Exchange Best Practices: Secure POP and IMAP Access


This may cause applications to allocate unnecessarily large SSLEngine buffers. Disabled by default. You create an instance of this class in a similar manner to SSLContext, except for passing an algorithm name string instead of a protocol name to the getInstance method. First, "Socket Example Without SSL" shows sample code that can be used to set up communication between a client and a server using unsecure sockets.


Essential Linux Skills with CentOS 7 – Secure Firewall with iptables

Telnet: Telnet is a protocol for remote computing on the Internet. This protocol permits a computer to act as a terminal for a remote machine. The remote host accepts input directly from your computer as it is typed, and session output is directed to your screen. The .NET Tools include Telnet components. Thread-safe: The technique of writing code that prevents multiple threads from concurrently accessing a block of code.

.NET products provide thread-safety around critical members (members that are using non-sharable resources), but other members are not thread-safe. TrueType: TrueType fonts are the most popular fonts used in the Windows operating systems. Their scalable nature allows them to be both displayed on screen at small sizes and used for printing at high resolutions, without significant loss of quality.

TTY: An early form of terminal communications that does not use any escape sequences to define characters. UDP: UDP does not require the sender and receiver to establish a connection before data is transmitted. The protocol is considered unreliable because there is no specification for the order in which sent datagrams will arrive, or whether they will arrive at all.

A URL such as www. VT: A terminal emulation program that makes a workstation appear to be a dumb terminal connected to some remote system, such as a mainframe. .NET products include controls that allow developers to build such applications. Since almost every computer made could recognize and work with a VT terminal, all terminal emulation products designed to work with non-IBM computers offer VT emulation as a basic emulation.

Specific escape code sequences are defined by the VT specification, which includes some multi-national character support. Specific escape code sequences are defined by the VT specification, which includes extended multi-national character support. Specific escape code sequences are defined by the VT52 specification.

WaitFor: This method reads from the data stream until the specified string is found or the method times out. For example, during a login operation, the client will send a username after receiving a "login:" prompt. The WaitFor method could be used to continue reading data until the prompt was found. Web Form: A Web page or portion of a Web page that is filled out by the user and sent back to the server for processing.

The component also includes extra support for multi-file uploading. Wildcard: Characters used in a search that can match any character or string of characters. Wildcards can be used to match patterns or words. .NET products do not include a service control as the technology is built into the. Microsoft does not recommend that applications using WinInet operate in a scripting environment such as ASP. The advantage of WinInet is that it does encapsulate such features as NTLM authentication, a proprietary Microsoft authentication mechanism.

Wrapper Class: A class that wraps a component, providing easier use or value-added functionality. Other environments, such as Delphi and .NET, create wrappers automatically. Y-encode: Otherwise known as yEnc format, this is a relatively new 8-bit encoding type popular in Usenet. Tags are auto-generated by the environment.

The .NET Framework creates a .NET wrapper as a go-between. Absolute positioning allows an HTML object to be placed anywhere on a web page, using coordinates rather than a layout technique such as tables.

COM technology enables software components to interact with one another and is fundamental to Microsoft's pre-.NET component-based development model. AES is considered a highly secure algorithm that improves on the weaknesses of earlier algorithms against brute-force attacks. Asynchronous JavaScript and XML, or Ajax, is a web development technique for creating highly responsive and efficient applications.

Most modern browsers support all or most of these technologies, thereby making Ajax a reliable approach. An archive is a group of files or streams.

In .NET it is called Archive to designate a collection of files or streams. A web-based Active Server Page application that runs on a web server. .NET validation controls are a set of server controls that validate user input posted back to the same page. A supported component allows a validation control to access its posted data. Asynchronous operations are methods that execute in Windows Forms applications without interfering with the User-Interface (UI).

A process of verifying that a computer or user is who that computer or user claims to be. A setting in the .NET products that simplifies the process of communicating over a network. When set, data is automatically received and an EndReceive event is raised with no explicit call to BeginReceive required.

A generic class from which other more specific classes are derived using inheritance. .NET products often provide access to their base classes so that developers can build their own custom solutions without having to recreate low-level capabilities. Synchronous, or blocking, execution refers to a program that will not execute the next line of code until the current function call has completed.

