Mail Server Security

Discussion in 'ISPConfig 3 Priority Support' started by DylanPedro, Feb 11, 2018.

  1. DylanPedro

    DylanPedro Member HowtoForge Supporter

    Is there a way to added some custom code to the nginx.conf file within ISPConfig as I have just tested my mail server using the website:
    https://www.htbridge.com/websec/
    and it gives it a low core regarding the following:
    Code:
    SERVER
    The web server discloses its version. This may allow attackers to use known vulnerabilities and conduct further attacks against it. Misconfiguration or weakness
    Raw HTTP Header
    Server: nginx/1.10.3
    STRICT-TRANSPORT-SECURITY
    The header was not sent by the server. Misconfiguration or weakness
    PUBLIC-KEY-PINS
    The header was not sent by the server. Misconfiguration or weakness
    X-FRAME-OPTIONS
    The header was not sent by the server. Misconfiguration or weakness
    X-XSS-PROTECTION
    The header was not sent by the server, enabling XSS exploitation if not restricted by the client's browser. Misconfiguration or weakness
    X-CONTENT-TYPE-OPTIONS
    The header was not sent by the server. Misconfiguration or weakness
    CONTENT-SECURITY-POLICY
    The header was not sent by the server.
    I have found some recommendation on the following site:
    https://gist.github.com/plentz/6737338

    Just need to know if they should be entered directly into nginx.conf or admin?
     
    Last edited: Feb 11, 2018
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess that's up to you. If you want to enable these settings globally, add them in nginx.conf, if you want to enable them for a specific vhost, then add them in that vhost.
     
  3. DylanPedro

    DylanPedro Member HowtoForge Supporter

    if specific vhost then does it go in the nginx directive in the control panel. Why would the default settings not be as secure as recommended?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The security of the current setup is absolutely fine, there need to change something. You just asked how to apply changes to an nginx server that someone else posted on his website and I told you how you can do that. Besides that, nginx is not your mail server, it's the web server, so your questions are about web server configuration and not about mail server security as the title says.
     
    Last edited: Feb 14, 2018 at 2:39 PM

Share This Page