Building new mail server

Stephen Satchell
My existing mail server is running CentOS 4 (yes, VERY old -- which is a
testament as to the continuing quality of Postfix), with port 25 exposed
to the whole wide world.  Everything else is restricted by an IPTABLES
firewall and TCPwrapper.  I was going to wait for CentOS 8 to be
released and get some run time by early adopters, but my poor mail
server is starting to show signs of wearing out and I may have to pull
the trigger sooner.

My question for the user community is this: any gotchas in bringing up
Postfix on CentOS 7.6.1810 from the Red Hat distribution?  Integration
with the version of Dovecot in 7.6 from same?

Other questions:

I'm not going to port over the mail directories from the old server.
Everything will be from scratch, so conversions are not an issue.  I
will be carrying over my header_checks file, though.

Do I need to buy a certificate for my domain satchell.net, or will a
self-signed certificate be sufficient?  The MX is mail.satchell.net for
that domain.  The other domains described on the old box have expired,
so I won't be bringing those over.

Significant services running on the new box: Postfix, Dovecot, BIND 9,
NTP (actually chrony)

Outside access and inside access are split using VLANs on an HP switch
(already in my network) to the one and only Ethernet port on the new
server, which is a laptop board in a mini-tower case. The outside port
will be on an external (access to the world) netblock
(75.140.42.118/29?), while the inside port will be in the 10.1.1.0/24
netblock.  If needed, I can also have the inside port be on the
10.1.2.0/24 and 10.1.3.0/24 to access isolated equipment.

I'm planning on exposing only port 25 (smtp) and rate-limited ICMP to
the world.  All the rest of the ports, TCP and UDP, plus other IP
protocols, will be blocked to outsiders.  The local LAN has access to
everything.  I'm considering how to handle output port blocking for
those services not needed by a mail server.
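As an added example (not part of Stephen's post, nor anything from the Postfix or CentOS projects), here is a minimal IPv4 iptables ruleset in iptables-restore format that expresses the inbound policy described above: SMTP on port 25 and rate-limited ICMP from the outside VLAN, everything from the inside VLANs, default drop. The VLAN sub-interface names, the ICMP rate and the burst size are assumptions, and the script only prints the rules unless run as root with `--apply`.

```shell
#!/bin/sh
# Added example: inbound firewall policy for the mail server plan described above.
# Interface names and the ICMP rate/burst are assumptions; adjust to the real VLAN setup.
OUTSIDE_IF="${OUTSIDE_IF:-eth0.100}"   # assumed VLAN sub-interface facing the world
INSIDE_IF="${INSIDE_IF:-eth0.200}"     # assumed VLAN sub-interface facing 10.1.x.0/24
ICMP_RATE="${ICMP_RATE:-5/second}"     # assumed ICMP rate limit from outside
ICMP_BURST="${ICMP_BURST:-10}"         # assumed burst allowance for the limit match

# Emit the ruleset as text so it can be reviewed (or diffed) before it is loaded.
mail_server_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $INSIDE_IF -s 10.1.1.0/24 -j ACCEPT
-A INPUT -i $INSIDE_IF -s 10.1.2.0/24 -j ACCEPT
-A INPUT -i $INSIDE_IF -s 10.1.3.0/24 -j ACCEPT
-A INPUT -i $OUTSIDE_IF -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $OUTSIDE_IF -p icmp -m limit --limit $ICMP_RATE --limit-burst $ICMP_BURST -j ACCEPT
-A INPUT -i $OUTSIDE_IF -p icmp -j DROP
COMMIT
EOF
}

# Sanity check: list every TCP/UDP destination port accepted on the outside interface.
# For this policy the result must be exactly "25".
exposed_ports() {
  mail_server_rules | grep -- "-i $OUTSIDE_IF" | grep -E -- '-p (tcp|udp)' \
    | sed -n 's/.*--dport \([0-9]*\).*/\1/p' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Count ICMP rules on the outside interface: one rate-limited ACCEPT, one catch-all DROP.
outside_icmp_rules() {
  mail_server_rules | grep -c -- "-i $OUTSIDE_IF -p icmp"
}

if [ "${1:-}" = "--apply" ]; then
  mail_server_rules | iptables-restore   # needs root; replaces the current filter table
else
  mail_server_rules
fi
```

The ruleset leaves OUTPUT at ACCEPT; restricting outbound ports for services a mail server does not need, as the post considers, is a separate set of rules on the same table.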