ODMR/ATRN ?


Re: ODMR/ATRN ?

Antonio Leding
Couple things - last one first…

The static —> dynamic mapping…I would dig into what Wietse said earlier…VPN.  If you merely want to have a static IP just act as basically a front-end for your local dynamic setup, then that’s the ticket…

As to the local errant cloud-tech imaging your HDD, totally agreed…but again, manageable via on-disk encryption…

Regardless, I understand your concern\fears re: putting that much faith in a location\hardware\people you cannot directly touch\manage\talk-to…makes total sense but as I’m sure you’d agree, we all have our varying levels of comfort and thresholds…




> On Jun 9, 2019, at 3:58 PM, Ronald F. Guilmette <[hidden email]> wrote:
>
>
> In message <0100016b3e41b455-b95a3601-7822-4541-823a-6230f277bf1b-000000@email.
> amazonses.com>, Antonio Leding <[hidden email]>wrote:
>
>> Security:
>>
>> With some VMs, you will have complete root-level rights on
>> the server and can do what you wish in terms of server security.
>
> Yes.  Quite.  And believe me, I would -never- waste time on or trust in
> even the smallest way any VM that I DID NOT have root on.
>
> I already do have one VM "slice", and yes, I do have root on that.
>
> Traditionally, through the past 30+ years, and until quite recently, I've
> never placed -any- trust in any machine that I did not have immediate
> physical proximity to.  And even now, I still view remote cloud servers
> with great skepticism, security-wise.  The revelations, over that past
> year or so, of the multiple entire *waves* of x86 CPU security flaws...
> many of which still remain to be patched... have only underscored and
> reinforced my original skepticism.  Having root on a VM is hardly
> insurance against anything, and wasn't, even before anyone even knew
> about all of these CPU bugs.  How the hell do I know who has access
> to my storage volumes if they are in a data center a thousand miles
> away from me, being tended by people who I have never even met?
>
> So I approach remote VMs very very cautiously, and unlike various
> corporations that have jumped headlong onto the cloud bandwagon with
> both feet, I personally put as little of my data as possible on such
> things. And even then, you won't catch me putting anything on there that
> would cause me real problems if the data were exposed to the entire
> planet.
>
> Call me paranoid.  Call me a luddite.  But I sleep soundly at night.
>
>> I understand - and share - your concerns re: cloud-based mail security
>> but those issues are manageable if proper infosec is implemented.
>
> I disagree, and I believe that I even have evidence to the contrary.
>
> Anybody working in that same data center, or who has either direct or
> remote admin access to the whole thing can image your entire drive
> anytime they want.... and perhaps without you even knowing that it
> happened.  We all hope that hosting company personnel won't go around
> doing this, willy nilly, or in lieu of a court order, but there are no
> guarantees.
>
> Even though I may disagree with you about the security of cloud VMs, I'm
> still very glad that you spoke up anyway, because you've made me think
> a bit more about the problem I'm trying to solve, and I've just realized
> that there may perhaps be a whole different way to skin this cat.
>
> The bottom line is that really, I just want a (another) remote VM *only*
> (or primarily) for its static IP address... a static IP that's needed,
> generally although not necessarily absolutely, in order to run a mail
> server.
>
> Sooooooo... maybe what I really should be trying to figure out is how
> I can run a -single- instance of Postfix, down here on my (soon to be
> dynamic) end-luser broadband line, and just set up a VM at some fixed
> IP address that will be running some sort of a VPN or something that
> will just be, in effect, transparently proxying all of the inbound port
> 25 traffic to my (soon to be dynamic) DSL line.
>
> Will this work?  Is anybody doing this already?  If so, how do I set it
> all up?
>
>
> Regards,
> rfg


Re: ODMR/ATRN ?

Wietse Venema
In reply to this post by Wietse Venema
Wietse Venema:

> Wietse Venema:
> > Ronald F. Guilmette:
> > >
> > > I'd very much like to move my (Postfix) mail server, which currently resides
> > > on a (static IP) end-luser broadband line, to some VM in the cloud someplace,
> > > and then use something like fetchmail to poll that periodically to pull
> > > down all mail for my several domains and then have fetchmail re-inject
> > > all of those mail messages into the local Postfix.  The plan would be to
> > > get all this running and then give up my local static IP here, exchanging
> > > it for a dynamic one instead.  (This will save me a tiny bit of money on
> > > my monthly local ISP bill.)
> >
> > What about setting up a tunnel between home (dynamic IP) and cloud
> > (static IP)? Could be a VPN, or SSH.
>
> Plus a transport_maps setting on the cloud side that routes mail
> into the tunnel.

See also http://www.postfix.org/STANDARD_CONFIGURATION_README.html,
specifically the sections that describe a) a mail firewall and b)
a primary MX for a remote site.

        Wietse

Re: ODMR/ATRN ?

cvandesande
In reply to this post by Ronald F. Guilmette-2
Have a look at Postfix "transport maps". I think Wietse already suggested
it and it's what I'm using.

It's just a one liner config file.

This is mine:

$ cat /etc/postfix/transport_maps
# Mail to anyone at opendmz.com is sent via SMTP to haproxy
opendmz.com smtp:haproxy:10025

The haproxy is an unnecessary layer of complication I added, but it
could just as easily be your home IP.
I'm using dynamic DNS in case my home IP changes, but it hasn't changed
in over 3 years now!

for example:

opendmz.com smtp:my-home-ip.dyndns.org:25


On 10/06/2019 00:02, Ronald F. Guilmette wrote:
> Yes, yes, and yes.  This definitely sounds a lot like what I want to
> do.  I've just never set up Postfix as a relay before, so I haven't
> even been thinking in those terms, because I don't even know how to do
> this... yet.
>
> Thanks for the suggestion.  I have a lot of reading to do.

Re: ODMR/ATRN ?

Ronald F. Guilmette-2
In reply to this post by Wietse Venema

In message <[hidden email]>,
Wietse Venema <[hidden email]> wrote:

>> and then use something like fetchmail to poll that periodically to pull
>> down all mail for my several domains and then have fetchmail re-inject
>> all of those mail messages into the local Postfix.  The plan would be to
>> get all this running and then give up my local static IP here, exchanging
>> it for a dynamic one instead.  (This will save me a tiny bit of money on
>> my monthy local ISP bill.)
>
>What about setting up a tunnel between home (dynamic IP) and cloud
>(static IP)? Could be a VPN, or SSH.

In a word, yea.  That exact light just came on over my little noggin.

If I can figure out how to make that work, I think that will be THE
solution.

I just need to find some tool... some something... that will *transparently*
proxy all of the inbound port 25 traffic that  comes in to the cloud VM
server machine to some other IP address... some other IP address that
will in fact be dynamic and changing, over time. (And yes, I understand
that dynamic DNS is likely to be helpful here.)

So, what tool should I use to do this transparent TCP proxying?

I guess that I need to go a googling.


Regards,
rfg



Re: ODMR/ATRN ?

Antonio Leding
I think you want this tool that Chris mentioned earlier…

http://www.haproxy.org

On Jun 9, 2019, at 4:13 PM, Ronald F. Guilmette <[hidden email]> wrote:


I just need to find some tool... some something... that will *transparently*
proxy all of the inbound port 25 traffic that  comes in to the cloud VM
server machine to some other IP address... some other IP address that
will in fact be dynamic and changing, over time. (And yes, I understand
that dynamic DNS is likely to be helpful here.)

So, what tool should I use to do this transparent TCP proxying?

I guess that I need to go a googling.


Regards,
rfg




Re: ODMR/ATRN ?

Ronald F. Guilmette-2
In reply to this post by Wietse Venema

In message <[hidden email]>,
Wietse Venema <[hidden email]> wrote:

>> What about setting up a tunnel between home (dynamic IP) and cloud
>> (static IP)? Could be a VPN, or SSH.
>
>Plus a transport_maps setting on the cloud side that routes mail
>into the tunnel.

Wait.... WHAT???

Just when I thought I had it all figured out, you go and confuse the
livin' bejesus outta me.

The idea is that there is going to be only *one* instance of Postfix,
and it will be -actually- running down on my machine at home.  And
the cloud VM will just be transparently proxying TCP/25 back and forth
to/from that, so that it will look to the outside world AS IF my (one)
local Postfix instance here is actually running up on that cloud server.

That was what I *thought* that idea was anyway.

If so, then there simply will be *no* separate instance of Postfix running
"on the cloud side", either independently configurable or otherwise.  (So
your comment above makes no obvious sense.)


Regards,
rfg

Re: ODMR/ATRN ?

Kevin A. McGrail
In reply to this post by Ronald F. Guilmette-2
On 6/9/2019 6:18 PM, Ronald F. Guilmette wrote:
> Thank you, but I need to be frank.

I thought you were Ronald?  :-)

> I believe that I understand fully how to handle my outbound email traffic,
> i.e. treating my (soon to be) cloud VM running Postfix as a "smarthost"
> for outbound.  That part is the easy part, and also the simple part.
>
> The harder part is handing the inbound email traffic for my several domains.
>
> I *think* that I *may* perhaps understand your suggestion with regards to
> that, but I'll have to think about it awhile longer before I can be sure.
>
> I wish that I had an example to look at, or some slightly-more-detailed
> write-up to refer to that would show me how to configure this exact approach
> with Postfix.
>
> But if worse comes to worse, I can probably puzzle it all out, starting from
> just what you said, above.
>
> One part that I'm sure that I -do not- understand is why you suggested an
> alternative port number.  Can you explain?

Almost every residential ISP will block ports like 25 and 80 so you
can't run servers on the connections.  You have a static IP and usually
that means they don't block ports.  When you switch away from that
solution, I expect you will see that change.

So you have a domain, tristatelogic.com.

- You get a VM on AWS w/CentOS. 
- You put an Elastic IP on it so it is static. 
- You create a security group that allows 25 and 22 from /0 inbound to
the box
- You create an A record called mail.tristatelogic.com pointed to the IP
- You open a ticket with AWS for the reverse pointer for the box and to
remove smtp throttling
- You configure mail.tristatelogic.com to accept relay mail for the domain
tristatelogic.com.
- Setup SMTP Auth so that someone has to authenticate to send email outbound
- Setup a transport to deliver mail for tristatelogic.com to
local.tristatelogic.com on port 2525

At your home:

- Setup your postfix server so it works like you want called something
like local.tristatelogic.com
- Configure/Purchase a Dynamic DNS service so that something like
ronald.dyndns.something is a CNAME for local.tristatelogic.com so that
your mail works when your ISP changes your IP
- On the firewall at your house, port forward an alternate port such as
2525 to 25 on the postfix server on a static internal IP behind your
firewall
- Setup postfix on local.tristatelogic.com to smarthost with SMTP auth
through mail.tristatelogic.com

Also recommend on both local and mail boxes, you install Let's Encrypt
certs so you can require TLS for all the mail going between
mail.tristatelogic.com and local.tristatelogic.com.  You'll also get
opportunistic TLS for places that support it.

This will let you have inbound and outbound mail working from a server
on a residential grade connection.

As a homework exercise for the reader will be picking better names for
the boxes.  I suggest Disney characters, firefly | star (trek|wars)
canon or dilbert characters.  ratbert and dilbert would get at least a
B+ from me.

Regards,

KAM
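The two-box procedure above, written out in Postfix's own configuration syntax. This is an added example, not KAM's or anybody else's config from this thread. The host names mail.tristatelogic.com and local.tristatelogic.com, the domain, and port 2525 are taken from the post above; the cloud VM's address 203.0.113.10, the LAN range 192.168.1.0/24, the certificate and CA bundle paths, the SASL user name, and the existence of an SMTP AUTH backend on the cloud box are assumptions. One deliberate difference from the post: here local.tristatelogic.com is the CNAME and the DDNS name is its target, so the cloud side follows the current dynamic address at every delivery attempt.

```conf
# ===== cloud VM: mail.tristatelogic.com (static IP, the public MX) =====
# /etc/postfix/main.cf, only the settings this design needs.
# Note: Postfix main.cf has no inline comments, so every remark is on its own line.
myhostname     = mail.tristatelogic.com
# Nothing for tristatelogic.com is delivered on this box; the domain is a relay
# domain and transport_maps says where it goes.
mydestination  = $myhostname, localhost
relay_domains  = tristatelogic.com
transport_maps = hash:/etc/postfix/transport
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# Queueing while the home line is down. These are the Postfix defaults, written out:
# scan the deferred queue every 5 min, back off from 5 min up to ~67 min between
# retries, and give up (bounce to the sender) after 5 days.
queue_run_delay        = 300s
minimal_backoff_time   = 300s
maximal_backoff_time   = 4000s
maximal_queue_lifetime = 5d
# Opportunistic TLS for now; a per-destination policy map can later pin the home hop.
smtp_tls_security_level = may

# /etc/postfix/transport, then: postmap /etc/postfix/transport && postfix reload
# Brackets skip the MX lookup and use the name's A record directly; :2525 is the
# alternate port the home router forwards to port 25 on the internal Postfix box.
tristatelogic.com   smtp:[local.tristatelogic.com]:2525

# /etc/postfix/master.cf: authenticated submission for the home box and for mail clients.
# Assumes smtpd_sasl_type/smtpd_sasl_path are already set for Dovecot or Cyrus SASL.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# ===== home box: local.tristatelogic.com (behind NAT, dynamic IP) =====
# DNS assumption: local.tristatelogic.com is a CNAME to the router's DDNS name, so
# every delivery attempt from the cloud follows the current dynamic address.
# /etc/postfix/main.cf
myhostname    = local.tristatelogic.com
mydestination = tristatelogic.com, $myhostname, localhost
# LAN only (assumed range). The cloud VM is deliberately NOT in mynetworks: it may
# deliver mail FOR our domain (reject_unauth_destination allows that) but cannot
# relay outward through this box.
mynetworks    = 127.0.0.0/8, 192.168.1.0/24
# Only the LAN and the cloud relay may talk to this smtpd at all. The router's port
# forward does not rewrite the source address, so the VM's public IP is what these see.
smtpd_client_restrictions = permit_mynetworks, check_client_access cidr:/etc/postfix/cloud_relay, reject
smtpd_relay_restrictions  = permit_mynetworks, reject_unauth_destination
# Present a certificate so the cloud side can verify or pin it (paths assumed).
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/local.tristatelogic.com/fullchain.pem
smtpd_tls_key_file  = /etc/letsencrypt/live/local.tristatelogic.com/privkey.pem
# Outbound: everything goes to the cloud VM on 587 with SMTP AUTH over verified TLS.
# "secure" checks the relay's certificate chain and matches it against the relayhost
# name (brackets and port stripped); the CA bundle path is the Debian one (assumed).
relayhost = [mail.tristatelogic.com]:587
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_sasl_auth_enable   = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# PLAIN/LOGIN are allowed only inside TLS; the default "noplaintext, noanonymous"
# still governs any cleartext session, so the password never crosses the wire in clear.
smtp_sasl_tls_security_options = noanonymous

# /etc/postfix/cloud_relay (a cidr: table, read directly, no postmap needed).
# 203.0.113.10 stands for the VM's static/elastic IP (assumed value).
203.0.113.10/32   OK

# /etc/postfix/sasl_passwd, then: postmap /etc/postfix/sasl_passwd; chmod 600 sasl_passwd*
# The password is a placeholder.
[mail.tristatelogic.com]:587   ronald:CHANGE-ME

# If the router cannot translate 2525 -> 25, let the home Postfix listen on 2525 itself
# by adding this line to its master.cf (and forward 2525 -> 2525 on the router instead):
# 2525      inet  n       -       n       -       -       smtpd
```

Two notes on the transport entry. Without the brackets, smtp:local.tristatelogic.com:2525 is also legal syntax (the colon count in the question later in the thread is fine), but Postfix then looks up MX records for the name first and only falls back to the A record; the bracketed form goes straight to the address. The DDNS name is re-resolved through the system resolver on every delivery attempt, so after an address change mail is delayed by at most the record's TTL plus one retry interval. Wietse's tunnel variant fits the same table: if the home box keeps an authenticated reverse tunnel open to the VM (for example ssh -N -R 127.0.0.1:2525:127.0.0.1:25 kept alive by autossh), the entry becomes smtp:[127.0.0.1]:2525, no DDNS and no inbound port on the residential line are needed, and the question of who holds the old dynamic address does not arise, because only the holder of the SSH key can terminate the tunnel.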


Re: ODMR/ATRN ?

cvandesande
In reply to this post by Ronald F. Guilmette-2
You can of course do this, and it will work.

The only reason to run a separate Postfix would be in case your home
server becomes unavailable, then the cloud VM will spool (hang onto)
your message(s) until your home server becomes available again, and as
soon as it's back it will deliver the messages it held.

On 10/06/2019 00:21, Ronald F. Guilmette wrote:
> If so, then there simply will be *no* separate instance of Postfix running
> "on the cloud side", either independently configurable or otherwise.  (So
> your comment above makes no obvious sense.)

Re: ODMR/ATRN ?

Ronald F. Guilmette-2
In reply to this post by Wietse Venema

In message <[hidden email]>,
Wietse wrote:

>> Please clarify what I am missing if anything?
>
>I understand that Ron wants to run Postfix on a static IP address
>in the cloud, but he does not want to store his email there, so
>that rules out IMAP.

Yes. Exactly.

The more I think about this (transparent TCP/25 proxying) idea, the more
I think it ought to work.  I just have to find the Right proxy software.

Somebody mentioned haproxy and I'm looking at that now.  It might do the
job.

The problem will be convincing it to dynamically -change- the one and only
-other- IP address that it is proxying traffic to/from based on dynamic
changes to some (dynamic) DNS FQDN.  If it can be coerced into doing that
then I think this will work.

So anyway, that will be a total solution for the inbound side.  My outbound
mail will have to be handled entirely separately.  For that, I'll have to
use someone else's smarthost, or else roll my own, which is easy enough
to do, I think.

If I get this all working, I'll have to do some modest write-up on it.
I already have a title!

    How To Run An SMTP Server on a Dynamic Line AND Get Away With It

:-)


Regards,
rfg

Re: ODMR/ATRN ?

Antonio Leding
Chris is the one who mentioned it (haproxy) and FWIW, based on the requirements you’ve stated in this thread, Chris’s setup seems to be almost exactly what you want to do.

In case it got overlooked, I include the key EM here:



### BEGIN ###

I have 3 instances of postfix running (because I travel) but this can
work with 2.
1 server in the cloud, 2 locally one home one office.

The 2 local postfix instances only accept public email from the cloud
VM, but they accept local email (ipcam's, for example on the LAN).

The MX record points to the cloud VM, should it pass the spam test then
the 'clean' email is relayed to 1 of the 2 local postfix servers.
The local servers then deliver to a local Dovecot, where I access my
email from a local private IP on the LAN.

Think of the flow like this.

public email > Cloud VM (postscreen/rspamd test passes) > local Postfix
> local Dovecot.

Whichever local Dovecot received the message will replicate to the other
site.

I think of it this way, the email is coming from the public internet, so
scan it while it's out on the public internet.

If it passes the test, then it's considered 'good enough' to be
delivered to one of the local servers.

Internal email like ipcam's, server emails never leave the local LAN
(except to be replicated to the other local site).

Hope that makes sense.

Chris.

### END ###



> On Jun 9, 2019, at 4:46 PM, Ronald F. Guilmette <[hidden email]> wrote:
> The more I think about this (transparent TCP/25 proxying) idea, the more
> I think it ought to work.  I just have to find the Right proxy software.
>
> Somebody mentioned haproxy and I'm looking at that now.  It might do the
> job.


Re: ODMR/ATRN ?

Ronald F. Guilmette-2
In reply to this post by cvandesande

In message <[hidden email]>,
[hidden email] wrote:

>$ cat /etc/postfix/transport_maps
># Mail to anyone at opendmz.com is sent via SMTP to haproxy
>opendmz.com smtp:haproxy:10025
>
>The haproxy is an unnecessary layer of complication I added, but it
>could just as easily be your home IP.
>I'm using dynamic DNS in case my home IP changes, but it hasn't changed
>in over 3 years now!
>
>for example:
>
>opendmz.com smtp:my-home-ip.dyndns.org:25

Wow!  My head is spinning!

I confess that I didn't "get it" at all when Wietse mentioned
transport maps, but I *think* I am just starting to get it now.

So, basically, I can do what I want to do without even introducing
the extra layer of complexity of -any- separate TCP proxy, yes?

Assuming so, this is getting easier and easier by the minute!

If all I really need to do is to put my own personalized version of
the one-liner you posted (above) into /etc/postfix/transport_maps,
then all I can say is "Thank you Postfix!!  Thank you Wietse!!"

I can't wait to try this.  I'm off now to do just that.  It'll take
me awhile.  I have to buy a fresh new VM, install an OS and Postfix
on it, set up dynamic DNS for my home machine, read up on how to get my
SOHO router to do this fancy-schmancy port forwarding thing (for SMTP
traffic), configure and/or reconfigure two sets of Postfix .cf files,
and then reboot everything in sight and run some tests.

Wish me luck.


Regards,
rfg

Re: ODMR/ATRN ?

Antonio Leding
Good luck…you’ll get it figured...  :=)


> On Jun 9, 2019, at 5:03 PM, Ronald F. Guilmette <[hidden email]> wrote:
> I can't wait to try this.  I'm off now to do just that.  It'll take
> me awhile.  I have to buy a fresh new VM, install an OS and Postfix
> on it, set up dynamic DNS for my home machine, read up on how get my
> SOHO router to do this fancy-schamncy port forwarding thing (for SMTP
> traffic), configure and/or reconfigure two sets of Postfix .cf files,
> and then reboot everything in sight and run some tests.
>
> Wish me luck.
>
>
> Regards,
> rfg


Re: ODMR/ATRN ?

Ronald F. Guilmette-2
In reply to this post by Kevin A. McGrail

In message <[hidden email]>,
"Kevin A. McGrail" <[hidden email]> wrote:

>On 6/9/2019 6:18 PM, Ronald F. Guilmette wrote:
>> One part that I'm sure that I -do not- understand is why you suggested an
>> alternative port number.  Can you explain?
>
>Almost every residential ISP will block ports like 25 and 80 so you
>can't run servers on the connections...

I'm not too sure about that.

*Outbound* port 25, yes.  Lots of providers of end-luser lines do block
that, as they most certainly should... with some exceptions.

But for my outbound mail, that's not an issue.  I plan to have my mail
client just give stuff (on 587) directly to -somebody's- smarthost...
either my own or somebody else's.

With regards to *inbound* traffic with IP dest set to 25 or 80... I don't
think that most providers give a rat's ass about that... except maybe
Comcast, who may indeed block it, just as a way of extorting even more
money out of their victims for "upgrades" to "business class" service.
But I don't think my provider is one of the ones that plays those games.

I guess I'll find out, soon enough.

Re: ODMR/ATRN ?

cvandesande
Don't forget, since you're essentially sending the email from one of your servers to another, you can use any port you want on your home side... inbound 25 blocked? No prob, use 10025 in your transport_map or any unblocked port you want.



On June 10, 2019 12:14:39 AM UTC, "Ronald F. Guilmette" <[hidden email]> wrote:


With regards to *inbound* traffic with IP dest set to 25 or 80... I don't
think that most providers give a rat's ass about that... except maybe
Comcast, who may indeed block it, just as a way of extorting even more
money out of their victims for "upgrades" to "business class" service.
But I don't think my provider is one of the ones that plays those games.

I guess I'll find out, soon enough.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: ODMR/ATRN ?

Ronald F. Guilmette-2
In reply to this post by cvandesande

In message <[hidden email]>,
[hidden email] wrote:

>You can of course do this, and it will work.
>
>The only reason to run a separate Postfix would be in case your home
>server becomes unavailable, then the cloud VM will spool (hang onto)
>your message(s) until your home server becomes available again, and as
>soon as it's back it will deliver the messages it held.
>
>On 10/06/2019 00:21, Ronald F. Guilmette wrote:
>> If so, then there simply will be *no* separate instance of Postfix running
>> "on the cloud side", either independently configurable or otherwise.  (So
>> your comment above makes no obvious sense.)


Ok, so just to be sure I am clear about all of this...

If I try to do this trivially simple transport maps solution (I mean instead
of having a whole separate TCP proxy) then in that case the Postfix instance
that will be running up on my cloud VM -will- spool incoming mail, and will
just hold on to it, as necessary, until whatever should be responding to
smtp:my-dynamic-fqdn starts answering its SMTP port again, yes?


Regards,
rfg

Re: ODMR/ATRN ?

cvandesande
Yes absolutely correct.

If your server at home is online then it will pass through your cloud VM in mere seconds.  If your home server is offline then it will continue trying to deliver at intervals... which you can also configure.
As soon as it successfully delivers the message it will be purged from the spool.

> that case the Postfix
>instance
>that will be running up on my cloud VM -will- spool incoming mail, and
>will
>just hold on to it, as necessary, until whatever should be responding
>to
>smtp:my-dynamic-fqdn starts answering its SMTP port again, yes?
>
>
>Regards,
>rfg

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: ODMR/ATRN ?

Ronald F. Guilmette-2
In reply to this post by cvandesande

In message <[hidden email]>,
Christopher van de Sande <[hidden email]> wrote:

>Don't forget since you're essentially sending the email from one of your
>servers to another you can use any port you want on your home side inbound
>25 blocked? No prob use 10025 on your transport_map or any unblocked
>port you want

OK.  Good tip.  I may need to use that.  Thank you.

And just so I'm clear... the syntax for the spec that I would be putting
into transport_maps in that case would look something like this then?

    smtp:home-dynamic-fqdn:2525

Or is that too many colons?


Re: ODMR/ATRN ?

cvandesande
Syntax looks good to me.

On June 10, 2019 12:33:01 AM UTC, "Ronald F. Guilmette" <[hidden email]> wrote:


And just so I'm clear... the syntax for the spec that I would be putting
into transport_maps in that case would look something like this then?

smtp:home-dynamic-fqdn:2525

Or is that too many colons?


--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: ODMR/ATRN ?

Ronald F. Guilmette-2
In reply to this post by cvandesande

In message <[hidden email]>,
Christopher van de Sande <[hidden email]> wrote:

>Yes absolutely correct
>
>If your server at home is online then it will pass through your cloud VM in
>mere seconds.  If your home server is offline then it will continue trying
>to deliver at intervals... which you can also configure.

Perfect.  Just perfect.

Thank you Postfix!  Thank you Wietse!  Thank you everybody!  This is
going to be simpler than I had anticipated, I think.  (Knock on wood.)

I do have just a couple of small lingering concerns... things that just
now occurred to me.  These relate to dynamic DNS, which I've never actually
used before myself, but which I nonetheless have a sort of vague conceptual
understanding of.

As I understand it, you get yourself your own private FQDN, which is
assigned to you by whatever dynamic DNS provider you choose.  And then,
each time your machine gets itself a fresh new DHCP lease, it needs to
send that address, in some manner, to the DDNS provider which will then
update the relevant A record based on your new dynamic IP.  Is that a
fair summary?

Assuming so, I have two questions about this...

Well, make that one question.  (I just answered my own first question,
which was "Yeabut, what if my whole local network is actually behind my
ASUS SOHO WiFi router and what if it is my router itself that is, in
the first instance, getting the DHCP lease?"  Apparently, some ASUS
router models, including mine, fortunately, have an in-built DDNS client,
and that in-built DDNS client can, allegedly, work with both ASUS's own
free DDNS service and also, allegedly, with the one provided by noip.com...
and possibly also others for all I know.  So, no problem here!  This will
work.)

So, here is my only other question:

Assuming the setup, as discussed here so far, where I'll have a Postfix
instance running on a cloud VM, and where that Postfix instance will have
an appropriate set of entries in transport_maps to cause that Postfix
instance to try to send all mail it has received for my domains on to:

    smtp:my-dynamic-fqdn

What happens in this scenario when and if there is a power failure that
takes down my whole network, including my router?

Let's say that the dynamic IP that I *was* using, just before the
power fail, was a.b.c.d.  The question is:  While I am wandering around
with my flashlight in the dark, what if some other customer of my ISP
happens to request a DHCP lease and also happens to get a.b.c.d ... which
is possible, because after all, *I* am not using that specific IP address
anymore, so it will have been returned to the DHCP free pool.

In this scenario, could that other party who got a.b.c.d, dynamically,
turn on a mail server and begin sucking down *my* emails from *my* cloud
VM Postfix instance?

I guess that another way of asking this might be:  Does DDNS have any sort
of "keep alive" signal that, if it goes dark suddenly, will result in
revocation of the relevant DDNS name-to-address mapping?

I know.  I know.  I should probably be asking about these DDNS details
someplace else.  And I probably shall.  But since all you folks here
already know exactly what I'm trying to do, and why, and how, it's just
easier to start here.

If what I have described is in fact a plausible and serious potential
security issue, then I guess that rather than using plain old SMTP to
move messages from my VM Postfix to my home Postfix, maybe I should
instead be looking for some alternative transport protocol that verifies
that the receiving node is actually one that *I* own and control... yes?

Does any such thing exist?


Regards,
rfg

Re: ODMR/ATRN ?

Tom Hendrikx
On 10-06-19 03:37, Ronald F. Guilmette wrote:

> If what I have described is in fact a plausible and serious potential
> security issue, then I guess that rather than using plain old SMTP to
> move messages from my VM Postfix to my home Postfix, maybe I should
> instead be looking for some alternative transport protocol that verifies
> that the receiving node is actually one that *I* own and control... yes?
You can add TLS verification to your postfix client in the cloud. The
client will only deliver to a server when it presents a specific SSL
certificate to the client during the handshake. See
http://www.postfix.org/TLS_README.html#client_tls_policy
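Tom's client-side TLS policy, spelled out for the cloud box as an added example (this is my configuration, not Tom's or the list's). The weak setting is shown first, then the pinned one, for the scenario asked about above: the DDNS name still points at a dynamic address that a stranger now holds. Host name and port are the thread's, and the transport entry is assumed to be smtp:[local.tristatelogic.com]:2525; the fingerprint value is a placeholder and the certificate path in the openssl command is assumed.

```conf
# Cloud VM, /etc/postfix/main.cf. BEFORE: encrypted but unverified. "may" negotiates
# STARTTLS with whatever answers at the address the DDNS name currently resolves to,
# so a stranger who inherits that dynamic IP and runs any TLS-capable SMTP server is
# still handed the whole queue, complete with an "encrypted" line in the log.
smtp_tls_security_level = may

# AFTER: keep "may" as the default for the rest of the Internet, but pin the home hop.
# The default digest became sha256 only in Postfix 3.6 (md5 before), so set it
# explicitly. Loglevel 1 logs "Verified TLS connection" vs "Untrusted TLS connection"
# for every delivery, which is the line to grep for when testing this.
smtp_tls_security_level     = may
smtp_tls_policy_maps        = hash:/etc/postfix/tls_policy
smtp_tls_fingerprint_digest = sha256
smtp_tls_loglevel           = 1

# /etc/postfix/tls_policy, then: postmap /etc/postfix/tls_policy && postfix reload
# The lookup key is the transport next-hop exactly as written, brackets and port
# included. The digest is the home server's certificate fingerprint; the value below
# is a placeholder, the real one is printed by (certificate path assumed):
#   openssl x509 -in /etc/letsencrypt/live/local.tristatelogic.com/cert.pem -noout -fingerprint -sha256
# A self-signed certificate works just as well here: the pin, not a CA, establishes
# identity, and no DNS lookup of any kind is involved in checking it.
[local.tristatelogic.com]:2525   fingerprint match=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF

# Alternative for a CA-issued (e.g. Let's Encrypt) certificate on the home box: verify
# the chain with smtp_tls_CAfile and require the name to match. This is weaker for
# exactly the recycled-IP case: a CA doing HTTP-01 domain validation issues to whoever
# controls the address the name resolves to at validation time, which is the same stale
# mapping the question is about. Prefer the fingerprint form for this hop.
# [local.tristatelogic.com]:2525   secure match=local.tristatelogic.com
```

When the pin does not match, whether because a stranger answers at the recycled address or because the home certificate was renewed and never re-pinned, the Postfix smtp client logs the connection as untrusted and defers the delivery instead of bouncing it, so the mail waits in the cloud queue until the real home server is back or maximal_queue_lifetime runs out. That fail-closed behaviour is the point, but it couples certificate rotation on the home box to an edit of tls_policy, a postmap and a reload; during a rotation, add the new digest as a second match= attribute on the same line and drop the old one afterwards. The fingerprint level also accepts a public-key fingerprint, which survives re-issuance as long as the key is reused.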


