Secure email server

by Webtrend

Email Server

It is becoming more and more important for a business to run a reputable email server, so that other email providers such as Google and Microsoft do not mark your mails as spam, and to guarantee your clients and the recipients an encrypted communication channel. Over time, many security features have been released that considerably improve the security of email. Webtrend is committed to applying every useful one of these features to keep the internet and our clients secure.

HTTPS and STARTTLS

To ensure encrypted traffic, we use certificates issued by public certificate authorities such as Let's Encrypt. Such a certificate, combined with STARTTLS, which upgrades an existing unencrypted connection into an encrypted one, allows mails to be delivered over an encrypted channel.

SPF, DMARC, DKIM

SPF, DMARC and DKIM are three email authentication protocols which immensely increase the security of an email server. SPF helps detect forged sender addresses during the delivery of an email, DKIM lets the receiver verify that a message was signed by the sending domain and not altered in transit, and DMARC ties both together and further protects against email spoofing.

DANE for SMTP

DANE (DNS-based Authentication of Named Entities) is a security protocol that binds the certificate a server presents in a TLS connection to a record published in DNS. The purpose of DANE is to ensure that no certificate authority (not even the current issuer) can issue a new certificate for your domain that a DANE-validating client would accept. Should a certificate authority get compromised, the attacker would therefore not be able to create a certificate that is trusted for your domain. While DANE is relatively new, there is support for HTTP and SMTP, and it also works with self-signed certificates. DNSSEC is required for DANE's security model to work.
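As an added example (not part of this page and not Webtrend's code), this is the check a DANE-aware sending mail server performs against a DANE-EE ("3 1 1") TLSA record, written in Python; the certificate and SPKI bytes are constructed placeholders, and the record name `_25._tcp.<mx host>` stands for the receiving host's real name.

```python
"""DANE for SMTP (RFC 6698 / RFC 7672): match a server certificate against a
TLSA record.  Added example for this page, not Webtrend's code; the DER and
SPKI bytes are constructed placeholders for what the TLS handshake provides."""
import hashlib
import hmac

# Constructed placeholders: a real check uses the DER certificate presented in
# the TLS handshake and its SubjectPublicKeyInfo (SPKI) field.
CERT_DER = b"constructed-der-certificate"
SPKI_DER = b"constructed-subject-public-key-info"

def association_data(selector, matching_type, cert_der, spki_der):
    """Certificate association data as carried in a TLSA record:
    selector 0 = whole certificate, 1 = SPKI only;
    matching type 0 = raw bytes, 1 = SHA-256, 2 = SHA-512."""
    data = {0: cert_der, 1: spki_der}[selector]
    if matching_type == 0:
        return data
    return {1: hashlib.sha256, 2: hashlib.sha512}[matching_type](data).digest()

def make_tlsa_rdata(cert_der, spki_der, selector=1, matching_type=1):
    """Record to publish at _25._tcp.<mx host>, e.g. '3 1 1 <hex>'."""
    assoc = association_data(selector, matching_type, cert_der, spki_der)
    return f"3 {selector} {matching_type} {assoc.hex()}"

def parse_tlsa(rdata):
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))

def dane_ee_matches(rdata, cert_der, spki_der):
    """DANE-EE (usage 3): the certificate is accepted solely because its
    digest matches the DNSSEC-signed TLSA record, so no CA chain is consulted
    and a self-signed certificate is fine.  Usage 2 (DANE-TA) would instead
    pin an issuing CA and require chain validation; it is not handled here."""
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage != 3:
        raise ValueError("only DANE-EE (usage 3) is handled in this example")
    expected = association_data(selector, mtype, cert_der, spki_der)
    return hmac.compare_digest(expected, assoc)
```

Publishing the SPKI digest (selector 1) rather than the whole certificate means a renewed certificate that keeps the same key pair still matches the record, which matters with short-lived certificates such as Let's Encrypt's.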

MTA-STS

A newer alternative to DANE that does not require DNSSEC is MTA-STS. MTA-STS addresses the weaknesses of opportunistic STARTTLS (an attacker on the path can strip the STARTTLS offer and downgrade the connection to plaintext): through a combination of a DNS record and a policy served over HTTPS, it instructs sending email servers that the SMTP connection must be encrypted and that the certificate must match the domain. MTA-STS does require a certificate from a publicly trusted certificate authority and is ultimately less secure than DANE. We therefore recommend MTA-STS where it is not possible to secure a domain with DNSSEC and thus with DANE.
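An added example, not from this page or Webtrend: how a sending mail server parses the MTA-STS policy file and applies its mx list and mode, in Python with a constructed sample policy (the domain names in it are placeholders).

```python
"""MTA-STS (RFC 8461): parse a policy and decide whether an MX host is allowed.
Added example for this page, not Webtrend's code; SAMPLE_POLICY is constructed."""

# Constructed sample policy, as fetched from https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""

def parse_policy(text):
    policy = {"mx": []}  # keys: version, mode, max_age (int), mx (list of patterns)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid or missing mode")
    policy["max_age"] = int(policy["max_age"])  # seconds the policy may be cached
    return policy

def mx_allowed(policy, mx_host):
    """'*.example.com' matches exactly one extra label (mail.example.com, but
    not example.com or a.b.example.com); other patterns must match exactly."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            head, sep, tail = host.partition(".")
            if sep and head and tail == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False

def should_deliver(policy, mx_host, tls_valid):
    """Enforce mode: an unlisted MX or a certificate that does not validate for
    its name blocks delivery; in testing mode the failure is only reported."""
    return policy["mode"] != "enforce" or (mx_allowed(policy, mx_host) and tls_valid)
```

Starting in `testing` mode with TLSRPT reporting enabled shows which MX hosts or certificates would fail before switching the policy to `enforce`.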

S/MIME to encrypt emails

While the security protocols above help to establish encrypted connections and send emails over them, mails are normally still stored in plaintext on the email server. S/MIME encrypts the email content itself and allows the sender to be verified as the legitimate sender, making it an effective weapon against many phishing attempts. Note that Webtrend is not a PKI (Public Key Infrastructure), so we will not issue a certificate for you, but we help you through the tedious process of obtaining and using an S/MIME certificate. It is also possible to issue such certificates yourself within a Windows Active Directory environment.

Perfect forward secrecy (PFS)

Perfect forward secrecy is a cryptographic property of the key exchange between a client and a server which guarantees that past communications cannot be decrypted even if the server's long-term private key is later compromised by an attacker. This is achieved by generating new (ephemeral) session keys for every connection and discarding them afterwards.

Security hardening and cipher strengthening

Most email servers are configured by default to allow a quick and easy deployment but offer only basic security. We follow best practices to enhance and harden the security of the email server.

We also configure email servers so that they negotiate only secure cipher suites with the client and, as a rule, enforce the server's cipher preference rather than letting the client decide which cipher is selected.

Webinterface for email clients

Email users can access their mail from anywhere simply through a web browser. Of course, they can also connect to the email server with their preferred email client.

Spam filter

Normally we recommend filtering spam directly on a reverse SMTP proxy, as it offers more flexibility, but if this is not possible, spam can be filtered on the email server itself using modern spam detection algorithms.



Reverse SMTP Proxy

A reverse SMTP proxy acts on behalf of your email server and effectively hides it from the internet. This brings many advantages and a lot of flexibility. For example, the IP reputation that email servers depend on in order not to be classified as spam senders is shifted to the reverse SMTP proxy. The proxy's IP address can easily be changed, or the proxy can be swapped for another one. A reverse SMTP proxy also acts as a single point of entry for multiple email servers, and it is possible to open no ports on the email servers at all, only on the reverse proxy. The most important feature, however, is analyzing incoming and outgoing mail for spam directly on the reverse proxy.

Webtrend uses a reverse SMTP proxy that is transparent. Transparent means that neither the email server nor the client notices the proxy: both believe they are talking to each other directly. The reverse proxy terminates TLS and is therefore able to read the otherwise encrypted traffic and perform additional policy checks (see below for examples).

Intelligent spam filter

The reverse SMTP proxy analyzes incoming and outgoing emails and checks them for spam. It uses a combination of a hidden Markov model and a Bayesian spam filter, amongst other policies. The spam filter learns continuously from the emails reaching the reverse proxy and from the reports made by users.

Spam report for email users

Email users are able to report emails that have not been detected as spam, and vice versa. This allows the spam filter to be adapted to your needs, especially in the beginning, and also builds a foundation of which language is primarily used.



Test our email server

Available security reports for our infrastructure can be found here:

Contact us

If you are interested in working with us, send us an email to:

contact@webtrend.ch

We love to hear about your project.