[DNG] Mail processing; Re: OT? Re: ..devuan to the rescue? Easiest possible newbie email server setup, ideas?

2020-09-23 Thread terryc
On Wed, 23 Sep 2020 12:13:48 -0700
Ian Zimmerman  wrote:

> On 2020-09-23 12:15, terryc wrote:
> 
> > The norm seems to be to just accept everything and process it, but
> > until recently, all my internet services came with a data charge. So
> > for our domain, the easiest & cheapest method is just to block known
> > spammers and not pay data charges.  
> 
> Much depends on what you mean by  "block".
> 
> You can reject connections from known spammer IPs at the IP level via
> iptables or via tcpwrappers.

We list only a few in the firewall.

> You can also reject _delivery_ of
> messages at the SMTP level with a 400 or worse status code.

We do a lot of that. To get to that stage, they have to be a
noticed repeat offender.

> But once you accept a message with a
> success status after the DATA stage,

The idea is not to get to that stage as that is where the costs are.

> you
> are obliged to either really deliver it or else bounce it back. It is
> not acceptable to send messages down a "black hole".

Where does that come from? 

Yep, a human decides at that stage. Claws users usually flick it to
spamcop as spam. The rest just dump it. Since the spamcop confirmations
all get processed by me, I get to notice the repeat offenders and
they'll go on the permanent black list.

That explains why gmail, hotmail, yahoo, live etc are all in the block
list. I take the philosophy that if it is spam, you dump it and you
can discuss it with your 'user/customer'. I am definitely under no
obligation to incur costs to 'accept' spam so someone else/company can
make money selling services to spammers.

> 
> > FWIW, I do not accept email by IPv6.  
> 
> I am interested to know the specific reason for this. You know that
> the RBLs do list IPv6 addresses, right? In fact, I just enabled IPv6
> in my own mail server a couple of days ago, and voila I ended up in
> zen (not having done all of my homework).

The whole process of someone responding to spam and the source getting
black listed takes too long to consistently keep costs down.

IPv4 is enough of a pipe without taking on the flood IPV6 would
allow. FWIW, my ISP/RSP so generously give people a block of IPV6 /60
addresses and you can select /56 if you want them. You can also
randomly swap them.

I'll just end up with the equivalent of blocking by class again.

I've been running a domain mail server for over 20 years(?). What we do
works for us. 

 

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Re: [DNG] Shutdown/halt versus WiFi and NFS

2020-09-23 Thread d...@d404.nl
On 23-09-2020 21:55, Michael S. Keller via Dng wrote:
> My desktop is running Chimaera, and I saw this with Beowulf, but
> didn't spend much time on it then.
>
> My network connection is via WiFi, and I have permanent NFS mounts in
> place. I run SysV init.
>
> During halt or shutdown via init scripts, NetworkManager is terminated
> before the NFS unmount, which brings down the active NIC, and usually
> the unmount hangs forever, so I have to do a hard reset or power-off.
>
> After futzing with it for a while, trying to find a more elegant
> solution, I ended up just renaming K01network-manager and K02sendsigs
> in rc0.d and rc6.d. Now shutdown and reboot run reliably.
>
> Before that, I tried renaming K01network-manager to
> K06network-manager, to place it after the NFS unmount, but it ran
> earlier anyway.
>
> I also tried shielding NetworkManager from sendsigs, and I think it
> would have worked if I could make K0.network-manager run later, but
> that was about the point I gave up and took a virtual hammer to the
> issue.
>

I am still on ascii but have in /etc/dhcpcd.conf a line with

persistent

for exactly this reason, otherwise nfs hangs with reboot/shutdown.


grtz

Nick






Re: [DNG] ..devuan to the rescue? Easiest possible newbie email server setup, ideas?

2020-09-23 Thread Marjorie Roome via Dng
Hi Arnt,

On Sat, 2020-09-19 at 23:55 +0200, Arnt Karlsen wrote:
> ..devuan to the rescue?  Norwegian ISP "Get" is ditching their email
> service and pointing their clients to a paid service, which again is
> pointing them to Gmail's ad laden services, drawing due scorn. [1]
> 
> 
> ..since we can do better, I'm thinking "Devuan Email Server Flavor" 
> sort of distro to put on an old pc or a Raspberry Pi, with all email
> on local storage like I've done since the mid 1990ies.  Which is 
> part of my problem: While Claws Mail is neat and easy, Fetchmail 
> and Procmail are _far_ from newbie friendly.
> 
> ..expect the Get clientele to be total newbies, who may be capable
> of entering their own email account data into a web browser
> interface from their Wintendo, so our new email server flavor needs
> to be kept as stupid simple as possible to setup and use.  
> 
> ..limit it to a pop3 and imap client and an imap server with local
> storage?  The big thing is control over your own email, on your own
> hardware, in your own home.
> 
Back in April I created a local email server based on Devuan Beowulf
for my family. Previously we had one running on Linode under Ubuntu
14.4 (now eol) with postfix and courier-imap that had been set-up by my
(adult) son many years earlier and largely just left to run. Early this
year a spammer discovered an authentication 'hole' and we ended up
relaying spam. Initially I fixed that, and added spam filtering with
Spamassassin along with SPF, DKIM (Opendkim) and DMARC to recover our
rep.

As the Ubuntu was eol and I wanted to avoid systemd I replaced it with
a new Devuan mailserver on a 6W, Intel NUC5CPYH with 4Gb RAM and a
125GB SSD. My new server is on my home network which has a fixed IP.

The configuration follows that in this guide: 
https://workaround.org/ispmail/buster/ which is for Buster but easily
adapted to Beowulf.

The software stack is Postfix, Mariadb (for virtual users DB), Apache2
(for letsencrypt renewals), Dovecot (for auth, sieve and DKIM), Rspamd
(for spam filtering including Bayes), fail2ban (for persistent spammer
IP blocking) and dnscrypt-proxy (for dns). I also added Monit as my
supervision daemon. 

The guide includes Roundcube (for webmail) and ClamAv (for malware
filtering) but I didn't implement these.
 
I do use imap for my users, who use MUAs Evolution (Devuan),
Thunderbird (Windows, iMac), K9mail (Android), Spark (iPad, iPhone).
The guide explains how to autoconfigure the imap settings.

Other changes include:

1) a more restrictive postfix main.cf than in the guide, so less spam
gets through to rspamd: postfix rejected about 37% of emails last
month, rspamd about 7% with another 5% going to users' spam folders
and is thus reviewable by them. The main reason for postfix to reject
an email outright is no SPF.
 
2) use of the backport version of rspamd (2.5 - so the graphical
interface works out of the box) and

3) use of a couple of scripts to incrementally back up the vmail
partition each day and to snapshot the root partition monthly.

With my use case the 2 cpu are only very lightly loaded and I'm
typically only using 20% of the RAM so I could have got away with less
beefy cpu and RAM hardware. I decided against a Raspberry Pi as I
preferred to mirror the known AMD64 set-up I use on my own desktop
machine.

--
Marjorie
 



[DNG] Shutdown/halt versus WiFi and NFS

2020-09-23 Thread Michael S. Keller via Dng
My desktop is running Chimaera, and I saw this with Beowulf, but didn't 
spend much time on it then.


My network connection is via WiFi, and I have permanent NFS mounts in 
place. I run SysV init.


During halt or shutdown via init scripts, NetworkManager is terminated 
before the NFS unmount, which brings down the active NIC, and usually 
the unmount hangs forever, so I have to do a hard reset or power-off.


After futzing with it for a while, trying to find a more elegant 
solution, I ended up just renaming K01network-manager and K02sendsigs in 
rc0.d and rc6.d. Now shutdown and reboot run reliably.


Before that, I tried renaming K01network-manager to K06network-manager, 
to place it after the NFS unmount, but it ran earlier anyway.


I also tried shielding NetworkManager from sendsigs, and I think it 
would have worked if I could make K0.network-manager run later, but that 
was about the point I gave up and took a virtual hammer to the issue.




Re: [DNG] OT? Re: ..devuan to the rescue? Easiest possible newbie email server setup, ideas?

2020-09-23 Thread Ian Zimmerman
On 2020-09-23 12:15, terryc wrote:

> The norm seems to be to just accept everything and process it, but
> until recently, all my internet services came with a data charge. So for
> our domain, the easiest & cheapest method is just to block known
> spammers and not pay data charges.

Much depends on what you mean by  "block".

You can reject connections from known spammer IPs at the IP level via
iptables or via tcpwrappers. You can also reject _delivery_ of messages
at the SMTP level with a 400 or worse status code. But once you accept a
message with a success status after the DATA stage, you are obliged to
either really deliver it or else bounce it back. It is not acceptable to
send messages down a "black hole".

> FWIW, I do not accept email by IPv6.

I am interested to know the specific reason for this. You know that the
RBLs do list IPv6 addresses, right? In fact, I just enabled IPv6 in my
own mail server a couple of days ago, and voila I ended up in zen (not
having done all of my homework).

-- 
Ian
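
Added example, not part of any post in this thread: a POSIX sh/awk tally of Postfix rejections by SMTP stage and client IP, showing how many were refused before the message body was transferred and which clients are repeat offenders. It assumes Postfix (the MTA in Marjorie Roome's stack) and its usual "reject: STAGE from host[ip]" log records; the log lines are constructed and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: classify Postfix rejections by SMTP stage and client IP.
# SAMPLE_LOG is constructed; the IPs come from documentation ranges.
SAMPLE_LOG='Sep 23 10:00:01 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using zen.spamhaus.org; from=<a@spam.example> to=<u@home.example> proto=ESMTP helo=<x>
Sep 23 10:02:10 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using zen.spamhaus.org; from=<b@spam.example> to=<u@home.example> proto=ESMTP helo=<x>
Sep 23 10:05:44 mx postfix/smtpd[812]: NOQUEUE: reject: RCPT from mail.bulk.example[198.51.100.20]: 450 4.7.1 <c@bulk.example>: Sender address rejected: try again later; from=<c@bulk.example> to=<u@home.example> proto=ESMTP helo=<mail.bulk.example>
Sep 23 10:09:03 mx postfix/cleanup[820]: 4C1A2B3D4E: milter-reject: END-OF-MESSAGE from unknown[2001:db8::25]: 5.7.1 Spam message rejected; from=<d@v6.example> to=<u@home.example> proto=ESMTP helo=<v6.example>
Sep 23 10:11:30 mx postfix/smtpd[813]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using zen.spamhaus.org; from=<e@spam.example> to=<u@home.example> proto=ESMTP helo=<x>
Sep 23 10:12:00 mx postfix/smtpd[813]: disconnect from unknown[203.0.113.7] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4'

# Emit one "STAGE IP" pair per rejection record read from stdin.
# Matches both "reject:" (smtpd) and "milter-reject:" (cleanup) records.
parse_rejects() {
    awk '
    match($0, /reject: [A-Z-]+ from [^ ]*\[[^]]*\]/) {
        split(substr($0, RSTART, RLENGTH), f, " ")
        ip = f[4]
        sub(/^[^[]*\[/, "", ip)   # drop "hostname["
        sub(/\]$/, "", ip)        # drop trailing "]"
        print f[2], ip
    }'
}

# Rejections per SMTP stage, one "STAGE COUNT" line each.
stage_counts() {
    parse_rejects | awk '{ c[$1]++ } END { for (s in c) print s, c[s] }' | sort
}

# Clients rejected at least $1 times: candidates for a firewall-level block.
repeat_offenders() {
    parse_rejects | awk -v min="$1" '{ c[$2]++ }
        END { for (ip in c) if (c[ip] >= min) print ip, c[ip] }' | sort
}

# Rejections issued only after the message body had been transferred.
body_paid_count() {
    parse_rejects | awk '$1 == "END-OF-MESSAGE" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | stage_counts
```

RCPT-stage rejections cost only the SMTP envelope exchange; END-OF-MESSAGE rejections happen after the whole message has crossed the link.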


[DNG] POSIX shell scripting (was: Danger: Debian POSIX hostility)

2020-09-23 Thread spiralofhope
In response to nobody in particular..

I've always started shells with

#!/usr/bin/env  sh

I now go *way* out of my way to not just remove bashisms but replace
anything I can with POSIX compatible code.  Call it puritanism as
practice.

I lint with Shellcheck:

http://www.shellcheck.net/

The pure sh bible has been a big help:

https://github.com/dylanaraps/pure-sh-bible

Here are some examples of replacing "standard" software:

https://github.com/spiralofhope/shell-random/blob/master/live/sh/scripts/examples/replace-head.sh

https://github.com/spiralofhope/shell-random/blob/master/live/sh/scripts/examples/replace-dirname.sh


--


If anyone wants to see the lengths I've gone to:

https://github.com/spiralofhope/shell-random/tree/master/live/sh/scripts

https://github.com/spiralofhope/shell-random/tree/master/live/sh/scripts/examples

Of course it's slower to use scripts that summon other scripts, as my
repository does, but it's easy enough to copy-paste functions into the
primary script.  Only startup scripts are time-sensitive for me, and
everything else gains great clarity by separating functions out into
separate scripts.


In my preemptive defence, my style is clean and clear to me and allows
for reading using columns.  With that, a simple idea becomes a simple
script:

https://github.com/spiralofhope/shell-random/blob/master/live/sh/scripts/is-string-a-date?.sh
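
Added example, not taken from the linked repository or from the pure sh bible: one way to replace dirname and head with POSIX shell built-ins only, including the edge cases (trailing slashes, root, no slash, a last line without a newline). The function names sh_dirname and sh_head are hypothetical.

```sh
#!/bin/sh
# Added example: external-utility replacements using only POSIX sh features.
# POSIX sh has no "local", so the helper variables p, n, i, line are global.

# dirname replacement built on parameter expansion.
sh_dirname() {
    p=${1:-.}
    # Strip trailing slashes: "/usr/lib//" -> "/usr/lib"
    while [ "${p%/}" != "$p" ]; do p=${p%/}; done
    # Input consisted only of slashes: the answer is the root directory.
    if [ -z "$p" ]; then printf '/\n'; return 0; fi
    case $p in
        */*) p=${p%/*} ;;                  # drop the last component
        *)   printf '.\n'; return 0 ;;     # no slash: current directory
    esac
    # Strip the slashes that separated the dropped component: "a//b" -> "a"
    while [ "${p%/}" != "$p" ]; do p=${p%/}; done
    printf '%s\n' "${p:-/}"
}

# head -n N replacement: read stdin line by line, stop after N lines.
sh_head() {
    n=$1
    i=0
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
    while [ "$i" -lt "$n" ] && { IFS= read -r line || [ -n "$line" ]; }; do
        printf '%s\n' "$line"
        i=$((i + 1))
    done
}

sh_dirname /etc/postfix/main.cf
```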




Re: [DNG] ..devuan to the rescue? Easiest possible newbie email server setup, ideas?

2020-09-23 Thread DECbot

Hi,

I run a mail server for myself on a small pc (32-bit, 7 watt Via C7 Eden 
cpu) running Devuan. It was originally built on Debian Wheezy back in 2012 
following the wheezy guide found at https://workaround.org/ispmail/wheezy/. 
After the updates for wheezy trailed off, I followed the instructions on 
Devuan to update from Debian Wheezy to Devuan Jessie and then updated to 
Ascii. The guide includes instructions for postfix and dovecot, as well as 
apache and roundcube for webmail support. One day in the near future, I'll 
retire the old hardware and attempt the guide again. Whenever I get around 
to rebuilding, I will look at LetsEncrypt to generate the ssl certs for 
roundcube and the tls encryption for the imap and smtp connections too. On 
the desktop, I'm using claws mail as well as evolution and on android I'm 
using aquamail. Pretty much anything that supports IMAP should be fine with 
this setup.


Since my ISP is the devil and blocks port 25, I'm using autossh to forward 
port 25 traffic to a $5/month vps.


Best Regards,

DECbot



On September 22, 2020 2:54:12 PM Arnt Karlsen  wrote:


Hi,


..devuan to the rescue?  Norwegian ISP "Get" is ditching their email
service and pointing their clients to a paid service, which again is
pointing them to Gmail's ad laden services, drawing due scorn. [1]


..since we can do better, I'm thinking "Devuan Email Server Flavor"
sort of distro to put on an old pc or a Raspberry Pi, with all email
on local storage like I've done since the mid 1990ies.  Which is
part of my problem: While Claws Mail is neat and easy, Fetchmail
and Procmail are _far_ from newbie friendly.

..expect the Get clientele to be total newbies, who may be capable of
entering their own email account data into a web browser interface
from their Wintendo, so our new email server flavor needs to be kept
as stupid simple as possible to setup and use.


..limit it to a pop3 and imap client and an imap server with local
storage?  The big thing is control over your own email, on your own
hardware, in your own home.

..me, I use Fetchmail as an imap and pop3 client to fetch my email,
and Procmail to sprinkle it down my ~/Mail tree, and Claws Mail to
read it, and to write and to send my outgoing email, directly out
thru my isp's smtp servers.  That's all I really need.

..the Get clientele will have similar needs, but will need their
"home email server" as stupid simple as possible to setup and use.
Easiest possible newbie email server setup, use and support, ideas?

..the competition:
https://www.popsci.com/set-up-private-email-server/
https://www.geekwire.com/2015/why-you-shouldnt-try-to-host-your-own-email/
https://helpdeskgeek.com/how-to/how-to-set-up-your-own-email-server/
https://www.linux.com/topic/networking/how-build-email-server-ubuntu-linux/
https://www.pcworld.com/article/3184925/how-to-have-a-linux-home-server-on-the-cheap.html
https://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/
https://jeffreifman.com/how-to-install-your-own-private-e-mail-server-in-the-amazon-cloud-aws/
https://www.iredmail.org/
https://docs.iredmail.org/why.build.your.own.mail.server.html


..'1: The Norw. original news story:
https://www.tek.no/nyheter/nyhet/i/Qml8dx/get-overfoerte-kundene-sine-til-epostselskap-som-naa-vil-ha-betalt-fo?utm_source=vgfront_content=row-30

..the above in googlish:
Get transferred its customers to email companies that will now have
paid. - Reprehensible, says customer 
Customers who previously used Getmail were transferred to Wemail this
summer. Now Wemail requires customers to subscribe to keep their email
address.

Stein Jarle Olsen and Niklas Plikk
18 SEPT 2020 13:39

This summer, Get (now Telia) notified customers who have used the email
service Getmail that their email service would be discontinued and that
they would be transferred to the external service Wemail. The problem?
A couple of weeks later, Wemail was informed that in a relatively short
time they would demand a subscription fee of 19 kroner a month for
customers to keep their emails.

Wemail, which is run by the company Recurrent AS, explains on its own
website that they are a Norwegian mail service without advertisements,
and that they do not use data about customers for commercial purposes.
Therefore, they are dependent on revenue from customers. Wemail
apparently has no other customers than the previous Get customers.

Several readers have contacted and reacted strongly to the fact that
they now have to pay for a service that was previously included.

"Directly reprehensible," says one. "Incredibly poor customer service",
says another, who is also upset that Wemail gave customers "very short"
deadlines and in practice threatened that the email archive would be
deleted and the email address useless if you did not create a
subscription.

He