ODMR/ATRN ?

classic Classic list List threaded Threaded
44 messages Options
123
Reply | Threaded
Open this post in threaded view
|

ODMR/ATRN ?

Ronald F. Guilmette-2

I'd very much like to move my (Postfix) mail server, which currently resides
on a (static IP) end-luser broadband line, to some VM in the cloud someplace,
and then use something like fetchmail to poll that periodically to pull
down all mail for my several domains and then have fetchmail re-inject
all of those mail messages into the local Postfix.  The plan would be to
get all this running and then give up my local static IP here, exchanging
it for a dynamic one instead.  (This will save me a tiny bit of money on
my monthy local ISP bill.)

Googling for options just now, it sure sounds like ODMR/ATRN would fit
my needs nicely, however I can't quite make out whether any of this
ODMR/ATRN stuff has ever actually been implemented in Postfix or not.
Has it been?

Regardless of whether it has or not, if anyone wants to suggest or recommend
any alternative solution(s) I'm all ears.  I am open to anything that
will get the job done.  My only real requirements for a solution are:

    1)  Must support unlimited email addresses per each recipient domain.

    2)  Must preserve envelope sender information.

In general, speed is not an issue, but security most certainly is.

That having been said, I am not eager to use Jakob Hirsh's odmrd because
that SMTP server is written in Perl, and I've been known to be DDoS'd
from time to time.  So I'm loath to leave anything written in Perl running
on any outward facing port.  It's just way too easy for an attacker to
run the CPU usage up to 100% and keep it there if one does so.

Looking forward to info on Postfix support for ODMR or alternatives thereto.


Regards,
rfg
Reply | Threaded
Open this post in threaded view
|

Re: ODMR/ATRN ?

Antonio Leding
Hey rfg,

Just curious…any reason to not use use the could-based Postfix server + something like Dovecot and then have your clients access that directly?  I have this now for at least 20 domains and it works awesome.

I’m not understanding why the need to relay the mail to your local Postifix instance…I’m sure there is a good reason but I’m just not seeing as yet…




> On Jun 9, 2019, at 1:42 PM, Ronald F. Guilmette <[hidden email]> wrote:
>
>
> I'd very much like to move my (Postfix) mail server, which currently resides
> on a (static IP) end-luser broadband line, to some VM in the cloud someplace,
> and then use something like fetchmail to poll that periodically to pull
> down all mail for my several domains and then have fetchmail re-inject
> all of those mail messages into the local Postfix.  The plan would be to
> get all this running and then give up my local static IP here, exchanging
> it for a dynamic one instead.  (This will save me a tiny bit of money on
> my monthy local ISP bill.)
>
> Googling for options just now, it sure sounds like ODMR/ATRN would fit
> my needs nicely, however I can't quite make out whether any of this
> ODMR/ATRN stuff has ever actually been implemented in Postfix or not.
> Has it been?
>
> Regardless of whether it has or not, if anyone wants to suggest or recommend
> any alternative solution(s) I'm all ears.  I am open to anything that
> will get the job done.  My only real requirements for a solution are:
>
>    1)  Must support unlimited email addresses per each recipient domain.
>
>    2)  Must preserve envelope sender information.
>
> In general, speed is not an issue, but security most certainly is.
>
> That having been said, I am not eager to use Jakob Hirsh's odmrd because
> that SMTP server is written in Perl, and I've been known to be DDoS'd
> from time to time.  So I'm loath to leave anything written in Perl running
> on any outward facing port.  It's just way too easy for an attacker to
> run the CPU usage up to 100% and keep it there if one does so.
>
> Looking forward to info on Postfix support for ODMR or alternatives thereto.
>
>
> Regards,
> rfg

Reply | Threaded
Open this post in threaded view
|

Re: ODMR/ATRN ?

Kevin A. McGrail
In reply to this post by Ronald F. Guilmette-2
Well, first, my firm's commercial Raptor anti-pam solution supports smarthosting for outbound and inbound on an alternate port.  Add any dynamic DNS solution and you are good to go.  Plus you get the best business anti-spam solution.  Happy to chat more about pricing. 

But that leads to my answer.  You can just setup a box on a VM with a static IP and do smtp authentication for smarthosting through that box and use it as a relay for your domain on an alternate port using Dynamic DNS.  No need for fetchmail or anything like that.

Regards,
KAM



On 6/9/2019 4:42 PM, Ronald F. Guilmette wrote:
I'd very much like to move my (Postfix) mail server, which currently resides
on a (static IP) end-luser broadband line, to some VM in the cloud someplace,
and then use something like fetchmail to poll that periodically to pull
down all mail for my several domains and then have fetchmail re-inject
all of those mail messages into the local Postfix.  The plan would be to
get all this running and then give up my local static IP here, exchanging
it for a dynamic one instead.  (This will save me a tiny bit of money on
my monthy local ISP bill.)

Googling for options just now, it sure sounds like ODMR/ATRN would fit
my needs nicely, however I can't quite make out whether any of this
ODMR/ATRN stuff has ever actually been implemented in Postfix or not.
Has it been?

Regardless of whether it has or not, if anyone wants to suggest or recommend
any alternative solution(s) I'm all ears.  I am open to anything that
will get the job done.  My only real requirements for a solution are:

    1)  Must support unlimited email addresses per each recipient domain.

    2)  Must preserve envelope sender information.

In general, speed is not an issue, but security most certainly is.

That having been said, I am not eager to use Jakob Hirsh's odmrd because
that SMTP server is written in Perl, and I've been known to be DDoS'd
from time to time.  So I'm loath to leave anything written in Perl running
on any outward facing port.  It's just way too easy for an attacker to
run the CPU usage up to 100% and keep it there if one does so.

Looking forward to info on Postfix support for ODMR or alternatives thereto.


