Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins? - gentoo-user

From:	Grant Taylor <gtaylor@×××××××××××××××××××××.net>
To:	gentoo-user@l.g.o
Subject:	Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?
Date:	Wed, 19 Aug 2020 00:44:40
Message-Id:	`e2871eb0-5c00-aab6-f58c-5ecdfc800128@gentoo.tnetconsulting.net`
In Reply to:	Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins? by james

1

On 8/18/20 4:25 PM, james wrote:

2

> I find all of this *fascinating*.

3

4

;-)

5

6

> So I have threads from 7/28 and others that attempt to discover  the

7

> (gentoo) packages necessary to run my own email services. I have (2)

8

> R.Pi4 (8Gram) and (2) more on order to build out complete

9

> mail/DNS/security for a small/moderate number of folks to use. Just me

10

> to start/test/debug.

11

12

I expect that, other than CPU speed, the four systems that you have are 

13

probably overkill.

14

15

The CPUs may, or may not, be slow depending on the number of messages 

16

you want to handle a day.  They are probably quite adequate to start 

17

with for personal email.

18

19

> I'd like to build out Grant(Taylor) and Ashley's solution for further

20

> learning and testing, on Rpi4 based gentoo systems. robust security and

21

> reasonable straightforward (gentoo) admin, is my goal.

22

23

Sorry to be pedantic, but please list out what you mean by "robust 

24

security".  I ask more as an exercise for you to think about, and — more 

25

importantly — document goals that you'd like to achieve.  This 

26

documentation may seem somewhat silly, but as has been mentioned 

27

multiple times in this thread, there are a LOT of options.  So, 

28

documenting your desires helps reduce compatible options and makes some 

29

choices for you.

30

31

Don't worry if you find that your previous choice limits you.  That will 

32

happen.  You then need to decide if you want to live with the choice 

33

-or- go back a few steps and change your choice.

34

35

Note:  Changing your choice is perfectly fine.  Call it what it is, a 

36

change, and deal with it.

37

38

The documentation you're creating is sort of a proto / alpha checklist 

39

of goals that you want to achieve.

40

41

> Can either or both of you concisely list what I'd need

42

> (the ebuild list) to implement a basic, but complete, secure email

43

> system, as delineated in your recent posts? I'd be willing to document

44

> both the build and running tests, for the greater good of the gentoo

45

> community.

46

47

I will have to collect a list and get back to you.

48

49

Note:  My list will be biased towards my choices.  Given that I do 

50

things differently than many email admins, my list is likely to be 

51

considerably different than others.

52

53

> If there is interests in the tests and results.

54

55

I think that quality documentation is always a laudable goal.

56

57

> Remember, I started this  some months ago, cause Frontier does not even

58

> offer basic email services. I hate all thing cloud (deep desire to be

59

> 100% independent of the cloud) and want the ability  to remotely

60

> retrieve mails and send emails through *my email systems*. I am

61

> certainly not alone, as some have sent me private email,

62

> with similar desires.

63

64

Fair enough.

65

66

> The big corporations are trying to destroy and remove standards based

67

> email from the internet.

68

69

I haven't seen much where the big players are trying to actively destroy 

70

standards based protocols.

71

72

I have seen where the big players are requiring higher and higher 

73

standards than they did 5 / 10 / 15 years ago.

74

75

Note:  This is neither breaking nor removing standards.  If anything, 

76

it's adding new public standards and making people adhere to them.

77

78

Analogy:  Some states in the U.S.A. aren't removing old vehicles from 

79

the road.  They are however introducing requirements for vehicles to 

80

adhere to more strict emission standards -or- register as historic 

81

vehicles which imposes some restrictions.

82

83

> For me, it is my most useful, important and most desired feature of

84

> the internet.

85

86

I find email (SMTP(S) & IMAPS) and Usenet news (NNTP(S)) to be two of 

87

the most critical Internet services to me.

88

89

The web (HTTP(S)) is extremely convenient.  But I could live without the 

90

web, admittedly reluctantly.

91

92

> I'm ordering up (6) static IPs from Frontier.

93

94

Will this be an 8-block (/29) of globally routed IPs?  Or is it going to 

95

be 6 random IPs in a larger co-mingled IP network?

96

97

Start inquiring of Frontier about how to configure Reverse DNS.  Chances 

98

are good that Frontier will be familiar with RFC 2317 — Classless 

99

IN-ADDR.ARPA delegation.  —  If you're not familiar with it, I suggest 

100

you read RFC 2317.

