Posts Tagged ‘IP address’

Some mail server networking best practices

I was reminded this week about the importance of some good practices when handling the networking portion of a mail server. While a server or Exchange administrator will usually do a fine job of configuring the software itself, it is not uncommon for the networking side to be overlooked. Here is a summary of a few networking and firewall related best practices…

  • Your mail server should be NAT’ed to a public IP address different from the one used by your general internet traffic. This ensures that malicious activity on your general internet traffic, an infected PC, or even a guest system does not impact your ability to send email. If a guest laptop on your wireless network has a virus and is sending out spam, it may get your IP address blacklisted, and that cascades onto your mail server. With a public IP address dedicated to your mail server, you can be sure that if you are blacklisted, it is because of traffic through your mail server and not from another source.
  • Block outbound port 25 from everything except your mail server. In general, the only device that should be sending mail outside your network is your mail server; if another device, such as an MFP, needs to send email, it should relay through your mail server rather than sending directly.
  • If you use a hosted inbound spam or mail filtering service, such as MXLogic or Reflexion, restrict your inbound port 25 traffic to the service’s source IP addresses, or better yet, consider using an alternate port. If you don’t lock this down, people can bypass your hosted filtering and send spam directly to your mail server.
  • Ensure that your firewall has application-aware protection in place for SMTP traffic. However, if you have an older Cisco PIX firewall and an Exchange mail server, consider turning FIXUP off for SMTP, since there is a long history of documented problems with that combination.
  • Be on the lookout for a mail administrator who assigns a public IP address directly to the mail server, thereby bypassing the firewall or other edge protection. If they really want to dual-home the mail server, have them place it on a DMZ instead.
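As an added illustration (not from the original post), here is a small Python audit that applies the outbound port 25 and inbound filtering rules above to constructed firewall flow records. The addresses, the key=value record format and the function names are assumptions made for the example.

```python
import ipaddress

# Policy for this constructed example; the addresses are assumptions, not from the post.
MAIL_SERVER = ipaddress.ip_address("10.0.0.25")            # mail server's internal address
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")          # everything behind the firewall
FILTER_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]  # hosted filter's delivery range
SMTP_PORT = 25

def parse_flow(line):
    """Parse one constructed 'key=value ...' firewall flow record into typed fields."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return {"src": ipaddress.ip_address(f["src"]), "dst": ipaddress.ip_address(f["dst"]),
            "dport": int(f["dport"]), "action": f["action"]}

def check_flow(flow):
    """Return a violation description, or None if the flow is consistent with the policy."""
    if flow["dport"] != SMTP_PORT or flow["action"] != "allow":
        return None  # only SMTP flows the firewall permitted can break these rules
    src, dst = flow["src"], flow["dst"]
    if src in INTERNAL_NET and dst not in INTERNAL_NET and src != MAIL_SERVER:
        # Outbound SMTP: only the mail server may send directly; everything else relays.
        return f"outbound SMTP from {src} is not the mail server; it should relay"
    if src not in INTERNAL_NET and dst == MAIL_SERVER:
        # Inbound SMTP: must arrive from the hosted filtering service's addresses.
        if not any(src in net for net in FILTER_SOURCES):
            return f"inbound SMTP from {src} bypasses the hosted filter"
    return None

def audit(lines):
    """Run each record through the policy; return (line, reason) for every violation."""
    findings = []
    for line in lines:
        reason = check_flow(parse_flow(line))
        if reason:
            findings.append((line, reason))
    return findings

# Constructed sample records (not real traffic), one per rule the post describes.
SAMPLE_LOG = [
    "src=10.0.0.25 dst=192.0.2.10 dport=25 action=allow",    # mail server sending: fine
    "src=10.0.0.77 dst=192.0.2.10 dport=25 action=allow",    # guest laptop sending direct: violation
    "src=10.0.0.77 dst=10.0.0.25 dport=25 action=allow",     # MFP relaying via mail server: fine
    "src=10.0.0.78 dst=192.0.2.10 dport=25 action=deny",     # egress rule did its job: fine
    "src=198.51.100.7 dst=10.0.0.25 dport=25 action=allow",  # delivery from hosted filter: fine
    "src=192.0.2.50 dst=10.0.0.25 dport=25 action=allow",    # direct delivery skipping filter: violation
    "src=10.0.0.77 dst=192.0.2.10 dport=443 action=allow",   # ordinary web traffic: fine
]

for line, reason in audit(SAMPLE_LOG):
    print(f"{reason}\n    {line}")
```

Feeding real firewall logs through the same two checks (after adapting `parse_flow` to your log format) is a quick way to confirm the egress and source-IP rules are actually in force rather than just documented.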

Enjoy

DHCP Best Practices

Here are several DHCP best practices as collected from various resources, including CompTIA and Microsoft:

  • Always include the entire subnet in the scope (192.168.1.1 – 192.168.1.254, or 172.29.0.1 – 172.29.255.254)
  • Add exclusions for ranges that use static IP addresses and for future growth, such as setting aside 10 addresses for printers so they stay within the same general IP address range
  • For networks where DHCP services are critical, or for larger networks, consider two DHCP servers configured in an 80/20 split (Windows Server 2012 also adds a new provision for redundant DHCP servers)
  • Configure Active Directory credentials so that DHCP can update the DNS server with IP address information using secure updates.
  • Use “server side conflict detection” only when needed – this feature delays DHCP from handing out an address until it has first sent an ICMP ping to check whether the address is already in use without DHCP knowing about it (i.e. statically assigned within the lease range without an exclusion or active lease).
  • The typical DHCP lease time is 8 days; if you have a separate scope for guest or wireless clients, consider a shorter lease time such as 8 hours, and conversely, for fixed devices (printers, etc.) consider 16–24 days.