Regards,
rfg


--
Kevin A. McGrail
CEO Emeritus

Peregrine Computer Consultants Corporation
10311 Cascade Lane
Fairfax, VA 22032

http://www.pccc.com/

703-359-9700 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
[hidden email]

https://www.linkedin.com/in/kmcgrail

Reply | Threaded
Open this post in threaded view
|

Re: ODMR/ATRN ?

Ronald F. Guilmette-2
In reply to this post by Antonio Leding

In message <0100016b3e069855-f95cf3e2-9649-4a55-8290-24a9d44f80cc-000000@email.
amazonses.com>, Antonio Leding <[hidden email]> wrote:

>Just curious any reason to not use use the could-based Postfix
>server + something like Dovecot and then have your clients access that
>directly?  I have this now for at least 20 domains and it works awesome.

Firstly, I have no idea what you mean by "could-based Postfix".  Was that
a typo?  What did you mean, actually?

Secondly, in answer to what I think your question was... security.  I'm
not keen to have -any- of my mail piling up for any lenth of time on some
cloud server that I don't have complete and -physical- control over.
Paranoid?  You bet.

My plan... if I can figure out a way to do it... will be to have a Postfix
instance running on some cloud VM someplace (with static IP, of course)
and use that for inbound and outbound (smarthost), and meanwhile set up
something like fetchmail here on my home system to pull down all of the
pending inbound message for all of my domains, say, every 120 seconds
or so.  That way nothing will actually stay on the cloud server for very
long, and if anyone manages to break into that, they won't find much in
the way of my confidential emails, because the lifetime of each (stored)
message there will typically be very very short.  (Maybe Hillary Clinton
should have been so careful! :-)

>I'm not understanding why the need to relay the mail to your
>local Postifix instance I'm sure there is a good reason
>but I'm just not seeing as yet

I have tried to explain my thought process.

Now that I have done so, I feel sure that someone will explain to me, very
logically, why I am a blithering idiot.  That's OK, as long as I learn
something in the process.


Regards,
rfg
Reply | Threaded
Open this post in threaded view
|

Re: ODMR/ATRN ?

Pau Amma
On Sun, June 9, 2019 9:29 pm, Ronald F. Guilmette wrote:

>
> In message
> <0100016b3e069855-f95cf3e2-9649-4a55-8290-24a9d44f80cc-000000@email.
> amazonses.com>, Antonio Leding <[hidden email]> wrote:
>
>>Just curious any reason to not use use the could-based Postfix
>>server + something like Dovecot and then have your clients access that
>>directly?  I have this now for at least 20 domains and it works awesome.
>
> Firstly, I have no idea what you mean by "could-based Postfix".  Was that
> a typo?  What did you mean, actually?

I'm guessing "could" is a typo (or perhaps autocorrection) for "cloud".

Reply | Threaded
Open this post in threaded view
|

Re: ODMR/ATRN ?

Antonio Leding
In reply to this post by Ronald F. Guilmette-2
Hi rfg,

What did I mean by cloud-based postfix:

 —> When you said “…"to some VM in the cloud someplace…”, I did presume you meant a Postfix server in the cloud…like on an AWS VM or similar…

Security:

—> With some VMs, you will have complete root-level rights on the server and can do what you wish in terms of server security.  In terms of NW security, that will depend of course on the cloud\hosting provider that you happen to use.  I use AWS which gives me a lot of NW control…for example, I have a low-cost FW on the front end of my Postfix box and then I also do a few things locally on the actual server all coming together to provide security for my email infrastructure.

In terms of a accessing my email, I just configure IMAP on my client and point it to my Postfix + Dovecot server.  This is very similar to many email accounts one might setup using IMAP.  No local Postfix server or fetchmail required.  Also, you do have the option of keeping the mail in the cloud or transfer it to your local machine.  In the latter case however, one thing you would lose is being able to access that mail from any device you wish.

I understand - and share - your concerns re: cloud-based mail security but those issues are manageable if proper infosec is implemented…


> On Jun 9, 2019, at 2:29 PM, Ronald F. Guilmette <[hidden email]> wrote:
>
>
> In message <0100016b3e069855-f95cf3e2-9649-4a55-8290-24a9d44f80cc-000000@email.
> amazonses.com>, Antonio Leding <[hidden email]> wrote:
>
>> Just curious any reason to not use use the could-based Postfix
>> server + something like Dovecot and then have your clients access that
>> directly?  I have this now for at least 20 domains and it works awesome.
>
> Firstly, I have no idea what you mean by "could-based Postfix".  Was that
> a typo?  What did you mean, actually?
>
> Secondly, in answer to what I think your question was... security.  I'm
> not keen to have -any- of my mail piling up for any lenth of time on some
> cloud server that I don't have complete and -physical- control over.
> Paranoid?  You bet.
>
> My plan... if I can figure out a way to do it... will be to have a Postfix
> instance running on some cloud VM someplace (with static IP, of course)
> and use that for inbound and outbound (smarthost), and meanwhile set up
> something like fetchmail here on my home system to pull down all of the
> pending inbound message for all of my domains, say, every 120 seconds
> or so.  That way nothing will actually stay on the cloud server for very
> long, and if anyone manages to break into that, they won't find much in
> the way of my confidential emails, because the lifetime of each (stored)
> message there will typically be very very short.  (Maybe Hillary Clinton
> should have been so careful! :-)
>
>> I'm not understanding why the need to relay the mail to your
>> local Postifix instance I'm sure there is a good reason
>> but I'm just not seeing as yet
>
> I have tried to explain my thought process.
>
> Now that I have done so, I feel sure that someone will explain to me, very
> logically, why I am a blithering idiot.  That's OK, as long as I learn
> something in the process.
>
>
> Regards,
> rfg

Reply | Threaded
Open this post in threaded view
|

Re: ODMR/ATRN ?

