Securing your Mail Exchange System

It’s not enough to simply have an email mail exchanger that you manage. It requires some basic level of improvement to be in any way regarded as secure. Our aim here is to minimise the impact of an attack on the system. That’s the aim of every information security system we put in place.

We’re making a few assumptions in this post. Namely…

  1. You’re already using good, secure password practices for all your users.
  2. You have a CSF (Cyber Security Framework) or similar to guide your overall security decision making and strategy throughout the business.
  3. You manage your Mail Exchange System, or are responsible for those who do (CEO, CTO, CIO etc.).

So if you already have all your users adhering to good, secure password practice, let’s consider the whole system.

Is your Email Exchanger secure for your users? If you are a business it is also critical to protect your entire email system. Most people in business tend to use one of the following…

  1. Microsoft Exchange Online
  2. Microsoft Exchange On Premise
  3. Gmail (GSuite for Business)
  4. Linux / BSD based On Premise systems
  5. A “free” account that came with their website or similar.
    1. Remember, if you don’t pay for the product, you are the product, so free is never free. In fact it is usually the most costly in the long run.

Not a single one of these common business MXs (which account for over 95% of business email throughout the world) comes secure as standard. When these companies build these products they build them easy to access and simple. They don’t build them secure. They do this purely so you will adopt them. All of them require extensive alteration to make them more secure.

There’s not enough space here to go through how to effectively secure every type of email system, so let’s give some generalisations.

MX Baseline

Below is a very basic standard baseline. If your MX does not have these basics, you are behind the eight ball to start with.

First and Foremost though, understand what you’re setting out to achieve. Don’t just blindly follow a guide.

Also, use best-practice change management processes. Don’t wreck your system by changing things with no plan. Okay, here’s a sturdy basic baseline for an MX you manage:

  1. Secure your domain. Time and again we see businesses that have had their domain delegation tampered with. Please secure your domain and its delegation.
  2. DNS: Secure your DNS. Make sure record changes to your zone file are carefully controlled. SPF, DKIM, DMARC and DNSSEC are all tools you also have at your disposal for DNS protection. Use the tools most appropriate for your business.
  3. Patch Patch PATCH. If you run an on premise exchanger (MS Exchange or one of the excellent Linux options) keep it up to date and follow best practices regarding redundancy. If you can’t do this, move it to Exchange OnLine.
  4. Link Scanners/Sanitisers: All inbound links should be at least scanned, if not sanitised, BEFORE the users get to see them. None of them are perfect, but it is another layer in the cyber defences. Put it on the Mail Exchanger though; on the endpoint it is not nearly as effective.
  5. Attachment Scanners/Sanitisers: As above.
  6. Malicious and Blacklist traffic dropping goes without saying.
  7. Multi Factor Authentication (MFA/2FA).
    1. Biometrics are great. A good option.
    2. U2F style tokens are a close second (Yubikey etc)
    3. Software tokens (authenticator apps) are next
    4. SMS code is okay, but still way better than no MFA
    5. Location based is also way better than nothing.
  8. Turn off protocols that are not needed. e.g. O365 rarely needs POP3, IMAP, EWS etc. enabled, but they’re on by default.
  9. Enable extended log retention. I personally think 1 year is minimum. Also consider SIEMs such as Chronicle Backstory for excellent visibility into the past.
  10. Redundancy. It goes without saying that ANY system needs to be backed up and fully replicable. Redundancy is also generally required.
  11. Firewall and access control is also required. You need to carefully control what and who can access your systems. Obviously “Most” other systems should be able to send mail to it, but logging in to mailboxes should be tightly controlled.
  12. Alerting: Have your system send alerts if anomalies happen. Sending them into a SIEM as well as other alerting systems is obviously best.
    1. Privilege escalation
    2. Forwarding rules added
    3. Delegation changes
    4. Logins from multiple locations
    5. Logins from unusual locations
    6. TOR exit node access
    7. Change in protocol availability
    8. Other alerting required for your system
  13. Regular auditing of the system for security issues.
  14. You will have noticed by now that if your system doesn’t support these features (very few free ones do) it may be time for a new Mail Exchanger system.
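The DNS item in the baseline names SPF and DMARC as tools at your disposal, but a record that exists is not the same as a record that protects. The following Python checker is an added example for this post (not the author's code) that parses the two TXT record formats and reports the weaknesses a reviewer would look for: an SPF record ending in `+all` or `?all`, more than 10 DNS-lookup terms (which causes a permerror), a deprecated `ptr` mechanism, and a DMARC record still at `p=none`, without a reporting address, or applied to only part of the mail. The sample records are constructed using documentation domains and addresses.

```python
"""Syntax and policy-strength checks for SPF and DMARC TXT records.

Added example for this post, not part of the original. The sample records
are constructed (example.com / example.net) and the thresholds follow
RFC 7208 (SPF) and RFC 7489 (DMARC).
"""
import re

# One SPF mechanism: optional qualifier, mechanism name, optional ":argument"
SPF_MECHANISM = re.compile(
    r"^(?P<qual>[+\-~?]?)(?P<mech>all|include|a|mx|ptr|ip4|ip6|exists)"
    r"(?::(?P<arg>\S+))?$",
    re.IGNORECASE,
)
# SPF modifiers use "name=value" rather than "name:value"
SPF_MODIFIER = re.compile(r"^(?P<name>redirect|exp)=(?P<val>\S+)$", re.IGNORECASE)
# Mechanisms (plus redirect=) that cost a DNS lookup; RFC 7208 allows 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed sample records (hypothetical values for illustration only)
SAMPLE_RECORDS = {
    "spf_strict": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    "spf_open": "v=spf1 ip4:203.0.113.0/24 +all",
    "spf_too_many_lookups": "v=spf1 "
    + " ".join(f"include:spf{i}.example.net" for i in range(11))
    + " -all",
    "dmarc_enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
    "dmarc_monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}


def check_spf(record):
    """Return a list of findings for an SPF record; an empty list means no issues."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: it must start with v=spf1"]
    lookups = 0
    all_qualifier = None
    has_redirect = False
    for term in terms[1:]:
        mech = SPF_MECHANISM.match(term)
        if mech:
            name = mech.group("mech").lower()
            if name in LOOKUP_MECHANISMS:
                lookups += 1
            if name == "ptr":
                findings.append("ptr mechanism is deprecated (RFC 7208 s5.5); remove it")
            if name == "all":
                all_qualifier = mech.group("qual") or "+"
            continue
        modifier = SPF_MODIFIER.match(term)
        if modifier:
            if modifier.group("name").lower() == "redirect":
                lookups += 1
                has_redirect = True
            continue
        findings.append(f"unrecognised term: {term}")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceeds the limit of 10 (permerror)")
    if all_qualifier is None and not has_redirect:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorises every sender: the record gives no protection")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral; use ~all (softfail) or -all (fail)")
    return findings


def check_dmarc(record):
    """Return a list of findings for a DMARC record; an empty list means no issues."""
    findings = []
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].lower() != "v=dmarc1":
        return ["not a DMARC record: it must start with v=DMARC1"]
    tags = {}
    for part in parts[1:]:
        if "=" not in part:
            findings.append(f"malformed tag: {part}")
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine or reject once reports are clean")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy value: {policy}")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        findings.append(f"invalid pct value: {pct}")
    elif int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only part of failing mail")
    return findings


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        checker = check_spf if name.startswith("spf") else check_dmarc
        print(name, "->", checker(record) or ["ok"])
```

To use it against a live domain, fetch the TXT records for `yourdomain` and `_dmarc.yourdomain` with your resolver of choice and pass each string in; the checker deliberately does no network lookups itself, so it can run as a unit test against the records you keep in version control as part of the change-controlled zone file the baseline calls for.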
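The alerting item lists the events worth paging on but leaves the detection logic to the reader. Here is an added example (not the author's code and not any vendor's product) of those checks run over a mailbox audit feed: a forwarding or redirect rule being created, a mailbox delegation being added, the same user logging in from two countries within an hour, and a protocol such as POP being re-enabled on a mailbox. The log lines are constructed; the field names (`ts`, `user`, `op`, `ip`, `country`, `params`) and the operation names are assumptions chosen to resemble a typical audit export, so map them to your own system's schema before use.

```python
"""Run the alerting checks from the baseline over a mailbox audit feed.

Added example for this post, not part of the original. The events below
are constructed to resemble a mailbox audit log; the field names ("ts",
"user", "op", "ip", "country", "params") and operation names are assumptions
for illustration, not any vendor's actual schema.
"""
import json
from datetime import datetime, timedelta

# Constructed sample events: hypothetical users, documentation IP ranges
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:00Z", "user": "alice@example.com", "op": "UserLoggedIn", "ip": "203.0.113.10", "country": "AU", "params": {}}
{"ts": "2024-05-01T08:20:00Z", "user": "alice@example.com", "op": "UserLoggedIn", "ip": "198.51.100.7", "country": "RU", "params": {}}
{"ts": "2024-05-01T08:25:00Z", "user": "alice@example.com", "op": "New-InboxRule", "ip": "198.51.100.7", "country": "RU", "params": {"Name": "invoices", "ForwardTo": "outside@external.example"}}
{"ts": "2024-05-01T09:00:00Z", "user": "bob@example.com", "op": "UserLoggedIn", "ip": "203.0.113.11", "country": "AU", "params": {}}
{"ts": "2024-05-01T17:00:00Z", "user": "bob@example.com", "op": "UserLoggedIn", "ip": "192.0.2.5", "country": "NZ", "params": {}}
{"ts": "2024-05-01T10:00:00Z", "user": "admin@example.com", "op": "Set-CASMailbox", "ip": "203.0.113.12", "country": "AU", "params": {"Identity": "carol@example.com", "PopEnabled": true}}
{"ts": "2024-05-01T10:05:00Z", "user": "admin@example.com", "op": "Add-MailboxPermission", "ip": "203.0.113.12", "country": "AU", "params": {"Identity": "carol@example.com", "User": "dave@example.com", "AccessRights": "FullAccess"}}
"""

# Operations and parameters that indicate mail leaving the mailbox
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
# Operations that grant someone else access to a mailbox
DELEGATION_OPS = {"Add-MailboxPermission", "Add-RecipientPermission",
                  "Set-MailboxFolderPermission"}
# Per-mailbox protocol switches that should normally stay off
PROTOCOL_PARAMS = {"PopEnabled", "ImapEnabled", "EwsEnabled", "ActiveSyncEnabled"}
# Two countries inside this window is treated as "multiple locations"
MULTI_LOCATION_WINDOW = timedelta(hours=1)


def parse_events(text):
    """Parse JSON lines into events with datetime timestamps, oldest first."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (kind, user, detail) alerts for the baseline's alerting items."""
    alerts = []
    login_history = {}  # user -> [(ts, country), ...]
    for event in events:
        op, user = event["op"], event["user"]
        params = event.get("params", {})
        if op in FORWARDING_OPS and FORWARDING_PARAMS.intersection(params):
            targets = {k: params[k] for k in FORWARDING_PARAMS.intersection(params)}
            alerts.append(("forwarding_rule", user, f"{op} {targets}"))
        if op in DELEGATION_OPS:
            alerts.append(("delegation_change", user, f"{op} {params}"))
        if op == "Set-CASMailbox":
            enabled = sorted(p for p in PROTOCOL_PARAMS if params.get(p) is True)
            if enabled:
                alerts.append(("protocol_enabled", user, f"{params.get('Identity')}: {enabled}"))
        if op == "UserLoggedIn":
            history = login_history.setdefault(user, [])
            for prev_ts, prev_country in history:
                if prev_country != event["country"] and event["ts"] - prev_ts <= MULTI_LOCATION_WINDOW:
                    gap = int((event["ts"] - prev_ts).total_seconds() // 60)
                    alerts.append(("multiple_locations", user,
                                   f"{prev_country} then {event['country']} within {gap} min"))
                    break
            history.append((event["ts"], event["country"]))
    return alerts


def run_sample():
    """Convenience entry point: detect() over the constructed SAMPLE_LOG."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, user, detail in run_sample():
        print(f"ALERT {kind:<20} {user:<20} {detail}")
```

In the constructed feed, alice's logins from two countries 20 minutes apart fire the multiple-locations alert and her subsequent forwarding rule fires a second one, which is exactly the pairing an analyst wants surfaced together; bob's two logins are eight hours apart and stay silent. The window, the country source (here a field on the event; in practice a GeoIP lookup on the IP) and the operation names are the knobs to tune for your own SIEM.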

Remember that these are simply baseline options. There may be far more you need to do for your particular environment over and above these baselines. Please contact us if you need help with a security audit. Maybe you need a Cloud Services Security check up or just your email system. Just drop us a line and we’d be only too happy to assist.

If you get these baselines in place, it will go a long way towards keeping your users far safer than an out-of-the-box system. And most options cost very little or nothing! Now you can turn your attention to your wider business and systems security.

You can also Contact Us to assist with a security audit and assistance with implementing a CSF (Cyber Security Framework) for your organisation.  It costs very little and will make an enormous difference to your business’ security and hence, bottom line.

Ross Marston