This guide aims to help you provide security for your self-hosted SpamTitan system equivalent to that provided to systems hosted by TitanHQ.
What differs between self-hosted and TitanHQ hosted systems?
TitanHQ hosts exclusively in AWS, and uses AWS Security Groups and the Web Application Firewall to provide an additional layer of security for SpamTitan systems.
Security Groups / Firewall rules – Inbound Connections
Required Port:
SpamTitan requires only one port be exposed to the internet:
TCP Port 25 – SMTP – Accessible from any location
Optional Ports:
Quarantine Report
If you have users that use Quarantine Reports from external/remote locations, you will need to expose:
TCP Port 443 – HTTPS – Accessible from any location
(Note: The HTTPS port is customisable. If you are using a custom HTTPS port, it is the custom port that will need to be exposed, or forward traffic on port 443 on your firewall to the custom HTTPS port configured in SpamTitan.)
Let’s Encrypt
If you use the Let’s Encrypt service to obtain a signed SSL Certificate, you will need to expose:
TCP Port 80 – HTTP – Accessible from any location when creating the certificate. This should be disabled after creating the certificate.
SpamTitan Cluster
If you run a SpamTitan cluster with one or more remote SpamTitan servers, you will need to expose:
TCP Port 5432 – PostgreSQL – Access restricted to the IP address(es) of the remote SpamTitan server(s).
No other ports are required to be opened for SpamTitan to function.
Ports that should be closed:
To prevent exposure of potentially sensitive data or abuse of the Node Exporter service, we recommend that port 9100 is not opened, or, if it is opened, that access is restricted to specific IP addresses or ranges.
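As an added check that is not part of the TitanHQ guide, the following script audits an inbound rule set (for example, the rules of an AWS Security Group exported as protocol/port/source tuples) against the port policy listed above; the sample rules and the 198.51.100.x / 203.0.113.x addresses are constructed placeholders.

```python
"""Audit SpamTitan inbound firewall rules against the required/optional port list.

Each rule is a (protocol, port, source_cidr) tuple. Port numbers follow the guide;
the helper itself is an added example, not TitanHQ code.
"""
import ipaddress


def audit_inbound(rules, cluster_peers=(), https_port=443, issuing_cert=False):
    """Return (severity, message) findings for rules that deviate from the policy.

    cluster_peers: CIDRs of remote SpamTitan cluster nodes permitted on TCP 5432.
    https_port:    the HTTPS port used for Quarantine Reports (443 unless customised).
    issuing_cert:  True only while a Let's Encrypt certificate is being created.
    """
    peers = [ipaddress.ip_network(p) for p in cluster_peers]
    findings, smtp_open = [], False
    for proto, port, cidr in rules:
        src = ipaddress.ip_network(cidr)
        if proto.lower() != "tcp":
            findings.append(("warn", f"{proto}/{port} from {cidr}: SpamTitan needs TCP only"))
        elif port == 25:
            smtp_open = True                      # required, any location
        elif port == https_port:
            pass                                  # optional, any location
        elif port == 80:
            if not issuing_cert:                  # only during certificate creation
                findings.append(("warn", f"tcp/80 from {cidr}: close after the certificate is issued"))
        elif port == 5432:
            if not any(p.version == src.version and src.subnet_of(p) for p in peers):
                findings.append(("high", f"tcp/5432 from {cidr}: PostgreSQL must be limited to cluster peers"))
        elif port == 9100:
            if src.prefixlen == 0:                # 0.0.0.0/0 or ::/0
                findings.append(("high", f"tcp/9100 from {cidr}: Node Exporter exposed to the internet"))
        else:
            findings.append(("warn", f"tcp/{port} from {cidr}: not required by SpamTitan"))
    if not smtp_open:
        findings.append(("high", "tcp/25 is not reachable; mail delivery will fail"))
    return findings


# Constructed sample: an over-permissive rule set as often found on a fresh deployment.
SAMPLE_RULES = [
    ("tcp", 25, "0.0.0.0/0"),
    ("tcp", 443, "0.0.0.0/0"),
    ("tcp", 80, "0.0.0.0/0"),
    ("tcp", 5432, "0.0.0.0/0"),
    ("tcp", 9100, "0.0.0.0/0"),
    ("tcp", 22, "203.0.113.0/24"),
]

if __name__ == "__main__":
    for severity, message in audit_inbound(SAMPLE_RULES, cluster_peers=["198.51.100.10/32"]):
        print(f"[{severity}] {message}")
```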
Web Application Firewall (WAF)
A WAF filters HTTP traffic entering an appliance/service and blocks attacks and exploits such as SQL injection, path traversal, cross-site scripting, and many others.
NOTE: If you are running an older version of SpamTitan, we recommend you upgrade as soon as possible to take advantage of a variety of improved security measures added to the system. We also highly recommend provisioning a WAF between your SpamTitan ports and the internet.
A WAF is an important security measure to use in front of an email gateway server for several key reasons:
- Protection Against Web-Based Attacks
- Layered Security
- Protection from DDoS Attacks
- Blocking Malicious Traffic
- Zero-Day Vulnerabilities
- Traffic Monitoring and Logging
- Rate Limiting
By acting as a shield between external threats and your email gateway, a WAF improves the overall security posture of your email infrastructure and helps reduce the risk of breaches or service disruptions.
While continual security improvements are being implemented to protect against web-based attacks, it is strongly recommended that you use a WAF in front of all self-hosted SpamTitan systems.
Due to the huge variety of WAF devices, services, and integrations available, TitanHQ cannot provide advice or recommendations on specific WAF devices, services, or integrations.
However, we do recommend that the WAF used provides protection against at least the relevant OWASP Top Ten threats:
OWASP Top Ten | OWASP Foundation