4.11. Hardening

Networking

Transport Layer Security

No TLS by default

By default TLS is not enabled for any of the web management console port, the public rescan port or the SMTP port. It is also disabled for outbound connections towards MetaDefender Core and MetaDefender Vault (HTTP), Active Directory (LDAP) and SMTP services (SMTP).

To enable TLS, follow the instructions in 4.2. Transport Layer Security.

TLS versions

Verify that old versions of the SSL and TLS protocols, such as SSLv2, SSLv3, TLS 1.0 and TLS 1.1, are disabled. The latest supported version of TLS should be preferred. For details see 4.2. Transport Layer Security.

No options for TLS clients

When Email Gateway Security acts as a client (connection to Core, Active Directory or an SMTP service), there is currently no way to configure the preferred TLS versions on the client side.

TLSv1.3 is not supported

For compatibility reasons, TLSv1.3 is currently not supported by Email Gateway Security.

Cipher suites

Verify that the strongest algorithms and cipher suites are set as preferred.
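The two checks above (old protocol versions disabled, strong cipher suites preferred) can be verified from a client with a handshake probe. The following PowerShell function is an added example and is not part of the OPSWAT documentation: it opens a TLS connection once per protocol version and reports whether the listener accepted it and which cipher, hash and key exchange were negotiated. The host name and port are assumptions; use the console or public rescan port that has TLS enabled (see 4.2).

```powershell
# Added example, not from the OPSWAT documentation. Probes a TLS listener once per
# protocol version. Host and port are assumptions: substitute your own.
function Test-TlsListener {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [int] $Port
    )
    # Member names of the System.Security.Authentication.SslProtocols enum to offer, one at a time
    $versions = 'Ssl3', 'Tls', 'Tls11', 'Tls12'
    foreach ($version in $versions) {
        $client = New-Object System.Net.Sockets.TcpClient
        $ssl = $null
        $result = [ordered]@{
            Offered = $version; Accepted = $false; Negotiated = $null
            Cipher = $null; Hash = $null; KeyExchange = $null; Reason = $null
        }
        try {
            $client.Connect($ComputerName, $Port)
            # The validation callback returns $true on purpose: this probe tests protocol and
            # cipher negotiation, not certificate trust
            $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
            $protocol = [System.Security.Authentication.SslProtocols]$version
            $ssl.AuthenticateAsClient($ComputerName, $null, $protocol, $false)
            $result.Accepted    = $true
            $result.Negotiated  = $ssl.SslProtocol
            $result.Cipher      = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            $result.Hash        = $ssl.HashAlgorithm
            $result.KeyExchange = "$($ssl.KeyExchangeAlgorithm)/$($ssl.KeyExchangeStrength)"
        } catch {
            # Keep the failure text: a server refusal reads differently from a client that
            # cannot offer the version at all
            $result.Reason = $_.Exception.Message
        } finally {
            if ($ssl) { $ssl.Dispose() }
            $client.Dispose()
        }
        [pscustomobject]$result
    }
}

# Usage (host name and port are placeholders)
Test-TlsListener -ComputerName 'mail-gateway.example.internal' -Port 443 | Format-Table -AutoSize
```

Expected after hardening: only the Tls12 row shows Accepted = True, with a cipher and key exchange that match what you configured. A False row whose Reason mentions that the version is not supported by the client means the probing machine itself has that version disabled; verify that row from a different client before concluding the server rejects it. The probe speaks TLS immediately on connect, so it applies to the HTTPS ports, not to SMTP STARTTLS.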

Reasonable defaults

By default Email Gateway Security comes with the following cipher configuration: ssl_ciphers HIGH:!aNULL:!MD5;.

Cipher suites can be customized in the following way:

  1. Create a configuration file in the nginx directory of your installation folder (default C:\Program Files\OPSWAT\MetaDefender Email Security\nginx). The file extension must be .conf.

    copy con "C:\Program Files\OPSWAT\MetaDefender Email Security\nginx\cipher.conf"
  2. Add the desired cipher configuration as a single-line ssl_ciphers directive:

    ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
  3. Restart the Email Gateway Security service:

    net stop mdemailsecurity
    net start mdemailsecurity
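The three steps above can be scripted. The following PowerShell function is an added example, not code from the OPSWAT documentation; the function name and its parameters are my own. It writes the directive as a single ASCII line (Windows PowerShell 5.1 writes UTF-16 with a byte-order mark by default, which nginx does not parse), rejects input that would break the one-directive-per-line format, restarts the service and confirms it is running again. The default cipher list is the page's own default; pass the list you chose from your trusted source.

```powershell
# Added example, not from the OPSWAT documentation. Writes nginx\cipher.conf and restarts the
# service. The install path is the documented default; the cipher list is supplied by you.
function Set-EmailGatewayCipherConfig {
    param(
        [string] $CipherList = 'HIGH:!aNULL:!MD5',   # OpenSSL cipher string, no spaces
        [string] $NginxDir = 'C:\Program Files\OPSWAT\MetaDefender Email Security\nginx',
        [string] $ServiceName = 'mdemailsecurity'
    )
    # nginx expects "ssl_ciphers <list>;" on one line; whitespace, quotes or an extra ';'
    # would change the grammar of the directive
    if ($CipherList -match '[\s;"]') {
        throw 'Cipher list must be a single token without spaces, quotes or semicolons'
    }
    if (-not (Test-Path -Path $NginxDir -PathType Container)) {
        throw "nginx directory not found: $NginxDir"
    }
    $path = Join-Path -Path $NginxDir -ChildPath 'cipher.conf'
    $directive = "ssl_ciphers ${CipherList};"
    # Plain ASCII, no BOM: Out-File/Set-Content in Windows PowerShell 5.1 would not produce that
    [System.IO.File]::WriteAllText($path, $directive + "`r`n", [System.Text.Encoding]::ASCII)
    # Step 3: restart (net stop / net start in one call) and verify the service came back
    Restart-Service -Name $ServiceName -ErrorAction Stop
    $svc = Get-Service -Name $ServiceName
    if ($svc.Status -ne 'Running') {
        throw "$ServiceName is $($svc.Status) after restart; review $path"
    }
    [pscustomobject]@{ File = $path; Directive = (Get-Content -Path $path -Raw).Trim(); Service = $svc.Status }
}

# Usage: apply a list you obtained from your trusted source (placeholder value shown)
Set-EmailGatewayCipherConfig -CipherList 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'
```

If the service fails to return to Running, the usual cause is a directive nginx could not parse; remove or correct cipher.conf and restart again.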

Recommended settings

As vulnerabilities in protocols and ciphers are continuously discovered, we recommend keeping the cipher configuration up to date.

For the same reason we recommend using a trusted service (e.g. https://wiki.mozilla.org/Security/Server_Side_TLS) to define the secure cipher configuration.

No options for TLS clients

When Email Gateway Security acts as a client (connection to Core, Vault, Active Directory or an SMTP service), there is currently no way to configure the preferred TLS cipher suites on the client side.

Restrict web management port

Email Gateway Security provides the option to configure the web management console and the public rescan page to separate ports. For details see 4.1. Registry configuration.

Shared port by default

By default the web management console and the public rescan page are configured to the same port (restport, see 4.1. Registry configuration).

Separating the web management console and the public rescan page to different ports makes it possible to restrict the web management console to be accessible from a management network only, while keeping the public rescan page available even from the internet. For details see 4.1. Registry configuration.
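Once the console has its own port, the network restriction described above can be enforced on the server itself with Windows Firewall. The following PowerShell function is an added example, not part of the OPSWAT documentation; its name, the port value and the management network are assumptions (use the port you configured in the registry, see 4.1). It creates a scoped allow rule and then reports the two conditions that would silently defeat it: a profile that does not block inbound traffic by default, and another enabled rule that opens the same port to any address.

```powershell
# Added example, not from the OPSWAT documentation. Scopes the management console port to a
# management network with Windows Firewall and audits rules that would undermine that scope.
function Restrict-ManagementConsolePort {
    param(
        [Parameter(Mandatory)] [int] $ManagementPort,            # your console port (see 4.1)
        [Parameter(Mandatory)] [string[]] $ManagementNetwork     # e.g. '10.10.0.0/24' (placeholder)
    )
    $ruleName = "MetaDefender Email Security console TCP/$ManagementPort - management network only"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        # Allow only from the management network; everything else relies on the default inbound block
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $ManagementPort -RemoteAddress $ManagementNetwork `
            -Action Allow -Profile Any | Out-Null
    }
    $findings = @()
    # Check 1: a scoped allow rule restricts nothing unless each profile blocks inbound by default
    foreach ($fwProfile in Get-NetFirewallProfile) {
        if ($fwProfile.DefaultInboundAction -ne 'Block') {
            $findings += "Profile $($fwProfile.Name): default inbound action is $($fwProfile.DefaultInboundAction)"
        }
    }
    # Check 2: any other enabled allow rule opening this port (or all ports) to any address
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        if ($rule.DisplayName -eq $ruleName) { continue }
        $portFilter = $rule | Get-NetFirewallPortFilter
        $addrFilter = $rule | Get-NetFirewallAddressFilter
        $portMatch = ($portFilter.Protocol -in 'TCP', 'Any') -and
                     (($portFilter.LocalPort -contains 'Any') -or ($portFilter.LocalPort -contains "$ManagementPort"))
        if ($portMatch -and ($addrFilter.RemoteAddress -contains 'Any')) {
            $findings += "Rule '$($rule.DisplayName)' also allows TCP/$ManagementPort from any address"
        }
    }
    if ($findings.Count -eq 0) { "OK: TCP/$ManagementPort reachable only from $($ManagementNetwork -join ', ')" }
    else { $findings }
}

# Usage (port and network are placeholders)
Restrict-ManagementConsolePort -ManagementPort 8443 -ManagementNetwork '10.10.0.0/24'
```

The audit compares exact port numbers; a rule that allows a port range containing the console port is not flagged, so review ranges by hand. Keep the public rescan page on its own port and its own, unscoped rule.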


Open relay

An open mail relay is a Simple Mail Transfer Protocol (SMTP) server configured in such a way that it allows anyone on the Internet to send email through it, not just mail destined to or originating from known users. This used to be the default, but open mail relays have become unpopular because of their exploitation by spammers and worms. Many relays were closed, or were placed on blacklists by other servers. [https://en.wikipedia.org/wiki/Open_mail_relay]

By processing mail that is neither for nor from a local user, an open relay makes it possible for an unscrupulous sender to route large volumes of spam and/or spread malware. In effect, the owner of the server - who is typically unaware of the problem - donates network and computer resources to the sender's purpose. Moreover, open mail relays are often blacklisted as soon as they're discovered, and email originating from these servers is marked as spam. [https://www.acunetix.com/vulnerabilities/web/smtp-open-mail-relay]

Email Gateway Security can be configured to filter email for certain email addresses and domains. For details see 4.4. Policy.
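After the address and domain filters from 4.4 are in place, confirm that the gateway refuses to relay for a domain you do not handle. The following PowerShell function is an added example, not part of the OPSWAT documentation: it runs the SMTP envelope up to RCPT TO against your own gateway, records the reply and quits. It never sends DATA, so no message is submitted. The host name, sender and recipient addresses are constructed placeholders; the recipient domain must be one that is not in your policy.

```powershell
# Added example, not from the OPSWAT documentation. Verifies that RCPT TO for a foreign domain is
# rejected by your own gateway. Addresses and host are placeholders; DATA is never sent.
function Test-SmtpRelayRefused {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 25,
        [string] $Sender = 'probe@sender.example',               # constructed
        [string] $Recipient = 'nobody@not-our-domain.example'     # constructed, must not be a filtered domain
    )
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $stream = $client.GetStream()
    $stream.ReadTimeout = 10000
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"        # SMTP lines end in CRLF
    $writer.AutoFlush = $true
    # Reads one SMTP reply: "250-..." lines continue a multi-line reply, "250 ..." ends it
    $readReply = {
        do { $line = $reader.ReadLine() } while ($line -and $line.Length -gt 3 -and $line[3] -eq '-')
        $line
    }
    try {
        $banner = & $readReply
        $writer.WriteLine('EHLO probe.example');      $ehlo = & $readReply
        $writer.WriteLine("MAIL FROM:<$Sender>");     $mail = & $readReply
        $writer.WriteLine("RCPT TO:<$Recipient>");    $rcpt = & $readReply
        $writer.WriteLine('QUIT');                    $null = & $readReply
    } finally {
        $client.Close()
    }
    # A relay refusal is a 5xx (or temporary 4xx) reply to RCPT TO; a 2xx accepts the envelope
    [pscustomobject]@{
        Banner       = $banner
        EhloReply    = $ehlo
        MailReply    = $mail
        RcptReply    = $rcpt
        RelayRefused = -not ($rcpt -match '^2\d\d')
    }
}

# Usage (host name is a placeholder)
Test-SmtpRelayRefused -ComputerName 'mail-gateway.example.internal' -Port 25
```

RelayRefused = True with a 5xx RcptReply is the expected result. A 2xx reply at RCPT TO does not by itself prove that mail would be delivered, since some servers reject later in the transaction, but it means the envelope was accepted and the policy should be reviewed.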


Accounts

Changing the default password

Installations of versions before 4.3.0 created a default user account with a predefined password. This account may still exist in a post-4.3.0 version if that installation was upgraded from an earlier version.

Change this predefined legacy password as soon as possible, following these steps:

  1. Log in using the legacy default user account's name and password (admin / admin),

  2. Change the password of the account as described in 4.5. Users.

Enhanced password policy

For Local type user directories Email Gateway Security provides an enhanced password policy. The enhanced password policy provides a higher level of security for passwords than the default password policy.

Off by default

The enhanced password policy is disabled by default for Local type user directories.

To enable enhanced password policy for a Local type user directory, follow the instructions in 4.5. Users.

Running the service as an unprivileged account

Default service account

By default the mdemailsecurity (OPSWAT Metadefender Email Gateway Security) service runs as the privileged Local System account.

To run the Windows service as another Windows account (we will use the Local Service account as an example below) follow these steps:

  1. Grant read and write permissions to the target account on the installation folder (default C:\Program Files\OPSWAT\MetaDefender Email Security), all its subdirectories, and any other external files and folders that the Email Gateway Security service is configured to read and write (e.g. the file named by the logfile Windows Registry entry).

  2. Stop the OPSWAT Metadefender Email Gateway Security service:

    > net stop mdemailsecurity
  3. Open the Administrative Tools > Services window on your Windows server.

  4. Right-click the OPSWAT Metadefender Email Gateway Security entry and select Properties > Log On.

  5. Change the service user account to the target user account.

  6. Start the OPSWAT Metadefender Email Gateway Security service:

    > net start mdemailsecurity
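The six steps above can be carried out from an elevated PowerShell session instead of the Services dialog. The following function is an added example, not part of the OPSWAT documentation; the function name is my own. The installation folder is the documented default and the account is Local Service as in the text; the $ExtraPaths parameter is an assumption for the locations outside the installation folder that the service writes (for instance the file named by the logfile registry entry, whose registry location is described in 4.1 and not here), which you supply yourself. The function grants the permissions, switches the logon account with sc.exe, restarts the service and reports which account it now runs as.

```powershell
# Added example, not from the OPSWAT documentation. Moves the service to the Local Service
# account. $ExtraPaths (assumed) lists files/folders outside the install dir the service writes.
function Set-EmailGatewayServiceAccount {
    param(
        [string] $Account = 'NT AUTHORITY\LocalService',
        [string] $InstallDir = 'C:\Program Files\OPSWAT\MetaDefender Email Security',
        [string[]] $ExtraPaths = @(),
        [string] $ServiceName = 'mdemailsecurity'
    )
    # Step 1: Modify (icacls right covering read and write) on each path, inherited by
    # subfolders (CI) and files (OI); /T also applies it to everything already underneath
    foreach ($path in @($InstallDir) + $ExtraPaths) {
        if (-not (Test-Path -Path $path)) { throw "Path not found: $path" }
        & icacls.exe $path /grant "${Account}:(OI)(CI)M" /T | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed on $path (exit $LASTEXITCODE)" }
    }
    # Step 2: stop the service
    Stop-Service -Name $ServiceName -Force -ErrorAction Stop
    # Steps 3-5: change the logon account. sc.exe requires the space after 'obj='; the
    # built-in Local Service account takes no password
    & sc.exe config $ServiceName obj= $Account | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed (exit $LASTEXITCODE)" }
    # Step 6: start it again and report the effective logon account
    Start-Service -Name $ServiceName -ErrorAction Stop
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    [pscustomobject]@{ Service = $svc.Name; State = $svc.State; RunsAs = $svc.StartName }
}

# Usage: the log directory below is a placeholder for the path in your logfile registry entry
Set-EmailGatewayServiceAccount -ExtraPaths 'C:\path\to\your\log\directory'
```

If the service stops again shortly after starting, the usual cause is a path the new account cannot write; compare the paths you passed with every file and folder referenced in the registry configuration (4.1).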

Unused accounts

Delete unused local accounts

User accounts in Local type user directories must be deleted manually if they are not needed any more.

AD or LDAP accounts

User accounts from Active Directory or LDAP type user directories cannot access the web management console after they have been removed from the directory service.

Shared accounts

Verify that shared accounts are not present in Local type user directories (e.g. admin).

Components

Email Gateway Security

Always upgrade to the latest published version of the product that is available on https://portal.opswat.com/products/metadefender-email-security.

MetaDefender Core and engines

Standalone only

This section applies to Email Gateway Security standalone edition only. For details see 1. Licensing.

Always use the recommended versions of MetaDefender Core and the engines. For details see 3.1. Prerequisites.

OpenSSL

Always upgrade to the latest published version of OpenSSL. For details see 3.1. Prerequisites.

Microsoft .NET

Always upgrade to the latest published version of the Microsoft .NET Framework. For details see 3.1. Prerequisites.