Mail server, what else?

  • J Gao
    Message 1 of 17 , Jul 12, 2013
      Hi, All,

      I just built a new mail server and so far it works well. It took me
      almost two weeks to figure out all kinds of stuff. I want to protect the
      mail system as best I can using open source or freely licensed
      software.

      Now I would like your advice on my system so I can improve it more.
      Here is my mail server system:
      - CentOS 6.4 64bit (SELinux disabled), iptables is in action.
      - Apache, MySql, PHP
      - Postfix 2.6.6 + Courier(Support virtual domain)
      - MailScanner with ClamAV and SpamAssassin (with pyzor/razor2/DCC)
      - Fail2ban (SSH, RoundCube, SASL)
      - SPF, OpenDKIM, DMARC
      - RoundCube webmail
      - Mailman maillist

      I would appreciate it if you can give me advice so I can further improve my system.

      Gao

      --
      __
      _|==|_
      ('')__/
      >--(`^^')
      (`^'^'`)
      `======'
    • J Gao
      Message 2 of 17 , Jul 12, 2013
        Forgot to mention that I also use SASL to authenticate users:
        SMTP on port 587 only (STARTTLS)
        IMAP on port 993 (SSL)
        POP3 on port 995 (SSL)

        So for email, ports 25, 587, 993 and 995 are open on the firewall.


        --
        __
        _|==|_
        ('')__/
        >--(`^^')
        (`^'^'`)
        `======'
      • Erwan David
        Message 3 of 17 , Jul 12, 2013
          On 12/07/2013 21:08, J Gao wrote:
          > Forgot to mention that I also use SASL to authenticate users:
          > SMTP on port 587 only (STARTTLS)
          > IMAP on port 993 (SSL)
          > POP3 on port 995 (SSL)
          >
          > So for email, ports 25, 587, 993 and 995 are open on the firewall.
          >
          >

          STARTTLS also exists in IMAP and POP3 (where it is called STLS).

          And you'll need SMTP on port 25 to receive email from outside.
        • LuKreme
          Message 4 of 17 , Jul 12, 2013
            On 12 Jul 2013, at 12:55 , J Gao <jgao@...> wrote:
            > - Postfix 2.6.6 + Courier(Support virtual domain)

            Why would you set up a new system with a four-year-old version of Postfix that is not even supported any more? 2.10 is current and 2.11 is right around the corner.


            --
            I have seen galaxies die. I have watched atoms dance. But until I had
            the dark behind the eyes, I didn't know the death from the dance.
          • J Gao
            Message 5 of 17 , Jul 12, 2013
              On 13-07-12 04:06 PM, LuKreme wrote:
              > On 12 Jul 2013, at 12:55 , J Gao <jgao@...> wrote:
              >> - Postfix 2.6.6 + Courier(Support virtual domain)
              >
              > Why would you set up a new system with a four-year-old version of Postfix that is not even supported any more? 2.10 is current and 2.11 is right around the corner.
              >
              >

              I used this:
              http://vault.centos.org/6.4/os/Source/SPackages/postfix-2.6.6-2.2.el6_1.src.rpm

              And patched with quota patch.

              I could use 2.10 but I thought this would be "safe" for CentOS 6.

              Gao

              --
              __
              _|==|_
              ('')__/
              >--(`^^')
              (`^'^'`)
              `======'
            • LuKreme
              Message 6 of 17 , Jul 12, 2013
                On 12 Jul 2013, at 17:15 , J Gao <jgao@...> wrote:
                > I could use 2.10 but I thought this would be "safe" for CentOS 6.

                It might just be me, but I don't consider any software that is no longer supported to be safe, especially not something as critically important as an MTA.

                --
                A bird in the hand makes it difficult to blow your nose.
              • Scott Kitterman
                Message 7 of 17 , Jul 12, 2013
                  On Friday, July 12, 2013 05:22:27 PM LuKreme wrote:
                  > On 12 Jul 2013, at 17:15 , J Gao <jgao@...> wrote:
                  > > I could use 2.10 but I thought this would be "safe" for CentOS 6.
                  >
                  > It might just be me, but I don't consider any software that is no longer
                  > supported to be safe, especially not something as critically important as
                  > an MTA.

                  Distributors are often placed in the position of needing to support older
                  releases than are supported by upstream. So "no longer supported by upstream"
                  isn't the same as "no longer supported". Personally, I don't get the
                  RHEL/CentOS preference for ancient software, but that doesn't mean it's unsafe
                  to use. The most important thing is knowing to go talk to your distributor if
                  you have a problem in these cases because it's outside the window of what the
                  upstream is paying attention to.

                  Scott K
                • Craig R. Skinner
                  Message 8 of 17 , Jul 13, 2013
                    On 2013-07-12 Fri 11:55 AM |, J Gao wrote:
                    >
                    > Now I would like your advice on my system so I can improve it more.
                    > - Postfix 2.6.6

                    Old.

                    > - Courier(Support virtual domain)

                    Dovecot instead of Courier?

                    > - Mailman maillist

                    Look at mlmmj instead of Mailman - no web interface needed.
                    http://mlmmj.org/docs/readme-postfix/

                    >
                    > I would appreciate it if you can give me advice so I can further improve my system.
                    >

                    No Apache, PHP or webmail. HTTP was designed to transfer hyperlinked
                    text files, not do dynamic stuff with root access to the whole box.
                    Beware!!!!!

                    IMAP (Thunderbird, Elm, KMail) is the way to go.
                    https://en.wikipedia.org/wiki/Comparison_of_email_clients#Operating_system_support


                    Greylisting of some sort: http://en.wikipedia.org/wiki/Greylisting

                    Cheers,
                    --
                    Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
                  • lists@rhsoft.net
                    Message 9 of 17 , Jul 13, 2013
                      On 13.07.2013 20:11, Craig R. Skinner wrote:
                      >> I would appreciate it if you can give me advice so I can further improve my system.
                      >
                      > No Apache, PHP or webmail. HTTP was designed to transfer hyperlinked
                      > text files, not do dynamic stuff with root access to the whole box.
                      > Beware!!!!!

                      In case of root access, yes!

                      But what has the protocol HTTP to do with the underlying
                      application? That's a different layer, and without whatever
                      dynamic language running on web servers you do not get very
                      far, and you would be negatively impressed if all the web apps
                      you use were down from one day to the next.
                    • Bastian Blank
                      Message 10 of 17 , Jul 13, 2013
                        On Fri, Jul 12, 2013 at 11:55:00AM -0700, J Gao wrote:
                        > Now I would like your advice on my system so I can improve it more.
                        > Here is my mail server system:
                        > - CentOS 6.4 64bit (SELinux disabled), iptables is in action.

                        Enterprisey. Well.

                        > - Apache, MySql, PHP

                        What for? If at all, use nginx with php-fpm and mariadb.

                        > - Postfix 2.6.6

                        No longer supported here. Get a current version.

                        > - Courier(Support virtual domain)

                        Use Dovecot.

                        > - MailScanner with ClamAV and SpamAssassin (with pyzor/razor2/DCC)

                        This _will_ eat your mail for breakfast. Use amavisd-new.

                        > - Fail2ban (SSH, RoundCube, SASL)

                        Self-DoS.

                        > - SPF, OpenDKIM, DMARC

                        Why?

                        > - RoundCube webmail

                        Not on the same machine.

                        Bastian

                        --
                        Virtue is a relative term.
                        -- Spock, "Friday's Child", stardate 3499.1
                      • Craig R. Skinner
                        Message 11 of 17 , Jul 13, 2013
                          On 2013-07-13 Sat 20:50 PM |, lists@... wrote:
                          >
                          > but what has the protocol HTTP to do with the underlying
                          > application?
                          >

                          OK then, shove every frigging thing down port 80's throat.

                          Why bother with Postfix, IMAP, ftp, ssh, ping, traceroute,....

                          Just have 1 port on the box that does it all. Really?

                          IMAP & POP were purpose designed for reading mail.

                          SMTP was purpose designed for transferring it, simple.

                          Use the right protocol (tool) for the job.

                          Yes, you can carry large items of furniture on the roof of a bubble car.
                          But diesel vans are better for that job as they're designed to carry the
                          load. Bubble cars have a purpose, so do vans, trucks, ships,.... Don't
                          get confused about what does what.

                          The current trend to put everything on HTTP is foolishness.
                          --
                          Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
                        • Peter
                          Message 12 of 17 , Jul 13, 2013
                            On 07/13/2013 11:15 AM, J Gao wrote:
                            > http://vault.centos.org/6.4/os/Source/SPackages/postfix-2.6.6-2.2.el6_1.src.rpm
                            >
                            > And patched with quota patch.

                            That's brilliant, now you can't get support for it anywhere.

                            You don't need to patch Postfix to get quotas; Dovecot 2 has a policy
                            daemon that plugs right into Postfix for that now.

                            Seriously, go to Dovecot and get a newer version of Postfix. It is well
                            worth it just to get postscreen support (which requires version 2.8 or
                            higher), and you really don't need to be patching it.


                            Peter
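The pieces discussed so far fit into one configuration: J Gao's port layout (SASL only on 587 behind STARTTLS, 993/995 for IMAP/POP3, plain 25 for inbound MX traffic), Erwan's note that STARTTLS/STLS also protects IMAP and POP3, and Peter's two suggestions of postscreen (Postfix 2.8 or later) and Dovecot's quota policy daemon in place of a quota-patched Postfix. The fragments below are an added example written for this page, not configuration posted by anyone in the thread; they assume Postfix 2.8 or newer, Dovecot 2.2 or newer acting as both SASL backend and quota policy server, placeholder certificate paths, and a policy listener on 127.0.0.1:12340 (the port is an arbitrary choice).

```conf
# Added example for this page (not configuration from the thread).
# Assumes Postfix >= 2.8, Dovecot >= 2.2, placeholder certificate paths,
# and a Dovecot quota policy listener on 127.0.0.1:12340.

# ===== /etc/postfix/master.cf =====
# Port 25 (inbound MX): connections hit postscreen before any smtpd
# process is spent on them. No SASL here, so no password guessing on 25.
smtp       inet  n  -  n  -  1  postscreen
smtpd      pass  -  -  n  -  -  smtpd
dnsblog    unix  -  -  n  -  0  dnsblog
tlsproxy   unix  -  -  n  -  0  tlsproxy
# Port 587 (submission): TLS is mandatory and AUTH is only offered after it,
# so credentials never cross the wire in the clear.
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# ===== /etc/postfix/main.cf =====
# (Postfix does not allow comments on the same line as a value.)
smtpd_tls_cert_file = /etc/pki/tls/certs/PLACEHOLDER-mail.pem
smtpd_tls_key_file = /etc/pki/tls/private/PLACEHOLDER-mail.key
# Opportunistic TLS for other MTAs on port 25; "encrypt" there would lose
# mail from senders that cannot do TLS.
smtpd_tls_security_level = may
# SASL is globally off; the submission service above switches it on.
smtpd_sasl_auth_enable = no
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# postscreen: drop clients that talk before the greeting or sit on a DNSBL.
postscreen_greet_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org
postscreen_dnsbl_action = enforce
# Over-quota recipients are rejected at RCPT TO by asking Dovecot, which
# replaces the quota patch against the 2.6.6 source RPM.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:12340

# ===== /etc/dovecot/conf.d/10-auth.conf and 10-ssl.conf =====
# Refuse plaintext logins on any port unless TLS (993/995, or STARTTLS/STLS
# on 143/110) is already up.
disable_plaintext_auth = yes
ssl = required
ssl_cert = </etc/pki/tls/certs/PLACEHOLDER-mail.pem
ssl_key = </etc/pki/tls/private/PLACEHOLDER-mail.key

# ===== /etc/dovecot/conf.d/10-master.conf =====
# Auth socket that Postfix's smtpd_sasl_path above points at.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# ===== /etc/dovecot/conf.d/90-quota.conf =====
# Policy daemon queried by Postfix's check_policy_service above.
service quota-status {
  executable = quota-status -p postfix
  inet_listener {
    address = 127.0.0.1
    port = 12340
  }
  client_limit = 1
}
mail_plugins = $mail_plugins quota
plugin {
  quota = maildir:User quota
  quota_rule = *:storage=1G
}
```

After reloading, `postconf -n` and `postfix check` show the effective Postfix settings and complain about typos, and `doveconf -n` does the same for Dovecot. A quick sanity check of the intent is that `EHLO` on port 25 must not advertise `AUTH` at all, and on 587 must advertise it only after `STARTTLS` has completed.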
                          • Kris Deugau
                            Message 13 of 17 , Jul 15, 2013
                              Craig R. Skinner wrote:
                              > No Apache, PHP or webmail. HTTP was designed to transfer hyperlinked
                              > text files, not do dynamic stuff with root access to the whole box.
                              > Beware!!!!!
                              >
                              > IMAP (Thunderbird, Elm, KMail) is the way to go.
                              > https://en.wikipedia.org/wiki/Comparison_of_email_clients#Operating_system_support

                              Then what do you suggest for casual users who do not care to either
                              bring along a single device everywhere they want to access their email,
                              or (know how to) install a full-blown mail program on every device they
                              may access their mail from? (Including things like Internet cafe PCs...)

                              Webmail means at least they only have one mail client and one UI to
                              learn to read their mail.

                              -kgd
                            • Craig R. Skinner
                              Message 14 of 17 , Jul 15, 2013
                                On 2013-07-15 Mon 16:26 PM |, Kris Deugau wrote:
                                > Craig R. Skinner wrote:
                                > >No Apache, PHP or webmail. HTTP was designed to transfer hyperlinked
                                > >text files, not do dynamic stuff with root access to the whole box.
                                > >Beware!!!!!
                                > >
                                > >IMAP (Thunderbird, Elm, KMail) is the way to go.
                                > >https://en.wikipedia.org/wiki/Comparison_of_email_clients#Operating_system_support
                                >
                                > Then what do you suggest for casual users who do not care to either
                                > bring along a single device everywhere they want to access their
                                > email, or (know how to) install a fullblown mail program on every
                                > device they may access their mail from? (Including things like
                                > Internet cafe PCs...)
                                >

                                There are several Java IMAP email clients that can be wrapped in an
                                applet or Java-webstart. These are downloaded from the website & then
                                use IMAP/SMTP.

                                >
                                > Webmail means at least they only have one mail client and one UI to
                                > learn to read their mail.
                                >

                                Put up some screen shots of how to use a mail client in your FAQ.

                                If the average web user can post photo albums on Fakebook, they've the
                                brains to use a mail client. Thunderbird even tries to autoconfigure
                                itself based on the email address, setting the servers & ports.

                                It's more work up front to teach them, but it's less work than explaining
                                your box got rooted via some stupid web app & all their personal details
                                are now at risk.

                                Dump stubborn users, they're not worth the support nightmare. (I worked
                                for years in an ISP's tech support dept - ON THE PHONE. Most people are
                                OK with a few screen shots & some help to get going.)

                                Cheers,
                                --
                                Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
                              • Joe
                                Message 15 of 17 , Jul 16, 2013
                                  On 07/13/2013 02:35 PM, Peter wrote:
                                  > On 07/13/2013 11:15 AM, J Gao wrote:
                                  >> http://vault.centos.org/6.4/os/Source/SPackages/postfix-2.6.6-2.2.el6_1.src.rpm
                                  >>
                                  >>
                                  >> And patched with quota patch.
                                  >
                                  > That's brilliant, now you can't get support for it anywhere.
                                  >
                                  > You don't need to patch postfix to get quotas, dovecot 2 has a policy
                                  > daemon that plugs right into postfix for that now.
                                  >
                                  > Seriously, go to Dovecot and get a newer version of postfix. It is
                                  > well worth it just to get postscreen support (which requires version
                                  > 2.8 or higher), and you really don't need to be patching it.

                                  Fairly current postfix packages for RHEL are available from several
                                  sources - we've been using postfix 2.8.8 on RHEL 6 here.

                                  Joe
                                • Kirill Bychkov
                                  Message 16 of 17 , Jul 16, 2013

                                    Hi,

                                    14.07.2013 0:17, "Bastian Blank" <bastian+postfix-users=postfix.org@...> wrote:

                                    >
                                    > On Fri, Jul 12, 2013 at 11:55:00AM -0700, J Gao wrote:
                                    > > Now I would like your advice on my system so I can improve it more.
                                    > > Here is my mail server system:
                                    > > - CentOS 6.4 64bit (SELinux disabled), iptables is in action.
                                    >
                                    > Enterprisey. Well.
                                    >
                                    > > - Apache, MySql, PHP
                                    >
                                    > What for? If at all, use nginx with php-fpm and mariadb.
                                    >
                                    > > - Postfix 2.6.6
                                    >
                                    > No longer supported here. Get a current version.
                                    >
                                    > > - Courier(Support virtual domain)
                                    >
                                    > Use Dovecot.
                                    >
                                    > > - MailScanner with ClamAV and SpamAssassin (with pyzor/razor2/DCC)
                                    >
                                    > This _will_ eat your mail for breakfast. Use amavisd-new.
                                    >
                                    > > - Fail2ban (SSH, RoundCube, SASL)
                                    >
                                    > Self-DoS.

                                    What is Self-DoS? What do you mean?
                                    >
                                    > > - SPF, OpenDKIM, DMARC
                                    >
                                    > Why?
                                    >
                                    > > - RoundCube webmail
                                    >
                                    > Not on the same machine.
                                    >
                                    > Bastian
                                    >
                                    > --
                                    > Virtue is a relative term.
                                    >                 -- Spock, "Friday's Child", stardate 3499.1

                                  • LuKreme
                                    Message 17 of 17 , Jul 16, 2013
                                      On 16 Jul 2013, at 14:03 , Kirill Bychkov <kirill.bychkov@...> wrote:
                                      > What is Self-DoS? What does you mean?

                                      A self inflicted Denial of Service.

                                      Sort of like when you ping-flood yourself…

                                      --
                                      Can't seem to face up to the facts
                                      Tense and nervous and I can't relax
                                      Can't sleep, bed's on fire
                                      Don't touch me I'm a real live wire
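Bastian's one-word objection to Fail2ban watching SASL ("Self-DoS") and LuKreme's gloss (a self-inflicted denial of service) are easiest to see with the log lines a jail actually counts. The script below is an added example, not code from the thread or from fail2ban: it parses constructed Postfix SASL-failure lines, applies a fail2ban-style maxretry/findtime window, and shows one common way the self-DoS happens when RoundCube runs on the same box as Postfix and Dovecot (assumed deployment): every webmail login failure reaches smtpd from 127.0.0.1, so a few users' typos ban the webmail host itself, and with it every webmail user. An ignore list (fail2ban's ignoreip) is the usual mitigation, shown alongside. The host name, PIDs, addresses and timestamps are all constructed.

```python
"""Fail2ban-style ban decisions over Postfix SASL failures.

Added example for this page; not code from the postfix-users thread or from
fail2ban. All log lines, hosts, PIDs and addresses are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed maillog excerpt. 203.0.113.7 is an outside password guesser;
# 127.0.0.1 is the local RoundCube instance relaying its users' login attempts.
SAMPLE_LOG = """\
Jul 16 10:00:01 mx postfix/smtpd[1201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jul 16 10:00:03 mx postfix/smtpd[1201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jul 16 10:00:05 mx postfix/smtpd[1201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jul 16 10:00:09 mx postfix/smtpd[1201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jul 16 10:00:12 mx postfix/smtpd[1201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jul 16 10:01:00 mx postfix/smtpd[1202]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed: authentication failure
Jul 16 10:02:30 mx postfix/smtpd[1202]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed: authentication failure
Jul 16 10:03:10 mx postfix/smtpd[1203]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed: authentication failure
Jul 16 10:04:44 mx postfix/smtpd[1203]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed: authentication failure
Jul 16 10:05:02 mx postfix/smtpd[1204]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed: authentication failure
Jul 16 10:30:00 mx postfix/smtpd[1210]: connect from unknown[198.51.100.9]
"""

# Matches the Postfix smtpd warning written on every failed SASL AUTH.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)


def parse_failures(log_text, year=2013):
    """Return a list of (timestamp, client_ip) for each SASL failure line.

    syslog timestamps carry no year, so the caller supplies one (assumed 2013,
    the date of the thread). Lines that are not SASL failures are ignored.
    """
    failures = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            failures.append((ts, m.group("ip")))
    return failures


def decide_bans(failures, maxretry=5, findtime=timedelta(minutes=10), ignoreip=()):
    """Return the set of client IPs a fail2ban-like jail would ban.

    An IP is banned once it has `maxretry` failures inside any `findtime`
    window. Addresses inside the networks in `ignoreip` are never banned,
    mirroring fail2ban's ignoreip setting.
    """
    ignored = [ip_network(n) for n in ignoreip]
    recent = defaultdict(list)   # ip -> timestamps still inside the window
    banned = set()
    for ts, ip in sorted(failures):
        if any(ip_address(ip) in net for net in ignored):
            continue
        window = [t for t in recent[ip] if ts - t <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            banned.add(ip)
    return banned


def self_dos_report(log_text):
    """Compare a naive jail with one that exempts the local webmail host."""
    failures = parse_failures(log_text)
    naive = decide_bans(failures)
    exempt_local = decide_bans(failures, ignoreip=("127.0.0.0/8",))
    return {"naive": sorted(naive), "with_ignoreip": sorted(exempt_local)}


if __name__ == "__main__":
    report = self_dos_report(SAMPLE_LOG)
    # The naive jail bans 127.0.0.1, i.e. RoundCube itself: the self-DoS.
    print("naive jail bans:    ", report["naive"])
    print("with ignoreip bans: ", report["with_ignoreip"])
```

The same effect appears without webmail when many users sit behind one NAT address: one colleague's stale password locks out the whole office. Exempting trusted networks only hides the failures from the jail; the RoundCube-side jail that J Gao also runs still sees the real client address in RoundCube's own log, which is where a ban against the actual guesser belongs.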