Antonio Leding
In reply to this post by Pau Amma
AHHH - yes, thank you Paul - I did mean “cloud” based Postfix…



> On Jun 9, 2019, at 2:53 PM, Pau Amma <[hidden email]> wrote:
>
> On Sun, June 9, 2019 9:29 pm, Ronald F. Guilmette wrote:
>>
>> In message
>> <0100016b3e069855-f95cf3e2-9649-4a55-8290-24a9d44f80cc-000000@email.
>> amazonses.com>, Antonio Leding <[hidden email]> wrote:
>>
>>> Just curious any reason to not use use the could-based Postfix
>>> server + something like Dovecot and then have your clients access that
>>> directly?  I have this now for at least 20 domains and it works awesome.
>>
>> Firstly, I have no idea what you mean by "could-based Postfix".  Was that
>> a typo?  What did you mean, actually?
>
> I'm guessing "could" is a typo (or perhaps autocorrection) for "cloud".
>

Reply | Threaded
Open this post in threaded view
|

Re: ODMR/ATRN ?

cvandesande
Maybe something like I'm doing?

I have 3 instances of postfix running (because I travel) but this can
work with 2.
1 server in the cloud, 2 locally one home one office.

The 2 local postfix instances only accept public email from the cloud
VM, but they accept local email (ipcam's, for example on the LAN).

The MX record points to the cloud VM, should it pass the spam test then
the 'clean' email is relayed to 1 of the 2 local postfix servers.
The local servers then deliver to a local Dovecot, where I access my
email from a local private IP on the LAN.

Think of the flow like this.

public email > Cloud VM (postscreen/rspamd test passes) > local Postfix
> local Dovecot.

Whichever local Dovecot received the message with replicate to the other
site.

I think of it this way, the email is coming from the public internet, so
scan it while it's out on the public internet.

If it passes the test, then it's considered 'good enough' to be
delivered to one of the local servers.

Internal email like ipcam's, server emails never leave the local LAN
(except to be replicated to the other local site).

Hope that makes sense.

Chris.


On 09/06/2019 23:00, Antonio Leding wrote:

> AHHH - yes, thank you Paul - I did mean “cloud” based Postfix…
>
>
>
>> On Jun 9, 2019, at 2:53 PM, Pau Amma <[hidden email]> wrote:
>>
>> On Sun, June 9, 2019 9:29 pm, Ronald F. Guilmette wrote:
>>> In message
>>> <0100016b3e069855-f95cf3e2-9649-4a55-8290-24a9d44f80cc-000000@email.
>>> amazonses.com>, Antonio Leding <[hidden email]> wrote:
>>>
>>>> Just curious any reason to not use use the could-based Postfix
>>>> server + something like Dovecot and then have your clients access that
>>>> directly?  I have this now for at least 20 domains and it works awesome.
>>> Firstly, I have no idea what you mean by "could-based Postfix".  Was that
>>> a typo?  What did you mean, actually?
>> I'm guessing "could" is a typo (or perhaps autocorrection) for "cloud".
>>
Reply | Threaded
Open this post in threaded view
|

Re: ODMR/ATRN ?

Ronald F. Guilmette-2
In reply to this post by Kevin A. McGrail

In message <[hidden email]>,
"Kevin A. McGrail" <[hidden email]> wrote:

>Well, first, my firm's commercial Raptor anti-pam solution supports
>smarthosting for outbound and inbound on an alternate port. Add any
>dynamic DNS solution and you are good to go. Plus you get the best
>business anti-spam solution. Happy to chat more about pricing.

Thank you, but I need to be frank.  VM slices are less expensive than
water these days.  And also, I'm the world's biggest cheapskate.  So I
do believe that I will be rolling my own solution in this instance.  But
thanks anyway.

>But that leads to my answer. You can just setup a box on a VM with a
>static IP and do smtp authentication for smarthosting through that box
>and use it as a relay for your domain on an alternate port using Dynamic
>DNS. No need for fetchmail or anything like that.

I believe that I understand fully how to handle my outbound email traffic,
i.e. treating my (soon to be) cloud VM running Postfix as a "smarthost"
for outbound.  That part is the easy part, and also the simple part.

The harder part is handing the inbound email traffic for my several domains.

I *think* that I *may* perhaps understand your suggestion with regards to
that, but I'll have to think about it awhile longer before I can be sure.

I wish that I had an example to look at, or some slightly-more-detailed
write-up to refer to that would show me how to configure this exact approach
with Postfix.

But if worse comes to worse, I can probably puzzle it all out, starting from
just what you said, above.

One part that I'm sure that I -do not- understand is why you suggeted an
alternative port number.  Can you explain?

Also, I've never set up any Postfix instance to be a relay before, ever,
so I'm hoping that there is a README available on that specific topic (and
I'll be googling for that any second now.)

The only other thing I can say for now is that although I understand how
MXs and their priorities work, I'm really still not too clear on how I would
get mail to go to the (static IP) cloud VM Postfix instance most or all of
the time, in the first instance, and -then- get all of that stuff to flow,
afterwards, to the (secondary) Postfix that I have running out at the dynamic
FQDN... when that machine is actually online.


Regards,
rfg
Reply | Threaded
Open this post in threaded view
|

Re: ODMR/ATRN ?

Antonio Leding
In reply to this post by cvandesande
Hi Chris,

Not being critical but really just want to understand why you architected it the way you did…

Are your local PF boxes behind a more secure border than your cloud based PF server?  I understand the SPAM part of the design — or I think I do :=) — it seems like you just feel more comfortable performing SPAM analysis in the cloud vs. inside your border…but curious in terms of other infosec…

Also, did you implement pinholes on your local side so you can access mail from different locations or just opt to not have that flexibility?



