The last post: Building your own mail server, part 1

Email is one of those internet services that, like it or not, we all have to use. Yet the underlying protocols have been around since before the invention of spam (the electronic sort, of course), and have little in the way of protection. Internet email is far from perfect, but unless you …

Coat

in normal use, the load average is around 1.1.

1.1 what?


Re: in normal use, the load average is around 1.1.

I can see you're getting your coat, but maybe I'm not getting the joke. In case it's a serious question, here is a serious answer.

Vic

Re: in normal use, the load average is around 1.1.

1.1 what?

Just 1.1. Load averages are essentially[1] dimensionless.

1.1 also seems a little high; my server generally runs quite a bit lower than that (I was going to get some figures, but there is no mail at the moment, and it's actually showing 0.00).

Vic.

[1] It's actually the average number of processes in a runnable state at any point in time. You might be able to torture a unit out of that - but it's really not that important.


Re: in normal use, the load average is around 1.1.

I could probably bring it down a little with some tweaking - for instance, the screenshot shows a lot of Perl running, which is the various Amavisd-new child processes. Tweaking that down, and also the maximum number of simultaneous SMTP connections allowed would probably get it a lot lower.

Normally, I also have a couple of IMAP clients signed in continuously. And clamd is a bit of a hog too, at times. So, yes, I could tweak this down - but 1.1 on a system with two cores is perfectly livable with, and not really in the region where I need to worry about tinkering.

Silver badge

Is it just me or does this seem like a lot of effort and risk?

I admit I'm lazy and hopeless, but...


Re: Is it just me or does this seem like a lot of effort and risk?

A good few hours effort, for sure. Depends if you think the benefits outweigh that.

In terms of risk, probably less than there used to be - with a modern MTA, I think it's a bit less likely that you'll accidentally set up an open mail relay without intending to, whereas with Sendmail and some other old software, it was very easy to do that unwittingly.

Vic

Re: Is it just me or does this seem like a lot of effort and risk?

Setting up a mail server is actually really easy, and very worthwhile.

Where I differ significantly from the author is in the priorities for the system - I wouldn't be going out buying new kit to try this out. Find a duff old carcass - I've got them from the tip before - and just give it a go. If you decide it's worth your time and attention, *that's* the time to start looking for sexy hardware...

Vic.

Vic

Re: Is it just me or does this seem like a lot of effort and risk?

it's a bit less likely that you'll accidentally set up an open mail relay without intending to, whereas with Sendmail and some other old software, it was very easy to do that unwittingly.

No, that's very old, very stinky bait. sendmail generally comes configured not even to speak to the LAN; you have to make a deliberate effort to turn service on. Setting up an open relay requires you to read the documentation...

There's a lot of FUD spread about sendmail. It's actually a very good MTA, just as long as you don't try to understand the .cf file...

Vic.


Re: Is it just me or does this seem like a lot of effort and risk?

I wouldn't necessarily recommend buying a new server; this article was prompted by the new Revo, certainly - largely because it happened to turn up just when the old system went tits up.

So I agree, an old machine will probably work pretty well, and that's one reason why I thought it was worth using the cheap Revo here, to show what you can do without a massively specced machine.

If you stick with the generic OpenBSD kernel, too, you can probably get away with building this on an old machine, and then if you want to replace it, popping the drive into a new system and not having to do much more than tweak the settings for the network interface, which may have a different name depending on chipsets.

Vic

Re: Is it just me or does this seem like a lot of effort and risk?

If you stick with the generic OpenBSD kernel, too, you can probably get away with building this on an old machine, and then if you want to replace it, popping the drive into a new system and not having to do much more than tweak the settings for the network interface, which may have a different name depending on chipsets.

Indeed. I'd build this with Linux rather than OpenBSD - but that's more about familiarity than anything else. The two are pretty much equivalent.

The box that runs my business mail started out as an IBM Aptiva - 400MHz? Something like that. It was an old dog that I repurposed to try out a home server.

That personality now has none of the original hardware - it's now an Athlon64 (still running in 32-bit mode, though, because it's evolved from the Aptiva installation) running on a 2005 Winfast motherboard. Moving from one chassis to another is trivial in Linux (as it is in *BSD, IME).

Vic.


So, what do I do if I need to wipe the server before turning it over to a congressional committee? You know, like wipe it with a cloth? Is that supported?

Anonymous Coward

Use a Pi2

I've been running email servers at home ever since I got ADSL. I now use an rPi2 with an external disk. I use Postfix with Dovecot, with an authenticated submission port and IMAP over SSL with external inbound access. My rPi2 is a hidden gateway, and I have two externally facing SMTP MTAs running on cheap VPSes (£3 pm, also used for web servers, DNS, etc). On those servers I only run Postfix with DNS blacklists (zen.spamhaus.org and bl.spamcop.net), OpenDKIM to get more mail through to some servers (some will greylist you unless you have a valid DKIM sig) and Postfix anvil (to prevent those annoying dictionary-based email attacks). I don't use any AV - I get hardly any SPAM ever. Works a treat. The servers hardly break a sweat ever.

I have a long queuing time on the externally facing servers so my rPi2 can be down for up to a month before a mail is bounced - good when away on long hols if my ADSL fails. You really have to make sure you choose your VPSes/VMs well; you need to make sure your IP or AS isn't blacklisted and must have reverse DNS set up.

On top of this I use a different email address for every company or org I deal with. Just cut them off if they don't honour the unsubscribe etc.

Vic

Re: Use a Pi2

On top of this I use a different email address for every company or org I deal with. Just cut them off if they don't honour the unsubscribe etc.

This is one of the best bits of running your own mailserver - you can allocate and destroy email addresses on a whim. None of this easily-defeated "me+tag@example.com" addressing - you can have genuinely unique addresses for every single contact. And when they become a pain in the arse, they suddenly don't get to send you any email...

Vic.

Anonymous Coward

Re: Use a Pi2

Actually this very policy has outed many companies that have sold or had my details stolen from them. I seem to recall that thebookdepository and Santander were in that list - the former admitted the hack and apologised, the latter ignored all of my reports despite much effort to inform them that they'd been compromised!! I started getting spam to both my entirely separate Santander emails from the same spammers at the same time.

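The per-contact addressing that Vic and the Anonymous Coward describe above (a genuinely unique address per company, attribution of leaks, and cutting an address off when it turns bad) can be kept as a small registry that emits Postfix lookup tables. The following is an added example written for this page, not code from either poster: the domain, mailbox and contact names are constructed, and the table formats are those of Postfix's virtual_alias_maps and a check_recipient_access table.

```python
import secrets

# Added example (not code from the thread): one throwaway address per contact,
# with leak attribution and revocation expressed as Postfix lookup tables.
# The domain, mailbox and contact names are constructed for the example.
DOMAIN = "example.com"
REAL_MAILBOX = "me@example.com"


def issue_address(contact, registry):
    """Mint a random, unguessable local part for one contact and record who got it.

    Unlike 'me+contact@', the real mailbox name never appears in the address, so a
    spammer cannot strip a tag to reach the base address or guess another contact's."""
    local = secrets.token_hex(6)          # 12 lowercase hex chars, 48 bits of entropy
    address = f"{local}@{DOMAIN}"
    registry[address] = {"contact": contact, "active": True}
    return address


def who_leaked(recipient, registry):
    """Map a recipient address seen on unsolicited mail back to the contact it was issued to."""
    entry = registry.get(recipient.strip().lower())
    return entry["contact"] if entry else None


def revoke(address, registry):
    """Retire an address: it stays in the registry for attribution but is no longer delivered."""
    registry[address]["active"] = False


def attribute_leaks(spam_recipients, registry):
    """Return the set of contacts whose issued addresses received spam."""
    return {c for c in (who_leaked(r, registry) for r in spam_recipients) if c}


def postfix_virtual_map(registry):
    """Lines for a virtual_alias_maps table: live aliases -> the real mailbox."""
    return [f"{addr} {REAL_MAILBOX}" for addr, e in sorted(registry.items()) if e["active"]]


def postfix_recipient_access(registry):
    """Lines for a check_recipient_access table. A retired alias is refused at RCPT TO,
    so the message is never accepted and there is nothing to bounce or discard later."""
    return [f"{addr} REJECT address retired"
            for addr, e in sorted(registry.items()) if not e["active"]]


if __name__ == "__main__":
    reg = {}
    shop = issue_address("bookshop", reg)
    bank = issue_address("bank-web", reg)
    # Constructed: unsolicited mail turns up at the bookshop address only.
    print("leaked via:", attribute_leaks([shop.upper(), "random@example.com"], reg))
    revoke(shop, reg)
    print("\n".join(postfix_virtual_map(reg) + postfix_recipient_access(reg)))
```

Write the two lists to files, run postmap over them, and reference them from main.cf as virtual_alias_maps and, under smtpd_recipient_restrictions, check_recipient_access; the lookups are case-insensitive on the Postfix side, which is why the registry keys are kept lowercase too.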
Silver badge

Just my 2d worth ...

Add in amavis-milter - then you can do before-acceptance scanning. Almost all the howtos out there configure dual Postfix instances so it goes: accept mail and queue it, scan it, requeue it and deliver to mailbox. The problem is, you are now too late to reject it because it then becomes: accept mail and queue it, scan and reject it - now what? If you "bounce" it then you are now part of the problem as you'll generate huge amounts of backscatter. If you don't bounce it, do you bother telling the user - if so, then that's no more useful than just delivering the message and tagging it as spam. Or do you silently discard it, which is just so wrong in so many ways - which seems to be why all the big outfits do it.

With pre-queue scanning, it needs a bit more resource at message receipt time, but you have the option to reject the message outright. Any properly configured mail server will then notify the sender of any falsely tagged mail that their message has not been delivered, while spam software will just move on to the next.

Greylisting - most definitely, it gets rid of almost all my spam. There's a few niggles, but mostly it "just works" and you don't notice it.

I'd also suggest adding "Postfix Admin" - a nice web frontend for managing domains, mailboxes, etc.

And Policyd (aka Cluebringer) which provides a nice policy daemon (though fiddly to set up) that will handle quotas (message count/size), greylisting, and some other stuff.

And of course - go over to sslmate and get yourself a real certificate. It's not expensive, but the real benefit is that they provide config snippets for the common softwares, and it can manage renewals etc.

Vic

The porblem is, you are now too late to reject it because it then becomes : accept mail and queue it, scan and reject it - now what ? If you "bounce" it then you are now part of the problem as you'll generate huge amounts of backscatter.

My apologies, I can only upvote your post once...

I used to get endless recommendations for MailScanner. Now I've not looked recently, but at the time, that was purely accept-then-reject. And the backscatter just flows...

One significant tool I use is an SPF milter[1]. Many, many spammers still forge domain addresses, and this just stops them dead.

Vic.

[1] I've actually modified mine - although it's no longer fully RFC-compliant, I recommend the modification to everyone. I treat "+all" in SPF as "-all". I suspect "+all" was included for orthogonality, but I cannot for the life of me think of a single situation where it is anything but harmful - and I've seen lots of "+all" records in the wild :-(

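Vic's SPF milter and his "+all" rule are worth seeing in working form. The block below is an added example written for this page, not the poster's milter: an offline SPF check_host() covering the ip4, ip6, a, mx, include and all mechanisms, with the RFC 7208 lookup limit, and with the poster's non-standard treatment of "+all" as "-all" behind a flag. The `zone` dictionary is a constructed stand-in for DNS so the example runs without network access; the domains in it are documentation names, not real records.

```python
import ipaddress

# Added example, not the poster's milter: an offline SPF check_host() for the
# ip4/ip6/a/mx/include/all mechanisms. `zone` is a constructed stand-in for DNS:
#   "domain"            -> SPF TXT record text
#   ("a", "hostname")   -> list of addresses the name resolves to
#   ("mx", "domain")    -> addresses of the domain's MX hosts (MX->A step collapsed)
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10   # RFC 7208 s.4.6.4: more than 10 include/a/mx/ptr/exists terms is a permerror


def parse_spf(record):
    """Split a record into (qualifier, mechanism, argument) tuples; modifiers are ignored."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:                      # redirect= / exp= modifiers, not evaluated here
            continue
        qualifier = "+"                      # an unqualified mechanism means '+'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if ":" not in term and "/" in mech:  # 'a/24' form: prefix length, no host
            mech, _, cidr = mech.partition("/")
            arg = "/" + cidr
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_host(ip, domain, zone, plus_all_is_fail=True, _state=None):
    """Return pass/fail/softfail/neutral/none/permerror for `ip` claiming to send as `domain`.

    plus_all_is_fail applies the non-RFC rule from the post above: '+all' is evaluated
    as '-all', since a record that authorises every address on the Internet
    authorises every forger as well."""
    state = _state if _state is not None else {"lookups": 0}
    addr = ipaddress.ip_address(ip)
    record = zone.get(domain)
    if record is None:
        return "none"
    try:
        terms = parse_spf(record)
    except ValueError:
        return "permerror"
    for qualifier, mech, arg in terms:
        matched = False
        try:
            if mech == "all":
                matched = True
                if qualifier == "+" and plus_all_is_fail:
                    qualifier = "-"
            elif mech in ("ip4", "ip6"):
                # 'in' is False across address families, so ip4: never matches an IPv6 sender
                matched = addr in ipaddress.ip_network(arg, strict=False)
            elif mech in ("a", "mx", "include"):
                state["lookups"] += 1
                if state["lookups"] > MAX_DNS_LOOKUPS:
                    return "permerror"
                if mech == "include":
                    inner = check_host(ip, arg, zone, plus_all_is_fail, state)
                    if inner in ("none", "permerror"):
                        return "permerror"   # including a domain with no SPF is an error
                    matched = inner == "pass"  # fail/softfail/neutral inside just means 'no match'
                else:
                    target, _, prefix = arg.partition("/")
                    for host_ip in zone.get((mech, target or domain), []):
                        net = ipaddress.ip_network(f"{host_ip}/{prefix}" if prefix else host_ip,
                                                   strict=False)
                        if addr in net:
                            matched = True
                            break
            else:
                return "permerror"           # ptr/exists/unknown mechanisms are not modelled
        except ValueError:
            return "permerror"               # malformed address or network in the record
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                         # ran off the end with no 'all' term


if __name__ == "__main__":
    zone = {"example.com": "v=spf1 ip4:192.0.2.0/24 -all", "open.example": "v=spf1 +all"}
    print(check_host("192.0.2.7", "example.com", zone))               # pass
    print(check_host("203.0.113.9", "open.example", zone))            # fail under the +all rule
    print(check_host("203.0.113.9", "open.example", zone, False))     # pass per the RFC
```

A real milter would also have to deal with the envelope sender being empty (check the HELO name instead), with "redirect=" and with the 2-second-per-lookup and 20-void-lookup limits; none of that changes the evaluation shown here.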

The config I'll be describing has a pre-queue filter using amavis. I agree that's the best way to do things.


I'd recommend using a test domain first

Having mail thrown away by accident is really annoying, especially when you only have yourself to blame. So if you are new to this, get yourself a domain to play with, and set everything up the way it should be. And test it properly. Domain prices vary a lot between the TLDs, but the .info domains appear to be cheap at the moment (29 kroner = ~£3 for a year at my local DNS shop).

Having done this for 20+ years, my experience is that you shouldn't try this on a home connection. Too much hassle with ISP filtering ports, home DSL IPs being blacklisted etc. etc. And if you end up providing mail service to friends&family (and believe me, it will happen ...) then your home server suddenly needs to be up and running 24/7 - including power and Internet connection.

Much easier with a VPS somewhere, and it is cheaper on the power bill.

My own setup is based on https://workaround.org/ispmail/ - it uses Postfix and Dovecot on Linux. Sendmail? No way I'm gonna do another sendmail.cf voodoo dance again. QMail? Been there, done that - for 10+ years, actually, but it is definitely showing its age now; getting it to do spam filtering and avoiding backscatter mails was just too big a hassle.

Vic

Re: I'd recommend using a test domain first

Sendmail? No way I'm gonna do another sendmail.cf voodoo dance again.

As I keep saying, sendmail.cf is a horrific way to configure sendmail. sendmail.mc is easy.

There's little wrong with sendmail that can't be fixed with a bit of education for its admins...

Vic.

Silver badge

Couple of comments

Haven't had a chance to fully read the comments so apologies if I am repeating anyone.

I used to use Mailcleaner - www.mailcleaner.org as a free, fully customisable border protection with good forum support;

For Dynamic or Static IP, DNSExit can provide not only free tools to update the Dynamic aspect but for around US$20 a year, a backup MX/storage feature;

A lot of mail systems will bork at receiving mail from consumer IP addresses; likewise a lot of ISPs like to close off known mail ports to force the use of business broadband.

Hope some of this is useful. :)

Anonymous Coward

Attn: Normal people

If you are one of the willy-wavers saying how easy-peasy it all is, please move on to the next post.

Now I've got rid of them...

I've set up postfix / dovecot / amavis etc firstly for my own domain on my own (datacentre-based) server and then for various customers. The only real reason I can think of for finding out that smtps won't bloody work until you've uncommented the line that says " -o smtpd_sasl_auth_enable=yes" (whatever that means) is so that you can tell a customer that yes, you can set up their mail server.

If email is a tool to do your job the same as your car is a tool to get you there to do it, you should no more roll-your-own mailserver than you would build your own gearbox.

Any fricking uber-geeks still reading - yes, I also needed smtpd_tls_wrappermode.

Let the flames begin.

Vic

Re: Attn: Normal people

I've set up postfix ... -o smtpd_sasl_auth_enable=yes ... smtpd_tls_wrappermode

I use sendmail. I don't use any of those sorts of options - SSL is on by default.

Vic.

Anonymous Coward

Re: Attn: Normal people

"I use sendmail."

Now you have *two* problems.

(Runs away).

Silver badge

Re: Attn: Normal people

smtpd := smtp daemon, actually, the process that you connect to with your email client (outlook, thunderbird, icedove, whatever) to send emails (via SMTP).

sasl := Simple Authentication and Security Layer

auth := authentication

enable := !disable

= := = or "equals"

yes := !no

Basically, it means that for the smtpd daemon, set the "simple authentication and strong security layer" to "enabled" for "authentication". Hope that helps ...

As for wrappermode ... I will quote the postfix TLS readme:

TLS is sometimes used in the non-standard "wrapper" mode where a server always uses TLS, instead of announcing STARTTLS support and waiting for remote SMTP clients to request TLS service. Some clients, namely Outlook [Express] prefer the "wrapper" mode. This is true for OE (Win32 < 5.0 and Win32 >=5.0 when run on a port<>25 and OE (5.01 Mac on all ports).

It is strictly discouraged to use this mode from main.cf. If you want to support this service, enable a special port in master.cf and specify "-o smtpd_tls_wrappermode=yes" (note: no space around the "=") as an smtpd(8) command line option. Port 465 (smtps) was once chosen for this feature.

Basically, email clients tend to issue a STARTTLS to the server to say "Heydo, I wanna talk encrypted, you support that, right?" Outlook uses a wrapper mode instead - postfix discourages you from using it in the readme, I could not find anything in the actual cf file or google explaining why. Apparently non-standard.

Also, you would have to watch with Outlook, sometimes it insists on sending cleartext passwords over the wire, because, well, it detected mail server is not exchange.


Fail2Ban?

Great to see an article about this.

Been running my own mail server for over 15 years, Postfix + Spamassassin + Dovecot + (can't remember the AV software) + fail2ban.

Fail2ban is great, I see a lot of connections from spammers trying to brute crack users passwords and Fail2ban is set to ban them after 3 attempts, and it automatically unblocks these attempts after a couple of hours. (usual config time to unblock is a few minutes IIRC)

There are a couple of things in here I either never quite got working fully, or haven't used (GreyList) so will read the next installment closely.

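The fail2ban behaviour described above (count failed logins per source address, ban after three, lift the ban a couple of hours later) is a small amount of logic once the log lines are matched. The block below is an added example written for this page, not fail2ban's own code: the regexes are in the spirit of fail2ban's postfix-sasl and dovecot filters, and the sample log is constructed in the style of Postfix's SASL warning and Dovecot's imap-login auth-failure line, so it runs offline.

```python
import re
from datetime import datetime, timedelta

# Added example (not fail2ban itself): the core of what a fail2ban jail does for
# a mail server, run over constructed log lines. Thresholds mirror the poster's
# setup: ban after 3 failures, lift the ban automatically a couple of hours later.
FAILURE_PATTERNS = [
    re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F:.]+)\]: "
               r"SASL \w+ authentication failed"),
    re.compile(r"dovecot: (?:imap|pop3)-login: .*\(auth failed, \d+ attempts in \d+ secs\):"
               r".*\brip=(?P<ip>[0-9a-fA-F:.]+)"),
]
TIMESTAMP = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")


def parse_timestamp(line, year=2018):
    """syslog timestamps carry no year; the caller supplies it (the sample data uses 2018)."""
    m = TIMESTAMP.match(line)
    if not m:
        raise ValueError("no syslog timestamp")
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")


class Jail:
    def __init__(self, maxretry=3, findtime=600, bantime=7200):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)   # window in which failures are counted
        self.bantime = timedelta(seconds=bantime)     # how long a ban lasts before auto-unban
        self.failures = {}                            # ip -> recent failure times
        self.banned = {}                              # ip -> time the ban expires

    def expire(self, now):
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]

    def is_banned(self, ip, now):
        self.expire(now)
        return ip in self.banned

    def feed(self, line):
        """Consume one log line; return (ip, unban_time) if it triggered a ban, else None."""
        for pattern in FAILURE_PATTERNS:
            m = pattern.search(line)
            if m:
                break
        else:
            return None
        ip, now = m["ip"], parse_timestamp(line)
        self.expire(now)
        if ip in self.banned:
            return None                   # a straggler that raced the firewall rule; already handled
        recent = [t for t in self.failures.get(ip, []) if now - t <= self.findtime]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            del self.failures[ip]         # clean slate once the ban lapses
            return ip, self.banned[ip]
        return None


def run(log_text, jail):
    """Feed every line through the jail; return the bans as (ip, ISO unban time)."""
    bans = []
    for line in log_text.splitlines():
        event = jail.feed(line)
        if event:
            bans.append((event[0], event[1].isoformat()))
    return bans


# Constructed sample log: one address hammering the submission port (banned on the
# third failure), another probing slowly enough to stay under the window.
SAMPLE_LOG = """\
Jan 12 03:14:07 mail postfix/smtpd[2041]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 12 03:14:09 mail postfix/smtpd[2041]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 12 03:14:10 mail postfix/smtpd[2043]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jan 12 03:14:12 mail postfix/smtpd[2041]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 12 03:14:13 mail postfix/smtpd[2041]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 12 03:20:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Jan 12 05:30:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Jan 12 05:30:05 mail postfix/smtpd[2099]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

if __name__ == "__main__":
    for ip, until in run(SAMPLE_LOG, Jail()):
        print(f"ban {ip} until {until}")
```

The action (an iptables or pf rule, which the poster's fail2ban and the sshguard mentioned below both take care of) is deliberately left out; the part worth getting right is the counting, because a findtime that is too long bans your own users after a mistyped password on three devices, and a bantime that is too short just lets the dictionary attack resume.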

Re: Fail2Ban?

sshguard will do similar for you, and works nicely with the OpenBSD pf firewall. It's available as a package, and if you want to use it to catch SASL login attempts, there's a patch for that here


Re: Fail2Ban?

Ooops; correct link to the patch is http://www.djs.to/2013/10/1-postfix-sasl-support-for-sshguard/

