What are the security risks with running an SMTP server?

Question

I'm running Windows Server 2012 and I would like to set up an SMTP server to work with my hosted websites. I've previously installed various roles on my server which have resulted in exposing security holes. Since then I have tried being extremely careful whenever exposing server roles/features/services to the internet. I couldn't find a clear-cut explanation to the following questions:

• What are the most common security threats to SMTP servers (e.g. external use for sending spam)?
• Do SMTP Servers (especially one running as a Windows Server role) require additional configuration to be secured against threats on the internet?
• What mechanisms are in place to prevent or detect unauthorized use of an installed SMTP server?

Answer 1

Security risks?

The main risk is one of exploitation. You will be used as a spam relay.

By default there are no mechanisms to stop unauthorized access (unless you count your firewall)

In the unlikely event that an attacker was especially crafty, and your mail server was especially vulnerable, someone could send out a virus in such a way that it is stored somewhere on your server before sending out, thereby infecting your server. That's just an example that I made up on the spot.

Non-authenticated SMTP relays which are open to the public are constantly scanned for, and are usually found within 15-45 minutes of being online.

---

Suggestions

If you are going to run an SMTP relay, make sure that it requires Authentication.
You should also ensure that any repeated attempts to relay from denied IPs are blocked. There should be a software setting for this in any decent mail server client.

If you don't want to pay for a product such as Microsoft Exchange Server or IceWarp, then you should instead look to a Linux based solution using a combination of Postfix and Dovecot, Cyrus or similar in a SASL configuration.

There are numerous tutorials on the net for this. One good source (that I like) is [here]