Re: Setting personal mailserver

2023-09-07 Thread Archange

Learn the basics. Unfortunately, you do not seem to understand MTA/SMTP.

So read maybe https://github.com/poolpOrg/OpenSMTPD-book, also 
https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/, 
and get a better understanding of SMTP/MTA requirements.


A public IP is not enough, it has to be not residential or at least you 
of course need port 25 to be open towards the world, which is not your 
case, and you also need to be able to set the reverse for it, while 
currently


humaaraartha.in.    IN    A    182.59.136.243

but

243.136.59.182.in-addr.arpa.    IN    PTR 
static-mum-182.59.136.243.mtnl.net.in.


And I do not expect “Mahanagar Telephone Nigam Limited” to let you set 
that reverse.


So back to our options : either get a VPS or dedicated server somewhere 
that allow port 25 and setting reverse, or use an email service provider 
that would allow you to relay emails.


Actually I’m not even sure that your available SMTP options 
(Tutanota/GMail) would allow sending with an arbitrary MAIL FROM (i.e. 
one that is not @tutanota.tld or @gmail.com), and as I don’t have an 
account on either I cannot test that. So you would have to look into 
https://man.openbsd.org/smtpd.conf#host and 
https://man.openbsd.org/smtpd.conf#auth, and check whether any of your 
email providers allow you to send email as @humaaraartha.in (and then 
you might want to provide SPF records allowing them to do so).


Regards.

Le 06/09/2023 à 23:40, Sagar Acharya a écrit :

So what's the solution? I have a public ip. Can you suggest an edit?
Thanking you
Sagar Acharya
https://humaaraartha.in



7 Sept 2023, 00:43 by archa...@activis.me:


Hi,

Le 06/09/2023 à 22:40, Sagar Acharya a écrit :


I checked all network settings. They are perfect. Here is my conf below 
exactly. There's some issue with it.

== smtpd.conf ==
table aliases file:/etc/smtpd/aliases
table whitelist file:/etc/smtpd/whitelist

pki humaaraartha.in cert "path_to_fullchain"
pki humaaraartha.in key "path_to_privkey"

listen on 0.0.0.0 tls pki humaaraartha.in
listen on 0.0.0.0 smtps pki humaaraartha.in

action "local" maildir alias 
action "relay" relay host "smtps://humaaraartha.in" mail-from "@humaaraartha.in"


This line cannot work. You are asking to relay outgoing emails to your own 
server (host is the destination host — Jarod just linked the doc while I was 
writing). They won’t go anywhere. You cannot workaround port 25 being blocked 
by using another port, else port 25 would not be blocked anywhere. You have to 
use an external relay that will accept submission from you on port 465 (smtps) 
or 587 (submission) and then relay on port 25 to the world. That will likely 
have to be one you have an account on (gmail or Tutanota).

Regards.





Re: Setting personal mailserver

2023-09-07 Thread Sagar Acharya
Or maybe we can simplify mail systems more. If mail, a system used to send 
messages across computers cannot work on "residential" IPs, then we can make it 
work on "residential" network since most nodes are "residential". You can look 
at.

humaaraartha.in.           TXT

And you'll find spf records there. Maybe it's just time to say, reduce the 
requirements of mail hosting to just static ip and DNS in a world where most 
don't even have a static ip!
Thanking you
Sagar Acharya
https://humaaraartha.in

P.S. I see that you're talking substance and truth to some extent but 
discarding residential IPs and this need for reverse dns is outrageous! What is 
the point of reverse DNS in today's world?
7 Sept 2023, 14:25 by archa...@activis.me:

> Learn the basics. Unfortunately, you do not seem to understand MTA/SMTP.
>
> So read maybe https://github.com/poolpOrg/OpenSMTPD-book, also 
> https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/,
>  and get a better understanding of SMTP/MTA requirements.
>
> A public IP is not enough, it has to be not residential or at least you of 
> course need port 25 to be open towards the world, which is not your case, and 
> you also need to be able to set the reverse for it, while currently
>
> humaaraartha.in.    IN    A    182.59.136.243
>
> but
>
> 243.136.59.182.in-addr.arpa.    IN    PTR 
> static-mum-182.59.136.243.mtnl.net.in.
>
> And I do not expect “Mahanagar Telephone Nigam Limited” to let you set that 
> reverse.
>
> So back to our options : either get a VPS or dedicated server somewhere that 
> allow port 25 and setting reverse, or use an email service provider that 
> would allow you to relay emails.
>
> Actually I’m not even sure that your available SMTP options (Tutanota/GMail) 
> would allow sending with an arbitrary MAIL FROM (i.e. one that is not 
> @tutanota.tld or @gmail.com), and as I don’t have an account on either I 
> cannot test that. So you would have to look into 
> https://man.openbsd.org/smtpd.conf#host and 
> https://man.openbsd.org/smtpd.conf#auth, and check whether any of your email 
> providers allow you to send email as @humaaraartha.in (and then you might 
> want to provide SPF records allowing them to do so).
>
> Regards.
>
> Le 06/09/2023 à 23:40, Sagar Acharya a écrit :
>
>> So what's the solution? I have a public ip. Can you suggest an edit?
>> Thanking you
>> Sagar Acharya
>> https://humaaraartha.in
>>
>>
>>
>> 7 Sept 2023, 00:43 by archa...@activis.me:
>>
>>> Hi,
>>>
>>> Le 06/09/2023 à 22:40, Sagar Acharya a écrit :
>>>
>>>> I checked all network settings. They are perfect. Here is my conf below 
>>>> exactly. There's some issue with it.
>>>>
>>>> == smtpd.conf ==
>>>> table aliases file:/etc/smtpd/aliases
>>>> table whitelist file:/etc/smtpd/whitelist
>>>>
>>>> pki humaaraartha.in cert "path_to_fullchain"
>>>> pki humaaraartha.in key "path_to_privkey"
>>>>
>>>> listen on 0.0.0.0 tls pki humaaraartha.in
>>>> listen on 0.0.0.0 smtps pki humaaraartha.in
>>>>
>>>> action "local" maildir alias <aliases>
>>>> action "relay" relay host "smtps://humaaraartha.in" mail-from "@humaaraartha.in"
>>>>

>>> This line cannot work. You are asking to relay outgoing emails to your own 
>>> server (host is the destination host — Jarod just linked the doc while I 
>>> was writing). They won’t go anywhere. You cannot workaround port 25 being 
>>> blocked by using another port, else port 25 would not be blocked anywhere. 
>>> You have to use an external relay that will accept submission from you on 
>>> port 465 (smtps) or 587 (submission) and then relay on port 25 to the 
>>> world. That will likely have to be one you have an account on (gmail or 
>>> Tutanota).
>>>
>>> Regards.
>>>



Re: Setting personal mailserver

2023-09-07 Thread Archange
This is not the 80–90’s anymore. Internet is not a friendly place, and 
the bulk of emails sent today are spams. So most actors are leveraging 
everything they can to reduce that, and a high entrance barrier to email 
sending is definitively part of this plan.


That’s why we have (fc)rDNS, SPF, DKIM… And regarding residential IPs, 
they are hosts of the biggest botnets in the world, so residential ISP 
tend to block port 25 outgoing by default to limit spam. Some provide 
you the option to disable the port blocking, but very rare are those 
that allow you setting the reverse.


On my receiving ends (plural, I handle multiple email servers of various 
sizes including some with thousands of users), cutting down non (fc)rDNS 
compliant senders kills 99+% of spam attempts and I’ve never been 
reached by someone having a false positive on that policy. I don’t see 
why anyone would want to not have this amazing first layer fence.


Regards.

Le 07/09/2023 à 13:12, Sagar Acharya a écrit :

Or maybe we can simplify mail systems more. If mail, a system used to send messages across computers cannot 
work on "residential" IPs, then we can make it work on "residential" network since most 
nodes are "residential". You can look at.

humaaraartha.in.           TXT

And you'll find spf records there. Maybe it's just time to say, reduce the 
requirements of mail hosting to just static ip and DNS in a world where most 
don't even have a static ip!
Thanking you
Sagar Acharya
https://humaaraartha.in

P.S. I see that you're talking substance and truth to some extent but 
discarding residential IPs and this need for reverse dns is outrageous! What is 
the point of reverse DNS in today's world?
7 Sept 2023, 14:25 by archa...@activis.me:


Learn the basics. Unfortunately, you do not seem to understand MTA/SMTP.

So read maybe https://github.com/poolpOrg/OpenSMTPD-book, also 
https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/,
 and get a better understanding of SMTP/MTA requirements.

A public IP is not enough, it has to be not residential or at least you of 
course need port 25 to be open towards the world, which is not your case, and 
you also need to be able to set the reverse for it, while currently

humaaraartha.in.    IN    A    182.59.136.243

but

243.136.59.182.in-addr.arpa.    IN    PTR static-mum-182.59.136.243.mtnl.net.in.

And I do not expect “Mahanagar Telephone Nigam Limited” to let you set that 
reverse.

So back to our options : either get a VPS or dedicated server somewhere that 
allow port 25 and setting reverse, or use an email service provider that would 
allow you to relay emails.

Actually I’m not even sure that your available SMTP options (Tutanota/GMail) 
would allow sending with an arbitrary MAIL FROM (i.e. one that is not 
@tutanota.tld or @gmail.com), and as I don’t have an account on either I cannot 
test that. So you would have to look into 
https://man.openbsd.org/smtpd.conf#host and 
https://man.openbsd.org/smtpd.conf#auth, and check whether any of your email 
providers allow you to send email as @humaaraartha.in (and then you might want 
to provide SPF records allowing them to do so).

Regards.

Le 06/09/2023 à 23:40, Sagar Acharya a écrit :


So what's the solution? I have a public ip. Can you suggest an edit?
Thanking you
Sagar Acharya
https://humaaraartha.in



7 Sept 2023, 00:43 by archa...@activis.me:


Hi,

Le 06/09/2023 à 22:40, Sagar Acharya a écrit :


I checked all network settings. They are perfect. Here is my conf below 
exactly. There's some issue with it.

== smtpd.conf ==
table aliases file:/etc/smtpd/aliases
table whitelist file:/etc/smtpd/whitelist

pki humaaraartha.in cert "path_to_fullchain"
pki humaaraartha.in key "path_to_privkey"

listen on 0.0.0.0 tls pki humaaraartha.in
listen on 0.0.0.0 smtps pki humaaraartha.in

action "local" maildir alias 
action "relay" relay host "smtps://humaaraartha.in" mail-from "@humaaraartha.in"


This line cannot work. You are asking to relay outgoing emails to your own 
server (host is the destination host — Jarod just linked the doc while I was 
writing). They won’t go anywhere. You cannot workaround port 25 being blocked 
by using another port, else port 25 would not be blocked anywhere. You have to 
use an external relay that will accept submission from you on port 465 (smtps) 
or 587 (submission) and then relay on port 25 to the world. That will likely 
have to be one you have an account on (gmail or Tutanota).

Regards.





Re: Setting personal mailserver

2023-09-07 Thread Sagar Acharya
In today's times of mature NLP, you will not be able to differentiate human 
mail from bot mail or spam. Only in person verification is trustworthy.
No. Are you saying that only people who control the network should send mails? 
Well DNS exactly is for that. If you find I send spams, you can easily 
block mails from my domain humaaraartha.in but it is not wise nor ethical to by 
default not allow people to mail.

That issue lies because hardware is not mapped to people. There is no 
technological solution for trust hopping between machines. ssh should be 
discouraged and each machine, denoted by single IP address should be mapped to 
a human. So humaaraartha.in is run by Sagar Acharya.

My configuration of whitelisting does exactly that. In today's world where each 
grain can potentially have an IPv6, I accept requests only from whitelist or at 
the very least accept from everyone and prioritize the whitelist.

Well, what action should be implemented for sending emails. I don't get a 
sending action. I have changed conf to

action "send" relay helo humaaraartha.inmatch from any for any action "send"
Thanking you
Sagar Acharya
https://humaaraartha.in



7 Sept 2023, 14:53 by archa...@activis.me:

> This is not the 80–90’s anymore. Internet is not a friendly place, and the 
> bulk of emails sent today are spams. So most actors are leveraging everything 
> they can to reduce that, and a high entrance barrier to email sending is 
> definitively part of this plan.
>
> That’s why we have (fc)rDNS, SPF, DKIM… And regarding residential IPs, they 
> are hosts of the biggest botnets in the world, so residential ISP tend to 
> block port 25 outgoing by default to limit spam. Some provide you the option 
> to disable the port blocking, but very rare are those that allow you setting 
> the reverse.
>
> On my receiving ends (plural, I handle multiple email servers of various 
> sizes including some with thousands of users), cutting down non (fc)rDNS 
> compliant senders kills 99+% of spam attempts and I’ve never been reached by 
> someone having a false positive on that policy. I don’t see why anyone would 
> want to not have this amazing first layer fence.
>
> Regards.
>
> Le 07/09/2023 à 13:12, Sagar Acharya a écrit :
>
>> Or maybe we can simplify mail systems more. If mail, a system used to send 
>> messages across computers cannot work on "residential" IPs, then we can make 
>> it work on "residential" network since most nodes are "residential". You can 
>> look at.
>>
>> humaaraartha.in.           TXT
>>
>> And you'll find spf records there. Maybe it's just time to say, reduce the 
>> requirements of mail hosting to just static ip and DNS in a world where most 
>> don't even have a static ip!
>> Thanking you
>> Sagar Acharya
>> https://humaaraartha.in
>>
>> P.S. I see that you're talking substance and truth to some extent but 
>> discarding residential IPs and this need for reverse dns is outrageous! What 
>> is the point of reverse DNS in today's world?
>> 7 Sept 2023, 14:25 by archa...@activis.me:
>>
>>> Learn the basics. Unfortunately, you do not seem to understand MTA/SMTP.
>>>
>>> So read maybe https://github.com/poolpOrg/OpenSMTPD-book, also 
>>> https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/,
>>>  and get a better understanding of SMTP/MTA requirements.
>>>
>>> A public IP is not enough, it has to be not residential or at least you of 
>>> course need port 25 to be open towards the world, which is not your case, 
>>> and you also need to be able to set the reverse for it, while currently
>>>
>>> humaaraartha.in.    IN    A    182.59.136.243
>>>
>>> but
>>>
>>> 243.136.59.182.in-addr.arpa.    IN    PTR 
>>> static-mum-182.59.136.243.mtnl.net.in.
>>>
>>> And I do not expect “Mahanagar Telephone Nigam Limited” to let you set that 
>>> reverse.
>>>
>>> So back to our options : either get a VPS or dedicated server somewhere 
>>> that allow port 25 and setting reverse, or use an email service provider 
>>> that would allow you to relay emails.
>>>
>>> Actually I’m not even sure that your available SMTP options 
>>> (Tutanota/GMail) would allow sending with an arbitrary MAIL FROM (i.e. one 
>>> that is not @tutanota.tld or @gmail.com), and as I don’t have an account on 
>>> either I cannot test that. So you would have to look into 
>>> https://man.openbsd.org/smtpd.conf#host and 
>>> https://man.openbsd.org/smtpd.conf#auth, and check whether any of your 
>>> email providers allow you to send email as @humaaraartha.in (and then you 
>>> might want to provide SPF records allowing them to do so).
>>>
>>> Regards.
>>>
>>> Le 06/09/2023 à 23:40, Sagar Acharya a écrit :
>>>
>>>> So what's the solution? I have a public ip. Can you suggest an edit?
>>>> Thanking you
>>>> Sagar Acharya
>>>> https://humaaraartha.in
>>>>
>>>>
>>>>
>>>> 7 Sept 2023, 00:43 by archa...@activis.me:
>>>>
>>>>> Hi,
>>>>>
>>>>> Le 06/09/2023 à 22:40, Sagar Acharya a écrit :
>>>>>
>>>>>> I checke

RE: Setting personal mailserver

2023-09-07 Thread Vigneshwaran Ravichandran
Dear Sagar,

What you mentioned is like, “Just because the grapevine is high on the tree, 
then it must be sour”. Hope you will learn some lessons and not put the blame 
on software or standards which empower a critical part of our lives, communication.


From: Sagar Acharya
Sent: Thursday, September 7, 2023 5:45 PM
To: Archange
Cc: Misc
Subject: Re: Setting personal mailserver

In today's times of mature NLP, you will not be able to differentiate human 
mail from bot mail or spam. Only in person verification is trustworthy.
No. Are you saying that only people who control the network should send mails? 
Well DNS exactly is for that. If you find I send spams, you can easily 
block mails from my domain humaaraartha.in but it is not wise nor ethical to by 
default not allow people to mail.

That issue lies because hardware is not mapped to people. There is no 
technological solution for trust hopping between machines. ssh should be 
discouraged and each machine, denoted by single IP address should be mapped to 
a human. So humaaraartha.in is run by Sagar Acharya.

My configuration of whitelisting does exactly that. In today's world where each 
grain can potentially have an IPv6, I accept requests only from whitelist or at 
the very least accept from everyone and prioritize the whitelist.

Well, what action should be implemented for sending emails. I don't get a 
sending action. I have changed conf to

action "send" relay helo humaaraartha.inmatch from any for any action "send"
Thanking you
Sagar Acharya
https://humaaraartha.in



7 Sept 2023, 14:53 by archa...@activis.me:

> This is not the 80–90’s anymore. Internet is not a friendly place, and the 
> bulk of emails sent today are spams. So most actors are leveraging everything 
> they can to reduce that, and a high entrance barrier to email sending is 
> definitively part of this plan.
>
> That’s why we have (fc)rDNS, SPF, DKIM… And regarding residential IPs, they 
> are hosts of the biggest botnets in the world, so residential ISP tend to 
> block port 25 outgoing by default to limit spam. Some provide you the option 
> to disable the port blocking, but very rare are those that allow you setting 
> the reverse.
>
> On my receiving ends (plural, I handle multiple email servers of various 
> sizes including some with thousands of users), cutting down non (fc)rDNS 
> compliant senders kills 99+% of spam attempts and I’ve never been reached by 
> someone having a false positive on that policy. I don’t see why anyone would 
> want to not have this amazing first layer fence.
>
> Regards.
>
> Le 07/09/2023 à 13:12, Sagar Acharya a écrit :
>
>> Or maybe we can simplify mail systems more. If mail, a system used to send 
>> messages across computers cannot work on "residential" IPs, then we can make 
>> it work on "residential" network since most nodes are "residential". You can 
>> look at.
>>
>> humaaraartha.in.   TXT
>>
>> And you'll find spf records there. Maybe it's just time to say, reduce the 
>> requirements of mail hosting to just static ip and DNS in a world where most 
>> don't even have a static ip!
>> Thanking you
>> Sagar Acharya
>> https://humaaraartha.in
>>
>> P.S. I see that you're talking substance and truth to some extent but 
>> discarding residential IPs and this need for reverse dns is outrageous! What 
>> is the point of reverse DNS in today's world?
>> 7 Sept 2023, 14:25 by archa...@activis.me:
>>
>>> Learn the basics. Unfortunately, you do not seem to understand MTA/SMTP.
>>>
>>> So read maybe 
>>> https://github.com/poolpOrg/OpenSMTPD-book,
>>>  also 
>>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpoolp.org%2Fpost

Re: Setting personal mailserver

2023-09-07 Thread gilles
September 7, 2023 11:44 AM, "Sagar Acharya"  wrote:

> In today's times of mature NLP, you will not be able to differentiate human 
> mail from bot mail or
> spam. Only in person verification is trustworthy.
> No. Are you saying that only people who control the network should send 
> mails? Well DNS exactly is
> for that. If you find I send spams, you can easily block mails from my 
> domain
> humaaraartha.in but it is not wise nor ethical to by default not allow people 
> to mail.
> 
> That issue lies because hardware is not mapped to people. There is no 
> technological solution for
> trust hopping between machines. ssh should be discouraged and each machine, 
> denoted by single IP
> address should be mapped to a human. So humaaraartha.in is run by Sagar 
> Acharya.
> 
> My configuration of whitelisting does exactly that. In today's world where 
> each grain can
> potentially have an IPv6, I accept requests only from whitelist or at the 
> very least accept from
> everyone and prioritize the whitelist.
> 
> Well, what action should be implemented for sending emails. I don't get a 
> sending action. I have
> changed conf to
> 
> action "send" relay helo humaaraartha.inmatch from any for any action "send"
> Thanking you
> Sagar Acharya
> https://humaaraartha.in
> 

As many people told you, domestic connections are no longer suitable for 
sending mail, whether you like it or not this is the actual state of the SMTP 
network and will remain like this because the big mailer corps control most of 
the e-mail address space and have decided so. If you ignore this then you'll be 
blocked from most recipients, you decide if it's acceptable for you.


Then, if your domestic connection has outgoing port 25 filtered, you can't 
work around this and need a relay host somewhere else that can accept mail on 
a different port with unfiltered port 25 for outgoing traffic. You can't just 
switch to a different port and expect it to work; this shows a 
misunderstanding of how networking, internet and SMTP works.

There's nothing that can be changed in your config that will fix this because 
the problem isn't a configuration issue but an issue with understanding both 
what you're allowed and trying to do.
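The setup Archange and gilles describe, an external relay that accepts your submission on 465 or 587 and speaks port 25 to the world on your behalf, written out as an added smtpd.conf example. This is not Sagar's configuration and not code from the OpenSMTPD project; the provider host smtp.example-provider.tld, the credentials label "provider" and the secrets file path /etc/smtpd/secrets are placeholders to be replaced with what the chosen provider documents.

```conf
# Added example, not the poster's config nor OpenSMTPD project code.
# Goal: deliver mail for humaaraartha.in locally, and hand every outbound
# message to an external provider's submission service, because outgoing
# port 25 is filtered on the residential connection.

table aliases file:/etc/smtpd/aliases

# Placeholder path. The file holds one line per label, e.g.
#   provider  account@example-provider.tld:app-password
# Keep it readable only by root and _smtpd (mode 0640).
table secrets file:/etc/smtpd/secrets

pki humaaraartha.in cert "path_to_fullchain"
pki humaaraartha.in key "path_to_privkey"

# Inbound SMTP with STARTTLS (only useful if inbound port 25 is reachable;
# the connection's PTR is still the ISP's, so be aware of that on receipt).
listen on 0.0.0.0 tls pki humaaraartha.in

# Local delivery for our own domain, expanding /etc/smtpd/aliases.
action "local" maildir alias <aliases>

# Outbound: STARTTLS on port 587, authenticating with the "provider" entry
# of the secrets table. If the provider only offers implicit TLS, use
# smtps://provider@smtp.example-provider.tld:465 instead.
# (Placeholder host; replace with the provider's documented submission host.)
action "relay_out" relay host smtp+tls://provider@smtp.example-provider.tld:587 auth <secrets>

# Routing rules, evaluated in order.
match from any for domain "humaaraartha.in" action "local"
# Only mail submitted on this machine is relayed: "from local" is what keeps
# this host from becoming an open relay for anyone who can reach it.
match from local for any action "relay_out"
```

Two things from the thread are worth keeping in mind with this file. First, the later `match from any for any action "send"` rule that appears further up would relay for every connecting client, which is an open relay; `from local` (or `from auth` for authenticated users) is the restriction that matters. Second, as Archange notes, the provider may refuse an envelope sender outside its own domain, so check its policy before relying on @humaaraartha.in as MAIL FROM, and if it does allow it, extend the domain's SPF TXT record so the provider's sending hosts are authorised.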



Re: Setting personal mailserver

2023-09-07 Thread Sagar Acharya
I get you, I get you.

Let the mail providers have their setups. Is it possible to have a 
configuration where I have 2 servers, example.com example2.com where I can send 
and receive emails on ports say, 777 on plaintext, starttls optional and port 
778 with smtps?

Give me a configuration for such a thing. 

humaaraartha.in.    TXT    "v=spf1 ipv4:{myipv4address} -all"
humaaraartha.in.    TXT    "resports:777,778"
humaaraartha.in.    MX     10 humaaraartha.in.
humaaraartha.in.    A      {myipv4address}

That is all you have, nothing more for both servers. Can you help me send and 
receive mails on ports 777,778 with just above DNS and smtpd? I can add SRV 
records for detection of ports 777, 778 if you want.
Thanking you
Sagar Acharya
https://humaaraartha.in



7 Sept 2023, 15:33 by gil...@poolp.org:

> September 7, 2023 11:44 AM, "Sagar Acharya"  wrote:
>
>> In today's times of mature NLP, you will not be able to differentiate human 
>> mail from bot mail or
>> spam. Only in person verification is trustworthy.
>> No. Are you saying that only people who control the network should send 
>> mails? Well DNS exactly is
>> for that. If you find I send spams, you can easily block mails from 
>> my domain
>> humaaraartha.in but it is not wise nor ethical to by default not allow 
>> people to mail.
>>
>> That issue lies because hardware is not mapped to people. There is no 
>> technological solution for
>> trust hopping between machines. ssh should be discouraged and each machine, 
>> denoted by single IP
>> address should be mapped to a human. So humaaraartha.in is run by Sagar 
>> Acharya.
>>
>> My configuration of whitelisting does exactly that. In today's world where 
>> each grain can
>> potentially have an IPv6, I accept requests only from whitelist or at the 
>> very least accept from
>> everyone and prioritize the whitelist.
>>
>> Well, what action should be implemented for sending emails. I don't get a 
>> sending action. I have
>> changed conf to
>>
>> action "send" relay helo humaaraartha.inmatch from any for any action "send"
>> Thanking you
>> Sagar Acharya
>> https://humaaraartha.in
>>
>
> As many people told you, domestic connections are no longer suitable for 
> sending mail, whether you
> like it or not this is the actual state of the SMTP network and will remain 
> like this because the
> big mailer corps control most of the e-mail address space and have decided 
> so. If you ignore this
> then you'll be blocked from most recipients, you decide if it's acceptable 
> for you.
>
>
> Then, if your domestic connection has outgoing port 25 filtered, you can't 
> work around this and
> need a relay host somewhere else that can accept mail on a different port 
> with unfiltered port 25
> for outgoing traffic. You can't just switch to a different port and expect it 
> to work; this shows a
> misunderstanding of how networking, internet and SMTP works.
>
> There's nothing that can be changed in your config that will fix this because 
> the problem isn't a
> configuration issue but an issue with understanding both what you're allowed 
> and trying to do.
>




unsubscribe

2023-09-07 Thread Slavik Svyrydiuk

unsubscribe



Re: Setting personal mailserver

2023-09-07 Thread Tassilo Philipp

Give me a configuration for such a thing. 


I think several people mentioned by now reading the doc and getting 
familiar with email. This is not trying to be mean, I think you really 
would set it up faster by learning and using it, then also understanding 
it b/c you have to maintain it, than asking over and over for some 
config lines on here.



On Thu, Sep 07, 2023 at 12:44:07PM +0200, Sagar Acharya wrote:

I get you, I get you.

Let the mail providers have their setups. Is it possible to have a 
configuration where I have 2 servers, example.com example2.com where I can send 
and receive emails on ports say, 777 on plaintext, starttls optional and port 
778 with smtps?

Give me a configuration for such a thing. 

humaaraartha.in.    TXT    "v=spf1 ipv4:{myipv4address} -all"
humaaraartha.in.    TXT    "resports:777,778"
humaaraartha.in.    MX     10 humaaraartha.in.
humaaraartha.in.    A      {myipv4address}

That is all you have, nothing more for both servers. Can you help me send and 
receive mails on ports 777,778 with just above DNS and smtpd? I can add SRV 
records for detection of ports 777, 778 if you want.
Thanking you

Sagar Acharya
https://humaaraartha.in



7 Sept 2023, 15:33 by gil...@poolp.org:


September 7, 2023 11:44 AM, "Sagar Acharya"  wrote:

In today's times of mature NLP, you will not be able to differentiate human mail from bot mail or 
spam. Only in person verification is trustworthy.
No. Are you saying that only people who control the network should send mails? Well DNS exactly is 
for that. If you find I send spams, you can easily block mails from my domain 
humaaraartha.in but it is not wise nor ethical to by default not allow people to mail.


That issue lies because hardware is not mapped to people. There is no technological solution for 
trust hopping between machines. ssh should be discouraged and each machine, denoted by single IP 
address should be mapped to a human. So humaaraartha.in is run by Sagar Acharya.


My configuration of whitelisting does exactly that. In today's world where each grain can 
potentially have an IPv6, I accept requests only from whitelist or at the very least accept from 
everyone and prioritize the whitelist.


Well, what action should be implemented for sending emails. I don't get a sending action. I have 
changed conf to


action "send" relay helo humaaraartha.inmatch from any for any action "send" 
Thanking you

Sagar Acharya
https://humaaraartha.in



As many people told you, domestic connections are no longer suitable for sending mail, whether you 
like it or not this is the actual state of the SMTP network and will remain like this because the 
big mailer corps control most of the e-mail address space and have decided so. If you ignore this 
then you'll be blocked from most recipients, you decide if it's acceptable for you.



Then, if your domestic connection has outgoing port 25 filtered, you can't work around this and 
need a relay host somewhere else that can accept mail on a different port with unfiltered port 25 
for outgoing traffic. You can't just switch to a different port and expect it to work; this shows a 
misunderstanding of how networking, internet and SMTP works.


There's nothing that can be changed in your config that will fix this because the problem isn't a 
configuration issue but an issue with understanding both what you're allowed and trying to do.









Re: Setting personal mailserver

2023-09-07 Thread Pontus Stenetorp
On Thu 07 Sep 2023, Tassilo Philipp wrote:
> >
> > Give me a configuration for such a thing. 
> 
> I think several people mentioned by now reading the doc and getting
> familiar with email. This is not trying to be mean, I think you really
> would set it up faster by learning and using it, then also
> understanding it b/c you have to maintain it, than asking over and
> over for some config lines on here.

Seconding this and adding that there is excellent documentation out there that 
will take you all the way there if you bother to read it:

https://github.com/poolpOrg/OpenSMTPD-book

https://man.openbsd.org/smtpd

https://man.openbsd.org/smtpd.conf

https://man.openbsd.org/smtpctl

https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/#installing-and-configuring-dovecot

I would recommend reading them in that specific order, but I have a strong 
bottom up bias.



Re: Setting personal mailserver

2023-09-07 Thread Stuart Longland

On 7/9/23 20:44, Sagar Acharya wrote:

Let the mail providers have their setups. Is it possible to have a 
configuration where I have 2 servers, example.com example2.com where I can send 
and receive emails on ports say, 777 on plaintext, starttls optional and port 
778 with smtps?

Give me a configuration for such a thing.

humaaraartha.in.    TXT    "v=spf1 ipv4:{myipv4address} -all"
humaaraartha.in.    TXT    "resports:777,778"
humaaraartha.in.    MX     10 humaaraartha.in.
humaaraartha.in.    A      {myipv4address}

That is all you have, nothing more for both servers. Can you help me send and 
receive mails on ports 777,778 with just above DNS and smtpd? I can add SRV 
records for detection of ports 777, 778 if you want.


Okay, not quite sure what the "resports" TXT record is achieving (a 
quick search on the topic didn't reveal any documentation on how it was 
supposed to work or correct syntax).  I won't labour the point about 
outgoing port 25 traffic since others have covered this already.


You can of course use different ports between servers on an agreed-upon 
manner.  e.g. say we have a server, bnemx.vk4msl.com, running OpenSMTPD:


vk4msl-bne# cat /etc/mail/smtpd.conf  
#   $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $


# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

#table aliases file:/etc/mail/aliases
table virtualdomains file:/etc/mail/virtualdomains
table virtualusers file:/etc/mail/virtualusers

pki bnemx cert "/etc/ssl/bnemx.vk4msl.com.fullchain.pem"
pki bnemx key "/etc/ssl/private/bnemx.vk4msl.com.key"
pki bnemx dhe auto

listen on socket
listen on all tls pki bnemx

… etc, I won't post the full config.

Those `listen` lines are the key, from smtpd.conf manpage:

 listen on interface [family] [options]
 Listen on the interface for incoming connections, using the same
 syntax as ifconfig(8).  The interface parameter may also be an
 interface group, an IP address, or a domain name.  Listening can
 optionally be restricted to a specific address family, which can
 be either inet4 or inet6.


In amongst the options:

 port [port]
 Listen on the given port instead of the default port 25.


So if I chose to, I could add:

listen on all port 777

and then re-start smtpd, I'd now be listening on port 777.

You could then tell your SMTP server to send to port 777 when sending to 
my domain.


But doing so would be useless:
- no one else would bother using port 777/tcp: they would most likely 
use port 25
- you wouldn't be able to send to any other server, unless they too, 
chose to use port 777/tcp.


If you have a good proposal for how such alternative ports could be 
advertised (maybe via DNS TXT record), perhaps you could propose that as 
a Request For Comment to the Internet Engineering Task Force… and maybe 
if enough people thought it was a good idea, it would be adopted with 
its own official RFC number (like RFC-821, later replaced by RFC-2821 
and RFC-5321).


That though, won't mean instant ability to pick your own port number. 
The "alternate port number" feature would then need to be added to the 
various SMTP servers out there.  Then sysadmins would need to install 
that version.


This may take years, or even never happen in some cases.  (Qmail is 
still IPv4-only because the author believes IPv6 is unnecessary.)


Regardless of what you think of spam or how to fight it, the truth is 
the small fish don't make the rules in this game.  You and I are small 
fish.  I've been mucking around with mail servers pretty much this whole 
century so far.


I started with trialling something over dial-up (ever seen a 56kbps 
modem screaming under the strain of an outbound mail queue stuffed with 
spam?  I have!)… moved to using Sendmail on an old Slackware server 
hosted on ADSL with 2GB SCSI disks and a self-signed HTTPS certificate 
for webmail in 2001.  Been running my own server ever since.


It's not impossible to do it yourself, and dealing with spam is a 
constant cat-and-mouse game.  Things have become more complex out of 
necessity (I didn't bother with DKIM until Google started mandating it 
for example), but even then, not overly difficult.


The minimum standard however has changed over the years as requirements 
changed.  That includes:


- outbound SMTP unblocked -- pretty much since forever since that's how 
TCP/IP works

- static IPv4 -- dynamic IPv4 has not been possible since ~2004 or so
- SPF DNS records -- since ~2010 or so
- DKIM signing and DMARC policies -- since ~2020

Some day, IPv6 may be a requirement as the IPv4 address space dries up.

It's no good "wishing" it to be different.  In the future it may become 
impossible for me to run my own server on the hom

Re: Dokuwiki

2023-09-07 Thread latincom
>
>> Am 08.09.2023 um 00:38 schrieb latin...@vcn.bc.ca:
>>
>> Hello
>>
>> Does somebody can help? OpenBSD 7.3 Dokuwiki
>> # ps ax |grep dokuwiki
>> 27461 p0  S+p  0:00.01 grep dokuwiki
>
> DokuWiki is not a process. So the above does not make any sense.
>
>
>> The error.log at /www/log is full of this messages and dokuwiki stop
>> working:
>>
>> Access to the script '/dokuwiki' has been denied (see
>> security.limit_extensions)
> …
>> Access to the script '/dokuwiki' has been denied (see
>> security.limit_extensions)
>>
>> Thanks for your attention.
>
> You need to show us the relevant server {} block in your /etc/httpd.conf
> (assuming that you are using httpd(8) as the web server).
>
> The actual error message refers to the php-fpm setting, see
> https://www.php.net/manual/en/install.fpm.configuration.php#security-limit-extensions.
> But feeding the path /dokuwiki to php-fpm does not make any sense, so the
> root cause is somewhere else.
>
> Also you may want to take a look at
> https://www.dokuwiki.org/install:openbsd for some additional hints.
>
>
> This is what a working httpd.conf could look like:
> (You may want to replace the server name with an FQDN or add an alias
> setting. You would also need a port 80 host to redirect to https and to
> handle ACME certificate verification. But that is all standard web server
> stuff, not specific to DokuWiki.)
>
> server "default" {
>   listen on $my_ipv6 tls port 443
>
>   tls {
>   certificate "/etc/ssl/acme/fullchain.pem"
>   key "/etc/ssl/acme/private/privkey.pem"
>   }
>
>   log style combined
>
>   root "/dokuwiki"
>   directory index doku.php
>
>   connection max request body 2097152 # Default is 2M for
> upload_max_filesize and 8M for post_max_size.
>
>   location "/*.inc" { block }
>   location "/*.ht*" { block }
>   location "/data/*" { block }
>   location "/conf/*" { block }
>   location "/bin/*" { block }
>   location "/inc/*" { block }
>   location "/vendor/*" { block }
>
>   location "*.php" {
>   fastcgi socket "/run/php-fpm.sock"
>   }
> }
>
>
> Mike
>
>

Hello Mike, yes, it is different! Here is my complete httpd.conf, thanks.

# $OpenBSD: httpd.conf,v 1.22 2020/11/04 10:34:18 denis Exp $

server "agroena.org" {
    listen on * port 80
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    location * {
        block return 302 "https://$HTTP_HOST$REQUEST_URI"
    }
}

server "agroena.org" {
    listen on * tls port 443
    root "/htdocs/agroena.org"
    tls {
        certificate "/etc/ssl/agroena.org.fullchain.pem"
        key "/etc/ssl/private/agroena.org.key"
    }
    location "/pub/*" {
        directory auto index
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}

server "consultores.agroena.org" {
    listen on * tls port 443
    root "/htdocs/consultores"
    tls {
        certificate "/etc/ssl/agroena.org.fullchain.pem"
        key "/etc/ssl/private/agroena.org.key"
    }
    location "/pub/*" {
        directory auto index
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}

server "historia.agroena.org" {
    listen on * tls port 443
    root "/dokuwiki"
    tls {
        certificate "/etc/ssl/agroena.org.fullchain.pem"
        key "/etc/ssl/private/agroena.org.key"
    }

    location "/pub/*" {
        directory auto index
    }

    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
    location "*~" {
        block drop
    }
    location match "/kb/data/" {
        block drop
    }
    location match "/kb/conf/" {
        block drop
    }
    location match "/kb/bin/" {
        block drop
    }
    location match "/kb/inc/" {
        block drop
    }
    location match "/kb/vendor/" {
        block drop
    }
}
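An added check, not part of this thread and not code from DokuWiki or httpd(8): it takes a `server` block, collects every `location` that uses `block`, and reports which DokuWiki directories would still be served. Plain locations are compared with shell globbing and `location match` with a regex, as httpd.conf(5) describes. Run on trimmed copies of the two configs posted above, Mike's block covers every sample path, while the `historia.agroena.org` block's `location match "/kb/..."` patterns only match URIs that contain `/kb/`, so with `root "/dokuwiki"` the data, conf, bin, inc and vendor directories stay reachable. The sample URIs are constructed; the trimmed blocks keep only the lines the check needs.

```python
import re
from fnmatch import fnmatchcase

# Requests that must never reach the DokuWiki tree directly. Constructed sample
# paths; the directory list follows the block list in Mike's httpd.conf example.
SENSITIVE_URIS = [
    "/data/pages/start.txt",     # wiki content, cache and attic
    "/conf/local.php",           # local configuration, may hold secrets
    "/bin/indexer.php",          # command-line tools
    "/inc/init.php",             # library code
    "/vendor/autoload.php",      # bundled third-party code
    "/.htaccess",                # Apache-only control files
]

# location "PATTERN" { ... }  or  location match "REGEX" { ... }
# Assumes location bodies contain no nested braces, which holds for these configs.
LOCATION_RE = re.compile(r'location\s+(match\s+)?"([^"]+)"\s*\{([^}]*)\}')


def blocking_locations(server_block):
    """Return (kind, pattern) for every location whose body uses 'block'."""
    rules = []
    for m in LOCATION_RE.finditer(server_block):
        kind = "regex" if m.group(1) else "glob"
        pattern, body = m.group(2), m.group(3)
        if re.search(r"\bblock\b", body):
            rules.append((kind, pattern))
    return rules


def is_blocked(uri, rules):
    """Plain locations use shell globbing (fnmatch), 'location match' uses a regex.
    Ordering among several matching locations is ignored here; see httpd.conf(5)."""
    for kind, pattern in rules:
        if kind == "glob" and fnmatchcase(uri, pattern):
            return True
        if kind == "regex" and re.search(pattern, uri):
            return True
    return False


def unprotected(server_block):
    """List the sensitive sample URIs that no blocking location covers."""
    rules = blocking_locations(server_block)
    return [uri for uri in SENSITIVE_URIS if not is_blocked(uri, rules)]


# Trimmed copies of the two server blocks from this thread (non-location lines dropped).
MIKE_BLOCK = """
server "default" {
  root "/dokuwiki"
  directory index doku.php
  location "/*.inc" { block }
  location "/*.ht*" { block }
  location "/data/*" { block }
  location "/conf/*" { block }
  location "/bin/*" { block }
  location "/inc/*" { block }
  location "/vendor/*" { block }
  location "*.php" {
    fastcgi socket "/run/php-fpm.sock"
  }
}
"""

HISTORIA_BLOCK = """
server "historia.agroena.org" {
  root "/dokuwiki"
  location "*.php" {
    fastcgi socket "/run/php-fpm.sock"
  }
  location "*~" { block drop }
  location match "/kb/data/" { block drop }
  location match "/kb/conf/" { block drop }
  location match "/kb/bin/" { block drop }
  location match "/kb/inc/" { block drop }
  location match "/kb/vendor/" { block drop }
}
"""

if __name__ == "__main__":
    for name, block in (("Mike", MIKE_BLOCK), ("historia.agroena.org", HISTORIA_BLOCK)):
        print(name, "unprotected:", unprotected(block))
```

The check only answers "is there some blocking location that matches this path"; when a serving location and a blocking one both match, httpd's own selection rules decide, so keep the blocks for `data`, `conf`, `bin`, `inc` and `vendor` as the literal paths they have relative to the `root` directive, as Mike's example does.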






Re: Setting personal mailserver

2023-09-07 Thread Sagar Acharya
Thank you Stuart. That is very helpful.

SRV records would get port, like 

https://xmpp.org/extensions/xep-0368.html

The logic would be like, say there is opensmtpd on the other server too.

dig _mail._smtp.humaaraartha.in. SRV
get_port_from_SRV()
if found_different_port()  try_port()
else  try_25()

Caching can also be done for future requests.

> You and I are small fish. I've been mucking around with mail servers pretty 
> much this whole century so far.

OpenBSD and suckless are moving forward and providing solutions. Which 
mailserver do you use? If we can establish that any software be run on any 
port, then blocking ports won't make sense. Besides, they can block any domains 
and they already do if they find spam there. SPAM is just an excuse.
Thanking you
Sagar Acharya
https://humaaraartha.in
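The SRV idea above, written out as an added Python example that is not part of this thread and not code from OpenSMTPD or any other MTA. It follows the RFC 2782 selection order (ascending priority, weighted random choice within a priority) and falls back to port 25 when no SRV record exists. The DNS answers are a constructed in-memory table, the `_smtp._tcp` label is an assumption in RFC 2782's `_service._proto` shape, and, as Stuart points out in his reply, nothing on the receiving or sending side honours such a record today: it can only advertise a port, it cannot make a remote MTA or an ISP firewall use it.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# Constructed stand-in for DNS answers; no real lookups happen. The _smtp._tcp
# label is an assumption in RFC 2782 shape (_service._proto.name); no MTA
# actually queries such a record for SMTP.
FAKE_DNS = {
    "_smtp._tcp.example.com.": [
        SRV(10, 60, 777, "mx1.example.com."),
        SRV(10, 40, 777, "mx2.example.com."),
        SRV(20, 0, 778, "backup.example.com."),
    ],
    # RFC 2782: a single record with target "." means the service is not offered
    "_smtp._tcp.nomail.example.": [SRV(0, 0, 0, ".")],
}


def order_srv(records, rng):
    """RFC 2782 selection order: ascending priority, weighted random inside a priority."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # zero-weight records are placed first so they still get a small share
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)          # uniform in [0, total] inclusive
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:               # first running sum >= pick wins
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def candidate_endpoints(domain, seed=None):
    """The pseudo-code above made concrete: (host, port) pairs to try, in order.

    With SRV answers their targets and ports are used; with none, port 25 on the
    domain itself; with the single "." target the domain declares it takes no mail.
    """
    rng = random.Random(seed)
    records = FAKE_DNS.get(f"_smtp._tcp.{domain}.", [])
    if not records:
        return [(domain, 25)]
    if len(records) == 1 and records[0].target == ".":
        return []
    return [(r.target.rstrip("."), r.port) for r in order_srv(records, rng)]


if __name__ == "__main__":
    for d in ("example.com", "example2.com", "nomail.example"):
        print(d, "->", candidate_endpoints(d, seed=7))
```

Caching, mentioned above, needs nothing extra here: a resolver already keeps the answer for the record's TTL, which is the point Stuart makes in his reply.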




Re: Setting personal mailserver

2023-09-07 Thread Stuart Longland

On 8/9/23 15:51, Sagar Acharya wrote:

> SRV records would get port, like
>
> https://xmpp.org/extensions/xep-0368.html
>
> The logic would be like, say there is opensmtpd on the other server 
> too.
>
> dig _mail._smtp.humaaraartha.in. SRV
> get_port_from_SRV()
> if found_different_port()  try_port()
> else  try_25()


Sounds okay… but you'd have to get that supported by:

- sendmail
- postfix
- netqmail
- opensmtpd
- exim
- Microsoft Exchange
- Google's mail server (whatever they call it)
… and umpteen other possible mail servers.

It isn't yet as far as I know.

Another is for the MX record to support `hostname:port`, although one
could argue MX could be readily replaced by SRV.

Also, this does not solve your outbound SMTP issue: it'd only advertise 
to others that "I listen on a different port".


It doesn't tell my server to start listening on a different port.  Nor 
does it tell any firewalls in between to suddenly allow this 
out-of-the-ordinary connection.



> Caching can also be done for future requests.


Yeah well, DNS will do that anyway.  That's what the TTL field is for.

>> You and I are small fish. I've been mucking around with mail 
>> servers pretty much this whole century so far.
>
> OpenBSD and suckless are moving forward and providing solutions. 
> Which mailserver do you use?


Postfix on AlpineLinux is my primary MX.  Simply out of familiarity, I
started with sendmail then later Qmail, but migrated to Postfix some
time around 2006 or so.

OpenSMTPD (and spamd) on OpenBSD is my secondary MX.  I have some custom
scripts that then store the email OpenPGP-encrypted for later collection
by the primary MX in case there's downtime.

The vast majority of my email traffic is direct to the primary MX 
(probably because of spamd's greylisting).



> If we can establish that any software be run on any port, then
> blocking ports won't make sense. Besides, they can block any domains
> and they already do if they find spam there. SPAM is just an excuse.


Moving ports won't solve the problem.  Yes it'd be nice to say, "ohh, by 
the way my SMTP is listening on port 2225", but that won't help you. 
You're expecting the world to move off 25/tcp for SMTP so you can hit it 
behind your ISP's firewall.


That won't happen.

Your options are:
1. set up a server outside your ISP's network that can transmit the 
message for you (e.g. if Internode decide to block port 25 or withdraw 
my public IP, I might use my secondary MX as the outbound mail server 
relay.)
2. use your ISP's mail server as a relay (after adding it to your SPF 
records along with any DKIM keys needed)

3. move to an ISP that lets you do this stuff

I'd suggest (3) is your best option… as trying to circumvent firewall 
rules will likely get you disconnected for violating their Terms of 
Service anyway.  (I note humaaraartha.in appears to be hosted by MTNL 
India, but their website is not responding for me at this time.)

--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
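Option 2 above, like the earlier "minimum standard" list, turns on publishing a correct SPF record for whichever host relays the mail. The following is an added example, not from this thread and not an MTA's or a DNS library's code: a small evaluator for the lookup-free part of RFC 7208 (`ip4`, `ip6`, `all` and their qualifiers) that a defender can use to sanity-check a record against the addresses that actually send. The addresses are constructed documentation ranges. Note that RFC 7208 spells the mechanism `ip4:`; a token such as `ipv4:` is not a defined mechanism, and an RFC-conformant evaluator returns permerror for it rather than treating it as a match.

```python
import ipaddress

# Result for a matching mechanism, keyed by its qualifier (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Mechanisms that need DNS lookups; deliberately not implemented in this offline example.
DNS_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}


def evaluate_spf(record, client_ip):
    """Evaluate one SPF TXT record against the connecting client's IP.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    Only the lookup-free mechanisms ip4, ip6 and all are evaluated; modifiers
    (redirect=, exp=) are skipped, so a record relying on them is not fully honoured.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        if "=" in term:                    # modifier, e.g. redirect=_spf.example.org
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]   # 'all' always matches and ends evaluation
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # unparsable address or prefix length
            if net.version != (4 if name == "ip4" else 6):
                return "permerror"         # ip4: with an IPv6 value, or vice versa
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        if name in DNS_MECHANISMS:
            raise NotImplementedError(f"{name}: needs DNS lookups, not supported offline")
        return "permerror"                 # unknown mechanism name, e.g. 'ipv4:'

    return "neutral"                       # nothing matched and no 'all' present


if __name__ == "__main__":
    # Constructed records and client addresses from the documentation ranges.
    checks = [
        ("v=spf1 ip4:203.0.113.0/24 -all", "203.0.113.10"),
        ("v=spf1 ip4:203.0.113.0/24 -all", "198.51.100.7"),
        ("v=spf1 ipv4:203.0.113.10 -all", "203.0.113.10"),
    ]
    for rec, ip in checks:
        print(f"{ip:>14}  {rec!r:40}  {evaluate_spf(rec, ip)}")
```

When a relay such as the ISP's or a VPS is added, its address (or the provider's `include:` target, which this example does not follow) must appear before `-all`; a receiver seeing `fail` for the relay's address is the most common reason such mail is rejected or junked.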




Re: Setting personal mailserver

2023-09-07 Thread Reio Remma

On 08.09.2023 09:42, Stuart Longland wrote:

> Your options are:
> 1. set up a server outside your ISP's network that can transmit the 
> message for you (e.g. if Internode decide to block port 25 or withdraw 
> my public IP, I might use my secondary MX as the outbound mail server 
> relay.)
> 2. use your ISP's mail server as a relay (after adding it to your SPF 
> records along with any DKIM keys needed)
>
> 3. move to an ISP that lets you do this stuff
>
> I'd suggest (3) is your best option… as trying to circumvent firewall 
> rules will likely get you disconnected for violating their Terms of 
> Service anyway.  (I note humaaraartha.in appears to be hosted by MTNL 
> India, but their website is not responding for me at this time.)


You can get a virtual server for 5€/m with a static IP and configurable 
reverse DNS - the same price as getting a mere static IP from my ISP.


Good luck
Reio