You look spammy if you don't have SPF or DKIM, and hopefully both. Your email 
will either be bounced or sent to a spam folder. You need a reverse pointer as 
well, but that shouldn't be an issue. The situation is actually worse than it 
sounds. ATT/SBC needs to whitelist you by IP if you are using a VPS. 
Spectrum/Charter just plain blocks many VPS with no recourse.

Regarding geofencing, look back at my post. I leave port 25 open to the world. 
I can receive email from any country. Using submission port 587 means you can 
geofence from where your employee sends and receives email. It does not affect 
your customers since they use port 25.

The reason I run my own email server is I got hacked when using a hosting 
service. The hacker used a vulnerability in RoundCube and could send email as 
me. My PayPal account password was then changed. The hacker was in Morocco. I'm 
sure Morocco is a fine country but I don't plan on visiting it and thus don't 
need to access my email from there. Note the hacker could have changed my email 
password too but didn't. To top it off, I don't even use RoundCube. Never use a 
browser for email.

When I set up my own email / webserver I made it a point to not use any GUI 
control panel. If there is no hook to change a password from a control panel 
then it won't happen. You reduce the attack surface. All passwords are SHA512.

You geofence all email ports except 25.

I also have a VPS using openvpn but it is on a different IP. That is a tunnel 
out of it to use the internet. Now, I think what you want to do is have 
openvpn show up as the local host. What you might want to do is join the 
postfix users group. I wouldn't bring up this kind of proxied email scheme you 
want to set up. Rather, just ask if it is possible to set up postfix/dovecot so 
that the user who will always be on a VPN can send and receive email. That is, I 
think it will boil down to permit local host and nothing else in certain 
places. There are guru status users there.

One thing you will learn about email servers is there are many programs to 
chain together. However, think of light bulbs in series. The more in the chain, 
the more likely it is to fail. I dropped SpamAssassin and amavisd due to poor 
reliability. That was when I used FreeBSD. I now run CentOS but just don't 
bother with those extra programs. I use RBLs for spam blocking. I use my brain 
for antivirus. Antivirus isn't all that good anyway. The key with antivirus is 
at what point in time do they recognize the file is a virus. I send all my 
malware links to virustotal.com and maybe two will recognize the link goes to 
malware.
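The "port 25 open to the world, every other mail port fenced" policy described above, written out as an nftables ruleset. This is an added illustration, not the poster's own configuration; the VPN subnet 10.8.0.0/24 and the 192.0.2.0/24 range standing in for a country allow-list are assumed placeholder values.

```nft
#!/usr/sbin/nft -f
# Added example: inbound MTA traffic on 25 stays reachable from any
# network (so customers abroad can still deliver mail), while the
# client-facing ports are only reachable from allow-listed sources.
flush ruleset

table inet mailfw {
    # Sources permitted to use submission/IMAP/POP: the VPN subnet plus
    # whatever country or office ranges the operator chooses to load.
    # 192.0.2.0/24 is a documentation range used here as a placeholder.
    set mail_clients {
        type ipv4_addr
        flags interval
        elements = { 10.8.0.0/24, 192.0.2.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # MTA-to-MTA delivery: open to the world, not geofenced.
        tcp dport 25 accept

        # Submission (587/465), IMAPS (993), POP3S (995): allow-list only.
        ip saddr @mail_clients tcp dport { 587, 465, 993, 995 } accept

        # Anything else hitting the client ports is logged, then dropped,
        # so fenced-off login attempts show up in the kernel log.
        tcp dport { 587, 465, 993, 995 } log prefix "mail-fence-drop: " drop

        # Admin SSH only over the VPN.
        ip saddr 10.8.0.0/24 tcp dport 22 accept
    }
}
```

The set only covers IPv4; a host that also listens on IPv6 needs a matching `ipv6_addr` set and `ip6 saddr` rule, otherwise the client ports are simply unreachable over IPv6 under the default drop policy.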

Original Message

From: rdiezmail-2...@yahoo.de
Sent: October 25, 2020 3:25 PM
To: li...@lazygranch.com
Cc: dovecot@dovecot.org
Subject: Re: Looking for a guide to collect all e-mail from the ISP mail server
> You need SPF and DKIM for your outgoing email to be accepted.
> [...]

I don't understand why that is the case (but keep in mind that I am a newbie).

Is it not possible to set up some internal SMTP server that only relays the 
e-mails to the external ISP SMTP server? The internal SMTP server would
then act like a normal user's Thunderbird.

At first I thought that the internal SMTP server would need to know the password 
for each mailbox user. But then I asked, and the ISP SMTP server
allegedly accepts any source e-mail address, as long as you are using one 
e-mail account that is valid in the domain. I wonder if that is standard
practice.


> My idea of a secure email server is to use submission port 587.
> Expose port 25 to the world and aggressively filter all remaining
> email ports with a firewall. And I mean aggressive. Geographically filter
> so only countries where your users reside can send and retrieve email.
> Block major hosting IP space.

Geo blocking can be problematic. Depending on the small business, some 
customers and suppliers may sit in China or some other geographical area you
would normally block.

I am too afraid, I would not expose any such port on the Internet. Who knows if 
the mail server stays months without an update. If I am to recommend
or implement any such mail server solution to a small business, I would insist 
that the e-mail server is not exposed at all on the Internet.

A web interface etc. is not a problem: I just connect with a VPN and bypass 
most external security issues. If you are the admin, you can also forward
the web interface over an SSH connection.

Best regards,
   rdiez