> On Jun 9, 2019, at 3:12 PM, [hidden email] wrote:
>
> Maybe something like I'm doing?
>
> I have 3 instances of postfix running (because I travel) but this can
> work with 2.
> 1 server in the cloud, 2 locally one home one office.
>
> The 2 local postfix instances only accept public email from the cloud
> VM, but they accept local email (ipcam's, for example on the LAN).
>
> The MX record points to the cloud VM, should it pass the spam test then
> the 'clean' email is relayed to 1 of the 2 local postfix servers.
> The local servers then deliver to a local Dovecot, where I access my
> email from a local private IP on the LAN.
>
> Think of the flow like this.
>
> public email > Cloud VM (postscreen/rspamd test passes) > local Postfix
>> local Dovecot.
>
> Whichever local Dovecot received the message with replicate to the other
> site.
>
> I think of it this way, the email is coming from the public internet, so
> scan it while it's out on the public internet.
>
> If it passes the test, then it's considered 'good enough' to be
> delivered to one of the local servers.
>
> Internal email like ipcam's, server emails never leave the local LAN
> (except to be replicated to the other local site).
>
> Hope that makes sense.
>
> Chris.
>
>
> On 09/06/2019 23:00, Antonio Leding wrote:
>> AHHH - yes, thank you Paul - I did mean “cloud” based Postfix…
>>
>>
>>
>>> On Jun 9, 2019, at 2:53 PM, Pau Amma <[hidden email]> wrote:
>>>
>>> On Sun, June 9, 2019 9:29 pm, Ronald F. Guilmette wrote:
>>>> In message
>>>> <0100016b3e069855-f95cf3e2-9649-4a55-8290-24a9d44f80cc-000000@email.
>>>> amazonses.com>, Antonio Leding <[hidden email]> wrote:
>>>>
>>>>> Just curious any reason to not use use the could-based Postfix
>>>>> server + something like Dovecot and then have your clients access that
>>>>> directly?  I have this now for at least 20 domains and it works awesome.
>>>> Firstly, I have no idea what you mean by "could-based Postfix".  Was that
>>>> a typo?  What did you mean, actually?
>>> I'm guessing "could" is a typo (or perhaps autocorrection) for "cloud".
>>>

Reply | Threaded
Open this post in threaded view
|

Re: ODMR/ATRN ?

Wietse Venema
In reply to this post by Ronald F. Guilmette-2
Ronald F. Guilmette:
>
> I'd very much like to move my (Postfix) mail server, which currently resides
> on a (static IP) end-luser broadband line, to some VM in the cloud someplace,
> and then use something like fetchmail to poll that periodically to pull
> down all mail for my several domains and then have fetchmail re-inject
> all of those mail messages into the local Postfix.  The plan would be to
> get all this running and then give up my local static IP here, exchanging
> it for a dynamic one instead.  (This will save me a tiny bit of money on
> my monthy local ISP bill.)

What about setting up a tunnel between home (dynamic IP) and cloud
(static IP)? Could be a VPN, or SSH.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: ODMR/ATRN ?

Wietse Venema
Wietse Venema:

> Ronald F. Guilmette:
> >
> > I'd very much like to move my (Postfix) mail server, which currently resides
> > on a (static IP) end-luser broadband line, to some VM in the cloud someplace,
> > and then use something like fetchmail to poll that periodically to pull
> > down all mail for my several domains and then have fetchmail re-inject
> > all of those mail messages into the local Postfix.  The plan would be to
> > get all this running and then give up my local static IP here, exchanging
> > it for a dynamic one instead.  (This will save me a tiny bit of money on
> > my monthy local ISP bill.)
>
> What about setting up a tunnel between home (dynamic IP) and cloud
> (static IP)? Could be a VPN, or SSH.

Plus a transport_maps setting on the cloud side that routes mail
into the tunnel.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: ODMR/ATRN ?

cvandesande
In reply to this post by Antonio Leding
Ha be critical if you want, I don't mind at all :P

The main reason was reliability, as someone who's always
breaking/rebuilding but also hosts their own email, I needed the email
to spool somewhere in case I broke something for more than a few days.

The local PF boxes are behind home NAT connections with whichever
firewall I felt like trying out at the time. More secure? I don't know
maybe/hopefully?

Having the spam check done on the cloud for the same reasons. Every time
I broke the server running the spam filter, it was like opening the
flood gates :D

For flexibility there's another element I didn't bother to mention...

The same cloud VM runs haproxy which will loadbalance IMAPS connections
back to either of the 2 local Dovecot sites. So I always have access to
my email wherever I happen to find myself.

Chris.


On 09/06/2019 23:19, Antonio Leding wrote:

