R. Diez
2020-Oct-25 22:25 UTC
Looking for a guide to collect all e-mail from the ISP mail server
> You need SPF and DKIM for your outgoing email to be accepted.
> [...]

I don't understand why that is the case (but keep in mind that I am a newbie). Is it not possible to set up some internal SMTP server that only relays the e-mails to the external ISP SMTP server? The internal SMTP server would then act like a normal user's Thunderbird. At first I thought that the internal SMTP server would need to know the password for each mailbox user. But then I asked, and the ISP SMTP server allegedly accepts any source e-mail address, as long as you are using one e-mail account that is valid in the domain. I wonder if that is standard practice.

> My idea of a secure email server is to use submission port 587.
> Expose port 25 to the world and aggressively filter all remaining
> email ports with a firewall. And I mean aggressive. Geographically filter
> so only countries where your users reside can send and retrieve email.
> Block major hosting IP space.

Geo blocking can be problematic. Depending on the small business, some customers and suppliers may sit in China or some other geographical area you would normally block.

I am too afraid, I would not expose any such port on the Internet. Who knows if the mail server stays months without an update. If I am to recommend or implement any such mail server solution to a small business, I would insist that the e-mail server is not exposed at all on the Internet. A web interface etc. is not a problem: I just connect with a VPN and bypass most external security issues. If you are the admin, you can also forward the web interface over an SSH connection.

Best regards,
rdiez
lists
2020-Oct-25 23:28 UTC
Looking for a guide to collect all e-mail from the ISP mail server
You look spammy if you don't have SPF or DKIM, and hopefully both. Your email will either be bounced or sent to a spam folder. You need a reverse pointer as well, but that shouldn't be an issue. The situation is actually worse than it sounds. ATT/SBC needs to whitelist you by IP if you are using a VPS. Spectrum/Charter just plain blocks many VPS with no recourse.

Regarding geofencing, look back at my post. I leave port 25 open to the world. I can receive email from any country. Using submission port 587 means you can geofence from where your employee sends and receives email. It does not affect your customers since they use port 25.

The reason I run my own email server is I got hacked when using a hosting service. The hacker used a vulnerability in RoundCube and could send email as me. My PayPal account password was then changed. The hacker was in Morocco. I'm sure Morocco is a fine country but I don't plan on visiting it and thus don't need to access my email from there. Note the hacker could have changed my email password too but didn't. To top it off, I don't even use RoundCube. Never use a browser for email.

When I set up my own email / webserver I made it a point to not use any GUI control panel. If there is no hook to change a password from a control panel then it won't happen. You reduce the attack surface. All passwords are SHA512. You geofence all email ports except 25.

I also have a VPS using openvpn but it is on a different IP. That is a tunnel out of it to use the internet. Now I think what you want to do is to have openvpn show up as the local host. What you might want to do is join the postfix users group. I wouldn't bring up this kind of proxied email scheme you want to set up. Rather just ask if it is possible to set up postfix/dovecot so that the user who will always be on a VPN can send and receive email. That is, I think it will boil down to permit local host and nothing else in certain places. There are guru status users there.
One thing you will learn about email servers is there are many programs to chain together. However, think of light bulbs in series. The more in the chain, the more likely it is to fail. I dropped SpamAssassin and amavisd due to poor reliability. That was when I used freeBSD. I now run centos but just don't bother with those extra programs. I use RBLs for spam blocking. I use my brain for antivirus. Antivirus isn't all that good anyway. The key with antivirus is at what point in time do they recognize the file is a virus. I send all my malware links to virustotal.com and maybe two will recognize the link goes to malware.
Peter Blair
2020-Oct-26 00:01 UTC
Looking for a guide to collect all e-mail from the ISP mail server
At 25 October, 2020 R. Diez wrote:

> I am too afraid, I would not expose any such port on the Internet. Who knows
> if the mail server stays months without an update. If I am to recommend or
> implement any such mail server solution to a small business, I would insist
> that the e-mail server is not exposed at all on the Internet.

Setting and forgetting any server/service to run unpatched for months is generally a bad idea. I presume that you won't be maintaining this for them long term -- why not just point them at a hosting service like google apps, and let google keep things up to date?
Sebastian Nielsen
2020-Oct-26 04:47 UTC
SV: Looking for a guide to collect all e-mail from the ISP mail server
>> "Never use a browser for email."

I don't agree. In fact, using a browser for email, or at least for initial setup, is actually more secure. This is because SMTP/IMAP clients normally don't support 2FA, so you would have to "hack" a solution to enable 2FA for email. This can be done in 2 ways:

Either you have a full-fledged webmail setup. What's important is, to prevent auth-bypass holes, you remove the authentication in RoundCube or whatever webmail you use, and instead use reverse-proxy or firewall authentication. Thus an unauthenticated user doesn't even touch RoundCube/webmail at all, but must authenticate at a prior stage.

The second way is to not have webmail at all, but instead have an authentication gateway in the browser, where you must auth with 2FA and captcha. The only purpose of this gateway is to authenticate users with 2FA before their IP is whitelisted.

After this, you simply have a script that, upon valid login (with 2FA) in either webmail or the auth gateway, sets the authorized IP of the user to this. What happens then is that each account will have an authorized IP attached (you could limit it to the /24 to cater for mobile clients), and then login to that account will only be accepted from that authorized IP. This then allows SMTP/IMAP usage from that IP. If you want to go even more secure, you could restrict the firewall to the list of all IPs that all users have dynamically, and then in the SMTP/IMAP server, lock down auth to the authorized IP of that particular user account only.

It's very important that, upon authing from an incorrect IP, the server responds in the same way as if an invalid password was specified. In this way, if someone attempts to bruteforce the password, they will "miss" the correct password, if the server does not react differently to a correct password but invalid IP. Thus bots that bruteforce will not gain any success.

All this can be combined with permanent whitelists and geoIP whitelists, to avoid users having to authenticate with 2FA from "trusted" locations. One example would be to have the local office as a permanent whitelist, and also have it that any IP in the user's "home country" is permanently whitelisted for his account once the user authenticates with 2FA. Other IPs outside his home country are then only whitelisted once; at the next 2FA login, the old whitelist is simply deleted.
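As an added illustration of the IP-binding scheme described in the message above (not code from the thread, from Dovecot or from any webmail), assuming a constructed in-memory user table and SMTP-style reply strings: a 2FA login hook binds the account to the client's /24, and the SMTP/IMAP password check returns one identical failure for a wrong password and for a correct password from an unauthorized address.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data: salted PBKDF2-SHA512 password hashes (the thread
# mentions SHA512 storage; the salt and credentials here are made up).
_SALT = b"constructed-salt"


def _hash(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 100_000)


USERS = {
    "alice": {
        "hash": _hash("correct horse"),
        # /24 bound at the last 2FA login (covers changing mobile addresses)
        "authorized_net": ipaddress.ip_network("203.0.113.0/24"),
        # permanent whitelists, e.g. the office
        "permanent": [ipaddress.ip_network("198.51.100.0/24")],
    },
}

OK = "235 2.7.0 Authentication successful"
FAIL = "535 5.7.8 Authentication credentials invalid"


def mark_2fa_login(user: str, client_ip: str) -> None:
    """Hook run by the webmail / auth gateway after a successful 2FA login:
    replace the account's dynamic whitelist with the client's /24."""
    USERS[user]["authorized_net"] = ipaddress.ip_network(
        f"{client_ip}/24", strict=False
    )


def smtp_imap_auth(user: str, password: str, client_ip: str) -> str:
    """Password check for SMTP/IMAP. Unknown user, wrong password and
    wrong source IP all produce the same reply, so a brute-forcer cannot
    tell when it has hit the right password from a non-whitelisted IP."""
    rec = USERS.get(user)
    addr = ipaddress.ip_address(client_ip)
    # Hash even for unknown users so timing does not reveal valid names.
    expected = rec["hash"] if rec else _hash("")
    pw_ok = hmac.compare_digest(_hash(password), expected)
    nets = [rec["authorized_net"], *rec["permanent"]] if rec else []
    ip_ok = any(addr in net for net in nets)
    # One combined decision; no early return that differs by failure cause.
    return OK if (pw_ok and ip_ok) else FAIL
```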
Sebastian Nielsen
2020-Oct-26 04:51 UTC
SV: Looking for a guide to collect all e-mail from the ISP mail server
>> why not just point them at a hosting service like google apps, and let google keep things up to date?

Costs money, and also the problem is that gmail imposes heavy spam filters and "reputation blocks", meaning smaller providers with low email volumes are put in the spam folder, even if they never send spam, just because their email volume is so low (ergo, they must prove they don't spam before getting out of the spam folder).

Another thing is that you cannot impose IP restrictions when using Google Apps, or have SSO with trusted access from inside the office (for example: scan your badge at the office door, your personal computer is automatically logged on and you get access to everything).

With locally hosted servers, of course you have to keep them updated. Most linux distributions can keep them updated automatically.
R. Diez
2020-Oct-26 10:24 UTC
Looking for a guide to collect all e-mail from the ISP mail server
> You look spammy if you don't have SPF or DKIM, and hopefully both.
> [...]

I don't want to worry about spam, SPF, DNS or the lot. That is what the ISP is there for. Most of them actually do a pretty good job for very little money in my experience. If not, you can always switch to another ISP.

> Regarding geofencing, look back at my post.
> [...]

Geofencing is way too complicated. You would need a real e-mail consultant for that. 8-) It is far easier to install OpenVPN, in order to avoid exposing anything else internal on the Internet. Then it is like the user is inside the LAN. There is nothing else to adjust in the mail server or anywhere else.

> The reason I run my own email server is I got hacked when using a hosting service.
> [...]

I can understand that you got hacked. A nasty experience. But, if you think about it, your ISP got hacked, not you. If you open ports, your server may get hacked. And then the hacker is inside your network. Hack attacks like yours are probably the reason why the European Union is nowadays forcing a kind of two-factor authentication for banks, PayPal etc. The hacker did not change the e-mail password so that you do not realise immediately that you got hacked, and maybe immediately cancel your credit cards etc.

There is no way most part-time admins like me can provide better security than an ISP. Even paying for a more professional service is probably not worth it. It's an economic weighing exercise: how many get hacked, and what protection costs. I would start by securing PayPal etc. better, by using two-factor authentication like SMS or a separate mobile App to approve payments.

> One thing you will learn about email servers is there are many programs to chain together.
> [...]

That is why I wanted the ISP to take over spam and virus detection. Most do a reasonable job, better than I could ever do anyway.

Best regards,
rdiez