So, when I started this blog I wanted to make it a record of my learning of new skills, particularly around electronics. That hasn't happened, and now that I have a new project to start it isn't about to start, this project is very much within my skill set (or at least it should be). A little background, I have been running my website, and email server, on my home connection for years, I got an internet connection with a company that was a good ISP for those who were a little more knowledgeable of networking and computers when I moved into my house. Back then I was a novice, but with an ISP a little more forgiving of allowing more advanced use of an internet connection I could host a website, and emails, without paying any extra money for a proper hosting solution. This has lead to me being the only person on my street that has a wireless internet connection during a power outage, but that is not really the point. Since then there has been a great deal of consolidation in the UK ISP market, and my ISP, PlusNet, was bought, some time ago, by BT. Until recently this wasn't really an issue, nothing much changed, BT kept PlusNet at arms length, but for some reason, now, PlusNet have chosen to add the block of IP addresses that the static IP for my connection is in to Spamhaus' Policy Block List. This marks my internet connection as not suitable for email hosting. So my new project is to move my emails into a proper hosting solution.
Now when I first discovered this I moved the control of my primary domain from plusnet, to a new registrar. That action did not go well, and it was frustrating, but it was part of a rushed attempt to get something working, however I don't send many emails, so after the pain of that transfer I took a step back, and realised I have worked in IT too long to want to embark on a project with little to no planning, and no firm requirements. So here we are now, and this post is the start of the project, with the plans for what I am planning on doing, and the requirements I have going forward. As this is in my spare time it'll take a while, and if that causes me problems I shall raise them in further blog posts.
This project, and the blog posts that discuss it are not intended to be a step by step guide for someone else to follow to set up an email server, there are enough of those on the internet already, they are about my thought process, and decision making processes.
So first off, during the panic steps, before making any plans I signed up to a hosting provider and created a debian virtual server. This is currently off, but has SSH, Molly Guard, and Fail to Ban installed, as a basic set of requirements, I need to able to access this host (ssh), I need to be warned when I try to shut the host down in error (Molly Guard), and I don't know what my IP will be going forward, if I decide to move ISPs, so need to secure SSH connection attempts against brute force through something other than IP restrictions (fail2ban). These requirements are a basic for me, and didn't need much planning, so this base was a good start.
Thinking forward if I am to have internet hosted emails, I need some form of resilancy incase a host breaks, and multiple MX records is a good idea in practice, so two servers is a good idea, as such I have already duplicated the setup on the first virtual server, but this is in a different zone from the first (with the same provider), this second server is also off for now.
So my future requirements, and what I plan to do to meet them where I have a firm idea already.
A firewall, to protect against accidentally configuring services listening on the external IP address and exposing me to hacking, and data loss. I shall implement IPTables, this will be done, to my satisfaction prior to me turning the servers on, and leaving them on. Now I am familiar with iptables in a basic form, and understand the concept of a firewall and know that IPTables is capable of more, but I am also aware that it meets my needs, and is freely available, alas in debian I believe it uses different tables for IPv4 and IPv6, this is a complication as I shall also be attempting to configure these hosts to work over IPv6 to make the future proof. IPTables is likely to be the subject of my next blog post (which will be shorter than this one).
Next I need an SSL certificate for the hosts, I am using Certbot successfully on my website, and current mail server, but I want the mail servers to share a domain name, and so I am going to have to come up with a way of ensuring whichever of the two hosts initiates a certificate request on that shared domain the certificate will be properly validated.
I need to synchronise the mail store, such that whichever host I log into I get all my emails, and I also need to make sure this mail store is copied onto both hosts physically (so proxying from one host to the other is only a solution if I use some form of replication and failover solution).
Finally I intend to use mail virtual hosting, my current set up I use a user account on the server, and all none system user accounts get a mail box. By using virtual mail hosting I will have mail users that are only able to connect to the email system, and will be able to keep user accounts on the servers separate, and more secure.
Now the astute will have noticed that I have not mentioned backups, and there is a reason for that. I have no plan for backups as such. I shall be making a copy of the configurations when these servers are finished, but I shall be using the distance between the servers as security against faults causing data loss, and should one go down the idea will be to rebuild it before it becomes a problem and let the data sync back from the other host. I may build a more robust back up solution at some stage, but for my own personal emails availability is as important to me as data integrity.