> Hi Chris,
>
> Not being critical but really just want to understand why you architected it the way you did…
>
> Are your local PF boxes behind a more secure border than your cloud based PF server?  I understand the SPAM part of the design — or I think I do :=) — it seems like you just feel more comfortable performing SPAM analysis in the cloud vs. inside your border…but curious in terms of other infosec…
>
> Also, did you implement pinholes on your local side so you can access mail from different locations or just opt to not have that flexibility?
>
>
>
>> On Jun 9, 2019, at 3:12 PM, [hidden email] wrote:
>>
>> Maybe something like I'm doing?
>>
>> I have 3 instances of postfix running (because I travel) but this can
>> work with 2.
>> 1 server in the cloud, 2 locally one home one office.
>>
>> The 2 local postfix instances only accept public email from the cloud
>> VM, but they accept local email (ipcam's, for example on the LAN).
>>
>> The MX record points to the cloud VM, should it pass the spam test then
>> the 'clean' email is relayed to 1 of the 2 local postfix servers.
>> The local servers then deliver to a local Dovecot, where I access my
>> email from a local private IP on the LAN.
>>
>> Think of the flow like this.
>>
>> public email > Cloud VM (postscreen/rspamd test passes) > local Postfix
>>> local Dovecot.
>> Whichever local Dovecot received the message with replicate to the other
>> site.
>>
>> I think of it this way, the email is coming from the public internet, so
>> scan it while it's out on the public internet.
>>
>> If it passes the test, then it's considered 'good enough' to be
>> delivered to one of the local servers.
>>
>> Internal email like ipcam's, server emails never leave the local LAN
>> (except to be replicated to the other local site).
>>
>> Hope that makes sense.
>>
>> Chris.
>>
>>
>> On 09/06/2019 23:00, Antonio Leding wrote:
>>> AHHH - yes, thank you Paul - I did mean “cloud” based Postfix…
>>>
>>>
>>>
>>>> On Jun 9, 2019, at 2:53 PM, Pau Amma <[hidden email]> wrote:
>>>>
>>>> On Sun, June 9, 2019 9:29 pm, Ronald F. Guilmette wrote:
>>>>> In message
>>>>> <0100016b3e069855-f95cf3e2-9649-4a55-8290-24a9d44f80cc-000000@email.
>>>>> amazonses.com>, Antonio Leding <[hidden email]> wrote:
>>>>>
>>>>>> Just curious any reason to not use use the could-based Postfix
>>>>>> server + something like Dovecot and then have your clients access that
>>>>>> directly?  I have this now for at least 20 domains and it works awesome.
>>>>> Firstly, I have no idea what you mean by "could-based Postfix".  Was that
>>>>> a typo?  What did you mean, actually?
>>>> I'm guessing "could" is a typo (or perhaps autocorrection) for "cloud".
>>>>
Reply | Threaded
Open this post in threaded view
|

Re: ODMR/ATRN ?

Antonio Leding
In reply to this post by Wietse Venema
Just thinking out loud here but because you would want to harden the cloud server in any case, I’m not sure what having a VPN gets you if also using IMAPS and SMTP + SSL between the cloud and the client.  I guess one could argue that if you forget to set the SSL on the client side, you’re still covered but not seeing any other benefit.  

Please clarify what I am missing if anything…



> On Jun 9, 2019, at 3:29 PM, Wietse Venema <[hidden email]> wrote:
>
> Wietse Venema:
>> Ronald F. Guilmette:
>>>
>>> I'd very much like to move my (Postfix) mail server, which currently resides
>>> on a (static IP) end-luser broadband line, to some VM in the cloud someplace,
>>> and then use something like fetchmail to poll that periodically to pull
>>> down all mail for my several domains and then have fetchmail re-inject
>>> all of those mail messages into the local Postfix.  The plan would be to
>>> get all this running and then give up my local static IP here, exchanging
>>> it for a dynamic one instead.  (This will save me a tiny bit of money on
>>> my monthy local ISP bill.)
>>
>> What about setting up a tunnel between home (dynamic IP) and cloud
>> (static IP)? Could be a VPN, or SSH.
>
> Plus a transport_maps setting on the cloud side that routes mail
> into the tunnel.
>
> Wietse

Reply | Threaded
Open this post in threaded view
|

Re: ODMR/ATRN ?

Antonio Leding
In reply to this post by cvandesande
Just practicing the Au-rule…treat other as…  :=)

I would definitely agree NAT buys some security via obscurity…cheap, fairly easy, and does help to a degree.  So with the haproxy, am I understanding correctly that it will spin up (or already has running) IMAP back to your local site for when you’re say, on the Int’l Space Station, and need to get email?

Kinda cool...





> On Jun 9, 2019, at 3:31 PM, [hidden email] wrote:
>
> Ha be critical if you want, I don't mind at all :P
>
> The main reason was reliability, as someone who's always
> breaking/rebuilding but also hosts their own email, I needed the email
> to spool somewhere in case I broke something for more than a few days.
>
> The local PF boxes are behind home NAT connections with whichever
> firewall I felt like trying out at the time. More secure? I don't know
> maybe/hopefully?
>
> Having the spam check done on the cloud for the same reasons. Every time
> I broke the server running the spam filter, it was like opening the
> flood gates :D
>
> For flexibility there's another element I didn't bother to mention...
>
> The same cloud VM runs haproxy which will loadbalance IMAPS connections
> back to either of the 2 local Dovecot sites. So I always have access to
> my email wherever I happen to find myself.
>
> Chris.
>
>
> On 09/06/2019 23:19, Antonio Leding wrote:
>> Hi Chris,
>>
>> Not being critical but really just want to understand why you architected it the way you did…
>>
>> Are your local PF boxes behind a more secure border than your cloud based PF server?  I understand the SPAM part of the design — or I think I do :=) — it seems like you just feel more comfortable performing SPAM analysis in the cloud vs. inside your border…but curious in terms of other infosec…
>>
>> Also, did you implement pinholes on your local side so you can access mail from different locations or just opt to not have that flexibility?
>>
>>
>>
>>> On Jun 9, 2019, at 3:12 PM, [hidden email] wrote:
>>>
>>> Maybe something like I'm doing?
>>>
>>> I have 3 instances of postfix running (because I travel) but this can
>>> work with 2.
>>> 1 server in the cloud, 2 locally one home one office.
>>>
>>> The 2 local postfix instances only accept public email from the cloud
>>> VM, but they accept local email (ipcam's, for example on the LAN).
>>>
>>> The MX record points to the cloud VM, should it pass the spam test then
>>> the 'clean' email is relayed to 1 of the 2 local postfix servers.
>>> The local servers then deliver to a local Dovecot, where I access my
>>> email from a local private IP on the LAN.
>>>
>>> Think of the flow like this.
>>>
>>> public email > Cloud VM (postscreen/rspamd test passes) > local Postfix
>>>> local Dovecot.
>>> Whichever local Dovecot received the message with replicate to the other
>>> site.
>>>
>>> I think of it this way, the email is coming from the public internet, so
>>> scan it while it's out on the public internet.
>>>
>>> If it passes the test, then it's considered 'good enough' to be
>>> delivered to one of the local servers.
>>>
>>> Internal email like ipcam's, server emails never leave the local LAN
>>> (except to be replicated to the other local site).
>>>
>>> Hope that makes sense.
>>>
>>> Chris.
>>>
>>>
>>> On 09/06/2019 23:00, Antonio Leding wrote:
>>>> AHHH - yes, thank you Paul - I did mean “cloud” based Postfix…
>>>>
>>>>
>>>>
>>>>> On Jun 9, 2019, at 2:53 PM, Pau Amma <[hidden email]> wrote:
>>>>>
>>>>> On Sun, June 9, 2019 9:29 pm, Ronald F. Guilmette wrote:
>>>>>> In message
>>>>>> <0100016b3e069855-f95cf3e2-9649-4a55-8290-24a9d44f80cc-000000@email.
>>>>>> amazonses.com>, Antonio Leding <[hidden email]> wrote:
>>>>>>
>>>>>>> Just curious any reason to not use use the could-based Postfix
>>>>>>> server + something like Dovecot and then have your clients access that
>>>>>>> directly?  I have this now for at least 20 domains and it works awesome.
>>>>>> Firstly, I have no idea what you mean by "could-based Postfix".  Was that
>>>>>> a typo?  What did you mean, actually?
>>>>> I'm guessing "could" is a typo (or perhaps autocorrection) for "cloud".
>>>>>

