how to setup a privacy oriented mailserver

how to setup a privacy oriented mailserver

Wesley Peng-9
Hi community,

I finally got a domain from registrar, if I want to run a privacy
oriented mail server, what steps should I take?

For example, setup SSL over all, SPF, DKIM, DMARC, DNSSec, DoH,
encrypted storage, app special password, secondary authentication?

Is there any guide for it?

Thanks in advance.

regards.

Re: how to setup a privacy oriented mailserver

lists@lazygranch.com
At a minimum, I would set it up to use port 587. Then block via firewall all the email ports other than port 25 for all countries from which you will not be using the server.

Keep the attack surface small. For example don't provide for web based email.

Re: how to setup a privacy oriented mailserver

Wesley Peng-9
Hi

on 2019/11/26 10:22, lists wrote:
> At a minimum, I would set it up to use port 587. Then block via firewall all the email ports other than port 25 for all countries from which you will not be using the server.
>
> Keep the attack surface small. For example don't provide for web based email.


Sorry I didn't talk about security. I pay attention to privacy, such as
these ones, but run by myself.

https://restoreprivacy.com/secure-email/

Regards.

Re: how to setup a privacy oriented mailserver

lists@lazygranch.com
Security is privacy.

Re: how to setup a privacy oriented mailserver

Bill Cole-3
On 25 Nov 2019, at 22:53, lists wrote:

> Security is privacy.

More precisely: Security includes privacy. Privacy is an essential *PART
OF* security.

The remit requested by the OP is really too broad to answer on a public
mailing list intended for discussion of a specific MTA (even though
Postfix would be a likely component...) because it could have very
different answers depending on the specific needs of a site and issues
like scale, threat model, risk tolerances, and available resources.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)

Re: how to setup a privacy oriented mailserver

André Rodier
Hello, Bill.

I had the same concern a few years ago.

I have been self-hosting for more than a decade, and more recently, I
built this:

https://github.com/progmaticltd/homebox

This is oriented towards security and privacy, and includes defence
mechanisms against remote and physical intrusion.

- All daemons are protected by AppArmor.
- The main drive is fully encrypted using LUKS, unlocked with a Yubikey
locally or remotely using SSH.
- Implementation of the latest standards, like DNSSEC, SSHFP, MTA-STS,
etc.
- Encrypted remote or local backups with borg, with jabber alerts.
- Everything comes from Debian repositories.
- Some bonus features, like Jabber, RoundCube, Zabbix, SOGo, gogs,
transmission, etc.

One feature you may find particularly useful is a monthly report with
all the accesses, by country, ISP, hours:

https://homebox.readthedocs.io/en/dev/access-reports/


Real time alerts and/or blocking if you connect from a blacklisted IP
and various parameters.

Everything is tested using continuous integration with a Jenkins
server.

It is on Debian Stretch for now, but we will provide a buster version
next year.

I am currently working on a way to provide a static IP address if you do
not have one...

Enjoy!

Kind regards,
André



Re: how to setup a privacy oriented mailserver

Wesley Peng-9
That looks interesting. Do you provide a hosting plan, Andre?

regards


Re: how to setup a privacy oriented mailserver

André Rodier
Hello, Wesley.

The safest way is to have your own hardware, albeit there are some
other options.

Perhaps we can have a quick talk in the evening.

My phone number: on Signal: +447511244961

Kind regards,
André




Re: how to setup a privacy oriented mailserver

Matus UHLAR - fantomas
In reply to this post by lists@lazygranch.com
On 25.11.19 18:22, lists wrote:
>At a minimum, I would set it up to use port 587.

I would set up port 465 also. Note that TLS on 465 is implicit, while on 587 it is
explicit, so it's easier to allow unencrypted connections by mistake on
587.

>Then block via firewall all the email ports other than port 25 for all
> countries from which you will not be using the server.

You apparently mean, from countries clients won't be able to receive mail
from.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
M$ Win's are shit, do not use it !

Re: how to setup a privacy oriented mailserver

lists@lazygranch.com
In reply to this post by Bill Cole-3
To make a long story short, in the past I used a hosting service. The email server was totally pwned by a RoundCube exploit from a hacker in a country I never occupied. Hence my advice to keep the server secure and reduce the attack surface.

Do hackers actually use their home ISPs? Yes if the country is basically lawless. You can't firewall your way to safety, but you can make these criminals do a little work.

I also maintain a file of server IP space. Some CIDRs are from the obvious big players. The rest are from hackers trying to mess with my web server. These CIDRs also can't access any email port other than 25.

The password guessers get anvil. I considered a fail2ban, but my passwords will not be guessed since they are randomly generated and high entropy. When I read the logs, most of the hackers are on Spectrum ISP, which is funny since Spectrum bans my VPS.

SPF, DKIM, and DMARC just make you look less spammy. You should set them up. This link will verify the settings.

https://dkimvalidator.com/

Re: how to setup a privacy oriented mailserver

Wesley Peng-9
In reply to this post by Matus UHLAR - fantomas


on 2019/11/26 17:02, Matus UHLAR - fantomas wrote:
> I would set up port 465 also. Note that TLS on 465 is implicit, while on
> 587 it is
> explicit, so it's easier to allow unencrypted connections by mistake on
> 587.

587 is also used for StartTLS, am I right?

regards.

Re: how to setup a privacy oriented mailserver

Arjan
In reply to this post by lists@lazygranch.com
My 1 cent, privacy-wise (assuming you're hosting on a VPS and not at
home)

Remove headers and your home IP with postfix:

master.cf:

under the existing submission service, add an override so that authenticated
submissions go through a dedicated cleanup service (inbound port 25 mail is
left untouched):

-o cleanup_service_name=auth-cleanup

# dedicated cleanup service with its own header_checks table
auth-cleanup    unix    n       -       n       -       0 cleanup
         -o syslog_name=postfix/auth-cleanup
         -o header_checks=pcre:/etc/postfix/auth_header_checks.pcre


# cat /etc/postfix/auth_header_checks.pcre
# Rewrite the Received: header that Postfix adds for the submitting client so
# that the client's hostname and address become localhost. The negative
# lookahead skips mail addressed to your own domain; replace YOURDOMAIN.COM
# with your domain. Postfix pcre tables let "." match newlines by default, so
# the pattern spans a folded multi-line header.
/^\s*(Received: from)[^\n]*(.*for <.*@(?!YOURDOMAIN\.COM).*)/ REPLACE $1 [127.0.0.1] (localhost [127.0.0.1])$2
# Drop client-identifying headers
#/^\s*Mime-Version: 1.0.*/ REPLACE Mime-Version: 1.0
/^\s*User-Agent/ IGNORE
/^\s*X-Enigmail/ IGNORE
/^\s*X-Mailer/ IGNORE
/^\s*X-Originating-IP/ IGNORE
# HOLD would park every message that carries a Mime-Version: header in the
# hold queue until released with postsuper; disabled here
#/^\s*Mime-Version:*/ HOLD


This makes it look like all mail is sent from the email server itself
and hides your client. I can't remember where I got the above from but I
found it somewhere, possibly even from this list.


My other cent for security

I am also in the position to firewall off my machine to everything but
my home IP and just to be a dick, all login attempts on client ports
from any other IPs get routed to a honey pot.

To use things on the road I can VPN to my home and then get at my email.

Login attempts on port 25 still get nailed by fail2ban and I think I
just disabled the ability to log in at all on 25 but it's been a while
since I set this up.

If you wanted to be an even bigger jerk you could probably get fail2ban
to reroute bans to the honeypot instead of just blocking. It is kinda
entertaining to watch someone get a successful login on the honeypot
followed by a new account authorization request getting bounced from
some webshop a few minutes later.

Like someone else said, reducing the attack surface is the first line of
defense. Don't use default URLs for any web stuff and try to restrict
on an IP basis as much as you can.

I considered looking into the ancient art of port knocking but a VPN to
a fixed IP was just easier.
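As an added example (not Arjan's code and not from the thread), here is a small Python simulation of that header_checks table applied to a constructed header block, following Postfix's matching rules for pcre tables: first matching rule wins per logical header, matching is case-insensitive, and "." crosses the newlines of a folded header. example.org stands in for YOURDOMAIN.COM, and the hostnames, addresses and message id are made up. It also shows what the HOLD line does if left active, and that the negative lookahead leaves the Received: header of mail addressed to your own domain unchanged:

```python
import re

# The posted table as (pattern, action, replacement) tuples; "example.org"
# stands in for YOURDOMAIN.COM (constructed value). Postfix pcre tables match
# case-insensitively and let "." cross newlines by default, which is what lets
# the first pattern walk across a folded (multi-line) Received: header.
HEADER_CHECKS = [
    (r"^\s*(Received: from)[^\n]*(.*for <.*@(?!example\.org).*)",
     "REPLACE", r"\1 [127.0.0.1] (localhost [127.0.0.1])\2"),
    (r"^\s*User-Agent", "IGNORE", None),
    (r"^\s*X-Enigmail", "IGNORE", None),
    (r"^\s*X-Mailer", "IGNORE", None),
    (r"^\s*X-Originating-IP", "IGNORE", None),
]

# The HOLD line from the posted table, kept separate so its effect can be shown.
HOLD_MIME = (r"^\s*Mime-Version:*", "HOLD", None)

# Constructed headers of a message submitted from a home connection (not real data).
SUBMITTED_HEADERS = (
    "Received: from laptop.home (cpe-198-51-100-7.isp.example [198.51.100.7])\n"
    "\tby mail.example.org (Postfix) with ESMTPSA id 4ABC123\n"
    "\tfor <friend@example.net>; Tue, 26 Nov 2019 10:23:09 +0100 (CET)\n"
    "From: alice@example.org\n"
    "To: friend@example.net\n"
    "Subject: hello\n"
    "User-Agent: Mozilla/5.0 Thunderbird/68.2.2\n"
    "X-Mailer: SomeClient 1.0\n"
    "X-Originating-IP: [198.51.100.7]\n"
    "Mime-Version: 1.0\n"
    "Content-Type: text/plain"
)


def split_headers(raw):
    """Group folded continuation lines (leading whitespace) with their header,
    the way Postfix presents one logical header to header_checks."""
    headers = []
    for line in raw.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers


def apply_header_checks(raw, table=HEADER_CHECKS):
    """Apply the first matching rule to every logical header.
    Returns (rewritten_header_block, held); held is True if a HOLD rule fired,
    i.e. the message would sit in the hold queue instead of being delivered."""
    kept, held = [], False
    for header in split_headers(raw):
        for pattern, action, replacement in table:
            match = re.search(pattern, header, re.I | re.S)
            if not match:
                continue
            if action == "REPLACE":
                # REPLACE swaps the whole header for the expanded text ($1/$2 -> \1/\2)
                kept.append(match.expand(replacement))
            elif action == "HOLD":
                held = True
                kept.append(header)
            # IGNORE: the header is dropped
            break
        else:
            kept.append(header)
    return "\n".join(kept), held


def leaks_client(headers, client_ip="198.51.100.7"):
    """True if the submitting client's address still appears in the headers."""
    return client_ip in headers


if __name__ == "__main__":
    rewritten, held = apply_header_checks(SUBMITTED_HEADERS)
    print(rewritten)
    print("client IP leaked:", leaks_client(rewritten), "| held:", held)
```

Running it prints the rewritten block: the Received: line now names localhost, the X-* and User-Agent headers are gone, and nothing is held. Swapping the recipient for one at example.org makes the lookahead fail, so that Received: header, client address included, is kept; decide whether you want that exemption for internal mail. Appending HOLD_MIME to the table reproduces the posted HOLD line and holds the message, which is why that line is best left commented out.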


Re: how to setup a privacy oriented mailserver

Jaroslaw Rafa
On 26.11.2019 at 10:23:09 Conz writes:
>
> This makes it look like all mail is sent from the email server
> itself and hides your client. I can't remember where I got the above
> from but I found it somewhere, possibly even from this list.

Isn't it simpler to just use a server-based email client like mutt over an
ssh connection? :)
(however, this reveals your user ID on the server in default configuration,
like in this message - I guess it is possible to remove that header too, but
I never cared)
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: how to setup a privacy oriented mailserver

Bernardo Reino
In reply to this post by Wesley Peng-9

On Tue, 26 Nov 2019, Wesley Peng wrote:

> on 2019/11/26 17:02, Matus UHLAR - fantomas wrote:
>> I would set up port 465 also. Note that TLS on 465 is implicit, while on
>> 587 it is
>> explicit, so it's easier to allow unencrypted connections by mistake on
>> 587.
>
> 587 is also used for StartTLS, am I right?

Yup, that's what Matus meant with "explicit". Connection starts in clear
text and is then (explicitly :) "upgraded" to TLS.

Re: how to setup a privacy oriented mailserver

Matus UHLAR - fantomas
>>on 2019/11/26 17:02, Matus UHLAR - fantomas wrote:
>>>I would set up port 465 also. Note that TLS on 465 is implicit,
>>>while on 587 it is
>>>explicit, so it's easier to allow unencrypted connections by mistake on
>>>587.

>On Tue, 26 Nov 2019, Wesley Peng wrote:
>>587 is also used for StartTLS, am I right?

On 26.11.19 11:50, Bernardo Reino wrote:
>Yup, that's what Matus meant with "explicit". Connection starts in
>clear text and is then (explicitly :) "upgraded" to TLS.

...and there's no "starttls" on 465; that's what I meant by "implicit".

While port 465 was assigned for SMTPS in January 2018, it has been used this
way on many sites/services for years (even decades).

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901

Re: how to setup a privacy oriented mailserver

Wesley Peng-9
Hi

on 2019/11/26 19:27, Matus UHLAR - fantomas wrote:
> ...and there's no "starttls" on 465; that's what I meant by "implicit".
>
> While port 465 was assigned for SMTPS in January 2018, it has been used this
> way on many sites/services for years (even decades).

How does the traffic between the big ones' MTAs get through?
For example, does gmail send messages to web.de via port 465 by SSL, or just
plain port 25?

regards.

Re: how to setup a privacy oriented mailserver

Jaroslaw Rafa
On 26.11.2019 at 20:50:51 Wesley Peng writes:
>
> How does the traffic between the big ones' MTAs get through?
> For example, does gmail send messages to web.de via port 465 by SSL, or
> just plain port 25?

Sending mail out of an MTA is always on port 25. STARTTLS is used if
possible.
Ports 465/587 are only for local mail submission, i.e. from client to MTA.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: how to setup a privacy oriented mailserver

Wesley Peng-9
Hi

on 2019/11/26 20:53, Jaroslaw Rafa wrote:
> Sending mail out of an MTA is always on port 25. STARTTLS is used if
> possible.

If using plain port 25, the messages are not secure enough for traffic.
From what I know there is a technology called traffic hijacking.

Regards.

Re: how to setup a privacy oriented mailserver

Matus UHLAR - fantomas
In reply to this post by Wesley Peng-9
>on 2019/11/26 19:27, Matus UHLAR - fantomas wrote:
>>...and there's no "starttls" on 465; that's what I meant by "implicit".
>>
>>While port 465 was assigned for SMTPS in January 2018, it has been used this
>>way on many sites/services for years (even decades).

On 26.11.19 20:50, Wesley Peng wrote:
>How the traffic between big one's MTAs get through?

Port 25, as always/before.

>For example, gmail send messages to web.de via port 465 by SSL,

This was the original intent of port 465, but it was deprecated 20 years ago
and never used. Port 465 has been used for SMTP with implicit SSL since.



--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.

Re: how to setup a privacy oriented mailserver

Bill Cole-3
In reply to this post by Wesley Peng-9
On 26 Nov 2019, at 7:56, Wesley Peng wrote:

> Hi
>
> on 2019/11/26 20:53, Jaroslaw Rafa wrote:
>> Sending mail out of an MTA is always on port 25. STARTTLS is used if
>> possible.
>
> If using plain port 25, the messages are not secure enough for
> traffic.

A rationally configured mail server in 2019 supporting both initial
submission and inbound transport (i.e. "MX" duty) will provide:

Port 25 with optional STARTTLS and no authentication support, for
inbound mail.
Port 465 with implicit TLS and mandatory authentication, for initial
mail submission.
Port 587 with both STARTTLS and authentication mandatory, for initial
mail submission. (Optional)

The 2 submission ports both provide the variant of SMTP defined in
RFC6409. Users should be encouraged to use 465 preferentially to 587,
for the reasons explained in RFC8314.

Historically, there was a proposal 20+ years ago that port 465 should be
used for standard SMTP transport with implicit SSL (SMTPS, analogous to
HTTPS) but it was dropped without definition in any RFC and without any
workable model for how sending SMTP servers would know which port to use
for a particular domain. However, multiple MTAs and MUAs implemented
SMTPS without a formal specification. For most of the years since, port
465 use was discouraged, in large part because there was no formal
specification and some prominent implementations were simplistic SSL/TLS
wrappers of the server's port 25 service, unfit for submission service.
As a result, we are left with the misnomer "SMTPS" for port 465 traffic
and a universe of MUAs and users conditioned for years to use port 587,
who we now are telling to use port 465.

It should all get cleaned up properly just in time for the end of the
world (or at least the 32-bit Unix epoch...) in 2038

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
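To make Matus's caveat about 587 and Bill's three-port layout concrete, here is an added example (my own code, not from the thread and not from the Postfix project): a Python check that parses a master.cf fragment and reports where it departs from that layout. Both fragments are constructed; the service names smtp, smtps and submission follow the stock master.cf (an assumption, your file may name them differently), and the check only sees -o overrides in master.cf, so a setting inherited from main.cf counts as missing:

```python
import re

# Constructed master.cf fragments (not from the thread or any real host).
# Service names follow the stock Postfix master.cf: smtp = port 25,
# smtps = port 465, submission = port 587.
WEAK_MASTER_CF = """\
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
"""

HARDENED_MASTER_CF = """\
smtp       inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=may
smtps      inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

# One "-o name=value" override; values with whitespace (the {...} quoting of
# newer Postfix releases) are not handled by this simplified parser.
OPT = re.compile(r"-o\s+([A-Za-z0-9_]+)=(\S*)")


def parse_master_cf(text):
    """Return {service: {"type": str, "options": {name: value}}}; continuation
    lines (leading whitespace) carry the -o overrides of the preceding service."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if current is not None:
                services[current]["options"].update(OPT.findall(line))
            continue
        fields = line.split()
        current = fields[0]
        services[current] = {"type": fields[1], "options": dict(OPT.findall(line))}
    return services


def audit_master_cf(text):
    """Compare the three listeners with the layout described in the thread:
    25 = optional STARTTLS and no AUTH, 465 = implicit TLS plus mandatory AUTH,
    587 = mandatory STARTTLS plus mandatory AUTH. Returns a list of findings."""
    services = parse_master_cf(text)
    findings = []

    def opt(svc, name):
        return services.get(svc, {}).get("options", {}).get(name, "")

    # Port 25 (MX duty) must not turn into a submission port by accident.
    if opt("smtp", "smtpd_sasl_auth_enable") == "yes":
        findings.append("smtp: SASL AUTH offered on port 25; keep AUTH on 465/587 only")
    if opt("smtp", "smtpd_tls_security_level") == "encrypt":
        findings.append("smtp: mandatory TLS on port 25 rejects peers without STARTTLS; use 'may'")

    # Port 465: implicit TLS (wrapper mode), authenticated clients only.
    if "smtps" not in services:
        findings.append("smtps: no implicit-TLS submission service on 465 (RFC 8314 prefers it)")
    else:
        if opt("smtps", "smtpd_tls_wrappermode") != "yes":
            findings.append("smtps: smtpd_tls_wrappermode=yes missing; 465 would speak plain SMTP")
        if opt("smtps", "smtpd_sasl_auth_enable") != "yes":
            findings.append("smtps: smtpd_sasl_auth_enable=yes missing")
        if not opt("smtps", "smtpd_client_restrictions").endswith("permit_sasl_authenticated,reject"):
            findings.append("smtps: unauthenticated clients are not rejected")

    # Port 587: STARTTLS must be mandatory, or credentials can travel in clear text.
    if "submission" in services:
        if opt("submission", "smtpd_tls_security_level") != "encrypt":
            findings.append("submission: smtpd_tls_security_level is not 'encrypt'; plaintext AUTH possible on 587")
        if opt("submission", "smtpd_sasl_auth_enable") != "yes":
            findings.append("submission: smtpd_sasl_auth_enable=yes missing")
        if not opt("submission", "smtpd_client_restrictions").endswith("permit_sasl_authenticated,reject"):
            findings.append("submission: unauthenticated clients are not rejected")
    return findings


if __name__ == "__main__":
    for label, cf in (("weak", WEAK_MASTER_CF), ("hardened", HARDENED_MASTER_CF)):
        print(label, audit_master_cf(cf) or ["no findings"])
```

The weak fragment is the mistake Matus describes: smtpd_tls_security_level=may on 587 means a client that never issues STARTTLS can still authenticate, so its password crosses the wire in clear text; it also lacks a 465 listener entirely. The hardened fragment reports nothing. To run the check against a live host, feed it the output of `postconf -Mf`, which prints master.cf entries in the same one-override-per-line form.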