18Oct/172

E-mail server in Windows Server, part 2: Security

This is a follow-up to the tutorial How to install an e-mail server in Windows, directed to those who already have an hMailserver and want to increase the security.

Spam protection

To activate the spam protection, please go to Settings >> Anti-spam in the hMailserver Administrator.

In the tab "General" you can leave the settings the way they are, as shown in the image. Of course you can adjust them later according to your needs.

In the second tab "Spam tests" you should select all four spam detection parameters:

- Use SPF (3)
- Check host in the HELO command (2)
- Check that sender has DNS-MX records (2)
- Verify DKIM-Signature header (5)

Malware protection

As already mentioned in the previous tutorial, you have the possibility to use different anti malware software in hMailServer. The most easy solution is to use the free ClamWin anti virus scanner. You can download it there:

https://sourceforge.net/projects/clamwin/

Please follow the installation wizard. Installing the browser extension is not required for your e-mail server. Normally ClamWin will now appear in the Windows system tray and start to update its database once a day. It will also protect your system from malware. You are of course free to change those settings individually in the ClamWin menu. The integration in the hMailServer is easy. Please go to Settings >> Anti-Virus >> ClamWin. The button "autodetect" will find the correct path to your ClamWin anti virus installation and you can finish the setup with "Save".

TLS encryption

To enable your clients to start an encrypted connection to your server, so nobody can steal your data, you have to enable this in your settings first. You will need an SSL certificate to achieve this. If you do not have already one for the host name of your server, you can create a self signed one on your own. Self signed certificates are free. But you will have to add an exception manually each time you set up a new client for your server. Most clients like Thunderbird or Outlook will ask you for that after the credentials got entered and they start the first connection. You can use XCA to create such a certificate:

https://sourceforge.net/projects/xca/

After the software got installed and opened, you have to create a new database on the upper left side. You can choose any name, you do not even have to remember the password. We will need this tool only once to create the new certificate. You can remove it again afterwards.

After the new database got created you can choose the tab "Certificates". In the following menu please choose "New Certificate" on the right side. A new window will open. In this new window please choose the tab "Subject" and add your host name next to "commonName". In our example screenshot this is mail.yourdomain.com. Now please create a key for the certificate by pressing the button "Generate a new key". The options in the window normally will be  inserted correctly per default as shown in the image. You can finish the creation with "create".

The next step is to switch to the tab "Extensions". Enter a date until the certificate will be valid. You can be generous at this point. In our example we set a date in the year 2030 for "Validity not after". With the "OK" button in the bottom right corner you will finally create the certificate.

Now you have to export the certificate and the according key. Please choose in the tab "Certificates" the certificate and click on "Export" on the right side. You can let the path the way it is. In our case it is:

C:\Program Files (x86)\xca\mail.yourdomain.com.crt

In the tab "Private Keys" please do the same for the previously created key. The path should be:

C:\Program Files(x86)\xca\mail.yourdomain.com.pem

Please open the hMailServer Administrator and navigate to Settings >> Advanved >> SSL certificates and click on "Add". Now you have to add the previously exported certificate and key as shown in the image below and save the settings.

For the last step please go to Settings >> Advanced >> TCP/IP ports. There you have to modify the three entries below "0.0.0.0 / 25 / SMTP" as shown in the following images. At "SSL Certificate", please choose your recently created certificate. "0.0.0.0 / 25 / SMTP" has to stay in its original state as the only one. If you change it, your e-mail server will not work properly!

Now you have to open the new ports in your firewall. For that you can edit the rule from the previous tutorial. We called it "Ports for hMailServer" there. Please change the "local ports" from 25, 110, 143, 587 to 25, 465, 993, 995. (Windows Firewall with Advanced Security on Local computer >> Inbound Rules >> Ports for hMailServer >> Protocols and Ports)

The settings for your clients have changed too:

ingoing server:

protocol: IMAP; port: 143; security: SSL/TLS; server: the IP or hostname of your server

outgoing server:

protocol: SMTP; port: 587; security: SSL/TLS; server: the IP or hostname of your server

9Oct/1710

How to install an e-mail server in Windows Server

You want to send and receive e-mails with your Windows server and connect to it by using your clients on PC, smartphone or tablet? In this tutorial we will explain how you can setup your own e-mail server on a Windows system with a static public IP. This tutorial will work for our VPS as well as for our dedicated servers. hMailServer is a free open source program, the setup is rather simple and can be done in just a few easy steps. Next to the default features like SMTP, POP3 and IMAP, the software is capable to detect spam and also a free virus protection like ClamWin can be added.

