So in a previous blog post I set up Postfix and Dovecot by sort of following an online guide. Well, the author of that guide has updated it for Debian stretch. This doesn't help me much, as I already built my mail servers on Debian stretch by adapting his previous guide. But some of the changes do interest me. I have been meaning to set up DKIM and DMARC, and the new guide includes instructions on doing so. The new guide also includes instructions for setting up ClamAV, which wouldn't hurt. However, the instructions for ClamAV depend on using a new anti-spam tool, and I am actually getting on with SpamAssassin; on top of this, the new anti-spam tool is not in the Debian default repositories, which puts me off somewhat. They do provide an APT repository for stretch though, which eases this concern a little. The new tool also supports some features I may be interested in, including greylisting shared across hosts by using Redis (a piece of software I may be a little familiar with), a possibility that intrigues me. I am going to read this new guide and decide if there is anything I wish to take from it; if so, I shall almost certainly write a new blog post on the matter, if not, I probably won't.
So I've had my mail servers set up and working for a month now, and there are a few things I haven't done. My old mail server is still set to send from a domain of craig-james-stewart.co.uk by default, and it is no longer in the SPF record as a sender for that domain, so I have had to fix that so that I can continue to receive emails from it seamlessly. I've also had to alter the contact form on my website for the same reason. As well as these minor tweaks, I have come to the realisation that I ignored time drift when setting up the mail servers, easily corrected by installing ntpd in its default configuration on Debian, apart from my rather strict iptables rules. So having fixed that, the only thing left to do is configure certbot to auto-renew my SSL certificates, which is as simple as adding a couple of cron entries. So now I have two mail servers that will continue to work with little maintenance effort. I still need to look at DKIM and DMARC, but those can wait.
In my last blog post I set up Apache and certbot and got the SSL certificates I needed for my new mail server. So this blog was going to be about Postfix, but as I found a handy guide online I followed some of it to get what I wanted. That is to say, I followed those steps that made sense, skipped the ones that conflicted with my requirements, and altered the ones that didn't apply because of changes I had made. This gave me a reasonable set up, on two servers, that could each act independently, but lacked the mailbox sync to allow me to use them as a single mail infrastructure. To be fair, the only things that really needed changing in any great detail were the Dovecot userdb settings, to allow doveadm to enumerate the users and get the correct settings; most of the remaining settings changes were trivial (SSL cert locations, for example). I also skipped all of the optional extras (like Roundcube and phpMyAdmin). After this I had to configure Dovecot mailbox sync as per their guide, and tweak the SSL settings to harden them, and now I have new mail servers. It took longer than I would like, and I have less to say than I have for the previous steps. But all is now working. I have however decided to look into DKIM and DMARC settings, as I have already configured SPF and there is a nice guide to follow linked from the comments on the guide I followed to get Postfix installed and working.
So after my last blog post I decided that this one should be less rushed, and more practised and tested, which turns out to be a good thing. After my last blog post the hosted servers I have didn't work over IPv6; this is due to the hosting firm's use of SLAAC to configure the external IPv6 address and routing, and my use of iptables to block all traffic that wasn't otherwise allowed. Now, I allowed ICMP echo requests on IPv4, but those commands raised an error when I transposed them to IPv6, so I left them out. This led to SLAAC, which requires ICMPv6 in order to work, not working. That has been rectified now. So, onto Apache and SSL certs. Now one of the requirements I had for these servers was the ability to swap between them via DNS, and as I do not know how to configure Postfix to use multiple SSL certs based upon the domain that is being connected to, I decided the easiest way to do that would be to get a cert with a CNAME to that shared domain for each server. Using HTTP authentication with Let's Encrypt, you put a file on disk and they request that file from the domain they are validating. This would be a problem for the server that is not currently being pointed at for the shared domain.
So in my last blog post I promised that I would talk about iptables, and basically I have been a little lax in getting started with configuring the iptables rules on the new servers I have set up. Now, I mentioned that iptables is quite powerful, and it can be if configured to be so, but I am using it as a basic firewall, so that should I accidentally configure a service to listen on an external port it shan't be able to. On top of this, I am going to set the rules up such that the three default chains drop packets that don't match any rules, meaning I am using them as a first-match-allows firewall, with a default drop.
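The two firewall posts above (the default-drop, first-match-allows design, and the IPv6 breakage caused by dropping ICMPv6) can be put together in one ruleset. What follows is an added example, not the blog's own rules: a script that renders default-drop rulesets in iptables-restore format for both address families, with the ICMPv6 types that SLAAC and neighbour discovery need, and with the outbound NTP allowance the clock-drift fix needs. The inbound port list, the outbound ports and the output directory are assumptions; nothing here touches the running kernel, the files are written for review and loaded separately.

```shell
#!/bin/sh
# Added example, not the blog's own rules: render default-drop, first-match-
# allow rulesets for iptables-restore and ip6tables-restore. The port lists
# are assumptions about what a small mail host needs; adjust them. Nothing is
# loaded into the kernel here. Review the files, then load them with
#   iptables-restore < v4.rules && ip6tables-restore < v6.rules
set -eu

# Services this host is meant to expose (assumed): SSH, SMTP, smtps, submission, IMAPS.
TCP_IN="22 25 465 587 993"

# Policy and rules shared by both address families. Rules are evaluated in
# order and the first match wins; anything that reaches the end of a chain
# hits the DROP policy.
common_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to flows already accepted, in either direction
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for p in $TCP_IN; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
# outbound: mail delivery, HTTP(S) for apt and certbot, DNS, and NTP (UDP/123,
# the rule a strict OUTPUT policy needs before ntpd can correct clock drift)
-A OUTPUT -p tcp -m multiport --dports 25,80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp -m multiport --dports 53,123 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

v4_rules() {
    common_rules
    cat <<'EOF'
# answer pings; let our own ICMP (errors, echo) out
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT
EOF
}

v6_rules() {
    common_rules
    cat <<'EOF'
# IPv6 is not optional about ICMP: SLAAC and neighbour discovery are ICMPv6
# (router advertisement, neighbour solicitation/advertisement), so a default-
# drop INPUT chain without these loses the address and the default route.
# The ip6tables option is --icmpv6-type; --icmp-type is IPv4-only, which is
# why IPv4 rules fail when transposed verbatim. NDP packets must carry hop
# limit 255 (RFC 4861), so anything routed in (hl < 255) claiming to be NDP
# does not match and falls through to the DROP policy.
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
# errors needed for path MTU discovery and for TCP to notice dead paths
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
# router/neighbour solicitations and our advertisements go out here
-A OUTPUT -p ipv6-icmp -j ACCEPT
COMMIT
EOF
}

# Write both rulesets for review (directory is an assumption, override with RULES_DIR).
out="${RULES_DIR:-${TMPDIR:-/tmp}}"
v4_rules > "$out/v4.rules"
v6_rules > "$out/v6.rules"
echo "wrote $out/v4.rules and $out/v6.rules"
```

Load the files from a console session rather than over SSH the first time, or wrap the load in a timed revert, because a mistake in the SSH rule locks you out. The `FORWARD` policy only matters if the box routes; on a mail host it should stay at DROP.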
So, when I started this blog I wanted to make it a record of my learning of new skills, particularly around electronics. That hasn't happened, and now that I have a new project to start it isn't about to start; this project is very much within my skill set (or at least it should be). A little background: I have been running my website, and email server, on my home connection for years. I got an internet connection with a company that was a good ISP for those who were a little more knowledgeable of networking and computers when I moved into my house. Back then I was a novice, but with an ISP a little more forgiving of allowing more advanced use of an internet connection I could host a website, and emails, without paying any extra money for a proper hosting solution. This has led to me being the only person on my street that has a wireless internet connection during a power outage, but that is not really the point. Since then there has been a great deal of consolidation in the UK ISP market, and my ISP, PlusNet, was bought, some time ago, by BT. Until recently this wasn't really an issue; nothing much changed, BT kept PlusNet at arm's length, but for some reason, now, PlusNet have chosen to add the block of IP addresses that the static IP for my connection is in to Spamhaus' Policy Block List. This marks my internet connection as not suitable for email hosting. So my new project is to move my emails into a proper hosting solution.
So recently I changed my mail server over to Postfix, not that long after I ranted about e-mail security with PlusNet. It turns out this has led to an interesting problem. So, SSL settings were set pretty strictly on the smtps port, so only strong TLSv1.2 ciphers were available. On the smtp port I was a little more permissive: as long as it was TLSv1.2 it would accept even very weak ciphers (well, a weak cipher is better than no cipher at all, and I was accepting mail that didn't use the STARTTLS command), and everything was good. Except that it turns out emails coming from PlusNet's mail servers were failing: they would connect, try to STARTTLS, not like any of the ciphers and fail, breaking the connection. When they tried again they didn't remember that STARTTLS didn't work, so they tried again. Until the mail timed out, and was bounced. So I've had to make the settings even more permissive, as getting emails from people I know on PlusNet (like my Father, for example) is sort of important.
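The failure mode above is visible in the Postfix log long before the sender's queue times out, so it is worth watching for. Here is an added example, not part of the post and not the author's tooling: a script that reads syslog-format `postfix/smtpd` lines and lists the sending hosts whose STARTTLS handshake failed and never once succeeded, which are exactly the peers that will keep retrying and eventually bounce. The log lines embedded in it are constructed for the example; the host names and addresses are made up.

```shell
#!/bin/sh
# Added example, not the blog's own tooling: find sending hosts whose STARTTLS
# handshake keeps failing against this Postfix server (connect, STARTTLS, no
# acceptable cipher, drop, retry until the mail bounces). Reads syslog-format
# postfix/smtpd lines on stdin. SAMPLE_LOG is constructed for the example.
set -eu

SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:02:11 mx1 postfix/smtpd[2211]: connect from relay.isp.example[198.51.100.7]
Mar  3 10:02:11 mx1 postfix/smtpd[2211]: SSL_accept error from relay.isp.example[198.51.100.7]: -1
Mar  3 10:02:11 mx1 postfix/smtpd[2211]: warning: TLS library problem: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417:
Mar  3 10:02:11 mx1 postfix/smtpd[2211]: lost connection after STARTTLS from relay.isp.example[198.51.100.7]
Mar  3 10:02:11 mx1 postfix/smtpd[2211]: disconnect from relay.isp.example[198.51.100.7]
Mar  3 10:05:40 mx1 postfix/smtpd[2240]: connect from mail.good.example[203.0.113.9]
Mar  3 10:05:40 mx1 postfix/smtpd[2240]: Anonymous TLS connection established from mail.good.example[203.0.113.9]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  3 10:05:41 mx1 postfix/smtpd[2240]: disconnect from mail.good.example[203.0.113.9]
Mar  3 10:09:12 mx1 postfix/smtpd[2244]: connect from flaky.example[192.0.2.33]
Mar  3 10:09:12 mx1 postfix/smtpd[2244]: SSL_accept error from flaky.example[192.0.2.33]: -1
Mar  3 10:09:30 mx1 postfix/smtpd[2244]: connect from flaky.example[192.0.2.33]
Mar  3 10:09:30 mx1 postfix/smtpd[2244]: Anonymous TLS connection established from flaky.example[192.0.2.33]: TLSv1.2 with cipher AES128-SHA (128/128 bits)
Mar  3 10:17:45 mx1 postfix/smtpd[2230]: connect from relay.isp.example[198.51.100.7]
Mar  3 10:17:45 mx1 postfix/smtpd[2230]: SSL_accept error from relay.isp.example[198.51.100.7]: -1
Mar  3 10:17:45 mx1 postfix/smtpd[2230]: lost connection after STARTTLS from relay.isp.example[198.51.100.7]
Mar  3 10:31:02 mx1 postfix/smtpd[2262]: connect from relay.isp.example[198.51.100.7]
Mar  3 10:31:02 mx1 postfix/smtpd[2262]: SSL_accept error from relay.isp.example[198.51.100.7]: -1
Mar  3 10:31:02 mx1 postfix/smtpd[2262]: lost connection after STARTTLS from relay.isp.example[198.51.100.7]
EOF
)

# Print "<failures> <host[ip]>" for every client that hit SSL_accept errors and
# never completed a TLS handshake anywhere in the log. A host that fails once
# and then negotiates a cipher (flaky.example above) is not reported; the ones
# reported cannot get mail to you at all while they insist on STARTTLS.
starttls_failures() {
    awk '
    function peer(s) {
        # every smtpd line names the client once as "from host[ip]"
        if (match(s, /from [^ ]+\[[^]]*\]/)) return substr(s, RSTART + 5, RLENGTH - 5)
        return ""
    }
    /SSL_accept error from /           { fail[peer($0)]++ }
    /TLS connection established from / { ok[peer($0)]++ }
    END {
        for (c in fail) if (!(c in ok)) printf "%d %s\n", fail[c], c
    }' | sort -rn
}

# Run against the constructed sample when executed directly; in real use pipe
# the mail log in instead, e.g.  grep postfix/smtpd /var/log/mail.log | starttls_failures
printf '%s\n' "$SAMPLE_LOG" | starttls_failures
```

Two notes on the fix itself. In Postfix the cipher grade for opportunistic TLS on port 25 (`smtpd_tls_security_level = may`) comes from `smtpd_tls_ciphers`, while `smtpd_tls_mandatory_ciphers` and `smtpd_tls_mandatory_protocols` only apply where TLS is mandatory, such as an smtps entry in master.cf run with `-o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt`; so "strict on 465, permissive on 25" is two different parameters, not one setting loosened for both. And to see what a weak-cipher sender experiences, `openssl s_client -connect your.mx:25 -starttls smtp -cipher AES128-SHA` from another host reproduces the handshake the log above shows failing.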
Not so long ago I suggested I might change my mail server software. I have recently done so, moving from a highly customised qmail installation to Postfix. I have done so for a number of reasons, but that is not to say I dislike qmail.
What did I get out of qmail?
- Easy to configure: all the configuration was done using flat files, named for their purpose; there was no monolithic and confusing config file to search through
- Highly customisable: I had applied many patches, and made alterations to my specific installation that served my needs
- Multi-process mail system: this one mattered to me, and is why, when I switched, I switched to Postfix. There is no single binary running as root that does everything; each process runs with the privileges it needs.
So why did I want to change?
Well qmail, and specifically my installation, had become unwieldy to add new functionality to. I wanted to add greylisting, and there were many ways to do this, but they all required adding yet another patch, and out of laziness I had not committed all my changes to any sort of source control. I couldn't stomach manually going through another patch, seeing where it didn't apply cleanly and why, and fixing it again. So I had a choice: stomach the pain of another round of patching, rebuilding, and testing, and make things worse for myself; set up source control for my qmail set up; or move to something better supported in the community, and with more features.
Postfix suited my needs reasonably well: it is a multi-process mail system, using the idea of least privilege, and it has a modular design allowing the addition of extra features much more quickly and easily. It is also better supported, and even has packages within Debian, my operating system of choice. Greylisting was added easily by simply installing another package (postgrey) and altering the config of Postfix to use it. By setting up Postfix to allow access over SSL on port 465 (as I had previously on qmail) it has also enabled opportunistic encryption for any mail servers sending email to me (something I had considered adding to qmail, but had decided wasn't worth the effort), and I have also been able to easily enable opportunistic encryption for when my server sends email out to other servers that support it.
So do I regret using qmail in the past? Not at all. I learnt a great deal from using qmail, and I still prefer it as a basic mail system to Postfix; it was just becoming too much hassle to support new features.
What mail server would I advise others to use? For the most part I would suggest Google Apps or Office 365 if you want your own domain, or any of a number of other paid-for mail hosting solutions; very few people have the time, skills and patience to run their own mail server. It started as a learning exercise for me, and I like the control I have over my set up. If someone genuinely wanted to run their own mail server, my advice would be to find out what suits their needs best. qmail is great if your needs are simple, and is relatively easy to learn if you have some basic knowledge of how networks, and specifically email, work, but everyone has different needs, and those needs can change over time; mine certainly have.
So, I use PlusNet as my ISP. I have an email address with them where they send updates about my account. It's also been used in the past to sign up to various things that I haven't bothered to update to a new email address. PlusNet's email servers do not require authentication to send email from my home connection, which is fair enough really. But they also don't support SSL for authentication from my connection. So my username and password (which is unique to this account) has to be sent in plain text; now, as this is to my ISP over my ISP connection (and I trust my own network) it's not the end of the world. However, I also have a shiny smartphone, and that allows me to connect to my own email server over SSL (which until recently wasn't as secure as it should be), as it should be when connecting over the internet from untrusted or unknown networks. It also allows me to use multiple different email inboxes at once. So I could add my PlusNet email address. They even have a handy guide on setting up email on Android phones. And that's where the problems start. That guide sets up email without SSL or TLS, but it requires username and password authentication. So I'd only be able to use it on my home network. What happens if I forget to turn email sync off? My details would be put at risk!
So what should a good sysadmin do? Should I leave the ISP email only on my home PC? Should I take the risk and add the email to my phone anyway?
Well, as a paranoid sysadmin I wasn't willing to take the risk. And that was that. But frankly that was annoying me, so I decided to set up an SSL terminator for my ISP email using my own SSL cert. So I can get my email from my ISP, confident in the knowledge that only my ISP can intercept the username and password pair that I use with my ISP. I use non-standard ports for the ISP connections, and listen using stunnel. This would be a problem if I was supporting users, as it would add a level of complexity to the instructions I'd have to give them, but as I only have to support myself I can cope.
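For anyone wanting to reproduce the arrangement above, here is an added example, not the author's configuration: a script that renders an stunnel configuration which terminates TLS on non-standard ports for the phone and forwards plaintext IMAP and SMTP to the ISP's servers. The ISP host names, the listening ports, the certificate paths and the Debian `stunnel4` user are assumptions; the file is printed for review rather than installed.

```shell
#!/bin/sh
# Added example, not the blog's own file: render an stunnel.conf that accepts
# TLS from a phone on non-standard ports and forwards plaintext IMAP/SMTP to
# an ISP's mail servers. Host names, ports, paths and the stunnel4 user are
# assumptions. Output goes to stdout for review.
set -eu

render_stunnel_conf() {
    isp_imap="$1"   # ISP IMAP host:port, plaintext leg
    isp_smtp="$2"   # ISP SMTP host:port, plaintext leg
    imap_port="$3"  # non-standard port the phone uses for IMAP over TLS
    smtp_port="$4"  # non-standard port the phone uses for SMTP over TLS
    cert="$5"       # your own certificate (with chain), PEM
    key="$6"        # its private key, readable only by root/stunnel4
    cat <<EOF
; Global options: drop privileges after binding, PID file for Debian's init script.
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel.pid
; Server mode: stunnel presents our certificate to the phone. The phone must be
; set to "SSL/TLS" (implicit TLS) on these ports, not STARTTLS, because stunnel
; is not speaking IMAP or SMTP itself.
client = no
cert = $cert
key = $key
; Only modern TLS on the leg that crosses untrusted networks.
sslVersion = TLSv1.2
options = NO_SSLv2
options = NO_SSLv3
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384

[isp-imap]
accept = $imap_port
connect = $isp_imap

[isp-smtp]
accept = $smtp_port
connect = $isp_smtp
EOF
}

# Example invocation with assumed values; redirect into /etc/stunnel/isp-mail.conf once reviewed.
render_stunnel_conf imap.isp.example:143 smtp.isp.example:25 9993 9465 \
    /etc/stunnel/mail.pem /etc/stunnel/mail.key
```

Two caveats follow from the earlier post. The leg from stunnel to the ISP is still plaintext, so the credentials are protected only between the phone and the box running stunnel; that is the trade the post accepts. More importantly, the earlier post notes that the ISP's SMTP servers accept mail from the home connection without authentication, so the `[isp-smtp]` listener, reachable from the internet, would let anyone who finds it relay mail through the ISP as if from that connection. Either leave the SMTP wrapper out and only wrap IMAP, or restrict the `accept` port to known source addresses with iptables, since stunnel itself adds no authentication.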