
Self-hosted email service

What has been found

Self-hosted email service.

A self-hosted email service was identified. Operating and maintaining an on-premises email system that is resilient against modern threats such as malware, phishing, spoofing, and credential attacks requires significant security expertise and ongoing maintenance. Without this, such systems often present greater risk than modern, managed SaaS email platforms.

Why this is a potential risk

Self-hosted email services are inherently exposed to the internet and are frequent targets for attackers due to their accessibility and critical role in communication. Common risks include misconfigured mail transfer agents (MTAs), insecure authentication mechanisms, lack of modern anti-spam/anti-phishing controls, and inadequate patch management.

Successful exploitation can result in data breaches, ransomware deployment, or the use of the mail server for spam and phishing distribution. SaaS-based email platforms typically provide stronger baseline security controls, continuous patching, and integrated threat protection.

Potential solutions/Improvements

  • Migrate to a secure cloud-based email platform: Consider SaaS solutions such as Microsoft 365 or Google Workspace, which include managed patching, built-in anti-malware, and phishing defences.

  • Restrict exposure: If self-hosting must continue, ensure only required mail ports (25, 465, 587) are exposed and that authentication and encryption (TLS 1.2/1.3) are enforced.

  • Implement layered defences: Deploy spam filters, DKIM, SPF, and DMARC to validate email integrity and reduce spoofing risks.

  • Patch and harden: Regularly update mail server software and operating systems. Follow vendor hardening guides and disable legacy authentication protocols.

  • Monitor and log: Continuously monitor for failed login attempts, abnormal SMTP activity, or large outbound email volumes indicative of compromise.

How to verify it is resolved

  • Perform an external vulnerability scan to confirm that the mail service is appropriately secured or decommissioned.

  • Audit firewall and network access controls to ensure exposure is restricted to required ports and services.

  • Validate that encryption and authentication (STARTTLS, TLS 1.2+) are enforced for all mail flows.

  • Review logs for signs of unauthorised access, spam relay attempts, or abnormal email traffic.
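To make the SPF/DMARC part of the layered defences and the verification steps above concrete, here is an added example (not code from the original page) that grades a domain's SPF and DMARC TXT records for the weaknesses a reviewer would look for: a permissive or missing `all` mechanism, too many DNS lookups, a `p=none` policy, partial `pct`, and no aggregate reporting address. The records shown are constructed samples; fetching live records (for instance with dnspython) is left to the caller.

```python
"""Offline checks for SPF and DMARC TXT records. Sample records are
constructed; fetch live ones (e.g. dns.resolver.resolve(domain, "TXT")
from dnspython) and pass their text to the functions below."""
import re

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps these at 10.
LOOKUP_RE = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)", re.I)


def assess_spf(record: str) -> dict:
    """Report weaknesses in an SPF record ('v=spf1 ...')."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "lookups": 0, "findings": ["not an SPF record"]}
    findings = []
    # The 'all' mechanism decides the fate of senders no earlier term matched.
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    qualifier = "+" if all_term is None or all_term[0] not in "+-~?" else all_term[0]
    if all_term is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif qualifier == "+":
        findings.append("'+all' authorises any host to send as this domain")
    elif qualifier == "~":
        findings.append("'~all' is softfail only; use '-all' once DMARC is enforced")
    elif qualifier == "?":
        findings.append("'?all' is neutral and gives no protection")
    lookups = sum(1 for t in terms[1:] if LOOKUP_RE.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the RFC 7208 limit of 10 (permerror)")
    return {"valid": True, "lookups": lookups, "findings": findings}


def assess_dmarc(record: str) -> dict:
    """Report weaknesses in a DMARC record ('v=DMARC1; p=...; ...')."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return {"valid": False, "policy": None, "findings": ["not a DMARC record"]}
    policy = tags.get("p", "").lower()
    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam; move to p=reject when ready")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of messages")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return {"valid": True, "policy": policy, "findings": findings}
```

An empty `findings` list for both records is the target state; anything else is a gap to close before treating the finding as resolved.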
