Re: how to setup a privacy oriented mailserver
Hello, Wesley.

The safest way is to have your own hardware, albeit there are some other options.

Perhaps we can have a quick talk in the evening. My phone number on Signal: +447511244961

Kind regards,
André

On Tue, 2019-11-26 at 14:36 +0800, Wesley Peng wrote:
> That looks interesting. Do you provide a hosting plan, Andre?
>
> regards
>
> on 2019/11/26 14:31, André Rodier wrote:
> > Hello, Bill.
> >
> > I had the same concern a few years ago.
> >
> > I have been self-hosting for more than a decade, and more recently, I built this:
> >
> > https://github.com/progmaticltd/homebox
> >
> > This is oriented towards security and privacy, and includes defence mechanisms against remote and physical intrusion.
> >
> > - All daemons are protected by AppArmor.
> > - The main drive is fully encrypted using LUKS, unlocked with a Yubikey locally or remotely using SSH.
> > - Implementation of the latest standards, like DNSSEC, SSHFP, MTA-STS, etc.
> > - Encrypted remote or local backups with borg, with Jabber alerts.
> > - Everything coming from Debian repositories.
> > - Some bonus features, like Jabber, RoundCube, Zabbix, SOGo, gogs, transmission, etc.
> >
> > One feature you may find particularly useful is a monthly report with all the accesses, by country, ISP, hours:
> >
> > https://homebox.readthedocs.io/en/dev/access-reports/
> >
> > Real time alerts and/or blocking if you connect from a blacklisted IP and various parameters.
> >
> > Everything is tested using continuous integration with a Jenkins server.
> >
> > It is on Debian Stretch for now, but we will provide a buster version next year.
> >
> > I am currently working on a way to provide a static IP address if you do not have one...
> >
> > Enjoy!
> >
> > Kind regards,
> > André
> >
> > On Tue, 2019-11-26 at 00:48 -0500, Bill Cole wrote:
> > > On 25 Nov 2019, at 22:53, lists wrote:
> > >
> > > > Security is privacy.
> > >
> > > More precisely: Security includes privacy. Privacy is an essential *PART OF* security.
> > >
> > > The remit requested by the OP is really too broad to answer on a public mailing list intended for discussion of a specific MTA (even though Postfix would be a likely component...) because it could have very different answers depending on the specific needs of a site and issues like scale, threat model, risk tolerances, and available resources.
Re: how to setup a privacy oriented mailserver
That looks interesting. Do you provide a hosting plan, Andre?

regards

on 2019/11/26 14:31, André Rodier wrote:
> Hello, Bill.
>
> I had the same concern a few years ago.
>
> I have been self-hosting for more than a decade, and more recently, I built this:
>
> https://github.com/progmaticltd/homebox
>
> This is oriented towards security and privacy, and includes defence mechanisms against remote and physical intrusion.
>
> - All daemons are protected by AppArmor.
> - The main drive is fully encrypted using LUKS, unlocked with a Yubikey locally or remotely using SSH.
> - Implementation of the latest standards, like DNSSEC, SSHFP, MTA-STS, etc.
> - Encrypted remote or local backups with borg, with Jabber alerts.
> - Everything coming from Debian repositories.
> - Some bonus features, like Jabber, RoundCube, Zabbix, SOGo, gogs, transmission, etc.
>
> One feature you may find particularly useful is a monthly report with all the accesses, by country, ISP, hours:
>
> https://homebox.readthedocs.io/en/dev/access-reports/
>
> Real time alerts and/or blocking if you connect from a blacklisted IP and various parameters.
>
> Everything is tested using continuous integration with a Jenkins server.
>
> It is on Debian Stretch for now, but we will provide a buster version next year.
>
> I am currently working on a way to provide a static IP address if you do not have one...
>
> Enjoy!
>
> Kind regards,
> André
>
> On Tue, 2019-11-26 at 00:48 -0500, Bill Cole wrote:
> > On 25 Nov 2019, at 22:53, lists wrote:
> >
> > > Security is privacy.
> >
> > More precisely: Security includes privacy. Privacy is an essential *PART OF* security.
> >
> > The remit requested by the OP is really too broad to answer on a public mailing list intended for discussion of a specific MTA (even though Postfix would be a likely component...) because it could have very different answers depending on the specific needs of a site and issues like scale, threat model, risk tolerances, and available resources.
Re: how to setup a privacy oriented mailserver
Hello, Bill.

I had the same concern a few years ago.

I have been self-hosting for more than a decade, and more recently, I built this:

https://github.com/progmaticltd/homebox

This is oriented towards security and privacy, and includes defence mechanisms against remote and physical intrusion.

- All daemons are protected by AppArmor.
- The main drive is fully encrypted using LUKS, unlocked with a Yubikey locally or remotely using SSH.
- Implementation of the latest standards, like DNSSEC, SSHFP, MTA-STS, etc.
- Encrypted remote or local backups with borg, with Jabber alerts.
- Everything coming from Debian repositories.
- Some bonus features, like Jabber, RoundCube, Zabbix, SOGo, gogs, transmission, etc.

One feature you may find particularly useful is a monthly report with all the accesses, by country, ISP, hours:

https://homebox.readthedocs.io/en/dev/access-reports/

Real time alerts and/or blocking if you connect from a blacklisted IP and various parameters.

Everything is tested using continuous integration with a Jenkins server.

It is on Debian Stretch for now, but we will provide a buster version next year.

I am currently working on a way to provide a static IP address if you do not have one...

Enjoy!

Kind regards,
André

On Tue, 2019-11-26 at 00:48 -0500, Bill Cole wrote:
> On 25 Nov 2019, at 22:53, lists wrote:
>
> > Security is privacy.
>
> More precisely: Security includes privacy. Privacy is an essential *PART OF* security.
>
> The remit requested by the OP is really too broad to answer on a public mailing list intended for discussion of a specific MTA (even though Postfix would be a likely component...) because it could have very different answers depending on the specific needs of a site and issues like scale, threat model, risk tolerances, and available resources.
Re: how to setup a privacy oriented mailserver
On 25 Nov 2019, at 22:53, lists wrote:

> Security is privacy.

More precisely: Security includes privacy. Privacy is an essential *PART OF* security.

The remit requested by the OP is really too broad to answer on a public mailing list intended for discussion of a specific MTA (even though Postfix would be a likely component...) because it could have very different answers depending on the specific needs of a site and issues like scale, threat model, risk tolerances, and available resources.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
Re: how to setup a privacy oriented mailserver
Security is privacy.

Original Message
From: postmas...@wsly.de
Sent: November 25, 2019 6:25 PM
To: li...@lazygranch.com; postfix-users@postfix.org
Subject: Re: how to setup a privacy oriented mailserver

Hi

on 2019/11/26 10:22, lists wrote:
> At a minimum, I would set it up to use port 587. Then block via firewall all the email ports other than port 25 for all countries from which you will not be using the server.
>
> Keep the attack surface small. For example, don't provide for web based email.

Sorry I didn't talk about security. I pay attention to privacy, such as these ones, but run by myself.

https://restoreprivacy.com/secure-email/

Regards.
Re: how to setup a privacy oriented mailserver
Hi

on 2019/11/26 10:22, lists wrote:
> At a minimum, I would set it up to use port 587. Then block via firewall all the email ports other than port 25 for all countries from which you will not be using the server.
>
> Keep the attack surface small. For example, don't provide for web based email.

Sorry I didn't talk about security. I pay attention to privacy, such as these ones, but run by myself.

https://restoreprivacy.com/secure-email/

Regards.
Re: how to setup a privacy oriented mailserver
At a minimum, I would set it up to use port 587. Then block via firewall all the email ports other than port 25 for all countries from which you will not be using the server.

Keep the attack surface small. For example, don't provide for web based email.

Original Message
From: postmas...@wsly.de
Sent: November 25, 2019 5:48 PM
To: postfix-users@postfix.org
Subject: how to setup a privacy oriented mailserver

Hi community,

I finally got a domain from a registrar. If I want to run a privacy oriented mail server, what steps should I take? For example, set up SSL over all, SPF, DKIM, DMARC, DNSSec, DoH, encrypted storage, app special password, secondary authentication?

Is there any guide for it? Thanks in advance.

regards.
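The firewall policy suggested in the message above (port 25 open to every MTA in the world, the client-facing ports only open to the places you actually connect from, everything else closed) modelled as an added example. This is not code from the thread; the address prefixes are constructed placeholders from the documentation ranges standing in for "countries you use the server from", and the decide() function is a simulator that mirrors the nftables ruleset the block renders so the policy can be checked before it is loaded.

```python
# Added example: model of the "587 for clients, 25 for the world" firewall policy.
# Port 25 must stay reachable from anywhere because any remote MX may need to
# deliver to you; submission (587) and IMAPS (993) are only your own users, so
# they are restricted to source prefixes you use. Prefixes below are constructed
# placeholders, not real country allocations (a GeoIP feed would supply those).
from ipaddress import ip_address, ip_network

ALWAYS_OPEN = {25}          # inbound SMTP from other MTAs, from anywhere
CLIENT_PORTS = {587, 993}   # submission and IMAPS, for your own mail clients

# Constructed placeholder prefixes (RFC 5737 / RFC 3849 documentation ranges).
ALLOWED_CLIENT_PREFIXES = [
    ip_network("203.0.113.0/24"),
    ip_network("2001:db8:10::/48"),
]


def decide(src: str, dport: int) -> str:
    """Return 'accept' or 'drop' for a new inbound TCP connection.

    Mirrors the ruleset produced by nft_ruleset(): default-deny, so a port
    that is not listed (e.g. 443 for webmail) is dropped regardless of source.
    """
    if dport in ALWAYS_OPEN:
        return "accept"
    if dport in CLIENT_PORTS:
        addr = ip_address(src)
        if any(addr in net for net in ALLOWED_CLIENT_PREFIXES):
            return "accept"
        return "drop"
    return "drop"


def nft_ruleset() -> str:
    """Render the same policy as an nftables ruleset (inet family covers v4 and v6)."""
    v4 = [str(n) for n in ALLOWED_CLIENT_PREFIXES if n.version == 4]
    v6 = [str(n) for n in ALLOWED_CLIENT_PREFIXES if n.version == 6]
    ports = ", ".join(str(p) for p in sorted(CLIENT_PORTS))
    lines = [
        "table inet mailfw {",
        "  set clients4 { type ipv4_addr; flags interval; elements = { %s } }" % ", ".join(v4),
        "  set clients6 { type ipv6_addr; flags interval; elements = { %s } }" % ", ".join(v6),
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        "    tcp dport 25 accept",
        "    ip saddr @clients4 tcp dport { %s } accept" % ports,
        "    ip6 saddr @clients6 tcp dport { %s } accept" % ports,
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset())
    # Constructed sample connections: a foreign MX on 25, the same host on 587,
    # an allowed client on 587, and that client trying a port that is not open.
    for src, port in [("198.51.100.7", 25), ("198.51.100.7", 587),
                      ("203.0.113.9", 587), ("203.0.113.9", 443)]:
        print(f"{src:>16} :{port}  ->  {decide(src, port)}")
```

The rendered ruleset has a drop policy on the input hook and no rule for SSH or any other management port; add those explicitly (ideally restricted to the same client sets) before loading it on a remote box, or you lock yourself out. Outbound and forwarding traffic are untouched because only the input chain is defined.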
how to setup a privacy oriented mailserver
Hi community,

I finally got a domain from a registrar. If I want to run a privacy oriented mail server, what steps should I take? For example, set up SSL over all, SPF, DKIM, DMARC, DNSSec, DoH, encrypted storage, app special password, secondary authentication?

Is there any guide for it? Thanks in advance.

regards.
Re: Validation DMARC
On Sun, 24 Nov 2019 at 23:34, Richard Damon wrote:
> On 11/24/19 6:21 PM, Wesley Peng wrote:
> > Why doesn't it break From: header SPF? Just curious
> >
> > On Mon, Nov 25, 2019, at 4:12 AM, Chris Wedgwood wrote:
> >> > Or in short: DMARC intentionally breaks every mailinglist and every
> >> > mail-forwarding. So, if a mail-provider uses a strict DMARC-policy,
> >> > it effectively says: "Our mail-addresses may not be used for
> >> > mailinglists."
> >>
> >> this message (I am replying to) from you on this mailing list is not
> >> broken
>
> It DOES break DMARC/SPF, as the IP address the message comes from doesn't match the From of the message, but with DMARC if EITHER SPF or DKIM pass, the message is to be considered to pass.
>
> A domain with strict DMARC, and which doesn't DKIM sign messages, will fail with any form of remailer, so would fail for this application.

Anyone using DMARC with p=reject and without using DKIM signing is asking for trouble - this should never be done intentionally. I have seen it happen by mistake (usually by public bodies e.g. police, HMRC...).

Assuming the message is DKIM-signed (and the signing is only on the critical headers, as it normally is) then DMARC won't cause problems on this mailing list. For other mailing lists YMMV.

We have used DMARC with p=reject on domains for personal and business use for several years and have never had any rejections or 'false positives' as a result. I don't use such domains for posting to mailing lists, and no one else using our domains has ever tried to.
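The "SPF or DKIM, whichever aligns" rule discussed in the exchange above, as an added example that is not part of the thread. It is a minimal DMARC evaluator in the sense of RFC 7489: SPF only counts if the domain SPF checked is aligned with the From: domain, DKIM only counts if an aligned signature verified, and the message passes if either does. The scenarios at the bottom are constructed: a direct send, the same message relayed through a mailing list (SPF now vouches for the list's bounce domain, so it no longer aligns), the relay with no DKIM signature under p=reject, and a relay where the list rewrote a signed header. The organizational-domain helper is a two-label approximation assumed for the example; a real validator consults the Public Suffix List.

```python
# Added example: a small DMARC evaluator (RFC 7489 semantics) to illustrate why a
# mailing-list relay fails SPF alignment yet can still pass DMARC on DKIM, and why
# p=reject without DKIM signing fails through any remailer. All domains, results
# and messages below are constructed for illustration.
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Approximate organizational domain as the last two labels (assumption:
    real DMARC uses the Public Suffix List, which this example omits)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts the same organizational domain (e.g. a subdomain)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class Message:
    from_domain: str                    # RFC5322.From domain: what DMARC protects
    mail_from_domain: str               # RFC5321.MailFrom domain that SPF evaluated
    spf_result: str                     # "pass" / "fail" / "none"
    dkim_sigs: list = field(default_factory=list)  # [(d= domain, verify result)]


@dataclass
class Policy:
    p: str = "none"                     # none / quarantine / reject
    adkim: str = "r"                    # DKIM alignment mode
    aspf: str = "r"                     # SPF alignment mode


def evaluate(msg: Message, pol: Policy) -> dict:
    """Return the aligned SPF/DKIM outcomes, the DMARC result and the disposition
    a receiver would apply. DMARC passes if EITHER aligned mechanism passes."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from_domain, msg.from_domain, pol.aspf)
    dkim_ok = any(res == "pass" and aligned(d, msg.from_domain, pol.adkim)
                  for d, res in msg.dkim_sigs)
    passed = spf_ok or dkim_ok
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else pol.p,   # policy applies only on failure
    }


# Constructed scenarios for a sender at example.org publishing p=reject.
STRICT = Policy(p="reject")
DIRECT = Message("example.org", "example.org", "pass", [("example.org", "pass")])
# Relayed by a list: the list's own bounce address is the envelope sender, so SPF
# passes for lists.example.net but that domain is not aligned with From:.
VIA_LIST = Message("example.org", "lists.example.net", "pass", [("example.org", "pass")])
VIA_LIST_UNSIGNED = Message("example.org", "lists.example.net", "pass", [])
# The list modified a header the signature covered (e.g. a Subject tag), so the
# original signature no longer verifies and only the list's own signature remains.
VIA_LIST_BROKEN_SIG = Message("example.org", "lists.example.net", "pass",
                              [("example.org", "fail"), ("lists.example.net", "pass")])

if __name__ == "__main__":
    for name, m in [("direct", DIRECT), ("via list", VIA_LIST),
                    ("via list, unsigned", VIA_LIST_UNSIGNED),
                    ("via list, broken sig", VIA_LIST_BROKEN_SIG)]:
        print(f"{name:22} -> {evaluate(m, STRICT)}")
```

The last two scenarios are the ones the thread warns about: with no aligned DKIM signature, p=reject turns every remailer into a hard bounce, and with a signature that the list invalidates the outcome is the same even though the sender did sign. The list's own signature does not help because lists.example.net is not aligned with the From: domain, regardless of relaxed or strict mode.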