Cloud Server for Email
cloudserverforemail.com · infrastructure@cloudserverforemail.com · +372 602 3545
EU-Based Infrastructure
Operating Since 2015
Operating Since 2015
Email Server Security Hardening Checklist
Linux Server Security for Email Infrastructure
Version 2026-04 · Cloud Server for Email
SSH Access
- SSH password authentication disabled — key-only authentication
- Root login disabled (PermitRootLogin no in /etc/ssh/sshd_config)
- SSH port changed from 22 to non-standard port (e.g., 2222)
- Allowed users restricted to specific user accounts (AllowUsers directive)
- Fail2ban installed and configured for SSH
- SSH key passphrase set on all private keys
- Old/unused SSH keys revoked and removed from authorized_keys
Firewall Configuration
- Default-deny inbound policy (only explicitly allowed ports open)
- Allowed inbound: 25 (SMTP), 587 (SMTP injection), 80/443 (MailWizz), SSH port
- PowerMTA HTTP API (8080): accessible only from localhost or VPN — NOT public internet
- MySQL: accessible only from localhost — NOT public internet
- IP whitelist for admin access (your office/VPN IP for SSH)
# UFW (Uncomplicated Firewall) basic setup
ufw default deny incoming
ufw default allow outgoing
ufw allow 25/tcp # SMTP
ufw allow 587/tcp # Submission
ufw allow 443/tcp # HTTPS (MailWizz)
ufw allow 2222/tcp # Custom SSH port
ufw enable
# Fail2ban for SSH protection
apt install fail2ban
systemctl enable fail2ban
OS and Software Updates
- Automatic security updates enabled (unattended-upgrades)
- Critical patches applied within 24 hours of release
- PowerMTA kept current (update within 30 days of new release)
- PHP updated to current supported version (8.2+)
- MySQL/MariaDB on current stable release
- Nginx/Apache on current release
Data Protection (GDPR)
- Full-disk encryption enabled (LUKS on Linux)
- Database encrypted at rest (MySQL encryption or filesystem encryption)
- TLS enforced for all SMTP connections (outbound and MailWizz admin)
- MailWizz admin panel accessible via HTTPS only (HTTP redirects to HTTPS)
- Access logs retained 90 days minimum for security incident investigation
- Backup files encrypted at rest
PowerMTA Security
- HTTP management API restricted to localhost (127.0.0.1 only)
- SMTP authentication required for injection port (587)
- Open relay test: verify server does not relay for unauthorized senders
- Rate limiting on injection port to prevent internal abuse
- Log rotation configured: accounting logs rotated daily, retained 90 days
Monitoring for Security Events
- fail2ban alerts configured (email on repeated SSH failures)
- Unusual outbound SMTP volume alert (spike in queue depth not triggered by campaign)
- Login failure alerts from MailWizz admin panel
- Daily automated blacklist check (server IP appearing on blacklist may indicate compromise)
A compromised email server used for spam can result in: IP blacklisting, GDPR breach notification obligations, infrastructure provider account termination, and reputational damage that takes months to recover from. Security hardening is not optional for production email infrastructure.