Email Server Security Hardening Checklist

Cloud Server for Email
cloudserverforemail.com · infrastructure@cloudserverforemail.com · +372 602 3545
EU-Based Infrastructure
Operating Since 2015
Email Server Security Hardening Checklist
Linux Server Security for Email Infrastructure
Version 2026-04 · Cloud Server for Email

SSH Access

  • SSH password authentication disabled — key-only authentication
  • Root login disabled (PermitRootLogin no in /etc/ssh/sshd_config)
  • SSH port changed from 22 to non-standard port (e.g., 2222)
  • Allowed users restricted to specific user accounts (AllowUsers directive)
  • Fail2ban installed and configured for SSH
  • SSH key passphrase set on all private keys
  • Old/unused SSH keys revoked and removed from authorized_keys

Firewall Configuration

  • Default-deny inbound policy (only explicitly allowed ports open)
  • Allowed inbound: 25 (SMTP), 587 (SMTP injection), 80/443 (MailWizz), SSH port
  • PowerMTA HTTP API (8080): accessible only from localhost or VPN — NOT public internet
  • MySQL: accessible only from localhost — NOT public internet
  • IP whitelist for admin access (your office/VPN IP for SSH)
# UFW (Uncomplicated Firewall) basic setup ufw default deny incoming ufw default allow outgoing ufw allow 25/tcp # SMTP ufw allow 587/tcp # Submission ufw allow 443/tcp # HTTPS (MailWizz) ufw allow 2222/tcp # Custom SSH port ufw enable # Fail2ban for SSH protection apt install fail2ban systemctl enable fail2ban

OS and Software Updates

  • Automatic security updates enabled (unattended-upgrades)
  • Critical patches applied within 24 hours of release
  • PowerMTA kept current (update within 30 days of new release)
  • PHP updated to current supported version (8.2+)
  • MySQL/MariaDB on current stable release
  • Nginx/Apache on current release

Data Protection (GDPR)

  • Full-disk encryption enabled (LUKS on Linux)
  • Database encrypted at rest (MySQL encryption or filesystem encryption)
  • TLS enforced for all SMTP connections (outbound and MailWizz admin)
  • MailWizz admin panel accessible via HTTPS only (HTTP redirects to HTTPS)
  • Access logs retained 90 days minimum for security incident investigation
  • Backup files encrypted at rest

PowerMTA Security

  • HTTP management API restricted to localhost (127.0.0.1 only)
  • SMTP authentication required for injection port (587)
  • Open relay test: verify server does not relay for unauthorized senders
  • Rate limiting on injection port to prevent internal abuse
  • Log rotation configured: accounting logs rotated daily, retained 90 days

Monitoring for Security Events

  • fail2ban alerts configured (email on repeated SSH failures)
  • Unusual outbound SMTP volume alert (spike in queue depth not triggered by campaign)
  • Login failure alerts from MailWizz admin panel
  • Daily automated blacklist check (server IP appearing on blacklist may indicate compromise)
A compromised email server used for spam can result in: IP blacklisting, GDPR breach notification obligations, infrastructure provider account termination, and reputational damage that takes months to recover from. Security hardening is not optional for production email infrastructure.