DropVPS Team

Writer: Cooper Reagan

How to Secure Email Ports on VPS Against Spam and Attacks

Publication Date: 02/16/2025

Email servers use specific ports for sending and receiving messages. The most common ones include:

  • SMTP (Simple Mail Transfer Protocol): Port 25 (default, often blocked by ISPs), 465 (SSL), and 587 (STARTTLS) for outgoing mail.
  • IMAP (Internet Message Access Protocol): Port 143 (unencrypted) and 993 (SSL/TLS) for incoming mail.
  • POP3 (Post Office Protocol): Port 110 (unencrypted) and 995 (SSL/TLS) for incoming mail.

Each of these ports, if left unprotected, can be exploited for spam, unauthorized relay, or brute force attacks.

Steps to Secure Email Ports on VPS

Disable Unused Ports

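Blocking or disabling unused ports prevents unauthorized access. Use firewall rules to restrict unnecessary exposure. Note that denying port 25 also stops other mail servers from delivering to this host, so apply that rule only on a server that does not receive mail directly from the internet.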

sudo ufw deny 25/tcp
sudo ufw allow 587/tcp
sudo ufw allow 993/tcp
sudo ufw allow 995/tcp

Enforce Authentication and Encryption

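Require authentication for sending email and enforce encryption with TLS to protect communication. In the Postfix configuration (/etc/postfix/main.cf), the first setting below makes TLS mandatory for SMTP clients and the second offers SASL authentication only over a TLS-protected session: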

smtpd_tls_security_level = encrypt
smtpd_tls_auth_only = yes

For Dovecot, enable SSL:

ssl = yes
ssl_cert = </etc/ssl/certs/mailserver.pem
ssl_key = </etc/ssl/private/mailserver.key

Enable SPF, DKIM, and DMARC

These protocols help verify the authenticity of your emails and prevent spoofing.

  • SPF (Sender Policy Framework): Defines which mail servers are allowed to send on behalf of your domain.
  • DKIM (DomainKeys Identified Mail): Adds a cryptographic signature to outgoing emails.
  • DMARC (Domain-based Message Authentication, Reporting & Conformance): Tells receiving servers what to do with mail that fails SPF and DKIM checks, and where to send reports.

Example SPF record in DNS (replace 192.168.1.1 with your mail server's public IP address):

v=spf1 ip4:192.168.1.1 include:_spf.google.com -all

Example DKIM key generation with OpenDKIM, for use with Postfix:

opendkim-genkey -s default -d example.com

Configure a Firewall

A properly configured firewall prevents unauthorized connections to email ports. Use UFW or iptables. Allow your SSH port before enabling UFW so that you do not lock yourself out of the VPS:

sudo ufw enable
sudo ufw allow 587/tcp
sudo ufw allow 993/tcp
sudo ufw allow 995/tcp

Use Fail2Ban to Block Brute Force Attacks

Fail2Ban monitors log files for repeated failed login attempts and bans IPs automatically.

sudo apt install fail2ban

Configure jail.local for Postfix:

[postfix]
enabled = true
port = smtp
filter = postfix
action = iptables-multiport[name=Postfix, port="smtp,465,submission", protocol=tcp]
logpath = /var/log/mail.log

Monitor Server Logs

Regularly check email server logs for suspicious activity:

tail -f /var/log/mail.log
tail -f /var/log/auth.log

Protect Against DDoS Attacks

Use fail2ban, rate limiting, and Cloudflare to mitigate DDoS attacks. Example rate limiting in Postfix:

smtpd_client_connection_rate_limit = 10