dovecot - Oct 2020 - Looking for a guide to collect all e-mail from the ISP mail server

>> I would not advice any company that is continuously being fined for
breaking the law.
> This is not only an overstatement, it is completely irrelevant.? Given the
OP problem
> statement (small business, part-time admin, newbie to mail 
> servers), I do not think there is a better solution
> A small server already costs 20 USD / month, running a mail server consumes
a significant amount
> of resources, and as the OP mentions running a mail server also represents
a high security risk.

Guys, this kind of advice is not helping me either.

First of all, I want to learn how to do it, just for fun. Even if paying for a
hosted solution is an economically better solution. It's not for me to
decide anyway.

I will not recommend Google. Ever heard of data protection and data
confidentiality? And then you are completely dependent. Your are nothing for a
huge company like Google. If they lose your complete e-mail database, they will
tell you that they are awfully sorry. If at all.

And no, running a mail server does not "consume a significant amount of
resources". Any 10-year-old laptop can easily cater for a small business.

Besides, paying $6/user/month is actually very expensive for some small
organisations. If you have 20 volunteers coming to the help in a small public
library once a month, that would be $1440 a year just for e-mail services. Most
such people would continue to use private Hotmail addresses. I would
rather install a Synology NAS and use whatever e-mail service it comes with it.

An on-premise mail server is, and should be, virtually free, at least for a
basic e-mail service. No need for cloud. No need to expose any ports. No
need to configure the firewall. No need to ask anything from your ISP.

I have seen it running like that on existing small businesses with Microsoft
Exchange and the POP Connector. It is just that Microsoft wants you to
pay a subscription now, probably because the old licence fees are way cheaper
than $6/user/month.

If Linus had been reading this mailing list, we would all be paying lawyers to
contract professional Sun/Oracle consultants to run our software on
certified Solaris servers!

Regards,
   rdiez

>
> First of all, I want to learn how to do it, just for fun.
>
Okay, that was not what you initially said.  Some comments below, 
nonetheless.
>
> I will not recommend Google. Ever heard of data protection and data 
> confidentiality?
>
Your data is stored confidentially by Google, obviously.  Otherwise nobody 
would use their services.
>
> And then you are completely dependent. Your are nothing for a huge 
> company like Google. If they lose your complete e-mail database, they 
> will tell you that they are awfully sorry. If at all.
>
The likelihood that Google loses your email is far less than the 
likelihood that your server has a disk failure, gets hacked and rm -rf'd, 
is stolen, burns in a fire, and so forth.
>
> And no, running a mail server does not "consume a significant amount
of
> resources". Any 10-year-old laptop can easily cater for a small 
> business.
>
I meant human resources, obviously.
>
> Besides, paying $6/user/month is actually very expensive for some small 
> organisations. If you have 20 volunteers coming to the help in a small 
> public library once a month, that would be $1440 a year just for e-mail 
> services.
>
I'll say it again: Google is _free_ for nonprofits.  Free: $0/user/month, 
for as many users as you want.

On 10/26/20 11:24 AM, Gregory Heytings wrote:
> Your data is stored confidentially by Google, obviously.? Otherwise 
> nobody would use their services.
   My keyboard is now COMPLETELY saturated with coffee.  Some hit my 
display this time, too.

              -Dave

-- 
Dave McGuire, AK4HZ
New Kensington, PA

>
> First of all, I want to learn how to do it, just for fun.
>
If you want to do this yourself for fun, here is what I believe a good way 
to do it:

1. install and configure Dovecot with one account for each user; see for 
example https://doc.dovecot.org/configuration_manual/quick_configuration/

2. install and configure OfflineIMAP to synchronize the IMAP folders 
between your ISP IMAP server and your Dovecot server; see for example 
http://www.offlineimap.org/doc/quick_start.html

At this point you should have a functional IMAP server, and your users can 
use your ISP SMTP server to send their mails.

