Mail Server Setup

Lonnie Olson lists at kittypee.com
Tue Jun 3 10:13:07 MDT 2014


On Sun, Jun 1, 2014 at 5:48 PM, Brian J. Rogers <captbrogers at gmail.com> wrote:
> The server will not need to process more than 50 emails a day. I'd like
> something lightweight, but I am willing to use more resources for the sake
> of security. I'm unsure exactly what things like DKIM would do to help, and
> I don't even know if they are necessary. However, I do want to take as many
> reasonable precautions as I can when it comes to securing it. I have an
> irrational paranoid fear of having my mail server being in a server (e.g.
> Google Apps). I have nothing against Google, I'd just like to do my own
> server so I can set it up just the way I want. I will be signing each of my
> emails with my PGP key, so that will be a must for the configuration.

Signing outbound mail with DKIM is interesting, but not usually worth
the effort at this point.
Verifying inbound mail signed by DKIM is only useful as a way to
prevent false positives in an anti-spam system.
I'd suggest ignoring both of these for your "simple mail server".

PGP signing/encryption has very little to do with the mail server
itself, and everything to do with your mail client.  You can use PGP
over Gmail if you want.

> Are there benefits to getting an SSL certificate for it rather than just
> using a self-signed one? Would I be able to force the server to never make
> a connection with a client (phone/desktop) without SSL/TLS encryption? Is
> there a way to require a SSL/TLS connection from other mail servers before
> accepting mail? If there is, does that present problems with any server
> that doesn't support that feature?

With StartSSL (https://www.startssl.com), "real" SSL certificates are
free and easy to get.  No reason not to have a "real" one.

All of the most common SMTP/IMAP servers are capable of requiring SSL
encryption on incoming connections.
Now remember not to configure port 25 to require SSL for all
connections, as you will be losing some mail from remote senders that
don't use SSL.

I'd suggest adding another port to your SMTP server that does require
SSL for your clients to use.  Common ports are 587 (using STARTTLS),
or 465 (using pre-encrypted SSL), both are widely supported in mail
clients.

Additionally, I recommend enabling opportunistic SSL on both inbound
and outbound SMTP connections over port 25.  This will encrypt even
more SMTP traffic when possible, and is the good neighbor thing to do.

There are lots of different combinations of SMTP/IMAP servers you can use.

If you want a very detailed tutorial on your own mail server, I
recommend reading this series of articles on ArsTechnica.
http://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/
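
The per-port TLS policy described in the reply above (opportunistic on 25, required on 587 or 465), written as a settings audit. This is an added example and not part of the original post; it assumes Postfix, which the post does not name, and both sample configurations are constructed.

```python
# Added example, not from the original post. Postfix syntax is an assumption;
# both configurations below are constructed sample input.
WEAK_MAIN = {"smtpd_tls_security_level": "encrypt"}   # forces TLS on port 25 as well
GOOD_MAIN = {"smtpd_tls_security_level": "may",       # opportunistic TLS inbound
             "smtp_tls_security_level": "may"}        # opportunistic TLS outbound
WEAK_MASTER = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=may
"""
GOOD_MASTER = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
smtps      inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
"""

def effective_settings(main_cf, master_cf):
    """Map each master.cf service to main.cf settings plus its -o overrides."""
    services, current = {}, None
    for line in master_cf.splitlines():
        text = line.strip()
        if not text or text.startswith("#"):
            continue
        if not line[0].isspace():                 # a new service entry starts in column 0
            current = text.split()[0]
            services[current] = dict(main_cf)
        elif current and text.startswith("-o"):   # indented override for that service
            key, _, value = text[2:].partition("=")
            services[current][key.strip()] = value.strip()
    return services

def audit(main_cf, master_cf):
    """Return findings where the settings depart from the per-port policy above."""
    svc, out = effective_settings(main_cf, master_cf), []
    level = lambda name: svc[name].get("smtpd_tls_security_level", "none")
    if "smtp" in svc and level("smtp") == "encrypt":
        out.append("25: TLS required, senders without TLS will be refused")
    elif "smtp" in svc and level("smtp") != "may":
        out.append("25: opportunistic TLS not offered")
    if main_cf.get("smtp_tls_security_level", "none") in ("", "none"):  # unset counted as off
        out.append("outbound: opportunistic TLS not enabled")
    if "submission" in svc and level("submission") != "encrypt":
        out.append("587: STARTTLS not required")
    if "smtps" in svc and svc["smtps"].get("smtpd_tls_wrappermode") != "yes":
        out.append("465: not in TLS wrapper mode")
    if not svc.keys() & {"submission", "smtps"}:
        out.append("no TLS-only port for clients")
    return out
```

`audit(WEAK_MAIN, WEAK_MASTER)` reports the port 25, outbound and 587 problems; `audit(GOOD_MAIN, GOOD_MASTER)` returns an empty list.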

