[gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
hi.

context:

1. tinfoil hat is on.
2. i feel disrespected when someone does things to my stuff without getting my approval.
3. vps admin is not trusty and their sys admin may read my emails, and laugh at me!
4. whole thing is not worth much money. so not willing to pay more than the price of a cheap vps. moving to dedicated hardware for me is not worth it.

my goal is to make it annoying enough that cheap-vps's admins find it a bad idea for them to allocate their time to mingle with my stuff.

thoughts on how to maximally satisfy these requirements?

rgrds,
cm.
Re: [gentoo-user]
On Mon, 17 Aug 2020 00:21:58 +0800, Pengcheng Xu wrote:

> The email in question didn’t have "really small, tiny even, font"; it
> is simply an empty email with no subject and body.
>
> Note: times when forcing plain text when reading actually helps :P

Don't worry Dale, some of us got your sarcasm ;-)

--
Neil Bothwick

Vital papers will demonstrate their vitality by moving to where you can't find them.
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On Mon, Aug 17, 2020 at 04:50:43AM +, Caveman Al Toraboran wrote:

> thoughts on how to maximally satisfy these
> requirements?

How many concurrent users will be connected to the mail server? How much traffic will the S.M.T.P. server receive (read: how many e-mails arrive on a daily basis)? If you really don't trust your V.P.S. provider, and your mail server is small-ish, you could just skip all the trust issues and buy a cheap Raspberry Pi for £20 or so.

Running a mail server over a domestic connection presents some issues, such as dynamic I.P. ranges appearing in the Spamhaus blocklist, or some tyrannicalesque I.S.P.s blocking outbound port 25 (S.M.T.P. submission port), but it is possible to have a smooth, self-administered mail server, providing you can put in the time and effort. I have been doing it myself for a few years with Courier and Postfix (although I wouldn't recommend Courier; Dovecot is far superior).

What do you think?

--
Ashley Dixon
suugaku.co.uk

2A9A 4117 DA96 D18A 8A7B B0D2 A30E BF25 F290 A8AA
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 17-Aug-20 6:50, Caveman Al Toraboran wrote:

> hi.
>
> context:
>
> 1. tinfoil hat is on.
> 2. i feel disrespected when someone does things to my stuff without getting my approval.
> 3. vps admin is not trusty and their sys admin may read my emails, and laugh at me!
> 4. whole thing is not worth much money. so not willing to pay more than the price of a cheap vps. moving to dedicated hardware for me is not worth it.
>
> my goal is to make it annoying enough that cheap-vps's admins find it a bad idea for them to allocate their time to mingle with my stuff.
>
> thoughts on how to maximally satisfy these requirements?

Rent VPS and be your own admin. But running properly configured mail-server is not so easy. Setting up postfix/exim/sendmail is just a beginning. If you mean it seriously and do not want your IP to land on blacklists (and your vps suspended), there is much more to do, i.e. spf, dkim, dmarc, dnssec, etc...

Jarry

--
___
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 17/08/20 12:33, Ashley Dixon wrote:

> On Mon, Aug 17, 2020 at 04:50:43AM +, Caveman Al Toraboran wrote:
>> thoughts on how to maximally satisfy these
>> requirements?
>
> How many concurrent users will be connected to the mail server? How much traffic
> will the S.M.T.P. server receive (read: how many e-mails arrive on a daily
> basis)? If you really don't trust your V.P.S. provider, and your mail server is
> small-ish, you could just skip all the trust issues and buy a cheap Raspberry Pi
> for £20 or so.

Yup. If you've got mail DNS records pointing at your home server, incoming mail shouldn't be a problem and your vps admin can't snoop :-)

> Running a mail server over a domestic connection presents some issues, such as
> dynamic I.P. ranges appearing in the Spamhaus blocklist, or some tyrannicalesque
> I.S.P.s blocking outbound port 25 (S.M.T.P. submission port), but it is possible
> to have a smooth, self-administered mail server, providing you can put in the
> time and effort. I have been doing it myself for a few years with Courier and
> Postfix (although I wouldn't recommend Courier; Dovecot is far superior).

Can't you tell your server to forward all outgoing mail to your ISP's SMTP server? That way, you don't have to worry about all the spam issues, and it *should* just pass through.

The main worry for snooping is inbound mail waiting for collection - outbound requires a dedicated eavesdropping solution and if they're going to do that they can always snoop ANY outgoing SMTP.

Cheers,
Wol
Re: [gentoo-user]
Neil Bothwick wrote:

> On Mon, 17 Aug 2020 00:21:58 +0800, Pengcheng Xu wrote:
>
>> The email in question didn’t have "really small, tiny even, font"; it
>> is simply an empty email with no subject and body.
>>
>> Note: times when forcing plain text when reading actually helps :P
>
> Don't worry Dale, some of us got your sarcasm ;-)

Many years ago, before I used Gentoo, it was claimed, and likely true, that Govt types were reading our emails looking for key words. Well, as a joke some of us gave them something to read. We put all the keywords in emails with white letters and a white background. A person reading our emails wouldn't see it but it was there, triggering those Govt types into crazy land. It was like a signature but invisible. This was before Facebook or even myspace if I recall correctly.

Given we know now that the Govt types read our emails, maybe we should all do that again. If enough of us do it, it would make things more fun for us and difficult for them. ROFL

Since the OP has yet to respond, I guess they think the email is funny. Thing is, I responded to try and help them, like us Gentoo folks tend to do, so I guess the joke is on them not us. ;-)

Dale

:-) :-)
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 8/16/20 10:50 PM, Caveman Al Toraboran wrote:

> hi.

Hi

> context:
>
> 1. tinfoil hat is on.

Okay.

> 2. i feel disrespected when someone does things to my stuff without getting my approval.

Sure.

> 3. vps admin is not trusty and their sys admin may read my emails, and laugh at me!

Do you have any (anecdotal) evidence that this has actually happened?

Hanlon's razor comes to mind: Never attribute to malice that which is adequately explained by stupidity.

My experience supports Hanlon's razor.

This doesn't mean that there aren't malicious admins out there. Many in our industry have fun with the B.O.F.H. and P.F.Y. But I think that's more what we want to do -- if there were no repercussions -- and not what we actually do. *MANY* people talk a big game. I've seen few follow through on the boasting.

> 4. whole thing is not worth much money. so not willing to pay more than the price of a cheap vps.

That is your choice. I personally find that my email / DNS / website is worth ~$240 a year. I could probably do it for ~$120 a year if I wanted to drop redundancy. I could theoretically do it for $60 a year if I wanted to lower functionality.

> moving to dedicated hardware for me is not worth it.

Fair enough and to each their own. I used to have dedicated hardware in my house, and then migrated to VPS based solutions as part of a cross country move without a static IP on the destination end.

> my goal is to make it annoying enough that cheap-vps's admins find it a bad idea for them to allocate their time to mingle with my stuff.

I'd like to hear any (anecdotal) evidence of this happening that you have.

If there is anything, I'd suspect that it's bulk Deep Packet Inspection monitoring things. I doubt that actual malicious involvement is common.

> thoughts on how to maximally satisfy these requirements?

Well, seeing as how you're talking about email, the biggest elephant in the room is SMTP's default of unencrypted communications path.

It's relatively easy to add support for encryption, but more systems than I'm comfortable with don't avail themselves of the optional encryption for some reason. Sure, it's possible to configure many receiving SMTP servers to require it from specific sending systems and / or sending domains. But this is effort you have to expend to enact these restrictions.

Actual encrypted email; S/MIME, PGP, etc. help in this regard.

--
Grant. . . .
unix || die
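Added example, not part of the message above or of any poster's setup: one way to see which hops of a delivered message actually used the optional encryption is to read the "with" keyword each receiving server records in its Received header (ESMTPS and friends, per the RFC 3848 keyword registry). The sample message and all host names are constructed; only headers written by a server you run can be relied on, since earlier ones are supplied by the sending side.

```python
import email
import re

# "with" keywords that record a TLS-protected hop (RFC 3848 registry).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample: newest hop first, one TLS hop and one plaintext hop.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby mail.example.org (Postfix) with ESMTPS id 4BVabc1xyz
\tfor <cm@example.org>; Mon, 17 Aug 2020 12:00:02 +0000 (UTC)
Received: from laptop.example.net (unknown [198.51.100.23])
\tby mx.example.net (Postfix) with ESMTP id 9F2C11234
\tfor <cm@example.org>; Mon, 17 Aug 2020 12:00:01 +0000 (UTC)
From: sender@example.net
To: cm@example.org
Subject: constructed test message

body
"""


def strip_comments(value):
    """Drop (possibly nested) parenthesised comments from a header value.

    Needed because a comment such as "(using TLSv1.3 with cipher ...)"
    contains the word "with" but is not the protocol clause.
    """
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def audit_hops(raw_message):
    """Return (receiver, sender, protocol, encrypted) for each Received header."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(strip_comments(header).split())  # unfold and normalise
        sender = re.search(r"\bfrom\s+(\S+)", text)
        receiver = re.search(r"\bby\s+(\S+)", text)
        proto = re.search(r"\bwith\s+(\S+)", text)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((receiver.group(1) if receiver else "?",
                     sender.group(1) if sender else "?",
                     name, name in TLS_PROTOCOLS))
    return hops


def plaintext_hops(raw_message):
    """Hops whose recorded protocol does not indicate TLS."""
    return [hop for hop in audit_hops(raw_message) if not hop[3]]


if __name__ == "__main__":
    for receiver, sender, proto, encrypted in audit_hops(SAMPLE):
        state = "TLS" if encrypted else "PLAINTEXT"
        print(f"{sender} -> {receiver}: {proto} ({state})")
```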
Re: [gentoo-user]
On 17.08.2020 at 14:11, Dale wrote:

> Many years ago, before I used Gentoo, it was claimed, and likely true, that Govt types were reading our emails looking for key words. Well, as a joke some of us gave them something to read. We put all the keywords in emails with white letters and a white background. A person reading our emails wouldn't see it but it was there, triggering those Govt types into crazy land. It was like a signature but invisible. This was before Facebook or even myspace if I recall correctly.

Where would I get a list with keywords the gov would look for? :-)
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 8/17/20 5:33 AM, Ashley Dixon wrote:

> How many concurrent users will be connected to the mail server? How much traffic will the S.M.T.P. server receive (read: how many e-mails arrive on a daily basis)?

My main VPS has a single digit number of clients and processes anywhere between 50,000 and 200,000 emails per day. It does so without any problem.

> If you really don't trust your V.P.S. provider, and your mail server is small-ish, you could just skip all the trust issues and buy a cheap Raspberry Pi for £20 or so.

The VPS includes a globally routed IP, something that a Raspberry Pi doesn't inherently include. The connectivity, including reverse DNS, is a big issue for running an email server.

> Running a mail server over a domestic connection presents some issues, such as dynamic I.P. ranges appearing in the Spamhaus blocklist, or some tyrannicalesque I.S.P.s blocking outbound port 25 (S.M.T.P. submission port),

Nitpick: SMTP's /submission/ port is TCP 587. "Submission" is a very specific term in SMTP nomenclature. Specifically clients /submitting/ email into the SMTP ecosystem. Server to server happens over the SMTP port. I believe you mean the regular SMTP port, TCP 25.

> but it is possible to have a smooth, self-administered mail server, providing you can put in the time and effort.

Agreed.

ProTip: Running an email server is about more than just SMTP. You really should have a good working understanding of the basics of multiple protocols and technologies that are part of the email ecosystem:

 - SMTP protocol
 - DNS protocol
 - POP3 and / or IMAP client access protocols
 - MTA
 - LDA
 - Virus filtering
 - Spam filtering
 - SPF
 - DKIM
 - DMARC
 - RBLs
 - RWLs
 - Client operations
 - email ecosystem nomenclature

That's just the short list.

When I say "have a good working understanding", I mean that you should be able to provide a 101 level 30-90 second description of each of those items. Actual understanding, not just rote memorization.

> I have been doing it myself for a few years with Courier and Postfix

I've been doing it for 20+ years with multiple MTAs, multiple client MUAs, multiple 3rd party as a service providers. None of any of the components is difficult itself. The annoying thing comes when you try to get multiple to interact well with each other.

> (although I wouldn't recommend Courier; Dovecot is far superior).

To each their own. I chose Courier because it could do things that Dovecot couldn't (at the time I made the decision) and fit my needs considerably better.

Some of the things that you need to make decisions about are learned about with experience, usually unfavorable experience. As in "crap, I don't like the way that works". Thus you make a new decision.

There is (or used to be) much debate about should email accounts be real and have backing Unix (OS) level accounts, or should they be virtual and fall under the auspice of one single Unix (OS) level account that the client access protocol daemon(s) run as. From a purely email perspective, this might not matter. But it really starts to matter if you want friends that have email with you to also be able to host a web site with you and need to connect in to manage their site, thus needing a Unix (OS) level account to do so.

> What do you think?

There are MANY different ways that you can combine the things I listed above. It is usually a personal choice. Some things that work out well in one configuration are completely non-applicable or even detrimental in another configuration.

There are many recipes to get started. You really need to start somewhere, learn as you go, and make your own choices.

--
Grant. . . .
unix || die
Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 8/17/20 6:10 AM, Wols Lists wrote:

> Yup. If you've got mail DNS records pointing at your home server, incoming mail shouldn't be a problem and your vps admin can't snoop :-)

True. But the ISP can still sniff the traffic and you can be subject to DPI.

> Can't you tell your server to forward all outgoing mail to your ISP's SMTP server? That way, you don't have to worry about all the spam issues, and it *should* just pass through.

That can start to run afoul of some SPF configurations. Or you must allow your ISP's SMTP server to send email as you. Which means that other ISP users can also send email as you. You are also beholden to the ISP's SMTP infrastructure not changing, lest a change on their end break your SPF configuration.

I would probably recommend an ESP's SMTP service over your ISP's SMTP service as the ESP will have more experience with this because it's part of their business model.

"Should" is the operative word.

There is also the fact that your outbound email will now potentially, if not likely, sit in the ISP's SMTP server queue, thus re-introducing an opportunity for it to be scrutinized.

> The main worry for snooping is inbound mail waiting for collection - outbound requires a dedicated eavesdropping solution and if they're going to do that they can always snoop ANY outgoing SMTP.

It depends what you mean by "dedicated eavesdropping solution". General network sniffing and / or DPI does not fall under many definitions of dedicated. Carte blanche redirecting / intercepting SMTP traffic through one of their hosts is also possible.

Your local / residential ISP can't do anything if you tunnel your outbound SMTP through an encrypted connection to a VPS. But that re-introduces other complications of VPSs.

--
Grant. . . .
unix || die
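Added example, not part of the message above: a small SPF evaluator run over constructed records, showing both sides of the smarthost trade-off described there. The domains, addresses and the `ZONE` table are hypothetical, and the evaluator is a sketch that handles only the `ip4`, `ip6`, `include` and `all` mechanisms.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records (stand-in for DNS). 203.0.113.10 is the home
# server, 198.51.100.25 is the ISP smarthost shared by all ISP customers.
ZONE = {
    "cm.example": "v=spf1 ip4:203.0.113.10 include:_spf.isp.example -all",
    "strict.example": "v=spf1 ip4:203.0.113.10 -all",
    "_spf.isp.example": "v=spf1 ip4:198.51.100.0/24 -all",
}


def check_spf(domain, ip, zone, depth=0):
    """Evaluate the SPF record of `domain` for connecting address `ip`."""
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # crude stand-in for the RFC 7208 lookup limit
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_spf(arg, ip, zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # only an inner pass counts as a match
        else:
            return "permerror"  # a, mx, redirect= etc. are outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def relay_report(domain, own_ip, relay_ip, zone):
    """SPF result for mail leaving the own server vs. the shared relay."""
    return {"own": check_spf(domain, own_ip, zone),
            "relay": check_spf(domain, relay_ip, zone)}


if __name__ == "__main__":
    # Without the include, mail handed to the smarthost fails SPF.
    print("strict.example", relay_report("strict.example", "203.0.113.10",
                                         "198.51.100.25", ZONE))
    # With the include it passes, but so does any mail that relay emits
    # with this domain in the envelope sender, whoever submitted it.
    print("cm.example    ", relay_report("cm.example", "203.0.113.10",
                                         "198.51.100.25", ZONE))
```

The `pass` for the relay address is a property of the relay, not of the customer behind it, which is why the record cannot distinguish the domain owner from other users of the same smarthost.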
Re: [gentoo-user]
hitachi303 wrote:

> On 17.08.2020 at 14:11, Dale wrote:
>> Many years ago, before I used Gentoo, it was claimed, and likely
>> true, that Govt types were reading our emails looking for key words.
>> Well, as a joke some of us gave them something to read. We put all
>> the keywords in emails with white letters and a white background. A
>> person reading our emails wouldn't see it but it was there,
>> triggering those Govt types into crazy land. It was like a signature
>> but invisible. This was before Facebook or even myspace if I recall
>> correctly.
>
> Where would I get a list with keywords the gov would look for? :-)

If you visit this site, it doesn't allow adblock to be in use. I can't tell if it has the actual list or not. Sites that don't like my adblock blocking their annoying ads that I will never click on get a tab closure. I've never once clicked on an ad or any sponsored link even in google search results. Link may work for you, may not.

https://www.businessinsider.com/nsa-prism-keywords-for-domestic-spying-2013-6

These sites I can see the list. The more obvious ones are further down the list.

https://www.sovereignman.com/lifestyle-design/uncle-sam-admits-monitoring-you-for-these-377-words-6832/

https://www.forbes.com/sites/reuvencohen/2012/05/26/department-of-homeland-security-forced-to-release-list-of-keywords-used-to-monitor-social-networking-sites/

Searching for "nsa email keyword list" should get you quite a few hits. Of course, only idiots will actually use those if they are planning to do anything bad. A smart bad guy would call a bomb a pizza or an apple pie. Of course, we have Govts that don't have the sharpest tools in the shed working there so what more can we expect from them. ROFL

Back then, I think there was less than a hundred words. It seems the list has grown. :/

Dale

:-) :-)
Re: [gentoo-user]
On Monday, 17 August 2020 17:54:25 BST Dale wrote:

[snip ...]

> pie. Of course, we have Govts that don't have the sharpest tools in the
> shed working there so what more can we expect from them. ROFL

They use private IT consultancies for this kind of work. The Gov't work has been outsourced to private oligopolies.

> Back then, I think there was less than a hundred words. It seems the
> list has grown. :/
>
> Dale
>
> :-) :-)

AI is swimming into the pool of Big Data and is learning fast! ;-)
Re: [gentoo-user]
Michael wrote:

> On Monday, 17 August 2020 17:54:25 BST Dale wrote:
>
> [snip ...]
>> pie. Of course, we have Govts that don't have the sharpest tools in the
>> shed working there so what more can we expect from them. ROFL
> They use private IT consultancies for this kind of work. The Gov't work has
> been outsourced to private oligopolies.

Likely true but the Govt folks usually tell them what to look for.

>> Back then, I think there was less than a hundred words. It seems the
>> list has grown. :/
>>
>> Dale
>>
>> :-) :-)
> AI is swimming into the pool of Big Data and is learning fast! ;-)

I strongly suspect that by now they put words into context. That likely weeds out some false positives. Just because a person says bomb doesn't mean just that. Years ago in my younger days, saying something was a bomb meant different things and none of them were related to an explosion. The AI component of that can weed through that.

It's sort of amazing how when computers get better at doing bad things, they also get better at good things. One could reverse that as well. On one hand, poisonous gas or a really nasty virus. On the other hand, cure for cancer one day. Or cure for something else. Heck, even good treatments are good even if it isn't a complete cure. Just weird how that works at times.

Dale

:-) :-)
Re: [gentoo-user]
On Mon, Aug 17, 2020 at 12:40:52PM -0500, Dale wrote:

> That likely weeds out some false positives. Just because a person says bomb
> doesn't mean just that.

Considering some of the words in this list, I can't seriously imagine they monitor every flagged case. Here are some of the more entertaining ones:

    Passwords; Hackers; Secure Internet Connections; Firewalls; SSL;
    Police; High Security; basement; ID; Bob; gorilla; Global

... and my personal favourite, "WANK".

--
Ashley Dixon
suugaku.co.uk

2A9A 4117 DA96 D18A 8A7B B0D2 A30E BF25 F290 A8AA
Re: [gentoo-user]
Ashley Dixon wrote:

> On Mon, Aug 17, 2020 at 12:40:52PM -0500, Dale wrote:
>> That likely weeds out some false positives. Just because a person says bomb
>> doesn't mean just that.
> Considering some of the words in this list, I can't seriously imagine they
> monitor every flagged case. Here are some of the more entertaining ones:
>
>     Passwords; Hackers; Secure Internet Connections; Firewalls; SSL;
>     Police; High Security; basement; ID; Bob; gorilla; Global
>
> ... and my personal favourite, "WANK".

That's why I suspect they have methods of putting words into context. To me, some of them are even a bit silly.

Dale

:-) :-)
Re: [gentoo-user]
On 17/08/2020 13:11, Dale wrote:

> We put all the keywords in emails with white letters and a white background.

And how do I do that when I use plain latin-1 (or unicode) emails ... ?

Cheers,
Wol
Re: [gentoo-user]
antlists wrote:

> On 17/08/2020 13:11, Dale wrote:
>> We put all the keywords in emails with white letters and a white
>> background.
>
> And how do I do that when I use plain latin-1 (or unicode) emails ... ?
>
> Cheers,
> Wol

I'd guess it requires HTML email. This was before I started using Gentoo and this mailing list or plain text email.

Dale

:-) :-)
[gentoo-user] Re: tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
On 2020-08-17, Wols Lists wrote:

> Can't you tell your server to forward all outgoing mail to your ISP's
> SMTP server? That way, you don't have to worry about all the spam
> issues, and it *should* just pass through.

With many ISPs that will only work if you want the e-mail to come from your ISP-provided e-mail address.

--
Grant