party resolver instead of the VPN's own resolver (and the response policy zone configured there). The webmail and admin panel hostnames then no longer resolve to an address the whitelist permits, and you cannot reach them.
The setting's name and location vary by browser: Firefox keeps it under the network settings, Chrome under Privacy and Security. After disabling it, close and reopen the browser and wait a moment; access should then return. If it still fails, clear the browser's cache.
Renewing Certbot TLS Certificates
If you enabled the whitelist in Nginx or Apache, Let's Encrypt's validation servers are blocked as well, because they connect from their own addresses rather than through your VPN, and certificate renewal with the HTTP-01 challenge fails. The workaround used here is to lift the whitelist immediately before renewal and restore it immediately afterwards. (Two alternatives avoid lifting it at all: exempt only the ACME challenge path, /.well-known/acme-challenge/, from the whitelist, or switch to the DNS-01 challenge.)
Start by creating a shell script in the /root/ directory:
sudo nano /root/certbot-renewal.sh
If you use Nginx, add the following lines to the file; the path must be the virtual host file you edited earlier:
#!/bin/bash
# lift the whitelist by commenting out "deny all;"
sed -i 's/deny all;/#deny all;/g' /etc/nginx/conf.d/mail.your-domain.com.conf
systemctl reload nginx
certbot renew --quiet
# restore the whitelist
sed -i 's/#deny all;/deny all;/g' /etc/nginx/conf.d/mail.your-domain.com.conf
systemctl reload nginx
If you use Apache, add these lines instead. On RHEL and CentOS the service unit is httpd (apache2 is the Debian/Ubuntu name):
#!/bin/bash
# lift the whitelist by commenting out "Require ip ..."
sed -i 's/Require ip/#Require ip/g' /etc/httpd/conf.d/mail.your-domain.com-le-ssl.conf
systemctl reload httpd
certbot renew --quiet
# restore the whitelist
sed -i 's/#Require ip/Require ip/g' /etc/httpd/conf.d/mail.your-domain.com-le-ssl.conf
systemctl reload httpd
Save and close the file, make it executable, and add an entry to the root user's crontab that runs it once a day. Note that certbot renew only renews certificates that are close to expiry, so most daily runs change nothing, yet the script still lifts the whitelist briefly on every run; make sure it always reaches the line that restores the whitelist, otherwise the webmail stays open to the internet.
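A more defensive version of the renewal script, added as an example and not taken from the article. It serves both Nginx and Apache, anchors the sed patterns so that a repeated or interrupted run cannot double-comment the line and leave the whitelist permanently disabled, and uses certbot's --pre-hook/--post-hook so the whitelist is lifted only when a certificate is actually due. The vhost paths are the article's placeholders and are assumptions:

```shell
#!/bin/sh
# Added example: lift the Nginx/Apache IP whitelist only while certbot needs the
# HTTP-01 challenge, then restore it. Assumes the vhost paths below (the
# article's placeholders) and that the whitelist is a "deny all;" (Nginx) or
# "Require ip ..." (Apache) line.
#
#   certbot-renewal.sh renew nginx|httpd        - what cron runs
#   certbot-renewal.sh open|close nginx|httpd   - what certbot runs as hooks

NGINX_CONF="${NGINX_CONF:-/etc/nginx/conf.d/mail.your-domain.com.conf}"
HTTPD_CONF="${HTTPD_CONF:-/etc/httpd/conf.d/mail.your-domain.com-le-ssl.conf}"

conf_for() {
    case "$1" in
        nginx) echo "$NGINX_CONF" ;;
        httpd) echo "$HTTPD_CONF" ;;
        *) echo "unknown server: $1" >&2; return 1 ;;
    esac
}

# Comment out the access-control line. The pattern is anchored to the start of
# the line, so running it twice cannot produce "##deny all;" (which the restore
# step would turn back into a still-commented "#deny all;").
open_whitelist() {
    case "$1" in
        nginx) sed -i -E 's/^([[:space:]]*)deny all;/\1#deny all;/' "$2" ;;
        httpd) sed -i -E 's/^([[:space:]]*)Require ip /\1#Require ip /' "$2" ;;
        *) echo "unknown server: $1" >&2; return 1 ;;
    esac
}

# Restore it; only lines carrying the marker open_whitelist added are touched.
close_whitelist() {
    case "$1" in
        nginx) sed -i -E 's/^([[:space:]]*)#deny all;/\1deny all;/' "$2" ;;
        httpd) sed -i -E 's/^([[:space:]]*)#Require ip /\1Require ip /' "$2" ;;
        *) echo "unknown server: $1" >&2; return 1 ;;
    esac
}

# True when an uncommented whitelist line exists, i.e. the vhost is locked down.
whitelist_active() {
    case "$1" in
        nginx) grep -Eq '^[[:space:]]*deny all;' "$2" ;;
        httpd) grep -Eq '^[[:space:]]*Require ip ' "$2" ;;
        *) return 1 ;;
    esac
}

# certbot runs --pre-hook only when a certificate is due, so on most days the
# whitelist is never lifted. close is repeated after certbot returns as a safety
# net (it is idempotent), and the script fails loudly if the vhost is still open.
renew() {
    conf="$(conf_for "$1")" || exit 1
    certbot renew --quiet \
        --pre-hook "$0 open $1" \
        --post-hook "$0 close $1"
    close_whitelist "$1" "$conf" && systemctl reload "$1"
    whitelist_active "$1" "$conf" || { echo "whitelist NOT restored in $conf" >&2; exit 1; }
}

case "${1:-}" in
    open)  conf="$(conf_for "$2")" && open_whitelist "$2" "$conf" && systemctl reload "$2" ;;
    close) conf="$(conf_for "$2")" && close_whitelist "$2" "$conf" && systemctl reload "$2" ;;
    renew) renew "${2:-nginx}" ;;
    "")    ;;   # no sub-command: only define the functions
    *)     echo "usage: $0 renew|open|close nginx|httpd" >&2; exit 2 ;;
esac
```

The cron entry then calls /root/certbot-renewal.sh renew nginx (or httpd). Invoke it by absolute path, since the hook commands are built from $0.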
Considering SSH Port Security
After whitelisting the VPN you could close the SSH port in the firewall like the other ports. This adds a real risk, however: if the VPN server is down or misconfigured, you are locked out of the mail host with no way in short of your hosting provider's console. It is therefore usually better to leave SSH reachable and harden it instead: require public-key authentication (and disable password logins), or add two-factor authentication.
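A check for the hardening just described, added here as an example and not part of the article: it reads an sshd_config and reports whether key-based login is on and password login (including root password login) is off. It assumes OpenSSH's documented defaults for absent keywords and deliberately mirrors sshd's rule that the first occurrence of a keyword wins; files pulled in via Include are not followed, and settings inside Match blocks are ignored because they are conditional:

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings the article recommends
# instead of firewalling SSH. Usage: ./audit-sshd.sh /etc/ssh/sshd_config
# Assumes keyword/value pairs separated by whitespace (the usual form) and
# OpenSSH's defaults for keywords that are absent.

# Print the effective value of keyword $2 in file $1, lower-cased: the first
# uncommented match wins (as in sshd), and $3 is the default if none is found.
# Reading stops at the first Match line, since later settings are conditional.
effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*(#|$)/            { next }    # comments and blank lines
        tolower($1) == "match"    { exit }    # conditional block: stop here
        tolower($1) == key && !found { val = $2; found = 1 }
        END { if (!found) val = def; print tolower(val) }
    ' "$1"
}

# Return 0 when the config enforces key (or key+2FA) logins, 1 otherwise,
# naming each weak setting on stderr.
audit_sshd() {
    cfg="${1:-/etc/ssh/sshd_config}"
    rc=0
    [ "$(effective "$cfg" PubkeyAuthentication yes)" = yes ] \
        || { echo "PubkeyAuthentication is disabled" >&2; rc=1; }
    [ "$(effective "$cfg" PasswordAuthentication yes)" = no ] \
        || { echo "PasswordAuthentication is still allowed" >&2; rc=1; }
    [ "$(effective "$cfg" PermitRootLogin prohibit-password)" != yes ] \
        || { echo "PermitRootLogin yes allows root password logins" >&2; rc=1; }
    [ "$(effective "$cfg" PermitEmptyPasswords no)" = no ] \
        || { echo "PermitEmptyPasswords is enabled" >&2; rc=1; }
    return "$rc"
}

if [ -n "${1:-}" ]; then
    audit_sshd "$1"
fi
```

The defaults matter: an sshd_config that never mentions PasswordAuthentication still permits passwords, so an empty or untouched file fails the audit. Run it before closing anything in the firewall and again after every change to the file.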
To Sum Up
Email server security deserves deliberate planning. The steps in this article raise the bar considerably and reduce the risk of credential attacks and spam abuse: closing the client-facing mail ports to everyone but VPN users, restricting the admin panel and webmail by IP at the web server, keeping certificate renewal working despite the whitelist, and hardening SSH rather than cutting yourself off from it.