If you want to go one step further, and want your users to send their 
mails through your server, install and configure Postfix; see for example 
http://www.postfix.org/SOHO_README.html or 
https://www.howtoforge.com/how-to-relay-email-on-a-postfix-server

If you want to go another step further, and want to remove the mails from 
your ISP IMAP server (instead of just mirroring it in Dovecot), install 
and configure Fetchmail; see for example 
https://www.linode.com/docs/guides/using-fetchmail-to-retrieve-email/

> 2. install and configure OfflineIMAP to synchronize the IMAP folders
between your ISP IMAP server and your Dovecot server; see for example
> http://www.offlineimap.org/doc/quick_start.html
OfflineIMAP is not the way to go. Many ISPs have very low size limits for the
mailbox sizes. The one I am looking at right now does have this problem
(unless you pay extra).

 From what I have gathered now, your hints about Postfix and fetchmail are
correct. The trouble is that those doc pages are not real-life, complete
examples with Dovecot of the two possible ways: 1) multidrop/catch all, and 2)
one mailbox per user.

Yes, I should be able to piece it all together. I will probably try. I just find
it surprising that there is no such a complete guide yet. Because I
am sure that there are a few gotchas along the way.


 > see
 > https://blog.sys4.de/abholdienst-fur-mail-de.html

Yes, getmail is an alternative, and that looks like a good way too. But it's
the same problem: the article is not complete. It states "how you could
arrange it". It would be nice that you did not have to manually write a
getmail config file per user. And an example for multidrop is missing. There
is a note at the end that you should carefully plan the transport ways, but I
wouldn't know yet what to do in that respect.

It's just not a guide that I can follow from top to bottom to get a first
working mail server to play with. That makes it pretty hard for me at this
time. I will need much more time to learn and test every little detail myself.
I'm not promising anything, but I may actually invest the time if I
don't find anything else more interesting in the meantime. 8-)


In any case, thanks for the hints. I know now what the way to go is. Those pesky
port 25 people are not going to get me! ;-)

Regards,
   rdiez

> On 26 Oct 2020, at 09:11, R. Diez <rdiezmail-2006 at yahoo.de> wrote:
> 
>>> 
>>> I would not advice any company that is continuously being fined for
breaking the law.
> 
>> This is not only an overstatement, it is completely irrelevant.  Given
the OP problem
>> statement (small business, part-time admin, newbie to mail servers), I
do not think there is a better solution
>> A small server already costs 20 USD / month, running a mail server
consumes a significant amount of resources, and as the OP mentions running a
mail server also represents a high security risk.
> 
> 
> Guys, this kind of advice is not helping me either.
> 
> First of all, I want to learn how to do it, just for fun. Even if paying
for a hosted solution is an economically better solution. It's not for me to
decide anyway.
If you want to do it for fun and learning, setup a private mail server for
yourself and maybe some friends. You do not have "fun" with a
company's emails, not even a non-profit. ESPECAILLY since you have rather
sepcific legal restrictions and requirements on that email.