This is common in scripting applications that lack mechanisms for events or callbacks. Blocking operations can also be easier to program as no notification is required when an operation completes. PowerTCP products offer both blocking and non-blocking operations.

The CertificateList control is an interface for selecting certificates. The CertificateStore object is a Dart class that represents the Microsoft certificate store. A certificate store is a database on the operating system that holds certificates. Applications installed as a service should store their certificates in the machine store since there is no current user when running as a service.

The numeric codes used to represent the characters of a particular country or place. An application that depends on and communicates with a server to deliver complete functionality.

Examples of clients include FTP clients, Email clients, and web browsers. A component or control that must be installed on a client computer before it can be used, rather than working on the server. A JavaScript class with an interface that can be accessed by users who wish to take advantage of the client-side functions contained within.

Client-side authentication is when a server requests the client's certificate for authentication purposes before being allowed to communicate with the server.

This assures that the client is not an imposter. Code-behind refers to ASP.NET code that is contained within a separate class file.

This allows a clean separation of your HTML from your presentation logic. Code-behind normally has a corresponding. An interactive dialog used for selecting the color of a particular HTML element, such as a font or background color.

.NET includes several color pickers, providing options depending on the bandwidth requirements of the user. Cookies are very small text files that Web sites place on a computer so that the browser can remember certain information. For example, cookies can contain user IDs, passwords, and the last visit date. They can also be used to store personal preferences and are often used with shopping carts, allowing the cart to remember what items were added if a user leaves the site.

Some sites use temporary cookies called session cookies that are deleted when you exit your browser. Others place persistent cookies, which stay on your hard drive for longer periods. A process that listens for requests or forwards a request to another process for handling. Daemons run continuously, usually in the background. A daemon is often used as a building block for server applications.

For example, the http daemon responds to HTTP requests from a web client. .NET includes a Server component that is a more advanced multi-threaded server.

This allows the user to work with streamed data in environments that don't natively support streaming such as VB6. Many PowerTCP Tools use a DartStream as a data type, allowing the developer to specify both memory and files as sources or destinations for their data.

String manipulation in VB is very inefficient. DartStrings overcomes these performance deficiencies, plus adds searching and formatting capabilities, such as parsing by delimiter. The source of the data being processed by the VT control. A real-time source is one like a Telnet connection that is actively returning data from a server, as opposed to a file that has previously captured data from a Telnet session. .NET products often provide an interface to the underlying TCP class for a greater level of customization.

An independent and self-contained packet of data. A datagram carries comprehensive information so it can be routed from source to destination without reliance on a pre-existing connection, or any prior exchanges between source and destination. Datagrams are used in reference to UDP, which is a "connection-less" protocol.

The Debug Server is a TCP Listener that displays any incoming data, and allows for any response to be manually entered by the user.

Sending other, non-ASCII files was a challenge, as most of these file types in their natural state are 8-bit files. Some mail transfer agents only have the ability to transfer 7-bit data. Any interactive application made available by a component or control at design-time (when a developer is writing code in the development environment, as opposed to running the application) that assists in the code writing or development process.

Properties set from the editor will persist back to the control or component. .NET components often include design-time editors for testing server connections.

A digital certificate, otherwise known as an x. A trusted organization, called a Certificate Authority (CA), assigns a certificate to a user or entity and the user or entity then uses the certificate to prove itself to the other side. A user may configure a system to accept any number of Certificate Authorities. A user submits a certificate request to a CA and the CA returns a certificate for the user to use.

Verisign, Thawte, Microsoft Certificate Server (user-defined authority), plus many others. There always needs to be a digital certificate installed to operate as a server. A digital certificate is only needed on a client if the server requests authentication. This is the foundation of using domain names on the Internet. Domain Name Servers maintain central lists of IP addresses and their mapped domain names. These are the servers that match up a domain with a specified IP address.

This is necessary because computers only understand the IP address for your domain. HTML content that is dynamically created depending on the request that is received from a client or other circumstances that the programming logic dictates. Non-dynamic HTML content can be a static web page that resides on a server and is returned to the requesting client without modification. Emulation is behavior like another type of entity, usually as in "terminal emulation," where the behavior of video terminal hardware is emulated.

