1 |
On 8/18/20 4:25 PM, james wrote: |
2 |
> I find all of this *fascinating*. |
3 |
|
4 |
;-) |
5 |
|
6 |
> So I have threads from 7/28 and others that attempt to discover the |
7 |
> (gentoo) packages necessary to run my own email services. I have (2) |
8 |
> R.Pi4 (8Gram) and (2) more on order to build out complete |
9 |
> mail/DNS/security for a small/moderate number of folks to use. Just me |
10 |
> to start/test/debug. |
11 |
|
12 |
I expect that, other than CPU speed, the four systems that you have are |
13 |
probably overkill. |
14 |
|
15 |
The CPUs may, or may not, be slow depending on the number of messages |
16 |
you want to handle a day. They are probably quite adequate to start |
17 |
with for personal email. |
18 |
|
19 |
> I'd like to build out Grant(Taylor) and Ashley's solution for further |
20 |
> learning and testing, on Rpi4 based gentoo systems. robust security and |
21 |
> reasonable straightforward (gentoo) admin, is my goal. |
22 |
|
23 |
Sorry to be pedantic, but please list out what you mean by "robust |
24 |
security". I ask more as an exercise for you to think about, and — more |
25 |
importantly — document goals that you'd like to achieve. This |
26 |
documentation may seem somewhat silly, but as has been mentioned |
27 |
multiple times in this thread, there are a LOT of options. So, |
28 |
documenting your desires helps reduce compatible options and makes some |
29 |
choices for you. |
30 |
|
31 |
Don't worry if you find that your previous choice limits you. That will |
32 |
happen. You then need to decide if you want to live with the choice |
33 |
-or- go back a few steps and change your choice. |
34 |
|
35 |
Note: Changing your choice is perfectly fine. Call it what it is, a |
36 |
change, and deal with it. |
37 |
|
38 |
The documentation you're creating is sort of a proto / alpha checklist |
39 |
of goals that you want to achieve. |
40 |
|
41 |
> Can either or both of you concisely list what I'd need |
42 |
> (the ebuild list) to implement a basic, but complete, secure email |
43 |
> system, as delineated in your recent posts? I'd be willing to document |
44 |
> both the build and running tests, for the greater good of the gentoo |
45 |
> community. |
46 |
|
47 |
I will have to collect a list and get back to you. |
48 |
|
49 |
Note: My list will be biased towards my choices. Given that I do |
50 |
things differently than many email admins, my list is likely to be |
51 |
considerably different than others. |
52 |
|
53 |
> If there is interests in the tests and results. |
54 |
|
55 |
I think that quality documentation is always a laudable goal. |
56 |
|
57 |
> Remember, I started this some months ago, cause Frontier does not even |
58 |
> offer basic email services. I hate all thing cloud (deep desire to be |
59 |
> 100% independent of the cloud) and want the ability to remotely |
60 |
> retrieve mails and send emails through *my email systems*. I am |
61 |
> certainly not alone, as some have sent me private email, |
62 |
> with similar desires. |
63 |
|
64 |
Fair enough. |
65 |
|
66 |
> The big corporations are trying to destroy and remove standards based |
67 |
> email from the internet. |
68 |
|
69 |
I haven't seen much where the big players are trying to actively destroy |
70 |
standards based protocols. |
71 |
|
72 |
I have seen where the big players are requiring higher and higher |
73 |
standards than they did 5 / 10 / 15 years ago. |
74 |
|
75 |
Note: This is neither breaking nor removing standards. If anything, |
76 |
it's adding new public standards and making people adhere to them. |
77 |
|
78 |
Analogy: Some states in the U.S.A. aren't removing old vehicles from |
79 |
the road. They are however introducing requirements for vehicles to |
80 |
adhere to more strict emission standards -or- register as historic |
81 |
vehicles which imposes some restrictions. |
82 |
|
83 |
> For me, it is my most useful, important and most desired feature of |
84 |
> the internet. |
85 |
|
86 |
I find email (SMTP(S) & IMAPS) and Usenet news (NNTP(S)) to be two of |
87 |
the most critical Internet services to me. |
88 |
|
89 |
The web (HTTP(S)) is extremely convenient. But I could live without the |
90 |
web, admittedly reluctantly. |
91 |
|
92 |
> I'm ordering up (6) static IPs from Frontier. |
93 |
|
94 |
Will this be an 8-block (/29) of globally routed IPs? Or is it going to |
95 |
be 6 random IPs in a larger co-mingled IP network? |
96 |
|
97 |
Start inquiring of Frontier about how to configure Reverse DNS. Chances |
98 |
are good that Frontier will be familiar with RFC 2317 — Classless |
99 |
IN-ADDR.ARPA delegation. — If you're not familiar with it, I suggest |
100 |
you read RFC 2317. |
101 |
|
102 |
I'd also suggest starting inquiries of Frontier if they Shared Whois |
103 |
Project (SWIP) and / or RWhois. — My VPS provider doesn't offer SWIP |
104 |
or RWhois, and I wish that they did. — SWIP and / or RWhois are quite |
105 |
nice to have when it comes to making your IP(s) / block(s) stand out |
106 |
