Securing the Server
SurgeMail SSL / TLS support
SSL is fully supported on all protocols to ensure that the username and password are encrypted when sent over the internet, so that they can't be stolen 'on the way past'. If you are running a mail server that doesn't support this feature then essentially anyone with access to your network can steal passwords. Almost all popular email clients now support SSL/TLS. Message data is also encrypted; however, be aware that when sending mail to other mail systems the data will be unencrypted on the journey, so only local email is fully secure.
POP: Secure to regular port using STARTTLS, secure to dedicated port.
SMTP: Secure to regular port using STARTTLS
HTTPS: All web based administration tasks can be done either using secure HTTPS or standard HTTP.
Mirroring: The built-in server mirroring feature mirrors the server over a secure link.
SurgeMail SSL/TLS Frequently Asked Questions
What is SSL/TLS and how secure is it?
SSL/TLS is the same encryption system used by 'https' web pages. It is generally considered to be the most secure method for sending sensitive information across the internet, and is the basis of most e-commerce security systems used today.
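The STARTTLS support described above (POP and SMTP on their regular ports) is easiest to confirm from the outside, and the same check is worth running after a CA-signed certificate has been installed. The following Python script is an added example, not part of the SurgeMail documentation or software: it connects in the clear to ports 25 and 110, confirms STARTTLS/STLS is advertised, upgrades with a verifying TLS context (so a self-signed or mismatched certificate is rejected, as a mail client would reject it) and reports expiry. The host name is taken from the command line; the 30-day expiry warning threshold is an arbitrary choice made for this example.

```python
# Added example: verify STARTTLS on the regular POP/SMTP ports with a verifying
# TLS context. Not SurgeMail code; the 30-day warning threshold is an assumption.
import smtplib
import poplib
import ssl
import sys
import time
from typing import List, Optional

WARN_DAYS = 30  # assumed threshold for "expires soon"


def seconds_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """Seconds left on a certificate, given the 'notAfter' string that
    getpeercert() returns (e.g. 'Jan  1 00:00:00 2030 GMT')."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(not_after) - now


def evaluate(starttls_offered: bool, cert: Optional[dict],
             now: Optional[float] = None) -> List[str]:
    """Turn raw observations into findings. Pure function, so it can be
    exercised offline with a constructed certificate dict."""
    findings: List[str] = []
    if not starttls_offered:
        findings.append("STARTTLS not advertised: passwords would cross the "
                        "network in clear text")
        return findings
    remaining = seconds_until_expiry(cert["notAfter"], now)
    if remaining <= 0:
        findings.append("certificate has expired")
    elif remaining < WARN_DAYS * 86400:
        findings.append("certificate expires within %d days" % WARN_DAYS)
    return findings


def check_smtp(host: str, port: int = 25, timeout: float = 10) -> List[str]:
    """Plain connection to the regular SMTP port, then STARTTLS. The default
    context verifies the chain and host name, as a mail client would; a
    self-signed or mismatched certificate raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return evaluate(False, None)
        smtp.starttls(context=ctx)
        return evaluate(True, smtp.sock.getpeercert())


def check_pop(host: str, port: int = 110, timeout: float = 10) -> List[str]:
    """Same check for POP3: CAPA must list STLS, then upgrade with STLS."""
    ctx = ssl.create_default_context()
    pop = poplib.POP3(host, port, timeout=timeout)
    try:
        if "STLS" not in pop.capa():
            return evaluate(False, None)
        pop.stls(context=ctx)
        findings = evaluate(True, pop.sock.getpeercert())
        pop.quit()
        return findings
    finally:
        pop.close()  # no-op after quit(); releases the socket if STLS failed


if __name__ == "__main__":
    target = sys.argv[1]  # e.g. python check_starttls.py mail.example.com
    for name, check in (("SMTP", check_smtp), ("POP3", check_pop)):
        try:
            findings = check(target)
        except ssl.SSLCertVerificationError as exc:
            findings = ["certificate rejected by verifying client: %s" % exc]
        print(name, "OK" if not findings else "; ".join(findings))
```

Run it as `python check_starttls.py mail.example.com` against your own server. A rejection from the verifying context is the interesting result: it means real mail clients will either refuse the connection or prompt users to accept an untrusted certificate, which is exactly what getting a CA-signed certificate is meant to avoid.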
How to generate a certificate request to get a CA-signed certificate
SurgeMail is distributed with a sample certificate. For a higher level of security you should consider getting your own server certificate. This means that clients can be sure that they are talking to 'your' server and not to someone pretending to be your server.
A script is provided. Open a DOS window, run the script file and answer the questions:
cd \surgemail
.\make_ca.cmd
This will create two files, request.pem and privkey.pem.
Paste request.pem into a CA registration form at a site that provides CA services,
e.g. http://www.verisign.com/
http://www.abaecom.com/
http://www.digsigtrust.com/
http://www.e-certify.com/
http://www.entrust.net/
http://www.equifax.com/
http://www.globalsign.com/
http://www.tc-trustcenter.com/
http://www.thawte.com/
http://www.valicert.com/
SurgeMail uses the OpenSSL libraries for SSL encryption and decryption.
When the CA sends you the signed certificate, save it as surge_cert.pem in the main SurgeMail directory. Also copy the privkey.pem file into the same directory and call it surge_priv.pem, e.g.
copy privkey.pem surge_priv.pem
copy (signedkeyfromCA) surge_cert.pem
Then restart SurgeMail:
net stop surgemail
net start surgemail
Restricting Access by IP Number
Many of SurgeMail's features can be restricted to certain IP number ranges. This can be used to make the system more secure.
One setting that should almost certainly be restricted is g_admin_ip, which limits the IP addresses from which SurgeMail server admin users may connect.
You should also look into the following settings that control which connections will use SSL:
- g_ssl_allow - connections that are allowed to use SSL
- g_ssl_require - connections that are required to use SSL
- g_ssl_require_out - outbound connections that are required to use SSL
Relay restrictions
It is important to ensure that your system is not set up as an "open relay", as this is likely to result in spam being sent through your system and your mail server being blacklisted by open relay databases.
SurgeMail "out of the box" is configured not to relay, except that relaying is allowed after a POP login. This is, in general, safe and lets people using old mail clients (that do not know how to do SMTP authentication) still send through your server without making it an open relay.
A setting you may want to enable is g_relay_allow_ip, set to your mail server's own IP address, as this lets other programs running on the same system send mail without needing SMTP authentication. Do not set this to * as that would make your system an open relay.
Other ways of enabling relaying are by destination domain (g_relay_to) or by known from address (g_relay_allow_from).
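To make the relay rules above and the g_admin_ip restriction concrete, here is an added example in Python that models the decisions the text describes. It is illustrative code, not SurgeMail's implementation: the setting names are the ones this page uses, but the address-matching syntax ('*', CIDR ranges or single addresses), the 30-minute validity of a POP login for relaying, and the sample addresses and domains are all assumptions made for this example.

```python
# Added example: a model of the relay and admin-IP decisions described above.
# Illustrative code, not SurgeMail's implementation. The setting names come from
# the documentation; the matching syntax, the POP-before-SMTP window and the
# sample configuration are assumptions made for this example.
import time
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def ip_matches(client_ip: str, entries: List[str]) -> bool:
    """True if client_ip matches any entry: '*' (everything), a CIDR range or a
    single address. Assumed syntax; SurgeMail's own pattern syntax is not modelled."""
    addr = ip_address(client_ip)
    return any(e == "*" or addr in ip_network(e, strict=False) for e in entries)


@dataclass
class Policy:
    admin_ip: List[str] = field(default_factory=list)          # g_admin_ip
    relay_allow_ip: List[str] = field(default_factory=list)    # g_relay_allow_ip
    relay_to: List[str] = field(default_factory=list)          # g_relay_to (destination domains)
    relay_allow_from: List[str] = field(default_factory=list)  # g_relay_allow_from (sender addresses)
    local_domains: List[str] = field(default_factory=list)     # domains this server delivers for
    pop_window: int = 30 * 60  # assumed validity of "relay after POP login", in seconds


@dataclass
class Session:
    client_ip: str
    mail_from: str
    rcpt_to: str
    smtp_authenticated: bool = False
    last_pop_login: Optional[float] = None  # epoch time of this IP's last POP login


def admin_allowed(policy: Policy, client_ip: str) -> bool:
    """Admin logins only from g_admin_ip. An empty list is treated as 'no
    restriction' here, which is the state the text says to avoid."""
    return not policy.admin_ip or ip_matches(client_ip, policy.admin_ip)


def relay_decision(policy: Policy, s: Session,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether an SMTP recipient is accepted, checking each mechanism the
    text mentions. Delivery to a local domain is not relaying at all."""
    now = time.time() if now is None else now
    rcpt_domain = s.rcpt_to.rsplit("@", 1)[-1].lower()
    if rcpt_domain in policy.local_domains:
        return True, "local delivery (not relaying)"
    if s.smtp_authenticated:
        return True, "SMTP authentication"
    if s.last_pop_login is not None and now - s.last_pop_login <= policy.pop_window:
        return True, "recent POP login (relay after POP login)"
    if ip_matches(s.client_ip, policy.relay_allow_ip):
        return True, "client IP in g_relay_allow_ip"
    if rcpt_domain in policy.relay_to:
        return True, "destination domain in g_relay_to"
    if s.mail_from.lower() in policy.relay_allow_from:
        return True, "sender in g_relay_allow_from"
    return False, "relaying denied"


def audit(policy: Policy) -> List[str]:
    """Flag the two misconfigurations the text warns about."""
    findings = []
    if "*" in policy.relay_allow_ip:
        findings.append("g_relay_allow_ip contains '*': every host may relay (open relay)")
    if not policy.admin_ip:
        findings.append("g_admin_ip is empty: admin logins accepted from any address")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration and sessions using documentation addresses.
    policy = Policy(admin_ip=["192.0.2.0/24"], relay_allow_ip=["127.0.0.1"],
                    relay_to=["partner.example"], relay_allow_from=["app@example.com"],
                    local_domains=["example.com"])
    stranger = Session("198.51.100.7", "anyone@elsewhere.example", "someone@remote.example")
    print(relay_decision(policy, stranger))        # (False, 'relaying denied')
    stranger.last_pop_login = time.time() - 60
    print(relay_decision(policy, stranger))        # allowed: recent POP login
    print(audit(Policy(relay_allow_ip=["*"])))     # both warnings
```

Note how the three mechanisms differ in strength: g_relay_allow_ip on the server's own address only trusts processes on that machine, g_relay_to only widens delivery to named domains, while g_relay_allow_from trusts a sender address that the connecting client supplies itself, so it is the weakest of the three and worth keeping short.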
Restricting mail services per user
Groups can be set up with rights to access the POP, IMAP or SMTP services, which allows access privileges to be set per user. See managing accounts for more information.