Re: [gentoo-user] inhouse email

2005-10-26 Thread Stroller


On Oct 27, 2005, at 12:01 am, Elliott Clark wrote:


> I too have a local mail server and I came to the conclusion that I 
> would really like an mx backup server.  However I already spend too 
> much on internet services.  So what I would love to do is set up some 
> kind of gentoo community run mx backup web.  Something where users get 
> 2 backup servers and they are a backup server for two others.  However 
> this would require some trust and a lot of programming to get a utility 
> to create configs for all of the different mail servers out there.
> 
> I posted on the forums but didn't get any real response so looks like 
> the flaws are too great.  But the idea still kinda stands: find someone 
> else who needs an mx server and exchange.  You be their backup and they 
> be yours.


I posted here for DNS secondary volunteers a year or two back, and 
found a guy to host my secondary DNS for me. He seemed very reputable, 
having written computing books & being referenced in Unix mailing lists 
10 years old, but he fell off the internet without telling me. According 
to a friend of his he's not dead, just quit all internet use 
completely.


From this experience I'd advise you not to trust anyone with your 
secondary unless you're paying them to maintain it. I have friends 
locally who run their own servers and although I trust them to get me 
home when I'm drunk, on reflection I wouldn't trust them with a favour 
like this. It wouldn't surprise me at all if they were just to forget 
they were hosting my records when they reinstalled their server, and in 
things like this you only find out about it when you actually NEED the 
backup. $10 a year seems very cheap for such a service, IMHO - you'd 
spend more than that thanking your friends with beer.


Stroller.

--
gentoo-user@gentoo.org mailing list



[gentoo-user] inhouse email

2005-10-24 Thread Mark
Can anyone who has done it comment on the downside (if any) of bringing
email in-house, as opposed to continuing to pay a hosting provider? My
plan is to have a separate server, sitting by itself in the DMZ, so the
internal LAN should remain relatively safe. The DSL provider we use
will host the DNS records (MX). We have a top-notch firewall already in
place, but this is the first step we've taken toward making anything
available inbound, so I'm cautiously optimistic.

-- 
Mark
[unwieldy legal disclaimer would go here - feel free to type your own]


Re: [gentoo-user] inhouse email

2005-10-24 Thread John Jolet
Two things, well several things, really.  You need more than one mail server, 
or you need a store-and-forward mx in case your mail server goes down.  
Second, I'd make sure you put antivirus and spam guards on the mail server, 
and that it's beefy enough to handle the traffic.  A good split is to put a 
bastion mail server doing antivirus and spam checks, but no user verification 
outside the firewall (or inside a non-natting firewall), and have him just 
forward everything to a secure mail server inside.  Put the secure mail 
server with a non-routable ip, and the bastion mail server with one public 
ip, and one non-routable, to talk to the secure mail server.  Make sure both 
mail servers are up-to-date and kept up to date patchwise.  Run NO other 
services (except maybe ssh) on either server.
On Monday 24 October 2005 10:29, Mark wrote:
> Can anyone who has done it comment on the downside (if any) of bringing
> email in-house, as opposed to continuing to pay a hosting provider? My plan
> is to have a separate server, sitting by itself in the DMZ, so the internal
> LAN should remain relatively safe. The DSL provider we use will host the
> DNS records (MX). We have a top-notch firewall already in place, but this
> is the first step we've taken toward making anything available inbound, so
> I'm cautiously optimistic.
>
> --
> Mark
> [unwieldy legal disclaimer would go here - feel free to type your own]

-- 
John Jolet
Your On-Demand IT Department
512-762-0729
www.jolet.net
[EMAIL PROTECTED]
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] inhouse email

2005-10-24 Thread Michael Sullivan
On Mon, 2005-10-24 at 11:29 -0400, Mark wrote:
> Can anyone who has done it comment on the downside (if any) of
> bringing email in-house, as opposed to continuing to pay a hosting
> provider? My plan is to have a separate server, sitting by itself in
> the DMZ, so the internal LAN should remain relatively safe. The DSL
> provider we use will host the DNS records (MX). We have a top-notch
> firewall already in place, but this is the first step we've taken
> toward making anything available inbound, so I'm cautiously
> optimistic.
> 
> -- 
> Mark
> [unwieldy legal disclaimer would go here - feel free to type your own]

I have an in-house mail server.  In my experience, the only problem I
have with it is when our cable Internet goes out.  I pay $99USD a month
for cable Internet with a static IP and the cable usually goes out for a
couple of hours on the weekends (grrr).  Other than that I haven't
really had any problems with it...

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] inhouse email

2005-10-24 Thread John Jolet
On Monday 24 October 2005 10:37, Michael Sullivan wrote:
> On Mon, 2005-10-24 at 11:29 -0400, Mark wrote:
> > Can anyone who has done it comment on the downside (if any) of
> > bringing email in-house, as opposed to continuing to pay a hosting
> > provider? My plan is to have a separate server, sitting by itself in
> > the DMZ, so the internal LAN should remain relatively safe. The DSL
> > provider we use will host the DNS records (MX). We have a top-notch
> > firewall already in place, but this is the first step we've taken
> > toward making anything available inbound, so I'm cautiously
> > optimistic.
> >
> > --
> > Mark
> > [unwieldy legal disclaimer would go here - feel free to type your own]
>
> I have an in-house mail server.  In my experience, the only problem I
> have with it is when our cable Internet goes out.  I pay $99USD a month
> for cable Internet with a static IP and the cable usually goes out for a
> couple of hours on the weekends (grrr).  Other than that I haven't
> really had any problems with it...
this might be a little off-topic, but zoneedit.com will provide a 
store-and-forward backup mx for like $10/year.  That's what I use.
-- 
John Jolet
Your On-Demand IT Department
512-762-0729
www.jolet.net
[EMAIL PROTECTED]
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] inhouse email

2005-10-24 Thread Jonathan Wright

Mark wrote:
> Can anyone who has done it comment on the downside (if any) of bringing 
> email in-house, as opposed to continuing to pay a hosting provider? My 
> plan is to have a separate server, sitting by itself in the DMZ, so the 
> internal LAN should remain relatively safe. The DSL provider we use will 
> host the DNS records (MX). We have a top-notch firewall already in 
> place, but this is the first step we've taken toward making anything 
> available inbound, so I'm cautiously optimistic.


Generally, most mail will sit in a queue for around 3 days before 
failing to deliver - but that depends on the host/server. So, the odd 
outage shouldn't be a problem - at least it's not with me here :)


Also, it's worth double-checking to see if your ISP will allow port 25 
inwards. Some don't, and you wouldn't want to do all that work only to 
find nothing happening! :/


--
 Jonathan Wright   ~ mail at djnauk.co.uk
   ~ www.djnauk.co.uk
--
 2.6.13-gentoo-r3-djnauk-b2 AMD Athlon(tm) XP 2100+
 up  4:46,  1 user,  load average: 0.69, 0.55, 0.50
--
 Did you hear about the Scottish drag queen? He wore pants.

~ Lynn Lavner
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] inhouse email

2005-10-24 Thread Thomas T. Veldhouse

Mark wrote:

> Can anyone who has done it comment on the downside (if any) of 
> bringing email in-house, as opposed to continuing to pay a hosting 
> provider? My plan is to have a separate server, sitting by itself in 
> the DMZ, so the internal LAN should remain relatively safe. The DSL 
> provider we use will host the DNS records (MX). We have a top-notch 
> firewall already in place, but this is the first step we've taken 
> toward making anything available inbound, so I'm cautiously optimistic.


You might want to find a provider to be your secondary MX so that email 
will get queued and forwarded upon failure of your DSL or your server.


Tom Veldhouse

--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] inhouse email

2005-10-24 Thread Digby Tarvin
It is easy enough to set it up and test it in parallel with your
current setup. Nothing important should be directed there till you
advertise it..

I have been running a mail server on my home system ever since I got
my DSL connection at home. It is where I normally direct mailing
list traffic and other correspondence which is non critical,
because I can create dedicated aliases which all point to the
same ultimate mailbox, making it easy to identify where spammers
have been obtaining addresses from, and making it possible to just
invalidate the affected address...

For personal mail that I want to be able to access when I am
travelling I use a mail forwarding address which can be
pointed at an ISP hosted POP3 mailbox (which is polled using
fetchmail when I am home) or when needed can be pointed direct
to my home server.

Regards,
DigbyT

On Mon, Oct 24, 2005 at 05:11:02PM +0100, Jonathan Wright wrote:
> Mark wrote:
> > Can anyone who has done it comment on the downside (if any) of bringing 
> > email in-house, as opposed to continuing to pay a hosting provider? My 
> > plan is to have a separate server, sitting by itself in the DMZ, so the 
> > internal LAN should remain relatively safe. The DSL provider we use will 
> > host the DNS records (MX). We have a top-notch firewall already in 
> > place, but this is the first step we've taken toward making anything 
> > available inbound, so I'm cautiously optimistic.
> 
> Generally, most mail will sit in a queue for around 3 days before 
> failing to deliver - but that depends on the host/server. So, the odd 
> outage shouldn't be a problem - at least it's not with me here :)
> 
> Also, it's worth double-checking to see if your ISP will allow port 25 
> inwards. Some don't, and you wouldn't want to do all that work only to 
> find nothing happening! :/
> 
> -- 
>  Jonathan Wright   ~ mail at djnauk.co.uk
>                    ~ www.djnauk.co.uk
> --
>  2.6.13-gentoo-r3-djnauk-b2 AMD Athlon(tm) XP 2100+
>  up  4:46,  1 user,  load average: 0.69, 0.55, 0.50
> --
>  Did you hear about the Scottish drag queen? He wore pants.
> 
> ~ Lynn Lavner
> -- 
> gentoo-user@gentoo.org mailing list

-- 
Digby R. S. Tarvin [EMAIL PROTECTED]
http://www.digbyt.com
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] inhouse email

2005-10-24 Thread Jonathan Wright

Digby Tarvin wrote:

> It is easy enough to set it up and test it in parallel with your
> current setup. Nothing important should be directed there till you
> advertise it..


That's fine for outgoing mail, but unless an MX record exists for the 
internal server on a domain/subdomain, it's difficult to 'direct' 
traffic from the outside in.


The only other way I can think of is to test the server using either a 
telnet port or a script from an off-site computer onto the new server.



> I have been running a mail server on my home system ever since I got
> my DSL connection at home. It is where I normally direct mailing
> list traffic and other correspondence which is non critical,
> because I can create dedicated aliases which all point to the
> same ultimate mailbox, making it easy to identify where spammers
> have been obtaining addresses from, and making it possible to just
> invalidate the affected address...
> 
> For personal mail that I want to be able to access when I am
> travelling I use a mail forwarding address which can be
> pointed at an ISP hosted POP3 mailbox (which is polled using
> fetchmail when I am home) or when needed can be pointed direct
> to my home server.


All my e-mail comes in on my home server and has been now for ~3 years, 
along with my family's for the last year or so now that multiple domains 
have been set up. I've even used it as an emergency backup for another 
server when that went down.


As for remote access, I use IMAP over SSL. Most new phones and PDA's 
support SSL encryption over IMAP and SMTP, plus I have the advantage of 
all my mail being handled from one location.


--
 Jonathan Wright   ~ mail at djnauk.co.uk
   ~ www.djnauk.co.uk
--
 2.6.13-gentoo-r3-djnauk-b2 AMD Athlon(tm) XP 2100+
 up  5:41,  2 users,  load average: 1.22, 0.86, 0.83
--
 I can't help looking gay. I put on  a  dress  and  people  say,
 Who's the dyke in the dress?

   ~ Karen Ripley
--
gentoo-user@gentoo.org mailing list
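Jonathan's suggestion above, testing the new server from an off-site machine with telnet or a script before any MX record points at it, and his earlier warning that some ISPs block port 25 inbound, can both be checked with a few lines of Python. The script below is an added example, not code from this thread or from any of its posters; it speaks just enough SMTP to confirm that a connection on port 25 reaches an MTA (220 banner) and that EHLO is answered with 250, then sends QUIT. The host name `tester.example`, the fake local server used to run it offline, and its banner text are all constructed for the demonstration.

```python
# Added example: off-site SMTP reachability check for a freshly built mail
# server. Nothing beyond EHLO and QUIT is sent, so it is safe to run against
# your own server from outside while the MX record still points elsewhere.
import socket
import threading


def _read_reply(reader):
    """Read one SMTP reply (single or multi-line); return (code, lines)."""
    lines = []
    while True:
        raw = reader.readline()
        if not raw:
            raise ConnectionError("connection closed before reply finished")
        text = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(text)
        # "250-..." continues a multi-line reply; "250 ..." (or shorter) ends it
        if len(text) < 4 or text[3] != "-":
            return int(text[:3]), lines


def smtp_handshake(host, port=25, helo_name="tester.example", timeout=10):
    """Connect to host:port, read the banner, send EHLO, then QUIT.

    Returns a dict; 'reachable' is True only if the banner was 220 and EHLO
    was answered with 250. A blocked port 25 shows up as a connection error.
    """
    result = {"banner_code": None, "banner": None, "ehlo_code": None,
              "reachable": False}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        result["banner_code"], banner = _read_reply(reader)
        result["banner"] = banner[0]
        sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
        result["ehlo_code"], _ = _read_reply(reader)
        sock.sendall(b"QUIT\r\n")
        try:
            _read_reply(reader)          # 221, if the server bothers to answer
        except ConnectionError:
            pass
    result["reachable"] = (result["banner_code"] == 220
                           and result["ehlo_code"] == 250)
    return result


def start_fake_smtp_server():
    """Constructed stand-in MTA on 127.0.0.1 so the check can be run offline.

    Returns the port it listens on. It answers the banner, EHLO and QUIT only;
    it is a test fixture, not a mail server.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve():
        conn, _ = listener.accept()
        listener.close()
        with conn:
            conn.sendall(b"220 fake.example ESMTP constructed test server\r\n")
            reader = conn.makefile("rb")
            while True:
                line = reader.readline()
                if not line:
                    break
                verb = line[:4].upper()
                if verb == b"EHLO":
                    conn.sendall(b"250-fake.example\r\n250 SIZE 10240000\r\n")
                elif verb == b"QUIT":
                    conn.sendall(b"221 fake.example closing connection\r\n")
                    break
                else:
                    conn.sendall(b"502 command not implemented\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_smtp_server()
    print(smtp_handshake("127.0.0.1", port))
```

Against a real deployment you would call `smtp_handshake("your.public.ip")` from a machine outside the DSL provider's network; a timeout or refused connection there, with the server answering fine on the LAN, is the ISP-blocks-port-25 case Jonathan warns about.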



Re: [gentoo-user] inhouse email

2005-10-24 Thread Marshal Newrock
On Monday 24 October 2005 11:36, John Jolet wrote:
> Two things, well several things, really.  You need more than one mail
> server, or you need a store-and-forward mx in case your mail server goes
> down. Second, I'd make sure you put antivirus and spam guards on the mail
> server, and that it's beefy enough to handle the traffic.  A good split
> is to put a bastion mail server doing antivirus and spam checks, but no
> user verification outside the firewall (or inside a non-natting
> firewall), and have him just forward everything to a secure mail server
> inside.  Put the secure mail server with a non-routable ip, and the
> bastion mail server with one public ip, and one non-routable, to talk to
> the secure mail server.  Make sure both mail servers are up-to-date and
> kept up to date patchwise.  Run NO other services (except maybe ssh) on
> either server.

I'd like to disagree with a couple points on here.

First off, a secondary MX is not necessary.  If an email can't get through 
due to a server being down, it will be retried and get through later when 
the server is up.

Second, if you are receiving email from the outside world and are not doing 
any user verification, you are a source of backscatter, and therefore of 
spam.  Do not accept mail for invalid recipients.  Do not have a secondary 
MX if you can not do recipient verification with it.  Accept-and-bounce is 
spam.

Depending on the amount of mail received, it's not necessary to separate 
services to different boxes.  Sending and receiving mail takes very little 
resources.  It's the extra services, such as spam and antivirus, that 
require heavier hardware, again depending on your load.  You do want to 
make sure, though, that no outside connections are possible to any spam or 
virus filtering programs on the mail server.

-- 
gentoo-user@gentoo.org mailing list
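Marshal's backscatter point is easiest to see by running some traffic through the two designs. The simulation below is an added example, not code from this thread or from any poster: a primary MX that knows its users and a secondary MX that either has the same recipient list or, as in the "no user verification" setup, accepts everything and relays it later. All addresses, domains and messages are constructed. A secondary that cannot verify recipients turns every dictionary-attack probe with a forged sender into a bounce aimed at an innocent address, which is exactly the spam Marshal describes; the same secondary with a recipient list rejects those probes at RCPT TO and generates nothing.

```python
# Added example: accept-and-bounce versus reject-at-RCPT on a secondary MX.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass
class Envelope:
    mail_from: str   # as given in MAIL FROM; spam routinely forges this
    rcpt_to: str


@dataclass
class MailServer:
    name: str
    # Addresses this server can vouch for; None means "cannot verify, accept all"
    known_recipients: Optional[FrozenSet[str]]
    inbox: List[Envelope] = field(default_factory=list)
    bounces_sent_to: List[str] = field(default_factory=list)

    def rcpt_to(self, env: Envelope) -> int:
        """SMTP reply code for RCPT TO. A 550 here is returned while the sender
        is still connected, so the sender's MTA handles it and no new mail is
        generated on our side."""
        if self.known_recipients is None:
            return 250
        return 250 if env.rcpt_to.lower() in self.known_recipients else 550


def deliver_via_secondary(secondary: MailServer, primary: MailServer,
                          env: Envelope) -> str:
    """Primary is down: mail lands on the secondary, which relays it later."""
    if secondary.rcpt_to(env) == 550:
        return "rejected"
    # Accepted and queued. When the primary comes back the secondary relays it.
    if primary.rcpt_to(env) == 250:
        primary.inbox.append(env)
        return "delivered"
    # The primary refuses the relayed message. The secondary already took
    # responsibility for it, so its only option is a bounce to MAIL FROM, which
    # for spam is usually an innocent third party: that bounce is backscatter.
    secondary.bounces_sent_to.append(env.mail_from)
    return "bounced"


VALID_USERS = frozenset({"sales@example.org", "info@example.org"})

# Constructed traffic: two real messages and a dictionary-attack burst with
# forged senders at a domain that never sent anything.
SAMPLE_TRAFFIC = [
    Envelope("alice@partner.example", "sales@example.org"),
    Envelope("bob@partner.example", "info@example.org"),
    Envelope("victim1@innocent.example", "qwerty@example.org"),
    Envelope("victim2@innocent.example", "jsmith@example.org"),
    Envelope("victim3@innocent.example", "admin1@example.org"),
]


def run_scenario(secondary_can_verify: bool) -> dict:
    """Run the sample traffic through a primary/secondary pair and tally."""
    primary = MailServer("mx1", VALID_USERS)
    secondary = MailServer("mx2", VALID_USERS if secondary_can_verify else None)
    tally = {"delivered": 0, "rejected": 0, "bounced": 0}
    for env in SAMPLE_TRAFFIC:
        tally[deliver_via_secondary(secondary, primary, env)] += 1
    tally["backscatter_victims"] = sorted(set(secondary.bounces_sent_to))
    return tally


if __name__ == "__main__":
    print("secondary without recipient list:", run_scenario(False))
    print("secondary with recipient list:   ", run_scenario(True))
```

The same logic applies to a bastion host in front of an internal mail server: if the outer box cannot answer "does this user exist?" at RCPT time, it is the outer box that ends up sending the bounces.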



Re: [gentoo-user] inhouse email

2005-10-24 Thread kashani

John Jolet wrote:
> Two things, well several things, really.  You need more than one mail server, 
> or you need a store-and-forward mx in case your mail server goes down.  
> Second, I'd make sure you put antivirus and spam guards on the mail server, 
> and that it's beefy enough to handle the traffic.  A good split is to put a 
> bastion mail server doing antivirus and spam checks, but no user verification 
> outside the firewall (or inside a non-natting firewall), and have him just 
> forward everything to a secure mail server inside.  Put the secure mail 
> server with a non-routable ip, and the bastion mail server with one public 
> ip, and one non-routable, to talk to the secure mail server.  Make sure both 
> mail servers are up-to-date and kept up to date patchwise.  Run NO other 
> services (except maybe ssh) on either server.


	I'd skip the store and forward, it does nothing for you IMHO. The 
default queue time on most mail servers is 5 days. That should be more 
than enough time to get your mail server up and running or move your 
mail to somewhere else. If 5 days isn't enough time to make 
arrangements, then having a backup MX with store and forward would add 
some value. However store and forward servers don't allow you to check 
your mail from them in most cases so we're talking about no one in the 
office getting their mail for 5+ days. I'd definitely make plans for an 
outage, but I don't see store and forward as a necessary part of 
disaster recovery.


	Before splitting your mail up into multiple machines think about the 
number of users you have, the amount of mail you get, and what sort of 
server you have. A decent sized server can easily deal with a 50-100 
person office using webmail, imap, and spam filtering. I'm sure you can 
find someway to shoot yourself in the foot and need more servers, but 
some simple planning should keep that from happening.


1. Block mail up front.
	Use greylisting as it stops spam before it enters the MTA's queue. This 
keeps 90% of my spam from even entering the more resource intensive 
filtering processes.


2. Don't use blacklists
	30% false positive rate. Compared to 1-2% for Bayesian or Markovian 
filtering.


3. Do some simple checks up front, but don't do too many.
	Require a helo, reject invalid hostnames, reject unknown domains, 
reject non FQDN, and that's pretty much it. Requiring DNS to match and 
other checks is something you can do, but I've found that there are too 
many poorly configured legitimate mail servers for this to be worth the 
hassle.


	Protecting your mail server is good, but you need to make that decision 
based on how you plan to use it. I've seen offices where you had to log 
into the VPN in order to check your mail, much like the system John 
described above. I've seen others where it was out on a public IP with 
no protection. Personally I go for somewhere in the middle.


1. Firewall
	You have one, so no problems here. Do remember that any sort of smtp 
protocol inspection usually breaks smtp-auth so you may need to turn 
that off.


2. Encryption
	You're not going to have all sorts of barely literate idiots using 
your mail server so you can configure and force all your users to use 
TLS with smtp, imap-ssl, pop3-ssl, and actually not run the insecure 
services at all.


3. Webmail and user management
	I needed to support webmail and also wanted to use PostfixAdmin as the 
frontend to mail. PostfixAdmin allows users to change their password and 
set their own vacations which is all stuff I don't have to do anymore. 
PostfixAdmin also allows me to create users, aliases, add domains, etc 
without having to deal with phpmyadmin or writing the SQL manually in a 
virtual system... you might not need to get that complicated. I'm also 
running Horde and did some changes that allow users to change their 
password through there as well to keep support requests down. Running 
these requires Apache, mod_php, and mod_ssl if you want to force https 
for logins and what not. If you're small enough I'd just force https 
period.
	I suspect that you'll need webmail or it'll just be too handy not to 
do. Make sure you look into some of the tuning stuff to keep it fast 
like imap-proxy.


kashani
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] inhouse email

2005-10-24 Thread Digby Tarvin
On Mon, Oct 24, 2005 at 06:08:05PM +0100, Jonathan Wright wrote:
 
> That's fine for outgoing mail, but unless an MX record exists for the 
> internal server on a domain/subdomain, it's difficult to 'direct' 
> traffic from the outside in.
> 
> The only other way I can think of is to test the server using either a 
> telnet port or a script from an off-site computer onto the new server.

No, it is very easy. All I had was a static IP from my service provider
and a router with port 25 forwarded to an internal mail server host.

To get the mail working all I had to do was create a domain name
(using the free service at freedns.afraid.org) and point it at
my static IP.

I think it is possible to set up an MX record explicitly, but I have
never bothered because so far everything that has tried to send
mail to it has worked fine defaulting to using the A record in
the absence of an MX record.

This mailing list is being delivered to my host using the address
gentoo_at_skaro.afraid.org, and dig gives me the following output
for the domain:
penemunde usb # dig skaro.afraid.org

; <<>> DiG 9.2.5 <<>> skaro.afraid.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34970
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 7

;; QUESTION SECTION:
;skaro.afraid.org.              IN      A

;; ANSWER SECTION:
skaro.afraid.org.       60      IN      A       195.157.127.247

;; AUTHORITY SECTION:
afraid.org.             86400   IN      NS      ns5.afraid.org.
afraid.org.             86400   IN      NS      ns6.afraid.org.
afraid.org.             86400   IN      NS      ns7.afraid.org.
afraid.org.             86400   IN      NS      ns1.afraid.org.
afraid.org.             86400   IN      NS      ns2.afraid.org.
afraid.org.             86400   IN      NS      ns3.afraid.org.
afraid.org.             86400   IN      NS      ns4.afraid.org.

;; ADDITIONAL SECTION:
ns1.afraid.org.         1800    IN      A       70.84.177.198
ns2.afraid.org.         1800    IN      A       204.11.167.30
ns3.afraid.org.         1800    IN      A       69.28.135.46
ns4.afraid.org.         1800    IN      A       70.86.10.35
ns5.afraid.org.         1800    IN      A       70.86.10.32
ns6.afraid.org.         1800    IN      A       70.86.10.33
ns7.afraid.org.         3600    IN      A       70.86.10.34

;; Query time: 157 msec
;; SERVER: 203.27.41.5#53(203.27.41.5)
;; WHEN: Mon Oct 24 20:30:22 2005
;; MSG SIZE  rcvd: 288

Regards,
DigbyT
-- 
Digby R. S. Tarvin [EMAIL PROTECTED]
http://www.digbyt.com
-- 
gentoo-user@gentoo.org mailing list
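Digby's domain works without an MX record because of the fallback rule in RFC 5321 section 5.1: when a domain has no MX records, the sending MTA treats the domain itself as an MX with preference 0 and connects to its address record. The code below is an added example, not from this thread or any poster; it parses answer lines in the dig format shown above (the skaro.afraid.org line mirrors Digby's output, the partner.example and nomail.example records are constructed for contrast) and applies that selection rule, including the RFC 7505 "null MX" case where a domain advertises that it takes no mail at all.

```python
# Added example: RFC 5321 mail-target selection over a constructed zone
# written in dig's answer-section format (name ttl class type rdata).
from typing import Dict, List, Tuple

Zone = Dict[str, List[Tuple[str, str]]]

DIG_ANSWERS = """
skaro.afraid.org.      60    IN  A   195.157.127.247
partner.example.       300   IN  MX  20 mx2.partner.example.
partner.example.       300   IN  MX  10 mx1.partner.example.
partner.example.       300   IN  A   192.0.2.10
mx1.partner.example.   300   IN  A   192.0.2.25
mx2.partner.example.   300   IN  A   192.0.2.26
nomail.example.        300   IN  MX  0 .
"""


def parse_dig_answers(text: str) -> Zone:
    """Parse 'name ttl class type rdata' lines into {name: [(type, rdata)]}."""
    zone: Zone = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, _ttl, _class, rtype, rdata = line.split(None, 4)
        zone.setdefault(name.lower(), []).append((rtype.upper(), rdata.strip()))
    return zone


def mail_targets(domain: str, zone: Zone) -> List[Tuple[int, str]]:
    """Ordered (preference, hostname) list of hosts to try for a domain.

    No MX records: the domain itself is an implicit MX with preference 0
    (RFC 5321 5.1), provided it has an address record. A single MX whose
    target is "." is the RFC 7505 null MX: the domain accepts no mail.
    """
    name = domain.lower().rstrip(".") + "."
    records = zone.get(name, [])
    mx = []
    for rtype, rdata in records:
        if rtype == "MX":
            pref, host = rdata.split(None, 1)
            mx.append((int(pref), host.lower()))
    if not mx:
        has_address = any(rtype in ("A", "AAAA") for rtype, _ in records)
        return [(0, name)] if has_address else []
    if len(mx) == 1 and mx[0][1] == ".":
        return []
    # Lowest preference first. Equal preferences should be tried in random
    # order per RFC 5321; a stable sort is used here for predictability.
    return sorted(mx, key=lambda item: item[0])


def next_hops(domain: str, zone: Zone) -> List[Tuple[int, str, str]]:
    """Expand each target host to its IPv4 addresses: (pref, host, ip)."""
    hops = []
    for pref, host in mail_targets(domain, zone):
        for rtype, rdata in zone.get(host, []):
            if rtype == "A":
                hops.append((pref, host, rdata))
    return hops


ZONE = parse_dig_answers(DIG_ANSWERS)

if __name__ == "__main__":
    for d in ("skaro.afraid.org", "partner.example", "nomail.example",
              "missing.example"):
        print(d, "->", next_hops(d, ZONE))
```

The practical consequence for a home setup is the one Digby found: an A record pointing at the static IP is enough for inbound mail. Adding an explicit MX only matters once you want a second host (a backup MX, or a web server on the A record that should not receive mail).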



Re: [gentoo-user] inhouse email

2005-10-24 Thread Thomas T. Veldhouse

Marshal Newrock wrote:


> I'd like to disagree with a couple points on here.
> 
> First off, a secondary MX is not necessary.  If an email can't get through 
> due to a server being down, it will be retried and get through later when 
> the server is up.
> 

That is true, if the down time is short in duration [say under three 
days].  However, not all servers are respectful of this downtime.  The 
Gentoo list servers are an example of those that patronize you for being 
down.


Tom Veldhouse

--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] inhouse email

2005-10-24 Thread Thomas T. Veldhouse

kashani wrote:


> 1. Block mail up front.
> Use greylisting as it stops spam before it enters the MTA's queue. 
> This keeps 90% of my spam from even entering the more resource 
> intensive filtering processes.


This is a very effective filter.  However, it does greatly slow down 
delivery of legitimate email.  I found it a bit of a pain.  Further, 
there are those servers out there that respond to greylisting as a 
bounce, so you need to specifically configure accordingly.



> 2. Don't use blacklists
> 30% false positive rate. Compared to 1-2% for Bayesian or 
> Markovian filtering.


I use both.  As far as false positives go, I have had very few false 
positives ... in fact, I can not think of any.  But, for a corporate 
setting, I would not use it, but instead leave it all to software like 
DSPAM or Spam Assassin.



> 3. Do some simple checks up front, but don't do too many.
> Require a helo, reject invalid hostnames, reject unknown domains, 
> reject non FQDN, and that's pretty much it. Requiring DNS to match and 
> other checks is something you can do, but I've found that there are 
> too many poorly configured legitimate mail servers for this to be 
> worth the hassle.



All corporate servers should implement this IMHO ...

I am always surprised how many sites out there send mail directly from 
webservers in a DMZ that do not have proper FQDN setup.  I tend to find 
these upon making an order and not getting an email ... log searches 
reveal the problem.  So, if you want maximum ability to receive email, 
don't enforce these rules.


Tom Veldhouse
--
gentoo-user@gentoo.org mailing list
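The "simple checks up front" from kashani's item 3 and Thomas's observation about DMZ web servers that greet with a bare host name come down to a short decision function on the HELO and MAIL FROM values. The code below is an added example, not from this thread or any poster. It implements the four checks kashani keeps (HELO required, syntactically valid, fully qualified, sender domain resolvable) and makes the one he drops (HELO must match the client's reverse DNS) an option, so you can see how a legitimate but sloppily configured sender passes the first set and fails the stricter rule. The DNS table, host names and addresses are constructed; the reply codes follow common MTA practice (501 for a syntax error, 504 for a non-FQDN name, 450 for a domain that cannot be found, which is temporary so a DNS outage on your side does not bounce mail) rather than any particular product's defaults.

```python
# Added example: front-end envelope checks in the spirit of kashani's item 3.
import re
from typing import Dict, Optional, Set, Tuple

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed DNS stand-in: domain -> record types that exist for it.
FAKE_DNS: Dict[str, Set[str]] = {
    "partner.example": {"MX", "A"},
    "mail.partner.example": {"A"},
    "shop.example": {"A"},          # DMZ web server: A record, no MX
}


def is_valid_hostname(name: str) -> bool:
    """Syntactic check: dot-separated labels, no leading/trailing hyphen."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def is_fqdn(name: str) -> bool:
    """A valid hostname with at least two labels, e.g. 'mail.partner.example'."""
    return is_valid_hostname(name) and "." in name.rstrip(".")


def domain_resolves(domain: str, dns: Dict[str, Set[str]]) -> bool:
    """A sender domain is 'known' if it has an MX or address record."""
    return bool(dns.get(domain.lower().rstrip("."), set()) & {"MX", "A", "AAAA"})


def check_envelope(helo: Optional[str], mail_from: str,
                   dns: Dict[str, Set[str]] = FAKE_DNS,
                   require_rdns_match: bool = False,
                   client_rdns: Optional[str] = None) -> Tuple[int, str]:
    """Decide whether to accept MAIL FROM given the HELO seen earlier.

    Cheap syntax checks run first and DNS lookups last. The null sender
    (MAIL FROM:<>) is legitimate for bounces and skips the domain checks.
    """
    if not helo:
        return 503, "send HELO/EHLO first"
    if not is_valid_hostname(helo):
        return 501, "HELO hostname is syntactically invalid"
    if not is_fqdn(helo):
        return 504, "HELO hostname is not a fully qualified domain name"
    if require_rdns_match and (client_rdns or "").lower() != helo.lower():
        # The strict rule kashani skips: many legitimate hosts fail it.
        return 550, "HELO hostname does not match client reverse DNS"
    if mail_from:
        sender_domain = mail_from.rpartition("@")[2]
        if not is_fqdn(sender_domain):
            return 504, "sender address needs a fully qualified domain"
        if not domain_resolves(sender_domain, dns):
            return 450, "sender domain not found"
    return 250, "ok"


if __name__ == "__main__":
    cases = [
        ("mail.partner.example", "alice@partner.example"),
        (None, "alice@partner.example"),
        ("webserver1", "orders@shop.example"),     # the DMZ box Thomas describes
        ("shop.example", "orders@shop.example"),   # same box with a proper HELO
        ("mail.partner.example", "eve@unknown.example"),
        ("-bad-.example", "x@partner.example"),
        ("mail.partner.example", ""),
    ]
    for helo, sender in cases:
        print(helo, sender, "->", check_envelope(helo, sender))
    print("strict rDNS:", check_envelope("shop.example", "orders@shop.example",
                                         require_rdns_match=True,
                                         client_rdns="dsl-198-51-100-7.isp.example"))
```

The `webserver1` case is the order-confirmation mail Thomas never receives: it fails the non-FQDN check that both he and kashani recommend, which is the trade-off his last sentence points at.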



Re: [gentoo-user] inhouse email

2005-10-24 Thread kashani

Thomas T. Veldhouse wrote:

> kashani wrote:
> 
> > 1. Block mail up front.
> > Use greylisting as it stops spam before it enters the MTA's queue. 
> > This keeps 90% of my spam from even entering the more resource 
> > intensive filtering processes.
> 
> This is a very effective filter.  However, it does greatly slow down 
> delivery of legitimate email.  I found it a bit of a pain.  Further, 
> there are those servers out there that respond to greylisting as a 
> bounce, so you need to specifically configure accordingly.


	I set mine with a time of one minute. Hardly any spam retries so the 
time really isn't important. However hotmail and the like often retry 
once every minute for the first three minutes and then attempt again 
fifteen minutes later. With the one minute time most people don't notice 
any problems.



> > 2. Don't use blacklists
> > 30% false positive rate. Compared to 1-2% for Bayesian or 
> > Markovian filtering.
> 
> I use both.  As far as false positives go, I have had very few false 
> positives ... in fact, I can not think of any.  But, for a corporate 
> setting, I would not use it, but instead leave it all to software like 
> DSPAM or Spam Assassin.


	How do you know if you've had false positives? On a personal server you 
might be able to tell, but in an office of fifty people you can't be 
sure. And according to the math for every email that ends up in your 
junk folder in your mail client thirty are getting bounced by your 
blacklist.
	The last straw for me was when some jackass listed a few hotmail 
servers. So 90% of the tests worked unless you came in from a particular 
set of servers. I've got better things to do than deal with someone 
else's spam jihad nonsense.


kashani
--
gentoo-user@gentoo.org mailing list