Sending and Receiving emails...
-
johnpoz (LAYER 8, Global Moderator), Jul 21, 2020, 10:00 AM, last edited by johnpoz Jul 21, 2020, 10:10 AM
@raviktiwari said in Sending and Receiving emails...:
have been fine until now but if I have a client who decides to keep his password: “password” then one day a scammer will get into my server and do what they actually want to do.
Welcome to trying to run services to the public internet..
What's the old saying ;) "If you want to run with the big dogs you have to learn to piss in the tall weeds"
I and my customers (friends & family)
Sorry but never in a million years would I host something like an email server for friends and family..
Yup, it's going to be a nightmare.. Do yourself a favor and just get a domain, if you want a friends and family one and host it on gmail or something...
I host plex, and let friends and family in.. At least there plex handles the auth, and worst case - some random user would be able to watch my movies ;) And I would notice because I get alerts every time a user uses a different IP... And would shut that down quick if not from where my family or friends are from..
And I also limit the IPs to being in the US only..
email server is a huge target - because they want to send spam for free.. Have fun getting off a blacklist if a spammer does get in and send a bunch of spam.
My advice would be don't do such a thing unless you're up to all the pitfalls that come with doing it.. Sorry there is no magic to stopping that sort of problem once you open services to the public.
-
@johnpoz providing a technical solution and running a business (with cost and earning in mind) are 2 different things.
You always challenge me technically, so let me ask you a simple business question: Do you have any idea how much hosted email id would cost me? Be it Google or Microsoft.
I need at least 7 emails on at least 10 domains, so that is 70 emails - minimum. So what do you think is going to be my annual cost/expense?
Many Thanks,
Rav
-
johnpoz (LAYER 8, Global Moderator), Jul 21, 2020, 10:17 AM, last edited by johnpoz Jul 21, 2020, 10:22 AM
Almost nothing.. Domains are what 10$ a year.. I have quite a few domains myself.
Something like zoho email only is $1 a month per user.. Gsuite is like $6 a month per user, but each user has full access to all of gsuite..
zoho alternative to gsuite is like $3 a month per user
-
So even if I take $1 per month service, it will cost me $70 per month equating to $840 per year.
Do you see the difference? From $0 to £840.
The core reason why I got into hosting and running my own web and mail server was to learn what "big dogs" do... it cannot be a rocket science and even if it is, I would like to learn that rocket science and once I have learnt it enough and/or start making enough money, I don't mind migrating on google or Zoho... but until then if I just pay for 3rd party then that means, "It's too difficult, so I don't care" and this would also mean that I can rather throw my server, throw my pfsense, cancel my commercial ISP contract - just sit and let someone do my job - so where is the fun and learning in this?
Thx: Rav
-
@raviktiwari said in Sending and Receiving emails...:
Do you see the difference? From $0 to £840.
It's not 0$ that is for sure - how much is your time and effort worth? Let them get their own freaking email and pay for it or using free like gmail.
How much does your line cost, how much does it cost to power the server.. How much does it cost to back up all their email. How much does it cost for your system to be blacklisted if they send something that gets you on a black list..
Sorry there is no magic button you can press that says bad guys will not bomb the shit out of your email server trying to use it to send spam once you place it on the internet.. There just isn't..
You dealing with all of that sure as hell is not $0 a year.. Only reason I let friends and family use my plex, is it's my hobby.. And would be running it myself anyway - the second it becomes a problem or takes any of my time that is dealing with a "user" created problem would be the second I shut it down for them to use.
-
@johnpoz fair enough... but for the time being, I don't want to calculate my time as the cost of running the service - this is a fake economy in my opinion... that is why all western countries are struggling to keep up with the eastern part of the world.
The world needs to stop throwing in all the cost in the name of operational cost... like the cost of the meeting, cost of coffee, cost of air-conditioning and anything else that you can see or think of. If I want, I can start including the cost of this chat that I am having with you, along with your time, your internet cost, netgate platform cost, cost of my monitor, mouse, keyboard and whatnot.
Anyways, bringing the topic back to the core issue: I get your point and I partially agree with you that I should not host email ids for friends and family... let's assume I am happy to do that and going forward I will not host email ids for friends and family... this probably also means to say no to my paying customers (which is not good).
But assuming that is the way I am going, what do I do about my own email ids? Don't tell me that even I should host it on Google and Microsoft... because if that is the case, then as I said, I can sell off everything and pay $1000 per yr to Microsoft when the main purpose of all this was to do the technical bit myself and earn some money as MS and Google do.
And as I said they are not using any rocket science so I am sure even I can do whatever heck they are doing... yes it will take time and effort... and I am completely free doing nothing except dealing with and fixing this issue for let's say next 1-3 months. :-)
Thx: Rav
-
@raviktiwari said in Sending and Receiving emails...:
As soon as I open the ports, scammers get excited and they start hitting my server and because the port is opened pfSense ...
That's totally normal. If you have to serve port Xx, you'll be needing a server type application that you should (totally) trust, it should be set up to 'listen' to that port, and that port should be reachable by the public that could have to use that port Xx. This actually means that anybody on planet earth can connect to 'your' server.
(People tend to use firewalls on server type devices to lock down non-served ports. Think about this for a minute or so.
If you're laughing right now, then ok, perfect. You got it. A firewall on a server is ... quite useless - There is no reason to 'close' non-served ports, because they are black holes by nature.
This reasoning is valid if the admin admins his server. That is: that he controls what executes, and when, on his server - and how it is executed. When he loses control, well, the first thing that would fall is the firewall - so start with not using a firewall on a server => one thing less to 'admin' ;) and one thing less to mess up.)
Like Apache2, nginx will be listening to port 80 and or 443. postfix will be listening to 25 TCP and probably also 465 TCP and 587 TCP (now phasing out)
postfix will show / produce huge logs daily ****, filled up with connection attempts from 'other' devices on the Internet connecting to your IP:port to try to 'dump' their rubbish. That's normal, and you should consider it as simple background noise.
Important to know: postfix, as the world's most used mail server, is pretty darn good to take care of the real mails 'for you' and discarding the rest.
But: postfix is as good as the admin maintaining it. The setup of a postfix server is ..... huge.
And, IMHO, it's totally impossible to encapsulate the settings with some sort of GUI like VirtualMin or others. You have to master - with your head - the master.cf and main.cf files. This is my opinion of course, as I needed a multi domain, multi IPv4, multi IPv6 with added IMAP/POP mailbox support. It should work with Outlook Express (back then) - all Thunderbird versions, up to the latest "Office 365".
For me, it all started here (I guess): http://www.postfix.org/SMTPD_ACCESS_README.html
This is gold: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt is still actual as of today !!
A firewall can't help you here "with some rules". *** What really helps to get out the 'door knockers' is a tool like fail2ban.
It parses the postfix logs, searches for known - non accepted by postfix - incoming connections, and if they repeat themselves, or come back too often, the firewall gets loaded with a block rule for that IP.
See it here in action.
fail2ban also parses ssh logs, web server logs, teamspeak logs, etc, and acts if it finds something suspect.
*** most traffic, even mail traffic, is SSL encoded, so a firewall hasn't even access to the payload, it would see the source IP, and that's it.
**** you'll meet up with logrotate for log file management.
edit : sorry for losing the subject.
edit 2 : I'm not running postfix on or after pfSense postfix of course (@work). ISP lines are mostly big mega f*ck to host mail servers, as they are listed as such.
It's a typical VPS usage, or what I use: a pair of https://www.ovh.com/ca/en/dedicated-servers/ which includes all the IPs needed, and, hopefully I never need it: a huge DOSS protection - on a naked (no GUI) Debian 9/10 install.
When you start to run postfix yourself, bind (named) will follow as a master DNS server for your domains, and a web server will follow. Some Squirrel (old ... I know)/Roundcube instances, a MariaDB (ex. MySQL) for housekeeping etc etc.
Btw: the "rocket science" used by the big ones has nothing to do with what I / you do. They will not tell how they do it for - logical - security issues. But English/German/Belgian/French/Spanish biggest ISP did this: they took a copy of postfix, as it is 'free ware' (somewhat), and adapted it so it scales up on a pure madness level.
They were using qmail back then .... they all paid the price. And no, no 'Exchange' for them.
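
Added example (not part of any post in this thread, and not fail2ban's own code or filters): the parse-count-block logic described in the last post, written in Python and run over constructed postfix/smtpd log lines. The regex patterns, the function names and the `year` parameter are assumptions; `maxretry` and `findtime` borrow the names of fail2ban's jail options.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the usual postfix/smtpd syslog layout (documentation IPs).
SAMPLE_LOG = """\
Jul 21 10:00:01 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jul 21 10:00:09 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jul 21 10:00:15 mail postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 <a@example.net>: Relay access denied; from=<x@example.org> to=<a@example.net> proto=ESMTP helo=<foo>
Jul 21 10:00:30 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Jul 21 10:01:02 mail postfix/smtpd[2110]: connect from mail.example.com[192.0.2.10]
Jul 21 10:45:00 mail postfix/smtpd[2111]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 <b@example.net>: Relay access denied; from=<x@example.org> to=<b@example.net> proto=ESMTP helo=<foo>
"""

TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) ")
# Assumed patterns for two kinds of refused attempts; not fail2ban's filters.
FAIL_PATTERNS = [
    re.compile(r"warning: \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: SASL \S+ authentication failed"),
    re.compile(r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: 5\d\d "),
]

def failed_ip(line):
    """Return the client IP if the line records a refused attempt, else None."""
    for pattern in FAIL_PATTERNS:
        match = pattern.search(line)
        if match:
            return match.group("ip")
    return None

def find_offenders(log_text, maxretry=3, findtime=600, year=2020):
    """Map each IP with >= maxretry failures inside findtime seconds to the
    time the threshold was reached. Syslog lines carry no year, so it is passed in."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)          # ip -> timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        stamp = TIMESTAMP.match(line)
        ip = failed_ip(line)
        if not stamp or ip is None or ip in offenders:
            continue
        when = datetime.strptime(f"{year} {stamp.group('ts')}", "%Y %b %d %H:%M:%S")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:   # drop failures older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            offenders[ip] = when         # the point where a block rule would be loaded
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{when.isoformat()} would block {ip}")
```

With the defaults only the address with three failures inside ten minutes is flagged; the address rejected twice 45 minutes apart stays below the threshold, and the plain `connect` line is never counted.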