Re: home server for email box

2023-03-16 Thread Diane & Tim




Re: home server for email box

2023-03-13 Thread tomas
On Mon, Mar 13, 2023 at 08:56:04AM +0800, p...@ymail.ne.jp wrote:
> 
> 
> Jeremy Ardley wrote:
> >   * TLS connection with certificate that can't be verified
> 
> postfix can work this way. MTA to MTA doesn't require a valid
> certificate (Said by postfix's author on the list). But HTTPS does require.

When it doesn't, it's called HTTP ;-)

Cheers
-- 
t




Re: home server for email box

2023-03-13 Thread tomas
On Mon, Mar 13, 2023 at 03:35:20AM +0100, Vincent Lefevre wrote:
> On 2023-03-12 22:30:50 -0400, Jeffrey Walton wrote:
> > Security on a channel (like HTTPS) usually makes it tougher to inspect
> > traffic. Or at least it makes it tougher in HTTPS. In fact, spam
> > filters are mostly useless for messages encrypted with a tool like GPG
> > or GnuPG.
> 
> Are there spammers who send encrypted messages???
> This seems counterproductive.

It seems doable, but somewhat awkward. For a spammer to send me an
encrypted message, they would have to fetch my public key. This
would have to happen in an automated way (on spam, every millionth
of a cent counts). Doable, but given the population size (and
arguably, type) I don't think it would add up.

Of course, TLS is a whole different kettle of fish. On the one hand,
it's just the /transport/ which is secured (so the systems [1] on
both sides know the plaintext and can run whatever Bayes they like
on it). On the other hand, spammers can just get a LetsEncrypt
cert for only the setup cost -- so just having a "valid certificate"
wouldn't count very much towards the trust chain. Having a valid
certificate tied to the DNS would count a bit more (yes, someone
might lose control of their DNS, but those events are statistically
more sparse).

[1] I consider browsers more like MTAs as whole systems. They are
   operating systems in their own right, with knowledge about your
   hardware, running other people's code on your box and a small
   fractal of window managers, GUI toolkits, virtual machine Rube
   Goldbergisms and all that. For better or worse. Worse, if you
   ask me.

Cheers
-- 
t




Re: home server for email box

2023-03-12 Thread Vincent Lefevre
On 2023-03-12 22:30:50 -0400, Jeffrey Walton wrote:
> Security on a channel (like HTTPS) usually makes it tougher to inspect
> traffic. Or at least it makes it tougher in HTTPS. In fact, spam
> filters are mostly useless for messages encrypted with a tool like GPG
> or GnuPG.

Are there spammers who send encrypted messages???
This seems counterproductive.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: home server for email box

2023-03-12 Thread Jeffrey Walton
On Sun, Mar 12, 2023 at 9:05 PM Jeremy Ardley  wrote:
>
> On 13/3/23 06:39, Vincent Lefevre wrote:
> > O
> >> Each of those options has  been chosen by the mail list administrator.
> >>
> >> As a general principle it's a good thing to know the system sending you 
> >> mail
> >> is genuine. Given the variety, there is no point in rejecting the email if
> >> there is no certificate, but having a verified certificate could be used to
> >> streamline any anti-spam processes such as not greylisting. I don't know if
> >> postfix can do that yet, but it seems it would be a good thing.
> > I think that DNS attacks are rather rare. Though strong authentication
> > is useful for various kinds of application, it is much less important
> > for antispam (I doubt that spammers do DNS attacks to let their spam
> > through).
> >
> I'm not assuming DNS attacks, rather I was wondering if a valid
> certificate could give better 'customer service' i.e. quicker delivery
> of mail.
>
> Brief investigation suggests time consuming stuff happens before the
> certificate exchange - which in itself is expensive.
>
> However later processes could be expedited or improved with a valid
> certificate e.g. reducing content inspection or dropping some connection
> checks on emails from DNS names specified in the certificate

Email is store-and-forward. Ultimately, it is up to the recipient to
visit his/her/its mail server and download messages.

Security on a channel (like HTTPS) usually makes it tougher to inspect
traffic. Or at least it makes it tougher in HTTPS. In fact, spam
filters are mostly useless for messages encrypted with a tool like GPG
or GnuPG.

Jeff



Re: home server for email box

2023-03-12 Thread Vincent Lefevre
On 2023-03-13 09:05:28 +0800, Jeremy Ardley wrote:
> I'm not assuming DNS attacks, rather I was wondering if a valid certificate
> could give better 'customer service' i.e. quicker delivery of mail.

Spammers can present valid certificates (or spam through existing
mail services with a valid certificate), so I don't see much the
point.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: home server for email box

2023-03-12 Thread Jeremy Ardley



On 13/3/23 06:39, Vincent Lefevre wrote:

O

Each of those options has been chosen by the mail list administrator.

As a general principle it's a good thing to know the system sending you mail
is genuine. Given the variety, there is no point in rejecting the email if
there is no certificate, but having a verified certificate could be used to
streamline any anti-spam processes such as not greylisting. I don't know if
postfix can do that yet, but it seems it would be a good thing.

I think that DNS attacks are rather rare. Though strong authentication
is useful for various kinds of application, it is much less important
for antispam (I doubt that spammers do DNS attacks to let their spam
through).

I'm not assuming DNS attacks, rather I was wondering if a valid 
certificate could give better 'customer service' i.e. quicker delivery 
of mail.


Brief investigation suggests time consuming stuff happens before the 
certificate exchange - which in itself is expensive.


However later processes could be expedited or improved with a valid 
certificate e.g. reducing content inspection or dropping some connection 
checks on emails from DNS names specified in the certificate


--
Jeremy
(Lists)



Re: home server for email box

2023-03-12 Thread p...@ymail.ne.jp




Jeremy Ardley wrote:

  * TLS connection with certificate that can't be verified


postfix can work this way. MTA to MTA doesn't require a valid 
certificate (Said by postfix's author on the list). But HTTPS does require.


Yong



Re: home server for email box

2023-03-12 Thread Vincent Lefevre
On 2023-03-13 06:06:11 +0800, Jeremy Ardley wrote:
> On 13/3/23 05:52, Vincent Lefevre wrote:
> > Yes, but here, that's optional. So I'm wondering whether you really
> > miss anything. Note also that a client certificate may be sent only
> > if it is requested by the server, and if client certificates are
> > requested, then there are issues with some clients:
> > 
> > http://www.postfix.org/TLS_README.html#server_vrfy_client
> 
> That document refers to troublesome netscape clients (I didn't know Netscape
> did email?). Netscape went defunct in 2008 so there will be vanishingly few
> still using it.

The document also mentions qmail, which is still used nowadays,
e.g. by apache.org and opengroup.org. I suppose that if the
default is still "off", there's some reason.

> Observing my mailing lists I see several categories of mailer.
> 
>  * Anonymous TLS connection
>  * TLS connection with certificate that can't be verified
>  * TLS connection with certificate that can be verified
>  * TLS connection with verified R3 (letsencrypt) certificate.

"Anonymous TLS connection from" is what I always get when TLS is
used, and I suppose that's because my server doesn't request a
client certificate ("off"). That's for received mail.

When sending mail, I always have either of
  Trusted TLS connection established to
  Verified TLS connection established to
probably thanks to DANE (smtp_tls_security_level = dane).

> Each of those options has been chosen by the mail list administrator.
> 
> As a general principle it's a good thing to know the system sending you mail
> is genuine. Given the variety, there is no point in rejecting the email if
> there is no certificate, but having a verified certificate could be used to
> streamline any anti-spam processes such as not greylisting. I don't know if
> postfix can do that yet, but it seems it would be a good thing.

I think that DNS attacks are rather rare. Though strong authentication
is useful for various kinds of application, it is much less important
for antispam (I doubt that spammers do DNS attacks to let their spam
through).

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: home server for email box

2023-03-12 Thread Greg Wooledge
On Mon, Mar 13, 2023 at 06:06:11AM +0800, Jeremy Ardley wrote:
> That document refers to troublesome netscape clients (I didn't know Netscape
> did email?).

Back in the day, Netscape (the company) had two main software products:
Netscape Communicator (a full suite of web browser, email client, and
more), and Netscape Navigator, which was just the browser portion.

This was back before 98% of the world started using web-based email
services.



Re: home server for email box

2023-03-12 Thread Jeremy Ardley



On 13/3/23 05:52, Vincent Lefevre wrote:


Yes, but here, that's optional. So I'm wondering whether you really
miss anything. Note also that a client certificate may be sent only
if it is requested by the server, and if client certificates are
requested, then there are issues with some clients:

http://www.postfix.org/TLS_README.html#server_vrfy_client


That document refers to troublesome netscape clients (I didn't know 
Netscape did email?). Netscape went defunct in 2008 so there will be 
vanishingly few still using it.


Observing my mailing lists I see several categories of mailer.

 * Anonymous TLS connection
 * TLS connection with certificate that can't be verified
 * TLS connection with certificate that can be verified
 * TLS connection with verified R3 (letsencrypt) certificate.

Each of those options has been chosen by the mail list administrator.

As a general principle it's a good thing to know the system sending you 
mail is genuine. Given the variety, there is no point in rejecting the 
email if there is no certificate, but having a verified certificate 
could be used to streamline any anti-spam processes such as not 
greylisting. I don't know if postfix can do that yet, but it seems it 
would be a good thing.


--
Jeremy
(Lists)



Re: home server for email box

2023-03-12 Thread Vincent Lefevre
On 2023-03-12 07:21:55 +0100, to...@tuxteam.de wrote:
> On Sat, Mar 11, 2023 at 11:43:35PM +0100, Vincent Lefevre wrote:
> > But what's the point of a certificate in this particular case
> > (the server bendel.debian.org does not need to authenticate
> > the client)?
> 
> It is just part of the TLS protocol. You might configure your mail
> server to present a certificate to its peers. The usual TLS stuff,
> just wrapping SMTP.

Yes, but here, that's optional. So I'm wondering whether you really
miss anything. Note also that a client certificate may be sent only
if it is requested by the server, and if client certificates are
requested, then there are issues with some clients:

http://www.postfix.org/TLS_README.html#server_vrfy_client

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: home server for email box

2023-03-12 Thread Yassine Chaouche

Le 3/12/23 à 14:50, Greg Wooledge a écrit :

On Sun, Mar 12, 2023 at 12:13:54PM +0100, Yassine Chaouche wrote:

function net.ip.reputation(){
 revip=$(net.ip.reverse "$1")
 results=$(dig +short $revip.zen.spamhaus.org)
 [[ -z $results ]] && (echo "clean"; return 0)


You're calling return inside a subshell.  This doesn't actually return
from the function, since it occurs in a child process.

unicorn:~$ f() { true && (echo true; return 0); echo problem; }
unicorn:~$ f
true
problem

You either need to use "if", or use a curly-braced command group instead
of your parenthesized subshell command.

 [[ -z $results ]] && { echo "clean"; return 0; }

It would also be polite to declare your function's local variables as
"local".


 for result in $results


You're using 3 variables locally, so you could add

 local revip results result

at the top of the function.

Finally, you're relying on the output of "dig +short ..." to be safely
word-splittable.  I don't know whether this is always going to be true.
However, it does look like dig +short writes its output as a sequence
of items, one per line.  This means you can read them into an array
without performing word-splitting or globbing:

 mapfile -t results < <(dig +short "$revip".zen.spamhaus.org)
 if (( ${#results[@]} == 0 )); then
     echo clean
     return 0
 fi
 for result in "${results[@]}"
 do
     ...

The way you've got it *might* be OK.  I just don't know whether the
output of dig +short can ever contain internal whitespace or globbing
characters.  I'd rather not take that chance.




Thank you Greg, for your very valuable feedback,
care,
kindness,
and patience,
as usual.

function net.ip.reputation(){
    local revip result results
    revip=$(net.ip.reverse "$1")

    # parsing a string where spaces can be a problem
    # results=$(dig +short $revip.zen.spamhaus.org)

    # better way to retrieve results in an array (one line per A record)
    mapfile -t results < <(dig +short "$revip".zen.spamhaus.org)
    # brace group, not a subshell, so "return" leaves the function
    (( ! ${#results[@]} )) && { echo "clean"; return 0; }
    for result in "${results[@]}"
    do
        case "$result" in
            127.0.0.2)
                echo "SBL  : SPAM sender"
                ;;
            127.0.0.3)
                echo "CSS  : snowshoe"
                ;;
            127.0.0.[4-7])
                echo "XBL/CBL  : trojans, exploits"
                ;;
            127.0.0.1[01])
                echo "PBL(ISP) : not supposed to send mail"
                ;;
        esac
    done
    return 1
}


Best,
--
yassine -- sysadm
+213-779 06 06 23
http://about.me/ychaouche
Looking for side gigs.



Re: home server for email box

2023-03-12 Thread Greg Wooledge
On Sun, Mar 12, 2023 at 12:13:54PM +0100, Yassine Chaouche wrote:
> function net.ip.reputation(){
> revip=$(net.ip.reverse "$1")
> results=$(dig +short $revip.zen.spamhaus.org)
> [[ -z $results ]] && (echo "clean"; return 0)

You're calling return inside a subshell.  This doesn't actually return
from the function, since it occurs in a child process.

unicorn:~$ f() { true && (echo true; return 0); echo problem; }
unicorn:~$ f
true
problem

You either need to use "if", or use a curly-braced command group instead
of your parenthesized subshell command.

[[ -z $results ]] && { echo "clean"; return 0; }

It would also be polite to declare your function's local variables as
"local".

> for result in $results

You're using 3 variables locally, so you could add

local revip results result

at the top of the function.

Finally, you're relying on the output of "dig +short ..." to be safely
word-splittable.  I don't know whether this is always going to be true.
However, it does look like dig +short writes its output as a sequence
of items, one per line.  This means you can read them into an array
without performing word-splitting or globbing:

mapfile -t results < <(dig +short "$revip".zen.spamhaus.org)
if (( ${#results[@]} == 0 )); then
    echo clean
    return 0
fi
for result in "${results[@]}"
do
    ...

The way you've got it *might* be OK.  I just don't know whether the
output of dig +short can ever contain internal whitespace or globbing
characters.  I'd rather not take that chance.



Re: home server for email box

2023-03-12 Thread Yassine Chaouche

Le 3/10/23 à 12:44, to...@tuxteam.de a écrit :

On Fri, Mar 10, 2023 at 12:01:57PM +0100, Nicolas George wrote:

p...@ymail.ne.jp (12023-03-10):

Can I setup a mail server (postfix, dovecot, dkim, rspamd etc) on this box to 
receive/send email normally?


Probably not: ISPs declare IP blocks attributed to clients as “domestic”
and a lot of important e-mail operators block them.


It makes sense to check for that. But having a static routable IP
is a strong hint that it could work.

Have you more details for that "declaration" you hint at? How is
an IP "declared" as "domestic"?



If your IP is listed in the PBL,
then your ISP has declared it as domestic
(not supposed to send mail)

I use a simple bash function to know if an IP is listed or not in spamhaus ZEN 
list.

function net.ip.reverse(){ local IFS; IFS=.; set -- $1; echo $4.$3.$2.$1; }

function net.ip.reputation(){
    revip=$(net.ip.reverse "$1")
    results=$(dig +short $revip.zen.spamhaus.org)
    [[ -z $results ]] && (echo "clean"; return 0)
    for result in $results
    do
        case "$result" in
            127.0.0.2)
                echo "SBL : SPAM sender"
                ;;
            127.0.0.3)
                echo "CSS : snowshoe"
                ;;
            127.0.0.[4-7])
                echo "XBL/CBL: trojans, exploits"
                ;;
            127.0.0.1[01])
                echo "PBL(ISP) : not supposed to send mail"
                ;;
        esac
    done
    return 1
}

Beware that this function doesn't work if you use an open resolver like 
8.8.8.8/8.8.4.4.
If you don't have your own DNS server setup,
you can try with OpenDNS servers
(208.67.222.222/208.67.220.220)

You can use the OpenDNS resolver by changing this line (dig takes the
server to query after an "@"):
results=$(dig +short $revip.zen.spamhaus.org @208.67.222.222)

Some examples:

root@messagerie-principale[10.10.10.19] ~ # mail.spam.report | grep -o $REGX_IP 
| sort | uniq | head -3 | while read IP; do echo $IP; net.ip.reputation $IP; 
done;
101.43.66.163
XBL/CBL: trojans, exploits
102.152.254.85
XBL/CBL: trojans, exploits
PBL(ISP) : not supposed to send mail
103.132.168.165
XBL/CBL: trojans, exploits
PBL(ISP) : not supposed to send mail
root@messagerie-principale[10.10.10.19] ~ #

Best,

--
yassine -- sysadm
+213-779 06 06 23
http://about.me/ychaouche
Looking for side gigs.



Re: home server for email box

2023-03-12 Thread Yassine Chaouche




Le 3/10/23 à 22:04, Jeremy Ardley a écrit :


On 10/3/23 23:52, Henning Follmann wrote:


Well "could" is the best way to describe the chances of this working.

I think the best way to find out:
Check if the ISP will allow you to set the reverse DNS record matching
your chosen A record.
If they do, GREAT! If they don't, you most likely will not be happy in the
long run.


All you need to do is generate an SPF record authorising your fixed IP(s) to 
send mail for your domain(s).

You don't need to have control over the forward and reverse DNS of the 
IPs, but it is pretty much required that your ISP has forward and reverse 
entries for them.



Don't mail server operators/providers check for the PTR?
I thought you better have that setup.

Best,
--
yassine -- sysadm
+213-779 06 06 23
http://about.me/ychaouche
Looking for side gigs.



Re: home server for email box

2023-03-12 Thread Yassine Chaouche

Le 3/10/23 à 12:44, to...@tuxteam.de a écrit :

On Fri, Mar 10, 2023 at 12:01:57PM +0100, Nicolas George wrote:

p...@ymail.ne.jp (12023-03-10):

Can I setup a mail server (postfix, dovecot, dkim, rspamd etc) on this box to 
receive/send email normally?


Probably not: ISPs declare IP blocks attributed to clients as “domestic”
and a lot of important e-mail operators block them.


It makes sense to check for that. But having a static routable IP
is a strong hint that it could work.

Have you more details for that "declaration" you hint at? How is
an IP "declared" as "domestic"?


Where I live (Algeria),
ISPs have two offerings:
pro and domestic.

If you take domestic,
your server will be listed in spamhaus PBL,
which is the list of servers not supposed to send mail
(sending from a "domestic" IP)

It is the ISP who declares an IP as such,
spamhaus uses that info to classify spam.

Best,
--
yassine -- sysadm
+213-779 06 06 23
http://about.me/ychaouche
Looking for side gigs.



Re: home server for email box

2023-03-11 Thread tomas
On Sat, Mar 11, 2023 at 11:43:35PM +0100, Vincent Lefevre wrote:
> On 2023-03-11 05:13:36 +0800, Jeremy Ardley wrote:
> > I just checked the headers of this mail as received from the list. I was a
> > bit surprised (pleasantly) to see debian is using IPv6 mail services.
> > 
> > The headers show my dual stack edge router/mailer used an IPv6 connection to
> > Bendel rather than an IPv4 connection.
> > 
> > Received: from edge.bronzemail.com 
> > (2403-5800-c000-1b7-f3d4-d970-ca28-bf4f.ip6.aussiebb.net 
> > [IPv6:2403:5800:c000:1b7:f3d4:d970:ca28:bf4f])
> > (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
> >  key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest 
> > SHA256)
> > (Client did not present a certificate)
> > by bendel.debian.org (Postfix) with ESMTPS id 79E372070F
> > for ; Fri, 10 Mar 2023 21:04:57 + 
> > (UTC)
> > 
> > (Now to figure out why 'client did not present a certificate'. The
> > edge router/mailer has a letsencrypt certificate, so I guess I'll
> > have to tweak postfix a bit.)
> 
> Possibly due to IPv6, which yields the
> 2403-5800-c000-1b7-f3d4-d970-ca28-bf4f.ip6.aussiebb.net
> hostname, which is different from IPv4?
> 
> But what's the point of a certificate in this particular case
> (the server bendel.debian.org does not need to authenticate
> the client)?

It is just part of the TLS protocol. You might configure your mail
server to present a certificate to its peers. The usual TLS stuff,
just wrapping SMTP.

Cheers
-- 
t




Re: home server for email box

2023-03-11 Thread Vincent Lefevre
On 2023-03-11 05:39:20 +0800, Jeremy Ardley wrote:
> Sort of off topic. I've given up entirely on rbl. Every commented out option
> has had some type of intermittent failure resulting in lost or delayed valid
> incoming mail.
> 
> I now put up with a tiny fraction of spam that's managed well enough by
> spamassassin and postscreen
> 
> smtpd_recipient_restrictions =
>    permit_sasl_authenticated
>    permit_mynetworks
>    reject_unauth_destination
>    reject_invalid_hostname
>    reject_non_fqdn_hostname
>    reject_non_fqdn_sender
>    reject_non_fqdn_recipient
>    reject_unknown_sender_domain
> #   reject_rbl_client cbl.abuseat.org
> #   reject_rbl_client dnsbl-1.uceprotect.net
> #   reject_rbl_client dnsbl.sorbs.net
> #   reject_rbl_client spam.spamrats.com
> #   reject_rbl_client dyna.spamrats.com
> #   reject_rbl_client noptr.spamrats.com
> #   reject_rbl_client bl.spamcop.net
> #   reject_rbl_client dnsbl.sorbs.net
> #   reject_rbl_client sbl.spamhaus.org
> #   reject_rhsbl_helo dbl.spamhaus.org
> #   reject_rhsbl_reverse_client dbl.spamhaus.org
> #   reject_rhsbl_sender dbl.spamhaus.org
> 
> #   reject_rbl_client cbl.abuseat.org

Why not use postscreen for RBLs?

FYI, I've been using the following for quite a long time:

postscreen_blacklist_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[0..255]*3
  b.barracudacentral.org*2
  bl.spameatingmonkey.net
  dnsbl.ahbl.org
  bl.spamcop.net
  swl.spamhaus.org*-4
  list.dnswl.org=127.[0..255].[0..255].0*-2
  list.dnswl.org=127.[0..255].[0..255].1*-3
  list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3

IIRC, this more or less comes from the postfix-users mailing-list.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: home server for email box

2023-03-11 Thread Vincent Lefevre
On 2023-03-11 05:13:36 +0800, Jeremy Ardley wrote:
> I just checked the headers of this mail as received from the list. I was a
> bit surprised (pleasantly) to see debian is using IPv6 mail services.
> 
> The headers show my dual stack edge router/mailer used an IPv6 connection to
> Bendel rather than an IPv4 connection.
> 
> Received: from edge.bronzemail.com 
> (2403-5800-c000-1b7-f3d4-d970-ca28-bf4f.ip6.aussiebb.net 
> [IPv6:2403:5800:c000:1b7:f3d4:d970:ca28:bf4f])
>   (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
>key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest 
> SHA256)
>   (Client did not present a certificate)
>   by bendel.debian.org (Postfix) with ESMTPS id 79E372070F
>   for ; Fri, 10 Mar 2023 21:04:57 + 
> (UTC)
> 
> (Now to figure out why 'client did not present a certificate'. The
> edge router/mailer has a letsencrypt certificate, so I guess I'll
> have to tweak postfix a bit.)

Possibly due to IPv6, which yields the
2403-5800-c000-1b7-f3d4-d970-ca28-bf4f.ip6.aussiebb.net
hostname, which is different from IPv4?

But what's the point of a certificate in this particular case
(the server bendel.debian.org does not need to authenticate
the client)?

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: home server for email box

2023-03-11 Thread Michel Verdier
Le 10 mars 2023 Jeremy Ardley a écrit :

> postconf mail_version
> mail_version = 3.5.17
> But with a 'long matured' main.cf

Proof of quality for postfix on debian :)

> smtpd_helo_restrictions =
>permit_mynetworks
>permit_sasl_authenticated
>reject_invalid_helo_hostname
>reject_non_fqdn_helo_hostname
>reject_unknown_helo_hostname
>
> Is it required to remove the reject_invalid_hostname and 
> reject_non_fqdn_hostname from smtpd_recipient_restrictions ?

Not required, but since you check the same first in helo you don't really
need it during recipient tests if you set:
smtpd_helo_required = yes
else helo can be skipped. And if you don't require helo, restrictions can
easily be bypassed.
https://www.postfix.org/postconf.5.html#smtpd_helo_required
Choose your best way :)



Re: home server for email box

2023-03-10 Thread tomas
On Sat, Mar 11, 2023 at 05:04:48AM +0800, Jeremy Ardley wrote:
> 
> On 10/3/23 23:52, Henning Follmann wrote:
> > 
> > Well "could" is the best way to describe the chances of this working.
> > 
> > I think the best way to find out:
> > Check if the ISP will allow you to set the reverse DNS record matching
> > your chosen A record.
> > If they do, GREAT! If they don't, you most likely will not be happy in the
> > long run.
> 
> All you need to do is generate an SPF record authorising your fixed IP(s) to
> send mail for your domain(s).

For those mail providers which go by SPF/DKIM. Some go by reverse DNS,
some by some kind of RBL, some by voodoo.

Unfortunately, there is some creativity in there. I guess this is in
part intended, since big players see a decentralised comms infrastructure
as a threat to their (silo) business model.

Alas.

Cheers
-- 
t




Re: Re: home server for email box

2023-03-10 Thread pyh
They are really entire. Thanks for the info.

Yong



Re: home server for email box

2023-03-10 Thread Lukasz Szybalski
https://flurdy.com/docs/postfix/

This has probably the most info in one spot.
Enjoy.



__
Lucas
https://w5hnews.com/category/linux

On Fri, Mar 10, 2023, 4:39 AM  wrote:

> Hello,
>
>
> I have a home server with static IP from the ISP. The server has debian 11
> installed.
>
> Can I setup a mail server (postfix, dovecot, dkim, rspamd etc) on this box
> to receive/send email normally?
>
> Or do you guys have this similar operation?
>
>
>
> Thanks
>
> Yong
>


Re: home server for email box

2023-03-10 Thread gene heskett

On 3/10/23 15:57, Brian wrote:

On Fri 10 Mar 2023 at 10:52:20 -0500, Henning Follmann wrote:


On Fri, Mar 10, 2023 at 12:44:25PM +0100, to...@tuxteam.de wrote:

On Fri, Mar 10, 2023 at 12:01:57PM +0100, Nicolas George wrote:

p...@ymail.ne.jp (12023-03-10):

Can I setup a mail server (postfix, dovecot, dkim, rspamd etc) on this box to 
receive/send email normally?


Probably not: ISPs declare IP blocks attributed to clients as “domestic”
and a lot of important e-mail operators block them.


It makes sense to check for that. But having a static routable IP
is a strong hint that it could work.


Well "could" is the best way to describe the chances of this working.


Agreed. Having a static routeable IP is a good start, but what is
in the DNS rules.


I think the best way to find out:
Check if the ISP will allow you to set the reverse DNS record matching
your chosen A record.


Mine was unsettable by me but the ISP was co-operative and set it
up.


If they do, GREAT! If they don't, you most likely will not be happy in the
long run.


My opinion is that unhappiness is guaranteed.

I kicked verizon and its 50+ year old buried cable to the back fence and 
went to the local cable for both phone and net 15+ years ago. Shentel 
assigns ipv4's according to the mac of the router requesting a connection, so 
I've been cloning router mac's for at least that long, and so dependably 
that the link in my sig is in the middle of its 4th renewal at namecheap.


Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: home server for email box

2023-03-10 Thread Jeremy Ardley



On 11/3/23 06:09, Michel Verdier wrote:

Le 10 mars 2023 Jeremy Ardley a écrit :


smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_sender_domain

If I read the docs reject_invalid_hostname and reject_non_fqdn_hostname
are for postfix version < 2.3. Now it's reject_non_fqdn_helo_hostname and
reject_invalid_helo_hostname to put on smtpd_helo_restrictions. You have
an old Debian?


postconf mail_version
mail_version = 3.5.17
But with a 'long matured' main.cf

This is my existing:

smtpd_helo_restrictions =
   permit_mynetworks
   permit_sasl_authenticated
   reject_invalid_helo_hostname
   reject_non_fqdn_helo_hostname
   reject_unknown_helo_hostname

Is it required to remove the reject_invalid_hostname and 
reject_non_fqdn_hostname from smtpd_recipient_restrictions ?

--

Jeremy
(Lists)



Re: home server for email box

2023-03-10 Thread Michel Verdier
Le 10 mars 2023 Jeremy Ardley a écrit :

> smtpd_recipient_restrictions =
>    permit_sasl_authenticated
>    permit_mynetworks
>    reject_unauth_destination
>    reject_invalid_hostname
>    reject_non_fqdn_hostname
>    reject_non_fqdn_sender
>    reject_non_fqdn_recipient
>    reject_unknown_sender_domain

If I read the docs reject_invalid_hostname and reject_non_fqdn_hostname
are for postfix version < 2.3. Now it's reject_non_fqdn_helo_hostname and
reject_invalid_helo_hostname to put on smtpd_helo_restrictions. You have
an old Debian?



Re: home server for email box

2023-03-10 Thread Jeremy Ardley

On 11/3/23 05:27, Michel Verdier wrote:

Le 10 mars 2023 Jeremy Ardley a écrit :


You may run into problems if your IP address is in a range that is blacklisted
due to some addresses being used to spam. I'm not sure if IPv6 ranges have got
into that category as yet.

spamhaus has an IPv6 drop list. Smaller than ipv4 but some yet
https://www.spamhaus.org/drop/


Sort of off topic. I've given up entirely on rbl. Every commented out 
option has had some type of intermittent failure resulting in lost or 
delayed valid incoming mail.


I now put up with a tiny fraction of spam that's managed well enough by 
spamassassin and postscreen


smtpd_recipient_restrictions =
   permit_sasl_authenticated
   permit_mynetworks
   reject_unauth_destination
   reject_invalid_hostname
   reject_non_fqdn_hostname
   reject_non_fqdn_sender
   reject_non_fqdn_recipient
   reject_unknown_sender_domain
#   reject_rbl_client cbl.abuseat.org
#   reject_rbl_client dnsbl-1.uceprotect.net
#   reject_rbl_client dnsbl.sorbs.net
#   reject_rbl_client spam.spamrats.com
#   reject_rbl_client dyna.spamrats.com
#   reject_rbl_client noptr.spamrats.com
#   reject_rbl_client bl.spamcop.net
#   reject_rbl_client dnsbl.sorbs.net
#   reject_rbl_client sbl.spamhaus.org
#   reject_rhsbl_helo dbl.spamhaus.org
#   reject_rhsbl_reverse_client dbl.spamhaus.org
#   reject_rhsbl_sender dbl.spamhaus.org

#   reject_rbl_client cbl.abuseat.org

postscreen_access_list = permit_mynetworks
postscreen_blacklist_action = drop
postscreen_greet_action = enforce

--
Jeremy
(Lists)



Re: home server for email box

2023-03-10 Thread Michel Verdier
On 10 March 2023 Jeremy Ardley wrote:

> You may run into problems if your IP address is in a range that is blacklisted
> due to some addresses being used to spam. I'm not sure if IPv6 ranges have got
> into that category as yet.

spamhaus has an ipv6 drop list. Smaller than ipv4 but some yet
https://www.spamhaus.org/drop/



Re: home server for email box

2023-03-10 Thread Jeremy Ardley



On 11/3/23 05:04, Jeremy Ardley wrote:
> All you need to do is generate an SPF record authorising your fixed 
> IP(s) to send mail for your domain(s).
> 
> You don't need to have control over the forward and reverse DNS 
> of the IPs, but it is pretty much required that your ISP has forward 
> and reverse entries for them.
> 
> In my case I have a static IPv4 from which much of my mail is sent 
> (too few IPv6 mail servers as yet). I also have an IPv6 /56 range and 
> I authorize a very small part of that range to send mail on my behalf.
> 
> You may run into problems if your IP address is in a range that is 
> blacklisted due to some addresses being used to spam. I'm not sure if 
> IPv6 ranges have got into that category as yet.


I just checked the headers of this mail as received from the list. I was 
a bit surprised (pleasantly) to see debian is using IPv6 mail services.


The headers show my dual stack edge router/mailer used an IPv6 
connection to Bendel rather than an IPv4 connection.


Received: from edge.bronzemail.com 
(2403-5800-c000-1b7-f3d4-d970-ca28-bf4f.ip6.aussiebb.net 
[IPv6:2403:5800:c000:1b7:f3d4:d970:ca28:bf4f])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest 
SHA256)
(Client did not present a certificate)
by bendel.debian.org (Postfix) with ESMTPS id 79E372070F
for ; Fri, 10 Mar 2023 21:04:57 + 
(UTC)

(Now to figure out why 'client did not present a certificate'. The edge 
router/mailer has a letsencrypt certificate, so I guess I'll have to tweak 
postfix a bit.)

--
Jeremy
(Lists)
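The Received header quoted above is the kind of thing worth checking systematically on a home mail server, since it records the TLS version, cipher and whether the client offered a certificate for every hop. The parser below is an added example (editor code, not Postfix's): it unfolds a Postfix-style Received header, pulls out those fields and returns a short list of findings a defender would want to see. The two sample headers are constructed with documentation names and addresses, modelled on the one in the thread.

```python
"""Parse a Postfix-style Received header and report the TLS details of the hop.

Added example, not Postfix code. SAMPLE_HEADER and PLAIN_HEADER are
constructed (documentation names/addresses), modelled on the header quoted
in the thread; the field layout is the one Postfix writes for ESMTPS hops.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_HEADER = """Received: from edge.example.org
\t(host-bf4f.ip6.isp.example [IPv6:2001:db8:c000:1b7::bf4f])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
\t key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
\tSHA256)
\t(Client did not present a certificate)
\tby mx.example.net (Postfix) with ESMTPS id 0123456789AB
\tfor <user@example.net>; Fri, 10 Mar 2023 21:04:57 +0000 (UTC)"""

# A hop that arrived without STARTTLS at all (constructed).
PLAIN_HEADER = """Received: from relay.example (unknown [192.0.2.5])
\tby mx.example.net (Postfix) with ESMTP id 00DEADBEEF
\tfor <user@example.net>; Fri, 10 Mar 2023 21:10:00 +0000 (UTC)"""


@dataclass
class Hop:
    helo_name: str                      # name the client gave in HELO/EHLO
    reverse_name: Optional[str]         # PTR name Postfix resolved, None if 'unknown'
    ip: Optional[str]
    protocol: Optional[str]             # SMTP, ESMTP, ESMTPS, ESMTPSA, ...
    tls_version: Optional[str]
    cipher: Optional[str]
    client_cert_presented: Optional[bool]  # None when the header says nothing
    by_host: Optional[str]
    queue_id: Optional[str]


def unfold(header: str) -> str:
    """Join RFC 5322 folded continuation lines into a single line."""
    return re.sub(r"\r?\n[ \t]*", " ", header.strip())


def parse_received(header: str) -> Hop:
    text = unfold(header)
    if text.lower().startswith("received:"):
        text = text[len("received:"):].strip()
    m_from = re.match(r"from\s+(\S+)(?:\s+\(([^\s\[\]()]+)\s+\[(?:IPv6:)?([^\]]+)\]\))?", text)
    if not m_from:
        raise ValueError("not a 'from ...' Received header")
    helo, rdns, ip = m_from.group(1), m_from.group(2), m_from.group(3)
    if rdns == "unknown":
        rdns = None
    m_tls = re.search(r"\(using (TLSv[\d.]+) with cipher (\S+)", text)
    m_proto = re.search(r"\bwith\s+(L?E?SMTPS?A?)\b", text)
    m_by = re.search(r"\bby\s+(\S+)", text)
    m_id = re.search(r"\bid\s+([0-9A-Za-z]+)", text)
    if "Client did not present a certificate" in text:
        cert: Optional[bool] = False
    elif re.search(r"\(Client CN ", text):
        cert = True
    else:
        cert = None
    return Hop(
        helo_name=helo, reverse_name=rdns, ip=ip,
        protocol=m_proto.group(1) if m_proto else None,
        tls_version=m_tls.group(1) if m_tls else None,
        cipher=m_tls.group(2) if m_tls else None,
        client_cert_presented=cert,
        by_host=m_by.group(1) if m_by else None,
        queue_id=m_id.group(1) if m_id else None,
    )


def tls_findings(hop: Hop) -> List[str]:
    """Things an operator would want flagged for this hop."""
    findings = []
    if hop.tls_version is None:
        findings.append("no TLS on this hop")
    elif hop.tls_version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"legacy {hop.tls_version}")
    if hop.client_cert_presented is False:
        findings.append("client presented no certificate")
    return findings


if __name__ == "__main__":
    for raw in (SAMPLE_HEADER, PLAIN_HEADER):
        hop = parse_received(raw)
        print(hop.helo_name, hop.ip, hop.tls_version, hop.cipher, tls_findings(hop))
```

On the "Client did not present a certificate" line: Postfix only sends a client certificate on outbound connections when smtp_tls_cert_file and smtp_tls_key_file are set for the smtp client, separately from the smtpd_tls_* settings that serve the certificate to inbound connections, which is the tweak the message above is alluding to.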



Re: home server for email box

2023-03-10 Thread Jeremy Ardley



On 10/3/23 23:52, Henning Follmann wrote:
> Well "could" is the best way to describe the chances of this working.
> 
> I think the best way to find out:
> Check if the ISP will allow you to set the reverse DNS record matching
> your chosen A record.
> If they do, GREAT! If they don't, you most likely will not be happy in the
> long run.


All you need to do is generate an SPF record authorising your fixed 
IP(s) to send mail for your domain(s).


You don't need to have control over the forward and reverse DNS of 
the IPs, but it is pretty much required that your ISP has forward and 
reverse entries for them.


In my case I have a static IPv4 from which much of my mail is sent (too 
few IPv6 mail servers as yet). I also have an IPv6 /56 range and I 
authorize a very small part of that range to send mail on my behalf.


You may run into problems if your IP address is in a range that is 
blacklisted due to some addresses being used to spam. I'm not sure if 
IPv6 ranges have got into that category as yet.


--
Jeremy
(Lists)
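The SPF record mentioned in this message and in the follow-up above (a fixed IPv4 address plus a small slice of an IPv6 /56) is simple enough to build and check by hand. The code below is an added example, not anything from the thread and not a full RFC 7208 implementation: it handles only the ip4, ip6 and all mechanisms, which is all a fixed-address home server needs, and refuses the DNS-dependent ones (include, a, mx, exists, ptr, redirect). The domain, addresses and prefixes are constructed documentation values.

```python
"""Build and evaluate a minimal SPF record for a fixed set of sender addresses.

Added example, not from the thread and not a full RFC 7208 evaluator:
only ip4, ip6 and all are supported. Addresses below are documentation
values chosen for the example.
"""
import ipaddress

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _fmt(net) -> str:
    """Single addresses without the /32 or /128 suffix, prefixes as CIDR."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def _nets(items, version):
    nets = [ipaddress.ip_network(n, strict=False) for n in items]
    for net in nets:
        if net.version != version:
            raise ValueError(f"{net} is not IPv{version}")
    return nets


def build_spf(ip4=(), ip6=(), fail="-") -> str:
    """TXT value authorising the given IPv4/IPv6 addresses or prefixes.

    fail is the qualifier for every other sender: '-' (hard fail) or
    '~' (softfail).  Keep the authorised set as small as possible; a whole
    /56 in an ip6 term authorises every host you will ever put in it.
    """
    if fail not in ("-", "~"):
        raise ValueError("fail must be '-' or '~'")
    terms = ["v=spf1"]
    terms += ["ip4:" + _fmt(n) for n in _nets(ip4, 4)]
    terms += ["ip6:" + _fmt(n) for n in _nets(ip6, 6)]
    terms.append(fail + "all")
    return " ".join(terms)


def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate sender_ip against record: pass, fail, softfail or neutral."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULT_BY_QUALIFIER[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            # An ip4 term never matches an IPv6 sender and vice versa.
            if ip.version == net.version and ip in net:
                return RESULT_BY_QUALIFIER[qualifier]
            continue
        raise NotImplementedError(f"mechanism {name!r} needs DNS; not handled here")
    return "neutral"  # nothing matched and the record has no 'all' term


if __name__ == "__main__":
    rec = build_spf(ip4=["192.0.2.10"], ip6=["2001:db8:1234:ab00::/64"])
    print(rec)
    for ip in ("192.0.2.10", "2001:db8:1234:ab00::25", "198.51.100.7"):
        print(ip, check_spf(rec, ip))
```

Publish the returned string as a TXT record at the apex of the sending domain; receivers then give a hard fail to mail from any other address, which is exactly what you want once your fixed address is the only legitimate source.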



Re: home server for email box

2023-03-10 Thread Brian
On Fri 10 Mar 2023 at 10:52:20 -0500, Henning Follmann wrote:

> On Fri, Mar 10, 2023 at 12:44:25PM +0100, to...@tuxteam.de wrote:
> > On Fri, Mar 10, 2023 at 12:01:57PM +0100, Nicolas George wrote:
> > > p...@ymail.ne.jp (12023-03-10):
> > > > Can I setup a mail server (postfix, dovecot, dkim, rspamd etc) on this 
> > > > box to receive/send email normally?
> > > 
> > > Probably not: ISP declare IP blocks attributed to clients as “domestic”
> > > and a lot of important e-mail operators block them.
> > 
> > It makes sense to check for that. But having a static routable IP
> > is a strong hint that it could work.
> 
> Well "could" is the best way to describe the chances of this working.

Agreed. Having a static routeable IP is a good start, but what is
in the DNS rules.

> I think the best way to find out:
> Check if the ISP will allow you to set the reverse DNS record matching
> your chosen A record.

Mine was unsettable by me  but the ISP was co-operative and set it
up.

> If they do, GREAT! If they don't, you most likely will not be happy in the
> long run.

My opinion is that unhappiness is guaranteed.

-- 
Brian.



Re: home server for email box

2023-03-10 Thread Henning Follmann
On Fri, Mar 10, 2023 at 12:44:25PM +0100, to...@tuxteam.de wrote:
> On Fri, Mar 10, 2023 at 12:01:57PM +0100, Nicolas George wrote:
> > p...@ymail.ne.jp (12023-03-10):
> > > Can I setup a mail server (postfix, dovecot, dkim, rspamd etc) on this 
> > > box to receive/send email normally?
> > 
> > Probably not: ISP declare IP blocks attributed to clients as “domestic”
> > and a lot of important e-mail operators block them.
> 
> It makes sense to check for that. But having a static routable IP
> is a strong hint that it could work.

Well "could" is the best way to describe the chances of this working.

I think the best way to find out:
Check if the ISP will allow you to set the reverse DNS record matching
your chosen A record.
If they do, GREAT! If they don't, you most likely will not be happy in the
long run.  

> 
> Have you more details for that "declaration" you hint at? How is
> an IP "declared" as "domestic"? 
> 
> > Anyway, if you have to ask, then you probably have A LOT of reading to
> > do before you have the skill to do it without making mistakes that will
> > get you blocked or worse.
> 
> These days blocking goes the other way around. But if you manage to get
> SPF & DKIM up and running correctly (perhaps also DMARC) your chances
> are good.

Well it doesn't go the other way around. I think you should think of DKIM
as another layer you have to worry about. All the other methods of blocking
are still there and can make your life difficult. 

> 
> Of course, some crappy ISPs (Microsoft, I'm looking at you, outlook.com
> and hotmail.com) insist that you register *with them directly*, it
> seems. But hey, that's Microsoft.

Yes they are horrible. And if you use greylisting you will never get past
this registration because every new confirmation request will come from a
different gateway. They are just horrible.





-- 
Henning Follmann   | hfollm...@itcfollmann.com
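The reverse-DNS test Henning describes (PTR for the address must name a host whose A/AAAA record points back at the same address, i.e. forward-confirmed reverse DNS) is easy to script so it can be re-run whenever the ISP changes something. The check below is an added example, not from the thread; the resolver is a constructed in-memory table so it runs offline, and the two lookup functions are the only thing to replace with real DNS queries in practice.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check with a pluggable resolver.

Added example, not from the thread. FAKE_PTR and FAKE_FORWARD are a
constructed zone; swap fake_reverse/fake_forward for real lookups with the
same signatures to check a live address.
"""
import ipaddress
from typing import Callable, List, Optional, Tuple

# Constructed data: PTR answers per address, A/AAAA answers per name.
FAKE_PTR = {
    "192.0.2.25": ["mail.example.org."],
    "2001:db8::25": ["mail.example.org."],
    "198.51.100.9": ["dyn-9.pool.isp.example."],   # generic ISP name, no forward record
    "203.0.113.4": [],                             # ISP set no PTR at all
}
FAKE_FORWARD = {
    "mail.example.org.": ["192.0.2.25", "2001:db8::25"],
    "dyn-9.pool.isp.example.": [],
}


def fake_reverse(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])


def fake_forward(name: str) -> List[str]:
    return FAKE_FORWARD.get(name.lower(), [])


def fcrdns(ip: str,
           reverse: Callable[[str], List[str]] = fake_reverse,
           forward: Callable[[str], List[str]] = fake_forward,
           expected_name: Optional[str] = None) -> Tuple[bool, str]:
    """Return (ok, reason).

    ok is True only if some PTR name for ip resolves back to ip and, when
    expected_name is given (the name you announce in HELO and use in your
    MX record), the confirmed PTR name is that name.
    """
    addr = ipaddress.ip_address(ip)
    names = reverse(str(addr))
    if not names:
        return False, "no PTR record"
    for name in names:
        forward_addrs = [ipaddress.ip_address(a) for a in forward(name)]
        if addr in forward_addrs:
            if expected_name and name.rstrip(".").lower() != expected_name.rstrip(".").lower():
                return False, f"PTR {name} is confirmed but differs from {expected_name}"
            return True, f"PTR {name} resolves back to {addr}"
    return False, "PTR name(s) do not resolve back to the address"


if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, fcrdns(ip, expected_name="mail.example.org"))
```

Many receivers run exactly this test against the connecting address, so a failing result here is a good predictor of the "not happy in the long run" outcome before any mail is sent.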



Re: Re: home server for email box

2023-03-10 Thread Tixy
On Fri, 2023-03-10 at 21:29 +0900, p...@ymail.ne.jp wrote:
> As you suggested I may use other relays as outgoing gateway. But the
> home box will receive and store messages. I can operate the email
> accounts for me and my family on this server.

This is what I do. But another thing to bear in mind is what happens if
you have a problem with your home internet connection or with the
computer receiving your email? Yes, email senders will retry for a
while, but personally I've had my ADSL line go down for a week or more.
Also, if you are away on holiday you won't be there to fix a broken
email server. For most people, email service is pretty critical so you
will likely want a second fallback email server somewhere else. This is
what I do, I used to have a VPS for this but to save money I recently
moved to an email hosting service that supports receiving emails for
other domains.

-- 
Tixy





Re: home server for email box

2023-03-10 Thread Vincent Lefevre
On 2023-03-10 20:03:53 +0800, cor...@free.fr wrote:
> On 10/03/2023 19:57, Nicolas George wrote:
> > Vincent Lefevre (12023-03-10):
> > > Mail may still be sent via the ISP's smarthost.
> > 
> > Unless the ISP's relay refuses to take mail not from the ISP's domain,
> > like I have seen a few times.
> 
> Or use an outgoing mail relay, such as mail gun, mail channel, they even
> have free budgets.

I have received much spam from mailgun. I'm wondering about
its reputation.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: Re: home server for email box

2023-03-10 Thread pyh
As you suggested I may use other relays as outgoing gateway. But the home box 
will receive and store messages. I can operate the email accounts for me and my 
family on this server.

Thanks
Yong



Re: home server for email box

2023-03-10 Thread coreyh

On 10/03/2023 19:57, Nicolas George wrote:
> Vincent Lefevre (12023-03-10):
> > Mail may still be sent via the ISP's smarthost.
> 
> Unless the ISP's relay refuses to take mail not from the ISP's domain,
> like I have seen a few times.


Or use an outgoing mail relay, such as mail gun, mail channel, they even 
have free budgets.


Corey H.



Re: home server for email box

2023-03-10 Thread Nicolas George
to...@tuxteam.de (12023-03-10):
> It makes sense to check for that. But having a static routable IP
> is a strong hint that it could work.

Alas no.

> Have you more details for that "declaration" you hint at? How is
> an IP "declared" as "domestic"? 

I think it goes through the whois declarations.

> These days blocking goes the other way around.

It goes the other way around too, but the dynamic lists of spam IP that
really are extortion rackets are still operating.

Regards,

-- 
  Nicolas George



Re: home server for email box

2023-03-10 Thread Nicolas George
Vincent Lefevre (12023-03-10):
> Mail may still be sent via the ISP's smarthost.

Unless the ISP's relay refuses to take mail not from the ISP's domain,
like I have seen a few times.

-- 
  Nicolas George



Re: home server for email box

2023-03-10 Thread Vincent Lefevre
On 2023-03-10 12:01:57 +0100, Nicolas George wrote:
> p...@ymail.ne.jp (12023-03-10):
> > Can I setup a mail server (postfix, dovecot, dkim, rspamd etc) on
> > this box to receive/send email normally?
> 
> Probably not: ISP declare IP blocks attributed to clients as “domestic”
> and a lot of important e-mail operators block them.

For receiving mail (i.e. for an "email box" as the subject says),
this should not be an issue. Mail may still be sent via the ISP's
smarthost.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: home server for email box

2023-03-10 Thread tomas
On Fri, Mar 10, 2023 at 12:01:57PM +0100, Nicolas George wrote:
> p...@ymail.ne.jp (12023-03-10):
> > Can I setup a mail server (postfix, dovecot, dkim, rspamd etc) on this box 
> > to receive/send email normally?
> 
> Probably not: ISP declare IP blocks attributed to clients as “domestic”
> and a lot of important e-mail operators block them.

It makes sense to check for that. But having a static routable IP
is a strong hint that it could work.

Have you more details for that "declaration" you hint at? How is
an IP "declared" as "domestic"? 

> Anyway, if you have to ask, then you probably have A LOT of reading to
> do before you have the skill to do it without making mistakes that will
> get you blocked or worse.

These days blocking goes the other way around. But if you manage to get
SPF & DKIM up and running correctly (perhaps also DMARC) your chances
are good.

Of course, some crappy ISPs (Microsoft, I'm looking at you, outlook.com
and hotmail.com) insist that you register *with them directly*, it
seems. But hey, that's Microsoft.

Cheers
-- 
t




Re: home server for email box

2023-03-10 Thread Nicolas George
p...@ymail.ne.jp (12023-03-10):
> Can I setup a mail server (postfix, dovecot, dkim, rspamd etc) on this box to 
> receive/send email normally?

Probably not: ISP declare IP blocks attributed to clients as “domestic”
and a lot of important e-mail operators block them.

Anyway, if you have to ask, then you probably have A LOT of reading to
do before you have the skill to do it without making mistakes that will
get you blocked or worse.

Regards,

-- 
  Nicolas George



Re: home server for email box

2023-03-10 Thread Jeremy Ardley


On 10/3/23 18:29, p...@ymail.ne.jp wrote:
> Hello,
> 
> I have a home server with static IP from the ISP. The server has 
> debian 11 installed.
> 
> Can I setup a mail server (postfix, dovecot, dkim, rspamd etc) on this 
> box to receive/send email normally?
> 
> Or do you guys have this similar operation?
> 
> Thanks
> 
> Yong



Absolutely. All you need to do is direct appropriate ports on your firewall.


But there is a bit more to it. You need to have server certificates such 
as letsencrypt.



You will also need to look to security - perhaps firewall into lan and 
on the host (less likely), and all the server protections for dovecot 
and postfix.


--
Jeremy
(Lists)