101

102

I'd also suggest starting inquiries of Frontier if they Shared Whois 

103

Project (SWIP) and / or RWhois.  —  My VPS provider doesn't offer SWIP 

104

or RWhois, and I wish that they did.  —  SWIP and / or RWhois are quite 

105

nice to have when it comes to making your IP(s) / block(s) stand out 

106

from other IP(s) / block(s) near yours.  (Think in the same /24).

107

108

Note:  Many things on the Internet prefer for name servers to be in 

109

different /24 networks.  So, having multiple on different IPs in the 

110

same /24 doesn't count to many people.

111

112

> At some point, I'll put another primary bandwidth provider under

113

> this,

114

115

I would encourage you to start with a bandwidth provider that you plan 

116

to stick with for a number of years.  (I know, things change.  Do the 

117

best you can with the information you have at hand now, and deal with 

118

change if / when it comes.)

119

120

I say this because it takes a fair bit of effort to turn up a mail 

121

server, especially one intending to /send/ to the Internet at large.

122

123

Sure, you can largely re-use the system configuration.  But there is 

124

quite a bit of work / effort / reputation around IPs, especially for 

125

/sending/ email servers.  It's enough effort that I would hate to do it 

126

for one provider if I knew that I would be switching to another provider 

127

in the short to mid term future.

128

129

Such a future change would influence what windmills I would tilt at; 

130

e.g. RFC 2317 delegation vs traditional NS delegation for the IP(s) in 

131

question.

132

133

> with hopefully the ability to "bond the pipes" via BGP4 or another

134

> capable protocol.

135

136

With little exception, "BGP" and "Internet" almost always mean a /24 

137

sized prefix, your own provider independent IPs, and your own AS.  These 

138

are decidedly non-trivial hurdles to jump over.

139

140

Some providers /might/ be willing to form a BGP neighbor / peer session 

141

with you under other circumstances.  But they are for more specific 

142

things and likely don't achieve the goal that I think you want.

143

144

There really isn't much other than BGP that is used on the Internet 

145

between independent business / individual entities.

146

147

To do BGP with multiple upstream providers, you're really starting to 

148

talk about a small ISP level.  One that's got multiple upstream 

149

providers.  Many small ISPs are single homed.

150

151

It is possible to have multiple smaller, non-BGP, redundant ISP 

152

connections.  But you will almost always do it as separate systems that 

153

are addressed out of the different ISP links.  This can be another 

154

entirely separate thread about how you do this.  The TL;DR is that MX 10 

155

looks like it's on ISP Red and MX 20 looks like it's on ISP Green.

156

157

> Keeping the list of codes to a minimum, is appreciated, at least

158

> until I get the (2) boards up and running. Previously, IPv6 address

159

> mapped to these boards was suggested. I do not see any reason why both

160

> ipv4 and ipv6 cannot be mapped (routed if you like) to these R.pi.4

161

> boards simultaneously or separately, based on the test vectors under

162

> developmental/proof study?

163

164

Yes, you can easily have both IPv4 and IPv6 on the same systems.  This 

165

is commonly known as "Dual-Stack".

166

167

/My/ personal and professional opinion is that Dual-Stack is currently 

168

the industry best practice.  That being said, I'm sure that there are 

169

many that will try to sway you one way (IPv4 only) or the other (IPv6 

170

only).  —  IPv4 and / or IPv6 is another one of those pesky choices that 

171

you need to make.  Well, unless someone else makes it for you.

172

173

> Sorry for "jumping" this wonderful 'diatribe' but if I post directly,

174

> via Verizon, to gentoo-user, it mostly bounces (another problem).

175

> Verizon is dumping their email services too:

176

177

Ya.  Many medium sized players are getting out of the market.  We are 

178

ending up with a few extremely large players providing end user 

179

mailboxes and a lot of tiny providers providing mailboxes for a few users.

180

181

> https://wiki.gentoo.org/wiki/Complete_Virtual_Mail_Server

182

>

183

> https://www.howtoforge.com/perfect_server_gentoo_2007.0

184

>

185

> https://www.androidpolice.com/2020/08/15/this-smartphone-has-physical-kill-switches-for-its-cameras-microphone-data-bluetooth-and-wi-fi/

186

187

I would encourage you to read all of these and try to understand all of 

188

them.  You will likely find that you agree with some points and disagree 

189

with other points.  This is where those choices, and documentation there 

190

of, come into play.