Reply | Threaded
Open this post in threaded view
|

Re: ODMR/ATRN ?

cvandesande
Yeah exactly,

The local instances also don't need to listen on the standard TCP ports,
since they are always only getting email from the cloud VM. So the
firewalls whitelist the cloud VM's IP and the email is coming in via
non-standard ports so I don't have a horde of botnets trying to deliver
garbage to my local Postfix/Dovecot sites. The cloud VM gets the
pleasure of dealing with that.

It's a little unusual but it's worked for me for a couple of years now. 
Private DNS points "mail.opendmz.com" to a local IP, and public DNS
points to the cloud where Haproxy is always listening and will proxy the
IMAP connection back to one of the local sites (again, non-standard
ports and whitelisted IP)

It's nowhere perfect but I don't know what is.


On 09/06/2019 23:38, Antonio Leding wrote:

> Just practicing the Au-rule…treat other as…  :=)
>
> I would definitely agree NAT buys some security via obscurity…cheap, fairly easy, and does help to a degree.  So with the haproxy, am I understanding correctly that it will spin up (or already has running) IMAP back to your local site for when you’re say, on the Int’l Space Station, and need to get email?
>
> Kinda cool...
>
>
>
>
>
>> On Jun 9, 2019, at 3:31 PM, [hidden email] wrote:
>>
>> Ha be critical if you want, I don't mind at all :P
>>
>> The main reason was reliability, as someone who's always
>> breaking/rebuilding but also hosts their own email, I needed the email
>> to spool somewhere in case I broke something for more than a few days.
>>
>> The local PF boxes are behind home NAT connections with whichever
>> firewall I felt like trying out at the time. More secure? I don't know
>> maybe/hopefully?
>>
>> Having the spam check done on the cloud for the same reasons. Every time
>> I broke the server running the spam filter, it was like opening the
>> flood gates :D
>>
>> For flexibility there's another element I didn't bother to mention...
>>
>> The same cloud VM runs haproxy which will loadbalance IMAPS connections
>> back to either of the 2 local Dovecot sites. So I always have access to
>> my email wherever I happen to find myself.
>>
>> Chris.
>>
>>
>> On 09/06/2019 23:19, Antonio Leding wrote:
>>> Hi Chris,
>>>
>>> Not being critical but really just want to understand why you architected it the way you did…
>>>
>>> Are your local PF boxes behind a more secure border than your cloud based PF server?  I understand the SPAM part of the design — or I think I do :=) — it seems like you just feel more comfortable performing SPAM analysis in the cloud vs. inside your border…but curious in terms of other infosec…
>>>
>>> Also, did you implement pinholes on your local side so you can access mail from different locations or just opt to not have that flexibility?
>>>
>>>
>>>
>>>> On Jun 9, 2019, at 3:12 PM, [hidden email] wrote:
>>>>
>>>> Maybe something like I'm doing?
>>>>
>>>> I have 3 instances of postfix running (because I travel) but this can
>>>> work with 2.
>>>> 1 server in the cloud, 2 locally one home one office.
>>>>
>>>> The 2 local postfix instances only accept public email from the cloud
>>>> VM, but they accept local email (ipcam's, for example on the LAN).
>>>>
>>>> The MX record points to the cloud VM, should it pass the spam test then
>>>> the 'clean' email is relayed to 1 of the 2 local postfix servers.
>>>> The local servers then deliver to a local Dovecot, where I access my
>>>> email from a local private IP on the LAN.
>>>>
>>>> Think of the flow like this.
>>>>
>>>> public email > Cloud VM (postscreen/rspamd test passes) > local Postfix
>>>>> local Dovecot.
>>>> Whichever local Dovecot received the message with replicate to the other
>>>> site.
>>>>
>>>> I think of it this way, the email is coming from the public internet, so
>>>> scan it while it's out on the public internet.
>>>>
>>>> If it passes the test, then it's considered 'good enough' to be
>>>> delivered to one of the local servers.
>>>>
>>>> Internal email like ipcam's, server emails never leave the local LAN
>>>> (except to be replicated to the other local site).
>>>>
>>>> Hope that makes sense.
>>>>
>>>> Chris.
>>>>
>>>>
>>>> On 09/06/2019 23:00, Antonio Leding wrote:
>>>>> AHHH - yes, thank you Paul - I did mean “cloud” based Postfix…
>>>>>
>>>>>
>>>>>
>>>>>> On Jun 9, 2019, at 2:53 PM, Pau Amma <[hidden email]> wrote:
>>>>>>
>>>>>> On Sun, June 9, 2019 9:29 pm, Ronald F. Guilmette wrote:
>>>>>>> In message
>>>>>>> <0100016b3e069855-f95cf3e2-9649-4a55-8290-24a9d44f80cc-000000@email.
>>>>>>> amazonses.com>, Antonio Leding <[hidden email]> wrote:
>>>>>>>
>>>>>>>> Just curious any reason to not use use the could-based Postfix
>>>>>>>> server + something like Dovecot and then have your clients access that
>>>>>>>> directly?  I have this now for at least 20 domains and it works awesome.
>>>>>>> Firstly, I have no idea what you mean by "could-based Postfix".  Was that
>>>>>>> a typo?  What did you mean, actually?
>>>>>> I'm guessing "could" is a typo (or perhaps autocorrection) for "cloud".
>>>>>>
Reply | Threaded
Open this post in threaded view
|

