Re: Running your own mail server

2018-09-28 Thread Gilles Chehade
On Fri, Sep 28, 2018 at 12:25:12PM +0200, Aham Brahmasmi wrote:
> Craig,
> 
> Thank you for your exhaustive reply - the list of checks along with
> current workarounds to achieve them are very helpful. I now know that
> I need to learn even more.
> 

Indeed, interesting reading.


> > OpenSMTPd's filter interface is not yet usable (last update 12/2014):
> > http://www.poolp.org/posts/2014-12-12/the-state-of-filters/
> 
> Slide 73 of https://www.openbsd.org/papers/eurobsdcon2017-opensmtpd.pdf
> mentions smtpfd - smtp filtering daemon. The slides are informative in
> terms of the thinking behind filters that OpenSMTPD plans to introduce.
> Some of the changes proposed in that talk like the modified grammar are
> now in -current. I may be wrong here but the filter/smtpfd might have
> been held back for post-6.4 introduction.
> 

That is exactly the case.

I have a non-invasive implementation of filters which I'm happy with and
which I intend to commit shortly after OpenBSD 6.4 is tagged, so we have
a full release cycle to work on details, keywords and such, in order for
the feature to be production ready for 6.5.

I _do_ have filters on my laptop right now.

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg



Re: Running your own mail server

2018-09-28 Thread Aham Brahmasmi
Craig,

Thank you for your exhaustive reply - the list of checks along with
current workarounds to achieve them are very helpful. I now know that
I need to learn even more.

> OpenSMTPd's filter interface is not yet usable (last update 12/2014):
> http://www.poolp.org/posts/2014-12-12/the-state-of-filters/

Slide 73 of https://www.openbsd.org/papers/eurobsdcon2017-opensmtpd.pdf
mentions smtpfd - smtp filtering daemon. The slides are informative in
terms of the thinking behind filters that OpenSMTPD plans to introduce.
Some of the changes proposed in that talk like the modified grammar are
now in -current. I may be wrong here but the filter/smtpfd might have
been held back for post-6.4 introduction.

> I heavily modified greyscanner to do a lot of the DNS checks. I found
> the script's current maintainer extremely reluctant to implement even
> very small bug fixes & general improvements, so I didn't even bother
> presenting the vast bulk of my mods. But I stopped using greyscanner
> about 5 years ago after setting spamd to be extremely aggressive, and
> deploying Postfix's new postscreen (written in C).

:(

Would it be possible for you, in case you still have the mods, to
please try sharing the diffs with the upstream? In case there might
have been a change of heart, some of us might benefit from the added
checks. Once smtpfd lands in -current, it could be further re-purposed
as a filter.

> I've not even begun to use IPv6 at all, for anything. I'm IPv4 only.

Understood. I incorrectly assumed that you had enabled IPv6, and hence
my question. I apologize.

> I hope to use OpenSMTPd on external mail servers some day.

Once the new smtpfd lands in -current, may be you could re-evaluate.

> Cheers,
> -- 
> Craig Skinner | http://linkd.in/yGqkv7

Regards,
ab
-|-|-|-|-|-|-|--



Re: Running your own mail server

2018-09-27 Thread Stuart Longland
On 19/09/18 00:01, Craig Skinner wrote:
> On Mon, 17 Sep 2018 18:33:52 Mik J wrote:
>> The only drawback I see is that roundcube is less sexy and less good
>> than gmail.
> Webmail isn't worth bothering with at all. Too complicated.
> 
> All desktops & mobile phones/tablets have various IMAP clients.
> 
> For computers, there are IMAP clients such as Thunderbird, Claws, mutt,
> Mac Mail, MS Outlook, etc.
> 
> For mobile gadgets, there are the Android Gmail app, iOS's Mac Mail,
> Blackberry mail thing, etc, etc -> connect to other IMAP/POP servers.
> 
> Webmail is dead junk.

I personally argue that the IMAP clients on Android are next to useless
as you're poking around on a tiny screen, half of which is occupied by
the on-screen keyboard.

Of my phone's 480×800 pixel display (that's all ZTE endowed it with), I
suppose 300 of those 800 pixels get consumed by the keyboard, giving one
the feeling of peering through the world via a drinking straw.

Mutt via SSH on the phone isn't *too* bad, but it's still fiddly, and
attachments are a hassle that way.

As for webmail: I haven't bothered with it in years, but back when I was
at university it was a godsend as often the machines were heavily locked
down so you couldn't install your own software, and firewall
restrictions on some networks prevented the use of SSH, IMAPS and SMTP
submission ports.

I think it has its place, and if you're a person that sometimes needs to
check your email from random networks with esoteric firewall rules, it
can be quite useful.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.



Re: Running your own mail server

2018-09-27 Thread Stuart Longland
On 10/09/18 22:30, Craig Skinner wrote:
> On Sat, 8 Sep 2018 11:23:35 -0400 Ken M wrote:
>> Just curious how many of you use openbsd to run your own personal
>> email server? Do you find it a hassle to manage in any way?
> Being a postmaster (email server administrator) and hostmaster (DNS
> server administrator) is fun, hectic, and takes about 5 years to learn.

I can certainly vouch for that.  Okay, so far 100% of my production mail
server work has been on Linux with various MTAs (sendmail, qmail,
qmail+qpsmtpd, postfix).

My journey started in 2001: my high school introduced a policy whereby
they wanted to inspect *all* email traffic sent from their school.

In those days, everyone there had email addresses with the various
webmail providers.  None of these providers did https, and all of them
had pissy email quotas.  (Yahoo was 10MB back then, and that was one of
the better ones!  Gmail didn't exist.  It's scary to think people send
emails now that are many multiples of such quotas.)

Thus I threw Slackware 8 on an old box, learned how to get sendmail
working, and got Horde webmail going.  Our home ADSL had a static IP,
and I got a freebie dynamic DNS hostname linked to it.  The machine ran
3 2GB SCSI HDDs in a software mirror-RAID.  I had over 1GB free for mail.

Went to school the next day, typed the address in, noted Netscape showed
the padlock (after warning about a self-signed certificate), then I
clicked the padlock to check out the security: AES-256.  Crack that!

Impersonating the self-signed certificate was a possibility, as was
using remote desktop software on the workstation; that's about the limit
of what they could do.  I think the latter would be a more likely
scenario than the former.

I continue to run a server¹ today because I now have a *lot* of email
dating back over 15 years.  I could jettison this of course, or make a
read-only archive of it for later perusal, but as it happens, having my
own server means I can experiment with ideas and techniques which I can
then apply to the servers at my workplace.  Thus, it qualifies as "self
training" (and a tax deduction).

If you do have such a responsibility, then it might be worthwhile
looking into how to set up such a mail server, working out how to do
shared folders/public folders, spam filtering, etc.  It's hard to go
wrong with postfix+dovecot, and OpenSMTPD actually looks quite solid
though I've not tried it myself as a primary MX.

Otherwise, there is wisdom in just outsourcing this to whatever
free-mail provider and just enjoy life.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.

1. well, used to be just one server… I think they're breeding:
https://hackaday.io/project/10529-solar-powered-cloud-computing



Re: Running your own mail server

2018-09-27 Thread Craig Skinner
On Wed, 26 Sep 2018 16:32:35 +0200 Aham Brahmasmi wrote:
> 1) Could you please suggest some script/mechanism that performs
> these DNS PTR == SMTP HELO, envelope-address-from-domains-have-MX et
> al checks with OpenSMTPD as the MTA?

Sorry Aham, I don't know of any.

OpenSMTPd's filter interface is not yet usable (last update 12/2014):
http://www.poolp.org/posts/2014-12-12/the-state-of-filters/


> I may be wrong here, but I could not see options to perform these
> useful checks in smtpd(8)/smtpd.conf(5) man pages.


About 2.5 years ago I evaluated changing my front line MTAs from
Postfix to OpenSMTPd, but found too much functionality missing then:


# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


No client ((r)DNS) hostname restrictions:

smtpd_helo_restrictions =
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname

smtpd_client_restrictions =
reject_unknown_client_hostname

smtpd_sender_restrictions =
reject_non_fqdn_sender
reject_unlisted_sender
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient
reject_unlisted_recipient
reject_unknown_recipient_domain


Postfix can reject (5XX) or defer (4XX) connections based on many DNS
parameters. See: http://www.Postfix.Org/postconf.5.html


Hack: modify greyscanner to handle white & black lists
Hack: SpamAssassin + relaydb (can't reject at SMTP CONNECT, must accept,
parse & tag)



After failing to pass greylisting, bad DNS is the primary sign of spam.

Because DNS checks can be done at connection (before the DATA stage and
mail acceptance), they are very much faster and lighter weight than
shoving the entire mail through a heavy spam detection engine.

Running Unbound on each mail server, and having each mail server's
Unbound daemon refer to another upstream Unbound instance, is extremely
effective in caching the DNS lookups. This is in contrast to EVERY mail
being parsed by a spam detection engine... way too resource intensive!


# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


No DNSBL weighting - http://www.Postfix.Org/postscreen.8.html

Hack: SpamAssassin + relaydb (can't reject at SMTP CONNECT, must accept,
parse & tag)


# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Missing strict RFC checks (spam often doesn't conform to RFCs):

strict_7bit_headers = yes
strict_8bitmime = yes
strict_8bitmime_body = yes
strict_mime_encoding_domain = yes
strict_rfc821_envelopes = yes

Hack: SpamAssassin + relaydb (can't reject at SMTP CONNECT, must accept,
parse & tag)


# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


No connection rate limiting:

smtpd_client_connection_count_limit = XX
smtpd_client_connection_rate_limit = XXX

Hack: pf


# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


No submission user authentication via Dovecot (e.g: CRAM-MD5):

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth # chroot
smtpd_sasl_security_options = noanonymous, noplaintext


Hack: POP/IMAP before SMTP


# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



> In case greyscanner does this, please disregard this question. I came
> to know about greyscanner in this thread, but struggle with
> understanding perl.

I heavily modified greyscanner to do a lot of the DNS checks. I found
the script's current maintainer extremely reluctant to implement even
very small bug fixes & general improvements, so I didn't even bother
presenting the vast bulk of my mods. But I stopped using greyscanner
about 5 years ago after setting spamd to be extremely aggressive, and
deploying Postfix's new postscreen (written in C).

 
> 2) Is IPv6 support in spamd essential?

I've not even begun to use IPv6 at all, for anything. I'm IPv4 only.


I hope to use OpenSMTPd on external mail servers some day.


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7
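
The connection-stage DNS checks Craig lists above (HELO must be a resolvable
FQDN, the client's PTR must forward-confirm, the sender domain must have MX
or A) are easy to express as a small policy function. The block below is an
added example written for this page, not code from the thread, from Postfix
or from OpenSMTPD. The resolver is injected so the checks run offline against
a constructed zone table (every hostname and address in it is made up); in
production you would pass a function backed by the local Unbound cache. The
4xx/5xx split matters: a missing record is a hard reject, a lookup failure
only a defer, so legitimate mail behind a flaky resolver is retried.

```python
import re
from dataclasses import dataclass, field

# RFC 1123 label: 1-63 letters, digits or hyphens, no hyphen at either end.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """Syntactic check: two or more valid labels and a non-numeric top label.
    Bracketed address literals are legal HELO arguments per RFC 5321 but
    deliberately fail here, matching reject_non_fqdn_helo_hostname."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        return False
    return not labels[-1].isdigit()


def reverse_name(ip):
    """192.0.2.10 -> 10.2.0.192.in-addr.arpa (IPv4 only, like the thread)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


@dataclass
class Verdict:
    action: str = "accept"          # accept, reject (5xx) or defer (4xx)
    reasons: list = field(default_factory=list)

    def reject(self, why):
        self.action = "reject"
        self.reasons.append(why)

    def defer(self, why):
        if self.action == "accept":  # an earlier hard reject wins
            self.action = "defer"
        self.reasons.append(why)


def check_connection(client_ip, helo, mail_from, resolve):
    """resolve(name, rrtype) returns a list of record data, or None on a
    temporary failure (SERVFAIL/timeout)."""
    v = Verdict()

    # HELO: FQDN that resolves (A or MX), the reject_*_helo_hostname trio.
    if not is_fqdn(helo):
        v.reject("HELO %r is not a fully qualified hostname" % helo)
    else:
        a, mx = resolve(helo, "A"), resolve(helo, "MX")
        if a is None or mx is None:
            v.defer("temporary DNS failure resolving HELO %s" % helo)
        elif not a and not mx:
            v.reject("HELO %s has neither A nor MX record" % helo)

    # Client: forward-confirmed reverse DNS (reject_unknown_client_hostname).
    ptr = resolve(reverse_name(client_ip), "PTR")
    if ptr is None:
        v.defer("temporary DNS failure on PTR for %s" % client_ip)
    elif not ptr:
        v.reject("no PTR record for %s" % client_ip)
    else:
        fwd = resolve(ptr[0], "A")
        if fwd is None:
            v.defer("temporary DNS failure resolving PTR target %s" % ptr[0])
        elif client_ip not in fwd:
            v.reject("FCrDNS failed: %s -> %s does not resolve back"
                     % (client_ip, ptr[0]))

    # Sender: FQDN with MX or A (reject_non_fqdn_sender /
    # reject_unknown_sender_domain).  The null sender <> carries bounces.
    if mail_from and mail_from != "<>":
        domain = mail_from.strip("<>").rpartition("@")[2]
        if not is_fqdn(domain):
            v.reject("sender domain %r is not fully qualified" % domain)
        else:
            a, mx = resolve(domain, "A"), resolve(domain, "MX")
            if a is None or mx is None:
                v.defer("temporary DNS failure on sender domain %s" % domain)
            elif not a and not mx:
                v.reject("sender domain %s has neither MX nor A" % domain)
    return v


# Constructed zone data for an offline run; all names and addresses made up.
ZONE = {
    ("mx1.example.net", "A"): ["192.0.2.10"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mx1.example.net"],
    ("example.net", "MX"): ["mx1.example.net"],
    ("example.org", "MX"): ["mx1.example.net"],
    # Consumer DSL line: a PTR exists but it does not point back at the client.
    ("45.2.0.192.in-addr.arpa", "PTR"): ["host-45.dsl.example.com"],
    ("host-45.dsl.example.com", "A"): ["203.0.113.45"],
}


def fake_resolve(name, rrtype):
    """Stand-in for an Unbound-backed resolver; *.flaky.example SERVFAILs."""
    if name.endswith(".flaky.example"):
        return None
    return ZONE.get((name.lower(), rrtype), [])
```

Running `check_connection("192.0.2.45", "localhost", "x@example.org",
fake_resolve)` rejects twice (bare HELO and failed FCrDNS) before any DATA is
seen, which is the cheap early rejection the message above argues for.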



Re: Running your own mail server

2018-09-26 Thread Aham Brahmasmi
Hi Craig,

Thank you for sharing your valuable experience. I apologize for bumping
up this slightly old thread.

> After that, the MTA needs to be able to check the DNS validity of the
> sender's SMTP HELO hostname, and check their DNS PTR record is valid,
> and both the mail's envelope and address from domains have MX records. 

1) Could you please suggest some script/mechanism that performs
these DNS PTR == SMTP HELO, envelope-address-from-domains-have-MX et al
checks with OpenSMTPD as the MTA? I may be wrong here, but I could not
see options to perform these useful checks in smtpd(8)/smtpd.conf(5)
man pages. In case greyscanner does this, please disregard this
question. I came to know about greyscanner in this thread, but
struggle with understanding perl.

> A -> B -> C
> spamd -> MTA (with loads of DNS knobs) -> Dovecot (via LMTP) which writes
> mail to disk.

2) Is IPv6 support in spamd essential? In other words, does lack of IPv6
support in spamd hurt in terms of spam being delivered over IPv6? I may
be wrong here, but the IPv6 spamd patch has reincarnated - 
https://mastodon.social/users/phessler/statuses/98912923844480209.
Unfortunately, I do not know the current state of that patch beyond
those toots by @phessler.

And in case it helps anyone, https://github.com/vedetta-com/caesonia
along with https://github.com/vedetta-com/vedetta is a useful resource.

Regards,
ab
-|-|-|-|-|-|-|--



Re: Running your own mail server

2018-09-19 Thread Kaya Saman

Oh, is it dead??

It used to be THE thing; mind you, it was the turn of the century that we
are talking about! Looks like I'm a little out of date, lol.

Personally I haven't played around with web mail clients for a while;
yeah, there is Roundcube or Horde, which was quite cool when I ran it in
the day.

Like many others have said, IMAP over SSL is the way to go, though I
wouldn't expose it to the web. Use a nice VPN system instead. Either a
dedicated machine running OpenVPN as an example, or a second hand Cisco
ASA or any other enterprise equivalent firewall/VPN concentrator that
you can pick up for cheap. Even OpenBSD has an L2TP VPN built in, which
works well with Android clients.



Regards,


Kaya


On 9/18/18 11:18 PM, Duncan Guthrie wrote:
> Hi,
> 
> Please do not recommend SquirrelMail. It is unmaintained. Its last
> release was 5 years ago.
> 
> User interfaces like Roundcube and Rainloop work well enough and still
> are actively maintained. I do not know how well those other ones you
> listed work.
> 
> Alternatively, direct your users to some clear and well-written
> instructions that would allow them to configure a mail client of their
> choice.
> 
> Best wishes,
> Duncan
> 
> On 09/08/18 16:39, Kaya Saman wrote:
> > I agree here!
> > 
> > Basically you would need a few components:
> > 
> > MTA / MDA / MUA
> > 
> > https://en.wikipedia.org/wiki/Message_transfer_agent
> > 
> > One way to do it would be something like: Postfix / Courier IMAP / Then
> > bolt something like SquirrelMail on top for web UI client
> > 
> > There are many ways to achieve the same goal as in you don't have to use
> > Postfix you could go for Sendmail or any other
> > 
> > However for you it might be a better option to go with Linux as @Jay
> > suggested and then whack something like Scalix or Zimbra on top..
> > 
> > http://www.scalix.com/en/
> > 
> > https://www.zimbra.com/
> > 
> > That way you have a fully managed mail system right out of the box with
> > granular control of what users can and can't do.
> > 
> > Regards,
> > 
> > Kaya






Re: Running your own mail server

2018-09-19 Thread Craig Skinner
On Tue, 18 Sep 2018 15:56:43 +0100 Zé Loff wrote:
> On Tue, Sep 18, 2018 at 03:01:45PM +0100, Craig Skinner wrote:
> > Webmail is dead junk.
> 
> Until the day your gadget's battery runs out,

Charge it, Zé. Solved.


> you don't have your laptop with you and you need to borrow

Have your friend install PuTTY or use Mac's xterm. Solved.


> Plus, I'm a terminal+mutt guy and roundcube is still the easiest way
> I found to configure sieve filters, although in all honesty that's
> pretty much all I use it for. (Honest question: do you by any chance
> know a simple method to handle them?)

As each mail user has their own UNIX account, their sieve scripts are
owned by them and in a directory they own, the simple files can be
edited by their favourite $EDITOR on the command line.

Otherwise, some mail clients have sieve plugins - Thunderbird has a
pretty sieve remote script editor widget. There are other sieve
clients too.


> Incidentally I also find thunderbird to be insanely
> resource-consuming, especially if managing multiple accounts, and
> macOS's Mail is even worse.

Firefox, Safari and Internet Explorer are far worse at resource usage!!


> If you have multiple users using multiple shared machines it might be
> easier to just send them to a more or less friendly web UI than to
> manage a multitude of configurations on a lot of machines

No.

Most mail clients auto guess new account configurations based on
standard DNS entries. By plopping in a new address like
user@example.provider, the mail client searches standard DNS entries
for hostnames, such as imap.example.provider, smtp.example.provider,
mail.example.provider. If found it connects to the standard ports for
IMAP, POP & SMTP submission (587), collects a list of authentication
methods and presents the details for the user to click the 'OK' button.

If the standard DNS hostnames are not found, the mail client then looks
for SRV DNS entries, and picks out the IMAP, POP & SMTP hostnames &
ports for the user to hit the 'OK' button.

See RFCs 6186, 2782 & wotnot:
https://tools.ietf.org/html/rfc6186
https://tools.ietf.org/html/rfc2782
https://en.wikipedia.org/wiki/SRV_record
http://blog.returnpath.com/srv/

As I wrote earlier, the postmaster needs to work closely with their
hostmaster as mail relies extensively on DNS. MX & SPF records being the
most obvious.



> (especially when they start storing contacts locally, which obviously
> won't sync to the machine they'll be using tomorrow).

Many mail clients speak LDAP, which is the protocol designed to hold
user details. Shock! Horror! It has all been invented and implemented!

No need for webmail.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7
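
The SRV-based discovery Craig describes above is specified by RFC 6186 (the
`_imaps._tcp`, `_submission._tcp` and similar labels) and RFC 2782 (how to
pick among several answers). The block below is an added example written for
this page, not code from the thread or from any real mail client. It runs
offline against constructed SRV data for the made-up domain example.com; a
real client would query the labels through the system resolver. Two details
practitioners get wrong are shown: the priority/weight selection, and the
RFC 6186 convention that a single record whose target is "." means "this
service is deliberately not offered", which must not be turned into a guess.

```python
import random

# RFC 6186 service labels, most secure variant first.
SERVICE_LABELS = {
    "imap": ["_imaps._tcp", "_imap._tcp"],
    "pop3": ["_pop3s._tcp", "_pop3._tcp"],
    "submission": ["_submission._tcp"],
}

# Conventional hostnames and ports a client may try when a domain publishes
# no SRV records at all (the "standard DNS entries" Craig mentions).
FALLBACK = {
    "imap": [("imap", 993), ("mail", 993)],
    "pop3": [("pop3", 995), ("mail", 995)],
    "submission": [("smtp", 587), ("mail", 587)],
}


def select_target(records, rng=random):
    """RFC 2782 selection: only the lowest-priority group is eligible; within
    it pick at random in proportion to weight, with weight-0 records ordered
    first so they are chosen only when the random number lands on 0."""
    lowest = min(r["priority"] for r in records)
    group = sorted((r for r in records if r["priority"] == lowest),
                   key=lambda r: r["weight"])
    total = sum(r["weight"] for r in group)
    if total == 0:
        return rng.choice(group)
    pick = rng.randint(0, total)
    running = 0
    for r in group:
        running += r["weight"]
        if running >= pick:
            return r
    return group[-1]


def discover(domain, service, resolve, rng=random):
    """Return (label, host, port) for the preferred variant of `service`, or
    None.  resolve(name) returns the SRV records for that owner name.  A
    single record with target "." means the domain explicitly does not offer
    that variant (RFC 6186 s.3.1): skip it and try the next label."""
    for label in SERVICE_LABELS[service]:
        records = resolve(label + "." + domain)
        if not records or (len(records) == 1 and records[0]["target"] == "."):
            continue
        r = select_target(records, rng)
        return (label, r["target"].rstrip("."), r["port"])
    return None


def candidates(domain, service, resolve, rng=random):
    """What a client would actually connect to: the SRV answer if any, else
    the conventional hostnames (their existence is not checked here)."""
    found = discover(domain, service, resolve, rng)
    if found:
        return [found[1:]]
    return [(h + "." + domain, p) for h, p in FALLBACK[service]]


# Constructed SRV data for an offline run; all names are made up.
SRV = {
    "_imaps._tcp.example.com": [
        {"priority": 10, "weight": 60, "target": "imap-a.example.com.", "port": 993},
        {"priority": 10, "weight": 40, "target": "imap-b.example.com.", "port": 993},
        {"priority": 20, "weight": 0, "target": "imap-backup.example.com.", "port": 993},
    ],
    "_submission._tcp.example.com": [
        {"priority": 0, "weight": 0, "target": "smtp.example.com.", "port": 587},
    ],
    # POP3 is deliberately switched off for this domain.
    "_pop3s._tcp.example.com": [{"priority": 0, "weight": 0, "target": ".", "port": 0}],
    "_pop3._tcp.example.com": [{"priority": 0, "weight": 0, "target": ".", "port": 0}],
}


def fake_resolve(name):
    """Stand-in for an SRV lookup against the system resolver."""
    return SRV.get(name, [])
```

With these records `discover("example.com", "imap", fake_resolve)` spreads
clients roughly 60/40 across imap-a and imap-b and never touches the backup
while a priority-10 host exists, and `discover("example.com", "pop3", ...)`
returns None rather than probing pop3.example.com.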



Re: Running your own mail server

2018-09-19 Thread Craig Skinner
On Tue, 18 Sep 2018 15:25:20 + Tim Jones wrote:
> 
> > Webmail isn't worth bothering with at all. Too complicated.
> 
> Let me rephrase that for you.

No Tim, I won't let you speak for me.

How about you rewrite ntpd into ntpw and run your clock on port 80,
all because the Network Time Protocol isn't pretty enough for you?

Hey, then have a go at bgpd & submit your web version to the devs to
run it on port 80 too? Awesome dude! Cowabunga!

Why stop there (since you're on a roll), and convert dhcpd to run on
port 80 as dhcpw. Never mind that the Dynamic Host Configuration
Protocol works well.

Hey, convince Gilles & crew to rewrite OpenSMTPd to run on port 80 as
well & full webalise the whole mail thing!!! Ace! This is going to rock!


Next up, talk Theo & Co, into dumping sshd and developing sshw;-
a new non-privilege separated cluster fuck pile of web chroot busting
Python, JSON, NoSQL, NodeJS piece of server admin crap! Yay

Do you think he'll send you flowers & kisses for your "wonderful" idea?

Why ram every fucking thing down port 80's throat and give your server
syphilis via every XSS & SQL injection attack & other web transmitted
diseases?


Ask the devs to delete the 65,000 ports and have OpenBSD have only port 80!


Why worship web?

Why?


IMAP = Internet Mail Access Protocol - an actual protocol that has been
designed and dedicated to the task of accessing mail across the Internet

SMTP = Simple Mail Transfer Protocol - to simply transfer mail!

With secure daemons skillfully written in C.

Get with it man!


Cool,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Running your own mail server

2018-09-19 Thread Marcus MERIGHI
marko.cu...@mimar.rs (Marko Cupać), 2018.09.18 (Tue) 10:58 (CEST):
> On Tue, 18 Sep 2018 10:32:25 +0100
> Kevin Chadwick  wrote:
> 
> > I see clamav and other scanning stuff as an insecurity personally.
> 
> Can you elaborate, please?

It's a case of Enumerating Badness :-)
http://www.ranum.com/security/computer_security/editorials/dumb/

Marcus



Re: Running your own mail server

2018-09-18 Thread Duncan Guthrie
Hi,

Please do not recommend SquirrelMail. It is unmaintained. Its last
release was 5 years ago.

User interfaces like Roundcube and Rainloop work well enough and still
are actively maintained. I do not know how well those other ones you
listed work.

Alternatively, direct your users to some clear and well-written
instructions that would allow them to configure a mail client of their
choice.

Best wishes,
Duncan

On 09/08/18 16:39, Kaya Saman wrote:
> I agree here!
> 
> 
> Basically you would need a few components:
> 
> 
> MTA / MDA / MUA
> 
> 
> https://en.wikipedia.org/wiki/Message_transfer_agent
> 
> 
> One way to do it would be something like: Postfix / Courier IMAP / Then
> bolt something like SquirrelMail on top for web UI client
> 
> 
> There are many ways to achieve the same goal as in you don't have to use
> Postfix you could go for Sendmail or any other
> 
> 
> However for you it might be a better option to go with Linux as @Jay
> suggested and then whack something like Scalix or Zimbra on top..
> 
> 
> http://www.scalix.com/en/
> 
> 
> https://www.zimbra.com/
> 
> 
> That way you have a fully managed mail system right out of the box with
> granular control of what users can and can't do.
> 
> 
> Regards,
> 
> 
> Kaya
> 
> 



Re: Running your own mail server

2018-09-18 Thread Tim Jones


> Webmail isn't worth bothering with at all. Too complicated.

Let me rephrase that for you.

Webmail is easy.  Open source webmail is all horrible stuff stuck in the
last century.

To make open source webmail look and behave like the  is the complicated bit.



Re: Running your own mail server

2018-09-18 Thread Craig Skinner
Hi postmasters,

On Mon, 17 Sep 2018 18:33:52 Mik J wrote:
> The only drawback I see is that roundcube is less sexy and less good
> than gmail.

Webmail isn't worth bothering with at all. Too complicated.

All desktops & mobile phones/tablets have various IMAP clients.

For computers, there are IMAP clients such as Thunderbird, Claws, mutt,
Mac Mail, MS Outlook, etc.

For mobile gadgets, there are the Android Gmail app, iOS's Mac Mail,
Blackberry mail thing, etc, etc -> connect to other IMAP/POP servers.

Webmail is dead junk.

IMAP and POP are the mail access protocols - use them and save yourself
the complicated headache of any HTTP proxy to mail on disk junk.

If you keep any user data in SQL or LDAP, have cron scripts to dump the
relevant user data to flat files for your MTA to read. rdist(1) those
flat files out to your mail farm. SQL and LDAP are too slow and unreliable.


A -> B -> C
spamd -> MTA (with loads of DNS knobs) -> Dovecot (via LMTP) which writes
mail to disk.


With a few scripts, that is enough to keep a postmaster productive & busy.


The DNS knobs enable such a high accuracy of spam rejection,
that no heavy weight spam scanning software is needed at all.


Well, that's my almost 20 years experience of mastering multiple OpenBSD
mail servers on the hostile Internet. Other people have other ideas.


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Running your own mail server

2018-09-18 Thread Daniel Gracia
Take a look over here:

https://www.cvedetails.com/vulnerability-list/vendor_id-8871/Clamav.html


On Tue, 18 Sep 2018 at 11:02, Marko Cupać () wrote:

> On Tue, 18 Sep 2018 10:32:25 +0100
> Kevin Chadwick  wrote:
>
> > I see clamav and other scanning stuff as an insecurity personally.
>
> Can you elaborate, please?
> --
> Before enlightenment - chop wood, draw water.
> After  enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/
>
>


Re: Running your own mail server

2018-09-18 Thread Marko Cupać
On Tue, 18 Sep 2018 10:32:25 +0100
Kevin Chadwick  wrote:

> I see clamav and other scanning stuff as an insecurity personally.

Can you elaborate, please?
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Running your own mail server

2018-09-18 Thread Kevin Chadwick
On Mon, 17 Sep 2018 13:20:22 -0700


> I don't mind throwing in PostgreSQL, but where are some good
> table/column examples?

SQL is for centralisation of many servers, it will likely be slower
otherwise.

There is greyscanner in ports. You can use that as a model for your own
scripts to do extra checks. There is also a BGP powered spam list
previously published on this list.

Disposable addresses as supported by OpenSMTPD with automatic folder
creation are neat. So bob-dodgyexhibit...@bob.com would automatically go
in bob-dodgyexhibition folder and bob-johnnybestm...@bob.com would go
in bob-johnnybestmate folder. Very useful to see who can't be trusted
with security/email address keeping though. After all you rarely get
spam as a result of handing addresses out to those you really need to
talk to.

I see clamav and other scanning stuff as an insecurity personally. Big
companies use dedicated hw but I don't get the point.

You shouldn't open untrusted weblinks so why open unexpected email. If
you know the address it has gone to you already know the likelihood of
it being spam and can pick out the odd email or ignore or delete/trap
the folder. People get a shock when you tell them they are almost the
only possible cause of you getting spam too. I've had one guy hangup the
phone almost immediately, lol.

Having said all this, email does not make you money, so consider if it
is worth the time! A mailing list can be useful, less so your own mail
server.



Re: Running your own mail server

2018-09-17 Thread Mik J
Chris,

In my opinion it needs a lot of reading and testing to make the puzzle in
one go.

But for path A -> B -> C -> D -> E -> F -> G -> H -> I, you might also want
to do A -> B first and test it.
That means send an email between two users locally.
This way you'll understand better the role of each component as you go on
every simple step.

I used a couple of blogs, mailing lists and man pages to build it
http://technoquarter.blogspot.com/
https://frozen-geek.net/openbsd-email-server-1/





 

On Monday 17 September 2018 at 22:20:24 UTC+2, Chris Bennett wrote:
> On Mon, Sep 17, 2018 at 06:33:52PM +, Mik J wrote:
> > 
> > Really it will take time, here are the components I installed for this to 
> > work: opensmtp, dkimproxy, clamav, clamsmtp, nginx, roundcube, prosody, 
> > dovecot, let's encrypt, bind
> > 
> > I'm using imapsync for the migration and plan to use openldap and bogofilter.
> 
> Here is where my problem is. OpenSMTPD and Dovecot, yes.
> Then, everywhere I look, I see an endless combination of different spam
> solutions. Every guide I've seen online tends to be a little out of
> date, as the knobs have all changed. And I have yet to find an
> explanation as to why they selected a particular combination.
> 
> It seems that I should move to IMAP, but then I have to ask myself if
> that is even justified. I don't really know.
> 
> I don't mind throwing in PostgreSQL, but where are some good
> table/column examples?
> 
> Every guide just jumps straight to you need to install:
> A -> B -> C -> D -> E -> F -> G -> H -> I
> Whoa. I'm on severe overload here.
> It's kept me from even installing Dovecot yet since I don't even know
> crap about B -> C -> D -> E
> 
> I don't mind putting in the work. But can anyone recommend a slower
> solution? Say skip C -> D -> E for now, but add them in bit by bit which
> gives me time to actually study them? I really don't like cut and paste.
> 
> I really want to get rid of as much spam as I can, but I'm patient.
> Also, other than the mailing lists, almost everything is starting to be
> HTML emails.
> 
> > 
> > Yes, this hostmaster work is more important for deliverability than the
> > *optional* TLS & DKIM stuff, which I still don't bother at all with...
> > 
> > Along with correct DNS PTR records (and matching SMTP HELO hostname),
> > basic SPF & DMARC DNS records are almost essential to send.
> > 
> > With almost all inbound connections being spam, fighting that is the
> > main task of the postmaster. Aggressive spamd settings are needed here.
> > 
> > After that, the MTA needs to be able to check the DNS validity of the
> > sender's SMTP HELO hostname, and check their DNS PTR record is valid,
> > and both the mail's envelope and address from domains have MX records.
> > 
> > Most spam is sent by infected consumer devices, which do not have valid
> > reverse DNS, nor a valid HELO hostname. After greylisting, bad DNS is
> > the biggest indicator of spam. An MTA needs a lot of DNS knobs to tweak.
> > 
> > Following that, the sender's IP address needs to be checked against
> > multiple reliable DNS black and lists, and a cumulative score being
> > totalled up to decide to reject or pass on to the next stage of tests.
> > 
> > TLS & DKIM have very little value. The postmaster instead needs to work
> > closely with the hostmaster and concentrate on good DNS practice/tests.
> 
> Then there is this part. Umm, I'd like to get this all correct.
> Despite reading up on this that I've done, without seeing any correct
> examples, I feel a little like my DMARC is being put up my DKIM, to be a
> little graphic. I would like nothing more than an example of the whole
> ball of wax that I can use to cut and paste with my info substituted.
> This has got to be a lot simpler than what I've seen as far as
> explanations, which has left me very frustrated. Worse, I got stuck for
> months without a laptop/desktop to work from. 
> Yeah, I know I said cut and paste here. Shrug.
> 
> This email thing is kinda important. I feel like a little kid trying to
> make pancakes with a fork instead of a spatula in a pressure cooker.
> 
> Right now is a good time for me to learn all this. I don't get or send
> much email. But I'm planning on trying to make a real living wage
> online. If that works, I better have this all figured out by then.
> Turns out that right hip problems are genetic from my father's side of
> the family. All I can say is Ouch! I need to figure this out.
> 
> Hey, thanks for any help and a special thanks for those clever OpenSMTPD
> people. Wow, sendmail was a real bitch!
> 
> Chris Bennett
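
The quoted text above says a sending domain needs "basic SPF & DMARC DNS
records" and Chris asks what a correct one looks like. The block below is an
added example written for this page, not code from the thread or from any
MTA: a minimal receiver-side SPF evaluator (RFC 7208: ip4/ip6, a, mx,
include and the all catch-all with +/-/~/? qualifiers) plus the SPF leg of
DMARC (parse `_dmarc.<domain>`, check identifier alignment, report the
requested policy). It runs offline against constructed TXT/MX/A data for the
made-up domains example.net and _spf.bulk.example. Simplifications, stated
as such: `redirect=`/`exp=` modifiers and the `a/mx` CIDR forms are skipped,
a/mx compare IPv4 A records only, and relaxed alignment compares name
suffixes instead of public-suffix-list organizational domains. DKIM, the
other DMARC leg, is not evaluated.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, resolve, depth=0):
    """Evaluate the SPF record of `domain` for connecting address `ip`.
    resolve(name, rrtype) returns a list of record strings ([] if none)."""
    if depth > 10:                      # RFC 7208 s.4.6.4 lookup limit
        return "permerror"
    recs = [t for t in resolve(domain, "TXT") if t.lower().startswith("v=spf1")]
    if not recs:
        return "none"
    if len(recs) > 1:                   # two v=spf1 records is a permerror
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in recs[0].split()[1:]:
        if "=" in term:                 # modifiers (redirect=, exp=) not handled
            continue
        qual = "+"
        if term[0] in RESULT:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            hit = True
        elif mech in ("ip4", "ip6"):
            # an IPv4 address is never "in" an IPv6 network, and vice versa
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = ip in resolve(arg or domain, "A")
        elif mech == "mx":
            hit = any(ip in resolve(mx, "A") for mx in resolve(arg or domain, "MX"))
        elif mech == "include":
            sub = check_host(ip, arg, resolve, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"      # RFC 7208 s.5.2: include of a bad target
            hit = sub == "pass"
        else:
            return "permerror"          # unknown mechanism
        if hit:
            return RESULT[qual]
    return "neutral"                    # no term matched and no "all"


def parse_dmarc(txt):
    """'v=DMARC1; p=reject; aspf=r' -> {'v': 'DMARC1', 'p': 'reject', ...}"""
    tags = {}
    for part in txt.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip().lower()] = v.strip()
    return tags


def spf_aligned(mail_from_domain, header_from_domain, mode="r"):
    """DMARC SPF alignment: strict (s) needs the same domain; relaxed (r)
    accepts a parent/subdomain relationship.  Simplified: suffix compare
    instead of organizational domains from the public suffix list."""
    a, b = mail_from_domain.lower(), header_from_domain.lower()
    if mode == "s":
        return a == b
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def evaluate(ip, mail_from, header_from, resolve):
    """Receiver's view of one message: (spf result, SPF aligned for DMARC,
    policy the From: domain owner requested).  DMARC passes if either the
    aligned SPF or an aligned DKIM signature passes; only SPF is done here."""
    mf_domain = mail_from.rpartition("@")[2]
    hf_domain = header_from.rpartition("@")[2]
    result = check_host(ip, mf_domain, resolve)
    dmarc = next((parse_dmarc(t) for t in resolve("_dmarc." + hf_domain, "TXT")
                  if t.upper().startswith("V=DMARC1")), {})
    aligned = result == "pass" and spf_aligned(mf_domain, hf_domain, dmarc.get("aspf", "r"))
    return result, aligned, dmarc.get("p", "none")


# Constructed DNS data for an offline run; all names and addresses made up.
DNS = {
    ("example.net", "TXT"): ["v=spf1 mx ip4:198.51.100.0/28 include:_spf.bulk.example -all"],
    ("example.net", "MX"): ["mx1.example.net"],
    ("mx1.example.net", "A"): ["192.0.2.10"],
    ("_spf.bulk.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    ("_dmarc.example.net", "TXT"): ["v=DMARC1; p=reject; aspf=r; rua=mailto:dmarc@example.net"],
}


def fake_resolve(name, rrtype):
    """Stand-in for a TXT/MX/A lookup against the local resolver."""
    return DNS.get((name.lower(), rrtype), [])
```

The example.net record says: our MX hosts, one /28 of our own, and a bulk
provider's published range may send for us; everyone else hard-fails. With
`p=reject` in the DMARC record, a message from 10.0.0.1 claiming
`From: alice@example.net` evaluates to ("fail", False, "reject"), which is
what the receiving side needs to discard it.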


  


Re: Running your own mail server

2018-09-17 Thread Chris Bennett
On Mon, Sep 17, 2018 at 06:33:52PM +, Mik J wrote:
> 
> Really it will take time, here are the components I installed for this to 
> work: opensmtp, dkimproxy, clamav, clamsmtp, nginx, roundcube, prosody, 
> dovecot, let's encrypt, bind
> 
> I'm using imapsync for the migration and plan to use openldap and bogofilter.

Here is where my problem is. OpenSMTPD and Dovecot, yes.
Then, everywhere I look, I see an endless combination of different spam
solutions. Every guide I've seen online tends to be a little out of
date, as the knobs have all changed. And I have yet to find an
explanation as to why they selected a particular combination.

It seems that I should move to IMAP, but then I have to ask myself if
that is even justified. I don't really know.

I don't mind throwing in PostgreSQL, but where are some good
table/column examples?

Every guide just jumps straight to you need to install:
A -> B -> C -> D -> E -> F -> G -> H -> I
Whoa. I'm on severe overload here.
It's kept me from even installing Dovecot yet since I don't even know
crap about B -> C -> D -> E

I don't mind putting in the work. But can anyone recommend a slower
solution? Say skip C -> D -> E for now, but add them in bit by bit which
gives me time to actually study them? I really don't like cut and paste.

I really want to get rid of as much spam as I can, but I'm patient.
Also, other than the mailing lists, almost everything is starting to be
HTML emails.


> 
> Yes, this hostmaster work is more important for deliverability than the
> *optional* TLS & DKIM stuff, which I still don't bother at all with...
> 
> Along with correct DNS PTR records (and matching SMTP HELO hostname),
> basic SPF & DMARC DNS records are almost essential to send.
> 
> With almost all inbound connections being spam, fighting that is the
> main task of the postmaster. Aggressive spamd settings are needed here.
> 
> After that, the MTA needs to be able to check the DNS validity of the
> sender's SMTP HELO hostname, and check their DNS PTR record is valid,
> and both the mail's envelope and address from domains have MX records.
> 
> Most spam is sent by infected consumer devices, which do not have valid
> reverse DNS, nor a valid HELO hostname. After greylisting, bad DNS is
> the biggest indicator of spam. An MTA needs a lot of DNS knobs to tweak.
> 
> Following that, the sender's IP address needs to be checked against
> multiple reliable DNS black and lists, and a cumulative score being
> totalled up to decide to reject or pass on to the next stage of tests.
> 
> TLS & DKIM have very little value. The postmaster instead needs to work
> closely with the hostmaster and concentrate on good DNS practice/tests.

Then there is this part. Umm, I'd like to get this all correct.
Despite the reading up on this that I've done, without seeing any correct
examples, I feel a little like my DMARC is being put up my DKIM, to be a
little graphic. I would like nothing more than an example of the whole
ball of wax that I can use to cut and paste with my info substituted.
This has got to be a lot simpler than what I've seen as far as
explanations, which has left me very frustrated. Worse, I got stuck for
months without a laptop/desktop to work from. 
Yeah, I know I said cut and paste here. Shrug.

This email thing is kinda important. I feel like a little kid trying to
make pancakes with a fork instead of a spatula in a pressure cooker.

Right now is a good time for me to learn all this. I don't get or send
much email. But I'm planning on trying to make a real living wage
online. If that works, I better have this all figured out by then.
Turns out that right hip problems are genetic from my father's side of
the family. All I can say is Ouch! I need to figure this out.

Hey, thanks for any help and a special thanks for those clever OpenSMTPD
people. Wow, sendmail was a real bitch!

Chris Bennett




Re: Running your own mail server

2018-09-17 Thread Mik J
 Hello,

I started to use my own mail server two years ago, but a few years ago I tried 
it unsuccessfully.
So yes it will take you some time to set it up with all options.

Now for your needs I would advise you openbsd+opensmtpd; you don't especially
need performance, just a one box solution.

The only drawback I see is that roundcube is less sexy and less good than gmail.
I also had a hard time to install the calendaring/invite functionality on my 
mail server. And also added prosody as an xmpp server (chat).
Maybe your children will like the look of roundcube less.

Really it will take time, here are the components I installed for this to work: 
opensmtp, dkimproxy, clamav, clamsmtp, nginx, roundcube, prosody, dovecot, 
let's encrypt, bind

I'm using imapsync for the migration and plan to use openldap and bogofilter.

You'll need to set it up just for yourself first and make your family use it
when you're sure it will really work; otherwise your family won't want to use it.



On Friday, 14 September 2018 at 13:41:44 UTC+2, Craig Skinner
 wrote:
 
 On Thu, 13 Sep 2018 09:24:18 +0200 Peter N. M. Hansteen wrote:
> The part about getting a static IP address with correct reverse
> lookup is truly essential. 

Yes, this hostmaster work is more important for deliverability than the
*optional* TLS & DKIM stuff, which I still don't bother at all with...

Along with correct DNS PTR records (and matching SMTP HELO hostname),
basic SPF & DMARC DNS records are almost essential to send.

With almost all inbound connections being spam, fighting that is the
main task of the postmaster. Aggressive spamd settings are needed here.

After that, the MTA needs to be able to check the DNS validity of the
sender's SMTP HELO hostname, and check their DNS PTR record is valid,
and both the mail's envelope and address from domains have MX records.

Most spam is sent by infected consumer devices, which do not have valid
reverse DNS, nor a valid HELO hostname. After greylisting, bad DNS is
the biggest indicator of spam. An MTA needs a lot of DNS knobs to tweak.

Following that, the sender's IP address needs to be checked against
multiple reliable DNS black and lists, and a cumulative score being
totalled up to decide to reject or pass on to the next stage of tests.

TLS & DKIM have very little value. The postmaster instead needs to work
closely with the hostmaster and concentrate on good DNS practice/tests.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7

  


Re: Running your own mail server

2018-09-14 Thread Craig Skinner
On Thu, 13 Sep 2018 09:24:18 +0200 Peter N. M. Hansteen wrote:
> The part about getting a static IP address with correct reverse
> lookup is truly essential. 

Yes, this hostmaster work is more important for deliverability than the
*optional* TLS & DKIM stuff, which I still don't bother at all with...

Along with correct DNS PTR records (and matching SMTP HELO hostname),
basic SPF & DMARC DNS records are almost essential to send.

With almost all inbound connections being spam, fighting that is the
main task of the postmaster. Aggressive spamd settings are needed here.

After that, the MTA needs to be able to check the DNS validity of the
sender's SMTP HELO hostname, and check their DNS PTR record is valid,
and both the mail's envelope and address from domains have MX records.

Most spam is sent by infected consumer devices, which do not have valid
reverse DNS, nor a valid HELO hostname. After greylisting, bad DNS is
the biggest indicator of spam. An MTA needs a lot of DNS knobs to tweak.

Following that, the sender's IP address needs to be checked against
multiple reliable DNS black and lists, and a cumulative score being
totalled up to decide to reject or pass on to the next stage of tests.

TLS & DKIM have very little value. The postmaster instead needs to work
closely with the hostmaster and concentrate on good DNS practice/tests.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7
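The check pipeline Craig lists (PTR present and forward-confirmed, HELO resolving and matching reverse DNS, MX for the envelope and header From domains, then DNSBL hits totalled into a score) is easy to get subtly wrong in the ordering, so here it is written out as a small scorer. This is an added example, not code from Craig, spamd or OpenSMTPD; it also folds in the "dial"/"dyn" reverse-DNS heuristic Thomas Bohl mentions elsewhere in this thread. The DNS data is a constructed in-memory stub so it runs offline, and the point values, the reject threshold and the DNSBL zone names are assumptions, not values from the thread.

```python
"""Inbound SMTP sender checks in the order Craig describes, scored cumulatively.

Constructed stub DNS data stands in for a real resolver so this runs offline.
Point values, REJECT_SCORE and the DNSBL zone names are assumptions for the
example; a real deployment would tune them against its own traffic.
"""
from dataclasses import dataclass, field

# Constructed stub zone data (assumption: documentation IPs, no real hosts).
STUB_DNS = {
    "PTR": {
        "203.0.113.10": "mail.example.net.",
        "198.51.100.77": "dyn-77.pool.example-isp.com.",
        # 192.0.2.5 deliberately has no PTR record
    },
    "A": {
        "mail.example.net.": "203.0.113.10",
        "dyn-77.pool.example-isp.com.": "198.51.100.77",
    },
    "MX": {
        "example.net.": ["mail.example.net."],
        "example.org.": ["mx1.example.org."],
        # "nowhere.example." deliberately has no MX
    },
    # DNSBL answers keyed by the reversed-IP query name, as a real zone would be.
    "DNSBL": {
        "77.100.51.198.bl-one.example.": "127.0.0.2",
        "77.100.51.198.bl-two.example.": "127.0.0.2",
        "5.2.0.192.bl-one.example.": "127.0.0.2",
    },
}

DNSBLS = ("bl-one.example", "bl-two.example")  # placeholder zone names
REJECT_SCORE = 4                                # assumed threshold


def fqdn(name: str) -> str:
    """Lower-case and add the trailing dot so names compare like zone data."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def reversed_ip(ip: str) -> str:
    """DNSBL query names use the IPv4 octets in reverse order."""
    return ".".join(reversed(ip.split(".")))


def lookup(rrtype: str, name: str):
    """Stub resolver: returns the record or None (NXDOMAIN)."""
    return STUB_DNS[rrtype].get(name)


@dataclass
class Verdict:
    decision: str = "accept"
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def check_sender(ip: str, helo: str, mail_from: str, header_from: str = None) -> Verdict:
    """Run the DNS checks in sequence and total a score; reject above threshold."""
    v = Verdict()
    # 1. Reverse DNS must exist and forward-confirm to the connecting IP.
    ptr = lookup("PTR", ip)
    if ptr is None:
        v.add(3, "no reverse DNS (PTR) for connecting IP")
    else:
        if any(tok in ptr for tok in ("dial", "dyn")):
            v.add(2, f"reverse DNS {ptr} looks like a dynamic pool")
        if lookup("A", ptr) != ip:
            v.add(2, f"reverse DNS {ptr} does not resolve back to {ip}")
    # 2. HELO hostname must resolve and should match the reverse DNS name.
    helo_name = fqdn(helo)
    if lookup("A", helo_name) is None:
        v.add(2, f"HELO {helo} does not resolve")
    if ptr is not None and helo_name != ptr:
        v.add(1, f"HELO {helo} does not match reverse DNS {ptr}")
    # 3. Envelope and header From domains must have MX records.
    domains = {fqdn(a.rsplit("@", 1)[-1]) for a in (mail_from, header_from or mail_from)}
    for domain in sorted(domains):
        if not lookup("MX", domain):
            v.add(2, f"no MX for sender domain {domain}")
    # 4. DNSBL listings, each adding to the cumulative score.
    for bl in DNSBLS:
        if lookup("DNSBL", f"{reversed_ip(ip)}.{bl}.") is not None:
            v.add(2, f"listed in {bl}")
    v.decision = "reject" if v.score >= REJECT_SCORE else "accept"
    return v


if __name__ == "__main__":
    for args in (("203.0.113.10", "mail.example.net", "alice@example.net"),
                 ("198.51.100.77", "dyn-77.pool.example-isp.com", "joe@example.org"),
                 ("192.0.2.5", "localhost.localdomain", "x@nowhere.example"),
                 ("203.0.113.10", "mx1.example.org", "bob@example.org")):
        v = check_sender(*args)
        print(args[0], v.decision, v.score, "; ".join(v.reasons))
```

The fourth sample (a clean IP with a HELO that neither resolves nor matches its PTR) scores below the threshold and passes on to the next stage, which is the point of scoring rather than rejecting on the first failed check: a single misconfiguration on a legitimate sender should not bounce its mail, while the dynamic-pool host that is also on two lists should.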



Re: Running your own mail server

2018-09-13 Thread Peter N. M. Hansteen
On Wed, Sep 12, 2018 at 11:01:13PM -0600, Austin Hook wrote:
> Have run my own mail server for maybe 20 years of OpenBSD, and apart from 
> getting my ISP to give me a static IP and a correct reverse DNS entry, and 
> a couple of run ins with a few filters that dumb ISPs run, it's worked 
> fine all this time.  

This is very close to my own experience over the years. 

The part about getting a static IP address with correct reverse lookup 
is truly essential. 

You *will* need to actually monitor what happens and keep your systems in trim 
(*patch your shit* for example), and of course over the same 20+ years we've 
seen developments in mail that aren't easily ignored such as SPF+DKIM+DMARC 
but the motivation for running your own mail service most likely includes some 
genuine interest in the topic for its own sake so you will need to take those 
in stride.

- Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Running your own mail server

2018-09-13 Thread Peter J. Philipp
On Wed, Sep 12, 2018 at 11:01:13PM -0600, Austin Hook wrote:
> Have run my own mail server for maybe 20 years of OpenBSD, and apart from 
> getting my ISP to give me a static IP and a correct reverse DNS entry, and 
> a couple of run ins with a few filters that dumb ISPs run, it's worked 
> fine all this time.  I have a personal archive of emails that goes back 20 
> years as well, and a few search scripts to parse through it when I need 
> to.

Hi,

So you seem to be a proponent of this.  I too had a mail server 20 years ago
and would have kept this stance had I not switched countries some while back,
which introduced me to use some other mail service for a while.

I think it comes down to choice.  You have the "do it yourself" option and
the "let others do it for you" option.  Isn't choice great?

Regards,
-peter



Re: Running your own mail server

2018-09-12 Thread Austin Hook
On Sun, 9 Sep 2018, Thomas Bohl wrote:

> > But the second (far more important) point I want to make is please *THINK 
> > TWICE* if "running your own mail server" is something you are planning to 
> > do on your home internet connection.
> 
> For all intents and purposes, sending emails from a private internet
> connection directly to the receiving MX stopped working 15 years ago.
> (People started blocking everything with "dial" or "dyn" in the reverse
> DNS or HELO not being followed with the matching reverse DNS of the
> connected IP.) It should be in all books and tutorials by now.
> Word on the street has it that the IP networks of the cloud providers
> are slowly getting burned too.
> 
> To live hassle-free you want your MX to have a static IP from a good
> "commercial neighbourhood", with a reverse DNS that matches the SPF
> entry and with your server's HELO greeting.
> Check whether your IP is listed on a DNSBL
> https://mxtoolbox.com/blacklists.aspx
> Demand a different one from your provider if it is *before* you
> associate your domain with it! (Or let the IP idle for a year or two.)
> Plus: Thanks to Let's Encrypt and the super easy acme-client in base
> there are no more excuses not to have a valid certificate.
> 
> Of course that is only true for your MX. You can host your mailboxes at
> home as long as you relay through said MX.
> 
> OpenSMTPD + Dovecot (Sieve, IMAP, dsync) + Nextcloud (Calendar, Contacts)
> works for me for months without looking. (Be on the announce mailing
> lists for security information.)
> 
> PS, don't sneak through your kids' thoughts. Not even by "only" scanning
> for "troubling words".

Have run my own mail server for maybe 20 years of OpenBSD, and apart from 
getting my ISP to give me a static IP and a correct reverse DNS entry, and 
a couple of run ins with a few filters that dumb ISPs run, it's worked 
fine all this time.  I have a personal archive of emails that goes back 20 
years as well, and a few search scripts to parse through it when I need 
to.



Re: Running your own mail server

2018-09-12 Thread Boudewijn Dijkstra

On Sat, 08 Sep 2018 17:36:07 +0200, Ken M wrote:

On Sat, Sep 08, 2018 at 11:32:00AM -0400, Jay Hart wrote:
I've run my own email server for 15 years now I think. I stick with  
Linux for email server,
OpenBSD for routing/firewall. I personally find this is the best of  
both worlds...


Just my 35 cents...


Dare I ask, is there a specific technical reason for using Linux as your  
email server. I ask as I already run a Debian web server on Digital  
Ocean.


Hmm, non-spammers use DigitalOcean too? I have them blacklisted.


--
Made with Opera's e-mail program: http://www.opera.com/mail/



Re: Running your own mail server

2018-09-11 Thread Kevin Chadwick
On Tue, 11 Sep 2018 11:23:36 +0100


> dropping/prevention especially with Linux tools. Postfix is decent
> wherever it runs, of course.

I guess I meant trapping and timing out not dropping before someone
calls foul.

It is really interesting which disposable addresses receive spam.
Obvious ones but also some really unexpected ones that you can then
ignore or advise and trap.



Re: Running your own mail server

2018-09-11 Thread Kevin Chadwick
On Mon, 10 Sep 2018 13:30:37 +0100


> OpenBSD is the best OS for both tasks (I've worked for an ISP doing
> both roles, on other operating systems).
+1 

I much prefer the OpenBSD options including spamd and smtpd to the
Linux options. Linux options seem to focus on filtering and
inspection which IMHO is dangerous and less secure than
dropping/prevention especially with Linux tools. Postfix is decent
wherever it runs, of course.

> Are you more interested in being a sysadmin, webmaster, netadmin,
> hostmaster or postmaster? What do *YOU* want to do with your time?

Good point, the time spent would probably be better spent being open
with them. One benefit over gmail that smtpd can nicely provide
with automatic folder creation on an OpenBSD setup is disposable
addresses where your kids will see more of what they want and less of
what others want them to unless they choose to. Not sure that is worth
the time spent though for the few that get past gmails scanning.



Re: Running your own mail server

2018-09-10 Thread Luke A. Call
On 09-10 13:30, Craig Skinner wrote:
> Being a postmaster (email server administrator) and hostmaster (DNS
> server administrator) is fun, hectic, and takes about 5 years to learn.
> [] 
> Save yourself the trouble and let them use their gMail
> accounts/addresses directly. They'll soon be getting Android or Apple
> phones, so let them use their Google/Apple accounts themselves.
> 

Some good points.

One could also use a different provider just for mail (pop or webmail) 
instead of google, if one wants to keep from centralizing more power there.  

(One example among many is pair.com, for webmail, DNS, domain, some hosting 
but not OpenBSD that I know of, unless you get a virtual private server).



Re: Running your own mail server

2018-09-10 Thread Craig Skinner
Hi Ken,

On Sat, 8 Sep 2018 11:23:35 -0400 Ken M wrote:
> Just curious how many of you use openbsd to run your own personal
> email server? Do you find it a hassle to manage in any way?

Being a postmaster (email server administrator) and hostmaster (DNS
server administrator) is fun, hectic, and takes about 5 years to learn.

OpenBSD is the best OS for both tasks (I've worked for an ISP doing both
roles, on other operating systems).

 
> Back story my family all has email addresses through the domain I
> have. Which basically will forward to a gmail account.

Save yourself the trouble and let them use their gMail
accounts/addresses directly. They'll soon be getting Android or Apple
phones, so let them use their Google/Apple accounts themselves.


> The kids  are getting old enough to use their own accounts for
> things and not just through the school which sets them up with google
> accounts to use through their chromebook.

Let them use their Google account themselves.


> So my wife really doesn't like the idea of setting them loose on
> their own email accounts, and I don't necessarily disagree with her,
> but I disagree on the way to do it. In a gmail point of view all I
> can think of is shared passwords for the kids. I don't like that
> because first of all they could change it, second of all monitoring
> their email means literally reading their email.

What about their Google 'Hangout' instant messages?

Or their Messenger/Facebook messages?

Or their Twitter/Tumbler/Reddit/etc/etc/etc messages?

Why not let them grow up? They will soon mature and leave home anyway.
Are you going to be a permanent policeman/ISP in their adult lives??


If you want to become a hostmaster and postmaster for _yourself_, then
do it. By the time you're skilled, your children could have left home.

Forget the wife & kids - don't be a slave to them man!

Do what you want, for your own personal technical skills.

Are you more interested in being a sysadmin, webmaster, netadmin,
hostmaster or postmaster? What do *YOU* want to do with your time?


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Running your own mail server

2018-09-09 Thread Ed Ahlsen-Girard
> On Sat, Sep 08, 2018 at 10:55:40AM -0700, jungle Boogie wrote:
> > Ken,
> > 
> > Just curious, are you using pf to filter out the bad websites for
> > you kids? I find that to be more challenging for our older daughter
> > to not stumble into the bad stuff and not the wholesome sites like
> > openbsd.org, which happens to be her homepage. ;)
> > 
> > Best,
> > J. B.
> 

(snip)

> My wife is on the religious right side of the room
> politics wise and I am more of the libertarian.
> 
(snip)
> 
> Ken

While you should not take technical advice on mail servers from me, 
I've raised two kids to adulthood with a 17 year old to go, and had
almost 200 foster children.

The impedance mismatch you have with the missus is more important than
the mail.

-- 

Edward Ahlsen-Girard
Ft Walton Beach, FL




Re: Running your own mail server

2018-09-09 Thread Óscar Rubén Cuéllar Valcárcel
Yes. First it was with qmail, and now it is with OpenSMTPD, four domains. All
my servers are OpenBSD.


/Ama et fact quod vis/
*Óscar Rubén Cuéllar Valcárcel*
044 55 2678 1717
On 09/09/18 at 11:34, Ken M wrote:
> On Sun, Sep 09, 2018 at 08:49:26AM +, Tim Jones wrote:
>> Ken,
>>
>> Putting all the OpenBSD evangelists to one side, there are two things to say.
>>
>> First, like me, you might use OpenBSD for many things. And like me, you 
>> might come to the conclusion that using OpenBSD for mail is not one of those 
>> things.Personally I prefer to use a decent Linux stack for my mail, but I 
>> know saying that is probably amounts to heresy round here, so I all I will 
>> say is "do your homework, test various options, see what works for you".
>>
> I am completely on the page of using the right tool for the job. No argument
> there.
>
>> But the second (far more important) point I want to make is please *THINK 
>> TWICE* if "running your own mail server" is something you are planning to do 
>> on your home internet connection.
>>
>> Why ?
>>
>>  Well, you have all the spammers of this world to thank for the xSP 
>> community taking "more rigorous" approaches to spam filtering.
>>
>> I can tell you now that running a mailserver on your home internet 
>> connection is only likely to lead to many head-scratching "why is Joe not 
>> receiving my emails ?" moments.
>>
>> If you are going to run your own personal mailserver, then either: (a) Rent 
>> a box somewhere else;or
>> (b) Do it at home, but on a business internet connection where you can jump 
>> through all the anti-spam hoops without problems (static IP, reverse DNS 
>> etc. etc. etc.  all of which will be difficult or impossible to convince 
>> your ISP to implement on your typical dollar a month residential connection).
>>
> I would never run something like this from my house. So no worries there. On a
> VPS or something at minimum off site.
>
> Ken
>





Re: Running your own mail server

2018-09-09 Thread Chris Bennett
On Sun, Sep 09, 2018 at 04:52:01PM +, Ken M wrote:
> But frankly they go to a friend's house in our redneck area with non-tech-savvy
> parents and who knows what happens. But frankly anywhere they are there is
> always something that could happen. I feel like there is no winning the battle
> of doing this, only losing. It is more important to teach them to make good
> decisions than trying to invade on all of their bad ones before they can make
> it. And frankly just like in science failure is a result so are the mistakes 
> we
> all had to get to the point we learned from them.
> 
> Ughh, sorry I opened what is more of a philosophical can of worms on the 
> mailing
> list.

Actually, you did not. s/kids/confused new users/g and we are having a
completely appropriate conversation on dealing with problematic users
that need some monitoring for IT safety and secrecy issues.
And that IS an important topic every day!

Chris Bennett




Re: Running your own mail server

2018-09-09 Thread Kaya Saman



On 9/9/18 5:54 PM, Ken M wrote:

On Sun, Sep 09, 2018 at 05:49:31PM +0100, Stuart Henderson wrote:

In a nutshell, monitoring email is concentrating on what is really
likely to be one of the less problematic areas. The others, which IMO
are MUCH more likely to be involved if any problems do occur, are less
amenable to this sort of treatment.

(For my children, 12-16, email is pretty much a last resort if other
methods aren't available, I think that's pretty common nowadays).


It's funny how things change per generation in tech. Even though I have a smart
phone, if I really have to compose a message I want a keyboard. And for
communication I so prefer email because it can truly work on all connected
devices, whereas with chat, texts and other apps I am more at the mercy of an
app or proprietary API; meanwhile with email I sync my mutt config and I have
the terminal and vi-style interface to work with, which can be the same everywhere.

I am now the fuddy duddy...

Ken



Lol... :-) Perhaps showing the kids a DEC VT100 style terminal might get 
their attention (though in a good way or bad??) as through a serial port 
text based mail will work great on those; Mutt or Alpine etc...



Though this is completely off-topic now! ;-)



Re: Running your own mail server

2018-09-09 Thread Ken M
On a side note to this whole chain. My wife and I had another conversation about
this, and I think we are on the same page that there is no win in monitoring
their email. So I think I can stay out of the mail server business for now,
which I like.

I pointed out how her dad was a cop and what happened the minute she got out
from under the roof.

Ken



Re: Running your own mail server

2018-09-09 Thread Ken M
On Sun, Sep 09, 2018 at 05:49:31PM +0100, Stuart Henderson wrote:
> 
> In a nutshell, monitoring email is concentrating on what is really
> likely to be one of the less problematic areas. The others, which IMO
> are MUCH more likely to be involved if any problems do occur, are less
> amenable to this sort of treatment.
> 
> (For my children, 12-16, email is pretty much a last resort if other
> methods aren't available, I think that's pretty common nowadays).
> 
It's funny how things change per generation in tech. Even though I have a smart
phone, if I really have to compose a message I want a keyboard. And for
communication I so prefer email because it can truly work on all connected
devices, whereas with chat, texts and other apps I am more at the mercy of an
app or proprietary API; meanwhile with email I sync my mutt config and I have
the terminal and vi-style interface to work with, which can be the same everywhere.

I am now the fuddy duddy...

Ken



Re: Running your own mail server

2018-09-09 Thread Ken M
On Sun, Sep 09, 2018 at 05:46:40PM +0100, Kaya Saman wrote:
> 
> Maybe your ISP has option for "Parental Control"?? I know these days it is a
> big concern so many do offer this type of service
> 
> 
> Just a thought??
> 

As I mentioned we use OpenDNS for the home internet, which handles all
connections in the house provided no one manually specifies an alternate DNS
on their own. If my kids are at that point then they are also at the point of
using a proxy service or a free vpn. The next aspect is on other networks.
The school I think uses OpenDNS as well. As for their cell phones, well we have
the verizon family thing.

But frankly they go to a friend's house in our redneck area with non-tech-savvy
parents and who knows what happens. But frankly anywhere they are there is
always something that could happen. I feel like there is no winning the battle
of doing this, only losing. It is more important to teach them to make good
decisions than trying to invade on all of their bad ones before they can make
it. And frankly just like in science failure is a result so are the mistakes we
all had to get to the point we learned from them.

Ughh, sorry I opened what is more of a philosophical can of worms on the mailing
list.

Ken



Re: Running your own mail server

2018-09-09 Thread Stuart Henderson
On 2018/09/09 12:37, Ken M wrote:
> On Sun, Sep 09, 2018 at 10:08:39AM +, Stuart Henderson wrote:
> > Scanning for troubling words is not going to work without being able to
> > see the email itself for context. Whether it's automated scanning or
> > reading the mails yourself there are still privacy issues. Plus whatever
> > monitoring you do is going to miss IMs, web forums (reddit, youtube
> > comments, etc), online chat in games, all sorts. Email is relatively

Oh, and in-person of course!

> > much less used. Better to keep your eyes open and talk to them rather
> > than try to do this by technical means.
> > 
> In general this is my belief as well. I am just trying to find the right
> compromise on this for my wife to be satisfied. Or at least create the 
> semblance
> of what will satisfy her.
> 
> Ken

In a nutshell, monitoring email is concentrating on what is really
likely to be one of the less problematic areas. The others, which IMO
are MUCH more likely to be involved if any problems do occur, are less
amenable to this sort of treatment.

(For my children, 12-16, email is pretty much a last resort if other
methods aren't available, I think that's pretty common nowadays).



Re: Running your own mail server

2018-09-09 Thread Kaya Saman



On 9/9/18 5:42 PM, Ken M wrote:

On Sun, Sep 09, 2018 at 11:24:38AM -0500, Ed Ahlsen-Girard wrote:

While you should not take technical advice on mail servers from me,
I've raised two kids to adulthood with a 17 year old to go, and had
almost 200 foster children.

The impedance mismatch you have with the missus is more important than
the mail.


Yeah, I know, and maybe I am exaggerating it in this discourse. Her words are,
"they can have all the privacy they want when they are 18" and I don't feel that
is a completely practical stand point. And in fact her own experience should
tell her that might not be the best approach.

I think what I want is something that I could monitor if need be, but would
rather not.

I am starting to lean more towards either paying for email service or paying for
something that is a stronger parental control for all of their devices. My
bigger concern is the link jacking porn sites can do. I recall once in the 90's
mistyping msnbc.com at work and the carnage from a site called cafe flesh that
came out.

Ken



Maybe your ISP has an option for "Parental Control"?? I know these days it 
is a big concern so many do offer this type of service



Just a thought??


--K



Re: Running your own mail server

2018-09-09 Thread Ken M
On Sun, Sep 09, 2018 at 11:24:38AM -0500, Ed Ahlsen-Girard wrote:
> 
> While you should not take technical advice on mail servers from me, 
> I've raised two kids to adulthood with a 17 year old to go, and had
> almost 200 foster children.
> 
> The impedance mismatch you have with the missus is more important than
> the mail.
> 
Yeah, I know, and maybe I am exaggerating it in this discourse. Her words are,
"they can have all the privacy they want when they are 18" and I don't feel that
is a completely practical stand point. And in fact her own experience should
tell her that might not be the best approach.

I think what I want is something that I could monitor if need be, but would
rather not.

I am starting to lean more towards either paying for email service or paying for
something that is a stronger parental control for all of their devices. My
bigger concern is the link jacking porn sites can do. I recall once in the 90's
mistyping msnbc.com at work and the carnage from a site called cafe flesh that
came out.

Ken



Re: Running your own mail server

2018-09-09 Thread Ken M
On Sun, Sep 09, 2018 at 10:08:39AM +, Stuart Henderson wrote:
> Scanning for troubling words is not going to work without being able to
> see the email itself for context. Whether it's automated scanning or
> reading the mails yourself there are still privacy issues. Plus whatever
> monitoring you do is going to miss IMs, web forums (reddit, youtube
> comments, etc), online chat in games, all sorts. Email is relatively
> much less used. Better to keep your eyes open and talk to them rather
> than try to do this by technical means.
> 
In general this is my belief as well. I am just trying to find the right
compromise on this for my wife to be satisfied. Or at least create the semblance
of what will satisfy her.

Ken



Re: Running your own mail server

2018-09-09 Thread Ken M
On Sun, Sep 09, 2018 at 08:49:26AM +, Tim Jones wrote:
> Ken,
> 
> Putting all the OpenBSD evangelists to one side, there are two things to say.
> 
> First, like me, you might use OpenBSD for many things. And like me, you might 
> come to the conclusion that using OpenBSD for mail is not one of those 
> things.Personally I prefer to use a decent Linux stack for my mail, but I 
> know saying that is probably amounts to heresy round here, so I all I will 
> say is "do your homework, test various options, see what works for you".
> 
I am completely on the page of using the right tool for the job. No argument
there.

> But the second (far more important) point I want to make is please *THINK 
> TWICE* if "running your own mail server" is something you are planning to do 
> on your home internet connection.
> 
> Why ?
> 
>  Well, you have all the spammers of this world to thank for the xSP community 
> taking "more rigorous" approaches to spam filtering.
> 
> I can tell you now that running a mailserver on your home internet connection 
> is only likely to lead to many head-scratching "why is Joe not receiving my 
> emails ?" moments.
> 
> If you are going to run your own personal mailserver, then either: (a) Rent a 
> box somewhere else;or
> (b) Do it at home, but on a business internet connection where you can jump 
> through all the anti-spam hoops without problems (static IP, reverse DNS etc. 
> etc. etc.  all of which will be difficult or impossible to convince your 
> ISP to implement on your typical dollar a month residential connection).
> 

I would never run something like this from my house. So no worries there. On a
VPS or something at minimum off site.

Ken



Re: Running your own mail server

2018-09-09 Thread Chris Bennett
On Sun, Sep 09, 2018 at 12:23:41PM +, Thomas Bohl wrote:
> > But the second (far more important) point I want to make is please *THINK 
> > TWICE* if "running your own mail server" is something you are planning to 
> > do on your home internet connection.
> 
> For all intents and purposes, sending emails from a private internet
> connection directly to the receiving MX stopped working 15 years ago.
> (People started blocking everything with "dial" or "dyn" in the reverse
> DNS or HELO not being followed with the matching reverse DNS of the
> connected IP.) It should be in all books and tutorials by now.
> Word on the street has it that the IP networks of the cloud providers
> are slowly getting burned too.
> 
> To live hassle-free you want your MX to have a static IP from a good
> "commercial neighbourhood", with a reverse DNS that matches the SPF
> entry and with your server's HELO greeting.
> Check whether your IP is listed on a DNSBL
> https://mxtoolbox.com/blacklists.aspx
> Demand a different one from your provider if it is *before* you
> associate your domain with it! (Or let the IP idle for a year or two.)
> Plus: Thanks to Let's Encrypt and the super easy acme-client in base
> there are no more excuses not to have a valid certificate.

I have to agree with this. When I signed up with Wikipedia as an editor,
I found that my T-Mobile set of IP addresses for my hotspot were all
blacklisted. I was able to get around the problem jumping around to
access a form for special problems and now all is fine.

This sort of problem will show up with any shared IP addresses.
I was having my server text me the info from one of my contact pages
until somebody sent me a spam set of comments. T-Mobile blocked it with
their spam filters. So I dropped getting the texts. I am annoyed by
this, but that's just the way it is.

Chris Bennett




Re: Running your own mail server

2018-09-09 Thread Thomas Bohl



On 09.09.2018 at 15:36, flipchan wrote:
> Randomly jumping into this thread, does anyone have a quick and easy way to 
> do automatic responses to certain aliases in opensmtpd?
> 

Not with OpenSMTPD, but with Dovecot's Sieve
https://wiki2.dovecot.org/Pigeonhole/Sieve/Examples#Vacation_auto-reply



Re: Running your own mail server

2018-09-09 Thread flipchan
Randomly jumping into this thread, does anyone have a quick and easy way to do
automatic responses to certain aliases in opensmtpd?

On September 9, 2018 12:23:41 PM UTC, Thomas Bohl  
wrote:
>> But the second (far more important) point I want to make is please
>> *THINK TWICE* if "running your own mail server" is something you are
>> planning to do on your home internet connection.
>
>For all intents and purposes, sending emails from a private internet
>connection directly to the receiving MX stopped working 15 years ago.
>(People started blocking everything with "dial" or "dyn" in the reverse
>DNS or HELO not being followed with the matching reverse DNS of the
>connected IP.) It should be in all books and tutorials by now.
>Word on the street has it that the IP networks of the cloud providers
>are slowly getting burned too.
>
>To live hassle-free you want your MX to have a static IP from a good
>"commercial neighbourhood", with a reverse DNS that matches the SPF
>entry and with your server's HELO greeting.
>Check whether your IP is listed on a DNSBL
>https://mxtoolbox.com/blacklists.aspx
>Demand a different one from your provider if it is *before* you
>associate your domain with it! (Or let the IP idle for a year or two.)
>Plus: Thanks to Let's Encrypt and the super easy acme-client in base
>there are no more excuses not to have a valid certificate.
>
>Of course that is only true for your MX. You can host your mailboxes at
>home as long as you relay through said MX.
>
>OpenSMTPD + Dovecot (Sieve, IMAP, dsync) + Nextcloud (Calendar,
>Contacts) works for me for months without looking. (Be on the announce
>mailing lists for security information.)
>
>PS, don't sneak through your kids' thoughts. Not even by "only" scanning
>for "troubling words".

-- 
Take Care Sincerely flipchan layerprox dev


Re: Running your own mail server

2018-09-09 Thread Thomas Bohl
> But the second (far more important) point I want to make is please *THINK 
> TWICE* if "running your own mail server" is something you are planning to do 
> on your home internet connection.

For all intents and purposes, sending emails from a private internet
connection directly to the receiving MX stopped working 15 years ago.
(People started blocking everything with "dial" or "dyn" in the reverse
DNS or HELO not being followed with the matching reverse DNS of the
connected IP.) It should be in all books and tutorials by now.
Word on the street has it that the IP networks of the cloud providers
are slowly getting burned too.

To live hassle-free you want your MX to have a static IP from a good
"commercial neighbourhood", with a reverse DNS that matches the SPF
entry and with your server's HELO greeting.
Check whether your IP is listed on a DNSBL
https://mxtoolbox.com/blacklists.aspx
Demand a different one from your provider if it is *before* you
associate your domain with it! (Or let the IP idle for a year or two.)
Plus: Thanks to Let's Encrypt and the super easy acme-client in base
there are no more excuses not to have a valid certificate.

Of course that is only true for your MX. You can host your mailboxes at
home as long as you relay through said MX.

OpenSMTPD + Dovecot (Sieve, IMAP, dsync) + Nextcloud (Calendar, Contacts)
works for me for months without looking. (Be on the announce mailing
lists for security information.)

PS, don't sneak through your kids' thoughts. Not even by "only" scanning
for "troubling words".
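The checks Thomas lists (reverse DNS that resolves back to the IP and matches the HELO name, an SPF entry that covers the IP, and no DNSBL listing) can be run before a domain is pointed at a new MX address. The script below is an added example and not code from the thread: it performs all four checks through an injected resolver so it can be exercised offline against constructed records, and the hostnames, the DNSBL zone and the RFC 5737 addresses are assumptions, not real data.

```python
"""Pre-flight checks for a would-be MX address: forward-confirmed reverse
DNS, HELO consistency, SPF coverage of the IP, and DNSBL listing.

Lookups go through an injected resolve(name, rtype) callable so the logic
runs offline against the constructed records below; in use, swap in a
real resolver (dnspython, or socket for A/PTR)."""
from __future__ import annotations

import ipaddress


def reverse_name(ip: str) -> str:
    """'203.0.113.25' -> '25.113.0.203': the label order used under
    in-addr.arpa and by every IPv4 DNSBL."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    return ".".join(reversed(str(addr).split(".")))


def fcrdns_ok(ip: str, helo: str, resolve) -> tuple[bool, str]:
    """Forward-confirmed reverse DNS: PTR(ip) must name the HELO host and
    that name's A record must contain ip again."""
    ptr = resolve(reverse_name(ip) + ".in-addr.arpa", "PTR")
    if not ptr:
        return False, "no PTR record"
    name = ptr[0].rstrip(".").lower()
    if name != helo.rstrip(".").lower():
        return False, f"PTR {name} != HELO {helo}"
    if ip not in resolve(name, "A"):
        return False, f"{name} does not resolve back to {ip}"
    return True, "ok"


def spf_permits(ip: str, spf_txt: str) -> bool:
    """Minimal SPF evaluation: ip4: mechanisms and the all mechanism only
    (assumption: no include:/redirect=, which would need recursion).
    Anything but a '+' qualifier counts as not permitted."""
    addr = ipaddress.IPv4Address(ip)
    for mech in spf_txt.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = "+"
        if mech[0] in "+-~?":
            qualifier, mech = mech[0], mech[1:]
        if mech.startswith("ip4:"):
            if addr in ipaddress.IPv4Network(mech[4:], strict=False):
                return qualifier == "+"
        elif mech == "all":
            return qualifier == "+"
    return False  # no mechanism matched: neutral, so not permitted


def dnsbl_listed(ip: str, zone: str, resolve) -> list[str]:
    """A records for <reversed-ip>.<zone>; each 127.0.0.x answer is a
    listing code, an empty list means not listed."""
    return list(resolve(f"{reverse_name(ip)}.{zone}", "A"))


def mx_preflight(ip, helo, spf_txt, zones, resolve) -> dict:
    """Run all checks and return a report; every False/non-empty entry is
    something to fix (or a reason to ask the provider for another IP)
    before pointing a domain's MX at this address."""
    ok, why = fcrdns_ok(ip, helo, resolve)
    return {
        "fcrdns": ok,
        "fcrdns_detail": why,
        "spf": spf_permits(ip, spf_txt),
        "dnsbl": {z: dnsbl_listed(ip, z, resolve) for z in zones},
    }


# Constructed records standing in for live DNS (RFC 5737 documentation
# addresses). 203.0.113.25 is a clean static MX; 198.51.100.7 is a
# dynamic-pool address with a generic PTR and a DNSBL listing.
_RECORDS = {
    ("25.113.0.203.in-addr.arpa", "PTR"): ["mail.example.com."],
    ("mail.example.com", "A"): ["203.0.113.25"],
    ("7.100.51.198.in-addr.arpa", "PTR"): ["dyn-7.pool.example.net."],
    ("dyn-7.pool.example.net", "A"): ["198.51.100.7"],
    ("7.100.51.198.dnsbl.example.org", "A"): ["127.0.0.2"],
}
SPF_EXAMPLE_COM = "v=spf1 ip4:203.0.113.25 -all"
ZONES = ["dnsbl.example.org"]  # hypothetical zone; use the real lists


def fake_resolve(name: str, rtype: str) -> list[str]:
    """Dict-backed resolver; an unknown name answers like NXDOMAIN."""
    return _RECORDS.get((name.lower(), rtype), [])


if __name__ == "__main__":
    for ip in ("203.0.113.25", "198.51.100.7"):
        print(ip, mx_preflight(ip, "mail.example.com", SPF_EXAMPLE_COM,
                               ZONES, fake_resolve))
```

The resolver is injected on purpose: the same functions can be pointed at live DNS, and a failing `fcrdns` entry on a freshly rented VPS is exactly the signal Thomas means when he says to demand a different address before associating the domain with it.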



Re: Running your own mail server

2018-09-09 Thread Peter J. Philipp
On Sun, Sep 09, 2018 at 10:08:39AM +, Stuart Henderson wrote:
> >> own email server, when I have never done it before on any OS, worth it
> >> over some other solution. And yes I am very open to other suggestions for
> >> a solution, even if it is something I have to pay for, to avoid sharing
> >> passwords or grotesque privacy infringement of literally reading all
> >> their emails.
> >>
> >> Welcome to differences of opinion as well.  Thank you.
> 
> Scanning for troubling words is not going to work without being able to
> see the email itself for context. Whether it's automated scanning or
> reading the mails yourself there are still privacy issues. Plus whatever
> monitoring you do is going to miss IMs, web forums (reddit, youtube
> comments, etc), online chat in games, all sorts. Email is relatively
> much less used. Better to keep your eyes open and talk to them rather
> than try to do this by technical means.

Well said, I agree with this!  (much scolding deleted here, Stuart said it
best).

-peter



Re: Running your own mail server

2018-09-09 Thread Stuart Henderson
On 2018-09-09, Friedrich Locke  wrote:
> if you demand performance, FreeBSD + Qmail-ldap is THE way to go.

qmail-ldap (or, well, anything+ldap for that matter) is a relatively
complex setup and total overkill for a personal mail server.
>
> On Sat, Sep 8, 2018 at 12:26 PM Ken M  wrote:
>
>> Just curious how many of you use openbsd to run your own personal email
>> server?
>> Do you find it a hassle to manage in any way?
>>
>> I know openbsd is perfectly fine for a mail server, don't get me wrong the
>> question is more about is it worth it to do yourself. Specifically I will
>> probably be doing it through a guest on vultr.

I do, and don't find it a hassle, but I've been running mail myself long enough
that I switched from sendmail to vmailer (before it was renamed to postfix).

>> Back story my family all has email addresses through the domain I have.
>> Which basically will forward to a gmail account. The kids accounts don't
>> really forward anywhere, they are place holders I guess. But they are
>> getting old enough to use their own accounts for things and not just
>> through the school which sets them up with google accounts to use through
>> their chromebook.

Don't do forwarding if possible, you will lose mail to spam filtering.
Instead set up pop3 and smtp-auth and let gmail fetch/send that way.

>> So my wife really doesn't like the idea of setting them loose on their own
>> email accounts, and I don't necessarily disagree with her, but I disagree
>> on the way to do it. In a gmail point of view all I can think of is shared
>> passwords for the kids. I don't like that because first of all they could
>> change it, second of all monitoring their email means literally reading
>> their email.
>>
>> My wife and I have different views on privacy as well.
>>
>> I was thinking I could run my own email server to give them accounts
>> there, and at the same time instead of reading their email be able to more
>> specifically block certain senders, but also to scan the email for
>> troubling words. In my mind that is things like suicide, kill, etc.
>>
>> So I guess the end question, is for protecting the email of minors is
>> running my own email server, when I have never done it before on any OS,
>> worth it over some other solution. And yes I am very open to other
>> suggestions for a solution, even if it is something I have to pay for, to
>> avoid sharing passwords or grotesque privacy infringement of literally
>> reading all their emails.
>>
>> Welcome to differences of opinion as well.  Thank you.

Scanning for troubling words is not going to work without being able to
see the email itself for context. Whether it's automated scanning or
reading the mails yourself there are still privacy issues. Plus whatever
monitoring you do is going to miss IMs, web forums (reddit, youtube
comments, etc), online chat in games, all sorts. Email is relatively
much less used. Better to keep your eyes open and talk to them rather
than try to do this by technical means.
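The layout Stuart recommends (the domain receives on port 25, and clients, Gmail's "send as" included, hand outbound mail to an authenticated submission port instead of relying on forwarding) as an added configuration example that is not from the thread or the OpenSMTPD project. It uses the OpenSMTPD grammar that arrived with 6.4; the hostname, the example.com domain, the certificate paths and the table files are assumptions.

```conf
# /etc/mail/smtpd.conf (OpenSMTPD grammar from 6.4 onward; assumed names)

pki mail.example.com cert "/etc/ssl/mail.example.com.fullchain.pem"
pki mail.example.com key  "/etc/ssl/private/mail.example.com.key"

table aliases     file:/etc/mail/aliases
table credentials file:/etc/mail/credentials

# Port 25: inbound mail for the domain; STARTTLS offered, HELO name set
# explicitly so it matches the PTR record of the MX address.
listen on egress tls pki mail.example.com hostname mail.example.com

# Port 587: authenticated submission only, TLS mandatory. This is what a
# phone mail client or a Gmail "send mail as" entry is pointed at.
listen on egress port submission tls-require pki mail.example.com auth <credentials>

action "local_mail" maildir alias <aliases>
action "outbound"   relay helo mail.example.com

match from any for domain "example.com" action "local_mail"
match from local for local              action "local_mail"
match auth from any for any             action "outbound"
match from local for any                action "outbound"
```

Only authenticated sessions reach the `outbound` action, so the box never relays for anonymous clients; the credentials file holds one `user<TAB>hash` line per account, with the hash produced by `smtpctl encrypt`. The POP3/IMAP side that Gmail fetches from is Dovecot's job and is not shown here.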




Re: Running your own mail server

2018-09-09 Thread Tim Jones
Ken,

Putting all the OpenBSD evangelists to one side, there are two things to say.

First, like me, you might use OpenBSD for many things. And like me, you might 
come to the conclusion that using OpenBSD for mail is not one of those 
things. Personally I prefer to use a decent Linux stack for my mail, but I know 
saying that probably amounts to heresy round here, so all I will say is 
"do your homework, test various options, see what works for you".

But the second (far more important) point I want to make is please *THINK 
TWICE* if "running your own mail server" is something you are planning to do on 
your home internet connection.

Why ?

Well, you have all the spammers of this world to thank for the xSP community 
taking "more rigorous" approaches to spam filtering.

I can tell you now that running a mailserver on your home internet connection 
is only likely to lead to many head-scratching "why is Joe not receiving my 
emails ?" moments.

If you are going to run your own personal mailserver, then either: (a) Rent a 
box somewhere else; or
(b) Do it at home, but on a business internet connection where you can jump 
through all the anti-spam hoops without problems (static IP, reverse DNS etc. 
etc. etc., all of which will be difficult or impossible to convince your 
ISP to implement on your typical dollar a month residential connection).



Re: Running your own mail server

2018-09-08 Thread Torsten
I definitely agree on qmail.
It was a learning curve for me in the late 90's to get it going on Redhat, 
after that Mandrake and Slackware, finally settling down on FreeBSD and 
OpenBSD.

Sadly, there are some concerns about the aging code, with various patches 
available to compensate, but I have not found a viable replacement ever since 
getting fond of qmail's/tcpserver's flexibility, with patches and pain to adapt 
to new encoders and ssl/tls versions.

Be aware, qmail is not an off the shelf usable software, but once you get into 
it - you may never leave.
I did not and do not intend to until it can't be maintained.
 
--

if you demand performance, FreeBSD + Qmail-ldap is THE way to go.

my 1 cent.

On Sat, Sep 8, 2018 at 12:26 PM Ken M  wrote:

> Just curious how many of you use openbsd to run your own personal 
> email server?
> Do you find it a hassle to manage in any way?
>
> I know openbsd is perfectly fine for a mail server, don't get me wrong 
> the question is more about is it worth it to do yourself. Specifically 
> I will probably be doing it through a guest on vultr.
>
> Back story my family all has email addresses through the domain I have.
> Which
> basically will forward to a gmail account. The kids accounts don't 
> really forward anywhere, they are place holders I guess. But they are 
> getting old enough to use their own accounts for things and not just 
> through the school which sets them up with google accounts to use through 
> their chromebook.
>
> So my wife really doesn't like the idea of setting them loose on their 
> own email accounts, and I don't necessarily disagree with her, but I 
> disagree on the way to do it. In a gmail point of view all I can think 
> of is shared passwords for for the kids. I don't like that because 
> first of all they could change it, second of all monitoring their 
> email means literally reading their email.
>
> My wife and I have different views on privacy as well.
>
> I was thinking I could run my own email server to give them accounts 
> there, and at the same time instead of reading their email be able to 
> more specifically block certain senders, but also to scan the email 
> for troubling words. In my mind that is things like suicide, kill, 
> etc.
>
> So I guess the end question, is for protecting the email of minors is 
> running my own email server, when I have never done it before on any 
> OS, worth it over some other solution. And yes I am very open to other 
> suggestions for a solution, even if it is something I have to pay for, 
> to avoid sharing passwords or grotesque privacy infringement of 
> literally reading all their emails.
>
> Welcome to differences of opinion as well.  Thank you.
>
> Ken
>
>



Re: Running your own mail server

2018-09-08 Thread Ken M
On Sat, Sep 08, 2018 at 09:22:01PM -0300, Friedrich Locke wrote:
> if you demand performance, FreeBSD + Qmail-ldap is THE way to go.
> 
> my 1 cent.
> 
Performance is a priority, but not my first priority. In fact I think that is
why I have started becoming a convert to openbsd.

Although I do like freebsd for servers as well and linux and what not. Just
lately I have started trying to see if I can OpenBSD all the things I need.

Ken



Re: Running your own mail server

2018-09-08 Thread Friedrich Locke
if you demand performance, FreeBSD + Qmail-ldap is THE way to go.

my 1 cent.

On Sat, Sep 8, 2018 at 12:26 PM Ken M  wrote:

> Just curious how many of you use openbsd to run your own personal email
> server?
> Do you find it a hassle to manage in any way?
>
> I know openbsd is perfectly fine for a mail server, don't get me wrong the
> question is more about is it worth it to do yourself. Specifically I will
> probably be doing it through a guest on vultr.
>
> Back story my family all has email addresses through the domain I have.
> Which basically will forward to a gmail account. The kids accounts don't
> really forward anywhere, they are place holders I guess. But they are
> getting old enough to use their own accounts for things and not just
> through the school which sets them up with google accounts to use through
> their chromebook.
>
> So my wife really doesn't like the idea of setting them loose on their own
> email accounts, and I don't necessarily disagree with her, but I disagree
> on the way to do it. In a gmail point of view all I can think of is shared
> passwords for the kids. I don't like that because first of all they could
> change it, second of all monitoring their email means literally reading
> their email.
>
> My wife and I have different views on privacy as well.
>
> I was thinking I could run my own email server to give them accounts
> there, and at the same time instead of reading their email be able to more
> specifically block certain senders, but also to scan the email for
> troubling words. In my mind that is things like suicide, kill, etc.
>
> So I guess the end question, is for protecting the email of minors is
> running my own email server, when I have never done it before on any OS,
> worth it over some other solution. And yes I am very open to other
> suggestions for a solution, even if it is something I have to pay for, to
> avoid sharing passwords or grotesque privacy infringement of literally
> reading all their emails.
>
> Welcome to differences of opinion as well.  Thank you.
>
> Ken


Re: Running your own mail server

2018-09-08 Thread flipchan
opensmtpd is great! Aliases and a lot more goodness

On September 8, 2018 3:23:35 PM UTC, Ken M  wrote:
> Just curious how many of you use openbsd to run your own personal email
> server?
> Do you find it a hassle to manage in any way?
>
> I know openbsd is perfectly fine for a mail server, don't get me wrong the
> question is more about is it worth it to do yourself. Specifically I will
> probably be doing it through a guest on vultr.
>
> Back story my family all has email addresses through the domain I have.
> Which basically will forward to a gmail account. The kids accounts don't
> really forward anywhere, they are place holders I guess. But they are
> getting old enough to use their own accounts for things and not just
> through the school which sets them up with google accounts to use through
> their chromebook.
>
> So my wife really doesn't like the idea of setting them loose on their own
> email accounts, and I don't necessarily disagree with her, but I disagree
> on the way to do it. In a gmail point of view all I can think of is shared
> passwords for the kids. I don't like that because first of all they could
> change it, second of all monitoring their email means literally reading
> their email.
>
> My wife and I have different views on privacy as well.
>
> I was thinking I could run my own email server to give them accounts
> there, and at the same time instead of reading their email be able to more
> specifically block certain senders, but also to scan the email for
> troubling words. In my mind that is things like suicide, kill, etc.
>
> So I guess the end question, is for protecting the email of minors is
> running my own email server, when I have never done it before on any OS,
> worth it over some other solution. And yes I am very open to other
> suggestions for a solution, even if it is something I have to pay for, to
> avoid sharing passwords or grotesque privacy infringement of literally
> reading all their emails.
>
> Welcome to differences of opinion as well.  Thank you.
>
> Ken

-- 
Take Care Sincerely flipchan layerprox dev


Re: Running your own mail server

2018-09-08 Thread ceidem
I run an email server for myself on OpenBSD running on Vultr.  OpenBSD, 
OpenSMTPD, dovecot and Roundcube all run fine on a $5 per month server.

If you want a pre-packaged mail server to avoid any hassle, check out iRedMail.

On September 8, 2018 10:23:35 AM CDT, Ken M  wrote:
> Just curious how many of you use openbsd to run your own personal email
> server?
> Do you find it a hassle to manage in any way?
>
> I know openbsd is perfectly fine for a mail server, don't get me wrong the
> question is more about is it worth it to do yourself. Specifically I will
> probably be doing it through a guest on vultr.
>
> Back story my family all has email addresses through the domain I have.
> Which basically will forward to a gmail account. The kids accounts don't
> really forward anywhere, they are place holders I guess. But they are
> getting old enough to use their own accounts for things and not just
> through the school which sets them up with google accounts to use through
> their chromebook.
>
> So my wife really doesn't like the idea of setting them loose on their own
> email accounts, and I don't necessarily disagree with her, but I disagree
> on the way to do it. In a gmail point of view all I can think of is shared
> passwords for the kids. I don't like that because first of all they could
> change it, second of all monitoring their email means literally reading
> their email.
>
> My wife and I have different views on privacy as well.
>
> I was thinking I could run my own email server to give them accounts
> there, and at the same time instead of reading their email be able to more
> specifically block certain senders, but also to scan the email for
> troubling words. In my mind that is things like suicide, kill, etc.
>
> So I guess the end question, is for protecting the email of minors is
> running my own email server, when I have never done it before on any OS,
> worth it over some other solution. And yes I am very open to other
> suggestions for a solution, even if it is something I have to pay for, to
> avoid sharing passwords or grotesque privacy infringement of literally
> reading all their emails.
>
> Welcome to differences of opinion as well.  Thank you.
>
> Ken

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Running your own mail server

2018-09-08 Thread Ken M
On Sat, Sep 08, 2018 at 05:54:18PM +0200, Peter N. M. Hansteen wrote:
> On 09/08/18 17:23, Ken M wrote:
> 
> If you've never run a mail server before but are familiar with OpenBSD,
> please do go the OpenBSD route.
> 
> Setting up and running a mail service involves learning a few skills. If
> you already manage DNS for your domain(s) I suppose you have a head start.
> 
> Anything that comes as part of OpenBSD or packaged for OpenBSD will come
> with sensible defaults. Please do yourself and the rest of the world a
> favor and read up properly on the effects of anything you do change. A
> lot of stuff that appears on the face of it to be trivial actually isn't.
> 
> I've written quite a few pieces on mail and related topics on the blog
> (the first URL in the signature) and of course The Book of PF touches on
> the issue as well, at least the spamd(8) parts. I suppose the "Effective
> Spam and Malware Countermeasures"
> (https://bsdly.blogspot.com/2014/02/effective-spam-and-malware.html)
> piece is a goodish place to start.
> 
> For anyone setting up a mail server these days there are worse things to
> do than read Aaron Poffenberger's SMTPd mail server tutorial slides and
> some related materials
> (https://www.bsdcan.org/2016/schedule/events/691.en.html and links therein).
> 
> - Peter
> 
> -- 
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> 
I have never run a mail server before so I know I have a learning curve to work
on, which I was not trying to solve in this email, just to feel out where
similar people have their mindset on this. I do have more experience
administering linux than openbsd but I am slowly working on changing that as I
really appreciate the way openbsd is engineered at all levels.

I am familiar with your blogs so I will read up and when I get to the point of
specific questions I will bring them up here.

Ken



Re: Running your own mail server

2018-09-08 Thread Ken M
On Sat, Sep 08, 2018 at 10:55:40AM -0700, jungle Boogie wrote:
> Ken,
> 
> Just curious, are you using pf to filter out the bad websites for you kids?
> I find that to be more challenging for our older daughter to not stumble
> into the bad stuff and not the wholesome sites like openbsd.org, which
> happens to be her homepage. ;)
> 
> Best,
> J. B.

So when computer usage for them first became something to talk about here they
had only kindles that only connect to our wifi. Kindles are pretty good out of
the box for parental controls. For the main workstation in the house (usually
linux) that they can access I used DansGuardian.

Over time, they got older and so many more devices are in play, from android
phones to chromebooks. Our home uses opendns, set at the router. Granted easy
enough to bypass but my kids aren't there yet. On the android side we have
verizon so we use the verizon family settings.

I don't consider any of this ideal but it is the best I got so far without
having to spend all my time administrating things on the home network. I opt for
a mixture of what I got and keeping the kids believing that my computer skills
are such that I can see what they do no matter what. Which is mostly true but I
don't practice that. Also if asked to unlock their devices for us to see
something they know they are to do it without question or delay or they lose
said device.

The difficult part of all this and why I asked this here. My wife and I have
different philosophies on such things. Example she would put the kids in a damn
plastic bubble, meanwhile I am the type that believes that our job is not to
protect them from everything but to teach them to protect themselves and make
good decisions as we won't always be there. My wife is on the religious right
side of the room politics wise and I am more of the libertarian.

Sorry to digress but I asked these things here as I figure others here have
similar mindset on security vs censorship vs privacy. I don't view them as
mutually exclusive but there are ways that I try to avoid that strengthen one by
compromising the other. As my kids enter their teenage years I know they will
find a way to subvert such controls and the more I try to stop them from doing
so the harder it will get when they do and the more likely they are to not trust
us to bring us a problem they have. In short I am more worried about my kids
feeling they have to hide everything that they don't bring something important
to us to talk about, than I am about them sneaking something by me. 

Ken



Re: Running your own mail server

2018-09-08 Thread jungle Boogie
On Sat, Sep 8, 2018, 11:32 AM Peter N. M. Hansteen  wrote:

> On 09/08/18 19:55, jungle Boogie wrote:
> > Just a general question about openbsd...
> >
> > I understand smtpd is in base for sending mail. Then we also have spam.
> > Both very neat and useful!
> >
> > Is there a particular reason there is not a mail receiving agent in base?
>
> You're joking, right?
>
> man smtpd and references therein. There are also pointers in this thread
> to running a full featured mail server on OpenBSD with smtpd from base.
>

Ah, thanks for setting me straight.


Re: Running your own mail server

2018-09-08 Thread Zbyszek Żółkiewski


> Wiadomość napisana przez Ken M  w dniu 08.09.2018, o godz. 
> 17:23:
> 
> Just curious how many of you use openbsd to run your own personal email 
> server?

another here - running my own server for a long time (OpenBSD). If you choose 
dovecot you can nicely encrypt the backend mail store:

https://blog.onefellow.com/post/167267172603/server-side-email-encryption-with-dovecot

and keep private key safe:

https://blog.onefellow.com/post/173796677183/how-to-obfuscate-dovecot-encryption-key

good luck!

_
Zbyszek Żółkiewski



Re: Running your own mail server

2018-09-08 Thread Peter N. M. Hansteen
On 09/08/18 19:55, jungle Boogie wrote:
> Just a general question about openbsd...
> 
> I understand smtpd is in base for sending mail. Then we also have spam.
> Both very neat and useful!
> 
> Is there a particular reason there is not a mail receiving agent in base?

You're joking, right?

man smtpd and references therein. There are also pointers in this thread
to running a full featured mail server on OpenBSD with smtpd from base.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Running your own mail server

2018-09-08 Thread jungle Boogie
Hi all,

Just a general question about openbsd...

I understand smtpd is in base for sending mail. Then we also have spam.
Both very neat and useful!

Is there a particular reason there is not a mail receiving agent in base?
Are the existing one sufficient enough for devs and there isn't enough
desire to write one?

Ken,

Just curious, are you using pf to filter out the bad websites for you kids?
I find that to be more challenging for our older daughter to not stumble
into the bad stuff and not the wholesome sites like openbsd.org, which
happens to be her homepage. ;)

Best,
J. B.


Re: Running your own mail server

2018-09-08 Thread Kaya Saman



On 9/8/18 6:01 PM, Chris Bennett wrote:

> [snip]
>
> IMHO, I would skip using partially insecure OS's like Linux. These are
> your kids!

Of course security at the OS level is important but a lot of work 
must be done in the infrastructure area too for security... 
running a good IDS for example: OpenBSD with Snort totally rocks in this 
area going through a web proxy... again OpenBSD with Squid and Clamd.

Additionally perhaps a VPN to whatever mail solution the OP chooses if 
'in house', like OpenVPN running on an OBSD gateway for example, then lock 
down the mail system to just have port 25 open inbound in PF, maybe even 
with queueing enabled.

Encryption of the storage medium can also be suggested so wherever the 
maildir store is located the FS becomes encrypted as an added layer of 
security.

There's a lot one can do even just by sticking to a few OpenBSD based 
boxes but it really is a matter of locking things down as opposed to 
doing something silly; even OpenBSD will become insecure if port 22 
(ssh) is opened up with the root account available and a password 
something easily guessed like 'root' or 'admin'.

It's not really a short topic that has one specific answer but I will 
state that OpenBSD for router/gateways and servers is an excellent 
solution as, unlike other OS's, it is not resource intensive and overall 
pretty secure right out of the box.



--K




Re: Running your own mail server

2018-09-08 Thread Paco Esteban
On Sat, 08 Sep 2018, Ken M wrote:

> Just curious how many of you use openbsd to run your own personal email 
> server?
> Do you find it a hassle to manage in any way?

I've managed my personal domain on and off over the years (not at the
moment, but that will change again later this year). I've used Debian,
FreeBSD and OpenBSD. By far the easiest setup is OpenBSD in my opinion.

OpenSMTPd + spamd and add spamassassin and dovecot to the mix and you
have a pretty good solution. Using sieve with dovecot you can even
filter email before it gets delivered to mailboxes if you need to.

That said, the biggest challenge when self hosting email is not on the
OS or programs you use, but on the fact of spam. Keeping spam away is
not difficult but requires some work (take a look at P. Hansteen's blog.
He does an amazing job explaining this sort of things).

Another challenge is being sure your mx hosts are "reputable". Meaning they
don't end up on any blacklist out there (a lot of admins use them on
their smtps ... which I think is madness ... but anyway). This can be
because the ip you get assigned on your vm was previously used by a spammer or
a million other reasons. Getting your emails delivered can be a problem
sometimes.

And maybe another problem you may encounter is reliability. You should
have at least 2 mx hosts. That involves a bit of work (on OpenBSD keep
spamd in sync between hosts and other stuff ...). Basically be sure you
can rely on your setup. If somebody sends you an email you'll get it.

I hope it helps.

-- 
Paco Esteban.
GnuPG key: https://onna.be/44CA735E.asc



Re: Running your own mail server

2018-09-08 Thread Chris Bennett
I have to absolutely agree that OpenBSD using OpenSMTPD is "the right
solution" for this problem.
It's secure and after a little bit of learning, not hard to use.

Spamd is pretty effective for most spam. Not perfect, but what is
nowadays? 
You can monitor both sent and received emails.

The delivery part raises the exact same questions for whatever you use,
but dovecot is excellent and can work with whatever email programs
you/they want to use on what devices.

As far as privacy, others can give you help with that and scanning
incoming and outgoing emails.
Personally, I would send a copy to another user and scan without
actually reading them yourself unless a "red light" shows up. 
That can be accomplished pretty easily and I did that myself when I had
a set of mailing list emails processed before a script posted them to a
forum board of received emails.

i.e. in from user joe, forwarded to joe2 and then scanning is done.

IMHO, I would skip using partially insecure OS's like Linux. These are
your kids!

Chris Bennett
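Chris's "copy to a second user and only look when a red light shows up" arrangement, as an added example that is not code from the thread: it assumes the copy comes from an aliases(5) entry such as `joe: joe, joe2`, so that joe2's Maildir holds the duplicates, and the scanner then reports only who sent a message and which of the watch-words matched, never the text. The three sample messages, the watch-word list (the original poster's own examples) and the Maildir layout are constructed for the example; one of the samples is deliberately a false positive, since whole-word matching cannot tell "kill the stuck process" from the worrying sense, which is the context problem Stuart raises further down the thread.

```python
"""Flag-only scan of a copied mailbox: report the sender, date, message-id
and which watch-words matched, never the message text.

Assumes the copy is produced by an aliases(5) entry such as
`joe: joe, joe2`, so joe2's Maildir holds the duplicates. Whole-word
matching only; a hit is a prompt to talk, not a verdict."""
from __future__ import annotations

import email
import re
import tempfile
from email import policy
from email.message import EmailMessage
from pathlib import Path

WATCH_WORDS = ("suicide", "kill")  # the original poster's own examples
_WORD_RE = re.compile(r"\b(" + "|".join(map(re.escape, WATCH_WORDS)) + r")\b",
                      re.IGNORECASE)


def text_of(msg: EmailMessage) -> str:
    """Decoded text/* parts joined together; attachments and other binary
    parts are ignored."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == "text")


def flags_for(raw: bytes) -> dict:
    """Metadata plus the sorted, lower-cased set of matched words. The body
    is decoded here and nowhere else."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = sorted({m.group(1).lower() for m in _WORD_RE.finditer(text_of(msg))})
    return {
        "from": str(msg.get("From", "")),
        "date": str(msg.get("Date", "")),
        "message_id": str(msg.get("Message-ID", "")),
        "hits": hits,
    }


def scan_maildir(maildir: Path) -> list[dict]:
    """Walk new/ and cur/ of a Maildir; return reports for flagged messages
    only, so an unflagged message leaves no trace in the output."""
    flagged = []
    for sub in ("new", "cur"):
        for f in sorted((maildir / sub).glob("*")):
            if f.is_file():
                report = flags_for(f.read_bytes())
                if report["hits"]:
                    flagged.append(report)
    return flagged


# Constructed sample messages (not real mail).
SAMPLE_ALERT = b"""From: friend@example.net
To: joe@example.com
Date: Sat, 8 Sep 2018 10:00:00 +0000
Message-ID: <a1@example.net>
Subject: hey
Content-Type: text/plain; charset="utf-8"

I don't know what to do any more, sometimes I think about suicide.
"""
SAMPLE_BENIGN = b"""From: admin@example.com
To: joe@example.com
Date: Sat, 8 Sep 2018 11:00:00 +0000
Message-ID: <b2@example.com>
Subject: server
Content-Type: text/plain; charset="utf-8"

Remember to kill the stuck process before rebooting. Skills test Monday!
"""
SAMPLE_CLEAN = b"""From: coach@example.org
To: joe@example.com
Date: Sat, 8 Sep 2018 12:00:00 +0000
Message-ID: <c3@example.org>
Subject: practice
Content-Type: text/plain; charset="utf-8"

Skilled work today, see you Thursday.
"""


def make_sample_maildir() -> Path:
    """Build a throwaway Maildir holding the three samples."""
    root = Path(tempfile.mkdtemp(prefix="joe2-"))
    for sub in ("new", "cur", "tmp"):
        (root / sub).mkdir()
    (root / "new" / "1.eml").write_bytes(SAMPLE_ALERT)
    (root / "cur" / "2.eml").write_bytes(SAMPLE_BENIGN)
    (root / "cur" / "3.eml").write_bytes(SAMPLE_CLEAN)
    return root


if __name__ == "__main__":
    for report in scan_maildir(make_sample_maildir()):
        print(report)
```

Run it against joe2's real Maildir from cron and the only thing that leaves the box is the list of flagged message-ids and senders; the body stays where it was. The benign sample is flagged too, which is the point: a word list produces prompts, not conclusions.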




Re: Running your own mail server

2018-09-08 Thread lists
Sat, 8 Sep 2018 16:39:52 +0100 Kaya Saman 
> I agree here!
> [snip]
> That way you have a fully managed mail system right out of the box with

Hi misc,

Fully managed and VPS are incompatible.  Also incompatible are: remote
infrastructure and turnkey solutions without complete control of bits.

They are remote flawed products and services with some tweaks & knobs.

This thread seems like a poor imitation of virtual server comparisons.
I see no mention of OpenBSD and the software related to OpenBSD here..

I'd be really interested to read "running OpenBSD as our mail server".

Kind regards,
Anton Lazarov



Re: Running your own mail server

2018-09-08 Thread Peter N. M. Hansteen
On 09/08/18 17:23, Ken M wrote:
> Just curious how many of you use openbsd to run your own personal email 
> server?

I've been running my personal domains on OpenBSD for a number of years.
So have I suspect a largish subset of the readership here, but I have no
idea how many will actually come forward and say so in public.

> Do you find it a hassle to manage in any way?

If anything I find running everything on OpenBSD makes for less hassle
than most other options, because the system is so consistently sane.
That said, I've had other systems in the mix for various reasons at
various times for places I've worked, but I go for all-OpenBSD setups
whenever feasible.

> So I guess the end question, is for protecting the email of minors is running 
> my
> own email server, when I have never done it before on any OS, worth it over 
> some
> other solution. And yes I am very open to other suggestions for a solution, 
> even
> if it is something I have to pay for, to avoid sharing passwords or grotesque
> privacy infringement of literally reading all their emails.

If you've never run a mail server before but are familiar with OpenBSD,
please do go the OpenBSD route.

Setting up and running a mail service involves learning a few skills. If
you already manage DNS for your domain(s) I suppose you have a head start.

Anything that comes as part of OpenBSD or packaged for OpenBSD will come
with sensible defaults. Please do yourself and the rest of the world a
favor and read up properly on the effects of anything you do change. A
lot of stuff that appears on the face of it to be trivial actually isn't.

I've written quite a few pieces on mail and related topics on the blog
(the first URL in the signature) and of course The Book of PF touches on
the issue as well, at least the spamd(8) parts. I suppose the "Effective
Spam and Malware Countermeasures"
(https://bsdly.blogspot.com/2014/02/effective-spam-and-malware.html)
piece is a goodish place to start.

For anyone setting up a mail server these days there are worse things to
do than read Aaron Poffenberger's SMTPd mail server tutorial slides and
some related materials
(https://www.bsdcan.org/2016/schedule/events/691.en.html and links therein).

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Running your own mail server

2018-09-08 Thread Jay Hart
> On Sat, Sep 08, 2018 at 11:32:00AM -0400, Jay Hart wrote:
>> Ken,
>>
>> I've run my own email server for 15 years now I think. I stick with Linux 
>> for email server,
>> OpenBSD for routing/firewall. I personally find this is the best of both 
>> worlds...
>>
>> Just my 35 cents...
>>
>> Jay
>>
>
> Dare I ask, is there a specific technical reason for using Linux as your email
> server. I ask as I already run a Debian web server on Digital Ocean.
>
> Ken
>
>

Main "technical reason" would be not all my eggs in one basket (i.e. box).



Re: Running your own mail server

2018-09-08 Thread Kaya Saman

I agree here!


Basically you would need a few components:


MTA / MDA / MUA


https://en.wikipedia.org/wiki/Message_transfer_agent


One way to do it would be something like: Postfix / Courier IMAP / Then 
bolt something like SquirrelMail on top for web UI client



There are many ways to achieve the same goal as in you don't have to use 
Postfix you could go for Sendmail or any other



However for you it might be a better option to go with Linux as @Jay 
suggested and then whack something like Scalix or Zimbra on top..



http://www.scalix.com/en/


https://www.zimbra.com/


That way you have a fully managed mail system right out of the box with 
granular control of what users can and can't do.



Regards,


Kaya


On 9/8/18 4:32 PM, Jay Hart wrote:

> Ken,
>
> I've run my own email server for 15 years now I think. I stick with Linux for 
> email server,
> OpenBSD for routing/firewall. I personally find this is the best of both 
> worlds...
>
> Just my 35 cents...
>
> Jay
>
>
>> Just curious how many of you use openbsd to run your own personal email server?
>> Do you find it a hassle to manage in any way?
>>
>> I know openbsd is perfectly fine for a mail server, don't get me wrong the
>> question is more about is it worth it to do yourself. Specifically I will
>> probably be doing it through a guest on vultr.
>>
>> Back story my family all has email addresses through the domain I have. Which
>> basically will forward to a gmail account. The kids accounts don't really
>> forward anywhere, they are place holders I guess. But they are getting old
>> enough to use their own accounts for things and not just through the school
>> which sets them up with google accounts to use through their chromebook.
>>
>> So my wife really doesn't like the idea of setting them loose on their own email
>> accounts, and I don't necessarily disagree with her, but I disagree on the way
>> to do it. In a gmail point of view all I can think of is shared passwords
>> for the kids. I don't like that because first of all they could change it,
>> second of all monitoring their email means literally reading their email.
>>
>> My wife and I have different views on privacy as well.
>>
>> I was thinking I could run my own email server to give them accounts there, and
>> at the same time instead of reading their email be able to more specifically
>> block certain senders, but also to scan the email for troubling words. In my
>> mind that is things like suicide, kill, etc.
>>
>> So I guess the end question, is for protecting the email of minors is running my
>> own email server, when I have never done it before on any OS, worth it over some
>> other solution. And yes I am very open to other suggestions for a solution, even
>> if it is something I have to pay for, to avoid sharing passwords or grotesque
>> privacy infringement of literally reading all their emails.
>>
>> Welcome to differences of opinion as well.  Thank you.
>>
>> Ken








Re: Running your own mail server

2018-09-08 Thread Ken M
On Sat, Sep 08, 2018 at 11:32:00AM -0400, Jay Hart wrote:
> Ken,
> 
> I've run my own email server for 15 years now I think. I stick with Linux for 
> email server,
> OpenBSD for routing/firewall. I personally find this is the best of both 
> worlds...
> 
> Just my 35 cents...
> 
> Jay
> 

Dare I ask, is there a specific technical reason for using Linux as your email
server. I ask as I already run a Debian web server on Digital Ocean.

Ken



Re: Running your own mail server

2018-09-08 Thread Jay Hart
Ken,

I've run my own email server for 15 years now I think. I stick with Linux for 
email server,
OpenBSD for routing/firewall. I personally find this is the best of both 
worlds...

Just my 35 cents...

Jay

> Just curious how many of you use openbsd to run your own personal email 
> server?
> Do you find it a hassle to manage in any way?
>
> I know openbsd is perfectly fine for a mail server, don't get me wrong the
> question is more about is it worth it to do yourself. Specifically I will
> probably be doing it through a guest on vultr.
>
> Back story my family all has email addresses through the domain I have. Which
> basically will forward to a gmail account. The kids accounts don't really
> forward anywhere, they are place holders I guess. But they are getting old
> enough to use their own accounts for things and not just through the school
> which sets them up with google accounts to use through their chromebook.
>
> So my wife really doesn't like the idea of setting them loose on their own 
> email
> accounts, and I don't necessarily disagree with her, but I disagree on the way
> to do it. In a gmail point of view all I can think of is shared passwords
> for the kids. I don't like that because first of all they could change it,
> second of all monitoring their email means literally reading their email.
>
> My wife and I have different views on privacy as well.
>
> I was thinking I could run my own email server to give them accounts there, 
> and
> at the same time instead of reading their email be able to more specifically
> block certain senders, but also to scan the email for troubling words. In my
> mind that is things like suicide, kill, etc.
>
> So I guess the end question, is for protecting the email of minors is running 
> my
> own email server, when I have never done it before on any OS, worth it over 
> some
> other solution. And yes I am very open to other suggestions for a solution, 
> even
> if it is something I have to pay for, to avoid sharing passwords or grotesque
> privacy infringement of literally reading all their emails.
>
> Welcome to differences of opinion as well.  Thank you.
>
> Ken
>
>




Running your own mail server

2018-09-08 Thread Ken M
Just curious how many of you use openbsd to run your own personal email server?
Do you find it a hassle to manage in any way?

I know openbsd is perfectly fine for a mail server, don't get me wrong the
question is more about is it worth it to do yourself. Specifically I will
probably be doing it through a guest on vultr.

Back story my family all has email addresses through the domain I have. Which
basically will forward to a gmail account. The kids accounts don't really
forward anywhere, they are place holders I guess. But they are getting old
enough to use their own accounts for things and not just through the school
which sets them up with google accounts to use through their chromebook.

So my wife really doesn't like the idea of setting them loose on their own email
accounts, and I don't necessarily disagree with her, but I disagree on the way
to do it. In a gmail point of view all I can think of is shared passwords
for the kids. I don't like that because first of all they could change it,
second of all monitoring their email means literally reading their email.

My wife and I have different views on privacy as well.

I was thinking I could run my own email server to give them accounts there, and
at the same time instead of reading their email be able to more specifically
block certain senders, but also to scan the email for troubling words. In my
mind that is things like suicide, kill, etc.

So I guess the end question, is for protecting the email of minors is running my
own email server, when I have never done it before on any OS, worth it over some
other solution. And yes I am very open to other suggestions for a solution, even
if it is something I have to pay for, to avoid sharing passwords or grotesque
privacy infringement of literally reading all their emails.

Welcome to differences of opinion as well.  Thank you.

Ken