Re: Secure email server setup
On Monday, January 15, 2018 01:51:30 PM rhkra...@gmail.com wrote:
> (My understanding of SMTP may be faulty, but, AIUI, if your ISP is your
> SMTP server, email is stored there (unless deleted) (so that you can
> access it from more than one of your computers.

For the record:

1) My statement above is wrong / misleading. It turns out that I was thinking of IMAP when I described a server that keeps email stored on the (computer with) the IMAP server (often your ISP).

2) I should usually refrain from discussions on email, although I set up a few email servers a long time ago (15 years??) they were cookie cutter copies of each other, and didn't deal with many things that should be dealt with these days (and probably should have been dealt with back then).
Re: Secure email server setup
On Mon 15 Jan 2018 at 16:22:26 -0500, Henning Follmann wrote:

> On Mon, Jan 15, 2018 at 08:42:34PM +, Brian wrote:
> > On Mon 15 Jan 2018 at 14:51:56 -0500, Henning Follmann wrote:
> >
> > > On Mon, Jan 15, 2018 at 08:34:33PM +0100, Jonathan Sélea wrote:
> > > >
> > > > As other people already have said - do you really need emailserver of
> > > > this kind?
> > >
> > > This however is a valid question. A full functional mailserver requires
> > > effort and administrative knowledge to setup properly. And your question
> > > already hints that the latter is not there yet.
> >
> > All things computer-related require effort and administrative knowledge
> > to setup properly if anything out of the ordinary is being done. "do you
> > really need emailserver of this kind" is an indication of something bad
> > in the state of email.
> >
> > Don't do it your way or take advantage of what the net provides appears
> > to be the message. Your intentions are verging on the incompetent, or,
> > maybe, you are bucking the trend, just use Google like everyone else
> > is the message.
> >
>
> Well,
> honestly I always thought it is very beneficial to run your own mailserver.
> But it is also one of the most difficult tasks to master. We have come a

Agreed. Although the Debian exim documentation makes an excellent contribution to getting users off the ground.

> long way from setting up a sendmail server with its unique M4 syntax, but
> still you have to understand more than just setting up a smtp server. You
> need to understand DNS, SSL, TLS. You have to master at least one form of
> authentication method and avoid any possible relay disasters.
> Because all this is potentially hard to understand. This was my thought

Agreed. There are many pitfalls to avoid.

> behind my comment. I would like to encourage anybody to try and set this
> up. However this will take some time before this should be practiced on an
> openly connected server.

Having a fully operating mail server is very satisfying but your point is well-taken. The risk of mucking up a server for an important task is not to be taken lightly.

--
Brian.
Re: Secure email server setup
On 01/15/18 22:30, Henning Follmann wrote:
> On Mon, Jan 15, 2018 at 08:56:20PM +0100, Jonathan Sélea wrote:
>>>> I would not recommend having an emailserver on the same server as a
>>>> website, because if the website is compromised the "hacker" can just use
>>>> the mail() function to send emails in your name.
>>> so can she/he if the mailserver is on a different host. That doesn't make
>>> any difference.
>> It would, because other mailservers would deny emails from that one
>> because it would fail authentication (SPF, DKIM, DMARC for example).
>>
> Your webserver having a method to use a smarthost, using an external
> mailserver can be abused when compromised. So no win here. Still exploited
> once the attacker is on the system. It will just use the same smarthost
> with the webservers credentials and the mailserver will happily relay the
> spam.
>
> -H

If configured properly - the hacker can't change how the server does the transport, except if the hacker has gained the privileges to do so. But that is not that common if a LAMP server for example is properly configured. But if a hacker has found an exploit where he can change the transport settings for the MTA. I am talking about the default mail() function that is used by many websites.

But you are talking about a server where a hacker has gained root privileges - in that case there is not much to do.
Re: Secure email server setup
On Mon, Jan 15, 2018 at 08:56:20PM +0100, Jonathan Sélea wrote:
> >> I would not recommend having an emailserver on the same server as a
> >> website, because if the website is compromised the "hacker" can just use
> >> the mail() function
> >> to send emails in your name.
> > so can she/he if the mailserver is on a different host. That doesn't make
> > any difference.
> It would, because other mailservers would deny emails from that one
> because it would fail authentication (SPF, DKIM, DMARC for example).
>

Your webserver having a method to use a smarthost, using an external mailserver can be abused when compromised. So no win here. Still exploited once the attacker is on the system. It will just use the same smarthost with the webserver's credentials and the mailserver will happily relay the spam.

-H

--
Henning Follmann | hfollm...@itcfollmann.com
Re: Secure email server setup
On Mon, Jan 15, 2018 at 08:42:34PM +, Brian wrote:
> On Mon 15 Jan 2018 at 14:51:56 -0500, Henning Follmann wrote:
>
> > On Mon, Jan 15, 2018 at 08:34:33PM +0100, Jonathan Sélea wrote:
> > >
> > > As other people already have said - do you really need emailserver of
> > > this kind?
> >
> > This however is a valid question. A full functional mailserver requires
> > effort and administrative knowledge to setup properly. And your question
> > already hints that the latter is not there yet.
>
> All things computer-related require effort and administrative knowledge
> to setup properly if anything out of the ordinary is being done. "do you
> really need emailserver of this kind" is an indication of something bad
> in the state of email.
>
> Don't do it your way or take advantage of what the net provides appears
> to be the message. Your intentions are verging on the incompetent, or,
> maybe, you are bucking the trend, just use Google like everyone else
> is the message.
>

Well,
honestly I always thought it is very beneficial to run your own mailserver. But it is also one of the most difficult tasks to master. We have come a long way from setting up a sendmail server with its unique M4 syntax, but still you have to understand more than just setting up a smtp server. You need to understand DNS, SSL, TLS. You have to master at least one form of authentication method and avoid any possible relay disasters.
Because all this is potentially hard to understand. This was my thought behind my comment. I would like to encourage anybody to try and set this up. However this will take some time before this should be practiced on an openly connected server.

-H

--
Henning Follmann | hfollm...@itcfollmann.com
Re: Secure email server setup
On Mon 15 Jan 2018 at 14:08:35 -0500, rhkra...@gmail.com wrote:

> On Monday, January 15, 2018 01:58:08 PM Greg Wooledge wrote:
> > On Mon, Jan 15, 2018 at 01:51:30PM -0500, rhkra...@gmail.com wrote:
> > > Does the SMTP server encrypt both between it and the "client" and between
> > > it and the other end destination / source?
> >
> > No, not always. Plaintext SMTP is the default for transferring mail
> > from one server to another. Basically, you should just assume that
> > anything you send in an email is readable by the entire world, unless
> > you encrypt the actual message itself (PGP, GnuPG, etc.).
>
> Ok, thanks. I guess that's what I expected, and that it could almost more
> accurately be phrased--"almost never, unless you encrypt the actual message".

You are confusing what the smtp delivery system can do with what *you* can do before sending the mail. There is no connection between the two.

--
Brian.
Re: Secure email server setup
On Mon 15 Jan 2018 at 14:51:56 -0500, Henning Follmann wrote:

> On Mon, Jan 15, 2018 at 08:34:33PM +0100, Jonathan Sélea wrote:
> >
> > As other people already have said - do you really need emailserver of
> > this kind?
>
> This however is a valid question. A full functional mailserver requires
> effort and administrative knowledge to setup properly. And your question
> already hints that the latter is not there yet.

All things computer-related require effort and administrative knowledge to setup properly if anything out of the ordinary is being done. "do you really need emailserver of this kind" is an indication of something bad in the state of email.

Don't do it your way or take advantage of what the net provides appears to be the message. Your intentions are verging on the incompetent, or, maybe, you are bucking the trend, just use Google like everyone else is the message.

--
Brian.
Re: Secure email server setup
On Mon 15 Jan 2018 at 13:51:30 -0500, rhkra...@gmail.com wrote:

> On Monday, January 15, 2018 12:53:20 PM Alessandro Vesely wrote:
> > On Mon 15/Jan/2018 16:23:54 +0100 rhkramer wrote:
> > > On Monday, January 15, 2018 04:39:17 AM Alessandro Vesely wrote:
> > >> Since most email messages are sent in cleartext, it is also worth to
> > >> note explicitly the difference in terms of privacy between receiving
> > >> and collecting.
> > >
> > > I don't understand, can you (or someone) attempt to clarify / amplify?
> >
> > Personal (non-list) email messages happen to contain confidential
> > information, from innocent shopping preferences to passwords. Although it
> > is possible to use end-to-end encryption to safeguard confidentiality, the
> > vast majority of messages are sent in cleartext. A good percentage[*] of
> > SMTP servers apply transport encryption (STARTTLS), so the chances that a
> > message is read in transit are low. However, the chances that MX servers
> > can read cleartext messages is 100%, which hence is the rate of trust
> > users have to grant to their mailbox providers. The amount of info that
> > can be extracted is directly proportional to their AI skills, while what
> > they do with it only depends on how much greedy they are.
> >
> > Given this state of affairs, the absence of a clean method for setting up
> > an email server is particularly obnoxious, IMHO.
>
> Thanks very much--that helps a lot, but due to my ignorance of email systems,
> let me ask a followup:
>
> Does the SMTP server encrypt both between it and the "client" and between it
> and the other end destination / source?

Use of TLS is explained here:

https://www.gov.uk/government/publications/email-security-standards/transport-layer-security-tls

Note "...in transit between computers..."

> (My understanding of SMTP may be faulty, but, AIUI, if your ISP is your SMTP
> server, email is stored there (unless deleted) (so that you can access it from
> more than one of your computers. Is it the transmittal between that server

Your ISP is not *your* smtp server. You do not have an smtp server. You have a collection facility from your ISP.

> and your computer(s) that is encrypted, or between that server and the source
> / destination of the email, or both?

The second. The mail is encrypted by the sender and transmitted to the receiver. You are not the receiver. All you do is collect it from the receiver. While the receiver has it, anyone with access to their systems can read it. I think this is the point Alessandro Vesely was making. Greg Wooledge's point is a different one because it depends (partly) on TLS not being used.

Analogy: you give a letter to a trusted friend with instructions to deliver it directly to A, the intended recipient.

You give a letter to a trusted friend with instructions to deliver it directly to B, a convenient drop-off point for mail. A *collects* it from B.

Both methods work. Which one is the more secure? (Points are available for the correct answer :) ).

--
Brian.
Re: Secure email server setup
>> I would not recommend having an emailserver on the same server as a
>> website, because if the website is compromised the "hacker" can just use
>> the mail() function
>> to send emails in your name.
> so can she/he if the mailserver is on a different host. That doesn't make
> any difference.

It would, because other mailservers would deny emails from that one because it would fail authentication (SPF, DKIM, DMARC for example).
Re: Secure email server setup
On Mon, Jan 15, 2018 at 08:34:33PM +0100, Jonathan Sélea wrote:
>
>
> On 2018-01-15 00:19, Brian wrote:
> > On Sun 14 Jan 2018 at 16:43:53 -0500, rhkra...@gmail.com wrote:
> >
> >> On Sunday, January 14, 2018 02:26:03 PM Brian wrote:
> >>> On Sun 14 Jan 2018 at 12:49:46 -0500, rhkra...@gmail.com wrote:
> On Sunday, January 14, 2018 10:36:40 AM J.W. Foster wrote:
>
[...]

> I would not recommend having an emailserver on the same server as a
> website, because if the website is compromised the "hacker" can just use
> the mail() function
> to send emails in your name.

so can she/he if the mailserver is on a different host. That doesn't make any difference.

> As other people already have said - do you really need emailserver of
> this kind?

This however is a valid question. A full functional mailserver requires effort and administrative knowledge to setup properly. And your question already hints that the latter is not there yet.

> And why is Thunderbird installed on that particular machine?
>
> / Jonathan
>

-H

--
Henning Follmann | hfollm...@itcfollmann.com
Re: Secure email server setup
On Mon, Jan 15, 2018 at 08:34:33PM +0100, Jonathan Sélea wrote:
> I would not recommend having an emailserver on the same server as a
> website, because if the website is compromised the "hacker" can just use
> the mail() function
> to send emails in your name.

This can be done regardless of whether the email server is physically the same computer as the web server. That separation (or lack thereof) is not relevant.
Re: Secure email server setup
On 2018-01-15 00:19, Brian wrote:
> On Sun 14 Jan 2018 at 16:43:53 -0500, rhkra...@gmail.com wrote:
>
>> On Sunday, January 14, 2018 02:26:03 PM Brian wrote:
>>> On Sun 14 Jan 2018 at 12:49:46 -0500, rhkra...@gmail.com wrote:
>>>> On Sunday, January 14, 2018 10:36:40 AM J.W. Foster wrote:
>>>>> I am looking for a reliable step by step process for setting up an
>>>>> email server located on an existing website server. I have installed;
>>>>> exim4 light, dovecot, Thunderbird, OpenSSL, and TLS security. I have
>>>>> tried following several bits of documentation regarding this with some
>>>>> success, but as with every time I try this, I open up my system to
>>>>> SPAM at a ridiculous rate. I want to eliminate that and get this mail
>>>>> server fully operational. I am seeking a well-documented approach that
>>>>> I can follow. I am using current Debian Stretch and the server is
>>>>> primarily a Mediawiki system where I NEED mail available. Any tips
>>>>> are appreciated. Thanks! John
>>>> Some clarification would help:
>>>>
>>>> * Do you really need an email server on this machine, or do you just
>>>> need the capability to send and receive email? I guess I'm not familiar
>>>> enough with Mediawiki--does it need an email server?
>>>>
>>>> In my (old) installations of TWiki, the ability to send and receive email
>>>> was all I needed.
>>> If you did not use a mail server, you were not *receiving* email but,
>>> more than likely, *collecting* it.
>> Ok, but it worked and did what I needed to do. And how many people would
>> perceive a difference between receiving it and collecting it in casual usage
>> of those words and in this context?
> Not many in this context, probably. But precision and the desire to
> educate has never been amongst the strong points of commentators on
> email. You would soon notice the difference if you had to collect
> your mail from a Royal Mail office instead of having it delivered.
> Apart from having to travel to collect it, "spam" control is handled
> differently in each case.

I would not recommend having an emailserver on the same server as a website, because if the website is compromised the "hacker" can just use the mail() function to send emails in your name.

As other people already have said - do you really need emailserver of this kind?
And why is Thunderbird installed on that particular machine?

/ Jonathan
Re: Secure email server setup
On Mon, Jan 15, 2018 at 01:58:08PM -0500, Greg Wooledge wrote:
> On Mon, Jan 15, 2018 at 01:51:30PM -0500, rhkra...@gmail.com wrote:
> > Does the SMTP server encrypt both between it and the "client" and between
> > it and the other end destination / source?
>
> No, not always. Plaintext SMTP is the default for transferring mail
> from one server to another. Basically, you should just assume that
> anything you send in an email is readable by the entire world, unless
> you encrypt the actual message itself (PGP, GnuPG, etc.).
>

But these days most use encryption S2S and most clients do too. I log on my server if they use TLS or not and all the big ones definitely do. However between each hop the mail is unencrypted. If it sits at gmail for example google can read the mail.

There are a few exceptions worth mentioning: for example protonmail. If I understand this correctly they use your public key (pgp) and any unencrypted mail will be encrypted before stored.

-H

--
Henning Follmann | hfollm...@itcfollmann.com
Re: Secure email server setup
On Monday, January 15, 2018 01:58:08 PM Greg Wooledge wrote:
> On Mon, Jan 15, 2018 at 01:51:30PM -0500, rhkra...@gmail.com wrote:
> > Does the SMTP server encrypt both between it and the "client" and between
> > it and the other end destination / source?
>
> No, not always. Plaintext SMTP is the default for transferring mail
> from one server to another. Basically, you should just assume that
> anything you send in an email is readable by the entire world, unless
> you encrypt the actual message itself (PGP, GnuPG, etc.).

Ok, thanks. I guess that's what I expected, and that it could almost more accurately be phrased--"almost never, unless you encrypt the actual message".

Thanks very much!
Re: Secure email server setup
On Mon, Jan 15, 2018 at 01:51:30PM -0500, rhkra...@gmail.com wrote:
> Does the SMTP server encrypt both between it and the "client" and between it
> and the other end destination / source?

No, not always. Plaintext SMTP is the default for transferring mail from one server to another. Basically, you should just assume that anything you send in an email is readable by the entire world, unless you encrypt the actual message itself (PGP, GnuPG, etc.).
Re: Secure email server setup
On Monday, January 15, 2018 12:53:20 PM Alessandro Vesely wrote:
> On Mon 15/Jan/2018 16:23:54 +0100 rhkramer wrote:
> > On Monday, January 15, 2018 04:39:17 AM Alessandro Vesely wrote:
> >> Since most email messages are sent in cleartext, it is also worth to
> >> note explicitly the difference in terms of privacy between receiving
> >> and collecting.
> >
> > I don't understand, can you (or someone) attempt to clarify / amplify?
>
> Personal (non-list) email messages happen to contain confidential
> information, from innocent shopping preferences to passwords. Although it
> is possible to use end-to-end encryption to safeguard confidentiality, the
> vast majority of messages are sent in cleartext. A good percentage[*] of
> SMTP servers apply transport encryption (STARTTLS), so the chances that a
> message is read in transit are low. However, the chances that MX servers
> can read cleartext messages is 100%, which hence is the rate of trust
> users have to grant to their mailbox providers. The amount of info that
> can be extracted is directly proportional to their AI skills, while what
> they do with it only depends on how much greedy they are.
>
> Given this state of affairs, the absence of a clean method for setting up
> an email server is particularly obnoxious, IMHO.

Thanks very much--that helps a lot, but due to my ignorance of email systems, let me ask a followup:

Does the SMTP server encrypt both between it and the "client" and between it and the other end destination / source?

(My understanding of SMTP may be faulty, but, AIUI, if your ISP is your SMTP server, email is stored there (unless deleted) (so that you can access it from more than one of your computers. Is it the transmittal between that server and your computer(s) that is encrypted, or between that server and the source / destination of the email, or both?
Re: Secure email server setup
On Mon 15/Jan/2018 16:23:54 +0100 rhkramer wrote:
> On Monday, January 15, 2018 04:39:17 AM Alessandro Vesely wrote:
>> Since most email messages are sent in cleartext, it is also worth to note
>> explicitly the difference in terms of privacy between receiving and
>> collecting.
>
> I don't understand, can you (or someone) attempt to clarify / amplify?

Personal (non-list) email messages happen to contain confidential information, from innocent shopping preferences to passwords. Although it is possible to use end-to-end encryption to safeguard confidentiality, the vast majority of messages are sent in cleartext. A good percentage[*] of SMTP servers apply transport encryption (STARTTLS), so the chances that a message is read in transit are low. However, the chances that MX servers can read cleartext messages is 100%, which hence is the rate of trust users have to grant to their mailbox providers. The amount of info that can be extracted is directly proportional to their AI skills, while what they do with it only depends on how much greedy they are.

Given this state of affairs, the absence of a clean method for setting up an email server is particularly obnoxious, IMHO.

Ale

[*] See, for example this 2014 stat:
https://www.facebook.com/notes/protect-the-graph/the-current-state-of-smtp-starttls-deployment/1453015901605223/
Re: Secure email server setup
On Monday, January 15, 2018 04:39:17 AM Alessandro Vesely wrote:
> Since most email messages are sent in cleartext, it is also worth to note
> explicitly the difference in terms of privacy between receiving and
> collecting.

I don't understand, can you (or someone) attempt to clarify / amplify?
Re: Secure email server setup
On Mon 15/Jan/2018 00:19:24 +0100 Brian wrote:
> On Sun 14 Jan 2018 at 16:43:53 -0500, rhkra...@gmail.com wrote:
>
>> On Sunday, January 14, 2018 02:26:03 PM Brian wrote:
>>> On Sun 14 Jan 2018 at 12:49:46 -0500, rhkra...@gmail.com wrote:
>>>> On Sunday, January 14, 2018 10:36:40 AM J.W. Foster wrote:
>>>>> I am looking for a reliable step by step process for setting up an
>>>>> email server located on an existing website server. I have
>>>>> installed; exim4 light, dovecot, Thunderbird, OpenSSL, and TLS

Thunderbird isn't needed on a server

>>>>> security. I have tried following several bits of documentation
>>>>> regarding this with some success, but as with every time I try this,
>>>>> I open up my system to SPAM at a ridiculous rate. I want to
>>>>> eliminate that and get this mail server fully operational. I am
>>>>> seeking a well-documented approach that I can follow. I am using
>>>>> current Debian Stretch and the server is primarily a Mediawiki
>>>>> system where I NEED mail available. Any tips are appreciated.
>>>>> Thanks! John
>>>> Some clarification would help:
>>>>
>>>> * Do you really need an email server on this machine, or do you just
>>>> need the capability to send and receive email? I guess I'm not familiar
>>>> enough with Mediawiki--does it need an email server?
>>>>
>>>> In my (old) installations of TWiki, the ability to send and receive
>>>> email was all I needed.
>>>
>>> If you did not use a mail server, you were not *receiving* email but,
>>> more than likely, *collecting* it.
>>
>> Ok, but it worked and did what I needed to do. And how many people would
>> perceive a difference between receiving it and collecting it in casual
>> usage of those words and in this context?
>
> Not many in this context, probably. But precision and the desire to
> educate has never been amongst the strong points of commentators on
> email. You would soon notice the difference if you had to collect
> your mail from a Royal Mail office instead of having it delivered.
> Apart from having to travel to collect it, "spam" control is handled
> differently in each case.

It may help to note explicitly that spam control includes the possibility to whitelist known wiki contributors from /some/ filters --e.g. never skip anti-virus; after all, even known contributors can have their email accounts hijacked.

Since most email messages are sent in cleartext, it is also worth to note explicitly the difference in terms of privacy between receiving and collecting.

For sending capabilities, many postmasters end up taking recourse to external smart hosts because their IP address is in a tainted block, regularly thrown in the Junk folder by some mailbox providers (e.g. hotmail). The worthiness of running a mail queue is lost in that case.

Ale
Re: Secure email server setup
On Sun 14 Jan 2018 at 16:43:53 -0500, rhkra...@gmail.com wrote:

> On Sunday, January 14, 2018 02:26:03 PM Brian wrote:
> > On Sun 14 Jan 2018 at 12:49:46 -0500, rhkra...@gmail.com wrote:
> > > On Sunday, January 14, 2018 10:36:40 AM J.W. Foster wrote:
> > > > I am looking for a reliable step by step process for setting up an
> > > > email server located on an existing website server. I have installed;
> > > > exim4 light, dovecot, Thunderbird, OpenSSL, and TLS security. I have
> > > > tried following several bits of documentation regarding this with some
> > > > success, but as with every time I try this, I open up my system to
> > > > SPAM at a ridiculous rate. I want to eliminate that and get this mail
> > > > server fully operational. I am seeking a well-documented approach that
> > > > I can follow. I am using current Debian Stretch and the server is
> > > > primarily a Mediawiki system where I NEED mail available. Any tips
> > > > are appreciated. Thanks! John
> > >
> > > Some clarification would help:
> > >
> > > * Do you really need an email server on this machine, or do you just
> > > need the capability to send and receive email? I guess I'm not familiar
> > > enough with Mediawiki--does it need an email server?
> > >
> > > In my (old) installations of TWiki, the ability to send and receive email
> > > was all I needed.
> >
> > If you did not use a mail server, you were not *receiving* email but,
> > more than likely, *collecting* it.
>
> Ok, but it worked and did what I needed to do. And how many people would
> perceive a difference between receiving it and collecting it in casual usage
> of those words and in this context?

Not many in this context, probably. But precision and the desire to educate has never been amongst the strong points of commentators on email. You would soon notice the difference if you had to collect your mail from a Royal Mail office instead of having it delivered. Apart from having to travel to collect it, "spam" control is handled differently in each case.

--
Brian.
Re: Secure email server setup
On Sunday, January 14, 2018 02:26:03 PM Brian wrote:
> On Sun 14 Jan 2018 at 12:49:46 -0500, rhkra...@gmail.com wrote:
> > On Sunday, January 14, 2018 10:36:40 AM J.W. Foster wrote:
> > > I am looking for a reliable step by step process for setting up an
> > > email server located on an existing website server. I have installed;
> > > exim4 light, dovecot, Thunderbird, OpenSSL, and TLS security. I have
> > > tried following several bits of documentation regarding this with some
> > > success, but as with every time I try this, I open up my system to
> > > SPAM at a ridiculous rate. I want to eliminate that and get this mail
> > > server fully operational. I am seeking a well-documented approach that
> > > I can follow. I am using current Debian Stretch and the server is
> > > primarily a Mediawiki system where I NEED mail available. Any tips
> > > are appreciated. Thanks! John
> >
> > Some clarification would help:
> >
> > * Do you really need an email server on this machine, or do you just
> > need the capability to send and receive email? I guess I'm not familiar
> > enough with Mediawiki--does it need an email server?
> >
> > In my (old) installations of TWiki, the ability to send and receive email
> > was all I needed.
>
> If you did not use a mail server, you were not *receiving* email but,
> more than likely, *collecting* it.

Ok, but it worked and did what I needed to do. And how many people would perceive a difference between receiving it and collecting it in casual usage of those words and in this context?
Re: Secure email server setup
basti wrote:
> exim users mailing list would be a good place for your question I think.
>

basti, first of all we do not top post and second we reply to the message we intend to answer. As I've been using exim extensively and was part of team supporting cloud with exim and imap (dovecot), I can tell you what OP is doing is wrong. I don't think you want to send me to the exim list

regards
Re: Secure email server setup
On Sun, 14 Jan 2018 15:36:40 + (UTC) "J.W. Foster" wrote:

> I am looking for a reliable step by step process for setting up an
> email server located on an existing website server.

As you say, you won't have trouble finding basic instructions. What you probably won't find is exactly what you're looking for.

> I have
> installed; exim4 light, dovecot, Thunderbird, OpenSSL, and TLS
> security. I have tried following several bits of documentation
> regarding this with some success, but as with every time I try this,
> I open up my system to SPAM at a ridiculous rate.

There *is* a ridiculous amount of spam flying about, there's nothing you can do about that. It's a lot less than it used to be, my record for mail server rejections in a day is over 12,000. Yes, that's three noughts, though it was many years ago.

> I want to eliminate that

That's probably too ambitious. What you should be able to do is to reduce it to a manageable amount. I've taken this further than many people: nearly twenty years ago, I tried challenging the orthodox position that posting to Usenet and other fora should be done from a mangled or disposable address. I decided to use a normal, valid email address, and see what the consequences were.

I've tried SpamAssassin, but that seemed to need a great deal of maintenance, being an arms race between the spammers and me. Every couple of weeks, they would find a new technique that had to be explicitly dealt with.

So now, in order of effectiveness:

1. Don't implement a catch-all address, this will indeed catch all of the spam. The greatest single anti-spam technique is for the SMTP server to accept mail only for the server's named users, which is the default. It's not quite as effective as it used to be, as almost all spam used to be NDR spam: deliberately misaddressed, in order to get a POP3-based system to bounce it to a forged Reply-To address, thereby laundering it. Much less NDR spam these days, only five out of my 13 rejects yesterday were NDR.

2. Refuse mail where there is no proper reverse DNS record (PTR) for the sender address. This is slightly risky, as a few small businesses use mail 'providers' who seem less than clued-up about running mail servers. You *do* have a static address and a proper A-PTR DNS record pair for your mail server, don't you? There will be trouble otherwise. I do drop the occasional debian-user email as the d-u DNS server seems a bit slow to respond sometimes. The Debian exim4 setup only provides a warning message about faulty reverse DNS, but I and most others change this to 'deny'. Four of the 13 rejects fell foul of this one.

3. Refuse mail from non-existent domains. Exim4 has fine control over sender verification, in that for senders with domains not hosted on the server, it can verify the domain only, while verifying the full email address for hosted domains. This allows rejection of made-up domains, which helps a little, though spammers can register unlimited silly domain names fairly cheaply. The sender verify will also pick up spammers claiming to be random users on your domain, a common trick.

4. Keep blacklists of IP CIDR blocks, spamming domain names and, if your business model allows, entire top-level domains. The files /etc/exim4/local_host and .._sender blacklists and whitelists are a convenient place for these. My current local_host_blacklist contains just over 500 CIDR blocks, including three /8 blocks. I also have a list of 34 country codes and the TLDs .win, .biz, .click and .zip, and reject sender address PTRs and HELO strings containing them.

There is a certain amount of spam that won't be caught this way. I have a ~.forward file on the server that routes half a dozen types of machine email, including debian-user and logcheck stuff, into IMAP folders. I route about another forty entries into the Spam folder, such as 'medica', 'iploma' and other likely string fragments in the Subject: header, and 'googlegroups' and others in the From: header.

After all that, I still pick one or two spams a day out of my inbox, but I can live with that, and if any of them offend me sufficiently I might modify one of the defences to deal with it. Sometimes I do contact the senders' ISP where that may be helpful (from an .edu domain, for example) but usually it's a waste of effort. The big email providers like Google and Yahoo pretty much don't accept email abuse complaints, which is naughty.

As others have said, if you allow your mail server to be used as a relay, such as by applications, you need to allow relaying only of authenticated email from only those sources. There's loads of information about that on the Net, if you allow anyone who connects from outside to your mail server to relay (send email to someone your server doesn't store email for) then you will be found by spammers and your IP address blacklisted almost instantly. There are numerous websites which will test your mail server, and one of the tests is invariably for relaying
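The layered checks listed in the message above, applied in the same order to a few SMTP transactions, as an added example that is not part of the original post and is not exim4 configuration. All addresses, host names and the dictionaries standing in for DNS lookups are constructed so the script runs offline; only the four TLDs are taken from the post.

```python
import ipaddress

# Constructed sample data (assumptions, not from the thread).
LOCAL_USERS = {"alice@example.org", "bob@example.org"}  # named users only, no catch-all
HOSTED_DOMAINS = {"example.org"}
HOST_BLACKLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]
BLOCKED_TLDS = (".win", ".biz", ".click", ".zip")       # the TLDs named in the post
# Dictionaries standing in for PTR and A lookups.
PTR = {"192.0.2.10": "mail.example.net", "192.0.2.77": "host77.example.click",
       "198.51.100.5": "mx.example.net"}
A = {"mail.example.net": "192.0.2.10", "host77.example.click": "192.0.2.77",
     "mx.example.net": "198.51.100.5"}
EXISTING_DOMAINS = {"example.org", "example.net", "example.click"}

def check(ip, helo, sender, rcpt):
    """Return (verdict, reason) for one unauthenticated RCPT TO."""
    # 1. Named users only. Recipients outside LOCAL_USERS are refused,
    #    so an unauthenticated client cannot relay either.
    if rcpt.lower() not in LOCAL_USERS:
        return ("reject", "unknown recipient")
    # 2. The PTR must exist and its A record must point back to the client.
    ptr = PTR.get(ip)
    if ptr is None or A.get(ptr) != ip:
        return ("reject", "no matching A/PTR pair")
    # 3. Sender verify: domain only for foreign senders, full address for hosted ones.
    sdomain = sender.rpartition("@")[2].lower()
    if sdomain not in EXISTING_DOMAINS:
        return ("reject", "sender domain does not exist")
    if sdomain in HOSTED_DOMAINS and sender.lower() not in LOCAL_USERS:
        return ("reject", "forged local sender")
    # 4. Local blacklists: CIDR blocks, then TLDs in the PTR name or HELO string.
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in HOST_BLACKLIST):
        return ("reject", "host in CIDR blacklist")
    if ptr.lower().endswith(BLOCKED_TLDS) or helo.lower().endswith(BLOCKED_TLDS):
        return ("reject", "blocked TLD in PTR or HELO")
    return ("accept", "passed all checks")

if __name__ == "__main__":
    samples = [  # constructed transactions: (client IP, HELO, MAIL FROM, RCPT TO)
        ("192.0.2.10", "mail.example.net", "carol@example.net", "alice@example.org"),
        ("192.0.2.10", "mail.example.net", "carol@example.net", "sales@example.org"),
        ("192.0.2.200", "mail.example.net", "carol@example.net", "alice@example.org"),
        ("192.0.2.10", "mail.example.net", "random@example.org", "alice@example.org"),
        ("198.51.100.5", "mx.example.net", "carol@example.net", "alice@example.org"),
        ("192.0.2.77", "host77.example.click", "carol@example.net", "alice@example.org"),
    ]
    for s in samples:
        print(s, "->", check(*s))
```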
Re: Secure email server setup
On Sun 14 Jan 2018 at 12:49:46 -0500, rhkra...@gmail.com wrote:

> On Sunday, January 14, 2018 10:36:40 AM J.W. Foster wrote:
> > I am looking for a reliable step by step process for setting up an email
> > server located on an existing website server. I have installed; exim4
> > light, dovecot, Thunderbird, OpenSSL, and TLS security. I have tried
> > following several bits of documentation regarding this with some success,
> > but as with every time I try this, I open up my system to SPAM at a
> > ridiculous rate. I want to eliminate that and get this mail server fully
> > operational. I am seeking a well-documented approach that I can follow. I
> > am using current Debian Stretch and the server is primarily a Mediawiki
> > system where I NEED mail available. Any tips are appreciated. Thanks! John
>
> Some clarification would help:
>
>* Do you really need an email server on this machine, or do you just need
> the capability to send and receive email? I guess I'm not familiar enough
> with Mediawiki--does it need an email server?
>
> In my (old) installations of TWiki, the ability to send and receive email was
> all I needed.

If you did not use a mail server, you were not *receiving* email but, more than likely, *collecting* it.

--
Brian.
Re: Secure email server setup
On Sun 14 Jan 2018 at 15:36:40 +, J.W. Foster wrote:

> I am looking for a reliable step by step process for setting up an
> email server located on an existing website server. I have installed;
> exim4 light, dovecot, Thunderbird, OpenSSL, and TLS security. I have
> tried following several bits of documentation regarding this with some
> success, but as with every time I try this, I open up my system to
> SPAM at a ridiculous rate. I want to eliminate that and get this mail
> server fully operational. I am seeking a well-documented approach that
> I can follow. I am using current Debian Stretch and the server is
> primarily a Mediawiki system where I NEED mail available. Any tips
> are appreciated. Thanks! John

I have a similar setup but don't use spam control. First get the mail server sending and receiving reliably. Then add spam filters. No links from me, I'm afraid; you should be able to locate plenty.

It could be exim4-daemon-heavy is a better fit for your situation.

--
Brian.
Re: Secure email server setup
exim users mailing list would be a good place for your question I think.

On 14.01.2018 19:40, deloptes wrote:

> J.W. Foster wrote:
>
>> I am looking for a reliable step by step process for setting up an email
>> server located on an existing website server. I have installed; exim4
>> light, dovecot, Thunderbird, OpenSSL, and TLS security. I have tried
>> following several bits of documentation regarding this with some success,
>> but as with every time I try this, I open up my system to SPAM at a
>> ridiculous rate. I want to eliminate that and get this mail server fully
>> operational. I am seeking a well-documented approach that I can follow. I
>> am using current Debian Stretch and the server is primarily a Mediawiki
>> system where I NEED mail available. Any tips are appreciated. Thanks! John
>
> you don't usually install a mail server for each application and make it
> public
>
> you usually relay the mail traffic to dedicated mail server.
> this dedicated mail server takes care of the mail exchange with the world.
> this mail server is responsible for filtering spam or signing messages, so
> that they won't be rejected by other mail servers.
>
> reconsider your design. otherwise you should set up an official mail server
> with all it takes.
>
> regards
>
Re: Secure email server setup
J.W. Foster wrote:

> I am looking for a reliable step by step process for setting up an email
> server located on an existing website server. I have installed; exim4
> light, dovecot, Thunderbird, OpenSSL, and TLS security. I have tried
> following several bits of documentation regarding this with some success,
> but as with every time I try this, I open up my system to SPAM at a
> ridiculous rate. I want to eliminate that and get this mail server fully
> operational. I am seeking a well-documented approach that I can follow. I
> am using current Debian Stretch and the server is primarily a Mediawiki
> system where I NEED mail available. Any tips are appreciated. Thanks! John

you don't usually install a mail server for each application and make it public

you usually relay the mail traffic to dedicated mail server.
this dedicated mail server takes care of the mail exchange with the world.
this mail server is responsible for filtering spam or signing messages, so that they won't be rejected by other mail servers.

reconsider your design. otherwise you should set up an official mail server with all it takes.

regards
Re: Secure email server setup
On Sunday, January 14, 2018 10:36:40 AM J.W. Foster wrote:

> I am looking for a reliable step by step process for setting up an email
> server located on an existing website server. I have installed; exim4
> light, dovecot, Thunderbird, OpenSSL, and TLS security. I have tried
> following several bits of documentation regarding this with some success,
> but as with every time I try this, I open up my system to SPAM at a
> ridiculous rate. I want to eliminate that and get this mail server fully
> operational. I am seeking a well-documented approach that I can follow. I
> am using current Debian Stretch and the server is primarily a Mediawiki
> system where I NEED mail available. Any tips are appreciated. Thanks! John

Some clarification would help:

* Do you really need an email server on this machine, or do you just need the capability to send and receive email? I guess I'm not familiar enough with Mediawiki--does it need an email server?

In my (old) installations of TWiki, the ability to send and receive email was all I needed.