On Tue, 17 Mar 2015 13:38:26 +0000, Dan Purgert wrote:

<snip>

> Didn't you just say that you were using a Debian box as your firewall/
> router?

Not yet. I'm still employed but have everything up and running in a VPS, and I have all the legal stuff in order like VAT and so on. Legally this means it's seen as a secondary activity. From the moment I quit, it becomes my main occupation. That's how it works over here. Currently I have my own VPS running but no business internet line yet, nor a Debian firewall, but that's the plan. Just thinking ahead on how I will get up and running as fast as possible :)

> Personally I have used Ubiquiti Edge Routers (ubnt.com), and they're
> really nice - based on Vyatta 6.3, rival bigger names in terms of
> routing performance, and are cheap ($100 for the 3-port model "ER Lite",
> and under $500 for the 8-port "ER-8". There's also a "PRO" variant of
> the 8-port that includes 2 SFP ports that're shared with 2 of the copper
> ports, and a 5-port model with PoE, but this is really only the ER Lite
> with a switch in the same case, so it's 2x routing ports + 3x switch
> ports, and might not fit in your situation).
>
> Here's the Datasheet for their routers -->
> http://dl.ubnt.com/datasheets/edgemax/EdgeRouter_Lite_DS.pdf

Thanks, looks like a simple and adequate solution.

> It's not "difficult" to get redundancy, though depending on the levels
> of redundancy you're after, it can get a bit complex.
>
> Easiest route is a cold spare -- buy a second of whatever router, config
> it exactly the same way, and then shut it down for use if / when the
> first one dies.
>
> Though you could always scale to multiple WAN connections spread across
> multiple routers, with OSPF / iBGP being used to manage the routes...
> but this is probably a bit much for a small business.

I should have been more clear about the use case. The cold spare in my case is enough. If a lot of other people would use services, that's something else, but I don't see that happening in the near future.

> Depends on how their router is configured, but this sounds about right.
> That said, in 99.5% of cases that I've seen the ISP-provided routers are
> absolute rubbish, and should be relegated to bridge-only mode so that
> you can use a better (i.e. more configurable) device to handle the
> tasks.

I didn't know that. Thank you for the information.

> If the email server is public already (in the DMZ zone), you'll probably
> have an easier (and still secure) time if you just have the clients
> using STARTTLS to access THAT server. Not that you couldn't set up a
> gateway / relay, but there is much to be said about the KISS principle.

The mail service is public on the VPS. There isn't a DMZ zone on that server. As you suggest, both Postfix and Dovecot are accessible via STARTTLS/SSL. If I read your comment correctly, you would leave the mail server config as it is, put it in a DMZ, and that's it? This would leave the mails also in the DMZ, but as you said, accessing mail can only be done over a secure connection (SSL). I have SSL certificates set up for this (for my website, and Dovecot).

>> - I have Roundcube (webmail) installed as well. I think I could handle
>> this by forwarding the requests from firewall to the internal mail
>> server.
>> Not sure if this is the safest way to do this.
>> One can of course argue about web mail in the first place.
>
> Again, might be easiest (best) to keep the entire mail service in the
> DMZ, including webmail.

OK, I would really like to go KISS :) Basically, if I end up with a local situation I would move the services to a local server in a DMZ zone. Otherwise, I could just keep the VPS to serve as our mail server.

>> - Central user and document management.
>> I would like to have a space on the file server where people could
>> store their own and shared documents. I think I would need NFS for this
>> (haven't used this before). The docs might need to be accessible from
>> Windows as well, although I really would like to only use Debian
>> machines for my own people. Otherwise, this would mean using Samba.
>
> If you need / want access to the file server from windows hosts, I'm
> pretty sure samba is your only solution.

That's what I thought.

>> My mail users are in a PostgreSQL database. I would like to keep it
>> that way if I would ever provide mail to customers.
>
> Sure. If you're selling email services, then you might need a dedicated
> DB box, but that's not exactly 'difficult'.

Indeed. There is some really great info regarding Postfix and keeping all the necessary info in a PostgreSQL db. If I would ever go with offering this as a service to users, I would use Django to build a web interface, but that's a whole different topic. In my current mail setup, I would need to provide a way for users to change their password. Maybe Roundcube has such a plugin.

>> I can see LDAP being useful to have central authentication.
>> It can be a challenge to set up though. Are there other ways of having a
>> simple central authentication?
>
> LDAP, and a couple of books on the subject. ;)

Hehe, in the past I have set up LDAP on my own home network with Samba. It worked great and I could log in from my Windows machine as well. The docs that I wrote back then will be horribly outdated by now :) I like using a CLI but not when dealing with LDAP. Are there any good GUI tools to manage an LDAP server? I have come across phpLDAPadmin. Is it any good?

>> I have thought about using a document management system from the start.
>> But I have only experience with commercial ones and that might be
>> overkill from the start. Besides, they are Windows based.
>
> You mean like git?

Funny you should say that. I have thought about using git for this. Are there people using git to keep track of docs? I suppose you need a hierarchical tree setup to put the docs in appropriate folders. For my own notes, I use a virtualenv with Sphinx for my docs in rst format, and generate HTML docs. It works great.

>> VPS
>> ===

<snip>

> file server should be local. However, there's no reason that you could
> not set up a local file server, and still run other services (e.g.
> email) off a VPS.

That is kind of a hybrid solution I was thinking of as well. That would mean keeping the VPS, and using a firewall and file server locally with whatever local services (LDAP, nginx) I need. Can't get more KISS than that.

>> Might make it a bit harder to fully manage reverse DNS. As for my
>> current VPS, I had to ask my VPS supplier to insert a reverse DNS
>> record for my mail server as I don't own the range and as such, can't
>> set the reverse DNS. If I would want to manage this myself, I would
>> need to reserve a small range with the VPS supplier.
>> I probably wouldn't need those in the case of receiving a range of
>> public IP addresses from the ISP that provides the company internet
>> line.
>> If I would use these public IP's, I wouldn't need the VPS range, and I
>> could manage my own reverse DNS and have the firewall forward the
>> traffic from these public IP's to the private IP's (well, also public
>> IP's because you get a public IP with every VPS) of the corresponding
>> VPS'es over the OpenVPN connection?
>
> I'm honestly not sure where you intended to go with this one?
> Realistically, you can do most (all) of what you want to do with a
> single public IP from your ISP. Multiple IPs just make it easier to
> work with.

I was referring to a problem I had when setting up my mail server on the VPS. I had set up reverse DNS, but no reverse DNS request made it to my DNS server, which was to be expected as I don't own the range; my VPS provider does. I needed to ask them to add a reverse DNS entry in their zone to have the public IP appointed to me point to my VPS server with the name I specified for my mail server. I thought I could avoid this if I have a range of public IP's. If I do, then the reverse DNS queries would probably make it to my DNS service. But I'm not sure about that.

> Depending on your ISP and their policies, you may need to work with them
> to get the reverse DNS entries added.

Indeed, as I had to do for my VPS.

Thanks for all the info. I appreciate it.

Regards,
Bene

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/me9j6m$e98$2...@ger.gmane.org
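The reverse DNS situation Bene describes, modelled offline as an added example that is not part of the thread: which in-addr.arpa zone the PTR for a mail host's address belongs to (and therefore who has to publish it), and the forward-confirmed reverse DNS check that receiving mail servers apply. All addresses, host names and zone data below are constructed, not the poster's real setup.

```python
"""Offline model of reverse DNS ownership and forward-confirmed rDNS.

The PTR for an address lives in the in-addr.arpa zone of whoever holds the
address block; a customer cannot publish it from their own forward zone.
Added example with constructed data, not the poster's real configuration.
"""
import ipaddress

# Constructed delegation table: reverse zone -> nameserver answering for it.
REVERSE_ZONE_NS = {
    "113.0.203.in-addr.arpa": "ns1.vps-provider.example",  # provider's /24
    "100.51.198.in-addr.arpa": "ns1.bene.example",         # delegated to customer
}
# Constructed PTR and A answers as those servers would return them.
PTR_RECORDS = {
    "25.113.0.203.in-addr.arpa": "mail.bene.example",
    "7.100.51.198.in-addr.arpa": "old-mail.bene.example",  # stale PTR
}
A_RECORDS = {
    "mail.bene.example": {"203.0.113.25"},
    "old-mail.bene.example": {"198.51.100.99"},
}


def reverse_zone(ip, prefix_len=24):
    """in-addr.arpa zone that must hold the PTR for `ip`, assuming the block
    is allocated on an octet boundary (/8, /16 or /24)."""
    if prefix_len % 8:
        raise ValueError("octet-aligned prefix required")
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    labels = net.network_address.reverse_pointer.split(".")
    drop = (32 - prefix_len) // 8  # host labels are not part of the zone name
    return ".".join(labels[drop:])


def who_answers_ptr(ip):
    """Nameserver a resolver would ask for the PTR of `ip` (None if unknown)."""
    return REVERSE_ZONE_NS.get(reverse_zone(ip))


def fcrdns(ip):
    """Forward-confirmed reverse DNS: ip -> PTR name -> A must contain ip.
    Returns (ok, detail) so a caller can log why a sender was rejected."""
    ptr_name = ipaddress.ip_address(ip).reverse_pointer
    name = PTR_RECORDS.get(ptr_name)
    if name is None:
        return False, f"no PTR at {ptr_name}"
    if ip not in A_RECORDS.get(name, set()):
        return False, f"PTR {name} does not resolve back to {ip}"
    return True, name


if __name__ == "__main__":
    for ip in ("203.0.113.25", "198.51.100.7", "192.0.2.1"):
        print(ip, reverse_zone(ip), who_answers_ptr(ip), fcrdns(ip))
```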