Mail Server Setup

Brian J. Rogers captbrogers at gmail.com
Tue Jun 3 11:27:14 MDT 2014


> Signing outbound mail with DKIM is interesting, but not usually worth
> the effort at this point.
> Verifying inbound mail signed by DKIM is only useful as a way to
> prevent false positives in an anti-spam system.
> I'd suggest ignoring both of these for your "simple mail server".

Good to know, I just came across it and I just want to make sure I don't
overlook something that could be very helpful.

> PGP signing/encryption has very little to do with the mail server
> itself, and everything to do with your mail client.  You can use PGP
> over Gmail if you want.

I once tried it with Gmail a while back and it didn't work out well. But
thinking about it, you are right. PGP signing is more on the client than
server.

> With StartSSL (https://www.startssl.com), "real" SSL certificates are
> free and easy to get.  No reason not to have a "real" one.

I applied for one with them and got a reply that because I am a registered
LLC, they won't do a free one for me. Namecheap has a $10 option that may
just be fine for me.

> All of the most common SMTP/IMAP servers are capable of requiring SSL
> encryption on incoming connections.
> Now remember not to configure port 25 to require SSL for all
> connections, as you will be losing some mail from remote senders that
> don't use SSL.

Thanks for the tip, I found something like that elsewhere and it makes
sense as to why.

> I'd suggest adding another port to your SMTP server that does require
> SSL for your clients to use.  Common ports are 587 (using STARTTLS),
> or 465 (using pre-encrypted SSL), both are widely supported in mail
> clients.

I ended up setting things up last night and used these ports.

> Additionally, I recommend enabling opportunistic SSL on both inbound
> and outbound SMTP connections over port 25.  This will encrypt even
> more SMTP traffic when possible, and is the good neighbor thing to do.

Is this (for Postfix) smtpd_tls_security_level = may ? Because I couldn't
find exactly what to put but this one seemed to be opportunistic SSL/TLS.

> There are lots of different combinations of SMTP/IMAP servers you can use.

I ended up going with Postfix/Dovecot/Amavis/SpamAssassin, and I'm pretty
sure I've done it right on all of it except SpamAssassin. I still need to
verify that I'm getting email passed through its filter.

> If you want a very detailed tutorial on your own mail server, I
> recommend reading this series of articles on ArsTechnica.
> http://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/

Thanks for the link, I'll have to read through it tonight.


On Tue, Jun 3, 2014 at 10:13 AM, Lonnie Olson <lists at kittypee.com> wrote:

> On Sun, Jun 1, 2014 at 5:48 PM, Brian J. Rogers <captbrogers at gmail.com>
> wrote:
> > The server will not need to process more than 50 emails a day. I'd like
> > something lightweight, but I am willing to use more resources for the
> > sake of security. I'm unsure exactly what things like DKIM would do to
> > help, and I don't even know if they are necessary. However, I do want to
> > take as many reasonable precautions as I can when it comes to securing
> > it. I have an irrational paranoid fear of having my mail server being in
> > a server (e.g. Google Apps). I have nothing against Google, I'd just like
> > to do my own server so I can set it up just the way I want. I will be
> > signing each of my emails with my PGP key, so that will be a must for the
> > configuration.
>
> Signing outbound mail with DKIM is interesting, but not usually worth
> the effort at this point.
> Verifying inbound mail signed by DKIM is only useful as a way to
> prevent false positives in an anti-spam system.
> I'd suggest ignoring both of these for your "simple mail server".
>
> PGP signing/encryption has very little to do with the mail server
> itself, and everything to do with your mail client.  You can use PGP
> over Gmail if you want.
>
> > Are there benefits to getting an SSL certificate for it rather than just
> > using a self-signed one? Would I be able to force the server to never
> > make a connection with a client (phone/desktop) without SSL/TLS
> > encryption? Is there a way to require a SSL/TLS connection from other
> > mail servers before accepting mail? If there is, does that present
> > problems with any server that doesn't support that feature?
>
> With StartSSL (https://www.startssl.com), "real" SSL certificates are
> free and easy to get.  No reason not to have a "real" one.
>
> All of the most common SMTP/IMAP servers are capable of requiring SSL
> encryption on incoming connections.
> Now remember not to configure port 25 to require SSL for all
> connections, as you will be losing some mail from remote senders that
> don't use SSL.
>
> I'd suggest adding another port to your SMTP server that does require
> SSL for your clients to use.  Common ports are 587 (using STARTTLS),
> or 465 (using pre-encrypted SSL), both are widely supported in mail
> clients.
>
> Additionally, I recommend enabling opportunistic SSL on both inbound
> and outbound SMTP connections over port 25.  This will encrypt even
> more SMTP traffic when possible, and is the good neighbor thing to do.
>
> There are lots of different combinations of SMTP/IMAP servers you can use.
>
> If you want a very detailed tutorial on your own mail server, I
> recommend reading this series of articles on ArsTechnica.
>
> http://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/
>
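
Added example, not part of the original thread or either poster's configuration: a Postfix fragment for the port layout discussed above, with opportunistic TLS on port 25 in both directions and mandatory TLS on the client ports 587 and 465. The certificate paths and host name are placeholders, and the SASL and client-restriction lines are assumptions about a typical authenticated-submission setup.

```conf
# /etc/postfix/main.cf  (added example; paths and host name are placeholders)

# Inbound on port 25: offer STARTTLS but still accept plaintext, so mail
# from remote senders that do not use TLS is not lost.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/mail.example.com.crt
smtpd_tls_key_file = /etc/postfix/tls/mail.example.com.key

# Outbound to other mail servers: use TLS whenever the remote side offers it.
smtp_tls_security_level = may

# Never advertise or accept SMTP AUTH on an unencrypted session.
smtpd_tls_auth_only = yes

# Log one summary line per TLS session, useful for confirming that
# opportunistic TLS is actually being negotiated.
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1


# /etc/postfix/master.cf  (added example)

# Port 587: clients must issue STARTTLS before anything else is allowed.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# Port 465: TLS is negotiated immediately on connect (wrapper mode).
smtps     inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

Running `postconf -n` after a reload lists the non-default main.cf settings that are actually in effect.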