from other IP(s) / block(s) near yours. (Think in the same /24). |
107 |
|
108 |
Note: Many things on the Internet prefer for name servers to be in |
109 |
different /24 networks. So, having multiple on different IPs in the |
110 |
same /24 doesn't count to many people. |
111 |
|
112 |
> At some point, I'll put another primary bandwidth provider under |
113 |
> this, |
114 |
|
115 |
I would encourage you to start with a bandwidth provider that you plan |
116 |
to stick with for a number of years. (I know, things change. Do the |
117 |
best you can with the information you have at hand now, and deal with |
118 |
change if / when it comes.) |
119 |
|
120 |
I say this because it takes a fair bit of effort to turn up a mail |
121 |
server, especially one intending to /send/ to the Internet at large. |
122 |
|
123 |
Sure, you can largely re-use the system configuration. But there is |
124 |
quite a bit of work / effort / reputation around IPs, especially for |
125 |
/sending/ email servers. It's enough effort that I would hate to do it |
126 |
for one provider if I knew that I would be switching to another provider |
127 |
in the short to mid term future. |
128 |
|
129 |
Such a future change would influence what windmills I would tilt at; |
130 |
e.g. RFC 2317 delegation vs traditional NS delegation for the IP(s) in |
131 |
question. |
132 |
|
133 |
> with hopefully the ability to "bond the pipes" via BGP4 or another |
134 |
> capable protocol. |
135 |
|
136 |
With little exception, "BGP" and "Internet" almost always mean a /24 |
137 |
sized prefix, your own provider independent IPs, and your own AS. These |
138 |
are decidedly non-trivial hurdles to jump over. |
139 |
|
140 |
Some providers /might/ be willing to form a BGP neighbor / peer session |
141 |
with you under other circumstances. But they are for more specific |
142 |
things and likely don't achieve the goal that I think you want. |
143 |
|
144 |
There really isn't much other than BGP that is used on the Internet |
145 |
between independent business / individual entities. |
146 |
|
147 |
To do BGP with multiple upstream providers, you're really starting to |
148 |
talk about a small ISP level. One that's got multiple upstream |
149 |
providers. Many small ISPs are single homed. |
150 |
|
151 |
It is possible to have multiple smaller, non-BGP, redundant ISP |
152 |
connections. But you will almost always do it as separate systems that |
153 |
are addressed out of the different ISP links. This can be another |
154 |
entirely separate thread about how you do this. The TL;DR is that MX 10 |
155 |
looks like it's on ISP Red and MX 20 looks like it's on ISP Green. |
156 |
|
157 |
> Keeping the list of codes to a minimum, is appreciated, at least |
158 |
> until I get the (2) boards up and running. Previously, IPv6 address |
159 |
> mapped to these boards was suggested. I do not see any reason why both |
160 |
> ipv4 and ipv6 cannot be mapped (routed if you like) to these R.pi.4 |
161 |
> boards simultaneously or separately, based on the test vectors under |
162 |
> developmental/proof study? |
163 |
|
164 |
Yes, you can easily have both IPv4 and IPv6 on the same systems. This |
165 |
is commonly known as "Dual-Stack". |
166 |
|
167 |
/My/ personal and professional opinion is that Dual-Stack is currently |
168 |
the industry best practice. That being said, I'm sure that there are |
169 |
many that will try to sway you one way (IPv4 only) or the other (IPv6 |
170 |
only). — IPv4 and / or IPv6 is another one of those pesky choices that |
171 |
you need to make. Well, unless someone else makes it for you. |
172 |
|
173 |
> Sorry for "jumping" this wonderful 'diatribe' but if I post directly, |
174 |
> via Verizon, to gentoo-user, it mostly bounces (another problem). |
175 |
> Verizon is dumping their email services too: |
176 |
|
177 |
Ya. Many medium sized players are getting out of the market. We are |
178 |
ending up with a few extremely large players providing end user |
179 |
mailboxes and a lot of tiny providers providing mailboxes for a few users. |
180 |
|
181 |
> https://wiki.gentoo.org/wiki/Complete_Virtual_Mail_Server |
182 |
> |
183 |
> https://www.howtoforge.com/perfect_server_gentoo_2007.0 |
184 |
> |
185 |
> https://www.androidpolice.com/2020/08/15/this-smartphone-has-physical-kill-switches-for-its-cameras-microphone-data-bluetooth-and-wi-fi/ |
186 |
|
187 |
I would encourage you to read all of these and try to understand all of |
188 |
them. You will likely find that you agree with some points and disagree |
189 |
with other points. This is where those choices, and documentation there |
190 |
of, come into play. |
191 |
|
192 |
You will likely learn something at some point that makes you want to |
193 |
change a choice. I want to remind you that changing a choice is |
194 |
PERFECTLY FINE! But, stick with what's documented, or make a new choice |
195 |
and change what's documented. ;-) |
196 |
|
197 |
> motivated and curious, |
198 |
|
199 |
#staycurious |
200 |
|
201 |
|
202 |
|
203 |
-- |
204 |
Grant. . . . |
205 |
unix || die |