Doing it yourself is possible IF you already know what you are doing very well.
Doing this yourself as a "fun learning experiment" is irresponsible.
> I will not recommend Google. Ever heard of data protection and data
confidentiality? And then you are completely dependent. Your are nothing for a
huge company like Google. If they lose your complete e-mail database, they will
tell you that they are awfully sorry. If at all.
You are still confusing two very different things, the paid Google hosting
service and the free gmail service. They are not the same thing. You paranoia is
based on ignorance. You do not, obviously have to go with Google. There are many
other choices. Hundreds. Your government may even have a list of companies that
comply with German and European laws.
> And no, running a mail server does not "consume a significant amount
of resources". Any 10-year-old laptop can easily cater for a small
business.
That depends. You need to find an 18yo laptop that can run a current OS with
current security libraries, so that's a stretch right there. And while it
may not consume a lot of CPU resources, it consumes a lot of human/brain
resources. It takes knowledge which takes time. Your idea that you can just
setup a mialserver and walk away and never look at it again is laughable.
> Besides, paying $6/user/month is actually very expensive for some small
organisations.
Depends on what the cost of, for example, having all your email ransomwared or
published to some website costs. If your non-profit gets funding, your country
and the EU have very strict laws on the security of email and the requirement to
keep it archived and to ensure the data cannot get out. You may be facing
serious fines or even jail time if you setup an mail server badly that results
(as it almost surely will) a third party accessing that mail.
> If you have 20 volunteers coming to the help in a small public library once
a month, that would be $1440 a year just for e-mail services.
If you feel the need to give 20 volunteers individual, personal email addresses,
sure. $1500 a year for any sort of business, even a non-profit, is not a
significant cost.
> Most such people would continue to use private Hotmail addresses. I would
rather install a Synology NAS and use whatever e-mail service it comes with it.
You have to pay for that too.
> An on-premise mail server is, and should be, virtually free,
It is not. You need someone to admin it. You need someone to be vigilant and see
when things are going wrong, or when an intruder has gained access, or when your
DNS has expired, or your certificates need to be renewed, or a major system
update is required. You also need (well, should have) a  backup server, UPS
systems (check those batteries!) and a whole host of other things that need to
be done.
> at least for a basic e-mail service. No need for cloud. No need to expose
any ports. No need to configure the firewall. No need to ask anything from your
ISP.
You cannot send or receive any email if all your ports are closed. In order to
communicate with anyone else, you must have the ability to connect to them.

But it sure sounds like you've made up your mind to make the worst decision
and are ignoring the advice of many people who do this all day, everyday. Good
luck with that.

Please check with your legal counsel first, you may be shocked as to what the EU
and Germany actually require and what penalties you face when you decide to
ignore those requirements. For example, are you aware that Germany requires TLS
encryption on all email? And has more stringent E2EE requirements on many
emails?

-- 
"Let's get back to syntax of procmail and forget the syntax of
	fools." Don

>>EU have very strict laws on the security of email and the requirement to
keep it archived and to ensure the data cannot get out. 

No.
GDPR is very organization-specific, meaning that a small organization or
non-profit with 5 employees, don't need the same security as a 100 employee
multi-million dollar organization.

They were going to require small companies and even private persons
processing data outside of the "personal space" limitation, to have
the same
sort of physical and digital security as any multi-billion dollar
corporation, and require those that cannot cash up for such security, to
only use hosted cloud services and rented centrally-managed computers
without any own IT department.

Of course, they dropped that idea, because it was not fair against small
companies. They changed the ruling so the amount of security you need, is
dependant on how much people is at risk if the emails leak, and what type of
content the email has (if it has sensitive data, requirements are higher).

But also, export of data to third-world countries is not permitted at all,
regardless of organization size, due to the data losing legal protection (if
someone outside EU leaks the data, you cannot hold someone responsible),
unless specific requirements are met.

This means, a somewhat maintained mail server, physically located at a
company, is much better than using a hosted cloud service, as the cloud
services usually take extra payment to keep the data inside EU.

Same with the rulings on security bulletins - if you have a multi-billion
dollar company then you are expected to apply security fixes and patches,
even on a Saturday night. They are obliged by EU law to have alarms that
wake them up on any major security bulletin regarding any of the server
software.

For a small non-profit or family company - its OK to wait until business
hours with that - if that leads to the server being hacked - its okay. You
did what you could. Novody expects you to be available 24/7 to patch 0-days.

So its totally dependand on what type of organization you run, and the size
- that govern how much security you need.


And no, you don't need an UPS or backuped ISP connections, unless you run
something mission critical. Most mailservers will queue mails for several
days, so if your mailserver disappear for 1-2 days, it don't matter.
The "availability" requirements of GDPR only applies to
society-cricical
services where it can actually cause harm to end-users if a service is down.

If its just a small non-profit with 5 employees, GDPR is not gonna care
because the email server was down for a day or two.




-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5715 bytes
Desc: S/MIME Cryptographic Signature
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20201027/af08eb1a/attachment-0001.p7s>