Each "line" is of the same length, typically 64 or 76 characters. EnhancedStream is a class derived from the base stream class that adds type conversion, stream copying, and saving capabilities. Save allows you to save Stream data directly to a file. ToString returns a string representation of the data contained within the Stream. Not all mail servers implement ESMTP so those features can only be used when both the client and the server conform to the protocol.

An event driven application responds to conditions in real-time using an event notification mechanism to inform the application when a process or procedure has occurred. Progress indicators are an example of event driven implementations. Event driven applications are central to using non-blocking functions and writing applications in an asynchronous manner.

Explicit SSL is a technique of establishing a secure connection. The client sends a request for SSL encryption in the clear, with several other commands possibly preceding the SSL request. The server acknowledges, and the process of securing the connection begins. This is an alternative to Implicit SSL. This object is a collection of File objects, representing files or memory buffers that can be compressed or uncompressed.

Files and buffers can be added using the Add method. The FileStore object can be created and used independently from the Zip control; an independent FileStore object cannot fire events, but it can carry out all other operations on its own. A firewall is a program, often located at a network gateway server, which protects the resources of a private network from external access.

A font created as a graphic bitmap image and only available in a fixed size, not scalable like a TrueType font. FTP is commonly used to transfer Web page files from their creator to the host web server on which they will reside. The protocol is also commonly used to download programs and other files from other machines.

An FTP Server may be used to host computer files. An HTTP command that makes a request for a specific resource from a server. Graceful degradation or fault-tolerance is the property of a system that continues operating properly in the event of failure of some of its parts. For example, an application using Ajax technologies should gracefully degrade by detecting the requesting browser capabilities.

Once these capabilities are assessed, the application would render functionally equivalent code to the client. A compression utility often found on UNIX operating systems.

Unlike the common zip implementation found on Windows operating systems, gZip is designed to compress a single file, rather than compress and store multiple files into a single file package. Message headers identify information about a message or its parts.

Headers normally decorate the beginning of a message or part. Example header information includes the To, From, Subject, CC, and Date fields, plus others, including those added by servers and mail filtering applications. HTML mail merges a web page with an email message. Creating such mail requires the construction and complex combination of message parts.

.NET products provide shortcut methods for creating such messages, and also allow for the manual construction of messages when fine-tuning is required. The WebPage object is responsible for this operation.

This protocol defines how messages are transmitted and formatted plus defines how Web servers and browsers should act in response to various commands.

The ability to easily upload and insert images, while also having the ability to edit the characteristics of an image during or after insertion. The Internet Message Access Protocol. The IMAP4 protocol is a sophisticated alternative to the POP3 protocol for message downloading, allowing more options for mailbox and message handling.

The latest version is based on RFC This is an alternative to Explicit SSL. Integrated help is a reference to version 2.

This new help engine uses a revised layout format and is available natively while using Visual Studio. .NET products use the new help engine.

Integrated help includes capabilities such as F1 support and dynamic help. Just-in-time: A compilation mechanism that compiles source code into machine code on the "fly" when required, rather than at an earlier stage. This technique is used by. Key mapping is the ability to remap the keyboard to correspond with a previously defined set of responses to key presses. Key mapping in .NET is common, as users wish to match previously existing terminals. A Listing stands for a directory listing returned by an FTP server when a command is sent requesting directory information.

PowerTCP products return directory information as a collection, with all the individual files represented as objects, making programmatic responses to directory information much easier to code.

When finding directory structures that can't be parsed, the Listing object returns the directory data as a string for manual parsing. Localization is the process of adapting a computer program for a specific international market. This file must be created for all ActiveX components that require licensing, regardless of manufacturer.

WinForm templates are a set of forms created by Dart to assist developers in making interactive email applications. All the forms include source code and are a great way of seeing how to build interactive email applications. The Message object transforms any Internet mail message into an object that you can easily manipulate within your program. Alternatively, any message that you build or modify can be quickly encoded and sent. In .NET, the equivalent object is the MessageStream.

