Hi, So after a lot of tinkering I've gotten my little personal email server running just how I want it, however this is my first email server, and I'm feeling a little paranoid that I might have left something stupidly open. I'm already seeing quite a few spammers trying to use my server and being turned away, which is great, as long as there's no way in! I'm hoping someone here can run an experienced eye over my configs.
Local (Raspberry Pi) server smtpd.conf: https://privatebin.net/?f747c57fc7137f53#7Ce8NKCSRz9aphECY7s4FxZXaFcCEZMDCUGV8uYH2S8N Remote (VPS) server smtpd.conf: https://privatebin.net/?e9b61ad1f00f87ea#3Vm5r6eRy6593kq69U6ABqZ6FgGKu44YqX47Wg3h4XZL My set-up works like this: I have a local server (Raspberry Pi) and a remote server (VPS running OpenBSD). 098.765.4.321 = Internal IP address of my local server (Raspberry Pi). 12.345.67.890 = Public IP address of my remote server (VPS). The two servers are connect with a SSH tunnel: autossh -M 3999 -o ExitOnForwardFailure=yes -R 5500:098.765.4.321:25 -L 5600:mx.domain.tld:587 -N [email protected] Incoming mail arrives at my remote server and (if it's for me) is then relayed to port 5500 on my remote server, which is connected via SSH to port 25 of my local server. Outbound mail is sent to my local server (via IMAP - no password, just a certificate), and is then relayed to local server port 5600, which is connected via SSH to port 587 of my remote server (which then relays the email to it's recipient). My questions are: 1a) Have I left anything too open to spammers to use my server? Have I done anything stupid? 1b) Do my match rules work how I think they work (using src IP addresses to only allow mail sent by me)? 1c) Am I correct that "verify" will only allow client certificates signed by my CA? 2) I've struggling to fully get how srs works. Have I set it up correctly, or should it be on my local server instead (or as well as)? 3) I'm using the rdns and fcrdns filters. I'm sure in the past I've seen configs using other similar filters. Are there any others I should be using? 4a) At one point while I was setting up smtpd, my remote server was failing to connect to my local server (due to a misconfigured SSL cert). Test emails couldn't be delivered, and I think my remote server was trying to send back a failure report. This was failing because the sending address was an "invalid recipient". Is that because of my match rules? 4b) If so, how could I change the match rules to safely allow the sending of failure reports? 5) Does anyone here successfully use the rspamd filter for DKIM Ed25519? I set it up, rspamd was signing with Ed25519, and online checkers said my DNS was correct, but GMail reported: "dkim=neutral (no key)". 6a) Do any of you use anything like fail2ban to block spammers? 6b) What are your firewalls like? This email has became a lot longer than I intended, sorry. And sorry if some of the questions are stupid, or if this is the wrong place. I've always wanted my own email server, and I'm almost there, but I am a bit nervous! Kindest regards, Josey