Re: ODMR/ATRN ?

Antonio Leding
Yeah - good stuff…I like it…

I checked out the haproxy site and am conjuring ways to put it to use…very cool...Thanks…


> On Jun 9, 2019, at 3:48 PM, [hidden email] wrote:
>
> Yeah exactly,
>
> The local instances also don't need to listen on the standard TCP ports,
> since they are always only getting email from the cloud VM. So the
> firewalls whitelist the cloud VM's IP and the email is coming in via
> non-standard ports so I don't have a horde of botnets trying to deliver
> garbage to my local Postfix/Dovecot sites. The cloud VM gets the
> pleasure of dealing with that.
>
> It's a little unusual but it's worked for me for a couple of years now.
> Private DNS points "mail.opendmz.com" to a local IP, and public DNS
> points to the cloud where Haproxy is always listening and will proxy the
> IMAP connection back to one of the local sites (again, non-standard
> ports and whitelisted IP)
>
> It's nowhere perfect but I don't know what is.
>
>
> On 09/06/2019 23:38, Antonio Leding wrote:
>> Just practicing the Au-rule…treat other as…  :=)
>>
>> I would definitely agree NAT buys some security via obscurity…cheap, fairly easy, and does help to a degree.  So with the haproxy, am I understanding correctly that it will spin up (or already has running) IMAP back to your local site for when you’re say, on the Int’l Space Station, and need to get email?
>>
>> Kinda cool...
>>
>>
>>
>>
>>
>>> On Jun 9, 2019, at 3:31 PM, [hidden email] wrote:
>>>
>>> Ha be critical if you want, I don't mind at all :P
>>>
>>> The main reason was reliability, as someone who's always
>>> breaking/rebuilding but also hosts their own email, I needed the email
>>> to spool somewhere in case I broke something for more than a few days.
>>>
>>> The local PF boxes are behind home NAT connections with whichever
>>> firewall I felt like trying out at the time. More secure? I don't know
>>> maybe/hopefully?
>>>
>>> Having the spam check done on the cloud for the same reasons. Every time
>>> I broke the server running the spam filter, it was like opening the
>>> flood gates :D
>>>
>>> For flexibility there's another element I didn't bother to mention...
>>>
>>> The same cloud VM runs haproxy which will loadbalance IMAPS connections
>>> back to either of the 2 local Dovecot sites. So I always have access to
>>> my email wherever I happen to find myself.
>>>
>>> Chris.
>>>
>>>
>>> On 09/06/2019 23:19, Antonio Leding wrote:
>>>> Hi Chris,
>>>>
>>>> Not being critical but really just want to understand why you architected it the way you did…
>>>>
>>>> Are your local PF boxes behind a more secure border than your cloud based PF server?  I understand the SPAM part of the design — or I think I do :=) — it seems like you just feel more comfortable performing SPAM analysis in the cloud vs. inside your border…but curious in terms of other infosec…
>>>>
>>>> Also, did you implement pinholes on your local side so you can access mail from different locations or just opt to not have that flexibility?
>>>>
>>>>
>>>>
>>>>> On Jun 9, 2019, at 3:12 PM, [hidden email] wrote:
>>>>>
>>>>> Maybe something like I'm doing?
>>>>>
>>>>> I have 3 instances of postfix running (because I travel) but this can
>>>>> work with 2.
>>>>> 1 server in the cloud, 2 locally one home one office.
>>>>>
>>>>> The 2 local postfix instances only accept public email from the cloud
>>>>> VM, but they accept local email (ipcam's, for example on the LAN).
>>>>>
>>>>> The MX record points to the cloud VM, should it pass the spam test then
>>>>> the 'clean' email is relayed to 1 of the 2 local postfix servers.
>>>>> The local servers then deliver to a local Dovecot, where I access my
>>>>> email from a local private IP on the LAN.
>>>>>
>>>>> Think of the flow like this.
>>>>>
>>>>> public email > Cloud VM (postscreen/rspamd test passes) > local Postfix
>>>>>> local Dovecot.
>>>>> Whichever local Dovecot received the message with replicate to the other
>>>>> site.
>>>>>
>>>>> I think of it this way, the email is coming from the public internet, so
>>>>> scan it while it's out on the public internet.
>>>>>
>>>>> If it passes the test, then it's considered 'good enough' to be
>>>>> delivered to one of the local servers.
>>>>>
>>>>> Internal email like ipcam's, server emails never leave the local LAN
>>>>> (except to be replicated to the other local site).
>>>>>
>>>>> Hope that makes sense.
>>>>>
>>>>> Chris.
>>>>>
>>>>>
>>>>> On 09/06/2019 23:00, Antonio Leding wrote:
>>>>>> AHHH - yes, thank you Paul - I did mean “cloud” based Postfix…
>>>>>>
>>>>>>
>>>>>>
>>>>>>> On Jun 9, 2019, at 2:53 PM, Pau Amma <[hidden email]> wrote:
>>>>>>>
>>>>>>> On Sun, June 9, 2019 9:29 pm, Ronald F. Guilmette wrote:
>>>>>>>> In message
>>>>>>>> <0100016b3e069855-f95cf3e2-9649-4a55-8290-24a9d44f80cc-000000@email.
>>>>>>>> amazonses.com>, Antonio Leding <[hidden email]> wrote:
>>>>>>>>
>>>>>>>>> Just curious any reason to not use use the could-based Postfix
>>>>>>>>> server + something like Dovecot and then have your clients access that
>>>>>>>>> directly?  I have this now for at least 20 domains and it works awesome.
>>>>>>>> Firstly, I have no idea what you mean by "could-based Postfix".  Was that
>>>>>>>> a typo?  What did you mean, actually?
>>>>>>> I'm guessing "could" is a typo (or perhaps autocorrection) for "cloud".
>>>>>>>