The MessageStream object is used by the Smtp component to prepare and encode email messages, and by the Pop component to decode a received email message. A method to retrieve multiple files based on wildcards, file lists, or entire branches of a directory tree.

This technique enables a more efficient deployment and security mechanism for multiple MIB files, plus increases the speed of interpreting the MIB files. The MIME protocol was created as an extension to the SMTP protocol as a way of storing more complex data, such as images, videos, applications, or any binary data, in an email message.

A method to store multiple files based on wildcards, file lists, or entire branches of a directory tree. A thread is simply defined as a single path of code that is being executed. A multi-threaded development environment is one that allows a single process to have multiple worker threads in addition to the user-interface thread if the application is interactive and provides context-switching between the threads. Such development environments include.

Visual Basic 6 uses another technique called apartment-model threading where threads operate in their own apartment. This technique does little to separate it from a single threaded model as all requests are serialized through the Windows message queue, thus only a single apartment is accessed at a time. A network device is any device that operates on a network such as a switch, printer, hub, router, or computer.

Non-blocking operations are methods that execute in Windows Forms applications without interfering with the User-Interface (UI). OID (Object IDentifier) is a number that identifies an object's position in a global object registration tree. An example is 1. On-line help and dynamic help refer to the ability to bring up documentation within Visual Studio .NET by simply using the F1 key on any member, or showing the associated member in the dynamic help window when the cursor moves over a member in the code window.

The PowerTCP Zip Compression Tool uses a high-performance compression algorithm that is intended to maximize compression speed for a majority of files. This technique is very helpful in web applications where server-side resources are at a premium. Telnet uses options to describe what capabilities will be supported during a telnet session. Before using an option, the parties must negotiate to ensure that both ends support the option.

This is done by exchanging "option code sequences." Data that is sent across a network. Large blocks of data are often broken up into several packets and then reassembled at the destination. Packets often include checksum codes to detect transmission errors. The structure of a packet is determined by the protocol being used.

A MIME message consists of one or more parts. An example is a text message with an attached file, which would contain two parts. When any file is attached to a message, the Content-Type in the main header becomes multipart, identifying it as a message with more than just text.

Parts are included after the main header, separated by a boundary. Each part may be encoded with a different encoding scheme. Ping (Packet Internet Groper) is a protocol used for determining whether a machine is currently connected to the Internet. This is done by sending a packet to the host and waiting for a reply.

.NET includes a Ping component. Pipelining is an advanced mail mechanism that sends multiple commands to a server at once, rather than one at a time. This technique increases the processing efficiency of mail commands.

Essentially, the stream acts as a "pipe", simply passing data through to the next stream. PipeStreams can be connected to perform numerous transformations on the data passing through. The Post Office Protocol. This protocol is the most common mail download system, and is supported by the largest number of email clients. Outlook is a common POP client. An HTTP command to upload content to a server. This command is often used to send form data or files from a client to a server.

A private key is the secret part of a key pair in a public-key cryptographic mechanism. When a certificate request (CSR) is generated by a computer that wishes to receive an x. The certificate request contains the public key, which will be part of the certificate that is generated by a certificate authority such as Verisign or Thawte in response to the certificate request.

During secure communications, the public key, which is available in the certificate, is used to encrypt the data, while the private key, which is only available on the machine that is the owner of the certificate, is used to decrypt the data.

Certificates can be exported, along with their corresponding private keys and any certificate authority certificates, using the PFX export mechanism. A design-time editor that allows the properties of a control to be set interactively, and changes the characteristics of the control in the designer (the visual non-code page that contains all the controls on a form) immediately. This allows for extensive changes to a control without writing any code, and is useful for prototyping its look and feel.

An intermediary application that is both a client and a server, and is dedicated to making requests on behalf of other clients. A proxy is often used as a client-side portal through a network firewall, or as an application that adds support for protocols not inherent to a client.

When working with a network firewall, a proxy acts as a trusted application that will access the Internet on the client's behalf.

Public-key is half of a key pair, the other being a private-key. A public key is contained within a digital certificate. A public key can encrypt data, however data encrypted with a public key can only be decrypted by the corresponding private key, which is kept by the owner. A public key can also be used to verify the authenticity of a digital signature. An HTTP command to put content to a server.

