The only issue I saw was you aren't using authentication on port 587.

-------- Original message --------
From: Josey Smith <joshritter...@googlemail.com>
Date: 5/4/22 6:48 AM (GMT-06:00)
To: misc@opensmtpd.org
Subject: Am I running an open relay? And a few questions.

Hi,

So after a lot of tinkering I've gotten my little personal email server running just how I want it, however this is my first email server, and I'm feeling a little paranoid that I might have left something stupidly open. I'm already seeing quite a few spammers trying to use my server and being turned away, which is great, as long as there's no way in! I'm hoping someone here can run an experienced eye over my configs.

Local (Raspberry Pi) server smtpd.conf:
https://privatebin.net/?f747c57fc7137f53#7Ce8NKCSRz9aphECY7s4FxZXaFcCEZMDCUGV8uYH2S8N

Remote (VPS) server smtpd.conf:
https://privatebin.net/?e9b61ad1f00f87ea#3Vm5r6eRy6593kq69U6ABqZ6FgGKu44YqX47Wg3h4XZL

My set-up works like this:

I have a local server (Raspberry Pi) and a remote server (VPS running OpenBSD).

098.765.4.321 = Internal IP address of my local server (Raspberry Pi).
12.345.67.890 = Public IP address of my remote server (VPS).

The two servers are connected with an SSH tunnel:

autossh -M 3999 -o ExitOnForwardFailure=yes -R5500:098.765.4.321:25 -L 5600:mx.domain.tld:587 -N user@mx.domain.tld

Incoming mail arrives at my remote server and (if it's for me) is then relayed to port 5500 on my remote server, which is connected via SSH to port 25 of my local server.

Outbound mail is sent to my local server (via IMAP - no password, just a certificate), and is then relayed to local server port 5600, which is connected via SSH to port 587 of my remote server (which then relays the email to its recipient).

My questions are:

1a) Have I left anything too open to spammers to use my server? Have I done anything stupid?

1b) Do my match rules work how I think they work (using src IP addresses to only allow mail sent by me)?

1c) Am I correct that "verify" will only allow client certificates signed by my CA?

2) I'm struggling to fully get how srs works. Have I set it up correctly, or should it be on my local server instead (or as well as)?

3) I'm using the rdns and fcrdns filters. I'm sure in the past I've seen configs using other similar filters. Are there any others I should be using?

4a) At one point while I was setting up smtpd, my remote server was failing to connect to my local server (due to a misconfigured SSL cert). Test emails couldn't be delivered, and I think my remote server was trying to send back a failure report. This was failing because the sending address was an "invalid recipient". Is that because of my match rules?

4b) If so, how could I change the match rules to safely allow the sending of failure reports?

5) Does anyone here successfully use the rspamd filter for DKIM Ed25519? I set it up, rspamd was signing with Ed25519, and online checkers said my DNS was correct, but GMail reported: "dkim=neutral (no key)".

6a) Do any of you use anything like fail2ban to block spammers?

6b) What are your firewalls like?

This email has become a lot longer than I intended, sorry. And sorry if some of the questions are stupid, or if this is the wrong place. I've always wanted my own email server, and I'm almost there, but I am a bit nervous!

Kindest regards,
Josey