> Signing outbound mail with DKIM is interesting, but not usually worth
> the effort at this point.
> Verifying inbound mail signed by DKIM is only useful as a way to
> prevent false positives in an anti-spam system.
> I'd suggest ignoring both of these for your "simple mail server".

Good to know, I just came across it and I just want to make sure I don't overlook something that could be very helpful.

> PGP signing/encryption has very little to do with the mail server
> itself, and everything to do with your mail client. You can use PGP
> over Gmail if you want.

I once tried it with Gmail a while back and it didn't work out well. But thinking about it, you are right. PGP signing is more on the client than the server.

> With StartSSL (https://www.startssl.com), "real" SSL certificates are
> free and easy to get. No reason not to have a "real" one.

I applied for one with them and got a reply that because I am a registered LLC, they won't do a free one for me. Namecheap has a $10 option that may just be fine for me.

> All of the most common SMTP/IMAP servers are capable of requiring SSL
> encryption on incoming connections.
> Now remember not to configure port 25 to require SSL for all
> connections, as you will be losing some mail from remote senders that
> don't use SSL.

Thanks for the tip, I found something like that elsewhere and it makes sense as to why.

> I'd suggest adding another port to your SMTP server that does require
> SSL for your clients to use. Common ports are 587 (using STARTTLS),
> or 465 (using pre-encrypted SSL), both are widely supported in mail
> clients.

I ended up setting things up last night and used these ports.

> Additionally, I recommend enabling opportunistic SSL on both inbound
> and outbound SMTP connections over port 25. This will encrypt even
> more SMTP traffic when possible, and is the good neighbor thing to do.

Is this (for Postfix) `smtpd_tls_security_level = may`? Because I couldn't find exactly what to put, but this one seemed to be opportunistic SSL/TLS.

> There are lots of different combinations of SMTP/IMAP servers you can use.

I ended up going with Postfix/Dovecot/Amavis/SpamAssassin, and I'm pretty sure I've done it right on all of it except SpamAssassin. I still need to verify that I'm getting email passed through its filter.

> If you want a very detailed tutorial on your own mail server, I
> recommend reading this series of articles on ArsTechnica.
> http://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/

Thanks for the link, I'll have to read through it tonight.

On Tue, Jun 3, 2014 at 10:13 AM, Lonnie Olson <[email protected]> wrote:
> On Sun, Jun 1, 2014 at 5:48 PM, Brian J. Rogers <[email protected]>
> wrote:
> > The server will not need to process more than 50 emails a day. I'd like
> > something lightweight, but I am willing to use more resources for the
> > sake of security. I'm unsure exactly what things like DKIM would do to
> > help, and I don't even know if they are necessary. However, I do want
> > to take as many reasonable precautions as I can when it comes to
> > securing it. I have an irrational paranoid fear of having my mail
> > server being in a server (e.g. Google Apps). I have nothing against
> > Google, I'd just like to do my own server so I can set it up just the
> > way I want. I will be signing each of my emails with my PGP key, so
> > that will be a must for the configuration.
>
> Signing outbound mail with DKIM is interesting, but not usually worth
> the effort at this point.
> Verifying inbound mail signed by DKIM is only useful as a way to
> prevent false positives in an anti-spam system.
> I'd suggest ignoring both of these for your "simple mail server".
>
> PGP signing/encryption has very little to do with the mail server
> itself, and everything to do with your mail client. You can use PGP
> over Gmail if you want.
>
> > Are there benefits to getting an SSL certificate for it rather than
> > just using a self-signed one? Would I be able to force the server to
> > never make a connection with a client (phone/desktop) without SSL/TLS
> > encryption? Is there a way to require a SSL/TLS connection from other
> > mail servers before accepting mail? If there is, does that present
> > problems with any server that doesn't support that feature?
>
> With StartSSL (https://www.startssl.com), "real" SSL certificates are
> free and easy to get. No reason not to have a "real" one.
>
> All of the most common SMTP/IMAP servers are capable of requiring SSL
> encryption on incoming connections.
> Now remember not to configure port 25 to require SSL for all
> connections, as you will be losing some mail from remote senders that
> don't use SSL.
>
> I'd suggest adding another port to your SMTP server that does require
> SSL for your clients to use. Common ports are 587 (using STARTTLS),
> or 465 (using pre-encrypted SSL), both are widely supported in mail
> clients.
>
> Additionally, I recommend enabling opportunistic SSL on both inbound
> and outbound SMTP connections over port 25. This will encrypt even
> more SMTP traffic when possible, and is the good neighbor thing to do.
>
> There are lots of different combinations of SMTP/IMAP servers you can use.
>
> If you want a very detailed tutorial on your own mail server, I
> recommend reading this series of articles on ArsTechnica.
>
> http://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
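As an added example (not part of this thread or either poster's own configuration), here are the Postfix main.cf and master.cf settings that match the advice exchanged above: opportunistic TLS on port 25 in both directions, and mandatory TLS for clients on 587 and 465. The certificate and key paths are placeholders.

```ini
# ---- /etc/postfix/main.cf ----
# Inbound TLS on port 25: "may" = opportunistic, i.e. offer STARTTLS but
# still accept plaintext from remote senders that cannot use it.
# "encrypt" here would reject those senders' mail, so leave it at "may".
smtpd_tls_security_level = may
# Outbound TLS: use STARTTLS whenever the remote server offers it.
smtp_tls_security_level = may
# Certificate and private key (placeholder paths; use your own files).
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem
smtpd_tls_key_file  = /etc/ssl/private/mail.example.com.key
# Never accept SASL authentication over an unencrypted connection.
smtpd_tls_auth_only = yes
# Log TLS handshakes so you can see which remote senders actually encrypt.
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1

# ---- /etc/postfix/master.cf ----
# Port 25: inherits the opportunistic settings from main.cf.
smtp       inet  n  -  n  -  -  smtpd
# Port 587 (submission, STARTTLS): TLS is mandatory, authentication required.
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
# Port 465 (smtps, TLS from the first byte): wrapper mode, same requirements.
smtps      inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
```

After `postfix reload`, `postconf smtpd_tls_security_level smtp_tls_security_level` confirms the effective values, and `openssl s_client -starttls smtp -connect mail.example.com:25` shows whether STARTTLS is being offered on port 25.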