The command is often used to place files directly on a server. A POST request is used when uploaded data is to be handled by a known resource, while a PUT request could be directed at a resource which does not yet exist. The PUT method is suited for publishing pages. This SMTP related method is designed to send mail messages in one line of code by specifying all the needed information to create a valid message using parameters such as To, From, Subject, Text, etc. These hooks allow for kernel modules to interact with them.

Iptables has a huge list of kernel modules used for its firewalling capabilities. In fact, if you want to see a list of iptables kernel modules, type: These are our network adapters: eth0, eth1, and so on. Netfilter uses prerouting and postrouting hooks to and from the network stack to inspect packets sent and received on each interface. So the packet inspection is done at the kernel layer with netfilter, and all the firewall rules and tools to manage the firewall reside in user space.

The main difference is that firewalld gives us dynamic rule management (in-place changes), as opposed to iptables, which has a static ruleset. Both firewalld and iptables use the iptables service to talk to netfilter.

The change is at the user-space layer (firewall-cmd). Whether to use firewalld or to switch back to iptables is up to you. One thing is for certain, and that is firewalld is NOT a replacement for iptables. Personally I like to use iptables, so that is what I will use here. If you already use Linux as your desktop OS then firewalld will be easier to manage with the GUI firewall-config and dynamic configuration.

Both use netfilter, and both use iptables tools to function. There have been some interesting developments since the 3. A new firewall, nftables, looks set to replace iptables in the long run. You can read more about nftables here: First we need to replace firewalld with iptables. Disabling the service will remove it from what we used to know at the runlevel, with systemd this is our. Stop and disable firewalld:

systemctl stop firewalld
systemctl mask firewalld

Enable iptables:

systemctl enable iptables
systemctl enable ip6tables
systemctl start iptables
systemctl start ip6tables

At this stage you have no firewall rules. To check your existing rules we use: There are heaps of tutorials out there for iptables, but I want to give you enough information to understand the basics and adopt some security best practices. Before we go any further I should explain what chains are all about. Using verbose output (iptables -L -v) is useful to show stats on each rule.

If there are no matches on a given rule then you can mark it for deletion. A chain is a set of rules, checked one by one until one is matched. There are 3 chains: In other words it will expect you to create your rules on which traffic to deny, leaving everything else to get through. Look at the first line: Later in this guide we will set the default policy to deny all other traffic for all 3 chains, so we will also need to allow SSH traffic back out of eth0 (notice the use of -o for the out interface).

Using the limit matching module (-m limit) we can ensure that we log no more than 4 per minute; this will stop our logs filling up too fast. It also means you specify exactly what you let in, and out. Here is our first basic firewall ruleset with iptables; go ahead and copy the following into your console (remember to flush your configuration first). Make sure the interface name is correct (-i eth0) as you may have something different.

Within minutes of booting a Linux virtual machine with my hosting provider, my host was under a brute force attack for root. By default, your SSH configuration will allow root to login. There are some more tricks we can deploy. If you change the listening port then remember to change your firewall rules accordingly!

I just picked , but this could be something else if you wish. Finally, my favorite trick is rate limiting, to drop more than 3 connections per minute from an IP address. In fact you can adjust the time frame accordingly to be more aggressive than that. We have two new rules that use the recent extension. This creates a list of IP addresses that match a certain criteria.

This allows us to create our list of IP addresses. Call this what you want. Christmas trees, floods and empty packages. Sounds like someone is having a really bad time! We can use iptables to help protect against these attacks. If you are receiving a large number of these then someone may be trying to conduct a denial-of-service attack. Null packets (a single packet with no TCP flags set) usually indicate that your host is being scanned.

This is never legitimate, so we should drop it. This has nothing to do with iptables, but is worth a mention. This makes it possible to allow or deny access to certain services based on the IP.


Transport Layer Security (TLS), and its predecessor, Secure Sockets Layer (SSL), which is now deprecated by the Internet Engineering Task Force (IETF), are cryptographic protocols that provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web . Parameters: serverName. The name of the server to which a connection is established. To connect to a specific instance, follow the server name with a backslash and the instance name (e.g. serverName\sqlexpress).