3 posts tagged with "security"

We are excited to announce a significant update to Stalwart Mail Server - the introduction of an integrated fail2ban-like system in our latest version, 0.5.3. This new feature marks an important advancement in our ongoing commitment to providing robust security measures for our users.

Understanding Fail2Ban​

Before diving into the specifics of our new feature, let's revisit what Fail2Ban is. Commonly used in the world of server security, Fail2Ban is an intrusion prevention software that protects servers from brute-force attacks. It operates by monitoring server logs for suspicious activities, like repeated password failures, and responds by blocking the offending IP addresses, typically by updating firewall rules.

Tailored Security​

In Stalwart Mail Server version 0.5.3, we've embraced the core philosophy of Fail2Ban but adapted it to better suit the unique environment of our mail server. Our integrated fail2ban system is designed to enhance security without relying on external Fail2Ban software. It's a part of Stalwart Mail Server, built directly into its architecture.

One key difference in our approach is how we handle the banning of IP addresses. Unlike traditional Fail2Ban that alters firewall rules, our system immediately drops further connections from any banned IP address. This swift action effectively cuts off malicious attempts at their source, ensuring immediate protection.

Fully Integrated​

Another significant aspect of our fail2ban system is its integration across all mail server services. Whether it be JMAP, IMAP, SMTP, or ManageSieve, authentication failures in any of these services contribute to the ban threshold. This comprehensive coverage ensures that the security of one service is not compromised at the expense of another.

Advanced Tracking Beyond IP Addresses​

A standout feature of our fail2ban system is its ability to track authentication failures not only by IP address but also by login name. This is particularly vital in defending against distributed brute-force attacks, where attackers might use numerous IP addresses to target a single account. Our system intelligently identifies such patterns and, after a certain number of failed attempts, blocks further authentication efforts for that account, regardless of the IP used. This means that an attacker cannot simply hop IP addresses to bypass security measures.

Conclusion​

The introduction of this integrated fail2ban system in version 0.5.3 is a testament to our dedication to providing top-tier security for our users. This advanced security feature is meticulously designed to address and neutralize a wide array of cyber threats, especially sophisticated brute-force attacks.

We are proud to bring this new level of security to Stalwart Mail Server. This update reflects our ongoing commitment to adapting and evolving in the face of emerging cyber threats. With the integration of our fail2ban system, Stalwart Mail Server version 0.5.3 stands as a more secure, reliable, and resilient solution for your email server needs.

Stay tuned for more updates and features as we continue to enhance and refine Stalwart Mail Server. Your security is our priority, and we are dedicated to providing you with the best tools to protect it.

ACME (Automatic Certificate Management Environment) represents a breakthrough in managing TLS (Transport Layer Security) certificates. This protocol automates the process of obtaining, installing, and renewing TLS/SSL certificates, which are crucial for securing network communications. TLS certificates provide authentication and encryption, ensuring that data transferred between users and servers remains private and secure.

ACME's ability to automate these tasks greatly simplifies certificate management, particularly for services like mail servers that require ongoing security maintenance. The protocol interacts with Certificate Authorities (CAs) such as Let's Encrypt to automate the verification of domain ownership and the issuance of certificates, significantly reducing manual effort and the risk of human error.

We are thrilled to announce the release of Stalwart Mail Server 0.5.2, which brings two significant advancements: the integration of the ACME protocol for automatic TLS certificate deployment and support for the HAProxy Protocol. These features mark a substantial step forward in our commitment to enhancing the security and efficiency of Stalwart Mail Server.

The Power of ACME​

The integration of ACME into Stalwart Mail Server simplifies the complexities of TLS certificate management. It ensures that the certificates are always up-to-date, thereby enhancing the overall security of your communications. With ACME, the server automatically verifies domain ownership, obtains the necessary certificates, and handles renewals, all without manual intervention. This automation is not only a boon for security but also significantly reduces the administrative burden and the risk of service interruptions due to expired certificates.

Embracing the Proxy Protocol​

The Proxy Protocol is another crucial feature in this release. When running servers behind load balancers or reverse proxies, such as Caddy, HAProxy, or Traefik, the server traditionally only sees the IP address of the proxy, not the actual client. This limitation can impact security and logging functions. By supporting the Proxy Protocol, Stalwart Mail Server 0.5.2 can now accurately identify the original client's IP address and connection details. This capability is essential for maintaining robust security measures and precise logging. It ensures that even in environments where Stalwart is behind a proxy, it retains full visibility over client connections.

Conclusion​

In conclusion, Stalwart Mail Server 0.5.2 is a significant update, offering both ACME for simplified and automated TLS certificate management and the Proxy Protocol for enhanced functionality behind proxy environments. These features underscore our dedication to providing a secure, efficient, and user-friendly mail server solution. We look forward to seeing how our users leverage these new capabilities in their Stalwart Mail Server deployments.

We are thrilled to announce that Stalwart Mail Server has undergone a comprehensive security audit conducted by Radically Open Security. As a part of their assessment, a crystal-box penetration test was performed to ensure the robustness and security of the mail server.

How Was The Security Audit Conducted?​

• Automated Scanning: Radically Open Security employs state-of-the-art automated tools and scanners to root out common vulnerabilities, coding flaws, or misconfigurations within the codebase. These tools are invaluable in identifying potential problem areas that might necessitate a more in-depth manual analysis. They also confirm that the code adheres strictly to secure coding practices.

• Manual Code Review: Building upon the insights provided by automated scanning, a manual code review was carried out. This process aims to spot complex security issues, logical flaws, and ensures that secure coding practices are consistently met. This meticulous step involves confirming the proper implementation of essential components such as input validation, authentication, authorization, and data protection mechanisms.

What Were the Results?​

We are proud to share that the audit concluded with no vulnerabilities or unsafe code identified in the Stalwart Mail Server. Such an outcome underscores our commitment to offering a safe and secure open-source mail server solution to our users.

For those who would like a deep dive into the audit's findings, the full report is accessible here.

Continuous Improvement​

Though the audit did not unearth any vulnerabilities, Radically Open Security did make a constructive recommendation: They advised against storing directory or OAuth secrets in the configuration file. We took this feedback to heart, and we're excited to introduce Stalwart Mail Server version 0.3.9. Released today, this latest version allows reading configuration settings from environment variables. It’s a step further towards ensuring that our users can trust Stalwart, not just for its capabilities, but also for its steadfast focus on security.

Looking ahead​

We extend our heartfelt gratitude to the team at Radically Open Security for their comprehensive evaluation and invaluable feedback. We're committed to constantly refining and improving our product, with the security and trust of our users being paramount. With this recent audit, we hope to have taken another significant step towards that goal.

Stay secure!