Hello Zakaria, I agree if port 25 is open it would work just fine, but how to get around the fact that GCP blocks port 25?
On Sat, Feb 19, 2022 at 2:05 PM Zakaria <[email protected]> wrote:

> Hi Terrence, Mohamed,
>
> If port 25 on such SMTP server is open and accessible remotely then EHLO
> command will work, and if not then at such point it is not possible to be
> initiated since its port is not accessible and this is the point where EHLO
> wouldn't work. To check ports accessibility, I advise to refer to port
> checker tools and online services, insert server IP and check if the
> relevant port is open or use the following command:
>
> ss -alpnt | grep '25'
>
> I'm really sorry for not being able to help in configuring by myself, it's
> just I've many things to do while I would love to, but I'm happy to answer
> any question on any issue you might face. I advise to just hit the ground
> and start compiling and installing dovecot and exim and things will be easy
> once you start setting up the configuration files.
>
> With good luck.
>
> Zakaria.
>
> On 19 Feb 2022 17:42, Terrance Devor via Exim-users <[email protected]> wrote:
>
> > Hello Zakaria,
> >
> > - Adding Mohamed who is our CTO
> >
> > Please see my comments inline
> >
> > On Mon, Feb 7, 2022 at 5:26 PM Zakaria via Exim-users <[email protected]> wrote:
> >
> > > Hi Terrance,
> > >
> > > Here is my input.
> > >
> > > I have configured EXIM with dovecot in VPS, I think it would be doable
> > > in a similar way to docker containers I presume and if it's not then it
> > > seems the issues would be along the lines of just requiring ports opening,
> > > although I did not use port 26 nor did I find any need in my VPS setup, but
> > > I read somewhere GCP blocks 25 and people turn to 26 as a unique one, thus
> > > it needs to be opened for SMTP authentications and connections.
> >
> > Agreed, the setup will be very similar and we will need to set up the
> > correct IN/EGRESS rules to set up the ports for SMTP/IMAP. The idea is to
> > set up EXIM/Dovecot with emails persisted to a filesystem. IMAP/POP will be
> > configured to force our employees to download the emails onto their local
> > machines after the quota (200MB) has been met. I am a little confused by
> > the whole "use port 26 instead of port 25"; would EHLO attempts from other
> > SMTP servers still work? Would they not attempt the EHLO on port 25? At
> > which point the EHLO attempt would fail.
> >
> > > In regards security implementation to handle DKIM, SPF, DMARC and DANE
> > > I recommend sidn.nl tutorials on how to configure them, they offered me
> > > a great resource to understand how it works and, as always with me, while
> > > it's depending on your security ideals, still I suggest to loosen sidn.nl
> > > denys to warning so to make sure all emails are received and perhaps
> > > add headers indicating which validation fails in case there was, and
> > > using sieve forward to spam with rewritten subject, e.g. content is
> > > likely spam, rewrite " spam content ", and in the event of DKIM failure,
> > > either bad or invalid signature, then add DKIM failure accordingly,
> > > etc. Refer to
> > > https://www.sidn.nl/en/modern-internet-standards/hands-on-implementing-spf-dkim-and-dmarc-in-exim
> > > https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-dane-in-exim
> >
> > This will be very important. Because this is for corporate emails we don't
> > want to ask our clients to check their SPAM folder...
> >
> > > I have not tested Postfix but so far EXIM as MTA and Dovecot as IMAP
> > > Server together work just perfectly, therefore I recommend using them
> > > over Postfix.
> >
> > We also want to go with EXIM/Dovecot with spam and virus detection.
> >
> > > Also, I recommend to secure EXIM and Dovecot so to handle connections
> > > only over SSL, I think it's better to enable mail server over SSL and
> > > disable STARTTLS i.e. enable port 465 for SMTP and 993 for IMAP and I
> > > guess 995 for POP3 to enable SSL as well as disable 587, 143 and 110 to
> > > disable STARTTLS and require ssl i.e. encryption in SMTP
> > > authentications and IMAP as well as POP3 connections, since it seems
> > > STARTTLS is prone to some attack vectors, refer to
> > > https://nostarttls.secvuln.info/
> >
> > I configured something very similar when I set up my own email server 15
> > years ago. Would love to see the same setup (i.e., use of SSL with disabled
> > STARTTLS and enabling ports 465/993 only and disabling the rest). We need a
> > very secure email server instance that requires employees to get on the
> > company VPN to send/receive email.
> >
> > > In terms of ssl library, I compiled recent EXIM master against latest
> > > openssl, I guess 3.0.1, and it works perfectly with no issues.
> > > Lastly it's ARC, I am currently working on configuring ARC experimental,
> > > so far the EXIM experimental documentation seems to be a good starting
> > > point. I've not finished, and there could be out there more elaborate
> > > sources other than EXIM notes, so I recommend to do further research on
> > > your own. It seems generally it's all about adding several blocks in
> > > ACLs and options in transports and routers along with enabling the ARC flag
> > > during compilation.
> > >
> > > I hope you find my input helpful, with good luck.
> > >
> > > Zakaria.
> >
> > As discussed, I set up an email server on a 2U which I had in my home about
> > 10 years ago, EXIM4 days.... Currently, technical work is well over my
> > ability and I would really appreciate if you guys would help us deploy this
> > on our K8S cluster.
> >
> > We have a small budget that I could put towards setting up a fully secured
> > EXIM and dovecot server on our Kubernetes cluster. We would package up the
> > custom docker image; we need someone to help in the configuration and lock
> > everything down for a secure email service that is fully verified.
> >
> > Can you please help?
> >
> > > On 5 Feb 2022 15:01, Byung-Hee HWANG via Exim-users <[email protected]> wrote:
> > >
> > > > Terrance Devor via Exim-users <[email protected]> writes:
> > > >
> > > > > To add some additional information regarding what we are trying to
> > > > > achieve:
> > > > >
> > > > > - An email server as a docker container. Prefer EXIM, however Postfix
> > > > >   would work
> > > > > - A POP3/IMAP server as a docker container
> > > > >
> > > > > The containers will be deployed to a kubernetes cluster on GCP. We also
> > > > > want DKIM and all the verification to work perfectly. This is for my own
> > > > > company, security is a must :)
> > > > >
> > > > > Can anyone please help guide in the right direction?
> > > >
> > > > As you know, all bytes are money on GCP, AWS and other Cloud
> > > > services. So I do not use POP3/IMAP on GCP. All incoming emails go
> > > > forward to real Gmail box:
> > > >
> > > > #+BEGIN_SRC text
> > > > soyeomul@bionic190316003:~$ cat ~/.forward
> > > > [email protected]
> > > > #+END_SRC
> > > >
> > > > And I don't know about a docker. +Both Exim and Postfix are good
> > > > MTA.
> > > >
> > > > Sincerely, Byung-Hee

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
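Two checks for the port-25 question in this thread, as an added example that is not code from the thread, from Exim or from Google. The `ss -alpnt | grep '25'` suggested above only shows what is listening on the local host, and a bare `grep '25'` also matches lines for port 2525 or an address such as 10.0.0.25; it says nothing about whether connections can leave the VM on port 25, which is the block the thread attributes to GCP. The first function below parses `ss` output by its exact port column; the second makes an outbound SMTP connection from the machine itself, waits for the 220 banner before sending EHLO, and reports whether the path is open end to end. Moving the listener to 26 does not change what other MTAs do: they deliver to the MX host on port 25 only, so the inbound side must keep 25 reachable regardless of what the VM may send out. The `ss` sample is constructed, `probe.example` is a placeholder EHLO name, and `mx.example.net` in the usage comment is a placeholder host.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): "listening locally" versus "reachable".

# Constructed `ss -alpnt` output for a host running an MTA on 25 and 465 plus an
# unrelated service on 2525. A bare `grep '25'` matches every line below.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port    Process
LISTEN  0       20      0.0.0.0:25            0.0.0.0:*            users:(("exim",pid=611,fd=3))
LISTEN  0       20      0.0.0.0:465           0.0.0.0:*            users:(("exim",pid=611,fd=4))
LISTEN  0       128     127.0.0.1:2525        0.0.0.0:*            users:(("python3",pid=900,fd=5))
ESTAB   0       0       10.0.0.25:22          198.51.100.7:51120   users:(("sshd",pid=702,fd=4))'

# listening_on PORT  -- read `ss` output on stdin; succeed only if a LISTEN
# socket is bound to exactly PORT. Column 4 is "Local Address:Port"; the port
# is whatever follows the last ':' (so "[::]:25" works as well).
listening_on() {
  awk -v want="$1" '
    $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == want) { found = 1; exit } }
    END { exit found ? 0 : 1 }'
}

# smtp_probe HOST PORT -- connect *from this machine*, print the greeting and
# the EHLO reply, return 0 only on a 220 greeting. This exercises the egress
# path, which `ss` cannot see. /dev/tcp and `read -t` are bash features, so
# under a plain POSIX sh the probe reports that it cannot run (status 2)
# rather than mis-reporting the port as blocked.
smtp_probe() {
  host=$1; port=$2
  [ -n "$BASH_VERSION" ] || { echo "smtp_probe: needs bash" >&2; return 2; }
  if ! ( exec 3<>"/dev/tcp/$host/$port" ) 2>/dev/null; then
    echo "$host:$port unreachable (egress blocked, filtered, or nothing listening)"
    return 1
  fi
  exec 3<>"/dev/tcp/$host/$port"
  # Wait for the banner before talking: sending EHLO first is exactly what
  # MTAs such as Exim treat as an "early talker" and drop.
  read -t 5 -r greeting <&3 || { exec 3>&-; return 1; }
  greeting=$(printf '%s' "$greeting" | tr -d '\r')
  echo "S: $greeting"
  printf 'EHLO probe.example\r\n' >&3
  while read -t 5 -r line <&3; do
    line=$(printf '%s' "$line" | tr -d '\r')
    echo "S: $line"
    case $line in [0-9][0-9][0-9]' '*) break ;; esac   # final line of the reply
  done
  printf 'QUIT\r\n' >&3
  exec 3>&-
  case $greeting in 220*) return 0 ;; *) return 1 ;; esac
}

for p in 25 26 2525; do
  if printf '%s\n' "$SAMPLE_SS" | listening_on "$p"; then
    echo "port $p: listening locally"
  else
    echo "port $p: not listening locally"
  fi
done
# Outbound check from the VM (the part a firewall rule or cloud egress policy
# actually affects); mx.example.net is a placeholder:
#   smtp_probe mx.example.net 25
```

Run the `listening_on` part anywhere; run `smtp_probe` from inside the VM or pod whose egress you are unsure about, since running it from a laptop tells you about the laptop's network, not the cluster's.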

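The "implicit TLS only" layout recommended in the thread (465 for submission, 993/995 for IMAP/POP3, with 587/143/110 closed) written out as Exim and Dovecot fragments, beside the weaker variant that still offers STARTTLS ports, plus two small audits that tell them apart. This is an added example, not configuration from the thread or from the Exim or Dovecot projects; certificate paths are placeholders. One caveat the thread's wording glosses over: port 25 must stay open for inbound delivery from other MTAs, and on 25 STARTTLS is the only encryption available, so "no STARTTLS" can only mean the submission and mailbox ports. The Exim fragment therefore keeps 25 and 465, marks 465 as implicit TLS, and advertises AUTH only once a TLS session is up.

```shell
#!/usr/bin/env sh
# Added example (not from the thread, not Exim/Dovecot project code):
# hardened and weak listener layouts, and audits that distinguish them.
SAMPLE_DIR=$(mktemp -d)

# Exim, hardened: 25 for inbound MX delivery (STARTTLS is the only option
# there), 465 implicit TLS for submission, AUTH offered only inside TLS.
cat >"$SAMPLE_DIR/exim-hardened.conf" <<'EOF'
daemon_smtp_ports = 25 : 465
tls_on_connect_ports = 465
tls_advertise_hosts = *
tls_certificate = /etc/exim/tls/fullchain.pem
tls_privatekey = /etc/exim/tls/privkey.pem
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}
EOF

# Exim, weak: 587 is listened on but is not an implicit-TLS port, so clients
# may speak cleartext there and are left to opt into STARTTLS.
cat >"$SAMPLE_DIR/exim-weak.conf" <<'EOF'
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
tls_advertise_hosts = *
EOF

# Dovecot, hardened: STARTTLS listeners disabled with port = 0, TLS-only
# listeners on 993/995, TLS mandatory for every client.
cat >"$SAMPLE_DIR/dovecot-hardened.conf" <<'EOF'
ssl = required
ssl_min_protocol = TLSv1.2
ssl_cert = </etc/dovecot/tls/fullchain.pem
ssl_key = </etc/dovecot/tls/privkey.pem
disable_plaintext_auth = yes
service imap-login {
  inet_listener imap {
    port = 0            # no 143 / STARTTLS
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0            # no 110 / STARTTLS
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
EOF

# Dovecot, weak: TLS merely available, 143 and 110 still open.
cat >"$SAMPLE_DIR/dovecot-weak.conf" <<'EOF'
ssl = yes
service imap-login {
  inet_listener imap {
    port = 143
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
}
EOF

# exim_plaintext_ports CONF -- ports in daemon_smtp_ports that are not in
# tls_on_connect_ports, i.e. where a session starts in cleartext.
exim_plaintext_ports() {
  all=$(sed -n 's/^daemon_smtp_ports *= *//p' "$1" | tr -d ' ' | tr ':' '\n')
  tls=$(sed -n 's/^tls_on_connect_ports *= *//p' "$1" | tr -d ' ' | tr ':' '\n')
  out=
  for p in $all; do
    printf '%s\n' "$tls" | grep -qx "$p" || out="$out $p"
  done
  printf '%s\n' "${out# }"
}

# dovecot_plaintext_listeners CONF -- names of the non-TLS imap/pop3 listeners
# whose port is not 0, i.e. still reachable for STARTTLS or plaintext.
dovecot_plaintext_listeners() {
  awk '
    { sub(/#.*/, "") }
    /inet_listener (imap|pop3) / { name = $2; inblock = 1; next }
    inblock && /port *=/ { v = $0; sub(/.*= */, "", v); gsub(/ /, "", v)
                           if (v != "0") print name }
    inblock && /}/ { inblock = 0 }' "$1"
}

# dovecot_requires_tls CONF -- true only when ssl = required
dovecot_requires_tls() { grep -q '^ssl *= *required' "$1"; }

for f in exim-hardened exim-weak; do
  printf '%-17s cleartext-start SMTP ports: %s\n' "$f" \
    "$(exim_plaintext_ports "$SAMPLE_DIR/$f.conf")"
done
for f in dovecot-hardened dovecot-weak; do
  printf '%-17s ssl=required: %s; open STARTTLS listeners: %s\n' "$f" \
    "$(dovecot_requires_tls "$SAMPLE_DIR/$f.conf" && echo yes || echo no)" \
    "$(dovecot_plaintext_listeners "$SAMPLE_DIR/$f.conf" | paste -sd' ' -)"
done
```

For the hardened Exim fragment the audit still reports 25, which is the expected result: that port is inbound MX traffic, not client submission, and it is the firewall or VPN requirement mentioned in the thread, not a TLS setting, that keeps employees' clients off it.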