191

192

You will likely learn something at some point that makes you want to 

193

change a choice.  I want to remind you that changing a choice is 

194

PERFECTLY FINE!  But, stick with what's documented, or make a new choice 

195

and change what's documented.  ;-)

196

197

> motivated and curious,

198

199

#staycurious

--

204

Grant. . . .

205

unix || die

Gentoo Archives: gentoo-user

Replies

1	On 8/18/20 4:25 PM, james wrote:
2	> I find all of this fascinating.
3
4	;-)
5
6	> So I have threads from 7/28 and others that attempt to discover the
7	> (gentoo) packages necessary to run my own email services. I have (2)
8	> R.Pi4 (8Gram) and (2) more on order to build out complete
9	> mail/DNS/security for a small/moderate number of folks to use. Just me
10	> to start/test/debug.
11
12	I expect that, other than CPU speed, the four systems that you have are
13	probably overkill.
14
15	The CPUs may, or may not, be slow depending on the number of messages
16	you want to handle a day. They are probably quite adequate to start
17	with for personal email.
18
19	> I'd like to build out Grant(Taylor) and Ashley's solution for further
20	> learning and testing, on Rpi4 based gentoo systems. robust security and
21	> reasonable straightforward (gentoo) admin, is my goal.
22
23	Sorry to be pedantic, but please list out what you mean by "robust
24	security". I ask more as an exercise for you to think about, and — more
25	importantly — document goals that you'd like to achieve. This
26	documentation may seem somewhat silly, but as has been mentioned
27	multiple times in this thread, there are a LOT of options. So,
28	documenting your desires helps reduce compatible options and makes some
29	choices for you.
30
31	Don't worry if you find that your previous choice limits you. That will
32	happen. You then need to decide if you want to live with the choice
33	-or- go back a few steps and change your choice.
34
35	Note: Changing your choice is perfectly fine. Call it what it is, a
36	change, and deal with it.
37
38	The documentation you're creating is sort of a proto / alpha checklist
39	of goals that you want to achieve.
40
41	> Can either or both of you concisely list what I'd need
42	> (the ebuild list) to implement a basic, but complete, secure email
43	> system, as delineated in your recent posts? I'd be willing to document
44	> both the build and running tests, for the greater good of the gentoo
45	> community.
46
47	I will have to collect a list and get back to you.
48
49	Note: My list will be biased towards my choices. Given that I do
50	things differently than many email admins, my list is likely to be
51	considerably different than others.
52
53	> If there is interests in the tests and results.
54
55	I think that quality documentation is always a laudable goal.
56
57	> Remember, I started this some months ago, cause Frontier does not even
58	> offer basic email services. I hate all thing cloud (deep desire to be
59	> 100% independent of the cloud) and want the ability to remotely
60	> retrieve mails and send emails through my email systems. I am
61	> certainly not alone, as some have sent me private email,
62	> with similar desires.
63
64	Fair enough.
65
66	> The big corporations are trying to destroy and remove standards based
67	> email from the internet.
68
69	I haven't seen much where the big players are trying to actively destroy
70	standards based protocols.
71
72	I have seen where the big players are requiring higher and higher
73	standards than they did 5 / 10 / 15 years ago.
74
75	Note: This is neither breaking nor removing standards. If anything,
76	it's adding new public standards and making people adhere to them.
77
78	Analogy: Some states in the U.S.A. aren't removing old vehicles from
79	the road. They are however introducing requirements for vehicles to
80	adhere to more strict emission standards -or- register as historic
81	vehicles which imposes some restrictions.
82
83	> For me, it is my most useful, important and most desired feature of
84	> the internet.
85
86	I find email (SMTP(S) & IMAPS) and Usenet news (NNTP(S)) to be two of
87	the most critical Internet services to me.
88
89	The web (HTTP(S)) is extremely convenient. But I could live without the
90	web, admittedly reluctantly.
91
92	> I'm ordering up (6) static IPs from Frontier.
93
94	Will this be an 8-block (/29) of globally routed IPs? Or is it going to
95	be 6 random IPs in a larger co-mingled IP network?
96
97	Start inquiring of Frontier about how to configure Reverse DNS. Chances
98	are good that Frontier will be familiar with RFC 2317 — Classless
99	IN-ADDR.ARPA delegation. — If you're not familiar with it, I suggest
100	you read RFC 2317.
101
102	I'd also suggest starting inquiries of Frontier if they Shared Whois
103	Project (SWIP) and / or RWhois. — My VPS provider doesn't offer SWIP