Installation

hMailServer needs NET Framework 3.5. to run correctly. Therefore you should add it to Windows before you install hMailServer. To do so, please open the Server Manager. The next steps will differ a little in the different versions of Windows Server. We will explain it by using the example of Windows Server 2012. Please click on "Manage" on the right upper side and choose "Add Features and Roles". In the window that opens you can click four times on "Next" and leave all the settings the way they are. Now you can choose the features you need to install. You just have to choose the NET Framework 3.5 like shown in the image. With "Next" again, you confirm this selection and "Install" will start the installation. As soon as the process is finished, you can close the window and proceed with the installation of your e-mail server.

Please download the latest version of the software from this site:

https://www.hmailserver.com/download

Please do not choose a version that is still in beta, since it might contain bugs and vulnerabilities. After you received the installation package, you can execute it and accept the terms of service.

You should leave the default installation directory as is and continue with "Next". Now you can choose the required products for installation. You will need the full installation, so please let "Server" and "Administrative Tools" checked and proceed with "Next". For an easy installation, we do recommend to choose "Use built-in database engine" in the next step. In the following window let the name be hMailServer and proceed. hMailServer will need a password for administrative tasks in the future. So please create a password you want to use to protect your service and write it down. The last step will be to start the installation. It should finish without error.

hMailServer Configuration

Please open the hMailServer Administrator. In the first window you have to activate "Automatically connect on Start-up" and click on "Connect".

In the next window, please go to "Domains", choose "Add..." and insert your domain you want to use for sending e-mails.

After the domain got saved, you can add new e-mail addresses in the menu "Accounts".

Now please go to Settings >> Protocols >> SMTP >> Delivery of e-mail. There, please add the local host name of your server that should be used for introducing your server to other e-mail servers. It has to be a valid domain and has to resolve to the IP of your server. So please add an A record to your DNS zone if necessary. You also should set an identical PTR for the IP address of your server. This can be done in the Contabo customer control panel. The host name should consist of three parts. That means it has to be an FQDN and it may not contain too many numbers, since it might seem to be generic. A good name for example might be: "mail.justanexample.com". When you are done, please save your new settings.

Firewall Configuration

The main configuration is done. But you still have to open all used e-mail ports in the firewall to make it work. Please open the Windows Firewall settings and choose "Inbound Rules". On the right side click on "New Rule". A window will open and you have to choose "Port" and click on "Next". In the next window please insert the ports 25, 110, 143 and 587, as shown in the image.

In the following window please choose "Allow The Connection" and after "Next", please check "Domain", "Private" and "Public".

In the last window you can enter a name for the new rule. For example "Ports for hMailServer". Please finish the setup and close the firewall settings.

Now you should add an SPF record to your DNS zone. Many e-mail servers will reject e-mails from your server if it does not exist. Therefore please add this TXT record to your zone:

justanexample.com 86400 in TXT "v=spf1 ip4:1.2.3.4 ~all"

"justanexample.com" has of course to be replaced with your domain and 1.2.3.4 with your IP.

You should also add an MX record to your DNS zone, if it does not exist already. The MX record should look like this:

justanexample.com 86400 in MX 10 "mail.justanexample.com"

The value "mail.justanexample.com" has to be replaced with the the host name you have chosen for your e-mail server.

The basic setup of your e-mail server is now complete. It should be able to send and receive e-mails as soon as the DNS changes are active and you can now connect with any e-mail client like Outlook, Thunderbird or Apple Mail.

Client Configuration

Please use the following settings for your e-mail client.

ingoing server:

protocol: IMAP; port: 143; security: none; server: the IP or host name of your server

outgoing server:

protocol: SMTP; port: 587; security: none; server: the IP or host name of your server

Security

If you want to do some optimizations to the server security like transport encryption, spam checks and malware protection, please take a look at our second tutorial: E-mail server in Windows Server, part 2: Security.