Reply | Threaded
Open this post in threaded view
|

Re: ODMR/ATRN ?

Wietse Venema
In reply to this post by Antonio Leding
Antonio Leding:
> Just thinking out loud here but because you would want to harden
> the cloud server in any case, I?m not sure what having a VPN gets
> you if also using IMAPS and SMTP + SSL between the cloud and the
> client.  I guess one could argue that if you forget to set the SSL
> on the client side, you?re still covered but not seeing any other
> benefit.
>
> Please clarify what I am missing if anything?

I understand that Ron wants to run Postfix on a static IP addres
in the cloud, but he does not want to store his email there, so
that rules out IMAP.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: ODMR/ATRN ?

Ronald F. Guilmette-2
In reply to this post by Antonio Leding

In message <0100016b3e41b455-b95a3601-7822-4541-823a-6230f277bf1b-000000@email.
amazonses.com>, Antonio Leding <[hidden email]>wrote:

>Security:
>
>With some VMs, you will have complete root-level rights on
>the server and can do what you wish in terms of server security.

Yes.  Quite.  And believe me, I would -never- waste time on or trust in
even the smallest way any VM that I DID NOT have root on.

I already do have one VM "slice", and yes, I do have root on that.

Traditionally, through the past 30+ years, and until quite recently, I've
never placed -any- trust in any machine that I did not have immediate
phsysical proximity to.  And even now, I still view remote cloud servers
with great skepticism, security-wise.  The revelations, over that past
year or so, of the multiple entire *waves* of x86 CPU security flaws...
many of which still remain to be patched... have only underscored and
reinforced my original skepticism.  Having root on a VM is hardly
insurance against anything, and wasn't, even before anyone even knew
about all of these CPU bugs.  How the hell do I know who has access
to my storage volumes if they are in a data center a thousand miles
away from me, being tended by people who I have never even met?

So I approach remote VMs very very cautiously, and unlike various
corporations that have jumped headlong onto the cloud bandwagon with
both feet, I personally put as little of my data as possible on such
things. And even then, you won't catch me putting anything on there that
would cause me real problems if the data were exposed to the entire
planet.

Call me paranoid.  Call me a luddite.  But I sleep soundly at night.

>I understand - and share - your concerns re: cloud-based mail security
>but those issues are manageable if proper infosec is implemented.

I disagree, and I believe that I even have evidence to the contrary.

Anybody working in that same data center, or who has either direct or
remote admin access to the whole thing can image your entire drive
anytime they want.... and perhaps without you even knowing that it
happened.  We all hope that hosting company personnel won't go around
doing this, willy nilly, or in lieu of a court order, but there are no
guarrantees.

Even though I may disagree with you about the security of cloud VMs, I'm
still very glad that you spoke up anyway, because you've made me think
a bit more about the problem I'm trying to solve, and I've just realized
that there may perhaps be a whole different way to skin this cat.

The bottom line is that really, I just want a (another) remote VM *only*
(or primarily) for its static IP address... a static IP that's needed,
generally although not necessarily absolutely, in order to run a mail
server.

Sooooooo... maybe what I really should be trying to figure out is how
I can run a -single- instance of Postfix, down here on my (soon to be
dynamic) end-luser broadband line, and just set up a VM at some fixed
IP address that will be running some sort of a VPN or something that
will just be, in effect, transparently proxying all of the inbound port
25 traffic to my (soon to be dynamic) DSL line.

Will this work?  Is anybody doing this already?  If so, how do I set it
all up?


Regards,
rfg
Reply | Threaded
Open this post in threaded view
|

Re: ODMR/ATRN ?

Ronald F. Guilmette-2
In reply to this post by cvandesande

In message <[hidden email]>,
[hidden email] wrote:

>Maybe something like I'm doing?
>
>I have 3 instances of postfix running (because I travel) but this can
>work with 2.
>1 server in the cloud, 2 locally one home one office.
>
>The 2 local postfix instances only accept public email from the cloud
>VM, but they accept local email (ipcam's, for example on the LAN).
>
>The MX record points to the cloud VM, should it pass the spam test then
>the 'clean' email is relayed to 1 of the 2 local postfix servers.

Yes, yes, and yes.  This definitely sounds a lot like what I want to
do.  I've just never set up Postfix as a relay before, so I haven't
even been thinking in those terms, because I don't even know how to do
this... yet.

Thanks for the suggestion.  I have a lot of reading to do.


Regards,
rfg
123