104	or RWhois, and I wish that they did. — SWIP and / or RWhois are quite
105	nice to have when it comes to making your IP(s) / block(s) stand out
106	from other IP(s) / block(s) near yours. (Think in the same /24).
107
108	Note: Many things on the Internet prefer for name servers to be in
109	different /24 networks. So, having multiple on different IPs in the
110	same /24 doesn't count to many people.
111
112	> At some point, I'll put another primary bandwidth provider under
113	> this,
114
115	I would encourage you to start with a bandwidth provider that you plan
116	to stick with for a number of years. (I know, things change. Do the
117	best you can with the information you have at hand now, and deal with
118	change if / when it comes.)
119
120	I say this because it takes a fair bit of effort to turn up a mail
121	server, especially one intending to /send/ to the Internet at large.
122
123	Sure, you can largely re-use the system configuration. But there is
124	quite a bit of work / effort / reputation around IPs, especially for
125	/sending/ email servers. It's enough effort that I would hate to do it
126	for one provider if I knew that I would be switching to another provider
127	in the short to mid term future.
128
129	Such a future change would influence what windmills I would tilt at;
130	e.g. RFC 2317 delegation vs traditional NS delegation for the IP(s) in
131	question.
132
133	> with hopefully the ability to "bond the pipes" via BGP4 or another
134	> capable protocol.
135
136	With little exception, "BGP" and "Internet" almost always mean a /24
137	sized prefix, your own provider independent IPs, and your own AS. These
138	are decidedly non-trivial hurdles to jump over.
139
140	Some providers /might/ be willing to form a BGP neighbor / peer session
141	with you under other circumstances. But they are for more specific
142	things and likely don't achieve the goal that I think you want.
143
144	There really isn't much other than BGP that is used on the Internet
145	between independent business / individual entities.
146
147	To do BGP with multiple upstream providers, you're really starting to
148	talk about a small ISP level. One that's got multiple upstream
149	providers. Many small ISPs are single homed.
150
151	It is possible to have multiple smaller, non-BGP, redundant ISP
152	connections. But you will almost always do it as separate systems that
153	are addressed out of the different ISP links. This can be another
154	entirely separate thread about how you do this. The TL;DR is that MX 10
155	looks like it's on ISP Red and MX 20 looks like it's on ISP Green.
156
157	> Keeping the list of codes to a minimum, is appreciated, at least
158	> until I get the (2) boards up and running. Previously, IPv6 address
159	> mapped to these boards was suggested. I do not see any reason why both
160	> ipv4 and ipv6 cannot be mapped (routed if you like) to these R.pi.4
161	> boards simultaneously or separately, based on the test vectors under
162	> developmental/proof study?
163
164	Yes, you can easily have both IPv4 and IPv6 on the same systems. This
165	is commonly known as "Dual-Stack".
166
167	/My/ personal and professional opinion is that Dual-Stack is currently
168	the industry best practice. That being said, I'm sure that there are
169	many that will try to sway you one way (IPv4 only) or the other (IPv6
170	only). — IPv4 and / or IPv6 is another one of those pesky choices that
171	you need to make. Well, unless someone else makes it for you.
172
173	> Sorry for "jumping" this wonderful 'diatribe' but if I post directly,
174	> via Verizon, to gentoo-user, it mostly bounces (another problem).
175	> Verizon is dumping their email services too:
176
177	Ya. Many medium sized players are getting out of the market. We are
178	ending up with a few extremely large players providing end user
179	mailboxes and a lot of tiny providers providing mailboxes for a few users.
180
181	> https://wiki.gentoo.org/wiki/Complete_Virtual_Mail_Server
182	>
183	> https://www.howtoforge.com/perfect_server_gentoo_2007.0
184	>
185	> https://www.androidpolice.com/2020/08/15/this-smartphone-has-physical-kill-switches-for-its-cameras-microphone-data-bluetooth-and-wi-fi/
186
187	I would encourage you to read all of these and try to understand all of
188	them. You will likely find that you agree with some points and disagree
189	with other points. This is where those choices, and documentation there
190	of, come into play.
191
192	You will likely learn something at some point that makes you want to
193	change a choice. I want to remind you that changing a choice is
194	PERFECTLY FINE! But, stick with what's documented, or make a new choice
195	and change what's documented. ;-)
196
197	> motivated and curious,
198
199	#staycurious
200
201
202
203	--
204	Grant. . . .
205	unix \|\| die